mv out of place test_host_interface to localhost_test

Reviewed-on: https://git.clan.lol/clan/clan-core/pulls/4555
Reviewed-by: lassulus <clanlol@lassul.us>

.gitea/workflows/build-clan-app-darwin.yml

@@ -0,0 +1,20 @@
+name: Build Clan App (Darwin)
+
+on:
+  schedule:
+    # Run every 4 hours
+    - cron: "0 */4 * * *"
+  workflow_dispatch:
+  push:
+    branches:
+      - main
+
+jobs:
+  build-clan-app-darwin:
+    runs-on: nix
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Build clan-app for x86_64-darwin
+        run: |
+          nix build .#packages.x86_64-darwin.clan-app --system x86_64-darwin --log-format bar-with-logs

.gitea/workflows/create-pr.sh

@@ -1,6 +1,7 @@
-#!/usr/bin/env bash
+#!/bin/sh
+
 # Shared script for creating pull requests in Gitea workflows
-set -euo pipefail
+set -eu
 
 # Required environment variables:
 # - CI_BOT_TOKEN: Gitea bot token for authentication
@@ -8,22 +9,22 @@ set -euo pipefail
 # - PR_TITLE: Title of the pull request
 # - PR_BODY: Body/description of the pull request
 
-if [[ -z "${CI_BOT_TOKEN:-}" ]]; then
+if [ -z "${CI_BOT_TOKEN:-}" ]; then
   echo "Error: CI_BOT_TOKEN is not set" >&2
   exit 1
 fi
 
-if [[ -z "${PR_BRANCH:-}" ]]; then
+if [ -z "${PR_BRANCH:-}" ]; then
   echo "Error: PR_BRANCH is not set" >&2
   exit 1
 fi
 
-if [[ -z "${PR_TITLE:-}" ]]; then
+if [ -z "${PR_TITLE:-}" ]; then
   echo "Error: PR_TITLE is not set" >&2
   exit 1
 fi
 
-if [[ -z "${PR_BODY:-}" ]]; then
+if [ -z "${PR_BODY:-}" ]; then
   echo "Error: PR_BODY is not set" >&2
   exit 1
 fi
@@ -43,9 +44,12 @@ resp=$(nix run --inputs-from . nixpkgs#curl -- -X POST \
   }" \
   "https://git.clan.lol/api/v1/repos/clan/clan-core/pulls")
 
-pr_number=$(echo "$resp" | jq -r '.number')
+if ! pr_number=$(echo "$resp" | jq -r '.number'); then
+  echo "Error parsing response from pull request creation" >&2
+  exit 1
+fi
 
-if [[ "$pr_number" == "null" ]]; then
+if [ "$pr_number" = "null" ]; then
   echo "Error creating pull request:" >&2
   echo "$resp" | jq . >&2
   exit 1
@@ -64,12 +68,15 @@ while true; do
       "delete_branch_after_merge": true
     }' \
     "https://git.clan.lol/api/v1/repos/clan/clan-core/pulls/$pr_number/merge")
-  msg=$(echo "$resp" | jq -r '.message')
-  if [[ "$msg" != "Please try again later" ]]; then
+  if ! msg=$(echo "$resp" | jq -r '.message'); then
+    echo "Error parsing merge response" >&2
+    exit 1
+  fi
+  if [ "$msg" != "Please try again later" ]; then
     break
   fi
   echo "Retrying in 2 seconds..."
   sleep 2
 done
 
-echo "Pull request #$pr_number merge initiated"
+echo "Pull request #$pr_number merge initiated"

README.md

@@ -24,7 +24,7 @@ If you're new to Clan and eager to dive in, start with our quickstart guide and
 
 In the Clan ecosystem, security is paramount. Learn how to handle secrets effectively:
 
-- **Secrets Management**: Securely manage secrets by consulting [secrets](https://docs.clan.lol/guides/getting-started/secrets/)<!-- [secrets.md](docs/site/guides/getting-started/secrets.md) -->.
+- **Secrets Management**: Securely manage secrets by consulting [Vars](https://docs.clan.lol/concepts/generators/)<!-- [secrets.md](docs/site/concepts/generators.md) -->.
 
 ### Contributing to Clan
 

checks/backups/flake-module.nix

@@ -0,0 +1,208 @@
+{ self, ... }:
+{
+  clan.machines.test-backup = {
+    imports = [ self.nixosModules.test-backup ];
+    fileSystems."/".device = "/dev/null";
+    boot.loader.grub.device = "/dev/null";
+  };
+  clan.inventory.services = {
+    borgbackup.test-backup = {
+      roles.client.machines = [ "test-backup" ];
+      roles.server.machines = [ "test-backup" ];
+    };
+  };
+  flake.nixosModules = {
+    test-backup =
+      {
+        pkgs,
+        lib,
+        ...
+      }:
+      let
+        dependencies = [
+          pkgs.stdenv.drvPath
+        ]
+        ++ builtins.map (i: i.outPath) (builtins.attrValues (builtins.removeAttrs self.inputs [ "self" ]));
+        closureInfo = pkgs.closureInfo { rootPaths = dependencies; };
+      in
+      {
+        imports = [
+          # Do not import inventory modules. They should be configured via 'clan.inventory'
+          #
+          # TODO: Configure localbackup via inventory
+          self.clanModules.localbackup
+        ];
+        # Borgbackup overrides
+        services.borgbackup.repos.test-backups = {
+          path = "/var/lib/borgbackup/test-backups";
+          authorizedKeys = [ (builtins.readFile ../assets/ssh/pubkey) ];
+        };
+        clan.borgbackup.destinations.test-backup.repo = lib.mkForce "borg@machine:.";
+
+        clan.core.networking.targetHost = "machine";
+        networking.hostName = "machine";
+
+        programs.ssh.knownHosts = {
+          machine.hostNames = [ "machine" ];
+          machine.publicKey = builtins.readFile ../assets/ssh/pubkey;
+        };
+
+        services.openssh = {
+          enable = true;
+          settings.UsePAM = false;
+          settings.UseDns = false;
+          hostKeys = [
+            {
+              path = "/root/.ssh/id_ed25519";
+              type = "ed25519";
+            }
+          ];
+        };
+
+        users.users.root.openssh.authorizedKeys.keyFiles = [ ../assets/ssh/pubkey ];
+
+        # This is needed to unlock the user for sshd
+        # Because we use sshd without setuid binaries
+        users.users.borg.initialPassword = "hello";
+
+        systemd.tmpfiles.settings."vmsecrets" = {
+          "/root/.ssh/id_ed25519" = {
+            C.argument = "${../assets/ssh/privkey}";
+            z = {
+              mode = "0400";
+              user = "root";
+            };
+          };
+          "/etc/secrets/ssh.id_ed25519" = {
+            C.argument = "${../assets/ssh/privkey}";
+            z = {
+              mode = "0400";
+              user = "root";
+            };
+          };
+          "/etc/secrets/borgbackup/borgbackup.ssh" = {
+            C.argument = "${../assets/ssh/privkey}";
+            z = {
+              mode = "0400";
+              user = "root";
+            };
+          };
+          "/etc/secrets/borgbackup/borgbackup.repokey" = {
+            C.argument = builtins.toString (pkgs.writeText "repokey" "repokey12345");
+            z = {
+              mode = "0400";
+              user = "root";
+            };
+          };
+        };
+        clan.core.facts.secretStore = "vm";
+        clan.core.vars.settings.secretStore = "vm";
+
+        environment.systemPackages = [ self.packages.${pkgs.system}.clan-cli ];
+        environment.etc.install-closure.source = "${closureInfo}/store-paths";
+        nix.settings = {
+          substituters = lib.mkForce [ ];
+          hashed-mirrors = null;
+          connect-timeout = lib.mkForce 3;
+          flake-registry = pkgs.writeText "flake-registry" ''{"flakes":[],"version":2}'';
+        };
+        system.extraDependencies = dependencies;
+        clan.core.state.test-backups.folders = [ "/var/test-backups" ];
+
+        clan.core.state.test-service = {
+          preBackupScript = ''
+            touch /var/test-service/pre-backup-command
+          '';
+          preRestoreScript = ''
+            touch /var/test-service/pre-restore-command
+          '';
+          postRestoreScript = ''
+            touch /var/test-service/post-restore-command
+          '';
+          folders = [ "/var/test-service" ];
+        };
+
+        fileSystems."/mnt/external-disk" = {
+          device = "/dev/vdb"; # created in tests with virtualisation.emptyDisks
+          autoFormat = true;
+          fsType = "ext4";
+          options = [
+            "defaults"
+            "noauto"
+          ];
+        };
+
+        clan.localbackup.targets.hdd = {
+          directory = "/mnt/external-disk";
+          preMountHook = ''
+            touch /run/mount-external-disk
+          '';
+          postUnmountHook = ''
+            touch /run/unmount-external-disk
+          '';
+        };
+      };
+  };
+  perSystem =
+    { pkgs, ... }:
+    let
+      clanCore = self.checks.x86_64-linux.clan-core-for-checks;
+    in
+    {
+      checks = pkgs.lib.mkIf pkgs.stdenv.isLinux {
+        nixos-test-backups = self.clanLib.test.containerTest {
+          name = "nixos-test-backups";
+          nodes.machine = {
+            imports = [
+              self.nixosModules.clanCore
+              # Some custom overrides for the backup tests
+              self.nixosModules.test-backup
+            ]
+            ++
+              # import the inventory generated nixosModules
+              self.clan.clanInternals.inventoryClass.machines.test-backup.machineImports;
+            clan.core.settings.directory = ./.;
+          };
+
+          testScript = ''
+            import json
+            start_all()
+
+            # dummy data
+            machine.succeed("mkdir -p /var/test-backups /var/test-service")
+            machine.succeed("echo testing > /var/test-backups/somefile")
+
+            # create
+            machine.succeed("clan backups create --debug --flake ${clanCore} test-backup")
+            machine.wait_until_succeeds("! systemctl is-active borgbackup-job-test-backup >&2")
+            machine.succeed("test -f /run/mount-external-disk")
+            machine.succeed("test -f /run/unmount-external-disk")
+
+            # list
+            backup_id = json.loads(machine.succeed("borg-job-test-backup list --json"))["archives"][0]["archive"]
+            out = machine.succeed("clan backups list --debug --flake ${clanCore} test-backup").strip()
+            print(out)
+            assert backup_id in out, f"backup {backup_id} not found in {out}"
+            localbackup_id = "hdd::/mnt/external-disk/snapshot.0"
+            assert localbackup_id in out, "localbackup not found in {out}"
+
+            ## borgbackup restore
+            machine.succeed("rm -f /var/test-backups/somefile")
+            machine.succeed(f"clan backups restore --debug --flake ${clanCore} test-backup borgbackup 'test-backup::borg@machine:.::{backup_id}' >&2")
+            assert machine.succeed("cat /var/test-backups/somefile").strip() == "testing", "restore failed"
+            machine.succeed("test -f /var/test-service/pre-restore-command")
+            machine.succeed("test -f /var/test-service/post-restore-command")
+            machine.succeed("test -f /var/test-service/pre-backup-command")
+
+            ## localbackup restore
+            machine.succeed("rm -rf /var/test-backups/somefile /var/test-service/ && mkdir -p /var/test-service")
+            machine.succeed(f"clan backups restore --debug --flake ${clanCore} test-backup localbackup '{localbackup_id}' >&2")
+            assert machine.succeed("cat /var/test-backups/somefile").strip() == "testing", "restore failed"
+            machine.succeed("test -f /var/test-service/pre-restore-command")
+            machine.succeed("test -f /var/test-service/post-restore-command")
+            machine.succeed("test -f /var/test-service/pre-backup-command")
+          '';
+        } { inherit pkgs self; };
+      };
+    };
+}

checks/clan-core-for-checks.nix

@@ -1,6 +1,6 @@
 { fetchgit }:
 fetchgit {
   url = "https://git.clan.lol/clan/clan-core.git";
-  rev = "eea93ea22c9818da67e148ba586277bab9e73cea";
-  sha256 = "sha256-PV0Z+97QuxQbkYSVuNIJwUNXMbHZG/vhsA9M4cDTCOE=";
+  rev = "d0ebc75135b125fd509558c7680fa2459af91195";
+  sha256 = "1k9wpy661dhwas7z05jkn8157pgmr408dn67zd9px9iphmrf7bry";
 }

checks/flake-module.nix

@@ -19,18 +19,30 @@ let
   nixosLib = import (self.inputs.nixpkgs + "/nixos/lib") { };
 in
 {
-  imports = filter pathExists [
-    ./backups/flake-module.nix
-    ../nixosModules/clanCore/machine-id/tests/flake-module.nix
-    ../nixosModules/clanCore/state-version/tests/flake-module.nix
-    ./devshell/flake-module.nix
-    ./flash/flake-module.nix
-    ./impure/flake-module.nix
-    ./installation/flake-module.nix
-    ./morph/flake-module.nix
-    ./nixos-documentation/flake-module.nix
-    ./dont-depend-on-repo-root.nix
-  ];
+  imports =
+    let
+      clanCoreModulesDir = ../nixosModules/clanCore;
+      getClanCoreTestModules =
+        let
+          moduleNames = attrNames (builtins.readDir clanCoreModulesDir);
+          testPaths = map (
+            moduleName: clanCoreModulesDir + "/${moduleName}/tests/flake-module.nix"
+          ) moduleNames;
+        in
+        filter pathExists testPaths;
+    in
+    getClanCoreTestModules
+    ++ filter pathExists [
+      ./backups/flake-module.nix
+      ./devshell/flake-module.nix
+      ./flash/flake-module.nix
+      ./impure/flake-module.nix
+      ./installation/flake-module.nix
+      ./update/flake-module.nix
+      ./morph/flake-module.nix
+      ./nixos-documentation/flake-module.nix
+      ./dont-depend-on-repo-root.nix
+    ];
   flake.check = genAttrs [ "x86_64-linux" "aarch64-darwin" ] (
     system:
     let
@@ -81,13 +93,13 @@ in
 
             # Base Tests
             nixos-test-secrets = self.clanLib.test.baseTest ./secrets nixosTestArgs;
+            nixos-test-borgbackup-legacy = self.clanLib.test.baseTest ./borgbackup-legacy nixosTestArgs;
             nixos-test-wayland-proxy-virtwl = self.clanLib.test.baseTest ./wayland-proxy-virtwl nixosTestArgs;
 
             # Container Tests
             nixos-test-container = self.clanLib.test.containerTest ./container nixosTestArgs;
-            # nixos-test-zt-tcp-relay = self.clanLib.test.containerTest ./zt-tcp-relay nixosTestArgs;
-            # nixos-test-matrix-synapse = self.clanLib.test.containerTest ./matrix-synapse nixosTestArgs;
-            # nixos-test-postgresql = self.clanLib.test.containerTest ./postgresql nixosTestArgs;
+            nixos-test-zt-tcp-relay = self.clanLib.test.containerTest ./zt-tcp-relay nixosTestArgs;
+            nixos-test-matrix-synapse = self.clanLib.test.containerTest ./matrix-synapse nixosTestArgs;
             nixos-test-user-firewall-iptables = self.clanLib.test.containerTest ./user-firewall/iptables.nix nixosTestArgs;
             nixos-test-user-firewall-nftables = self.clanLib.test.containerTest ./user-firewall/nftables.nix nixosTestArgs;
 
@@ -146,8 +158,11 @@ in
 
           clan-core-for-checks = pkgs.runCommand "clan-core-for-checks" { } ''
             cp -r ${pkgs.callPackage ./clan-core-for-checks.nix { }} $out
-            chmod +w $out/flake.lock
+            chmod -R +w $out
             cp ${../flake.lock} $out/flake.lock
+
+            # Create marker file to disable private flake loading in tests
+            touch $out/.skip-private-inputs
           '';
         };
       packages = lib.optionalAttrs (pkgs.stdenv.isLinux) {

checks/flash/flake-module.nix

@@ -50,7 +50,8 @@
         self.nixosConfigurations."test-flash-machine-${pkgs.hostPlatform.system}".config.system.build.toplevel
         self.nixosConfigurations."test-flash-machine-${pkgs.hostPlatform.system}".config.system.build.diskoScript
         self.nixosConfigurations."test-flash-machine-${pkgs.hostPlatform.system}".config.system.build.diskoScript.drvPath
-      ] ++ builtins.map (i: i.outPath) (builtins.attrValues self.inputs);
+      ]
+      ++ builtins.map (i: i.outPath) (builtins.attrValues self.inputs);
       closureInfo = pkgs.closureInfo { rootPaths = dependencies; };
     in
     {

checks/installation/flake-module.nix

@@ -149,7 +149,6 @@
       # vm-test-run-test-installation-> target:   To debug, enter the VM and run 'systemctl status backdoor.service'.
       checks =
         let
-          # Custom Python package for port management utilities
           closureInfo = pkgs.closureInfo {
             rootPaths = [
               self.checks.x86_64-linux.clan-core-for-checks
@@ -159,7 +158,8 @@
               pkgs.stdenv.drvPath
               pkgs.bash.drvPath
               pkgs.buildPackages.xorg.lndir
-            ] ++ builtins.map (i: i.outPath) (builtins.attrValues self.inputs);
+            ]
+            ++ builtins.map (i: i.outPath) (builtins.attrValues self.inputs);
           };
         in
         pkgs.lib.mkIf (pkgs.stdenv.isLinux && !pkgs.stdenv.isAarch64) {
@@ -225,7 +225,7 @@
                       "install",
                       "--phases", "disko,install",
                       "--debug",
-                      "--flake", flake_dir,
+                      "--flake", str(flake_dir),
                       "--yes", "test-install-machine-without-system",
                       "--target-host", f"nonrootuser@localhost:{ssh_conn.host_port}",
                       "-i", ssh_conn.ssh_key,
@@ -289,9 +289,6 @@
                   assert not os.path.exists(hw_config_file), "hardware-configuration.nix should not exist initially"
                   assert not os.path.exists(facter_file), "facter.json should not exist initially"
 
-                  # Set CLAN_FLAKE for the commands
-                  os.environ["CLAN_FLAKE"] = flake_dir
-
                   # Test facter backend
                   clan_cmd = [
                       "${self.packages.${pkgs.system}.clan-cli-full}/bin/clan",

checks/installation/test-helpers.nix

@@ -159,7 +159,8 @@ let
       pkgs.stdenv.drvPath
       pkgs.bash.drvPath
       pkgs.buildPackages.xorg.lndir
-    ] ++ builtins.map (i: i.outPath) (builtins.attrValues self.inputs);
+    ]
+    ++ builtins.map (i: i.outPath) (builtins.attrValues self.inputs);
   };
 
 in

checks/morph/flake-module.nix

@@ -35,7 +35,8 @@
                   pkgs.stdenv.drvPath
                   pkgs.stdenvNoCC
                   self.nixosConfigurations.test-morph-machine.config.system.build.toplevel
-                ] ++ builtins.map (i: i.outPath) (builtins.attrValues self.inputs);
+                ]
+                ++ builtins.map (i: i.outPath) (builtins.attrValues self.inputs);
                 closureInfo = pkgs.closureInfo { rootPaths = dependencies; };
               in
 

checks/postgresql/default.nix

@@ -1,73 +0,0 @@
-({
-  name = "postgresql";
-
-  nodes.machine =
-    { self, config, ... }:
-    {
-      imports = [
-        self.nixosModules.clanCore
-        self.clanModules.postgresql
-        self.clanModules.localbackup
-      ];
-      clan.postgresql.users.test = { };
-      clan.postgresql.databases.test.create.options.OWNER = "test";
-      clan.postgresql.databases.test.restore.stopOnRestore = [ "sample-service" ];
-      clan.localbackup.targets.hdd.directory = "/mnt/external-disk";
-      clan.core.settings.directory = ./.;
-
-      systemd.services.sample-service = {
-        wantedBy = [ "multi-user.target" ];
-        script = ''
-          while true; do
-            echo "Hello, world!"
-            sleep 5
-          done
-        '';
-      };
-
-      environment.systemPackages = [ config.services.postgresql.package ];
-    };
-  testScript =
-    { nodes, ... }:
-    ''
-      start_all()
-      machine.wait_for_unit("postgresql")
-      machine.wait_for_unit("sample-service")
-      # Create a test table
-      machine.succeed("runuser -u postgres -- /run/current-system/sw/bin/psql -c 'CREATE TABLE test (id serial PRIMARY KEY);' test")
-
-      machine.succeed("/run/current-system/sw/bin/localbackup-create >&2")
-      timestamp_before = int(machine.succeed("systemctl show --property=ExecMainStartTimestampMonotonic sample-service | cut -d= -f2").strip())
-
-      machine.succeed("test -e /mnt/external-disk/snapshot.0/machine/var/backup/postgres/test/pg-dump || { echo 'pg-dump not found'; exit 1; }")
-      machine.succeed("runuser -u postgres -- /run/current-system/sw/bin/psql -d test -c 'INSERT INTO test DEFAULT VALUES;'")
-      machine.succeed("runuser -u postgres -- /run/current-system/sw/bin/psql -d test -c 'DROP TABLE test;'")
-      machine.succeed("test -e /var/backup/postgres/test/pg-dump || { echo 'pg-dump not found'; exit 1; }")
-
-      machine.succeed("rm -rf /var/backup/postgres")
-
-      machine.succeed("NAME=/mnt/external-disk/snapshot.0 FOLDERS=/var/backup/postgres/test /run/current-system/sw/bin/localbackup-restore >&2")
-      machine.succeed("test -e /var/backup/postgres/test/pg-dump || { echo 'pg-dump not found'; exit 1; }")
-
-      machine.succeed("""
-      set -x
-      ${nodes.machine.clan.core.state.test.postRestoreCommand}
-      """)
-      machine.succeed("runuser -u postgres -- /run/current-system/sw/bin/psql -l >&2")
-      machine.succeed("runuser -u postgres -- /run/current-system/sw/bin/psql -d test -c '\dt' >&2")
-
-      timestamp_after = int(machine.succeed("systemctl show --property=ExecMainStartTimestampMonotonic sample-service | cut -d= -f2").strip())
-      assert timestamp_before < timestamp_after, f"{timestamp_before} >= {timestamp_after}: expected sample-service to be restarted after restore"
-
-      # Check that the table is still there
-      machine.succeed("runuser -u postgres -- /run/current-system/sw/bin/psql -d test -c 'SELECT * FROM test;'")
-      output = machine.succeed("runuser -u postgres -- /run/current-system/sw/bin/psql --csv -c \"SELECT datdba::regrole FROM pg_database WHERE datname = 'test'\"")
-      owner = output.split("\n")[1]
-      assert owner == "test", f"Expected database owner to be 'test', got '{owner}'"
-
-      # check if restore works if the database does not exist
-      machine.succeed("runuser -u postgres -- dropdb test")
-      machine.succeed("${nodes.machine.clan.core.state.test.postRestoreCommand}")
-      machine.succeed("runuser -u postgres -- /run/current-system/sw/bin/psql -d test -c '\dt' >&2")
-    '';
-})

checks/service-dummy-test-from-flake/default.nix

@@ -16,6 +16,7 @@ nixosLib.runTest (
 
     # This tests the compatibility of the inventory
     # With the test framework
+    # - legacy-modules
     # - clan.service modules
     name = "service-dummy-test-from-flake";
 
@@ -28,22 +29,17 @@ nixosLib.runTest (
     testScript =
       { nodes, ... }:
       ''
+        import subprocess
         from nixos_test_lib.nix_setup import setup_nix_in_nix # type: ignore[import-untyped]
-        setup_nix_in_nix(None)  # No closure info for this test
 
-        def run_clan(cmd: list[str], **kwargs) -> str:
-            import subprocess
-            clan = "${clan-core.packages.${hostPkgs.system}.clan-cli}/bin/clan"
-            clan_args = ["--flake", "${config.clan.test.flakeForSandbox}"]
-            return subprocess.run(
-                ["${hostPkgs.util-linux}/bin/unshare", "--user", "--map-user", "1000", "--map-group", "1000", clan, *cmd, *clan_args],
-                **kwargs,
-                check=True,
-            ).stdout
+        setup_nix_in_nix(None)  # No closure info for this test
 
         start_all()
         admin1.wait_for_unit("multi-user.target")
         peer1.wait_for_unit("multi-user.target")
+        # Provided by the legacy module
+        print(admin1.succeed("systemctl status dummy-service"))
+        print(peer1.succeed("systemctl status dummy-service"))
 
         # peer1 should have the 'hello' file
         peer1.succeed("cat ${nodes.peer1.clan.core.vars.generators.new-service.files.not-a-secret.path}")
@@ -56,7 +52,13 @@ nixosLib.runTest (
         # Check that the file is in the '0644' mode
         assert "-rw-r--r--" in ls_out, f"File is not in the '0644' mode: {ls_out}"
 
-        run_clan(["machines", "list"])
+        # Run clan command
+        result = subprocess.run(
+            ["${
+              clan-core.packages.${hostPkgs.system}.clan-cli
+            }/bin/clan", "machines", "list", "--flake", "${config.clan.test.flakeForSandbox}"],
+            check=True
+        )
       '';
   }
 )

checks/service-dummy-test-from-flake/flake.nix

@@ -15,6 +15,12 @@
             meta.name = "foo";
             machines.peer1 = { };
             machines.admin1 = { };
+            services = {
+              legacy-module.default = {
+                roles.peer.machines = [ "peer1" ];
+                roles.admin.machines = [ "admin1" ];
+              };
+            };
 
             instances."test" = {
               module.name = "new-service";
@@ -22,6 +28,9 @@
               roles.peer.machines.peer1 = { };
             };
 
+            modules = {
+              legacy-module = ./legacy-module;
+            };
           };
 
         modules.new-service = {

checks/service-dummy-test-from-flake/legacy-module/README.md

@@ -0,0 +1,10 @@
+---
+description = "Set up dummy-module"
+categories = ["System"]
+features = [ "inventory" ]
+
+[constraints]
+roles.admin.min = 1
+roles.admin.max = 1
+---
+

checks/service-dummy-test-from-flake/legacy-module/roles/admin.nix

@@ -0,0 +1,5 @@
+{
+  imports = [
+    ../shared.nix
+  ];
+}

checks/service-dummy-test-from-flake/legacy-module/roles/peer.nix

@@ -0,0 +1,5 @@
+{
+  imports = [
+    ../shared.nix
+  ];
+}

checks/service-dummy-test-from-flake/legacy-module/shared.nix

@@ -0,0 +1,34 @@
+{ config, ... }:
+{
+  systemd.services.dummy-service = {
+    enable = true;
+    description = "Dummy service";
+    wantedBy = [ "multi-user.target" ];
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+    };
+    script = ''
+      generated_password_path="${config.clan.core.vars.generators.dummy-generator.files.generated-password.path}"
+      if [ ! -f "$generated_password_path" ]; then
+        echo "Generated password file not found: $generated_password_path"
+        exit 1
+      fi
+      host_id_path="${config.clan.core.vars.generators.dummy-generator.files.host-id.path}"
+      if [ ! -e "$host_id_path" ]; then
+        echo "Host ID file not found: $host_id_path"
+        exit 1
+      fi
+    '';
+  };
+
+  # TODO: add and prompt and make it work in the test framework
+  clan.core.vars.generators.dummy-generator = {
+    files.host-id.secret = false;
+    files.generated-password.secret = true;
+    script = ''
+      echo $RANDOM > "$out"/host-id
+      echo $RANDOM > "$out"/generated-password
+    '';
+  };
+}

checks/service-dummy-test/default.nix

@@ -15,6 +15,7 @@ nixosLib.runTest (
 
     # This tests the compatibility of the inventory
     # With the test framework
+    # - legacy-modules
     # - clan.service modules
     name = "service-dummy-test";
 
@@ -23,6 +24,12 @@ nixosLib.runTest (
       inventory = {
         machines.peer1 = { };
         machines.admin1 = { };
+        services = {
+          legacy-module.default = {
+            roles.peer.machines = [ "peer1" ];
+            roles.admin.machines = [ "admin1" ];
+          };
+        };
 
         instances."test" = {
           module.name = "new-service";
@@ -30,6 +37,9 @@ nixosLib.runTest (
           roles.peer.machines.peer1 = { };
         };
 
+        modules = {
+          legacy-module = ./legacy-module;
+        };
       };
       modules.new-service = {
         _class = "clan.service";
@@ -68,6 +78,9 @@ nixosLib.runTest (
         start_all()
         admin1.wait_for_unit("multi-user.target")
         peer1.wait_for_unit("multi-user.target")
+        # Provided by the legacy module
+        print(admin1.succeed("systemctl status dummy-service"))
+        print(peer1.succeed("systemctl status dummy-service"))
 
         # peer1 should have the 'hello' file
         peer1.succeed("cat ${nodes.peer1.clan.core.vars.generators.new-service.files.not-a-secret.path}")

checks/update/flake-module.nix

@@ -0,0 +1,307 @@
+{ self, ... }:
+{
+  # Machine for update test
+  clan.machines.test-update-machine = {
+    imports = [
+      self.nixosModules.test-update-machine
+      # Import the configuration file that will be created/updated during the test
+      ./test-update-machine/configuration.nix
+    ];
+  };
+  flake.nixosModules.test-update-machine =
+    { lib, modulesPath, ... }:
+    {
+      imports = [
+        (modulesPath + "/testing/test-instrumentation.nix")
+        (modulesPath + "/profiles/qemu-guest.nix")
+        self.clanLib.test.minifyModule
+        ../../lib/test/container-test-driver/nixos-module.nix
+      ];
+
+      # Apply patch to fix x-initrd.mount filesystem handling in switch-to-configuration-ng
+      nixpkgs.overlays = [
+        (_final: prev: {
+          switch-to-configuration-ng = prev.switch-to-configuration-ng.overrideAttrs (old: {
+            patches = (old.patches or [ ]) ++ [ ./switch-to-configuration-initrd-mount-fix.patch ];
+          });
+        })
+      ];
+
+      networking.hostName = "update-machine";
+
+      environment.etc."install-successful".text = "ok";
+
+      # Enable SSH and add authorized key for testing
+      services.openssh.enable = true;
+      services.openssh.settings.PasswordAuthentication = false;
+      users.users.root.openssh.authorizedKeys.keys = [ (builtins.readFile ../assets/ssh/pubkey) ];
+      services.openssh.knownHosts.localhost.publicKeyFile = ../assets/ssh/pubkey;
+      services.openssh.hostKeys = [
+        {
+          path = ../assets/ssh/privkey;
+          type = "ed25519";
+        }
+      ];
+      security.sudo.wheelNeedsPassword = false;
+
+      boot.consoleLogLevel = lib.mkForce 100;
+      boot.kernelParams = [ "boot.shell_on_fail" ];
+
+      boot.isContainer = true;
+      nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+      # Preserve the IP addresses assigned by the test framework
+      # (based on virtualisation.vlans = [1] and node number 1)
+      networking.interfaces.eth1 = {
+        useDHCP = false;
+        ipv4.addresses = [
+          {
+            address = "192.168.1.1";
+            prefixLength = 24;
+          }
+        ];
+        ipv6.addresses = [
+          {
+            address = "2001:db8:1::1";
+            prefixLength = 64;
+          }
+        ];
+      };
+
+      # Define the mounts that exist in the container to prevent them from being stopped
+      fileSystems = {
+        "/" = {
+          device = "/dev/disk/by-label/nixos";
+          fsType = "ext4";
+          options = [ "x-initrd.mount" ];
+        };
+        "/nix/.rw-store" = {
+          device = "tmpfs";
+          fsType = "tmpfs";
+          options = [
+            "mode=0755"
+          ];
+        };
+        "/nix/store" = {
+          device = "overlay";
+          fsType = "overlay";
+          options = [
+            "lowerdir=/nix/.ro-store"
+            "upperdir=/nix/.rw-store/upper"
+            "workdir=/nix/.rw-store/work"
+          ];
+        };
+      };
+    };
+
+  perSystem =
+    {
+      pkgs,
+      ...
+    }:
+    {
+      checks =
+        pkgs.lib.optionalAttrs (pkgs.stdenv.isLinux && pkgs.stdenv.hostPlatform.system == "x86_64-linux")
+          {
+            nixos-test-update =
+              let
+                closureInfo = pkgs.closureInfo {
+                  rootPaths = [
+                    self.packages.${pkgs.system}.clan-cli
+                    self.checks.${pkgs.system}.clan-core-for-checks
+                    self.clanInternals.machines.${pkgs.hostPlatform.system}.test-update-machine.config.system.build.toplevel
+                    pkgs.stdenv.drvPath
+                    pkgs.bash.drvPath
+                    pkgs.buildPackages.xorg.lndir
+                  ]
+                  ++ builtins.map (i: i.outPath) (builtins.attrValues self.inputs);
+                };
+              in
+              self.clanLib.test.containerTest {
+                name = "update";
+                nodes.machine = {
+                  imports = [ self.nixosModules.test-update-machine ];
+                };
+                extraPythonPackages = _p: [
+                  self.legacyPackages.${pkgs.system}.nixosTestLib
+                ];
+
+                testScript = ''
+                  import tempfile
+                  import os
+                  import subprocess
+                  from nixos_test_lib.ssh import setup_ssh_connection # type: ignore[import-untyped]
+                  from nixos_test_lib.nix_setup import prepare_test_flake # type: ignore[import-untyped]
+
+                  start_all()
+                  machine.wait_for_unit("multi-user.target")
+
+                  # Verify initial state
+                  machine.succeed("test -f /etc/install-successful")
+                  machine.fail("test -f /etc/update-successful")
+
+                  # Set up test environment
+                  with tempfile.TemporaryDirectory() as temp_dir:
+                      # Prepare test flake and Nix store
+                      flake_dir = prepare_test_flake(
+                          temp_dir,
+                          "${self.checks.x86_64-linux.clan-core-for-checks}",
+                          "${closureInfo}"
+                      )
+                      (flake_dir / ".clan-flake").write_text("")  # Ensure .clan-flake exists
+
+                      # Set up SSH connection
+                      ssh_conn = setup_ssh_connection(
+                          machine,
+                          temp_dir,
+                          "${../assets/ssh/privkey}"
+                      )
+
+                      # Update the machine configuration to add a new file
+                      machine_config_path = os.path.join(flake_dir, "machines", "test-update-machine", "configuration.nix")
+                      os.makedirs(os.path.dirname(machine_config_path), exist_ok=True)
+
+                      # Note: update command doesn't accept -i flag, SSH key must be in ssh-agent
+                      # Start ssh-agent and add the key
+                      agent_output = subprocess.check_output(["${pkgs.openssh}/bin/ssh-agent", "-s"], text=True)
+                      for line in agent_output.splitlines():
+                          if line.startswith("SSH_AUTH_SOCK="):
+                              os.environ["SSH_AUTH_SOCK"] = line.split("=", 1)[1].split(";")[0]
+                          elif line.startswith("SSH_AGENT_PID="):
+                              os.environ["SSH_AGENT_PID"] = line.split("=", 1)[1].split(";")[0]
+
+                      # Add the SSH key to the agent
+                      subprocess.run(["${pkgs.openssh}/bin/ssh-add", ssh_conn.ssh_key], check=True)
+
+
+                      ##############
+                      print("TEST: update with --build-host local")
+                      with open(machine_config_path, "w") as f:
+                          f.write("""
+                      {
+                        environment.etc."update-build-local-successful".text = "ok";
+                      }
+                      """)
+
+                      # rsync the flake into the container
+                      os.environ["PATH"] = f"{os.environ['PATH']}:${pkgs.openssh}/bin"
+                      subprocess.run(
+                        [
+                            "${pkgs.rsync}/bin/rsync",
+                            "-a",
+                            "--delete",
+                            "-e",
+                            "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no",
+                            f"{str(flake_dir)}/",
+                            f"root@192.168.1.1:/flake",
+                        ],
+                        check=True
+                      )
+
+                      # allow machine to ssh into itself
+                      subprocess.run([
+                          "ssh",
+                          "-o", "UserKnownHostsFile=/dev/null",
+                          "-o", "StrictHostKeyChecking=no",
+                          f"root@192.168.1.1",
+                          "mkdir -p /root/.ssh && chmod 700 /root/.ssh && echo \"$(cat \"${../assets/ssh/privkey}\")\" > /root/.ssh/id_ed25519 && chmod 600 /root/.ssh/id_ed25519",
+                      ], check=True)
+
+                      # install the clan-cli package into the container's Nix store
+                      subprocess.run(
+                        [
+                            "${pkgs.nix}/bin/nix",
+                            "copy",
+                            "--to",
+                            "ssh://root@192.168.1.1",
+                            "--no-check-sigs",
+                            f"${self.packages.${pkgs.system}.clan-cli}",
+                            "--extra-experimental-features", "nix-command flakes",
+                            "--from", f"{os.environ["TMPDIR"]}/store"
+                        ],
+                        check=True,
+                        env={
+                          **os.environ,
+                          "NIX_SSHOPTS": "-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no",
+                        },
+                      )
+
+                      # Run ssh on the host to run the clan update command via --build-host local
+                      subprocess.run([
+                          "ssh",
+                          "-o", "UserKnownHostsFile=/dev/null",
+                          "-o", "StrictHostKeyChecking=no",
+                          f"root@192.168.1.1",
+                          "${self.packages.${pkgs.system}.clan-cli}/bin/clan",
+                          "machines",
+                          "update",
+                          "--debug",
+                          "--flake", "/flake",
+                          "--host-key-check", "none",
+                          "--upload-inputs",  # Use local store instead of fetching from network
+                          "--build-host", "localhost",
+                          "test-update-machine",
+                          "--target-host", f"root@localhost",
+                      ], check=True)
+
+                      # Verify the update was successful
+                      machine.succeed("test -f /etc/update-build-local-successful")
+
+
+                      ##############
+                      print("TEST: update with --target-host")
+
+                      with open(machine_config_path, "w") as f:
+                          f.write("""
+                      {
+                        environment.etc."target-host-update-successful".text = "ok";
+                      }
+                      """)
+
+                      # Run clan update command
+                      subprocess.run([
+                          "${self.packages.${pkgs.system}.clan-cli-full}/bin/clan",
+                          "machines",
+                          "update",
+                          "--debug",
+                          "--flake", flake_dir,
+                          "--host-key-check", "none",
+                          "--upload-inputs",  # Use local store instead of fetching from network
+                          "test-update-machine",
+                          "--target-host", f"root@192.168.1.1:{ssh_conn.host_port}",
+                      ], check=True)
+
+                      # Verify the update was successful
+                      machine.succeed("test -f /etc/target-host-update-successful")
+
+
+                      ##############
+                      print("TEST: update with --build-host")
+                      # Update configuration again
+                      with open(machine_config_path, "w") as f:
+                          f.write("""
+                      {
+                        environment.etc."build-host-update-successful".text = "ok";
+                      }
+                      """)
+
+                      # Run clan update command with --build-host
+                      subprocess.run([
+                          "${self.packages.${pkgs.system}.clan-cli-full}/bin/clan",
+                          "machines",
+                          "update",
+                          "--debug",
+                          "--flake", flake_dir,
+                          "--host-key-check", "none",
+                          "--upload-inputs",  # Use local store instead of fetching from network
+                          "--build-host", f"root@192.168.1.1:{ssh_conn.host_port}",
+                          "test-update-machine",
+                          "--target-host", f"root@192.168.1.1:{ssh_conn.host_port}",
+                      ], check=True)
+
+                      # Verify the second update was successful
+                      machine.succeed("test -f /etc/build-host-update-successful")
+                '';
+              } { inherit pkgs self; };
+          };
+    };
+}

checks/update/switch-to-configuration-initrd-mount-fix.patch

@@ -0,0 +1,17 @@
+diff --git a/src/main.rs b/src/main.rs
+index 8baf5924a7db..1234567890ab 100644
+--- a/src/main.rs
++++ b/src/main.rs
+@@ -1295,6 +1295,12 @@ won't take effect until you reboot the system.
+ 
+     for (mountpoint, current_filesystem) in current_filesystems {
+         // Use current version of systemctl binary before daemon is reexeced.
++        
++        // Skip filesystem comparison if x-initrd.mount is present in options
++        if current_filesystem.options.contains("x-initrd.mount") {
++            continue;
++        }
++        
+         let unit = path_to_unit_name(&current_system_bin, &mountpoint);
+         if let Some(new_filesystem) = new_filesystems.get(&mountpoint) {
+             if current_filesystem.fs_type != new_filesystem.fs_type

checks/update/test-update-machine/configuration.nix

@@ -0,0 +1,3 @@
+{
+  # Initial empty configuration
+}

clanModules/admin/README.md

@@ -0,0 +1,5 @@
+---
+description = "Convenient Administration for the Clan App"
+categories = ["Utility"]
+features = [ "inventory", "deprecated" ]
+---

clanModules/admin/default.nix

@@ -0,0 +1,3 @@
+{
+  imports = [ ./roles/default.nix ];
+}

clanModules/admin/roles/default.nix

@@ -0,0 +1,30 @@
+{ lib, config, ... }:
+{
+
+  options.clan.admin = {
+    allowedKeys = lib.mkOption {
+      default = { };
+      type = lib.types.attrsOf lib.types.str;
+      description = "The allowed public keys for ssh access to the admin user";
+      example = {
+        "key_1" = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD...";
+      };
+    };
+  };
+  # Bad practice.
+  # Should we add 'clanModules' to specialArgs?
+  imports = [
+    ../../sshd
+    ../../root-password
+  ];
+  config = {
+
+    warnings = [
+      "The clan.admin module is deprecated and will be removed on 2025-07-15.
+      Please migrate to user-maintained configuration or the new equivalent clan services
+      (https://docs.clan.lol/reference/clanServices)."
+    ];
+
+    users.users.root.openssh.authorizedKeys.keys = builtins.attrValues config.clan.admin.allowedKeys;
+  };
+}

clanModules/auto-upgrade/README.md

@@ -0,0 +1,8 @@
+---
+description = "Set up automatic upgrades"
+categories = ["System"]
+features = [ "inventory", "deprecated" ]
+---
+
+Whether to periodically upgrade NixOS to the latest version. If enabled, a
+systemd timer will run `nixos-rebuild switch --upgrade` once a day.

clanModules/auto-upgrade/roles/default.nix

@@ -0,0 +1,32 @@
+{
+  config,
+  lib,
+  ...
+}:
+let
+  cfg = config.clan.auto-upgrade;
+in
+{
+  options.clan.auto-upgrade = {
+    flake = lib.mkOption {
+      type = lib.types.str;
+      description = "Flake reference";
+    };
+  };
+
+  config = {
+
+    warnings = [
+      "The clan.auto-upgrade module is deprecated and will be removed on 2025-07-15.
+      Please migrate to user-maintained configuration or the new equivalent clan services
+      (https://docs.clan.lol/reference/clanServices)."
+    ];
+
+    system.autoUpgrade = {
+      inherit (cfg) flake;
+      enable = true;
+      dates = "02:00";
+      randomizedDelaySec = "45min";
+    };
+  };
+}

clanModules/borgbackup-static/README.md

@@ -0,0 +1,16 @@
+---
+description = "Statically configure borgbackup with sane defaults."
+---
+!!! Danger "Deprecated"
+    Use [borgbackup](borgbackup.md) instead.
+
+    Don't use borgbackup-static through [inventory](../../concepts/inventory.md).
+
+This module implements the `borgbackup` backend and implements sane defaults
+for backup management through `borgbackup` for members of the clan.
+
+Configure target machines where the backups should be sent to through `targets`.
+
+Configure machines that should be backuped either through `includeMachines`
+which will exclusively add the included machines to be backuped, or through
+`excludeMachines`, which will add every machine except the excluded machine to the backup.

clanModules/borgbackup-static/default.nix

@@ -0,0 +1,104 @@
+{ lib, config, ... }:
+let
+  dir = config.clan.core.settings.directory;
+  machineDir = dir + "/machines/";
+in
+{
+  imports = [ ../borgbackup ];
+
+  options.clan.borgbackup-static = {
+    excludeMachines = lib.mkOption {
+      type = lib.types.listOf lib.types.str;
+      example = lib.literalExpression "[ config.clan.core.settings.machine.name ]";
+      default = [ ];
+      description = ''
+        Machines that should not be backuped.
+        Mutually exclusive with includeMachines.
+        If this is not empty, every other machine except the targets in the clan will be backuped by this module.
+        If includeMachines is set, only the included machines will be backuped.
+      '';
+    };
+    includeMachines = lib.mkOption {
+      type = lib.types.listOf lib.types.str;
+      example = lib.literalExpression "[ config.clan.core.settings.machine.name ]";
+      default = [ ];
+      description = ''
+        Machines that should be backuped.
+        Mutually exclusive with excludeMachines.
+      '';
+    };
+    targets = lib.mkOption {
+      type = lib.types.listOf lib.types.str;
+      default = [ ];
+      description = ''
+        Machines that should act as target machines for backups.
+      '';
+    };
+  };
+
+  config.services.borgbackup.repos =
+    let
+      machines = builtins.readDir machineDir;
+      borgbackupIpMachinePath = machines: machineDir + machines + "/facts/borgbackup.ssh.pub";
+      filteredMachines =
+        if ((builtins.length config.clan.borgbackup-static.includeMachines) != 0) then
+          lib.filterAttrs (name: _: (lib.elem name config.clan.borgbackup-static.includeMachines)) machines
+        else
+          lib.filterAttrs (name: _: !(lib.elem name config.clan.borgbackup-static.excludeMachines)) machines;
+      machinesMaybeKey = lib.mapAttrsToList (
+        machine: _:
+        let
+          fullPath = borgbackupIpMachinePath machine;
+        in
+        if builtins.pathExists fullPath then machine else null
+      ) filteredMachines;
+      machinesWithKey = lib.filter (x: x != null) machinesMaybeKey;
+      hosts = builtins.map (machine: {
+        name = machine;
+        value = {
+          path = "/var/lib/borgbackup/${machine}";
+          authorizedKeys = [ (builtins.readFile (borgbackupIpMachinePath machine)) ];
+        };
+      }) machinesWithKey;
+    in
+    lib.mkIf
+      (builtins.any (
+        target: target == config.clan.core.settings.machine.name
+      ) config.clan.borgbackup-static.targets)
+      (if (builtins.listToAttrs hosts) != null then builtins.listToAttrs hosts else { });
+
+  config.clan.borgbackup.destinations =
+    let
+      destinations = builtins.map (d: {
+        name = d;
+        value = {
+          repo = "borg@${d}:/var/lib/borgbackup/${config.clan.core.settings.machine.name}";
+        };
+      }) config.clan.borgbackup-static.targets;
+    in
+    lib.mkIf (builtins.any (
+      target: target == config.clan.core.settings.machine.name
+    ) config.clan.borgbackup-static.includeMachines) (builtins.listToAttrs destinations);
+
+  config.assertions = [
+    {
+      assertion =
+        !(
+          ((builtins.length config.clan.borgbackup-static.excludeMachines) != 0)
+          && ((builtins.length config.clan.borgbackup-static.includeMachines) != 0)
+        );
+      message = ''
+        The options:
+        config.clan.borgbackup-static.excludeMachines = [${builtins.toString config.clan.borgbackup-static.excludeMachines}]
+        and
+        config.clan.borgbackup-static.includeMachines = [${builtins.toString config.clan.borgbackup-static.includeMachines}]
+        are mutually exclusive.
+        Use excludeMachines to exclude certain machines and backup the other clan machines.
+        Use include machines to only backup certain machines.
+      '';
+    }
+  ];
+  config.warnings = lib.optional (
+    builtins.length config.clan.borgbackup-static.targets > 0
+  ) "The borgbackup-static module is deprecated use the service via the inventory interface instead.";
+}

clanModules/borgbackup/README.md

@@ -0,0 +1,14 @@
+---
+description = "Efficient, deduplicating backup program with optional compression and secure encryption."
+categories = ["System"]
+features = [ "inventory", "deprecated" ]
+---
+BorgBackup (short: Borg) gives you:
+
+- Space efficient storage of backups.
+- Secure, authenticated encryption.
+- Compression: lz4, zstd, zlib, lzma or none.
+- Mountable backups with FUSE.
+- Easy installation on multiple platforms: Linux, macOS, BSD, …
+- Free software (BSD license).
+- Backed by a large and active open-source community.

clanModules/borgbackup/default.nix

@@ -0,0 +1,6 @@
+# Dont import this file
+# It is only here for backwards compatibility.
+# Dont author new modules with this file.
+{
+  imports = [ ./roles/client.nix ];
+}

clanModules/borgbackup/roles/server.nix

@@ -0,0 +1,63 @@
+{ config, lib, ... }:
+let
+  dir = config.clan.core.settings.directory;
+  machineDir = dir + "/vars/per-machine/";
+  machineName = config.clan.core.settings.machine.name;
+
+  # Instances might be empty, if the module is not used via the inventory
+  #
+  # Type: { ${instanceName} :: { roles :: Roles } }
+  #   Roles :: { ${role_name} :: { machines :: [string] } }
+  instances = config.clan.inventory.services.borgbackup or { };
+
+  allClients = lib.foldlAttrs (
+    acc: _instanceName: instanceConfig:
+    acc
+    ++ (
+      if (builtins.elem machineName instanceConfig.roles.server.machines) then
+        instanceConfig.roles.client.machines
+      else
+        [ ]
+    )
+  ) [ ] instances;
+in
+{
+  options = {
+    clan.borgbackup.directory = lib.mkOption {
+      type = lib.types.str;
+      default = "/var/lib/borgbackup";
+      description = ''
+        The directory where the borgbackup repositories are stored.
+      '';
+    };
+  };
+  config.services.borgbackup.repos =
+    let
+      borgbackupIpMachinePath = machine: machineDir + machine + "/borgbackup/borgbackup.ssh.pub/value";
+
+      machinesMaybeKey = builtins.map (
+        machine:
+        let
+          fullPath = borgbackupIpMachinePath machine;
+        in
+        if builtins.pathExists fullPath then
+          machine
+        else
+          lib.warn ''
+            Machine ${machine} does not have a borgbackup key at ${fullPath},
+            run `clan vars generate ${machine}` to generate it.
+          '' null
+      ) allClients;
+
+      machinesWithKey = lib.filter (x: x != null) machinesMaybeKey;
+
+      hosts = builtins.map (machine: {
+        name = machine;
+        value = {
+          path = "${config.clan.borgbackup.directory}/${machine}";
+          authorizedKeys = [ (builtins.readFile (borgbackupIpMachinePath machine)) ];
+        };
+      }) machinesWithKey;
+    in
+    if (builtins.listToAttrs hosts) != [ ] then builtins.listToAttrs hosts else { };
+}

clanModules/data-mesher/README.md

@@ -0,0 +1,10 @@
+---
+description = "Set up data-mesher"
+categories = ["System"]
+features = [ "inventory" ]
+
+[constraints]
+roles.admin.min = 1
+roles.admin.max = 1
+---
+

clanModules/data-mesher/lib.nix

@@ -0,0 +1,19 @@
+lib: {
+
+  machines =
+    config:
+    let
+      instanceNames = builtins.attrNames config.clan.inventory.services.data-mesher;
+      instanceName = builtins.head instanceNames;
+      dataMesherInstances = config.clan.inventory.services.data-mesher.${instanceName};
+
+      uniqueStrings = list: builtins.attrNames (builtins.groupBy lib.id list);
+    in
+    rec {
+      admins = dataMesherInstances.roles.admin.machines or [ ];
+      signers = dataMesherInstances.roles.signer.machines or [ ];
+      peers = dataMesherInstances.roles.peer.machines or [ ];
+      bootstrap = uniqueStrings (admins ++ signers);
+    };
+
+}

clanModules/data-mesher/roles/admin.nix

@@ -0,0 +1,58 @@
+{ lib, config, ... }:
+let
+  cfg = config.clan.data-mesher;
+
+  dmLib = import ../lib.nix lib;
+in
+{
+  imports = [
+    ../shared.nix
+  ];
+
+  options.clan.data-mesher = {
+    network = {
+      tld = lib.mkOption {
+        type = lib.types.str;
+        default = (config.networking.domain or "clan");
+        description = "Top level domain to use for the network";
+      };
+
+      hostTTL = lib.mkOption {
+        type = lib.types.str;
+        default = "672h"; # 28 days
+        example = "24h";
+        description = "The TTL for hosts in the network, in the form of a Go time.Duration";
+      };
+    };
+  };
+
+  config = {
+
+    warnings = [
+      "The clan.admin module is deprecated and will be removed on 2025-07-15.
+      Please migrate to user-maintained configuration or the new equivalent clan services
+      (https://docs.clan.lol/reference/clanServices)."
+    ];
+
+    services.data-mesher.initNetwork =
+      let
+        # for a given machine, read it's public key and remove any new lines
+        readHostKey =
+          machine:
+          let
+            path = "${config.clan.core.settings.directory}/vars/per-machine/${machine}/data-mesher-host-key/public_key/value";
+          in
+          builtins.elemAt (lib.splitString "\n" (builtins.readFile path)) 1;
+      in
+      {
+        enable = true;
+        keyPath = config.clan.core.vars.generators.data-mesher-network-key.files.private_key.path;
+
+        tld = cfg.network.tld;
+        hostTTL = cfg.network.hostTTL;
+
+        # admin and signer host public keys
+        signingKeys = builtins.map readHostKey (dmLib.machines config).bootstrap;
+      };
+  };
+}

clanModules/data-mesher/roles/peer.nix

@@ -0,0 +1,5 @@
+{
+  imports = [
+    ../shared.nix
+  ];
+}

clanModules/data-mesher/roles/signer.nix

@@ -0,0 +1,5 @@
+{
+  imports = [
+    ../shared.nix
+  ];
+}

clanModules/data-mesher/shared.nix

@@ -0,0 +1,152 @@
+{
+  config,
+  lib,
+  ...
+}:
+let
+  cfg = config.clan.data-mesher;
+  dmLib = import ./lib.nix lib;
+
+  # the default bootstrap nodes are any machines with the admin or signers role
+  # we iterate through those machines, determining an IP address for them based on their VPN
+  # currently only supports zerotier
+  defaultBootstrapNodes = builtins.foldl' (
+    urls: name:
+    let
+
+      ipPath = "${config.clan.core.settings.directory}/vars/per-machine/${name}/zerotier/zerotier-ip/value";
+
+    in
+    if builtins.pathExists ipPath then
+      let
+        ip = builtins.readFile ipPath;
+      in
+      urls ++ [ "[${ip}]:${builtins.toString cfg.network.port}" ]
+    else
+      urls
+  ) [ ] (dmLib.machines config).bootstrap;
+in
+{
+  options.clan.data-mesher = {
+
+    bootstrapNodes = lib.mkOption {
+      type = lib.types.nullOr (lib.types.listOf lib.types.str);
+      default = null;
+      description = ''
+        A list of bootstrap nodes that act as an initial gateway when joining
+        the cluster.
+      '';
+      example = [
+        "192.168.1.1:7946"
+        "192.168.1.2:7946"
+      ];
+    };
+
+    network = {
+
+      interface = lib.mkOption {
+        type = lib.types.str;
+        description = ''
+          The interface over which cluster communication should be performed.
+          All the ip addresses associate with this interface will be part of
+          our host claim, including both ipv4 and ipv6.
+
+          This should be set to an internal/VPN interface.
+        '';
+        example = "tailscale0";
+      };
+
+      port = lib.mkOption {
+        type = lib.types.port;
+        default = 7946;
+        description = ''
+          Port to listen on for cluster communication.
+        '';
+      };
+    };
+  };
+
+  config = {
+
+    services.data-mesher = {
+      enable = true;
+      openFirewall = true;
+
+      settings = {
+        log_level = "warn";
+        state_dir = "/var/lib/data-mesher";
+
+        # read network id from vars
+        network.id = config.clan.core.vars.generators.data-mesher-network-key.files.public_key.value;
+
+        host = {
+          names = [ config.networking.hostName ];
+          key_path = config.clan.core.vars.generators.data-mesher-host-key.files.private_key.path;
+        };
+
+        cluster = {
+          port = cfg.network.port;
+          join_interval = "30s";
+          push_pull_interval = "30s";
+
+          interface = cfg.network.interface;
+
+          bootstrap_nodes = if cfg.bootstrapNodes == null then defaultBootstrapNodes else cfg.bootstrapNodes;
+        };
+
+        http.port = 7331;
+        http.interface = "lo";
+      };
+    };
+
+    # Generate host key.
+    clan.core.vars.generators.data-mesher-host-key = {
+      files =
+        let
+          owner = config.users.users.data-mesher.name;
+        in
+        {
+          private_key = {
+            inherit owner;
+          };
+          public_key.secret = false;
+        };
+
+      runtimeInputs = [
+        config.services.data-mesher.package
+      ];
+
+      script = ''
+        data-mesher generate keypair \
+            --public-key-path "$out"/public_key \
+            --private-key-path "$out"/private_key
+      '';
+    };
+
+    clan.core.vars.generators.data-mesher-network-key = {
+      # generated once per clan
+      share = true;
+
+      files =
+        let
+          owner = config.users.users.data-mesher.name;
+        in
+        {
+          private_key = {
+            inherit owner;
+          };
+          public_key.secret = false;
+        };
+
+      runtimeInputs = [
+        config.services.data-mesher.package
+      ];
+
+      script = ''
+        data-mesher generate keypair \
+            --public-key-path "$out"/public_key \
+            --private-key-path "$out"/private_key
+      '';
+    };
+  };
+}

clanModules/deltachat/README.md

@@ -0,0 +1,17 @@
+---
+description = "Email-based instant messaging for Desktop."
+categories = ["Social"]
+features = [ "inventory", "deprecated" ]
+---
+
+!!! info
+    This module will automatically configure an email server on the machine for handling the e-mail messaging seamlessly.
+
+## Features
+
+- [x] **Email-based**: Uses any email account as its backend.
+- [x] **End-to-End Encryption**: Supports Autocrypt to automatically encrypt messages.
+- [x] **No Phone Number Required**: Uses your email address instead of a phone number.
+- [x] **Cross-Platform**: Available on desktop and mobile platforms.
+- [x] **Automatic Server Setup**: Includes your own DeltaChat server for enhanced control and privacy.
+- [ ] **Bake a cake**: This module cannot cake a bake.

clanModules/deltachat/default.nix

@@ -0,0 +1,3 @@
+{
+  imports = [ ./roles/default.nix ];
+}

clanModules/deltachat/roles/default.nix

@@ -0,0 +1,153 @@
+{
+  config,
+  pkgs,
+  ...
+}:
+{
+  warnings = [
+    "The clan.deltachat module is deprecated and will be removed on 2025-07-15.
+      Please migrate to user-maintained configuration or the new equivalent clan services
+      (https://docs.clan.lol/reference/clanServices)."
+  ];
+
+  networking.firewall.interfaces."zt+".allowedTCPPorts = [ 25 ]; # smtp with other hosts
+  environment.systemPackages = [ pkgs.deltachat-desktop ];
+
+  services.maddy =
+    let
+      domain = "${config.clan.core.settings.machine.name}.local";
+    in
+    {
+      enable = true;
+      primaryDomain = domain;
+      config = ''
+        # Minimal configuration with TLS disabled, adapted from upstream example
+        # configuration here https://github.com/foxcpp/maddy/blob/master/maddy.conf
+        # Do not use this in unencrypted networks!
+
+        auth.pass_table local_authdb {
+          table sql_table {
+            driver sqlite3
+            dsn credentials.db
+            table_name passwords
+          }
+        }
+
+        storage.imapsql local_mailboxes {
+          driver sqlite3
+          dsn imapsql.db
+        }
+
+        table.chain local_rewrites {
+          optional_step regexp "(.+)\+(.+)@(.+)" "$1@$3"
+          optional_step static {
+            entry postmaster postmaster@$(primary_domain)
+          }
+          optional_step file /etc/maddy/aliases
+        }
+
+        msgpipeline local_routing {
+          destination postmaster $(local_domains) {
+            modify {
+              replace_rcpt &local_rewrites
+            }
+            deliver_to &local_mailboxes
+          }
+          default_destination {
+            reject 550 5.1.1 "User doesn't exist"
+          }
+        }
+
+        smtp tcp://[::]:25 {
+          limits {
+            all rate 20 1s
+            all concurrency 10
+          }
+          dmarc yes
+          check {
+            require_mx_record
+            dkim
+            spf
+          }
+          source $(local_domains) {
+            reject 501 5.1.8 "Use Submission for outgoing SMTP"
+          }
+          default_source {
+            destination postmaster $(local_domains) {
+              deliver_to &local_routing
+            }
+            default_destination {
+              reject 550 5.1.1 "User doesn't exist"
+            }
+          }
+        }
+
+        submission tcp://[::1]:587 {
+          limits {
+            all rate 50 1s
+          }
+          auth &local_authdb
+          source $(local_domains) {
+            check {
+                authorize_sender {
+                    prepare_email &local_rewrites
+                    user_to_email identity
+                }
+            }
+            destination postmaster $(local_domains) {
+                deliver_to &local_routing
+            }
+            default_destination {
+                modify {
+                    dkim $(primary_domain) $(local_domains) default
+                }
+                deliver_to &remote_queue
+            }
+          }
+          default_source {
+            reject 501 5.1.8 "Non-local sender domain"
+          }
+        }
+
+        target.remote outbound_delivery {
+          limits {
+            destination rate 20 1s
+            destination concurrency 10
+          }
+          mx_auth {
+            dane
+            mtasts {
+              cache fs
+              fs_dir mtasts_cache/
+            }
+            local_policy {
+                min_tls_level encrypted
+                min_mx_level none
+            }
+          }
+        }
+
+        target.queue remote_queue {
+          target &outbound_delivery
+          autogenerated_msg_domain $(primary_domain)
+          bounce {
+            destination postmaster $(local_domains) {
+              deliver_to &local_routing
+            }
+            default_destination {
+                reject 550 5.0.0 "Refusing to send DSNs to non-local addresses"
+            }
+          }
+        }
+
+        imap tcp://[::1]:143 {
+          auth &local_authdb
+          storage &local_mailboxes
+        }
+      '';
+      ensureAccounts = [ "user@${domain}" ];
+      ensureCredentials = {
+        "user@${domain}".passwordFile = pkgs.writeText "dummy" "foobar";
+      };
+    };
+}

clanModules/disk-id/README.md

@@ -0,0 +1,5 @@
+---
+description = "Generates a uuid for use in disk device naming"
+features = [ "inventory" ]
+categories = [ "System" ]
+---

clanModules/disk-id/default.nix

@@ -0,0 +1,6 @@
+# Dont import this file
+# It is only here for backwards compatibility.
+# Dont author new modules with this file.
+{
+  imports = [ ./roles/default.nix ];
+}

clanModules/disk-id/roles/uuid4.sh

@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+
+# Read 16 bytes from /dev/urandom
+uuid=$(dd if=/dev/urandom bs=1 count=16 2>/dev/null | od -An -tx1 | tr -d ' \n')
+
+# Break the UUID into pieces and apply the required modifications
+byte6=${uuid:12:2}
+byte8=${uuid:16:2}
+
+# Construct the correct version and variant
+hex_byte6=$(printf "%x" $((0x$byte6 & 0x0F | 0x40)))
+hex_byte8=$(printf "%x" $((0x$byte8 & 0x3F | 0x80)))
+
+# Rebuild the UUID with the correct fields
+uuid_v4="${uuid:0:12}${hex_byte6}${uuid:14:2}${hex_byte8}${uuid:18:14}"
+
+# Format the UUID correctly 8-4-4-4-12
+uuid_formatted="${uuid_v4:0:8}-${uuid_v4:8:4}-${uuid_v4:12:4}-${uuid_v4:16:4}-${uuid_v4:20:12}"
+
+echo -n "$uuid_formatted"

clanModules/dyndns/README.md

@@ -0,0 +1,6 @@
+---
+description = "A dynamic DNS service to update domain IPs"
+---
+
+To understand the possible options that can be set visit the documentation of [ddns-updater](https://github.com/qdm12/ddns-updater?tab=readme-ov-file#versioned-documentation)
+

clanModules/dyndns/default.nix

@@ -0,0 +1,257 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+
+let
+  name = "dyndns";
+  cfg = config.clan.${name};
+
+  # We dedup secrets if they have the same provider + base domain
+  secret_id = opt: "${name}-${opt.provider}-${opt.domain}";
+  secret_path =
+    opt: config.clan.core.vars.generators."${secret_id opt}".files."${secret_id opt}".path;
+
+  # We check that a secret has not been set in extraSettings.
+  extraSettingsSafe =
+    opt:
+    if (builtins.hasAttr opt.secret_field_name opt.extraSettings) then
+      throw "Please do not set ${opt.secret_field_name} in extraSettings, it is automatically set by the dyndns module."
+    else
+      opt.extraSettings;
+  /*
+    We go from:
+    {home.example.com:{value:{domain:example.com,host:home, provider:namecheap}}}
+    To:
+    {settings: [{domain: example.com, host: home, provider: namecheap, password: dyndns-namecheap-example.com}]}
+  */
+  service_config = {
+    settings = builtins.catAttrs "value" (
+      builtins.attrValues (
+        lib.mapAttrs (_: opt: {
+          value =
+            (extraSettingsSafe opt)
+            // {
+              domain = opt.domain;
+              provider = opt.provider;
+            }
+            // {
+              "${opt.secret_field_name}" = secret_id opt;
+            };
+        }) cfg.settings
+      )
+    );
+  };
+
+  secret_generator = _: opt: {
+    name = secret_id opt;
+    value = {
+      share = true;
+      migrateFact = "${secret_id opt}";
+      prompts.${secret_id opt} = {
+        type = "hidden";
+        persist = true;
+      };
+    };
+  };
+in
+{
+  options.clan.${name} = {
+    server = {
+      enable = lib.mkEnableOption "dyndns webserver";
+      domain = lib.mkOption {
+        type = lib.types.str;
+        description = "Domain to serve the webservice on";
+      };
+      port = lib.mkOption {
+        type = lib.types.int;
+        default = 54805;
+        description = "Port to listen on";
+      };
+    };
+
+    period = lib.mkOption {
+      type = lib.types.int;
+      default = 5;
+      description = "Domain update period in minutes";
+    };
+
+    settings = lib.mkOption {
+      type = lib.types.attrsOf (
+        lib.types.submodule (
+          { ... }:
+          {
+            options = {
+              provider = lib.mkOption {
+                example = "namecheap";
+                type = lib.types.str;
+                description = "The dyndns provider to use";
+              };
+              domain = lib.mkOption {
+                type = lib.types.str;
+                example = "example.com";
+                description = "The top level domain to update.";
+              };
+              secret_field_name = lib.mkOption {
+                example = [
+                  "password"
+                  "api_key"
+                ];
+                type = lib.types.enum [
+                  "password"
+                  "token"
+                  "api_key"
+                  "secret_api_key"
+                ];
+                default = "password";
+                description = "The field name for the secret";
+              };
+              # TODO: Ideally we would create a gigantic list of all possible settings / types
+              # optimally we would have a way to generate the options from the source code
+              extraSettings = lib.mkOption {
+                type = lib.types.attrsOf lib.types.str;
+                default = { };
+                description = ''
+                  Extra settings for the provider.
+                  Provider specific settings: https://github.com/qdm12/ddns-updater#configuration
+                '';
+              };
+            };
+          }
+        )
+      );
+      default = [ ];
+      description = "Configuration for which domains to update";
+    };
+  };
+
+  imports = [
+    ../nginx
+  ];
+
+  config = lib.mkMerge [
+    (lib.mkIf (cfg.settings != { }) {
+      clan.core.vars.generators = lib.mapAttrs' secret_generator cfg.settings;
+
+      users.groups.${name} = { };
+      users.users.${name} = {
+        group = name;
+        isSystemUser = true;
+        description = "User for ${name} service";
+        home = "/var/lib/${name}";
+        createHome = true;
+      };
+
+      services.nginx = lib.mkIf cfg.server.enable {
+        enable = true;
+        virtualHosts = {
+          "${cfg.server.domain}" = {
+            forceSSL = true;
+            enableACME = true;
+            locations."/" = {
+              proxyPass = "http://localhost:${toString cfg.server.port}";
+            };
+          };
+        };
+      };
+
+      systemd.services.${name} = {
+        path = [ ];
+        description = "Dynamic DNS updater";
+        after = [ "network.target" ];
+        wantedBy = [ "multi-user.target" ];
+        environment = {
+          MYCONFIG = "${builtins.toJSON service_config}";
+          SERVER_ENABLED = if cfg.server.enable then "yes" else "no";
+          PERIOD = "${toString cfg.period}m";
+          LISTENING_ADDRESS = ":${toString cfg.server.port}";
+        };
+
+        serviceConfig =
+          let
+            pyscript =
+              pkgs.writers.writePython3Bin "generate_secret_config.py"
+                {
+                  libraries = [ ];
+                  doCheck = false;
+                }
+                ''
+                  import json
+                  from pathlib import Path
+                  import os
+
+                  cred_dir = Path(os.getenv("CREDENTIALS_DIRECTORY"))
+                  config_str = os.getenv("MYCONFIG")
+
+
+                  def get_credential(name):
+                      secret_p = cred_dir / name
+                      with open(secret_p, 'r') as f:
+                          return f.read().strip()
+
+
+                  config = json.loads(config_str)
+                  print(f"Config: {config}")
+                  for attrset in config["settings"]:
+                      if "password" in attrset:
+                          attrset['password'] = get_credential(attrset['password'])
+                      elif "token" in attrset:
+                          attrset['token'] = get_credential(attrset['token'])
+                      elif "secret_api_key" in attrset:
+                          attrset['secret_api_key'] = get_credential(attrset['secret_api_key'])
+                      elif "api_key" in attrset:
+                          attrset['api_key'] = get_credential(attrset['api_key'])
+                      else:
+                          raise ValueError(f"Missing secret field in {attrset}")
+
+                  # create directory data if it does not exist
+                  data_dir = Path('data')
+                  data_dir.mkdir(mode=0o770, exist_ok=True)
+
+                  # Create a temporary config file
+                  # with appropriate permissions
+                  tmp_config_path = data_dir / '.config.json'
+                  tmp_config_path.touch(mode=0o660, exist_ok=False)
+
+                  # Write the config with secrets back
+                  with open(tmp_config_path, 'w') as f:
+                      f.write(json.dumps(config, indent=4))
+
+                  # Move config into place
+                  config_path = data_dir / 'config.json'
+                  tmp_config_path.rename(config_path)
+
+                  # Set file permissions to read
+                  # and write only by the user and group
+                  for file in data_dir.iterdir():
+                      file.chmod(0o660)
+                '';
+          in
+          {
+            ExecStartPre = lib.getExe pyscript;
+            ExecStart = lib.getExe pkgs.ddns-updater;
+            LoadCredential = lib.mapAttrsToList (_: opt: "${secret_id opt}:${secret_path opt}") cfg.settings;
+            User = name;
+            Group = name;
+            NoNewPrivileges = true;
+            PrivateTmp = true;
+            ProtectSystem = "strict";
+            ReadOnlyPaths = "/";
+            PrivateDevices = "yes";
+            ProtectKernelModules = "yes";
+            ProtectKernelTunables = "yes";
+            WorkingDirectory = "/var/lib/${name}";
+            ReadWritePaths = [
+              "/proc/self"
+              "/var/lib/${name}"
+            ];
+
+            Restart = "always";
+            RestartSec = 60;
+          };
+      };
+    })
+  ];
+}

clanModules/ergochat/README.md

@@ -0,0 +1,5 @@
+---
+description = "A modern IRC server"
+categories = ["Social"]
+features = [ "inventory", "deprecated" ]
+---

clanModules/ergochat/default.nix

@@ -0,0 +1,3 @@
+{
+  imports = [ ./roles/default.nix ];
+}

clanModules/ergochat/roles/default.nix

@@ -0,0 +1,21 @@
+_: {
+
+  warnings = [
+    "The clan.ergochat module is deprecated and will be removed on 2025-07-15.
+      Please migrate to user-maintained configuration or the new equivalent clan services
+      (https://docs.clan.lol/reference/clanServices)."
+  ];
+
+  services.ergochat = {
+    enable = true;
+
+    settings = {
+      datastore = {
+        autoupgrade = true;
+        path = "/var/lib/ergo/ircd.db";
+      };
+    };
+  };
+
+  clan.core.state.ergochat.folders = [ "/var/lib/ergo" ];
+}

clanModules/flake-module.nix

@@ -1,23 +1,51 @@
-{ ... }:
-
+{ lib, ... }:
 let
-  error = builtins.throw ''
-    clanModules have been removed!
-
-    Refer to https://docs.clan.lol/guides/migrations/migrate-inventory-services for migration.
-  '';
+  inherit (lib)
+    filterAttrs
+    pathExists
+    ;
 in
-
 {
-  flake.clanModules = {
-    outPath = "removed-clan-modules";
-    value = error;
+  # only import available files, as this allows to filter the files for tests.
+  flake.clanModules = filterAttrs (_name: pathExists) {
+    auto-upgrade = ./auto-upgrade;
+    admin = ./admin;
+    borgbackup = ./borgbackup;
+    borgbackup-static = ./borgbackup-static;
+    deltachat = ./deltachat;
+    data-mesher = ./data-mesher;
+    disk-id = ./disk-id;
+    dyndns = ./dyndns;
+    ergochat = ./ergochat;
+    garage = ./garage;
+    heisenbridge = ./heisenbridge;
+    importer = ./importer;
+    iwd = ./iwd;
+    localbackup = ./localbackup;
+    localsend = ./localsend;
+    matrix-synapse = ./matrix-synapse;
+    moonlight = ./moonlight;
+    mumble = ./mumble;
+    mycelium = ./mycelium;
+    nginx = ./nginx;
+    packages = ./packages;
+    postgresql = ./postgresql;
+    root-password = ./root-password;
+    single-disk = ./single-disk;
+    sshd = ./sshd;
+    state-version = ./state-version;
+    static-hosts = ./static-hosts;
+    sunshine = ./sunshine;
+    syncthing = ./syncthing;
+    syncthing-static-peers = ./syncthing-static-peers;
+    thelounge = ./thelounge;
+    trusted-nix-caches = ./trusted-nix-caches;
+    user-password = ./user-password;
+    vaultwarden = ./vaultwarden;
+    wifi = ./wifi;
+    xfce = ./xfce;
+    zerotier = ./zerotier;
+    zerotier-static-peers = ./zerotier-static-peers;
+    zt-tcp-relay = ./zt-tcp-relay;
   };
-
-  # builtins.listToAttrs (
-  #   map (name: {
-  #     inherit name;
-  #     value = error;
-  #   }) modnames
-  # );
 }

clanModules/garage/README.md

@@ -0,0 +1,11 @@
+---
+description = "S3-compatible object store for small self-hosted geo-distributed deployments"
+categories = ["System"]
+features = [ "inventory", "deprecated" ]
+---
+
+This module generates garage specific keys automatically.
+Also shares the `rpc_secret` between instances.
+
+Options: [NixosModuleOptions](https://search.nixos.org/options?channel=unstable&size=50&sort=relevance&type=packages&query=garage)
+Documentation: https://garagehq.deuxfleurs.fr/

clanModules/garage/default.nix

@@ -0,0 +1,3 @@
+{
+  imports = [ ./roles/default.nix ];
+}

clanModules/garage/roles/default.nix

@@ -0,0 +1,50 @@
+{ config, pkgs, ... }:
+{
+
+  warnings = [
+    "The clan.ergochat module is deprecated and will be removed on 2025-07-15.
+      Please migrate to user-maintained configuration or the new equivalent clan services
+      (https://docs.clan.lol/reference/clanServices)."
+  ];
+
+  systemd.services.garage.serviceConfig = {
+    LoadCredential = [
+      "rpc_secret_path:${config.clan.core.vars.generators.garage-shared.files.rpc_secret.path}"
+      "admin_token_path:${config.clan.core.vars.generators.garage.files.admin_token.path}"
+      "metrics_token_path:${config.clan.core.vars.generators.garage.files.metrics_token.path}"
+    ];
+    Environment = [
+      "GARAGE_ALLOW_WORLD_READABLE_SECRETS=true"
+      "GARAGE_RPC_SECRET_FILE=%d/rpc_secret_path"
+      "GARAGE_ADMIN_TOKEN_FILE=%d/admin_token_path"
+      "GARAGE_METRICS_TOKEN_FILE=%d/metrics_token_path"
+    ];
+  };
+
+  clan.core.vars.generators.garage = {
+    files.admin_token = { };
+    files.metrics_token = { };
+    runtimeInputs = [
+      pkgs.coreutils
+      pkgs.openssl
+    ];
+    script = ''
+      openssl rand -base64 -out "$out"/admin_token 32
+      openssl rand -base64 -out "$out"/metrics_token 32
+    '';
+  };
+
+  clan.core.vars.generators.garage-shared = {
+    share = true;
+    files.rpc_secret = { };
+    runtimeInputs = [
+      pkgs.coreutils
+      pkgs.openssl
+    ];
+    script = ''
+      openssl rand -hex -out "$out"/rpc_secret 32
+    '';
+  };
+
+  clan.core.state.garage.folders = [ config.services.garage.settings.metadata_dir ];
+}

clanModules/heisenbridge/README.md

@@ -0,0 +1,5 @@
+---
+description = "A matrix bridge to communicate with IRC"
+categories = ["Social"]
+features = [ "inventory", "deprecated" ]
+---

clanModules/heisenbridge/default.nix

@@ -0,0 +1,3 @@
+{
+  imports = [ ./roles/default.nix ];
+}

clanModules/heisenbridge/roles/default.nix

@@ -0,0 +1,27 @@
+{
+  lib,
+  ...
+}:
+{
+  imports = [
+    (lib.mkRemovedOptionModule [
+      "clan"
+      "heisenbridge"
+      "enable"
+    ] "Importing the module will already enable the service.")
+  ];
+  config = {
+    warnings = [
+      "The clan.heisenbridge module is deprecated and will be removed on 2025-07-15.
+      Please migrate to user-maintained configuration or the new equivalent clan services
+      (https://docs.clan.lol/reference/clanServices)."
+    ];
+    services.heisenbridge = {
+      enable = true;
+      homeserver = "http://localhost:8008"; # TODO: Sync with matrix-synapse
+    };
+    services.matrix-synapse.settings.app_service_config_files = [
+      "/var/lib/heisenbridge/registration.yml"
+    ];
+  };
+}

clanModules/importer/roles/default.nix

@@ -0,0 +1 @@
+{ }

clanModules/iwd/README.md

@@ -0,0 +1,9 @@
+---
+description = "Automatically provisions wifi credentials"
+features = [ "inventory", "deprecated" ]
+categories = [ "Network" ]
+---
+
+!!! Warning
+    If you've been using network manager + wpa_supplicant and now are switching to IWD read this migration guide:
+    https://archive.kernel.org/oldwiki/iwd.wiki.kernel.org/networkmanager.html#converting_network_profiles

clanModules/iwd/default.nix

@@ -0,0 +1,6 @@
+# Dont import this file
+# It is only here for backwards compatibility.
+# Dont author new modules with this file.
+{
+  imports = [ ./roles/default.nix ];
+}

clanModules/iwd/roles/default.nix

@@ -0,0 +1,106 @@
+{
+  lib,
+  config,
+  pkgs,
+  ...
+}:
+
+let
+  cfg = config.clan.iwd;
+  secret_path = ssid: config.clan.core.vars.generators."iwd.${ssid}".files."iwd.${ssid}".path;
+  secret_generator = name: value: {
+    name = "iwd.${value.ssid}";
+    value =
+      let
+        secret_name = "iwd.${value.ssid}";
+      in
+      {
+        prompts.${secret_name} = {
+          description = "Wifi password for '${value.ssid}'";
+          persist = true;
+        };
+        migrateFact = secret_name;
+        # ref. man iwd.network
+        script = ''
+          config="
+          [Settings]
+            AutoConnect=${if value.AutoConnect then "true" else "false"}
+          [Security]
+            Passphrase=$(echo -e "$prompt_value/${secret_name}" | ${lib.getExe pkgs.gnused} "s=\\\=\\\\\\\=g;s=\t=\\\t=g;s=\r=\\\r=g;s=^ =\\\s=")
+          "
+          echo "$config" > "$out/${secret_name}"
+        '';
+      };
+  };
+in
+{
+  options.clan.iwd = {
+    networks = lib.mkOption {
+      type = lib.types.attrsOf (
+        lib.types.submodule (
+          { name, ... }:
+          {
+            options = {
+              ssid = lib.mkOption {
+                type = lib.types.str;
+                default = name;
+                description = "The name of the wifi network";
+              };
+              AutoConnect = lib.mkOption {
+                type = lib.types.bool;
+                default = true;
+                description = "Automatically try to join this wifi network";
+              };
+            };
+          }
+        )
+      );
+      default = { };
+      description = "Wifi networks to predefine";
+    };
+  };
+
+  imports = [
+    (lib.mkRemovedOptionModule [
+      "clan"
+      "iwd"
+      "enable"
+    ] "Just define clan.iwd.networks to enable it")
+  ];
+
+  config = lib.mkMerge [
+    (lib.mkIf (cfg.networks != { }) {
+      # Systemd tmpfiles rule to create /var/lib/iwd/example.psk file
+      systemd.tmpfiles.rules = lib.mapAttrsToList (
+        _: value: "C /var/lib/iwd/${value.ssid}.psk 0600 root root - ${secret_path value.ssid}"
+      ) cfg.networks;
+
+      clan.core.vars.generators = lib.mapAttrs' secret_generator cfg.networks;
+
+      # TODO: restart the iwd.service if something changes
+    })
+    {
+      warnings = [
+        "The clan.iwd module is deprecated and will be removed on 2025-07-15. Please migrate to a user-maintained configuration or use the wifi service."
+      ];
+
+      # disable wpa supplicant
+      networking.wireless.enable = false;
+
+      # Set the network manager backend to iwd
+      networking.networkmanager.wifi.backend = "iwd";
+
+      # Use iwd instead of wpa_supplicant. It has a user friendly CLI
+      networking.wireless.iwd = {
+        enable = true;
+        settings = {
+          Network = {
+            EnableIPv6 = true;
+            RoutePriorityOffset = 300;
+          };
+          Settings.AutoConnect = true;
+        };
+      };
+    }
+  ];
+}

clanModules/localbackup/README.md

@@ -0,0 +1,3 @@
+---
+description = "Automatically backups current machine to local directory."
+---

clanModules/localbackup/default.nix

@@ -0,0 +1,241 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  cfg = config.clan.localbackup;
+  uniqueFolders = lib.unique (
+    lib.flatten (lib.mapAttrsToList (_name: state: state.folders) config.clan.core.state)
+  );
+  rsnapshotConfig = target: ''
+    config_version	1.2
+    snapshot_root	${target.directory}
+    sync_first	1
+    cmd_cp	${pkgs.coreutils}/bin/cp
+    cmd_rm	${pkgs.coreutils}/bin/rm
+    cmd_rsync	${pkgs.rsync}/bin/rsync
+    cmd_ssh	${pkgs.openssh}/bin/ssh
+    cmd_logger	${pkgs.inetutils}/bin/logger
+    cmd_du	${pkgs.coreutils}/bin/du
+    cmd_rsnapshot_diff	${pkgs.rsnapshot}/bin/rsnapshot-diff
+
+    ${lib.optionalString (target.postBackupHook != null) ''
+      cmd_postexec	${pkgs.writeShellScript "postexec.sh" ''
+        set -efu -o pipefail
+        ${target.postBackupHook}
+      ''}
+    ''}
+    retain	snapshot	${builtins.toString config.clan.localbackup.snapshots}
+    ${lib.concatMapStringsSep "\n" (folder: ''
+      backup	${folder}	${config.networking.hostName}/
+    '') uniqueFolders}
+  '';
+in
+{
+  options.clan.localbackup = {
+    targets = lib.mkOption {
+      type = lib.types.attrsOf (
+        lib.types.submodule (
+          { name, ... }:
+          {
+            options = {
+              name = lib.mkOption {
+                type = lib.types.strMatching "^[a-zA-Z0-9._-]+$";
+                default = name;
+                description = "the name of the backup job";
+              };
+              directory = lib.mkOption {
+                type = lib.types.str;
+                description = "the directory to backup";
+              };
+              mountpoint = lib.mkOption {
+                type = lib.types.nullOr lib.types.str;
+                default = null;
+                description = "mountpoint of the directory to backup. If set, the directory will be mounted before the backup and unmounted afterwards";
+              };
+              preMountHook = lib.mkOption {
+                type = lib.types.nullOr lib.types.lines;
+                default = null;
+                description = "Shell commands to run before the directory is mounted";
+              };
+              postMountHook = lib.mkOption {
+                type = lib.types.nullOr lib.types.lines;
+                default = null;
+                description = "Shell commands to run after the directory is mounted";
+              };
+              preUnmountHook = lib.mkOption {
+                type = lib.types.nullOr lib.types.lines;
+                default = null;
+                description = "Shell commands to run before the directory is unmounted";
+              };
+              postUnmountHook = lib.mkOption {
+                type = lib.types.nullOr lib.types.lines;
+                default = null;
+                description = "Shell commands to run after the directory is unmounted";
+              };
+              preBackupHook = lib.mkOption {
+                type = lib.types.nullOr lib.types.lines;
+                default = null;
+                description = "Shell commands to run before the backup";
+              };
+              postBackupHook = lib.mkOption {
+                type = lib.types.nullOr lib.types.lines;
+                default = null;
+                description = "Shell commands to run after the backup";
+              };
+            };
+          }
+        )
+      );
+      default = { };
+      description = "List of directories where backups are stored";
+    };
+
+    snapshots = lib.mkOption {
+      type = lib.types.int;
+      default = 20;
+      description = "Number of snapshots to keep";
+    };
+  };
+
+  config =
+    let
+      mountHook = target: ''
+        if [[ -x /run/current-system/sw/bin/localbackup-mount-${target.name} ]]; then
+          /run/current-system/sw/bin/localbackup-mount-${target.name}
+        fi
+        if [[ -x /run/current-system/sw/bin/localbackup-unmount-${target.name} ]]; then
+          trap "/run/current-system/sw/bin/localbackup-unmount-${target.name}" EXIT
+        fi
+      '';
+    in
+    lib.mkIf (cfg.targets != { }) {
+      environment.systemPackages = [
+        (pkgs.writeShellScriptBin "localbackup-create" ''
+          set -efu -o pipefail
+          export PATH=${
+            lib.makeBinPath [
+              pkgs.rsnapshot
+              pkgs.coreutils
+              pkgs.util-linux
+            ]
+          }
+          ${lib.concatMapStringsSep "\n" (target: ''
+            ${mountHook target}
+            echo "Creating backup '${target.name}'"
+
+            ${lib.optionalString (target.preBackupHook != null) ''
+              (
+                ${target.preBackupHook}
+              )
+            ''}
+
+            declare -A preCommandErrors
+            ${lib.concatMapStringsSep "\n" (
+              state:
+              lib.optionalString (state.preBackupCommand != null) ''
+                echo "Running pre-backup command for ${state.name}"
+                if ! /run/current-system/sw/bin/${state.preBackupCommand}; then
+                  preCommandErrors["${state.name}"]=1
+                fi
+              ''
+            ) (builtins.attrValues config.clan.core.state)}
+
+            rsnapshot -c "${pkgs.writeText "rsnapshot.conf" (rsnapshotConfig target)}" sync
+            rsnapshot -c "${pkgs.writeText "rsnapshot.conf" (rsnapshotConfig target)}" snapshot
+          '') (builtins.attrValues cfg.targets)}'')
+        (pkgs.writeShellScriptBin "localbackup-list" ''
+          set -efu -o pipefail
+          export PATH=${
+            lib.makeBinPath [
+              pkgs.jq
+              pkgs.findutils
+              pkgs.coreutils
+              pkgs.util-linux
+            ]
+          }
+          (${
+            lib.concatMapStringsSep "\n" (target: ''
+              (
+                ${mountHook target}
+                find ${lib.escapeShellArg target.directory} -mindepth 1 -maxdepth 1 -name "snapshot.*" -print0 -type d \
+                  | jq -Rs 'split("\u0000") | .[] | select(. != "") | { "name": ("${target.name}::" + .)}'
+              )
+            '') (builtins.attrValues cfg.targets)
+          }) | jq -s .
+        '')
+        (pkgs.writeShellScriptBin "localbackup-restore" ''
+          set -efu -o pipefail
+          export PATH=${
+            lib.makeBinPath [
+              pkgs.rsync
+              pkgs.coreutils
+              pkgs.util-linux
+              pkgs.gawk
+            ]
+          }
+          if [[ "''${NAME:-}" == "" ]]; then
+            echo "No backup name given via NAME environment variable"
+            exit 1
+          fi
+          if [[ "''${FOLDERS:-}" == "" ]]; then
+            echo "No folders given via FOLDERS environment variable"
+            exit 1
+          fi
+          name=$(awk -F'::' '{print $1}' <<< $NAME)
+          backupname=''${NAME#$name::}
+
+          if command -v localbackup-mount-$name; then
+            localbackup-mount-$name
+          fi
+          if command -v localbackup-unmount-$name; then
+            trap "localbackup-unmount-$name" EXIT
+          fi
+
+          if [[ ! -d $backupname ]]; then
+            echo "No backup found $backupname"
+            exit 1
+          fi
+
+          IFS=':' read -ra FOLDER <<< "''$FOLDERS"
+          for folder in "''${FOLDER[@]}"; do
+            mkdir -p "$folder"
+            rsync -a "$backupname/${config.networking.hostName}$folder/" "$folder"
+          done
+        '')
+      ]
+      ++ (lib.mapAttrsToList (
+        name: target:
+        pkgs.writeShellScriptBin ("localbackup-mount-" + name) ''
+          set -efu -o pipefail
+          ${lib.optionalString (target.preMountHook != null) target.preMountHook}
+          ${lib.optionalString (target.mountpoint != null) ''
+            if ! ${pkgs.util-linux}/bin/mountpoint -q ${lib.escapeShellArg target.mountpoint}; then
+              ${pkgs.util-linux}/bin/mount -o X-mount.mkdir ${lib.escapeShellArg target.mountpoint}
+            fi
+          ''}
+          ${lib.optionalString (target.postMountHook != null) target.postMountHook}
+        ''
+      ) cfg.targets)
+      ++ lib.mapAttrsToList (
+        name: target:
+        pkgs.writeShellScriptBin ("localbackup-unmount-" + name) ''
+          set -efu -o pipefail
+          ${lib.optionalString (target.preUnmountHook != null) target.preUnmountHook}
+          ${lib.optionalString (
+            target.mountpoint != null
+          ) "${pkgs.util-linux}/bin/umount ${lib.escapeShellArg target.mountpoint}"}
+          ${lib.optionalString (target.postUnmountHook != null) target.postUnmountHook}
+        ''
+      ) cfg.targets;
+
+      clan.core.backups.providers.localbackup = {
+        # TODO list needs to run locally or on the remote machine
+        list = "localbackup-list";
+        create = "localbackup-create";
+        restore = "localbackup-restore";
+      };
+    };
+}

clanModules/localsend/README.md

@@ -0,0 +1,5 @@
+---
+description = "Securely sharing files and messages over a local network without internet connectivity."
+categories = ["Utility"]
+features = [ "inventory", "deprecated" ]
+---

clanModules/localsend/default.nix

@@ -0,0 +1,3 @@
+{
+  imports = [ ./roles/default.nix ];
+}

clanModules/localsend/localsend-ensure-config/default.nix

@@ -0,0 +1,22 @@
+{
+  lib,
+  writers,
+  writeShellScriptBin,
+  localsend,
+  alias ? null,
+}:
+let
+  localsend-ensure-config = writers.writePython3 "localsend-ensure-config" {
+    flakeIgnore = [
+      # We don't live in the dark ages anymore.
+      # Languages like Python that are whitespace heavy will overrun
+      # 79 characters..
+      "E501"
+    ];
+  } (builtins.readFile ./localsend-ensure-config.py);
+in
+writeShellScriptBin "localsend" ''
+  set -xeu
+  ${localsend-ensure-config} ${lib.optionalString (alias != null) alias}
+  ${lib.getExe localsend}
+''

clanModules/localsend/localsend-ensure-config/localsend-ensure-config.py

@@ -0,0 +1,64 @@
+import json
+import sys
+from pathlib import Path
+
+
+def load_json(file_path: Path) -> dict[str, any]:
+    try:
+        with file_path.open("r") as file:
+            return json.load(file)
+    except FileNotFoundError:
+        return {}
+
+
+def save_json(file_path: Path, data: dict[str, any]) -> None:
+    with file_path.open("w") as file:
+        json.dump(data, file, indent=4)
+
+
+def update_json(file_path: Path, updates: dict[str, any]) -> None:
+    data = load_json(file_path)
+    data.update(updates)
+    save_json(file_path, data)
+
+
+def config_location() -> str:
+    config_file = "shared_preferences.json"
+    config_directory = ".local/share/org.localsend.localsend_app"
+    config_path = Path.home() / Path(config_directory) / Path(config_file)
+    return config_path
+
+
+def ensure_config_directory() -> None:
+    config_directory = Path(config_location()).parent
+    config_directory.mkdir(parents=True, exist_ok=True)
+
+
+def load_config() -> dict[str, any]:
+    return load_json(config_location())
+
+
+def save_config(data: dict[str, any]) -> None:
+    save_json(config_location(), data)
+
+
+def update_username(username: str, data: dict[str, any]) -> dict[str, any]:
+    data["flutter.ls_alias"] = username
+    return data
+
+
+def main(argv: list[str]) -> None:
+    try:
+        display_name = argv[1]
+    except IndexError:
+        # This is not an error, just don't update the name
+        print("No display name provided.")
+        sys.exit(0)
+
+    ensure_config_directory()
+    updated_data = update_username(display_name, load_config())
+    save_config(updated_data)
+
+
+if __name__ == "__main__":
+    main(sys.argv[:2])

clanModules/localsend/roles/default.nix

@@ -0,0 +1,69 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+
+let
+  cfg = config.clan.localsend;
+in
+{
+  # Integration can be improved, if the following issues get implemented:
+  # - cli frontend: https://github.com/localsend/localsend/issues/11
+  # - ipv6 support: https://github.com/localsend/localsend/issues/549
+  options.clan.localsend = {
+
+    displayName = lib.mkOption {
+      type = lib.types.nullOr lib.types.str;
+      default = null;
+      description = "The name that localsend will use to display your instance.";
+    };
+
+    package = lib.mkPackageOption pkgs "localsend" { };
+
+    ipv4Addr = lib.mkOption {
+      type = lib.types.nullOr lib.types.str;
+      default = null;
+      example = "192.168.56.2/24";
+      description = "Optional IPv4 address for ZeroTier network.";
+    };
+  };
+
+  imports = [
+    (lib.mkRemovedOptionModule [
+      "clan"
+      "localsend"
+      "enable"
+    ] "Importing the module will already enable the service.")
+  ];
+  config = {
+    warnings = [
+      "The clan.localsend module is deprecated and will be removed on 2025-07-15.
+      Please migrate to user-maintained configuration or the new equivalent clan services
+      (https://docs.clan.lol/reference/clanServices)."
+    ];
+
+    clan.core.state.localsend.folders = [
+      "/var/localsend"
+    ];
+    environment.systemPackages = [
+      (pkgs.callPackage ./localsend-ensure-config {
+        localsend = config.clan.localsend.package;
+        alias = config.clan.localsend.displayName;
+      })
+    ];
+
+    networking.firewall.interfaces."zt+".allowedTCPPorts = [ 53317 ];
+    networking.firewall.interfaces."zt+".allowedUDPPorts = [ 53317 ];
+
+    #TODO: This is currently needed because there is no ipv6 multicasting support yet
+    systemd.network.networks = lib.mkIf (cfg.ipv4Addr != null) {
+      "09-zerotier" = {
+        networkConfig = {
+          Address = cfg.ipv4Addr;
+        };
+      };
+    };
+  };
+}

clanModules/matrix-synapse/README.md

@@ -0,0 +1,3 @@
+---
+description = "A federated messaging server with end-to-end encryption."
+---

clanModules/matrix-synapse/default.nix

@@ -0,0 +1,207 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  cfg = config.clan.matrix-synapse;
+  element-web =
+    pkgs.runCommand "element-web-with-config" { nativeBuildInputs = [ pkgs.buildPackages.jq ]; }
+      ''
+        cp -r ${pkgs.element-web} $out
+        chmod -R u+w $out
+        jq '."default_server_config"."m.homeserver" = { "base_url": "https://${cfg.app_domain}:443", "server_name": "${cfg.server_tld}" }' \
+          > $out/config.json < ${pkgs.element-web}/config.json
+        ln -s $out/config.json $out/config.${cfg.app_domain}.json
+      '';
+in
+# FIXME: This was taken from upstream. Drop this when our patch is upstream
+{
+  options.services.matrix-synapse.package = lib.mkOption { readOnly = false; };
+  options.clan.matrix-synapse = {
+    server_tld = lib.mkOption {
+      type = lib.types.str;
+      description = "The address that is suffixed after your username i.e @alice:example.com";
+      example = "example.com";
+    };
+
+    app_domain = lib.mkOption {
+      type = lib.types.str;
+      description = "The matrix server hostname also serves the element client";
+      example = "matrix.example.com";
+    };
+
+    users = lib.mkOption {
+      default = { };
+      type = lib.types.attrsOf (
+        lib.types.submodule (
+          { name, ... }:
+          {
+            options = {
+              name = lib.mkOption {
+                type = lib.types.str;
+                default = name;
+                description = "The name of the user";
+              };
+
+              admin = lib.mkOption {
+                type = lib.types.bool;
+                default = false;
+                description = "Whether the user should be an admin";
+              };
+            };
+          }
+        )
+      );
+      description = "A list of users. Not that only new users will be created and existing ones are not modified.";
+      example.alice = {
+        admin = true;
+      };
+    };
+  };
+  imports = [
+    (lib.mkRemovedOptionModule [
+      "clan"
+      "matrix-synapse"
+      "enable"
+    ] "Importing the module will already enable the service.")
+    ../nginx
+  ];
+  config = {
+    services.matrix-synapse = {
+      enable = true;
+      settings = {
+        server_name = cfg.server_tld;
+        database = {
+          args.user = "matrix-synapse";
+          args.database = "matrix-synapse";
+          name = "psycopg2";
+        };
+        turn_uris = [
+          "turn:turn.matrix.org?transport=udp"
+          "turn:turn.matrix.org?transport=tcp"
+        ];
+        registration_shared_secret_path = "/run/synapse-registration-shared-secret";
+        listeners = [
+          {
+            port = 8008;
+            bind_addresses = [ "::1" ];
+            type = "http";
+            tls = false;
+            x_forwarded = true;
+            resources = [
+              {
+                names = [ "client" ];
+                compress = true;
+              }
+              {
+                names = [ "federation" ];
+                compress = false;
+              }
+            ];
+          }
+        ];
+      };
+    };
+
+    clan.core.postgresql.enable = true;
+    clan.core.postgresql.users.matrix-synapse = { };
+    clan.core.postgresql.databases.matrix-synapse.create.options = {
+      TEMPLATE = "template0";
+      LC_COLLATE = "C";
+      LC_CTYPE = "C";
+      ENCODING = "UTF8";
+      OWNER = "matrix-synapse";
+    };
+    clan.core.postgresql.databases.matrix-synapse.restore.stopOnRestore = [ "matrix-synapse" ];
+
+    clan.core.vars.generators = {
+      "matrix-synapse" = {
+        files."synapse-registration_shared_secret" = { };
+        runtimeInputs = with pkgs; [
+          coreutils
+          pwgen
+        ];
+        migrateFact = "matrix-synapse";
+        script = ''
+          echo -n "$(pwgen -s 32 1)" > "$out"/synapse-registration_shared_secret
+        '';
+      };
+    }
+    // lib.mapAttrs' (
+      name: user:
+      lib.nameValuePair "matrix-password-${user.name}" {
+        files."matrix-password-${user.name}" = { };
+        migrateFact = "matrix-password-${user.name}";
+        runtimeInputs = with pkgs; [ xkcdpass ];
+        script = ''
+          xkcdpass -n 4 -d - > "$out"/${lib.escapeShellArg "matrix-password-${user.name}"}
+        '';
+      }
+    ) cfg.users;
+
+    systemd.services.matrix-synapse =
+      let
+        usersScript = ''
+          while ! ${pkgs.netcat}/bin/nc -z -v ::1 8008; do
+            if ! kill -0 "$MAINPID"; then exit 1; fi
+            sleep 1;
+          done
+        ''
+        + lib.concatMapStringsSep "\n" (user: ''
+          # only create user if it doesn't exist
+          /run/current-system/sw/bin/matrix-synapse-register_new_matrix_user --exists-ok --password-file ${
+            config.clan.core.vars.generators."matrix-password-${user.name}".files."matrix-password-${user.name}".path
+          } --user "${user.name}" ${if user.admin then "--admin" else "--no-admin"}
+        '') (lib.attrValues cfg.users);
+      in
+      {
+        path = [ pkgs.curl ];
+        serviceConfig.ExecStartPre = lib.mkBefore [
+          "+${pkgs.coreutils}/bin/install -o matrix-synapse -g matrix-synapse ${
+            lib.escapeShellArg
+              config.clan.core.vars.generators.matrix-synapse.files."synapse-registration_shared_secret".path
+          } /run/synapse-registration-shared-secret"
+        ];
+        serviceConfig.ExecStartPost = [
+          ''+${pkgs.writeShellScript "matrix-synapse-create-users" usersScript}''
+        ];
+      };
+
+    services.nginx = {
+      enable = true;
+      virtualHosts = {
+        "${cfg.server_tld}" = {
+          locations."= /.well-known/matrix/server".extraConfig = ''
+            add_header Content-Type application/json;
+            return 200 '${builtins.toJSON { "m.server" = "${cfg.app_domain}:443"; }}';
+          '';
+          locations."= /.well-known/matrix/client".extraConfig = ''
+            add_header Content-Type application/json;
+            add_header Access-Control-Allow-Origin *;
+            return 200 '${
+              builtins.toJSON {
+                "m.homeserver" = {
+                  "base_url" = "https://${cfg.app_domain}";
+                };
+                "m.identity_server" = {
+                  "base_url" = "https://vector.im";
+                };
+              }
+            }';
+          '';
+          forceSSL = true;
+          enableACME = true;
+        };
+        "${cfg.app_domain}" = {
+          forceSSL = true;
+          enableACME = true;
+          locations."/".root = element-web;
+          locations."/_matrix".proxyPass = "http://localhost:8008"; # TODO: We should make the port configurable
+          locations."/_synapse".proxyPass = "http://localhost:8008";
+        };
+      };
+    };
+  };
+}

clanModules/moonlight/README.md

@@ -0,0 +1,5 @@
+---
+description = "A desktop streaming client optimized for remote gaming and synchronized movie viewing."
+---
+
+**Warning**: This module was written with our VM integration in mind likely won't work outside of this context. They will be generalized in future.

clanModules/moonlight/default.nix

@@ -0,0 +1,91 @@
+{ pkgs, config, ... }:
+let
+  ms-accept = pkgs.callPackage ../../pkgs/moonlight-sunshine-accept { };
+  defaultPort = 48011;
+in
+{
+  warnings = [
+    "The clan.moonlight module is deprecated and will be removed on 2025-07-15. Please migrate to user-maintained configuration."
+  ];
+
+  hardware.opengl.enable = true;
+  environment.systemPackages = [
+    pkgs.moonlight-qt
+    ms-accept
+  ];
+
+  systemd.tmpfiles.rules = [
+    "d '/var/lib/moonlight' 0770 'user' 'users' - -"
+    "C '/var/lib/moonlight/moonlight.cert' 0644 'user' 'users' - ${
+      config.clan.core.vars.generators.moonlight.files."moonlight.cert".path or ""
+    }"
+    "C '/var/lib/moonlight/moonlight.key' 0644 'user' 'users' - ${
+      config.clan.core.vars.generators.moonlight.files."moonlight.key".path or ""
+    }"
+  ];
+
+  systemd.user.services.init-moonlight = {
+    enable = false;
+    description = "Initializes moonlight";
+    wantedBy = [ "graphical-session.target" ];
+    script = ''
+      ${ms-accept}/bin/moonlight-sunshine-accept moonlight init-config --key /var/lib/moonlight/moonlight.key --cert /var/lib/moonlight/moonlight.cert
+    '';
+    serviceConfig = {
+      user = "user";
+      Type = "oneshot";
+      WorkingDirectory = "/home/user/";
+      RunTimeDirectory = "moonlight";
+      TimeoutSec = "infinity";
+      Restart = "on-failure";
+      RemainAfterExit = true;
+      ReadOnlyPaths = [
+        "/var/lib/moonlight/moonlight.key"
+        "/var/lib/moonlight/moonlight.cert"
+      ];
+    };
+  };
+
+  systemd.user.services.moonlight-join = {
+    description = "Join sunshine hosts";
+    script = ''${ms-accept}/bin/moonlight-sunshine-accept moonlight join --port ${builtins.toString defaultPort} --cert '${
+      config.clan.core.vars.generators.moonlight.files."moonlight.cert".value or ""
+    }' --host fd2e:25da:6035:c98f:cd99:93e0:b9b8:9ca1'';
+    serviceConfig = {
+      Type = "oneshot";
+      TimeoutSec = "infinity";
+      Restart = "on-failure";
+      ReadOnlyPaths = [
+        "/var/lib/moonlight/moonlight.key"
+        "/var/lib/moonlight/moonlight.cert"
+      ];
+    };
+  };
+  systemd.user.timers.moonlight-join = {
+    description = "Join sunshine hosts";
+    wantedBy = [ "timers.target" ];
+    timerConfig = {
+      OnUnitActiveSec = "5min";
+      OnBootSec = "0min";
+      Persistent = true;
+      Unit = "moonlight-join.service";
+    };
+  };
+
+  clan.core.vars.generators.moonlight = {
+    migrateFact = "moonlight";
+    files."moonlight.key" = { };
+    files."moonlight.cert" = { };
+    files."moonlight.cert".secret = false;
+    runtimeInputs = [
+      pkgs.coreutils
+      ms-accept
+    ];
+    script = ''
+      moonlight-sunshine-accept moonlight init
+      mv credentials/cakey.pem "$out"/moonlight.key
+      cp credentials/cacert.pem "$out"/moonlight.cert
+      mv credentials/cacert.pem "$out"/moonlight.cert
+    '';
+  };
+}

clanModules/mumble/README.md

@@ -0,0 +1,19 @@
+---
+description = "Open Source, Low Latency, High Quality Voice Chat."
+categories = ["Audio", "Social"]
+features = [ "inventory" ]
+
+[constraints]
+roles.server.min = 1
+---
+
+The mumble clan module gives you:
+
+- True low latency voice communication.
+- Secure, authenticated encryption.
+- Free software.
+- Backed by a large and active open-source community.
+
+This all set up in a way that allows peer-to-peer hosting.
+Every machine inside the clan can be a host for mumble,
+and thus it doesn't matter who in the network is online - as long as two people are online they are able to chat with each other.

clanModules/mumble/default.nix

@@ -0,0 +1,6 @@
+# Dont import this file
+# It is only here for backwards compatibility.
+# Dont author new modules with this file.
+{
+  imports = [ ./roles/server.nix ];
+}

clanModules/mumble/roles/mumble-populate-channels.py

@@ -0,0 +1,247 @@
+import argparse
+import json
+import sqlite3
+from pathlib import Path
+
+
+def ensure_config(path: Path, db_path: Path) -> None:
+    # Default JSON structure if the file doesn't exist
+    default_json = {
+        "misc": {
+            "audio_wizard_has_been_shown": True,
+            "database_location": str(db_path),
+            "viewed_server_ping_consent_message": True,
+        },
+        "settings_version": 1,
+    }
+
+    # Check if the file exists
+    if path.exists():
+        data = json.loads(path.read_text())
+    else:
+        data = default_json
+        # Create the file with default JSON structure
+        with path.open("w") as file:
+            json.dump(data, file, indent=4)
+
+    # TODO: make sure to only update the diff
+    updated_data = {**default_json, **data}
+
+    # Write the modified JSON object back to the file
+    with path.open("w") as file:
+        json.dump(updated_data, file, indent=4)
+
+
+def initialize_database(db_location: str) -> None:
+    """
+    Initializes the database. If the database or the servers table does not exist, it creates them.
+
+    :param db_location: The path to the SQLite database
+    """
+    conn = sqlite3.connect(db_location)
+    try:
+        cursor = conn.cursor()
+
+        # Create the servers table if it doesn't exist
+        cursor.execute("""
+        CREATE TABLE IF NOT EXISTS servers (
+            id INTEGER PRIMARY KEY AUTOINCREMENT,
+            name TEXT NOT NULL,
+            hostname TEXT NOT NULL,
+            port INTEGER NOT NULL,
+            username TEXT NOT NULL,
+            password TEXT NOT NULL,
+            url TEXT
+        )
+        """)
+
+        # Commit the changes
+        conn.commit()
+
+    except sqlite3.Error as e:
+        print(f"An error occurred while initializing the database: {e}")
+    finally:
+        conn.close()
+
+
+def initialize_certificates(
+    db_location: str, hostname: str, port: str, digest: str
+) -> None:
+    # Connect to the SQLite database
+    conn = sqlite3.connect(db_location)
+
+    try:
+        # Create a cursor object
+        cursor = conn.cursor()
+
+        # TODO: check if cert already there
+        # if server_check(cursor, name, hostname):
+        #     print(
+        #         f"Server with name '{name}' and hostname '{hostname}' already exists."
+        #     )
+        #     return
+
+        # SQL command to insert data into the servers table
+        insert_query = """
+        INSERT INTO cert (hostname, port, digest)
+        VALUES (?, ?, ?)
+        """
+
+        # Data to be inserted
+        data = (hostname, port, digest)
+
+        # Execute the insert command with the provided data
+        cursor.execute(insert_query, data)
+
+        # Commit the changes
+        conn.commit()
+
+        print("Data has been successfully inserted.")
+    except sqlite3.Error as e:
+        print(f"An error occurred: {e}")
+    finally:
+        # Close the connection
+        conn.close()
+
+
+def calculate_digest(cert: str) -> str:
+    from cryptography import x509
+    from cryptography.hazmat.backends import default_backend
+    from cryptography.hazmat.primitives import hashes
+
+    cert = cert.strip()
+    cert = cert.encode("utf-8")
+    cert = x509.load_pem_x509_certificate(cert, default_backend())
+    digest = cert.fingerprint(hashes.SHA1()).hex()
+    return digest
+
+
+def server_check(cursor: str, name: str, hostname: str) -> bool:
+    """
+    Check if a server with the given name and hostname already exists.
+
+    :param cursor: The database cursor
+    :param name: The name of the server
+    :param hostname: The hostname of the server
+    :return: True if the server exists, False otherwise
+    """
+    check_query = """
+    SELECT 1 FROM servers WHERE name = ? AND hostname = ?
+    """
+    cursor.execute(check_query, (name, hostname))
+    return cursor.fetchone() is not None
+
+
+def insert_server(
+    name: str,
+    hostname: str,
+    port: str,
+    username: str,
+    password: str,
+    url: str,
+    db_location: str,
+) -> None:
+    """
+    Inserts a new server record into the servers table.
+
+    :param name: The name of the server
+    :param hostname: The hostname of the server
+    :param port: The port number
+    :param username: The username
+    :param password: The password
+    :param url: The URL
+    """
+    # Connect to the SQLite database
+    conn = sqlite3.connect(db_location)
+
+    try:
+        # Create a cursor object
+        cursor = conn.cursor()
+
+        if server_check(cursor, name, hostname):
+            print(
+                f"Server with name '{name}' and hostname '{hostname}' already exists."
+            )
+            return
+
+        # SQL command to insert data into the servers table
+        insert_query = """
+        INSERT INTO servers (name, hostname, port, username, password, url)
+        VALUES (?, ?, ?, ?, ?, ?)
+        """
+
+        # Data to be inserted
+        data = (name, hostname, port, username, password, url)
+
+        # Execute the insert command with the provided data
+        cursor.execute(insert_query, data)
+
+        # Commit the changes
+        conn.commit()
+
+        print("Data has been successfully inserted.")
+    except sqlite3.Error as e:
+        print(f"An error occurred: {e}")
+    finally:
+        # Close the connection
+        conn.close()
+
+
+if __name__ == "__main__":
+    port = 64738
+    password = ""
+    url = None
+
+    parser = argparse.ArgumentParser(
+        prog="initialize_mumble",
+    )
+
+    subparser = parser.add_subparsers(dest="certificates")
+    # cert_parser = subparser.add_parser("certificates")
+
+    parser.add_argument("--cert")
+    parser.add_argument("--digest")
+    parser.add_argument("--machines")
+    parser.add_argument("--servers")
+    parser.add_argument("--username")
+    parser.add_argument("--db-location")
+    parser.add_argument("--ensure-config", type=Path)
+    args = parser.parse_args()
+
+    print(args)
+
+    if args.ensure_config:
+        ensure_config(args.ensure_config, args.db_location)
+        print("Initialized config")
+        exit(0)
+
+    if args.servers:
+        print(args.servers)
+        servers = json.loads(f"{args.servers}")
+        db_location = args.db_location
+        for server in servers:
+            digest = calculate_digest(server.get("value"))
+            name = server.get("name")
+            initialize_certificates(db_location, name, port, digest)
+        print("Initialized certificates")
+        exit(0)
+
+    initialize_database(args.db_location)
+
+    # Insert the server into the database
+    print(args.machines)
+    machines = json.loads(f"{args.machines}")
+    print(machines)
+    print(list(machines))
+
+    for machine in list(machines):
+        print(f"Inserting {machine}.")
+        insert_server(
+            machine,
+            machine,
+            port,
+            args.username,
+            password,
+            url,
+            args.db_location,
+        )

clanModules/mumble/roles/server.nix

@@ -0,0 +1,150 @@
+{
+  lib,
+  config,
+  pkgs,
+  ...
+}:
+let
+  dir = config.clan.core.settings.directory;
+  # TODO: this should actually use the inventory to figure out which machines to use.
+  machineDir = dir + "/vars/per-machine";
+  machinesFileSet = builtins.readDir machineDir;
+  machines = lib.mapAttrsToList (name: _: name) machinesFileSet;
+  machineJson = builtins.toJSON machines;
+  certificateMachinePath = machines: machineDir + "/${machines}" + "/mumble/mumble-cert/value";
+  certificatesUnchecked = builtins.map (
+    machine:
+    let
+      fullPath = certificateMachinePath machine;
+    in
+    if builtins.pathExists fullPath then machine else null
+  ) machines;
+  certificate = lib.filter (machine: machine != null) certificatesUnchecked;
+  machineCert = builtins.map (
+    machine: (lib.nameValuePair machine (builtins.readFile (certificateMachinePath machine)))
+  ) certificate;
+  machineCertJson = builtins.toJSON machineCert;
+
+in
+{
+  options.clan.services.mumble = {
+    user = lib.mkOption {
+      type = lib.types.nullOr lib.types.str;
+      default = null;
+      example = "alice";
+      description = "The user mumble should be set up for.";
+    };
+  };
+
+  config = {
+
+    warnings = [
+      "The clan.mumble module is deprecated and will be removed on 2025-07-15.
+      Please migrate to user-maintained configuration or the new equivalent clan services
+      (https://docs.clan.lol/reference/clanServices)."
+    ];
+
+    services.murmur = {
+      enable = true;
+      logDays = -1;
+      registerName = config.clan.core.settings.machine.name;
+      openFirewall = true;
+      bonjour = true;
+      sslKey = "/var/lib/murmur/sslKey";
+      sslCert = "/var/lib/murmur/sslCert";
+    };
+
+    clan.core.state.mumble.folders = [
+      "/var/lib/mumble"
+      "/var/lib/murmur"
+    ];
+
+    systemd.tmpfiles.rules = [
+      "d '/var/lib/mumble' 0770 '${config.clan.services.mumble.user}' 'users' - -"
+    ];
+
+    systemd.tmpfiles.settings."murmur" = {
+      "/var/lib/murmur/sslKey" = {
+        C.argument = config.clan.core.vars.generators.mumble.files.mumble-key.path;
+        Z = {
+          mode = "0400";
+          user = "murmur";
+        };
+      };
+      "/var/lib/murmur/sslCert" = {
+        C.argument = config.clan.core.vars.generators.mumble.files.mumble-cert.path;
+        Z = {
+          mode = "0400";
+          user = "murmur";
+        };
+      };
+    };
+
+    environment.systemPackages =
+      let
+        mumbleCfgDir = "/var/lib/mumble";
+        mumbleDatabasePath = "${mumbleCfgDir}/mumble.sqlite";
+        mumbleCfgPath = "/var/lib/mumble/mumble_settings.json";
+        populate-channels = pkgs.writers.writePython3 "mumble-populate-channels" {
+          libraries = [
+            pkgs.python3Packages.cryptography
+            pkgs.python3Packages.pyopenssl
+          ];
+          flakeIgnore = [
+            # We don't live in the dark ages anymore.
+            # Languages like Python that are whitespace heavy will overrun
+            # 79 characters..
+            "E501"
+          ];
+        } (builtins.readFile ./mumble-populate-channels.py);
+        mumble = pkgs.writeShellScriptBin "mumble" ''
+          set -xeu
+          mkdir -p ${mumbleCfgDir}
+          pushd "${mumbleCfgDir}"
+          XDG_DATA_HOME=${mumbleCfgDir}
+          XDG_DATA_DIR=${mumbleCfgDir}
+          ${populate-channels} --ensure-config '${mumbleCfgPath}' --db-location ${mumbleDatabasePath}
+          ${populate-channels} --machines '${machineJson}' --username ${config.clan.core.settings.machine.name} --db-location ${mumbleDatabasePath}
+          ${populate-channels} --servers '${machineCertJson}' --username ${config.clan.core.settings.machine.name} --db-location ${mumbleDatabasePath} --cert True
+          ${pkgs.mumble}/bin/mumble --config ${mumbleCfgPath} "$@"
+          popd
+        '';
+      in
+      [ mumble ];
+
+    clan.core.vars.generators.mumble = {
+      migrateFact = "mumble";
+      files.mumble-key = { };
+      files.mumble-cert.secret = false;
+      runtimeInputs = [
+        pkgs.coreutils
+        pkgs.openssl
+      ];
+      script = ''
+        openssl genrsa -out "$out/mumble-key" 2048
+
+        cat > mumble-cert.conf <<EOF
+        [ req ]
+        default_bits = 2048
+        distinguished_name = req_distinguished_name
+        req_extensions = req_ext
+        prompt = no
+        [ req_distinguished_name ]
+        C = "US"
+        ST = "California"
+        L = "San Francisco"
+        O = "Clan"
+        OU = "Clan"
+        CN = "${config.clan.core.settings.machine.name}"
+        [ req_ext ]
+        subjectAltName = @alt_names
+        [ alt_names ]
+        DNS.1 = "${config.clan.core.settings.machine.name}"
+        EOF
+
+        openssl req -new -x509 -config mumble-cert.conf -key "$out/mumble-key" -out "$out/mumble-cert" < /dev/null
+      '';
+    };
+  };
+
+}

clanModules/mycelium/README.md

@@ -0,0 +1,30 @@
+---
+description = "End-2-end encrypted IPv6 overlay network"
+categories = ["System", "Network"]
+features = [ "inventory", "deprecated" ]
+---
+Mycelium is an IPv6 overlay network written in Rust. Each node that joins the overlay network will receive an overlay network IP in the 400::/7 range.
+
+Features:
+- Mycelium, is locality aware, it will look for the shortest path between nodes
+- All traffic between the nodes is end-2-end encrypted
+- Traffic can be routed over nodes of friends, location aware
+- If a physical link goes down Mycelium will automatically reroute your traffic
+- The IP address is IPV6 and linked to private key
+- A simple reliable messagebus is implemented on top of Mycelium
+- Mycelium has multiple ways how to communicate quic, tcp, ... and we are working on holepunching for Quick which means P2P traffic without middlemen for NATted networks e.g. most homes
+- Scalability is very important for us, we tried many overlay networks before and got stuck on all of them, we are trying to design a network which scales to a planetary level
+- You can run mycelium without TUN and only use it as reliable message bus.
+
+
+An example configuration might look like this in the inventory:
+```nix
+mycelium.default = {
+  roles.peer.machines = [
+    "berlin"
+    "munich"
+  ];
+};
+```
+
+This will add the machines named `berlin` and `munich` to the `mycelium` vpn.

clanModules/mycelium/roles/peer.nix

@@ -0,0 +1,51 @@
+{
+  pkgs,
+  config,
+  lib,
+  ...
+}:
+{
+  options = {
+    clan.mycelium.openFirewall = lib.mkOption {
+      type = lib.types.bool;
+      default = true;
+      description = "Open the firewall for mycelium";
+    };
+
+    clan.mycelium.addHostedPublicNodes = lib.mkOption {
+      type = lib.types.bool;
+      default = true;
+      description = "Add hosted Public nodes";
+    };
+  };
+
+  config.warnings = [
+    "The clan.mycelium module is deprecated and will be removed on 2025-07-15.
+      Please migrate to user-maintained configuration or the new equivalent clan services
+      (https://docs.clan.lol/reference/clanServices)."
+  ];
+
+  config.services.mycelium = {
+    enable = true;
+    addHostedPublicNodes = lib.mkDefault config.clan.mycelium.addHostedPublicNodes;
+    openFirewall = lib.mkDefault config.clan.mycelium.openFirewall;
+    keyFile = config.clan.core.vars.generators.mycelium.files.key.path;
+  };
+
+  config.clan.core.vars.generators.mycelium = {
+    files."key" = { };
+    files."ip".secret = false;
+    files."pubkey".secret = false;
+    runtimeInputs = [
+      pkgs.mycelium
+      pkgs.coreutils
+      pkgs.jq
+    ];
+    script = ''
+      timeout 5 mycelium --key-file "$out"/key || :
+      mycelium inspect --key-file "$out"/key --json | jq -r .publicKey > "$out"/pubkey
+      mycelium inspect --key-file "$out"/key --json | jq -r .address > "$out"/ip
+    '';
+  };
+
+}

clanModules/nginx/README.md

@@ -0,0 +1,3 @@
+---
+description = "Good defaults for the nginx webserver"
+---

clanModules/nginx/default.nix

@@ -0,0 +1,68 @@
+{ config, lib, ... }:
+
+{
+
+  imports = [
+    (lib.mkRemovedOptionModule [
+      "clan"
+      "nginx"
+      "enable"
+    ] "Importing the module will already enable the service.")
+
+  ];
+  options = {
+    clan.nginx.acme.email = lib.mkOption {
+      type = lib.types.str;
+      description = ''
+        Email address for account creation and correspondence from the CA.
+        It is recommended to use the same email for all certs to avoid account
+        creation limits.
+      '';
+    };
+  };
+  config = {
+    security.acme.acceptTerms = true;
+    security.acme.defaults.email = config.clan.nginx.acme.email;
+
+    networking.firewall.allowedTCPPorts = [
+      443
+      80
+    ];
+
+    services.nginx = {
+      enable = true;
+
+      statusPage = lib.mkDefault true;
+      recommendedBrotliSettings = lib.mkDefault true;
+      recommendedGzipSettings = lib.mkDefault true;
+      recommendedOptimisation = lib.mkDefault true;
+      recommendedProxySettings = lib.mkDefault true;
+      recommendedTlsSettings = lib.mkDefault true;
+
+      # Nginx sends all the access logs to /var/log/nginx/access.log by default.
+      # instead of going to the journal!
+      commonHttpConfig = "access_log syslog:server=unix:/dev/log;";
+
+      resolver.addresses =
+        let
+          isIPv6 = addr: builtins.match ".*:.*:.*" addr != null;
+          escapeIPv6 = addr: if isIPv6 addr then "[${addr}]" else addr;
+          cloudflare = [
+            "1.1.1.1"
+            "2606:4700:4700::1111"
+          ];
+          resolvers =
+            if config.networking.nameservers == [ ] then cloudflare else config.networking.nameservers;
+        in
+        map escapeIPv6 resolvers;
+
+      sslDhparam = config.security.dhparams.params.nginx.path;
+    };
+
+    security.dhparams = {
+      enable = true;
+      params.nginx = { };
+    };
+  };
+
+}

clanModules/packages/README.md

@@ -0,0 +1,5 @@
+---
+description = "Define package sets from nixpkgs and install them on one or more machines"
+categories = ["System"]
+features = [ "inventory", "deprecated" ]
+---

clanModules/packages/default.nix

@@ -0,0 +1,6 @@
+# Dont import this file
+# It is only here for backwards compatibility.
+# Dont author new modules with this file.
+{
+  imports = [ ./roles/default.nix ];
+}

clanModules/packages/roles/default.nix

@@ -0,0 +1,25 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+{
+  options.clan.packages = {
+    packages = lib.mkOption {
+      type = lib.types.listOf lib.types.str;
+      description = "The packages to install on the machine";
+    };
+  };
+  config = {
+
+    warnings = [
+      "The clan.packages module is deprecated and will be removed on 2025-07-15.
+      Please migrate to user-maintained configuration or the new equivalent clan services
+      (https://docs.clan.lol/reference/clanServices)."
+    ];
+    environment.systemPackages = map (
+      pName: lib.getAttrFromPath (lib.splitString "." pName) pkgs
+    ) config.clan.packages.packages;
+  };
+}

clanModules/postgresql/README.md

@@ -0,0 +1,3 @@
+---
+description = "A free and open-source relational database management system (RDBMS) emphasizing extensibility and SQL compliance."
+---

clanModules/postgresql/default.nix

@@ -0,0 +1,9 @@
+{ lib, ... }:
+{
+  imports = [
+    (lib.mkRemovedOptionModule [
+      "clan"
+      "postgresql"
+    ] "The postgresql module has been migrated to a clan core option. Use clan.core.postgresql instead")
+  ];
+}

clanModules/root-password/README.md

@@ -0,0 +1,20 @@
+---
+description = "Automatically generates and configures a password for the root user."
+categories = ["System"]
+features = ["inventory", "deprecated"]
+---
+
+This module is deprecated and will be removed in a future release. It's functionality has been replaced by the user-password service.
+
+After the system was installed/deployed the following command can be used to display the root-password:
+
+```bash
+clan vars get [machine_name] root-password/root-password
+```
+
+See also: [Vars](../../concepts/generators.md)
+
+To regenerate the password run:
+```
+clan vars generate --regenerate [machine_name] --generator root-password
+```

clanModules/root-password/default.nix

@@ -0,0 +1,6 @@
+# Dont import this file
+# It is only here for backwards compatibility.
+# Dont author new modules with this file.
+{
+  imports = [ ./roles/default.nix ];
+}

clanModules/root-password/roles/default.nix

@@ -0,0 +1,50 @@
+{
+  _class,
+  pkgs,
+  config,
+  lib,
+  ...
+}:
+{
+
+  warnings = [
+    "The clan.root-password module is deprecated and will be removed on 2025-07-15.
+      Please migrate to user-maintained configuration or the new equivalent clan services
+      (https://docs.clan.lol/reference/clanServices)."
+  ];
+
+  users.mutableUsers = false;
+  users.users.root.hashedPasswordFile =
+    config.clan.core.vars.generators.root-password.files.password-hash.path;
+
+  clan.core.vars.generators.root-password = {
+    files.password-hash = {
+      neededFor = "users";
+    }
+    // (lib.optionalAttrs (_class == "nixos") {
+      restartUnits = lib.optional (config.services.userborn.enable) "userborn.service";
+    });
+    files.password = {
+      deploy = false;
+    };
+    migrateFact = "root-password";
+    runtimeInputs = [
+      pkgs.coreutils
+      pkgs.mkpasswd
+      pkgs.xkcdpass
+    ];
+    prompts.password.type = "hidden";
+    prompts.password.persist = true;
+    prompts.password.description = "You can autogenerate a password, if you leave this prompt blank.";
+
+    script = ''
+      prompt_value="$(cat "$prompts"/password)"
+      if [[ -n "''${prompt_value-}" ]]; then
+        echo "$prompt_value" | tr -d "\n" > "$out"/password
+      else
+        xkcdpass --numwords 4 --delimiter - --count 1 | tr -d "\n" > "$out"/password
+      fi
+      mkpasswd -s -m sha-512 < "$out"/password | tr -d "\n" > "$out"/password-hash
+    '';
+  };
+}

clanModules/single-disk/README.md

@@ -0,0 +1,43 @@
+---
+description = "Configures partitioning of the main disk"
+categories = ["System"]
+features = [ "inventory" ]
+---
+# Primary Disk Layout
+
+A module for the "disk-layout" category MUST be chosen.
+
+There is exactly one slot for this type of module in the UI, if you don't fill the slot, your machine cannot boot
+
+This module is a good choice for most machines. In the future clan will offer a broader choice of disk-layouts
+
+The UI will ask for the options of this module:
+
+`device: "/dev/null"`
+
+# Usage example
+
+`inventory.json`
+```json
+"services": {
+    "single-disk": {
+        "default": {
+            "meta": {
+                "name": "single-disk"
+            },
+            "roles": {
+                "default": {
+                    "machines": ["jon"]
+                }
+            },
+            "machines": {
+                "jon": {
+                    "config": {
+                        "device": "/dev/null"
+                    }
+                }
+            }
+        }
+    }
+}
+```

clanModules/single-disk/default.nix

@@ -0,0 +1,3 @@
+{
+  imports = [ ./roles/default.nix ];
+}

clanModules/single-disk/roles/default.nix

@@ -0,0 +1,56 @@
+{ lib, config, ... }:
+{
+  options.clan.single-disk = {
+    device = lib.mkOption {
+      default = null;
+      type = lib.types.nullOr lib.types.str;
+      description = "The primary disk device to install the system on";
+    };
+  };
+  config = {
+    warnings = [
+      "clanModules.single-disk is deprecated. Please copy the disko config from the module into your machine config."
+    ];
+
+    boot.loader.grub.efiSupport = lib.mkDefault true;
+    boot.loader.grub.efiInstallAsRemovable = lib.mkDefault true;
+    disko.devices = {
+      disk = {
+        main = {
+          type = "disk";
+          # This is set through the UI
+          device = config.clan.single-disk.device;
+
+          content = {
+            type = "gpt";
+            partitions = {
+              boot = {
+                size = "1M";
+                type = "EF02"; # for grub MBR
+                priority = 1;
+              };
+              ESP = {
+                size = "512M";
+                type = "EF00";
+                content = {
+                  type = "filesystem";
+                  format = "vfat";
+                  mountpoint = "/boot";
+                  mountOptions = [ "umask=0077" ];
+                };
+              };
+              root = {
+                size = "100%";
+                content = {
+                  type = "filesystem";
+                  format = "ext4";
+                  mountpoint = "/";
+                };
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+}

clanModules/sshd/README.md

@@ -0,0 +1,11 @@
+---
+description = "Enables secure remote access to the machine over ssh."
+categories = ["System", "Network"]
+features = [ "inventory", "deprecated" ]
+---
+
+This module will setup the opensshd service.
+It will generate a host key for each machine
+
+
+## Roles

clanModules/sshd/default.nix

@@ -0,0 +1,6 @@
+# Dont import this file
+# It is only here for backwards compatibility.
+# Dont author new modules with this file.
+{
+  imports = [ ./roles/server.nix ];
+}

clanModules/sshd/roles/client.nix

@@ -0,0 +1,6 @@
+{ ... }:
+{
+  imports = [
+    ../shared.nix
+  ];
+}

clanModules/sshd/roles/server.nix

@@ -32,17 +32,16 @@ in
         cfg.certificate.searchDomains != [ ]
       ) config.clan.core.vars.generators.openssh-cert.files."ssh.id_ed25519-cert.pub".path;
 
-      hostKeys =
-        [
-          {
-            path = config.clan.core.vars.generators.openssh.files."ssh.id_ed25519".path;
-            type = "ed25519";
-          }
-        ]
-        ++ lib.optional cfg.hostKeys.rsa.enable {
-          path = config.clan.core.vars.generators.openssh-rsa.files."ssh.id_rsa".path;
-          type = "rsa";
-        };
+      hostKeys = [
+        {
+          path = config.clan.core.vars.generators.openssh.files."ssh.id_ed25519".path;
+          type = "ed25519";
+        }
+      ]
+      ++ lib.optional cfg.hostKeys.rsa.enable {
+        path = config.clan.core.vars.generators.openssh-rsa.files."ssh.id_rsa".path;
+        type = "rsa";
+      };
     };
 
     clan.core.vars.generators.openssh = {
@@ -62,7 +61,8 @@ in
       hostNames = [
         "localhost"
         config.networking.hostName
-      ] ++ (lib.optional (config.networking.domain != null) config.networking.fqdn);
+      ]
+      ++ (lib.optional (config.networking.domain != null) config.networking.fqdn);
       publicKey = config.clan.core.vars.generators.openssh.files."ssh.id_ed25519.pub".value;
     };
 

clanModules/state-version/README.md

@@ -0,0 +1,18 @@
+---
+description = "Automatically generate the state version of the nixos installation."
+features = [ "inventory", "deprecated" ]
+---
+
+This module generates the `system.stateVersion` of the nixos installation automatically.
+
+Options: [system.stateVersion](https://search.nixos.org/options?channel=unstable&show=system.stateVersion&from=0&size=50&sort=relevance&type=packages&query=stateVersion)
+
+Migration:
+If you are already setting `system.stateVersion`, then import the module and then either let the automatic generation happen, or trigger the generation manually for the machine. The module will take the specified version, if one is already supplied through the config.
+To manually generate the version for a specified machine run:
+
+```
+clan vars generate [MACHINE]
+```
+
+If the setting was already set you can then remove `system.stateVersion` from your machine configuration. For new machines, just import the module.

clanModules/state-version/default.nix

@@ -0,0 +1,6 @@
+# Dont import this file
+# It is only here for backwards compatibility.
+# Dont author new modules with this file.
+{
+  imports = [ ./roles/default.nix ];
+}

clanModules/state-version/roles/default.nix

@@ -0,0 +1,28 @@
+{ config, lib, ... }:
+let
+  var = config.clan.core.vars.generators.state-version.files.version or { };
+in
+{
+
+  warnings = [
+    ''
+      The clan.state-version service is deprecated and will be
+      removed on 2025-07-15 in favor of a nix option.
+
+      Please migrate your configuration to use `clan.core.settings.state-version.enable = true` instead.
+    ''
+  ];
+
+  system.stateVersion = lib.mkDefault (lib.removeSuffix "\n" var.value);
+
+  clan.core.vars.generators.state-version = {
+    files.version = {
+      secret = false;
+      value = lib.mkDefault config.system.nixos.release;
+    };
+    runtimeInputs = [ ];
+    script = ''
+      echo -n ${config.system.stateVersion} > "$out"/version
+    '';
+  };
+}

clanModules/static-hosts/README.md

@@ -0,0 +1,3 @@
+---
+description = "Statically configure the host names of machines based on their respective zerotier-ip."
+---

clanModules/static-hosts/default.nix

@@ -0,0 +1,63 @@
+{ lib, config, ... }:
+{
+  options.clan.static-hosts = {
+    excludeHosts = lib.mkOption {
+      type = lib.types.listOf lib.types.str;
+      default =
+        if config.clan.static-hosts.topLevelDomain != "" then
+          [ ]
+        else
+          [ config.clan.core.settings.machine.name ];
+      defaultText = lib.literalExpression ''
+        if config.clan.static-hosts.topLevelDomain != "" then
+          [ ]
+        else
+          [ config.clan.core.settings.machine.name ];
+      '';
+      description = "Hosts that should be excluded";
+    };
+    topLevelDomain = lib.mkOption {
+      type = lib.types.str;
+      default = "";
+      description = "Top level domain to reach hosts";
+    };
+  };
+
+  config.networking.hosts =
+    let
+      dir = config.clan.core.settings.directory;
+      machineDir = "${dir}/vars/per-machine";
+      zerotierIpMachinePath = machine: "${machineDir}/${machine}/zerotier/zerotier-ip/value";
+      machinesFileSet = builtins.readDir machineDir;
+      machines = lib.mapAttrsToList (name: _: name) machinesFileSet;
+      networkIpsUnchecked = builtins.map (
+        machine:
+        let
+          fullPath = zerotierIpMachinePath machine;
+        in
+        if builtins.pathExists fullPath then machine else null
+      ) machines;
+      networkIps = lib.filter (machine: machine != null) networkIpsUnchecked;
+      machinesWithIp = lib.filterAttrs (name: _: (lib.elem name networkIps)) machinesFileSet;
+      filteredMachines = lib.filterAttrs (
+        name: _: !(lib.elem name config.clan.static-hosts.excludeHosts)
+      ) machinesWithIp;
+    in
+    lib.filterAttrs (_: value: value != null) (
+      lib.mapAttrs' (
+        machine: _:
+        let
+          path = zerotierIpMachinePath machine;
+        in
+        if builtins.pathExists path then
+          lib.nameValuePair (builtins.readFile path) (
+            if (config.clan.static-hosts.topLevelDomain == "") then
+              [ machine ]
+            else
+              [ "${machine}.${config.clan.static-hosts.topLevelDomain}" ]
+          )
+        else
+          { }
+      ) filteredMachines
+    );
+}

clanModules/sunshine/README.md

@@ -0,0 +1,5 @@
+---
+description = "A desktop streaming server optimized for remote gaming and synchronized movie viewing."
+---
+
+**Warning**: This module was written with our VM integration in mind likely won't work outside of this context. They will be generalized in future.

clanModules/sunshine/default.nix

@@ -0,0 +1,203 @@
+{
+  pkgs,
+  config,
+  lib,
+  ...
+}:
+let
+  ms-accept = pkgs.callPackage ../../pkgs/moonlight-sunshine-accept { };
+  sunshineConfiguration = pkgs.writeText "sunshine.conf" ''
+    address_family = both
+    channels = 5
+    pkey = /var/lib/sunshine/sunshine.key
+    cert = /var/lib/sunshine/sunshine.cert
+    file_state = /var/lib/sunshine/state.json
+    credentials_file = /var/lib/sunshine/credentials.json
+  '';
+  listenPort = 48011;
+in
+{
+  warnings = [
+    "The clan.sunshine module is deprecated and will be removed on 2025-07-15. Please migrate to user-maintained configuration."
+  ];
+
+  networking.firewall = {
+    allowedTCPPorts = [
+      47984
+      47989
+      47990
+      48010
+      48011
+    ];
+
+    allowedUDPPorts = [
+      47998
+      47999
+      48000
+      48002
+      48010
+    ];
+  };
+
+  networking.firewall.allowedTCPPortRanges = [
+    {
+      from = 47984;
+      to = 48010;
+    }
+  ];
+  networking.firewall.allowedUDPPortRanges = [
+    {
+      from = 47998;
+      to = 48010;
+    }
+  ];
+
+  environment.systemPackages = [
+    ms-accept
+    pkgs.sunshine
+    pkgs.avahi
+    # Convenience script, until we find a better UX
+    (pkgs.writers.writeDashBin "sun" ''
+      ${pkgs.sunshine}/bin/sunshine -0 ${sunshineConfiguration} "$@"
+    '')
+    # Create a dummy account, for easier setup,
+    # don't use this account in actual production yet.
+    (pkgs.writers.writeDashBin "init-sun" ''
+      ${pkgs.sunshine}/bin/sunshine \
+      --creds "sunshine" "sunshine"
+    '')
+  ];
+
+  # Required to simulate input
+  boot.kernelModules = [ "uinput" ];
+
+  services.udev.extraRules = ''
+    KERNEL=="uinput", SUBSYSTEM=="misc", OPTIONS+="static_node=uinput", TAG+="uaccess"
+  '';
+
+  security = {
+    rtkit.enable = true;
+    wrappers.sunshine = {
+      owner = "root";
+      group = "root";
+      capabilities = "cap_sys_admin+p";
+      source = "${pkgs.sunshine}/bin/sunshine";
+    };
+  };
+
+  systemd.tmpfiles.rules = [
+    "d '/var/lib/sunshine' 0770 'user' 'users' - -"
+    "C '/var/lib/sunshine/sunshine.cert' 0644 'user' 'users' - ${
+      config.clan.core.vars.generators.sunshine.files."sunshine.cert".path or ""
+    }"
+    "C '/var/lib/sunshine/sunshine.key' 0644 'user' 'users' - ${
+      config.clan.core.vars.generators.sunshine.files."sunshine.key".path or ""
+    }"
+  ];
+
+  hardware.graphics.enable = true;
+
+  systemd.user.services.sunshine = {
+    enable = true;
+    description = "Sunshine self-hosted game stream host for Moonlight";
+    startLimitBurst = 5;
+    startLimitIntervalSec = 500;
+    script = "/run/current-system/sw/bin/env /run/wrappers/bin/sunshine ${sunshineConfiguration}";
+    serviceConfig = {
+      Restart = "on-failure";
+      RestartSec = "5s";
+      ReadWritePaths = [ "/var/lib/sunshine" ];
+      ReadOnlyPaths = [
+        (config.clan.core.vars.services.sunshine.files."sunshine.key".path or "")
+        (config.clan.core.vars.services.sunshine.files."sunshine.cert".path or "")
+      ];
+    };
+    wantedBy = [ "graphical-session.target" ];
+    partOf = [ "graphical-session.target" ];
+    wants = [ "graphical-session.target" ];
+    after = [
+      "sunshine-init-state.service"
+      "sunshine-init-credentials.service"
+    ];
+  };
+
+  systemd.user.services.sunshine-init-state = {
+    enable = true;
+    description = "Sunshine self-hosted game stream host for Moonlight";
+    startLimitBurst = 5;
+    startLimitIntervalSec = 500;
+    script = ''
+      ${ms-accept}/bin/moonlight-sunshine-accept sunshine init-state \
+        --uuid ${config.clan.core.vars.generators.sunshine.files.sunshine-uuid.value} \
+        --state-file /var/lib/sunshine/state.json
+    '';
+    serviceConfig = {
+      Restart = "on-failure";
+      RestartSec = "5s";
+      Type = "oneshot";
+      ReadWritePaths = [ "/var/lib/sunshine" ];
+    };
+    wantedBy = [ "graphical-session.target" ];
+  };
+
+  systemd.user.services.sunshine-init-credentials = {
+    enable = true;
+    description = "Sunshine self-hosted game stream host for Moonlight";
+    startLimitBurst = 5;
+    startLimitIntervalSec = 500;
+    script = ''
+      ${lib.getExe pkgs.sunshine} ${sunshineConfiguration} --creds sunshine sunshine
+    '';
+    serviceConfig = {
+      Restart = "on-failure";
+      RestartSec = "5s";
+      Type = "oneshot";
+      ReadWritePaths = [ "/var/lib/sunshine" ];
+    };
+    wantedBy = [ "graphical-session.target" ];
+  };
+
+  systemd.user.services.sunshine-listener = {
+    enable = true;
+    description = "Sunshine self-hosted game stream host for Moonlight";
+    startLimitBurst = 5;
+    startLimitIntervalSec = 500;
+    script = ''
+      ${ms-accept}/bin/moonlight-sunshine-accept sunshine listen --port ${builtins.toString listenPort} \
+        --uuid ${config.clan.core.vars.generators.sunshine.files.sunshine-uuid.value} \
+        --state /var/lib/sunshine/state.json --cert '${
+          config.clan.core.vars.generators.sunshine.files."sunshine.cert".value
+        }'
+    '';
+    serviceConfig = {
+      # );
+      Restart = "on-failure";
+      RestartSec = 5;
+      ReadWritePaths = [ "/var/lib/sunshine" ];
+    };
+    wantedBy = [ "graphical-session.target" ];
+  };
+
+  clan.core.vars.generators.sunshine = {
+    # generator was named incorrectly in the past
+    migrateFact = "ergochat";
+
+    files."sunshine.key" = { };
+    files."sunshine.cert" = { };
+    files."sunshine-uuid".secret = false;
+    files."sunshine.cert".secret = false;
+
+    runtimeInputs = [
+      pkgs.coreutils
+      ms-accept
+    ];
+
+    script = ''
+      moonlight-sunshine-accept sunshine init
+      mv credentials/cakey.pem "$out"/sunshine.key
+      cp credentials/cacert.pem "$out"/sunshine.cert
+      mv credentials/cacert.pem "$out"/sunshine.cert
+      mv uuid "$out"/sunshine-uuid
+    '';
+  };
+}