clan-cli: Refactor the API to use the Flake object

.gitea/workflows/checks.yaml

@@ -1,6 +1,9 @@
 name: checks
 on:
   pull_request:
+  push:
+    branches:
+      - main
 jobs:
   checks-impure:
     runs-on: nix

.gitea/workflows/update-clan-core-for-checks.yml

@@ -1,53 +0,0 @@
-name: "Update pinned clan-core for checks"
-on:
-  repository_dispatch:
-  workflow_dispatch:
-  schedule:
-    - cron: "51 2 * * *"
-jobs:
-  update-pinned-clan-core:
-    runs-on: nix
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          submodules: true
-      - name: Update clan-core for checks
-        run: nix run .#update-clan-core-for-checks
-      - name: Create pull request
-        env:
-          CI_BOT_TOKEN: ${{ secrets.CI_BOT_TOKEN }}
-        run: |
-          export GIT_AUTHOR_NAME=clan-bot GIT_AUTHOR_EMAIL=clan-bot@clan.lol GIT_COMMITTER_NAME=clan-bot GIT_COMMITTER_EMAIL=clan-bot@clan.lol
-          git commit -am "Update pinned clan-core for checks"
-          git push origin +HEAD:update-clan-core-for-checks
-          set -x
-          resp=$(nix run --inputs-from . nixpkgs#curl -- -X POST \
-            -H "Authorization: token $CI_BOT_TOKEN" \
-            -H "Content-Type: application/json" \
-            -d '{
-              "head": "update-clan-core-for-checks",
-              "base": "main",
-              "title": "Update Clan Core for Checks",
-              "body": "This PR updates the pinned clan-core flake input that is used for checks."
-            }' \
-           "https://git.clan.lol/api/v1/repos/clan/clan-core/pulls")
-          pr_number=$(echo "$resp" | jq -r '.number')
-
-          # Merge when succeed
-          while true; do
-            resp=$(nix run --inputs-from . nixpkgs#curl -- -X POST \
-              -H "Authorization: token $CI_BOT_TOKEN" \
-              -H "Content-Type: application/json" \
-              -d '{
-                "Do": "merge",
-                "merge_when_checks_succeed": true,
-                "delete_branch_after_merge": true
-              }' \
-              "https://git.clan.lol/api/v1/repos/clan/clan-core/pulls/$pr_number/merge")
-            msg=$(echo $resp | jq -r '.message')
-            if [[ "$msg" != "Please try again later" ]]; then
-              break
-            fi
-            echo "Retrying in 2 seconds..."
-            sleep 2
-          done

.gitignore

@@ -1,24 +1,24 @@
 .direnv
-.nixos-test-history
-.hypothesis
+**/.nixos-test-history
+***/.hypothesis
 out.log
 .coverage.*
-qubeclan
+**/qubeclan
 pkgs/repro-hook
-testdir
+**/testdir
 democlan
 example_clan
-result*
-/pkgs/clan-cli/clan_lib/nixpkgs
+**/result
+/pkgs/clan-cli/clan_cli/nixpkgs
 /pkgs/clan-cli/clan_cli/webui/assets
 nixos.qcow2
-*.glade~
+**/*.glade~
 /docs/out
-/pkgs/clan-cli/clan_lib/select
-.local.env
+/pkgs/clan-cli/clan_cli/select
+**/.local.env
 
-# macOS stuff
-.DS_Store
+# MacOS stuff
+**/.DS_store
 
 # dream2nix
 .dream2nix
@@ -46,11 +46,3 @@ dist
 
 # TODO: remove after bug in select is fixed
 select
-
-# Generated files
-pkgs/clan-app/ui/api/API.json
-pkgs/clan-app/ui/api/API.ts
-pkgs/clan-app/ui/api/Inventory.ts
-pkgs/clan-app/ui/api/modules_schemas.json
-pkgs/clan-app/ui/api/schema.json
-pkgs/clan-app/ui/.fonts

CONTRIBUTING.md

@@ -1,4 +1,4 @@
 # Contributing to Clan
 
 <!-- Local file: docs/CONTRIBUTING.md -->
-Go to the Contributing guide at https://docs.clan.lol/guides/contributing/CONTRIBUTING
+Go to the Contributing guide at https://docs.clan.lol/manual/contribute/

README.md

@@ -24,7 +24,7 @@ If you're new to Clan and eager to dive in, start with our quickstart guide and
 
 In the Clan ecosystem, security is paramount. Learn how to handle secrets effectively:
 
-- **Secrets Management**: Securely manage secrets by consulting [secrets](https://docs.clan.lol/guides/getting-started/secrets/)<!-- [secrets.md](docs/site/guides/getting-started/secrets.md) -->.
+- **Secrets Management**: Securely manage secrets by consulting [secrets](https://docs.clan.lol/getting-started/secrets/)<!-- [secrets.md](docs/site/getting-started/secrets.md) -->.
 
 ### Contributing to Clan
 

checks/backups/flake-module.nix

@@ -147,7 +147,25 @@
   perSystem =
     { pkgs, ... }:
     let
-      clanCore = self.checks.x86_64-linux.clan-core-for-checks;
+      clanCore = self.filter {
+        include = [
+          "checks/backups"
+          "checks/flake-module.nix"
+          "clanModules/borgbackup"
+          "clanModules/flake-module.nix"
+          "clanModules/localbackup"
+          "clanModules/packages"
+          "clanModules/single-disk"
+          "clanModules/zerotier"
+          "flake.lock"
+          "flakeModules"
+          "inventory.json"
+          "nixosModules"
+          # Just include everything in 'lib'
+          # If anything changes in /lib that may affect everything
+          "lib"
+        ];
+      };
     in
     {
       checks = pkgs.lib.mkIf pkgs.stdenv.isLinux {
@@ -164,6 +182,11 @@
               # import the inventory generated nixosModules
               self.clanInternals.inventoryClass.machines.test-backup.machineImports;
             clan.core.settings.directory = ./.;
+            environment.systemPackages = [
+              (pkgs.writeShellScriptBin "foo" ''
+                echo ${clanCore}
+              '')
+            ];
           };
 
           testScript = ''

checks/borgbackup-legacy/default.nix

@@ -1,51 +0,0 @@
-(
-  { ... }:
-  {
-    name = "borgbackup";
-
-    nodes.machine =
-      { self, pkgs, ... }:
-      {
-        imports = [
-          self.clanModules.borgbackup
-          self.nixosModules.clanCore
-          {
-            services.openssh.enable = true;
-            services.borgbackup.repos.testrepo = {
-              authorizedKeys = [ (builtins.readFile ../assets/ssh/pubkey) ];
-            };
-          }
-          {
-            clan.core.settings.directory = ./.;
-            clan.core.state.testState.folders = [ "/etc/state" ];
-            environment.etc.state.text = "hello world";
-            systemd.tmpfiles.settings."vmsecrets" = {
-              "/etc/secrets/borgbackup/borgbackup.ssh" = {
-                C.argument = "${../assets/ssh/privkey}";
-                z = {
-                  mode = "0400";
-                  user = "root";
-                };
-              };
-              "/etc/secrets/borgbackup/borgbackup.repokey" = {
-                C.argument = builtins.toString (pkgs.writeText "repokey" "repokey12345");
-                z = {
-                  mode = "0400";
-                  user = "root";
-                };
-              };
-            };
-            # clan.core.facts.secretStore = "vm";
-            clan.core.vars.settings.secretStore = "vm";
-
-            clan.borgbackup.destinations.test.repo = "borg@localhost:.";
-          }
-        ];
-      };
-    testScript = ''
-      start_all()
-      machine.systemctl("start --wait borgbackup-job-test.service")
-      assert "machine-test" in machine.succeed("BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK=yes /run/current-system/sw/bin/borg-job-test list")
-    '';
-  }
-)

checks/borgbackup/default.nix

@@ -1,118 +1,51 @@
-{
-  pkgs,
-  nixosLib,
-  clan-core,
-  ...
-}:
-nixosLib.runTest (
+(
   { ... }:
   {
-    imports = [
-      clan-core.modules.nixosVmTest.clanTest
-    ];
-
-    hostPkgs = pkgs;
-
     name = "borgbackup";
 
-    clan = {
-      directory = ./.;
-      test.useContainers = true;
-      modules."@clan/borgbackup" = ../../clanServices/borgbackup/default.nix;
-      inventory = {
+    nodes.machine =
+      { self, pkgs, ... }:
+      {
+        imports = [
+          self.clanModules.borgbackup
+          self.nixosModules.clanCore
+          {
+            services.openssh.enable = true;
+            services.borgbackup.repos.testrepo = {
+              authorizedKeys = [ (builtins.readFile ../assets/ssh/pubkey) ];
+            };
+          }
+          {
+            clan.core.settings.directory = ./.;
+            clan.core.state.testState.folders = [ "/etc/state" ];
+            environment.etc.state.text = "hello world";
+            systemd.tmpfiles.settings."vmsecrets" = {
+              "/etc/secrets/borgbackup/borgbackup.ssh" = {
+                C.argument = "${../assets/ssh/privkey}";
+                z = {
+                  mode = "0400";
+                  user = "root";
+                };
+              };
+              "/etc/secrets/borgbackup/borgbackup.repokey" = {
+                C.argument = builtins.toString (pkgs.writeText "repokey" "repokey12345");
+                z = {
+                  mode = "0400";
+                  user = "root";
+                };
+              };
+            };
+            # clan.core.facts.secretStore = "vm";
+            clan.core.vars.settings.secretStore = "vm";
 
-        machines.clientone = { };
-        machines.serverone = { };
-
-        instances = {
-          borgone = {
-
-            module.name = "@clan/borgbackup";
-
-            roles.client.machines."clientone" = { };
-            roles.server.machines."serverone".settings.directory = "/tmp/borg-test";
-          };
-        };
+            clan.borgbackup.destinations.test.repo = "borg@localhost:.";
+          }
+        ];
       };
-    };
-
-    nodes = {
-
-      serverone = {
-        services.openssh.enable = true;
-        # Needed so PAM doesn't see the user as locked
-        users.users.borg.password = "borg";
-      };
-
-      clientone =
-        { config, pkgs, ... }:
-        let
-          dependencies = [
-            clan-core
-            pkgs.stdenv.drvPath
-          ] ++ builtins.map (i: i.outPath) (builtins.attrValues clan-core.inputs);
-          closureInfo = pkgs.closureInfo { rootPaths = dependencies; };
-
-        in
-        {
-
-          services.openssh.enable = true;
-
-          users.users.root.openssh.authorizedKeys.keyFiles = [ ../assets/ssh/pubkey ];
-
-          clan.core.networking.targetHost = config.networking.hostName;
-
-          environment.systemPackages = [ clan-core.packages.${pkgs.system}.clan-cli ];
-
-          environment.etc.install-closure.source = "${closureInfo}/store-paths";
-          nix.settings = {
-            substituters = pkgs.lib.mkForce [ ];
-            hashed-mirrors = null;
-            connect-timeout = pkgs.lib.mkForce 3;
-            flake-registry = pkgs.writeText "flake-registry" ''{"flakes":[],"version":2}'';
-          };
-          system.extraDependencies = dependencies;
-
-          clan.core.state.test-backups.folders = [ "/var/test-backups" ];
-        };
-
-    };
-
     testScript = ''
-      import json
       start_all()
-
-      machines = [clientone, serverone]
-
-      for m in machines:
-          m.systemctl("start network-online.target")
-
-      for m in machines:
-          m.wait_for_unit("network-online.target")
-
-      # dummy data
-      clientone.succeed("mkdir -p /var/test-backups /var/test-service")
-      clientone.succeed("echo testing > /var/test-backups/somefile")
-
-      clientone.succeed("${pkgs.coreutils}/bin/install -Dm 600 ${../assets/ssh/privkey} /root/.ssh/id_ed25519")
-      clientone.succeed("${pkgs.coreutils}/bin/touch /root/.ssh/known_hosts")
-      clientone.wait_until_succeeds("timeout 2 ssh -o StrictHostKeyChecking=accept-new localhost hostname")
-      clientone.wait_until_succeeds("timeout 2 ssh -o StrictHostKeyChecking=accept-new $(hostname) hostname")
-
-      # create
-      clientone.succeed("borgbackup-create >&2")
-      clientone.wait_until_succeeds("! systemctl is-active borgbackup-job-serverone >&2")
-
-      # list
-      backup_id = json.loads(clientone.succeed("borg-job-serverone list --json"))["archives"][0]["archive"]
-      out = clientone.succeed("borgbackup-list").strip()
-      print(out)
-      assert backup_id in out, f"backup {backup_id} not found in {out}"
-
-      # borgbackup restore
-      clientone.succeed("rm -f /var/test-backups/somefile")
-      clientone.succeed(f"NAME='serverone::borg@serverone:.::{backup_id}' borgbackup-restore >&2")
-      assert clientone.succeed("cat /var/test-backups/somefile").strip() == "testing", "restore failed"
+      machine.systemctl("start --wait borgbackup-job-test.service")
+      assert "machine-test" in machine.succeed("BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK=yes /run/current-system/sw/bin/borg-job-test list")
     '';
   }
 )

checks/borgbackup/sops/machines/clientone/key.json

@@ -1,6 +0,0 @@
-[
-  {
-    "publickey": "age1tyyx2ratu8s9ugyre36xyksnquth9gxeh7wjdhvsk89rtf8yu5wq0pk04c",
-    "type": "age"
-  }
-]

checks/borgbackup/sops/secrets/clientone-age.key/secret

@@ -1,15 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:wCKoKuJo4uXycfqEUYAXDlRRMGJaWgOFiaQa4Wigs0jx1eCI80lP3cEZ1QKyrU/9m9POoZz0JlaKHcuhziTKUqaevHvGfVq2y00=,iv:pH5a90bJbK9Ro6zndNJ18qd4/rU+Tdm+y+jJZtY7UGg=,tag:9lHZJ9C/zIfy8nFrYt9JBQ==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwUDhpd1ZqbWFqR0I3dVFI\nOHlyZnFUYXJnWElrRWhoUHVNMzdKd0VrcGdRCkphQVhuYzlJV0p1MG9MSW5ncWJ3\nREp1OEJxMzQzS2MxTk9aMkJ1a3B0Q0kKLS0tIENweVJ2Tk1yeXlFc2F5cTNIV3F3\nTkRFOVZ1amRIYmg1K3hGWUFSTTl4Wk0KHJRJ7756Msod7Bsmn9SgtwRo53B8Ilp3\nhsAPv+TtdmOD8He9MvGV+BElKEXCsLUwhp/Py6n6CJCczu0VIr8owg==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-05-20T13:33:56Z",
-		"mac": "ENC[AES256_GCM,data:FyfxXhnI6o4SVGJY2e1eMDnfkbMWiCkP4JL/G4PQvzz+c7OIuz8xaa03P3VW7b7o85NP2Tln4FMNTZ0FYtQwd0kKypLUnIxAHsixAHFCv4X8ul1gtZynzgbFbmc0GkfVWW8Lf+U+vvDwT+UrEVfcmksCjdvAOwP26PvlEhYEkSw=,iv:H+VrWYL+kLOLezCZrI8ZgeCsaUdpb7LxDMiLotezVPs=,tag:B/cbPdiEFumGKQHby5inCA==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.10.2"
-	}
-}

checks/borgbackup/sops/secrets/clientone-age.key/users/admin

@@ -1 +0,0 @@
-../../../users/admin

checks/borgbackup/sops/users/admin/key.json

@@ -1,4 +0,0 @@
-{
-  "publickey": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
-  "type": "age"
-}

checks/borgbackup/vars/per-machine/clientone/borgbackup/borgbackup.repokey/machines/clientone

@@ -1 +0,0 @@
-../../../../../../sops/machines/clientone

checks/borgbackup/vars/per-machine/clientone/borgbackup/borgbackup.repokey/secret

@@ -1,19 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:52vY68gqbwiZRMUBKc9SeXR06fuKAhuAPciLpxXgEOxI,iv:Y34AVoHaZzRiFFTDbekXP1X3W8zSXJmzVCYODYkdxnY=,tag:8WQaGEHQKT/n+auHUZCE0w==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOdUFUZUZ2M00zTGlhNjF4\nL0VlMVY4Z2xMbWRWR29zZlFwdm1XRk12NGtBCnkrb3A4M3BkalMyeWdDaUdQdStt\nUWY3SXJROXdpRzN0NlBJNEpjTEZ0aFkKLS0tIGZkMGhsTXB2RnRqVHVrUFQwL2lw\nZnBreWhWa3Jrcm4yOXBiaUlPWFM1aDAKRE+Zzrja7KeANEJUbmFYuVoO3qGyi4iH\n0cfH0W8irRe9vsKMXz7YJxtByYLwRulrT8tXtElHvIEVJG0mwwaf0Q==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1tyyx2ratu8s9ugyre36xyksnquth9gxeh7wjdhvsk89rtf8yu5wq0pk04c",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsNEljUFdnQ0tTQ1IxZ2Zo\nYkc4V2dCaUk0YXh5SzlSazhsRTVKVzFvVXhFCkRyMlMxR3EyWEZIRzFQV3d2dVpz\na3NPbk9XdWR1NmtMQlZsNlBuU0NkQWMKLS0tIDlDYzMzOExVL1g5SVRHYlpUQlBV\na2lpdTUwaEd4OXhWUWxuV04xRVVKNHcK9coohAD1IoarLOXSGg3MIRXQ3BsTIA4y\nKrcS/PxITKJs7ihg93RZin70R79Qsij1RHZLKGfgGJ67i8ZCxc4N0g==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-05-20T13:33:59Z",
-		"mac": "ENC[AES256_GCM,data:eABMaIe07dwAMMlgrIUUpfpj73q1H5Keafql91MBQ5NN9Znr5lI/ennQsQsuLO8ZTCC34US/MJndliW34SqVM9y53p0jjPzqBxSKYq74iNcBz7+TxbjlY1aapgTRPr6Ta8I/5loohnxlHqjvLL70ZzfbChDN0/4jZsDVXYNfbIk=,iv:41Mz2u40JN0iE5zPUK6siaxo0rTtlk7fGWq7TF5NyUI=,tag:1A+h6XPH7DeQ6kxGDV3PgQ==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.10.2"
-	}
-}

checks/borgbackup/vars/per-machine/clientone/borgbackup/borgbackup.repokey/users/admin

@@ -1 +0,0 @@
-../../../../../../sops/users/admin

checks/borgbackup/vars/per-machine/clientone/borgbackup/borgbackup.ssh.pub/value

@@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE3clYF6BDZ0PxfDdprx7YYM4U4PKEZkWUuhpre0wb7w nixbld@kiwi

checks/borgbackup/vars/per-machine/clientone/borgbackup/borgbackup.ssh/machines/clientone

@@ -1 +0,0 @@
-../../../../../../sops/machines/clientone

checks/borgbackup/vars/per-machine/clientone/borgbackup/borgbackup.ssh/secret

@@ -1,19 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:tAjfBW75XDS8lfJCf/+9rPYH3aMjRX1nmdN5dPMxnrlhuEPM3Smv9AM93Tz36k7BKk31bUWcV/99ax+KaIK1Rzgym/CwKGGxIUziuVOEOwrCOBeOw7amZ9YGsgiLUTLIhoeO6SjfdZ4q2JxGPw7KqNfUM9kiZT01vx5JTLa24JdvBKpizbtHRlL1lappTRVt0dG2WhT9/YhQUGu9ZFqPs8+bPOBclc78qjCm2DAPgsprK+JCBuq+r+qHgAx4Ee1QHI7FC39e5NeGBTBeZfZ5d95+0klKuTx9FCPs6QRBkQ0tN29OpwzkdSuRAXGGHpzPkZ+FupbETtSQWCmnjma6jPzEl8oDUTWooKK0mUEz8icvTQvRfyM3Qt3mQpkX3e0rTEbZzoLdWCwTufP/tRQNDCWvI/NV7OjIHpNPjymqE5uPmiBpA6y6hhCH7zL1eDo11ICSIX3hkyFJH2svvFQn6oLrPAoByvNutfetKhd8z7NFpVeIOWwtuPzO7wU5M7zESHww0JF78vjFwimQYYhQ,iv:fVjeVez4dTGSrANi5ZeP9PJhsSySqeqqJzBDbd0gFW4=,tag:Aa89+bWLljxV1tlSHtpddw==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVaW94M3VwcFJ2elcrRGlv\nUGdzVk9vU2ZweFpIVVlIRUEyRVlSMlEyeHpVCnJuV0xIS3hMLy9IbG92S0pvL2RP\nL0J0WkVuWVhQdldHekdYNTVXdFkrUlEKLS0tIFQzdGErZVBwQUFNMXErbDBQVURZ\naHlsY2hDa1Zud1E2dFh0ZHl4VEJ2S0kKVABqwRcCUTcsBInfo9CpFtoM3kl4KMyU\nGXDjHOSjlX5df7OKZAvYukgX7Q2penvq+Fq4fa4A1Cmkqga7cHdJ+A==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1tyyx2ratu8s9ugyre36xyksnquth9gxeh7wjdhvsk89rtf8yu5wq0pk04c",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnbHRSVEg3Vi9qTnAwWGF6\nbEdIR2gvZ2laZnJMbVF3NjcvN25OdXF3WXowCnVUODdEa1NWU3JISXlrNldOMjVi\ndUlMTVdBaWxvZHlwSTdJY3NCcll4SjAKLS0tIEp6ZVlDTklqVXdNYzJ2dElCR21o\nUWphMDdyVVppVnFHOVlHZTNtajZzOXMKRB61lUrAkUXSYl3ffOOK8k4QgLA4bFln\naQ7GOol8f8W5H68zXBMZrhjP6k4kZDfknc9jgyoWM7jaZNSWC5J19Q==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-05-20T13:33:59Z",
-		"mac": "ENC[AES256_GCM,data:NjVpDweqxTSQGt9VKR/CMfvbvHQJHCi8P7XbOuKLZKQ4GVoeZ5r4PsC6nxKHHikN6YL1oJCmaSxr0mJRk/sFZg/+wdW8L7F5aQeFRiWo9jCjH0MDMnfiu5a0xjRt21uPl/7LUJ9jNon5nyxPTlZMeYSvTP2Q9spnNuN8vqipP68=,iv:DPvbN9IvWiUfxiJk6mey/us8N1GGVJcSJrT8Bty4kB4=,tag:+emK8uSkfIGUXoYpaWeu3A==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.10.2"
-	}
-}

checks/borgbackup/vars/per-machine/clientone/borgbackup/borgbackup.ssh/users/admin

@@ -1 +0,0 @@
-../../../../../../sops/users/admin

checks/clan-core-for-checks.nix

@@ -1,6 +0,0 @@
-{ fetchgit }:
-fetchgit {
-  url = "https://git.clan.lol/clan/clan-core.git";
-  rev = "13a9b1719835ef4510e4adb6941ddfe9a91d41cb";
-  sha256 = "sha256-M+pLnpuX+vIsxTFtbBZaNA1OwGQPeSbsMbTiDl1t4vY=";
-}

checks/data-mesher/default.nix

@@ -1,89 +1,86 @@
 {
   pkgs,
-  nixosLib,
-  clan-core,
-  lib,
+  self,
+  clanLib,
   ...
 }:
-let
-  machines = [
-    "admin"
-    "peer"
-    "signer"
-  ];
-in
-nixosLib.runTest (
-  { ... }:
-  {
-    imports = [
-      clan-core.modules.nixosVmTest.clanTest
-    ];
+clanLib.test.makeTestClan {
+  inherit pkgs self;
+  nixosTest = (
+    { lib, ... }:
+    let
+      machines = [
+        "admin"
+        "peer"
+        "signer"
+      ];
+    in
+    {
+      name = "data-mesher";
 
-    hostPkgs = pkgs;
-    name = "data-mesher";
-
-    clan = {
-      directory = ./.;
-      inventory = {
-        machines = lib.genAttrs machines (_: { });
-        services = {
-          data-mesher.default = {
-            roles.peer.machines = [ "peer" ];
-            roles.admin.machines = [ "admin" ];
-            roles.signer.machines = [ "signer" ];
+      clan = {
+        directory = ./.;
+        inventory = {
+          machines = lib.genAttrs machines (_: { });
+          services = {
+            data-mesher.default = {
+              roles.peer.machines = [ "peer" ];
+              roles.admin.machines = [ "admin" ];
+              roles.signer.machines = [ "signer" ];
+            };
           };
         };
       };
-    };
 
-    defaults =
-      { config, ... }:
-      {
-        environment.systemPackages = [
-          config.services.data-mesher.package
-        ];
+      defaults =
+        { config, ... }:
+        {
+          environment.systemPackages = [
+            config.services.data-mesher.package
+          ];
 
-        clan.data-mesher.network.interface = "eth1";
-        clan.data-mesher.bootstrapNodes = [
-          "[2001:db8:1::1]:7946" # peer1
-          "[2001:db8:1::2]:7946" # peer2
-        ];
+          clan.data-mesher.network.interface = "eth1";
+          clan.data-mesher.bootstrapNodes = [
+            "[2001:db8:1::1]:7946" # peer1
+            "[2001:db8:1::2]:7946" # peer2
+          ];
 
-        # speed up for testing
-        services.data-mesher.settings = {
-          cluster.join_interval = lib.mkForce "2s";
-          cluster.push_pull_interval = lib.mkForce "5s";
+          # speed up for testing
+          services.data-mesher.settings = {
+            cluster.join_interval = lib.mkForce "2s";
+            cluster.push_pull_interval = lib.mkForce "5s";
+          };
         };
+
+      nodes = {
+        admin.clan.data-mesher.network.tld = "foo";
       };
 
-    nodes = {
-      admin.clan.data-mesher.network.tld = "foo";
-    };
+      # TODO Add better test script.
+      testScript = ''
 
-    # TODO Add better test script.
-    testScript = ''
+        def resolve(node, success = {}, fail = [], timeout = 60):
+          for hostname, ips in success.items():
+              for ip in ips:
+                  node.wait_until_succeeds(f"getent ahosts {hostname} | grep {ip}", timeout)
 
-      def resolve(node, success = {}, fail = [], timeout = 60):
-        for hostname, ips in success.items():
-            for ip in ips:
-                node.wait_until_succeeds(f"getent ahosts {hostname} | grep {ip}", timeout)
+          for hostname in fail:
+              node.wait_until_fails(f"getent ahosts {hostname}")
 
-        for hostname in fail:
-            node.wait_until_fails(f"getent ahosts {hostname}")
+        start_all()
 
-      start_all()
+        admin.wait_for_unit("data-mesher")
+        signer.wait_for_unit("data-mesher")
+        peer.wait_for_unit("data-mesher")
 
-      admin.wait_for_unit("data-mesher")
-      signer.wait_for_unit("data-mesher")
-      peer.wait_for_unit("data-mesher")
-
-      # check dns resolution
-      for node in [admin, signer, peer]:
-        resolve(node, {
-            "admin.foo": ["2001:db8:1::1", "192.168.1.1"],
-            "peer.foo": ["2001:db8:1::2", "192.168.1.2"],
-            "signer.foo": ["2001:db8:1::3", "192.168.1.3"]
-        })
-    '';
-  }
-)
+        # check dns resolution
+        for node in [admin, signer, peer]:
+          resolve(node, {
+              "admin.foo": ["2001:db8:1::1", "192.168.1.1"],
+              "peer.foo": ["2001:db8:1::2", "192.168.1.2"],
+              "signer.foo": ["2001:db8:1::3", "192.168.1.3"]
+          })
+      '';
+    }
+  );
+}

checks/deltachat/default.nix

@@ -0,0 +1,28 @@
+(import ../lib/container-test.nix) (
+  { pkgs, ... }:
+  {
+    name = "deltachat";
+
+    nodes.machine =
+      { self, ... }:
+      {
+        imports = [
+          self.clanModules.deltachat
+          self.nixosModules.clanCore
+          {
+            clan.core.settings.directory = ./.;
+          }
+        ];
+      };
+    testScript = ''
+      start_all()
+      machine.wait_for_unit("maddy")
+      # imap
+      machine.succeed("${pkgs.netcat}/bin/nc -z -v ::1 143")
+      # smtp submission
+      machine.succeed("${pkgs.netcat}/bin/nc -z -v ::1 587")
+      # smtp
+      machine.succeed("${pkgs.netcat}/bin/nc -z -v ::1 25")
+    '';
+  }
+)

checks/dummy-inventory-test-from-flake/default.nix

@@ -1,66 +0,0 @@
-{
-  pkgs,
-  nixosLib,
-  clan-core,
-  ...
-}:
-
-nixosLib.runTest (
-  { hostPkgs, config, ... }:
-  {
-    imports = [
-      clan-core.modules.nixosVmTest.clanTest
-    ];
-
-    hostPkgs = pkgs;
-
-    # This tests the compatibility of the inventory
-    # With the test framework
-    # - legacy-modules
-    # - clan.service modules
-    name = "dummy-inventory-test-from-flake";
-
-    clan.test.fromFlake = ./.;
-
-    extraPythonPackages = _p: [
-      clan-core.legacyPackages.${hostPkgs.system}.setupNixInNixPythonPackage
-    ];
-
-    testScript =
-      { nodes, ... }:
-      ''
-        from setup_nix_in_nix import setup_nix_in_nix # type: ignore[import-untyped]
-        setup_nix_in_nix()
-
-        def run_clan(cmd: list[str], **kwargs) -> str:
-            import subprocess
-            clan = "${clan-core.packages.${hostPkgs.system}.clan-cli}/bin/clan"
-            clan_args = ["--flake", "${config.clan.test.flakeForSandbox}"]
-            return subprocess.run(
-                ["${hostPkgs.util-linux}/bin/unshare", "--user", "--map-user", "1000", "--map-group", "1000", clan, *cmd, *clan_args],
-                **kwargs,
-                check=True,
-            ).stdout
-
-        start_all()
-        admin1.wait_for_unit("multi-user.target")
-        peer1.wait_for_unit("multi-user.target")
-        # Provided by the legacy module
-        print(admin1.succeed("systemctl status dummy-service"))
-        print(peer1.succeed("systemctl status dummy-service"))
-
-        # peer1 should have the 'hello' file
-        peer1.succeed("cat ${nodes.peer1.clan.core.vars.generators.new-service.files.not-a-secret.path}")
-
-        ls_out = peer1.succeed("ls -la ${nodes.peer1.clan.core.vars.generators.new-service.files.a-secret.path}")
-        # Check that the file is owned by 'nobody'
-        assert "nobody" in ls_out, f"File is not owned by 'nobody': {ls_out}"
-        # Check that the file is in the 'users' group
-        assert "users" in ls_out, f"File is not in the 'users' group: {ls_out}"
-        # Check that the file is in the '0644' mode
-        assert "-rw-r--r--" in ls_out, f"File is not in the '0644' mode: {ls_out}"
-
-        run_clan(["machines", "list"])
-      '';
-  }
-)

checks/dummy-inventory-test-from-flake/flake.nix

@@ -1,70 +0,0 @@
-{
-  inputs.clan-core.url = "https://git.clan.lol/clan/clan-core/archive/main.tar.gz";
-  inputs.nixpkgs.follows = "clan-core/nixpkgs";
-
-  outputs =
-    { self, clan-core, ... }:
-    let
-      # Usage see: https://docs.clan.lol
-      clan = clan-core.clanLib.buildClan {
-        inherit self;
-
-        inventory =
-          { ... }:
-          {
-            meta.name = "foo";
-            machines.peer1 = { };
-            machines.admin1 = { };
-            services = {
-              legacy-module.default = {
-                roles.peer.machines = [ "peer1" ];
-                roles.admin.machines = [ "admin1" ];
-              };
-            };
-
-            instances."test" = {
-              module.name = "new-service";
-              roles.peer.machines.peer1 = { };
-            };
-
-            modules = {
-              legacy-module = ./legacy-module;
-            };
-          };
-
-        modules.new-service = {
-          _class = "clan.service";
-          manifest.name = "new-service";
-          roles.peer = { };
-          perMachine = {
-            nixosModule = {
-              # This should be generated by:
-              # nix run .#generate-test-vars -- checks/dummy-inventory-test dummy-inventory-test
-              clan.core.vars.generators.new-service = {
-                files.not-a-secret = {
-                  secret = false;
-                  deploy = true;
-                };
-                files.a-secret = {
-                  secret = true;
-                  deploy = true;
-                  owner = "nobody";
-                  group = "users";
-                  mode = "0644";
-                };
-                script = ''
-                  # This is a dummy script that does nothing
-                  echo -n "not-a-secret" > $out/not-a-secret
-                  echo -n "a-secret" > $out/a-secret
-                '';
-              };
-            };
-          };
-        };
-      };
-    in
-    {
-      # all machines managed by Clan
-      inherit (clan) nixosConfigurations nixosModules clanInternals;
-    };
-}

checks/dummy-inventory-test-from-flake/legacy-module/README.md

@@ -1,10 +0,0 @@
----
-description = "Set up dummy-module"
-categories = ["System"]
-features = [ "inventory" ]
-
-[constraints]
-roles.admin.min = 1
-roles.admin.max = 1
----
-

checks/dummy-inventory-test-from-flake/legacy-module/roles/admin.nix

@@ -1,5 +0,0 @@
-{
-  imports = [
-    ../shared.nix
-  ];
-}

checks/dummy-inventory-test-from-flake/legacy-module/roles/peer.nix

@@ -1,5 +0,0 @@
-{
-  imports = [
-    ../shared.nix
-  ];
-}

checks/dummy-inventory-test-from-flake/legacy-module/shared.nix

@@ -1,34 +0,0 @@
-{ config, ... }:
-{
-  systemd.services.dummy-service = {
-    enable = true;
-    description = "Dummy service";
-    wantedBy = [ "multi-user.target" ];
-    serviceConfig = {
-      Type = "oneshot";
-      RemainAfterExit = true;
-    };
-    script = ''
-      generated_password_path="${config.clan.core.vars.generators.dummy-generator.files.generated-password.path}"
-      if [ ! -f "$generated_password_path" ]; then
-        echo "Generated password file not found: $generated_password_path"
-        exit 1
-      fi
-      host_id_path="${config.clan.core.vars.generators.dummy-generator.files.host-id.path}"
-      if [ ! -e "$host_id_path" ]; then
-        echo "Host ID file not found: $host_id_path"
-        exit 1
-      fi
-    '';
-  };
-
-  # TODO: add and prompt and make it work in the test framework
-  clan.core.vars.generators.dummy-generator = {
-    files.host-id.secret = false;
-    files.generated-password.secret = true;
-    script = ''
-      echo $RANDOM > "$out"/host-id
-      echo $RANDOM > "$out"/generated-password
-    '';
-  };
-}

checks/dummy-inventory-test-from-flake/sops/machines/admin1/key.json

@@ -1,6 +0,0 @@
-[
-  {
-    "publickey": "age12yt078p9ewxy2sh0a36nxdpgglv8wqqftmj4dkj9rgy5fuyn4p0q5nje9m",
-    "type": "age"
-  }
-]

checks/dummy-inventory-test-from-flake/sops/machines/peer1/key.json

@@ -1,6 +0,0 @@
-[
-  {
-    "publickey": "age12w2ld4vxfyf3hdq2d8la4cu0tye4pq97egvv3me4wary7xkdnq2snh0zx2",
-    "type": "age"
-  }
-]

checks/dummy-inventory-test-from-flake/sops/secrets/admin1-age.key/secret

@@ -1,15 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:GPpsUhSzWPtTP8EUNKsobFXjYqDldhkkIH6hBk11RsDLAGWdhVrwcISGbhsWpYhvAdPKA84DB6Zqyh9lL2bLM9//ybC1kzY20BQ=,iv:NrxMLdedT2FCkUAD00SwsAHchIsxWvqe7BQekWuJcxw=,tag:pMDXcMyHnLF2t3Qhb1KolA==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzb2tWb1ExKzdmUTRzaGVj\nK3cyYTBHZTJwVjM1SzUvbHFiMnVhY05iKzFZCnJTSE1VSVdpcUFLSEJuaE1CZzJD\nWjZxYzN2cUltdThNMVRKU3FIb20vUXMKLS0tIFlHQXRIdnMybDZFUVEzWlQrc1dw\nbUxhZURXblhHd0pka0JIK1FTZEVqdUEKI/rfxQRBc+xGRelhswkJQ9GcZs6lzfgy\nuCxS5JI9npdPLQ/131F3b21+sP5YWqks41uZG+vslM1zQ+BlENNhDw==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-05-04T12:44:13Z",
-		"mac": "ENC[AES256_GCM,data:fWxLHXBWolHVxv6Q7utcy6OVLV13ziswrIYyNKiwy1vsU8i7xvvuGO1HlnE+q43D2WuHR53liKq1UHuf1JMrWzTwZ0PYe+CVugtoEtbR2qu3rK/jAkOyMyhmmHzmf6Rp4ZMCzKgZeC/X2bDKY/z0firHAvjWydEyogutHpvtznM=,iv:OQI3FfkLneqbdztAXVQB3UkHwDPK+0hWu5hZ9m8Oczg=,tag:em6GfS2QHsXs391QKPxfmA==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.10.2"
-	}
-}

checks/dummy-inventory-test-from-flake/sops/secrets/admin1-age.key/users/admin

@@ -1 +0,0 @@
-../../../users/admin

checks/dummy-inventory-test-from-flake/sops/secrets/peer1-age.key/secret

@@ -1,15 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:W3cOkUYL5/YulW2pEISyTlMaA/t7/WBE7BoCdFlqrqgaCL7tG4IV2HgjiPWzIVMs0zvDSaghdEvAIoB4wOf470d1nSWs0/E8SDk=,iv:wXXaZIw3sPY8L/wxsu7+C5v+d3RQRuwxZRP4YLkS8K4=,tag:HeK4okj7O7XDA9JDz2KULw==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxRC83b3dtSVpXcGovNnVs\nTzFka2J2MEFhYkF1ajVrdjMrNUtPWGRObjM4Cm5zSUR5OGw0T0FaL3BaWmR6L29W\nU2syMFIyMUhFRUZpWFpCT28vWko2ZU0KLS0tIFpHK3BjU1V1L0FrMGtwTGFuU3Mz\nRkV5VjI2Vndod202bUR3RWQwNXpmVzQKNk8/y7M62wTIIKqY4r3ZRk5aUCRUfine\n1LUSHMKa2bRe+hR7nS7AF4BGXp03h2UPY0FP5+U5q8XuIj1jfMX8kg==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-05-04T12:44:16Z",
-		"mac": "ENC[AES256_GCM,data:yTkQeFvKrN1+5FP+yInsaRWSAG+ZGG0uWF3+gVRvzJTFxab8kT2XkAMc+4D7SKgcjsmwBBb77GNoAKaKByhZ92UaCfZ2X66i7ZmYUwLM1NVVmm+xiwwjsh7PJXlZO/70anTzd1evtlZse0jEmRnV5Y0F0M6YqXmuwU+qGUJU2F8=,iv:sy6ozhXonWVruaQfa7pdEoV5GkNZR/UbbINKAPbgWeg=,tag:VMruQ1KExmlMR7TsGNgMlg==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.10.2"
-	}
-}

checks/dummy-inventory-test-from-flake/sops/secrets/peer1-age.key/users/admin

@@ -1 +0,0 @@
-../../../users/admin

checks/dummy-inventory-test-from-flake/sops/users/admin/key.json

@@ -1,4 +0,0 @@
-{
-  "publickey": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
-  "type": "age"
-}

checks/dummy-inventory-test-from-flake/vars/per-machine/admin1/dummy-generator/generated-password/machines/admin1

@@ -1 +0,0 @@
-../../../../../../sops/machines/admin1

checks/dummy-inventory-test-from-flake/vars/per-machine/admin1/dummy-generator/generated-password/secret

@@ -1,19 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:T8edCvw=,iv:7/G5xt5fv38I9uFzk7WMIr9xQdz/6lFxqOC+18HBg8Q=,tag:F39Cxbgmzml+lZLsZ59Kmg==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age12yt078p9ewxy2sh0a36nxdpgglv8wqqftmj4dkj9rgy5fuyn4p0q5nje9m",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPNUhiYkZWK3dPMHNiRTVM\nRHNvaHFsOFp1c0UxQitwVG0zY01MNDZRV1E4CjEybENoTVIzN29vQ3FtUTRSYmFU\nNXIzQllVSllXRGN2M1B6WXJLdHZSajgKLS0tIDllZ0ZmZUcxMHhDQUpUOEdWbmkv\neUQweHArYTdFSmNteVpuQ3BKdnh0Y0UKs8Hm3D+rXRRfpUVSZM3zYjs6b9z8g10D\nGTkvreUMim4CS22pjdQ3eNA9TGeDXfWXE7XzwXLCb+wVcf7KwbDmvg==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKSDhpT3cvck9PenZYVEZH\ndFQreVRBdG93L1dBUGlvYjFWcDlHWUJsZUVBCm9DMTJ4UytiYzlEVHNWdUcwS1ds\nT0dhbzAzNDdmbDBCU0dvL2xNeHpXcGsKLS0tIFArbmpsbzU3WnpJdUt1MGN0L1d0\nV1JkTDJYWUxsbmhTQVNOeVRaSUhTODQKk9Vph2eldS5nwuvVX0SCsxEm4B+sO76Z\ndIjJ3OQxzoZmXMaOOuKHC5U0Y75Qn7eXC43w5KHsl2CMIUYsBGJOZw==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-05-04T12:44:14Z",
-		"mac": "ENC[AES256_GCM,data:6fKrS1eLLUWlHkQpxLFXBRk6f2wa5ADLMViVvYXXGU24ayl9UuNSKrCRHp9cbzhqhti3HdwyNt6TM+2X6qhiiAQanKEB2PF7JRYX74NfNKil9BEDjt5AqqtpSgVv5l7Ku/uSHaPkd2sDmzHsy5Q4bSGxJQokStk1kidrwle+mbc=,iv:I/Aad82L/TCxStM8d8IZICUrwdjRbGx2fuGWqexr21o=,tag:BfgRbGUxhPZzK2fLik1kxA==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.10.2"
-	}
-}

checks/dummy-inventory-test-from-flake/vars/per-machine/admin1/dummy-generator/generated-password/users/admin

@@ -1 +0,0 @@
-../../../../../../sops/users/admin

checks/dummy-inventory-test-from-flake/vars/per-machine/admin1/dummy-generator/host-id/value

@@ -1 +0,0 @@
-18650

checks/dummy-inventory-test-from-flake/vars/per-machine/peer1/dummy-generator/generated-password/machines/peer1

@@ -1 +0,0 @@
-../../../../../../sops/machines/peer1

checks/dummy-inventory-test-from-flake/vars/per-machine/peer1/dummy-generator/generated-password/secret

@@ -1,19 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:vp0yW0Gt,iv:FO2cy+UpEl5aRay/LUGu//c82QiVxuKuGSaVh0rGJvc=,tag:vf2RAOPpcRW0HwxHoGy17A==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age12w2ld4vxfyf3hdq2d8la4cu0tye4pq97egvv3me4wary7xkdnq2snh0zx2",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjaFVNMEd2YUxpSm5XVVRi\nY2ZUc3NTOStJUFNMWWVPQTgxZ2tCK1QrMW1ZCjYwMlA4dkIzSlc0TGtvZjcyK3Bi\nM3pob2JOOFUyeVJ6M2JpaTRCZlc1R0kKLS0tIDJMb1dFcVRWckhwYWNCQng0RlFO\nTkw3OGt4dkFIZVY5aVEzZE5mMzJSM0EKUv8bUqg48L2FfYVUVlpXvyZvPye699of\nG6PcjLh1ZMbNCfnsCzr+P8Vdk/F4J/ifxL66lRGfu2xOLxwciwQ+5Q==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnZ2dDbVhoQngxM3lTSmZF\nUTAwS1lCTGhEMU1GVXpFUzlIUFdqZy9LajF3Ck9mdVpBRjlyVUNhZXZIUFZjUzF1\nNlhFN28vNmwzcUVkNmlzUnpkWjJuZE0KLS0tIHpXVHVlNk9vU1ZPTGRrYStWbmRO\nbDM4U2o1SlEwYWtqOXBqd3BFUTAvMHcKkI8UVd0v+x+ELZ5CoGq9DzlA6DnVNU2r\nrV9wLfbFd7RHxS0/TYZh5tmU42nO3iMYA9FqERQXCtZgXS9KvfqHwQ==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-05-04T12:44:18Z",
-		"mac": "ENC[AES256_GCM,data:1ZZ+ZI1JsHmxTov1bRijfol3kTkyheg2o3ivLsMHRhCmScsUry97hQJchF78+y2Izt7avaQEHYn6pVbYt/0rLrSYD7Ru7ITVxXoYHOiN5Qb98masUzpibZjrdyg5nO+LW5/Hmmwsc3yn/+o3IH1AUYpsxlJRdnHHCmoSOFaiFFM=,iv:OQlgmpOTw4ljujNzqwQ5/0Mz8pQpCSUtqRvj3FJAxDs=,tag:foZvdeW7gK9ZVKkWqnlxGA==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.10.2"
-	}
-}

checks/dummy-inventory-test-from-flake/vars/per-machine/peer1/dummy-generator/generated-password/users/admin

@@ -1 +0,0 @@
-../../../../../../sops/users/admin

checks/dummy-inventory-test-from-flake/vars/per-machine/peer1/dummy-generator/host-id/value

@@ -1 +0,0 @@
-6745

checks/dummy-inventory-test-from-flake/vars/per-machine/peer1/new-service/a-secret/machines/peer1

@@ -1 +0,0 @@
-../../../../../../sops/machines/peer1

checks/dummy-inventory-test-from-flake/vars/per-machine/peer1/new-service/a-secret/secret

@@ -1,19 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:prFl0EJy8bM=,iv:zITWxf+6Ebk0iB5vhhd7SBQa1HFrIJXm8xpSM+D9I0M=,tag:NZCRMCs1SzNKLBu/KUDKMQ==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age12w2ld4vxfyf3hdq2d8la4cu0tye4pq97egvv3me4wary7xkdnq2snh0zx2",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0S0RZRWxaZVZvTUhjdWVL\naU9WZmtEcm1qa2JsRmdvdmZmNENMaWFEVUFRCmdoVnRXSGlpRlFjNmVVbDJ5VnFT\nMnVJUlVnM3lxNmZCRTdoRVJ4NW1oYWcKLS0tIFFNbXBFUk1RWnlUTW1SeG1vYzlM\nVVpEclFVOE9PWWQxVkZ0eEgwWndoRWcKDAOHe+FIxqGsc6LhxMy164qjwG6t2Ei2\nP0FSs+bcKMDpudxeuxCjnDm/VoLxOWeuqkB+9K2vSm2W/c/fHTSbrA==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2VU5jOEpwYUtDVEVFcVpU\nQkExTVZ3ejZHcGo5TG8zdUQwNktoV09WdUZvCmQ0dE1TOWRFbTlxdVd4WWRxd3VF\nQUNTTkNNT3NKYjQ5dEJDY0xVZ3pZVUUKLS0tIDFjajRZNFJZUTdNeS8yN05FMFZU\ncEtjRjhRbGE0MnRLdk10NkFLMkxqencKGzJ66dHluIghH04RV/FccfEQP07yqnfb\n25Hi0XIVJfXBwje4UEyszrWTxPPwVXdQDQmoNKf76Qy2jYqJ56uksw==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-05-04T12:44:20Z",
-		"mac": "ENC[AES256_GCM,data:FIkilsni5kOdNlVwDuLsQ/zExypHRWdqIBQDNWMLTwe8OrsNPkX+KYutUvt9GaSoGv4iDULaMRoizO/OZUNfc2d8XYSdj0cxOG1Joov4GPUcC/UGyNuQneAejZBKolvlnidKZArofnuK9g+lOTANEUtEXUTnx8L+VahqPZayQas=,iv:NAo6sT3L8OOB3wv1pjr3RY2FwXgVmZ4N0F4BEX4YPUY=,tag:zHwmXygyvkdpASZCodQT9Q==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.10.2"
-	}
-}

checks/dummy-inventory-test-from-flake/vars/per-machine/peer1/new-service/a-secret/users/admin

@@ -1 +0,0 @@
-../../../../../../sops/users/admin

checks/dummy-inventory-test-from-flake/vars/per-machine/peer1/new-service/not-a-secret/value

@@ -1 +0,0 @@
-not-a-secret

checks/dummy-inventory-test/default.nix

@@ -1,96 +1,93 @@
 {
   pkgs,
-  nixosLib,
-  clan-core,
+  self,
+  clanLib,
   ...
 }:
-nixosLib.runTest (
-  { ... }:
-  {
-    imports = [
-      clan-core.modules.nixosVmTest.clanTest
-    ];
+clanLib.test.makeTestClan {
+  inherit pkgs self;
+  nixosTest = (
+    { ... }:
+    {
+      # This tests the compatibility of the inventory
+      # With the test framework
+      # - legacy-modules
+      # - clan.service modules
+      name = "dummy-inventory-test";
 
-    hostPkgs = pkgs;
-
-    # This tests the compatibility of the inventory
-    # With the test framework
-    # - legacy-modules
-    # - clan.service modules
-    name = "dummy-inventory-test";
-
-    clan = {
-      directory = ./.;
-      inventory = {
-        machines.peer1 = { };
-        machines.admin1 = { };
-        services = {
-          legacy-module.default = {
-            roles.peer.machines = [ "peer1" ];
-            roles.admin.machines = [ "admin1" ];
+      clan = {
+        directory = ./.;
+        inventory = {
+          machines.peer1 = { };
+          machines.admin1 = { };
+          services = {
+            legacy-module.default = {
+              roles.peer.machines = [ "peer1" ];
+              roles.admin.machines = [ "admin1" ];
+            };
           };
-        };
 
-        instances."test" = {
-          module.name = "new-service";
-          roles.peer.machines.peer1 = { };
-        };
+          instances."test" = {
+            module.name = "new-service";
+            roles.peer.machines.peer1 = { };
+          };
 
-        modules = {
-          legacy-module = ./legacy-module;
-        };
-      };
-      modules.new-service = {
-        _class = "clan.service";
-        manifest.name = "new-service";
-        roles.peer = { };
-        perMachine = {
-          nixosModule = {
-            # This should be generated by:
-            # nix run .#generate-test-vars -- checks/dummy-inventory-test dummy-inventory-test
-            clan.core.vars.generators.new-service = {
-              files.not-a-secret = {
-                secret = false;
-                deploy = true;
+          modules = {
+            legacy-module = ./legacy-module;
+            new-service = {
+              _class = "clan.service";
+              manifest.name = "new-service";
+              roles.peer = { };
+              perMachine = {
+                nixosModule = {
+                  # This should be generated by:
+                  # nix run .#generate-test-vars -- checks/dummy-inventory-test dummy-inventory-test
+                  clan.core.vars.generators.new-service = {
+                    files.not-a-secret = {
+                      secret = false;
+                      deploy = true;
+                    };
+                    files.a-secret = {
+                      secret = true;
+                      deploy = true;
+                      owner = "nobody";
+                      group = "users";
+                      mode = "0644";
+                    };
+                    script = ''
+                      # This is a dummy script that does nothing
+                      echo -n "not-a-secret" > $out/not-a-secret
+                      echo -n "a-secret" > $out/a-secret
+                    '';
+                  };
+                };
               };
-              files.a-secret = {
-                secret = true;
-                deploy = true;
-                owner = "nobody";
-                group = "users";
-                mode = "0644";
-              };
-              script = ''
-                # This is a dummy script that does nothing
-                echo -n "not-a-secret" > $out/not-a-secret
-                echo -n "a-secret" > $out/a-secret
-              '';
             };
           };
         };
       };
-    };
 
-    testScript =
-      { nodes, ... }:
-      ''
-        start_all()
-        admin1.wait_for_unit("multi-user.target")
-        peer1.wait_for_unit("multi-user.target")
-        # Provided by the legacy module
-        print(admin1.succeed("systemctl status dummy-service"))
-        print(peer1.succeed("systemctl status dummy-service"))
+      testScript =
+        { nodes, ... }:
+        ''
+          start_all()
+          admin1.wait_for_unit("multi-user.target")
+          peer1.wait_for_unit("multi-user.target")
+          # Provided by the legacy module
+          print(admin1.succeed("systemctl status dummy-service"))
+          print(peer1.succeed("systemctl status dummy-service"))
 
-        # peer1 should have the 'hello' file
-        peer1.succeed("cat ${nodes.peer1.clan.core.vars.generators.new-service.files.not-a-secret.path}")
+          # peer1 should have the 'hello' file
+          peer1.succeed("cat ${nodes.peer1.clan.core.vars.generators.new-service.files.not-a-secret.path}")
 
-        ls_out = peer1.succeed("ls -la ${nodes.peer1.clan.core.vars.generators.new-service.files.a-secret.path}")
-        # Check that the file is owned by 'nobody'
-        assert "nobody" in ls_out, f"File is not owned by 'nobody': {ls_out}"
-        # Check that the file is in the 'users' group
-        assert "users" in ls_out, f"File is not in the 'users' group: {ls_out}"
-        # Check that the file is in the '0644' mode
-        assert "-rw-r--r--" in ls_out, f"File is not in the '0644' mode: {ls_out}"
-      '';
-  }
-)
+          ls_out = peer1.succeed("ls -la ${nodes.peer1.clan.core.vars.generators.new-service.files.a-secret.path}")
+          # Check that the file is owned by 'nobody'
+          assert "nobody" in ls_out, f"File is not owned by 'nobody': {ls_out}"
+          # Check that the file is in the 'users' group
+          assert "users" in ls_out, f"File is not in the 'users' group: {ls_out}"
+          # Check that the file is in the '0644' mode
+          assert "-rw-r--r--" in ls_out, f"File is not in the '0644' mode: {ls_out}"
+        '';
+    }
+  );
+}

checks/flake-module.nix

@@ -4,7 +4,6 @@ let
     filter
     pathExists
     ;
-  nixosLib = import (self.inputs.nixpkgs + "/nixos/lib") { };
 in
 {
   imports = filter pathExists [
@@ -15,7 +14,7 @@ in
     ./installation/flake-module.nix
     ./morph/flake-module.nix
     ./nixos-documentation/flake-module.nix
-    ./dont-depend-on-repo-root.nix
+    ./sanity-checks/dont-depend-on-repo-root.nix
   ];
   perSystem =
     {
@@ -30,35 +29,32 @@ in
         let
           nixosTestArgs = {
             # reference to nixpkgs for the current system
-            inherit pkgs lib nixosLib;
+            inherit pkgs lib;
             # this gives us a reference to our flake but also all flake inputs
             inherit self;
             inherit (self) clanLib;
-            clan-core = self;
           };
-          nixosTests =
-            lib.optionalAttrs (pkgs.stdenv.isLinux) {
+          nixosTests = lib.optionalAttrs (pkgs.stdenv.isLinux) {
+            # Deltachat is currently marked as broken
+            # deltachat = import ./deltachat nixosTestArgs;
 
-              # Base Tests
-              secrets = self.clanLib.test.baseTest ./secrets nixosTestArgs;
-              borgbackup-legacy = self.clanLib.test.baseTest ./borgbackup-legacy nixosTestArgs;
-              wayland-proxy-virtwl = self.clanLib.test.baseTest ./wayland-proxy-virtwl nixosTestArgs;
+            # Base Tests
+            secrets = self.clanLib.test.baseTest ./secrets nixosTestArgs;
+            borgbackup = self.clanLib.test.baseTest ./borgbackup nixosTestArgs;
+            wayland-proxy-virtwl = self.clanLib.test.baseTest ./wayland-proxy-virtwl nixosTestArgs;
 
-              # Container Tests
-              container = self.clanLib.test.containerTest ./container nixosTestArgs;
-              zt-tcp-relay = self.clanLib.test.containerTest ./zt-tcp-relay nixosTestArgs;
-              matrix-synapse = self.clanLib.test.containerTest ./matrix-synapse nixosTestArgs;
-              postgresql = self.clanLib.test.containerTest ./postgresql nixosTestArgs;
+            # Container Tests
+            container = self.clanLib.test.containerTest ./container nixosTestArgs;
+            zt-tcp-relay = self.clanLib.test.containerTest ./zt-tcp-relay nixosTestArgs;
+            matrix-synapse = self.clanLib.test.containerTest ./matrix-synapse nixosTestArgs;
+            postgresql = self.clanLib.test.containerTest ./postgresql nixosTestArgs;
 
-              dummy-inventory-test = import ./dummy-inventory-test nixosTestArgs;
-              dummy-inventory-test-from-flake = import ./dummy-inventory-test-from-flake nixosTestArgs;
-              data-mesher = import ./data-mesher nixosTestArgs;
-            }
-            // lib.optionalAttrs (pkgs.stdenv.hostPlatform.system == "aarch64-linux") {
-              # for some reason this hangs in an odd place in CI, but it works on my machine ...
-              # on aarch64-linux it works though
-              mumble = import ./mumble nixosTestArgs;
-            };
+            # Clan Tests
+            mumble = import ./mumble nixosTestArgs;
+            dummy-inventory-test = import ./dummy-inventory-test nixosTestArgs;
+            data-mesher = import ./data-mesher nixosTestArgs;
+            syncthing = import ./syncthing nixosTestArgs;
+          };
 
           packagesToBuild = lib.removeAttrs self'.packages [
             # exclude the check that checks that nothing depends on the repo root
@@ -105,12 +101,6 @@ in
                 mkdir -p $out
                 cat $schemaFile > $out/allSchemas.json
               '';
-
-          clan-core-for-checks = pkgs.runCommand "clan-core-for-checks" { } ''
-            cp -r ${pkgs.callPackage ./clan-core-for-checks.nix { }} $out
-            chmod +w $out/flake.lock
-            cp ${../flake.lock} $out/flake.lock
-          '';
         };
       legacyPackages = {
         nixosTests =

checks/flash/flake-module.nix

@@ -43,7 +43,6 @@
     let
       dependencies = [
         pkgs.disko
-        pkgs.buildPackages.xorg.lndir
         self.nixosConfigurations."test-flash-machine-${pkgs.hostPlatform.system}".pkgs.perlPackages.ConfigIniFiles
         self.nixosConfigurations."test-flash-machine-${pkgs.hostPlatform.system}".pkgs.perlPackages.FileSlurp
 
@@ -81,7 +80,7 @@
 
             # Some distros like to automount disks with spaces
             machine.succeed('mkdir -p "/mnt/with spaces" && mkfs.ext4 /dev/vdb && mount /dev/vdb "/mnt/with spaces"')
-            machine.succeed("clan flash write --debug --flake ${self.checks.x86_64-linux.clan-core-for-checks} --yes --disk main /dev/vdb test-flash-machine-${pkgs.hostPlatform.system}")
+            machine.succeed("clan flash write --debug --flake ${../..} --yes --disk main /dev/vdb test-flash-machine-${pkgs.hostPlatform.system}")
           '';
         } { inherit pkgs self; };
       };

checks/installation/flake-module.nix

@@ -15,7 +15,6 @@ let
         pkgs.bash.drvPath
         pkgs.nixos-anywhere
         pkgs.bubblewrap
-        pkgs.buildPackages.xorg.lndir
       ] ++ builtins.map (i: i.outPath) (builtins.attrValues self.inputs);
       closureInfo = pkgs.closureInfo { rootPaths = dependencies; };
     in
@@ -198,7 +197,7 @@ in
             installer.succeed("${pkgs.coreutils}/bin/install -Dm 600 ${../assets/ssh/privkey} /root/.ssh/id_ed25519")
 
             installer.wait_until_succeeds("timeout 2 ssh -o StrictHostKeyChecking=accept-new -v nonrootuser@localhost hostname")
-            installer.succeed("cp -r ${self.checks.x86_64-linux.clan-core-for-checks} test-flake && chmod -R +w test-flake")
+            installer.succeed("cp -r ${../..} test-flake && chmod -R +w test-flake")
 
             installer.succeed("clan machines install --no-reboot --debug --flake test-flake --yes test-install-machine-without-system --target-host nonrootuser@localhost --update-hardware-config nixos-facter >&2")
             installer.shutdown()
@@ -218,7 +217,7 @@ in
             installer.start()
             installer.succeed("${pkgs.coreutils}/bin/install -Dm 600 ${../assets/ssh/privkey} /root/.ssh/id_ed25519")
             installer.wait_until_succeeds("timeout 2 ssh -o StrictHostKeyChecking=accept-new -v nonrootuser@localhost hostname")
-            installer.succeed("cp -r ${self.checks.x86_64-linux.clan-core-for-checks} test-flake && chmod -R +w test-flake")
+            installer.succeed("cp -r ${../..} test-flake && chmod -R +w test-flake")
             installer.fail("test -f test-flake/machines/test-install-machine/hardware-configuration.nix")
             installer.fail("test -f test-flake/machines/test-install-machine/facter.json")
 

checks/morph/flake-module.nix

@@ -32,6 +32,7 @@
               { pkgs, ... }:
               let
                 dependencies = [
+                  self
                   pkgs.stdenv.drvPath
                   pkgs.stdenvNoCC
                   self.nixosConfigurations.test-morph-machine.config.system.build.toplevel
@@ -54,7 +55,7 @@
           testScript = ''
             start_all()
             actual.fail("cat /etc/testfile")
-            actual.succeed("env CLAN_DIR=${self.checks.x86_64-linux.clan-core-for-checks} clan machines morph test-morph-template --i-will-be-fired-for-using-this --debug --name test-morph-machine")
+            actual.succeed("env CLAN_DIR=${self} clan machines morph test-morph-template --i-will-be-fired-for-using-this --debug --name test-morph-machine")
             assert actual.succeed("cat /etc/testfile") == "morphed"
           '';
         } { inherit pkgs self; };

checks/mumble/default.nix

@@ -1,132 +1,104 @@
 {
   pkgs,
-  nixosLib,
-  clan-core,
-  lib,
+  self,
+  clanLib,
   ...
 }:
-nixosLib.runTest (
-  { ... }:
-  let
-    machines = [
-      "peer1"
-      "peer2"
-    ];
-  in
-  {
-    imports = [
-      clan-core.modules.nixosVmTest.clanTest
-    ];
+clanLib.test.makeTestClan {
+  inherit pkgs self;
+  # TODO: container driver does not support: sleep, wait_for_window, send_chars, wait_for_text
+  useContainers = false;
+  nixosTest = (
+    { lib, ... }:
+    let
+      common =
+        { pkgs, modulesPath, ... }:
+        {
+          imports = [
+            (modulesPath + "/../tests/common/x11.nix")
+          ];
 
-    hostPkgs = pkgs;
+          clan.services.mumble.user = "alice";
+          environment.systemPackages = [ pkgs.killall ];
+        };
+      machines = [
+        "peer1"
+        "peer2"
+      ];
+    in
+    {
+      name = "mumble";
 
-    name = "mumble";
-
-    defaults =
-      { pkgs, modulesPath, ... }:
-      {
-        imports = [
-          (modulesPath + "/../tests/common/x11.nix")
-        ];
-
-        clan.services.mumble.user = "alice";
-        environment.systemPackages = [ pkgs.killall ];
-      };
-
-    clan = {
-      directory = ./.;
-      # TODO: container driver does not support: sleep, wait_for_window, send_chars, wait_for_text
-      test.useContainers = false;
-      inventory = {
-        machines = lib.genAttrs machines (_: { });
-        services = {
-          mumble.default = {
-            roles.server.machines = machines;
+      clan = {
+        directory = ./.;
+        inventory = {
+          machines = lib.genAttrs machines (_: { });
+          services = {
+            mumble.default = {
+              roles.server.machines = machines;
+            };
           };
         };
       };
-    };
 
-    enableOCR = true;
+      enableOCR = true;
 
-    testScript = ''
-      import time
-      import re
+      nodes.peer1 = common;
+      nodes.peer2 = common;
 
+      testScript = ''
+        start_all()
 
-      def machine_has_text(machine: Machine, regex: str) -> bool:
-          variants = machine.get_screen_text_variants()
-          # for debugging
-          # machine.screenshot(f"/tmp/{machine.name}.png")
-          for text in variants:
-              print(f"Expecting '{regex}' in '{text}'")
-              if re.search(regex, text) is not None:
-                  return True
-          return False
+        with subtest("Waiting for x"):
+          peer1.wait_for_x()
+          peer2.wait_for_x()
 
-      start_all()
+        with subtest("Waiting for murmur"):
+          peer1.wait_for_unit("murmur.service")
+          peer2.wait_for_unit("murmur.service")
 
-      with subtest("Waiting for x"):
-        peer1.wait_for_x()
-        peer2.wait_for_x()
+        with subtest("Starting Mumble"):
+          # starting mumble is blocking
+          peer1.execute("mumble >&2 &")
+          peer2.execute("mumble >&2 &")
 
-      with subtest("Waiting for murmur"):
-        peer1.wait_for_unit("murmur.service")
-        peer2.wait_for_unit("murmur.service")
+        with subtest("Wait for Mumble"):
+          peer1.wait_for_window(r"^Mumble$")
+          peer2.wait_for_window(r"^Mumble$")
 
-      with subtest("Starting Mumble"):
-        # starting mumble is blocking
-        peer1.execute("mumble >&2 &")
-        peer2.execute("mumble >&2 &")
-
-      with subtest("Wait for Mumble"):
-        peer1.wait_for_window(r"Mumble")
-        peer2.wait_for_window(r"Mumble")
-
-      with subtest("Wait for certificate creation"):
-        peer1.wait_for_window(r"Mumble")
-        peer2.wait_for_window(r"Mumble")
-
-        for i in range(20):
-          time.sleep(1)
+        with subtest("Wait for certificate creation"):
+          peer1.wait_for_window(r"^Mumble$")
+          peer1.sleep(3) # mumble is slow to register handlers
           peer1.send_chars("\n")
           peer1.send_chars("\n")
+          peer2.wait_for_window(r"^Mumble$")
+          peer2.sleep(3) # mumble is slow to register handlers
           peer2.send_chars("\n")
           peer2.send_chars("\n")
-          if machine_has_text(peer1, r"Mumble Server Connect") and \
-              machine_has_text(peer2, r"Mumble Server Connect"):
-            break
-        else:
-          raise Exception("Timeout waiting for certificate creation")
 
-      with subtest("Check validity of server certificates"):
-        peer1.execute("killall .mumble-wrapped")
-        peer1.sleep(1)
-        peer1.execute("mumble mumble://peer2 >&2 &")
-        peer1.wait_for_window(r"Mumble")
+        with subtest("Wait for server connect"):
+          peer1.wait_for_window(r"^Mumble Server Connect$")
+          peer2.wait_for_window(r"^Mumble Server Connect$")
 
-        for i in range(20):
-          time.sleep(1)
+        with subtest("Check validity of server certificates"):
+          peer1.execute("killall .mumble-wrapped")
+          peer1.sleep(1)
+          peer1.execute("mumble mumble://peer2 >&2 &")
+          peer1.wait_for_window(r"^Mumble$")
+          peer1.sleep(3) # mumble is slow to register handlers
           peer1.send_chars("\n")
           peer1.send_chars("\n")
-          if machine_has_text(peer1, "Connected."):
-            break
-        else:
-          raise Exception("Timeout waiting for certificate creation")
+          peer1.wait_for_text("Connected.")
 
-        peer2.execute("killall .mumble-wrapped")
-        peer2.sleep(1)
-        peer2.execute("mumble mumble://peer1 >&2 &")
-        peer2.wait_for_window(r"Mumble")
-
-        for i in range(20):
-          time.sleep(1)
+          peer2.execute("killall .mumble-wrapped")
+          peer2.sleep(1)
+          peer2.execute("mumble mumble://peer1 >&2 &")
+          peer2.wait_for_window(r"^Mumble$")
+          peer2.sleep(3) # mumble is slow to register handlers
           peer2.send_chars("\n")
           peer2.send_chars("\n")
-          if machine_has_text(peer2, "Connected."):
-            break
-        else:
-          raise Exception("Timeout waiting for certificate creation")
-    '';
-  }
-)
+          peer2.wait_for_text("Connected.")
+      '';
+    }
+  );
+}

checks/mycelium/default.nix

@@ -1,53 +0,0 @@
-{
-  pkgs,
-  nixosLib,
-  clan-core,
-  ...
-}:
-nixosLib.runTest (
-  { ... }:
-  {
-    imports = [
-      clan-core.modules.nixosVmTest.clanTest
-    ];
-
-    hostPkgs = pkgs;
-
-    name = "mycelium";
-
-    clan = {
-
-      test.useContainers = false;
-      directory = ./.;
-      modules."@clan/mycelium" = ../../clanServices/mycelium/default.nix;
-      inventory = {
-        machines.server = { };
-
-        instances = {
-          mycelium-test = {
-            module.name = "@clan/mycelium";
-            roles.peer.machines."server".settings = {
-              openFirewall = true;
-              addHostedPublicNodes = true;
-            };
-          };
-        };
-      };
-    };
-
-    nodes = {
-      server = { };
-    };
-
-    testScript = ''
-      start_all()
-
-      # Check that mycelium service is running
-      server.wait_for_unit("mycelium")
-      server.succeed("systemctl status mycelium")
-
-      # Check that mycelium is listening on its default port
-      server.wait_until_succeeds("${pkgs.iproute2}/bin/ss -tulpn | grep -q 'mycelium'", 10)
-    '';
-  }
-)

checks/mycelium/sops/machines/server/key.json

@@ -1,6 +0,0 @@
-[
-  {
-    "publickey": "age122lc4fvw2p22gcvwqeme5k49qxtjanqkl2xvr6qvf3r0zyh7scuqz28cam",
-    "type": "age"
-  }
-]

checks/mycelium/sops/secrets/server-age.key/secret

@@ -1,15 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:hLJS+CJllYM50KxKuiYamxBLGd9lwoeIFapP9mZAlVGH5DSenylcKUfsphxafASoB516qns2DznBoS9mWqg9uTsRZjk4WlR3x6A=,iv:uRiIpUKIiV3riNcBAWUqhZbE+Vb7lLMfU0C/TClVZ6M=,tag:4+nsMssiSyq9Iv7sDuWmoQ==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPUWFOMzluRmdOQXBmRjRN\ncXNSUlB5Z0t6dWYxNVkvMmhrN1FDdmxHcTNJCkhPL3BYMFFXMmU5ZGRqOC9KWEgv\nSHB5OUJqTk5Dd0tDTks1R1ZhYktrLzgKLS0tIHJIMlFRVWphZXlISmR3VUJKUjNk\ndWF4eCt6UHBrSndBay95RVJ3dldiaFkKCgYqrt0aCGRTaHycBoeqv/zeByu2ZZ3Z\nVfgxnD9liIQkS2wERbpk0/Yq9wkKgVxj+DZoWwHYhP0eKCw2UOorCA==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-06-04T11:54:59Z",
-		"mac": "ENC[AES256_GCM,data:xoeOz7FRCPJ18UTsfbY1x/N65pxbTsehT9Kv3MgEd6NQJn6FTvquaj3HEZ0KvIzStBz1FNOhSql9CZUFc4StYps05EbX61MMMnz6Nlj3xcTwuVQFabGoinxcXbCDSA+tAW7VqzVxumj6FMDg+r77gdcIApZjGJg4Z9ws2RZd3u4=,iv:U8IUDwmfg8Umob9mtKgGaKoIY4SKNL895BABJxzx5n8=,tag:tnMCx6D/17ZYgI6SgNS29A==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.10.2"
-	}
-}

checks/mycelium/sops/secrets/server-age.key/users/admin

@@ -1 +0,0 @@
-../../../users/admin

checks/mycelium/sops/users/admin/key.json

@@ -1,4 +0,0 @@
-{
-  "publickey": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
-  "type": "age"
-}

checks/mycelium/vars/per-machine/server/mycelium/ip/value

@@ -1 +0,0 @@
-52d:87c1:4222:b550:ee01:a7ae:254:5a66

checks/mycelium/vars/per-machine/server/mycelium/key/machines/server

@@ -1 +0,0 @@
-../../../../../../sops/machines/server

checks/mycelium/vars/per-machine/server/mycelium/key/secret

@@ -1,19 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:DGzl2G4H+NkwXq0fCUQS0+8FG1x9xoIsYvAgUxP4Qp8=,iv:CXOJVgYNthVOZ4vbdI3n4KLXSFVemzaoEnRGMC+m0i8=,tag:/u+pV3xWpUq0ZtAm6LKuGQ==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age122lc4fvw2p22gcvwqeme5k49qxtjanqkl2xvr6qvf3r0zyh7scuqz28cam",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZZHZjdXMwclBTeGthcGpM\nV1ArVy83akNHNEpXVFhoR1FWNlJUeHNKTW00CjJFTFZneFNrL0hDMXJpaTQ2M1ln\nTmdPMGhzeUp0NU55QnhCZEU2QVk1OG8KLS0tIDFhQmJhOHJsTjhYNEhITEw0WFgy\nWC9pTi9od0wyMWtZRVZJYWo0Nmo5SHMKDohnAAfrnGOiw55huMme2EEWE53N/feS\nutvbiTZh1ECHCi/uoK757fjnJ/WrQMSxUpctT9I8bpJRtbTqkx3XRw==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZeTZENGFpWndDbmdsWDRw\nMTBCVXg5Zkg2a2s5Yk1HSERIVlVQRXdUSUNnCnREbno0dEN0ZEgvOFNMRG1ReGx4\na0h1YUFuMkxBZXJUTE9xOUVUMitEalkKLS0tIFZMZ21qclRqUFR0dlAyMFkzdUNX\nNjRLTWVRVWtHSDlDakEzMmpRVWkyc0EKabm8mTKJVxQNTaIgU+8rb/xk9Dpg+Zjz\nb+wgD0+TlARlenMtIub8Y6N06ENOc20oovylfu+g7xV+EkvRPCd6tA==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-06-04T11:55:02Z",
-		"mac": "ENC[AES256_GCM,data:UIBaD/3mACgFzkajkFXz3oKai8IxpYQriR2t0mc5fL92P5ECloxCobY386TDZYOEVrDJ45Bw+IzqZbsCx/G9f1xCCTR2JvqygxYIsK3TpQPsboJzb9Cz3dBNBCXGboVykcg/NobEMaJBw1xtdAQBhuo8S7ymIuOPtGz0vPFJkf8=,iv:g0YAOBsRpgAOikKDMJDyOtcVx+0QwetfA8R6wQFH7lY=,tag:sfdFLjtiqFHdP/Qe1suBBQ==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.10.2"
-	}
-}

checks/mycelium/vars/per-machine/server/mycelium/key/users/admin

@@ -1 +0,0 @@
-../../../../../../sops/users/admin

checks/mycelium/vars/per-machine/server/mycelium/pubkey/value

@@ -1 +0,0 @@
-2125c6b039374467eaa3eaf552bd3e97f434d16006433cfbba3e6823c958b728

checks/syncthing/default.nix

@@ -1,87 +1,83 @@
 {
   pkgs,
-  nixosLib,
-  clan-core,
-  lib,
+  self,
+  clanLib,
   ...
 }:
-nixosLib.runTest (
-  { ... }:
-  {
-    imports = [
-      clan-core.modules.nixosVmTest.clanTest
-    ];
+clanLib.test.makeTestClan {
+  inherit pkgs self;
+  # TODO: container driver does not support wait_for_file() yet
+  useContainers = false;
+  nixosTest = (
+    { lib, ... }:
+    {
+      name = "syncthing";
 
-    hostPkgs = pkgs;
-
-    name = "syncthing";
-
-    clan = {
-      directory = ./.;
-      # TODO: container driver does not support wait_for_file() yet
-      test.useContainers = false;
-      inventory = {
-        machines = lib.genAttrs [
-          "introducer"
-          "peer1"
-          "peer2"
-        ] (_: { });
-        services = {
-          syncthing.default = {
-            roles.peer.machines = [
-              "peer1"
-              "peer2"
-            ];
-            roles.introducer.machines = [ "introducer" ];
-          };
-        };
-      };
-    };
-
-    nodes.introducer = {
-      # Doesn't test zerotier!
-      services.syncthing.openDefaultPorts = true;
-      services.syncthing.settings.folders = {
-        "Shared" = {
-          enable = true;
-          path = "~/Shared";
-          versioning = {
-            type = "trashcan";
-            params = {
-              cleanoutDays = "30";
+      clan = {
+        directory = ./.;
+        inventory = {
+          machines = lib.genAttrs [
+            "introducer"
+            "peer1"
+            "peer2"
+          ] (_: { });
+          services = {
+            syncthing.default = {
+              roles.peer.machines = [
+                "peer1"
+                "peer2"
+              ];
+              roles.introducer.machines = [ "introducer" ];
             };
           };
         };
       };
-      clan.syncthing.autoAcceptDevices = true;
-      clan.syncthing.autoShares = [ "Shared" ];
-      # For faster Tests
-      systemd.timers.syncthing-auto-accept.timerConfig = {
-        OnActiveSec = 1;
-        OnUnitActiveSec = 1;
-      };
-    };
-    nodes.peer1 = {
-      services.syncthing.openDefaultPorts = true;
-    };
-    nodes.peer2 = {
-      services.syncthing.openDefaultPorts = true;
-    };
 
-    testScript = ''
-      start_all()
-      introducer.wait_for_unit("syncthing")
-      peer1.wait_for_unit("syncthing")
-      peer2.wait_for_unit("syncthing")
-      peer1.execute("ls -la /var/lib/syncthing")
-      peer2.execute("ls -la /var/lib/syncthing")
-      peer1.wait_for_file("/var/lib/syncthing/Shared")
-      peer2.wait_for_file("/var/lib/syncthing/Shared")
-      introducer.shutdown()
-      peer1.execute("echo hello > /var/lib/syncthing/Shared/hello")
-      peer2.wait_for_file("/var/lib/syncthing/Shared/hello")
-      out = peer2.succeed("cat /var/lib/syncthing/Shared/hello")
-      assert "hello" in out
-    '';
-  }
-)
+      nodes.introducer = {
+        # Doesn't test zerotier!
+        services.syncthing.openDefaultPorts = true;
+        services.syncthing.settings.folders = {
+          "Shared" = {
+            enable = true;
+            path = "~/Shared";
+            versioning = {
+              type = "trashcan";
+              params = {
+                cleanoutDays = "30";
+              };
+            };
+          };
+        };
+        clan.syncthing.autoAcceptDevices = true;
+        clan.syncthing.autoShares = [ "Shared" ];
+        # For faster Tests
+        systemd.timers.syncthing-auto-accept.timerConfig = {
+          OnActiveSec = 1;
+          OnUnitActiveSec = 1;
+        };
+      };
+      nodes.peer1 = {
+        services.syncthing.openDefaultPorts = true;
+      };
+      nodes.peer2 = {
+        services.syncthing.openDefaultPorts = true;
+      };
+
+      testScript = ''
+        start_all()
+        introducer.wait_for_unit("syncthing")
+        peer1.wait_for_unit("syncthing")
+        peer2.wait_for_unit("syncthing")
+        peer1.execute("ls -la /var/lib/syncthing")
+        peer2.execute("ls -la /var/lib/syncthing")
+        peer1.wait_for_file("/var/lib/syncthing/Shared")
+        peer2.wait_for_file("/var/lib/syncthing/Shared")
+        introducer.shutdown()
+        peer1.execute("echo hello > /var/lib/syncthing/Shared/hello")
+        peer2.wait_for_file("/var/lib/syncthing/Shared/hello")
+        out = peer2.succeed("cat /var/lib/syncthing/Shared/hello")
+        assert "hello" in out
+      '';
+    }
+  );
+}

clanModules/admin/README.md

@@ -1,5 +1,5 @@
 ---
 description = "Convenient Administration for the Clan App"
 categories = ["Utility"]
-features = [ "inventory", "deprecated" ]
+features = [ "inventory" ]
 ---

clanModules/admin/default.nix

@@ -1,3 +1,6 @@
+# Dont import this file
+# It is only here for backwards compatibility.
+# Dont author new modules with this file.
 {
   imports = [ ./roles/default.nix ];
 }

clanModules/admin/roles/default.nix

@@ -1,6 +1,5 @@
 { lib, config, ... }:
 {
-
   options.clan.admin = {
     allowedKeys = lib.mkOption {
       default = { };

clanModules/auto-upgrade/README.md

@@ -1,7 +1,7 @@
 ---
 description = "Set up automatic upgrades"
 categories = ["System"]
-features = [ "inventory", "deprecated" ]
+features = [ "inventory" ]
 ---
 
 Whether to periodically upgrade NixOS to the latest version. If enabled, a

clanModules/borgbackup-static/README.md

@@ -4,7 +4,7 @@ description = "Statically configure borgbackup with sane defaults."
 !!! Danger "Deprecated"
     Use [borgbackup](borgbackup.md) instead.
 
-    Don't use borgbackup-static through [inventory](../../guides/inventory.md).
+    Don't use borgbackup-static through [inventory](../../manual/inventory.md).
 
 This module implements the `borgbackup` backend and implements sane defaults
 for backup management through `borgbackup` for members of the clan.

clanModules/borgbackup/README.md

@@ -1,7 +1,7 @@
 ---
 description = "Efficient, deduplicating backup program with optional compression and secure encryption."
 categories = ["System"]
-features = [ "inventory", "deprecated" ]
+features = [ "inventory" ]
 ---
 BorgBackup (short: Borg) gives you:
 

clanModules/borgbackup/roles/client.nix

@@ -106,8 +106,7 @@ in
     systemd.services = lib.mapAttrs' (
       _: dest:
       lib.nameValuePair "borgbackup-job-${dest.name}" {
-        # since borgbackup mounts the system read-only, we need to run in a
-        # ExecStartPre script, so we can generate additional files.
+        # since borgbackup mounts the system read-only, we need to run in a ExecStartPre script, so we can generate additional files.
         serviceConfig.ExecStartPre = [
           ''+${pkgs.writeShellScript "borgbackup-job-${dest.name}-pre-backup-commands" preBackupScript}''
         ];

clanModules/borgbackup/roles/server.nix

@@ -45,7 +45,7 @@ in
         else
           lib.warn ''
             Machine ${machine} does not have a borgbackup key at ${fullPath},
-            run `clan vars generate ${machine}` to generate it.
+            run `clan var generate ${machine}` to generate it.
           '' null
       ) allClients;
 

clanModules/data-mesher/shared.nix

@@ -12,16 +12,13 @@ let
   # currently only supports zerotier
   defaultBootstrapNodes = builtins.foldl' (
     urls: name:
-    let
-
-      ipPath = "${config.clan.core.settings.directory}/vars/per-machine/${name}/zerotier/zerotier-ip/value";
-
-    in
-    if builtins.pathExists ipPath then
+    if
+      builtins.pathExists "${config.clan.core.settings.directory}/vars/per-machine/${name}/zerotier/zerotier-ip/value"
+    then
       let
-        ip = builtins.readFile ipPath;
+        ip = builtins.readFile "${config.clan.core.settings.directory}/vars/per-machine/${name}/zerotier/zerotier-ip/value";
       in
-      urls ++ [ "[${ip}]:${builtins.toString cfg.network.port}" ]
+      urls ++ "${ip}:${cfg.network.port}"
     else
       urls
   ) [ ] (dmLib.machines config).bootstrap;
@@ -90,8 +87,7 @@ in
           push_pull_interval = "30s";
 
           interface = cfg.network.interface;
-
-          bootstrap_nodes = if cfg.bootstrapNodes == null then defaultBootstrapNodes else cfg.bootstrapNodes;
+          bootstrap_nodes = cfg.bootstrapNodes or defaultBootstrapNodes;
         };
 
         http.port = 7331;
@@ -109,7 +105,10 @@ in
           private_key = {
             inherit owner;
           };
-          public_key.secret = false;
+          public_key = {
+            inherit owner;
+            secret = false;
+          };
         };
 
       runtimeInputs = [
@@ -135,7 +134,10 @@ in
           private_key = {
             inherit owner;
           };
-          public_key.secret = false;
+          public_key = {
+            inherit owner;
+            secret = false;
+          };
         };
 
       runtimeInputs = [

clanModules/deltachat/README.md

@@ -1,7 +1,5 @@
 ---
 description = "Email-based instant messaging for Desktop."
-categories = ["Social"]
-features = [ "inventory", "deprecated" ]
 ---
 
 !!! info

clanModules/deltachat/default.nix

@@ -1,3 +1,143 @@
+{ config, pkgs, ... }:
 {
-  imports = [ ./roles/default.nix ];
+  networking.firewall.interfaces."zt+".allowedTCPPorts = [ 25 ]; # smtp with other hosts
+  environment.systemPackages = [ pkgs.deltachat-desktop ];
+
+  services.maddy =
+    let
+      domain = "${config.clan.core.settings.machine.name}.local";
+    in
+    {
+      enable = true;
+      primaryDomain = domain;
+      config = ''
+        # Minimal configuration with TLS disabled, adapted from upstream example
+        # configuration here https://github.com/foxcpp/maddy/blob/master/maddy.conf
+        # Do not use this in unencrypted networks!
+
+        auth.pass_table local_authdb {
+          table sql_table {
+            driver sqlite3
+            dsn credentials.db
+            table_name passwords
+          }
+        }
+
+        storage.imapsql local_mailboxes {
+          driver sqlite3
+          dsn imapsql.db
+        }
+
+        table.chain local_rewrites {
+          optional_step regexp "(.+)\+(.+)@(.+)" "$1@$3"
+          optional_step static {
+            entry postmaster postmaster@$(primary_domain)
+          }
+          optional_step file /etc/maddy/aliases
+        }
+
+        msgpipeline local_routing {
+          destination postmaster $(local_domains) {
+            modify {
+              replace_rcpt &local_rewrites
+            }
+            deliver_to &local_mailboxes
+          }
+          default_destination {
+            reject 550 5.1.1 "User doesn't exist"
+          }
+        }
+
+        smtp tcp://[::]:25 {
+          limits {
+            all rate 20 1s
+            all concurrency 10
+          }
+          dmarc yes
+          check {
+            require_mx_record
+            dkim
+            spf
+          }
+          source $(local_domains) {
+            reject 501 5.1.8 "Use Submission for outgoing SMTP"
+          }
+          default_source {
+            destination postmaster $(local_domains) {
+              deliver_to &local_routing
+            }
+            default_destination {
+              reject 550 5.1.1 "User doesn't exist"
+            }
+          }
+        }
+
+        submission tcp://[::1]:587 {
+          limits {
+            all rate 50 1s
+          }
+          auth &local_authdb
+          source $(local_domains) {
+            check {
+                authorize_sender {
+                    prepare_email &local_rewrites
+                    user_to_email identity
+                }
+            }
+            destination postmaster $(local_domains) {
+                deliver_to &local_routing
+            }
+            default_destination {
+                modify {
+                    dkim $(primary_domain) $(local_domains) default
+                }
+                deliver_to &remote_queue
+            }
+          }
+          default_source {
+            reject 501 5.1.8 "Non-local sender domain"
+          }
+        }
+
+        target.remote outbound_delivery {
+          limits {
+            destination rate 20 1s
+            destination concurrency 10
+          }
+          mx_auth {
+            dane
+            mtasts {
+              cache fs
+              fs_dir mtasts_cache/
+            }
+            local_policy {
+                min_tls_level encrypted
+                min_mx_level none
+            }
+          }
+        }
+
+        target.queue remote_queue {
+          target &outbound_delivery
+          autogenerated_msg_domain $(primary_domain)
+          bounce {
+            destination postmaster $(local_domains) {
+              deliver_to &local_routing
+            }
+            default_destination {
+                reject 550 5.0.0 "Refusing to send DSNs to non-local addresses"
+            }
+          }
+        }
+
+        imap tcp://[::1]:143 {
+          auth &local_authdb
+          storage &local_mailboxes
+        }
+      '';
+      ensureAccounts = [ "user@${domain}" ];
+      ensureCredentials = {
+        "user@${domain}".passwordFile = pkgs.writeText "dummy" "foobar";
+      };
+    };
 }

clanModules/deltachat/roles/default.nix

@@ -1,143 +0,0 @@
-{ config, pkgs, ... }:
-{
-  networking.firewall.interfaces."zt+".allowedTCPPorts = [ 25 ]; # smtp with other hosts
-  environment.systemPackages = [ pkgs.deltachat-desktop ];
-
-  services.maddy =
-    let
-      domain = "${config.clan.core.settings.machine.name}.local";
-    in
-    {
-      enable = true;
-      primaryDomain = domain;
-      config = ''
-        # Minimal configuration with TLS disabled, adapted from upstream example
-        # configuration here https://github.com/foxcpp/maddy/blob/master/maddy.conf
-        # Do not use this in unencrypted networks!
-
-        auth.pass_table local_authdb {
-          table sql_table {
-            driver sqlite3
-            dsn credentials.db
-            table_name passwords
-          }
-        }
-
-        storage.imapsql local_mailboxes {
-          driver sqlite3
-          dsn imapsql.db
-        }
-
-        table.chain local_rewrites {
-          optional_step regexp "(.+)\+(.+)@(.+)" "$1@$3"
-          optional_step static {
-            entry postmaster postmaster@$(primary_domain)
-          }
-          optional_step file /etc/maddy/aliases
-        }
-
-        msgpipeline local_routing {
-          destination postmaster $(local_domains) {
-            modify {
-              replace_rcpt &local_rewrites
-            }
-            deliver_to &local_mailboxes
-          }
-          default_destination {
-            reject 550 5.1.1 "User doesn't exist"
-          }
-        }
-
-        smtp tcp://[::]:25 {
-          limits {
-            all rate 20 1s
-            all concurrency 10
-          }
-          dmarc yes
-          check {
-            require_mx_record
-            dkim
-            spf
-          }
-          source $(local_domains) {
-            reject 501 5.1.8 "Use Submission for outgoing SMTP"
-          }
-          default_source {
-            destination postmaster $(local_domains) {
-              deliver_to &local_routing
-            }
-            default_destination {
-              reject 550 5.1.1 "User doesn't exist"
-            }
-          }
-        }
-
-        submission tcp://[::1]:587 {
-          limits {
-            all rate 50 1s
-          }
-          auth &local_authdb
-          source $(local_domains) {
-            check {
-                authorize_sender {
-                    prepare_email &local_rewrites
-                    user_to_email identity
-                }
-            }
-            destination postmaster $(local_domains) {
-                deliver_to &local_routing
-            }
-            default_destination {
-                modify {
-                    dkim $(primary_domain) $(local_domains) default
-                }
-                deliver_to &remote_queue
-            }
-          }
-          default_source {
-            reject 501 5.1.8 "Non-local sender domain"
-          }
-        }
-
-        target.remote outbound_delivery {
-          limits {
-            destination rate 20 1s
-            destination concurrency 10
-          }
-          mx_auth {
-            dane
-            mtasts {
-              cache fs
-              fs_dir mtasts_cache/
-            }
-            local_policy {
-                min_tls_level encrypted
-                min_mx_level none
-            }
-          }
-        }
-
-        target.queue remote_queue {
-          target &outbound_delivery
-          autogenerated_msg_domain $(primary_domain)
-          bounce {
-            destination postmaster $(local_domains) {
-              deliver_to &local_routing
-            }
-            default_destination {
-                reject 550 5.0.0 "Refusing to send DSNs to non-local addresses"
-            }
-          }
-        }
-
-        imap tcp://[::1]:143 {
-          auth &local_authdb
-          storage &local_mailboxes
-        }
-      '';
-      ensureAccounts = [ "user@${domain}" ];
-      ensureCredentials = {
-        "user@${domain}".passwordFile = pkgs.writeText "dummy" "foobar";
-      };
-    };
-}

clanModules/ergochat/README.md

@@ -1,5 +1,3 @@
 ---
 description = "A modern IRC server"
-categories = ["Social"]
-features = [ "inventory", "deprecated" ]
 ---

clanModules/ergochat/default.nix

@@ -1,3 +1,14 @@
-{
-  imports = [ ./roles/default.nix ];
+_: {
+  services.ergochat = {
+    enable = true;
+
+    settings = {
+      datastore = {
+        autoupgrade = true;
+        path = "/var/lib/ergo/ircd.db";
+      };
+    };
+  };
+
+  clan.core.state.ergochat.folders = [ "/var/lib/ergo" ];
 }

clanModules/ergochat/roles/default.nix

@@ -1,14 +0,0 @@
-_: {
-  services.ergochat = {
-    enable = true;
-
-    settings = {
-      datastore = {
-        autoupgrade = true;
-        path = "/var/lib/ergo/ircd.db";
-      };
-    };
-  };
-
-  clan.core.state.ergochat.folders = [ "/var/lib/ergo" ];
-}

clanModules/flake-module.nix

@@ -8,8 +8,8 @@ in
 {
   # only import available files, as this allows to filter the files for tests.
   flake.clanModules = filterAttrs (_name: pathExists) {
-    auto-upgrade = ./auto-upgrade;
     admin = ./admin;
+    auto-upgrade = ./auto-upgrade;
     borgbackup = ./borgbackup;
     borgbackup-static = ./borgbackup-static;
     deltachat = ./deltachat;
@@ -18,6 +18,7 @@ in
     dyndns = ./dyndns;
     ergochat = ./ergochat;
     garage = ./garage;
+    golem-provider = ./golem-provider;
     heisenbridge = ./heisenbridge;
     importer = ./importer;
     iwd = ./iwd;

clanModules/garage/README.md

@@ -1,7 +1,5 @@
 ---
 description = "S3-compatible object store for small self-hosted geo-distributed deployments"
-categories = ["System"]
-features = [ "inventory", "deprecated" ]
 ---
 
 This module generates garage specific keys automatically.

clanModules/garage/default.nix

@@ -1,3 +1,43 @@
+{ config, pkgs, ... }:
 {
-  imports = [ ./roles/default.nix ];
+  systemd.services.garage.serviceConfig = {
+    LoadCredential = [
+      "rpc_secret_path:${config.clan.core.vars.generators.garage-shared.files.rpc_secret.path}"
+      "admin_token_path:${config.clan.core.vars.generators.garage.files.admin_token.path}"
+      "metrics_token_path:${config.clan.core.vars.generators.garage.files.metrics_token.path}"
+    ];
+    Environment = [
+      "GARAGE_ALLOW_WORLD_READABLE_SECRETS=true"
+      "GARAGE_RPC_SECRET_FILE=%d/rpc_secret_path"
+      "GARAGE_ADMIN_TOKEN_FILE=%d/admin_token_path"
+      "GARAGE_METRICS_TOKEN_FILE=%d/metrics_token_path"
+    ];
+  };
+
+  clan.core.vars.generators.garage = {
+    files.admin_token = { };
+    files.metrics_token = { };
+    runtimeInputs = [
+      pkgs.coreutils
+      pkgs.openssl
+    ];
+    script = ''
+      openssl rand -base64 -out "$out"/admin_token 32
+      openssl rand -base64 -out "$out"/metrics_token 32
+    '';
+  };
+
+  clan.core.vars.generators.garage-shared = {
+    share = true;
+    files.rpc_secret = { };
+    runtimeInputs = [
+      pkgs.coreutils
+      pkgs.openssl
+    ];
+    script = ''
+      openssl rand -hex -out "$out"/rpc_secret 32
+    '';
+  };
+
+  clan.core.state.garage.folders = [ config.services.garage.settings.metadata_dir ];
 }

clanModules/garage/roles/default.nix

@@ -1,43 +0,0 @@
-{ config, pkgs, ... }:
-{
-  systemd.services.garage.serviceConfig = {
-    LoadCredential = [
-      "rpc_secret_path:${config.clan.core.vars.generators.garage-shared.files.rpc_secret.path}"
-      "admin_token_path:${config.clan.core.vars.generators.garage.files.admin_token.path}"
-      "metrics_token_path:${config.clan.core.vars.generators.garage.files.metrics_token.path}"
-    ];
-    Environment = [
-      "GARAGE_ALLOW_WORLD_READABLE_SECRETS=true"
-      "GARAGE_RPC_SECRET_FILE=%d/rpc_secret_path"
-      "GARAGE_ADMIN_TOKEN_FILE=%d/admin_token_path"
-      "GARAGE_METRICS_TOKEN_FILE=%d/metrics_token_path"
-    ];
-  };
-
-  clan.core.vars.generators.garage = {
-    files.admin_token = { };
-    files.metrics_token = { };
-    runtimeInputs = [
-      pkgs.coreutils
-      pkgs.openssl
-    ];
-    script = ''
-      openssl rand -base64 -out "$out"/admin_token 32
-      openssl rand -base64 -out "$out"/metrics_token 32
-    '';
-  };
-
-  clan.core.vars.generators.garage-shared = {
-    share = true;
-    files.rpc_secret = { };
-    runtimeInputs = [
-      pkgs.coreutils
-      pkgs.openssl
-    ];
-    script = ''
-      openssl rand -hex -out "$out"/rpc_secret 32
-    '';
-  };
-
-  clan.core.state.garage.folders = [ config.services.garage.settings.metadata_dir ];
-}

clanModules/golem-provider/README.md

@@ -0,0 +1,7 @@
+---
+description = "Golem Provider for the Golem Network, an open-source and decentralized platform where everyone can use and share each other's computing power without relying on centralized entities like cloud computing corporations"
+---
+
+By running a golem provider your machine's compute resources are offered via the golem network which will allow other members to execute compute tasks on your machine. If this happens, you will be compensated with GLM, an ERC20 token.
+
+More about golem providers: https://docs.golem.network/docs/golem/overview

clanModules/golem-provider/default.nix

@@ -0,0 +1,34 @@
+{ config, pkgs, ... }:
+let
+  cfg = config.clan.golem-provider;
+  yagna = pkgs.callPackage ../../pkgs/yagna { };
+  accountFlag = if cfg.account != null then "--account ${cfg.account}" else "";
+in
+{
+  imports = [ ./interface.nix ];
+
+  users.users.golem = {
+    isSystemUser = true;
+    home = "/var/lib/golem";
+    group = "golem";
+    createHome = true;
+  };
+
+  users.groups.golem = { };
+
+  environment.systemPackages = [ yagna ];
+
+  systemd.services.golem-provider = {
+    description = "Golem Provider";
+    wantedBy = [ "multi-user.target" ];
+    after = [ "network-online.target" ];
+    serviceConfig = {
+      Type = "simple";
+      ExecStart = "${yagna}/bin/golemsp run --no-interactive ${accountFlag}";
+      Restart = "always";
+      RestartSec = "5";
+      User = "golem";
+      Group = "golem";
+    };
+  };
+}

clanModules/golem-provider/interface.nix

@@ -0,0 +1,20 @@
+{ lib, ... }:
+let
+  inherit (lib) mkOption;
+
+  inherit (lib.types) nullOr str;
+
+in
+{
+  options.clan.golem-provider = {
+    account = mkOption {
+      type = nullOr str;
+      description = ''
+        Ethereum address for payouts.
+
+        Leave empty to automatically generate a new address upon first start.
+      '';
+      default = null;
+    };
+  };
+}

clanModules/golem-provider/test/vm.nix

@@ -0,0 +1,4 @@
+{ ... }:
+{
+  imports = [ ../. ];
+}

clanModules/heisenbridge/README.md

@@ -1,5 +1,4 @@
 ---
 description = "A matrix bridge to communicate with IRC"
-categories = ["Social"]
-features = [ "inventory", "deprecated" ]
 ---
+

clanModules/heisenbridge/default.nix

@@ -1,3 +1,23 @@
 {
-  imports = [ ./roles/default.nix ];
+  config,
+  lib,
+  ...
+}:
+{
+  imports = [
+    (lib.mkRemovedOptionModule [
+      "clan"
+      "heisenbridge"
+      "enable"
+    ] "Importing the module will already enable the service.")
+  ];
+  config = {
+    services.heisenbridge = {
+      enable = true;
+      homeserver = "http://localhost:8008"; # TODO: Sync with matrix-synapse
+    };
+    services.matrix-synapse.settings.app_service_config_files = [
+      "/var/lib/heisenbridge/registration.yml"
+    ];
+  };
 }

clanModules/heisenbridge/roles/default.nix

@@ -1,22 +0,0 @@
-{
-  lib,
-  ...
-}:
-{
-  imports = [
-    (lib.mkRemovedOptionModule [
-      "clan"
-      "heisenbridge"
-      "enable"
-    ] "Importing the module will already enable the service.")
-  ];
-  config = {
-    services.heisenbridge = {
-      enable = true;
-      homeserver = "http://localhost:8008"; # TODO: Sync with matrix-synapse
-    };
-    services.matrix-synapse.settings.app_service_config_files = [
-      "/var/lib/heisenbridge/registration.yml"
-    ];
-  };
-}

clanModules/iwd/README.md

@@ -1,6 +1,6 @@
 ---
 description = "Automatically provisions wifi credentials"
-features = [ "inventory", "deprecated" ]
+features = [ "inventory" ]
 categories = [ "Network" ]
 ---
 

clanModules/iwd/roles/default.nix

@@ -80,18 +80,6 @@ in
       # TODO: restart the iwd.service if something changes
     })
     {
-      warnings = [
-        ''
-          The clan module `iwd` is deprecated and replaced by the clan service `wifi`
-          Please migrate your config to the new service (see: https://docs.clan.lol/reference/clanServices/wifi/)
-
-          To keep passwords after migrating the config, use:
-            clan vars get <your-machine> iwd.<network-name>/ssid | clan vars set <your-machine> wifi.<network-name>/network-name
-          and:
-            clan vars get <your-machine> iwd.<network-name>/password | clan vars set <your-machine> wifi.<network-name>/password
-        ''
-      ];
-
       # disable wpa supplicant
       networking.wireless.enable = false;
 

clanModules/localsend/README.md

@@ -1,5 +1,3 @@
 ---
 description = "Securely sharing files and messages over a local network without internet connectivity."
-categories = ["Utility"]
-features = [ "inventory", "deprecated" ]
 ---

clanModules/localsend/default.nix

@@ -1,3 +1,60 @@
 {
-  imports = [ ./roles/default.nix ];
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+
+let
+  cfg = config.clan.localsend;
+in
+{
+  # Integration can be improved, if the following issues get implemented:
+  # - cli frontend: https://github.com/localsend/localsend/issues/11
+  # - ipv6 support: https://github.com/localsend/localsend/issues/549
+  options.clan.localsend = {
+
+    displayName = lib.mkOption {
+      type = lib.types.nullOr lib.types.str;
+      default = null;
+      description = "The name that localsend will use to display your instance.";
+    };
+
+    package = lib.mkPackageOption pkgs "localsend" { };
+
+    ipv4Addr = lib.mkOption {
+      type = lib.types.str;
+      example = "192.168.56.2/24";
+      description = "Every machine needs a unique ipv4 address";
+    };
+  };
+
+  imports = [
+    (lib.mkRemovedOptionModule [
+      "clan"
+      "localsend"
+      "enable"
+    ] "Importing the module will already enable the service.")
+  ];
+  config = {
+    clan.core.state.localsend.folders = [
+      "/var/localsend"
+    ];
+    environment.systemPackages = [
+      (pkgs.callPackage ./localsend-ensure-config {
+        localsend = config.clan.localsend.package;
+        alias = config.clan.localsend.displayName;
+      })
+    ];
+
+    networking.firewall.interfaces."zt+".allowedTCPPorts = [ 53317 ];
+    networking.firewall.interfaces."zt+".allowedUDPPorts = [ 53317 ];
+
+    #TODO: This is currently needed because there is no ipv6 multicasting support yet
+    systemd.network.networks."09-zerotier" = {
+      networkConfig = {
+        Address = cfg.ipv4Addr;
+      };
+    };
+  };
 }

clanModules/localsend/roles/default.nix

@@ -1,63 +0,0 @@
-{
-  config,
-  pkgs,
-  lib,
-  ...
-}:
-
-let
-  cfg = config.clan.localsend;
-in
-{
-  # Integration can be improved, if the following issues get implemented:
-  # - cli frontend: https://github.com/localsend/localsend/issues/11
-  # - ipv6 support: https://github.com/localsend/localsend/issues/549
-  options.clan.localsend = {
-
-    displayName = lib.mkOption {
-      type = lib.types.nullOr lib.types.str;
-      default = null;
-      description = "The name that localsend will use to display your instance.";
-    };
-
-    package = lib.mkPackageOption pkgs "localsend" { };
-
-    ipv4Addr = lib.mkOption {
-      type = lib.types.nullOr lib.types.str;
-      default = null;
-      example = "192.168.56.2/24";
-      description = "Optional IPv4 address for ZeroTier network.";
-    };
-  };
-
-  imports = [
-    (lib.mkRemovedOptionModule [
-      "clan"
-      "localsend"
-      "enable"
-    ] "Importing the module will already enable the service.")
-  ];
-  config = {
-    clan.core.state.localsend.folders = [
-      "/var/localsend"
-    ];
-    environment.systemPackages = [
-      (pkgs.callPackage ./localsend-ensure-config {
-        localsend = config.clan.localsend.package;
-        alias = config.clan.localsend.displayName;
-      })
-    ];
-
-    networking.firewall.interfaces."zt+".allowedTCPPorts = [ 53317 ];
-    networking.firewall.interfaces."zt+".allowedUDPPorts = [ 53317 ];
-
-    #TODO: This is currently needed because there is no ipv6 multicasting support yet
-    systemd.network.networks = lib.mkIf (cfg.ipv4Addr != null) {
-      "09-zerotier" = {
-        networkConfig = {
-          Address = cfg.ipv4Addr;
-        };
-      };
-    };
-  };
-}

clanModules/mycelium/README.md

@@ -1,7 +1,7 @@
 ---
 description = "End-2-end encrypted IPv6 overlay network"
 categories = ["System", "Network"]
-features = [ "inventory", "deprecated" ]
+features = [ "inventory" ]
 ---
 Mycelium is an IPv6 overlay network written in Rust. Each node that joins the overlay network will receive an overlay network IP in the 400::/7 range.
 

clanModules/packages/README.md

@@ -1,5 +1,5 @@
 ---
 description = "Define package sets from nixpkgs and install them on one or more machines"
 categories = ["System"]
-features = [ "inventory", "deprecated" ]
+features = [ "inventory" ]
 ---

clanModules/root-password/README.md

@@ -1,18 +1,16 @@
 ---
 description = "Automatically generates and configures a password for the root user."
 categories = ["System"]
-features = ["inventory", "deprecated"]
+features = [ "inventory" ]
 ---
 
-This module is deprecated and will be removed in a future release. It's functionality has been replaced by the user-password service.
-
 After the system was installed/deployed the following command can be used to display the root-password:
 
 ```bash
 clan vars get [machine_name] root-password/root-password
 ```
 
-See also: [Vars](../../guides/vars-backend.md)
+See also: [Vars](../../manual/vars-backend.md)
 
 To regenerate the password run:
 ```

clanModules/root-password/roles/default.nix

@@ -1,8 +1,6 @@
 {
-  _class,
   pkgs,
   config,
-  lib,
   ...
 }:
 {
@@ -11,13 +9,9 @@
     config.clan.core.vars.generators.root-password.files.password-hash.path;
 
   clan.core.vars.generators.root-password = {
-    files.password-hash =
-      {
-        neededFor = "users";
-      }
-      // (lib.optionalAttrs (_class == "nixos") {
-        restartUnits = lib.optional (config.services.userborn.enable) "userborn.service";
-      });
+    files.password-hash = {
+      neededFor = "users";
+    };
     files.password = {
       deploy = false;
     };
@@ -36,7 +30,7 @@
       if [[ -n "''${prompt_value-}" ]]; then
         echo "$prompt_value" | tr -d "\n" > "$out"/password
       else
-        xkcdpass --numwords 4 --delimiter - --count 1 | tr -d "\n" > "$out"/password
+        xkcdpass --numwords 3 --delimiter - --count 1 | tr -d "\n" > "$out"/password
       fi
       mkpasswd -s -m sha-512 < "$out"/password | tr -d "\n" > "$out"/password-hash
     '';