Revert "Merge pull request 'Fix deploying with sudo + password' (#3470) from target-host into main"

This reverts commit 8a849eb90f, reversing
changes made to 3b5c22ebcf.

.gitea/workflows/checks.yaml

@@ -1,6 +1,9 @@
 name: checks
 on:
   pull_request:
+  push:
+    branches:
+      - main
 jobs:
   checks-impure:
     runs-on: nix

.gitea/workflows/update-clan-core-for-checks.yml

@@ -1,53 +0,0 @@
-name: "Update pinned clan-core for checks"
-on:
-  repository_dispatch:
-  workflow_dispatch:
-  schedule:
-    - cron: "51 2 * * *"
-jobs:
-  update-pinned-clan-core:
-    runs-on: nix
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          submodules: true
-      - name: Update clan-core for checks
-        run: nix run .#update-clan-core-for-checks
-      - name: Create pull request
-        env:
-          CI_BOT_TOKEN: ${{ secrets.CI_BOT_TOKEN }}
-        run: |
-          export GIT_AUTHOR_NAME=clan-bot GIT_AUTHOR_EMAIL=clan-bot@clan.lol GIT_COMMITTER_NAME=clan-bot GIT_COMMITTER_EMAIL=clan-bot@clan.lol
-          git commit -am "Update pinned clan-core for checks"
-          git push origin +HEAD:update-clan-core-for-checks
-          set -x
-          resp=$(nix run --inputs-from . nixpkgs#curl -- -X POST \
-            -H "Authorization: token $CI_BOT_TOKEN" \
-            -H "Content-Type: application/json" \
-            -d '{
-              "head": "update-clan-core-for-checks",
-              "base": "main",
-              "title": "Update Clan Core for Checks",
-              "body": "This PR updates the pinned clan-core flake input that is used for checks."
-            }' \
-           "https://git.clan.lol/api/v1/repos/clan/clan-core/pulls")
-          pr_number=$(echo "$resp" | jq -r '.number')
-
-          # Merge when succeed
-          while true; do
-            resp=$(nix run --inputs-from . nixpkgs#curl -- -X POST \
-              -H "Authorization: token $CI_BOT_TOKEN" \
-              -H "Content-Type: application/json" \
-              -d '{
-                "Do": "merge",
-                "merge_when_checks_succeed": true,
-                "delete_branch_after_merge": true
-              }' \
-              "https://git.clan.lol/api/v1/repos/clan/clan-core/pulls/$pr_number/merge")
-            msg=$(echo $resp | jq -r '.message')
-            if [[ "$msg" != "Please try again later" ]]; then
-              break
-            fi
-            echo "Retrying in 2 seconds..."
-            sleep 2
-          done

.gitignore

@@ -1,24 +1,23 @@
 .direnv
-.nixos-test-history
+**/.nixos-test-history
-.hypothesis
+***/.hypothesis
 out.log
 .coverage.*
-qubeclan
+**/qubeclan
 pkgs/repro-hook
-testdir
+**/testdir
 democlan
 example_clan
-result*
+**/result
-/pkgs/clan-cli/clan_lib/nixpkgs
+/pkgs/clan-cli/clan_cli/nixpkgs
 /pkgs/clan-cli/clan_cli/webui/assets
 nixos.qcow2
-*.glade~
+**/*.glade~
 /docs/out
-/pkgs/clan-cli/clan_lib/select
+**/.local.env
-.local.env
 
-# macOS stuff
+# MacOS stuff
-.DS_Store
+**/.DS_store
 
 # dream2nix
 .dream2nix
@@ -46,11 +45,3 @@ dist
 
 # TODO: remove after bug in select is fixed
 select
-
-# Generated files
-pkgs/clan-app/ui/api/API.json
-pkgs/clan-app/ui/api/API.ts
-pkgs/clan-app/ui/api/Inventory.ts
-pkgs/clan-app/ui/api/modules_schemas.json
-pkgs/clan-app/ui/api/schema.json
-pkgs/clan-app/ui/.fonts

CODEOWNERS

@@ -1,2 +0,0 @@
-nixosModules/clanCore/vars/.* @lopter
-pkgs/clan-cli/clan_cli/(secrets|vars)/.* @lopter

CONTRIBUTING.md

@@ -1,4 +1,4 @@
 # Contributing to Clan
 
 <!-- Local file: docs/CONTRIBUTING.md -->
-Go to the Contributing guide at https://docs.clan.lol/guides/contributing/CONTRIBUTING
+Go to the Contributing guide at https://docs.clan.lol/manual/contribute/

README.md

@@ -24,7 +24,7 @@ If you're new to Clan and eager to dive in, start with our quickstart guide and
 
 In the Clan ecosystem, security is paramount. Learn how to handle secrets effectively:
 
-- **Secrets Management**: Securely manage secrets by consulting [secrets](https://docs.clan.lol/guides/getting-started/secrets/)<!-- [secrets.md](docs/site/guides/getting-started/secrets.md) -->.
+- **Secrets Management**: Securely manage secrets by consulting [secrets](https://docs.clan.lol/getting-started/secrets/)<!-- [secrets.md](docs/site/getting-started/secrets.md) -->.
 
 ### Contributing to Clan
 

checks/backups/flake-module.nix

@@ -147,7 +147,25 @@
   perSystem =
     { pkgs, ... }:
     let
-      clanCore = self.checks.x86_64-linux.clan-core-for-checks;
+      clanCore = self.filter {
+        include = [
+          "checks/backups"
+          "checks/flake-module.nix"
+          "clanModules/borgbackup"
+          "clanModules/flake-module.nix"
+          "clanModules/localbackup"
+          "clanModules/packages"
+          "clanModules/single-disk"
+          "clanModules/zerotier"
+          "flake.lock"
+          "flakeModules"
+          "inventory.json"
+          "nixosModules"
+          # Just include everything in 'lib'
+          # If anything changes in /lib that may affect everything
+          "lib"
+        ];
+      };
     in
     {
       checks = pkgs.lib.mkIf pkgs.stdenv.isLinux {
@@ -164,6 +182,11 @@
               # import the inventory generated nixosModules
               self.clanInternals.inventoryClass.machines.test-backup.machineImports;
             clan.core.settings.directory = ./.;
+            environment.systemPackages = [
+              (pkgs.writeShellScriptBin "foo" ''
+                echo ${clanCore}
+              '')
+            ];
           };
 
           testScript = ''

checks/borgbackup-legacy/default.nix

@@ -1,51 +0,0 @@
-(
-  { ... }:
-  {
-    name = "borgbackup";
-
-    nodes.machine =
-      { self, pkgs, ... }:
-      {
-        imports = [
-          self.clanModules.borgbackup
-          self.nixosModules.clanCore
-          {
-            services.openssh.enable = true;
-            services.borgbackup.repos.testrepo = {
-              authorizedKeys = [ (builtins.readFile ../assets/ssh/pubkey) ];
-            };
-          }
-          {
-            clan.core.settings.directory = ./.;
-            clan.core.state.testState.folders = [ "/etc/state" ];
-            environment.etc.state.text = "hello world";
-            systemd.tmpfiles.settings."vmsecrets" = {
-              "/etc/secrets/borgbackup/borgbackup.ssh" = {
-                C.argument = "${../assets/ssh/privkey}";
-                z = {
-                  mode = "0400";
-                  user = "root";
-                };
-              };
-              "/etc/secrets/borgbackup/borgbackup.repokey" = {
-                C.argument = builtins.toString (pkgs.writeText "repokey" "repokey12345");
-                z = {
-                  mode = "0400";
-                  user = "root";
-                };
-              };
-            };
-            # clan.core.facts.secretStore = "vm";
-            clan.core.vars.settings.secretStore = "vm";
-
-            clan.borgbackup.destinations.test.repo = "borg@localhost:.";
-          }
-        ];
-      };
-    testScript = ''
-      start_all()
-      machine.systemctl("start --wait borgbackup-job-test.service")
-      assert "machine-test" in machine.succeed("BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK=yes /run/current-system/sw/bin/borg-job-test list")
-    '';
-  }
-)

checks/borgbackup/default.nix

@@ -1,118 +1,51 @@
-{
+(
-  pkgs,
-  nixosLib,
-  clan-core,
-  ...
-}:
-nixosLib.runTest (
   { ... }:
   {
-    imports = [
-      clan-core.modules.nixosVmTest.clanTest
-    ];
-
-    hostPkgs = pkgs;
-
     name = "borgbackup";
 
-    clan = {
+    nodes.machine =
-      directory = ./.;
+      { self, pkgs, ... }:
-      test.useContainers = true;
+      {
-      modules."@clan/borgbackup" = ../../clanServices/borgbackup/default.nix;
+        imports = [
-      inventory = {
+          self.clanModules.borgbackup
-
+          self.nixosModules.clanCore
-        machines.clientone = { };
-        machines.serverone = { };
-
-        instances = {
-          borgone = {
-
-            module.name = "@clan/borgbackup";
-
-            roles.client.machines."clientone" = { };
-            roles.server.machines."serverone".settings.directory = "/tmp/borg-test";
-          };
-        };
-      };
-    };
-
-    nodes = {
-
-      serverone = {
-        services.openssh.enable = true;
-        # Needed so PAM doesn't see the user as locked
-        users.users.borg.password = "borg";
-      };
-
-      clientone =
-        { config, pkgs, ... }:
-        let
-          dependencies = [
-            clan-core
-            pkgs.stdenv.drvPath
-          ] ++ builtins.map (i: i.outPath) (builtins.attrValues clan-core.inputs);
-          closureInfo = pkgs.closureInfo { rootPaths = dependencies; };
-
-        in
           {
-
             services.openssh.enable = true;
-
+            services.borgbackup.repos.testrepo = {
-          users.users.root.openssh.authorizedKeys.keyFiles = [ ../assets/ssh/pubkey ];
+              authorizedKeys = [ (builtins.readFile ../assets/ssh/pubkey) ];
-
-          clan.core.networking.targetHost = config.networking.hostName;
-
-          environment.systemPackages = [ clan-core.packages.${pkgs.system}.clan-cli ];
-
-          environment.etc.install-closure.source = "${closureInfo}/store-paths";
-          nix.settings = {
-            substituters = pkgs.lib.mkForce [ ];
-            hashed-mirrors = null;
-            connect-timeout = pkgs.lib.mkForce 3;
-            flake-registry = pkgs.writeText "flake-registry" ''{"flakes":[],"version":2}'';
             };
-          system.extraDependencies = dependencies;
+          }
-
+          {
-          clan.core.state.test-backups.folders = [ "/var/test-backups" ];
+            clan.core.settings.directory = ./.;
+            clan.core.state.testState.folders = [ "/etc/state" ];
+            environment.etc.state.text = "hello world";
+            systemd.tmpfiles.settings."vmsecrets" = {
+              "/etc/secrets/borgbackup/borgbackup.ssh" = {
+                C.argument = "${../assets/ssh/privkey}";
+                z = {
+                  mode = "0400";
+                  user = "root";
                 };
-
               };
+              "/etc/secrets/borgbackup/borgbackup.repokey" = {
+                C.argument = builtins.toString (pkgs.writeText "repokey" "repokey12345");
+                z = {
+                  mode = "0400";
+                  user = "root";
+                };
+              };
+            };
+            # clan.core.facts.secretStore = "vm";
+            clan.core.vars.settings.secretStore = "vm";
 
+            clan.borgbackup.destinations.test.repo = "borg@localhost:.";
+          }
+        ];
+      };
     testScript = ''
-      import json
       start_all()
-
+      machine.systemctl("start --wait borgbackup-job-test.service")
-      machines = [clientone, serverone]
+      assert "machine-test" in machine.succeed("BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK=yes /run/current-system/sw/bin/borg-job-test list")
-
-      for m in machines:
-          m.systemctl("start network-online.target")
-
-      for m in machines:
-          m.wait_for_unit("network-online.target")
-
-      # dummy data
-      clientone.succeed("mkdir -p /var/test-backups /var/test-service")
-      clientone.succeed("echo testing > /var/test-backups/somefile")
-
-      clientone.succeed("${pkgs.coreutils}/bin/install -Dm 600 ${../assets/ssh/privkey} /root/.ssh/id_ed25519")
-      clientone.succeed("${pkgs.coreutils}/bin/touch /root/.ssh/known_hosts")
-      clientone.wait_until_succeeds("timeout 2 ssh -o StrictHostKeyChecking=accept-new localhost hostname")
-      clientone.wait_until_succeeds("timeout 2 ssh -o StrictHostKeyChecking=accept-new $(hostname) hostname")
-
-      # create
-      clientone.succeed("borgbackup-create >&2")
-      clientone.wait_until_succeeds("! systemctl is-active borgbackup-job-serverone >&2")
-
-      # list
-      backup_id = json.loads(clientone.succeed("borg-job-serverone list --json"))["archives"][0]["archive"]
-      out = clientone.succeed("borgbackup-list").strip()
-      print(out)
-      assert backup_id in out, f"backup {backup_id} not found in {out}"
-
-      # borgbackup restore
-      clientone.succeed("rm -f /var/test-backups/somefile")
-      clientone.succeed(f"NAME='serverone::borg@serverone:.::{backup_id}' borgbackup-restore >&2")
-      assert clientone.succeed("cat /var/test-backups/somefile").strip() == "testing", "restore failed"
     '';
   }
 )

checks/borgbackup/sops/machines/clientone/key.json

@@ -1,6 +0,0 @@
-[
-  {
-    "publickey": "age1tyyx2ratu8s9ugyre36xyksnquth9gxeh7wjdhvsk89rtf8yu5wq0pk04c",
-    "type": "age"
-  }
-]

checks/borgbackup/sops/secrets/clientone-age.key/secret

@@ -1,15 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:wCKoKuJo4uXycfqEUYAXDlRRMGJaWgOFiaQa4Wigs0jx1eCI80lP3cEZ1QKyrU/9m9POoZz0JlaKHcuhziTKUqaevHvGfVq2y00=,iv:pH5a90bJbK9Ro6zndNJ18qd4/rU+Tdm+y+jJZtY7UGg=,tag:9lHZJ9C/zIfy8nFrYt9JBQ==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwUDhpd1ZqbWFqR0I3dVFI\nOHlyZnFUYXJnWElrRWhoUHVNMzdKd0VrcGdRCkphQVhuYzlJV0p1MG9MSW5ncWJ3\nREp1OEJxMzQzS2MxTk9aMkJ1a3B0Q0kKLS0tIENweVJ2Tk1yeXlFc2F5cTNIV3F3\nTkRFOVZ1amRIYmg1K3hGWUFSTTl4Wk0KHJRJ7756Msod7Bsmn9SgtwRo53B8Ilp3\nhsAPv+TtdmOD8He9MvGV+BElKEXCsLUwhp/Py6n6CJCczu0VIr8owg==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-05-20T13:33:56Z",
-		"mac": "ENC[AES256_GCM,data:FyfxXhnI6o4SVGJY2e1eMDnfkbMWiCkP4JL/G4PQvzz+c7OIuz8xaa03P3VW7b7o85NP2Tln4FMNTZ0FYtQwd0kKypLUnIxAHsixAHFCv4X8ul1gtZynzgbFbmc0GkfVWW8Lf+U+vvDwT+UrEVfcmksCjdvAOwP26PvlEhYEkSw=,iv:H+VrWYL+kLOLezCZrI8ZgeCsaUdpb7LxDMiLotezVPs=,tag:B/cbPdiEFumGKQHby5inCA==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.10.2"
-	}
-}

checks/borgbackup/sops/secrets/clientone-age.key/users/admin

@@ -1 +0,0 @@
-../../../users/admin

checks/borgbackup/sops/users/admin/key.json

@@ -1,4 +0,0 @@
-{
-  "publickey": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
-  "type": "age"
-}

checks/borgbackup/vars/per-machine/clientone/borgbackup/borgbackup.repokey/machines/clientone

@@ -1 +0,0 @@
-../../../../../../sops/machines/clientone

checks/borgbackup/vars/per-machine/clientone/borgbackup/borgbackup.repokey/secret

@@ -1,19 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:52vY68gqbwiZRMUBKc9SeXR06fuKAhuAPciLpxXgEOxI,iv:Y34AVoHaZzRiFFTDbekXP1X3W8zSXJmzVCYODYkdxnY=,tag:8WQaGEHQKT/n+auHUZCE0w==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOdUFUZUZ2M00zTGlhNjF4\nL0VlMVY4Z2xMbWRWR29zZlFwdm1XRk12NGtBCnkrb3A4M3BkalMyeWdDaUdQdStt\nUWY3SXJROXdpRzN0NlBJNEpjTEZ0aFkKLS0tIGZkMGhsTXB2RnRqVHVrUFQwL2lw\nZnBreWhWa3Jrcm4yOXBiaUlPWFM1aDAKRE+Zzrja7KeANEJUbmFYuVoO3qGyi4iH\n0cfH0W8irRe9vsKMXz7YJxtByYLwRulrT8tXtElHvIEVJG0mwwaf0Q==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1tyyx2ratu8s9ugyre36xyksnquth9gxeh7wjdhvsk89rtf8yu5wq0pk04c",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsNEljUFdnQ0tTQ1IxZ2Zo\nYkc4V2dCaUk0YXh5SzlSazhsRTVKVzFvVXhFCkRyMlMxR3EyWEZIRzFQV3d2dVpz\na3NPbk9XdWR1NmtMQlZsNlBuU0NkQWMKLS0tIDlDYzMzOExVL1g5SVRHYlpUQlBV\na2lpdTUwaEd4OXhWUWxuV04xRVVKNHcK9coohAD1IoarLOXSGg3MIRXQ3BsTIA4y\nKrcS/PxITKJs7ihg93RZin70R79Qsij1RHZLKGfgGJ67i8ZCxc4N0g==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-05-20T13:33:59Z",
-		"mac": "ENC[AES256_GCM,data:eABMaIe07dwAMMlgrIUUpfpj73q1H5Keafql91MBQ5NN9Znr5lI/ennQsQsuLO8ZTCC34US/MJndliW34SqVM9y53p0jjPzqBxSKYq74iNcBz7+TxbjlY1aapgTRPr6Ta8I/5loohnxlHqjvLL70ZzfbChDN0/4jZsDVXYNfbIk=,iv:41Mz2u40JN0iE5zPUK6siaxo0rTtlk7fGWq7TF5NyUI=,tag:1A+h6XPH7DeQ6kxGDV3PgQ==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.10.2"
-	}
-}

checks/borgbackup/vars/per-machine/clientone/borgbackup/borgbackup.repokey/users/admin

@@ -1 +0,0 @@
-../../../../../../sops/users/admin

checks/borgbackup/vars/per-machine/clientone/borgbackup/borgbackup.ssh.pub/value

@@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE3clYF6BDZ0PxfDdprx7YYM4U4PKEZkWUuhpre0wb7w nixbld@kiwi

checks/borgbackup/vars/per-machine/clientone/borgbackup/borgbackup.ssh/machines/clientone

@@ -1 +0,0 @@
-../../../../../../sops/machines/clientone

checks/borgbackup/vars/per-machine/clientone/borgbackup/borgbackup.ssh/secret

@@ -1,19 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:tAjfBW75XDS8lfJCf/+9rPYH3aMjRX1nmdN5dPMxnrlhuEPM3Smv9AM93Tz36k7BKk31bUWcV/99ax+KaIK1Rzgym/CwKGGxIUziuVOEOwrCOBeOw7amZ9YGsgiLUTLIhoeO6SjfdZ4q2JxGPw7KqNfUM9kiZT01vx5JTLa24JdvBKpizbtHRlL1lappTRVt0dG2WhT9/YhQUGu9ZFqPs8+bPOBclc78qjCm2DAPgsprK+JCBuq+r+qHgAx4Ee1QHI7FC39e5NeGBTBeZfZ5d95+0klKuTx9FCPs6QRBkQ0tN29OpwzkdSuRAXGGHpzPkZ+FupbETtSQWCmnjma6jPzEl8oDUTWooKK0mUEz8icvTQvRfyM3Qt3mQpkX3e0rTEbZzoLdWCwTufP/tRQNDCWvI/NV7OjIHpNPjymqE5uPmiBpA6y6hhCH7zL1eDo11ICSIX3hkyFJH2svvFQn6oLrPAoByvNutfetKhd8z7NFpVeIOWwtuPzO7wU5M7zESHww0JF78vjFwimQYYhQ,iv:fVjeVez4dTGSrANi5ZeP9PJhsSySqeqqJzBDbd0gFW4=,tag:Aa89+bWLljxV1tlSHtpddw==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVaW94M3VwcFJ2elcrRGlv\nUGdzVk9vU2ZweFpIVVlIRUEyRVlSMlEyeHpVCnJuV0xIS3hMLy9IbG92S0pvL2RP\nL0J0WkVuWVhQdldHekdYNTVXdFkrUlEKLS0tIFQzdGErZVBwQUFNMXErbDBQVURZ\naHlsY2hDa1Zud1E2dFh0ZHl4VEJ2S0kKVABqwRcCUTcsBInfo9CpFtoM3kl4KMyU\nGXDjHOSjlX5df7OKZAvYukgX7Q2penvq+Fq4fa4A1Cmkqga7cHdJ+A==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1tyyx2ratu8s9ugyre36xyksnquth9gxeh7wjdhvsk89rtf8yu5wq0pk04c",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnbHRSVEg3Vi9qTnAwWGF6\nbEdIR2gvZ2laZnJMbVF3NjcvN25OdXF3WXowCnVUODdEa1NWU3JISXlrNldOMjVi\ndUlMTVdBaWxvZHlwSTdJY3NCcll4SjAKLS0tIEp6ZVlDTklqVXdNYzJ2dElCR21o\nUWphMDdyVVppVnFHOVlHZTNtajZzOXMKRB61lUrAkUXSYl3ffOOK8k4QgLA4bFln\naQ7GOol8f8W5H68zXBMZrhjP6k4kZDfknc9jgyoWM7jaZNSWC5J19Q==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-05-20T13:33:59Z",
-		"mac": "ENC[AES256_GCM,data:NjVpDweqxTSQGt9VKR/CMfvbvHQJHCi8P7XbOuKLZKQ4GVoeZ5r4PsC6nxKHHikN6YL1oJCmaSxr0mJRk/sFZg/+wdW8L7F5aQeFRiWo9jCjH0MDMnfiu5a0xjRt21uPl/7LUJ9jNon5nyxPTlZMeYSvTP2Q9spnNuN8vqipP68=,iv:DPvbN9IvWiUfxiJk6mey/us8N1GGVJcSJrT8Bty4kB4=,tag:+emK8uSkfIGUXoYpaWeu3A==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.10.2"
-	}
-}

checks/borgbackup/vars/per-machine/clientone/borgbackup/borgbackup.ssh/users/admin

@@ -1 +0,0 @@
-../../../../../../sops/users/admin

checks/clan-core-for-checks.nix

@@ -1,6 +0,0 @@
-{ fetchgit }:
-fetchgit {
-  url = "https://git.clan.lol/clan/clan-core.git";
-  rev = "13a9b1719835ef4510e4adb6941ddfe9a91d41cb";
-  sha256 = "sha256-M+pLnpuX+vIsxTFtbBZaNA1OwGQPeSbsMbTiDl1t4vY=";
-}

checks/data-mesher/default.nix

@@ -1,10 +1,13 @@
 {
   pkgs,
-  nixosLib,
+  self,
-  clan-core,
+  clanLib,
-  lib,
   ...
 }:
+clanLib.test.makeTestClan {
+  inherit pkgs self;
+  nixosTest = (
+    { lib, ... }:
     let
       machines = [
         "admin"
@@ -12,14 +15,7 @@ let
         "signer"
       ];
     in
-nixosLib.runTest (
-  { ... }:
     {
-    imports = [
-      clan-core.modules.nixosVmTest.clanTest
-    ];
-
-    hostPkgs = pkgs;
       name = "data-mesher";
 
       clan = {
@@ -86,4 +82,5 @@ nixosLib.runTest (
           })
       '';
     }
-)
+  );
+}

checks/deltachat/default.nix

@@ -0,0 +1,28 @@
+(import ../lib/container-test.nix) (
+  { pkgs, ... }:
+  {
+    name = "deltachat";
+
+    nodes.machine =
+      { self, ... }:
+      {
+        imports = [
+          self.clanModules.deltachat
+          self.nixosModules.clanCore
+          {
+            clan.core.settings.directory = ./.;
+          }
+        ];
+      };
+    testScript = ''
+      start_all()
+      machine.wait_for_unit("maddy")
+      # imap
+      machine.succeed("${pkgs.netcat}/bin/nc -z -v ::1 143")
+      # smtp submission
+      machine.succeed("${pkgs.netcat}/bin/nc -z -v ::1 587")
+      # smtp
+      machine.succeed("${pkgs.netcat}/bin/nc -z -v ::1 25")
+    '';
+  }
+)

checks/dummy-inventory-test-from-flake/default.nix

@@ -1,66 +0,0 @@
-{
-  pkgs,
-  nixosLib,
-  clan-core,
-  ...
-}:
-
-nixosLib.runTest (
-  { hostPkgs, config, ... }:
-  {
-    imports = [
-      clan-core.modules.nixosVmTest.clanTest
-    ];
-
-    hostPkgs = pkgs;
-
-    # This tests the compatibility of the inventory
-    # With the test framework
-    # - legacy-modules
-    # - clan.service modules
-    name = "dummy-inventory-test-from-flake";
-
-    clan.test.fromFlake = ./.;
-
-    extraPythonPackages = _p: [
-      clan-core.legacyPackages.${hostPkgs.system}.setupNixInNixPythonPackage
-    ];
-
-    testScript =
-      { nodes, ... }:
-      ''
-        from setup_nix_in_nix import setup_nix_in_nix # type: ignore[import-untyped]
-        setup_nix_in_nix()
-
-        def run_clan(cmd: list[str], **kwargs) -> str:
-            import subprocess
-            clan = "${clan-core.packages.${hostPkgs.system}.clan-cli}/bin/clan"
-            clan_args = ["--flake", "${config.clan.test.flakeForSandbox}"]
-            return subprocess.run(
-                ["${hostPkgs.util-linux}/bin/unshare", "--user", "--map-user", "1000", "--map-group", "1000", clan, *cmd, *clan_args],
-                **kwargs,
-                check=True,
-            ).stdout
-
-        start_all()
-        admin1.wait_for_unit("multi-user.target")
-        peer1.wait_for_unit("multi-user.target")
-        # Provided by the legacy module
-        print(admin1.succeed("systemctl status dummy-service"))
-        print(peer1.succeed("systemctl status dummy-service"))
-
-        # peer1 should have the 'hello' file
-        peer1.succeed("cat ${nodes.peer1.clan.core.vars.generators.new-service.files.not-a-secret.path}")
-
-        ls_out = peer1.succeed("ls -la ${nodes.peer1.clan.core.vars.generators.new-service.files.a-secret.path}")
-        # Check that the file is owned by 'nobody'
-        assert "nobody" in ls_out, f"File is not owned by 'nobody': {ls_out}"
-        # Check that the file is in the 'users' group
-        assert "users" in ls_out, f"File is not in the 'users' group: {ls_out}"
-        # Check that the file is in the '0644' mode
-        assert "-rw-r--r--" in ls_out, f"File is not in the '0644' mode: {ls_out}"
-
-        run_clan(["machines", "list"])
-      '';
-  }
-)

checks/dummy-inventory-test-from-flake/flake.nix

@@ -1,70 +0,0 @@
-{
-  inputs.clan-core.url = "https://git.clan.lol/clan/clan-core/archive/main.tar.gz";
-  inputs.nixpkgs.follows = "clan-core/nixpkgs";
-
-  outputs =
-    { self, clan-core, ... }:
-    let
-      # Usage see: https://docs.clan.lol
-      clan = clan-core.clanLib.buildClan {
-        inherit self;
-
-        inventory =
-          { ... }:
-          {
-            meta.name = "foo";
-            machines.peer1 = { };
-            machines.admin1 = { };
-            services = {
-              legacy-module.default = {
-                roles.peer.machines = [ "peer1" ];
-                roles.admin.machines = [ "admin1" ];
-              };
-            };
-
-            instances."test" = {
-              module.name = "new-service";
-              roles.peer.machines.peer1 = { };
-            };
-
-            modules = {
-              legacy-module = ./legacy-module;
-            };
-          };
-
-        modules.new-service = {
-          _class = "clan.service";
-          manifest.name = "new-service";
-          roles.peer = { };
-          perMachine = {
-            nixosModule = {
-              # This should be generated by:
-              # nix run .#generate-test-vars -- checks/dummy-inventory-test dummy-inventory-test
-              clan.core.vars.generators.new-service = {
-                files.not-a-secret = {
-                  secret = false;
-                  deploy = true;
-                };
-                files.a-secret = {
-                  secret = true;
-                  deploy = true;
-                  owner = "nobody";
-                  group = "users";
-                  mode = "0644";
-                };
-                script = ''
-                  # This is a dummy script that does nothing
-                  echo -n "not-a-secret" > $out/not-a-secret
-                  echo -n "a-secret" > $out/a-secret
-                '';
-              };
-            };
-          };
-        };
-      };
-    in
-    {
-      # all machines managed by Clan
-      inherit (clan) nixosConfigurations nixosModules clanInternals;
-    };
-}

checks/dummy-inventory-test-from-flake/legacy-module/README.md

@@ -1,10 +0,0 @@
----
-description = "Set up dummy-module"
-categories = ["System"]
-features = [ "inventory" ]
-
-[constraints]
-roles.admin.min = 1
-roles.admin.max = 1
----
-

checks/dummy-inventory-test-from-flake/legacy-module/roles/admin.nix

@@ -1,5 +0,0 @@
-{
-  imports = [
-    ../shared.nix
-  ];
-}

checks/dummy-inventory-test-from-flake/legacy-module/roles/peer.nix

@@ -1,5 +0,0 @@
-{
-  imports = [
-    ../shared.nix
-  ];
-}

checks/dummy-inventory-test-from-flake/legacy-module/shared.nix

@@ -1,34 +0,0 @@
-{ config, ... }:
-{
-  systemd.services.dummy-service = {
-    enable = true;
-    description = "Dummy service";
-    wantedBy = [ "multi-user.target" ];
-    serviceConfig = {
-      Type = "oneshot";
-      RemainAfterExit = true;
-    };
-    script = ''
-      generated_password_path="${config.clan.core.vars.generators.dummy-generator.files.generated-password.path}"
-      if [ ! -f "$generated_password_path" ]; then
-        echo "Generated password file not found: $generated_password_path"
-        exit 1
-      fi
-      host_id_path="${config.clan.core.vars.generators.dummy-generator.files.host-id.path}"
-      if [ ! -e "$host_id_path" ]; then
-        echo "Host ID file not found: $host_id_path"
-        exit 1
-      fi
-    '';
-  };
-
-  # TODO: add and prompt and make it work in the test framework
-  clan.core.vars.generators.dummy-generator = {
-    files.host-id.secret = false;
-    files.generated-password.secret = true;
-    script = ''
-      echo $RANDOM > "$out"/host-id
-      echo $RANDOM > "$out"/generated-password
-    '';
-  };
-}

checks/dummy-inventory-test-from-flake/sops/machines/admin1/key.json

@@ -1,6 +0,0 @@
-[
-  {
-    "publickey": "age12yt078p9ewxy2sh0a36nxdpgglv8wqqftmj4dkj9rgy5fuyn4p0q5nje9m",
-    "type": "age"
-  }
-]

checks/dummy-inventory-test-from-flake/sops/machines/peer1/key.json

@@ -1,6 +0,0 @@
-[
-  {
-    "publickey": "age12w2ld4vxfyf3hdq2d8la4cu0tye4pq97egvv3me4wary7xkdnq2snh0zx2",
-    "type": "age"
-  }
-]

checks/dummy-inventory-test-from-flake/sops/secrets/admin1-age.key/secret

@@ -1,15 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:GPpsUhSzWPtTP8EUNKsobFXjYqDldhkkIH6hBk11RsDLAGWdhVrwcISGbhsWpYhvAdPKA84DB6Zqyh9lL2bLM9//ybC1kzY20BQ=,iv:NrxMLdedT2FCkUAD00SwsAHchIsxWvqe7BQekWuJcxw=,tag:pMDXcMyHnLF2t3Qhb1KolA==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzb2tWb1ExKzdmUTRzaGVj\nK3cyYTBHZTJwVjM1SzUvbHFiMnVhY05iKzFZCnJTSE1VSVdpcUFLSEJuaE1CZzJD\nWjZxYzN2cUltdThNMVRKU3FIb20vUXMKLS0tIFlHQXRIdnMybDZFUVEzWlQrc1dw\nbUxhZURXblhHd0pka0JIK1FTZEVqdUEKI/rfxQRBc+xGRelhswkJQ9GcZs6lzfgy\nuCxS5JI9npdPLQ/131F3b21+sP5YWqks41uZG+vslM1zQ+BlENNhDw==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-05-04T12:44:13Z",
-		"mac": "ENC[AES256_GCM,data:fWxLHXBWolHVxv6Q7utcy6OVLV13ziswrIYyNKiwy1vsU8i7xvvuGO1HlnE+q43D2WuHR53liKq1UHuf1JMrWzTwZ0PYe+CVugtoEtbR2qu3rK/jAkOyMyhmmHzmf6Rp4ZMCzKgZeC/X2bDKY/z0firHAvjWydEyogutHpvtznM=,iv:OQI3FfkLneqbdztAXVQB3UkHwDPK+0hWu5hZ9m8Oczg=,tag:em6GfS2QHsXs391QKPxfmA==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.10.2"
-	}
-}

checks/dummy-inventory-test-from-flake/sops/secrets/admin1-age.key/users/admin

@@ -1 +0,0 @@
-../../../users/admin

checks/dummy-inventory-test-from-flake/sops/secrets/peer1-age.key/secret

@@ -1,15 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:W3cOkUYL5/YulW2pEISyTlMaA/t7/WBE7BoCdFlqrqgaCL7tG4IV2HgjiPWzIVMs0zvDSaghdEvAIoB4wOf470d1nSWs0/E8SDk=,iv:wXXaZIw3sPY8L/wxsu7+C5v+d3RQRuwxZRP4YLkS8K4=,tag:HeK4okj7O7XDA9JDz2KULw==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxRC83b3dtSVpXcGovNnVs\nTzFka2J2MEFhYkF1ajVrdjMrNUtPWGRObjM4Cm5zSUR5OGw0T0FaL3BaWmR6L29W\nU2syMFIyMUhFRUZpWFpCT28vWko2ZU0KLS0tIFpHK3BjU1V1L0FrMGtwTGFuU3Mz\nRkV5VjI2Vndod202bUR3RWQwNXpmVzQKNk8/y7M62wTIIKqY4r3ZRk5aUCRUfine\n1LUSHMKa2bRe+hR7nS7AF4BGXp03h2UPY0FP5+U5q8XuIj1jfMX8kg==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-05-04T12:44:16Z",
-		"mac": "ENC[AES256_GCM,data:yTkQeFvKrN1+5FP+yInsaRWSAG+ZGG0uWF3+gVRvzJTFxab8kT2XkAMc+4D7SKgcjsmwBBb77GNoAKaKByhZ92UaCfZ2X66i7ZmYUwLM1NVVmm+xiwwjsh7PJXlZO/70anTzd1evtlZse0jEmRnV5Y0F0M6YqXmuwU+qGUJU2F8=,iv:sy6ozhXonWVruaQfa7pdEoV5GkNZR/UbbINKAPbgWeg=,tag:VMruQ1KExmlMR7TsGNgMlg==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.10.2"
-	}
-}

checks/dummy-inventory-test-from-flake/sops/secrets/peer1-age.key/users/admin

@@ -1 +0,0 @@
-../../../users/admin

checks/dummy-inventory-test-from-flake/sops/users/admin/key.json

@@ -1,4 +0,0 @@
-{
-  "publickey": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
-  "type": "age"
-}

checks/dummy-inventory-test-from-flake/vars/per-machine/admin1/dummy-generator/generated-password/machines/admin1

@@ -1 +0,0 @@
-../../../../../../sops/machines/admin1

checks/dummy-inventory-test-from-flake/vars/per-machine/admin1/dummy-generator/generated-password/secret

@@ -1,19 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:T8edCvw=,iv:7/G5xt5fv38I9uFzk7WMIr9xQdz/6lFxqOC+18HBg8Q=,tag:F39Cxbgmzml+lZLsZ59Kmg==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age12yt078p9ewxy2sh0a36nxdpgglv8wqqftmj4dkj9rgy5fuyn4p0q5nje9m",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPNUhiYkZWK3dPMHNiRTVM\nRHNvaHFsOFp1c0UxQitwVG0zY01MNDZRV1E4CjEybENoTVIzN29vQ3FtUTRSYmFU\nNXIzQllVSllXRGN2M1B6WXJLdHZSajgKLS0tIDllZ0ZmZUcxMHhDQUpUOEdWbmkv\neUQweHArYTdFSmNteVpuQ3BKdnh0Y0UKs8Hm3D+rXRRfpUVSZM3zYjs6b9z8g10D\nGTkvreUMim4CS22pjdQ3eNA9TGeDXfWXE7XzwXLCb+wVcf7KwbDmvg==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKSDhpT3cvck9PenZYVEZH\ndFQreVRBdG93L1dBUGlvYjFWcDlHWUJsZUVBCm9DMTJ4UytiYzlEVHNWdUcwS1ds\nT0dhbzAzNDdmbDBCU0dvL2xNeHpXcGsKLS0tIFArbmpsbzU3WnpJdUt1MGN0L1d0\nV1JkTDJYWUxsbmhTQVNOeVRaSUhTODQKk9Vph2eldS5nwuvVX0SCsxEm4B+sO76Z\ndIjJ3OQxzoZmXMaOOuKHC5U0Y75Qn7eXC43w5KHsl2CMIUYsBGJOZw==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-05-04T12:44:14Z",
-		"mac": "ENC[AES256_GCM,data:6fKrS1eLLUWlHkQpxLFXBRk6f2wa5ADLMViVvYXXGU24ayl9UuNSKrCRHp9cbzhqhti3HdwyNt6TM+2X6qhiiAQanKEB2PF7JRYX74NfNKil9BEDjt5AqqtpSgVv5l7Ku/uSHaPkd2sDmzHsy5Q4bSGxJQokStk1kidrwle+mbc=,iv:I/Aad82L/TCxStM8d8IZICUrwdjRbGx2fuGWqexr21o=,tag:BfgRbGUxhPZzK2fLik1kxA==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.10.2"
-	}
-}

checks/dummy-inventory-test-from-flake/vars/per-machine/admin1/dummy-generator/generated-password/users/admin

@@ -1 +0,0 @@
-../../../../../../sops/users/admin

checks/dummy-inventory-test-from-flake/vars/per-machine/admin1/dummy-generator/host-id/value

@@ -1 +0,0 @@
-18650

checks/dummy-inventory-test-from-flake/vars/per-machine/peer1/dummy-generator/generated-password/machines/peer1

@@ -1 +0,0 @@
-../../../../../../sops/machines/peer1

checks/dummy-inventory-test-from-flake/vars/per-machine/peer1/dummy-generator/generated-password/secret

@@ -1,19 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:vp0yW0Gt,iv:FO2cy+UpEl5aRay/LUGu//c82QiVxuKuGSaVh0rGJvc=,tag:vf2RAOPpcRW0HwxHoGy17A==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age12w2ld4vxfyf3hdq2d8la4cu0tye4pq97egvv3me4wary7xkdnq2snh0zx2",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjaFVNMEd2YUxpSm5XVVRi\nY2ZUc3NTOStJUFNMWWVPQTgxZ2tCK1QrMW1ZCjYwMlA4dkIzSlc0TGtvZjcyK3Bi\nM3pob2JOOFUyeVJ6M2JpaTRCZlc1R0kKLS0tIDJMb1dFcVRWckhwYWNCQng0RlFO\nTkw3OGt4dkFIZVY5aVEzZE5mMzJSM0EKUv8bUqg48L2FfYVUVlpXvyZvPye699of\nG6PcjLh1ZMbNCfnsCzr+P8Vdk/F4J/ifxL66lRGfu2xOLxwciwQ+5Q==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnZ2dDbVhoQngxM3lTSmZF\nUTAwS1lCTGhEMU1GVXpFUzlIUFdqZy9LajF3Ck9mdVpBRjlyVUNhZXZIUFZjUzF1\nNlhFN28vNmwzcUVkNmlzUnpkWjJuZE0KLS0tIHpXVHVlNk9vU1ZPTGRrYStWbmRO\nbDM4U2o1SlEwYWtqOXBqd3BFUTAvMHcKkI8UVd0v+x+ELZ5CoGq9DzlA6DnVNU2r\nrV9wLfbFd7RHxS0/TYZh5tmU42nO3iMYA9FqERQXCtZgXS9KvfqHwQ==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-05-04T12:44:18Z",
-		"mac": "ENC[AES256_GCM,data:1ZZ+ZI1JsHmxTov1bRijfol3kTkyheg2o3ivLsMHRhCmScsUry97hQJchF78+y2Izt7avaQEHYn6pVbYt/0rLrSYD7Ru7ITVxXoYHOiN5Qb98masUzpibZjrdyg5nO+LW5/Hmmwsc3yn/+o3IH1AUYpsxlJRdnHHCmoSOFaiFFM=,iv:OQlgmpOTw4ljujNzqwQ5/0Mz8pQpCSUtqRvj3FJAxDs=,tag:foZvdeW7gK9ZVKkWqnlxGA==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.10.2"
-	}
-}

checks/dummy-inventory-test-from-flake/vars/per-machine/peer1/dummy-generator/generated-password/users/admin

@@ -1 +0,0 @@
-../../../../../../sops/users/admin

checks/dummy-inventory-test-from-flake/vars/per-machine/peer1/dummy-generator/host-id/value

@@ -1 +0,0 @@
-6745

checks/dummy-inventory-test-from-flake/vars/per-machine/peer1/new-service/a-secret/machines/peer1

@@ -1 +0,0 @@
-../../../../../../sops/machines/peer1

checks/dummy-inventory-test-from-flake/vars/per-machine/peer1/new-service/a-secret/secret

@@ -1,19 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:prFl0EJy8bM=,iv:zITWxf+6Ebk0iB5vhhd7SBQa1HFrIJXm8xpSM+D9I0M=,tag:NZCRMCs1SzNKLBu/KUDKMQ==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age12w2ld4vxfyf3hdq2d8la4cu0tye4pq97egvv3me4wary7xkdnq2snh0zx2",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0S0RZRWxaZVZvTUhjdWVL\naU9WZmtEcm1qa2JsRmdvdmZmNENMaWFEVUFRCmdoVnRXSGlpRlFjNmVVbDJ5VnFT\nMnVJUlVnM3lxNmZCRTdoRVJ4NW1oYWcKLS0tIFFNbXBFUk1RWnlUTW1SeG1vYzlM\nVVpEclFVOE9PWWQxVkZ0eEgwWndoRWcKDAOHe+FIxqGsc6LhxMy164qjwG6t2Ei2\nP0FSs+bcKMDpudxeuxCjnDm/VoLxOWeuqkB+9K2vSm2W/c/fHTSbrA==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2VU5jOEpwYUtDVEVFcVpU\nQkExTVZ3ejZHcGo5TG8zdUQwNktoV09WdUZvCmQ0dE1TOWRFbTlxdVd4WWRxd3VF\nQUNTTkNNT3NKYjQ5dEJDY0xVZ3pZVUUKLS0tIDFjajRZNFJZUTdNeS8yN05FMFZU\ncEtjRjhRbGE0MnRLdk10NkFLMkxqencKGzJ66dHluIghH04RV/FccfEQP07yqnfb\n25Hi0XIVJfXBwje4UEyszrWTxPPwVXdQDQmoNKf76Qy2jYqJ56uksw==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-05-04T12:44:20Z",
-		"mac": "ENC[AES256_GCM,data:FIkilsni5kOdNlVwDuLsQ/zExypHRWdqIBQDNWMLTwe8OrsNPkX+KYutUvt9GaSoGv4iDULaMRoizO/OZUNfc2d8XYSdj0cxOG1Joov4GPUcC/UGyNuQneAejZBKolvlnidKZArofnuK9g+lOTANEUtEXUTnx8L+VahqPZayQas=,iv:NAo6sT3L8OOB3wv1pjr3RY2FwXgVmZ4N0F4BEX4YPUY=,tag:zHwmXygyvkdpASZCodQT9Q==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.10.2"
-	}
-}

checks/dummy-inventory-test-from-flake/vars/per-machine/peer1/new-service/a-secret/users/admin

@@ -1 +0,0 @@
-../../../../../../sops/users/admin

checks/dummy-inventory-test-from-flake/vars/per-machine/peer1/new-service/not-a-secret/value

@@ -1 +0,0 @@
-not-a-secret

checks/dummy-inventory-test/default.nix

@@ -1,18 +1,14 @@
 {
   pkgs,
-  nixosLib,
+  self,
-  clan-core,
+  clanLib,
   ...
 }:
-nixosLib.runTest (
+clanLib.test.makeTestClan {
+  inherit pkgs self;
+  nixosTest = (
     { ... }:
     {
-    imports = [
-      clan-core.modules.nixosVmTest.clanTest
-    ];
-
-    hostPkgs = pkgs;
-
       # This tests the compatibility of the inventory
       # With the test framework
       # - legacy-modules
@@ -30,7 +26,6 @@ nixosLib.runTest (
               roles.admin.machines = [ "admin1" ];
             };
           };
-
           instances."test" = {
             module.name = "new-service";
             roles.peer.machines.peer1 = { };
@@ -38,38 +33,30 @@ nixosLib.runTest (
 
           modules = {
             legacy-module = ./legacy-module;
-        };
+            new-service = {
-      };
-      modules.new-service = {
               _class = "clan.service";
               manifest.name = "new-service";
               roles.peer = { };
               perMachine = {
                 nixosModule = {
                   # This should be generated by:
-            # nix run .#generate-test-vars -- checks/dummy-inventory-test dummy-inventory-test
+                  # ./pkgs/scripts/update-vars.py
                   clan.core.vars.generators.new-service = {
-              files.not-a-secret = {
+                    files.hello = {
                       secret = false;
                       deploy = true;
                     };
-              files.a-secret = {
-                secret = true;
-                deploy = true;
-                owner = "nobody";
-                group = "users";
-                mode = "0644";
-              };
                     script = ''
                       # This is a dummy script that does nothing
-                echo -n "not-a-secret" > $out/not-a-secret
+                      echo "This is a dummy script" > $out/hello
-                echo -n "a-secret" > $out/a-secret
                     '';
                   };
                 };
               };
             };
           };
+        };
+      };
 
       testScript =
         { nodes, ... }:
@@ -82,15 +69,8 @@ nixosLib.runTest (
           print(peer1.succeed("systemctl status dummy-service"))
 
           # peer1 should have the 'hello' file
-        peer1.succeed("cat ${nodes.peer1.clan.core.vars.generators.new-service.files.not-a-secret.path}")
+          peer1.succeed("cat ${nodes.peer1.clan.core.vars.generators.new-service.files.hello.path}")
-
-        ls_out = peer1.succeed("ls -la ${nodes.peer1.clan.core.vars.generators.new-service.files.a-secret.path}")
-        # Check that the file is owned by 'nobody'
-        assert "nobody" in ls_out, f"File is not owned by 'nobody': {ls_out}"
-        # Check that the file is in the 'users' group
-        assert "users" in ls_out, f"File is not in the 'users' group: {ls_out}"
-        # Check that the file is in the '0644' mode
-        assert "-rw-r--r--" in ls_out, f"File is not in the '0644' mode: {ls_out}"
         '';
     }
-)
+  );
+}

checks/dummy-inventory-test/sops/machines/admin1/key.json

@@ -1,6 +1,6 @@
 [
   {
-    "publickey": "age12yt078p9ewxy2sh0a36nxdpgglv8wqqftmj4dkj9rgy5fuyn4p0q5nje9m",
+    "publickey": "age1hd2exjq88h7538y6mvjvexx3u5gp6a03yfn5nj32h2667yyksyaqcuk5qs",
     "type": "age"
   }
 ]

checks/dummy-inventory-test/sops/machines/peer1/key.json

@@ -1,6 +1,6 @@
 [
   {
-    "publickey": "age12w2ld4vxfyf3hdq2d8la4cu0tye4pq97egvv3me4wary7xkdnq2snh0zx2",
+    "publickey": "age19urkt89q45a2wk6a4yaramzufjtnw6nq2snls0v7hmf7tqf73axsfx50tk",
     "type": "age"
   }
 ]

checks/dummy-inventory-test/sops/secrets/admin1-age.key/secret

@@ -1,15 +1,15 @@
 {
-	"data": "ENC[AES256_GCM,data:GPpsUhSzWPtTP8EUNKsobFXjYqDldhkkIH6hBk11RsDLAGWdhVrwcISGbhsWpYhvAdPKA84DB6Zqyh9lL2bLM9//ybC1kzY20BQ=,iv:NrxMLdedT2FCkUAD00SwsAHchIsxWvqe7BQekWuJcxw=,tag:pMDXcMyHnLF2t3Qhb1KolA==,type:str]",
+	"data": "ENC[AES256_GCM,data:hhuFgZcPqht0h3tKxGtheS4GlrVDo4TxH0a9lxgPYj2i12QUmE04rB07A+hu4Z8WNWLYvdM5069mEOZYm3lSeTzBHQPxYZRuVj0=,iv:sA1srRFQqsMlJTAjFcb09tI/Jg2WjOVJL5NZkPwiLoU=,tag:6xXo9FZpmAJw6hCBsWzf8Q==,type:str]",
 	"sops": {
 		"age": [
 			{
 				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzb2tWb1ExKzdmUTRzaGVj\nK3cyYTBHZTJwVjM1SzUvbHFiMnVhY05iKzFZCnJTSE1VSVdpcUFLSEJuaE1CZzJD\nWjZxYzN2cUltdThNMVRKU3FIb20vUXMKLS0tIFlHQXRIdnMybDZFUVEzWlQrc1dw\nbUxhZURXblhHd0pka0JIK1FTZEVqdUEKI/rfxQRBc+xGRelhswkJQ9GcZs6lzfgy\nuCxS5JI9npdPLQ/131F3b21+sP5YWqks41uZG+vslM1zQ+BlENNhDw==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGaGVHeTgrN3dJQ2VITFBM\neWVzbDhjb0pwNUhBUjdUc0p5OTVta1dvSno4ClJxeUc4Z0hiaFRkVlJ1YTA4Lyta\neWdwV005WGYvMUNRVG1qOVdicTk0NUkKLS0tIFQvaDNFS1JMSFlHRXlhc3lsZm03\nYVhDaHNsam5wN1VqdzA3WTZwM1JwV2sKZk/SiZJgjllADdfHLSWuQcU4+LttDpt/\nqqDUATEuqYaALljC/y3COT+grTM2bwGjj6fsfsfiO/EL9iwzD3+7oA==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2025-05-04T12:44:13Z",
+		"lastmodified": "2025-04-09T15:10:16Z",
-		"mac": "ENC[AES256_GCM,data:fWxLHXBWolHVxv6Q7utcy6OVLV13ziswrIYyNKiwy1vsU8i7xvvuGO1HlnE+q43D2WuHR53liKq1UHuf1JMrWzTwZ0PYe+CVugtoEtbR2qu3rK/jAkOyMyhmmHzmf6Rp4ZMCzKgZeC/X2bDKY/z0firHAvjWydEyogutHpvtznM=,iv:OQI3FfkLneqbdztAXVQB3UkHwDPK+0hWu5hZ9m8Oczg=,tag:em6GfS2QHsXs391QKPxfmA==,type:str]",
+		"mac": "ENC[AES256_GCM,data:xuXj4833G6nhvcRo2ekDxz8G5phltmU8h1GgGofH9WndzrqLKeRSqm/n03IHRW0f4F68XxnyAkfvokVh6vW3LRQAFkqIlXz5U4+zFNcaVaPobS5gHTgxsCoTUoalWPvHWtXd50hUVXeAt8rPfTfeveVGja8bOERk8mvwUPxb6h4=,iv:yP1usA9m8tKl6Z/UK9PaVMJlZlF5qpY4EiM4+ByVlik=,tag:8DgoIhLstp3MRki90VfEvw==,type:str]",
 		"unencrypted_suffix": "_unencrypted",
-		"version": "3.10.2"
+		"version": "3.10.1"
 	}
 }

checks/dummy-inventory-test/sops/secrets/peer1-age.key/secret

@@ -1,15 +1,15 @@
 {
-	"data": "ENC[AES256_GCM,data:W3cOkUYL5/YulW2pEISyTlMaA/t7/WBE7BoCdFlqrqgaCL7tG4IV2HgjiPWzIVMs0zvDSaghdEvAIoB4wOf470d1nSWs0/E8SDk=,iv:wXXaZIw3sPY8L/wxsu7+C5v+d3RQRuwxZRP4YLkS8K4=,tag:HeK4okj7O7XDA9JDz2KULw==,type:str]",
+	"data": "ENC[AES256_GCM,data:rwPhbayGf6mE1E9NCN+LuL7VfWWOfhoJW6H2tNSoyebtyTpM3GO2jWca1+N7hI0juhNkUk+rIsYQYbCa/5DZQiV0/2Jgu4US1XY=,iv:B5mcaQsDjb6BacxGB4Kk88/qLCpVOjQNRvGN+fgUiEo=,tag:Uz0A8kAF5NzFetbv9yHIjQ==,type:str]",
 	"sops": {
 		"age": [
 			{
 				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxRC83b3dtSVpXcGovNnVs\nTzFka2J2MEFhYkF1ajVrdjMrNUtPWGRObjM4Cm5zSUR5OGw0T0FaL3BaWmR6L29W\nU2syMFIyMUhFRUZpWFpCT28vWko2ZU0KLS0tIFpHK3BjU1V1L0FrMGtwTGFuU3Mz\nRkV5VjI2Vndod202bUR3RWQwNXpmVzQKNk8/y7M62wTIIKqY4r3ZRk5aUCRUfine\n1LUSHMKa2bRe+hR7nS7AF4BGXp03h2UPY0FP5+U5q8XuIj1jfMX8kg==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWY0hKQ1dnV0tMYytDMCtj\nTDV4Zk5NeVN0bCtqaWRQV3d4M0VlcGVZMkhZCm02dHZyOGVlYzJ5Z3FlUWNXMVQ0\nb2ZrTXZQRzRNdzFDeWZCVGhlTS9rMm8KLS0tIEJkY1QwOENRYWw3cjIwd3I0bzdz\nOEtQNm1saE5wNWt2UUVnYlN4NWtGdFkKmWHU5ttZoQ3NZu/zkX5VxfC2sMpSOyod\neb7LRhFqPfo5N1XphJcCqr5QUoZOfnH0xFhZ2lxWUS3ItiRpU4VDwg==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2025-05-04T12:44:16Z",
+		"lastmodified": "2025-04-09T15:10:41Z",
-		"mac": "ENC[AES256_GCM,data:yTkQeFvKrN1+5FP+yInsaRWSAG+ZGG0uWF3+gVRvzJTFxab8kT2XkAMc+4D7SKgcjsmwBBb77GNoAKaKByhZ92UaCfZ2X66i7ZmYUwLM1NVVmm+xiwwjsh7PJXlZO/70anTzd1evtlZse0jEmRnV5Y0F0M6YqXmuwU+qGUJU2F8=,iv:sy6ozhXonWVruaQfa7pdEoV5GkNZR/UbbINKAPbgWeg=,tag:VMruQ1KExmlMR7TsGNgMlg==,type:str]",
+		"mac": "ENC[AES256_GCM,data:pab0G2GPjgs59sbiZ8XIV5SdRtq5NPU0yq18FcqiMV8noAL94fyVAY7fb+9HILQWQsEjcykgk9mA2MQ0KpK/XG8+tDQKcBH+F+2aQnw5GJevXmfi7KLTU0P224SNo7EnKlfFruB/+NZ0WBtkbbg1OzekrbplchpSI6BxWz/jASE=,iv:TCj9FCxgfMF2+PJejr67zgGnF+CFS+YeJiejnHbf7j0=,tag:s7r9SqxeqpAkncohYvIQ2Q==,type:str]",
 		"unencrypted_suffix": "_unencrypted",
-		"version": "3.10.2"
+		"version": "3.10.1"
 	}
 }

checks/dummy-inventory-test/vars/per-machine/admin1/dummy-generator/generated-password/secret

@@ -1,19 +1,19 @@
 {
-	"data": "ENC[AES256_GCM,data:T8edCvw=,iv:7/G5xt5fv38I9uFzk7WMIr9xQdz/6lFxqOC+18HBg8Q=,tag:F39Cxbgmzml+lZLsZ59Kmg==,type:str]",
+	"data": "ENC[AES256_GCM,data:bxM9aYMK,iv:SMNYtk9FSyZ1PIfEzayTKKdCnZWdhcyUEiTwFUNb988=,tag:qJYW4+VQyhF1tGPQPTKlOQ==,type:str]",
 	"sops": {
 		"age": [
 			{
-				"recipient": "age12yt078p9ewxy2sh0a36nxdpgglv8wqqftmj4dkj9rgy5fuyn4p0q5nje9m",
+				"recipient": "age1hd2exjq88h7538y6mvjvexx3u5gp6a03yfn5nj32h2667yyksyaqcuk5qs",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPNUhiYkZWK3dPMHNiRTVM\nRHNvaHFsOFp1c0UxQitwVG0zY01MNDZRV1E4CjEybENoTVIzN29vQ3FtUTRSYmFU\nNXIzQllVSllXRGN2M1B6WXJLdHZSajgKLS0tIDllZ0ZmZUcxMHhDQUpUOEdWbmkv\neUQweHArYTdFSmNteVpuQ3BKdnh0Y0UKs8Hm3D+rXRRfpUVSZM3zYjs6b9z8g10D\nGTkvreUMim4CS22pjdQ3eNA9TGeDXfWXE7XzwXLCb+wVcf7KwbDmvg==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvZDZYYXdpcXVqRFRnQ2Jx\nTFhFWEJTR290cHZhTXZadFFvcHM4MHVIN3lFCmJhOEZrL3g4TFBZVllxdDFZakJn\nR3NxdXo0eE8vTDh3QlhWOFpVZ0lNUHcKLS0tIEE4dkpCalNzaXJ0Qks3VHJSUzZF\nb2N3NGdjNHJnSUN6bW8welZ1VDdJakEKGKZ7nn1p11IyJB6DMxu2HJMvZ+0+5WpE\nPLWh2NlGJO3XrrL4Fw7xetwbqE+QUZPNl/JbEbu4KLIUGLjqk9JDhQ==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKSDhpT3cvck9PenZYVEZH\ndFQreVRBdG93L1dBUGlvYjFWcDlHWUJsZUVBCm9DMTJ4UytiYzlEVHNWdUcwS1ds\nT0dhbzAzNDdmbDBCU0dvL2xNeHpXcGsKLS0tIFArbmpsbzU3WnpJdUt1MGN0L1d0\nV1JkTDJYWUxsbmhTQVNOeVRaSUhTODQKk9Vph2eldS5nwuvVX0SCsxEm4B+sO76Z\ndIjJ3OQxzoZmXMaOOuKHC5U0Y75Qn7eXC43w5KHsl2CMIUYsBGJOZw==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHckJCQVFyb21aT1R0d2Rr\nMWxNMHVqcGxabHBmS0RibW9sN0gyZDI1b1dFCnRWUk5LSWdxV3c4RWVZdUtEN1Fv\nRk4xVmwwT2xrdWVERkJXUVVlVXJjTVUKLS0tIC9ERG9KMGxTNEsrbzFHUGRiVUlm\nRi9qakxoc1FOVVV1TkUrckwxRUVnajQKE8ms/np2NMswden3xkjdC8cXccASLOoN\nu+EaEk69UvBvnOg9VBjyPAraIKgNrTc4WWwz+DOBj1pCwVbu9XxUlA==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2025-05-04T12:44:14Z",
+		"lastmodified": "2025-04-09T15:10:30Z",
-		"mac": "ENC[AES256_GCM,data:6fKrS1eLLUWlHkQpxLFXBRk6f2wa5ADLMViVvYXXGU24ayl9UuNSKrCRHp9cbzhqhti3HdwyNt6TM+2X6qhiiAQanKEB2PF7JRYX74NfNKil9BEDjt5AqqtpSgVv5l7Ku/uSHaPkd2sDmzHsy5Q4bSGxJQokStk1kidrwle+mbc=,iv:I/Aad82L/TCxStM8d8IZICUrwdjRbGx2fuGWqexr21o=,tag:BfgRbGUxhPZzK2fLik1kxA==,type:str]",
+		"mac": "ENC[AES256_GCM,data:cIwWctUbAFI8TRMxYWy5xqlKDVLMqBIxVv4LInnLqi3AauL0rJ3Z7AxK/wb2dCQM07E1N7YaORNqgUpFC1xo0hObAA8mrPaToPotKDkjua0zuyTUNS1COoraYjZpI/LKwmik/qtk399LMhiC7aHs+IliT9Dd41B8LSMBXwdMldY=,iv:sZ+//BrYH5Ay2JJAGs7K+WfO2ASK82syDlilQjGmgFs=,tag:nY+Af9eQRLwkiHZe85dQ9A==,type:str]",
 		"unencrypted_suffix": "_unencrypted",
-		"version": "3.10.2"
+		"version": "3.10.1"
 	}
 }

checks/dummy-inventory-test/vars/per-machine/admin1/dummy-generator/host-id/value

@@ -1 +1 @@
-18650
+13898

checks/dummy-inventory-test/vars/per-machine/peer1/dummy-generator/generated-password/secret

@@ -1,19 +1,19 @@
 {
-	"data": "ENC[AES256_GCM,data:vp0yW0Gt,iv:FO2cy+UpEl5aRay/LUGu//c82QiVxuKuGSaVh0rGJvc=,tag:vf2RAOPpcRW0HwxHoGy17A==,type:str]",
+	"data": "ENC[AES256_GCM,data:ImlGIKxE,iv:UUWxjLNRKJCD2WHNpw8lfvCc8rnXPCqc2pni1ODckjE=,tag:HFCqiv31E9bShIIaAEjF0A==,type:str]",
 	"sops": {
 		"age": [
 			{
-				"recipient": "age12w2ld4vxfyf3hdq2d8la4cu0tye4pq97egvv3me4wary7xkdnq2snh0zx2",
+				"recipient": "age19urkt89q45a2wk6a4yaramzufjtnw6nq2snls0v7hmf7tqf73axsfx50tk",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjaFVNMEd2YUxpSm5XVVRi\nY2ZUc3NTOStJUFNMWWVPQTgxZ2tCK1QrMW1ZCjYwMlA4dkIzSlc0TGtvZjcyK3Bi\nM3pob2JOOFUyeVJ6M2JpaTRCZlc1R0kKLS0tIDJMb1dFcVRWckhwYWNCQng0RlFO\nTkw3OGt4dkFIZVY5aVEzZE5mMzJSM0EKUv8bUqg48L2FfYVUVlpXvyZvPye699of\nG6PcjLh1ZMbNCfnsCzr+P8Vdk/F4J/ifxL66lRGfu2xOLxwciwQ+5Q==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpTEROZjh6NjBhSlJSc1Av\nSHhjdkhwVUd3VzBZemhQb3dhMlJXalBmZlFjCkZPYkhZZGVOVTNjUWdFU0s4cWFn\nL2NXbkRCdUlMdElnK2lGbG5iV0w1cHMKLS0tIFREcmxDdHlUNVBFVGRVZSt0c0E5\nbnpHaW1Vb3R3ZFFnZVMxY3djSjJmOU0KIwqCSQf5S9oA59BXu7yC/V6yqvCh88pa\nYgmNyBjulytPh1aAfOuNWIGdIxBpcEf+gFjz3EiJY9Kft3fTmhp2bw==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnZ2dDbVhoQngxM3lTSmZF\nUTAwS1lCTGhEMU1GVXpFUzlIUFdqZy9LajF3Ck9mdVpBRjlyVUNhZXZIUFZjUzF1\nNlhFN28vNmwzcUVkNmlzUnpkWjJuZE0KLS0tIHpXVHVlNk9vU1ZPTGRrYStWbmRO\nbDM4U2o1SlEwYWtqOXBqd3BFUTAvMHcKkI8UVd0v+x+ELZ5CoGq9DzlA6DnVNU2r\nrV9wLfbFd7RHxS0/TYZh5tmU42nO3iMYA9FqERQXCtZgXS9KvfqHwQ==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArN3R4TThibjdYbE9TMDE1\naUhuNDlscExjaktIR2VmTk1OMWtVM0NpTUJZClJUNEcwVDlibExWQk84TTNEWFhp\nMjYyZStHc1N0ZTh1S3VTVk45WGxlWWMKLS0tIHFab25LY1R1d1l6NE5XbHJvQ3lj\nNGsxUldFVHQ5RVJERDlGbi9NY29hNWsKENBTcAS/R/dTGRYdaWv5Mc/YG4bkah5w\nb421ZMQF+r4CYnzUqnwivTG8TMRMqJLavfkutE6ZUfJbbLufrTk5Lw==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2025-05-04T12:44:18Z",
+		"lastmodified": "2025-04-09T15:11:04Z",
-		"mac": "ENC[AES256_GCM,data:1ZZ+ZI1JsHmxTov1bRijfol3kTkyheg2o3ivLsMHRhCmScsUry97hQJchF78+y2Izt7avaQEHYn6pVbYt/0rLrSYD7Ru7ITVxXoYHOiN5Qb98masUzpibZjrdyg5nO+LW5/Hmmwsc3yn/+o3IH1AUYpsxlJRdnHHCmoSOFaiFFM=,iv:OQlgmpOTw4ljujNzqwQ5/0Mz8pQpCSUtqRvj3FJAxDs=,tag:foZvdeW7gK9ZVKkWqnlxGA==,type:str]",
+		"mac": "ENC[AES256_GCM,data:JdJzocQZWVprOmZ4Ni04k1tpD1TpFcK5neKy3+0/c3+uPBwjwaMayISKRaa/ILUXlalg60oTqxB4fUFoYVm8KGQVhDwPhO/T1hyYVQqidonrcYfJfCYg00mVSREV/AWqXb7RTnaEBfrdnRJvaAQF9g2qDXGVgzp3eACdlItclv4=,iv:nOw1jQjIWHWwU3SiKpuQgMKXyu8MZYI+zI9UYYd9fCI=,tag:ewUkemIPm/5PkmuUD0EcAQ==,type:str]",
 		"unencrypted_suffix": "_unencrypted",
-		"version": "3.10.2"
+		"version": "3.10.1"
 	}
 }

checks/dummy-inventory-test/vars/per-machine/peer1/dummy-generator/host-id/value

@@ -1 +1 @@
-6745
+30661

checks/dummy-inventory-test/vars/per-machine/peer1/new-service/a-secret/machines/peer1

@@ -1 +0,0 @@
-../../../../../../sops/machines/peer1

checks/dummy-inventory-test/vars/per-machine/peer1/new-service/a-secret/secret

@@ -1,19 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:prFl0EJy8bM=,iv:zITWxf+6Ebk0iB5vhhd7SBQa1HFrIJXm8xpSM+D9I0M=,tag:NZCRMCs1SzNKLBu/KUDKMQ==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age12w2ld4vxfyf3hdq2d8la4cu0tye4pq97egvv3me4wary7xkdnq2snh0zx2",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0S0RZRWxaZVZvTUhjdWVL\naU9WZmtEcm1qa2JsRmdvdmZmNENMaWFEVUFRCmdoVnRXSGlpRlFjNmVVbDJ5VnFT\nMnVJUlVnM3lxNmZCRTdoRVJ4NW1oYWcKLS0tIFFNbXBFUk1RWnlUTW1SeG1vYzlM\nVVpEclFVOE9PWWQxVkZ0eEgwWndoRWcKDAOHe+FIxqGsc6LhxMy164qjwG6t2Ei2\nP0FSs+bcKMDpudxeuxCjnDm/VoLxOWeuqkB+9K2vSm2W/c/fHTSbrA==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2VU5jOEpwYUtDVEVFcVpU\nQkExTVZ3ejZHcGo5TG8zdUQwNktoV09WdUZvCmQ0dE1TOWRFbTlxdVd4WWRxd3VF\nQUNTTkNNT3NKYjQ5dEJDY0xVZ3pZVUUKLS0tIDFjajRZNFJZUTdNeS8yN05FMFZU\ncEtjRjhRbGE0MnRLdk10NkFLMkxqencKGzJ66dHluIghH04RV/FccfEQP07yqnfb\n25Hi0XIVJfXBwje4UEyszrWTxPPwVXdQDQmoNKf76Qy2jYqJ56uksw==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-05-04T12:44:20Z",
-		"mac": "ENC[AES256_GCM,data:FIkilsni5kOdNlVwDuLsQ/zExypHRWdqIBQDNWMLTwe8OrsNPkX+KYutUvt9GaSoGv4iDULaMRoizO/OZUNfc2d8XYSdj0cxOG1Joov4GPUcC/UGyNuQneAejZBKolvlnidKZArofnuK9g+lOTANEUtEXUTnx8L+VahqPZayQas=,iv:NAo6sT3L8OOB3wv1pjr3RY2FwXgVmZ4N0F4BEX4YPUY=,tag:zHwmXygyvkdpASZCodQT9Q==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.10.2"
-	}
-}

checks/dummy-inventory-test/vars/per-machine/peer1/new-service/a-secret/users/admin

@@ -1 +0,0 @@
-../../../../../../sops/users/admin

checks/dummy-inventory-test/vars/per-machine/peer1/new-service/hello/value

@@ -0,0 +1 @@
+This is a dummy script

checks/dummy-inventory-test/vars/per-machine/peer1/new-service/not-a-secret/value

@@ -1 +0,0 @@
-not-a-secret

checks/flake-module.nix

@@ -4,7 +4,6 @@ let
     filter
     pathExists
     ;
-  nixosLib = import (self.inputs.nixpkgs + "/nixos/lib") { };
 in
 {
   imports = filter pathExists [
@@ -15,14 +14,13 @@ in
     ./installation/flake-module.nix
     ./morph/flake-module.nix
     ./nixos-documentation/flake-module.nix
-    ./dont-depend-on-repo-root.nix
+    ./sanity-checks/dont-depend-on-repo-root.nix
   ];
   perSystem =
     {
       pkgs,
       lib,
       self',
-      system,
       ...
     }:
     {
@@ -30,18 +28,18 @@ in
         let
           nixosTestArgs = {
             # reference to nixpkgs for the current system
-            inherit pkgs lib nixosLib;
+            inherit pkgs lib;
             # this gives us a reference to our flake but also all flake inputs
             inherit self;
             inherit (self) clanLib;
-            clan-core = self;
           };
-          nixosTests =
+          nixosTests = lib.optionalAttrs (pkgs.stdenv.isLinux) {
-            lib.optionalAttrs (pkgs.stdenv.isLinux) {
+            # Deltachat is currently marked as broken
+            # deltachat = import ./deltachat nixosTestArgs;
 
             # Base Tests
             secrets = self.clanLib.test.baseTest ./secrets nixosTestArgs;
-              borgbackup-legacy = self.clanLib.test.baseTest ./borgbackup-legacy nixosTestArgs;
+            borgbackup = self.clanLib.test.baseTest ./borgbackup nixosTestArgs;
             wayland-proxy-virtwl = self.clanLib.test.baseTest ./wayland-proxy-virtwl nixosTestArgs;
 
             # Container Tests
@@ -50,14 +48,11 @@ in
             matrix-synapse = self.clanLib.test.containerTest ./matrix-synapse nixosTestArgs;
             postgresql = self.clanLib.test.containerTest ./postgresql nixosTestArgs;
 
-              dummy-inventory-test = import ./dummy-inventory-test nixosTestArgs;
+            # Clan Tests
-              dummy-inventory-test-from-flake = import ./dummy-inventory-test-from-flake nixosTestArgs;
-              data-mesher = import ./data-mesher nixosTestArgs;
-            }
-            // lib.optionalAttrs (pkgs.stdenv.hostPlatform.system == "aarch64-linux") {
-              # for some reason this hangs in an odd place in CI, but it works on my machine ...
-              # on aarch64-linux it works though
             mumble = import ./mumble nixosTestArgs;
+            dummy-inventory-test = import ./dummy-inventory-test nixosTestArgs;
+            data-mesher = import ./data-mesher nixosTestArgs;
+            syncthing = import ./syncthing nixosTestArgs;
           };
 
           packagesToBuild = lib.removeAttrs self'.packages [
@@ -88,10 +83,7 @@ in
                   schema =
                     (self.clanLib.inventory.evalClanService {
                       modules = [ m ];
-                      prefix = [
+                      key = "checks";
-                        "checks"
-                        system
-                      ];
                     }).config.result.api.schema;
                 in
                 schema
@@ -105,12 +97,6 @@ in
                 mkdir -p $out
                 cat $schemaFile > $out/allSchemas.json
               '';
-
-          clan-core-for-checks = pkgs.runCommand "clan-core-for-checks" { } ''
-            cp -r ${pkgs.callPackage ./clan-core-for-checks.nix { }} $out
-            chmod +w $out/flake.lock
-            cp ${../flake.lock} $out/flake.lock
-          '';
         };
       legacyPackages = {
         nixosTests =

checks/flash/flake-module.nix

@@ -43,7 +43,6 @@
     let
       dependencies = [
         pkgs.disko
-        pkgs.buildPackages.xorg.lndir
         self.nixosConfigurations."test-flash-machine-${pkgs.hostPlatform.system}".pkgs.perlPackages.ConfigIniFiles
         self.nixosConfigurations."test-flash-machine-${pkgs.hostPlatform.system}".pkgs.perlPackages.FileSlurp
 
@@ -81,7 +80,7 @@
 
             # Some distros like to automount disks with spaces
             machine.succeed('mkdir -p "/mnt/with spaces" && mkfs.ext4 /dev/vdb && mount /dev/vdb "/mnt/with spaces"')
-            machine.succeed("clan flash write --debug --flake ${self.checks.x86_64-linux.clan-core-for-checks} --yes --disk main /dev/vdb test-flash-machine-${pkgs.hostPlatform.system}")
+            machine.succeed("clan flash write --debug --flake ${../..} --yes --disk main /dev/vdb test-flash-machine-${pkgs.hostPlatform.system}")
           '';
         } { inherit pkgs self; };
       };

checks/installation/flake-module.nix

@@ -15,7 +15,6 @@ let
         pkgs.bash.drvPath
         pkgs.nixos-anywhere
         pkgs.bubblewrap
-        pkgs.buildPackages.xorg.lndir
       ] ++ builtins.map (i: i.outPath) (builtins.attrValues self.inputs);
       closureInfo = pkgs.closureInfo { rootPaths = dependencies; };
     in
@@ -198,7 +197,7 @@ in
             installer.succeed("${pkgs.coreutils}/bin/install -Dm 600 ${../assets/ssh/privkey} /root/.ssh/id_ed25519")
 
             installer.wait_until_succeeds("timeout 2 ssh -o StrictHostKeyChecking=accept-new -v nonrootuser@localhost hostname")
-            installer.succeed("cp -r ${self.checks.x86_64-linux.clan-core-for-checks} test-flake && chmod -R +w test-flake")
+            installer.succeed("cp -r ${../..} test-flake && chmod -R +w test-flake")
 
             installer.succeed("clan machines install --no-reboot --debug --flake test-flake --yes test-install-machine-without-system --target-host nonrootuser@localhost --update-hardware-config nixos-facter >&2")
             installer.shutdown()
@@ -218,7 +217,7 @@ in
             installer.start()
             installer.succeed("${pkgs.coreutils}/bin/install -Dm 600 ${../assets/ssh/privkey} /root/.ssh/id_ed25519")
             installer.wait_until_succeeds("timeout 2 ssh -o StrictHostKeyChecking=accept-new -v nonrootuser@localhost hostname")
-            installer.succeed("cp -r ${self.checks.x86_64-linux.clan-core-for-checks} test-flake && chmod -R +w test-flake")
+            installer.succeed("cp -r ${../..} test-flake && chmod -R +w test-flake")
             installer.fail("test -f test-flake/machines/test-install-machine/hardware-configuration.nix")
             installer.fail("test -f test-flake/machines/test-install-machine/facter.json")
 

checks/morph/flake-module.nix

@@ -32,6 +32,7 @@
               { pkgs, ... }:
               let
                 dependencies = [
+                  self
                   pkgs.stdenv.drvPath
                   pkgs.stdenvNoCC
                   self.nixosConfigurations.test-morph-machine.config.system.build.toplevel
@@ -54,7 +55,7 @@
           testScript = ''
             start_all()
             actual.fail("cat /etc/testfile")
-            actual.succeed("env CLAN_DIR=${self.checks.x86_64-linux.clan-core-for-checks} clan machines morph test-morph-template --i-will-be-fired-for-using-this --debug --name test-morph-machine")
+            actual.succeed("env CLAN_DIR=${self} clan machines morph test-morph-template --i-will-be-fired-for-using-this --debug --name test-morph-machine")
             assert actual.succeed("cat /etc/testfile") == "morphed"
           '';
         } { inherit pkgs self; };

checks/mumble/default.nix

@@ -1,28 +1,17 @@
 {
   pkgs,
-  nixosLib,
+  self,
-  clan-core,
+  clanLib,
-  lib,
   ...
 }:
-nixosLib.runTest (
+clanLib.test.makeTestClan {
-  { ... }:
+  inherit pkgs self;
+  # TODO: container driver does not support: sleep, wait_for_window, send_chars, wait_for_text
+  useContainers = false;
+  nixosTest = (
+    { lib, ... }:
     let
-    machines = [
+      common =
-      "peer1"
-      "peer2"
-    ];
-  in
-  {
-    imports = [
-      clan-core.modules.nixosVmTest.clanTest
-    ];
-
-    hostPkgs = pkgs;
-
-    name = "mumble";
-
-    defaults =
         { pkgs, modulesPath, ... }:
         {
           imports = [
@@ -32,11 +21,16 @@ nixosLib.runTest (
           clan.services.mumble.user = "alice";
           environment.systemPackages = [ pkgs.killall ];
         };
+      machines = [
+        "peer1"
+        "peer2"
+      ];
+    in
+    {
+      name = "mumble";
 
       clan = {
         directory = ./.;
-      # TODO: container driver does not support: sleep, wait_for_window, send_chars, wait_for_text
-      test.useContainers = false;
         inventory = {
           machines = lib.genAttrs machines (_: { });
           services = {
@@ -49,21 +43,10 @@ nixosLib.runTest (
 
       enableOCR = true;
 
+      nodes.peer1 = common;
+      nodes.peer2 = common;
+
       testScript = ''
-      import time
-      import re
-
-
-      def machine_has_text(machine: Machine, regex: str) -> bool:
-          variants = machine.get_screen_text_variants()
-          # for debugging
-          # machine.screenshot(f"/tmp/{machine.name}.png")
-          for text in variants:
-              print(f"Expecting '{regex}' in '{text}'")
-              if re.search(regex, text) is not None:
-                  return True
-          return False
-
         start_all()
 
         with subtest("Waiting for x"):
@@ -80,53 +63,42 @@ nixosLib.runTest (
           peer2.execute("mumble >&2 &")
 
         with subtest("Wait for Mumble"):
-        peer1.wait_for_window(r"Mumble")
+          peer1.wait_for_window(r"^Mumble$")
-        peer2.wait_for_window(r"Mumble")
+          peer2.wait_for_window(r"^Mumble$")
 
         with subtest("Wait for certificate creation"):
-        peer1.wait_for_window(r"Mumble")
+          peer1.wait_for_window(r"^Mumble$")
-        peer2.wait_for_window(r"Mumble")
+          peer1.sleep(3) # mumble is slow to register handlers
+          peer1.send_chars("\n")
+          peer1.send_chars("\n")
+          peer2.wait_for_window(r"^Mumble$")
+          peer2.sleep(3) # mumble is slow to register handlers
+          peer2.send_chars("\n")
+          peer2.send_chars("\n")
 
-        for i in range(20):
+        with subtest("Wait for server connect"):
-          time.sleep(1)
+          peer1.wait_for_window(r"^Mumble Server Connect$")
-          peer1.send_chars("\n")
+          peer2.wait_for_window(r"^Mumble Server Connect$")
-          peer1.send_chars("\n")
-          peer2.send_chars("\n")
-          peer2.send_chars("\n")
-          if machine_has_text(peer1, r"Mumble Server Connect") and \
-              machine_has_text(peer2, r"Mumble Server Connect"):
-            break
-        else:
-          raise Exception("Timeout waiting for certificate creation")
 
         with subtest("Check validity of server certificates"):
           peer1.execute("killall .mumble-wrapped")
           peer1.sleep(1)
           peer1.execute("mumble mumble://peer2 >&2 &")
-        peer1.wait_for_window(r"Mumble")
+          peer1.wait_for_window(r"^Mumble$")
-
+          peer1.sleep(3) # mumble is slow to register handlers
-        for i in range(20):
-          time.sleep(1)
           peer1.send_chars("\n")
           peer1.send_chars("\n")
-          if machine_has_text(peer1, "Connected."):
+          peer1.wait_for_text("Connected.")
-            break
-        else:
-          raise Exception("Timeout waiting for certificate creation")
 
           peer2.execute("killall .mumble-wrapped")
           peer2.sleep(1)
           peer2.execute("mumble mumble://peer1 >&2 &")
-        peer2.wait_for_window(r"Mumble")
+          peer2.wait_for_window(r"^Mumble$")
-
+          peer2.sleep(3) # mumble is slow to register handlers
-        for i in range(20):
-          time.sleep(1)
           peer2.send_chars("\n")
           peer2.send_chars("\n")
-          if machine_has_text(peer2, "Connected."):
+          peer2.wait_for_text("Connected.")
-            break
-        else:
-          raise Exception("Timeout waiting for certificate creation")
       '';
     }
-)
+  );
+}

checks/mycelium/default.nix

@@ -1,53 +0,0 @@
-{
-  pkgs,
-  nixosLib,
-  clan-core,
-  ...
-}:
-nixosLib.runTest (
-  { ... }:
-  {
-    imports = [
-      clan-core.modules.nixosVmTest.clanTest
-    ];
-
-    hostPkgs = pkgs;
-
-    name = "mycelium";
-
-    clan = {
-
-      test.useContainers = false;
-      directory = ./.;
-      modules."@clan/mycelium" = ../../clanServices/mycelium/default.nix;
-      inventory = {
-        machines.server = { };
-
-        instances = {
-          mycelium-test = {
-            module.name = "@clan/mycelium";
-            roles.peer.machines."server".settings = {
-              openFirewall = true;
-              addHostedPublicNodes = true;
-            };
-          };
-        };
-      };
-    };
-
-    nodes = {
-      server = { };
-    };
-
-    testScript = ''
-      start_all()
-
-      # Check that mycelium service is running
-      server.wait_for_unit("mycelium")
-      server.succeed("systemctl status mycelium")
-
-      # Check that mycelium is listening on its default port
-      server.wait_until_succeeds("${pkgs.iproute2}/bin/ss -tulpn | grep -q 'mycelium'", 10)
-    '';
-  }
-)

checks/mycelium/sops/machines/server/key.json

@@ -1,6 +0,0 @@
-[
-  {
-    "publickey": "age122lc4fvw2p22gcvwqeme5k49qxtjanqkl2xvr6qvf3r0zyh7scuqz28cam",
-    "type": "age"
-  }
-]

checks/mycelium/sops/secrets/server-age.key/secret

@@ -1,15 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:hLJS+CJllYM50KxKuiYamxBLGd9lwoeIFapP9mZAlVGH5DSenylcKUfsphxafASoB516qns2DznBoS9mWqg9uTsRZjk4WlR3x6A=,iv:uRiIpUKIiV3riNcBAWUqhZbE+Vb7lLMfU0C/TClVZ6M=,tag:4+nsMssiSyq9Iv7sDuWmoQ==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPUWFOMzluRmdOQXBmRjRN\ncXNSUlB5Z0t6dWYxNVkvMmhrN1FDdmxHcTNJCkhPL3BYMFFXMmU5ZGRqOC9KWEgv\nSHB5OUJqTk5Dd0tDTks1R1ZhYktrLzgKLS0tIHJIMlFRVWphZXlISmR3VUJKUjNk\ndWF4eCt6UHBrSndBay95RVJ3dldiaFkKCgYqrt0aCGRTaHycBoeqv/zeByu2ZZ3Z\nVfgxnD9liIQkS2wERbpk0/Yq9wkKgVxj+DZoWwHYhP0eKCw2UOorCA==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-06-04T11:54:59Z",
-		"mac": "ENC[AES256_GCM,data:xoeOz7FRCPJ18UTsfbY1x/N65pxbTsehT9Kv3MgEd6NQJn6FTvquaj3HEZ0KvIzStBz1FNOhSql9CZUFc4StYps05EbX61MMMnz6Nlj3xcTwuVQFabGoinxcXbCDSA+tAW7VqzVxumj6FMDg+r77gdcIApZjGJg4Z9ws2RZd3u4=,iv:U8IUDwmfg8Umob9mtKgGaKoIY4SKNL895BABJxzx5n8=,tag:tnMCx6D/17ZYgI6SgNS29A==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.10.2"
-	}
-}

checks/mycelium/sops/secrets/server-age.key/users/admin

@@ -1 +0,0 @@
-../../../users/admin

checks/mycelium/sops/users/admin/key.json

@@ -1,4 +0,0 @@
-{
-  "publickey": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
-  "type": "age"
-}

checks/mycelium/vars/per-machine/server/mycelium/ip/value

@@ -1 +0,0 @@
-52d:87c1:4222:b550:ee01:a7ae:254:5a66

checks/mycelium/vars/per-machine/server/mycelium/key/machines/server

@@ -1 +0,0 @@
-../../../../../../sops/machines/server

checks/mycelium/vars/per-machine/server/mycelium/key/secret

@@ -1,19 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:DGzl2G4H+NkwXq0fCUQS0+8FG1x9xoIsYvAgUxP4Qp8=,iv:CXOJVgYNthVOZ4vbdI3n4KLXSFVemzaoEnRGMC+m0i8=,tag:/u+pV3xWpUq0ZtAm6LKuGQ==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age122lc4fvw2p22gcvwqeme5k49qxtjanqkl2xvr6qvf3r0zyh7scuqz28cam",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZZHZjdXMwclBTeGthcGpM\nV1ArVy83akNHNEpXVFhoR1FWNlJUeHNKTW00CjJFTFZneFNrL0hDMXJpaTQ2M1ln\nTmdPMGhzeUp0NU55QnhCZEU2QVk1OG8KLS0tIDFhQmJhOHJsTjhYNEhITEw0WFgy\nWC9pTi9od0wyMWtZRVZJYWo0Nmo5SHMKDohnAAfrnGOiw55huMme2EEWE53N/feS\nutvbiTZh1ECHCi/uoK757fjnJ/WrQMSxUpctT9I8bpJRtbTqkx3XRw==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZeTZENGFpWndDbmdsWDRw\nMTBCVXg5Zkg2a2s5Yk1HSERIVlVQRXdUSUNnCnREbno0dEN0ZEgvOFNMRG1ReGx4\na0h1YUFuMkxBZXJUTE9xOUVUMitEalkKLS0tIFZMZ21qclRqUFR0dlAyMFkzdUNX\nNjRLTWVRVWtHSDlDakEzMmpRVWkyc0EKabm8mTKJVxQNTaIgU+8rb/xk9Dpg+Zjz\nb+wgD0+TlARlenMtIub8Y6N06ENOc20oovylfu+g7xV+EkvRPCd6tA==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-06-04T11:55:02Z",
-		"mac": "ENC[AES256_GCM,data:UIBaD/3mACgFzkajkFXz3oKai8IxpYQriR2t0mc5fL92P5ECloxCobY386TDZYOEVrDJ45Bw+IzqZbsCx/G9f1xCCTR2JvqygxYIsK3TpQPsboJzb9Cz3dBNBCXGboVykcg/NobEMaJBw1xtdAQBhuo8S7ymIuOPtGz0vPFJkf8=,iv:g0YAOBsRpgAOikKDMJDyOtcVx+0QwetfA8R6wQFH7lY=,tag:sfdFLjtiqFHdP/Qe1suBBQ==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.10.2"
-	}
-}

checks/mycelium/vars/per-machine/server/mycelium/key/users/admin

@@ -1 +0,0 @@
-../../../../../../sops/users/admin

checks/mycelium/vars/per-machine/server/mycelium/pubkey/value

@@ -1 +0,0 @@
-2125c6b039374467eaa3eaf552bd3e97f434d16006433cfbba3e6823c958b728

checks/syncthing/default.nix

@@ -1,25 +1,20 @@
 {
   pkgs,
-  nixosLib,
+  self,
-  clan-core,
+  clanLib,
-  lib,
   ...
 }:
-nixosLib.runTest (
+clanLib.test.makeTestClan {
-  { ... }:
+  inherit pkgs self;
+  # TODO: container driver does not support wait_for_file() yet
+  useContainers = false;
+  nixosTest = (
+    { lib, ... }:
     {
-    imports = [
-      clan-core.modules.nixosVmTest.clanTest
-    ];
-
-    hostPkgs = pkgs;
-
       name = "syncthing";
 
       clan = {
         directory = ./.;
-      # TODO: container driver does not support wait_for_file() yet
-      test.useContainers = false;
         inventory = {
           machines = lib.genAttrs [
             "introducer"
@@ -84,4 +79,5 @@ nixosLib.runTest (
         assert "hello" in out
       '';
     }
-)
+  );
+}

clanModules/admin/README.md

@@ -1,5 +1,5 @@
 ---
 description = "Convenient Administration for the Clan App"
 categories = ["Utility"]
-features = [ "inventory", "deprecated" ]
+features = [ "inventory" ]
 ---

clanModules/admin/default.nix

@@ -1,3 +1,6 @@
+# Dont import this file
+# It is only here for backwards compatibility.
+# Dont author new modules with this file.
 {
   imports = [ ./roles/default.nix ];
 }

clanModules/admin/roles/default.nix

@@ -1,6 +1,5 @@
 { lib, config, ... }:
 {
-
   options.clan.admin = {
     allowedKeys = lib.mkOption {
       default = { };

clanModules/auto-upgrade/README.md

@@ -1,7 +1,7 @@
 ---
 description = "Set up automatic upgrades"
 categories = ["System"]
-features = [ "inventory", "deprecated" ]
+features = [ "inventory" ]
 ---
 
 Whether to periodically upgrade NixOS to the latest version. If enabled, a

clanModules/borgbackup-static/README.md

@@ -4,7 +4,7 @@ description = "Statically configure borgbackup with sane defaults."
 !!! Danger "Deprecated"
     Use [borgbackup](borgbackup.md) instead.
 
-    Don't use borgbackup-static through [inventory](../../guides/inventory.md).
+    Don't use borgbackup-static through [inventory](../../manual/inventory.md).
 
 This module implements the `borgbackup` backend and implements sane defaults
 for backup management through `borgbackup` for members of the clan.

clanModules/borgbackup/README.md

@@ -1,7 +1,7 @@
 ---
 description = "Efficient, deduplicating backup program with optional compression and secure encryption."
 categories = ["System"]
-features = [ "inventory", "deprecated" ]
+features = [ "inventory" ]
 ---
 BorgBackup (short: Borg) gives you:
 

clanModules/borgbackup/roles/client.nix

@@ -106,8 +106,7 @@ in
     systemd.services = lib.mapAttrs' (
       _: dest:
       lib.nameValuePair "borgbackup-job-${dest.name}" {
-        # since borgbackup mounts the system read-only, we need to run in a
+        # since borgbackup mounts the system read-only, we need to run in a ExecStartPre script, so we can generate additional files.
-        # ExecStartPre script, so we can generate additional files.
         serviceConfig.ExecStartPre = [
           ''+${pkgs.writeShellScript "borgbackup-job-${dest.name}-pre-backup-commands" preBackupScript}''
         ];

clanModules/borgbackup/roles/server.nix

@@ -45,7 +45,7 @@ in
         else
           lib.warn ''
             Machine ${machine} does not have a borgbackup key at ${fullPath},
-            run `clan vars generate ${machine}` to generate it.
+            run `clan var generate ${machine}` to generate it.
           '' null
       ) allClients;
 

clanModules/data-mesher/shared.nix

@@ -12,16 +12,13 @@ let
   # currently only supports zerotier
   defaultBootstrapNodes = builtins.foldl' (
     urls: name:
+    if
+      builtins.pathExists "${config.clan.core.settings.directory}/vars/per-machine/${name}/zerotier/zerotier-ip/value"
+    then
       let
-
+        ip = builtins.readFile "${config.clan.core.settings.directory}/vars/per-machine/${name}/zerotier/zerotier-ip/value";
-      ipPath = "${config.clan.core.settings.directory}/vars/per-machine/${name}/zerotier/zerotier-ip/value";
-
       in
-    if builtins.pathExists ipPath then
+      urls ++ "${ip}:${cfg.network.port}"
-      let
-        ip = builtins.readFile ipPath;
-      in
-      urls ++ [ "[${ip}]:${builtins.toString cfg.network.port}" ]
     else
       urls
   ) [ ] (dmLib.machines config).bootstrap;
@@ -90,8 +87,7 @@ in
           push_pull_interval = "30s";
 
           interface = cfg.network.interface;
-
+          bootstrap_nodes = cfg.bootstrapNodes or defaultBootstrapNodes;
-          bootstrap_nodes = if cfg.bootstrapNodes == null then defaultBootstrapNodes else cfg.bootstrapNodes;
         };
 
         http.port = 7331;
@@ -109,7 +105,10 @@ in
           private_key = {
             inherit owner;
           };
-          public_key.secret = false;
+          public_key = {
+            inherit owner;
+            secret = false;
+          };
         };
 
       runtimeInputs = [
@@ -135,7 +134,10 @@ in
           private_key = {
             inherit owner;
           };
-          public_key.secret = false;
+          public_key = {
+            inherit owner;
+            secret = false;
+          };
         };
 
       runtimeInputs = [

clanModules/deltachat/README.md

@@ -1,7 +1,5 @@
 ---
 description = "Email-based instant messaging for Desktop."
-categories = ["Social"]
-features = [ "inventory", "deprecated" ]
 ---
 
 !!! info

clanModules/deltachat/default.nix

@@ -1,3 +1,143 @@
+{ config, pkgs, ... }:
 {
-  imports = [ ./roles/default.nix ];
+  networking.firewall.interfaces."zt+".allowedTCPPorts = [ 25 ]; # smtp with other hosts
+  environment.systemPackages = [ pkgs.deltachat-desktop ];
+
+  services.maddy =
+    let
+      domain = "${config.clan.core.settings.machine.name}.local";
+    in
+    {
+      enable = true;
+      primaryDomain = domain;
+      config = ''
+        # Minimal configuration with TLS disabled, adapted from upstream example
+        # configuration here https://github.com/foxcpp/maddy/blob/master/maddy.conf
+        # Do not use this in unencrypted networks!
+
+        auth.pass_table local_authdb {
+          table sql_table {
+            driver sqlite3
+            dsn credentials.db
+            table_name passwords
+          }
+        }
+
+        storage.imapsql local_mailboxes {
+          driver sqlite3
+          dsn imapsql.db
+        }
+
+        table.chain local_rewrites {
+          optional_step regexp "(.+)\+(.+)@(.+)" "$1@$3"
+          optional_step static {
+            entry postmaster postmaster@$(primary_domain)
+          }
+          optional_step file /etc/maddy/aliases
+        }
+
+        msgpipeline local_routing {
+          destination postmaster $(local_domains) {
+            modify {
+              replace_rcpt &local_rewrites
+            }
+            deliver_to &local_mailboxes
+          }
+          default_destination {
+            reject 550 5.1.1 "User doesn't exist"
+          }
+        }
+
+        smtp tcp://[::]:25 {
+          limits {
+            all rate 20 1s
+            all concurrency 10
+          }
+          dmarc yes
+          check {
+            require_mx_record
+            dkim
+            spf
+          }
+          source $(local_domains) {
+            reject 501 5.1.8 "Use Submission for outgoing SMTP"
+          }
+          default_source {
+            destination postmaster $(local_domains) {
+              deliver_to &local_routing
+            }
+            default_destination {
+              reject 550 5.1.1 "User doesn't exist"
+            }
+          }
+        }
+
+        submission tcp://[::1]:587 {
+          limits {
+            all rate 50 1s
+          }
+          auth &local_authdb
+          source $(local_domains) {
+            check {
+                authorize_sender {
+                    prepare_email &local_rewrites
+                    user_to_email identity
+                }
+            }
+            destination postmaster $(local_domains) {
+                deliver_to &local_routing
+            }
+            default_destination {
+                modify {
+                    dkim $(primary_domain) $(local_domains) default
+                }
+                deliver_to &remote_queue
+            }
+          }
+          default_source {
+            reject 501 5.1.8 "Non-local sender domain"
+          }
+        }
+
+        target.remote outbound_delivery {
+          limits {
+            destination rate 20 1s
+            destination concurrency 10
+          }
+          mx_auth {
+            dane
+            mtasts {
+              cache fs
+              fs_dir mtasts_cache/
+            }
+            local_policy {
+                min_tls_level encrypted
+                min_mx_level none
+            }
+          }
+        }
+
+        target.queue remote_queue {
+          target &outbound_delivery
+          autogenerated_msg_domain $(primary_domain)
+          bounce {
+            destination postmaster $(local_domains) {
+              deliver_to &local_routing
+            }
+            default_destination {
+                reject 550 5.0.0 "Refusing to send DSNs to non-local addresses"
+            }
+          }
+        }
+
+        imap tcp://[::1]:143 {
+          auth &local_authdb
+          storage &local_mailboxes
+        }
+      '';
+      ensureAccounts = [ "user@${domain}" ];
+      ensureCredentials = {
+        "user@${domain}".passwordFile = pkgs.writeText "dummy" "foobar";
+      };
+    };
 }

clanModules/deltachat/roles/default.nix

@@ -1,143 +0,0 @@
-{ config, pkgs, ... }:
-{
-  networking.firewall.interfaces."zt+".allowedTCPPorts = [ 25 ]; # smtp with other hosts
-  environment.systemPackages = [ pkgs.deltachat-desktop ];
-
-  services.maddy =
-    let
-      domain = "${config.clan.core.settings.machine.name}.local";
-    in
-    {
-      enable = true;
-      primaryDomain = domain;
-      config = ''
-        # Minimal configuration with TLS disabled, adapted from upstream example
-        # configuration here https://github.com/foxcpp/maddy/blob/master/maddy.conf
-        # Do not use this in unencrypted networks!
-
-        auth.pass_table local_authdb {
-          table sql_table {
-            driver sqlite3
-            dsn credentials.db
-            table_name passwords
-          }
-        }
-
-        storage.imapsql local_mailboxes {
-          driver sqlite3
-          dsn imapsql.db
-        }
-
-        table.chain local_rewrites {
-          optional_step regexp "(.+)\+(.+)@(.+)" "$1@$3"
-          optional_step static {
-            entry postmaster postmaster@$(primary_domain)
-          }
-          optional_step file /etc/maddy/aliases
-        }
-
-        msgpipeline local_routing {
-          destination postmaster $(local_domains) {
-            modify {
-              replace_rcpt &local_rewrites
-            }
-            deliver_to &local_mailboxes
-          }
-          default_destination {
-            reject 550 5.1.1 "User doesn't exist"
-          }
-        }
-
-        smtp tcp://[::]:25 {
-          limits {
-            all rate 20 1s
-            all concurrency 10
-          }
-          dmarc yes
-          check {
-            require_mx_record
-            dkim
-            spf
-          }
-          source $(local_domains) {
-            reject 501 5.1.8 "Use Submission for outgoing SMTP"
-          }
-          default_source {
-            destination postmaster $(local_domains) {
-              deliver_to &local_routing
-            }
-            default_destination {
-              reject 550 5.1.1 "User doesn't exist"
-            }
-          }
-        }
-
-        submission tcp://[::1]:587 {
-          limits {
-            all rate 50 1s
-          }
-          auth &local_authdb
-          source $(local_domains) {
-            check {
-                authorize_sender {
-                    prepare_email &local_rewrites
-                    user_to_email identity
-                }
-            }
-            destination postmaster $(local_domains) {
-                deliver_to &local_routing
-            }
-            default_destination {
-                modify {
-                    dkim $(primary_domain) $(local_domains) default
-                }
-                deliver_to &remote_queue
-            }
-          }
-          default_source {
-            reject 501 5.1.8 "Non-local sender domain"
-          }
-        }
-
-        target.remote outbound_delivery {
-          limits {
-            destination rate 20 1s
-            destination concurrency 10
-          }
-          mx_auth {
-            dane
-            mtasts {
-              cache fs
-              fs_dir mtasts_cache/
-            }
-            local_policy {
-                min_tls_level encrypted
-                min_mx_level none
-            }
-          }
-        }
-
-        target.queue remote_queue {
-          target &outbound_delivery
-          autogenerated_msg_domain $(primary_domain)
-          bounce {
-            destination postmaster $(local_domains) {
-              deliver_to &local_routing
-            }
-            default_destination {
-                reject 550 5.0.0 "Refusing to send DSNs to non-local addresses"
-            }
-          }
-        }
-
-        imap tcp://[::1]:143 {
-          auth &local_authdb
-          storage &local_mailboxes
-        }
-      '';
-      ensureAccounts = [ "user@${domain}" ];
-      ensureCredentials = {
-        "user@${domain}".passwordFile = pkgs.writeText "dummy" "foobar";
-      };
-    };
-}

clanModules/ergochat/README.md

@@ -1,5 +1,3 @@
 ---
 description = "A modern IRC server"
-categories = ["Social"]
-features = [ "inventory", "deprecated" ]
 ---

clanModules/ergochat/default.nix

@@ -1,3 +1,14 @@
-{
+_: {
-  imports = [ ./roles/default.nix ];
+  services.ergochat = {
+    enable = true;
+
+    settings = {
+      datastore = {
+        autoupgrade = true;
+        path = "/var/lib/ergo/ircd.db";
+      };
+    };
+  };
+
+  clan.core.state.ergochat.folders = [ "/var/lib/ergo" ];
 }

clanModules/ergochat/roles/default.nix

@@ -1,14 +0,0 @@
-_: {
-  services.ergochat = {
-    enable = true;
-
-    settings = {
-      datastore = {
-        autoupgrade = true;
-        path = "/var/lib/ergo/ircd.db";
-      };
-    };
-  };
-
-  clan.core.state.ergochat.folders = [ "/var/lib/ergo" ];
-}

clanModules/flake-module.nix

@@ -8,8 +8,8 @@ in
 {
   # only import available files, as this allows to filter the files for tests.
   flake.clanModules = filterAttrs (_name: pathExists) {
-    auto-upgrade = ./auto-upgrade;
     admin = ./admin;
+    auto-upgrade = ./auto-upgrade;
     borgbackup = ./borgbackup;
     borgbackup-static = ./borgbackup-static;
     deltachat = ./deltachat;
@@ -18,6 +18,7 @@ in
     dyndns = ./dyndns;
     ergochat = ./ergochat;
     garage = ./garage;
+    golem-provider = ./golem-provider;
     heisenbridge = ./heisenbridge;
     importer = ./importer;
     iwd = ./iwd;

clanModules/garage/README.md

@@ -1,7 +1,5 @@
 ---
 description = "S3-compatible object store for small self-hosted geo-distributed deployments"
-categories = ["System"]
-features = [ "inventory", "deprecated" ]
 ---
 
 This module generates garage specific keys automatically.

clanModules/garage/default.nix

@@ -1,3 +1,43 @@
+{ config, pkgs, ... }:
 {
-  imports = [ ./roles/default.nix ];
+  systemd.services.garage.serviceConfig = {
+    LoadCredential = [
+      "rpc_secret_path:${config.clan.core.vars.generators.garage-shared.files.rpc_secret.path}"
+      "admin_token_path:${config.clan.core.vars.generators.garage.files.admin_token.path}"
+      "metrics_token_path:${config.clan.core.vars.generators.garage.files.metrics_token.path}"
+    ];
+    Environment = [
+      "GARAGE_ALLOW_WORLD_READABLE_SECRETS=true"
+      "GARAGE_RPC_SECRET_FILE=%d/rpc_secret_path"
+      "GARAGE_ADMIN_TOKEN_FILE=%d/admin_token_path"
+      "GARAGE_METRICS_TOKEN_FILE=%d/metrics_token_path"
+    ];
+  };
+
+  clan.core.vars.generators.garage = {
+    files.admin_token = { };
+    files.metrics_token = { };
+    runtimeInputs = [
+      pkgs.coreutils
+      pkgs.openssl
+    ];
+    script = ''
+      openssl rand -base64 -out "$out"/admin_token 32
+      openssl rand -base64 -out "$out"/metrics_token 32
+    '';
+  };
+
+  clan.core.vars.generators.garage-shared = {
+    share = true;
+    files.rpc_secret = { };
+    runtimeInputs = [
+      pkgs.coreutils
+      pkgs.openssl
+    ];
+    script = ''
+      openssl rand -hex -out "$out"/rpc_secret 32
+    '';
+  };
+
+  clan.core.state.garage.folders = [ config.services.garage.settings.metadata_dir ];
 }

clanModules/garage/roles/default.nix

@@ -1,43 +0,0 @@
-{ config, pkgs, ... }:
-{
-  systemd.services.garage.serviceConfig = {
-    LoadCredential = [
-      "rpc_secret_path:${config.clan.core.vars.generators.garage-shared.files.rpc_secret.path}"
-      "admin_token_path:${config.clan.core.vars.generators.garage.files.admin_token.path}"
-      "metrics_token_path:${config.clan.core.vars.generators.garage.files.metrics_token.path}"
-    ];
-    Environment = [
-      "GARAGE_ALLOW_WORLD_READABLE_SECRETS=true"
-      "GARAGE_RPC_SECRET_FILE=%d/rpc_secret_path"
-      "GARAGE_ADMIN_TOKEN_FILE=%d/admin_token_path"
-      "GARAGE_METRICS_TOKEN_FILE=%d/metrics_token_path"
-    ];
-  };
-
-  clan.core.vars.generators.garage = {
-    files.admin_token = { };
-    files.metrics_token = { };
-    runtimeInputs = [
-      pkgs.coreutils
-      pkgs.openssl
-    ];
-    script = ''
-      openssl rand -base64 -out "$out"/admin_token 32
-      openssl rand -base64 -out "$out"/metrics_token 32
-    '';
-  };
-
-  clan.core.vars.generators.garage-shared = {
-    share = true;
-    files.rpc_secret = { };
-    runtimeInputs = [
-      pkgs.coreutils
-      pkgs.openssl
-    ];
-    script = ''
-      openssl rand -hex -out "$out"/rpc_secret 32
-    '';
-  };
-
-  clan.core.state.garage.folders = [ config.services.garage.settings.metadata_dir ];
-}

clanModules/golem-provider/README.md

@@ -0,0 +1,7 @@
+---
+description = "Golem Provider for the Golem Network, an open-source and decentralized platform where everyone can use and share each other's computing power without relying on centralized entities like cloud computing corporations"
+---
+
+By running a golem provider your machine's compute resources are offered via the golem network which will allow other members to execute compute tasks on your machine. If this happens, you will be compensated with GLM, an ERC20 token.
+
+More about golem providers: https://docs.golem.network/docs/golem/overview

clanModules/golem-provider/default.nix

@@ -0,0 +1,34 @@
+{ config, pkgs, ... }:
+let
+  cfg = config.clan.golem-provider;
+  yagna = pkgs.callPackage ../../pkgs/yagna { };
+  accountFlag = if cfg.account != null then "--account ${cfg.account}" else "";
+in
+{
+  imports = [ ./interface.nix ];
+
+  users.users.golem = {
+    isSystemUser = true;
+    home = "/var/lib/golem";
+    group = "golem";
+    createHome = true;
+  };
+
+  users.groups.golem = { };
+
+  environment.systemPackages = [ yagna ];
+
+  systemd.services.golem-provider = {
+    description = "Golem Provider";
+    wantedBy = [ "multi-user.target" ];
+    after = [ "network-online.target" ];
+    serviceConfig = {
+      Type = "simple";
+      ExecStart = "${yagna}/bin/golemsp run --no-interactive ${accountFlag}";
+      Restart = "always";
+      RestartSec = "5";
+      User = "golem";
+      Group = "golem";
+    };
+  };
+}