Update nixpkgs-dev in devFlake/private

Reviewed-on: https://git.clan.lol/clan/clan-core/pulls/4338

.gitea/workflows/create-pr.sh

@@ -0,0 +1,75 @@
+#!/usr/bin/env bash
+# Shared script for creating pull requests in Gitea workflows
+set -euo pipefail
+
+# Required environment variables:
+# - CI_BOT_TOKEN: Gitea bot token for authentication
+# - PR_BRANCH: Branch name for the pull request
+# - PR_TITLE: Title of the pull request
+# - PR_BODY: Body/description of the pull request
+
+if [[ -z "${CI_BOT_TOKEN:-}" ]]; then
+  echo "Error: CI_BOT_TOKEN is not set" >&2
+  exit 1
+fi
+
+if [[ -z "${PR_BRANCH:-}" ]]; then
+  echo "Error: PR_BRANCH is not set" >&2
+  exit 1
+fi
+
+if [[ -z "${PR_TITLE:-}" ]]; then
+  echo "Error: PR_TITLE is not set" >&2
+  exit 1
+fi
+
+if [[ -z "${PR_BODY:-}" ]]; then
+  echo "Error: PR_BODY is not set" >&2
+  exit 1
+fi
+
+# Push the branch
+git push origin "+HEAD:${PR_BRANCH}"
+
+# Create pull request
+resp=$(nix run --inputs-from . nixpkgs#curl -- -X POST \
+  -H "Authorization: token $CI_BOT_TOKEN" \
+  -H "Content-Type: application/json" \
+  -d "{
+    \"head\": \"${PR_BRANCH}\",
+    \"base\": \"main\",
+    \"title\": \"${PR_TITLE}\",
+    \"body\": \"${PR_BODY}\"
+  }" \
+  "https://git.clan.lol/api/v1/repos/clan/clan-core/pulls")
+
+pr_number=$(echo "$resp" | jq -r '.number')
+
+if [[ "$pr_number" == "null" ]]; then
+  echo "Error creating pull request:" >&2
+  echo "$resp" | jq . >&2
+  exit 1
+fi
+
+echo "Created pull request #$pr_number"
+
+# Merge when checks succeed
+while true; do
+  resp=$(nix run --inputs-from . nixpkgs#curl -- -X POST \
+    -H "Authorization: token $CI_BOT_TOKEN" \
+    -H "Content-Type: application/json" \
+    -d '{
+      "Do": "merge",
+      "merge_when_checks_succeed": true,
+      "delete_branch_after_merge": true
+    }' \
+    "https://git.clan.lol/api/v1/repos/clan/clan-core/pulls/$pr_number/merge")
+  msg=$(echo "$resp" | jq -r '.message')
+  if [[ "$msg" != "Please try again later" ]]; then
+    break
+  fi
+  echo "Retrying in 2 seconds..."
+  sleep 2
+done
+
+echo "Pull request #$pr_number merge initiated"

.gitea/workflows/update-clan-core-for-checks.yml

@@ -19,35 +19,10 @@ jobs:
         run: |
           export GIT_AUTHOR_NAME=clan-bot GIT_AUTHOR_EMAIL=clan-bot@clan.lol GIT_COMMITTER_NAME=clan-bot GIT_COMMITTER_EMAIL=clan-bot@clan.lol
           git commit -am "Update pinned clan-core for checks"
-          git push origin +HEAD:update-clan-core-for-checks
-          set -x
-          resp=$(nix run --inputs-from . nixpkgs#curl -- -X POST \
-            -H "Authorization: token $CI_BOT_TOKEN" \
-            -H "Content-Type: application/json" \
-            -d '{
-              "head": "update-clan-core-for-checks",
-              "base": "main",
-              "title": "Update Clan Core for Checks",
-              "body": "This PR updates the pinned clan-core flake input that is used for checks."
-            }' \
-           "https://git.clan.lol/api/v1/repos/clan/clan-core/pulls")
-          pr_number=$(echo "$resp" | jq -r '.number')
 
-          # Merge when succeed
-          while true; do
-            resp=$(nix run --inputs-from . nixpkgs#curl -- -X POST \
-              -H "Authorization: token $CI_BOT_TOKEN" \
-              -H "Content-Type: application/json" \
-              -d '{
-                "Do": "merge",
-                "merge_when_checks_succeed": true,
-                "delete_branch_after_merge": true
-              }' \
-              "https://git.clan.lol/api/v1/repos/clan/clan-core/pulls/$pr_number/merge")
-            msg=$(echo $resp | jq -r '.message')
-            if [[ "$msg" != "Please try again later" ]]; then
-              break
-            fi
-            echo "Retrying in 2 seconds..."
-            sleep 2
-          done
+          # Use shared PR creation script
+          export PR_BRANCH="update-clan-core-for-checks"
+          export PR_TITLE="Update Clan Core for Checks"
+          export PR_BODY="This PR updates the pinned clan-core flake input that is used for checks."
+
+          ./.gitea/workflows/create-pr.sh

.gitea/workflows/update-flake-inputs.yml

@@ -0,0 +1,27 @@
+name: Update Flake Inputs
+
+on:
+  schedule:
+    # Run weekly on Sunday at 4:00 AM UTC
+    - cron: "0 4 * * 0"
+  workflow_dispatch:
+  repository_dispatch:
+
+jobs:
+  update-flake-inputs:
+    runs-on: nix
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Configure git
+        run: |
+          git config --global user.email "clan-bot@clan.lol"
+          git config --global user.name "clan-bot"
+
+      - name: Update flake inputs
+        uses: Mic92/update-flake-inputs-gitea@main
+        env:
+          # Exclude private flakes and update-clan-core checks flake
+          EXCLUDE_PATTERNS: "devFlake/private/flake.nix,checks/impure/flake.nix"

.gitea/workflows/update-private-flake-inputs.yml

@@ -0,0 +1,40 @@
+name: "Update private flake inputs"
+on:
+  repository_dispatch:
+  workflow_dispatch:
+  schedule:
+    - cron: "0 3 * * *" # Run daily at 3 AM
+jobs:
+  update-private-flake:
+    runs-on: nix
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          submodules: true
+      - name: Update private flake inputs
+        run: |
+          # Update the private flake lock file
+          cd devFlake/private
+          nix flake update
+          cd ../..
+
+          # Update the narHash
+          bash ./devFlake/update-private-narhash
+      - name: Create pull request
+        env:
+          CI_BOT_TOKEN: ${{ secrets.CI_BOT_TOKEN }}
+        run: |
+          export GIT_AUTHOR_NAME=clan-bot GIT_AUTHOR_EMAIL=clan-bot@clan.lol GIT_COMMITTER_NAME=clan-bot GIT_COMMITTER_EMAIL=clan-bot@clan.lol
+
+          # Check if there are any changes
+          if ! git diff --quiet; then
+            git add devFlake/private/flake.lock devFlake/private.narHash
+            git commit -m "Update dev flake"
+            
+            # Use shared PR creation script
+            export PR_BRANCH="update-dev-flake"
+            export PR_TITLE="Update dev flake"
+            export PR_BODY="This PR updates the dev flake inputs and corresponding narHash."
+          else
+            echo "No changes detected in dev flake inputs"
+          fi

checks/backups/flake-module.nix

@@ -19,11 +19,11 @@
         ...
       }:
       let
-        dependencies = [
-          self
-          pkgs.stdenv.drvPath
-          self.clanInternals.machines.${pkgs.hostPlatform.system}.test-backup.config.system.clan.deployment.file
-        ] ++ builtins.map (i: i.outPath) (builtins.attrValues self.inputs);
+        dependencies =
+          [
+            pkgs.stdenv.drvPath
+          ]
+          ++ builtins.map (i: i.outPath) (builtins.attrValues (builtins.removeAttrs self.inputs [ "self" ]));
         closureInfo = pkgs.closureInfo { rootPaths = dependencies; };
       in
       {
@@ -151,8 +151,8 @@
     in
     {
       checks = pkgs.lib.mkIf pkgs.stdenv.isLinux {
-        backups = self.clanLib.test.containerTest {
-          name = "backups";
+        nixos-test-backups = self.clanLib.test.containerTest {
+          name = "nixos-test-backups";
           nodes.machine = {
             imports =
               [
@@ -162,7 +162,7 @@
               ]
               ++
               # import the inventory generated nixosModules
-              self.clanInternals.inventoryClass.machines.test-backup.machineImports;
+              self.clan.clanInternals.inventoryClass.machines.test-backup.machineImports;
             clan.core.settings.directory = ./.;
           };
 

checks/borgbackup/default.nix

@@ -8,12 +8,12 @@ nixosLib.runTest (
   { ... }:
   {
     imports = [
-      clan-core.modules.nixosVmTest.clanTest
+      clan-core.modules.nixosTest.clanTest
     ];
 
     hostPkgs = pkgs;
 
-    name = "borgbackup";
+    name = "service-borgbackup";
 
     clan = {
       directory = ./.;
@@ -28,6 +28,7 @@ nixosLib.runTest (
           borgone = {
 
             module.name = "@clan/borgbackup";
+            module.input = "self";
 
             roles.client.machines."clientone" = { };
             roles.server.machines."serverone".settings.directory = "/tmp/borg-test";
@@ -46,14 +47,6 @@ nixosLib.runTest (
 
       clientone =
         { config, pkgs, ... }:
-        let
-          dependencies = [
-            clan-core
-            pkgs.stdenv.drvPath
-          ] ++ builtins.map (i: i.outPath) (builtins.attrValues clan-core.inputs);
-          closureInfo = pkgs.closureInfo { rootPaths = dependencies; };
-
-        in
         {
 
           services.openssh.enable = true;
@@ -64,15 +57,6 @@ nixosLib.runTest (
 
           environment.systemPackages = [ clan-core.packages.${pkgs.system}.clan-cli ];
 
-          environment.etc.install-closure.source = "${closureInfo}/store-paths";
-          nix.settings = {
-            substituters = pkgs.lib.mkForce [ ];
-            hashed-mirrors = null;
-            connect-timeout = pkgs.lib.mkForce 3;
-            flake-registry = pkgs.writeText "flake-registry" ''{"flakes":[],"version":2}'';
-          };
-          system.extraDependencies = dependencies;
-
           clan.core.state.test-backups.folders = [ "/var/test-backups" ];
         };
 

checks/clan-core-for-checks.nix

@@ -1,6 +1,6 @@
 { fetchgit }:
 fetchgit {
   url = "https://git.clan.lol/clan/clan-core.git";
-  rev = "28131afbbcd379a8ff04c79c66c670ef655ed889";
-  sha256 = "1294cwjlnc341fl6zbggn4rgq8z33gqkcyggjfvk9cf7zdgygrf6";
+  rev = "eea93ea22c9818da67e148ba586277bab9e73cea";
+  sha256 = "sha256-PV0Z+97QuxQbkYSVuNIJwUNXMbHZG/vhsA9M4cDTCOE=";
 }

checks/data-mesher/default.nix

@@ -1,89 +0,0 @@
-{
-  pkgs,
-  nixosLib,
-  clan-core,
-  lib,
-  ...
-}:
-let
-  machines = [
-    "admin"
-    "peer"
-    "signer"
-  ];
-in
-nixosLib.runTest (
-  { ... }:
-  {
-    imports = [
-      clan-core.modules.nixosVmTest.clanTest
-    ];
-
-    hostPkgs = pkgs;
-    name = "data-mesher";
-
-    clan = {
-      directory = ./.;
-      inventory = {
-        machines = lib.genAttrs machines (_: { });
-        services = {
-          data-mesher.default = {
-            roles.peer.machines = [ "peer" ];
-            roles.admin.machines = [ "admin" ];
-            roles.signer.machines = [ "signer" ];
-          };
-        };
-      };
-    };
-
-    defaults =
-      { config, ... }:
-      {
-        environment.systemPackages = [
-          config.services.data-mesher.package
-        ];
-
-        clan.data-mesher.network.interface = "eth1";
-        clan.data-mesher.bootstrapNodes = [
-          "[2001:db8:1::1]:7946" # peer1
-          "[2001:db8:1::2]:7946" # peer2
-        ];
-
-        # speed up for testing
-        services.data-mesher.settings = {
-          cluster.join_interval = lib.mkForce "2s";
-          cluster.push_pull_interval = lib.mkForce "5s";
-        };
-      };
-
-    nodes = {
-      admin.clan.data-mesher.network.tld = "foo";
-    };
-
-    # TODO Add better test script.
-    testScript = ''
-
-      def resolve(node, success = {}, fail = [], timeout = 60):
-        for hostname, ips in success.items():
-            for ip in ips:
-                node.wait_until_succeeds(f"getent ahosts {hostname} | grep {ip}", timeout)
-
-        for hostname in fail:
-            node.wait_until_fails(f"getent ahosts {hostname}")
-
-      start_all()
-
-      admin.wait_for_unit("data-mesher")
-      signer.wait_for_unit("data-mesher")
-      peer.wait_for_unit("data-mesher")
-
-      # check dns resolution
-      for node in [admin, signer, peer]:
-        resolve(node, {
-            "admin.foo": ["2001:db8:1::1", "192.168.1.1"],
-            "peer.foo": ["2001:db8:1::2", "192.168.1.2"],
-            "signer.foo": ["2001:db8:1::3", "192.168.1.3"]
-        })
-    '';
-  }
-)

checks/data-mesher/sops/machines/admin/key.json

@@ -1,4 +0,0 @@
-{
-  "publickey": "age10zxkj45fah3qa8uyg3a36jsd06d839xfq64nrez9etrsf4km0gtsp45gsz",
-  "type": "age"
-}

checks/data-mesher/sops/machines/peer/key.json

@@ -1,4 +0,0 @@
-{
-  "publickey": "age1faqrml2ukc6unfm75d3v2vnaf62v92rdxaagg3ty3cfna7vt99gqlzs43l",
-  "type": "age"
-}

checks/data-mesher/sops/machines/signer/key.json

@@ -1,4 +0,0 @@
-{
-  "publickey": "age153mke8v2qksyqjc7vta7wglzdqr5epazt83nch0ur5v7kl87cfdsr07qld",
-  "type": "age"
-}

checks/data-mesher/sops/secrets/admin-age.key/secret

@@ -1,20 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:7xyb6WoaN7uRWEO8QRkBw7iytP5hFrA94VRi+sy/UhzqT9AyDPmxB/F8ASFsBbzJUwi0Oqd2E1CeIYRoDhG7JHnDyL2bYonz2RQ=,iv:slh3x774m6oTHAXFwcen1qF+jEchOKCyNsJMbNhqXHE=,tag:wtK8H8PZCESPA1vZCd7Ptw==,type:str]",
-	"sops": {
-		"kms": null,
-		"gcp_kms": null,
-		"azure_kv": null,
-		"hc_vault": null,
-		"age": [
-			{
-				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPTzZ4RTVNb2I1MTBRMEcy\neU1Eek9GakkydEJBVm9kR3AyY1pEYkorNUYwCkh2WHhNQmc1eWI2cCtEUFFWdzJq\nS0FvQWtoOFkzRVBxVzhuczc0aVprbkkKLS0tIFRLdmpnbzY1Uk9LdklEWnQzZHM2\nVEx3dzhMSnMwaWE0V0J6VTZ5ZVFYMjgKdaICa/hprHxhH89XD7ri0vyTT4rM+Si0\niHcQU4x64dgoJa4gKxgr4k9XncjoNEjJhxL7i/ZNZ5deaaLRn5rKMg==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-04-08T13:24:55Z",
-		"mac": "ENC[AES256_GCM,data:TJWDHGSRBfOCW8Q+t3YxG3vlpf9a5u7B27AamnOk95huqIv0htqWV3RuV7NoOZ5v2ijqSe/pLfpwrmtdhO2sUBEvhdhJm8UzLShP7AbH9lxV+icJOsY7VSrp+R5W526V46ONP6p47b7fOQBbp03BMz01G191N68WYOf6k2arGxU=,iv:nEyTBwJ2EA+OAl8Ulo5cvFX6Ow2FwzTWooF/rdkPiXg=,tag:oYcG16zR+Fb5XzVsHhq2Qw==,type:str]",
-		"pgp": null,
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.9.4"
-	}
-}

checks/data-mesher/sops/secrets/peer-age.key/secret

@@ -1,20 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:JOOhvl0clDD/b5YO45CXR3wVopBSNe9dYBG+p5iD+nniN2OgOwBgYPNSCVtc+NemqutD12hFUSfCzXidkv0ijhD1JZeLar9Ygxc=,iv:XctQwSYSvKhDRk/XMacC9uMydZ8e9hnhpoWTgyXiFI0=,tag:foAhBlg4DwpQU2G9DzTo5g==,type:str]",
-	"sops": {
-		"kms": null,
-		"gcp_kms": null,
-		"azure_kv": null,
-		"hc_vault": null,
-		"age": [
-			{
-				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBVWMvWkp5TnZQcGs5Ykhp\nWC91YkoyZERqdXpxQm5JVmRhaUhueEJETDJVCkM4V0hSYldkV1U2Q0d1TGh3eGNR\nVjJ1VFd6ZEN0SXZjSVEvcnV2WW0vbVUKLS0tIFRCNW9nWHdYaUxLSVVUSXM0OGtN\nVFMzRXExNkYxcFE3QWlxVUM3ay9INm8KV6r8ftpwarly3qXoU9y8KxKrUKLvP9KX\nGsP0pORsaM+qPMsdfEo35CqhAeQu0+6DWd7/67+fUMp6Jr0DthtTmg==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-04-08T13:25:28Z",
-		"mac": "ENC[AES256_GCM,data:scY9+/fcXhfHEdrsZJLOM6nfjpRaURgTVbCRepUjhUo24B4ByEsAo2B8psVAaGEHEsFRZuoiByqrGzKhyUASmUs+wn+ziOKBTLzu55fOakp8PWYtQ4miiz2TQffp80gCQRJpykcbUgqIKXNSNutt4tosTBL7osXwCEnEQWd+SaA=,iv:1VXNvLP6DUxZYEr1juOLJmZCGbLp33DlwhxHQV9AMD4=,tag:uFM1R8OmkFS74/zkUG0k8A==,type:str]",
-		"pgp": null,
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.9.4"
-	}
-}

checks/data-mesher/sops/secrets/signer-age.key/secret

@@ -1,20 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:i1YBJdK8XmWnVnZKBpmWggSN8JSOr8pm2Zx+CeE8qqeLZ7xwMO8SYCutM8l94M5vzmmX0CmwzeMZ/JVPbEwFd3ZAImUfh685HOY=,iv:N4rHNaX+WmoPb0EZPqMt+CT1BzaWO9LyoemBxKn+u/s=,tag:PnzSvdGwVnTMK8Do8VzFaQ==,type:str]",
-	"sops": {
-		"kms": null,
-		"gcp_kms": null,
-		"azure_kv": null,
-		"hc_vault": null,
-		"age": [
-			{
-				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4RXlmcVNGTnlkY2ZqZFlH\nVnh0eHhRNE5hRDNDVkt0TEE0bmRNN2JIVkN3CkxnaGM4Y3M3a0xoK2xMRzBLMHRV\nT1FzKzNRMFZOeWc2K3E5K2FzdUsvWmsKLS0tIENtVlFSWElHN3RtOUY2alhxajhs\naXI1MmR4WC9EVGVFK3dHM1gvVnlZMVUKCyLz0DkdbWfSfccShO1xjWfxhunEIbD0\n6imeIBhZHvVJmZLXnVl7B0pNXo6be7WSBMAUM9gUtCNh4zaChBNwGw==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-04-08T13:25:52Z",
-		"mac": "ENC[AES256_GCM,data:WFGysoXN95e/RxL094CoL4iueqEcSqCSQZLahwz9HMLi+8HWZIXr55a+jyK7piqR8nBS4BquU5fKhlC6BvEbZFt69t4onTA+LxS3D7A8/TO0CWS0RymUjW9omJUseRQWwAHtE7l0qI5hdOUKhQ+o5pU+2bc3PUlaONM0aOCCoFo=,iv:l1f4aVqLl5VAMfjNxDbxQEQp/qY/nxzgv2GTuPVBoBA=,tag:4PPDCmDrviqdn42RLHQYbA==,type:str]",
-		"pgp": null,
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.9.4"
-	}
-}

checks/data-mesher/vars/per-machine/admin/data-mesher-host-key/private_key/secret

@@ -1,24 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:w3bU23Pfe8W89lF+tOmEYPU/A4FkY6n7rgQ6yo+eqCJFxTyHydV6Mg4/g4jaL+4wwIqNYRiMR8J8jLhSvw3Bc59u7Ul+RGwdpiKoBBJfsHjO8r6uOz2u9Raa+iUJH1EJWmGvsQXAILpliZ+klS96VWnGN3pYMEI=,iv:7QbUxta6NPQLZrh6AOcNe+0wkrADuTI9VKVp8q+XoZ8=,tag:ZH0t3RylfQk5U23ZHWaw0g==,type:str]",
-	"sops": {
-		"kms": null,
-		"gcp_kms": null,
-		"azure_kv": null,
-		"hc_vault": null,
-		"age": [
-			{
-				"recipient": "age10zxkj45fah3qa8uyg3a36jsd06d839xfq64nrez9etrsf4km0gtsp45gsz",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKaTBoSFJVSTdZeW4wZG9p\nWFR1LzVmYS8xWmRqTlNtWFVkSW9jZXpVejJBCkpqZm12L1dDSmNhekVsK1JBOU9r\nZThScGdDakFlRzNsVXp1eE5yOStFSW8KLS0tIFRrTkZBQlRsR2VNcUJvNEkzS2pw\nNksvM296UkFWTkZDVVp1ZVZMNUs4cWsKWTteB1G9Oo38a81PeqKO09NUQetuqosC\nhrToQ6NMo5O7/StmVG228MHbJS3KLXsvh2AFOEPyZrbpB2Opd2wwoA==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6U2FWRThRNkVQdk9yZ0VE\nM09iSVhmeldMcDZVaFRDNGtjWTdBa0VIT2pJCkdtd04xSXdicDY3OHI1WXl5TndB\nemtQeW1SS2tVVllPUHhLUTRla3haZGMKLS0tIGN0NVNEN3RKeWM0azBBMnBpQU4r\nTFFzQ0lOcGt0ek9UZmZZRjhibTNTc0EKReUwYBVM1NKX0FD/ZeokFAAknwju5Azq\nGzl4UVJBi5Es0GWORdCGElPXMd7jMud1SwgY04AdZj/dzinCSW4CZw==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-04-08T13:25:10Z",
-		"mac": "ENC[AES256_GCM,data:0vl9Gt4QeH+GJcnl8FuWSaqQXC8S6Pe50NmeDg5Nl2NWagz8aLCvOFyTqX/Icp/bTi1XQ5icHHhF3YhM+QAvdUL3aO0WGbh92dPRnFuvlZsdtwCFhT+LyHyYHFf6yP+0h/uFpJv9fE6xY22CezA6ZVQ8ywi1epaC548Gr27uVe4=,iv:G4hZVCLkIpbg9uwB7Y8xtHLdnlmBvFrPjxSoqdyHNvM=,tag:uvKwakhUY2aa7v0tmR/o8A==,type:str]",
-		"pgp": null,
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.9.4"
-	}
-}

checks/data-mesher/vars/per-machine/admin/data-mesher-host-key/public_key/value

@@ -1,3 +0,0 @@
------BEGIN PUBLIC KEY-----
-MCowBQYDK2VwAyEAm204bpSFi4jOjZuXDpIZ/rcJBrbG4zAc7OSA4rAVSYE=
------END PUBLIC KEY-----

checks/data-mesher/vars/per-machine/peer/data-mesher-host-key/private_key/secret

@@ -1,24 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:kERPY40pyvke0mRBnafa4zOaF46rbueRbhpUCXjYP5ORpC7zoOhbdlVBhOsPqE2vfEP4RWkH+ZPdDYXOKXwotBCmlq2i7TfZeoNXFkzWXc3GyM5mndnjCc8hvYEQF1w6xkkVSUt4n06BAw/gT0ppz+vo5dExIA8=,iv:JmYD2o4DGqds6DV7ucUmUD0BRB61exbRsNAtINOR8cQ=,tag:Z58gVnHD+4s21Z84IRw+Vw==,type:str]",
-	"sops": {
-		"kms": null,
-		"gcp_kms": null,
-		"azure_kv": null,
-		"hc_vault": null,
-		"age": [
-			{
-				"recipient": "age1faqrml2ukc6unfm75d3v2vnaf62v92rdxaagg3ty3cfna7vt99gqlzs43l",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4OFluVThBdUJSTmRVTk94\neFZnLytvcnNSdmQvR3ZkT2UvWFVieFV1SUFNCm9jWHlyZXRwaVdFaG9ocnd4S3FU\ndTZ2dklBbkFVL0hVT0Y2L1o5dnUyNG8KLS0tIGFvYlBJR3l2b3F6OU9uMTFkYjli\nNVFLOWQzOStpU2kzb0xyZUFCMnBmMVUK5Jzssf1XBX25bq0RKlJY8NwtKIytxL/c\nBPPFDZywJiUgw1izsdfGVkRhhSFCQIz+yWIJWzr01NU2jLyFjSfCNw==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzYW92c3Q4SktwSnJ1TkRJ\nZEJyZk96cG8ybkpPQzYzVk0xZGs0eCtISVR3CmhDaWxTem1FMjJKNmZNaTkxN01n\nenUvdFI1UkFmL1lzNlM5N0Ixd0dpc1EKLS0tIHpyS2VHaHRRdUovQVgvRmRHaXh3\naFpSNURjTWkxaW9TOXpKL2IvcUFEbmMKq4Ch7DIL34NetFV+xygTdcpQjjmV8v1n\nlvYcjUO/9c3nVkxNMJYGjuxFLuFc4Gw+AyawCjpsIYXRskYRW4UR1w==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-04-08T13:25:43Z",
-		"mac": "ENC[AES256_GCM,data:YhL2d6i0VpUd15B4ow2BgRpyEm0KEA8NSb7jZcjI58d7d4lAqBMcDQB+8a9e2NZbPk8p1EYl3q4VXbEnuwsJiPZI2kabRusy/IGoHzUTUMFfVaOuUcC0eyINNVSmzJxnCbLCAA1Aj1yXzgRQ0MWr7r0RHMKw0D1e0HxdEsuAPrA=,iv:yPlMmE6+NEEQ9uOZzD3lUTBcfUwGX/Ar+bCu0XKnjIg=,tag:eR22BCFVAlRHdggg9oCeaA==,type:str]",
-		"pgp": null,
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.9.4"
-	}
-}

checks/data-mesher/vars/per-machine/peer/data-mesher-host-key/public_key/value

@@ -1,3 +0,0 @@
------BEGIN PUBLIC KEY-----
-MCowBQYDK2VwAyEAv5dICFue2fYO0Zi1IyfYjoNfR6713WpISo7+2bSjL18=
------END PUBLIC KEY-----

checks/data-mesher/vars/per-machine/signer/data-mesher-host-key/private_key/secret

@@ -1,24 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:U8F7clQ2Tuj8zy5EoEga/Mc9N3LLZrlFf5m7UJKrP5yybFRCJSBs05hOcNe+LQZdEAvvr0Qbkry1pQyE84gCVbxHvwkD+l3GbguBuLMsW96bHcmstb6AvZyhMDBpm73Azf4lXhNaiB8p2pDWdxV77E+PPw1MNYI=,iv:hQhN6Ak8tB6cXSCnTmmQqHEpXWpWck3uIVCk5pUqFqU=,tag:uC4ljcs92WPlUOfwSkrK9Q==,type:str]",
-	"sops": {
-		"kms": null,
-		"gcp_kms": null,
-		"azure_kv": null,
-		"hc_vault": null,
-		"age": [
-			{
-				"recipient": "age153mke8v2qksyqjc7vta7wglzdqr5epazt83nch0ur5v7kl87cfdsr07qld",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvV05lejQrdUQvQjZPOG9v\nZ01naXlYZ1JxWHhDT1M1aUs1RWJDSU1acVFFCmdHY094aGRPYWxpdVVxSFVHRU9v\nNnVaeTlpSEdtSWRDMmVMSjdSOEQ4ZlEKLS0tIFo5NVk2bzBxYjZ5ZWpDWTMrQ2VF\nVThWUk0rVXpTY2svSCtiVDhTQ2kvbFkKEM2DBuFtdEj1G/vS1TsyIfQxSFFvPTDq\nCmO7L/J5lHdyfIXzp/FlhdKpjvmchb8gbfJn7IWpKopc7Zimy/JnGQ==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArNzVUaHkzUzVEMlh1Q3Qr\nOEo0aDJIMG91amJiZG50MEhqblRCTWxRRVVRCk4xZlp4SkJuUHc2UnFyU1prczkz\nNGtlQlRlNnBDRFFvUGhReTh6MTBZaXMKLS0tIGxtaXhUMDM0RU4yQytualdzdTFt\nWGRiVG54MnYrR2lqZVZoT0VkbmV5WUUKbzAnOkn8RYOo7z4RISQ0yN875vSEQMDa\nnnttzVrQuK0/iZvzJ0Zq8U9+JJJKvFB1tHqye6CN0zMbv55CLLnA0g==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-04-08T13:26:07Z",
-		"mac": "ENC[AES256_GCM,data:uMss4+BiVupFqX7nHnMo+0yZ8RPuFD8VHYK2EtJSqzgurQrZVT4tJwY50mz2gVmwbrm49QYKk5S+H29DU0cM0HiEOgB5P5ObpXTRJPagWQ48CEFrDpBzLplobxulwnN6jJ1dpL3JF3jfrzrnSDFXMvx+n5x/86/AYXYRsi/UeyY=,iv:mPT1svKrNGmYpbL9hh2Bxxakml69q+U6gQ0ZnEcbEyg=,tag:zcZx1lTw/bEsX/1g+6T04g==,type:str]",
-		"pgp": null,
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.9.4"
-	}
-}

checks/data-mesher/vars/per-machine/signer/data-mesher-host-key/public_key/value

@@ -1,3 +0,0 @@
------BEGIN PUBLIC KEY-----
-MCowBQYDK2VwAyEAeUkW5UIwA1svbNY71ePyJKX68UhxrqIUGQ2jd06w5WM=
------END PUBLIC KEY-----

checks/data-mesher/vars/shared/data-mesher-network-key/private_key/secret

@@ -1,32 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:nRlCMF58cnkdUAE2aVHEG1+vAckKtVt48Jr21Bklfbsqe1yTiHPFAMLL1ywgWWWd7FjI/Z8WID9sWzh9J8Vmotw4aJWU/rIQSeF8cJHALvfOxarJIIyb7purAiPoPPs6ggGmSmVFGB1aw8kH1JMcppQN8OItdQM=,iv:qTwaL2mgw6g7heN/H5qcjei3oY+h46PdSe3v2hDlkTs=,tag:jYNULrOPl9mcQTTrx1SDeA==,type:str]",
-	"sops": {
-		"kms": null,
-		"gcp_kms": null,
-		"azure_kv": null,
-		"hc_vault": null,
-		"age": [
-			{
-				"recipient": "age153mke8v2qksyqjc7vta7wglzdqr5epazt83nch0ur5v7kl87cfdsr07qld",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRcG44cGFBWXk2Z0pmNklv\nTnJ5b0svLytzZmNNRkxCVU1zaDVhNUs2cld3CklsenpWd0g2OEdKKzBMQlNEejRn\nTlEvY01HYjdvVExadnN3aXZIRTZ4YlEKLS0tIGRPUXdNSHZCRDBMbno2MjJqRHBl\nSzdiSURDYitQWFpaSElkdmdicDVjMWsKweQiRqyzXmzabmU2fmgwHtOa9uDmhx9O\ns9NfUhC3ifooQUSeYp58b1ZGJQx5O5bn9q/DaEoit5LTOUprt1pUPA==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiTEdlL29sVWFpSDNNaXRJ\ndTJDRkU4VzFPQ0M4MkFha2IxV2FXN2o3ZEFRCjF3UnZ5U1hTc3VvSTIzcWxOZjl0\ncHlLVEFqRk1UbGdxaUxEeDFqbFVYaU0KLS0tIFFyMnJkZnRHdWg4Z1IyRHFkY0I5\nQjdIMGtGLzRGMFM0ektDZ3hzZDdHSmMKvxOQuKgePom0QfPSvn+4vsGHhJ4BoOvW\nc27Vn4/i4hbjfJr4JpULAwyIwt3F0RaTA2M6EkFkY8otEi3vkcpWvA==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age10zxkj45fah3qa8uyg3a36jsd06d839xfq64nrez9etrsf4km0gtsp45gsz",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5ZzdsaVRnSmsrMGR1Ylg3\nZkpscTdwNUl5NUVXN3kvMU1icE0yZU1WSEJBClB6SlJYZUhDSElRREx5b0VueFUw\nNVFRU3BSU24yWEtpRnJoUC83SDVaUWsKLS0tIGVxNEo3TjlwakpDZlNsSkVCOXlz\nNDgwaE1xNjZkSnJBVlU5YXVHeGxVNFEKsXKyTzq9VsERpXzbFJGv/pbAghFAcXkf\nMmCgQHsfIMBJQUstcO8sAkxv3ced0dAEz8O6NUd0FS2zlhBzt29Rnw==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1faqrml2ukc6unfm75d3v2vnaf62v92rdxaagg3ty3cfna7vt99gqlzs43l",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkK1hDMGxCc1IvYXlJMnBF\nWncxaXBQa1RpTWdwUHc3Yk16My8rVHNJc2dFCkNlK2h0dy9oU3Z5ZGhwRWVLYVUz\ncVBKT2x5VnlhbXNmdHkwbmZzVG5sd0EKLS0tIHJaMzhDanF4Rkl3akN4MEIxOHFC\nYWRUZ08xb1UwOFNRaktkMjIzNXZmNkUK1rlbJ96oUNQZLmCmPNDOKxfDMMa+Bl2E\nJPxcNc7XY3WBHa3xFUbcqiPxWxDyaZjhq/LYQGpepiGonGMEzR5JOQ==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-04-08T13:25:20Z",
-		"mac": "ENC[AES256_GCM,data:za9ku+9lu1TTRjbPcd5LYDM4tJsAYF/yuWFCGkAhqcYguEducsIfoKBwL42ahAzqLjCZp91YJuINtw16mM+Hmlhi/BVwhnXNHqcfnKoAS/zg9KJvWcvXwKMmjEjaBovqaCWXWoKS7dn/wZ7nfGrlsiUilCDkW4BzTIzkqNkyREU=,iv:2X9apXMatwCPRBIRbPxz6PJQwGrlr7O+z+MrsnFq+sQ=,tag:IYvitoV4MhyJyRO1ySxbLQ==,type:str]",
-		"pgp": null,
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.9.4"
-	}
-}

checks/data-mesher/vars/shared/data-mesher-network-key/public_key/value

@@ -1,3 +0,0 @@
------BEGIN PUBLIC KEY-----
-MCowBQYDK2VwAyEA/5j+Js7oxwWvZdfjfEO/3UuRqMxLKXsaNc3/5N2WSaw=
------END PUBLIC KEY-----

checks/flake-module.nix

@@ -1,7 +1,19 @@
-{ self, lib, ... }:
+{
+  self,
+  lib,
+  inputs,
+  ...
+}:
 let
   inherit (lib)
+    attrNames
+    attrValues
+    elem
     filter
+    filterAttrs
+    flip
+    genAttrs
+    hasPrefix
     pathExists
     ;
   nixosLib = import (self.inputs.nixpkgs + "/nixos/lib") { };
@@ -10,6 +22,7 @@ in
   imports = filter pathExists [
     ./backups/flake-module.nix
     ../nixosModules/clanCore/machine-id/tests/flake-module.nix
+    ../nixosModules/clanCore/state-version/tests/flake-module.nix
     ./devshell/flake-module.nix
     ./flash/flake-module.nix
     ./impure/flake-module.nix
@@ -18,6 +31,33 @@ in
     ./nixos-documentation/flake-module.nix
     ./dont-depend-on-repo-root.nix
   ];
+  flake.check = genAttrs [ "x86_64-linux" "aarch64-darwin" ] (
+    system:
+    let
+      checks = flip filterAttrs self.checks.${system} (
+        name: _check:
+        !(hasPrefix "nixos-test-" name)
+        && !(hasPrefix "nixos-" name)
+        && !(hasPrefix "darwin-test-" name)
+        && !(hasPrefix "service-" name)
+        && !(hasPrefix "vars-check-" name)
+        && !(hasPrefix "devShell-" name)
+        && !(elem name [
+          "clan-core-for-checks"
+          "clan-deps"
+        ])
+      );
+    in
+    inputs.nixpkgs.legacyPackages.${system}.runCommand "fast-flake-checks-${system}"
+      { passthru.checks = checks; }
+      ''
+        echo "Executed the following checks for ${system}..."
+        echo "  - ${lib.concatStringsSep "\n" (map (n: "  - " + n) (attrNames checks))}"
+        echo ${toString (attrValues checks)} >/dev/null
+        echo "All checks succeeded"
+        touch $out
+      ''
+  );
   perSystem =
     {
       pkgs,
@@ -40,19 +80,20 @@ in
           nixosTests = lib.optionalAttrs (pkgs.stdenv.isLinux) {
 
             # Base Tests
-            secrets = self.clanLib.test.baseTest ./secrets nixosTestArgs;
-            borgbackup-legacy = self.clanLib.test.baseTest ./borgbackup-legacy nixosTestArgs;
-            wayland-proxy-virtwl = self.clanLib.test.baseTest ./wayland-proxy-virtwl nixosTestArgs;
+            nixos-test-secrets = self.clanLib.test.baseTest ./secrets nixosTestArgs;
+            nixos-test-borgbackup-legacy = self.clanLib.test.baseTest ./borgbackup-legacy nixosTestArgs;
+            nixos-test-wayland-proxy-virtwl = self.clanLib.test.baseTest ./wayland-proxy-virtwl nixosTestArgs;
 
             # Container Tests
-            container = self.clanLib.test.containerTest ./container nixosTestArgs;
-            zt-tcp-relay = self.clanLib.test.containerTest ./zt-tcp-relay nixosTestArgs;
-            matrix-synapse = self.clanLib.test.containerTest ./matrix-synapse nixosTestArgs;
-            postgresql = self.clanLib.test.containerTest ./postgresql nixosTestArgs;
+            nixos-test-container = self.clanLib.test.containerTest ./container nixosTestArgs;
+            nixos-test-zt-tcp-relay = self.clanLib.test.containerTest ./zt-tcp-relay nixosTestArgs;
+            nixos-test-matrix-synapse = self.clanLib.test.containerTest ./matrix-synapse nixosTestArgs;
+            nixos-test-postgresql = self.clanLib.test.containerTest ./postgresql nixosTestArgs;
+            nixos-test-user-firewall-iptables = self.clanLib.test.containerTest ./user-firewall/iptables.nix nixosTestArgs;
+            nixos-test-user-firewall-nftables = self.clanLib.test.containerTest ./user-firewall/nftables.nix nixosTestArgs;
 
-            dummy-inventory-test = import ./dummy-inventory-test nixosTestArgs;
-            dummy-inventory-test-from-flake = import ./dummy-inventory-test-from-flake nixosTestArgs;
-            data-mesher = import ./data-mesher nixosTestArgs;
+            service-dummy-test = import ./service-dummy-test nixosTestArgs;
+            service-dummy-test-from-flake = import ./service-dummy-test-from-flake nixosTestArgs;
           };
 
           packagesToBuild = lib.removeAttrs self'.packages [
@@ -65,6 +106,9 @@ in
             lib.mapAttrs' (
               name: config: lib.nameValuePair "nixos-${name}" config.config.system.build.toplevel
             ) (lib.filterAttrs (n: _: !lib.hasPrefix "test-" n) self.nixosConfigurations)
+            // lib.mapAttrs' (
+              name: config: lib.nameValuePair "darwin-${name}" config.config.system.build.toplevel
+            ) (self.darwinConfigurations or { })
             // lib.mapAttrs' (n: lib.nameValuePair "package-${n}") packagesToBuild
             // lib.mapAttrs' (n: lib.nameValuePair "devShell-${n}") self'.devShells
             // lib.mapAttrs' (name: config: lib.nameValuePair "home-manager-${name}" config.activation-script) (
@@ -81,7 +125,7 @@ in
                 _n: m:
                 let
                   schema =
-                    (self.clanLib.inventory.evalClanService {
+                    (self.clanLib.evalService {
                       modules = [ m ];
                       prefix = [
                         "checks"
@@ -122,10 +166,10 @@ in
           in
           lib.optionalAttrs (pkgs.stdenv.isLinux) {
             # import our test
-            secrets = import ./secrets nixosTestArgs;
-            container = import ./container nixosTestArgs;
+            nixos-test-secrets = import ./secrets nixosTestArgs;
+            nixos-test-container = import ./container nixosTestArgs;
             # Clan app tests
-            app-ocr = self.clanLib.test.baseTest ./app-ocr nixosTestArgs;
+            nixos-test-app-ocr = self.clanLib.test.baseTest ./app-ocr nixosTestArgs;
           };
       };
     };

checks/flash/flake-module.nix

@@ -50,18 +50,16 @@
         self.nixosConfigurations."test-flash-machine-${pkgs.hostPlatform.system}".config.system.build.toplevel
         self.nixosConfigurations."test-flash-machine-${pkgs.hostPlatform.system}".config.system.build.diskoScript
         self.nixosConfigurations."test-flash-machine-${pkgs.hostPlatform.system}".config.system.build.diskoScript.drvPath
-        self.nixosConfigurations."test-flash-machine-${pkgs.hostPlatform.system}".config.system.clan.deployment.file
-
       ] ++ builtins.map (i: i.outPath) (builtins.attrValues self.inputs);
       closureInfo = pkgs.closureInfo { rootPaths = dependencies; };
     in
     {
       checks = pkgs.lib.mkIf pkgs.stdenv.isLinux {
-        flash = self.clanLib.test.baseTest {
+        nixos-test-flash = self.clanLib.test.baseTest {
           name = "flash";
           nodes.target = {
             virtualisation.emptyDiskImages = [ 4096 ];
-            virtualisation.memorySize = 3000;
+            virtualisation.memorySize = 4096;
             environment.systemPackages = [ self.packages.${pkgs.system}.clan-cli ];
             environment.etc."install-closure".source = "${closureInfo}/store-paths";
 

checks/installation/flake-module.nix

@@ -1,63 +1,9 @@
 {
   self,
   lib,
+
   ...
 }:
-let
-  installer =
-    { modulesPath, pkgs, ... }:
-    let
-      dependencies = [
-        self.clanInternals.machines.${pkgs.hostPlatform.system}.test-install-machine-with-system.config.system.build.toplevel
-        self.clanInternals.machines.${pkgs.hostPlatform.system}.test-install-machine-with-system.config.system.build.diskoScript
-        self.clanInternals.machines.${pkgs.hostPlatform.system}.test-install-machine-with-system.config.system.clan.deployment.file
-        pkgs.stdenv.drvPath
-        pkgs.bash.drvPath
-        pkgs.nixos-anywhere
-        pkgs.bubblewrap
-        pkgs.buildPackages.xorg.lndir
-      ] ++ builtins.map (i: i.outPath) (builtins.attrValues self.inputs);
-      closureInfo = pkgs.closureInfo { rootPaths = dependencies; };
-    in
-    {
-      imports = [
-        (modulesPath + "/../tests/common/auto-format-root-device.nix")
-      ];
-      networking.useNetworkd = true;
-      services.openssh.enable = true;
-      services.openssh.settings.UseDns = false;
-      services.openssh.settings.PasswordAuthentication = false;
-      system.nixos.variant_id = "installer";
-      environment.systemPackages = [
-        self.packages.${pkgs.system}.clan-cli-full
-        pkgs.nixos-facter
-      ];
-      environment.etc."install-closure".source = "${closureInfo}/store-paths";
-      virtualisation.emptyDiskImages = [ 512 ];
-      virtualisation.diskSize = 8 * 1024;
-      virtualisation.rootDevice = "/dev/vdb";
-      # both installer and target need to use the same diskImage
-      virtualisation.diskImage = "./target.qcow2";
-      virtualisation.memorySize = 3048;
-      nix.settings = {
-        substituters = lib.mkForce [ ];
-        hashed-mirrors = null;
-        connect-timeout = lib.mkForce 3;
-        flake-registry = pkgs.writeText "flake-registry" ''{"flakes":[],"version":2}'';
-        experimental-features = [
-          "nix-command"
-          "flakes"
-        ];
-      };
-      users.users.nonrootuser = {
-        isNormalUser = true;
-        openssh.authorizedKeys.keyFiles = [ ../assets/ssh/pubkey ];
-        extraGroups = [ "wheel" ];
-      };
-      security.sudo.wheelNeedsPassword = false;
-      system.extraDependencies = dependencies;
-    };
-in
 {
 
   # The purpose of this test is to ensure `clan machines install` works
@@ -106,6 +52,25 @@ in
 
         environment.etc."install-successful".text = "ok";
 
+        # Enable SSH and add authorized key for testing
+        services.openssh.enable = true;
+        services.openssh.settings.PasswordAuthentication = false;
+        users.users.nonrootuser = {
+          isNormalUser = true;
+          openssh.authorizedKeys.keys = [ (builtins.readFile ../assets/ssh/pubkey) ];
+          extraGroups = [ "wheel" ];
+          home = "/home/nonrootuser";
+          createHome = true;
+        };
+        users.users.root.openssh.authorizedKeys.keys = [ (builtins.readFile ../assets/ssh/pubkey) ];
+        # Allow users to manage their own SSH keys
+        services.openssh.authorizedKeysFiles = [
+          "/root/.ssh/authorized_keys"
+          "/home/%u/.ssh/authorized_keys"
+          "/etc/ssh/authorized_keys.d/%u"
+        ];
+        security.sudo.wheelNeedsPassword = false;
+
         boot.consoleLogLevel = lib.mkForce 100;
         boot.kernelParams = [ "boot.shell_on_fail" ];
 
@@ -182,55 +147,199 @@ in
       # vm-test-run-test-installation-> target: waiting for the VM to finish booting
       # vm-test-run-test-installation-> target: Guest root shell did not produce any data yet...
       # vm-test-run-test-installation-> target:   To debug, enter the VM and run 'systemctl status backdoor.service'.
-      checks = pkgs.lib.mkIf (pkgs.stdenv.isLinux && !pkgs.stdenv.isAarch64) {
-        installation = self.clanLib.test.baseTest {
-          name = "installation";
-          nodes.target = {
-            services.openssh.enable = true;
-            virtualisation.diskImage = "./target.qcow2";
-            virtualisation.useBootLoader = true;
+      checks =
+        let
+          # Custom Python package for port management utilities
+          closureInfo = pkgs.closureInfo {
+            rootPaths = [
+              self.checks.x86_64-linux.clan-core-for-checks
+              self.clanInternals.machines.${pkgs.hostPlatform.system}.test-install-machine-with-system.config.system.build.toplevel
+              self.clanInternals.machines.${pkgs.hostPlatform.system}.test-install-machine-with-system.config.system.build.initialRamdisk
+              self.clanInternals.machines.${pkgs.hostPlatform.system}.test-install-machine-with-system.config.system.build.diskoScript
+              pkgs.stdenv.drvPath
+              pkgs.bash.drvPath
+              pkgs.buildPackages.xorg.lndir
+            ] ++ builtins.map (i: i.outPath) (builtins.attrValues self.inputs);
           };
-          nodes.installer = installer;
+        in
+        pkgs.lib.mkIf (pkgs.stdenv.isLinux && !pkgs.stdenv.isAarch64) {
+          nixos-test-installation = self.clanLib.test.baseTest {
+            name = "installation";
+            nodes.target = (import ./test-helpers.nix { inherit lib pkgs self; }).target;
+            extraPythonPackages = _p: [
+              self.legacyPackages.${pkgs.system}.nixosTestLib
+            ];
 
-          testScript = ''
-            installer.start()
+            testScript = ''
+              import tempfile
+              import os
+              import subprocess
+              from nixos_test_lib.ssh import setup_ssh_connection # type: ignore[import-untyped]
+              from nixos_test_lib.nix_setup import prepare_test_flake # type: ignore[import-untyped]
 
-            installer.succeed("${pkgs.coreutils}/bin/install -Dm 600 ${../assets/ssh/privkey} /root/.ssh/id_ed25519")
+              def create_test_machine(oldmachine, qemu_test_bin: str, **kwargs):
+                  """Create a new test machine from an installed disk image"""
+                  start_command = [
+                      f"{qemu_test_bin}/bin/qemu-kvm",
+                      "-cpu",
+                      "max",
+                      "-m",
+                      "3048",
+                      "-virtfs",
+                      "local,path=/nix/store,security_model=none,mount_tag=nix-store",
+                      "-drive",
+                      f"file={oldmachine.state_dir}/target.qcow2,id=drive1,if=none,index=1,werror=report",
+                      "-device",
+                      "virtio-blk-pci,drive=drive1",
+                      "-netdev",
+                      "user,id=net0",
+                      "-device",
+                      "virtio-net-pci,netdev=net0",
+                  ]
+                  machine = create_machine(start_command=" ".join(start_command), **kwargs)
+                  driver.machines.append(machine)
+                  return machine
 
-            installer.wait_until_succeeds("timeout 2 ssh -o StrictHostKeyChecking=accept-new -v nonrootuser@localhost hostname")
-            installer.succeed("cp -r ${self.checks.x86_64-linux.clan-core-for-checks} test-flake && chmod -R +w test-flake")
+              target.start()
 
-            installer.succeed("clan machines install --no-reboot --debug --flake test-flake --yes test-install-machine-without-system --target-host nonrootuser@localhost --update-hardware-config nixos-facter >&2")
-            installer.shutdown()
+              # Set up test environment
+              with tempfile.TemporaryDirectory() as temp_dir:
+                  # Prepare test flake and Nix store
+                  flake_dir = prepare_test_flake(
+                      temp_dir,
+                      "${self.checks.x86_64-linux.clan-core-for-checks}",
+                      "${closureInfo}"
+                  )
 
-            # We are missing the test instrumentation somehow. Test this later.
-            target.state_dir = installer.state_dir
-            target.start()
-            target.wait_for_unit("multi-user.target")
-          '';
-        } { inherit pkgs self; };
+                  # Set up SSH connection
+                  ssh_conn = setup_ssh_connection(
+                      target,
+                      temp_dir,
+                      "${../assets/ssh/privkey}"
+                  )
 
-        update-hardware-configuration = self.clanLib.test.baseTest {
-          name = "update-hardware-configuration";
-          nodes.installer = installer;
+                  # Run clan install from host using port forwarding
+                  clan_cmd = [
+                      "${self.packages.${pkgs.system}.clan-cli-full}/bin/clan",
+                      "machines",
+                      "install",
+                      "--phases", "disko,install",
+                      "--debug",
+                      "--flake", flake_dir,
+                      "--yes", "test-install-machine-without-system",
+                      "--target-host", f"nonrootuser@localhost:{ssh_conn.host_port}",
+                      "-i", ssh_conn.ssh_key,
+                      "--option", "store", os.environ['CLAN_TEST_STORE'],
+                      "--update-hardware-config", "nixos-facter",
+                  ]
 
-          testScript = ''
-            installer.start()
-            installer.succeed("${pkgs.coreutils}/bin/install -Dm 600 ${../assets/ssh/privkey} /root/.ssh/id_ed25519")
-            installer.wait_until_succeeds("timeout 2 ssh -o StrictHostKeyChecking=accept-new -v nonrootuser@localhost hostname")
-            installer.succeed("cp -r ${self.checks.x86_64-linux.clan-core-for-checks} test-flake && chmod -R +w test-flake")
-            installer.fail("test -f test-flake/machines/test-install-machine/hardware-configuration.nix")
-            installer.fail("test -f test-flake/machines/test-install-machine/facter.json")
+                  subprocess.run(clan_cmd, check=True)
 
-            installer.succeed("clan machines update-hardware-config --debug --flake test-flake test-install-machine-without-system nonrootuser@localhost >&2")
-            installer.succeed("test -f test-flake/machines/test-install-machine-without-system/facter.json")
-            installer.succeed("rm test-flake/machines/test-install-machine-without-system/facter.json")
+              # Shutdown the installer machine gracefully
+              try:
+                  target.shutdown()
+              except BrokenPipeError:
+                  # qemu has already exited
+                  pass
 
-            installer.succeed("clan machines update-hardware-config --debug --backend nixos-generate-config --flake test-flake test-install-machine-without-system nonrootuser@localhost >&2")
-            installer.succeed("test -f test-flake/machines/test-install-machine-without-system/hardware-configuration.nix")
-            installer.succeed("rm test-flake/machines/test-install-machine-without-system/hardware-configuration.nix")
-          '';
-        } { inherit pkgs self; };
-      };
+              # Create a new machine instance that boots from the installed system
+              installed_machine = create_test_machine(target, "${pkgs.qemu_test}", name="after_install")
+              installed_machine.start()
+              installed_machine.wait_for_unit("multi-user.target")
+              installed_machine.succeed("test -f /etc/install-successful")
+            '';
+          } { inherit pkgs self; };
+
+          nixos-test-update-hardware-configuration = self.clanLib.test.baseTest {
+            name = "update-hardware-configuration";
+            nodes.target = (import ./test-helpers.nix { inherit lib pkgs self; }).target;
+            extraPythonPackages = _p: [
+              self.legacyPackages.${pkgs.system}.nixosTestLib
+            ];
+
+            testScript = ''
+              import tempfile
+              import os
+              import subprocess
+              from nixos_test_lib.ssh import setup_ssh_connection # type: ignore[import-untyped]
+              from nixos_test_lib.nix_setup import prepare_test_flake # type: ignore[import-untyped]
+
+              target.start()
+
+              # Set up test environment
+              with tempfile.TemporaryDirectory() as temp_dir:
+                  # Prepare test flake and Nix store
+                  flake_dir = prepare_test_flake(
+                      temp_dir,
+                      "${self.checks.x86_64-linux.clan-core-for-checks}",
+                      "${closureInfo}"
+                  )
+                  
+                  # Set up SSH connection
+                  ssh_conn = setup_ssh_connection(
+                      target,
+                      temp_dir,
+                      "${../assets/ssh/privkey}"
+                  )
+
+                  # Verify files don't exist initially
+                  hw_config_file = os.path.join(flake_dir, "machines/test-install-machine/hardware-configuration.nix")
+                  facter_file = os.path.join(flake_dir, "machines/test-install-machine/facter.json")
+
+                  assert not os.path.exists(hw_config_file), "hardware-configuration.nix should not exist initially"
+                  assert not os.path.exists(facter_file), "facter.json should not exist initially"
+
+                  # Set CLAN_FLAKE for the commands
+                  os.environ["CLAN_FLAKE"] = flake_dir
+
+                  # Test facter backend
+                  clan_cmd = [
+                      "${self.packages.${pkgs.system}.clan-cli-full}/bin/clan",
+                      "machines",
+                      "update-hardware-config",
+                      "--debug",
+                      "--flake", ".",
+                      "--host-key-check", "none",
+                      "test-install-machine-without-system",
+                      "-i", ssh_conn.ssh_key,
+                      "--option", "store", os.environ['CLAN_TEST_STORE'],
+                      f"nonrootuser@localhost:{ssh_conn.host_port}"
+                  ]
+
+                  result = subprocess.run(clan_cmd, capture_output=True, cwd=flake_dir)
+                  if result.returncode != 0:
+                      print(f"Clan update-hardware-config failed: {result.stderr.decode()}")
+                      raise Exception(f"Clan update-hardware-config failed with return code {result.returncode}")
+
+                  facter_without_system_file = os.path.join(flake_dir, "machines/test-install-machine-without-system/facter.json")
+                  assert os.path.exists(facter_without_system_file), "facter.json should exist after update"
+                  os.remove(facter_without_system_file)
+
+                  # Test nixos-generate-config backend
+                  clan_cmd = [
+                      "${self.packages.${pkgs.system}.clan-cli-full}/bin/clan",
+                      "machines",
+                      "update-hardware-config",
+                      "--debug",
+                      "--backend", "nixos-generate-config",
+                      "--host-key-check", "none",
+                      "--flake", ".",
+                      "test-install-machine-without-system",
+                      "-i", ssh_conn.ssh_key,
+                      "--option", "store", os.environ['CLAN_TEST_STORE'],
+                      f"nonrootuser@localhost:{ssh_conn.host_port}"
+                  ]
+
+                  result = subprocess.run(clan_cmd, capture_output=True, cwd=flake_dir)
+                  if result.returncode != 0:
+                      print(f"Clan update-hardware-config (nixos-generate-config) failed: {result.stderr.decode()}")
+                      raise Exception(f"Clan update-hardware-config failed with return code {result.returncode}")
+
+                  hw_config_without_system_file = os.path.join(flake_dir, "machines/test-install-machine-without-system/hardware-configuration.nix")
+                  assert os.path.exists(hw_config_without_system_file), "hardware-configuration.nix should exist after update"
+            '';
+          } { inherit pkgs self; };
+
+        };
     };
 }

checks/installation/pyproject.toml

@@ -0,0 +1,44 @@
+[build-system]
+requires = ["setuptools", "wheel"]
+build-backend = "setuptools.build_meta"
+
+[project]
+name = "nixos-test-lib"
+version = "1.0.0"
+description = "NixOS test utilities for clan VM testing"
+authors = [
+    {name = "Clan Core Team"}
+]
+dependencies = []
+
+[project.optional-dependencies]
+dev = [
+    "mypy",
+    "ruff"
+]
+
+[tool.setuptools.packages.find]
+where = ["."]
+include = ["nixos_test_lib*"]
+
+[tool.setuptools.package-data]
+"nixos_test_lib" = ["py.typed"]
+
+[tool.mypy]
+python_version = "3.12"
+strict = true
+warn_return_any = true
+warn_unused_configs = true
+
+[tool.ruff]
+target-version = "py312"
+line-length = 88
+
+[tool.ruff.lint]
+select = ["ALL"]
+ignore = [
+    "D", # docstrings
+    "ANN", # type annotations  
+    "COM812", # trailing comma
+    "ISC001", # string concatenation
+]

checks/installation/test-helpers.nix

@@ -0,0 +1,173 @@
+{
+  lib,
+  pkgs,
+  self,
+  ...
+}:
+let
+  # Common target VM configuration used by both installation and update tests
+  target =
+    { modulesPath, pkgs, ... }:
+    {
+      imports = [
+        (modulesPath + "/../tests/common/auto-format-root-device.nix")
+      ];
+      networking.useNetworkd = true;
+      services.openssh.enable = true;
+      services.openssh.settings.UseDns = false;
+      services.openssh.settings.PasswordAuthentication = false;
+      system.nixos.variant_id = "installer";
+      environment.systemPackages = [
+        pkgs.nixos-facter
+      ];
+      # Disable cache.nixos.org to speed up tests
+      nix.settings.substituters = [ ];
+      nix.settings.trusted-public-keys = [ ];
+      virtualisation.emptyDiskImages = [ 512 ];
+      virtualisation.diskSize = 8 * 1024;
+      virtualisation.rootDevice = "/dev/vdb";
+      # both installer and target need to use the same diskImage
+      virtualisation.diskImage = "./target.qcow2";
+      virtualisation.memorySize = 3048;
+      users.users.nonrootuser = {
+        isNormalUser = true;
+        openssh.authorizedKeys.keys = [ (builtins.readFile ../assets/ssh/pubkey) ];
+        extraGroups = [ "wheel" ];
+      };
+      users.users.root.openssh.authorizedKeys.keys = [ (builtins.readFile ../assets/ssh/pubkey) ];
+      # Allow users to manage their own SSH keys
+      services.openssh.authorizedKeysFiles = [
+        "/root/.ssh/authorized_keys"
+        "/home/%u/.ssh/authorized_keys"
+        "/etc/ssh/authorized_keys.d/%u"
+      ];
+      security.sudo.wheelNeedsPassword = false;
+    };
+
+  # Common base test machine configuration
+  baseTestMachine =
+    { lib, modulesPath, ... }:
+    {
+      imports = [
+        (modulesPath + "/testing/test-instrumentation.nix")
+        (modulesPath + "/profiles/qemu-guest.nix")
+        self.clanLib.test.minifyModule
+      ];
+
+      # Enable SSH and add authorized key for testing
+      services.openssh.enable = true;
+      services.openssh.settings.PasswordAuthentication = false;
+      users.users.nonrootuser = {
+        isNormalUser = true;
+        openssh.authorizedKeys.keys = [ (builtins.readFile ../assets/ssh/pubkey) ];
+        extraGroups = [ "wheel" ];
+        home = "/home/nonrootuser";
+        createHome = true;
+      };
+      users.users.root.openssh.authorizedKeys.keys = [ (builtins.readFile ../assets/ssh/pubkey) ];
+      # Allow users to manage their own SSH keys
+      services.openssh.authorizedKeysFiles = [
+        "/root/.ssh/authorized_keys"
+        "/home/%u/.ssh/authorized_keys"
+        "/etc/ssh/authorized_keys.d/%u"
+      ];
+      security.sudo.wheelNeedsPassword = false;
+
+      boot.consoleLogLevel = lib.mkForce 100;
+      boot.kernelParams = [ "boot.shell_on_fail" ];
+
+      # disko config
+      boot.loader.grub.efiSupport = lib.mkDefault true;
+      boot.loader.grub.efiInstallAsRemovable = lib.mkDefault true;
+      clan.core.vars.settings.secretStore = "vm";
+      clan.core.vars.generators.test = {
+        files.test.neededFor = "partitioning";
+        script = ''
+          echo "notok" > "$out"/test
+        '';
+      };
+      disko.devices = {
+        disk = {
+          main = {
+            type = "disk";
+            device = "/dev/vda";
+
+            preCreateHook = ''
+              test -e /run/partitioning-secrets/test/test
+            '';
+
+            content = {
+              type = "gpt";
+              partitions = {
+                boot = {
+                  size = "1M";
+                  type = "EF02"; # for grub MBR
+                  priority = 1;
+                };
+                ESP = {
+                  size = "512M";
+                  type = "EF00";
+                  content = {
+                    type = "filesystem";
+                    format = "vfat";
+                    mountpoint = "/boot";
+                    mountOptions = [ "umask=0077" ];
+                  };
+                };
+                root = {
+                  size = "100%";
+                  content = {
+                    type = "filesystem";
+                    format = "ext4";
+                    mountpoint = "/";
+                  };
+                };
+              };
+            };
+          };
+        };
+      };
+    };
+
+  # NixOS test library combining port utils and clan VM test utilities
+  nixosTestLib = pkgs.python3Packages.buildPythonPackage {
+    pname = "nixos-test-lib";
+    version = "1.0.0";
+    format = "pyproject";
+    src = lib.fileset.toSource {
+      root = ./.;
+      fileset = lib.fileset.unions [
+        ./pyproject.toml
+        ./nixos_test_lib
+      ];
+    };
+    nativeBuildInputs = with pkgs.python3Packages; [
+      setuptools
+      wheel
+    ];
+    doCheck = false;
+  };
+
+  # Common closure info
+  closureInfo = pkgs.closureInfo {
+    rootPaths = [
+      self.checks.x86_64-linux.clan-core-for-checks
+      self.clanInternals.machines.${pkgs.hostPlatform.system}.test-install-machine-with-system.config.system.build.toplevel
+      self.clanInternals.machines.${pkgs.hostPlatform.system}.test-install-machine-with-system.config.system.build.initialRamdisk
+      self.clanInternals.machines.${pkgs.hostPlatform.system}.test-install-machine-with-system.config.system.build.diskoScript
+      self.clanInternals.machines.${pkgs.hostPlatform.system}.test-install-machine-with-system.config.system.clan.deployment.file
+      pkgs.stdenv.drvPath
+      pkgs.bash.drvPath
+      pkgs.buildPackages.xorg.lndir
+    ] ++ builtins.map (i: i.outPath) (builtins.attrValues self.inputs);
+  };
+
+in
+{
+  inherit
+    target
+    baseTestMachine
+    nixosTestLib
+    closureInfo
+    ;
+}

checks/morph/flake-module.nix

@@ -24,7 +24,7 @@
     }:
     {
       checks = pkgs.lib.mkIf (pkgs.stdenv.isLinux && !pkgs.stdenv.isAarch64) {
-        morph = self.clanLib.test.baseTest {
+        nixos-test-morph = self.clanLib.test.baseTest {
           name = "morph";
 
           nodes = {
@@ -35,7 +35,6 @@
                   pkgs.stdenv.drvPath
                   pkgs.stdenvNoCC
                   self.nixosConfigurations.test-morph-machine.config.system.build.toplevel
-                  self.nixosConfigurations.test-morph-machine.config.system.clan.deployment.file
                 ] ++ builtins.map (i: i.outPath) (builtins.attrValues self.inputs);
                 closureInfo = pkgs.closureInfo { rootPaths = dependencies; };
               in

checks/mycelium/default.nix

@@ -8,15 +8,14 @@ nixosLib.runTest (
   { ... }:
   {
     imports = [
-      clan-core.modules.nixosVmTest.clanTest
+      clan-core.modules.nixosTest.clanTest
     ];
 
     hostPkgs = pkgs;
 
-    name = "mycelium";
+    name = "service-mycelium";
 
     clan = {
-
       test.useContainers = false;
       directory = ./.;
       modules."@clan/mycelium" = ../../clanServices/mycelium/default.nix;
@@ -26,6 +25,7 @@ nixosLib.runTest (
         instances = {
           mycelium-test = {
             module.name = "@clan/mycelium";
+            module.input = "self";
             roles.peer.machines."server".settings = {
               openFirewall = true;
               addHostedPublicNodes = true;

checks/service-dummy-test-from-flake/default.nix

@@ -9,7 +9,7 @@ nixosLib.runTest (
   { hostPkgs, config, ... }:
   {
     imports = [
-      clan-core.modules.nixosVmTest.clanTest
+      clan-core.modules.nixosTest.clanTest
     ];
 
     hostPkgs = pkgs;
@@ -18,19 +18,19 @@ nixosLib.runTest (
     # With the test framework
     # - legacy-modules
     # - clan.service modules
-    name = "dummy-inventory-test-from-flake";
+    name = "service-dummy-test-from-flake";
 
     clan.test.fromFlake = ./.;
 
     extraPythonPackages = _p: [
-      clan-core.legacyPackages.${hostPkgs.system}.setupNixInNixPythonPackage
+      clan-core.legacyPackages.${hostPkgs.system}.nixosTestLib
     ];
 
     testScript =
       { nodes, ... }:
       ''
-        from setup_nix_in_nix import setup_nix_in_nix # type: ignore[import-untyped]
-        setup_nix_in_nix()
+        from nixos_test_lib.nix_setup import setup_nix_in_nix # type: ignore[import-untyped]
+        setup_nix_in_nix(None)  # No closure info for this test
 
         def run_clan(cmd: list[str], **kwargs) -> str:
             import subprocess

checks/service-dummy-test-from-flake/flake.nix

@@ -6,7 +6,7 @@
     { self, clan-core, ... }:
     let
       # Usage see: https://docs.clan.lol
-      clan = clan-core.clanLib.buildClan {
+      clan = clan-core.lib.clan {
         inherit self;
 
         inventory =
@@ -24,6 +24,7 @@
 
             instances."test" = {
               module.name = "new-service";
+              module.input = "self";
               roles.peer.machines.peer1 = { };
             };
 
@@ -39,7 +40,7 @@
           perMachine = {
             nixosModule = {
               # This should be generated by:
-              # nix run .#generate-test-vars -- checks/dummy-inventory-test dummy-inventory-test
+              # nix run .#generate-test-vars -- checks/service-dummy-test service-dummy-test
               clan.core.vars.generators.new-service = {
                 files.not-a-secret = {
                   secret = false;
@@ -65,6 +66,6 @@
     in
     {
       # all machines managed by Clan
-      inherit (clan) nixosConfigurations nixosModules clanInternals;
+      inherit (clan.config) nixosConfigurations nixosModules clanInternals;
     };
 }

checks/service-dummy-test/default.nix

@@ -8,7 +8,7 @@ nixosLib.runTest (
   { ... }:
   {
     imports = [
-      clan-core.modules.nixosVmTest.clanTest
+      clan-core.modules.nixosTest.clanTest
     ];
 
     hostPkgs = pkgs;
@@ -17,7 +17,7 @@ nixosLib.runTest (
     # With the test framework
     # - legacy-modules
     # - clan.service modules
-    name = "dummy-inventory-test";
+    name = "service-dummy-test";
 
     clan = {
       directory = ./.;
@@ -33,6 +33,7 @@ nixosLib.runTest (
 
         instances."test" = {
           module.name = "new-service";
+          module.input = "self";
           roles.peer.machines.peer1 = { };
         };
 
@@ -47,7 +48,7 @@ nixosLib.runTest (
         perMachine = {
           nixosModule = {
             # This should be generated by:
-            # nix run .#generate-test-vars -- checks/dummy-inventory-test dummy-inventory-test
+            # nix run .#generate-test-vars -- checks/service-dummy-test service-dummy-test
             clan.core.vars.generators.new-service = {
               files.not-a-secret = {
                 secret = false;

checks/syncthing/default.nix

@@ -1,87 +0,0 @@
-{
-  pkgs,
-  nixosLib,
-  clan-core,
-  lib,
-  ...
-}:
-nixosLib.runTest (
-  { ... }:
-  {
-    imports = [
-      clan-core.modules.nixosVmTest.clanTest
-    ];
-
-    hostPkgs = pkgs;
-
-    name = "syncthing";
-
-    clan = {
-      directory = ./.;
-      # TODO: container driver does not support wait_for_file() yet
-      test.useContainers = false;
-      inventory = {
-        machines = lib.genAttrs [
-          "introducer"
-          "peer1"
-          "peer2"
-        ] (_: { });
-        services = {
-          syncthing.default = {
-            roles.peer.machines = [
-              "peer1"
-              "peer2"
-            ];
-            roles.introducer.machines = [ "introducer" ];
-          };
-        };
-      };
-    };
-
-    nodes.introducer = {
-      # Doesn't test zerotier!
-      services.syncthing.openDefaultPorts = true;
-      services.syncthing.settings.folders = {
-        "Shared" = {
-          enable = true;
-          path = "~/Shared";
-          versioning = {
-            type = "trashcan";
-            params = {
-              cleanoutDays = "30";
-            };
-          };
-        };
-      };
-      clan.syncthing.autoAcceptDevices = true;
-      clan.syncthing.autoShares = [ "Shared" ];
-      # For faster Tests
-      systemd.timers.syncthing-auto-accept.timerConfig = {
-        OnActiveSec = 1;
-        OnUnitActiveSec = 1;
-      };
-    };
-    nodes.peer1 = {
-      services.syncthing.openDefaultPorts = true;
-    };
-    nodes.peer2 = {
-      services.syncthing.openDefaultPorts = true;
-    };
-
-    testScript = ''
-      start_all()
-      introducer.wait_for_unit("syncthing")
-      peer1.wait_for_unit("syncthing")
-      peer2.wait_for_unit("syncthing")
-      peer1.execute("ls -la /var/lib/syncthing")
-      peer2.execute("ls -la /var/lib/syncthing")
-      peer1.wait_for_file("/var/lib/syncthing/Shared")
-      peer2.wait_for_file("/var/lib/syncthing/Shared")
-      introducer.shutdown()
-      peer1.execute("echo hello > /var/lib/syncthing/Shared/hello")
-      peer2.wait_for_file("/var/lib/syncthing/Shared/hello")
-      out = peer2.succeed("cat /var/lib/syncthing/Shared/hello")
-      assert "hello" in out
-    '';
-  }
-)

checks/syncthing/sops/machines/introducer/key.json

@@ -1,6 +0,0 @@
-[
-  {
-    "publickey": "age1wjp0vvvy4d2c0pdrth0kl505rzpz37804swf6rrny9xa208mrg2s0r5m67",
-    "type": "age"
-  }
-]

checks/syncthing/sops/machines/peer1/key.json

@@ -1,6 +0,0 @@
-[
-  {
-    "publickey": "age14faw2l6rskw2gcv3rrkygmwmrp2ev9yclzq4fh8xf8sjeke8p97sw4dxuq",
-    "type": "age"
-  }
-]

checks/syncthing/sops/machines/peer2/key.json

@@ -1,6 +0,0 @@
-[
-  {
-    "publickey": "age1dutdww4x48f0e3tzmjlye9n852wx0qqhhcghsrefsq9m8c5flpfs2lxexf",
-    "type": "age"
-  }
-]

checks/syncthing/sops/secrets/introducer-age.key/secret

@@ -1,15 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:f/KzvxsoWQFTSB17lPhe/MThYu4ZjJwvkCxKp7XkLyspFF9Dal4A+H+SY6vPG7yM3+dlE3ZnxjniUeivydDTwwJiWJ6E6XIhnPI=,iv:xat6pYzYV8sfyMKX4OMsr6oSOEOc09DDXGykKKoP14Y=,tag:xMxsIpYv7KrSYvpmvBvSUw==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArUGdWK1BnNjdCL1l1WlNB\nUEswYm1tYlIxWXltemdlQm1OcmlNbSsvTkdrClpRUjR6TUNUcGtxWWhGdDg5SG84\nSFFiV2p6ZHJwR1VKYW4vVFBHRGFSYTgKLS0tIERJa3hRM28ySHBUME4vTUE1UUFr\nQklDdTBWdWJpdGg0cnR1ZUNWREl6K1EKbRFOr3Rhb2aGnQUHiX+3DzGgrY9C2Dvz\nVlyZ0q6lWtn4qFWPVez03T8QAtLjv2UaGtYTFnyFIWiykhhrWy2PBg==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-04-23T07:54:54Z",
-		"mac": "ENC[AES256_GCM,data:LJCCaGNhBgFAKtWYMD6OcXg2FMq1DYDOySIpEY91ILXDUuJSSsuYyQqE6ZvCoThlogHd9inAajsW0GbzYpSflu/WyrqlQsNJSMFkBFBQh/FIjd18GUtZ4flHWRfHqAk/xM/g+n7iOgKMvaBrG1MG1DplLRfk/8ehcqlWX4Wxof0=,iv:PrjIiUYkePPXBRGF/Wnqi1ZgA2j4YtzL/uMC5KchfIQ=,tag:yMMrJ7vGt6urz4WfRAyaNg==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.10.1"
-	}
-}

checks/syncthing/sops/secrets/introducer-age.key/users/admin

@@ -1 +0,0 @@
-../../../users/admin

checks/syncthing/sops/secrets/peer1-age.key/secret

@@ -1,15 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:q6mWG65NflVEvX1QUyRVFuRGOVg9wtyWDYQ8Plqw038pEyOrsVcj6Cmo6SRaRcAaxQmAUeplzYfzm2MgXMz1l/DySErH+mCyVSk=,iv:7X4mFSJXpUii+sppSAq8H7vYWGoDq3LnFJMAAjhhm7U=,tag:ep9vzbkzVtC2A8otat8vSg==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5bjNlZkppR01JT0F0TklO\nSnpIcFgwb0E5dStHQlZLdGNLQ3UxRDNBdEVVCnlpdWlPVVNIdFB3ZjlpSXZURjdS\nMVlCbFV5RXI0d2t5bHJvR3U5b2NDa2MKLS0tIDJLZlE0RjhNaGhBeFVsSE93Z0NX\nVVcyUjJPL1FVTEVOUktYTEMvVFNEdlUKYkmyVjcbAf5IVb/RWBfhbmoBbuz+u8X0\n3J8a/SJsgX3vLJIpVeSQSSFTNXu0+8/QeRiXsV7GCyHu+lwL75ycmA==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-04-23T07:54:59Z",
-		"mac": "ENC[AES256_GCM,data:rhi/f3r81Cm+yXJXpnPmyK7jNqJ1Pg4tU7gsOwjCv5CeJn8U6N78ZBiHndjdwzqSdp7+qwx/9gPpLQVoPzO2IhY+uRhg0l6v6N9iK9UD6tjNzsCw8zTIb/ehObRqqpzVn2BGkUte+g0Hu2/bpHFbq6qmGm8YOYnD8K7U2FoiuGQ=,iv:o7RaD5oogpjSgdfFPqb8Tfgn43ydSzA0ZTP2ayNZI9c=,tag:e/zmTPAIWX1uDQxLNznIWQ==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.10.1"
-	}
-}

checks/syncthing/sops/secrets/peer1-age.key/users/admin

@@ -1 +0,0 @@
-../../../users/admin

checks/syncthing/sops/secrets/peer2-age.key/secret

@@ -1,15 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:2EaSVKRIMKVF9+qAozKl703entUWB04J61UM1QRj1omKUb5sDaOwnQKCZDZxO/CCtam/kz1jHoxCeFiJFcx+DpTyYptpSpYq1dI=,iv:syZ2HKRxQ73urS4Vwz7/3IMBYY6nk78zaooPMDkU1w4=,tag:uGaqxbU6/9DvkGY1Jq/XRw==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUMnJrb2VHYVdMRHJhYjFH\nL25nN2RIZ3pVeDdYTllrUkF0TkREYmNMMVdrCkNSaGlRd3c3YXZPZmIxWExCaytu\nU3FGTmhUZ0pUUjJJNS9vcVBISmFyZHcKLS0tIHMwaFlEYkFFb2RwS3JDb2VxRFcw\nZmd6S3RXVGcwbmtHVVRmWXkwSnF1RkkKTbg6igFHIakR8EAPuf+x9yhmQHF3TPp/\nC+B1FuorpovudtxmJ1UzBmkE0r13cY6iu9Vdjh1g7tBcXUWoHZsvIA==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-04-23T07:55:03Z",
-		"mac": "ENC[AES256_GCM,data:HuQQvWOGIjISxnNShYHLj4QinNoeOTwxpJK35swpcBnJ4JtDnA6F2JjpJI8DXIwO42eDbXIF22lJjqynRFRo6kQrrD8uhBHEFD2R+6U7zFxJ4gknWR1iF3fbM1+2VDiu8L9InpZcfb6Z8tpKPdPiYS3NGdoAJ0ClSw+8WlVsS5E=,iv:pJxsCP5Y6NTNAck0mphbLRnZ48sRRZ/YaYUobi6mGYU=,tag:ewR5QLBh3WRLkHlSGH5MsQ==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.10.1"
-	}
-}

checks/syncthing/sops/secrets/peer2-age.key/users/admin

@@ -1 +0,0 @@
-../../../users/admin

checks/syncthing/vars/per-machine/introducer/syncthing/apikey/machines/introducer

@@ -1 +0,0 @@
-../../../../../../sops/machines/introducer

checks/syncthing/vars/per-machine/introducer/syncthing/apikey/secret

@@ -1,19 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:UVv08bXHtWMWcMC7tBb+xy7+3JRiOfVpRPD/q/TR1/+5,iv:ZNb3GDvtuZFbXlcJyN/kzy8cRppRqWnN308mAAkOc/4=,tag:Jv5MsPQ+gTBROzG6oo0ztg==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBha2t2enBPWUhHcXIveGJJ\nZklLeVNkNkhkcXFLczJjeHdFT2haSGF6UnhNCjh1MHJobSs4dmVKTVdzL1JRTXJK\nUlo2MzFOelV5UVNqVjladStHdUlqSGcKLS0tIGlqa1RZVHpva2ZmNnpSRjhseGUw\na0hmSER6VlZsZ1A2TE84OTVyQVVTRDgKoE3UzWOqYhV9Y/vayIGY6ak4MEPR+q5t\n5NY6VDkCwYiactvcSo36jiaru47jRr6ovk5Vfkq/jFO2njDND5mLqQ==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1wjp0vvvy4d2c0pdrth0kl505rzpz37804swf6rrny9xa208mrg2s0r5m67",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNZGZUVmVBOENtZTJmRTQz\ndUpzYXBwb1NUWmhPU1g0VWFkWUp3Y2JGQ0JVCjZPS1lxL3N0YlU5T2owSS9FSC9L\naWtScmdyclhqcTE3blFEZHRNRHhjOXMKLS0tIGR2MnhRdUpHZ2tqTzVLWFo0WVhm\neXlpWUdwc3ZHOGRXWTNlZC9UMHd2M3cKgabJLSO2rT1u+I4V/XdCt8iDXuFQw+2w\nwr2juhtq3IwBuO6VqQKwAy6hHNbEWa+e/6bPaoXiJAOdA6+LbzfSmg==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-04-23T07:54:56Z",
-		"mac": "ENC[AES256_GCM,data:ajkYjU6vAqrNiknSLZOYgFYiL7A6/ut+m3bt/x22Ms7LGZv5BgsTtLDw70gbAQh9fMbQCxCngkUrHk6bvVe9afpNvdw3fPQ9hfMkXquvDjhGHMvr3bmawsBJrShuywYRZY2z++f6FA0ApGVkSG1tSFDt/Tob1wkhxbPonGnsliQ=,iv:6H2X+4RkW48+w1dHWxa4nogKbHHriGyvAOr9ODf7m68=,tag:RWv+zSyqfaKcLAjxFHhqXw==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.10.1"
-	}
-}

checks/syncthing/vars/per-machine/introducer/syncthing/apikey/users/admin

@@ -1 +0,0 @@
-../../../../../../sops/users/admin

checks/syncthing/vars/per-machine/introducer/syncthing/cert/machines/introducer

@@ -1 +0,0 @@
-../../../../../../sops/machines/introducer

checks/syncthing/vars/per-machine/introducer/syncthing/cert/secret

@@ -1,19 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:DdiIZhVVosBWWyQu52g9bZm4PHlYalIeNQZtiqzN6p0Q3GcIPZkrA7EUtiI/jLOY9ILRKX3yreJWlDQHiEdfjQhqR1Oneb3JVv41GASEIumhuxPU4VQyIMV3u5MNO7H+NkzsBx8JHvm0MOIar76B4Bc+7ZoaahHacNzog+rGxUplecoY8A22Cr9G71OFj4JPQJTK40DhdSxdmSaiI3FzqxyuzbYfMViVqm6X3hX/CUv5nxlNeFUw5ZKruOTq4sjgiy859dOTiTG1L4X5T2G9UNevg5eRAqGdmjB/DB8is8yMUXYloD5TSvoDXCS8rAB7DgrtcF91nv9Wxq5aYGv6ovHpG7sL/aOY507PyaWtItir1+Gy9M8ECQq50wgj308KEMSbllFIhiHaHklpqTZdJejIzVB5nxbMIrcF2537Nfw3T2awveBk7ZjuYFQ3lIZVWNe9mbVubH1JLZS6x/Fm+rY85KnT3hZHCRLuUTvb5b3My73UMmWmAN3DekSr/m7z51cxtvJQJrM9GV6Lv4PAbgzvz8BvWps/9pIQlqVPYk8fRBvKqIAtbM7V6nIH1Fx8hmoMYM+c2CIHhMKxh1b+SGTk3BYXRuF/MX/btAt0kwUh+qPQJEd+i+9qFCS2I26BzoFsjm4M9e5tp1tx0KazrsIrWRAi6faGI+i48VpYxP60BQdK0YZTczTVLw4nIZGWJ1m0cHzeViR/P3mvP0tROo4GyAloUP3QWAwC88I2btHmC008Ldg7XRmOrPtwMuj1Z38Sj1mlRSu3+5hYS7T9wbOg3J/S9o3xbGDzJFAVU5YouAhU3qWwKvmrTKn6WRPyGFafcbBxzoNyOwK1U8MtrvDEUyoevN9kP/nGbD7sfyJpStN5zrn/9NxANVAAWjje1vWVmjFlTdip9USRzmrSIbPb4PwgXjJJObF6VWXF9RTdlZNq486BTC2eE4XQ3stOJ6UJmRwsowU3TuI8xb9wNXZBFmwfkrNhvgOrpf6LTc6ouL5QfSgcj6Gg/mXvE24Y4yhRZA4lnDqbuyl7lIyzTyfiwSEmDbJTVkc=,iv:Sby7ZpP5/ThihlnmxBX485/dtdxHQBPEoHPhbRVc7hk=,tag:9azO7wAzCSkYj/Awv6X+7Q==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBreW1Cd3NQWE13NUJHR2Ur\nSmdWK3hvVHpNMzZ1cGxHbEdHd2FETm1tSkZBCkhNMHdReGRpZmVJVUJ6aDY4MW1G\nOFhHRVhpUE1FWThwZ1BDZFJxRnZqYzAKLS0tIDd6QTROa2JYLzd4RmtDODJhM2hJ\nU1NwSTE3TVQ5WEdGVzB5YVdYWWNPazQKot8O9EYCfw4r59Fn/9lYZ0xYd7SUo9lJ\nEsus6BeNg2VLFa5V5q3hlVgRHUgNM4LMqIhdDf9mkxULKt1ilmoB6A==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1wjp0vvvy4d2c0pdrth0kl505rzpz37804swf6rrny9xa208mrg2s0r5m67",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1Q213dEI0d2FMUDB2Z2F3\nOVp6anVnVVZSNTdGMktnL2Z1c3JxNEt6ZUhZCnhrRUFrcnRpRVJXbmNjSWJRQ2hO\nVnlCRVdCRUZidUwwNDQyc1UwemRWbkkKLS0tIER1WWhNNERtaEZ1NVZNOXZoczZN\nZHd3U3UrOC9PZWhPMTBCVG03ZVdRdW8KY3bksqIx78GETGEg8q63HvEp+b8GnLFM\nqE7hiC9sNN8THvXV5rZeJdIPYZ6Kan2Q09GxRzDEJBavK3ZK0DKblA==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-04-23T07:54:57Z",
-		"mac": "ENC[AES256_GCM,data:SckFGU9nPJi6t3bJdRqE49i7tqzcJQB4+ZZzuzSUTnPJV+Bn+/nr6zqbf40jG4qWPPV1PJsiXoJrTOQZ5O/skLg4++c4op5U+brRZqggeJepHVdHpxe7ldVak64Of7gMJ9S5fsynyRa+96kxf/qN2qZ1f63sk0u9bImPovYOJKA=,iv:EWWRbnySYk07m8oAio71VftGhRUJWiXYKJxsnErx2ng=,tag:MS7JFdlny6OA+MjCCz3kHA==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.10.1"
-	}
-}

checks/syncthing/vars/per-machine/introducer/syncthing/cert/users/admin

@@ -1 +0,0 @@
-../../../../../../sops/users/admin

checks/syncthing/vars/per-machine/introducer/syncthing/id/value

@@ -1 +0,0 @@
-Y45RCSC-Y2OENC7-OI2NQ6Y-VUU6W7X-TQDROMD-JZNYC3B-BZJA2TI-7IMW4Q4

checks/syncthing/vars/per-machine/introducer/syncthing/key/machines/introducer

@@ -1 +0,0 @@
-../../../../../../sops/machines/introducer

checks/syncthing/vars/per-machine/introducer/syncthing/key/secret

@@ -1,19 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:DkRR6AfyQJh0rnuzIO9gOs+xSmtncpo4zQOOLMeyfRcMRYYMnfzFIDYrOg4AYEmyd/KDfX8O7r/9dfrg4t4VJIFtA78h7hVA3KFpVhyA55AMfiWKJUQZhTvZG2eRP89+S0tChu6spgTXFDXIwCXa8EwzUc5Cqd/3UHs1DFdsuwWpmcbbXY1P3k4iaSpvQse/7BC0TNn2bg2ZPd4i9ovdY9kyMyOT9/54JRr21PeJ2SJYzLEMhzc+VirU4xIWdRMvK+LJRPWQEhvDGUjxAE5B90rHYmAi8eAaEEB52wpQBthJKUdBoZHlZ/DUbk9CVF2UF4B1rBLOtnt+pN9EfBFqrq0my/6bElEQV3P5UcdC7Z/sOjWVQvjBkHc9wkJp0g6e,iv:T0qYtoUeX7FZA8omE4heI6Beeh4gmbYoJ4Ww+6ix5AY=,tag:0FpsipDR1pfQA2/Z+4ogQQ==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWam5QUlF2K2ZQa3RjYkxt\nZXBmbmhKcC9HeklPL2c3UFRsUGhxL212T25rCmpCYzF4MFd3REk5cWtsSSt4ZFlK\nMzlLUUg3M1J4am1ZSVg0ait3eHFtVjgKLS0tIGpzYXJzWXJ4emhIOS9oL1E1SVBR\nRXZSZlVtMENGR2RNRzRMcGxCZW8xS1UK1BuhZV2eVb545eTg7I+wk5Dth6ZUwb9R\n5KkJ8oNSahtk9J27ZmJNIuof+fEj9yNueKHbvkDGo5rUoeH9u/awsw==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1wjp0vvvy4d2c0pdrth0kl505rzpz37804swf6rrny9xa208mrg2s0r5m67",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0c1FmdlRUSXBsaDcvMmlj\nUVovdlRoMzAxeGh1blh1OU1JWTh0OElhZkFZClpyZ0JpcGVFbHRJdHhqNDRnaHhY\nQVVSS3NwcXZWMm83R1BPOTAySmF6QTgKLS0tIDd1OE5VYm5qWUZtd2VvYmdob2lG\nODlpUDAzdENDT1Nvdlo2bnVHRjVRSzQKFiKoA9JY6vY6+StLnLq3Fx0SmCRDro6+\nTLy2MmJM2VjdixMBvSDJATIXdf2T5lRFqGeJIlmLftzwCSJNmar+qg==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-04-23T07:54:57Z",
-		"mac": "ENC[AES256_GCM,data:xZlGmeBeMrM4bCYU0j/1rz/lh33Zm3SUKJCSHWQ9rkVzBqD6Zxok+8OLYPIXKmEUQLuD6A3Jj8BIELm7poC0ycDqTCHRP6crPR3TZ9Ha/8ws5yjpbvQA5lvYcF+GindIhTHifo0LlkXsr0Yr3ViErvHHwLifmB2RBYw++gUhxHY=,iv:DT0GgfCrKpVLaBtljUMzSMZ0vP8o24VIiUfp0etNn9Q=,tag:+4kYXei4E1AMpNAusQKcVg==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.10.1"
-	}
-}

checks/syncthing/vars/per-machine/introducer/syncthing/key/users/admin

@@ -1 +0,0 @@
-../../../../../../sops/users/admin

checks/syncthing/vars/per-machine/peer1/syncthing/apikey/machines/peer1

@@ -1 +0,0 @@
-../../../../../../sops/machines/peer1

checks/syncthing/vars/per-machine/peer1/syncthing/apikey/secret

@@ -1,19 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:j/cBGXgSdfB1NOuNdj6w8rdF5dVQ6ngu/pIDys7NIwoX,iv:9G2mTyHNtryKqR0hk8sceaYvQMvIMeprH2M34RphhuY=,tag:8eSMKD5PVwGB+rPS7/XBng==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age14faw2l6rskw2gcv3rrkygmwmrp2ev9yclzq4fh8xf8sjeke8p97sw4dxuq",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4NVlLSjEyZGFoRXVkR2ZE\nSE9NeXV2V3ZDVXF0RVBUamxWdzNIL2ZYdXhjCisyVWxLak54TS9wVU1VUzVjQVEw\nZlZUaXFqSEdFd3BuMmZzNllKSkxxT28KLS0tIHNqai9wYm5oUHdjbElmRlZrRVg1\nK3BSeG9rTGJyQUpKZU95cjNQakRKajQKUBXxIEwTiz5grVKfbWlJnCC9OiHhDFCi\nG5gNsUHcj74tTWSM+nIAzjRsRWXHpz7kWk/05EQ4W0auOhQ2FaHSTw==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxSkwrclJrRUVqYjZXZ2ZR\naDBMKzdocjBJNlN2U3A3T09jUmNkVDk1aDJNCkQyQVU2RWpGYzJqdVBKdVRCUHdZ\ndENMbGl2VjNCQXE5Q1lBMEVHYVp3UWsKLS0tICtaZFZGRmxpMTdodGd1a2dEMDYr\nNUowMy9MNTQ1bzVxTlJ2bDdmWjJSREUKJUZ8lQ45pQBXrOfeW25v84ywXN52Og1F\nkmtXkBNAOTr5OkJVZbUXa1lQ0CahLluleVufX0wJIyCpBfhmnjHYFQ==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-04-23T07:55:01Z",
-		"mac": "ENC[AES256_GCM,data:kUDSBhylpGSwaHDw6HK62UgtIAmG6gnAnoooFTBC5XLS/FX1KhWIg+8fmJK8mHbPVGE/Ju7Qa8cxAEEIWa12xoVlsu6UlaHOIwiOTab6gHnxAA/WL+vYjf5H4IVzh6uOJwGIl+Wc//Yovlifs5Kg2ftkiU7rlrm5aMN6GkVGS70=,iv:hRtDatGis5VgWZcyzky5MZADba4ApZhclOxjQNgDXiI=,tag:iHcjmXiHoOHTJ88kFwezdg==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.10.1"
-	}
-}