clan-app: Move middleware to it's own folder

Reviewed-on: https://git.clan.lol/clan/clan-core/pulls/5160
Reviewed-by: Kenji Berthold <aks.kenji@protonmail.com>

README.md

@@ -30,7 +30,7 @@ In the Clan ecosystem, security is paramount. Learn how to handle secrets effect
 
 The Clan project thrives on community contributions. We welcome everyone to contribute and collaborate:
 
-- **Contribution Guidelines**: Make a meaningful impact by following the steps in [contributing](https://docs.clan.lol/contributing/contributing/)<!-- [contributing.md](docs/CONTRIBUTING.md) -->.
+- **Contribution Guidelines**: Make a meaningful impact by following the steps in [contributing](https://docs.clan.lol/guides/contributing/CONTRIBUTING/)<!-- [contributing.md](docs/CONTRIBUTING.md) -->.
 
 ## Join the revolution
 

checks/clan-core-for-checks.nix

@@ -1,6 +0,0 @@
-{ fetchgit }:
-fetchgit {
-  url = "https://git.clan.lol/clan/clan-core.git";
-  rev = "5d884cecc2585a29b6a3596681839d081b4de192";
-  sha256 = "09is1afmncamavb2q88qac37vmsijxzsy1iz1vr6gsyjq2rixaxc";
-}

checks/flash/flake-module.nix

@@ -50,6 +50,7 @@
         self.nixosConfigurations."test-flash-machine-${pkgs.hostPlatform.system}".config.system.build.toplevel
         self.nixosConfigurations."test-flash-machine-${pkgs.hostPlatform.system}".config.system.build.diskoScript
         self.nixosConfigurations."test-flash-machine-${pkgs.hostPlatform.system}".config.system.build.diskoScript.drvPath
+        (import ../installation/facter-report.nix pkgs.hostPlatform.system)
       ]
       ++ builtins.map (i: i.outPath) (builtins.attrValues self.inputs);
       closureInfo = pkgs.closureInfo { rootPaths = dependencies; };

checks/installation/facter-report.nix

@@ -0,0 +1,10 @@
+system:
+builtins.fetchurl {
+  url = "https://git.clan.lol/clan/test-fixtures/raw/commit/4a2bc56d886578124b05060d3fb7eddc38c019f8/nixos-vm-facter-json/${system}.json";
+  sha256 =
+    {
+      aarch64-linux = "sha256:1rlfymk03rmfkm2qgrc8l5kj5i20srx79n1y1h4nzlpwaz0j7hh2";
+      x86_64-linux = "sha256:16myh0ll2gdwsiwkjw5ba4dl23ppwbsanxx214863j7nvzx42pws";
+    }
+    .${system};
+}

checks/installation/flake-module.nix

@@ -18,27 +18,23 @@
     fileSystems."/".device = lib.mkDefault "/dev/vda";
     boot.loader.grub.device = lib.mkDefault "/dev/vda";
 
-    imports = [ self.nixosModules.test-install-machine-without-system ];
+    imports = [
+      self.nixosModules.test-install-machine-without-system
+    ];
   };
+
   clan.machines.test-install-machine-with-system =
     { pkgs, ... }:
     {
       # https://git.clan.lol/clan/test-fixtures
-      facter.reportPath = builtins.fetchurl {
-        url = "https://git.clan.lol/clan/test-fixtures/raw/commit/4a2bc56d886578124b05060d3fb7eddc38c019f8/nixos-vm-facter-json/${pkgs.hostPlatform.system}.json";
-        sha256 =
-          {
-            aarch64-linux = "sha256:1rlfymk03rmfkm2qgrc8l5kj5i20srx79n1y1h4nzlpwaz0j7hh2";
-            x86_64-linux = "sha256:16myh0ll2gdwsiwkjw5ba4dl23ppwbsanxx214863j7nvzx42pws";
-          }
-          .${pkgs.hostPlatform.system};
-      };
+      facter.reportPath = import ./facter-report.nix pkgs.hostPlatform.system;
 
       fileSystems."/".device = lib.mkDefault "/dev/vda";
       boot.loader.grub.device = lib.mkDefault "/dev/vda";
 
       imports = [ self.nixosModules.test-install-machine-without-system ];
     };
+
   flake.nixosModules = {
     test-install-machine-without-system =
       { lib, modulesPath, ... }:
@@ -159,6 +155,7 @@
               pkgs.stdenv.drvPath
               pkgs.bash.drvPath
               pkgs.buildPackages.xorg.lndir
+              (import ./facter-report.nix pkgs.hostPlatform.system)
             ]
             ++ builtins.map (i: i.outPath) (builtins.attrValues self.inputs);
           };

checks/morph/flake-module.nix

@@ -35,6 +35,7 @@
                   pkgs.stdenv.drvPath
                   pkgs.stdenvNoCC
                   self.nixosConfigurations.test-morph-machine.config.system.build.toplevel
+                  (import ../installation/facter-report.nix pkgs.hostPlatform.system)
                 ]
                 ++ builtins.map (i: i.outPath) (builtins.attrValues self.inputs);
                 closureInfo = pkgs.closureInfo { rootPaths = dependencies; };

checks/update/flake-module.nix

@@ -112,6 +112,7 @@
                     pkgs.stdenv.drvPath
                     pkgs.bash.drvPath
                     pkgs.buildPackages.xorg.lndir
+                    (import ../installation/facter-report.nix pkgs.hostPlatform.system)
                   ]
                   ++ builtins.map (i: i.outPath) (builtins.attrValues self.inputs);
                 };

clanServices/borgbackup/README.md

@@ -5,7 +5,7 @@ inventory.instances = {
   borgbackup = {
     module = {
       name = "borgbackup";
-      input = "clan";
+      input = "clan-core";
     };
     roles.client.machines."jon".settings = {
       destinations."storagebox" = {

clanServices/certificates/README.md

@@ -0,0 +1,32 @@
+This service sets up a certificate authority (CA) that can issue certificates to
+other machines in your clan. For this the `ca` role is used.
+It additionally provides a `default` role, that can be applied to all machines
+in your clan and will make sure they trust your CA.
+
+## Example Usage
+
+The following configuration would add a CA for the top level domain `.foo`. If
+the machine `server` now hosts a webservice at `https://something.foo`, it will
+get a certificate from `ca` which is valid inside your clan. The machine
+`client` will trust this certificate if it makes a request to
+`https://something.foo`.
+
+This clan service can be combined with the `coredns` service for easy to deploy,
+SSL secured clan-internal service hosting.
+
+```nix
+inventory = {
+  machines.ca = { };
+  machines.client = { };
+  machines.server = { };
+
+  instances."certificates" = {
+    module.name = "certificates";
+    module.input = "self";
+
+    roles.ca.machines.ca.settings.tlds = [ "foo" ];
+    roles.default.machines.client = { };
+    roles.default.machines.server = { };
+  };
+};
+```

clanServices/certificates/default.nix

@@ -0,0 +1,245 @@
+{ ... }:
+{
+  _class = "clan.service";
+  manifest.name = "certificates";
+  manifest.description = "Sets up a certificates internal to your Clan";
+  manifest.categories = [ "Network" ];
+  manifest.readme = builtins.readFile ./README.md;
+
+  roles.ca = {
+
+    interface =
+      { lib, ... }:
+      {
+
+        options.acmeEmail = lib.mkOption {
+          type = lib.types.str;
+          default = "none@none.tld";
+          description = ''
+            Email address for account creation and correspondence from the CA.
+            It is recommended to use the same email for all certs to avoid account
+            creation limits.
+          '';
+        };
+
+        options.tlds = lib.mkOption {
+          type = lib.types.listOf lib.types.str;
+          description = "Top level domain for this CA. Certificates will be issued and trusted for *.<tld>";
+        };
+
+        options.expire = lib.mkOption {
+          type = lib.types.nullOr lib.types.str;
+          description = "When the certificate should expire.";
+          default = "8760h";
+          example = "8760h";
+        };
+      };
+
+    perInstance =
+      { settings, ... }:
+      {
+        nixosModule =
+          {
+            config,
+            pkgs,
+            lib,
+            ...
+          }:
+          let
+            domains = map (tld: "ca.${tld}") settings.tlds;
+          in
+          {
+            security.acme.defaults.email = settings.acmeEmail;
+            security.acme = {
+              certs = builtins.listToAttrs (
+                map (domain: {
+                  name = domain;
+                  value = {
+                    server = "https://${domain}:1443/acme/acme/directory";
+                  };
+                }) domains
+              );
+            };
+
+            networking.firewall.allowedTCPPorts = [
+              80
+              443
+            ];
+
+            services.nginx = {
+              enable = true;
+              recommendedProxySettings = true;
+              virtualHosts = builtins.listToAttrs (
+                map (domain: {
+                  name = domain;
+                  value = {
+                    addSSL = true;
+                    enableACME = true;
+                    locations."/".proxyPass = "https://localhost:1443";
+                    locations."= /ca.crt".alias =
+                      config.clan.core.vars.generators.step-intermediate-cert.files."intermediate.crt".path;
+                  };
+                }) domains
+              );
+            };
+
+            clan.core.vars.generators = {
+
+              # Intermediate key generator
+              "step-intermediate-key" = {
+                files."intermediate.key" = {
+                  secret = true;
+                  deploy = true;
+                  owner = "step-ca";
+                  group = "step-ca";
+                };
+                runtimeInputs = [ pkgs.step-cli ];
+                script = ''
+                  step crypto keypair --kty EC --curve P-256 --no-password --insecure $out/intermediate.pub $out/intermediate.key
+                '';
+              };
+
+              # Intermediate certificate generator
+              "step-intermediate-cert" = {
+                files."intermediate.crt".secret = false;
+                dependencies = [
+                  "step-ca"
+                  "step-intermediate-key"
+                ];
+                runtimeInputs = [ pkgs.step-cli ];
+                script = ''
+                  # Create intermediate certificate
+                  step certificate create \
+                    --ca $in/step-ca/ca.crt \
+                    --ca-key $in/step-ca/ca.key \
+                    --ca-password-file /dev/null \
+                    --key $in/step-intermediate-key/intermediate.key \
+                    --template ${pkgs.writeText "intermediate.tmpl" ''
+                      {
+                        "subject": {{ toJson .Subject }},
+                        "keyUsage": ["certSign", "crlSign"],
+                        "basicConstraints": {
+                          "isCA": true,
+                          "maxPathLen": 0
+                        },
+                        "nameConstraints": {
+                          "critical": true,
+                          "permittedDNSDomains": [${
+                            (lib.strings.concatStringsSep "," (map (tld: ''"${tld}"'') settings.tlds))
+                          }]
+                        }
+                      }
+                    ''} ${lib.optionalString (settings.expire != null) "--not-after ${settings.expire}"} \
+                    --not-before=-12h \
+                    --no-password --insecure \
+                    "Clan Intermediate CA" \
+                    $out/intermediate.crt
+                '';
+              };
+            };
+
+            services.step-ca = {
+              enable = true;
+              intermediatePasswordFile = "/dev/null";
+              address = "0.0.0.0";
+              port = 1443;
+              settings = {
+                root = config.clan.core.vars.generators.step-ca.files."ca.crt".path;
+                crt = config.clan.core.vars.generators.step-intermediate-cert.files."intermediate.crt".path;
+                key = config.clan.core.vars.generators.step-intermediate-key.files."intermediate.key".path;
+                dnsNames = domains;
+                logger.format = "text";
+                db = {
+                  type = "badger";
+                  dataSource = "/var/lib/step-ca/db";
+                };
+                authority = {
+                  provisioners = [
+                    {
+                      type = "ACME";
+                      name = "acme";
+                      forceCN = true;
+                    }
+                  ];
+                  claims = {
+                    maxTLSCertDuration = "2160h";
+                    defaultTLSCertDuration = "2160h";
+                  };
+                  backdate = "1m0s";
+                };
+                tls = {
+                  cipherSuites = [
+                    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"
+                    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
+                  ];
+                  minVersion = 1.2;
+                  maxVersion = 1.3;
+                  renegotiation = false;
+                };
+              };
+            };
+          };
+      };
+  };
+
+  # Empty role, so we can add non-ca machins to the instance to trust the CA
+  roles.default = {
+    interface =
+      { lib, ... }:
+      {
+        options.acmeEmail = lib.mkOption {
+          type = lib.types.str;
+          default = "none@none.tld";
+          description = ''
+            Email address for account creation and correspondence from the CA.
+            It is recommended to use the same email for all certs to avoid account
+            creation limits.
+          '';
+        };
+      };
+
+    perInstance =
+      { settings, ... }:
+      {
+        nixosModule.security.acme.defaults.email = settings.acmeEmail;
+      };
+  };
+
+  # All machines (independent of role) will trust the CA
+  perMachine.nixosModule =
+    { pkgs, config, ... }:
+    {
+      # Root CA generator
+      clan.core.vars.generators = {
+        "step-ca" = {
+          share = true;
+          files."ca.key" = {
+            secret = true;
+            deploy = false;
+          };
+          files."ca.crt".secret = false;
+          runtimeInputs = [ pkgs.step-cli ];
+          script = ''
+            step certificate create --template ${pkgs.writeText "root.tmpl" ''
+              {
+                "subject": {{ toJson .Subject }},
+                "issuer": {{ toJson .Subject }},
+                "keyUsage": ["certSign", "crlSign"],
+                "basicConstraints": {
+                  "isCA": true,
+                  "maxPathLen": 1
+                }
+              }
+            ''} "Clan Root CA" $out/ca.crt $out/ca.key \
+              --kty EC --curve P-256 \
+              --not-after=8760h \
+              --not-before=-12h \
+              --no-password --insecure
+          '';
+        };
+      };
+      security.pki.certificateFiles = [ config.clan.core.vars.generators."step-ca".files."ca.crt".path ];
+      environment.systemPackages = [ pkgs.openssl ];
+      security.acme.acceptTerms = true;
+    };
+}

clanServices/certificates/flake-module.nix

@@ -0,0 +1,21 @@
+{
+  self,
+  lib,
+  ...
+}:
+let
+  module = lib.modules.importApply ./default.nix {
+    inherit (self) packages;
+  };
+in
+{
+  clan.modules.certificates = module;
+  perSystem =
+    { ... }:
+    {
+      clan.nixosTests.certificates = {
+        imports = [ ./tests/vm/default.nix ];
+        clan.modules.certificates = module;
+      };
+    };
+}

clanServices/certificates/tests/vm/default.nix

@@ -0,0 +1,84 @@
+{
+  name = "certificates";
+
+  clan = {
+    directory = ./.;
+    inventory = {
+
+      machines.ca = { }; # 192.168.1.1
+      machines.client = { }; # 192.168.1.2
+      machines.server = { }; # 192.168.1.3
+
+      instances."certificates" = {
+        module.name = "certificates";
+        module.input = "self";
+
+        roles.ca.machines.ca.settings.tlds = [ "foo" ];
+        roles.default.machines.client = { };
+        roles.default.machines.server = { };
+      };
+    };
+  };
+
+  nodes =
+    let
+      hostConfig = ''
+        192.168.1.1 ca.foo
+        192.168.1.3 test.foo
+      '';
+    in
+    {
+
+      client.networking.extraHosts = hostConfig;
+      ca.networking.extraHosts = hostConfig;
+
+      server = {
+
+        networking.extraHosts = hostConfig;
+
+        # TODO: Could this be set automatically?
+        # I would like to get this information from the coredns module, but we
+        # cannot model dependencies yet
+        security.acme.certs."test.foo".server = "https://ca.foo/acme/acme/directory";
+
+        # Host a simple service on 'server', with SSL provided via our CA. 'client'
+        # should be able to curl it via https and accept the certificates
+        # presented
+        networking.firewall.allowedTCPPorts = [
+          80
+          443
+        ];
+
+        services.nginx = {
+          enable = true;
+          virtualHosts."test.foo" = {
+            enableACME = true;
+            forceSSL = true;
+            locations."/" = {
+              return = "200 'test server response'";
+              extraConfig = "add_header Content-Type text/plain;";
+            };
+          };
+        };
+      };
+    };
+
+  testScript = ''
+    start_all()
+
+    import time
+
+    time.sleep(3)
+    ca.succeed("systemctl restart acme-order-renew-ca.foo.service ")
+
+    time.sleep(3)
+    server.succeed("systemctl restart acme-test.foo.service")
+
+    # It takes a while for the correct certs to appear (before that self-signed
+    # are presented by nginx) so we wait for a bit.
+    client.wait_until_succeeds("curl -v https://test.foo")
+
+    # Show certificate information for debugging
+    client.succeed("openssl s_client -connect test.foo:443 -servername test.foo </dev/null 2>/dev/null | openssl x509 -text -noout 1>&2")
+  '';
+}

clanServices/certificates/tests/vm/sops/machines/ca/key.json

@@ -0,0 +1,6 @@
+[
+  {
+    "publickey": "age1yd2cden7jav8x4nzx2fwze2fsa5j0qm2m3t7zum765z3u4gj433q7dqj43",
+    "type": "age"
+  }
+]

clanServices/certificates/tests/vm/sops/machines/client/key.json

@@ -0,0 +1,6 @@
+[
+  {
+    "publickey": "age1js225d8jc507sgcg0fdfv2x3xv3asm4ds5c6s4hp37nq8spxu95sc5x3ce",
+    "type": "age"
+  }
+]

clanServices/certificates/tests/vm/sops/machines/server/key.json

@@ -0,0 +1,6 @@
+[
+  {
+    "publickey": "age1nwuh8lc604mnz5r8ku8zswyswnwv02excw237c0cmtlejp7xfp8sdrcwfa",
+    "type": "age"
+  }
+]

clanServices/certificates/tests/vm/sops/secrets/ca-age.key/secret

@@ -0,0 +1,15 @@
+{
+	"data": "ENC[AES256_GCM,data:6+XilULKRuWtAZ6B8Lj9UqCfi1T6dmqrDqBNXqS4SvBwM1bIWiL6juaT1Q7ByOexzID7tY740gmQBqTey54uLydh8mW0m4ZtUqw=,iv:9kscsrMPBGkutTnxrc5nrc7tQXpzLxw+929pUDKqTu0=,tag:753uIjm8ZRs0xsjiejEY8g==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1d3kycldZRXhmR0FqTXJp\nWWU0MDBYNmxxbFE5M2xKYm5KWnQ0MXBHNEM4CjN4RFFVcFlkd3pjTFVDQ3Vackdj\nVTVhMWoxdFpsWHp5S1p4L05kYk5LUkkKLS0tIENtZFZZTjY2amFVQmZLZFplQzBC\nZm1vWFI4MXR1ZHIxTTQ5VXdSYUhvOTQKte0bKjXQ0xA8FrpuChjDUvjVqp97D8kT\n3tVh6scdjxW48VSBZP1GRmqcMqCdj75GvJTbWeNEV4PDBW7GI0UW+Q==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-09-02T08:42:39Z",
+		"mac": "ENC[AES256_GCM,data:AftMorrH7qX5ctVu5evYHn5h9pC4Mmm2VYaAV8Hy0PKTc777jNsL6DrxFVV3NVqtecpwrzZFWKgzukcdcRJe4veVeBrusmoZYtifH0AWZTEVpVlr2UXYYxCDmNZt1WHfVUo40bT//X6QM0ye6a/2Y1jYPbMbryQNcGmnpk9PDvU=,iv:5nk+d8hzA05LQp7ZHRbIgiENg2Ha6J6YzyducM6zcNU=,tag:dy1hqWVzMu/+fSK57h9ZCA==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}

clanServices/certificates/tests/vm/sops/secrets/ca-age.key/users/admin

@@ -0,0 +1 @@
+../../../users/admin

clanServices/certificates/tests/vm/sops/secrets/client-age.key/secret

@@ -0,0 +1,15 @@
+{
+	"data": "ENC[AES256_GCM,data:jdTuGQUYvT1yXei1RHKsOCsABmMlkcLuziHDVhA7NequZeNu0fSbrJTXQDCHsDGhlYRcjU5EsEDT750xdleXuD3Gs9zWvPVobI4=,iv:YVow3K1j6fzRF9bRfIEpuOkO/nRpku/UQxWNGC+UJQQ=,tag:cNLM5R7uu6QpwPB9K6MYzg==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvOVF2WXRSL0NpQzFZR01I\nNU85TGcyQmVDazN1dmpuRFVTZEg5NDRKTGhrCk1IVjFSU1V6WHBVRnFWcHkyVERr\nTjFKbW1mQ2FWOWhjN2VPamMxVEQ5VkkKLS0tIENVUGlhanhuWGtDKzBzRmk2dE4v\nMXZBRXNMa3IrOTZTNHRUWVE3UXEwSWMK2cBLoL/H/Vxd/klVrqVLdX9Mww5j7gw/\nEWc5/hN+km6XoW+DiJxVG4qaJ7qqld6u5ZnKgJT+2h9CfjA04I2akg==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-09-02T08:42:51Z",
+		"mac": "ENC[AES256_GCM,data:zOBQVM2Ydu4v0+Fw3p3cEU+5+7eKaadV0tKro1JVOxclG1Vs6Myq57nw2eWf5JxIl0ulL+FavPKY26qOQ3aqcGOT3PMRlCda9z+0oSn9Im9bE/DzAGmoH/bp76kFkgTTOCZTMUoqJ+UJqv0qy1BH/92sSSKmYshEX6d1vr5ISrw=,iv:i9ZW4sLxOCan4UokHlySVr1CW39nCTusG4DmEPj/gIw=,tag:iZBDPHDkE3Vt5mFcFu1TPQ==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}

clanServices/certificates/tests/vm/sops/secrets/client-age.key/users/admin

@@ -0,0 +1 @@
+../../../users/admin

clanServices/certificates/tests/vm/sops/secrets/server-age.key/secret

@@ -0,0 +1,15 @@
+{
+	"data": "ENC[AES256_GCM,data:5CJuHcxJMXZJ8GqAeG3BrbWtT1kade4kxgJsn1cRpmr1UgN0ZVYnluPEiBscClNSOzcc6vcrBpfTI3dj1tASKTLP58M+GDBFQDo=,iv:gsK7XqBGkYCoqAvyFlIXuJ27PKSbTmy7f6cgTmT2gow=,tag:qG5KejkBvy9ytfhGXa/Mnw==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxbzVqYkplTzJKN1pwS3VM\naFFIK2VsR3lYUVExYW9ieERBL0tlcFZtVzJRCkpiLzdmWmFlOUZ5QUJ4WkhXZ2tQ\nZm92YXBCV0RpYnIydUdEVTRiamI4bjAKLS0tIG93a2htS1hFcjBOeVFnNCtQTHVr\na2FPYjVGbWtORjJVWXE5bndPU1RWcXMKikMEB7X+kb7OtiyqXn3HRpLYkCdoayDh\n7cjGnplk17q25/lRNHM4JVS5isFfuftCl01enESqkvgq+cwuFwa9DQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-09-02T08:42:59Z",
+		"mac": "ENC[AES256_GCM,data:xybV2D0xukZnH2OwRpIugPnS7LN9AbgGKwFioPJc1FQWx9TxMUVDwgMN6V5WrhWkXgF2zP4krtDYpEz4Vq+LbOjcnTUteuCc+7pMHubuRuip7j+M32MH1kuf4bVZuXbCfvm7brGxe83FzjoioLqzA8g/X6Q1q7/ErkNeFjluC3Q=,iv:QEW3EUKSRZY3fbXlP7z+SffWkQeXwMAa5K8RQW7NvPE=,tag:DhFxY7xr7H1Wbd527swD0Q==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}

clanServices/certificates/tests/vm/sops/secrets/server-age.key/users/admin

@@ -0,0 +1 @@
+../../../users/admin

clanServices/certificates/tests/vm/sops/users/admin/key.json

@@ -0,0 +1,4 @@
+{
+  "publickey": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
+  "type": "age"
+}

clanServices/certificates/tests/vm/vars/per-machine/ca/state-version/version/value

@@ -0,0 +1 @@
+25.11

clanServices/certificates/tests/vm/vars/per-machine/ca/step-intermediate-cert/intermediate.crt/value

@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIBsDCCAVegAwIBAgIQbT1Ivm+uwyf0HNkJfan2BTAKBggqhkjOPQQDAjAXMRUw
+EwYDVQQDEwxDbGFuIFJvb3QgQ0EwHhcNMjUwOTAxMjA0MzAzWhcNMjYwOTAyMDg0
+MzAzWjAfMR0wGwYDVQQDExRDbGFuIEludGVybWVkaWF0ZSBDQTBZMBMGByqGSM49
+AgEGCCqGSM49AwEHA0IABDXCNrUIotju9P1U6JxLV43sOxLlRphQJS4dM+lvjTZc
+aQ+HwQg0AHVlQNRwS3JqKrJJtJVyKbZklh6eFaDPoj6jfTB7MA4GA1UdDwEB/wQE
+AwIBBjASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQWBBRKHaccHgP2ccSWVBWN
+zGoDdTg7aTAfBgNVHSMEGDAWgBSfsnz4phMJx9su/kgeF/FbZQCBgzAVBgNVHR4B
+Af8ECzAJoAcwBYIDZm9vMAoGCCqGSM49BAMCA0cAMEQCICiUDk1zGNzpS/iVKLfW
+zUGaCagpn2mCx4xAXQM9UranAiAn68nVYGWjkzhU31wyCAupxOjw7Bt96XXqIAz9
+hLLtMA==
+-----END CERTIFICATE-----

clanServices/certificates/tests/vm/vars/per-machine/ca/step-intermediate-key/intermediate.key/machines/ca

@@ -0,0 +1 @@
+../../../../../../sops/machines/ca

clanServices/certificates/tests/vm/vars/per-machine/ca/step-intermediate-key/intermediate.key/secret

@@ -0,0 +1,19 @@
+{
+	"data": "ENC[AES256_GCM,data:Auonh9fa7jSkld1Zyxw74x5ydj6Xc+0SOgiqumVETNCfner9K96Rmv1PkREuHNGWPsnzyEM3pRT8ijvu3QoKvy9QPCCewyT07Wqe4G74+bk1iMeAHsV3To6kHs6M8OISvE+CmG0+hlLmdfRSabTzyWPLHbOjvFTEEuA5G7xiryacSYOE++eeEHdn+oUDh/IMTcfLjCGMjsXFikx1Hb+ofeRTlCg47+0w4MXVvQkOzQB5V2C694jZXvZ19jd/ioqr8YASz2xatGvqwW6cpZxqOWyZJ0UAj/6yFk6tZWifqVB3wgU=,iv:ITFCrDkeWl4GWCebVq15ei9QmkOLDwUIYojKZ2TU6JU=,tag:8k4iYbCIusUykY79H86WUQ==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsT25UbjJTQ2tzbnQyUm9p\neWx1UlZIeVpocnBqUCt0YnFlN2FOU25Lb0hNCmdXUUsyalRTbHRRQ0NLSGc1YllV\nUXRwaENhaXU1WmdnVDE0UWprUUUyeDAKLS0tIHV3dHU3aG5JclM0V3FadzN0SU14\ndFptbEJUNXQ4QVlqbkJ1TjAvdDQwSGsKcKPWUjhK7wzIpdIdksMShF2fpLdDTUBS\nZiU7P1T+3psxad9qhapvU0JrAY+9veFaYVEHha2aN/XKs8HqUcTp3A==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1yd2cden7jav8x4nzx2fwze2fsa5j0qm2m3t7zum765z3u4gj433q7dqj43",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjZFVteVZwVGVmRE9NT3hG\nNGMyS3FSaXluM1FpeUp6SDVMUEpwYzg5SmdvCkRPU0QyU1JicGNkdlMyQWVkT0k3\nL2YrbDhWeGk4WFhxcUFmTmhZQ0pEQncKLS0tIG85Ui9rKzBJQ2VkMFBUQTMvSTlu\nbm8rZ09Wa24rQkNvTTNtYTZBN3MrZlkK7cjNhlUKZdOrRq/nKUsbUQgNTzX8jO+0\nzADpz6WCMvsJ15xazc10BGh03OtdMWl5tcoWMaZ71HWtI9Gip5DH0w==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-09-02T08:42:42Z",
+		"mac": "ENC[AES256_GCM,data:9xlO5Yis8DG/y8GjvP63NltD4xEL7zqdHL2cQE8gAoh/ZamAmK5ZL0ld80mB3eIYEPKZYvmUYI4Lkrge2ZdqyDoubrW+eJ3dxn9+StxA9FzXYwUE0t+bbsNJfOOp/kDojf060qLGsu0kAGKd2ca4WiDccR0Cieky335C7Zzhi/Q=,iv:bWQ4wr0CJHSN+6ipUbkYTDWZJyFQjDKszfpVX9EEUsY=,tag:kADIFgJBEGCvr5fPbbdEDA==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}

clanServices/certificates/tests/vm/vars/per-machine/ca/step-intermediate-key/intermediate.key/users/admin

@@ -0,0 +1 @@
+../../../../../../sops/users/admin

clanServices/certificates/tests/vm/vars/per-machine/client/state-version/version/value

@@ -0,0 +1 @@
+25.11

clanServices/certificates/tests/vm/vars/per-machine/server/state-version/version/value

@@ -0,0 +1 @@
+25.11

clanServices/certificates/tests/vm/vars/shared/step-ca/ca.crt/value

@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+MIIBcTCCARigAwIBAgIRAIix99+AE7Y+uyiLGaRHEhUwCgYIKoZIzj0EAwIwFzEV
+MBMGA1UEAxMMQ2xhbiBSb290IENBMB4XDTI1MDkwMTIwNDI1N1oXDTI2MDkwMjA4
+NDI1N1owFzEVMBMGA1UEAxMMQ2xhbiBSb290IENBMFkwEwYHKoZIzj0CAQYIKoZI
+zj0DAQcDQgAEk7nn9kzxI+xkRmNMlxD+7T78UqV3aqus0foJh6uu1CHC+XaebMcw
+JN95nAe3oYA3yZG6Mnq9nCxsYha4EhzGYqNFMEMwDgYDVR0PAQH/BAQDAgEGMBIG
+A1UdEwEB/wQIMAYBAf8CAQEwHQYDVR0OBBYEFJ+yfPimEwnH2y7+SB4X8VtlAIGD
+MAoGCCqGSM49BAMCA0cAMEQCIBId/CcbT5MPFL90xa+XQz+gVTdRwsu6Bg7ehMso
+Bj0oAiBjSlttd5yeuZGXBm+O0Gl+WdKV60QlrWutNewXFS4UpQ==
+-----END CERTIFICATE-----

clanServices/certificates/tests/vm/vars/shared/step-ca/ca.key/secret

@@ -0,0 +1,15 @@
+{
+	"data": "ENC[AES256_GCM,data:PnEXteU3I7U0OKgE+oR3xjHdLWYTpJjM/jlzxtGU0uP2pUBuQv3LxtEz+cP0ZsafHLNq2iNJ7xpUEE0g4d3M296S56oSocK3fREWBiJFiaC7SAEUiil1l3UCwHn7LzmdEmn8Kq7T+FK89wwqtVWIASLo2gZC/yHE5eEanEATTchGLSNiHJRzZ8n0Ekm8EFUA6czOqA5nPQHaSmeLzu1g80lSSi1ICly6dJksa6DVucwOyVFYFEeq8Dfyc1eyP8L1ee0D7QFYBMduYOXTKPtNnyDmdaQMj7cMMvE7fn04idIiAqw=,iv:nvLmAfFk2GXnnUy+Afr648R60Ou13eu9UKykkiA8Y+4=,tag:lTTAxfG0EDCU6u7xlW6xSQ==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEMjNWUm5NbktQeTRWRjJE\nWWFZc2Rsa3I5aitPSno1WnhORENNcng5OHprCjNUQVhBVHFBcWFjaW5UdmxKTnZw\nQlI4MDk5Wkp0RElCeWgzZ2dFQkF2dkkKLS0tIDVreTkydnJ0RDdHSHlQeVV6bGlP\nTmpJOVBSb2dkVS9TZG5SRmFjdnQ1b3cKQ5XvwH1jD4XPVs5RzOotBDq8kiE6S5k2\nDBv6ugjsM5qV7/oGP9H69aSB4jKPZjEn3yiNw++Oorc8uXd5kSGh7w==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-09-02T08:43:00Z",
+		"mac": "ENC[AES256_GCM,data:3jFf66UyZUWEtPdPu809LCS3K/Hc6zbnluystl3eXS+KGI+dCoYmN9hQruRNBRxf6jli2RIlArmmEPBDQVt67gG/qugTdT12krWnYAZ78iocmOnkf44fWxn/pqVnn4JYpjEYRgy8ueGDnUkwvpGWVZpcXw5659YeDQuYOJ2mq0U=,iv:3k7fBPrABdLItQ2Z+Mx8Nx0eIEKo93zG/23K+Q5Hl3I=,tag:aehAObdx//DEjbKlOeM7iQ==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}

clanServices/certificates/tests/vm/vars/shared/step-ca/ca.key/users/admin

@@ -0,0 +1 @@
+../../../../../sops/users/admin

clanServices/coredns/README.md

@@ -8,7 +8,7 @@ The service consists of two roles:
 - A `server` role: This is the DNS-server that will be queried when trying to
   resolve clan-internal services. It defines the top-level domain.
 - A `default` role: This does two things. First, it sets up the nameservers so
-  thatclan-internal queries are resolved via the `server` machine, while
+  that clan-internal queries are resolved via the `server` machine, while
   external queries are resolved as normal via DHCP. Second, it allows exposing
   services (see example below).
 

clanServices/coredns/default.nix

@@ -1,4 +1,5 @@
 { ... }:
+
 {
   _class = "clan.service";
   manifest.name = "coredns";
@@ -25,6 +26,12 @@
           # TODO: Set a default
           description = "IP for the DNS to listen on";
         };
+
+        options.dnsPort = lib.mkOption {
+          type = lib.types.int;
+          default = 1053;
+          description = "Port of the clan-internal DNS server";
+        };
       };
 
     perInstance =
@@ -42,8 +49,8 @@
           }:
           {
 
-            networking.firewall.allowedTCPPorts = [ 53 ];
-            networking.firewall.allowedUDPPorts = [ 53 ];
+            networking.firewall.allowedTCPPorts = [ settings.dnsPort ];
+            networking.firewall.allowedUDPPorts = [ settings.dnsPort ];
 
             services.coredns =
               let
@@ -74,16 +81,22 @@
               in
               {
                 enable = true;
-                config = ''
-                  . {
-                      forward . 1.1.1.1
-                      cache 30
-                  }
+                config =
 
-                  ${settings.tld} {
-                      file ${zonefile}
-                  }
-                '';
+                  let
+                    dnsPort = builtins.toString settings.dnsPort;
+                  in
+
+                  ''
+                    .:${dnsPort} {
+                        forward . 1.1.1.1
+                        cache 30
+                    }
+
+                    ${settings.tld}:${dnsPort} {
+                        file ${zonefile}
+                    }
+                  '';
               };
           };
       };
@@ -107,10 +120,16 @@
           # TODO: Set a default
           description = "IP on which the services will listen";
         };
+
+        options.dnsPort = lib.mkOption {
+          type = lib.types.int;
+          default = 1053;
+          description = "Port of the clan-internal DNS server";
+        };
       };
 
     perInstance =
-      { roles, ... }:
+      { roles, settings, ... }:
       {
         nixosModule =
           { lib, ... }:
@@ -147,7 +166,7 @@
                 ];
                 stub-zone = map (m: {
                   name = "${roles.server.machines.${m}.settings.tld}.";
-                  stub-addr = "${roles.server.machines.${m}.settings.ip}";
+                  stub-addr = "${roles.server.machines.${m}.settings.ip}@${builtins.toString settings.dnsPort}";
                 }) (lib.attrNames roles.server.machines);
               };
             };

clanServices/coredns/tests/vm/default.nix

@@ -95,18 +95,15 @@
     for m in machines:
         m.wait_for_unit("network-online.target")
 
-    # import time
-    # time.sleep(2333333)
-
     # This should work, but is borken in tests i think? Instead we dig directly
 
     # client.succeed("curl -k -v http://one.foo")
     # client.succeed("curl -k -v http://two.foo")
 
-    answer = client.succeed("dig @192.168.1.2 one.foo")
+    answer = client.succeed("dig @192.168.1.2 -p 1053 one.foo")
     assert "192.168.1.3" in answer, "IP not found"
 
-    answer = client.succeed("dig @192.168.1.2 two.foo")
+    answer = client.succeed("dig @192.168.1.2 -p 1053 two.foo")
     assert "192.168.1.4" in answer, "IP not found"
 
   '';

clanServices/monitoring/telegraf.nix

@@ -56,6 +56,11 @@
           systemd.services.telegraf-json = {
             enable = true;
             wantedBy = [ "multi-user.target" ];
+            after = [ "telegraf.service" ];
+            wants = [ "telegraf.service" ];
+            serviceConfig = {
+              Restart = "on-failure";
+            };
             script = "${pkgs.miniserve}/bin/miniserve -p 9990 ${jsonpath} --auth-file ${config.clan.core.vars.generators.telegraf.files.miniserve-auth.path}";
           };
 

clanServices/trusted-nix-caches/README.md

@@ -7,7 +7,7 @@ inventory.instances = {
   clan-cache = {
     module = {
       name = "trusted-nix-caches";
-      input = "clan";
+      input = "clan-core";
     };
     roles.default.machines.draper = { };
   };

clanServices/users/README.md

@@ -8,7 +8,7 @@
     user-alice = {
       module = {
         name = "users";
-        input = "clan";
+        input = "clan-core";
       };
       roles.default.tags.all = { };
       roles.default.settings = {
@@ -35,7 +35,7 @@
     user-bob = {
       module = {
         name = "users";
-        input = "clan";
+        input = "clan-core";
       };
       roles.default.machines.bobs-laptop = { };
       roles.default.settings.user = "bob";

clanServices/zerotier/README.md

@@ -5,7 +5,7 @@ inventory.instances = {
   zerotier = {
     module = {
       name = "zerotier";
-      input = "clan";
+      input = "clan-core";
     };
     roles.peer.tags.all = { };
     roles.controller.machines.jon = { };
@@ -18,7 +18,6 @@ All machines will be peers and connected to the zerotier network.
 Jon is the controller machine, which will will accept other machines into the network.
 Sara is a moon and sets the `stableEndpoint` setting with a publicly reachable IP, the moon is optional.
 
-
 ## Overview
 
 This guide explains how to set up and manage a [ZeroTier VPN](https://zerotier.com) for a clan network. Each VPN requires a single controller and can support multiple peers and optional moons for better connectivity.

clanServices/zerotier/default.nix

@@ -45,7 +45,7 @@
             It will be reachable under the given stable endpoints.
           '';
           example = ''
-            [ 1.2.3.4" "10.0.0.3/9993" "2001:abcd:abcd::3/9993" ]
+            [ "1.2.3.4" "10.0.0.3/9993" "2001:abcd:abcd::3/9993" ]
           '';
         };
 

devFlake/flake.lock

@@ -84,11 +84,11 @@
     },
     "nixpkgs-dev": {
       "locked": {
-        "lastModified": 1756400612,
-        "narHash": "sha256-0xm2D8u6y1+hCT+o4LCUCm3GCmSJHLAF0jRELyIb1go=",
+        "lastModified": 1757924820,
+        "narHash": "sha256-to/hwbY9/jsRaejPa5oJmPUFZsJfFCB3WReKhD0+/+E=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "593cac9f894d7d4894e0155bacbbc69e7ef552dd",
+        "rev": "aa54acd34af0e86f49d55ea52823031e2da399df",
         "type": "github"
       },
       "original": {
@@ -107,11 +107,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1755555503,
-        "narHash": "sha256-WiOO7GUOsJ4/DoMy2IC5InnqRDSo2U11la48vCCIjjY=",
+        "lastModified": 1757885130,
+        "narHash": "sha256-56CMb5W/pgjKLh0bx2ekhn5rde/YmgR63HAqrY9/BCw=",
         "owner": "NuschtOS",
         "repo": "search",
-        "rev": "6f3efef888b92e6520f10eae15b86ff537e1d2ea",
+        "rev": "fae3c59a646e00c4b1d359c50b27458a0713d2fd",
         "type": "github"
       },
       "original": {
@@ -165,11 +165,11 @@
         "nixpkgs": []
       },
       "locked": {
-        "lastModified": 1755934250,
-        "narHash": "sha256-CsDojnMgYsfshQw3t4zjRUkmMmUdZGthl16bXVWgRYU=",
+        "lastModified": 1756662192,
+        "narHash": "sha256-F1oFfV51AE259I85av+MAia221XwMHCOtZCMcZLK2Jk=",
         "owner": "numtide",
         "repo": "treefmt-nix",
-        "rev": "74e1a52d5bd9430312f8d1b8b0354c92c17453e5",
+        "rev": "1aabc6c05ccbcbf4a635fb7a90400e44282f61c4",
         "type": "github"
       },
       "original": {

docs/mkdocs.yml

@@ -61,9 +61,16 @@ nav:
           - Continuous Integration: guides/getting-started/flake-check.md
           - Convert Existing NixOS Config: guides/getting-started/convert-flake.md
       - ClanServices: guides/clanServices.md
+      - Vars:
+          - Overview: guides/vars/vars-overview.md
+          - Getting Started: guides/vars/vars-backend.md
+          - Concepts: guides/vars/vars-concepts.md
+          - Sops Backend:
+              - Yubikeys & Age Plugins: guides/vars/sops/age-plugins.md
+          - Advanced Examples: guides/vars/vars-advanced-examples.md
+          - Troubleshooting: guides/vars/vars-troubleshooting.md
       - Backup & Restore: guides/backups.md
       - Disk Encryption: guides/disk-encryption.md
-      - Age Plugins: guides/age-plugins.md
       - Secrets management: guides/secrets.md
       - Networking: guides/networking.md
       - Zerotier VPN: guides/mesh-vpn.md
@@ -83,7 +90,6 @@ nav:
           - Disk id: guides/migrations/disk-id.md
   - Concepts:
       - Inventory: concepts/inventory.md
-      - Generators: concepts/generators.md
       - Autoincludes: concepts/autoincludes.md
       - Templates: concepts/templates.md
   - Reference:
@@ -94,6 +100,7 @@ nav:
               - reference/clanServices/index.md
               - reference/clanServices/admin.md
               - reference/clanServices/borgbackup.md
+              - reference/clanServices/certificates.md
               - reference/clanServices/coredns.md
               - reference/clanServices/data-mesher.md
               - reference/clanServices/dyndns.md
@@ -217,4 +224,4 @@ plugins:
   - redoc-tag
   - redirects:
       redirect_maps:
-        guides/getting-started/secrets.md: concepts/generators.md
+        guides/getting-started/secrets.md: guides/vars/vars-overview.md

docs/nix/options/flake-module.nix

@@ -205,25 +205,31 @@
       # };
 
       packages = {
-        docs-options = privateInputs.nuschtos.packages.${pkgs.stdenv.hostPlatform.system}.mkMultiSearch {
-          inherit baseHref;
-          title = "Clan Options";
-          # scopes = mapAttrsToList mkScope serviceModules;
-          scopes = [
-            {
+        docs-options =
+          if privateInputs ? nuschtos then
+            privateInputs.nuschtos.packages.${pkgs.stdenv.hostPlatform.system}.mkMultiSearch {
               inherit baseHref;
-              name = "Flake Options (clan.nix file)";
-              modules = docModules;
-              urlPrefix = "https://git.clan.lol/clan/clan-core/src/branch/main/";
+              title = "Clan Options";
+              # scopes = mapAttrsToList mkScope serviceModules;
+              scopes = [
+                {
+                  inherit baseHref;
+                  name = "Flake Options (clan.nix file)";
+                  modules = docModules;
+                  urlPrefix = "https://git.clan.lol/clan/clan-core/src/branch/main/";
+                }
+                {
+                  name = "Machine Options (clan.core NixOS options)";
+                  optionsJSON = "${coreOptions}/share/doc/nixos/options.json";
+                  urlPrefix = "https://git.clan.lol/clan/clan-core/src/branch/main/";
+                }
+              ];
             }
-            {
-              name = "Machine Options (clan.core NixOS options)";
-              optionsJSON = "${coreOptions}/share/doc/nixos/options.json";
-              urlPrefix = "https://git.clan.lol/clan/clan-core/src/branch/main/";
-
-            }
-          ];
-        };
+          else
+            pkgs.stdenv.mkDerivation {
+              name = "empty";
+              buildCommand = "echo 'This is an empty derivation' > $out";
+            };
       };
     };
 }

docs/site/concepts/inventory.md

@@ -21,7 +21,7 @@ The following tutorial will walk through setting up a Backup service where the t
 
 ## Services
 
-The inventory defines `services`. Membership of `machines` is defined via `roles` exclusively.
+The inventory defines `instances` of clan services. Membership of `machines` is defined via `roles` exclusively.
 
 See each [modules documentation](../reference/clanServices/index.md) for its available roles.
 
@@ -31,9 +31,8 @@ A service can be added to one or multiple machines via `Roles`. Clan's `Role` in
 
 Each service can still be customized and configured according to the modules options.
 
-- Per instance configuration via `services.<serviceName>.<instanceName>.config`
-- Per role configuration via `services.<serviceName>.<instanceName>.roles.<roleName>.config`
-- Per machine configuration via `services.<serviceName>.<instanceName>.machines.<machineName>.config`
+- Per role configuration via `inventory.instances.<instanceName>.roles.<roleName>.settings`
+- Per machine configuration via `inventory.instances.<instanceName>.roles.<roleName>.machines.<machineName>.settings`
 
 ### Setting up the Backup Service
 
@@ -44,16 +43,17 @@ Each service can still be customized and configured according to the modules opt
 
     See also: [Multiple Service Instances](#multiple-service-instances)
 
-    ```{.nix hl_lines="6-7"}
-    clan-core.lib.clan {
-        inventory = {
-            services = {
-                borgbackup.instance_1 = {
-                    # Machines can be added here.
-                    roles.client.machines = [ "jon" ];
-                    roles.server.machines = [ "backup_server" ];
-                };
+    ```{.nix hl_lines="9-10"}
+    {
+        inventory.instances.instance_1 = {
+            module =  {
+                name = "borgbackup";
+                input = "clan-core";
             };
+
+            # Machines can be added here.
+            roles.client.machines."jon" {};
+            roles.server.machines."backup_server" = {};
         };
     }
     ```
@@ -66,8 +66,8 @@ It is possible to add services to multiple machines via tags as shown
 
 !!! Example "Tags Example"
 
-    ```{.nix hl_lines="5 8 14"}
-    clan-core.lib.clan {
+    ```{.nix hl_lines="5 8 18"}
+    {
         inventory = {
             machines = {
                 "jon" = {
@@ -76,13 +76,16 @@ It is possible to add services to multiple machines via tags as shown
                 "sara" = {
                     tags = [ "backup" ];
                 };
-                # ...
             };
-            services = {
-                borgbackup.instance_1 = {
-                    roles.client.tags = [ "backup" ];
-                    roles.server.machines = [ "backup_server" ];
+
+            instances.instance_1 = {
+                module =  {
+                    name = "borgbackup";
+                    input = "clan-core";
                 };
+
+                roles.client.tags =  [ "backup" ];
+                roles.server.machines."backup_server" = {};
             };
         };
     }
@@ -98,22 +101,34 @@ It is possible to add services to multiple machines via tags as shown
 
     In this example `backup_server` has role `client` and `server` in different instances.
 
-    ```{.nix hl_lines="11 14"}
-    clan-core.lib.clan {
+    ```{.nix hl_lines="17 26"}
+    {
         inventory = {
             machines = {
                 "jon" = {};
                 "backup_server" = {};
-                "backup_backup_server" = {}
+                "backup_backup_server" = {};
             };
-            services = {
-                borgbackup.instance_1 = {
-                    roles.client.machines = [ "jon" ];
-                    roles.server.machines = [ "backup_server" ];
+
+            instances = {
+                instance_1 = {
+                    module =  {
+                        name = "borgbackup";
+                        input = "clan-core";
+                    };
+
+                    roles.client.machines."jon" = {};
+                    roles.server.machines."backup_server" = {};
                 };
-                borgbackup.instance_2 = {
-                    roles.client.machines = [ "backup_server" ];
-                    roles.server.machines = [ "backup_backup_server" ];
+
+                instance_2 = {
+                    module =  {
+                        name = "borgbackup";
+                        input = "clan-core";
+                    };
+
+                    roles.client.machines."backup_server" = {};
+                    roles.server.machines."backup_backup_server" = {};
                 };
             };
         };

docs/site/guides/age-plugins.md

@@ -1,59 +0,0 @@
-## Using Age Plugins
-
-If you wish to use a key generated using an [age plugin] as your admin key, extra care is needed.
-
-You must **precede your secret key with a comment that contains its corresponding recipient**.
-
-This is usually output as part of the generation process
-and is only required because there is no unified mechanism for recovering a recipient from a plugin secret key.
-
-Here is an example:
-
-```title="~/.config/sops/age/keys.txt"
-# public key: age1zdy49ek6z60q9r34vf5mmzkx6u43pr9haqdh5lqdg7fh5tpwlfwqea356l
-AGE-PLUGIN-FIDO2-HMAC-1QQPQZRFR7ZZ2WCV...
-```
-
-!!! note
-    The comment that precedes the plugin secret key need only contain the recipient.
-    Any other text is ignored.
-
-    In the example above, you can specify `# recipient: age1zdy...`, `# public: age1zdy....` or even
-    just `# age1zdy....`
-
-You will need to add an entry into your `flake.nix` to ensure that the necessary `age` plugins
-are loaded when using Clan:
-
-```nix title="flake.nix"
-{
-  inputs.clan-core.url = "https://git.clan.lol/clan/clan-core/archive/main.tar.gz";
-  inputs.nixpkgs.follows = "clan-core/nixpkgs";
-
-  outputs =
-    { self, clan-core, ... }:
-    let
-      # Sometimes this attribute set is defined in clan.nix
-      clan = clan-core.lib.clan {
-        inherit self;
-
-        meta.name = "myclan";
-
-        # Add Yubikey and FIDO2 HMAC plugins
-        # Note: the plugins listed here must be available in nixpkgs.
-        secrets.age.plugins = [
-          "age-plugin-yubikey"
-          "age-plugin-fido2-hmac"
-        ];
-
-        machines = {
-          # elided for brevity
-        };
-      };
-    in
-    {
-      inherit (clan) nixosConfigurations nixosModules clanInternals;
-
-      # elided for brevity
-    };
-}
-```

docs/site/guides/backups.md

@@ -1,4 +1,3 @@
-
 This guide explains how to set up and manage
 [BorgBackup](https://borgbackup.readthedocs.io/) for secure, efficient backups
 in a clan network. BorgBackup provides:
@@ -18,7 +17,7 @@ inventory.instances = {
   borgbackup = {
     module = {
       name = "borgbackup";
-      input = "clan";
+      input = "clan-core";
     };
     roles.client.machines."jon".settings = {
       destinations."storagebox" = {
@@ -177,7 +176,7 @@ storagebox::username@username.your-storagebox.de:/./borgbackup::jon-storagebox-2
 
 ### Restoring backups
 
-For restoring a backup you have two options. 
+For restoring a backup you have two options.
 
 #### Full restoration
 
@@ -194,6 +193,3 @@ To restore only a specific service (e.g., `linkding`):
 ```bash
 clan backups restore --service linkding jon borgbackup storagebox::u444061@u444061.your-storagebox.de:/./borgbackup::jon-storagebox-2025-07-24T06:02:35
 ```
-
-
-

docs/site/guides/disk-encryption.md

@@ -4,6 +4,8 @@ This guide provides an example setup for a single-disk ZFS system with native en
 !!! Warning
     This configuration only applies to `systemd-boot` enabled systems and **requires** UEFI booting.
 
+!!! Info "Secure Boot"
+    This guide is compatible with systems that have [secure boot disabled](../guides/secure-boot.md). If you encounter boot issues, check if secure boot needs to be disabled in your UEFI settings.
 
 Replace the highlighted lines with your own disk-id.
 You can find our your disk-id by executing:

docs/site/guides/macos.md

@@ -7,7 +7,7 @@ This guide explains how to manage macOS machines using Clan.
 Currently, Clan supports the following features for macOS:
 
 - `clan machines update` for existing [nix-darwin](https://github.com/nix-darwin/nix-darwin) installations
-- Support for [vars](../concepts/generators.md)
+- Support for [vars](../guides/vars/vars-overview.md)
 
 ## Add Your Machine to Your Clan Flake
 

docs/site/guides/migrations/migration-facts-vars.md

@@ -3,7 +3,7 @@
 For a high level overview about `vars` see our [blog post](https://clan.lol/blog/vars/).
 
 This guide will help you migrate your modules that still use our [`facts`](../../guides/secrets.md) backend
-to the [`vars`](../../concepts/generators.md) backend.
+to the [`vars`](../../guides/vars/vars-overview.md) backend.
 
 The `vars` [module](../../reference/clan.core/vars.md) and the clan [command](../../reference/cli/vars.md) work in tandem, they should ideally be kept in sync.
 

docs/site/guides/networking.md

@@ -19,10 +19,10 @@ For machines with public IPs or DNS names, use the `internet` service to configu
           # Direct SSH with fallback support
           internet = {
             roles.default.machines.server1 = {
-              settings.address = "server1.example.com";
+              settings.host = "server1.example.com";
             };
             roles.default.machines.server2 = {
-              settings.address = "192.168.1.100";
+              settings.host = "192.168.1.100";
             };
           };
 
@@ -50,7 +50,7 @@ For machines with public IPs or DNS names, use the `internet` service to configu
           # Priority 1: Try direct connection first
           internet = {
             roles.default.machines.publicserver = {
-              settings.address = "public.example.com";
+              settings.host = "public.example.com";
             };
           };
 

docs/site/guides/secrets.md

@@ -1,5 +1,5 @@
-This article provides an overview over the underlying secrets system which is used by [Vars](../concepts/generators.md).
-Under most circumstances you should use [Vars](../concepts/generators.md) directly instead.
+This article provides an overview over the underlying secrets system which is used by [Vars](../guides/vars/vars-overview.md).
+Under most circumstances you should use [Vars](../guides/vars/vars-overview.md) directly instead.
 
 Consider using `clan secrets` only for managing admin users and groups, as well as a debugging tool.
 
@@ -292,15 +292,14 @@ The following diagrams illustrates how a user can provide a secret (i.e. a Passw
 
 ```plantuml
 @startuml
-!include C4_Container.puml
 
-Person(user, "User", "Someone who manages secrets")
-ContainerDb(secret, "Secret")
-Container(machine, "Machine", "A Machine. i.e. Needs the Secret for a given Service." )
+actor "User" as user
+database "Secret" as secret
+rectangle "Machine" as machine
 
-Rel_R(user, secret, "Encrypt", "", "Pubkeys: User, Machine")
-Rel_L(secret, user, "Decrypt", "",  "user privkey")
-Rel_R(secret, machine, "Decrypt", "", "machine privkey" )
+user -right-> secret : Encrypt\n(Pubkeys: User, Machine)
+secret -left-> user : Decrypt\n(user privkey)
+secret -right-> machine : Decrypt\n(machine privkey)
 
 @enduml
 ```
@@ -316,19 +315,18 @@ Common use cases:
 
 ```plantuml
 @startuml
-!include C4_Container.puml
 
-System_Boundary(c1, "Group") {
-    Person(user1, "User A", "has access")
-    Person(user2, "User B", "has access")
+rectangle "Group" {
+    actor "User A" as user1
+    actor "User B" as user2
 }
 
-ContainerDb(secret, "Secret")
-Container(machine, "Machine", "A Machine. i.e. Needs the Secret for a given Service." )
-
-Rel_R(c1, secret, "Encrypt", "", "Pubkeys: User A, User B, Machine")
-Rel_R(secret, machine, "Decrypt", "", "machine privkey" )
+database "Secret" as secret
+rectangle "Machine" as machine
 
+user1 -right-> secret : Encrypt
+user2 -right-> secret : (Pubkeys: User A, User B, Machine)
+secret -right-> machine : Decrypt\n(machine privkey)
 
 @enduml
 ```
@@ -347,19 +345,17 @@ Common use cases:
 
 ```plantuml
 @startuml
-!include C4_Container.puml
-!include C4_Deployment.puml
 
-Person(user, "User", "Someone who manages secrets")
-ContainerDb(secret, "Secret")
-System_Boundary(c1, "Group") {
-    Container(machine1, "Machine A", "Both machines need the same secret" )
-    Container(machine2, "Machine B", "Both machines need the same secret" )
+actor "User" as user
+database "Secret" as secret
+rectangle "Group" {
+    rectangle "Machine A" as machine1
+    rectangle "Machine B" as machine2
 }
 
-Rel_R(user, secret, "Encrypt", "", "Pubkeys: machine A, machine B, User")
-Rel(secret, c1, "Decrypt", "", "Both machine A or B can decrypt using their private key" )
-
+user -right-> secret : Encrypt\n(Pubkeys: machine A, machine B, User)
+secret -down-> machine1 : Decrypt
+secret -down-> machine2 : (Both machines can decrypt\nusing their private key)
 
 @enduml
 ```

docs/site/guides/vars/sops/age-plugins.md

@@ -0,0 +1,85 @@
+# Using Age Plugins with Clan Vars
+
+This guide explains how to set up YubiKey and other plugins for `clan vars` secrets.
+
+By default the `clan vars` subcommand uses the `age` encryption tool, which supports various plugins.
+
+---
+
+## Supported Age Plugins
+
+Below is a [list of popular `age` plugins](https://github.com/FiloSottile/awesome-age?tab=readme-ov-file#plugins) you can use with Clan. (Last updated: **September 12, 2025**)
+
+- ⭐️ [**age-plugin-yubikey**](https://github.com/str4d/age-plugin-yubikey): YubiKey (and other PIV tokens) plugin.
+-  [**age-plugin-se**](https://github.com/remko/age-plugin-se): Apple Secure Enclave plugin.
+- 🧪 [**age-plugin-tpm**](https://github.com/Foxboron/age-plugin-tpm): TPM 2.0 plugin.
+- 🧪 [**age-plugin-tkey**](https://github.com/quite/age-plugin-tkey): Tillitis TKey plugin.
+   [**age-plugin-trezor**](https://github.com/romanz/trezor-agent/blob/master/doc/README-age.md): Hardware wallet plugin (TREZOR, Ledger, etc.).
+- 🧪 [**age-plugin-sntrup761x25519**](https://github.com/keisentraut/age-plugin-sntrup761x25519): Post-quantum hybrid plugin (NTRU Prime + X25519).
+- 🧪 [**age-plugin-fido**](https://github.com/riastradh/age-plugin-fido): Prototype symmetric encryption plugin for FIDO2 keys.
+- 🧪 [**age-plugin-fido2-hmac**](https://github.com/olastor/age-plugin-fido2-hmac): FIDO2 plugin with PIN support.
+- 🧪 [**age-plugin-sss**](https://github.com/olastor/age-plugin-sss): Shamir's Secret Sharing (SSS) plugin.
+- 🧪 [**age-plugin-amnesia**](https://github.com/cedws/amnesia/blob/master/README.md#age-plugin-experimental): Adds Q&A-based identity wrapping.
+
+> **Note:** Plugins marked with 🧪 are experimental. Plugins marked with ⭐️ are official.
+
+---
+
+## Using Plugin-Generated Keys
+
+If you want to use `fido2 tokens` to encrypt your secret instead of the normal age secret key then you need to prefix your age secret key with the corresponding plugin name. In our case we want to use the `age-plugin-fido2-hmac` plugin so we replace `AGE-SECRET-KEY` with `AGE-PLUGIN-FIDO2-HMAC`.
+
+??? tip
+    - On Linux the age secret key is located at `~/.config/sops/age/keys.txt`
+    - On macOS it is located at `/Users/admin/Library/Application Support/sops/age/keys.txt`
+
+**Before**:
+  ```hl_lines="2"
+  # public key: age1zdy49ek6z60q9r34vf5mmzkx6u43pr9haqdh5lqdg7fh5tpwlfwqea356l
+  AGE-SECRET-KEY-1QQPQZRFR7ZZ2WCV...
+  ```
+
+  **After**:
+```hl_lines="2"
+# public key: age1zdy49ek6z60q9r34vf5mmzkx6u43pr9haqdh5lqdg7fh5tpwlfwqea356l
+AGE-PLUGIN-FIDO2-HMAC-1QQPQZRFR7ZZ2WCV...
+```
+
+
+
+## Configuring Plugins in `flake.nix`
+
+To use `age` plugins with Clan, you need to configure them in your `flake.nix` file. Here’s an example:
+
+```nix title="flake.nix"
+{
+  inputs.clan-core.url = "https://git.clan.lol/clan/clan-core/archive/main.tar.gz";
+  inputs.nixpkgs.follows = "clan-core/nixpkgs";
+
+  outputs = { self, clan-core, ... }:
+  let
+    # Define Clan configuration
+    clan = clan-core.lib.clan {
+      inherit self;
+
+      meta.name = "myclan";
+
+      # Add YubiKey and FIDO2 HMAC plugins
+      # Note: Plugins must be available in nixpkgs.
+      secrets.age.plugins = [
+        "age-plugin-yubikey"
+        "age-plugin-fido2-hmac"
+      ];
+
+      machines = {
+        # Machine configurations (elided for brevity)
+      };
+    };
+  in
+  {
+    inherit (clan) nixosConfigurations nixosModules clanInternals;
+
+    # Additional configurations (elided for brevity)
+  };
+}
+```

docs/site/guides/vars/vars-advanced-examples.md

@@ -0,0 +1,290 @@
+# Advanced Vars Examples
+
+This guide demonstrates complex, real-world patterns for the vars system. 
+
+
+## Certificate Authority with Intermediate Certificates
+
+This example shows how to create a complete certificate authority with root and intermediate certificates using dependencies.
+
+```nix
+{
+  # Generate root CA (not deployed to machines)
+  clan.core.vars.generators.root-ca = {
+    files."ca.key" = {
+      secret = true;
+      deploy = false;  # Keep root key offline
+    };
+    files."ca.crt".secret = false;
+    runtimeInputs = [ pkgs.step-cli ];
+    script = ''
+      step certificate create "My Root CA" \
+        $out/ca.crt $out/ca.key \
+        --profile root-ca \
+        --no-password \
+        --not-after 87600h
+    '';
+  };
+
+  # Generate intermediate key
+  clan.core.vars.generators.intermediate-key = {
+    files."intermediate.key" = {
+      secret = true;
+      deploy = true;
+    };
+    runtimeInputs = [ pkgs.step-cli ];
+    script = ''
+      step crypto keypair \
+        $out/intermediate.pub \
+        $out/intermediate.key \
+        --no-password
+    '';
+  };
+
+  # Generate intermediate certificate signed by root
+  clan.core.vars.generators.intermediate-cert = {
+    files."intermediate.crt".secret = false;
+    dependencies = [
+      "root-ca"
+      "intermediate-key"
+    ];
+    runtimeInputs = [ pkgs.step-cli ];
+    script = ''
+      step certificate create "My Intermediate CA" \
+        $out/intermediate.crt \
+        $in/intermediate-key/intermediate.key \
+        --ca $in/root-ca/ca.crt \
+        --ca-key $in/root-ca/ca.key \
+        --profile intermediate-ca \
+        --not-after 8760h \
+        --no-password
+    '';
+  };
+
+  # Use the certificates in services
+  services.nginx.virtualHosts."example.com" = {
+    sslCertificate = config.clan.core.vars.generators.intermediate-cert.files."intermediate.crt".value;
+    sslCertificateKey = config.clan.core.vars.generators.intermediate-key.files."intermediate.key".path;
+  };
+}
+```
+
+## Multi-Service Secret Sharing
+
+Generate secrets that multiple services can use:
+
+```nix
+{
+  # Generate database credentials
+  clan.core.vars.generators.database = {
+    share = true;  # Share across machines
+    files."password" = { };
+    files."connection-string" = { };
+    prompts.dbname = {
+      description = "Database name";
+      type = "line";
+    };
+    script = ''
+      # Generate password
+      tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 32 > $out/password
+      
+      # Create connection string
+      echo "postgresql://app:$(cat $out/password)@localhost/$prompts/dbname" \
+        > $out/connection-string
+    '';
+  };
+
+  # PostgreSQL uses the password
+  services.postgresql = {
+    enable = true;
+    initialScript = pkgs.writeText "init.sql" ''
+      CREATE USER app WITH PASSWORD '${
+        builtins.readFile config.clan.core.vars.generators.database.files."password".path
+      }';
+    '';
+  };
+
+  # Application uses the connection string
+  systemd.services.myapp = {
+    serviceConfig.EnvironmentFile = 
+      config.clan.core.vars.generators.database.files."connection-string".path;
+  };
+}
+```
+
+## SSH Host Keys with Certificates
+
+Generate SSH host keys and sign them with a CA:
+
+```nix
+{
+  # SSH Certificate Authority (shared)
+  clan.core.vars.generators.ssh-ca = {
+    share = true;
+    files."ca" = { secret = true; deploy = false; };
+    files."ca.pub" = { secret = false; };
+    runtimeInputs = [ pkgs.openssh ];
+    script = ''
+      ssh-keygen -t ed25519 -N "" -f $out/ca
+      mv $out/ca.pub $out/ca.pub
+    '';
+  };
+
+  # Host-specific SSH keys
+  clan.core.vars.generators.ssh-host = {
+    files."ssh_host_ed25519_key" = {
+      secret = true;
+      owner = "root";
+      group = "root";
+      mode = "0600";
+    };
+    files."ssh_host_ed25519_key.pub" = { secret = false; };
+    files."ssh_host_ed25519_key-cert.pub" = { secret = false; };
+    dependencies = [ "ssh-ca" ];
+    runtimeInputs = [ pkgs.openssh ];
+    script = ''
+      # Generate host key
+      ssh-keygen -t ed25519 -N "" -f $out/ssh_host_ed25519_key
+      
+      # Sign with CA
+      ssh-keygen -s $in/ssh-ca/ca \
+        -I "host:${config.networking.hostName}" \
+        -h \
+        -V -5m:+365d \
+        $out/ssh_host_ed25519_key.pub
+    '';
+  };
+
+  # Configure SSH to use the generated keys
+  services.openssh = {
+    hostKeys = [{
+      path = config.clan.core.vars.generators.ssh-host.files."ssh_host_ed25519_key".path;
+      type = "ed25519";
+    }];
+  };
+}
+```
+
+## WireGuard Mesh Network
+
+Create a WireGuard configuration with pre-shared keys:
+
+```nix
+{
+  # Generate WireGuard keys for this host
+  clan.core.vars.generators.wireguard = {
+    files."privatekey" = {
+      secret = true;
+      owner = "systemd-network";
+      mode = "0400";
+    };
+    files."publickey" = { secret = false; };
+    files."preshared" = { secret = true; };
+    runtimeInputs = [ pkgs.wireguard-tools ];
+    script = ''
+      # Generate key pair
+      wg genkey > $out/privatekey
+      wg pubkey < $out/privatekey > $out/publickey
+      
+      # Generate pre-shared key
+      wg genpsk > $out/preshared
+    '';
+  };
+
+  # Configure WireGuard
+  networking.wireguard.interfaces.wg0 = {
+    privateKeyFile = config.clan.core.vars.generators.wireguard.files."privatekey".path;
+    
+    peers = [{
+      publicKey = "peer-public-key-here";
+      presharedKeyFile = config.clan.core.vars.generators.wireguard.files."preshared".path;
+      allowedIPs = [ "10.0.0.2/32" ];
+    }];
+  };
+}
+```
+
+## Conditional Generation Based on Machine Role
+
+Generate different secrets based on machine configuration:
+
+```nix
+{
+  clan.core.vars.generators = lib.mkMerge [
+    # All machines get basic auth
+    {
+      basic-auth = {
+        files."htpasswd" = { };
+        prompts.username = {
+          description = "Username for basic auth";
+          type = "line";
+        };
+        prompts.password = {
+          description = "Password for basic auth";
+          type = "hidden";
+        };
+        runtimeInputs = [ pkgs.apacheHttpd ];
+        script = ''
+          htpasswd -nbB "$prompts/username" "$prompts/password" > $out/htpasswd
+        '';
+      };
+    }
+
+    # Only servers get API tokens
+    (lib.mkIf config.services.myapi.enable {
+      api-tokens = {
+        files."admin-token" = { };
+        files."readonly-token" = { };
+        runtimeInputs = [ pkgs.openssl ];
+        script = ''
+          openssl rand -hex 32 > $out/admin-token
+          openssl rand -hex 16 > $out/readonly-token
+        '';
+      };
+    })
+  ];
+}
+```
+
+## Backup Encryption Keys
+
+Generate and manage backup encryption keys:
+
+```nix
+{
+  clan.core.vars.generators.backup = {
+    share = true;  # Same key for all backup sources
+    files."encryption.key" = {
+      secret = true;
+      deploy = true;
+    };
+    files."encryption.pub" = { secret = false; };
+    runtimeInputs = [ pkgs.age ];
+    script = ''
+      # Generate age key pair
+      age-keygen -o $out/encryption.key 2>/dev/null
+      
+      # Extract public key
+      grep "public key:" $out/encryption.key | cut -d: -f2 | tr -d ' ' \
+        > $out/encryption.pub
+    '';
+  };
+
+  # Use in backup service
+  services.borgbackup.jobs.system = {
+    encryption = {
+      mode = "repokey-blake2";
+      passCommand = "cat ${config.clan.core.vars.generators.backup.files."encryption.key".path}";
+    };
+  };
+}
+```
+
+## Tips and Best Practices
+
+1. **Use dependencies** to build complex multi-stage generations
+2. **Share generators** when the same secret is needed across machines
+3. **Set appropriate permissions** for service-specific secrets
+4. **Use prompts** for user-specific values that shouldn't be generated
+5. **Combine secret and non-secret files** in the same generator when they're related
+6. **Use conditional generation** with `lib.mkIf` for role-specific secrets

docs/site/guides/vars/vars-backend.md

@@ -1,26 +1,21 @@
-# Generators
+The `clan vars` subcommand is a powerful tool for managing machine-specific variables in a declarative and reproducible way. This guide will walk you through its usage, from setting up a generator to sharing and updating variables across machines.
 
-Defining a linux user's password via the nixos configuration previously required running `mkpasswd ...` and then copying the hash back into the nix configuration.
+For a detailed API reference, see the [vars module documentation](../../reference/clan.core/vars.md).
 
-In this example, we will guide you through automating that interaction using clan `vars`.
+In this guide, you will learn how to:
 
-For a more general explanation of what clan vars are and how it works, see the intro of the [Reference Documentation for vars](../reference/clan.core/vars.md)
+1. Declare a `generator` in the machine's NixOS configuration.
+2. Inspect the status of variables using the Clan CLI.
+3. Generate variables interactively.
+4. Observe the changes made to your repository.
+5. Update the machine configuration.
+6. Share the root password between multiple machines.
+7. Change the root password when needed.
 
-This guide assumes
-- Clan is set up already (see [Getting Started](../guides/getting-started/index.md))
-- a machine has been added to the clan (see [Adding Machines](../guides/getting-started/add-machines.md))
+By the end of this guide, you will have a clear understanding of how to use `clan vars` to manage sensitive data, such as passwords, in a secure and efficient manner.
 
-This section will walk you through the following steps:
 
-1. declare a `generator` in the machine's nixos configuration
-2. inspect the status via the Clan CLI
-3. generate the vars
-4. observe the changes
-5. update the machine
-6. share the root password between machines
-7. change the password
-
-## Declare a generator
+## Declare the generator
 
 In this example, a `vars` `generator` is used to:
 
@@ -114,7 +109,7 @@ If we just imported the `root-password.nix` from above into more machines, clan
 If the root password instead should only be entered once and shared across all machines, the generator defined above needs to be declared as `shared`, by adding `share = true` to it:
 ```nix
 {config, pkgs, ...}: {
-  clan.vars.generators.root-password = {
+  clan.core.vars.generators.root-password = {
     share = true;
     # ...
   }
@@ -141,8 +136,3 @@ Updated var root-password/password-hash
   new: $6$OyoQtDVzeemgh8EQ$zRK...
 ```
 
-
-## Further Reading
-
-- [Reference Documentation for `clan.core.vars` NixOS options](../reference/clan.core/vars.md)
-- [Reference Documentation for the `clan vars` CLI command](../reference/cli/vars.md)

docs/site/guides/vars/vars-concepts.md

@@ -0,0 +1,123 @@
+# Understanding Clan Vars - Concepts & Architecture
+
+This guide explains the architecture and design principles behind the vars system. 
+
+## Architecture Overview
+
+The vars system provides a declarative, reproducible way to manage generated files (especially secrets) in NixOS configurations.
+
+## Data Flow
+
+```mermaid
+graph LR
+    A[Generator Script] --> B[Output Files]
+    C[User Prompts] --> A
+    D[Dependencies] --> A
+    B --> E[Secret Storage<br/>sops/password-store]
+    B --> F[Nix Store<br/>public files]
+    E --> G[Machine Deployment]
+    F --> G
+```
+
+## Key Design Principles
+
+### 1. Declarative Generation
+
+Unlike imperative secret management, vars are declared in your NixOS configuration and generated deterministically. This ensures reproducibility across deployments.
+
+### 2. Separation of Concerns
+
+- **Generation logic**: Defined in generator scripts
+- **Storage**: Handled by pluggable backends (sops, password-store, etc.)
+- **Deployment**: Managed by NixOS activation scripts
+- **Access control**: Enforced through file permissions and ownership
+
+### 3. Composability Through Dependencies
+
+Generators can depend on outputs from other generators, enabling complex workflows:
+
+```nix
+# Dependencies create a directed acyclic graph (DAG)
+A → B → C
+    ↓
+    D
+```
+
+This allows building sophisticated systems like certificate authorities where intermediate certificates depend on root certificates.
+
+### 4. Type Safety
+
+The vars system distinguishes between:
+- **Secret files**: Only accessible via `.path`, deployed to `/run/secrets/`
+- **Public files**: Accessible via `.value`, stored in nix store
+
+This prevents accidental exposure of secrets in the nix store.
+
+## Storage Backend Architecture
+
+The vars system uses pluggable storage backends:
+
+- **sops** (default): Integrates with clan's existing sops encryption
+- **password-store**: For users already using pass
+
+Each backend handles encryption/decryption transparently, allowing the same generator definitions to work across different security models.
+
+## Timing and Lifecycle
+
+### Generation Phases
+
+1. **Pre-deployment**: `clan vars generate` creates vars before deployment
+2. **During deployment**: Missing vars are generated automatically
+3. **Regeneration**: Explicit regeneration with `--regenerate` flag
+
+### The `neededFor` Option
+
+Control when vars are available during system activation:
+
+```nix
+files."early-secret" = {
+  secret = true;
+  neededFor = [ "users" "groups" ];  # Available early in activation
+};
+```
+
+## Advanced Patterns
+
+### Multi-Machine Coordination
+
+The `share` option enables cross-machine secret sharing:
+
+```mermaid
+graph LR
+    A[Shared Generator] --> B[Machine 1]
+    A --> C[Machine 2]
+    A --> D[Machine 3]
+```
+
+This is useful for:
+- Shared certificate authorities
+- Mesh VPN pre-shared keys
+- Cluster join tokens
+
+### Generator Composition
+
+Complex systems can be built by composing simple generators:
+
+```
+root-ca → intermediate-ca → service-cert
+         ↓
+     ocsp-responder
+```
+
+Each generator focuses on one task, making the system modular and testable.
+
+## Key Advantages
+
+Compared to manual secret management, vars provides:
+
+- **Declarative configuration**: Define once, generate consistently
+- **Dependency management**: Build complex systems with generator dependencies
+- **Type safety**: Separate handling of secret and public files
+- **User prompts**: Gather input when needed
+- **Easy regeneration**: Update secrets with a single command
+

docs/site/guides/vars/vars-overview.md

@@ -0,0 +1,145 @@
+# Vars System Overview
+
+The vars system is clan's declarative solution for managing generated files, secrets, and dynamic configuration in your NixOS deployments. It eliminates the manual steps of generating credentials, certificates, and other dynamic values by automating these processes within your infrastructure-as-code workflow.
+
+## What Problems Does Vars Solve?
+
+### Before Vars: Manual Secret Management
+
+Traditional NixOS deployments require manual steps for secrets and generated files:
+
+```bash
+# Generate password hash manually
+mkpasswd -m sha-512 > /tmp/root-password-hash
+# Copy hash into configuration
+users.users.root.hashedPasswordFile = "/tmp/root-password-hash";
+```
+
+This approach has several problems:
+
+- **Not reproducible**: Manual steps vary between team members
+
+- **Hard to maintain**: Updating secrets requires remembering manual commands  
+
+- **Deployment friction**: Secrets must be managed outside of your configuration
+
+- **Team collaboration issues**: Sharing credentials securely is complex
+
+### After Vars: Declarative Generation
+
+With vars, the same process becomes declarative and automated:
+
+```nix
+clan.core.vars.generators.root-password = {
+  prompts.password.description = "Root password";
+  prompts.password.type = "hidden";
+  files.hash.secret = false;
+  script = "mkpasswd -m sha-512 < $prompts/password > $out/hash";
+  runtimeInputs = [ pkgs.mkpasswd ];
+};
+
+users.users.root.hashedPasswordFile = 
+  config.clan.core.vars.generators.root-password.files.hash.path;
+```
+
+## Core Benefits
+
+- **🔄 Reproducible**: Same inputs always produce the same outputs
+- **📝 Declarative**: Defined alongside your NixOS configuration
+- **🔐 Secure**: Automatic secret storage and encrypted deployment
+- **👥 Collaborative**: Built-in sharing for team environments
+- **🚀 Automated**: No manual intervention required for deployments
+- **🔗 Integrated**: Works seamlessly with clan's deployment workflow
+
+## How It Works
+
+```mermaid
+graph TB
+    A[Generator Declaration] --> B[clan vars generate]
+    B --> C{Prompts User}
+    C --> D[Execute Script]
+    D --> E[Output Files]
+    E --> F{Secret?}
+    F -->|Yes| G[Encrypted Storage]
+    F -->|No| H[Git Repository]
+    G --> I[Deploy to Machine]
+    H --> I
+    I --> J[Available in NixOS]
+```
+
+1. **Declare generators** in your NixOS configuration
+2. **Generate values** using `clan vars generate` (or automatically during deployment)
+3. **Store securely** in encrypted backends or version control
+4. **Deploy seamlessly** to your machines where they're accessible as file paths
+
+## Common Use Cases
+
+| Use Case | What Gets Generated | Benefits |
+|----------|-------------------|----------|
+| **User passwords** | Password hashes | No plaintext in config |
+| **SSH keys** | Host/user keypairs | Automated key rotation |
+| **TLS certificates** | Certificates + private keys | Automated PKI |
+| **Database credentials** | Passwords + connection strings | Secure service communication |
+| **API tokens** | Random tokens | Service authentication |
+| **Configuration files** | Complex configs with secrets | Dynamic config generation |
+
+## Architecture Overview
+
+The vars system has three main components:
+
+### 1. **Generators**
+Define how to create files from inputs:
+
+- **Prompts**: Values requested from users
+
+- **Scripts**: Generation logic  
+
+- **Dependencies**: Other generators this depends on
+
+- **Outputs**: Files that get created
+
+### 2. **Storage Backends**
+Handle secret storage and deployment:
+
+- **sops**: Encrypted files in git (recommended)
+
+- **password-store**: GPG/age-based secret storage
+
+## Quick Start Example
+
+Here's a complete example showing password generation and usage:
+
+```nix
+# generator.nix
+{ config, pkgs, ... }: {
+  clan.core.vars.generators.user-password = {
+    prompts.password = {
+      description = "User password";
+      type = "hidden";
+    };
+    files.hash = { secret = false; };
+    script = ''
+      mkpasswd -m sha-512 < $prompts/password > $out/hash
+    '';
+    runtimeInputs = [ pkgs.mkpasswd ];
+  };
+  
+  users.users.myuser = {
+    hashedPasswordFile = 
+      config.clan.core.vars.generators.user-password.files.hash.path;
+  };
+}
+```
+
+```bash
+# Generate the password
+clan vars generate my-machine
+
+# Deploy to machine
+clan machines update my-machine
+```
+
+## Migration from Facts
+
+If you're currently using the legacy facts system, see our [Migration Guide](../migrations/migration-facts-vars.md) for step-by-step instructions on upgrading to vars.
+

docs/site/guides/vars/vars-troubleshooting.md

@@ -0,0 +1,272 @@
+# Troubleshooting Vars
+
+Quick reference for diagnosing and fixing vars issues.
+
+## Common Issues
+
+### Generator Script Fails
+
+**Symptom**: Error during `clan vars generate` or deployment
+
+**Possible causes and solutions**:
+
+1. **Missing runtime inputs**
+   ```nix
+   # Wrong - missing required tool
+   runtimeInputs = [ ];
+   script = ''
+     openssl rand -hex 32 > $out/secret  # openssl not found!
+   '';
+   
+   # Correct
+   runtimeInputs = [ pkgs.openssl ];
+   ```
+
+2. **Wrong output path**
+   ```nix
+   # Wrong - must use $out
+   script = ''
+     echo "secret" > ./myfile
+   '';
+   
+   # Correct
+   script = ''
+     echo "secret" > $out/myfile
+   '';
+   ```
+
+3. **Missing declared files**
+   ```nix
+   files."config" = { };
+   files."key" = { };
+   script = ''
+     # Wrong - only generates one file
+     echo "data" > $out/config
+   '';
+   
+   # Correct - must generate all declared files
+   script = ''
+     echo "data" > $out/config
+     echo "key" > $out/key
+   '';
+   ```
+
+### Cannot Access Generated Files
+
+**Symptom**: "attribute 'value' missing" or file not found
+
+**Solutions**:
+
+1. **Secret files don't have `.value`**
+   ```nix
+   # Wrong - secret files can't use .value
+   files."secret" = { secret = true; };
+   # ...
+   environment.etc."app.conf".text = 
+     config.clan.core.vars.generators.app.files."secret".value;
+   
+   # Correct - use .path for secrets
+   environment.etc."app.conf".source = 
+     config.clan.core.vars.generators.app.files."secret".path;
+   ```
+
+2. **Public files should use `.value`**
+   ```nix
+   # Better for non-secrets
+   files."cert.pem" = { secret = false; };
+   # ...
+   sslCertificate = 
+     config.clan.core.vars.generators.ca.files."cert.pem".value;
+   ```
+
+### Dependencies Not Available
+
+**Symptom**: "No such file or directory" when accessing `$in/...`
+
+**Solution**: Declare dependencies correctly
+```nix
+clan.core.vars.generators.child = {
+  # Wrong - missing dependency
+  script = ''
+    cat $in/parent/file > $out/newfile
+  '';
+  
+  # Correct
+  dependencies = [ "parent" ];
+  script = ''
+    cat $in/parent/file > $out/newfile
+  '';
+};
+```
+
+### Permission Denied
+
+**Symptom**: Service cannot read generated secret file
+
+**Solution**: Set correct ownership and permissions
+```nix
+files."service.key" = {
+  secret = true;
+  owner = "myservice";  # Match service user
+  group = "myservice";
+  mode = "0400";       # Read-only for owner
+};
+```
+
+### Vars Not Regenerating
+
+**Symptom**: Changes to generator script don't trigger regeneration
+
+**Solution**: Use `--regenerate` flag
+```bash
+clan vars generate my-machine --generator my-generator --regenerate
+```
+
+### Prompts Not Working
+
+**Symptom**: Script fails with "No such file or directory" for prompts
+
+**Solution**: Access prompts correctly
+```nix
+# Wrong
+script = ''
+  echo $password > $out/file
+'';
+
+# Correct
+prompts.password.type = "hidden";
+script = ''
+  cat $prompts/password > $out/file
+'';
+```
+
+## Debugging Techniques
+
+### 1. Check Generator Status
+
+See what vars are set:
+```bash
+clan vars list my-machine
+```
+
+### 2. Inspect Generated Files
+
+For shared vars:
+```bash
+ls -la vars/shared/my-generator/
+```
+
+For per-machine vars:
+```bash
+ls -la vars/per-machine/my-machine/my-generator/
+```
+
+### 3. Test Generators Locally
+
+Create a test script to debug:
+```nix
+# test-generator.nix
+{ pkgs ? import <nixpkgs> {} }:
+pkgs.stdenv.mkDerivation {
+  name = "test-generator";
+  buildInputs = [ pkgs.openssl ];  # Your runtime inputs
+  buildCommand = ''
+    # Your generator script here
+    mkdir -p $out
+    openssl rand -hex 32 > $out/secret
+    ls -la $out/
+  '';
+}
+```
+
+Run with:
+```bash
+nix-build test-generator.nix
+```
+
+### 4. Enable Debug Logging
+
+Set debug mode:
+```bash
+clan --debug vars generate my-machine
+```
+
+### 5. Check File Permissions
+
+Verify generated secret permissions:
+```bash
+# On the target machine
+ls -la /run/secrets/
+```
+
+## Recovery Procedures
+
+### Regenerate All Vars
+
+If vars are corrupted or need refresh:
+```bash
+# Regenerate all for a machine
+clan vars generate my-machine --regenerate
+
+# Regenerate specific generator
+clan vars generate my-machine --generator my-generator --regenerate
+```
+
+### Manual Secret Injection
+
+For recovery or testing:
+```bash
+# Set a var manually (bypass generator)
+echo "temporary-secret" | clan vars set my-machine my-generator/my-file
+```
+
+### Restore from Backup
+
+Vars are stored in the repository:
+```bash
+# Restore previous version
+git checkout HEAD~1 -- vars/
+
+# Check and regenerate if needed
+clan vars list my-machine
+```
+
+## Storage Backend Issues
+
+### SOPS Decryption Fails
+
+**Symptom**: "Failed to decrypt" or permission errors
+
+**Solution**: Ensure your user/machine has the correct age keys configured. Clan manages encryption keys automatically based on the configured users and machines in your flake.
+
+Check that:
+
+1. Your machine is properly configured in the flake
+  
+2. Your user has access to the machine's secrets
+   
+3. The age key is available in the expected location
+
+### Password Store Issues
+
+**Symptom**: "pass: store not initialized"
+
+**Solution**: Initialize password store:
+```bash
+export PASSWORD_STORE_DIR=/path/to/clan/vars
+pass init your-gpg-key
+```
+
+## Getting Help
+
+If these solutions don't resolve your issue:
+
+1. Check the [clan-core issue tracker](https://git.clan.lol/clan/clan-core/issues)
+2. Ask in the Clan community channels
+3. Provide:
+  
+     - The generator configuration
+
+     - The exact error message
+
+     - Output of `clan --debug vars generate`

docs/site/index.md

@@ -55,7 +55,7 @@ Explore the underlying principles of Clan
 
 <div class="grid cards" markdown>
 
--   [Generators](./concepts/generators.md)
+-   [Vars](./guides/vars/vars-overview.md)
 
     ---
 

flake.lock

@@ -13,11 +13,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1756091210,
-        "narHash": "sha256-oEUEAZnLbNHi8ti4jY8x10yWcIkYoFc5XD+2hjmOS04=",
-        "rev": "eb831bca21476fa8f6df26cb39e076842634700d",
+        "lastModified": 1757905600,
+        "narHash": "sha256-Yd7buL9N7N7IaDVViItqP9HsECfnlDFykxvvNgMYcKk=",
+        "rev": "c10c4002bdc5aef040fcbb814d5f482e82dc8345",
         "type": "tarball",
-        "url": "https://git.clan.lol/api/v1/repos/clan/data-mesher/archive/eb831bca21476fa8f6df26cb39e076842634700d.tar.gz"
+        "url": "https://git.clan.lol/api/v1/repos/clan/data-mesher/archive/c10c4002bdc5aef040fcbb814d5f482e82dc8345.tar.gz"
       },
       "original": {
         "type": "tarball",
@@ -31,11 +31,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1756115622,
-        "narHash": "sha256-iv8xVtmLMNLWFcDM/HcAPLRGONyTRpzL9NS09RnryRM=",
+        "lastModified": 1757508292,
+        "narHash": "sha256-7lVWL5bC6xBIMWWDal41LlGAG+9u2zUorqo3QCUL4p4=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "bafad29f89e83b2d861b493aa23034ea16595560",
+        "rev": "146f45bee02b8bd88812cfce6ffc0f933788875a",
         "type": "github"
       },
       "original": {
@@ -51,11 +51,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1754487366,
-        "narHash": "sha256-pHYj8gUBapuUzKV/kN/tR3Zvqc7o6gdFB9XKXIp1SQ8=",
+        "lastModified": 1756770412,
+        "narHash": "sha256-+uWLQZccFHwqpGqr2Yt5VsW/PbeJVTn9Dk6SHWhNRPw=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "af66ad14b28a127c5c0f3bbb298218fc63528a18",
+        "rev": "4524271976b625a4a605beefd893f270620fd751",
         "type": "github"
       },
       "original": {
@@ -71,11 +71,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1755825449,
-        "narHash": "sha256-XkiN4NM9Xdy59h69Pc+Vg4PxkSm9EWl6u7k6D5FZ5cM=",
+        "lastModified": 1757430124,
+        "narHash": "sha256-MhDltfXesGH8VkGv3hmJ1QEKl1ChTIj9wmGAFfWj/Wk=",
         "owner": "nix-darwin",
         "repo": "nix-darwin",
-        "rev": "8df64f819698c1fee0c2969696f54a843b2231e8",
+        "rev": "830b3f0b50045cf0bcfd4dab65fad05bf882e196",
         "type": "github"
       },
       "original": {
@@ -99,11 +99,11 @@
     },
     "nixos-facter-modules": {
       "locked": {
-        "lastModified": 1756291602,
-        "narHash": "sha256-FYhiArSzcx60OwoH3JBp5Ho1D5HEwmZx6WoquauDv3g=",
+        "lastModified": 1756491981,
+        "narHash": "sha256-lXyDAWPw/UngVtQfgQ8/nrubs2r+waGEYIba5UX62+k=",
         "owner": "nix-community",
         "repo": "nixos-facter-modules",
-        "rev": "5c37cee817c94f50710ab11c25de572bc3604bd5",
+        "rev": "c1b29520945d3e148cd96618c8a0d1f850965d8c",
         "type": "github"
       },
       "original": {
@@ -146,11 +146,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1754988908,
-        "narHash": "sha256-t+voe2961vCgrzPFtZxha0/kmFSHFobzF00sT8p9h0U=",
+        "lastModified": 1757449901,
+        "narHash": "sha256-qwN8nYdSRnmmyyi+uR6m4gXnVktmy5smG1MOrSFD8PI=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "3223c7a92724b5d804e9988c6b447a0d09017d48",
+        "rev": "3b4a369df9dd6ee171a7ea4448b50e2528faf850",
         "type": "github"
       },
       "original": {
@@ -181,11 +181,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1755934250,
-        "narHash": "sha256-CsDojnMgYsfshQw3t4zjRUkmMmUdZGthl16bXVWgRYU=",
+        "lastModified": 1756662192,
+        "narHash": "sha256-F1oFfV51AE259I85av+MAia221XwMHCOtZCMcZLK2Jk=",
         "owner": "numtide",
         "repo": "treefmt-nix",
-        "rev": "74e1a52d5bd9430312f8d1b8b0354c92c17453e5",
+        "rev": "1aabc6c05ccbcbf4a635fb7a90400e44282f61c4",
         "type": "github"
       },
       "original": {

flake.nix

@@ -51,7 +51,7 @@
         ;
 
       privateInputs =
-        if builtins.pathExists (./. + ".skip-private-inputs") then
+        if builtins.pathExists (./. + "/.skip-private-inputs") then
           { }
         else
           (import ./devFlake/flake-compat.nix {

lib/clanTest/flake-module.nix

@@ -87,6 +87,8 @@ in
       relativeDir = removePrefix "${self}/" (toString config.clan.directory);
 
       update-vars = hostPkgs.writeShellScriptBin "update-vars" ''
+        set -x
+        export PRJ_ROOT=$(git rev-parse --show-toplevel)
         ${update-vars-script} $PRJ_ROOT/${relativeDir} ${testName}
       '';
 

lib/modules/clan/module.nix

@@ -245,6 +245,8 @@ in
               in
               { config, ... }:
               {
+                staticModules = clan-core.clan.modules;
+
                 distributedServices = clanLib.inventory.mapInstances {
                   inherit (clanConfig) inventory exportsModule;
                   inherit flakeInputs directory;

lib/modules/inventoryClass/service-list-from-inputs.nix

@@ -23,6 +23,12 @@ let
     };
 in
 {
+  options.staticModules = lib.mkOption {
+    readOnly = true;
+    type = lib.types.raw;
+
+    apply = moduleSet: lib.mapAttrs (inspectModule "<clan-core>") moduleSet;
+  };
   options.modulesPerSource = lib.mkOption {
     # { sourceName :: { moduleName :: {} }}
     readOnly = true;

lib/test/container-test-driver/test_driver/__init__.py

@@ -268,8 +268,14 @@ class Machine:
         )
 
     def nsenter_command(self, command: str) -> list[str]:
+        nsenter = shutil.which("nsenter")
+
+        if not nsenter:
+            msg = "nsenter command not found"
+            raise RuntimeError(msg)
+
         return [
-            "nsenter",
+            nsenter,
             "--target",
             str(self.container_pid),
             "--mount",
@@ -326,6 +332,7 @@ class Machine:
 
         return subprocess.run(
             self.nsenter_command(command),
+            env={},
             timeout=timeout,
             check=False,
             stdout=subprocess.PIPE,

nixosModules/clanCore/defaults.nix

@@ -10,7 +10,7 @@
     lib.mkIf config.clan.core.enableRecommendedDefaults {
 
       # Enable automatic state-version generation.
-      clan.core.settings.state-version.enable = true;
+      clan.core.settings.state-version.enable = lib.mkDefault true;
 
       # Use systemd during boot as well except:
       # - systems with raids as this currently require manual configuration: https://github.com/NixOS/nixpkgs/issues/210210

nixosModules/clanCore/zerotier/default.nix

@@ -189,8 +189,12 @@ in
       clan.core.vars.generators.zerotier = {
         migrateFact = "zerotier";
         files.zerotier-ip.secret = false;
+        files.zerotier-ip.restartUnits = [ "zerotierone.service" ];
         files.zerotier-network-id.secret = false;
-        files.zerotier-identity-secret = { };
+        files.zerotier-network-id.restartUnits = [ "zerotierone.service" ];
+        files.zerotier-identity-secret = {
+          restartUnits = [ "zerotierone.service" ];
+        };
         runtimeInputs = [
           config.services.zerotierone.package
           pkgs.python3
@@ -211,7 +215,10 @@ in
       clan.core.vars.generators.zerotier = {
         migrateFact = "zerotier";
         files.zerotier-ip.secret = false;
-        files.zerotier-identity-secret = { };
+        files.zerotier-ip.restartUnits = [ "zerotierone.service" ];
+        files.zerotier-identity-secret = {
+          restartUnits = [ "zerotierone.service" ];
+        };
         runtimeInputs = [
           config.services.zerotierone.package
           pkgs.python3

nixosModules/installer/zfs-latest.nix

@@ -12,8 +12,14 @@ let
     (builtins.match "linux_[0-9]+_[0-9]+" name) != null
     && (builtins.tryEval kernelPackages).success
     && (
-      (!isUnstable && !kernelPackages.zfs.meta.broken)
-      || (isUnstable && !kernelPackages.zfs_unstable.meta.broken)
+      let
+        zfsPackage =
+          if isUnstable then
+            kernelPackages.zfs_unstable
+          else
+            kernelPackages.${pkgs.zfs.kernelModuleAttribute};
+      in
+      !(zfsPackage.meta.broken or false)
     )
   ) pkgs.linuxKernel.packages;
   latestKernelPackage = lib.last (
@@ -24,5 +30,5 @@ let
 in
 {
   # Note this might jump back and worth as kernel get added or removed.
-  boot.kernelPackages = latestKernelPackage;
+  boot.kernelPackages = lib.mkIf (lib.meta.availableOn pkgs.hostPlatform pkgs.zfs) latestKernelPackage;
 }

pkgs/clan-app/clan_app/api/api_bridge.py

@@ -1,16 +1,15 @@
 import logging
 import threading
-from abc import ABC, abstractmethod
 from contextlib import ExitStack
-from dataclasses import dataclass, field
-from typing import TYPE_CHECKING, Any
+from dataclasses import dataclass
+from typing import TYPE_CHECKING, Any, Protocol
 
 from clan_lib.api import ApiError, ApiResponse, ErrorDataClass
 from clan_lib.api.tasks import WebThread
 from clan_lib.async_run import set_current_thread_opkey, set_should_cancel
 
 if TYPE_CHECKING:
-    from .middleware import Middleware
+    from clan_app.middleware.base import Middleware
 
 log = logging.getLogger(__name__)
 
@@ -30,20 +29,17 @@ class BackendResponse:
     _op_key: str
 
 
-@dataclass
-class ApiBridge(ABC):
+class ApiBridge(Protocol):
     """Generic interface for API bridges that can handle method calls from different sources."""
 
     middleware_chain: tuple["Middleware", ...]
-    threads: dict[str, WebThread] = field(default_factory=dict)
+    threads: dict[str, WebThread]
 
-    @abstractmethod
-    def send_api_response(self, response: BackendResponse) -> None:
-        """Send response back to the client."""
+    def send_api_response(self, response: BackendResponse) -> None: ...
 
     def process_request(self, request: BackendRequest) -> None:
         """Process an API request through the middleware chain."""
-        from .middleware import MiddlewareContext  # noqa: PLC0415
+        from clan_app.middleware.base import MiddlewareContext  # noqa: PLC0415
 
         with ExitStack() as stack:
             context = MiddlewareContext(

pkgs/clan-app/clan_app/api/middleware.py

@@ -0,0 +1,20 @@
+"""Compatibility wrapper for relocated middleware components.
+
+This module preserves the legacy import path ``clan_app.api.middleware`` while
+the actual middleware implementations now live in ``clan_app.middleware``.
+"""
+
+from __future__ import annotations
+
+from warnings import warn
+
+import clan_app.middleware as _middleware
+from clan_app.middleware import *  # noqa: F403
+
+warn(
+    "clan_app.api.middleware is deprecated; use clan_app.middleware instead",
+    DeprecationWarning,
+    stacklevel=2,
+)
+
+__all__ = _middleware.__all__

pkgs/clan-app/clan_app/app.py

@@ -12,13 +12,13 @@ from clan_lib.log_manager import LogGroupConfig, LogManager
 from clan_lib.log_manager import api as log_manager_api
 
 from clan_app.api.file_gtk import get_clan_folder, get_system_file
-from clan_app.api.middleware import (
+from clan_app.deps.http.http_server import HttpApiServer
+from clan_app.deps.webview.webview import Size, SizeHint, Webview
+from clan_app.middleware import (
     ArgumentParsingMiddleware,
     LoggingMiddleware,
     MethodExecutionMiddleware,
 )
-from clan_app.deps.http.http_server import HttpApiServer
-from clan_app.deps.webview.webview import Size, SizeHint, Webview
 
 log = logging.getLogger(__name__)
 
@@ -109,6 +109,7 @@ def app_run(app_opts: ClanAppOptions) -> int:
             title="Clan App",
             size=Size(1280, 1024, SizeHint.NONE),
             shared_threads=shared_threads,
+            app_id="org.clan.app",
         )
 
         API.overwrite_fn(get_system_file)

pkgs/clan-app/clan_app/deps/http/http_bridge.py

@@ -21,7 +21,7 @@ from clan_lib.async_run import (
 from clan_app.api.api_bridge import ApiBridge, BackendRequest, BackendResponse
 
 if TYPE_CHECKING:
-    from clan_app.api.middleware import Middleware
+    from clan_app.middleware.base import Middleware
 
 log = logging.getLogger(__name__)
 

pkgs/clan-app/clan_app/deps/http/http_server.py

@@ -8,7 +8,7 @@ from clan_lib.api import MethodRegistry
 from clan_lib.api.tasks import WebThread
 
 if TYPE_CHECKING:
-    from clan_app.api.middleware import Middleware
+    from clan_app.middleware.base import Middleware
 
 from .http_bridge import HttpBridge
 

pkgs/clan-app/clan_app/deps/http/test_http_api.py

@@ -10,11 +10,11 @@ import pytest
 from clan_lib.api import MethodRegistry, tasks
 from clan_lib.async_run import is_async_cancelled
 
-from clan_app.api.middleware import (
+from clan_app.deps.http.http_server import HttpApiServer
+from clan_app.middleware import (
     ArgumentParsingMiddleware,
     MethodExecutionMiddleware,
 )
-from clan_app.deps.http.http_server import HttpApiServer
 
 log = logging.getLogger(__name__)
 

pkgs/clan-app/clan_app/deps/webview/_webview_ffi.py

@@ -5,6 +5,11 @@ import platform
 from ctypes import CFUNCTYPE, c_char_p, c_int, c_void_p
 from pathlib import Path
 
+# Native handle kinds
+WEBVIEW_NATIVE_HANDLE_KIND_UI_WINDOW = 0
+WEBVIEW_NATIVE_HANDLE_KIND_UI_WIDGET = 1
+WEBVIEW_NATIVE_HANDLE_KIND_BROWSER_CONTROLLER = 2
+
 
 def _encode_c_string(s: str) -> bytes:
     return s.encode("utf-8")
@@ -72,6 +77,10 @@ class _WebviewLibrary:
         self.webview_create.argtypes = [c_int, c_void_p]
         self.webview_create.restype = c_void_p
 
+        self.webview_create_with_app_id = self.lib.webview_create_with_app_id
+        self.webview_create_with_app_id.argtypes = [c_int, c_void_p, c_char_p]
+        self.webview_create_with_app_id.restype = c_void_p
+
         self.webview_destroy = self.lib.webview_destroy
         self.webview_destroy.argtypes = [c_void_p]
 
@@ -105,6 +114,10 @@ class _WebviewLibrary:
         self.webview_return = self.lib.webview_return
         self.webview_return.argtypes = [c_void_p, c_char_p, c_int, c_char_p]
 
+        self.webview_get_native_handle = self.lib.webview_get_native_handle
+        self.webview_get_native_handle.argtypes = [c_void_p, c_int]
+        self.webview_get_native_handle.restype = c_void_p
+
         self.binding_callback_t = CFUNCTYPE(None, c_char_p, c_char_p, c_void_p)
 
         self.CFUNCTYPE = CFUNCTYPE

pkgs/clan-app/clan_app/deps/webview/webview.py

@@ -1,6 +1,7 @@
 import functools
 import json
 import logging
+import platform
 import threading
 from collections.abc import Callable
 from dataclasses import dataclass, field
@@ -11,11 +12,14 @@ from typing import TYPE_CHECKING, Any
 from clan_lib.api import MethodRegistry, message_queue
 from clan_lib.api.tasks import WebThread
 
-from ._webview_ffi import _encode_c_string, _webview_lib
+from ._webview_ffi import (
+    _encode_c_string,
+    _webview_lib,
+)
 from .webview_bridge import WebviewBridge
 
 if TYPE_CHECKING:
-    from clan_app.api.middleware import Middleware
+    from clan_app.middleware.base import Middleware
 
 log = logging.getLogger(__name__)
 
@@ -32,6 +36,21 @@ class FuncStatus(IntEnum):
     FAILURE = 1
 
 
+class NativeHandleKind(IntEnum):
+    # Top-level window. @c GtkWindow pointer (GTK), @c NSWindow pointer (Cocoa)
+    # or @c HWND (Win32)
+    UI_WINDOW = 0
+
+    # Browser widget. @c GtkWidget pointer (GTK), @c NSView pointer (Cocoa) or
+    # @c HWND (Win32).
+    UI_WIDGET = 1
+
+    # Browser controller. @c WebKitWebView pointer (WebKitGTK), @c WKWebView
+    # pointer (Cocoa/WebKit) or @c ICoreWebView2Controller pointer
+    # (Win32/WebView2).
+    BROWSER_CONTROLLER = 2
+
+
 @dataclass(frozen=True)
 class Size:
     width: int
@@ -46,6 +65,7 @@ class Webview:
     size: Size | None = None
     window: int | None = None
     shared_threads: dict[str, WebThread] | None = None
+    app_id: str | None = None
 
     # initialized later
     _bridge: WebviewBridge | None = None
@@ -56,7 +76,14 @@ class Webview:
     def _create_handle(self) -> None:
         # Initialize the webview handle
         with_debugger = True
-        handle = _webview_lib.webview_create(int(with_debugger), self.window)
+
+        # Use webview_create_with_app_id only on Linux if app_id is provided
+        if self.app_id and platform.system() == "Linux":
+            handle = _webview_lib.webview_create_with_app_id(
+                int(with_debugger), self.window, _encode_c_string(self.app_id)
+            )
+        else:
+            handle = _webview_lib.webview_create(int(with_debugger), self.window)
         callbacks: dict[str, Callable[..., Any]] = {}
 
         # Since we can't use object.__setattr__, we'll initialize differently
@@ -217,6 +244,21 @@ class Webview:
         self._callbacks[name] = c_callback
         _webview_lib.webview_bind(self.handle, _encode_c_string(name), c_callback, None)
 
+    def get_native_handle(
+        self, kind: NativeHandleKind = NativeHandleKind.UI_WINDOW
+    ) -> int | None:
+        """Get the native handle (platform-dependent).
+
+        Args:
+            kind: Handle kind - NativeHandleKind enum value
+
+        Returns:
+            Native handle as integer, or None if failed
+
+        """
+        handle = _webview_lib.webview_get_native_handle(self.handle, kind.value)
+        return handle if handle else None
+
     def unbind(self, name: str) -> None:
         if name in self._callbacks:
             _webview_lib.webview_unbind(self.handle, _encode_c_string(name))

pkgs/clan-app/clan_app/deps/webview/webview_bridge.py

@@ -1,6 +1,6 @@
 import json
 import logging
-from dataclasses import dataclass
+from dataclasses import dataclass, field
 from typing import TYPE_CHECKING
 
 from clan_lib.api import dataclass_to_dict
@@ -9,6 +9,8 @@ from clan_lib.api.tasks import WebThread
 from clan_app.api.api_bridge import ApiBridge, BackendRequest, BackendResponse
 
 if TYPE_CHECKING:
+    from clan_app.middleware.base import Middleware
+
     from .webview import Webview
 
 log = logging.getLogger(__name__)
@@ -19,7 +21,8 @@ class WebviewBridge(ApiBridge):
     """Webview-specific implementation of the API bridge."""
 
     webview: "Webview"
-    threads: dict[str, WebThread]  # Inherited from ApiBridge
+    middleware_chain: tuple["Middleware", ...]
+    threads: dict[str, WebThread] = field(default_factory=dict)
 
     def send_api_response(self, response: BackendResponse) -> None:
         """Send response back to the webview client."""

pkgs/clan-app/clan_app/middleware/__init__.py

@@ -1,4 +1,4 @@
-"""Middleware components for the webview API bridge."""
+"""Middleware components shared by API bridge implementations."""
 
 from .argument_parsing import ArgumentParsingMiddleware
 from .base import Middleware, MiddlewareContext

pkgs/clan-app/default.nix

@@ -11,6 +11,11 @@
   gobject-introspection,
   gtk4,
   lib,
+  stdenv,
+  # macOS-specific dependencies
+  imagemagick,
+  makeWrapper,
+  libicns,
 }:
 let
   source =
@@ -91,7 +96,12 @@ pythonRuntime.pkgs.buildPythonApplication {
     # gtk4 deps
     wrapGAppsHook4
   ]
-  ++ runtimeDependencies;
+  ++ runtimeDependencies
+  ++ lib.optionals stdenv.hostPlatform.isDarwin [
+    imagemagick
+    makeWrapper
+    libicns
+  ];
 
   # The necessity of setting buildInputs and propagatedBuildInputs to the
   # same values for your Python package within Nix largely stems from ensuring
@@ -148,16 +158,113 @@ pythonRuntime.pkgs.buildPythonApplication {
   postInstall = ''
     mkdir -p $out/${pythonRuntime.sitePackages}/clan_app/.webui
     cp -r ${clan-app-ui}/lib/node_modules/@clan/ui/dist/* $out/${pythonRuntime.sitePackages}/clan_app/.webui
-    mkdir -p $out/share/icons/hicolor
-    cp -r ./clan_app/assets/white-favicons/* $out/share/icons/hicolor
+
+    ${lib.optionalString (!stdenv.hostPlatform.isDarwin) ''
+      mkdir -p $out/share/icons/hicolor
+      cp -r ./clan_app/assets/white-favicons/* $out/share/icons/hicolor
+    ''}
+
+    ${lib.optionalString stdenv.hostPlatform.isDarwin ''
+      set -eu pipefail
+      # Create macOS app bundle structure
+      mkdir -p "$out/Applications/Clan App.app/Contents/"{MacOS,Resources}
+
+      # Create Info.plist
+      cat > "$out/Applications/Clan App.app/Contents/Info.plist" << 'EOF'
+      <?xml version="1.0" encoding="UTF-8"?>
+      <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+      <plist version="1.0">
+      <dict>
+          <key>CFBundleDisplayName</key>
+          <string>Clan App</string>
+          <key>CFBundleExecutable</key>
+          <string>Clan App</string>
+          <key>CFBundleIconFile</key>
+          <string>clan-app.icns</string>
+          <key>CFBundleIdentifier</key>
+          <string>org.clan.app</string>
+          <key>CFBundleName</key>
+          <string>Clan App</string>
+          <key>CFBundlePackageType</key>
+          <string>APPL</string>
+          <key>CFBundleShortVersionString</key>
+          <string>1.0</string>
+          <key>CFBundleVersion</key>
+          <string>1.0</string>
+          <key>NSHighResolutionCapable</key>
+          <true/>
+          <key>NSPrincipalClass</key>
+          <string>NSApplication</string>
+          <key>CFBundleInfoDictionaryVersion</key>
+          <string>6.0</string>
+          <key>CFBundleURLTypes</key>
+          <array>
+              <dict>
+                  <key>CFBundleURLName</key>
+                  <string>Clan Protocol</string>
+                  <key>CFBundleURLSchemes</key>
+                  <array>
+                      <string>clan</string>
+                  </array>
+              </dict>
+          </array>
+      </dict>
+      </plist>
+      EOF
+
+      # Create app icon (convert PNG to ICNS using minimal approach to avoid duplicates)
+      # Create a temporary iconset directory structure
+      mkdir clan-app.iconset
+
+      # Create a minimal iconset with only essential, non-duplicate sizes
+      # Each PNG file should map to a unique ICNS type
+      cp ./clan_app/assets/white-favicons/16x16/apps/clan-app.png clan-app.iconset/icon_16x16.png
+      cp ./clan_app/assets/white-favicons/128x128/apps/clan-app.png clan-app.iconset/icon_128x128.png
+
+      # Use libicns png2icns tool to create proper ICNS file with minimal set
+      png2icns "$out/Applications/Clan App.app/Contents/Resources/clan-app.icns" \
+        clan-app.iconset/icon_16x16.png \
+        clan-app.iconset/icon_128x128.png
+
+      # Create PkgInfo file (standard requirement for macOS apps)
+      echo -n "APPL????" > "$out/Applications/Clan App.app/Contents/PkgInfo"
+
+      # Create the main executable script with proper process name
+      cat > "$out/Applications/Clan App.app/Contents/MacOS/Clan App" << EOF
+      #!/bin/bash
+      # Execute with the correct process name for app icon to appear
+      exec -a "\$0" "$out/bin/.clan-app-orig" "\$@"
+      EOF
+
+      chmod +x "$out/Applications/Clan App.app/Contents/MacOS/Clan App"
+      set +eu pipefail
+    ''}
   '';
 
+  # TODO: If we start clan-app over the cli the process name is "python" and icons don't show up correctly on macOS
+  # I looked in how blender does it, but couldn't figure it out yet.
+  # They do an exec -a in their wrapper script, but that doesn't seem to work here.
+
   # Don't leak python packages into a devshell.
   # It can be very confusing if you `nix run` than load the cli from the devshell instead.
   postFixup = ''
     rm $out/nix-support/propagated-build-inputs
+  ''
+  + lib.optionalString stdenv.hostPlatform.isDarwin ''
+    set -eu pipefail
+    mv $out/bin/clan-app $out/bin/.clan-app-orig
+
+
+    # Create command line wrapper that executes the app bundle
+    cat > $out/bin/clan-app << EOF
+    #!/bin/bash
+    exec "$out/Applications/Clan App.app/Contents/MacOS/Clan App" "\$@"
+    EOF
+    chmod +x $out/bin/clan-app
+    set +eu pipefail
   '';
   checkPhase = ''
+    set -eu pipefail
     export FONTCONFIG_FILE=${fontconfig.out}/etc/fonts/fonts.conf
     export FONTCONFIG_PATH=${fontconfig.out}/etc/fonts
 
@@ -171,6 +278,7 @@ pythonRuntime.pkgs.buildPythonApplication {
     fc-list
 
     PYTHONPATH= $out/bin/clan-app --help
+    set +eu pipefail
   '';
   desktopItems = [ desktop-file ];
 }

pkgs/clan-app/fonts.nix

@@ -48,6 +48,10 @@ let
     url = "https://github.com/eigilnikolajsen/commit-mono/raw/0b3b192f035cdc8d1ea8ffb5463cc23d73d0b89f/src/fonts/fontlab/CommitMonoV143-VF.woff2";
     hash = "sha256-80LKbD8ll+bA/NhLPz7WTTzlvbbQrxnRkNZFpVixzyk=";
   };
+  archivoSemi_ttf = fetchurl {
+    url = "https://github.com/Omnibus-Type/Archivo/raw/b5d63988ce19d044d3e10362de730af00526b672/fonts/ttf/ArchivoSemiCondensed-Medium.ttf";
+    hash = "sha256-Kot1CvKqnXW1VZ7zX2wYZEziSA/l9J0gdfKkSdBxZ0w=";
+  };
 
 in
 runCommand "" { } ''
@@ -62,4 +66,5 @@ runCommand "" { } ''
   cp ${archivoSemi.semiBold} $out/ArchivoSemiCondensed-SemiBold.woff2
 
   cp ${commitMono} $out/CommitMonoV143-VF.woff2
+  cp ${archivoSemi_ttf} $out/ArchivoSemiCondensed-Medium.ttf
 ''

pkgs/clan-app/install-desktop.sh

@@ -1,10 +1,5 @@
 #!/usr/bin/env bash
 
-
-if ! command -v xdg-mime &> /dev/null; then
-  echo "Warning: 'xdg-mime' is not available. The desktop file cannot be installed."
-fi
-
 ALREADY_INSTALLED=$(nix profile list --json |  jq 'has("elements") and (.elements | has("clan-app"))')
 
 if [ "$ALREADY_INSTALLED" = "true" ]; then
@@ -14,9 +9,23 @@ else
   nix profile install .#clan-app
 fi
 
+# Check OS type
+if [[ "$OSTYPE" == "linux-gnu"* ]]; then
 
-# install desktop file
-set -eou pipefail
-DESKTOP_FILE_NAME=org.clan.app.desktop
+  if ! command -v xdg-mime &> /dev/null; then
+    echo "Warning: 'xdg-mime' is not available. The desktop file cannot be installed."
+  fi
 
-xdg-mime default "$DESKTOP_FILE_NAME"  x-scheme-handler/clan
+  # install desktop file on Linux
+  set -eou pipefail
+  DESKTOP_FILE_NAME=org.clan.app.desktop
+  xdg-mime default "$DESKTOP_FILE_NAME" x-scheme-handler/clan
+
+elif [[ "$OSTYPE" == "darwin"* ]]; then
+  echo "macOS detected."
+  mkdir -p ~/Applications
+  ln -sf ~/.nix-profile/Applications/Clan\ App.app ~/Applications
+  /System/Library/Frameworks/CoreServices.framework/Frameworks/LaunchServices.framework/Support/lsregister -f ~/Applications/Clan\ App.app
+else
+  echo "Unsupported OS: $OSTYPE"
+fi

pkgs/clan-app/macos-remote.sh

@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+
+set -eou pipefail
+
+rsync --exclude result --exclude .direnv --exclude node_modules --delete -r ~/Projects/clan-core/pkgs/clan-app  mac-mini-dev:~/clan-core/pkgs
+
+ssh mac-mini-dev "cd \$HOME/clan-core/pkgs/clan-app && nix build .#clan-app -Lv --show-trace"
+ssh mac-mini-dev "cd \$HOME/clan-core/pkgs/clan-app && ./install-desktop.sh"
+

pkgs/clan-app/shell.nix

@@ -91,6 +91,8 @@ mkShell {
     pushd "$CLAN_CORE_PATH/pkgs/clan-app/ui"
     export NODE_PATH="$(pwd)/node_modules"
     export PATH="$NODE_PATH/.bin:$(pwd)/bin:$PATH"
+
+    rm -rf .fonts || true
     cp -r ${self'.packages.fonts} .fonts
     chmod -R +w .fonts
     mkdir -p api

pkgs/clan-app/ui/gtk.webview.js

@@ -38,7 +38,7 @@ fs.readFile(manifestPath, { encoding: "utf8" }, (err, data) => {
   assets.forEach((asset) => {
     // console.log(asset);
     if (asset.src === "index.html") {
-      asset.css.forEach((cssEntry) => {
+      asset.css?.forEach((cssEntry) => {
         // css to be processed
 
         const css = fs.readFileSync(`dist/${cssEntry}`, "utf8");

pkgs/clan-app/ui/package-lock.json

@@ -23,6 +23,7 @@
         "solid-js": "^1.9.7",
         "solid-toast": "^0.5.0",
         "three": "^0.176.0",
+        "troika-three-text": "^0.52.4",
         "valibot": "^1.1.0"
       },
       "devDependencies": {
@@ -3807,6 +3808,15 @@
         "node": ">=12.0.0"
       }
     },
+    "node_modules/bidi-js": {
+      "version": "1.0.3",
+      "resolved": "https://registry.npmjs.org/bidi-js/-/bidi-js-1.0.3.tgz",
+      "integrity": "sha512-RKshQI1R3YQ+n9YJz2QQ147P66ELpa1FQEg20Dk8oW9t2KgLbpDLLp9aGZ7y8WHSshDknG0bknqGw5/tyCs5tw==",
+      "license": "MIT",
+      "dependencies": {
+        "require-from-string": "^2.0.2"
+      }
+    },
     "node_modules/binary-extensions": {
       "version": "2.3.0",
       "resolved": "https://registry.npmjs.org/binary-extensions/-/binary-extensions-2.3.0.tgz",
@@ -7528,6 +7538,15 @@
         "node": ">=0.10.0"
       }
     },
+    "node_modules/require-from-string": {
+      "version": "2.0.2",
+      "resolved": "https://registry.npmjs.org/require-from-string/-/require-from-string-2.0.2.tgz",
+      "integrity": "sha512-Xf0nWe6RseziFMu+Ap9biiUbmplq6S9/p+7w7YXP/JBHhrUDDUhwa+vANyubuqfZWTveU//DYVGsDG7RKL/vEw==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
     "node_modules/requires-port": {
       "version": "1.0.0",
       "resolved": "https://registry.npmjs.org/requires-port/-/requires-port-1.0.0.tgz",
@@ -8655,6 +8674,36 @@
         "tree-kill": "cli.js"
       }
     },
+    "node_modules/troika-three-text": {
+      "version": "0.52.4",
+      "resolved": "https://registry.npmjs.org/troika-three-text/-/troika-three-text-0.52.4.tgz",
+      "integrity": "sha512-V50EwcYGruV5rUZ9F4aNsrytGdKcXKALjEtQXIOBfhVoZU9VAqZNIoGQ3TMiooVqFAbR1w15T+f+8gkzoFzawg==",
+      "license": "MIT",
+      "dependencies": {
+        "bidi-js": "^1.0.2",
+        "troika-three-utils": "^0.52.4",
+        "troika-worker-utils": "^0.52.0",
+        "webgl-sdf-generator": "1.1.1"
+      },
+      "peerDependencies": {
+        "three": ">=0.125.0"
+      }
+    },
+    "node_modules/troika-three-utils": {
+      "version": "0.52.4",
+      "resolved": "https://registry.npmjs.org/troika-three-utils/-/troika-three-utils-0.52.4.tgz",
+      "integrity": "sha512-NORAStSVa/BDiG52Mfudk4j1FG4jC4ILutB3foPnfGbOeIs9+G5vZLa0pnmnaftZUGm4UwSoqEpWdqvC7zms3A==",
+      "license": "MIT",
+      "peerDependencies": {
+        "three": ">=0.125.0"
+      }
+    },
+    "node_modules/troika-worker-utils": {
+      "version": "0.52.0",
+      "resolved": "https://registry.npmjs.org/troika-worker-utils/-/troika-worker-utils-0.52.0.tgz",
+      "integrity": "sha512-W1CpvTHykaPH5brv5VHLfQo9D1OYuo0cSBEUQFFT/nBUzM8iD6Lq2/tgG/f1OelbAS1WtaTPQzE5uM49egnngw==",
+      "license": "MIT"
+    },
     "node_modules/ts-api-utils": {
       "version": "2.1.0",
       "resolved": "https://registry.npmjs.org/ts-api-utils/-/ts-api-utils-2.1.0.tgz",
@@ -9268,6 +9317,12 @@
         "node": "20 || >=22"
       }
     },
+    "node_modules/webgl-sdf-generator": {
+      "version": "1.1.1",
+      "resolved": "https://registry.npmjs.org/webgl-sdf-generator/-/webgl-sdf-generator-1.1.1.tgz",
+      "integrity": "sha512-9Z0JcMTFxeE+b2x1LJTdnaT8rT8aEp7MVxkNwoycNmJWwPdzoXzMh0BjJSh/AEFP+KPYZUli814h8bJZFIZ2jA==",
+      "license": "MIT"
+    },
     "node_modules/webidl-conversions": {
       "version": "7.0.0",
       "resolved": "https://registry.npmjs.org/webidl-conversions/-/webidl-conversions-7.0.0.tgz",

pkgs/clan-app/ui/package.json

@@ -80,6 +80,7 @@
     "solid-js": "^1.9.7",
     "solid-toast": "^0.5.0",
     "three": "^0.176.0",
+    "troika-three-text": "^0.52.4",
     "valibot": "^1.1.0"
   },
   "optionalDependencies": {

pkgs/clan-app/ui/src/components/ContextMenu/ContextMenu.module.css

@@ -0,0 +1,33 @@
+.list {
+  display: flex;
+  width: 113px;
+  padding: 8px;
+  flex-direction: column;
+  align-items: flex-start;
+
+  border-radius: 5px;
+  border: 1px solid var(--clr-border-def-2, #d8e8eb);
+  background: var(--clr-bg-def-1, #fff);
+  box-shadow: 0 3px 8px 0 rgba(0, 0, 0, 0.24);
+}
+
+.item {
+  max-height: 28px;
+  height: 28px;
+  padding: 4px 8px;
+  cursor: pointer;
+
+  display: flex;
+  align-items: center;
+  align-self: stretch;
+  gap: 4px;
+
+  &:hover {
+    @apply bg-def-3;
+    border-radius: 2px;
+  }
+  &[aria-disabled="true"] {
+    cursor: not-allowed;
+    pointer-events: none;
+  }
+}

pkgs/clan-app/ui/src/components/ContextMenu/ContextMenu.tsx

@@ -0,0 +1,66 @@
+import { onCleanup, onMount } from "solid-js";
+import styles from "./ContextMenu.module.css";
+import { Typography } from "../Typography/Typography";
+
+export const Menu = (props: {
+  x: number;
+  y: number;
+  onSelect: (option: "move") => void;
+  close: () => void;
+  intersect: string[];
+}) => {
+  let ref: HTMLUListElement;
+
+  const handleClickOutside = (e: MouseEvent) => {
+    if (!ref.contains(e.target as Node)) {
+      props.close();
+    }
+  };
+
+  onMount(() => {
+    document.addEventListener("mousedown", handleClickOutside);
+  });
+
+  onCleanup(() =>
+    document.removeEventListener("mousedown", handleClickOutside),
+  );
+  const currentMachine = () => props.intersect.at(0) || null;
+
+  return (
+    <ul
+      ref={(el) => (ref = el)}
+      style={{
+        position: "absolute",
+        top: `${props.y}px`,
+        left: `${props.x}px`,
+        "z-index": 1000,
+        "pointer-events": "auto",
+      }}
+      class={styles.list}
+      onContextMenu={(e) => {
+        // Prevent default context menu
+        e.preventDefault();
+        e.stopPropagation();
+      }}
+    >
+      <li
+        class={styles.item}
+        aria-disabled={!currentMachine()}
+        onClick={() => {
+          console.log("Move clicked", currentMachine());
+          props.onSelect("move");
+          props.close();
+        }}
+      >
+        <Typography
+          hierarchy="label"
+          size="s"
+          weight="bold"
+          color={currentMachine() ? "primary" : "quaternary"}
+        >
+          Move
+        </Typography>
+      </li>
+    </ul>
+  );
+};

pkgs/clan-app/ui/src/components/Form/Fieldset.css

@@ -1,4 +1,4 @@
-fieldset {
+.fieldset {
   @apply flex flex-col w-full;
 
   legend {

pkgs/clan-app/ui/src/components/Form/Fieldset.tsx

@@ -35,10 +35,10 @@ export const Fieldset = (props: FieldsetProps) => {
       : props.children;
 
   return (
-    <fieldset
+    <div
       role="group"
-      class={cx({ inverted: props.inverted })}
-      disabled={props.disabled || false}
+      class={cx("fieldset", { inverted: props.inverted })}
+      aria-disabled={props.disabled || undefined}
     >
       {props.legend && (
         <legend>
@@ -69,6 +69,6 @@ export const Fieldset = (props: FieldsetProps) => {
           </Typography>
         </div>
       )}
-    </fieldset>
+    </div>
   );
 };

pkgs/clan-app/ui/src/components/Form/MachineTags.css

@@ -1,221 +0,0 @@
-div.form-field.machine-tags {
-  div.control {
-    @apply flex flex-col size-full gap-2;
-
-    div.selected-options {
-      @apply flex flex-wrap gap-2 size-full min-h-5;
-    }
-
-    div.input-container {
-      @apply relative left-0 top-0;
-      @apply inline-flex justify-between w-full;
-
-      input {
-        @apply w-full px-2 py-1.5 rounded-sm;
-        @apply outline outline-1 outline-def-acc-1 bg-def-1 fg-def-1;
-
-        font-size: 0.875rem;
-        font-weight: 500;
-        font-family: "Archivo", sans-serif;
-        line-height: 1;
-
-        &::placeholder {
-          @apply fg-def-4;
-        }
-
-        &:hover {
-          @apply bg-def-acc-1 outline-def-acc-2;
-        }
-
-        &:not(:read-only):focus-visible {
-          @apply bg-def-1 outline-def-acc-3;
-
-          box-shadow:
-            0 0 0 0.125rem theme(colors.bg.def.1),
-            0 0 0 0.1875rem theme(colors.border.semantic.info.1);
-        }
-
-        &[data-invalid] {
-          @apply outline-semantic-error-4;
-        }
-
-        &[data-disabled] {
-          @apply outline-def-2 fg-def-4 cursor-not-allowed;
-        }
-
-        &[data-readonly] {
-          @apply outline-none border-none bg-inherit;
-          @apply p-0 resize-none;
-        }
-      }
-
-      & > button.trigger {
-        @apply flex items-center justify-center w-8;
-        @apply absolute right-2 top-1 h-5 w-6 bg-def-2 rounded-sm;
-
-        &[data-disabled] {
-          @apply cursor-not-allowed;
-        }
-
-        & > span.icon {
-          @apply h-full w-full py-0.5 px-1;
-        }
-      }
-    }
-  }
-
-  &.horizontal {
-    @apply flex-row gap-2 justify-between;
-
-    div.control {
-      @apply w-1/2 grow;
-    }
-  }
-
-  &.s {
-    div.control > div.input-container {
-      & > input {
-        @apply px-1.5 py-1;
-        font-size: 0.75rem;
-
-        &[data-readonly] {
-          @apply p-0;
-        }
-      }
-
-      & > button.trigger {
-        @apply top-[0.1875rem] h-4 w-5;
-      }
-    }
-  }
-
-  &.inverted {
-    div.control > div.input-container {
-      & > button.trigger {
-        @apply bg-inv-2;
-      }
-
-      & > input {
-        @apply bg-inv-1 fg-inv-1 outline-inv-acc-1;
-
-        &::placeholder {
-          @apply fg-inv-4;
-        }
-
-        &:hover {
-          @apply bg-inv-acc-2 outline-inv-acc-2;
-        }
-
-        &:not(:read-only):focus-visible {
-          @apply bg-inv-acc-4;
-          box-shadow:
-            0 0 0 0.125rem theme(colors.bg.inv.1),
-            0 0 0 0.1875rem theme(colors.border.semantic.info.1);
-        }
-
-        &[data-invalid] {
-          @apply outline-semantic-error-4;
-        }
-
-        &[data-readonly] {
-          @apply outline-none border-none bg-inherit cursor-auto;
-        }
-      }
-    }
-  }
-
-  &.ghost {
-    div.control > div.input-container {
-      & > input {
-        @apply outline-none;
-
-        &:hover {
-          @apply outline-none;
-        }
-      }
-    }
-  }
-}
-
-div.machine-tags-content {
-  @apply rounded-sm bg-def-1 border border-def-2 z-10;
-
-  transform-origin: var(--kb-combobox-content-transform-origin);
-  animation: machineTagsContentHide 250ms ease-in forwards;
-
-  &[data-expanded] {
-    animation: machineTagsContentShow 250ms ease-out;
-  }
-
-  & > ul.listbox {
-    overflow-y: auto;
-    max-height: 360px;
-
-    @apply px-2 py-3;
-
-    &:focus {
-      outline: none;
-    }
-
-    li.item {
-      @apply flex items-center justify-between;
-      @apply relative px-2 py-1;
-      @apply select-none outline-none rounded-[0.25rem];
-
-      color: hsl(240 4% 16%);
-      height: 32px;
-
-      &[data-disabled] {
-        color: hsl(240 5% 65%);
-        opacity: 0.5;
-        pointer-events: none;
-      }
-
-      &[data-highlighted] {
-        @apply outline-none bg-def-4;
-      }
-    }
-
-    .item-indicator {
-      height: 20px;
-      width: 20px;
-      display: inline-flex;
-      align-items: center;
-      justify-content: center;
-    }
-  }
-}
-
-div.machine-tags-control {
-  @apply flex flex-col w-full gap-2;
-
-  & > div.selected-options {
-    @apply flex gap-2 flex-wrap w-full;
-  }
-
-  & > div.input-container {
-    @apply w-full flex gap-2;
-  }
-}
-
-@keyframes machineTagsContentShow {
-  from {
-    opacity: 0;
-    transform: translateY(-8px);
-  }
-  to {
-    opacity: 1;
-    transform: translateY(0);
-  }
-}
-
-@keyframes machineTagsContentHide {
-  from {
-    opacity: 1;
-    transform: translateY(0);
-  }
-  to {
-    opacity: 0;
-    transform: translateY(-8px);
-  }
-}

pkgs/clan-app/ui/src/components/Form/MachineTags.module.css

@@ -0,0 +1,207 @@
+.machineTags {
+  &.horizontal {
+    @apply flex-row gap-2 justify-between;
+  }
+}
+
+.control {
+  @apply flex flex-col size-full gap-2;
+
+  &.horizontal {
+    @apply w-1/2 grow;
+  }
+}
+
+.selectedOptions {
+  @apply flex flex-wrap gap-2 size-full min-h-5;
+}
+
+.trigger {
+  @apply w-full relative;
+}
+
+.icon {
+  @apply absolute left-1.5;
+  top: calc(50% - 0.5rem);
+
+  &.iconSmall {
+    @apply left-[0.3125rem] size-[0.75rem];
+    top: calc(50% - 0.3125rem);
+  }
+}
+
+.input {
+  @apply outline outline-1 outline-def-acc-1 bg-def-1 fg-def-1 w-full;
+  @apply px-[1.625rem] py-1.5 rounded-sm;
+
+  font-size: 0.875rem;
+  font-weight: 500;
+  font-family: "Archivo", sans-serif;
+  line-height: 1;
+
+  &::placeholder {
+    @apply fg-def-4;
+  }
+
+  &:hover {
+    @apply bg-def-acc-1 outline-def-acc-2;
+  }
+
+  &:not(:read-only):focus-visible {
+    @apply bg-def-1 outline-def-acc-3;
+
+    box-shadow:
+      0 0 0 0.125rem theme(colors.bg.def.1),
+      0 0 0 0.1875rem theme(colors.border.semantic.info.1);
+  }
+
+  &[data-invalid] {
+    @apply outline-semantic-error-4;
+  }
+
+  &[data-disabled] {
+    @apply outline-def-2 fg-def-4 cursor-not-allowed;
+  }
+
+  &[data-readonly] {
+    @apply outline-none border-none bg-inherit;
+    @apply p-0 resize-none;
+  }
+
+  &.inputSmall {
+    @apply px-[1.25rem] py-1;
+    font-size: 0.8125rem;
+
+    &[data-readonly] {
+      @apply p-0;
+    }
+  }
+
+  &.inputInverted {
+    @apply bg-inv-1 fg-inv-1 outline-inv-acc-1;
+
+    &::placeholder {
+      @apply fg-inv-4;
+    }
+
+    &:hover {
+      @apply bg-inv-acc-2 outline-inv-acc-2;
+    }
+
+    &:not(:read-only):focus-visible {
+      @apply bg-inv-acc-4;
+      box-shadow:
+        0 0 0 0.125rem theme(colors.bg.inv.1),
+        0 0 0 0.1875rem theme(colors.border.semantic.info.1);
+    }
+
+    &[data-invalid] {
+      @apply outline-semantic-error-4;
+    }
+
+    &[data-readonly] {
+      @apply outline-none border-none bg-inherit cursor-auto;
+    }
+  }
+
+  &.inputGhost {
+    @apply outline-none;
+
+    &:hover {
+      @apply outline-none;
+    }
+  }
+}
+
+.comboboxContent {
+  @apply rounded-sm bg-def-1 border border-def-2 z-20;
+
+  transform-origin: var(--kb-combobox-content-transform-origin);
+  animation: machineTagsContentHide 250ms ease-in forwards;
+
+  &[data-expanded] {
+    animation: machineTagsContentShow 250ms ease-out;
+  }
+
+  .listbox {
+    overflow-y: auto;
+    max-height: 360px;
+
+    @apply px-2 py-3;
+
+    &:focus {
+      outline: none;
+    }
+
+    .listboxItem {
+      @apply flex items-center justify-between;
+      @apply relative px-2 py-1;
+      @apply select-none outline-none rounded-[0.25rem];
+
+      color: hsl(240 4% 16%);
+      height: 32px;
+
+      &[data-disabled] {
+        color: hsl(240 5% 65%);
+        opacity: 0.5;
+        pointer-events: none;
+      }
+
+      &[data-highlighted] {
+        @apply outline-none bg-def-4;
+      }
+
+      &.listboxItemInverted {
+        &[data-highlighted] {
+          @apply bg-inv-4;
+        }
+      }
+    }
+
+    .itemIndicator {
+      height: 20px;
+      width: 20px;
+      display: inline-flex;
+      align-items: center;
+      justify-content: center;
+    }
+  }
+
+  &.comboboxContentInverted {
+    @apply bg-inv-1 border-inv-2;
+  }
+}
+
+.machineTagsControl {
+  @apply flex flex-col w-full gap-2;
+
+  /*& > div.selected-options {*/
+  /*    @apply flex gap-2 flex-wrap w-full;*/
+  /*}*/
+
+  & > div.input-container {
+    @apply w-full flex gap-2;
+  }
+}
+
+@keyframes machineTagsContentShow {
+  from {
+    opacity: 0;
+    transform: translateY(-8px);
+  }
+  to {
+    opacity: 1;
+    transform: translateY(0);
+  }
+}
+
+@keyframes machineTagsContentHide {
+  from {
+    opacity: 1;
+    transform: translateY(0);
+  }
+  to {
+    opacity: 0;
+    transform: translateY(-8px);
+  }
+}

pkgs/clan-app/ui/src/components/Form/MachineTags.stories.tsx

@@ -0,0 +1,50 @@
+import type { Meta, StoryObj } from "@kachurun/storybook-solid";
+import { MachineTags, MachineTagsProps } from "./MachineTags";
+import { createForm, setValue } from "@modular-forms/solid";
+import { Button } from "../Button/Button";
+
+const meta = {
+  title: "Components/MachineTags",
+  component: MachineTags,
+} satisfies Meta<MachineTagsProps>;
+
+export default meta;
+
+export type Story = StoryObj<typeof meta>;
+
+export const Default: Story = {
+  render: () => {
+    const [formStore, { Field, Form }] = createForm<{ tags: string[] }>({
+      initialValues: { tags: ["nixos"] },
+    });
+    const handleSubmit = (values: { tags: string[] }) => {
+      console.log("submitting", values);
+    };
+
+    const readonly = ["nixos"];
+    const options = ["foo"];
+
+    return (
+      <Form onSubmit={handleSubmit}>
+        <Field name="tags" type="string[]">
+          {(field, props) => (
+            <MachineTags
+              onChange={(newVal) => {
+                // Workaround for now, until we manage to use native events
+                setValue(formStore, field.name, newVal);
+              }}
+              name="Tags"
+              defaultOptions={options}
+              readonlyOptions={readonly}
+              readOnly={false}
+              defaultValue={field.value}
+            />
+          )}
+        </Field>
+        <Button type="submit" hierarchy="primary">
+          Submit
+        </Button>
+      </Form>
+    );
+  },
+};

pkgs/clan-app/ui/src/components/Form/MachineTags.tsx

@@ -1,29 +1,35 @@
 import { Combobox } from "@kobalte/core/combobox";
 import { FieldProps } from "./Field";
-import { ComponentProps, createSignal, For, Show, splitProps } from "solid-js";
+import {
+  createEffect,
+  on,
+  createSignal,
+  For,
+  Show,
+  splitProps,
+} from "solid-js";
 import Icon from "../Icon/Icon";
 import cx from "classnames";
 import { Typography } from "@/src/components/Typography/Typography";
 import { Tag } from "@/src/components/Tag/Tag";
 
-import "./MachineTags.css";
 import { Label } from "@/src/components/Form/Label";
 import { Orienter } from "@/src/components/Form/Orienter";
 import { CollectionNode } from "@kobalte/core";
+import styles from "./MachineTags.module.css";
 
 export interface MachineTag {
   value: string;
   disabled?: boolean;
-  new?: boolean;
 }
 
 export type MachineTagsProps = FieldProps & {
   name: string;
-  input: ComponentProps<"select">;
+  onChange: (values: string[]) => void;
+  defaultValue?: string[];
   readOnly?: boolean;
   disabled?: boolean;
   required?: boolean;
-  defaultValue?: string[];
   defaultOptions?: string[];
   readonlyOptions?: string[];
 };
@@ -44,26 +50,12 @@ const sortedOptions = (options: MachineTag[]) =>
 const sortedAndUniqueOptions = (options: MachineTag[]) =>
   sortedOptions(uniqueOptions(options));
 
-// customises how each option is displayed in the dropdown
-const ItemComponent = (props: { item: CollectionNode<MachineTag> }) => {
-  return (
-    <Combobox.Item item={props.item} class="item">
-      <Combobox.ItemLabel>
-        <Typography hierarchy="body" size="xs" weight="bold">
-          {props.item.textValue}
-        </Typography>
-      </Combobox.ItemLabel>
-      <Combobox.ItemIndicator class="item-indicator">
-        <Icon icon="Checkmark" />
-      </Combobox.ItemIndicator>
-    </Combobox.Item>
-  );
-};
-
 export const MachineTags = (props: MachineTagsProps) => {
-  // convert default value string[] into MachineTag[]
+  const [local, rest] = splitProps(props, ["defaultValue"]);
+
+  // // convert default value string[] into MachineTag[]
   const defaultValue = sortedAndUniqueOptions(
-    (props.defaultValue || []).map((value) => ({ value })),
+    (local.defaultValue || []).map((value) => ({ value })),
   );
 
   // convert default options string[] into MachineTag[]
@@ -77,6 +69,51 @@ export const MachineTags = (props: MachineTagsProps) => {
     ]),
   );
 
+  const [selectedOptions, setSelectedOptions] =
+    createSignal<MachineTag[]>(defaultValue);
+
+  const handleToggle = (item: CollectionNode<MachineTag>) => () => {
+    setSelectedOptions((current) => {
+      const exists = current.find(
+        (option) => option.value === item.rawValue.value,
+      );
+      if (exists) {
+        return current.filter((option) => option.value !== item.rawValue.value);
+      }
+      return [...current, item.rawValue];
+    });
+  };
+
+  // customises how each option is displayed in the dropdown
+  const ItemComponent =
+    (inverted: boolean) => (props: { item: CollectionNode<MachineTag> }) => {
+      return (
+        <Combobox.Item
+          item={props.item}
+          class={cx(styles.listboxItem, {
+            [styles.listboxItemInverted]: inverted,
+          })}
+          onClick={handleToggle(props.item)}
+        >
+          <Combobox.ItemLabel>
+            <Typography
+              hierarchy="body"
+              size="xs"
+              weight="bold"
+              inverted={inverted}
+            >
+              {props.item.textValue}
+            </Typography>
+          </Combobox.ItemLabel>
+          <Combobox.ItemIndicator class={styles.itemIndicator}>
+            <Icon icon="Checkmark" inverted={inverted} />
+          </Combobox.ItemIndicator>
+        </Combobox.Item>
+      );
+    };
+
+  let selectRef: HTMLSelectElement;
+
   const onKeyDown = (event: KeyboardEvent) => {
     // react when enter is pressed inside of the text input
     if (event.key === "Enter") {
@@ -85,22 +122,49 @@ export const MachineTags = (props: MachineTagsProps) => {
 
       // get the current input value, exiting early if it's empty
       const input = event.currentTarget as HTMLInputElement;
-      if (input.value === "") return;
+      const trimmed = input.value.trim();
+      if (!trimmed) return;
 
-      setAvailableOptions((options) => {
-        return options.map((option) => {
-          return {
-            ...option,
-            new: undefined,
-          };
-        });
+      setAvailableOptions((curr) => {
+        if (curr.find((option) => option.value === trimmed)) {
+          return curr;
+        }
+        return [
+          ...curr,
+          {
+            value: trimmed,
+          },
+        ];
+      });
+      setSelectedOptions((curr) => {
+        if (curr.find((option) => option.value === trimmed)) {
+          return curr;
+        }
+        return [
+          ...curr,
+          {
+            value: trimmed,
+          },
+        ];
       });
 
-      // reset the input value
+      selectRef.dispatchEvent(
+        new Event("input", { bubbles: true, cancelable: true }),
+      );
+      selectRef.dispatchEvent(
+        new Event("change", { bubbles: true, cancelable: true }),
+      );
       input.value = "";
     }
   };
 
+  // Notify when selected options change
+  createEffect(
+    on(selectedOptions, (options) => {
+      props.onChange(options.map((o) => o.value));
+    }),
+  );
+
   const align = () => {
     if (props.readOnly) {
       return "center";
@@ -112,41 +176,19 @@ export const MachineTags = (props: MachineTagsProps) => {
   return (
     <Combobox<MachineTag>
       multiple
-      class={cx("form-field", "machine-tags", props.size, props.orientation, {
-        inverted: props.inverted,
-        ghost: props.ghost,
-      })}
+      class={cx("form-field", styles.machineTags, props.orientation)}
       {...splitProps(props, ["defaultValue"])[1]}
       defaultValue={defaultValue}
+      value={selectedOptions()}
       options={availableOptions()}
       optionValue="value"
       optionTextValue="value"
       optionLabel="value"
       optionDisabled="disabled"
-      itemComponent={ItemComponent}
-      placeholder="Enter a tag name"
-      // triggerMode="focus"
-      removeOnBackspace={false}
-      defaultFilter={() => true}
-      onInput={(event) => {
-        const input = event.target as HTMLInputElement;
-
-        // as the user types in the input box, we maintain a "new" option
-        // in the list of available options
-        setAvailableOptions((options) => {
-          return [
-            // remove the old "new" entry
-            ...options.filter((option) => !option.new),
-            // add the updated "new" entry
-            { value: input.value, new: true },
-          ];
-        });
-      }}
-      onBlur={() => {
-        // clear the in-progress "new" option from the list of available options
-        setAvailableOptions((options) => {
-          return options.filter((option) => !option.new);
-        });
+      itemComponent={ItemComponent(props.inverted || false)}
+      placeholder="Start typing a name and press enter"
+      onChange={() => {
+        // noop, we handle this via the selectedOptions signal
       }}
     >
       <Orienter orientation={props.orientation} align={align()}>
@@ -156,11 +198,18 @@ export const MachineTags = (props: MachineTagsProps) => {
           {...props}
         />
 
-        <Combobox.HiddenSelect {...props.input} multiple />
+        <Combobox.HiddenSelect
+          multiple
+          ref={(el) => {
+            selectRef = el;
+          }}
+        />
 
-        <Combobox.Control<MachineTag> class="control">
+        <Combobox.Control<MachineTag>
+          class={cx(styles.control, props.orientation)}
+        >
           {(state) => (
-            <div class="selected-options">
+            <div class={styles.selectedOptions}>
               <For each={state.selectedOptions()}>
                 {(option) => (
                   <Tag
@@ -177,7 +226,13 @@ export const MachineTags = (props: MachineTagsProps) => {
                           icon={"Close"}
                           size="0.5rem"
                           inverted={inverted}
-                          onClick={() => state.remove(option)}
+                          onClick={() =>
+                            setSelectedOptions((curr) => {
+                              return curr.filter(
+                                (o) => o.value !== option.value,
+                              );
+                            })
+                          }
                         />
                       )
                     }
@@ -187,27 +242,36 @@ export const MachineTags = (props: MachineTagsProps) => {
                 )}
               </For>
               <Show when={!props.readOnly}>
-                <div class="input-container">
-                  <Combobox.Input onKeyDown={onKeyDown} />
-                  <Combobox.Trigger class="trigger">
-                    <Combobox.Icon class="icon">
-                      <Icon
-                        icon="Expand"
-                        inverted={!props.inverted}
-                        size="100%"
-                      />
-                    </Combobox.Icon>
-                  </Combobox.Trigger>
-                </div>
+                <Combobox.Trigger class={styles.trigger}>
+                  <Icon
+                    icon="Tag"
+                    color="secondary"
+                    inverted={props.inverted}
+                    class={cx(styles.icon, {
+                      [styles.iconSmall]: props.size == "s",
+                    })}
+                  />
+                  <Combobox.Input
+                    onKeyDown={onKeyDown}
+                    class={cx(styles.input, {
+                      [styles.inputSmall]: props.size == "s",
+                      [styles.inputGhost]: props.ghost,
+                      [styles.inputInverted]: props.inverted,
+                    })}
+                  />
+                </Combobox.Trigger>
               </Show>
             </div>
           )}
         </Combobox.Control>
       </Orienter>
-
       <Combobox.Portal>
-        <Combobox.Content class="machine-tags-content">
-          <Combobox.Listbox class="listbox" />
+        <Combobox.Content
+          class={cx(styles.comboboxContent, {
+            [styles.comboboxContentInverted]: props.inverted,
+          })}
+        >
+          <Combobox.Listbox class={styles.listbox} />
         </Combobox.Content>
       </Combobox.Portal>
     </Combobox>

pkgs/clan-app/ui/src/components/Form/TextInput.css

@@ -76,6 +76,19 @@ div.form-field {
       @apply absolute left-2 top-1/2 transform -translate-y-1/2;
       @apply w-[0.875rem] h-[0.875rem] pointer-events-none;
     }
+
+    & > .start-component {
+      @apply absolute left-2 top-1/2 transform -translate-y-1/2;
+    }
+
+    & > .end-component {
+      @apply absolute right-2 top-1/2 transform -translate-y-1/2;
+    }
+
+    & > .start-component,
+    & > .end-component {
+      @apply size-fit;
+    }
   }
 
   &.s {
@@ -101,7 +114,7 @@ div.form-field {
       }
 
       & > .icon {
-        @apply w-[0.6875rem] h-[0.6875rem] transform -translate-y-1/2;
+        @apply w-[0.6875rem] h-[0.6875rem];
       }
     }
   }

pkgs/clan-app/ui/src/components/Form/TextInput.stories.tsx

@@ -1,6 +1,8 @@
 import type { Meta, StoryContext, StoryObj } from "@kachurun/storybook-solid";
 import cx from "classnames";
 import { TextInput, TextInputProps } from "@/src/components/Form/TextInput";
+import Icon from "../Icon/Icon";
+import { Button } from "@kobalte/core/button";
 
 const Examples = (props: TextInputProps) => (
   <div class="flex flex-col gap-8">
@@ -83,16 +85,38 @@ export const Tooltip: Story = {
   },
 };
 
-export const Icon: Story = {
+export const WithIcon: Story = {
   args: {
     ...Tooltip.args,
-    icon: "Checkmark",
+    startComponent: () => <Icon icon="EyeClose" color="quaternary" inverted />,
+  },
+};
+
+export const WithStartComponent: Story = {
+  args: {
+    ...Tooltip.args,
+    startComponent: (props: { inverted?: boolean }) => (
+      <Button>
+        <Icon icon="EyeClose" color="quaternary" {...props} />
+      </Button>
+    ),
+  },
+};
+
+export const WithEndComponent: Story = {
+  args: {
+    ...Tooltip.args,
+    endComponent: (props: { inverted?: boolean }) => (
+      <Button>
+        <Icon icon="EyeOpen" color="quaternary" {...props} />
+      </Button>
+    ),
   },
 };
 
 export const Ghost: Story = {
   args: {
-    ...Icon.args,
+    ...WithIcon.args,
     ghost: true,
   },
 };
@@ -106,14 +130,14 @@ export const Invalid: Story = {
 
 export const Disabled: Story = {
   args: {
-    ...Icon.args,
+    ...WithIcon.args,
     disabled: true,
   },
 };
 
 export const ReadOnly: Story = {
   args: {
-    ...Icon.args,
+    ...WithIcon.args,
     readOnly: true,
     defaultValue: "14/05/02",
   },

pkgs/clan-app/ui/src/components/Form/TextInput.tsx

@@ -11,12 +11,20 @@ import "./TextInput.css";
 import { PolymorphicProps } from "@kobalte/core/polymorphic";
 import { FieldProps } from "./Field";
 import { Orienter } from "./Orienter";
-import { splitProps } from "solid-js";
+import {
+  Component,
+  createEffect,
+  createSignal,
+  onMount,
+  splitProps,
+} from "solid-js";
 
 export type TextInputProps = FieldProps &
   TextFieldRootProps & {
     icon?: IconVariant;
     input?: PolymorphicProps<"input", TextFieldInputProps<"input">>;
+    startComponent?: Component<Pick<FieldProps, "inverted">>;
+    endComponent?: Component<Pick<FieldProps, "inverted">>;
   };
 
 export const TextInput = (props: TextInputProps) => {
@@ -28,6 +36,39 @@ export const TextInput = (props: TextInputProps) => {
     "ghost",
   ]);
 
+  let inputRef: HTMLInputElement | undefined;
+  let startComponentRef: HTMLDivElement | undefined;
+  let endComponentRef: HTMLDivElement | undefined;
+
+  const [startComponentSize, setStartComponentSize] = createSignal({
+    width: 0,
+    height: 0,
+  });
+  const [endComponentSize, setEndComponentSize] = createSignal({
+    width: 0,
+    height: 0,
+  });
+
+  onMount(() => {
+    if (startComponentRef) {
+      const rect = startComponentRef.getBoundingClientRect();
+      setStartComponentSize({ width: rect.width, height: rect.height });
+    }
+    if (endComponentRef) {
+      const rect = endComponentRef.getBoundingClientRect();
+      setEndComponentSize({ width: rect.width, height: rect.height });
+    }
+  });
+
+  createEffect(() => {
+    if (inputRef) {
+      const padding = props.size == "s" ? 6 : 8;
+
+      inputRef.style.paddingLeft = `${startComponentSize().width + padding * 2}px`;
+      inputRef.style.paddingRight = `${endComponentSize().width + padding * 2}px`;
+    }
+  });
+
   return (
     <TextField
       class={cx(
@@ -50,6 +91,11 @@ export const TextInput = (props: TextInputProps) => {
           {...props}
         />
         <div class="input-container">
+          {props.startComponent && !props.readOnly && (
+            <div ref={startComponentRef} class="start-component">
+              {props.startComponent({ inverted: props.inverted })}
+            </div>
+          )}
           {props.icon && !props.readOnly && (
             <Icon
               icon={props.icon}
@@ -58,9 +104,17 @@ export const TextInput = (props: TextInputProps) => {
             />
           )}
           <TextField.Input
+            ref={inputRef}
             {...props.input}
-            classList={{ "has-icon": props.icon && !props.readOnly }}
+            class={cx({
+              "has-icon": props.icon && !props.readOnly,
+            })}
           />
+          {props.endComponent && !props.readOnly && (
+            <div ref={endComponentRef} class="end-component">
+              {props.endComponent({ inverted: props.inverted })}
+            </div>
+          )}
         </div>
       </Orienter>
     </TextField>