yadunut/clan-core
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Compare commits

base: yadunut:remove-auto-upgrade
Branches Tags
yadunut:main yadunut:update-devFlake-clan-core-for-checks yadunut:update-nixpkgs yadunut:push-unvrqnoxxpxs yadunut:push-pmmlnrxvqntt yadunut:push-lxuyokqwsqmr yadunut:check yadunut:ke-docs-testing-container yadunut:push-qxwmroxwwppo yadunut:monitoring-network yadunut:update-nixpkgs-2025-10-20 yadunut:exports-endpoints yadunut:wireguard yadunut:hgl-site yadunut:push-tnkqqznukmkw yadunut:clan-25.05 yadunut:fix-c yadunut:feat/snapshot-tests yadunut:write-access yadunut:ke-fix-cr yadunut:ke-qa-nixpkgs-input yadunut:lopter-lo-fix-error-msg yadunut:hgl-ui-textfield yadunut:zerotier_refactor yadunut:docs-framework yadunut:simplify_http_backend yadunut:test-update-vars yadunut:deps-poc yadunut:vars-docs yadunut:yggdrasil yadunut:ui/fix-install-state-after-install yadunut:revers-update-vars-break yadunut:fix-modules-spagetti yadunut:sachk-main yadunut:pr-5024 yadunut:ke-docs-add-nixos-rebuild-switch yadunut:mdformat yadunut:fix-typography yadunut:serve-json-telegraf yadunut:remove-deprecations yadunut:remove-module-pkgs yadunut:clean-dead-code yadunut:monitoring-service-prometheus yadunut:service-static-hosts yadunut:remove-facts yadunut:vm-mamanger-remove yadunut:cli-clan-inspect yadunut:tor yadunut:terst yadunut:flake-compat yadunut:fix/combobox-form-binding yadunut:docs-options yadunut:init-restic yadunut:migration-docs yadunut:ui/reduce-opacity-sidebar-pane yadunut:migrate-syncthing yadunut:remove-build-clan yadunut:remove-modules-2 yadunut:remove-modules yadunut:nim65s-multi-wifi yadunut:feat/options-styling yadunut:clan-autorefresh yadunut:assertions yadunut:push-uymllnlsszzv yadunut:ke-facts-cli-warning yadunut:module-migration-add-warning yadunut:update-devFlake-private-nixpkgs-dev yadunut:update-templates-services-2 yadunut:ke-disko-shell-completions yadunut:templates-2 yadunut:prep-ui-version2 yadunut:try-fix-flash-test yadunut:pr-4283-generate_test_vars-fix-it yadunut:ssh-proxy yadunut:pr-3785 yadunut:vars-new yadunut:update-templates-again yadunut:revert-delete-state-version yadunut:speed-up-vars-check yadunut:agit-4042 yadunut:generate-test-vars-precache yadunut:kenji/ke-fix-ssh-deploy yadunut:fix-users yadunut:ssh-fix yadunut:remove-auto-upgrade yadunut:fix-flake-cache-chroot yadunut:nix_transform_host_options yadunut:push-trllkluxupnn yadunut:migrate-postgresql yadunut:feat/terminal-ui-component yadunut:feat/clan-uri-in-route yadunut:admin-migrate-service yadunut:pinned-clan-core yadunut:improve-container yadunut:Qubasa-replace_machine_name_with_machine_obj yadunut:control-master yadunut:check-the-checks yadunut:updated yadunut:validation-hash yadunut:push-wqqzvqtllpmt yadunut:Qubasa-main yadunut:enable-more-macos yadunut:p2p-updates yadunut:lassulus yadunut:Qubasa-debugging-docs yadunut:options-warnings yadunut:vars-deploy-test yadunut:init/manpage yadunut:a-kenji-improve/editor yadunut:complete-clan-modules yadunut:clan/cli/facts-noisy-1443 yadunut:clan/examples yadunut:init/editors yadunut:add-pre-commit yadunut:feat/clan-install-json yadunut:init/manpages yadunut:a-kenji-clan/install yadunut:init/flatpak yadunut:clana
yadunut:ui-version1 yadunut:demo-v2.2 yadunut:demo-v2.1 yadunut:demo-v2.0 yadunut:demo-v1.1 yadunut:demo-v1.0
..
compare: yadunut:feat/clan-uri-in-route
Branches Tags
yadunut:main yadunut:update-devFlake-clan-core-for-checks yadunut:update-nixpkgs yadunut:push-unvrqnoxxpxs yadunut:push-pmmlnrxvqntt yadunut:push-lxuyokqwsqmr yadunut:check yadunut:ke-docs-testing-container yadunut:push-qxwmroxwwppo yadunut:monitoring-network yadunut:update-nixpkgs-2025-10-20 yadunut:exports-endpoints yadunut:wireguard yadunut:hgl-site yadunut:push-tnkqqznukmkw yadunut:clan-25.05 yadunut:fix-c yadunut:feat/snapshot-tests yadunut:write-access yadunut:ke-fix-cr yadunut:ke-qa-nixpkgs-input yadunut:lopter-lo-fix-error-msg yadunut:hgl-ui-textfield yadunut:zerotier_refactor yadunut:docs-framework yadunut:simplify_http_backend yadunut:test-update-vars yadunut:deps-poc yadunut:vars-docs yadunut:yggdrasil yadunut:ui/fix-install-state-after-install yadunut:revers-update-vars-break yadunut:fix-modules-spagetti yadunut:sachk-main yadunut:pr-5024 yadunut:ke-docs-add-nixos-rebuild-switch yadunut:mdformat yadunut:fix-typography yadunut:serve-json-telegraf yadunut:remove-deprecations yadunut:remove-module-pkgs yadunut:clean-dead-code yadunut:monitoring-service-prometheus yadunut:service-static-hosts yadunut:remove-facts yadunut:vm-mamanger-remove yadunut:cli-clan-inspect yadunut:tor yadunut:terst yadunut:flake-compat yadunut:fix/combobox-form-binding yadunut:docs-options yadunut:init-restic yadunut:migration-docs yadunut:ui/reduce-opacity-sidebar-pane yadunut:migrate-syncthing yadunut:remove-build-clan yadunut:remove-modules-2 yadunut:remove-modules yadunut:nim65s-multi-wifi yadunut:feat/options-styling yadunut:clan-autorefresh yadunut:assertions yadunut:push-uymllnlsszzv yadunut:ke-facts-cli-warning yadunut:module-migration-add-warning yadunut:update-devFlake-private-nixpkgs-dev yadunut:update-templates-services-2 yadunut:ke-disko-shell-completions yadunut:templates-2 yadunut:prep-ui-version2 yadunut:try-fix-flash-test yadunut:pr-4283-generate_test_vars-fix-it yadunut:ssh-proxy yadunut:pr-3785 yadunut:vars-new yadunut:update-templates-again yadunut:revert-delete-state-version yadunut:speed-up-vars-check yadunut:agit-4042 yadunut:generate-test-vars-precache yadunut:kenji/ke-fix-ssh-deploy yadunut:fix-users yadunut:ssh-fix yadunut:remove-auto-upgrade yadunut:fix-flake-cache-chroot yadunut:nix_transform_host_options yadunut:push-trllkluxupnn yadunut:migrate-postgresql yadunut:feat/terminal-ui-component yadunut:feat/clan-uri-in-route yadunut:admin-migrate-service yadunut:pinned-clan-core yadunut:improve-container yadunut:Qubasa-replace_machine_name_with_machine_obj yadunut:control-master yadunut:check-the-checks yadunut:updated yadunut:validation-hash yadunut:push-wqqzvqtllpmt yadunut:Qubasa-main yadunut:enable-more-macos yadunut:p2p-updates yadunut:lassulus yadunut:Qubasa-debugging-docs yadunut:options-warnings yadunut:vars-deploy-test yadunut:init/manpage yadunut:a-kenji-improve/editor yadunut:complete-clan-modules yadunut:clan/cli/facts-noisy-1443 yadunut:clan/examples yadunut:init/editors yadunut:add-pre-commit yadunut:feat/clan-install-json yadunut:init/manpages yadunut:a-kenji-clan/install yadunut:init/flatpak yadunut:clana
yadunut:ui-version1 yadunut:demo-v2.2 yadunut:demo-v2.1 yadunut:demo-v2.0 yadunut:demo-v1.1 yadunut:demo-v1.0

2 Commits
remove-aut ... feat/clan-

Author SHA1 Message Date
Brian McGee
985f66dac8 feat(ui): lazy load routes 2025-05-22 16:05:18 +01:00
Brian McGee
0a75575e08 feat(ui): move route definitions to routes folder 2025-05-22 15:33:39 +01:00
596 changed files with 5202 additions and 25393 deletions
Expand all files Collapse all files

64
checks/admin/default.nix Normal file
View File

@@ -0,0 +1,64 @@
{
pkgs,
self,
clanLib,
...
}:
let
public-key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII6zj7ubTg6z/aDwRNwvM/WlQdUocMprQ8E92NWxl6t+ test@test";
in
clanLib.test.makeTestClan {
inherit pkgs self;
nixosTest = (
{ ... }:
{
name = "admin";
clan = {
directory = ./.;
modules."@clan/admin" = ../../clanServices/admin/default.nix;
inventory = {
machines.client = { };
machines.server = { };
instances = {
ssh-test-one = {
module.name = "@clan/admin";
roles.default.machines."server".settings = {
allowedKeys.testkey = public-key;
};
};
};
};
};
nodes = {
client.environment.etc.private-test-key.source = ./private-test-key;
server = {
services.openssh = {
enable = true;
settings.UsePAM = false;
};
};
};
testScript = ''
start_all()
machines = [client, server]
for m in machines:
m.systemctl("start network-online.target")
for m in machines:
m.wait_for_unit("network-online.target")
client.succeed(f"ssh -F /dev/null -i /etc/private-test-key -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o BatchMode=yes root@server true &>/dev/null")
'';
}
);
}

0
clanServices/admin/tests/vm/private-test-key → checks/admin/private-test-key
View File

0
clanServices/admin/tests/vm/sops/machines/server/key.json → checks/admin/sops/machines/server/key.json
View File

0
clanServices/admin/tests/vm/sops/secrets/server-age.key/secret → checks/admin/sops/secrets/server-age.key/secret
View File

0
checks/borgbackup/sops/secrets/clientone-age.key/users/admin → checks/admin/sops/secrets/server-age.key/users/admin
View File

0
checks/borgbackup/sops/users/admin/key.json → checks/admin/sops/users/admin/key.json
View File

0
clanServices/admin/tests/vm/vars/per-machine/server/openssh/ssh.id_ed25519.pub/value → checks/admin/vars/per-machine/server/openssh/ssh.id_ed25519.pub/value
View File

0
checks/mycelium/vars/per-machine/server/mycelium/key/machines/server → checks/admin/vars/per-machine/server/openssh/ssh.id_ed25519/machines/server
View File

0
clanServices/admin/tests/vm/vars/per-machine/server/openssh/ssh.id_ed25519/secret → checks/admin/vars/per-machine/server/openssh/ssh.id_ed25519/secret
View File

0
checks/borgbackup/vars/per-machine/clientone/borgbackup/borgbackup.repokey/users/admin → checks/admin/vars/per-machine/server/openssh/ssh.id_ed25519/users/admin
View File

0
clanServices/admin/tests/vm/vars/per-machine/server/openssh/ssh.id_ed25519/machines/server → checks/admin/vars/per-machine/server/root-password/password-hash/machines/server
View File

0
clanServices/admin/tests/vm/vars/per-machine/server/root-password/password-hash/secret → checks/admin/vars/per-machine/server/root-password/password-hash/secret
View File

0
checks/borgbackup/vars/per-machine/clientone/borgbackup/borgbackup.ssh/users/admin → checks/admin/vars/per-machine/server/root-password/password-hash/users/admin
View File

0
clanServices/admin/tests/vm/vars/per-machine/server/root-password/password/secret → checks/admin/vars/per-machine/server/root-password/password/secret
View File

0
checks/dummy-inventory-test-from-flake/vars/per-machine/admin1/dummy-generator/generated-password/users/admin → checks/admin/vars/per-machine/server/root-password/password/users/admin
View File

51
checks/borgbackup-legacy/default.nix
View File

@@ -1,51 +0,0 @@
(
{ ... }:
{
name = "borgbackup";
nodes.machine =
{ self, pkgs, ... }:
{
imports = [
self.clanModules.borgbackup
self.nixosModules.clanCore
{
services.openssh.enable = true;
services.borgbackup.repos.testrepo = {
authorizedKeys = [ (builtins.readFile ../assets/ssh/pubkey) ];
};
}
{
clan.core.settings.directory = ./.;
clan.core.state.testState.folders = [ "/etc/state" ];
environment.etc.state.text = "hello world";
systemd.tmpfiles.settings."vmsecrets" = {
"/etc/secrets/borgbackup/borgbackup.ssh" = {
C.argument = "${../assets/ssh/privkey}";
z = {
mode = "0400";
user = "root";
};
};
"/etc/secrets/borgbackup/borgbackup.repokey" = {
C.argument = builtins.toString (pkgs.writeText "repokey" "repokey12345");
z = {
mode = "0400";
user = "root";
};
};
};
# clan.core.facts.secretStore = "vm";
clan.core.vars.settings.secretStore = "vm";
clan.borgbackup.destinations.test.repo = "borg@localhost:.";
}
];
};
testScript = ''
start_all()
machine.systemctl("start --wait borgbackup-job-test.service")
assert "machine-test" in machine.succeed("BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK=yes /run/current-system/sw/bin/borg-job-test list")
'';
}
)

139
checks/borgbackup/default.nix
View File

@@ -1,118 +1,51 @@
{
pkgs,
nixosLib,
clan-core,
...
}:
nixosLib.runTest (
(
{ ... }:
{
imports = [
clan-core.modules.nixosVmTest.clanTest
];
hostPkgs = pkgs;
name = "borgbackup";
clan = {
directory = ./.;
test.useContainers = true;
modules."@clan/borgbackup" = ../../clanServices/borgbackup/default.nix;
inventory = {
machines.clientone = { };
machines.serverone = { };
instances = {
borgone = {
module.name = "@clan/borgbackup";
roles.client.machines."clientone" = { };
roles.server.machines."serverone".settings.directory = "/tmp/borg-test";
};
};
};
};
nodes = {
serverone = {
services.openssh.enable = true;
# Needed so PAM doesn't see the user as locked
users.users.borg.password = "borg";
};
clientone =
{ config, pkgs, ... }:
let
dependencies = [
clan-core
pkgs.stdenv.drvPath
] ++ builtins.map (i: i.outPath) (builtins.attrValues clan-core.inputs);
closureInfo = pkgs.closureInfo { rootPaths = dependencies; };
in
nodes.machine =
{ self, pkgs, ... }:
{
imports = [
self.clanModules.borgbackup
self.nixosModules.clanCore
{
services.openssh.enable = true;
users.users.root.openssh.authorizedKeys.keyFiles = [ ../assets/ssh/pubkey ];
clan.core.networking.targetHost = config.networking.hostName;
environment.systemPackages = [ clan-core.packages.${pkgs.system}.clan-cli ];
environment.etc.install-closure.source = "${closureInfo}/store-paths";
nix.settings = {
substituters = pkgs.lib.mkForce [ ];
hashed-mirrors = null;
connect-timeout = pkgs.lib.mkForce 3;
flake-registry = pkgs.writeText "flake-registry" ''{"flakes":[],"version":2}'';
services.borgbackup.repos.testrepo = {
authorizedKeys = [ (builtins.readFile ../assets/ssh/pubkey) ];
};
system.extraDependencies = dependencies;
clan.core.state.test-backups.folders = [ "/var/test-backups" ];
}
{
clan.core.settings.directory = ./.;
clan.core.state.testState.folders = [ "/etc/state" ];
environment.etc.state.text = "hello world";
systemd.tmpfiles.settings."vmsecrets" = {
"/etc/secrets/borgbackup/borgbackup.ssh" = {
C.argument = "${../assets/ssh/privkey}";
z = {
mode = "0400";
user = "root";
};
};
"/etc/secrets/borgbackup/borgbackup.repokey" = {
C.argument = builtins.toString (pkgs.writeText "repokey" "repokey12345");
z = {
mode = "0400";
user = "root";
};
};
};
# clan.core.facts.secretStore = "vm";
clan.core.vars.settings.secretStore = "vm";
clan.borgbackup.destinations.test.repo = "borg@localhost:.";
}
];
};
testScript = ''
import json
start_all()
machines = [clientone, serverone]
for m in machines:
m.systemctl("start network-online.target")
for m in machines:
m.wait_for_unit("network-online.target")
# dummy data
clientone.succeed("mkdir -p /var/test-backups /var/test-service")
clientone.succeed("echo testing > /var/test-backups/somefile")
clientone.succeed("${pkgs.coreutils}/bin/install -Dm 600 ${../assets/ssh/privkey} /root/.ssh/id_ed25519")
clientone.succeed("${pkgs.coreutils}/bin/touch /root/.ssh/known_hosts")
clientone.wait_until_succeeds("timeout 2 ssh -o StrictHostKeyChecking=accept-new localhost hostname")
clientone.wait_until_succeeds("timeout 2 ssh -o StrictHostKeyChecking=accept-new $(hostname) hostname")
# create
clientone.succeed("borgbackup-create >&2")
clientone.wait_until_succeeds("! systemctl is-active borgbackup-job-serverone >&2")
# list
backup_id = json.loads(clientone.succeed("borg-job-serverone list --json"))["archives"][0]["archive"]
out = clientone.succeed("borgbackup-list").strip()
print(out)
assert backup_id in out, f"backup {backup_id} not found in {out}"
# borgbackup restore
clientone.succeed("rm -f /var/test-backups/somefile")
clientone.succeed(f"NAME='serverone::borg@serverone:.::{backup_id}' borgbackup-restore >&2")
assert clientone.succeed("cat /var/test-backups/somefile").strip() == "testing", "restore failed"
machine.systemctl("start --wait borgbackup-job-test.service")
assert "machine-test" in machine.succeed("BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK=yes /run/current-system/sw/bin/borg-job-test list")
'';
}
)

6
checks/borgbackup/sops/machines/clientone/key.json
View File

@@ -1,6 +0,0 @@
[
{
"publickey": "age1tyyx2ratu8s9ugyre36xyksnquth9gxeh7wjdhvsk89rtf8yu5wq0pk04c",
"type": "age"
}
]

15
checks/borgbackup/sops/secrets/clientone-age.key/secret
View File

@@ -1,15 +0,0 @@
{
"data": "ENC[AES256_GCM,data:wCKoKuJo4uXycfqEUYAXDlRRMGJaWgOFiaQa4Wigs0jx1eCI80lP3cEZ1QKyrU/9m9POoZz0JlaKHcuhziTKUqaevHvGfVq2y00=,iv:pH5a90bJbK9Ro6zndNJ18qd4/rU+Tdm+y+jJZtY7UGg=,tag:9lHZJ9C/zIfy8nFrYt9JBQ==,type:str]",
"sops": {
"age": [
{
"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwUDhpd1ZqbWFqR0I3dVFI\nOHlyZnFUYXJnWElrRWhoUHVNMzdKd0VrcGdRCkphQVhuYzlJV0p1MG9MSW5ncWJ3\nREp1OEJxMzQzS2MxTk9aMkJ1a3B0Q0kKLS0tIENweVJ2Tk1yeXlFc2F5cTNIV3F3\nTkRFOVZ1amRIYmg1K3hGWUFSTTl4Wk0KHJRJ7756Msod7Bsmn9SgtwRo53B8Ilp3\nhsAPv+TtdmOD8He9MvGV+BElKEXCsLUwhp/Py6n6CJCczu0VIr8owg==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2025-05-20T13:33:56Z",
"mac": "ENC[AES256_GCM,data:FyfxXhnI6o4SVGJY2e1eMDnfkbMWiCkP4JL/G4PQvzz+c7OIuz8xaa03P3VW7b7o85NP2Tln4FMNTZ0FYtQwd0kKypLUnIxAHsixAHFCv4X8ul1gtZynzgbFbmc0GkfVWW8Lf+U+vvDwT+UrEVfcmksCjdvAOwP26PvlEhYEkSw=,iv:H+VrWYL+kLOLezCZrI8ZgeCsaUdpb7LxDMiLotezVPs=,tag:B/cbPdiEFumGKQHby5inCA==,type:str]",
"unencrypted_suffix": "_unencrypted",
"version": "3.10.2"
}
}

1
checks/borgbackup/vars/per-machine/clientone/borgbackup/borgbackup.repokey/machines/clientone
View File

@@ -1 +0,0 @@
../../../../../../sops/machines/clientone

19
checks/borgbackup/vars/per-machine/clientone/borgbackup/borgbackup.repokey/secret
View File

@@ -1,19 +0,0 @@
{
"data": "ENC[AES256_GCM,data:52vY68gqbwiZRMUBKc9SeXR06fuKAhuAPciLpxXgEOxI,iv:Y34AVoHaZzRiFFTDbekXP1X3W8zSXJmzVCYODYkdxnY=,tag:8WQaGEHQKT/n+auHUZCE0w==,type:str]",
"sops": {
"age": [
{
"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOdUFUZUZ2M00zTGlhNjF4\nL0VlMVY4Z2xMbWRWR29zZlFwdm1XRk12NGtBCnkrb3A4M3BkalMyeWdDaUdQdStt\nUWY3SXJROXdpRzN0NlBJNEpjTEZ0aFkKLS0tIGZkMGhsTXB2RnRqVHVrUFQwL2lw\nZnBreWhWa3Jrcm4yOXBiaUlPWFM1aDAKRE+Zzrja7KeANEJUbmFYuVoO3qGyi4iH\n0cfH0W8irRe9vsKMXz7YJxtByYLwRulrT8tXtElHvIEVJG0mwwaf0Q==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age1tyyx2ratu8s9ugyre36xyksnquth9gxeh7wjdhvsk89rtf8yu5wq0pk04c",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsNEljUFdnQ0tTQ1IxZ2Zo\nYkc4V2dCaUk0YXh5SzlSazhsRTVKVzFvVXhFCkRyMlMxR3EyWEZIRzFQV3d2dVpz\na3NPbk9XdWR1NmtMQlZsNlBuU0NkQWMKLS0tIDlDYzMzOExVL1g5SVRHYlpUQlBV\na2lpdTUwaEd4OXhWUWxuV04xRVVKNHcK9coohAD1IoarLOXSGg3MIRXQ3BsTIA4y\nKrcS/PxITKJs7ihg93RZin70R79Qsij1RHZLKGfgGJ67i8ZCxc4N0g==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2025-05-20T13:33:59Z",
"mac": "ENC[AES256_GCM,data:eABMaIe07dwAMMlgrIUUpfpj73q1H5Keafql91MBQ5NN9Znr5lI/ennQsQsuLO8ZTCC34US/MJndliW34SqVM9y53p0jjPzqBxSKYq74iNcBz7+TxbjlY1aapgTRPr6Ta8I/5loohnxlHqjvLL70ZzfbChDN0/4jZsDVXYNfbIk=,iv:41Mz2u40JN0iE5zPUK6siaxo0rTtlk7fGWq7TF5NyUI=,tag:1A+h6XPH7DeQ6kxGDV3PgQ==,type:str]",
"unencrypted_suffix": "_unencrypted",
"version": "3.10.2"
}
}

1
checks/borgbackup/vars/per-machine/clientone/borgbackup/borgbackup.ssh.pub/value
View File

@@ -1 +0,0 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE3clYF6BDZ0PxfDdprx7YYM4U4PKEZkWUuhpre0wb7w nixbld@kiwi

1
checks/borgbackup/vars/per-machine/clientone/borgbackup/borgbackup.ssh/machines/clientone
View File

@@ -1 +0,0 @@
../../../../../../sops/machines/clientone

19
checks/borgbackup/vars/per-machine/clientone/borgbackup/borgbackup.ssh/secret
View File

@@ -1,19 +0,0 @@
{
"data": "ENC[AES256_GCM,data:tAjfBW75XDS8lfJCf/+9rPYH3aMjRX1nmdN5dPMxnrlhuEPM3Smv9AM93Tz36k7BKk31bUWcV/99ax+KaIK1Rzgym/CwKGGxIUziuVOEOwrCOBeOw7amZ9YGsgiLUTLIhoeO6SjfdZ4q2JxGPw7KqNfUM9kiZT01vx5JTLa24JdvBKpizbtHRlL1lappTRVt0dG2WhT9/YhQUGu9ZFqPs8+bPOBclc78qjCm2DAPgsprK+JCBuq+r+qHgAx4Ee1QHI7FC39e5NeGBTBeZfZ5d95+0klKuTx9FCPs6QRBkQ0tN29OpwzkdSuRAXGGHpzPkZ+FupbETtSQWCmnjma6jPzEl8oDUTWooKK0mUEz8icvTQvRfyM3Qt3mQpkX3e0rTEbZzoLdWCwTufP/tRQNDCWvI/NV7OjIHpNPjymqE5uPmiBpA6y6hhCH7zL1eDo11ICSIX3hkyFJH2svvFQn6oLrPAoByvNutfetKhd8z7NFpVeIOWwtuPzO7wU5M7zESHww0JF78vjFwimQYYhQ,iv:fVjeVez4dTGSrANi5ZeP9PJhsSySqeqqJzBDbd0gFW4=,tag:Aa89+bWLljxV1tlSHtpddw==,type:str]",
"sops": {
"age": [
{
"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVaW94M3VwcFJ2elcrRGlv\nUGdzVk9vU2ZweFpIVVlIRUEyRVlSMlEyeHpVCnJuV0xIS3hMLy9IbG92S0pvL2RP\nL0J0WkVuWVhQdldHekdYNTVXdFkrUlEKLS0tIFQzdGErZVBwQUFNMXErbDBQVURZ\naHlsY2hDa1Zud1E2dFh0ZHl4VEJ2S0kKVABqwRcCUTcsBInfo9CpFtoM3kl4KMyU\nGXDjHOSjlX5df7OKZAvYukgX7Q2penvq+Fq4fa4A1Cmkqga7cHdJ+A==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age1tyyx2ratu8s9ugyre36xyksnquth9gxeh7wjdhvsk89rtf8yu5wq0pk04c",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnbHRSVEg3Vi9qTnAwWGF6\nbEdIR2gvZ2laZnJMbVF3NjcvN25OdXF3WXowCnVUODdEa1NWU3JISXlrNldOMjVi\ndUlMTVdBaWxvZHlwSTdJY3NCcll4SjAKLS0tIEp6ZVlDTklqVXdNYzJ2dElCR21o\nUWphMDdyVVppVnFHOVlHZTNtajZzOXMKRB61lUrAkUXSYl3ffOOK8k4QgLA4bFln\naQ7GOol8f8W5H68zXBMZrhjP6k4kZDfknc9jgyoWM7jaZNSWC5J19Q==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2025-05-20T13:33:59Z",
"mac": "ENC[AES256_GCM,data:NjVpDweqxTSQGt9VKR/CMfvbvHQJHCi8P7XbOuKLZKQ4GVoeZ5r4PsC6nxKHHikN6YL1oJCmaSxr0mJRk/sFZg/+wdW8L7F5aQeFRiWo9jCjH0MDMnfiu5a0xjRt21uPl/7LUJ9jNon5nyxPTlZMeYSvTP2Q9spnNuN8vqipP68=,iv:DPvbN9IvWiUfxiJk6mey/us8N1GGVJcSJrT8Bty4kB4=,tag:+emK8uSkfIGUXoYpaWeu3A==,type:str]",
"unencrypted_suffix": "_unencrypted",
"version": "3.10.2"
}
}

4
checks/clan-core-for-checks.nix
View File

@@ -1,6 +1,6 @@
{ fetchgit }:
fetchgit {
url = "https://git.clan.lol/clan/clan-core.git";
rev = "13a9b1719835ef4510e4adb6941ddfe9a91d41cb";
sha256 = "sha256-M+pLnpuX+vIsxTFtbBZaNA1OwGQPeSbsMbTiDl1t4vY=";
rev = "843e1b24be6ff9a7015e67b3291216c08f628d3e";
sha256 = "1bfm3n9r9k8prbwsh0yzp421y4ahblv407gqihwvcpiqsx6s3b9b";
}

23
checks/data-mesher/default.nix
View File

@@ -1,25 +1,21 @@
{
pkgs,
nixosLib,
clan-core,
lib,
self,
clanLib,
...
}:
let
clanLib.test.makeTestClan {
inherit pkgs self;
nixosTest = (
{ lib, ... }:
let
machines = [
"admin"
"peer"
"signer"
];
in
nixosLib.runTest (
{ ... }:
in
{
imports = [
clan-core.modules.nixosVmTest.clanTest
];
hostPkgs = pkgs;
name = "data-mesher";
clan = {
@@ -86,4 +82,5 @@ nixosLib.runTest (
})
'';
}
)
);
}

28
checks/deltachat/default.nix Normal file
View File

@@ -0,0 +1,28 @@
(import ../lib/container-test.nix) (
{ pkgs, ... }:
{
name = "deltachat";
nodes.machine =
{ self, ... }:
{
imports = [
self.clanModules.deltachat
self.nixosModules.clanCore
{
clan.core.settings.directory = ./.;
}
];
};
testScript = ''
start_all()
machine.wait_for_unit("maddy")
# imap
machine.succeed("${pkgs.netcat}/bin/nc -z -v ::1 143")
# smtp submission
machine.succeed("${pkgs.netcat}/bin/nc -z -v ::1 587")
# smtp
machine.succeed("${pkgs.netcat}/bin/nc -z -v ::1 25")
'';
}
)

66
checks/dummy-inventory-test-from-flake/default.nix
View File

@@ -1,66 +0,0 @@
{
pkgs,
nixosLib,
clan-core,
...
}:
nixosLib.runTest (
{ hostPkgs, config, ... }:
{
imports = [
clan-core.modules.nixosVmTest.clanTest
];
hostPkgs = pkgs;
# This tests the compatibility of the inventory
# With the test framework
# - legacy-modules
# - clan.service modules
name = "dummy-inventory-test-from-flake";
clan.test.fromFlake = ./.;
extraPythonPackages = _p: [
clan-core.legacyPackages.${hostPkgs.system}.setupNixInNixPythonPackage
];
testScript =
{ nodes, ... }:
''
from setup_nix_in_nix import setup_nix_in_nix # type: ignore[import-untyped]
setup_nix_in_nix()
def run_clan(cmd: list[str], **kwargs) -> str:
import subprocess
clan = "${clan-core.packages.${hostPkgs.system}.clan-cli}/bin/clan"
clan_args = ["--flake", "${config.clan.test.flakeForSandbox}"]
return subprocess.run(
["${hostPkgs.util-linux}/bin/unshare", "--user", "--map-user", "1000", "--map-group", "1000", clan, *cmd, *clan_args],
**kwargs,
check=True,
).stdout
start_all()
admin1.wait_for_unit("multi-user.target")
peer1.wait_for_unit("multi-user.target")
# Provided by the legacy module
print(admin1.succeed("systemctl status dummy-service"))
print(peer1.succeed("systemctl status dummy-service"))
# peer1 should have the 'hello' file
peer1.succeed("cat ${nodes.peer1.clan.core.vars.generators.new-service.files.not-a-secret.path}")
ls_out = peer1.succeed("ls -la ${nodes.peer1.clan.core.vars.generators.new-service.files.a-secret.path}")
# Check that the file is owned by 'nobody'
assert "nobody" in ls_out, f"File is not owned by 'nobody': {ls_out}"
# Check that the file is in the 'users' group
assert "users" in ls_out, f"File is not in the 'users' group: {ls_out}"
# Check that the file is in the '0644' mode
assert "-rw-r--r--" in ls_out, f"File is not in the '0644' mode: {ls_out}"
run_clan(["machines", "list"])
'';
}
)

70
checks/dummy-inventory-test-from-flake/flake.nix
View File

@@ -1,70 +0,0 @@
{
inputs.clan-core.url = "https://git.clan.lol/clan/clan-core/archive/main.tar.gz";
inputs.nixpkgs.follows = "clan-core/nixpkgs";
outputs =
{ self, clan-core, ... }:
let
# Usage see: https://docs.clan.lol
clan = clan-core.clanLib.buildClan {
inherit self;
inventory =
{ ... }:
{
meta.name = "foo";
machines.peer1 = { };
machines.admin1 = { };
services = {
legacy-module.default = {
roles.peer.machines = [ "peer1" ];
roles.admin.machines = [ "admin1" ];
};
};
instances."test" = {
module.name = "new-service";
roles.peer.machines.peer1 = { };
};
modules = {
legacy-module = ./legacy-module;
};
};
modules.new-service = {
_class = "clan.service";
manifest.name = "new-service";
roles.peer = { };
perMachine = {
nixosModule = {
# This should be generated by:
# nix run .#generate-test-vars -- checks/dummy-inventory-test dummy-inventory-test
clan.core.vars.generators.new-service = {
files.not-a-secret = {
secret = false;
deploy = true;
};
files.a-secret = {
secret = true;
deploy = true;
owner = "nobody";
group = "users";
mode = "0644";
};
script = ''
# This is a dummy script that does nothing
echo -n "not-a-secret" > $out/not-a-secret
echo -n "a-secret" > $out/a-secret
'';
};
};
};
};
};
in
{
# all machines managed by Clan
inherit (clan) nixosConfigurations nixosModules clanInternals;
};
}

10
checks/dummy-inventory-test-from-flake/legacy-module/README.md
View File

@@ -1,10 +0,0 @@
---
description = "Set up dummy-module"
categories = ["System"]
features = [ "inventory" ]
[constraints]
roles.admin.min = 1
roles.admin.max = 1
---

5
checks/dummy-inventory-test-from-flake/legacy-module/roles/admin.nix
View File

@@ -1,5 +0,0 @@
{
imports = [
../shared.nix
];
}

5
checks/dummy-inventory-test-from-flake/legacy-module/roles/peer.nix
View File

@@ -1,5 +0,0 @@
{
imports = [
../shared.nix
];
}

34
checks/dummy-inventory-test-from-flake/legacy-module/shared.nix
View File

@@ -1,34 +0,0 @@
{ config, ... }:
{
systemd.services.dummy-service = {
enable = true;
description = "Dummy service";
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
};
script = ''
generated_password_path="${config.clan.core.vars.generators.dummy-generator.files.generated-password.path}"
if [ ! -f "$generated_password_path" ]; then
echo "Generated password file not found: $generated_password_path"
exit 1
fi
host_id_path="${config.clan.core.vars.generators.dummy-generator.files.host-id.path}"
if [ ! -e "$host_id_path" ]; then
echo "Host ID file not found: $host_id_path"
exit 1
fi
'';
};
# TODO: add and prompt and make it work in the test framework
clan.core.vars.generators.dummy-generator = {
files.host-id.secret = false;
files.generated-password.secret = true;
script = ''
echo $RANDOM > "$out"/host-id
echo $RANDOM > "$out"/generated-password
'';
};
}

6
checks/dummy-inventory-test-from-flake/sops/machines/admin1/key.json
View File

@@ -1,6 +0,0 @@
[
{
"publickey": "age12yt078p9ewxy2sh0a36nxdpgglv8wqqftmj4dkj9rgy5fuyn4p0q5nje9m",
"type": "age"
}
]

6
checks/dummy-inventory-test-from-flake/sops/machines/peer1/key.json
View File

@@ -1,6 +0,0 @@
[
{
"publickey": "age12w2ld4vxfyf3hdq2d8la4cu0tye4pq97egvv3me4wary7xkdnq2snh0zx2",
"type": "age"
}
]

15
checks/dummy-inventory-test-from-flake/sops/secrets/admin1-age.key/secret
View File

@@ -1,15 +0,0 @@
{
"data": "ENC[AES256_GCM,data:GPpsUhSzWPtTP8EUNKsobFXjYqDldhkkIH6hBk11RsDLAGWdhVrwcISGbhsWpYhvAdPKA84DB6Zqyh9lL2bLM9//ybC1kzY20BQ=,iv:NrxMLdedT2FCkUAD00SwsAHchIsxWvqe7BQekWuJcxw=,tag:pMDXcMyHnLF2t3Qhb1KolA==,type:str]",
"sops": {
"age": [
{
"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzb2tWb1ExKzdmUTRzaGVj\nK3cyYTBHZTJwVjM1SzUvbHFiMnVhY05iKzFZCnJTSE1VSVdpcUFLSEJuaE1CZzJD\nWjZxYzN2cUltdThNMVRKU3FIb20vUXMKLS0tIFlHQXRIdnMybDZFUVEzWlQrc1dw\nbUxhZURXblhHd0pka0JIK1FTZEVqdUEKI/rfxQRBc+xGRelhswkJQ9GcZs6lzfgy\nuCxS5JI9npdPLQ/131F3b21+sP5YWqks41uZG+vslM1zQ+BlENNhDw==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2025-05-04T12:44:13Z",
"mac": "ENC[AES256_GCM,data:fWxLHXBWolHVxv6Q7utcy6OVLV13ziswrIYyNKiwy1vsU8i7xvvuGO1HlnE+q43D2WuHR53liKq1UHuf1JMrWzTwZ0PYe+CVugtoEtbR2qu3rK/jAkOyMyhmmHzmf6Rp4ZMCzKgZeC/X2bDKY/z0firHAvjWydEyogutHpvtznM=,iv:OQI3FfkLneqbdztAXVQB3UkHwDPK+0hWu5hZ9m8Oczg=,tag:em6GfS2QHsXs391QKPxfmA==,type:str]",
"unencrypted_suffix": "_unencrypted",
"version": "3.10.2"
}
}

1
checks/dummy-inventory-test-from-flake/sops/secrets/admin1-age.key/users/admin
View File

@@ -1 +0,0 @@
../../../users/admin

15
checks/dummy-inventory-test-from-flake/sops/secrets/peer1-age.key/secret
View File

@@ -1,15 +0,0 @@
{
"data": "ENC[AES256_GCM,data:W3cOkUYL5/YulW2pEISyTlMaA/t7/WBE7BoCdFlqrqgaCL7tG4IV2HgjiPWzIVMs0zvDSaghdEvAIoB4wOf470d1nSWs0/E8SDk=,iv:wXXaZIw3sPY8L/wxsu7+C5v+d3RQRuwxZRP4YLkS8K4=,tag:HeK4okj7O7XDA9JDz2KULw==,type:str]",
"sops": {
"age": [
{
"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxRC83b3dtSVpXcGovNnVs\nTzFka2J2MEFhYkF1ajVrdjMrNUtPWGRObjM4Cm5zSUR5OGw0T0FaL3BaWmR6L29W\nU2syMFIyMUhFRUZpWFpCT28vWko2ZU0KLS0tIFpHK3BjU1V1L0FrMGtwTGFuU3Mz\nRkV5VjI2Vndod202bUR3RWQwNXpmVzQKNk8/y7M62wTIIKqY4r3ZRk5aUCRUfine\n1LUSHMKa2bRe+hR7nS7AF4BGXp03h2UPY0FP5+U5q8XuIj1jfMX8kg==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2025-05-04T12:44:16Z",
"mac": "ENC[AES256_GCM,data:yTkQeFvKrN1+5FP+yInsaRWSAG+ZGG0uWF3+gVRvzJTFxab8kT2XkAMc+4D7SKgcjsmwBBb77GNoAKaKByhZ92UaCfZ2X66i7ZmYUwLM1NVVmm+xiwwjsh7PJXlZO/70anTzd1evtlZse0jEmRnV5Y0F0M6YqXmuwU+qGUJU2F8=,iv:sy6ozhXonWVruaQfa7pdEoV5GkNZR/UbbINKAPbgWeg=,tag:VMruQ1KExmlMR7TsGNgMlg==,type:str]",
"unencrypted_suffix": "_unencrypted",
"version": "3.10.2"
}
}

1
checks/dummy-inventory-test-from-flake/sops/secrets/peer1-age.key/users/admin
View File

@@ -1 +0,0 @@
../../../users/admin

4
checks/dummy-inventory-test-from-flake/sops/users/admin/key.json
View File

@@ -1,4 +0,0 @@
{
"publickey": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
"type": "age"
}

1
checks/dummy-inventory-test-from-flake/vars/per-machine/admin1/dummy-generator/generated-password/machines/admin1
View File

@@ -1 +0,0 @@
../../../../../../sops/machines/admin1

19
checks/dummy-inventory-test-from-flake/vars/per-machine/admin1/dummy-generator/generated-password/secret
View File

@@ -1,19 +0,0 @@
{
"data": "ENC[AES256_GCM,data:T8edCvw=,iv:7/G5xt5fv38I9uFzk7WMIr9xQdz/6lFxqOC+18HBg8Q=,tag:F39Cxbgmzml+lZLsZ59Kmg==,type:str]",
"sops": {
"age": [
{
"recipient": "age12yt078p9ewxy2sh0a36nxdpgglv8wqqftmj4dkj9rgy5fuyn4p0q5nje9m",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPNUhiYkZWK3dPMHNiRTVM\nRHNvaHFsOFp1c0UxQitwVG0zY01MNDZRV1E4CjEybENoTVIzN29vQ3FtUTRSYmFU\nNXIzQllVSllXRGN2M1B6WXJLdHZSajgKLS0tIDllZ0ZmZUcxMHhDQUpUOEdWbmkv\neUQweHArYTdFSmNteVpuQ3BKdnh0Y0UKs8Hm3D+rXRRfpUVSZM3zYjs6b9z8g10D\nGTkvreUMim4CS22pjdQ3eNA9TGeDXfWXE7XzwXLCb+wVcf7KwbDmvg==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKSDhpT3cvck9PenZYVEZH\ndFQreVRBdG93L1dBUGlvYjFWcDlHWUJsZUVBCm9DMTJ4UytiYzlEVHNWdUcwS1ds\nT0dhbzAzNDdmbDBCU0dvL2xNeHpXcGsKLS0tIFArbmpsbzU3WnpJdUt1MGN0L1d0\nV1JkTDJYWUxsbmhTQVNOeVRaSUhTODQKk9Vph2eldS5nwuvVX0SCsxEm4B+sO76Z\ndIjJ3OQxzoZmXMaOOuKHC5U0Y75Qn7eXC43w5KHsl2CMIUYsBGJOZw==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2025-05-04T12:44:14Z",
"mac": "ENC[AES256_GCM,data:6fKrS1eLLUWlHkQpxLFXBRk6f2wa5ADLMViVvYXXGU24ayl9UuNSKrCRHp9cbzhqhti3HdwyNt6TM+2X6qhiiAQanKEB2PF7JRYX74NfNKil9BEDjt5AqqtpSgVv5l7Ku/uSHaPkd2sDmzHsy5Q4bSGxJQokStk1kidrwle+mbc=,iv:I/Aad82L/TCxStM8d8IZICUrwdjRbGx2fuGWqexr21o=,tag:BfgRbGUxhPZzK2fLik1kxA==,type:str]",
"unencrypted_suffix": "_unencrypted",
"version": "3.10.2"
}
}

1
checks/dummy-inventory-test-from-flake/vars/per-machine/admin1/dummy-generator/host-id/value
View File

@@ -1 +0,0 @@
18650

1
checks/dummy-inventory-test-from-flake/vars/per-machine/peer1/dummy-generator/generated-password/machines/peer1
View File

@@ -1 +0,0 @@
../../../../../../sops/machines/peer1

19
checks/dummy-inventory-test-from-flake/vars/per-machine/peer1/dummy-generator/generated-password/secret
View File

@@ -1,19 +0,0 @@
{
"data": "ENC[AES256_GCM,data:vp0yW0Gt,iv:FO2cy+UpEl5aRay/LUGu//c82QiVxuKuGSaVh0rGJvc=,tag:vf2RAOPpcRW0HwxHoGy17A==,type:str]",
"sops": {
"age": [
{
"recipient": "age12w2ld4vxfyf3hdq2d8la4cu0tye4pq97egvv3me4wary7xkdnq2snh0zx2",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjaFVNMEd2YUxpSm5XVVRi\nY2ZUc3NTOStJUFNMWWVPQTgxZ2tCK1QrMW1ZCjYwMlA4dkIzSlc0TGtvZjcyK3Bi\nM3pob2JOOFUyeVJ6M2JpaTRCZlc1R0kKLS0tIDJMb1dFcVRWckhwYWNCQng0RlFO\nTkw3OGt4dkFIZVY5aVEzZE5mMzJSM0EKUv8bUqg48L2FfYVUVlpXvyZvPye699of\nG6PcjLh1ZMbNCfnsCzr+P8Vdk/F4J/ifxL66lRGfu2xOLxwciwQ+5Q==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnZ2dDbVhoQngxM3lTSmZF\nUTAwS1lCTGhEMU1GVXpFUzlIUFdqZy9LajF3Ck9mdVpBRjlyVUNhZXZIUFZjUzF1\nNlhFN28vNmwzcUVkNmlzUnpkWjJuZE0KLS0tIHpXVHVlNk9vU1ZPTGRrYStWbmRO\nbDM4U2o1SlEwYWtqOXBqd3BFUTAvMHcKkI8UVd0v+x+ELZ5CoGq9DzlA6DnVNU2r\nrV9wLfbFd7RHxS0/TYZh5tmU42nO3iMYA9FqERQXCtZgXS9KvfqHwQ==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2025-05-04T12:44:18Z",
"mac": "ENC[AES256_GCM,data:1ZZ+ZI1JsHmxTov1bRijfol3kTkyheg2o3ivLsMHRhCmScsUry97hQJchF78+y2Izt7avaQEHYn6pVbYt/0rLrSYD7Ru7ITVxXoYHOiN5Qb98masUzpibZjrdyg5nO+LW5/Hmmwsc3yn/+o3IH1AUYpsxlJRdnHHCmoSOFaiFFM=,iv:OQlgmpOTw4ljujNzqwQ5/0Mz8pQpCSUtqRvj3FJAxDs=,tag:foZvdeW7gK9ZVKkWqnlxGA==,type:str]",
"unencrypted_suffix": "_unencrypted",
"version": "3.10.2"
}
}

1
checks/dummy-inventory-test-from-flake/vars/per-machine/peer1/dummy-generator/generated-password/users/admin
View File

@@ -1 +0,0 @@
../../../../../../sops/users/admin

1
checks/dummy-inventory-test-from-flake/vars/per-machine/peer1/dummy-generator/host-id/value
View File

@@ -1 +0,0 @@
6745

1
checks/dummy-inventory-test-from-flake/vars/per-machine/peer1/new-service/a-secret/machines/peer1
View File

@@ -1 +0,0 @@
../../../../../../sops/machines/peer1

19
checks/dummy-inventory-test-from-flake/vars/per-machine/peer1/new-service/a-secret/secret
View File

@@ -1,19 +0,0 @@
{
"data": "ENC[AES256_GCM,data:prFl0EJy8bM=,iv:zITWxf+6Ebk0iB5vhhd7SBQa1HFrIJXm8xpSM+D9I0M=,tag:NZCRMCs1SzNKLBu/KUDKMQ==,type:str]",
"sops": {
"age": [
{
"recipient": "age12w2ld4vxfyf3hdq2d8la4cu0tye4pq97egvv3me4wary7xkdnq2snh0zx2",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0S0RZRWxaZVZvTUhjdWVL\naU9WZmtEcm1qa2JsRmdvdmZmNENMaWFEVUFRCmdoVnRXSGlpRlFjNmVVbDJ5VnFT\nMnVJUlVnM3lxNmZCRTdoRVJ4NW1oYWcKLS0tIFFNbXBFUk1RWnlUTW1SeG1vYzlM\nVVpEclFVOE9PWWQxVkZ0eEgwWndoRWcKDAOHe+FIxqGsc6LhxMy164qjwG6t2Ei2\nP0FSs+bcKMDpudxeuxCjnDm/VoLxOWeuqkB+9K2vSm2W/c/fHTSbrA==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2VU5jOEpwYUtDVEVFcVpU\nQkExTVZ3ejZHcGo5TG8zdUQwNktoV09WdUZvCmQ0dE1TOWRFbTlxdVd4WWRxd3VF\nQUNTTkNNT3NKYjQ5dEJDY0xVZ3pZVUUKLS0tIDFjajRZNFJZUTdNeS8yN05FMFZU\ncEtjRjhRbGE0MnRLdk10NkFLMkxqencKGzJ66dHluIghH04RV/FccfEQP07yqnfb\n25Hi0XIVJfXBwje4UEyszrWTxPPwVXdQDQmoNKf76Qy2jYqJ56uksw==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2025-05-04T12:44:20Z",
"mac": "ENC[AES256_GCM,data:FIkilsni5kOdNlVwDuLsQ/zExypHRWdqIBQDNWMLTwe8OrsNPkX+KYutUvt9GaSoGv4iDULaMRoizO/OZUNfc2d8XYSdj0cxOG1Joov4GPUcC/UGyNuQneAejZBKolvlnidKZArofnuK9g+lOTANEUtEXUTnx8L+VahqPZayQas=,iv:NAo6sT3L8OOB3wv1pjr3RY2FwXgVmZ4N0F4BEX4YPUY=,tag:zHwmXygyvkdpASZCodQT9Q==,type:str]",
"unencrypted_suffix": "_unencrypted",
"version": "3.10.2"
}
}

1
checks/dummy-inventory-test-from-flake/vars/per-machine/peer1/new-service/a-secret/users/admin
View File

@@ -1 +0,0 @@
../../../../../../sops/users/admin

1
checks/dummy-inventory-test-from-flake/vars/per-machine/peer1/new-service/not-a-secret/value
View File

@@ -1 +0,0 @@
not-a-secret

17
checks/dummy-inventory-test/default.nix
View File

@@ -1,18 +1,14 @@
{
pkgs,
nixosLib,
clan-core,
self,
clanLib,
...
}:
nixosLib.runTest (
clanLib.test.makeTestClan {
inherit pkgs self;
nixosTest = (
{ ... }:
{
imports = [
clan-core.modules.nixosVmTest.clanTest
];
hostPkgs = pkgs;
# This tests the compatibility of the inventory
# With the test framework
# - legacy-modules
@@ -93,4 +89,5 @@ nixosLib.runTest (
assert "-rw-r--r--" in ls_out, f"File is not in the '0644' mode: {ls_out}"
'';
}
)
);
}

15
checks/flake-module.nix
View File

@@ -4,7 +4,6 @@ let
filter
pathExists
;
nixosLib = import (self.inputs.nixpkgs + "/nixos/lib") { };
in
{
imports = filter pathExists [
@@ -30,18 +29,19 @@ in
let
nixosTestArgs = {
# reference to nixpkgs for the current system
inherit pkgs lib nixosLib;
inherit pkgs lib;
# this gives us a reference to our flake but also all flake inputs
inherit self;
inherit (self) clanLib;
clan-core = self;
};
nixosTests =
lib.optionalAttrs (pkgs.stdenv.isLinux) {
# Deltachat is currently marked as broken
# deltachat = import ./deltachat nixosTestArgs;
# Base Tests
secrets = self.clanLib.test.baseTest ./secrets nixosTestArgs;
borgbackup-legacy = self.clanLib.test.baseTest ./borgbackup-legacy nixosTestArgs;
borgbackup = self.clanLib.test.baseTest ./borgbackup nixosTestArgs;
wayland-proxy-virtwl = self.clanLib.test.baseTest ./wayland-proxy-virtwl nixosTestArgs;
# Container Tests
@@ -50,9 +50,11 @@ in
matrix-synapse = self.clanLib.test.containerTest ./matrix-synapse nixosTestArgs;
postgresql = self.clanLib.test.containerTest ./postgresql nixosTestArgs;
# Clan Tests
dummy-inventory-test = import ./dummy-inventory-test nixosTestArgs;
dummy-inventory-test-from-flake = import ./dummy-inventory-test-from-flake nixosTestArgs;
admin = import ./admin nixosTestArgs;
data-mesher = import ./data-mesher nixosTestArgs;
syncthing = import ./syncthing nixosTestArgs;
}
// lib.optionalAttrs (pkgs.stdenv.hostPlatform.system == "aarch64-linux") {
# for some reason this hangs in an odd place in CI, but it works on my machine ...
@@ -112,9 +114,6 @@ in
cp ${../flake.lock} $out/flake.lock
'';
};
packages = lib.optionalAttrs (pkgs.stdenv.isLinux) {
run-vm-test-offline = pkgs.callPackage ../pkgs/run-vm-test-offline { };
};
legacyPackages = {
nixosTests =
let

44
checks/mumble/default.nix
View File

@@ -1,28 +1,17 @@
{
pkgs,
nixosLib,
clan-core,
lib,
self,
clanLib,
...
}:
nixosLib.runTest (
{ ... }:
clanLib.test.makeTestClan {
inherit pkgs self;
# TODO: container driver does not support: sleep, wait_for_window, send_chars, wait_for_text
useContainers = false;
nixosTest = (
{ lib, ... }:
let
machines = [
"peer1"
"peer2"
];
in
{
imports = [
clan-core.modules.nixosVmTest.clanTest
];
hostPkgs = pkgs;
name = "mumble";
defaults =
common =
{ pkgs, modulesPath, ... }:
{
imports = [
@@ -32,11 +21,16 @@ nixosLib.runTest (
clan.services.mumble.user = "alice";
environment.systemPackages = [ pkgs.killall ];
};
machines = [
"peer1"
"peer2"
];
in
{
name = "mumble";
clan = {
directory = ./.;
# TODO: container driver does not support: sleep, wait_for_window, send_chars, wait_for_text
test.useContainers = false;
inventory = {
machines = lib.genAttrs machines (_: { });
services = {
@@ -49,6 +43,9 @@ nixosLib.runTest (
enableOCR = true;
nodes.peer1 = common;
nodes.peer2 = common;
testScript = ''
import time
import re
@@ -129,4 +126,5 @@ nixosLib.runTest (
raise Exception("Timeout waiting for certificate creation")
'';
}
)
);
}

53
checks/mycelium/default.nix
View File

@@ -1,53 +0,0 @@
{
pkgs,
nixosLib,
clan-core,
...
}:
nixosLib.runTest (
{ ... }:
{
imports = [
clan-core.modules.nixosVmTest.clanTest
];
hostPkgs = pkgs;
name = "mycelium";
clan = {
test.useContainers = false;
directory = ./.;
modules."@clan/mycelium" = ../../clanServices/mycelium/default.nix;
inventory = {
machines.server = { };
instances = {
mycelium-test = {
module.name = "@clan/mycelium";
roles.peer.machines."server".settings = {
openFirewall = true;
addHostedPublicNodes = true;
};
};
};
};
};
nodes = {
server = { };
};
testScript = ''
start_all()
# Check that mycelium service is running
server.wait_for_unit("mycelium")
server.succeed("systemctl status mycelium")
# Check that mycelium is listening on its default port
server.wait_until_succeeds("${pkgs.iproute2}/bin/ss -tulpn | grep -q 'mycelium'", 10)
'';
}
)

6
checks/mycelium/sops/machines/server/key.json
View File

@@ -1,6 +0,0 @@
[
{
"publickey": "age122lc4fvw2p22gcvwqeme5k49qxtjanqkl2xvr6qvf3r0zyh7scuqz28cam",
"type": "age"
}
]

15
checks/mycelium/sops/secrets/server-age.key/secret
View File

@@ -1,15 +0,0 @@
{
"data": "ENC[AES256_GCM,data:hLJS+CJllYM50KxKuiYamxBLGd9lwoeIFapP9mZAlVGH5DSenylcKUfsphxafASoB516qns2DznBoS9mWqg9uTsRZjk4WlR3x6A=,iv:uRiIpUKIiV3riNcBAWUqhZbE+Vb7lLMfU0C/TClVZ6M=,tag:4+nsMssiSyq9Iv7sDuWmoQ==,type:str]",
"sops": {
"age": [
{
"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPUWFOMzluRmdOQXBmRjRN\ncXNSUlB5Z0t6dWYxNVkvMmhrN1FDdmxHcTNJCkhPL3BYMFFXMmU5ZGRqOC9KWEgv\nSHB5OUJqTk5Dd0tDTks1R1ZhYktrLzgKLS0tIHJIMlFRVWphZXlISmR3VUJKUjNk\ndWF4eCt6UHBrSndBay95RVJ3dldiaFkKCgYqrt0aCGRTaHycBoeqv/zeByu2ZZ3Z\nVfgxnD9liIQkS2wERbpk0/Yq9wkKgVxj+DZoWwHYhP0eKCw2UOorCA==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2025-06-04T11:54:59Z",
"mac": "ENC[AES256_GCM,data:xoeOz7FRCPJ18UTsfbY1x/N65pxbTsehT9Kv3MgEd6NQJn6FTvquaj3HEZ0KvIzStBz1FNOhSql9CZUFc4StYps05EbX61MMMnz6Nlj3xcTwuVQFabGoinxcXbCDSA+tAW7VqzVxumj6FMDg+r77gdcIApZjGJg4Z9ws2RZd3u4=,iv:U8IUDwmfg8Umob9mtKgGaKoIY4SKNL895BABJxzx5n8=,tag:tnMCx6D/17ZYgI6SgNS29A==,type:str]",
"unencrypted_suffix": "_unencrypted",
"version": "3.10.2"
}
}

1
checks/mycelium/sops/secrets/server-age.key/users/admin
View File

@@ -1 +0,0 @@
../../../users/admin

4
checks/mycelium/sops/users/admin/key.json
View File

@@ -1,4 +0,0 @@
{
"publickey": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
"type": "age"
}

1
checks/mycelium/vars/per-machine/server/mycelium/ip/value
View File

@@ -1 +0,0 @@
52d:87c1:4222:b550:ee01:a7ae:254:5a66

19
checks/mycelium/vars/per-machine/server/mycelium/key/secret
View File

@@ -1,19 +0,0 @@
{
"data": "ENC[AES256_GCM,data:DGzl2G4H+NkwXq0fCUQS0+8FG1x9xoIsYvAgUxP4Qp8=,iv:CXOJVgYNthVOZ4vbdI3n4KLXSFVemzaoEnRGMC+m0i8=,tag:/u+pV3xWpUq0ZtAm6LKuGQ==,type:str]",
"sops": {
"age": [
{
"recipient": "age122lc4fvw2p22gcvwqeme5k49qxtjanqkl2xvr6qvf3r0zyh7scuqz28cam",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZZHZjdXMwclBTeGthcGpM\nV1ArVy83akNHNEpXVFhoR1FWNlJUeHNKTW00CjJFTFZneFNrL0hDMXJpaTQ2M1ln\nTmdPMGhzeUp0NU55QnhCZEU2QVk1OG8KLS0tIDFhQmJhOHJsTjhYNEhITEw0WFgy\nWC9pTi9od0wyMWtZRVZJYWo0Nmo5SHMKDohnAAfrnGOiw55huMme2EEWE53N/feS\nutvbiTZh1ECHCi/uoK757fjnJ/WrQMSxUpctT9I8bpJRtbTqkx3XRw==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZeTZENGFpWndDbmdsWDRw\nMTBCVXg5Zkg2a2s5Yk1HSERIVlVQRXdUSUNnCnREbno0dEN0ZEgvOFNMRG1ReGx4\na0h1YUFuMkxBZXJUTE9xOUVUMitEalkKLS0tIFZMZ21qclRqUFR0dlAyMFkzdUNX\nNjRLTWVRVWtHSDlDakEzMmpRVWkyc0EKabm8mTKJVxQNTaIgU+8rb/xk9Dpg+Zjz\nb+wgD0+TlARlenMtIub8Y6N06ENOc20oovylfu+g7xV+EkvRPCd6tA==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2025-06-04T11:55:02Z",
"mac": "ENC[AES256_GCM,data:UIBaD/3mACgFzkajkFXz3oKai8IxpYQriR2t0mc5fL92P5ECloxCobY386TDZYOEVrDJ45Bw+IzqZbsCx/G9f1xCCTR2JvqygxYIsK3TpQPsboJzb9Cz3dBNBCXGboVykcg/NobEMaJBw1xtdAQBhuo8S7ymIuOPtGz0vPFJkf8=,iv:g0YAOBsRpgAOikKDMJDyOtcVx+0QwetfA8R6wQFH7lY=,tag:sfdFLjtiqFHdP/Qe1suBBQ==,type:str]",
"unencrypted_suffix": "_unencrypted",
"version": "3.10.2"
}
}

1
checks/mycelium/vars/per-machine/server/mycelium/key/users/admin
View File

@@ -1 +0,0 @@
../../../../../../sops/users/admin

1
checks/mycelium/vars/per-machine/server/mycelium/pubkey/value
View File

@@ -1 +0,0 @@
2125c6b039374467eaa3eaf552bd3e97f434d16006433cfbba3e6823c958b728

24
checks/syncthing/default.nix
View File

@@ -1,25 +1,20 @@
{
pkgs,
nixosLib,
clan-core,
lib,
self,
clanLib,
...
}:
nixosLib.runTest (
{ ... }:
clanLib.test.makeTestClan {
inherit pkgs self;
# TODO: container driver does not support wait_for_file() yet
useContainers = false;
nixosTest = (
{ lib, ... }:
{
imports = [
clan-core.modules.nixosVmTest.clanTest
];
hostPkgs = pkgs;
name = "syncthing";
clan = {
directory = ./.;
# TODO: container driver does not support wait_for_file() yet
test.useContainers = false;
inventory = {
machines = lib.genAttrs [
"introducer"
@@ -84,4 +79,5 @@ nixosLib.runTest (
assert "hello" in out
'';
}
)
);
}

4
clanModules/auto-upgrade/README.md
View File

@@ -1,10 +1,8 @@
---
description = "Set up automatic upgrades"
categories = ["System"]
features = [ "inventory", "deprecated" ]
features = [ "inventory" ]
---
**⚠️ DEPRECATED: This module is deprecated and will be removed on 2025-07-15. Please migrate to using the system.autoUpgrade NixOS option directly.**
Whether to periodically upgrade NixOS to the latest version. If enabled, a
systemd timer will run `nixos-rebuild switch --upgrade` once a day.

4
clanModules/auto-upgrade/roles/default.nix
View File

@@ -14,9 +14,7 @@ in
};
};
config = {
warnings = [ "The clan.auto-upgrade module is deprecated and will be removed on 2025-07-15. Please migrate to using the system.autoUpgrade NixOS option directly." ];
system.autoUpgrade = lib.mkIf (cfg ? flake) {
system.autoUpgrade = {
inherit (cfg) flake;
enable = true;
dates = "02:00";

2
clanModules/borgbackup/README.md
View File

@@ -1,7 +1,7 @@
---
description = "Efficient, deduplicating backup program with optional compression and secure encryption."
categories = ["System"]
features = [ "inventory", "deprecated" ]
features = [ "inventory" ]
---
BorgBackup (short: Borg) gives you:

3
clanModules/borgbackup/roles/client.nix
View File

@@ -106,8 +106,7 @@ in
systemd.services = lib.mapAttrs' (
_: dest:
lib.nameValuePair "borgbackup-job-${dest.name}" {
# since borgbackup mounts the system read-only, we need to run in a
# ExecStartPre script, so we can generate additional files.
# since borgbackup mounts the system read-only, we need to run in a ExecStartPre script, so we can generate additional files.
serviceConfig.ExecStartPre = [
''+${pkgs.writeShellScript "borgbackup-job-${dest.name}-pre-backup-commands" preBackupScript}''
];

2
clanModules/borgbackup/roles/server.nix
View File

@@ -45,7 +45,7 @@ in
else
lib.warn ''
Machine ${machine} does not have a borgbackup key at ${fullPath},
run `clan vars generate ${machine}` to generate it.
run `clan var generate ${machine}` to generate it.
'' null
) allClients;

2
clanModules/deltachat/README.md
View File

@@ -1,7 +1,5 @@
---
description = "Email-based instant messaging for Desktop."
categories = ["Social"]
features = [ "inventory", "deprecated" ]
---
!!! info

142
clanModules/deltachat/default.nix
View File

@@ -1,3 +1,143 @@
{ config, pkgs, ... }:
{
imports = [ ./roles/default.nix ];
networking.firewall.interfaces."zt+".allowedTCPPorts = [ 25 ]; # smtp with other hosts
environment.systemPackages = [ pkgs.deltachat-desktop ];
services.maddy =
let
domain = "${config.clan.core.settings.machine.name}.local";
in
{
enable = true;
primaryDomain = domain;
config = ''
# Minimal configuration with TLS disabled, adapted from upstream example
# configuration here https://github.com/foxcpp/maddy/blob/master/maddy.conf
# Do not use this in unencrypted networks!
auth.pass_table local_authdb {
table sql_table {
driver sqlite3
dsn credentials.db
table_name passwords
}
}
storage.imapsql local_mailboxes {
driver sqlite3
dsn imapsql.db
}
table.chain local_rewrites {
optional_step regexp "(.+)\+(.+)@(.+)" "$1@$3"
optional_step static {
entry postmaster postmaster@$(primary_domain)
}
optional_step file /etc/maddy/aliases
}
msgpipeline local_routing {
destination postmaster $(local_domains) {
modify {
replace_rcpt &local_rewrites
}
deliver_to &local_mailboxes
}
default_destination {
reject 550 5.1.1 "User doesn't exist"
}
}
smtp tcp://[::]:25 {
limits {
all rate 20 1s
all concurrency 10
}
dmarc yes
check {
require_mx_record
dkim
spf
}
source $(local_domains) {
reject 501 5.1.8 "Use Submission for outgoing SMTP"
}
default_source {
destination postmaster $(local_domains) {
deliver_to &local_routing
}
default_destination {
reject 550 5.1.1 "User doesn't exist"
}
}
}
submission tcp://[::1]:587 {
limits {
all rate 50 1s
}
auth &local_authdb
source $(local_domains) {
check {
authorize_sender {
prepare_email &local_rewrites
user_to_email identity
}
}
destination postmaster $(local_domains) {
deliver_to &local_routing
}
default_destination {
modify {
dkim $(primary_domain) $(local_domains) default
}
deliver_to &remote_queue
}
}
default_source {
reject 501 5.1.8 "Non-local sender domain"
}
}
target.remote outbound_delivery {
limits {
destination rate 20 1s
destination concurrency 10
}
mx_auth {
dane
mtasts {
cache fs
fs_dir mtasts_cache/
}
local_policy {
min_tls_level encrypted
min_mx_level none
}
}
}
target.queue remote_queue {
target &outbound_delivery
autogenerated_msg_domain $(primary_domain)
bounce {
destination postmaster $(local_domains) {
deliver_to &local_routing
}
default_destination {
reject 550 5.0.0 "Refusing to send DSNs to non-local addresses"
}
}
}
imap tcp://[::1]:143 {
auth &local_authdb
storage &local_mailboxes
}
'';
ensureAccounts = [ "user@${domain}" ];
ensureCredentials = {
"user@${domain}".passwordFile = pkgs.writeText "dummy" "foobar";
};
};
}

143
clanModules/deltachat/roles/default.nix
View File

@@ -1,143 +0,0 @@
{ config, pkgs, ... }:
{
networking.firewall.interfaces."zt+".allowedTCPPorts = [ 25 ]; # smtp with other hosts
environment.systemPackages = [ pkgs.deltachat-desktop ];
services.maddy =
let
domain = "${config.clan.core.settings.machine.name}.local";
in
{
enable = true;
primaryDomain = domain;
config = ''
# Minimal configuration with TLS disabled, adapted from upstream example
# configuration here https://github.com/foxcpp/maddy/blob/master/maddy.conf
# Do not use this in unencrypted networks!
auth.pass_table local_authdb {
table sql_table {
driver sqlite3
dsn credentials.db
table_name passwords
}
}
storage.imapsql local_mailboxes {
driver sqlite3
dsn imapsql.db
}
table.chain local_rewrites {
optional_step regexp "(.+)\+(.+)@(.+)" "$1@$3"
optional_step static {
entry postmaster postmaster@$(primary_domain)
}
optional_step file /etc/maddy/aliases
}
msgpipeline local_routing {
destination postmaster $(local_domains) {
modify {
replace_rcpt &local_rewrites
}
deliver_to &local_mailboxes
}
default_destination {
reject 550 5.1.1 "User doesn't exist"
}
}
smtp tcp://[::]:25 {
limits {
all rate 20 1s
all concurrency 10
}
dmarc yes
check {
require_mx_record
dkim
spf
}
source $(local_domains) {
reject 501 5.1.8 "Use Submission for outgoing SMTP"
}
default_source {
destination postmaster $(local_domains) {
deliver_to &local_routing
}
default_destination {
reject 550 5.1.1 "User doesn't exist"
}
}
}
submission tcp://[::1]:587 {
limits {
all rate 50 1s
}
auth &local_authdb
source $(local_domains) {
check {
authorize_sender {
prepare_email &local_rewrites
user_to_email identity
}
}
destination postmaster $(local_domains) {
deliver_to &local_routing
}
default_destination {
modify {
dkim $(primary_domain) $(local_domains) default
}
deliver_to &remote_queue
}
}
default_source {
reject 501 5.1.8 "Non-local sender domain"
}
}
target.remote outbound_delivery {
limits {
destination rate 20 1s
destination concurrency 10
}
mx_auth {
dane
mtasts {
cache fs
fs_dir mtasts_cache/
}
local_policy {
min_tls_level encrypted
min_mx_level none
}
}
}
target.queue remote_queue {
target &outbound_delivery
autogenerated_msg_domain $(primary_domain)
bounce {
destination postmaster $(local_domains) {
deliver_to &local_routing
}
default_destination {
reject 550 5.0.0 "Refusing to send DSNs to non-local addresses"
}
}
}
imap tcp://[::1]:143 {
auth &local_authdb
storage &local_mailboxes
}
'';
ensureAccounts = [ "user@${domain}" ];
ensureCredentials = {
"user@${domain}".passwordFile = pkgs.writeText "dummy" "foobar";
};
};
}

2
clanModules/ergochat/README.md
View File

@@ -1,5 +1,3 @@
---
description = "A modern IRC server"
categories = ["Social"]
features = [ "inventory", "deprecated" ]
---

15
clanModules/ergochat/default.nix
View File

@@ -1,3 +1,14 @@
{
imports = [ ./roles/default.nix ];
_: {
services.ergochat = {
enable = true;
settings = {
datastore = {
autoupgrade = true;
path = "/var/lib/ergo/ircd.db";
};
};
};
clan.core.state.ergochat.folders = [ "/var/lib/ergo" ];
}

14
clanModules/ergochat/roles/default.nix
View File

@@ -1,14 +0,0 @@
_: {
services.ergochat = {
enable = true;
settings = {
datastore = {
autoupgrade = true;
path = "/var/lib/ergo/ircd.db";
};
};
};
clan.core.state.ergochat.folders = [ "/var/lib/ergo" ];
}

1
clanModules/flake-module.nix
View File

@@ -18,6 +18,7 @@ in
dyndns = ./dyndns;
ergochat = ./ergochat;
garage = ./garage;
golem-provider = ./golem-provider;
heisenbridge = ./heisenbridge;
importer = ./importer;
iwd = ./iwd;

2
clanModules/garage/README.md
View File

@@ -1,7 +1,5 @@
---
description = "S3-compatible object store for small self-hosted geo-distributed deployments"
categories = ["System"]
features = [ "inventory", "deprecated" ]
---
This module generates garage specific keys automatically.

42
clanModules/garage/default.nix
View File

@@ -1,3 +1,43 @@
{ config, pkgs, ... }:
{
imports = [ ./roles/default.nix ];
systemd.services.garage.serviceConfig = {
LoadCredential = [
"rpc_secret_path:${config.clan.core.vars.generators.garage-shared.files.rpc_secret.path}"
"admin_token_path:${config.clan.core.vars.generators.garage.files.admin_token.path}"
"metrics_token_path:${config.clan.core.vars.generators.garage.files.metrics_token.path}"
];
Environment = [
"GARAGE_ALLOW_WORLD_READABLE_SECRETS=true"
"GARAGE_RPC_SECRET_FILE=%d/rpc_secret_path"
"GARAGE_ADMIN_TOKEN_FILE=%d/admin_token_path"
"GARAGE_METRICS_TOKEN_FILE=%d/metrics_token_path"
];
};
clan.core.vars.generators.garage = {
files.admin_token = { };
files.metrics_token = { };
runtimeInputs = [
pkgs.coreutils
pkgs.openssl
];
script = ''
openssl rand -base64 -out "$out"/admin_token 32
openssl rand -base64 -out "$out"/metrics_token 32
'';
};
clan.core.vars.generators.garage-shared = {
share = true;
files.rpc_secret = { };
runtimeInputs = [
pkgs.coreutils
pkgs.openssl
];
script = ''
openssl rand -hex -out "$out"/rpc_secret 32
'';
};
clan.core.state.garage.folders = [ config.services.garage.settings.metadata_dir ];
}

43
clanModules/garage/roles/default.nix
View File

@@ -1,43 +0,0 @@
{ config, pkgs, ... }:
{
systemd.services.garage.serviceConfig = {
LoadCredential = [
"rpc_secret_path:${config.clan.core.vars.generators.garage-shared.files.rpc_secret.path}"
"admin_token_path:${config.clan.core.vars.generators.garage.files.admin_token.path}"
"metrics_token_path:${config.clan.core.vars.generators.garage.files.metrics_token.path}"
];
Environment = [
"GARAGE_ALLOW_WORLD_READABLE_SECRETS=true"
"GARAGE_RPC_SECRET_FILE=%d/rpc_secret_path"
"GARAGE_ADMIN_TOKEN_FILE=%d/admin_token_path"
"GARAGE_METRICS_TOKEN_FILE=%d/metrics_token_path"
];
};
clan.core.vars.generators.garage = {
files.admin_token = { };
files.metrics_token = { };
runtimeInputs = [
pkgs.coreutils
pkgs.openssl
];
script = ''
openssl rand -base64 -out "$out"/admin_token 32
openssl rand -base64 -out "$out"/metrics_token 32
'';
};
clan.core.vars.generators.garage-shared = {
share = true;
files.rpc_secret = { };
runtimeInputs = [
pkgs.coreutils
pkgs.openssl
];
script = ''
openssl rand -hex -out "$out"/rpc_secret 32
'';
};
clan.core.state.garage.folders = [ config.services.garage.settings.metadata_dir ];
}

7
clanModules/golem-provider/README.md Normal file
View File

@@ -0,0 +1,7 @@
---
description = "Golem Provider for the Golem Network, an open-source and decentralized platform where everyone can use and share each other's computing power without relying on centralized entities like cloud computing corporations"
---
By running a golem provider your machine's compute resources are offered via the golem network which will allow other members to execute compute tasks on your machine. If this happens, you will be compensated with GLM, an ERC20 token.
More about golem providers: https://docs.golem.network/docs/golem/overview

34
clanModules/golem-provider/default.nix Normal file
View File

@@ -0,0 +1,34 @@
{ config, pkgs, ... }:
let
cfg = config.clan.golem-provider;
yagna = pkgs.callPackage ../../pkgs/yagna { };
accountFlag = if cfg.account != null then "--account ${cfg.account}" else "";
in
{
imports = [ ./interface.nix ];
users.users.golem = {
isSystemUser = true;
home = "/var/lib/golem";
group = "golem";
createHome = true;
};
users.groups.golem = { };
environment.systemPackages = [ yagna ];
systemd.services.golem-provider = {
description = "Golem Provider";
wantedBy = [ "multi-user.target" ];
after = [ "network-online.target" ];
serviceConfig = {
Type = "simple";
ExecStart = "${yagna}/bin/golemsp run --no-interactive ${accountFlag}";
Restart = "always";
RestartSec = "5";
User = "golem";
Group = "golem";
};
};
}

20
clanModules/golem-provider/interface.nix Normal file
View File

@@ -0,0 +1,20 @@
{ lib, ... }:
let
inherit (lib) mkOption;
inherit (lib.types) nullOr str;
in
{
options.clan.golem-provider = {
account = mkOption {
type = nullOr str;
description = ''
Ethereum address for payouts.
Leave empty to automatically generate a new address upon first start.
'';
default = null;
};
};
}

4
clanModules/golem-provider/test/vm.nix Normal file
View File

@@ -0,0 +1,4 @@
{ ... }:
{
imports = [ ../. ];
}

3
clanModules/heisenbridge/README.md
View File

@@ -1,5 +1,4 @@
---
description = "A matrix bridge to communicate with IRC"
categories = ["Social"]
features = [ "inventory", "deprecated" ]
---

22
clanModules/heisenbridge/default.nix
View File

@@ -1,3 +1,23 @@
{
imports = [ ./roles/default.nix ];
config,
lib,
...
}:
{
imports = [
(lib.mkRemovedOptionModule [
"clan"
"heisenbridge"
"enable"
] "Importing the module will already enable the service.")
];
config = {
services.heisenbridge = {
enable = true;
homeserver = "http://localhost:8008"; # TODO: Sync with matrix-synapse
};
services.matrix-synapse.settings.app_service_config_files = [
"/var/lib/heisenbridge/registration.yml"
];
};
}

22
clanModules/heisenbridge/roles/default.nix
View File

@@ -1,22 +0,0 @@
{
lib,
...
}:
{
imports = [
(lib.mkRemovedOptionModule [
"clan"
"heisenbridge"
"enable"
] "Importing the module will already enable the service.")
];
config = {
services.heisenbridge = {
enable = true;
homeserver = "http://localhost:8008"; # TODO: Sync with matrix-synapse
};
services.matrix-synapse.settings.app_service_config_files = [
"/var/lib/heisenbridge/registration.yml"
];
};
}

2
clanModules/iwd/README.md
View File

@@ -1,6 +1,6 @@
---
description = "Automatically provisions wifi credentials"
features = [ "inventory", "deprecated" ]
features = [ "inventory" ]
categories = [ "Network" ]
---

12
clanModules/iwd/roles/default.nix
View File

@@ -80,18 +80,6 @@ in
# TODO: restart the iwd.service if something changes
})
{
warnings = [
''
The clan module `iwd` is deprecated and replaced by the clan service `wifi`
Please migrate your config to the new service (see: https://docs.clan.lol/reference/clanServices/wifi/)
To keep passwords after migrating the config, use:
clan vars get <your-machine> iwd.<network-name>/ssid | clan vars set <your-machine> wifi.<network-name>/network-name
and:
clan vars get <your-machine> iwd.<network-name>/password | clan vars set <your-machine> wifi.<network-name>/password
''
];
# disable wpa supplicant
networking.wireless.enable = false;

2
clanModules/localsend/README.md
View File

@@ -1,5 +1,3 @@
---
description = "Securely sharing files and messages over a local network without internet connectivity."
categories = ["Utility"]
features = [ "inventory", "deprecated" ]
---

59
clanModules/localsend/default.nix
View File

@@ -1,3 +1,60 @@
{
imports = [ ./roles/default.nix ];
config,
pkgs,
lib,
...
}:
let
cfg = config.clan.localsend;
in
{
# Integration can be improved, if the following issues get implemented:
# - cli frontend: https://github.com/localsend/localsend/issues/11
# - ipv6 support: https://github.com/localsend/localsend/issues/549
options.clan.localsend = {
displayName = lib.mkOption {
type = lib.types.nullOr lib.types.str;
default = null;
description = "The name that localsend will use to display your instance.";
};
package = lib.mkPackageOption pkgs "localsend" { };
ipv4Addr = lib.mkOption {
type = lib.types.str;
example = "192.168.56.2/24";
description = "Every machine needs a unique ipv4 address";
};
};
imports = [
(lib.mkRemovedOptionModule [
"clan"
"localsend"
"enable"
] "Importing the module will already enable the service.")
];
config = {
clan.core.state.localsend.folders = [
"/var/localsend"
];
environment.systemPackages = [
(pkgs.callPackage ./localsend-ensure-config {
localsend = config.clan.localsend.package;
alias = config.clan.localsend.displayName;
})
];
networking.firewall.interfaces."zt+".allowedTCPPorts = [ 53317 ];
networking.firewall.interfaces."zt+".allowedUDPPorts = [ 53317 ];
#TODO: This is currently needed because there is no ipv6 multicasting support yet
systemd.network.networks."09-zerotier" = {
networkConfig = {
Address = cfg.ipv4Addr;
};
};
};
}

63
clanModules/localsend/roles/default.nix
View File

@@ -1,63 +0,0 @@
{
config,
pkgs,
lib,
...
}:
let
cfg = config.clan.localsend;
in
{
# Integration can be improved, if the following issues get implemented:
# - cli frontend: https://github.com/localsend/localsend/issues/11
# - ipv6 support: https://github.com/localsend/localsend/issues/549
options.clan.localsend = {
displayName = lib.mkOption {
type = lib.types.nullOr lib.types.str;
default = null;
description = "The name that localsend will use to display your instance.";
};
package = lib.mkPackageOption pkgs "localsend" { };
ipv4Addr = lib.mkOption {
type = lib.types.nullOr lib.types.str;
default = null;
example = "192.168.56.2/24";
description = "Optional IPv4 address for ZeroTier network.";
};
};
imports = [
(lib.mkRemovedOptionModule [
"clan"
"localsend"
"enable"
] "Importing the module will already enable the service.")
];
config = {
clan.core.state.localsend.folders = [
"/var/localsend"
];
environment.systemPackages = [
(pkgs.callPackage ./localsend-ensure-config {
localsend = config.clan.localsend.package;
alias = config.clan.localsend.displayName;
})
];
networking.firewall.interfaces."zt+".allowedTCPPorts = [ 53317 ];
networking.firewall.interfaces."zt+".allowedUDPPorts = [ 53317 ];
#TODO: This is currently needed because there is no ipv6 multicasting support yet
systemd.network.networks = lib.mkIf (cfg.ipv4Addr != null) {
"09-zerotier" = {
networkConfig = {
Address = cfg.ipv4Addr;
};
};
};
};
}

2
clanModules/mycelium/README.md
View File

@@ -1,7 +1,7 @@
---
description = "End-2-end encrypted IPv6 overlay network"
categories = ["System", "Network"]
features = [ "inventory", "deprecated" ]
features = [ "inventory" ]
---
Mycelium is an IPv6 overlay network written in Rust. Each node that joins the overlay network will receive an overlay network IP in the 400::/7 range.

2
clanModules/packages/README.md
View File

@@ -1,5 +1,5 @@
---
description = "Define package sets from nixpkgs and install them on one or more machines"
categories = ["System"]
features = [ "inventory", "deprecated" ]
features = [ "inventory" ]
---

4
clanModules/root-password/README.md
View File

@@ -1,11 +1,9 @@
---
description = "Automatically generates and configures a password for the root user."
categories = ["System"]
features = ["inventory", "deprecated"]
features = [ "inventory" ]
---
This module is deprecated and will be removed in a future release. It's functionality has been replaced by the user-password service.
After the system was installed/deployed the following command can be used to display the root-password:
```bash

12
clanModules/root-password/roles/default.nix
View File

@@ -1,8 +1,6 @@
{
_class,
pkgs,
config,
lib,
...
}:
{
@@ -11,13 +9,9 @@
config.clan.core.vars.generators.root-password.files.password-hash.path;
clan.core.vars.generators.root-password = {
files.password-hash =
{
files.password-hash = {
neededFor = "users";
}
// (lib.optionalAttrs (_class == "nixos") {
restartUnits = lib.optional (config.services.userborn.enable) "userborn.service";
});
};
files.password = {
deploy = false;
};
@@ -36,7 +30,7 @@
if [[ -n "''${prompt_value-}" ]]; then
echo "$prompt_value" | tr -d "\n" > "$out"/password
else
xkcdpass --numwords 4 --delimiter - --count 1 | tr -d "\n" > "$out"/password
xkcdpass --numwords 3 --delimiter - --count 1 | tr -d "\n" > "$out"/password
fi
mkpasswd -s -m sha-512 < "$out"/password | tr -d "\n" > "$out"/password-hash
'';

2
clanModules/sshd/README.md
View File

@@ -1,7 +1,7 @@
---
description = "Enables secure remote access to the machine over ssh."
categories = ["System", "Network"]
features = [ "inventory", "deprecated" ]
features = [ "inventory" ]
---
This module will setup the opensshd service.

2
clanModules/state-version/README.md
View File

@@ -1,6 +1,6 @@
---
description = "Automatically generate the state version of the nixos installation."
features = [ "inventory", "deprecated" ]
features = [ "inventory" ]
---
This module generates the `system.stateVersion` of the nixos installation automatically.

4
clanModules/trusted-nix-caches/README.md
View File

@@ -1,5 +1,3 @@
---
description = "This module sets the `clan.lol` and `nix-community` cache up as a trusted cache."
categories = ["System", "Network"]
features = [ "deprecated" ]
---
----

2
clanModules/user-password/README.md
View File

@@ -1,7 +1,7 @@
---
description = "Automatically generates and configures a password for the specified user account."
categories = ["System"]
features = ["inventory", "deprecated"]
features = ["inventory"]
---
If setting the option prompt to true, the user will be prompted to type in their desired password.

8
clanModules/user-password/roles/default.nix
View File

@@ -18,10 +18,7 @@ in
type = lib.types.bool;
default = true;
example = false;
description = ''
Whether the user should be prompted
If disabled, will autogenerate the password without prompting.
'';
description = "Whether the user should be prompted.";
};
};
@@ -34,7 +31,6 @@ in
clan.core.vars.generators.user-password = {
files.user-password-hash.neededFor = "users";
files.user-password-hash.restartUnits = lib.optional (config.services.userborn.enable) "userborn.service";
prompts.user-password.type = "hidden";
prompts.user-password.persist = true;
@@ -52,7 +48,7 @@ in
if [[ -n "''${prompt_value-}" ]]; then
echo "$prompt_value" | tr -d "\n" > "$out"/user-password
else
xkcdpass --numwords 4 --delimiter - --count 1 | tr -d "\n" > "$out"/user-password
xkcdpass --numwords 3 --delimiter - --count 1 | tr -d "\n" > "$out"/user-password
fi
mkpasswd -s -m sha-512 < "$out"/user-password | tr -d "\n" > "$out"/user-password-hash
'';

Some files were not shown because too many files have changed in this diff Show More