Run formatter

treefmt: add mdformat for markdown files
2025-08-25 18:52:55 +02:00 · 2025-08-25 18:40:30 +02:00
573 changed files with 8361 additions and 16432 deletions
--- a/.gitea/workflows/deploy.yaml
+++ b/.gitea/workflows/deploy.yaml
@@ -8,6 +8,6 @@ jobs:
    runs-on: nix
    steps:
      - uses: actions/checkout@v4
-      - run: nix run --print-build-logs .#deploy-docs
+      - run: nix run .#deploy-docs
    env:
      SSH_HOMEPAGE_KEY: ${{ secrets.SSH_HOMEPAGE_KEY }}
--- a/.github/workflows/repo-sync.yml
+++ b/.github/workflows/repo-sync.yml
@@ -10,7 +10,7 @@ jobs:
    if: github.repository_owner == 'clan-lol'
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - uses: actions/create-github-app-token@v2
--- a/.gitignore
+++ b/.gitignore
@@ -52,5 +52,3 @@ pkgs/clan-app/ui/.fonts
 *.gif
 *.mp4
 *.mkv
-
-.jj
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -1,4 +1,6 @@
 # Contributing to Clan

 <!-- Local file: docs/CONTRIBUTING.md -->
-Go to the Contributing guide at https://docs.clan.lol/guides/contributing/CONTRIBUTING
+
+Go to the Contributing guide at
+https://docs.clan.lol/guides/contributing/CONTRIBUTING
--- a/LICENSE.md
+++ b/LICENSE.md
@@ -16,4 +16,3 @@ FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
 COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
 IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
--- a/README.md
+++ b/README.md
@@ -1,45 +1,69 @@
 # Clan core repository

-Welcome to the Clan core repository, the heart of the [clan.lol](https://clan.lol/) project! This monorepo is the foundation of Clan, a revolutionary open-source project aimed at restoring fun, freedom, and functionality to computing. Here, you'll find all the essential packages, NixOS modules, CLI tools, and tests needed to contribute to and work with the Clan project. Clan leverages the Nix system to ensure reliability, security, and seamless management of digital environments, putting the power back into the hands of users.
+Welcome to the Clan core repository, the heart of the
+[clan.lol](https://clan.lol/) project! This monorepo is the foundation of Clan,
+a revolutionary open-source project aimed at restoring fun, freedom, and
+functionality to computing. Here, you'll find all the essential packages, NixOS
+modules, CLI tools, and tests needed to contribute to and work with the Clan
+project. Clan leverages the Nix system to ensure reliability, security, and
+seamless management of digital environments, putting the power back into the
+hands of users.

 ## Why Clan?

-Our mission is simple: to democratize computing by providing tools that empower users, foster innovation, and challenge outdated paradigms. Clan represents our contribution to a future where technology serves humanity, not the other way around. By participating in Clan, you're joining a movement dedicated to creating a secure, user-empowered digital future.
+Our mission is simple: to democratize computing by providing tools that empower
+users, foster innovation, and challenge outdated paradigms. Clan represents our
+contribution to a future where technology serves humanity, not the other way
+around. By participating in Clan, you're joining a movement dedicated to
+creating a secure, user-empowered digital future.

 ## Features of Clan

- **Full-Stack System Deployment:** Utilize Clan's toolkit alongside Nix's reliability to build and manage systems effortlessly.
+- **Full-Stack System Deployment:** Utilize Clan's toolkit alongside Nix's
+  reliability to build and manage systems effortlessly.
 - **Overlay Networks:** Secure, private communication channels between devices.
- **Virtual Machine Integration:** Seamless operation of VM applications within the main operating system.
+- **Virtual Machine Integration:** Seamless operation of VM applications within
+  the main operating system.
 - **Robust Backup Management:** Long-term, self-hosted data preservation.
- **Intuitive Secret Management:** Simplified encryption and password management processes.
+- **Intuitive Secret Management:** Simplified encryption and password management
+  processes.

 ## Getting started with Clan

-If you're new to Clan and eager to dive in, start with our quickstart guide and explore the core functionalities that Clan offers:
+If you're new to Clan and eager to dive in, start with our quickstart guide and
+explore the core functionalities that Clan offers:

- **Quickstart Guide**: Check out [getting started](https://docs.clan.lol/#starting-with-a-new-clan-project)<!-- [docs/site/index.md](docs/site/index.md) --> to get up and running with Clan in no time.
+- **Quickstart Guide**: Check out
+  [getting started](https://docs.clan.lol/#starting-with-a-new-clan-project)<!-- [docs/site/index.md](docs/site/index.md) -->
+  to get up and running with Clan in no time.

 ### Managing secrets

-In the Clan ecosystem, security is paramount. Learn how to handle secrets effectively:
+In the Clan ecosystem, security is paramount. Learn how to handle secrets
+effectively:

- **Secrets Management**: Securely manage secrets by consulting [Vars](https://docs.clan.lol/concepts/generators/)<!-- [secrets.md](docs/site/concepts/generators.md) -->.
+- **Secrets Management**: Securely manage secrets by consulting
+  [Vars](https://docs.clan.lol/concepts/generators/)<!-- [secrets.md](docs/site/concepts/generators.md) -->.

 ### Contributing to Clan

-The Clan project thrives on community contributions. We welcome everyone to contribute and collaborate:
+The Clan project thrives on community contributions. We welcome everyone to
+contribute and collaborate:

- **Contribution Guidelines**: Make a meaningful impact by following the steps in [contributing](https://docs.clan.lol/guides/contributing/CONTRIBUTING/)<!-- [contributing.md](docs/CONTRIBUTING.md) -->.
+- **Contribution Guidelines**: Make a meaningful impact by following the steps
+  in
+  [contributing](https://docs.clan.lol/contributing/contributing/)<!-- [contributing.md](docs/CONTRIBUTING.md) -->.

 ## Join the revolution

-Clan is more than a tool; it's a movement towards a better digital future. By contributing to the Clan project, you're part of changing technology for the better, together.
+Clan is more than a tool; it's a movement towards a better digital future. By
+contributing to the Clan project, you're part of changing technology for the
+better, together.

 ### Community and support

 Connect with us and the Clan community for support and discussion:

 - [Matrix channel](https://matrix.to/#/#clan:clan.lol) for live discussions.
- IRC bridge on [hackint#clan](https://chat.hackint.org/#/connect?join=clan) for real-time chat support.
-
+- IRC bridge on [hackint#clan](https://chat.hackint.org/#/connect?join=clan) for
+  real-time chat support.
--- a/checks/clan-core-for-checks.nix
+++ b/checks/clan-core-for-checks.nix
@@ -0,0 +1,6 @@
+{ fetchgit }:
+fetchgit {
+  url = "https://git.clan.lol/clan/clan-core.git";
+  rev = "5d884cecc2585a29b6a3596681839d081b4de192";
+  sha256 = "09is1afmncamavb2q88qac37vmsijxzsy1iz1vr6gsyjq2rixaxc";
+}
--- a/checks/flake-module.nix
+++ b/checks/flake-module.nix
@@ -12,6 +12,7 @@ let
    elem
    filter
    filterAttrs
+    flip
    genAttrs
    hasPrefix
    pathExists
@@ -44,7 +45,7 @@ in
  flake.check = genAttrs [ "x86_64-linux" "aarch64-darwin" ] (
    system:
    let
-      checks = filterAttrs (
+      checks = flip filterAttrs self.checks.${system} (
        name: _check:
        !(hasPrefix "nixos-test-" name)
        && !(hasPrefix "nixos-" name)
@@ -56,7 +57,7 @@ in
          "clan-core-for-checks"
          "clan-deps"
        ])
-      ) self.checks.${system};
+      );
    in
    inputs.nixpkgs.legacyPackages.${system}.runCommand "fast-flake-checks-${system}"
      { passthru.checks = checks; }
--- a/checks/flash/flake-module.nix
+++ b/checks/flash/flake-module.nix
@@ -29,20 +29,9 @@
        imports = [ self.nixosModules.test-install-machine-without-system ];

        clan.core.vars.generators.test = lib.mkForce { };
+
        disko.devices.disk.main.preCreateHook = lib.mkForce "";
-
-        # Every option here should match the options set through `clan flash write`
-        # if you get a mass rebuild on the disko derivation, this means you need to
-        # adjust something here. Also make sure that the injected json in clan flash write
-        # is up to date.
-        i18n.defaultLocale = "de_DE.UTF-8";
-        console.keyMap = "de";
-        services.xserver.xkb.layout = "de";
-        users.users.root.openssh.authorizedKeys.keys = [
-          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIRWUusawhlIorx7VFeQJHmMkhl9X3QpnvOdhnV/bQNG root@target\n"
-        ];
      };
-
  };

  perSystem =
@@ -55,15 +44,12 @@
      dependencies = [
        pkgs.disko
        pkgs.buildPackages.xorg.lndir
-        pkgs.glibcLocales
-        pkgs.kbd.out
        self.nixosConfigurations."test-flash-machine-${pkgs.hostPlatform.system}".pkgs.perlPackages.ConfigIniFiles
        self.nixosConfigurations."test-flash-machine-${pkgs.hostPlatform.system}".pkgs.perlPackages.FileSlurp

        self.nixosConfigurations."test-flash-machine-${pkgs.hostPlatform.system}".config.system.build.toplevel
        self.nixosConfigurations."test-flash-machine-${pkgs.hostPlatform.system}".config.system.build.diskoScript
        self.nixosConfigurations."test-flash-machine-${pkgs.hostPlatform.system}".config.system.build.diskoScript.drvPath
-        (import ../installation/facter-report.nix pkgs.hostPlatform.system)
      ]
      ++ builtins.map (i: i.outPath) (builtins.attrValues self.inputs);
      closureInfo = pkgs.closureInfo { rootPaths = dependencies; };
@@ -96,10 +82,10 @@
          };
          testScript = ''
            start_all()
-            machine.succeed("echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIRWUusawhlIorx7VFeQJHmMkhl9X3QpnvOdhnV/bQNG root@target' > ./test_id_ed25519.pub")
+
            # Some distros like to automount disks with spaces
            machine.succeed('mkdir -p "/mnt/with spaces" && mkfs.ext4 /dev/vdc && mount /dev/vdc "/mnt/with spaces"')
-            machine.succeed("clan flash write --ssh-pubkey ./test_id_ed25519.pub --keymap de --language de_DE.UTF-8 --debug --flake ${self.checks.x86_64-linux.clan-core-for-checks} --yes --disk main /dev/vdc test-flash-machine-${pkgs.hostPlatform.system}")
+            machine.succeed("clan flash write --debug --flake ${self.checks.x86_64-linux.clan-core-for-checks} --yes --disk main /dev/vdc test-flash-machine-${pkgs.hostPlatform.system}")
          '';
        } { inherit pkgs self; };
      };
--- a/checks/installation/facter-report.nix
+++ b/checks/installation/facter-report.nix
@@ -1,10 +0,0 @@
-system:
-builtins.fetchurl {
-  url = "https://git.clan.lol/clan/test-fixtures/raw/commit/4a2bc56d886578124b05060d3fb7eddc38c019f8/nixos-vm-facter-json/${system}.json";
-  sha256 =
-    {
-      aarch64-linux = "sha256:1rlfymk03rmfkm2qgrc8l5kj5i20srx79n1y1h4nzlpwaz0j7hh2";
-      x86_64-linux = "sha256:16myh0ll2gdwsiwkjw5ba4dl23ppwbsanxx214863j7nvzx42pws";
-    }
-    .${system};
-}
--- a/checks/installation/flake-module.nix
+++ b/checks/installation/flake-module.nix
@@ -18,23 +18,27 @@
    fileSystems."/".device = lib.mkDefault "/dev/vda";
    boot.loader.grub.device = lib.mkDefault "/dev/vda";

-    imports = [
-      self.nixosModules.test-install-machine-without-system
-    ];
+    imports = [ self.nixosModules.test-install-machine-without-system ];
  };
-
  clan.machines.test-install-machine-with-system =
    { pkgs, ... }:
    {
      # https://git.clan.lol/clan/test-fixtures
-      facter.reportPath = import ./facter-report.nix pkgs.hostPlatform.system;
+      facter.reportPath = builtins.fetchurl {
+        url = "https://git.clan.lol/clan/test-fixtures/raw/commit/4a2bc56d886578124b05060d3fb7eddc38c019f8/nixos-vm-facter-json/${pkgs.hostPlatform.system}.json";
+        sha256 =
+          {
+            aarch64-linux = "sha256:1rlfymk03rmfkm2qgrc8l5kj5i20srx79n1y1h4nzlpwaz0j7hh2";
+            x86_64-linux = "sha256:16myh0ll2gdwsiwkjw5ba4dl23ppwbsanxx214863j7nvzx42pws";
+          }
+          .${pkgs.hostPlatform.system};
+      };

      fileSystems."/".device = lib.mkDefault "/dev/vda";
      boot.loader.grub.device = lib.mkDefault "/dev/vda";

      imports = [ self.nixosModules.test-install-machine-without-system ];
    };
-
  flake.nixosModules = {
    test-install-machine-without-system =
      { lib, modulesPath, ... }:
@@ -155,7 +159,6 @@
              pkgs.stdenv.drvPath
              pkgs.bash.drvPath
              pkgs.buildPackages.xorg.lndir
-              (import ./facter-report.nix pkgs.hostPlatform.system)
            ]
            ++ builtins.map (i: i.outPath) (builtins.attrValues self.inputs);
          };
@@ -299,8 +302,7 @@
                      "test-install-machine-without-system",
                      "-i", ssh_conn.ssh_key,
                      "--option", "store", os.environ['CLAN_TEST_STORE'],
-                      "--target-host", f"nonrootuser@localhost:{ssh_conn.host_port}",
-                      "--yes"
+                      f"nonrootuser@localhost:{ssh_conn.host_port}"
                  ]

                  result = subprocess.run(clan_cmd, capture_output=True, cwd=flake_dir)
@@ -324,9 +326,7 @@
                      "test-install-machine-without-system",
                      "-i", ssh_conn.ssh_key,
                      "--option", "store", os.environ['CLAN_TEST_STORE'],
-                      "--target-host",
-                      f"nonrootuser@localhost:{ssh_conn.host_port}",
-                      "--yes"
+                      f"nonrootuser@localhost:{ssh_conn.host_port}"
                  ]

                  result = subprocess.run(clan_cmd, capture_output=True, cwd=flake_dir)
--- a/checks/morph/flake-module.nix
+++ b/checks/morph/flake-module.nix
@@ -35,7 +35,6 @@
                  pkgs.stdenv.drvPath
                  pkgs.stdenvNoCC
                  self.nixosConfigurations.test-morph-machine.config.system.build.toplevel
-                  (import ../installation/facter-report.nix pkgs.hostPlatform.system)
                ]
                ++ builtins.map (i: i.outPath) (builtins.attrValues self.inputs);
                closureInfo = pkgs.closureInfo { rootPaths = dependencies; };
--- a/checks/service-dummy-test/legacy-module/README.md
+++ b/checks/service-dummy-test/legacy-module/README.md
@@ -1,10 +1,6 @@
---
-description = "Set up dummy-module"
-categories = ["System"]
-features = [ "inventory" ]
+______________________________________________________________________

-[constraints]
-roles.admin.min = 1
-roles.admin.max = 1
---
+description = "Set up dummy-module" categories = ["System"] features = \[
+"inventory" \]

+## [constraints] roles.admin.min = 1 roles.admin.max = 1
--- a/checks/update/flake-module.nix
+++ b/checks/update/flake-module.nix
@@ -112,7 +112,6 @@
                    pkgs.stdenv.drvPath
                    pkgs.bash.drvPath
                    pkgs.buildPackages.xorg.lndir
-                    (import ../installation/facter-report.nix pkgs.hostPlatform.system)
                  ]
                  ++ builtins.map (i: i.outPath) (builtins.attrValues self.inputs);
                };
--- a/clanServices/admin/default.nix
+++ b/clanServices/admin/default.nix
@@ -1,3 +1,4 @@
+{ ... }:
 {
  _class = "clan.service";
  manifest.name = "clan-core/admin";
--- a/clanServices/admin/flake-module.nix
+++ b/clanServices/admin/flake-module.nix
@@ -1,6 +1,6 @@
-{ ... }:
+{ lib, ... }:
 let
-  module = ./default.nix;
+  module = lib.modules.importApply ./default.nix { };
 in
 {
  clan.modules = {
--- a/clanServices/borgbackup/README.md
+++ b/clanServices/borgbackup/README.md
@@ -5,7 +5,7 @@ inventory.instances = {
  borgbackup = {
    module = {
      name = "borgbackup";
-      input = "clan-core";
+      input = "clan";
    };
    roles.client.machines."jon".settings = {
      destinations."storagebox" = {
--- a/clanServices/borgbackup/flake-module.nix
+++ b/clanServices/borgbackup/flake-module.nix
@@ -1,6 +1,6 @@
-{ ... }:
+{ lib, ... }:
 let
-  module = ./default.nix;
+  module = lib.modules.importApply ./default.nix { };
 in
 {
  clan.modules = {
--- a/clanServices/certificates/README.md
+++ b/clanServices/certificates/README.md
@@ -1,32 +0,0 @@
-This service sets up a certificate authority (CA) that can issue certificates to
-other machines in your clan. For this the `ca` role is used.
-It additionally provides a `default` role, that can be applied to all machines
-in your clan and will make sure they trust your CA.
-
-## Example Usage
-
-The following configuration would add a CA for the top level domain `.foo`. If
-the machine `server` now hosts a webservice at `https://something.foo`, it will
-get a certificate from `ca` which is valid inside your clan. The machine
-`client` will trust this certificate if it makes a request to
-`https://something.foo`.
-
-This clan service can be combined with the `coredns` service for easy to deploy,
-SSL secured clan-internal service hosting.
-
-```nix
-inventory = {
-  machines.ca = { };
-  machines.client = { };
-  machines.server = { };
-
-  instances."certificates" = {
-    module.name = "certificates";
-    module.input = "self";
-
-    roles.ca.machines.ca.settings.tlds = [ "foo" ];
-    roles.default.machines.client = { };
-    roles.default.machines.server = { };
-  };
-};
-```
--- a/clanServices/certificates/default.nix
+++ b/clanServices/certificates/default.nix
@@ -1,245 +0,0 @@
-{ ... }:
-{
-  _class = "clan.service";
-  manifest.name = "certificates";
-  manifest.description = "Sets up a certificates internal to your Clan";
-  manifest.categories = [ "Network" ];
-  manifest.readme = builtins.readFile ./README.md;
-
-  roles.ca = {
-
-    interface =
-      { lib, ... }:
-      {
-
-        options.acmeEmail = lib.mkOption {
-          type = lib.types.str;
-          default = "none@none.tld";
-          description = ''
-            Email address for account creation and correspondence from the CA.
-            It is recommended to use the same email for all certs to avoid account
-            creation limits.
-          '';
-        };
-
-        options.tlds = lib.mkOption {
-          type = lib.types.listOf lib.types.str;
-          description = "Top level domain for this CA. Certificates will be issued and trusted for *.<tld>";
-        };
-
-        options.expire = lib.mkOption {
-          type = lib.types.nullOr lib.types.str;
-          description = "When the certificate should expire.";
-          default = "8760h";
-          example = "8760h";
-        };
-      };
-
-    perInstance =
-      { settings, ... }:
-      {
-        nixosModule =
-          {
-            config,
-            pkgs,
-            lib,
-            ...
-          }:
-          let
-            domains = map (tld: "ca.${tld}") settings.tlds;
-          in
-          {
-            security.acme.defaults.email = settings.acmeEmail;
-            security.acme = {
-              certs = builtins.listToAttrs (
-                map (domain: {
-                  name = domain;
-                  value = {
-                    server = "https://${domain}:1443/acme/acme/directory";
-                  };
-                }) domains
-              );
-            };
-
-            networking.firewall.allowedTCPPorts = [
-              80
-              443
-            ];
-
-            services.nginx = {
-              enable = true;
-              recommendedProxySettings = true;
-              virtualHosts = builtins.listToAttrs (
-                map (domain: {
-                  name = domain;
-                  value = {
-                    addSSL = true;
-                    enableACME = true;
-                    locations."/".proxyPass = "https://localhost:1443";
-                    locations."= /ca.crt".alias =
-                      config.clan.core.vars.generators.step-intermediate-cert.files."intermediate.crt".path;
-                  };
-                }) domains
-              );
-            };
-
-            clan.core.vars.generators = {
-
-              # Intermediate key generator
-              "step-intermediate-key" = {
-                files."intermediate.key" = {
-                  secret = true;
-                  deploy = true;
-                  owner = "step-ca";
-                  group = "step-ca";
-                };
-                runtimeInputs = [ pkgs.step-cli ];
-                script = ''
-                  step crypto keypair --kty EC --curve P-256 --no-password --insecure $out/intermediate.pub $out/intermediate.key
-                '';
-              };
-
-              # Intermediate certificate generator
-              "step-intermediate-cert" = {
-                files."intermediate.crt".secret = false;
-                dependencies = [
-                  "step-ca"
-                  "step-intermediate-key"
-                ];
-                runtimeInputs = [ pkgs.step-cli ];
-                script = ''
-                  # Create intermediate certificate
-                  step certificate create \
-                    --ca $in/step-ca/ca.crt \
-                    --ca-key $in/step-ca/ca.key \
-                    --ca-password-file /dev/null \
-                    --key $in/step-intermediate-key/intermediate.key \
-                    --template ${pkgs.writeText "intermediate.tmpl" ''
-                      {
-                        "subject": {{ toJson .Subject }},
-                        "keyUsage": ["certSign", "crlSign"],
-                        "basicConstraints": {
-                          "isCA": true,
-                          "maxPathLen": 0
-                        },
-                        "nameConstraints": {
-                          "critical": true,
-                          "permittedDNSDomains": [${
-                            (lib.strings.concatStringsSep "," (map (tld: ''"${tld}"'') settings.tlds))
-                          }]
-                        }
-                      }
-                    ''} ${lib.optionalString (settings.expire != null) "--not-after ${settings.expire}"} \
-                    --not-before=-12h \
-                    --no-password --insecure \
-                    "Clan Intermediate CA" \
-                    $out/intermediate.crt
-                '';
-              };
-            };
-
-            services.step-ca = {
-              enable = true;
-              intermediatePasswordFile = "/dev/null";
-              address = "0.0.0.0";
-              port = 1443;
-              settings = {
-                root = config.clan.core.vars.generators.step-ca.files."ca.crt".path;
-                crt = config.clan.core.vars.generators.step-intermediate-cert.files."intermediate.crt".path;
-                key = config.clan.core.vars.generators.step-intermediate-key.files."intermediate.key".path;
-                dnsNames = domains;
-                logger.format = "text";
-                db = {
-                  type = "badger";
-                  dataSource = "/var/lib/step-ca/db";
-                };
-                authority = {
-                  provisioners = [
-                    {
-                      type = "ACME";
-                      name = "acme";
-                      forceCN = true;
-                    }
-                  ];
-                  claims = {
-                    maxTLSCertDuration = "2160h";
-                    defaultTLSCertDuration = "2160h";
-                  };
-                  backdate = "1m0s";
-                };
-                tls = {
-                  cipherSuites = [
-                    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"
-                    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
-                  ];
-                  minVersion = 1.2;
-                  maxVersion = 1.3;
-                  renegotiation = false;
-                };
-              };
-            };
-          };
-      };
-  };
-
-  # Empty role, so we can add non-ca machins to the instance to trust the CA
-  roles.default = {
-    interface =
-      { lib, ... }:
-      {
-        options.acmeEmail = lib.mkOption {
-          type = lib.types.str;
-          default = "none@none.tld";
-          description = ''
-            Email address for account creation and correspondence from the CA.
-            It is recommended to use the same email for all certs to avoid account
-            creation limits.
-          '';
-        };
-      };
-
-    perInstance =
-      { settings, ... }:
-      {
-        nixosModule.security.acme.defaults.email = settings.acmeEmail;
-      };
-  };
-
-  # All machines (independent of role) will trust the CA
-  perMachine.nixosModule =
-    { pkgs, config, ... }:
-    {
-      # Root CA generator
-      clan.core.vars.generators = {
-        "step-ca" = {
-          share = true;
-          files."ca.key" = {
-            secret = true;
-            deploy = false;
-          };
-          files."ca.crt".secret = false;
-          runtimeInputs = [ pkgs.step-cli ];
-          script = ''
-            step certificate create --template ${pkgs.writeText "root.tmpl" ''
-              {
-                "subject": {{ toJson .Subject }},
-                "issuer": {{ toJson .Subject }},
-                "keyUsage": ["certSign", "crlSign"],
-                "basicConstraints": {
-                  "isCA": true,
-                  "maxPathLen": 1
-                }
-              }
-            ''} "Clan Root CA" $out/ca.crt $out/ca.key \
-              --kty EC --curve P-256 \
-              --not-after=8760h \
-              --not-before=-12h \
-              --no-password --insecure
-          '';
-        };
-      };
-      security.pki.certificateFiles = [ config.clan.core.vars.generators."step-ca".files."ca.crt".path ];
-      environment.systemPackages = [ pkgs.openssl ];
-      security.acme.acceptTerms = true;
-    };
-}
--- a/clanServices/certificates/flake-module.nix
+++ b/clanServices/certificates/flake-module.nix
@@ -1,17 +0,0 @@
-{
-  ...
-}:
-let
-  module = ./default.nix;
-in
-{
-  clan.modules.certificates = module;
-  perSystem =
-    { ... }:
-    {
-      clan.nixosTests.certificates = {
-        imports = [ ./tests/vm/default.nix ];
-        clan.modules.certificates = module;
-      };
-    };
-}
--- a/clanServices/certificates/tests/vm/default.nix
+++ b/clanServices/certificates/tests/vm/default.nix
@@ -1,84 +0,0 @@
-{
-  name = "certificates";
-
-  clan = {
-    directory = ./.;
-    inventory = {
-
-      machines.ca = { }; # 192.168.1.1
-      machines.client = { }; # 192.168.1.2
-      machines.server = { }; # 192.168.1.3
-
-      instances."certificates" = {
-        module.name = "certificates";
-        module.input = "self";
-
-        roles.ca.machines.ca.settings.tlds = [ "foo" ];
-        roles.default.machines.client = { };
-        roles.default.machines.server = { };
-      };
-    };
-  };
-
-  nodes =
-    let
-      hostConfig = ''
-        192.168.1.1 ca.foo
-        192.168.1.3 test.foo
-      '';
-    in
-    {
-
-      client.networking.extraHosts = hostConfig;
-      ca.networking.extraHosts = hostConfig;
-
-      server = {
-
-        networking.extraHosts = hostConfig;
-
-        # TODO: Could this be set automatically?
-        # I would like to get this information from the coredns module, but we
-        # cannot model dependencies yet
-        security.acme.certs."test.foo".server = "https://ca.foo/acme/acme/directory";
-
-        # Host a simple service on 'server', with SSL provided via our CA. 'client'
-        # should be able to curl it via https and accept the certificates
-        # presented
-        networking.firewall.allowedTCPPorts = [
-          80
-          443
-        ];
-
-        services.nginx = {
-          enable = true;
-          virtualHosts."test.foo" = {
-            enableACME = true;
-            forceSSL = true;
-            locations."/" = {
-              return = "200 'test server response'";
-              extraConfig = "add_header Content-Type text/plain;";
-            };
-          };
-        };
-      };
-    };
-
-  testScript = ''
-    start_all()
-
-    import time
-
-    time.sleep(3)
-    ca.succeed("systemctl restart acme-order-renew-ca.foo.service ")
-
-    time.sleep(3)
-    server.succeed("systemctl restart acme-test.foo.service")
-
-    # It takes a while for the correct certs to appear (before that self-signed
-    # are presented by nginx) so we wait for a bit.
-    client.wait_until_succeeds("curl -v https://test.foo")
-
-    # Show certificate information for debugging
-    client.succeed("openssl s_client -connect test.foo:443 -servername test.foo </dev/null 2>/dev/null | openssl x509 -text -noout 1>&2")
-  '';
-}
--- a/clanServices/certificates/tests/vm/sops/machines/ca/key.json
+++ b/clanServices/certificates/tests/vm/sops/machines/ca/key.json
@@ -1,6 +0,0 @@
-[
-  {
-    "publickey": "age1yd2cden7jav8x4nzx2fwze2fsa5j0qm2m3t7zum765z3u4gj433q7dqj43",
-    "type": "age"
-  }
-]
--- a/clanServices/certificates/tests/vm/sops/machines/client/key.json
+++ b/clanServices/certificates/tests/vm/sops/machines/client/key.json
@@ -1,6 +0,0 @@
-[
-  {
-    "publickey": "age1js225d8jc507sgcg0fdfv2x3xv3asm4ds5c6s4hp37nq8spxu95sc5x3ce",
-    "type": "age"
-  }
-]
--- a/clanServices/certificates/tests/vm/sops/machines/server/key.json
+++ b/clanServices/certificates/tests/vm/sops/machines/server/key.json
@@ -1,6 +0,0 @@
-[
-  {
-    "publickey": "age1nwuh8lc604mnz5r8ku8zswyswnwv02excw237c0cmtlejp7xfp8sdrcwfa",
-    "type": "age"
-  }
-]
--- a/clanServices/certificates/tests/vm/sops/secrets/ca-age.key/secret
+++ b/clanServices/certificates/tests/vm/sops/secrets/ca-age.key/secret
@@ -1,15 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:6+XilULKRuWtAZ6B8Lj9UqCfi1T6dmqrDqBNXqS4SvBwM1bIWiL6juaT1Q7ByOexzID7tY740gmQBqTey54uLydh8mW0m4ZtUqw=,iv:9kscsrMPBGkutTnxrc5nrc7tQXpzLxw+929pUDKqTu0=,tag:753uIjm8ZRs0xsjiejEY8g==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1d3kycldZRXhmR0FqTXJp\nWWU0MDBYNmxxbFE5M2xKYm5KWnQ0MXBHNEM4CjN4RFFVcFlkd3pjTFVDQ3Vackdj\nVTVhMWoxdFpsWHp5S1p4L05kYk5LUkkKLS0tIENtZFZZTjY2amFVQmZLZFplQzBC\nZm1vWFI4MXR1ZHIxTTQ5VXdSYUhvOTQKte0bKjXQ0xA8FrpuChjDUvjVqp97D8kT\n3tVh6scdjxW48VSBZP1GRmqcMqCdj75GvJTbWeNEV4PDBW7GI0UW+Q==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-09-02T08:42:39Z",
-		"mac": "ENC[AES256_GCM,data:AftMorrH7qX5ctVu5evYHn5h9pC4Mmm2VYaAV8Hy0PKTc777jNsL6DrxFVV3NVqtecpwrzZFWKgzukcdcRJe4veVeBrusmoZYtifH0AWZTEVpVlr2UXYYxCDmNZt1WHfVUo40bT//X6QM0ye6a/2Y1jYPbMbryQNcGmnpk9PDvU=,iv:5nk+d8hzA05LQp7ZHRbIgiENg2Ha6J6YzyducM6zcNU=,tag:dy1hqWVzMu/+fSK57h9ZCA==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.10.2"
-	}
-}
--- a/clanServices/certificates/tests/vm/sops/secrets/ca-age.key/users/admin
+++ b/clanServices/certificates/tests/vm/sops/secrets/ca-age.key/users/admin
@@ -1 +0,0 @@
-../../../users/admin
--- a/clanServices/certificates/tests/vm/sops/secrets/client-age.key/secret
+++ b/clanServices/certificates/tests/vm/sops/secrets/client-age.key/secret
@@ -1,15 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:jdTuGQUYvT1yXei1RHKsOCsABmMlkcLuziHDVhA7NequZeNu0fSbrJTXQDCHsDGhlYRcjU5EsEDT750xdleXuD3Gs9zWvPVobI4=,iv:YVow3K1j6fzRF9bRfIEpuOkO/nRpku/UQxWNGC+UJQQ=,tag:cNLM5R7uu6QpwPB9K6MYzg==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvOVF2WXRSL0NpQzFZR01I\nNU85TGcyQmVDazN1dmpuRFVTZEg5NDRKTGhrCk1IVjFSU1V6WHBVRnFWcHkyVERr\nTjFKbW1mQ2FWOWhjN2VPamMxVEQ5VkkKLS0tIENVUGlhanhuWGtDKzBzRmk2dE4v\nMXZBRXNMa3IrOTZTNHRUWVE3UXEwSWMK2cBLoL/H/Vxd/klVrqVLdX9Mww5j7gw/\nEWc5/hN+km6XoW+DiJxVG4qaJ7qqld6u5ZnKgJT+2h9CfjA04I2akg==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-09-02T08:42:51Z",
-		"mac": "ENC[AES256_GCM,data:zOBQVM2Ydu4v0+Fw3p3cEU+5+7eKaadV0tKro1JVOxclG1Vs6Myq57nw2eWf5JxIl0ulL+FavPKY26qOQ3aqcGOT3PMRlCda9z+0oSn9Im9bE/DzAGmoH/bp76kFkgTTOCZTMUoqJ+UJqv0qy1BH/92sSSKmYshEX6d1vr5ISrw=,iv:i9ZW4sLxOCan4UokHlySVr1CW39nCTusG4DmEPj/gIw=,tag:iZBDPHDkE3Vt5mFcFu1TPQ==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.10.2"
-	}
-}
--- a/clanServices/certificates/tests/vm/sops/secrets/client-age.key/users/admin
+++ b/clanServices/certificates/tests/vm/sops/secrets/client-age.key/users/admin
@@ -1 +0,0 @@
-../../../users/admin
--- a/clanServices/certificates/tests/vm/sops/secrets/server-age.key/secret
+++ b/clanServices/certificates/tests/vm/sops/secrets/server-age.key/secret
@@ -1,15 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:5CJuHcxJMXZJ8GqAeG3BrbWtT1kade4kxgJsn1cRpmr1UgN0ZVYnluPEiBscClNSOzcc6vcrBpfTI3dj1tASKTLP58M+GDBFQDo=,iv:gsK7XqBGkYCoqAvyFlIXuJ27PKSbTmy7f6cgTmT2gow=,tag:qG5KejkBvy9ytfhGXa/Mnw==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxbzVqYkplTzJKN1pwS3VM\naFFIK2VsR3lYUVExYW9ieERBL0tlcFZtVzJRCkpiLzdmWmFlOUZ5QUJ4WkhXZ2tQ\nZm92YXBCV0RpYnIydUdEVTRiamI4bjAKLS0tIG93a2htS1hFcjBOeVFnNCtQTHVr\na2FPYjVGbWtORjJVWXE5bndPU1RWcXMKikMEB7X+kb7OtiyqXn3HRpLYkCdoayDh\n7cjGnplk17q25/lRNHM4JVS5isFfuftCl01enESqkvgq+cwuFwa9DQ==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-09-02T08:42:59Z",
-		"mac": "ENC[AES256_GCM,data:xybV2D0xukZnH2OwRpIugPnS7LN9AbgGKwFioPJc1FQWx9TxMUVDwgMN6V5WrhWkXgF2zP4krtDYpEz4Vq+LbOjcnTUteuCc+7pMHubuRuip7j+M32MH1kuf4bVZuXbCfvm7brGxe83FzjoioLqzA8g/X6Q1q7/ErkNeFjluC3Q=,iv:QEW3EUKSRZY3fbXlP7z+SffWkQeXwMAa5K8RQW7NvPE=,tag:DhFxY7xr7H1Wbd527swD0Q==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.10.2"
-	}
-}
--- a/clanServices/certificates/tests/vm/sops/secrets/server-age.key/users/admin
+++ b/clanServices/certificates/tests/vm/sops/secrets/server-age.key/users/admin
@@ -1 +0,0 @@
-../../../users/admin
--- a/clanServices/certificates/tests/vm/vars/per-machine/ca/step-intermediate-cert/intermediate.crt/value
+++ b/clanServices/certificates/tests/vm/vars/per-machine/ca/step-intermediate-cert/intermediate.crt/value
@@ -1,12 +0,0 @@
-----BEGIN CERTIFICATE-----
-MIIBsDCCAVegAwIBAgIQbT1Ivm+uwyf0HNkJfan2BTAKBggqhkjOPQQDAjAXMRUw
-EwYDVQQDEwxDbGFuIFJvb3QgQ0EwHhcNMjUwOTAxMjA0MzAzWhcNMjYwOTAyMDg0
-MzAzWjAfMR0wGwYDVQQDExRDbGFuIEludGVybWVkaWF0ZSBDQTBZMBMGByqGSM49
-AgEGCCqGSM49AwEHA0IABDXCNrUIotju9P1U6JxLV43sOxLlRphQJS4dM+lvjTZc
-aQ+HwQg0AHVlQNRwS3JqKrJJtJVyKbZklh6eFaDPoj6jfTB7MA4GA1UdDwEB/wQE
-AwIBBjASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQWBBRKHaccHgP2ccSWVBWN
-zGoDdTg7aTAfBgNVHSMEGDAWgBSfsnz4phMJx9su/kgeF/FbZQCBgzAVBgNVHR4B
-Af8ECzAJoAcwBYIDZm9vMAoGCCqGSM49BAMCA0cAMEQCICiUDk1zGNzpS/iVKLfW
-zUGaCagpn2mCx4xAXQM9UranAiAn68nVYGWjkzhU31wyCAupxOjw7Bt96XXqIAz9
-hLLtMA==
-----END CERTIFICATE-----
--- a/clanServices/certificates/tests/vm/vars/per-machine/ca/step-intermediate-key/intermediate.key/machines/ca
+++ b/clanServices/certificates/tests/vm/vars/per-machine/ca/step-intermediate-key/intermediate.key/machines/ca
@@ -1 +0,0 @@
-../../../../../../sops/machines/ca
--- a/clanServices/certificates/tests/vm/vars/per-machine/ca/step-intermediate-key/intermediate.key/secret
+++ b/clanServices/certificates/tests/vm/vars/per-machine/ca/step-intermediate-key/intermediate.key/secret
@@ -1,19 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:Auonh9fa7jSkld1Zyxw74x5ydj6Xc+0SOgiqumVETNCfner9K96Rmv1PkREuHNGWPsnzyEM3pRT8ijvu3QoKvy9QPCCewyT07Wqe4G74+bk1iMeAHsV3To6kHs6M8OISvE+CmG0+hlLmdfRSabTzyWPLHbOjvFTEEuA5G7xiryacSYOE++eeEHdn+oUDh/IMTcfLjCGMjsXFikx1Hb+ofeRTlCg47+0w4MXVvQkOzQB5V2C694jZXvZ19jd/ioqr8YASz2xatGvqwW6cpZxqOWyZJ0UAj/6yFk6tZWifqVB3wgU=,iv:ITFCrDkeWl4GWCebVq15ei9QmkOLDwUIYojKZ2TU6JU=,tag:8k4iYbCIusUykY79H86WUQ==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsT25UbjJTQ2tzbnQyUm9p\neWx1UlZIeVpocnBqUCt0YnFlN2FOU25Lb0hNCmdXUUsyalRTbHRRQ0NLSGc1YllV\nUXRwaENhaXU1WmdnVDE0UWprUUUyeDAKLS0tIHV3dHU3aG5JclM0V3FadzN0SU14\ndFptbEJUNXQ4QVlqbkJ1TjAvdDQwSGsKcKPWUjhK7wzIpdIdksMShF2fpLdDTUBS\nZiU7P1T+3psxad9qhapvU0JrAY+9veFaYVEHha2aN/XKs8HqUcTp3A==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1yd2cden7jav8x4nzx2fwze2fsa5j0qm2m3t7zum765z3u4gj433q7dqj43",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjZFVteVZwVGVmRE9NT3hG\nNGMyS3FSaXluM1FpeUp6SDVMUEpwYzg5SmdvCkRPU0QyU1JicGNkdlMyQWVkT0k3\nL2YrbDhWeGk4WFhxcUFmTmhZQ0pEQncKLS0tIG85Ui9rKzBJQ2VkMFBUQTMvSTlu\nbm8rZ09Wa24rQkNvTTNtYTZBN3MrZlkK7cjNhlUKZdOrRq/nKUsbUQgNTzX8jO+0\nzADpz6WCMvsJ15xazc10BGh03OtdMWl5tcoWMaZ71HWtI9Gip5DH0w==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-09-02T08:42:42Z",
-		"mac": "ENC[AES256_GCM,data:9xlO5Yis8DG/y8GjvP63NltD4xEL7zqdHL2cQE8gAoh/ZamAmK5ZL0ld80mB3eIYEPKZYvmUYI4Lkrge2ZdqyDoubrW+eJ3dxn9+StxA9FzXYwUE0t+bbsNJfOOp/kDojf060qLGsu0kAGKd2ca4WiDccR0Cieky335C7Zzhi/Q=,iv:bWQ4wr0CJHSN+6ipUbkYTDWZJyFQjDKszfpVX9EEUsY=,tag:kADIFgJBEGCvr5fPbbdEDA==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.10.2"
-	}
-}
--- a/clanServices/certificates/tests/vm/vars/per-machine/ca/step-intermediate-key/intermediate.key/users/admin
+++ b/clanServices/certificates/tests/vm/vars/per-machine/ca/step-intermediate-key/intermediate.key/users/admin
@@ -1 +0,0 @@
-../../../../../../sops/users/admin
--- a/clanServices/certificates/tests/vm/vars/per-machine/client/state-version/version/value
+++ b/clanServices/certificates/tests/vm/vars/per-machine/client/state-version/version/value
@@ -1 +0,0 @@
-25.11
--- a/clanServices/certificates/tests/vm/vars/per-machine/server/state-version/version/value
+++ b/clanServices/certificates/tests/vm/vars/per-machine/server/state-version/version/value
@@ -1 +0,0 @@
-25.11
--- a/clanServices/certificates/tests/vm/vars/shared/step-ca/ca.crt/value
+++ b/clanServices/certificates/tests/vm/vars/shared/step-ca/ca.crt/value
@@ -1,10 +0,0 @@
-----BEGIN CERTIFICATE-----
-MIIBcTCCARigAwIBAgIRAIix99+AE7Y+uyiLGaRHEhUwCgYIKoZIzj0EAwIwFzEV
-MBMGA1UEAxMMQ2xhbiBSb290IENBMB4XDTI1MDkwMTIwNDI1N1oXDTI2MDkwMjA4
-NDI1N1owFzEVMBMGA1UEAxMMQ2xhbiBSb290IENBMFkwEwYHKoZIzj0CAQYIKoZI
-zj0DAQcDQgAEk7nn9kzxI+xkRmNMlxD+7T78UqV3aqus0foJh6uu1CHC+XaebMcw
-JN95nAe3oYA3yZG6Mnq9nCxsYha4EhzGYqNFMEMwDgYDVR0PAQH/BAQDAgEGMBIG
-A1UdEwEB/wQIMAYBAf8CAQEwHQYDVR0OBBYEFJ+yfPimEwnH2y7+SB4X8VtlAIGD
-MAoGCCqGSM49BAMCA0cAMEQCIBId/CcbT5MPFL90xa+XQz+gVTdRwsu6Bg7ehMso
-Bj0oAiBjSlttd5yeuZGXBm+O0Gl+WdKV60QlrWutNewXFS4UpQ==
-----END CERTIFICATE-----
--- a/clanServices/certificates/tests/vm/vars/shared/step-ca/ca.key/secret
+++ b/clanServices/certificates/tests/vm/vars/shared/step-ca/ca.key/secret
@@ -1,15 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:PnEXteU3I7U0OKgE+oR3xjHdLWYTpJjM/jlzxtGU0uP2pUBuQv3LxtEz+cP0ZsafHLNq2iNJ7xpUEE0g4d3M296S56oSocK3fREWBiJFiaC7SAEUiil1l3UCwHn7LzmdEmn8Kq7T+FK89wwqtVWIASLo2gZC/yHE5eEanEATTchGLSNiHJRzZ8n0Ekm8EFUA6czOqA5nPQHaSmeLzu1g80lSSi1ICly6dJksa6DVucwOyVFYFEeq8Dfyc1eyP8L1ee0D7QFYBMduYOXTKPtNnyDmdaQMj7cMMvE7fn04idIiAqw=,iv:nvLmAfFk2GXnnUy+Afr648R60Ou13eu9UKykkiA8Y+4=,tag:lTTAxfG0EDCU6u7xlW6xSQ==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEMjNWUm5NbktQeTRWRjJE\nWWFZc2Rsa3I5aitPSno1WnhORENNcng5OHprCjNUQVhBVHFBcWFjaW5UdmxKTnZw\nQlI4MDk5Wkp0RElCeWgzZ2dFQkF2dkkKLS0tIDVreTkydnJ0RDdHSHlQeVV6bGlP\nTmpJOVBSb2dkVS9TZG5SRmFjdnQ1b3cKQ5XvwH1jD4XPVs5RzOotBDq8kiE6S5k2\nDBv6ugjsM5qV7/oGP9H69aSB4jKPZjEn3yiNw++Oorc8uXd5kSGh7w==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-09-02T08:43:00Z",
-		"mac": "ENC[AES256_GCM,data:3jFf66UyZUWEtPdPu809LCS3K/Hc6zbnluystl3eXS+KGI+dCoYmN9hQruRNBRxf6jli2RIlArmmEPBDQVt67gG/qugTdT12krWnYAZ78iocmOnkf44fWxn/pqVnn4JYpjEYRgy8ueGDnUkwvpGWVZpcXw5659YeDQuYOJ2mq0U=,iv:3k7fBPrABdLItQ2Z+Mx8Nx0eIEKo93zG/23K+Q5Hl3I=,tag:aehAObdx//DEjbKlOeM7iQ==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.10.2"
-	}
-}
--- a/clanServices/certificates/tests/vm/vars/shared/step-ca/ca.key/users/admin
+++ b/clanServices/certificates/tests/vm/vars/shared/step-ca/ca.key/users/admin
@@ -1 +0,0 @@
-../../../../../sops/users/admin
--- a/clanServices/coredns/README.md
+++ b/clanServices/coredns/README.md
@@ -1,68 +0,0 @@
-This module enables hosting clan-internal services easily, which can be resolved
-inside your VPN. This allows defining a custom top-level domain (e.g. `.clan`)
-and exposing endpoints from a machine to others, which will be
-accessible under `http://<service>.clan` in your browser.
-
-The service consists of two roles:
-
- A `server` role: This is the DNS-server that will be queried when trying to
-  resolve clan-internal services. It defines the top-level domain.
- A `default` role: This does two things. First, it sets up the nameservers so
-  that clan-internal queries are resolved via the `server` machine, while
-  external queries are resolved as normal via DHCP. Second, it allows exposing
-  services (see example below).
-
-## Example Usage
-
-Here the machine `dnsserver` is designated as internal DNS-server for the TLD
-`.foo`. `server01` will host an application that shall be reachable at
-`http://one.foo` and `server02` is going to be reachable at `http://two.foo`.
-`client` is any other machine that is part of the clan but does not host any
-services.
-
-When `client` tries to resolve `http://one.foo`, the DNS query will be
-routed to `dnsserver`, which will answer with `192.168.1.3`. If it tries to
-resolve some external domain (e.g. `https://clan.lol`), the query will not be
-routed to `dnsserver` but resolved as before, via the nameservers advertised by
-DHCP.
-
-```nix
-inventory = {
-
-  machines = {
-    dnsserver = { }; # 192.168.1.2
-    server01 = { };  # 192.168.1.3
-    server02 = { };  # 192.168.1.4
-    client = { };    # 192.168.1.5
-  };
-
-  instances = {
-    coredns = {
-
-      module.name = "@clan/coredns";
-      module.input = "self";
-
-      # Add the default role to all machines, including `client`
-      roles.default.tags.all = { };
-
-      # DNS server
-      roles.server.machines."dnsserver".settings = {
-        ip = "192.168.1.2";
-        tld = "foo";
-      };
-
-      # First service
-      roles.default.machines."server01".settings = {
-        ip = "192.168.1.3";
-        services = [ "one" ];
-      };
-
-      # Second service
-      roles.default.machines."server02".settings = {
-        ip = "192.168.1.4";
-        services = [ "two" ];
-      };
-    };
-  };
-};
-```
--- a/clanServices/coredns/default.nix
+++ b/clanServices/coredns/default.nix
@@ -1,176 +0,0 @@
-{ ... }:
-
-{
-  _class = "clan.service";
-  manifest.name = "coredns";
-  manifest.description = "Clan-internal DNS and service exposure";
-  manifest.categories = [ "Network" ];
-  manifest.readme = builtins.readFile ./README.md;
-
-  roles.server = {
-
-    interface =
-      { lib, ... }:
-      {
-        options.tld = lib.mkOption {
-          type = lib.types.str;
-          default = "clan";
-          description = ''
-            Top-level domain for this instance. All services below this will be
-            resolved internally.
-          '';
-        };
-
-        options.ip = lib.mkOption {
-          type = lib.types.str;
-          # TODO: Set a default
-          description = "IP for the DNS to listen on";
-        };
-
-        options.dnsPort = lib.mkOption {
-          type = lib.types.int;
-          default = 1053;
-          description = "Port of the clan-internal DNS server";
-        };
-      };
-
-    perInstance =
-      {
-        roles,
-        settings,
-        ...
-      }:
-      {
-        nixosModule =
-          {
-            lib,
-            pkgs,
-            ...
-          }:
-          {
-
-            networking.firewall.allowedTCPPorts = [ settings.dnsPort ];
-            networking.firewall.allowedUDPPorts = [ settings.dnsPort ];
-
-            services.coredns =
-              let
-
-                # Get all service entries for one host
-                hostServiceEntries =
-                  host:
-                  lib.strings.concatStringsSep "\n" (
-                    map (
-                      service: "${service} IN A ${roles.default.machines.${host}.settings.ip}   ; ${host}"
-                    ) roles.default.machines.${host}.settings.services
-                  );
-
-                zonefile = pkgs.writeTextFile {
-                  name = "db.${settings.tld}";
-                  text = ''
-                    $TTL 3600
-                    @   IN SOA  ns.${settings.tld}. admin.${settings.tld}. 1 7200 3600 1209600 3600
-                        IN NS   ns.${settings.tld}.
-                    ns  IN A    ${settings.ip}   ; DNS server
-
-                  ''
-                  + (lib.strings.concatStringsSep "\n" (
-                    map (host: hostServiceEntries host) (lib.attrNames roles.default.machines)
-                  ));
-                };
-
-              in
-              {
-                enable = true;
-                config =
-
-                  let
-                    dnsPort = builtins.toString settings.dnsPort;
-                  in
-
-                  ''
-                    .:${dnsPort} {
-                        forward . 1.1.1.1
-                        cache 30
-                    }
-
-                    ${settings.tld}:${dnsPort} {
-                        file ${zonefile}
-                    }
-                  '';
-              };
-          };
-      };
-  };
-
-  roles.default = {
-    interface =
-      { lib, ... }:
-      {
-        options.services = lib.mkOption {
-          type = lib.types.listOf lib.types.str;
-          default = [ ];
-          description = ''
-            Service endpoints this host exposes (without TLD). Each entry will
-            be resolved to <entry>.<tld> using the configured top-level domain.
-          '';
-        };
-
-        options.ip = lib.mkOption {
-          type = lib.types.str;
-          # TODO: Set a default
-          description = "IP on which the services will listen";
-        };
-
-        options.dnsPort = lib.mkOption {
-          type = lib.types.int;
-          default = 1053;
-          description = "Port of the clan-internal DNS server";
-        };
-      };
-
-    perInstance =
-      { roles, settings, ... }:
-      {
-        nixosModule =
-          { lib, ... }:
-          {
-
-            networking.nameservers = map (m: "127.0.0.1:5353#${roles.server.machines.${m}.settings.tld}") (
-              lib.attrNames roles.server.machines
-            );
-
-            services.resolved.domains = map (m: "~${roles.server.machines.${m}.settings.tld}") (
-              lib.attrNames roles.server.machines
-            );
-
-            services.unbound = {
-              enable = true;
-              settings = {
-                server = {
-                  port = 5353;
-                  verbosity = 2;
-                  interface = [ "127.0.0.1" ];
-                  access-control = [ "127.0.0.0/8 allow" ];
-                  do-not-query-localhost = "no";
-                  domain-insecure = map (m: "${roles.server.machines.${m}.settings.tld}.") (
-                    lib.attrNames roles.server.machines
-                  );
-                };
-
-                # Default: forward everything else to DHCP-provided resolvers
-                forward-zone = [
-                  {
-                    name = ".";
-                    forward-addr = "127.0.0.53@53"; # Forward to systemd-resolved
-                  }
-                ];
-                stub-zone = map (m: {
-                  name = "${roles.server.machines.${m}.settings.tld}.";
-                  stub-addr = "${roles.server.machines.${m}.settings.ip}@${builtins.toString settings.dnsPort}";
-                }) (lib.attrNames roles.server.machines);
-              };
-            };
-          };
-      };
-  };
-}
--- a/clanServices/coredns/flake-module.nix
+++ b/clanServices/coredns/flake-module.nix
@@ -1,18 +0,0 @@
-{ ... }:
-let
-  module = ./default.nix;
-in
-{
-  clan.modules = {
-    coredns = module;
-  };
-  perSystem =
-    { ... }:
-    {
-      clan.nixosTests.coredns = {
-        imports = [ ./tests/vm/default.nix ];
-
-        clan.modules."@clan/coredns" = module;
-      };
-    };
-}
--- a/clanServices/coredns/tests/vm/default.nix
+++ b/clanServices/coredns/tests/vm/default.nix
@@ -1,110 +0,0 @@
-{
-  ...
-}:
-{
-  name = "coredns";
-
-  clan = {
-    directory = ./.;
-    test.useContainers = true;
-    inventory = {
-
-      machines = {
-        dns = { }; # 192.168.1.2
-        server01 = { }; # 192.168.1.3
-        server02 = { }; # 192.168.1.4
-        client = { }; # 192.168.1.1
-      };
-
-      instances = {
-        coredns = {
-
-          module.name = "@clan/coredns";
-          module.input = "self";
-
-          roles.default.tags.all = { };
-
-          # First service
-          roles.default.machines."server01".settings = {
-            ip = "192.168.1.3";
-            services = [ "one" ];
-          };
-
-          # Second service
-          roles.default.machines."server02".settings = {
-            ip = "192.168.1.4";
-            services = [ "two" ];
-          };
-
-          # DNS server
-          roles.server.machines."dns".settings = {
-            ip = "192.168.1.2";
-            tld = "foo";
-          };
-        };
-      };
-    };
-  };
-
-  nodes = {
-    dns =
-      { pkgs, ... }:
-      {
-        environment.systemPackages = [ pkgs.net-tools ];
-      };
-
-    client =
-      { pkgs, ... }:
-      {
-        environment.systemPackages = [ pkgs.net-tools ];
-      };
-
-    server01 = {
-      services.nginx = {
-        enable = true;
-        virtualHosts."one.foo" = {
-          locations."/" = {
-            return = "200 'test server response one'";
-            extraConfig = "add_header Content-Type text/plain;";
-          };
-        };
-      };
-    };
-    server02 = {
-      services.nginx = {
-        enable = true;
-        virtualHosts."two.foo" = {
-          locations."/" = {
-            return = "200 'test server response two'";
-            extraConfig = "add_header Content-Type text/plain;";
-          };
-        };
-      };
-    };
-  };
-
-  testScript = ''
-    import json
-    start_all()
-
-    machines = [server01, server02, dns, client]
-
-    for m in machines:
-        m.systemctl("start network-online.target")
-
-    for m in machines:
-        m.wait_for_unit("network-online.target")
-
-    # This should work, but is borken in tests i think? Instead we dig directly
-
-    # client.succeed("curl -k -v http://one.foo")
-    # client.succeed("curl -k -v http://two.foo")
-
-    answer = client.succeed("dig @192.168.1.2 -p 1053 one.foo")
-    assert "192.168.1.3" in answer, "IP not found"
-
-    answer = client.succeed("dig @192.168.1.2 -p 1053 two.foo")
-    assert "192.168.1.4" in answer, "IP not found"
-
-  '';
-}
--- a/clanServices/coredns/tests/vm/sops/users/admin/key.json
+++ b/clanServices/coredns/tests/vm/sops/users/admin/key.json
@@ -1,4 +0,0 @@
-{
-  "publickey": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
-  "type": "age"
-}
--- a/clanServices/data-mesher/flake-module.nix
+++ b/clanServices/data-mesher/flake-module.nix
@@ -1,6 +1,6 @@
-{ ... }:
+{ lib, ... }:
 let
-  module = ./default.nix;
+  module = lib.modules.importApply ./default.nix { };
 in
 {
  clan.modules = {
--- a/clanServices/dyndns/README.md
+++ b/clanServices/dyndns/README.md
@@ -1,15 +1,18 @@
+A Dynamic-DNS (DDNS) service continuously keeps one or more DNS records in sync
+with the current public IP address of your machine.\
+In *clan* this service is backed by
+[qdm12/ddns-updater](https://github.com/qdm12/ddns-updater).

-A Dynamic-DNS (DDNS) service continuously keeps one or more DNS records in sync with the current public IP address of your machine.  
-In *clan* this service is backed by [qdm12/ddns-updater](https://github.com/qdm12/ddns-updater).
+> Info\
+> ddns-updater itself is **heavily opinionated and version-specific**. Whenever
+> you need the exhaustive list of flags or provider-specific fields refer to its
+> *versioned* documentation – **not** the GitHub README

-> Info  
-> ddns-updater itself is **heavily opinionated and version-specific**. Whenever you need the exhaustive list of flags or
-> provider-specific fields refer to its *versioned* documentation – **not** the GitHub README
---
+______________________________________________________________________

 # 1. Configuration model

-Internally ddns-updater consumes a single file named `config.json`.  
+Internally ddns-updater consumes a single file named `config.json`.\
 A minimal configuration for the registrar *Namecheap* looks like:

 ```json
@@ -41,16 +44,17 @@ Another example for *Porkbun*:
 }
 ```

-When you write a `clan.nix` the **common** fields (`provider`, `domain`, `period`, …) are already exposed as typed
-*Nix options*.  
-Registrar-specific or very new keys can be passed through an open attribute set called **extraSettings**.
+When you write a `clan.nix` the **common** fields (`provider`, `domain`,
+`period`, …) are already exposed as typed *Nix options*.\
+Registrar-specific or very new keys can be passed through an open attribute set
+called **extraSettings**.

---
+______________________________________________________________________

 # 2. Full Porkbun example

-Manage three records – `@`, `home` and `test` – of the domain
-`jon.blog` and refresh them every 15 minutes:
+Manage three records – `@`, `home` and `test` – of the domain `jon.blog` and
+refresh them every 15 minutes:

 ```nix title="clan.nix" hl_lines="10-11"
 inventory.instances = {
@@ -80,7 +84,8 @@ inventory.instances = {
 };
 ```

-1. `secret_field_name` tells the *vars-generator* to store the entered secret under the specified JSON field name in the configuration.
+1. `secret_field_name` tells the *vars-generator* to store the entered secret
+   under the specified JSON field name in the configuration.
 2. ddns-updater allows multiple hosts by separating them with a comma.
-3. The `api_key` above is *public*; the corresponding **private key** is retrieved through `secret_field_name`.
-
+3. The `api_key` above is *public*; the corresponding **private key** is
+   retrieved through `secret_field_name`.
--- a/clanServices/dyndns/flake-module.nix
+++ b/clanServices/dyndns/flake-module.nix
@@ -1,6 +1,6 @@
-{ ... }:
+{ lib, ... }:
 let
-  module = ./default.nix;
+  module = lib.modules.importApply ./default.nix { };
 in
 {
  clan.modules = {
--- a/clanServices/emergency-access/README.md
+++ b/clanServices/emergency-access/README.md
@@ -1,4 +1,5 @@
-This service will automatically set the emergency access password if your system fails to boot.
+This service will automatically set the emergency access password if your system
+fails to boot.

 ## Usage

--- a/clanServices/emergency-access/flake-module.nix
+++ b/clanServices/emergency-access/flake-module.nix
@@ -1,6 +1,6 @@
-{ ... }:
+{ lib, ... }:
 {
  clan.modules = {
-    emergency-access = ./default.nix;
+    emergency-access = lib.modules.importApply ./default.nix { };
  };
 }
--- a/clanServices/garage/flake-module.nix
+++ b/clanServices/garage/flake-module.nix
@@ -1,6 +1,6 @@
-{ ... }:
+{ lib, ... }:
 let
-  module = ./default.nix;
+  module = lib.modules.importApply ./default.nix { };
 in
 {
  clan.modules = {
--- a/clanServices/hello-world/default.nix
+++ b/clanServices/hello-world/default.nix
@@ -4,6 +4,7 @@
 # The test for this module in ./tests/vm/default.nix shows an example of how
 # the service is used.

+{ packages }:
 { ... }:
 {
  _class = "clan.service";
@@ -33,17 +34,20 @@
        settings,

        # The name of this instance of the service
+        instanceName,

        # The current machine
+        machine,

        # All roles of this service, with their assigned machines
+        roles,
        ...
      }:
      {
        # Analog to 'perSystem' of flake-parts.
        # For every instance of this service we will add a nixosModule to a morning-machine
        nixosModule =
-          { ... }:
+          { config, ... }:
          {
            # Interaction examples what you could do here:
            # - Get some settings of this machine
--- a/clanServices/hello-world/flake-module.nix
+++ b/clanServices/hello-world/flake-module.nix
@@ -5,7 +5,9 @@
  ...
 }:
 let
-  module = ./default.nix;
+  module = lib.modules.importApply ./default.nix {
+    inherit (self) packages;
+  };
 in
 {
  clan.modules = {
--- a/clanServices/importer/README.md
+++ b/clanServices/importer/README.md
@@ -1,5 +1,6 @@
-The importer module allows users to configure importing modules in a flexible and structured way.
-It exposes the `extraModules` functionality of the inventory, without any added configuration.
+The importer module allows users to configure importing modules in a flexible
+and structured way. It exposes the `extraModules` functionality of the
+inventory, without any added configuration.

 ## Usage

@@ -21,6 +22,6 @@ inventory.instances = {
 };
 ```

-This will import the module `modules/base.nix` to all machines that have the `all` tag,
-which by default is every machine managed by the clan.
-And also import for all machines tagged with `zone1` the module at `modules/zone1.nix`.
+This will import the module `modules/base.nix` to all machines that have the
+`all` tag, which by default is every machine managed by the clan. And also
+import for all machines tagged with `zone1` the module at `modules/zone1.nix`.
--- a/clanServices/importer/flake-module.nix
+++ b/clanServices/importer/flake-module.nix
@@ -1,6 +1,6 @@
-{ ... }:
+{ lib, ... }:
 {
  clan.modules = {
-    importer = ./default.nix;
+    importer = lib.modules.importApply ./default.nix { };
  };
 }
--- a/clanServices/internet/default.nix
+++ b/clanServices/internet/default.nix
@@ -31,6 +31,7 @@
      {
        roles,
        lib,
+        settings,
        ...
      }:
      {
--- a/clanServices/internet/flake-module.nix
+++ b/clanServices/internet/flake-module.nix
@@ -1,6 +1,6 @@
-{ ... }:
+{ lib, ... }:
 let
-  module = ./default.nix;
+  module = lib.modules.importApply ./default.nix { };
 in
 {
  clan.modules = {
--- a/clanServices/localbackup/README.md
+++ b/clanServices/localbackup/README.md
@@ -32,4 +32,5 @@ The service provides these commands:

 - `localbackup-create`: Create a new backup
 - `localbackup-list`: List available backups
- `localbackup-restore`: Restore from backup (requires NAME and FOLDERS environment variables)
+- `localbackup-restore`: Restore from backup (requires NAME and FOLDERS
+  environment variables)
--- a/clanServices/localbackup/flake-module.nix
+++ b/clanServices/localbackup/flake-module.nix
@@ -1,6 +1,6 @@
-{ ... }:
+{ lib, ... }:
 let
-  module = ./default.nix;
+  module = lib.modules.importApply ./default.nix { };
 in
 {
  clan.modules.localbackup = module;
--- a/clanServices/matrix-synapse/default.nix
+++ b/clanServices/matrix-synapse/default.nix
@@ -144,7 +144,7 @@
              };
            }
            // lib.mapAttrs' (
-              _name: user:
+              name: user:
              lib.nameValuePair "matrix-password-${user.name}" {
                files."matrix-password-${user.name}" = { };
                migrateFact = "matrix-password-${user.name}";
--- a/clanServices/matrix-synapse/flake-module.nix
+++ b/clanServices/matrix-synapse/flake-module.nix
@@ -1,6 +1,6 @@
-{ ... }:
+{ lib, ... }:
 let
-  module = ./default.nix;
+  module = lib.modules.importApply ./default.nix { };
 in
 {
  clan.modules.matrix-synapse = module;
--- a/clanServices/monitoring/README.md
+++ b/clanServices/monitoring/README.md
@@ -14,4 +14,3 @@ inventory.instances = {
 This service will eventually set up a monitoring stack for your clan. For now,
 only a telegraf role is implemented, which exposes the currently deployed
 version of your configuration, so it can be used to check for required updates.
-
--- a/clanServices/monitoring/default.nix
+++ b/clanServices/monitoring/default.nix
@@ -1,3 +1,4 @@
+{ packages }:
 { ... }:
 {
  _class = "clan.service";
@@ -10,15 +11,15 @@
      { lib, ... }:
      {
        options.allowAllInterfaces = lib.mkOption {
-          type = lib.types.nullOr lib.types.bool;
-          default = null;
-          description = "Deprecated. Has no effect.";
+          type = lib.types.bool;
+          default = false;
+          description = "If true, Telegraf will listen on all interfaces. Otherwise, it will only listen on the interfaces specified in `interfaces`";
        };

        options.interfaces = lib.mkOption {
-          type = lib.types.nullOr (lib.types.listOf lib.types.str);
-          default = null;
-          description = "Deprecated. Has no effect.";
+          type = lib.types.listOf lib.types.str;
+          default = [ "zt+" ];
+          description = "List of interfaces to expose the metrics to";
        };
      };
  };
--- a/clanServices/monitoring/flake-module.nix
+++ b/clanServices/monitoring/flake-module.nix
@@ -1,24 +1,22 @@
 {
-  lib,
  self,
+  lib,
  ...
 }:
 let
-  module = ./default.nix;
+  module = lib.modules.importApply ./default.nix {
+    inherit (self) packages;
+  };
 in
 {
  clan.modules.monitoring = module;

  perSystem =
-    { pkgs, ... }:
+    { ... }:
    {
      clan.nixosTests.monitoring = {
-        imports = [
-          (lib.modules.importApply ./tests/vm/default.nix {
-            inherit (self) packages;
-            inherit pkgs;
-          })
-        ];
+        imports = [ ./tests/vm/default.nix ];
+
        clan.modules.monitoring = module;
      };
    };
--- a/clanServices/monitoring/telegraf.nix
+++ b/clanServices/monitoring/telegraf.nix
@@ -11,54 +11,34 @@
          ...
        }:
        let
+          jsonpath = "/tmp/telegraf.json";
          auth_user = "prometheus";
        in
        {
-          warnings =
-            lib.optionals (settings.allowAllInterfaces != null) [
-              "monitoring.settings.allowAllInterfaces is deprecated and and has no effect. Please remove it from your inventory."
-              "The monitoring service will now always listen on all interfaces over https."
-            ]
-            ++ (lib.optionals (settings.interfaces != null) [
-              "monitoring.settings.interfaces is deprecated and and has no effect. Please remove it from your inventory."
-              "The monitoring service will now always listen on all interfaces over https."
-            ]);

-          networking.firewall.allowedTCPPorts = [
+          networking.firewall.interfaces = lib.mkIf (settings.allowAllInterfaces == false) (
+            builtins.listToAttrs (
+              map (name: {
+                inherit name;
+                value.allowedTCPPorts = [
+                  9273
+                  9990
+                ];
+              }) settings.interfaces
+            )
+          );
+
+          networking.firewall.allowedTCPPorts = lib.mkIf (settings.allowAllInterfaces == true) [
            9273
            9990
          ];

-          clan.core.vars.generators."telegraf-certs" = {
-            files.crt = {
-              restartUnits = [ "telegraf.service" ];
-              deploy = true;
-              secret = false;
-            };
-            files.key = {
-              mode = "0600";
-              restartUnits = [ "telegraf.service" ];
-            };
-
-            runtimeInputs = [
-              pkgs.openssl
-            ];
-
-            script = ''
-              openssl req -x509 -nodes -newkey rsa:4096 \
-                -keyout "$out"/key \
-                -out "$out"/crt \
-                -subj "/C=US/ST=CA/L=San Francisco/O=Example Corp/OU=IT/CN=example.com"
-            '';
-          };
-
          clan.core.vars.generators."telegraf" = {
+
            files.password.restartUnits = [ "telegraf.service" ];
            files.password-env.restartUnits = [ "telegraf.service" ];
            files.miniserve-auth.restartUnits = [ "telegraf.service" ];

-            dependencies = [ "telegraf-certs" ];
-
            runtimeInputs = [
              pkgs.coreutils
              pkgs.xkcdpass
@@ -76,38 +56,7 @@
          systemd.services.telegraf-json = {
            enable = true;
            wantedBy = [ "multi-user.target" ];
-            after = [ "telegraf.service" ];
-            requires = [ "telegraf.service" ];
-            serviceConfig = {
-              LoadCredential = [
-                "auth_file_path:${config.clan.core.vars.generators.telegraf.files.miniserve-auth.path}"
-                "telegraf_crt_path:${config.clan.core.vars.generators.telegraf-certs.files.crt.path}"
-                "telegraf_key_path:${config.clan.core.vars.generators.telegraf-certs.files.key.path}"
-              ];
-              Environment = [
-                "AUTH_FILE_PATH=%d/auth_file_path"
-                "CRT_PATH=%d/telegraf_crt_path"
-                "KEY_PATH=%d/telegraf_key_path"
-              ];
-              Restart = "on-failure";
-              User = "telegraf";
-              Group = "telegraf";
-              RuntimeDirectory = "telegraf-www";
-            };
-            script = "${pkgs.miniserve}/bin/miniserve -p 9990 /run/telegraf-www --auth-file \"$AUTH_FILE_PATH\" --tls-cert \"$CRT_PATH\" --tls-key \"$KEY_PATH\"";
-          };
-
-          systemd.services.telegraf = {
-            serviceConfig = {
-              LoadCredential = [
-                "telegraf_crt_path:${config.clan.core.vars.generators.telegraf-certs.files.crt.path}"
-                "telegraf_key_path:${config.clan.core.vars.generators.telegraf-certs.files.key.path}"
-              ];
-              Environment = [
-                "CRT_PATH=%d/telegraf_crt_path"
-                "KEY_PATH=%d/telegraf_key_path"
-              ];
-            };
+            script = "${pkgs.miniserve}/bin/miniserve -p 9990 ${jsonpath} --auth-file ${config.clan.core.vars.generators.telegraf.files.miniserve-auth.path}";
          };

          services.telegraf = {
@@ -115,7 +64,6 @@
            environmentFiles = [
              (builtins.toString config.clan.core.vars.generators.telegraf.files.password-env.path)
            ];
-
            extraConfig = {
              agent.interval = "60s";
              inputs = {
@@ -151,12 +99,10 @@
                metric_version = 2;
                basic_username = "${auth_user}";
                basic_password = "$${BASIC_AUTH_PWD}";
-                tls_cert = "$${CRT_PATH}";
-                tls_key = "$${KEY_PATH}";
              };

              outputs.file = {
-                files = [ "/run/telegraf-www/telegraf.json" ];
+                files = [ jsonpath ];
                data_format = "json";
                json_timestamp_units = "1s";
              };
--- a/clanServices/monitoring/tests/vm/default.nix
+++ b/clanServices/monitoring/tests/vm/default.nix
@@ -1,95 +1,24 @@
-{ ... }:
 {
  name = "monitoring";

  clan = {
    directory = ./.;
    inventory = {
-      machines.peer1 = {
-        deploy.targetHost = "[2001:db8:1::1]";
-      };
+      machines.peer1 = { };

      instances."test" = {
        module.name = "monitoring";
        module.input = "self";

        roles.telegraf.machines.peer1 = { };
+
      };
    };
  };

-  nodes = {
-    peer1 =
-      { lib, ... }:
-      {
-        services.telegraf.extraConfig = {
-          agent.interval = lib.mkForce "1s";
-          outputs.prometheus_client = {
-            # BUG: We have to disable basic auth here because the prometheus_client
-            # output plugin will otherwise deadlock Telegraf on startup.
-            basic_password = lib.mkForce "";
-            basic_username = lib.mkForce "";
-          };
-        };
-      };
-  };
-
-  # !!! ANY CHANGES HERE MUST BE REFLECTED IN:
-  # clan_lib/metrics/telegraf.py::get_metrics
  testScript =
-    { nodes, ... }:
+    { ... }:
    ''
-      import time
-      import os
-      import sys
-      import subprocess 
-      import ssl
-      import json
-      import shlex
-      import urllib.request
-      from base64 import b64encode
      start_all()
-
-      peer1.wait_for_unit("network-online.target")
-      peer1.wait_for_unit("telegraf.service")
-      peer1.wait_for_unit("telegraf-json.service")
-
-      # Fetch the basic auth password from the secret file
-      password = peer1.succeed("cat ${nodes.peer1.clan.core.vars.generators.telegraf.files.password.path}").strip()
-      credentials = f"prometheus:{password}"
-
-      print("Using credentials:", credentials)
-      peer1.succeed(f"curl -k -u {credentials}  https://localhost:9990/telegraf.json")
-      peer1.succeed(f"curl -k -u {credentials}  https://localhost:9273/metrics")
-
-      cert_path = "${nodes.peer1.clan.core.vars.generators.telegraf-certs.files.crt.path}"
-      url = "https://192.168.1.1:9990/telegraf.json"  # HTTPS required
-
-      print("Waiting for /var/run/telegraf-www/telegraf.json to be bigger then 200 bytes")
-      peer1.wait_until_succeeds(f"test \"$(stat -c%s /var/run/telegraf-www/telegraf.json)\" -ge 200", timeout=30)
-
-      encoded_credentials = b64encode(credentials.encode("utf-8")).decode("utf-8")
-      headers = {"Authorization": f"Basic {encoded_credentials}"}
-      req = urllib.request.Request(url, headers=headers)  # noqa: S310
-
-      # Trust the provided CA/server certificate
-      context = ssl.create_default_context(cafile=cert_path)
-      context.check_hostname = False
-      context.verify_mode = ssl.CERT_REQUIRED
-
-      found_system = False
-      with urllib.request.urlopen(req, context=context, timeout=5) as response:
-          for raw_line in response:
-              line_str = raw_line.decode("utf-8").strip()
-              if not line_str:
-                  continue
-              obj = json.loads(line_str)
-              if obj.get("name") == "nixos_systems":
-                  found_system = True
-                  print("Found nixos_systems metric in json output")
-                  break
-
-      assert found_system, "nixos_systems metric not found in json output"
-
    '';
 }
--- a/clanServices/monitoring/tests/vm/sops/machines/peer1/key.json
+++ b/clanServices/monitoring/tests/vm/sops/machines/peer1/key.json
@@ -1,6 +0,0 @@
-[
-  {
-    "publickey": "age1ntpf7lqqw4zrk8swjvwtyfak7f2wg04uf7ggu6vk2yyt9qt74qkswn25ck",
-    "type": "age"
-  }
-]
--- a/clanServices/monitoring/tests/vm/sops/secrets/peer1-age.key/secret
+++ b/clanServices/monitoring/tests/vm/sops/secrets/peer1-age.key/secret
@@ -1,15 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:ACFpRJRDIgVPurZwHYW0J1MnvyuiRGnXMeQj1nb9rDAIqHbZzZk8+E0Nu1+EdXwk78ziP6tHR1GQP2ILTtpLME4lXXRVjouW5Eo=,iv:ctR1HENO3XGIq1/gzYi47nateYzsSK317EKn92ptqDI=,tag:q1yuk/ZMx3nuORkiT/XXqg==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvMUtabnp3V0dzNFFYRzk0\nd0ZJbUtDMXRPRGxpRjhYR1MyQzdJYWdJTUFrCjBNV0pPTTlIOHBBbzlEQkFzVy92\ndENxcDdIZlNDSm1oZTNveUtIeVc3MXcKLS0tIGtocENjMFNYT0s1LzhYNy92QU5G\nREVEdjErb0xPSE1yb0g5bGlackh6bEUKwxBoDteD7+JfnlFF71CHx4oEdV/TFYcF\n3JPYUbTWAIyMtUu/CLbX+Pn9Mv+McrEIqhwT7TWL/YbELKVadX/k5Q==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-09-18T14:33:37Z",
-		"mac": "ENC[AES256_GCM,data:4631iJmioJ2vZ2PTFbdEJu7UqtyQbp43XBlgEbFAviGZdugb3weVI24rJ8m1Rdnxq8uciEeiX6YHBhURdWQY4JNm2wTGnjz7e2PwQ8FCwOmxCcIQPpdKKsziq/M4HArgD66eUxIWfTt1yJfHgBcUuuANbrbH8MirllT+hJTBhqE=,iv:rM8a/MpKbK7DlqjuR4BG77XDHLK11Q+E2rzZLDJalhk=,tag:bbGMn4anXrLHg4eLA0/CXA==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.10.2"
-	}
-}
--- a/clanServices/monitoring/tests/vm/sops/secrets/peer1-age.key/users/admin
+++ b/clanServices/monitoring/tests/vm/sops/secrets/peer1-age.key/users/admin
@@ -1 +0,0 @@
-../../../users/admin
--- a/clanServices/monitoring/tests/vm/sops/users/admin/key.json
+++ b/clanServices/monitoring/tests/vm/sops/users/admin/key.json
@@ -1,4 +0,0 @@
-{
-  "publickey": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
-  "type": "age"
-}
--- a/clanServices/monitoring/tests/vm/vars/per-machine/peer1/state-version/version/value
+++ b/clanServices/monitoring/tests/vm/vars/per-machine/peer1/state-version/version/value
@@ -1 +0,0 @@
-25.11
--- a/clanServices/monitoring/tests/vm/vars/per-machine/peer1/telegraf-certs/crt/value
+++ b/clanServices/monitoring/tests/vm/vars/per-machine/peer1/telegraf-certs/crt/value
@@ -1,33 +0,0 @@
-----BEGIN CERTIFICATE-----
-MIIFuTCCA6GgAwIBAgIUMXnA00bMrYvYSq0PjU5/HhXTpmcwDQYJKoZIhvcNAQEL
-BQAwbDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMRYwFAYDVQQHDA1TYW4gRnJh
-bmNpc2NvMRUwEwYDVQQKDAxFeGFtcGxlIENvcnAxCzAJBgNVBAsMAklUMRQwEgYD
-VQQDDAtleGFtcGxlLmNvbTAeFw0yNTA5MTgxNDMzMzZaFw0yNTEwMTgxNDMzMzZa
-MGwxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTEWMBQGA1UEBwwNU2FuIEZyYW5j
-aXNjbzEVMBMGA1UECgwMRXhhbXBsZSBDb3JwMQswCQYDVQQLDAJJVDEUMBIGA1UE
-AwwLZXhhbXBsZS5jb20wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC7
-sdy27E/XMAyKrgeFcXY70R/vX0gx6EcZlWGp2vZSUVAfW1ni/Vq/LVC02sxGEGwv
-10+42yP2yghi89doKo8oCoLsbVu+Pi+TmRsgAijy4jN8pHqbn9/Vk8M8utLa1u4z
-VonSIx9pzCYd2+IIdwVuWoyPAAnK/JIKS3n0A8KWkZ/1lq6YDl2whj8iY4YF2Ekg
-M0SWhquLZiaApAs7STTYvcP7iLfL4U6cH65dRAbwWMpMErPuLf/CedkXiSUp8Zqx
-YIXXE5lf7wqt7tM6k6BHic9FEzAo1HnBWBXV5eB5fs1lX9M1VPmx43XINCfzKwxE
-xODtIBrmvj+qOp6/ihBsu3LlOoOikxmL+T9Wgvf7fOuFC4BgmX85mGUV+EMZCDoJ
-44jlwFF8wgrfG/ZawkP+opNsQLsdOm9DbAdWpx5+JYdgWBahjxuH4z2eIiBmMKgj
-puqDgXdZzcERiYtOEEn0p0tvIkVLO3Tm2GjtHbmg1yF2nwsZjupGfcOGTVX4Zi5x
-ZCs7vYgBtZy96kNAuyZcFl8eBUr/oVg//i3Zc9Vnw/UJryB7I6dvj228hlrSz0Ve
-pGoeZXbcCzRv8NX2V0V1VTtrblSA3w5WRxVzK7UAVetPZ4dlJX+eyx3x2wiC3TiW
-ZYH8haFubQqr1h9oXFHgDE5xYZKr51T3SRGfpn6KvQIDAQABo1MwUTAdBgNVHQ4E
-FgQUJHOErJYWaGdla1XhxWha4XBKFYgwHwYDVR0jBBgwFoAUJHOErJYWaGdla1Xh
-xWha4XBKFYgwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAgEAXqcg
-DW6qzFccR+JTqNR5HBOneB07LxaUqfBTAzU5GTRljY3mVpnTa6vVvXlStChqdmwU
-JJdRhWzTpzE4K92l4UKiYKy486PT1ff34aPLPX5BB9OzL4dgvC3gO0MYDJ84AFZl
-6BN/MRTinioG+s14SsxmgcUTl+HXsxt75r3WKjXvqECqhONLPXEXDJ6TVmfb2yd5
-X9cE6HLS2IXqfvs0EdXmQhSQVS7AlUQWZPDeoBTDUA1tT6ZKCcG0BuHEFnHxg4Yg
-W9xp/wMJCEly+9eNJYZYzyK1AHRGnTMRCSifTJEybwI4A35v68FyRLfAC0lM2qVL
-yQIGjj55+r4yGCK7bySSKjs59LLLxi6Px3S61OxAYq9KMT65nBLK9JAPFyTnikw9
-q/xW208lL+kcRtG+ARo5ycx5QUjWdsHn7TCnqxnDhHznwSV4KGbJFaGQZTtgfcz0
-g5a1GwxqHjEZ9IWiN38f2l4kpLLybKhwVQMYeG000s7rDa5hgjbh13qtQN6vUvI6
-VozzZPnFcR1Rsa8RR9njDugxbVwlJQfGkoMiMZwNGgXnZRC2XaI6SCyPwqTPBuVP
-ZR1eWv4qwsIGKJzJYcdChb5dimlTuVSfZmONpnrOP/4mhQLyaWr3XLqxxP3mIXsz
-k1PNWTkgLsXO8DNkCudxcvPElXfmaw6zwaLrZys=
-----END CERTIFICATE-----
--- a/clanServices/monitoring/tests/vm/vars/per-machine/peer1/telegraf-certs/key/machines/peer1
+++ b/clanServices/monitoring/tests/vm/vars/per-machine/peer1/telegraf-certs/key/machines/peer1
@@ -1 +0,0 @@
-../../../../../../sops/machines/peer1
--- a/clanServices/monitoring/tests/vm/vars/per-machine/peer1/telegraf-certs/key/secret
+++ b/clanServices/monitoring/tests/vm/vars/per-machine/peer1/telegraf-certs/key/secret
@@ -1,19 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:eWZyDgPQppMI/wNGSGsXowQ35I1KW1KH9p3GfxMFKNfoG2rnNwiBG11ARd9CDVMnY5OUt6RxL2sRKBlvqqjouCICDEEj3CWNnEpA55JGnmp3jj+kCRiA/te67F5vDXWus/mLGgI00apHwqUkwRkdck0URgniEIektncP9mQhcKDT7Lksm1S8oTHGDRcdiG4MxhrOq0qumVWdwS3qkAuwOvFMlYeCec6nfKBV5QTGeDxe8m8tijr7RTfM8cEaXrwaJDct1IIiHsl1U+V7+rz0KEvJ8ofeyOLP2zNSq4JfwM9rg/EwVuPsKf6LNmm6G/JdePlaCrwTaLchwb20/Tnf9nvrZu3P5w86IuniIyjFByvLR3bc6wKjxkWDU/+9UoTXfms5qKYNsgylFdg1xfqPjK0SgWiUL4IlxTBYPoPouNp/NZO+vzB+nkAcljCNGnYrfCz53F3gsTwBXIGmye2gvmNMvP+rs2/ySEt3XIzMEiWlBjDlurpAaYgqHhxVuc2jiqX56W8nu/QStopKP6sziPQbRqKDERSACxJ/WWumXTVO56dVJzqTpYnkqpq28tFoRd2yG7cJjlAbgqyxRuNkcLwnTEjGeGSSdVvmBeCqr4LuIh5qd2B4lrHQ6fR9xE/EHuJ2bcAH/x8ukOE7CZrACIEr6HfcpsnNhnpFYdA6gf4Gle21UJpK7hpY3+nCMNEPdfTjYkCvi/guzjG+X+UQPY466qbiVhUnNK4sg35axAJyNH1Jk6lK6+L/o4EVHBvnEUagLN2xFD5w0kXYMpzvQWEMaexyciDs6Natn7MzYVhmea8OfKXVE6dQz3Y5YFJ3uEQGGjuNO4fPyfnVgUULeaAs/IWkoPl2HV0x0KdxMEKGw2CAl7XuHYfV1rFTur+Wvf72rECUiiDmOgDU1g4plcBxQ6ocp34kize3lt1PdEL0R9lWg5c6l8LsqFhLqK8lpPV6neRdXX4UDzPjxnf3Ra/p1Hn283QSAv55pIwJQAo+kjWGckzr9CleUnLfPxQUKJQ7Jpjb/HtuhTQGA0mTsCbEHR6VWM/EYS4WzUd6opmfBstzSplD+kSBFIBoee+0dkUjfZcdFIWJRcabtjnn2TEsHHCK+dAguYY77OGeAh+tw7r66gONgtNlwjCN+KrzWH8cTu8BEaUoZH35lExs/wn+Ucj8IXDUXYLTTzGgokBybEeis+BDWFpDrhsZKFSwRE8tsrxfpgr7R1Ue9zMLoHnKeDZ6ndkm6fMinZ81OOchfE8bElRecCEzs9N/zU9nCtXKSAiYc86VntdbDFcPAm+bZ4hVkQpiRvQVGFYhgLuol7i9xhKD86TuIkqwMybEnT0ruqMNEVljxMWK7Cy+CAWg68w+hY2Pd54vXyC9ORndrYG7zbtVEe2dR7peeWTDTjU+5gVqIlC9lIhnIjgDprzvjszukHzc6TE98W9bnEKieSNGbQntm+YPohprg3CdVoPc1GfVueRqyXfXG0WVkLgfrhgfuLaJGKgwo438cUcRV8qH2wgCa7CGPMgvxzXJrK2dSRmZA/vPgZDpX9r78YlFGo+g/ghGhiNVonMYtMhohlSrzrQARA2AYuMgM91aXPnoKtqDy8+UL4g344bu7Jh3SKyGoqBo3TFLJyQgutzIx6EHG/eIDnTfc/I/3RgBtwo7RR/g+g899nhsiBLKVQId0/EZ+rKSndRTguCnFkjwCvXNW1z5uoiom/J5Q+J0xC1lqcjWF0zn9UwStQmvXDOABJUsGu+AZnj5l27MdRWvTfP2p3r12TXbyPEwOGuJa2LKSL/k4XmuaO8HkxSsfC1ImPOuPGbjgVkh62Y2oMqI90dtVrZ2HyosHwxv4tKzGAZbvH5vkK7TZXgoXCgAq+XwCPG9gtW2sIA2qoxw+SLOG5CEnHt6VlSgelLce9lU6kETdJ13fSqjMwZTQD07vXVnrtCHhsC6s+aY/7/2lJ2x8VmRBXVW7yREF56AdjYYVYgiAoHQqaQ0/OHpr6hacckqBTP0VzlNHLAzwm5zlgsZLDt3NxjTUZdgJEvFxF+rjzZHgyXwMA8hfzPbfVjftDW8hCMD1p8wJSY+CqaH+6/Ui9Q0X4F3YcZbhn/i9ZmMrB+CzBcjVzGrZIA0FLFoJWD2bFVPmMbcmDsT5ei0HafGBb2NBQ1gYvceGlN3WVQbTYCG54QavABNAyGFH+eQHvnk5jCg2DYspoCOPjEvIHjKM+gluIrozrnzMO2+hzp4Z+AscJCOm91LmL4PIFviyWzqy6AV1BLYPMLybdqrbEqUCFIzkXdFW3AZxV69hwhnBaZbLAaLeOG9YUz48o7oOITsDKVtuzUxkYDj+vBxI6zf7SvqjmopNXuZ2+4J+oa/p7xCpNUJTi0V4Ac38BZMiUcpXidu1V0pkGWbca4Dfqf2vBOzOcpLxrorizsyROv1SJAA7mR8KQut28HnkXgshIhB4cY99tnmKN/E1oiLGU0NkUHR6fCBtV2Ak8k7PNCVzhU0y6/NCJoSKqKQpuPEMVT+0QaKNfjtGvWgvZrvcchoMNAAGQa1OMSkmcZ4KdnAUaMROrS5LH3IBwpmSwtTBFkx9Shl3xMm2SpF6SdWnpweUbRAQqKNmRvSQLsXiEwOwxIO018mo8CgyiDyyIf4k0gFlNTapYyacwRO4vTMc3vfXjTcwK1LzUZVeG+e61WVDmmu2e6zls0JhXe7V58OkbnYWnzNzBSxWJluicno/P9h5vefBOHfysKe6SlGye/H0BO7piVG96cjqC0hTul8k1ysQoXtFgf4fbrlqs/D1kR9xVHcr3hAeWd9c4LwXEcSCeVuBd0bsoo2sYIeNSWNdJo9bSF0vb49snroh/RgbzntW3+geL94DEZaXMmf+RLujLEIgoNLlZ6r2jTMvlV6DWbSRE3cii6LFOXdQq53fmG/cI73R3hGNdQaLhZDaOi7hLnxbAMAjtEVQQOQg93a43d/BDGFzgNhKjYqyjZ9mM/Tk37DLlZ+xeIEJpALLIAaOguSG5cg3ALBrdGRec+SPf0r6M6DVkS1VHFz54kPx1eGkJQyQTotcykafNIt1Ahbqif0Z7U2bF0LxUbrZxcoldFteBNzihlXxa4zrY5Uj3BWEOrd6E8zHUIW97KwUAdttMTlNoOrMOgLY4790cVX+K7sa9ZPWz8Lts7o99sdcF7+dHoVxvfM0O3vXdzA/2O1opKqD6ZfPmU1UyWL/N2d4d9JerDhD6RFuBJP7nsv8osf2NHyWdHV9Luj0gOiBZvoOuSI4nvE05rPIXR/UEjXBw+1XaGHqcj8x/6rE6oTAma/1DH+E+N0j6mUd97vHFa48rbABCLWK4n9MrjXpQAVYNlXsSRgmEaVcq3S4RdRHKIp6yhhsUfNI8B8i8obQ3lBj7ktx1BNynnSJKTbQVOritYsQEY3t/+PvCdr4RKflftx0KzwcFTscVSrX22+aZZD+VrPZ3o8OUH8yxBWUsK5hdhuVOfNEjL6TpgDUZgbFUdlTDHmzPm5RxDxK6qGLxr0JwfLNm/+nYliKoyiTFKVKWFDE5Z+Rt0yKj+pDrWXBpKPySTfWX80VbioPW0curpiLt4tjVFfzhZ6V60vPfjcCjHlGz/pA5atUTGlZBP6DynDFJVV4QO0uhRYRfDvk+D6YOjZSHAX0e82IFg5l4d3fcF9WveqIfKRhJEVt3s4PLhCul/ESTWp45h1IA9ZfI4wvmuP0hCUvLgTOKx75QnwfVQRKJ5xa+R0e2Igywnobz63LaX9+yC8KJ23U8ZHS0Wc3E2NqTVEiP93ds98pMRMepoln20bsLUypcW2/py0WYb/YEGzlww9MxywAEQX+Pce8XhI7iylSfUzUmk863Y8cE1RMAiDeMFIQ8vZBT+LKwJ5zdik8jqJFED5XVGtYai7vEjj1tZKrfL+fR6CtDdQqyP1fWS+Xi5CZ7rdr2HiD943Vre1ZA8B7byozkMuahiYVzfTKIGI6lUMvXmmVNkdWXmj26YRy4l4X1KYM9L7f4NX8jRe61sUXanWJgcScxQTNKfGDOiKWRFQjo5UgCXOvjGtFCpRQyksY19TatFHRGrNdV2CmZhFTaaGbCbqD5QlfdoY1StT0Ko3x/YJR4/4Yoa2oCr2cVzNZ0/xPW0bC5NszLnKMjVI8Nj1nNFvMm4yZBpaz6YKk2REf9nndbkbhcppdrZN4Vt7wdt2gV2+5OpXRZ8OaxnegFpNiYuJb61gzXFYmYjWCkU6V9ncGV/71fXWMlxSlu4kLVhIQqD2+RI/VWAcS+cFEvb0Ntjft/gkyQcrLCeeFzdxXSNnlX1h5DigeRwyNtW4Mrk8vFQ6o2Oi3HiBKmvAD7sPkJg+lOJngQ/hI0477c0=,iv:q3j8EAokyyxiszf+wyRqxEr2igaD1bX7YnFx/NbsGg8=,tag:HKKYWRJEUwW2/TxL+5dSng==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age1ntpf7lqqw4zrk8swjvwtyfak7f2wg04uf7ggu6vk2yyt9qt74qkswn25ck",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaeXRjU214aWk5ajl1aW9E\naGJlb1ViaVRmMTBHdkFDQUNDZS94WFZiNUNvCllmWTJBck9hR3U3V09VWDZwQ2xI\nd3ZEQnBIUG5ZSTVIdS8rQ2FMYVhyNk0KLS0tIEE1UG8rSzFyU01sVXhGVHpoaE9i\nSis4Qi9tMGFqbTNMTDZUVk1ZdXkrM28Km4VkfaOsZ69ckjvrg+os43H/O1IoWHzC\nt4LqZRz1Tk7/d1aLWavSPPjVYrCOMZeNBqGbQpGfjjuXrafClRNQdQ==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3R1RHTGViTnRLVVkyM3J0\nbm96cGVPTlo4NXBNL0g1eEVSNG9DUkgwVFRBCmRKVTlMRmV3Tmg2RTZIclBlWlcr\ndzI5MUxhcllzbE1IMDNxa08zVkpITmsKLS0tIG01Y2dyQkY3UmRudFk2d0p6bThn\nemlaWnZoS3p4VHhMTFFwTm9VN0ttYzQKVbLFgtK6NIRIiryWHeeOPD45iwUds4QD\n7b8xYYoxlo+DETggxK6Vz3IdT/BSK5bFtgAxl864b5gW+Aw4c6AO5w==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-09-18T14:33:37Z",
-		"mac": "ENC[AES256_GCM,data:XKCnd0QrAlOCECSeSvbLYHMLbmUh4fMRnLaTb5ARoP4Zc9joWGsCaRZxokc2/sG4BXA/6pkbQXHyIOudKbcBpVjjvs9E+6Mnzt53nfRoH/iOkYPbN2EO49okVZJXW0M1rlBxrxvGuiDlz2p2p6L7neKLy4EB482pYea5+dUr2Yw=,iv:oj/MkZCfkvCmAb79uzEvKwEAm1bKtWhS4rPRAWSgRgw=,tag:h5TPPILXkhJplnDT2Gqtfw==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.10.2"
-	}
-}
--- a/clanServices/monitoring/tests/vm/vars/per-machine/peer1/telegraf-certs/key/users/admin
+++ b/clanServices/monitoring/tests/vm/vars/per-machine/peer1/telegraf-certs/key/users/admin
@@ -1 +0,0 @@
-../../../../../../sops/users/admin
--- a/clanServices/monitoring/tests/vm/vars/per-machine/peer1/telegraf/miniserve-auth/machines/peer1
+++ b/clanServices/monitoring/tests/vm/vars/per-machine/peer1/telegraf/miniserve-auth/machines/peer1
@@ -1 +0,0 @@
-../../../../../../sops/machines/peer1
--- a/clanServices/monitoring/tests/vm/vars/per-machine/peer1/telegraf/miniserve-auth/secret
+++ b/clanServices/monitoring/tests/vm/vars/per-machine/peer1/telegraf/miniserve-auth/secret
@@ -1,19 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:Q0Vn7J0nERccBYT8HZxHF0Zi5qxmMu40n0H1c+L2SCRF6vRLdURxXKDwvh8xtTU=,iv:ucExjoYDFYy19GsBbNNldJRPBSpT+L+x4PrwTG+m2K8=,tag:/Quupyy/nnUNZsDudEMmNA==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age1ntpf7lqqw4zrk8swjvwtyfak7f2wg04uf7ggu6vk2yyt9qt74qkswn25ck",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQWWo5OEJ5N1RTR0xMaDhL\nQnlUV2RrRXIzM01OemhQWjVkd3FNZjRhR2dzCi9IeE56b3VZTkNkdW9DMzVia3Zx\nbklxWmFpenRjdEIrc0ZDTGdmSTAxRTQKLS0tIHZJdjdYUzhhY0YzQjRqS0psZmpI\nVHJpUjNZNHRpc2ZWSml1TVNNejhiT28K8TTP/J+XspXZ7TVYj9YaBhEodPIXjojB\nRLqAIgJXRaK4NCLukC6l0IMii6w5J/512RnO2ZBTGhKfbdLfyLOFqg==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrZVc5b0FhbzNXcG1zUDlD\neEVWcWpSRkRCMkxBTHdBM3dCbjVpR3FBa0VjCitlTmx4eUJOMHlaU0dFZEhpK3ZD\nZzlMQXVuZWpnaUNmQW9kOGtOaGVDMU0KLS0tIFNlUi9LSzF0UEJCSVBiRlRSNFQz\nNHhMbmNlRXd4ZEJQWVcvTWdCRWEzMUkKls7RbmNOdPDx8z15F+7qay9qIWx6jNsN\nTahT+GgbG29t1aGQCb0yEzKuUyAp39maxxSWToPsfCgJSYJ8RYiUng==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-09-18T14:33:39Z",
-		"mac": "ENC[AES256_GCM,data:g+9/fRiqom2+W28ZpiF+oBj9V6ieq5Xz3sRz3GyzvHoLr6yw51JvpG2QuYNYANW0WCiUjFDkU0qPj/9gLHcuX52nc+gNaTzznb1QGPg7WCGSQI7xaMzyYsPxHpg/BOdj5CL8GyLiOWstD1ch0kc3bJmyu68sJUs04uGtHAADzsE=,iv:oASrYaZarEPDu0R3hd/jMazLgwG5r//hIdMyU/tN15o=,tag:o1fgf5oy+rlWXg88FN5Nfw==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.10.2"
-	}
-}
--- a/clanServices/monitoring/tests/vm/vars/per-machine/peer1/telegraf/miniserve-auth/users/admin
+++ b/clanServices/monitoring/tests/vm/vars/per-machine/peer1/telegraf/miniserve-auth/users/admin
@@ -1 +0,0 @@
-../../../../../../sops/users/admin
--- a/clanServices/monitoring/tests/vm/vars/per-machine/peer1/telegraf/password-env/machines/peer1
+++ b/clanServices/monitoring/tests/vm/vars/per-machine/peer1/telegraf/password-env/machines/peer1
@@ -1 +0,0 @@
-../../../../../../sops/machines/peer1
--- a/clanServices/monitoring/tests/vm/vars/per-machine/peer1/telegraf/password-env/secret
+++ b/clanServices/monitoring/tests/vm/vars/per-machine/peer1/telegraf/password-env/secret
@@ -1,19 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:4NIUEK05kEQAKjR8F9mU3M/XvtZXw+X6CejVI0usMcb4WzagNz7XTVDhLWXZ9St5Ev0Y,iv:bD2+rDLMoWSqUAIZRJof0wRrJVya1xwZUTIJBdCs98I=,tag:g2s4byFHTzwU3ikcBGMElA==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age1ntpf7lqqw4zrk8swjvwtyfak7f2wg04uf7ggu6vk2yyt9qt74qkswn25ck",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQeVh2M2tqSGlOVkpzNlhU\nd0pMd1R0c0tQWnZzdXViWmtxcjl1Wk1Ka0FNCnBUUWJVbjlyR1hSNGpXNWlPRHJB\nNnMzN3BMQ2NDamFBMlhHbVdJUEZ6cjQKLS0tIEJjWmI0ZDl1NXgrSW9uc0R0LzAr\neEwwOC9DdDg2RTJHQ0M3QTFlcVBaSE0K2Du4NguefdEyY1gS6OuVdO3gHga4omcR\n8B+K1wUfIQbArxZLawPxrj7WNDoW5d4mF9fA3MeV1DFyc4KwtYZmUw==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvWkdBakVrMVR4RU8xdDlF\nRDkvL0Mrb3ltazhIMjRLZDVlSTVlaFY2ODBBCnlQM2s0SGEvZjFDN3dGWDhIN0dK\nenhQbjZ1ZS9QZzg5SE5XazZXS3dFSkkKLS0tIHJhKzhadGpjTXd4L3hOQkhpR0Fy\nYzhTN2dxVSt3OE5uZFpuWmVlYW4vd1kKwHOxP0C5mLcm4oIT/sGQtUsdsmu3LSN0\nSola5+N+IrAZ+HKnuZlDLZ5JmJSc5j/YhGNn7KR1xhkhfGSS1e3UZw==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-09-18T14:33:39Z",
-		"mac": "ENC[AES256_GCM,data:ehbrYqTJcsBKGHUB25JHFnKXrJ6z3LkcElZ89xVr4XxLet+odbhsjIoP2FCcxex7PlXcegMduhHBpXwNGUbX+IUNAXTxlWA9CLDmYhWuS2WLiEVXrS11NE03/zUyHdVx/C38dbIPrWD9iaYSrAiuOyfqDTh9k/Bn7vehLTtadoE=,iv:Nk2WVuJydi5tfsb1Mib4A6NocBCDp9QoIbSadq3bIDI=,tag:IaoyfCv3SkmtemXMR9XnkA==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.10.2"
-	}
-}
--- a/clanServices/monitoring/tests/vm/vars/per-machine/peer1/telegraf/password-env/users/admin
+++ b/clanServices/monitoring/tests/vm/vars/per-machine/peer1/telegraf/password-env/users/admin
@@ -1 +0,0 @@
-../../../../../../sops/users/admin
--- a/clanServices/monitoring/tests/vm/vars/per-machine/peer1/telegraf/password/machines/peer1
+++ b/clanServices/monitoring/tests/vm/vars/per-machine/peer1/telegraf/password/machines/peer1
@@ -1 +0,0 @@
-../../../../../../sops/machines/peer1
--- a/clanServices/monitoring/tests/vm/vars/per-machine/peer1/telegraf/password/secret
+++ b/clanServices/monitoring/tests/vm/vars/per-machine/peer1/telegraf/password/secret
@@ -1,19 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:0BmP+NwG/NGe6R5yU55/MdPEQ8E5u+VXWtvstHc4GpDtmBY=,iv:vo8XBcN7KcYjiyKvvp+XDOdP9yR9B7wJi0XlaiCdVbk=,tag:brK9ntAPSuOvw/C+oDo51g==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age1ntpf7lqqw4zrk8swjvwtyfak7f2wg04uf7ggu6vk2yyt9qt74qkswn25ck",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4Tk1INGtybUVlejlNNlZE\nVms3TkdRVVF1T0E4TmV3NmxvYWVEL2U3WVhNCjJIaHhBcWVlMEYxRjg5bzJpTWdJ\neUhaRTNRTmtlTW0zUXQxTVZEMkQ2MFEKLS0tIFNGWDI4b2FXTE8xQ2xqb0cyK3FI\ncktHWnE5c1ZSVFpmQU1HZmU2VVB1QmcK/s1fVmwpMMg4BYkkAJzSY7hVQWae1F7g\nmfH8EGlr74mifWUNEbd49/K13nl8atQx6bcau83JIEQR+yyihuY4Jw==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsL2FXVytUUVZnVU90bG5L\nYURiYjgwN3RuTldWMGl4clpUWmxkeUsrVzM0CkhKZFgwWHl4dWhNSWRQRXVPNDR6\na3hHNmp2RG9YNDhNM2MyV2FuOGY2UlUKLS0tIFpNU2tNOHdhRDRTdHhYWVh2NGZa\nU3J3S0hpclZzWGIwTlFyczdNZkZSZTAKXCZrLaIOVq90ejoKMaRiK0xNw8WOPcnm\nz2uxProEYvQhY8k29mhCFX5HCN0tGn1XTtHeDL7uHuKuFsnSG/fgYQ==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-09-18T14:33:39Z",
-		"mac": "ENC[AES256_GCM,data:QkGJKj/H+MI9Mr9Up5NDUToSddY5eTz47egc2+IatfxR8RebKJ2/mYaeLV26vPdmY60bIac4N/nZkoa6IVBhkHHMvsEHsx3nD6Lro9Wf/pWP8Zddzr90LF5p2+wusq25JutKQiPKOb2gmrcagmSsH/7V/UqI/my3PMeKmw6irhw=,iv:hOtHF/cDFdNfvqCKRhJsOwAHEiQmCPjENzsg23sKG+Q=,tag:K7qG9b4fQD0VbAV8OYp3vw==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.10.2"
-	}
-}
--- a/clanServices/monitoring/tests/vm/vars/per-machine/peer1/telegraf/password/users/admin
+++ b/clanServices/monitoring/tests/vm/vars/per-machine/peer1/telegraf/password/users/admin
@@ -1 +0,0 @@
-../../../../../../sops/users/admin
--- a/clanServices/mycelium/flake-module.nix
+++ b/clanServices/mycelium/flake-module.nix
@@ -1,6 +1,6 @@
-{ ... }:
+{ lib, ... }:
 let
-  module = ./default.nix;
+  module = lib.modules.importApply ./default.nix { };
 in
 {
  clan.modules = {
--- a/clanServices/packages/flake-module.nix
+++ b/clanServices/packages/flake-module.nix
@@ -1,6 +1,6 @@
-{ ... }:
+{ lib, ... }:
 let
-  module = ./default.nix;
+  module = lib.modules.importApply ./default.nix { };
 in
 {
  clan.modules = {
--- a/clanServices/sshd/README.md
+++ b/clanServices/sshd/README.md
@@ -1,8 +1,13 @@
-The `sshd` Clan service manages SSH to make it easy to securely access your machines over the internet. The service uses `vars` to store the SSH host keys for each machine to ensure they remain stable across deployments.
+The `sshd` Clan service manages SSH to make it easy to securely access your
+machines over the internet. The service uses `vars` to store the SSH host keys
+for each machine to ensure they remain stable across deployments.

-`sshd` also generates SSH certificates for both servers and clients allowing for certificate-based authentication for SSH.
+`sshd` also generates SSH certificates for both servers and clients allowing for
+certificate-based authentication for SSH.

-The service also disables password-based authentication over SSH, to access your machines you'll need to use public key authentication or certificate-based authentication.
+The service also disables password-based authentication over SSH, to access your
+machines you'll need to use public key authentication or certificate-based
+authentication.

 ## Usage

--- a/clanServices/sshd/flake-module.nix
+++ b/clanServices/sshd/flake-module.nix
@@ -1,6 +1,6 @@
-{ ... }:
+{ lib, ... }:
 let
-  module = ./default.nix;
+  module = lib.modules.importApply ./default.nix { };
 in
 {
  clan.modules = {
--- a/clanServices/state-version/README.md
+++ b/clanServices/state-version/README.md
@@ -0,0 +1,37 @@
+This service generates the `system.stateVersion` of the nixos installation
+automatically.
+
+Possible values:
+[system.stateVersion](https://search.nixos.org/options?channel=unstable&show=system.stateVersion&from=0&size=50&sort=relevance&type=packages&query=stateVersion)
+
+## Usage
+
+The following configuration will set `stateVersion` for all machines:
+
+```
+inventory.instances = {
+  state-version = {
+    module = {
+      name = "state-version";
+      input = "clan";
+    };
+    roles.default.tags.all = { };
+  };
+```
+
+## Migration
+
+If you are already setting `system.stateVersion`, either let the automatic
+generation happen, or trigger the generation manually for the machine. The
+service will take the specified version, if one is already supplied through the
+config.
+
+To manually generate the version for a specified machine run:
+
+```
+clan vars generate [MACHINE]
+```
+
+If the setting was already set, you can then remove `system.stateVersion` from
+your machine configuration. For new machines, just import the service as shown
+above.
--- a/clanServices/state-version/default.nix
+++ b/clanServices/state-version/default.nix
@@ -0,0 +1,50 @@
+{ ... }:
+{
+  _class = "clan.service";
+  manifest.name = "clan-core/state-version";
+  manifest.description = "Automatically generate the state version of the nixos installation.";
+  manifest.categories = [ "System" ];
+  manifest.readme = builtins.readFile ./README.md;
+
+  roles.default = {
+
+    perInstance =
+      { ... }:
+      {
+        nixosModule =
+          {
+            config,
+            lib,
+            ...
+          }:
+          let
+            var = config.clan.core.vars.generators.state-version.files.version or { };
+          in
+          {
+
+            warnings = [
+              ''
+                The clan.state-version service is deprecated and will be
+                removed on 2025-07-15 in favor of a nix option.
+
+                Please migrate your configuration to use `clan.core.settings.state-version.enable = true` instead.
+              ''
+            ];
+
+            system.stateVersion = lib.mkDefault (lib.removeSuffix "\n" var.value);
+
+            clan.core.vars.generators.state-version = {
+              files.version = {
+                secret = false;
+                value = lib.mkDefault config.system.nixos.release;
+              };
+              runtimeInputs = [ ];
+              script = ''
+                echo -n ${config.system.stateVersion} > "$out"/version
+              '';
+            };
+          };
+      };
+  };
+
+}
--- a/clanServices/state-version/flake-module.nix
+++ b/clanServices/state-version/flake-module.nix
@@ -0,0 +1,16 @@
+{ lib, ... }:
+let
+  module = lib.modules.importApply ./default.nix { };
+in
+{
+  clan.modules.state-version = module;
+  perSystem =
+    { ... }:
+    {
+      clan.nixosTests.state-version = {
+        imports = [ ./tests/vm/default.nix ];
+
+        clan.modules."@clan/state-version" = module;
+      };
+    };
+}
--- a/clanServices/state-version/tests/vm/default.nix
+++ b/clanServices/state-version/tests/vm/default.nix
@@ -0,0 +1,22 @@
+{ lib, ... }:
+{
+  name = "service-state-version";
+
+  clan = {
+    directory = ./.;
+    inventory = {
+      machines.server = { };
+      instances.default = {
+        module.name = "@clan/state-version";
+        module.input = "self";
+        roles.default.machines."server" = { };
+      };
+    };
+  };
+
+  nodes.server = { };
+
+  testScript = lib.mkDefault ''
+    start_all()
+  '';
+}
--- a/clanServices/state-version/tests/vm/sops/users/admin/key.json
+++ b/clanServices/state-version/tests/vm/sops/users/admin/key.json
--- a/clanServices/state-version/tests/vm/vars/per-machine/server/state-version/version/value
+++ b/clanServices/state-version/tests/vm/vars/per-machine/server/state-version/version/value
--- a/clanServices/syncthing/README.md
+++ b/clanServices/syncthing/README.md
@@ -15,6 +15,7 @@

 Now the folder `~/syncthing/documents` will be shared with all your machines.

+## Documentation

-## Documentation 
-Extensive documentation is available on the [Syncthing](https://docs.syncthing.net/) website.
+Extensive documentation is available on the
+[Syncthing](https://docs.syncthing.net/) website.
--- a/clanServices/syncthing/flake-module.nix
+++ b/clanServices/syncthing/flake-module.nix
@@ -5,7 +5,9 @@
  ...
 }:
 let
-  module = ./default.nix;
+  module = lib.modules.importApply ./default.nix {
+    inherit (self) packages;
+  };
 in
 {
  clan.modules = {
--- a/clanServices/syncthing/vars.nix
+++ b/clanServices/syncthing/vars.nix
@@ -11,9 +11,7 @@
      pkgs.syncthing
    ];
    script = ''
-      export TMPDIR=/tmp
-      TEMPORARY=$(mktemp -d)
-      syncthing generate --config "$out" --data "$TEMPORARY"
+      syncthing generate --config "$out"
      mv "$out"/key.pem "$out"/key
      mv "$out"/cert.pem "$out"/cert
      cat "$out"/config.xml | grep -oP '(?<=<device id=")[^"]+' | uniq > "$out"/id
--- a/clanServices/tor/default.nix
+++ b/clanServices/tor/default.nix
@@ -58,7 +58,7 @@
          priority = lib.mkDefault 10;
          # TODO add user space network support to clan-cli
          module = "clan_lib.network.tor";
-          peers = lib.mapAttrs (name: _machine: {
+          peers = lib.mapAttrs (name: machine: {
            host.var = {
              machine = name;
              generator = "tor_${instanceName}";
--- a/clanServices/tor/flake-module.nix
+++ b/clanServices/tor/flake-module.nix
@@ -1,6 +1,6 @@
-{ ... }:
+{ lib, ... }:
 let
-  module = ./default.nix;
+  module = lib.modules.importApply ./default.nix { };
 in
 {
  clan.modules = {
--- a/clanServices/trusted-nix-caches/README.md
+++ b/clanServices/trusted-nix-caches/README.md
@@ -7,7 +7,7 @@ inventory.instances = {
  clan-cache = {
    module = {
      name = "trusted-nix-caches";
-      input = "clan-core";
+      input = "clan";
    };
    roles.default.machines.draper = { };
  };
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
pinpox	41c52197ea	Run formatter	2025-08-25 18:52:55 +02:00
pinpox	a9c53b8b1e	treefmt: add mdformat for markdown files	2025-08-25 18:40:30 +02:00