Added demo.sh to prepare demo environment

This reverts commit 6adc68a354.

.envrc

@@ -1,13 +1,5 @@
-# shellcheck shell=bash
 if ! has nix_direnv_version || ! nix_direnv_version 3.0.4; then
   source_url "https://raw.githubusercontent.com/nix-community/nix-direnv/3.0.4/direnvrc" "sha256-DzlYZ33mWF/Gs8DDeyjr8mnVmQGx7ASYqA5WlxwvBG4="
 fi
 
-watch_file .direnv/selected-shell 
-watch_file formatter.nix
-
-if [ -e .direnv/selected-shell ]; then
-  use flake ".#$(cat .direnv/selected-shell)"
-else
-  use flake
-fi
+use flake

.gitea/workflows/build-clan-app-darwin.yml

@@ -1,20 +0,0 @@
-name: Build Clan App (Darwin)
-
-on:
-  schedule:
-    # Run every 4 hours
-    - cron: "0 */4 * * *"
-  workflow_dispatch:
-  push:
-    branches:
-      - main
-
-jobs:
-  build-clan-app-darwin:
-    runs-on: nix
-    steps:
-      - uses: actions/checkout@v4
-
-      - name: Build clan-app for x86_64-darwin
-        run: |
-          nix build .#packages.x86_64-darwin.clan-app --system x86_64-darwin --log-format bar-with-logs

.gitea/workflows/checks-impure.yaml

@@ -0,0 +1,12 @@
+name: checks-impure
+on:
+  pull_request:
+  push:
+    branches: main
+jobs:
+  test:
+    if: ${{ github.actor != 'ui-asset-bot' }}
+    runs-on: nix
+    steps:
+      - uses: actions/checkout@v3
+      - run: nix run .#impure-checks

.gitea/workflows/checks.yaml

@@ -1,9 +1,12 @@
 name: checks
 on:
   pull_request:
+  push:
+    branches: main
 jobs:
-  checks-impure:
+  test:
+    if: ${{ github.actor != 'ui-asset-bot' }}
     runs-on: nix
     steps:
-      - uses: actions/checkout@v4
-      - run: nix run .#impure-checks
+      - uses: actions/checkout@v3
+      - run: nix run --refresh github:Mic92/nix-fast-build -- --no-nom --eval-workers 20

.gitea/workflows/create-pr.sh

@@ -1,82 +0,0 @@
-#!/bin/sh
-
-# Shared script for creating pull requests in Gitea workflows
-set -eu
-
-# Required environment variables:
-# - CI_BOT_TOKEN: Gitea bot token for authentication
-# - PR_BRANCH: Branch name for the pull request
-# - PR_TITLE: Title of the pull request
-# - PR_BODY: Body/description of the pull request
-
-if [ -z "${CI_BOT_TOKEN:-}" ]; then
-  echo "Error: CI_BOT_TOKEN is not set" >&2
-  exit 1
-fi
-
-if [ -z "${PR_BRANCH:-}" ]; then
-  echo "Error: PR_BRANCH is not set" >&2
-  exit 1
-fi
-
-if [ -z "${PR_TITLE:-}" ]; then
-  echo "Error: PR_TITLE is not set" >&2
-  exit 1
-fi
-
-if [ -z "${PR_BODY:-}" ]; then
-  echo "Error: PR_BODY is not set" >&2
-  exit 1
-fi
-
-# Push the branch
-git push origin "+HEAD:${PR_BRANCH}"
-
-# Create pull request
-resp=$(nix run --inputs-from . nixpkgs#curl -- -X POST \
-  -H "Authorization: token $CI_BOT_TOKEN" \
-  -H "Content-Type: application/json" \
-  -d "{
-    \"head\": \"${PR_BRANCH}\",
-    \"base\": \"main\",
-    \"title\": \"${PR_TITLE}\",
-    \"body\": \"${PR_BODY}\"
-  }" \
-  "https://git.clan.lol/api/v1/repos/clan/clan-core/pulls")
-
-if ! pr_number=$(echo "$resp" | jq -r '.number'); then
-  echo "Error parsing response from pull request creation" >&2
-  exit 1
-fi
-
-if [ "$pr_number" = "null" ]; then
-  echo "Error creating pull request:" >&2
-  echo "$resp" | jq . >&2
-  exit 1
-fi
-
-echo "Created pull request #$pr_number"
-
-# Merge when checks succeed
-while true; do
-  resp=$(nix run --inputs-from . nixpkgs#curl -- -X POST \
-    -H "Authorization: token $CI_BOT_TOKEN" \
-    -H "Content-Type: application/json" \
-    -d '{
-      "Do": "merge",
-      "merge_when_checks_succeed": true,
-      "delete_branch_after_merge": true
-    }' \
-    "https://git.clan.lol/api/v1/repos/clan/clan-core/pulls/$pr_number/merge")
-  if ! msg=$(echo "$resp" | jq -r '.message'); then
-    echo "Error parsing merge response" >&2
-    exit 1
-  fi
-  if [ "$msg" != "Please try again later" ]; then
-    break
-  fi
-  echo "Retrying in 2 seconds..."
-  sleep 2
-done
-
-echo "Pull request #$pr_number merge initiated"

.gitea/workflows/deploy.yaml

@@ -1,13 +0,0 @@
-name: deploy
-on:
-  push:
-    branches:
-      - main
-jobs:
-  deploy-docs:
-    runs-on: nix
-    steps:
-      - uses: actions/checkout@v4
-      - run: nix run .#deploy-docs
-    env:
-      SSH_HOMEPAGE_KEY: ${{ secrets.SSH_HOMEPAGE_KEY }}

.gitea/workflows/update-clan-core-for-checks.yml

@@ -1,28 +0,0 @@
-name: "Update pinned clan-core for checks"
-on:
-  repository_dispatch:
-  workflow_dispatch:
-  schedule:
-    - cron: "51 2 * * *"
-jobs:
-  update-pinned-clan-core:
-    runs-on: nix
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          submodules: true
-      - name: Update clan-core for checks
-        run: nix run .#update-clan-core-for-checks
-      - name: Create pull request
-        env:
-          CI_BOT_TOKEN: ${{ secrets.CI_BOT_TOKEN }}
-        run: |
-          export GIT_AUTHOR_NAME=clan-bot GIT_AUTHOR_EMAIL=clan-bot@clan.lol GIT_COMMITTER_NAME=clan-bot GIT_COMMITTER_EMAIL=clan-bot@clan.lol
-          git commit -am "Update pinned clan-core for checks"
-
-          # Use shared PR creation script
-          export PR_BRANCH="update-clan-core-for-checks"
-          export PR_TITLE="Update Clan Core for Checks"
-          export PR_BODY="This PR updates the pinned clan-core flake input that is used for checks."
-
-          ./.gitea/workflows/create-pr.sh

.gitea/workflows/update-flake-inputs.yml

@@ -1,26 +0,0 @@
-name: Update Flake Inputs
-
-on:
-  schedule:
-    # Run every 5 hours
-    - cron: "0 */5 * * *"
-  workflow_dispatch:
-  repository_dispatch:
-
-jobs:
-  update-flake-inputs:
-    runs-on: nix
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-
-      - name: Update flake inputs
-        uses: Mic92/update-flake-inputs-gitea@main
-        with:
-          # Exclude private flakes and update-clan-core checks flake
-
-          exclude-patterns: "devFlake/private/flake.nix,checks/impure/flake.nix"
-          auto-merge: true
-          gitea-token: ${{ secrets.CI_BOT_TOKEN }}
-          github-token: ${{ secrets.CI_BOT_GITHUB_TOKEN }}

.gitea/workflows/update-private-flake-inputs.yml

@@ -1,40 +0,0 @@
-name: "Update private flake inputs"
-on:
-  repository_dispatch:
-  workflow_dispatch:
-  schedule:
-    - cron: "0 3 * * *" # Run daily at 3 AM
-jobs:
-  update-private-flake:
-    runs-on: nix
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          submodules: true
-      - name: Update private flake inputs
-        run: |
-          # Update the private flake lock file
-          cd devFlake/private
-          nix flake update
-          cd ../..
-
-          # Update the narHash
-          bash ./devFlake/update-private-narhash
-      - name: Create pull request
-        env:
-          CI_BOT_TOKEN: ${{ secrets.CI_BOT_TOKEN }}
-        run: |
-          export GIT_AUTHOR_NAME=clan-bot GIT_AUTHOR_EMAIL=clan-bot@clan.lol GIT_COMMITTER_NAME=clan-bot GIT_COMMITTER_EMAIL=clan-bot@clan.lol
-
-          # Check if there are any changes
-          if ! git diff --quiet; then
-            git add devFlake/private/flake.lock devFlake/private.narHash
-            git commit -m "Update dev flake"
-            
-            # Use shared PR creation script
-            export PR_BRANCH="update-dev-flake"
-            export PR_TITLE="Update dev flake"
-            export PR_BODY="This PR updates the dev flake inputs and corresponding narHash."
-          else
-            echo "No changes detected in dev flake inputs"
-          fi

.github/dependabot.yml

@@ -1,6 +0,0 @@
-version: 2
-updates:
-  - package-ecosystem: "github-actions"
-    directory: "/"
-    schedule:
-      interval: "weekly"

.github/workflows/repo-sync.yml

@@ -1,28 +0,0 @@
-name: Github<->Gitea sync
-on:
-  schedule:
-    - cron: "39 * * * *"
-  workflow_dispatch:
-permissions:
-  contents: write
-jobs:
-  repo-sync:
-    if: github.repository_owner == 'clan-lol'
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          persist-credentials: false
-      - uses: actions/create-github-app-token@v2
-        id: app-token
-        with:
-          app-id: ${{ vars.CI_APP_ID }}
-          private-key: ${{ secrets.CI_PRIVATE_KEY }}
-      - name: repo-sync
-        uses: repo-sync/github-sync@v2
-        env:
-          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
-        with:
-          source_repo: "https://git.clan.lol/clan/clan-core.git"
-          source_branch: "main"
-          destination_branch: "main"

.gitignore

@@ -1,23 +1,17 @@
 .direnv
-.nixos-test-history
-.hypothesis
+***/.hypothesis
 out.log
 .coverage.*
-pkgs/repro-hook
-testdir
+**/qubeclan
+**/testdir
 democlan
 example_clan
 result*
-/pkgs/clan-cli/clan_lib/nixpkgs
+/pkgs/clan-cli/clan_cli/nixpkgs
 /pkgs/clan-cli/clan_cli/webui/assets
+/machines
 nixos.qcow2
-*.glade~
-/docs/out
-/pkgs/clan-cli/clan_lib/select
-.local.env
-
-# macOS stuff
-.DS_Store
+**/*.glade~
 
 # python
 __pycache__
@@ -27,29 +21,3 @@ __pycache__
 .reports
 .ruff_cache
 htmlcov
-
-# node
-node_modules
-dist
-.webui
-
-# TODO: remove after bug in select is fixed
-select
-
-# Generated files
-pkgs/clan-app/ui/api/API.json
-pkgs/clan-app/ui/api/API.ts
-pkgs/clan-app/ui/api/Inventory.ts
-pkgs/clan-app/ui/api/modules_schemas.json
-pkgs/clan-app/ui/api/schema.json
-pkgs/clan-app/ui/.fonts
-
-# To avoid accidentally committing large files
-# Can be added with `git add -f` after reviewing the filesize
-# Large files should be avoided or stored externally i.e. a gitea release
-*.jpg
-*.png
-*.jpeg
-*.gif
-*.mp4
-*.mkv

CODEOWNERS

@@ -1,2 +0,0 @@
-nixosModules/clanCore/vars/.* @lopter
-pkgs/clan-cli/clan_cli/(secrets|vars)/.* @lopter

CONTRIBUTING.md

@@ -1,4 +0,0 @@
-# Contributing to Clan
-
-<!-- Local file: docs/CONTRIBUTING.md -->
-Go to the Contributing guide at https://docs.clan.lol/guides/contributing/CONTRIBUTING

LICENSE.md

@@ -1,19 +0,0 @@
-Copyright 2023-2024 Clan contributors
-
-Permission is hereby granted, free of charge, to any person obtaining a copy of
-this software and associated documentation files (the "Software"), to deal in
-the Software without restriction, including without limitation the rights to
-use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
-the Software, and to permit persons to whom the Software is furnished to do so,
-subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
-FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
-COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-

README.md

@@ -1,45 +1,23 @@
-# Clan core repository
+# cLAN Core Repository
 
-Welcome to the Clan core repository, the heart of the [clan.lol](https://clan.lol/) project! This monorepo is the foundation of Clan, a revolutionary open-source project aimed at restoring fun, freedom, and functionality to computing. Here, you'll find all the essential packages, NixOS modules, CLI tools, and tests needed to contribute to and work with the Clan project. Clan leverages the Nix system to ensure reliability, security, and seamless management of digital environments, putting the power back into the hands of users.
+Welcome to the cLAN Core Repository, the heart of the [clan.lol](https://clan.lol/) project! This monorepo houses all the essential packages, NixOS modules, CLI tools, and tests you need to contribute and work with the cLAN project.
 
-## Why Clan?
+## Getting Started
 
-Our mission is simple: to democratize computing by providing tools that empower users, foster innovation, and challenge outdated paradigms. Clan represents our contribution to a future where technology serves humanity, not the other way around. By participating in Clan, you're joining a movement dedicated to creating a secure, user-empowered digital future.
+If you're new to cLAN and eager to dive in, start with our quickstart guide:
 
-## Features of Clan
+- **Quickstart Guide**: Check out [quickstart.md](docs/quickstart.md) to get up and running with cLAN in no time.
 
-- **Full-Stack System Deployment:** Utilize Clan’s toolkit alongside Nix's reliability to build and manage systems effortlessly.
-- **Overlay Networks:** Secure, private communication channels between devices.
-- **Virtual Machine Integration:** Seamless operation of VM applications within the main operating system.
-- **Robust Backup Management:** Long-term, self-hosted data preservation.
-- **Intuitive Secret Management:** Simplified encryption and password management processes.
+## Managing Secrets
 
-## Getting started with Clan
+Security is paramount, and cLAN provides guidelines for handling secrets effectively:
 
-If you're new to Clan and eager to dive in, start with our quickstart guide and explore the core functionalities that Clan offers:
+- **Secrets Management**: Learn how to manage secrets securely by reading [secrets-management.md](docs/secrets-management.md).
 
-- **Quickstart Guide**: Check out [getting started](https://docs.clan.lol/#starting-with-a-new-clan-project)<!-- [docs/site/index.md](docs/site/index.md) --> to get up and running with Clan in no time.
+## Contributing to cLAN
 
-### Managing secrets
+We welcome contributions from the community, and we've prepared a comprehensive guide to help you get started:
 
-In the Clan ecosystem, security is paramount. Learn how to handle secrets effectively:
-
-- **Secrets Management**: Securely manage secrets by consulting [Vars](https://docs.clan.lol/guides/vars-backend/)<!-- [secrets.md](docs/site/guides/vars-backend.md) -->.
-
-### Contributing to Clan
-
-The Clan project thrives on community contributions. We welcome everyone to contribute and collaborate:
-
-- **Contribution Guidelines**: Make a meaningful impact by following the steps in [contributing](https://docs.clan.lol/contributing/contributing/)<!-- [contributing.md](docs/CONTRIBUTING.md) -->.
-
-## Join the revolution
-
-Clan is more than a tool; it's a movement towards a better digital future. By contributing to the Clan project, you're part of changing technology for the better, together.
-
-### Community and support
-
-Connect with us and the Clan community for support and discussion:
-
-- [Matrix channel](https://matrix.to/#/#clan:clan.lol) for live discussions.
-- IRC bridge on [hackint#clan](https://chat.hackint.org/#/connect?join=clan) for real-time chat support.
+- **Contribution Guidelines**: Find out how to contribute and make a meaningful impact on the cLAN project by reading [contributing.md](docs/contributing.md).
 
+Whether you're a newcomer or a seasoned developer, we look forward to your contributions and collaboration on the cLAN project. Let's build amazing things together!

checks/app-ocr/default.nix

@@ -1,41 +0,0 @@
-{ self, pkgs, ... }:
-{
-  name = "app-ocr-smoke-test";
-
-  enableOCR = true;
-
-  nodes = {
-    wayland =
-      { modulesPath, ... }:
-      {
-        imports = [ (modulesPath + "/../tests/common/wayland-cage.nix") ];
-        services.cage.program = "${self.packages.${pkgs.system}.clan-app}/bin/clan-app";
-        virtualisation.memorySize = 2047;
-        # TODO: get rid of this and fix debus-proxy error instead
-        services.cage.environment.WEBKIT_DISABLE_SANDBOX_THIS_IS_DANGEROUS = "1";
-      };
-    xorg =
-      { pkgs, modulesPath, ... }:
-      {
-        imports = [
-          (modulesPath + "/../tests/common/user-account.nix")
-          (modulesPath + "/../tests/common/x11.nix")
-        ];
-        virtualisation.memorySize = 2047;
-        services.xserver.enable = true;
-        services.xserver.displayManager.sessionCommands = "${
-          self.packages.${pkgs.system}.clan-app
-        }/bin/clan-app";
-        test-support.displayManager.auto.user = "alice";
-      };
-  };
-  testScript = ''
-    start_all()
-
-    wayland.wait_for_unit('graphical.target')
-    xorg.wait_for_unit('graphical.target')
-
-    wayland.wait_for_text('Welcome to Clan')
-    xorg.wait_for_text('Welcome to Clan')
-  '';
-}

checks/backups/flake-module.nix

@@ -1,106 +1,52 @@
 { self, ... }:
-{
-  clan.machines.test-backup = {
-    imports = [ self.nixosModules.test-backup ];
-    fileSystems."/".device = "/dev/null";
-    boot.loader.grub.device = "/dev/null";
-  };
-  clan.inventory.services = {
-    borgbackup.test-backup = {
-      roles.client.machines = [ "test-backup" ];
-      roles.server.machines = [ "test-backup" ];
+let
+  clan = self.lib.buildClan {
+    clanName = "testclan";
+    directory = ../..;
+    machines = {
+      test_backup_client = {
+        imports = [ self.nixosModules.test_backup_client ];
+        fileSystems."/".device = "/dev/null";
+        boot.loader.grub.device = "/dev/null";
+      };
     };
   };
+in
+{
+  flake.nixosConfigurations = { inherit (clan.nixosConfigurations) test_backup_client; };
+  flake.clanInternals.machines = clan.clanInternals.machines;
   flake.nixosModules = {
-    test-backup =
-      {
-        pkgs,
-        lib,
-        ...
-      }:
+    test_backup_server = { ... }: {
+      imports = [
+        self.clanModules.borgbackup
+      ];
+      services.sshd.enable = true;
+      services.borgbackup.repos.testrepo = {
+        authorizedKeys = [
+          (builtins.readFile ../lib/ssh/pubkey)
+        ];
+      };
+    };
+    test_backup_client = { pkgs, lib, config, ... }:
       let
-        dependencies =
-          [
-            pkgs.stdenv.drvPath
-          ]
-          ++ builtins.map (i: i.outPath) (builtins.attrValues (builtins.removeAttrs self.inputs [ "self" ]));
+        dependencies = [
+          self
+          pkgs.stdenv.drvPath
+          clan.clanInternals.machines.x86_64-linux.test_backup_client.config.system.clan.deployment.file
+        ] ++ builtins.map (i: i.outPath) (builtins.attrValues self.inputs);
         closureInfo = pkgs.closureInfo { rootPaths = dependencies; };
       in
       {
         imports = [
-          # Do not import inventory modules. They should be configured via 'clan.inventory'
-          #
-          # TODO: Configure localbackup via inventory
-          self.clanModules.localbackup
+          self.clanModules.borgbackup
+        ];
+        networking.hostName = "client";
+        services.sshd.enable = true;
+        users.users.root.openssh.authorizedKeys.keyFiles = [
+          ../lib/ssh/pubkey
         ];
-        # Borgbackup overrides
-        services.borgbackup.repos.test-backups = {
-          path = "/var/lib/borgbackup/test-backups";
-          authorizedKeys = [ (builtins.readFile ../assets/ssh/pubkey) ];
-        };
-        clan.borgbackup.destinations.test-backup.repo = lib.mkForce "borg@machine:.";
-
-        clan.core.networking.targetHost = "machine";
-        networking.hostName = "machine";
-
-        programs.ssh.knownHosts = {
-          machine.hostNames = [ "machine" ];
-          machine.publicKey = builtins.readFile ../assets/ssh/pubkey;
-        };
-
-        services.openssh = {
-          enable = true;
-          settings.UsePAM = false;
-          settings.UseDns = false;
-          hostKeys = [
-            {
-              path = "/root/.ssh/id_ed25519";
-              type = "ed25519";
-            }
-          ];
-        };
-
-        users.users.root.openssh.authorizedKeys.keyFiles = [ ../assets/ssh/pubkey ];
-
-        # This is needed to unlock the user for sshd
-        # Because we use sshd without setuid binaries
-        users.users.borg.initialPassword = "hello";
-
-        systemd.tmpfiles.settings."vmsecrets" = {
-          "/root/.ssh/id_ed25519" = {
-            C.argument = "${../assets/ssh/privkey}";
-            z = {
-              mode = "0400";
-              user = "root";
-            };
-          };
-          "/etc/secrets/ssh.id_ed25519" = {
-            C.argument = "${../assets/ssh/privkey}";
-            z = {
-              mode = "0400";
-              user = "root";
-            };
-          };
-          "/etc/secrets/borgbackup/borgbackup.ssh" = {
-            C.argument = "${../assets/ssh/privkey}";
-            z = {
-              mode = "0400";
-              user = "root";
-            };
-          };
-          "/etc/secrets/borgbackup/borgbackup.repokey" = {
-            C.argument = builtins.toString (pkgs.writeText "repokey" "repokey12345");
-            z = {
-              mode = "0400";
-              user = "root";
-            };
-          };
-        };
-        clan.core.facts.secretStore = "vm";
-        clan.core.vars.settings.secretStore = "vm";
-
         environment.systemPackages = [ self.packages.${pkgs.system}.clan-cli ];
-        environment.etc.install-closure.source = "${closureInfo}/store-paths";
+        environment.etc."install-closure".source = "${closureInfo}/store-paths";
         nix.settings = {
           substituters = lib.mkForce [ ];
           hashed-mirrors = null;
@@ -108,103 +54,75 @@
           flake-registry = pkgs.writeText "flake-registry" ''{"flakes":[],"version":2}'';
         };
         system.extraDependencies = dependencies;
-        clan.core.state.test-backups.folders = [ "/var/test-backups" ];
-
-        clan.core.state.test-service = {
-          preBackupScript = ''
-            touch /var/test-service/pre-backup-command
-          '';
-          preRestoreScript = ''
-            touch /var/test-service/pre-restore-command
-          '';
-          postRestoreScript = ''
-            touch /var/test-service/post-restore-command
-          '';
-          folders = [ "/var/test-service" ];
-        };
-
-        fileSystems."/mnt/external-disk" = {
-          device = "/dev/vdb"; # created in tests with virtualisation.emptyDisks
-          autoFormat = true;
-          fsType = "ext4";
-          options = [
-            "defaults"
-            "noauto"
-          ];
-        };
-
-        clan.localbackup.targets.hdd = {
-          directory = "/mnt/external-disk";
-          preMountHook = ''
-            touch /run/mount-external-disk
-          '';
-          postUnmountHook = ''
-            touch /run/unmount-external-disk
-          '';
+        clanCore.state.test-backups.folders = [ "/var/test-backups" ];
+        clan.borgbackup = {
+          enable = true;
+          destinations.test_backup_server = {
+            repo = "borg@server:.";
+            rsh = "ssh -i /root/.ssh/id_ed25519 -o StrictHostKeyChecking=no";
+          };
         };
       };
   };
-  perSystem =
-    { pkgs, ... }:
-    let
-      clanCore = self.checks.x86_64-linux.clan-core-for-checks;
-    in
-    {
-      checks = pkgs.lib.mkIf pkgs.stdenv.isLinux {
-        nixos-test-backups = self.clanLib.test.containerTest {
-          name = "nixos-test-backups";
-          nodes.machine = {
-            imports =
-              [
+  perSystem = { nodes, pkgs, ... }: {
+    checks = pkgs.lib.mkIf (pkgs.stdenv.isLinux) {
+      test-backups =
+        (import ../lib/test-base.nix)
+          {
+            name = "test-backups";
+            nodes.server = {
+              imports = [
+                self.nixosModules.test_backup_server
                 self.nixosModules.clanCore
-                # Some custom overrides for the backup tests
-                self.nixosModules.test-backup
-              ]
-              ++
-              # import the inventory generated nixosModules
-              self.clan.clanInternals.inventoryClass.machines.test-backup.machineImports;
-            clan.core.settings.directory = ./.;
-          };
+                {
+                  clanCore.machineName = "server";
+                  clanCore.clanDir = ../..;
+                }
+              ];
+            };
+            nodes.client = {
+              imports = [
+                self.nixosModules.test_backup_client
+                self.nixosModules.clanCore
+                {
+                  clanCore.machineName = "client";
+                  clanCore.clanDir = ../..;
+                }
+              ];
+            };
 
-          testScript = ''
-            import json
-            start_all()
+            testScript = ''
+              import json
+              start_all()
 
-            # dummy data
-            machine.succeed("mkdir -p /var/test-backups /var/test-service")
-            machine.succeed("echo testing > /var/test-backups/somefile")
+              # setup
+              client.succeed("mkdir -m 700 /root/.ssh")
+              client.succeed(
+                  "cat ${../lib/ssh/privkey} > /root/.ssh/id_ed25519"
+              )
+              client.succeed("chmod 600 /root/.ssh/id_ed25519")
+              client.wait_for_unit("sshd", timeout=30)
+              client.succeed("ssh -o StrictHostKeyChecking=accept-new root@client hostname")
 
-            # create
-            machine.succeed("clan backups create --debug --flake ${clanCore} test-backup")
-            machine.wait_until_succeeds("! systemctl is-active borgbackup-job-test-backup >&2")
-            machine.succeed("test -f /run/mount-external-disk")
-            machine.succeed("test -f /run/unmount-external-disk")
+              # dummy data
+              client.succeed("mkdir /var/test-backups")
+              client.succeed("echo testing > /var/test-backups/somefile")
 
-            # list
-            backup_id = json.loads(machine.succeed("borg-job-test-backup list --json"))["archives"][0]["archive"]
-            out = machine.succeed("clan backups list --debug --flake ${clanCore} test-backup").strip()
-            print(out)
-            assert backup_id in out, f"backup {backup_id} not found in {out}"
-            localbackup_id = "hdd::/mnt/external-disk/snapshot.0"
-            assert localbackup_id in out, "localbackup not found in {out}"
+              # create
+              client.succeed("clan --flake ${../..} backups create test_backup_client")
+              client.wait_until_succeeds("! systemctl is-active borgbackup-job-test_backup_server")
 
-            ## borgbackup restore
-            machine.succeed("rm -f /var/test-backups/somefile")
-            machine.succeed(f"clan backups restore --debug --flake ${clanCore} test-backup borgbackup 'test-backup::borg@machine:.::{backup_id}' >&2")
-            assert machine.succeed("cat /var/test-backups/somefile").strip() == "testing", "restore failed"
-            machine.succeed("test -f /var/test-service/pre-restore-command")
-            machine.succeed("test -f /var/test-service/post-restore-command")
-            machine.succeed("test -f /var/test-service/pre-backup-command")
+              # list
+              backup_id = json.loads(client.succeed("borg-job-test_backup_server list --json"))["archives"][0]["archive"]
+              assert(backup_id in client.succeed("clan --flake ${../..} backups list test_backup_client"))
 
-            ## localbackup restore
-            machine.succeed("rm -rf /var/test-backups/somefile /var/test-service/ && mkdir -p /var/test-service")
-            machine.succeed(f"clan backups restore --debug --flake ${clanCore} test-backup localbackup '{localbackup_id}' >&2")
-            assert machine.succeed("cat /var/test-backups/somefile").strip() == "testing", "restore failed"
-            machine.succeed("test -f /var/test-service/pre-restore-command")
-            machine.succeed("test -f /var/test-service/post-restore-command")
-            machine.succeed("test -f /var/test-service/pre-backup-command")
-          '';
-        } { inherit pkgs self; };
-      };
+              # restore
+              client.succeed("rm -f /var/test-backups/somefile")
+              client.succeed(f"clan --flake ${../..} backups restore test_backup_client borgbackup {backup_id}")
+              assert(client.succeed("cat /var/test-backups/somefile").strip() == "testing")
+            '';
+          }
+          { inherit pkgs self; };
     };
+  };
 }

checks/borgbackup-legacy/default.nix

@@ -1,51 +0,0 @@
-(
-  { ... }:
-  {
-    name = "borgbackup";
-
-    nodes.machine =
-      { self, pkgs, ... }:
-      {
-        imports = [
-          self.clanModules.borgbackup
-          self.nixosModules.clanCore
-          {
-            services.openssh.enable = true;
-            services.borgbackup.repos.testrepo = {
-              authorizedKeys = [ (builtins.readFile ../assets/ssh/pubkey) ];
-            };
-          }
-          {
-            clan.core.settings.directory = ./.;
-            clan.core.state.testState.folders = [ "/etc/state" ];
-            environment.etc.state.text = "hello world";
-            systemd.tmpfiles.settings."vmsecrets" = {
-              "/etc/secrets/borgbackup/borgbackup.ssh" = {
-                C.argument = "${../assets/ssh/privkey}";
-                z = {
-                  mode = "0400";
-                  user = "root";
-                };
-              };
-              "/etc/secrets/borgbackup/borgbackup.repokey" = {
-                C.argument = builtins.toString (pkgs.writeText "repokey" "repokey12345");
-                z = {
-                  mode = "0400";
-                  user = "root";
-                };
-              };
-            };
-            # clan.core.facts.secretStore = "vm";
-            clan.core.vars.settings.secretStore = "vm";
-
-            clan.borgbackup.destinations.test.repo = "borg@localhost:.";
-          }
-        ];
-      };
-    testScript = ''
-      start_all()
-      machine.systemctl("start --wait borgbackup-job-test.service")
-      assert "machine-test" in machine.succeed("BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK=yes /run/current-system/sw/bin/borg-job-test list")
-    '';
-  }
-)

checks/borgbackup/default.nix

@@ -1,102 +1,36 @@
-{
-  pkgs,
-  nixosLib,
-  clan-core,
-  ...
-}:
-nixosLib.runTest (
-  { ... }:
-  {
+(import ../lib/container-test.nix) ({ ... }: {
+  name = "borgbackup";
+
+  nodes.machine = { self, ... }: {
     imports = [
-      clan-core.modules.nixosTest.clanTest
-    ];
-
-    hostPkgs = pkgs;
-
-    name = "service-borgbackup";
-
-    clan = {
-      directory = ./.;
-      test.useContainers = true;
-      modules."@clan/borgbackup" = ../../clanServices/borgbackup/default.nix;
-      inventory = {
-
-        machines.clientone = { };
-        machines.serverone = { };
-
-        instances = {
-          borgone = {
-
-            module.name = "@clan/borgbackup";
-            module.input = "self";
-
-            roles.client.machines."clientone" = { };
-            roles.server.machines."serverone".settings.directory = "/tmp/borg-test";
+      self.clanModules.borgbackup
+      self.nixosModules.clanCore
+      {
+        services.openssh.enable = true;
+        services.borgbackup.repos.testrepo = {
+          authorizedKeys = [
+            (builtins.readFile ../lib/ssh/pubkey)
+          ];
+        };
+      }
+      {
+        clanCore.machineName = "machine";
+        clanCore.clanDir = ./.;
+        clanCore.state.testState.folders = [ "/etc/state" ];
+        environment.etc.state.text = "hello world";
+        clan.borgbackup = {
+          enable = true;
+          destinations.test = {
+            repo = "borg@localhost:.";
+            rsh = "ssh -i ${../lib/ssh/privkey} -o StrictHostKeyChecking=no";
           };
         };
-      };
-    };
-
-    nodes = {
-
-      serverone = {
-        services.openssh.enable = true;
-        # Needed so PAM doesn't see the user as locked
-        users.users.borg.password = "borg";
-      };
-
-      clientone =
-        { config, pkgs, ... }:
-        {
-
-          services.openssh.enable = true;
-
-          users.users.root.openssh.authorizedKeys.keyFiles = [ ../assets/ssh/pubkey ];
-
-          clan.core.networking.targetHost = config.networking.hostName;
-
-          environment.systemPackages = [ clan-core.packages.${pkgs.system}.clan-cli ];
-
-          clan.core.state.test-backups.folders = [ "/var/test-backups" ];
-        };
-
-    };
-
-    testScript = ''
-      import json
-      start_all()
-
-      machines = [clientone, serverone]
-
-      for m in machines:
-          m.systemctl("start network-online.target")
-
-      for m in machines:
-          m.wait_for_unit("network-online.target")
-
-      # dummy data
-      clientone.succeed("mkdir -p /var/test-backups /var/test-service")
-      clientone.succeed("echo testing > /var/test-backups/somefile")
-
-      clientone.succeed("${pkgs.coreutils}/bin/install -Dm 600 ${../assets/ssh/privkey} /root/.ssh/id_ed25519")
-      clientone.succeed("${pkgs.coreutils}/bin/touch /root/.ssh/known_hosts")
-      clientone.wait_until_succeeds("timeout 2 ssh -o StrictHostKeyChecking=accept-new localhost hostname")
-      clientone.wait_until_succeeds("timeout 2 ssh -o StrictHostKeyChecking=accept-new $(hostname) hostname")
-
-      # create
-      clientone.succeed("borgbackup-create >&2")
-      clientone.wait_until_succeeds("! systemctl is-active borgbackup-job-serverone >&2")
-
-      # list
-      backup_id = json.loads(clientone.succeed("borg-job-serverone list --json"))["archives"][0]["archive"]
-      out = clientone.succeed("borgbackup-list").strip()
-      print(out)
-      assert backup_id in out, f"backup {backup_id} not found in {out}"
-
-      # borgbackup restore
-      clientone.succeed("rm -f /var/test-backups/somefile")
-      clientone.succeed(f"NAME='serverone::borg@serverone:.::{backup_id}' borgbackup-restore >&2")
-      assert clientone.succeed("cat /var/test-backups/somefile").strip() == "testing", "restore failed"
-    '';
-  }
-)
+      }
+    ];
+  };
+  testScript = ''
+    start_all()
+    machine.systemctl("start --wait borgbackup-job-test.service")
+    assert "machine-test" in machine.succeed("BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK=yes /run/current-system/sw/bin/borg-job-test list")
+  '';
+})

checks/borgbackup/sops/machines/clientone/key.json

@@ -1,6 +0,0 @@
-[
-  {
-    "publickey": "age1tyyx2ratu8s9ugyre36xyksnquth9gxeh7wjdhvsk89rtf8yu5wq0pk04c",
-    "type": "age"
-  }
-]

checks/borgbackup/sops/secrets/clientone-age.key/secret

@@ -1,15 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:wCKoKuJo4uXycfqEUYAXDlRRMGJaWgOFiaQa4Wigs0jx1eCI80lP3cEZ1QKyrU/9m9POoZz0JlaKHcuhziTKUqaevHvGfVq2y00=,iv:pH5a90bJbK9Ro6zndNJ18qd4/rU+Tdm+y+jJZtY7UGg=,tag:9lHZJ9C/zIfy8nFrYt9JBQ==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwUDhpd1ZqbWFqR0I3dVFI\nOHlyZnFUYXJnWElrRWhoUHVNMzdKd0VrcGdRCkphQVhuYzlJV0p1MG9MSW5ncWJ3\nREp1OEJxMzQzS2MxTk9aMkJ1a3B0Q0kKLS0tIENweVJ2Tk1yeXlFc2F5cTNIV3F3\nTkRFOVZ1amRIYmg1K3hGWUFSTTl4Wk0KHJRJ7756Msod7Bsmn9SgtwRo53B8Ilp3\nhsAPv+TtdmOD8He9MvGV+BElKEXCsLUwhp/Py6n6CJCczu0VIr8owg==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-05-20T13:33:56Z",
-		"mac": "ENC[AES256_GCM,data:FyfxXhnI6o4SVGJY2e1eMDnfkbMWiCkP4JL/G4PQvzz+c7OIuz8xaa03P3VW7b7o85NP2Tln4FMNTZ0FYtQwd0kKypLUnIxAHsixAHFCv4X8ul1gtZynzgbFbmc0GkfVWW8Lf+U+vvDwT+UrEVfcmksCjdvAOwP26PvlEhYEkSw=,iv:H+VrWYL+kLOLezCZrI8ZgeCsaUdpb7LxDMiLotezVPs=,tag:B/cbPdiEFumGKQHby5inCA==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.10.2"
-	}
-}

checks/borgbackup/sops/secrets/clientone-age.key/users/admin

@@ -1 +0,0 @@
-../../../users/admin

checks/borgbackup/sops/users/admin/key.json

@@ -1,4 +0,0 @@
-{
-  "publickey": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
-  "type": "age"
-}

checks/borgbackup/vars/per-machine/clientone/borgbackup/borgbackup.repokey/machines/clientone

@@ -1 +0,0 @@
-../../../../../../sops/machines/clientone

checks/borgbackup/vars/per-machine/clientone/borgbackup/borgbackup.repokey/secret

@@ -1,19 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:52vY68gqbwiZRMUBKc9SeXR06fuKAhuAPciLpxXgEOxI,iv:Y34AVoHaZzRiFFTDbekXP1X3W8zSXJmzVCYODYkdxnY=,tag:8WQaGEHQKT/n+auHUZCE0w==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOdUFUZUZ2M00zTGlhNjF4\nL0VlMVY4Z2xMbWRWR29zZlFwdm1XRk12NGtBCnkrb3A4M3BkalMyeWdDaUdQdStt\nUWY3SXJROXdpRzN0NlBJNEpjTEZ0aFkKLS0tIGZkMGhsTXB2RnRqVHVrUFQwL2lw\nZnBreWhWa3Jrcm4yOXBiaUlPWFM1aDAKRE+Zzrja7KeANEJUbmFYuVoO3qGyi4iH\n0cfH0W8irRe9vsKMXz7YJxtByYLwRulrT8tXtElHvIEVJG0mwwaf0Q==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1tyyx2ratu8s9ugyre36xyksnquth9gxeh7wjdhvsk89rtf8yu5wq0pk04c",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsNEljUFdnQ0tTQ1IxZ2Zo\nYkc4V2dCaUk0YXh5SzlSazhsRTVKVzFvVXhFCkRyMlMxR3EyWEZIRzFQV3d2dVpz\na3NPbk9XdWR1NmtMQlZsNlBuU0NkQWMKLS0tIDlDYzMzOExVL1g5SVRHYlpUQlBV\na2lpdTUwaEd4OXhWUWxuV04xRVVKNHcK9coohAD1IoarLOXSGg3MIRXQ3BsTIA4y\nKrcS/PxITKJs7ihg93RZin70R79Qsij1RHZLKGfgGJ67i8ZCxc4N0g==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-05-20T13:33:59Z",
-		"mac": "ENC[AES256_GCM,data:eABMaIe07dwAMMlgrIUUpfpj73q1H5Keafql91MBQ5NN9Znr5lI/ennQsQsuLO8ZTCC34US/MJndliW34SqVM9y53p0jjPzqBxSKYq74iNcBz7+TxbjlY1aapgTRPr6Ta8I/5loohnxlHqjvLL70ZzfbChDN0/4jZsDVXYNfbIk=,iv:41Mz2u40JN0iE5zPUK6siaxo0rTtlk7fGWq7TF5NyUI=,tag:1A+h6XPH7DeQ6kxGDV3PgQ==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.10.2"
-	}
-}

checks/borgbackup/vars/per-machine/clientone/borgbackup/borgbackup.repokey/users/admin

@@ -1 +0,0 @@
-../../../../../../sops/users/admin

checks/borgbackup/vars/per-machine/clientone/borgbackup/borgbackup.ssh.pub/value

@@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE3clYF6BDZ0PxfDdprx7YYM4U4PKEZkWUuhpre0wb7w nixbld@kiwi

checks/borgbackup/vars/per-machine/clientone/borgbackup/borgbackup.ssh/machines/clientone

@@ -1 +0,0 @@
-../../../../../../sops/machines/clientone

checks/borgbackup/vars/per-machine/clientone/borgbackup/borgbackup.ssh/secret

@@ -1,19 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:tAjfBW75XDS8lfJCf/+9rPYH3aMjRX1nmdN5dPMxnrlhuEPM3Smv9AM93Tz36k7BKk31bUWcV/99ax+KaIK1Rzgym/CwKGGxIUziuVOEOwrCOBeOw7amZ9YGsgiLUTLIhoeO6SjfdZ4q2JxGPw7KqNfUM9kiZT01vx5JTLa24JdvBKpizbtHRlL1lappTRVt0dG2WhT9/YhQUGu9ZFqPs8+bPOBclc78qjCm2DAPgsprK+JCBuq+r+qHgAx4Ee1QHI7FC39e5NeGBTBeZfZ5d95+0klKuTx9FCPs6QRBkQ0tN29OpwzkdSuRAXGGHpzPkZ+FupbETtSQWCmnjma6jPzEl8oDUTWooKK0mUEz8icvTQvRfyM3Qt3mQpkX3e0rTEbZzoLdWCwTufP/tRQNDCWvI/NV7OjIHpNPjymqE5uPmiBpA6y6hhCH7zL1eDo11ICSIX3hkyFJH2svvFQn6oLrPAoByvNutfetKhd8z7NFpVeIOWwtuPzO7wU5M7zESHww0JF78vjFwimQYYhQ,iv:fVjeVez4dTGSrANi5ZeP9PJhsSySqeqqJzBDbd0gFW4=,tag:Aa89+bWLljxV1tlSHtpddw==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVaW94M3VwcFJ2elcrRGlv\nUGdzVk9vU2ZweFpIVVlIRUEyRVlSMlEyeHpVCnJuV0xIS3hMLy9IbG92S0pvL2RP\nL0J0WkVuWVhQdldHekdYNTVXdFkrUlEKLS0tIFQzdGErZVBwQUFNMXErbDBQVURZ\naHlsY2hDa1Zud1E2dFh0ZHl4VEJ2S0kKVABqwRcCUTcsBInfo9CpFtoM3kl4KMyU\nGXDjHOSjlX5df7OKZAvYukgX7Q2penvq+Fq4fa4A1Cmkqga7cHdJ+A==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1tyyx2ratu8s9ugyre36xyksnquth9gxeh7wjdhvsk89rtf8yu5wq0pk04c",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnbHRSVEg3Vi9qTnAwWGF6\nbEdIR2gvZ2laZnJMbVF3NjcvN25OdXF3WXowCnVUODdEa1NWU3JISXlrNldOMjVi\ndUlMTVdBaWxvZHlwSTdJY3NCcll4SjAKLS0tIEp6ZVlDTklqVXdNYzJ2dElCR21o\nUWphMDdyVVppVnFHOVlHZTNtajZzOXMKRB61lUrAkUXSYl3ffOOK8k4QgLA4bFln\naQ7GOol8f8W5H68zXBMZrhjP6k4kZDfknc9jgyoWM7jaZNSWC5J19Q==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-05-20T13:33:59Z",
-		"mac": "ENC[AES256_GCM,data:NjVpDweqxTSQGt9VKR/CMfvbvHQJHCi8P7XbOuKLZKQ4GVoeZ5r4PsC6nxKHHikN6YL1oJCmaSxr0mJRk/sFZg/+wdW8L7F5aQeFRiWo9jCjH0MDMnfiu5a0xjRt21uPl/7LUJ9jNon5nyxPTlZMeYSvTP2Q9spnNuN8vqipP68=,iv:DPvbN9IvWiUfxiJk6mey/us8N1GGVJcSJrT8Bty4kB4=,tag:+emK8uSkfIGUXoYpaWeu3A==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.10.2"
-	}
-}

checks/borgbackup/vars/per-machine/clientone/borgbackup/borgbackup.ssh/users/admin

@@ -1 +0,0 @@
-../../../../../../sops/users/admin

checks/clan-core-for-checks.nix

@@ -1,6 +0,0 @@
-{ fetchgit }:
-fetchgit {
-  url = "https://git.clan.lol/clan/clan-core.git";
-  rev = "eea93ea22c9818da67e148ba586277bab9e73cea";
-  sha256 = "sha256-PV0Z+97QuxQbkYSVuNIJwUNXMbHZG/vhsA9M4cDTCOE=";
-}

checks/container/default.nix

@@ -1,44 +1,14 @@
-(
-  { ... }:
-  {
-    name = "container";
+(import ../lib/container-test.nix) ({ ... }: {
+  name = "secrets";
 
-    nodes.machine1 =
-      { ... }:
-      {
-        networking.hostName = "machine1";
-        services.openssh.enable = true;
-        services.openssh.startWhenNeeded = false;
-      };
-
-    nodes.machine2 =
-      { ... }:
-      {
-        networking.hostName = "machine2";
-        services.openssh.enable = true;
-        services.openssh.startWhenNeeded = false;
-      };
-
-    testScript = ''
-      import subprocess
-      start_all()
-      machine1.succeed("systemctl status sshd")
-      machine2.succeed("systemctl status sshd")
-      machine1.wait_for_unit("sshd")
-      machine2.wait_for_unit("sshd")
-
-      p1 = subprocess.run(["ip", "a"], check=False, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
-      assert p1.returncode == 0
-      bridge_output = p1.stdout.decode("utf-8")
-      assert "br0" in bridge_output, f"bridge not found in ip a output: {bridge_output}"
-
-      for m in [machine1, machine2]:
-          out = machine1.succeed("ip addr show eth1")
-          assert "UP" in out, f"UP not found in ip addr show output: {out}"
-          assert "inet" in out, f"inet not found in ip addr show output: {out}"
-          assert "inet6" in out, f"inet6 not found in ip addr show output: {out}"
-
-      machine1.succeed("ping -c 1 machine2")
-    '';
-  }
-)
+  nodes.machine = { ... }: {
+    networking.hostName = "machine";
+    services.openssh.enable = true;
+    services.openssh.startWhenNeeded = false;
+  };
+  testScript = ''
+    start_all()
+    machine.succeed("systemctl status sshd")
+    machine.wait_for_unit("sshd")
+  '';
+})

checks/deltachat/default.nix

@@ -0,0 +1,24 @@
+(import ../lib/container-test.nix) ({ pkgs, ... }: {
+  name = "secrets";
+
+  nodes.machine = { self, ... }: {
+    imports = [
+      self.clanModules.deltachat
+      self.nixosModules.clanCore
+      {
+        clanCore.machineName = "machine";
+        clanCore.clanDir = ./.;
+      }
+    ];
+  };
+  testScript = ''
+    start_all()
+    machine.wait_for_unit("maddy")
+    # imap
+    machine.succeed("${pkgs.netcat}/bin/nc -z -v ::1 143")
+    # smtp submission
+    machine.succeed("${pkgs.netcat}/bin/nc -z -v ::1 587")
+    # smtp
+    machine.succeed("${pkgs.netcat}/bin/nc -z -v ::1 25")
+  '';
+})

checks/devshell/flake-module.nix

@@ -1,22 +0,0 @@
-{ ... }:
-{
-  perSystem =
-    { self', pkgs, ... }:
-    {
-      checks.devshell =
-        pkgs.runCommand "check-devshell-not-depends-on-clan-cli"
-          {
-            exportReferencesGraph = [
-              "graph"
-              self'.devShells.default
-            ];
-          }
-          ''
-            if grep -q "${self'.packages.clan-cli}" ./graph; then
-              echo "devshell depends on clan-cli, which is not allowed";
-              exit 1;
-            fi
-            mkdir $out
-          '';
-    };
-}

checks/dont-depend-on-repo-root.nix

@@ -1,122 +0,0 @@
-{
-  ...
-}:
-{
-  perSystem =
-    {
-      system,
-      pkgs,
-      self',
-      lib,
-      ...
-    }:
-    let
-      clanCore = self'.packages.clan-core-flake;
-      clanCoreHash = lib.substring 0 12 (builtins.hashString "sha256" "${clanCore}");
-      /*
-        construct a flake for the test which contains a single check which depends
-        on all checks of clan-core.
-      */
-      testFlakeFile = pkgs.writeText "flake.nix" ''
-        {
-          inputs.clan-core.url = path:///to/nowhere;
-          outputs = {clan-core, ...}:
-            let
-              checks =
-                builtins.removeAttrs
-                  clan-core.checks.${system}
-                  [
-                    "dont-depend-on-repo-root"
-                    "package-dont-depend-on-repo-root"
-                    "package-clan-core-flake"
-                  ];
-              checksOutPaths = map (x: "''${x}") (builtins.attrValues checks);
-            in
-            {
-              checks.${system}.check = builtins.derivation {
-                name = "all-clan-core-checks";
-                system = "${system}";
-                builder = "/bin/sh";
-                args = ["-c" '''
-                  of outPath in ''${toString checksOutPaths}; do
-                    echo "$outPath" >> $out
-                  done
-                '''];
-              };
-            };
-        }
-      '';
-    in
-    lib.optionalAttrs (system == "x86_64-linux") {
-      packages.dont-depend-on-repo-root =
-        pkgs.runCommand
-          # append repo hash to this tests name to ensure it gets invalidated on each chain
-          # This is needed because this test is an FOD (due to networking) and would get cached indefinitely.
-          "check-dont-depend-on-repo-root-${clanCoreHash}"
-          {
-            buildInputs = [
-              pkgs.nix
-              pkgs.cacert
-              pkgs.nix-diff
-            ];
-            outputHashAlgo = "sha256";
-            outputHash = "sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=";
-          }
-          ''
-            mkdir clanCore testFlake store
-            clanCore=$(realpath clanCore)
-            testFlake=$(realpath testFlake)
-
-            # copy clan core flake and make writable
-            cp -r ${clanCore}/* clanCore/
-            chmod +w -R clanCore\
-
-            # copy test flake and make writable
-            cp ${testFlakeFile} testFlake/flake.nix
-            chmod +w -R testFlake
-
-            # enable flakes
-            export NIX_CONFIG="experimental-features = nix-command flakes"
-
-            # give nix a $HOME
-            export HOME=$(realpath ./store)
-
-            # override clan-core flake input to point to $clanCore\
-            echo "locking clan-core to $clanCore"
-            nix flake lock --override-input clan-core "path://$clanCore" "$testFlake" --store "$HOME"
-
-            # evaluate all tests
-            echo "evaluating all tests for clan core"
-            nix eval "$testFlake"#checks.${system}.check.drvPath --store "$HOME" --raw > drvPath1 &
-
-            # slightly modify clan core
-            cp -r $clanCore clanCore2
-            cp -r $testFlake testFlake2
-            export clanCore2=$(realpath clanCore2)
-            export testFlake2=$(realpath testFlake2)
-            touch clanCore2/fly-fpv
-
-            # re-evaluate all tests
-            echo "locking clan-core to $clanCore2"
-            nix flake lock --override-input clan-core "path://$clanCore2" "$testFlake2" --store "$HOME"
-            echo "evaluating all tests for clan core with added file"
-            nix eval "$testFlake2"#checks.${system}.check.drvPath --store "$HOME" --raw > drvPath2
-
-            # wait for first nix eval to return as well
-            while ! grep -q drv drvPath1; do sleep 1; done
-
-            # raise error if outputs are different
-            if [ "$(cat drvPath1)" != "$(cat drvPath2)" ]; then
-              echo -e "\n\nERROR: Something in clan-core depends on the whole repo" > /dev/stderr
-              echo -e "See details in the nix-diff below which shows the difference between two evaluations:"
-              echo -e "  1. Evaluation of clan-core checks without any changes"
-              echo -e "  1. Evaluation of clan-core checks after adding a file to the top-level of the repo"
-              echo "nix-diff:"
-              export NIX_REMOTE="$HOME"
-              nix-diff $(cat drvPath1) $(cat drvPath2)
-              exit 1
-            fi
-            touch $out
-          '';
-    };
-}

checks/flake-module.nix

@@ -1,176 +1,54 @@
-{
-  self,
-  lib,
-  inputs,
-  ...
-}:
-let
-  inherit (lib)
-    attrNames
-    attrValues
-    elem
-    filter
-    filterAttrs
-    flip
-    genAttrs
-    hasPrefix
-    pathExists
-    ;
-  nixosLib = import (self.inputs.nixpkgs + "/nixos/lib") { };
-in
-{
-  imports = filter pathExists [
-    ./backups/flake-module.nix
-    ../nixosModules/clanCore/machine-id/tests/flake-module.nix
-    ../nixosModules/clanCore/state-version/tests/flake-module.nix
-    ./devshell/flake-module.nix
-    ./flash/flake-module.nix
+{ self, ... }: {
+  imports = [
     ./impure/flake-module.nix
+    ./backups/flake-module.nix
     ./installation/flake-module.nix
-    ./morph/flake-module.nix
-    ./nixos-documentation/flake-module.nix
-    ./dont-depend-on-repo-root.nix
   ];
-  flake.check = genAttrs [ "x86_64-linux" "aarch64-darwin" ] (
-    system:
-    let
-      checks = flip filterAttrs self.checks.${system} (
-        name: _check:
-        !(hasPrefix "nixos-test-" name)
-        && !(hasPrefix "nixos-" name)
-        && !(hasPrefix "darwin-test-" name)
-        && !(hasPrefix "service-" name)
-        && !(hasPrefix "vars-check-" name)
-        && !(hasPrefix "devShell-" name)
-        && !(elem name [
-          "clan-core-for-checks"
-          "clan-deps"
-        ])
-      );
-    in
-    inputs.nixpkgs.legacyPackages.${system}.runCommand "fast-flake-checks-${system}"
-      { passthru.checks = checks; }
-      ''
-        echo "Executed the following checks for ${system}..."
-        echo "  - ${lib.concatStringsSep "\n" (map (n: "  - " + n) (attrNames checks))}"
-        echo ${toString (attrValues checks)} >/dev/null
-        echo "All checks succeeded"
-        touch $out
-      ''
-  );
-  perSystem =
-    {
-      pkgs,
-      lib,
-      self',
-      system,
-      ...
-    }:
-    {
-      checks =
+  perSystem = { pkgs, lib, self', ... }: {
+    checks =
+      let
+        nixosTestArgs = {
+          # reference to nixpkgs for the current system
+          inherit pkgs;
+          # this gives us a reference to our flake but also all flake inputs
+          inherit self;
+        };
+        nixosTests = lib.optionalAttrs (pkgs.stdenv.isLinux) {
+          # import our test
+          secrets = import ./secrets nixosTestArgs;
+          container = import ./container nixosTestArgs;
+          deltachat = import ./deltachat nixosTestArgs;
+          meshnamed = import ./meshnamed nixosTestArgs;
+          zt-tcp-relay = import ./zt-tcp-relay nixosTestArgs;
+          borgbackup = import ./borgbackup nixosTestArgs;
+          syncthing = import ./syncthing nixosTestArgs;
+          wayland-proxy-virtwl = import ./wayland-proxy-virtwl nixosTestArgs;
+        };
+        schemaTests = pkgs.callPackages ./schemas.nix {
+          inherit self;
+        };
+
+        flakeOutputs = lib.mapAttrs' (name: config: lib.nameValuePair "nixos-${name}" config.config.system.build.toplevel) self.nixosConfigurations
+          // lib.mapAttrs' (n: lib.nameValuePair "package-${n}") self'.packages
+          // lib.mapAttrs' (n: lib.nameValuePair "devShell-${n}") self'.devShells
+          // lib.mapAttrs' (name: config: lib.nameValuePair "home-manager-${name}" config.activation-script) (self'.legacyPackages.homeConfigurations or { });
+      in
+      nixosTests // schemaTests // flakeOutputs;
+    legacyPackages = {
+      nixosTests =
         let
           nixosTestArgs = {
             # reference to nixpkgs for the current system
-            inherit pkgs lib nixosLib;
+            inherit pkgs;
             # this gives us a reference to our flake but also all flake inputs
             inherit self;
-            inherit (self) clanLib;
-            clan-core = self;
           };
-          nixosTests = lib.optionalAttrs (pkgs.stdenv.isLinux) {
-
-            # Base Tests
-            nixos-test-secrets = self.clanLib.test.baseTest ./secrets nixosTestArgs;
-            nixos-test-borgbackup-legacy = self.clanLib.test.baseTest ./borgbackup-legacy nixosTestArgs;
-            nixos-test-wayland-proxy-virtwl = self.clanLib.test.baseTest ./wayland-proxy-virtwl nixosTestArgs;
-
-            # Container Tests
-            nixos-test-container = self.clanLib.test.containerTest ./container nixosTestArgs;
-            nixos-test-zt-tcp-relay = self.clanLib.test.containerTest ./zt-tcp-relay nixosTestArgs;
-            nixos-test-matrix-synapse = self.clanLib.test.containerTest ./matrix-synapse nixosTestArgs;
-            nixos-test-postgresql = self.clanLib.test.containerTest ./postgresql nixosTestArgs;
-            nixos-test-user-firewall-iptables = self.clanLib.test.containerTest ./user-firewall/iptables.nix nixosTestArgs;
-            nixos-test-user-firewall-nftables = self.clanLib.test.containerTest ./user-firewall/nftables.nix nixosTestArgs;
-
-            service-dummy-test = import ./service-dummy-test nixosTestArgs;
-            service-dummy-test-from-flake = import ./service-dummy-test-from-flake nixosTestArgs;
-          };
-
-          packagesToBuild = lib.removeAttrs self'.packages [
-            # exclude the check that checks that nothing depends on the repo root
-            # We might want to include this later once everything is fixed
-            "dont-depend-on-repo-root"
-          ];
-
-          flakeOutputs =
-            lib.mapAttrs' (
-              name: config: lib.nameValuePair "nixos-${name}" config.config.system.build.toplevel
-            ) (lib.filterAttrs (n: _: !lib.hasPrefix "test-" n) self.nixosConfigurations)
-            // lib.mapAttrs' (
-              name: config: lib.nameValuePair "darwin-${name}" config.config.system.build.toplevel
-            ) (self.darwinConfigurations or { })
-            // lib.mapAttrs' (n: lib.nameValuePair "package-${n}") packagesToBuild
-            // lib.mapAttrs' (n: lib.nameValuePair "devShell-${n}") self'.devShells
-            // lib.mapAttrs' (name: config: lib.nameValuePair "home-manager-${name}" config.activation-script) (
-              self'.legacyPackages.homeConfigurations or { }
-            );
         in
-        nixosTests
-        // flakeOutputs
-        // {
-          # TODO: Automatically provide this check to downstream users to check their modules
-          clan-modules-json-compatible =
-            let
-              allSchemas = lib.mapAttrs (
-                _n: m:
-                let
-                  schema =
-                    (self.clanLib.evalService {
-                      modules = [ m ];
-                      prefix = [
-                        "checks"
-                        system
-                      ];
-                    }).config.result.api.schema;
-                in
-                schema
-              ) self.clan.modules;
-            in
-            pkgs.runCommand "combined-result"
-              {
-                schemaFile = builtins.toFile "schemas.json" (builtins.toJSON allSchemas);
-              }
-              ''
-                mkdir -p $out
-                cat $schemaFile > $out/allSchemas.json
-              '';
-
-          clan-core-for-checks = pkgs.runCommand "clan-core-for-checks" { } ''
-            cp -r ${pkgs.callPackage ./clan-core-for-checks.nix { }} $out
-            chmod +w $out/flake.lock
-            cp ${../flake.lock} $out/flake.lock
-          '';
+        lib.optionalAttrs (pkgs.stdenv.isLinux) {
+          # import our test
+          secrets = import ./secrets nixosTestArgs;
+          container = import ./container nixosTestArgs;
         };
-      packages = lib.optionalAttrs (pkgs.stdenv.isLinux) {
-        run-vm-test-offline = pkgs.callPackage ../pkgs/run-vm-test-offline { };
-      };
-      legacyPackages = {
-        nixosTests =
-          let
-            nixosTestArgs = {
-              # reference to nixpkgs for the current system
-              inherit pkgs;
-              # this gives us a reference to our flake but also all flake inputs
-              inherit self;
-            };
-          in
-          lib.optionalAttrs (pkgs.stdenv.isLinux) {
-            # import our test
-            nixos-test-secrets = import ./secrets nixosTestArgs;
-            nixos-test-container = import ./container nixosTestArgs;
-            # Clan app tests
-            nixos-test-app-ocr = self.clanLib.test.baseTest ./app-ocr nixosTestArgs;
-          };
-      };
     };
+  };
 }

checks/flash/flake-module.nix

@@ -1,87 +0,0 @@
-{
-  config,
-  self,
-  lib,
-  ...
-}:
-{
-  clan.machines = lib.listToAttrs (
-    lib.map (
-      system:
-      lib.nameValuePair "test-flash-machine-${system}" {
-        clan.core.networking.targetHost = "test-flash-machine";
-        fileSystems."/".device = lib.mkDefault "/dev/vda";
-        boot.loader.grub.device = lib.mkDefault "/dev/vda";
-
-        # We need to use `mkForce` because we inherit from `test-install-machine`
-        # which currently hardcodes `nixpkgs.hostPlatform`
-        nixpkgs.hostPlatform = lib.mkForce system;
-
-        imports = [ self.nixosModules.test-flash-machine ];
-      }
-    ) (lib.filter (lib.hasSuffix "linux") config.systems)
-  );
-
-  flake.nixosModules = {
-    test-flash-machine =
-      { lib, ... }:
-      {
-        imports = [ self.nixosModules.test-install-machine-without-system ];
-
-        clan.core.vars.generators.test = lib.mkForce { };
-
-        disko.devices.disk.main.preCreateHook = lib.mkForce "";
-      };
-  };
-
-  perSystem =
-    {
-      pkgs,
-      lib,
-      ...
-    }:
-    let
-      dependencies = [
-        pkgs.disko
-        pkgs.buildPackages.xorg.lndir
-        self.nixosConfigurations."test-flash-machine-${pkgs.hostPlatform.system}".pkgs.perlPackages.ConfigIniFiles
-        self.nixosConfigurations."test-flash-machine-${pkgs.hostPlatform.system}".pkgs.perlPackages.FileSlurp
-
-        self.nixosConfigurations."test-flash-machine-${pkgs.hostPlatform.system}".config.system.build.toplevel
-        self.nixosConfigurations."test-flash-machine-${pkgs.hostPlatform.system}".config.system.build.diskoScript
-        self.nixosConfigurations."test-flash-machine-${pkgs.hostPlatform.system}".config.system.build.diskoScript.drvPath
-      ] ++ builtins.map (i: i.outPath) (builtins.attrValues self.inputs);
-      closureInfo = pkgs.closureInfo { rootPaths = dependencies; };
-    in
-    {
-      checks = pkgs.lib.mkIf pkgs.stdenv.isLinux {
-        nixos-test-flash = self.clanLib.test.baseTest {
-          name = "flash";
-          nodes.target = {
-            virtualisation.emptyDiskImages = [ 4096 ];
-            virtualisation.memorySize = 4096;
-            environment.systemPackages = [ self.packages.${pkgs.system}.clan-cli ];
-            environment.etc."install-closure".source = "${closureInfo}/store-paths";
-
-            nix.settings = {
-              substituters = lib.mkForce [ ];
-              hashed-mirrors = null;
-              connect-timeout = lib.mkForce 3;
-              flake-registry = pkgs.writeText "flake-registry" ''{"flakes":[],"version":2}'';
-              experimental-features = [
-                "nix-command"
-                "flakes"
-              ];
-            };
-          };
-          testScript = ''
-            start_all()
-
-            # Some distros like to automount disks with spaces
-            machine.succeed('mkdir -p "/mnt/with spaces" && mkfs.ext4 /dev/vdb && mount /dev/vdb "/mnt/with spaces"')
-            machine.succeed("clan flash write --debug --flake ${self.checks.x86_64-linux.clan-core-for-checks} --yes --disk main /dev/vdb test-flash-machine-${pkgs.hostPlatform.system}")
-          '';
-        } { inherit pkgs self; };
-      };
-    };
-}

checks/impure/flake-module.nix

@@ -1,51 +1,18 @@
 {
-  perSystem =
-    {
-      pkgs,
-      lib,
-      self',
-      ...
-    }:
-    {
-      # a script that executes all other checks
-      packages.impure-checks = pkgs.writeShellScriptBin "impure-checks" ''
-        #!${pkgs.bash}/bin/bash
-        set -euo pipefail
+  perSystem = { pkgs, lib, ... }: {
+    # a script that executes all other checks
+    packages.impure-checks = pkgs.writeShellScriptBin "impure-checks" ''
+      #!${pkgs.bash}/bin/bash
+      set -euo pipefail
 
-        unset CLAN_DIR
-
-        export PATH="${
-          lib.makeBinPath (
-            [
-              pkgs.gitMinimal
-              pkgs.nix
-              pkgs.coreutils
-              pkgs.rsync # needed to have rsync installed on the dummy ssh server
-            ]
-            ++ self'.packages.clan-cli-full.runtimeDependencies
-          )
-        }"
-        ROOT=$(git rev-parse --show-toplevel)
-        cd "$ROOT/pkgs/clan-cli"
-
-        # Set up custom git configuration for tests
-        export GIT_CONFIG_GLOBAL=$(mktemp)
-        git config --file "$GIT_CONFIG_GLOBAL" user.name "Test User"
-        git config --file "$GIT_CONFIG_GLOBAL" user.email "test@example.com"
-        export GIT_CONFIG_SYSTEM=/dev/null
-
-        # this disables dynamic dependency loading in clan-cli
-        export CLAN_NO_DYNAMIC_DEPS=1
-
-        jobs=$(nproc)
-        # Spawning worker in pytest is relatively slow, so we limit the number of jobs to 13
-        # (current number of impure tests)
-        jobs="$((jobs > 13 ? 13 : jobs))"
-
-        nix develop "$ROOT#clan-cli" -c bash -c "TMPDIR=/tmp python -m pytest -n $jobs -m impure ./clan_cli $@"
-
-        # Clean up temporary git config
-        rm -f "$GIT_CONFIG_GLOBAL"
-      '';
-    };
+      export PATH="${lib.makeBinPath [
+        pkgs.gitMinimal
+        pkgs.nix
+        pkgs.rsync # needed to have rsync installed on the dummy ssh server
+      ]}"
+      ROOT=$(git rev-parse --show-toplevel)
+      cd "$ROOT/pkgs/clan-cli"
+      nix develop "$ROOT#clan-cli" -c bash -c "TMPDIR=/tmp python -m pytest -s -m impure ./tests $@"
+    '';
+  };
 }

checks/installation/flake-module.nix

@@ -1,345 +1,123 @@
-{
-  self,
-  lib,
-
-  ...
-}:
-{
-
-  # The purpose of this test is to ensure `clan machines install` works
-  # for machines that don't have a hardware config yet.
-
-  # If this test starts failing it could be due to the `facter.json` being out of date
-  # you can get a new one by adding
-  # client.fail("cat test-flake/machines/test-install-machine/facter.json >&2")
-  # to the installation test.
-  clan.machines.test-install-machine-without-system = {
-    fileSystems."/".device = lib.mkDefault "/dev/vda";
-    boot.loader.grub.device = lib.mkDefault "/dev/vda";
-
-    imports = [ self.nixosModules.test-install-machine-without-system ];
-  };
-  clan.machines.test-install-machine-with-system =
-    { pkgs, ... }:
-    {
-      # https://git.clan.lol/clan/test-fixtures
-      facter.reportPath = builtins.fetchurl {
-        url = "https://git.clan.lol/clan/test-fixtures/raw/commit/4a2bc56d886578124b05060d3fb7eddc38c019f8/nixos-vm-facter-json/${pkgs.hostPlatform.system}.json";
-        sha256 =
-          {
-            aarch64-linux = "sha256:1rlfymk03rmfkm2qgrc8l5kj5i20srx79n1y1h4nzlpwaz0j7hh2";
-            x86_64-linux = "sha256:16myh0ll2gdwsiwkjw5ba4dl23ppwbsanxx214863j7nvzx42pws";
-          }
-          .${pkgs.hostPlatform.system};
+{ self, ... }:
+let
+  clan = self.lib.buildClan {
+    clanName = "testclan";
+    directory = ../..;
+    machines = {
+      test_install_machine = {
+        imports = [ self.nixosModules.test_install_machine ];
       };
-
-      fileSystems."/".device = lib.mkDefault "/dev/vda";
-      boot.loader.grub.device = lib.mkDefault "/dev/vda";
-
-      imports = [ self.nixosModules.test-install-machine-without-system ];
     };
+  };
+in
+{
+  flake.nixosConfigurations = { inherit (clan.nixosConfigurations) test_install_machine; };
+  flake.clanInternals.machines = clan.clanInternals.machines;
   flake.nixosModules = {
-    test-install-machine-without-system =
-      { lib, modulesPath, ... }:
-      {
-        imports = [
-          (modulesPath + "/testing/test-instrumentation.nix") # we need these 2 modules always to be able to run the tests
-          (modulesPath + "/profiles/qemu-guest.nix")
-          self.clanLib.test.minifyModule
-        ];
+    test_install_machine = { lib, modulesPath, ... }: {
+      imports = [
+        self.clanModules.diskLayouts
+        (modulesPath + "/testing/test-instrumentation.nix") # we need these 2 modules always to be able to run the tests
+        (modulesPath + "/profiles/qemu-guest.nix")
+      ];
+      fileSystems."/nix/store" = lib.mkForce {
+        device = "nix-store";
+        fsType = "9p";
+        neededForBoot = true;
+        options = [ "trans=virtio" "version=9p2000.L" "cache=loose" ];
+      };
+      clan.diskLayouts.singleDiskExt4.device = "/dev/vdb";
 
-        networking.hostName = "test-install-machine";
+      environment.etc."install-successful".text = "ok";
 
-        environment.etc."install-successful".text = "ok";
-
-        # Enable SSH and add authorized key for testing
-        services.openssh.enable = true;
-        services.openssh.settings.PasswordAuthentication = false;
-        users.users.nonrootuser = {
-          isNormalUser = true;
-          openssh.authorizedKeys.keys = [ (builtins.readFile ../assets/ssh/pubkey) ];
-          extraGroups = [ "wheel" ];
-          home = "/home/nonrootuser";
-          createHome = true;
-        };
-        users.users.root.openssh.authorizedKeys.keys = [ (builtins.readFile ../assets/ssh/pubkey) ];
-        # Allow users to manage their own SSH keys
-        services.openssh.authorizedKeysFiles = [
-          "/root/.ssh/authorized_keys"
-          "/home/%u/.ssh/authorized_keys"
-          "/etc/ssh/authorized_keys.d/%u"
-        ];
-        security.sudo.wheelNeedsPassword = false;
-
-        boot.consoleLogLevel = lib.mkForce 100;
-        boot.kernelParams = [ "boot.shell_on_fail" ];
-
-        # disko config
-        boot.loader.grub.efiSupport = lib.mkDefault true;
-        boot.loader.grub.efiInstallAsRemovable = lib.mkDefault true;
-        clan.core.vars.settings.secretStore = "vm";
-        clan.core.vars.generators.test = {
-          files.test.neededFor = "partitioning";
-          script = ''
-            echo "notok" > "$out"/test
-          '';
-        };
-        disko.devices = {
-          disk = {
-            main = {
-              type = "disk";
-              device = "/dev/vda";
-
-              preCreateHook = ''
-                test -e /run/partitioning-secrets/test/test
-              '';
-
-              content = {
-                type = "gpt";
-                partitions = {
-                  boot = {
-                    size = "1M";
-                    type = "EF02"; # for grub MBR
-                    priority = 1;
-                  };
-                  ESP = {
-                    size = "512M";
-                    type = "EF00";
-                    content = {
-                      type = "filesystem";
-                      format = "vfat";
-                      mountpoint = "/boot";
-                      mountOptions = [ "umask=0077" ];
-                    };
-                  };
-                  root = {
-                    size = "100%";
-                    content = {
-                      type = "filesystem";
-                      format = "ext4";
-                      mountpoint = "/";
-                    };
-                  };
+      boot.consoleLogLevel = lib.mkForce 100;
+      boot.kernelParams = [
+        "boot.shell_on_fail"
+      ];
+    };
+  };
+  perSystem = { nodes, pkgs, lib, ... }:
+    let
+      dependencies = [
+        self
+        pkgs.stdenv.drvPath
+        clan.clanInternals.machines.x86_64-linux.test_install_machine.config.system.build.toplevel
+        clan.clanInternals.machines.x86_64-linux.test_install_machine.config.system.build.diskoScript
+        clan.clanInternals.machines.x86_64-linux.test_install_machine.config.system.clan.deployment.file
+        pkgs.nixos-anywhere
+      ] ++ builtins.map (i: i.outPath) (builtins.attrValues self.inputs);
+      closureInfo = pkgs.closureInfo { rootPaths = dependencies; };
+    in
+    {
+      checks = pkgs.lib.mkIf (pkgs.stdenv.isLinux) {
+        test-installation =
+          (import ../lib/test-base.nix)
+            {
+              name = "test-installation";
+              nodes.target = {
+                services.openssh.enable = true;
+                users.users.root.openssh.authorizedKeys.keyFiles = [
+                  ../lib/ssh/pubkey
+                ];
+                system.nixos.variant_id = "installer";
+                virtualisation.emptyDiskImages = [ 4096 ];
+                nix.settings = {
+                  substituters = lib.mkForce [ ];
+                  hashed-mirrors = null;
+                  connect-timeout = lib.mkForce 3;
+                  flake-registry = pkgs.writeText "flake-registry" ''{"flakes":[],"version":2}'';
+                  experimental-features = [
+                    "nix-command"
+                    "flakes"
+                  ];
                 };
               };
-            };
-          };
-        };
-      };
-  };
+              nodes.client = {
+                environment.systemPackages = [ self.packages.${pkgs.system}.clan-cli ];
+                environment.etc."install-closure".source = "${closureInfo}/store-paths";
+                virtualisation.memorySize = 2048;
+                nix.settings = {
+                  substituters = lib.mkForce [ ];
+                  hashed-mirrors = null;
+                  connect-timeout = lib.mkForce 3;
+                  flake-registry = pkgs.writeText "flake-registry" ''{"flakes":[],"version":2}'';
+                  experimental-features = [
+                    "nix-command"
+                    "flakes"
+                  ];
+                };
+                system.extraDependencies = dependencies;
+              };
 
-  perSystem =
-    {
-      pkgs,
-      ...
-    }:
-    {
-      # On aarch64-linux, hangs on reboot with after installation:
-      # vm-test-run-test-installation-> installer # [  288.002871] reboot: Restarting system
-      # vm-test-run-test-installation-> server # [test-install-machine] ### Done! ###
-      # vm-test-run-test-installation-> server # [test-install-machine] + step 'Done!'
-      # vm-test-run-test-installation-> server # [test-install-machine] + echo '### Done! ###'
-      # vm-test-run-test-installation-> server # [test-install-machine] + rm -rf /tmp/tmp.qb16EAq7hJ
-      # vm-test-run-test-installation-> (finished: must succeed: clan machines install --debug --flake test-flake --yes test-install-machine --target-host root@installer --update-hardware-config nixos-facter >&2, in 154.62 seconds)
-      # vm-test-run-test-installation-> target: starting vm
-      # vm-test-run-test-installation-> target: QEMU running (pid 144)
-      # vm-test-run-test-installation-> target: waiting for unit multi-user.target
-      # vm-test-run-test-installation-> target: waiting for the VM to finish booting
-      # vm-test-run-test-installation-> target: Guest root shell did not produce any data yet...
-      # vm-test-run-test-installation-> target:   To debug, enter the VM and run 'systemctl status backdoor.service'.
-      checks =
-        let
-          # Custom Python package for port management utilities
-          closureInfo = pkgs.closureInfo {
-            rootPaths = [
-              self.checks.x86_64-linux.clan-core-for-checks
-              self.clanInternals.machines.${pkgs.hostPlatform.system}.test-install-machine-with-system.config.system.build.toplevel
-              self.clanInternals.machines.${pkgs.hostPlatform.system}.test-install-machine-with-system.config.system.build.initialRamdisk
-              self.clanInternals.machines.${pkgs.hostPlatform.system}.test-install-machine-with-system.config.system.build.diskoScript
-              pkgs.stdenv.drvPath
-              pkgs.bash.drvPath
-              pkgs.buildPackages.xorg.lndir
-            ] ++ builtins.map (i: i.outPath) (builtins.attrValues self.inputs);
-          };
-        in
-        pkgs.lib.mkIf (pkgs.stdenv.isLinux && !pkgs.stdenv.isAarch64) {
-          nixos-test-installation = self.clanLib.test.baseTest {
-            name = "installation";
-            nodes.target = (import ./test-helpers.nix { inherit lib pkgs self; }).target;
-            extraPythonPackages = _p: [
-              self.legacyPackages.${pkgs.system}.nixosTestLib
-            ];
+              testScript = ''
+                def create_test_machine(oldmachine=None, args={}): # taken from <nixpkgs/nixos/tests/installer.nix>
+                    machine = create_machine({
+                      "qemuFlags":
+                        '-cpu max -m 1024 -virtfs local,path=/nix/store,security_model=none,mount_tag=nix-store,'
+                        f' -drive file={oldmachine.state_dir}/empty0.qcow2,id=drive1,if=none,index=1,werror=report'
+                        f' -device virtio-blk-pci,drive=drive1',
+                    } | args)
+                    driver.machines.append(machine)
+                    return machine
 
-            testScript = ''
-              import tempfile
-              import os
-              import subprocess
-              from nixos_test_lib.ssh import setup_ssh_connection # type: ignore[import-untyped]
-              from nixos_test_lib.nix_setup import prepare_test_flake # type: ignore[import-untyped]
 
-              def create_test_machine(oldmachine, qemu_test_bin: str, **kwargs):
-                  """Create a new test machine from an installed disk image"""
-                  start_command = [
-                      f"{qemu_test_bin}/bin/qemu-kvm",
-                      "-cpu",
-                      "max",
-                      "-m",
-                      "3048",
-                      "-virtfs",
-                      "local,path=/nix/store,security_model=none,mount_tag=nix-store",
-                      "-drive",
-                      f"file={oldmachine.state_dir}/target.qcow2,id=drive1,if=none,index=1,werror=report",
-                      "-device",
-                      "virtio-blk-pci,drive=drive1",
-                      "-netdev",
-                      "user,id=net0",
-                      "-device",
-                      "virtio-net-pci,netdev=net0",
-                  ]
-                  machine = create_machine(start_command=" ".join(start_command), **kwargs)
-                  driver.machines.append(machine)
-                  return machine
+                start_all()
 
-              target.start()
+                client.succeed("${pkgs.coreutils}/bin/install -Dm 600 ${../lib/ssh/privkey} /root/.ssh/id_ed25519")
+                client.wait_until_succeeds("ssh -o StrictHostKeyChecking=accept-new -v root@target hostname")
 
-              # Set up test environment
-              with tempfile.TemporaryDirectory() as temp_dir:
-                  # Prepare test flake and Nix store
-                  flake_dir = prepare_test_flake(
-                      temp_dir,
-                      "${self.checks.x86_64-linux.clan-core-for-checks}",
-                      "${closureInfo}"
-                  )
-
-                  # Set up SSH connection
-                  ssh_conn = setup_ssh_connection(
-                      target,
-                      temp_dir,
-                      "${../assets/ssh/privkey}"
-                  )
-
-                  # Run clan install from host using port forwarding
-                  clan_cmd = [
-                      "${self.packages.${pkgs.system}.clan-cli-full}/bin/clan",
-                      "machines",
-                      "install",
-                      "--phases", "disko,install",
-                      "--debug",
-                      "--flake", flake_dir,
-                      "--yes", "test-install-machine-without-system",
-                      "--target-host", f"nonrootuser@localhost:{ssh_conn.host_port}",
-                      "-i", ssh_conn.ssh_key,
-                      "--option", "store", os.environ['CLAN_TEST_STORE'],
-                      "--update-hardware-config", "nixos-facter",
-                  ]
-
-                  subprocess.run(clan_cmd, check=True)
-
-              # Shutdown the installer machine gracefully
-              try:
+                client.succeed("clan --flake ${../..} machines install test_install_machine root@target >&2")
+                try:
                   target.shutdown()
-              except BrokenPipeError:
+                except BrokenPipeError:
                   # qemu has already exited
                   pass
 
-              # Create a new machine instance that boots from the installed system
-              installed_machine = create_test_machine(target, "${pkgs.qemu_test}", name="after_install")
-              installed_machine.start()
-              installed_machine.wait_for_unit("multi-user.target")
-              installed_machine.succeed("test -f /etc/install-successful")
-            '';
-          } { inherit pkgs self; };
-
-          nixos-test-update-hardware-configuration = self.clanLib.test.baseTest {
-            name = "update-hardware-configuration";
-            nodes.target = (import ./test-helpers.nix { inherit lib pkgs self; }).target;
-            extraPythonPackages = _p: [
-              self.legacyPackages.${pkgs.system}.nixosTestLib
-            ];
-
-            testScript = ''
-              import tempfile
-              import os
-              import subprocess
-              from nixos_test_lib.ssh import setup_ssh_connection # type: ignore[import-untyped]
-              from nixos_test_lib.nix_setup import prepare_test_flake # type: ignore[import-untyped]
-
-              target.start()
-
-              # Set up test environment
-              with tempfile.TemporaryDirectory() as temp_dir:
-                  # Prepare test flake and Nix store
-                  flake_dir = prepare_test_flake(
-                      temp_dir,
-                      "${self.checks.x86_64-linux.clan-core-for-checks}",
-                      "${closureInfo}"
-                  )
-                  
-                  # Set up SSH connection
-                  ssh_conn = setup_ssh_connection(
-                      target,
-                      temp_dir,
-                      "${../assets/ssh/privkey}"
-                  )
-
-                  # Verify files don't exist initially
-                  hw_config_file = os.path.join(flake_dir, "machines/test-install-machine/hardware-configuration.nix")
-                  facter_file = os.path.join(flake_dir, "machines/test-install-machine/facter.json")
-
-                  assert not os.path.exists(hw_config_file), "hardware-configuration.nix should not exist initially"
-                  assert not os.path.exists(facter_file), "facter.json should not exist initially"
-
-                  # Set CLAN_FLAKE for the commands
-                  os.environ["CLAN_FLAKE"] = flake_dir
-
-                  # Test facter backend
-                  clan_cmd = [
-                      "${self.packages.${pkgs.system}.clan-cli-full}/bin/clan",
-                      "machines",
-                      "update-hardware-config",
-                      "--debug",
-                      "--flake", ".",
-                      "--host-key-check", "none",
-                      "test-install-machine-without-system",
-                      "-i", ssh_conn.ssh_key,
-                      "--option", "store", os.environ['CLAN_TEST_STORE'],
-                      f"nonrootuser@localhost:{ssh_conn.host_port}"
-                  ]
-
-                  result = subprocess.run(clan_cmd, capture_output=True, cwd=flake_dir)
-                  if result.returncode != 0:
-                      print(f"Clan update-hardware-config failed: {result.stderr.decode()}")
-                      raise Exception(f"Clan update-hardware-config failed with return code {result.returncode}")
-
-                  facter_without_system_file = os.path.join(flake_dir, "machines/test-install-machine-without-system/facter.json")
-                  assert os.path.exists(facter_without_system_file), "facter.json should exist after update"
-                  os.remove(facter_without_system_file)
-
-                  # Test nixos-generate-config backend
-                  clan_cmd = [
-                      "${self.packages.${pkgs.system}.clan-cli-full}/bin/clan",
-                      "machines",
-                      "update-hardware-config",
-                      "--debug",
-                      "--backend", "nixos-generate-config",
-                      "--host-key-check", "none",
-                      "--flake", ".",
-                      "test-install-machine-without-system",
-                      "-i", ssh_conn.ssh_key,
-                      "--option", "store", os.environ['CLAN_TEST_STORE'],
-                      f"nonrootuser@localhost:{ssh_conn.host_port}"
-                  ]
-
-                  result = subprocess.run(clan_cmd, capture_output=True, cwd=flake_dir)
-                  if result.returncode != 0:
-                      print(f"Clan update-hardware-config (nixos-generate-config) failed: {result.stderr.decode()}")
-                      raise Exception(f"Clan update-hardware-config failed with return code {result.returncode}")
-
-                  hw_config_without_system_file = os.path.join(flake_dir, "machines/test-install-machine-without-system/hardware-configuration.nix")
-                  assert os.path.exists(hw_config_without_system_file), "hardware-configuration.nix should exist after update"
-            '';
-          } { inherit pkgs self; };
-
-        };
+                new_machine = create_test_machine(oldmachine=target, args={ "name": "new_machine" })
+                assert(new_machine.succeed("cat /etc/install-successful").strip() == "ok")
+              '';
+            }
+            { inherit pkgs self; };
+      };
     };
 }

checks/installation/pyproject.toml

@@ -1,44 +0,0 @@
-[build-system]
-requires = ["setuptools", "wheel"]
-build-backend = "setuptools.build_meta"
-
-[project]
-name = "nixos-test-lib"
-version = "1.0.0"
-description = "NixOS test utilities for clan VM testing"
-authors = [
-    {name = "Clan Core Team"}
-]
-dependencies = []
-
-[project.optional-dependencies]
-dev = [
-    "mypy",
-    "ruff"
-]
-
-[tool.setuptools.packages.find]
-where = ["."]
-include = ["nixos_test_lib*"]
-
-[tool.setuptools.package-data]
-"nixos_test_lib" = ["py.typed"]
-
-[tool.mypy]
-python_version = "3.12"
-strict = true
-warn_return_any = true
-warn_unused_configs = true
-
-[tool.ruff]
-target-version = "py312"
-line-length = 88
-
-[tool.ruff.lint]
-select = ["ALL"]
-ignore = [
-    "D", # docstrings
-    "ANN", # type annotations  
-    "COM812", # trailing comma
-    "ISC001", # string concatenation
-]

checks/installation/test-helpers.nix

@@ -1,173 +0,0 @@
-{
-  lib,
-  pkgs,
-  self,
-  ...
-}:
-let
-  # Common target VM configuration used by both installation and update tests
-  target =
-    { modulesPath, pkgs, ... }:
-    {
-      imports = [
-        (modulesPath + "/../tests/common/auto-format-root-device.nix")
-      ];
-      networking.useNetworkd = true;
-      services.openssh.enable = true;
-      services.openssh.settings.UseDns = false;
-      services.openssh.settings.PasswordAuthentication = false;
-      system.nixos.variant_id = "installer";
-      environment.systemPackages = [
-        pkgs.nixos-facter
-      ];
-      # Disable cache.nixos.org to speed up tests
-      nix.settings.substituters = [ ];
-      nix.settings.trusted-public-keys = [ ];
-      virtualisation.emptyDiskImages = [ 512 ];
-      virtualisation.diskSize = 8 * 1024;
-      virtualisation.rootDevice = "/dev/vdb";
-      # both installer and target need to use the same diskImage
-      virtualisation.diskImage = "./target.qcow2";
-      virtualisation.memorySize = 3048;
-      users.users.nonrootuser = {
-        isNormalUser = true;
-        openssh.authorizedKeys.keys = [ (builtins.readFile ../assets/ssh/pubkey) ];
-        extraGroups = [ "wheel" ];
-      };
-      users.users.root.openssh.authorizedKeys.keys = [ (builtins.readFile ../assets/ssh/pubkey) ];
-      # Allow users to manage their own SSH keys
-      services.openssh.authorizedKeysFiles = [
-        "/root/.ssh/authorized_keys"
-        "/home/%u/.ssh/authorized_keys"
-        "/etc/ssh/authorized_keys.d/%u"
-      ];
-      security.sudo.wheelNeedsPassword = false;
-    };
-
-  # Common base test machine configuration
-  baseTestMachine =
-    { lib, modulesPath, ... }:
-    {
-      imports = [
-        (modulesPath + "/testing/test-instrumentation.nix")
-        (modulesPath + "/profiles/qemu-guest.nix")
-        self.clanLib.test.minifyModule
-      ];
-
-      # Enable SSH and add authorized key for testing
-      services.openssh.enable = true;
-      services.openssh.settings.PasswordAuthentication = false;
-      users.users.nonrootuser = {
-        isNormalUser = true;
-        openssh.authorizedKeys.keys = [ (builtins.readFile ../assets/ssh/pubkey) ];
-        extraGroups = [ "wheel" ];
-        home = "/home/nonrootuser";
-        createHome = true;
-      };
-      users.users.root.openssh.authorizedKeys.keys = [ (builtins.readFile ../assets/ssh/pubkey) ];
-      # Allow users to manage their own SSH keys
-      services.openssh.authorizedKeysFiles = [
-        "/root/.ssh/authorized_keys"
-        "/home/%u/.ssh/authorized_keys"
-        "/etc/ssh/authorized_keys.d/%u"
-      ];
-      security.sudo.wheelNeedsPassword = false;
-
-      boot.consoleLogLevel = lib.mkForce 100;
-      boot.kernelParams = [ "boot.shell_on_fail" ];
-
-      # disko config
-      boot.loader.grub.efiSupport = lib.mkDefault true;
-      boot.loader.grub.efiInstallAsRemovable = lib.mkDefault true;
-      clan.core.vars.settings.secretStore = "vm";
-      clan.core.vars.generators.test = {
-        files.test.neededFor = "partitioning";
-        script = ''
-          echo "notok" > "$out"/test
-        '';
-      };
-      disko.devices = {
-        disk = {
-          main = {
-            type = "disk";
-            device = "/dev/vda";
-
-            preCreateHook = ''
-              test -e /run/partitioning-secrets/test/test
-            '';
-
-            content = {
-              type = "gpt";
-              partitions = {
-                boot = {
-                  size = "1M";
-                  type = "EF02"; # for grub MBR
-                  priority = 1;
-                };
-                ESP = {
-                  size = "512M";
-                  type = "EF00";
-                  content = {
-                    type = "filesystem";
-                    format = "vfat";
-                    mountpoint = "/boot";
-                    mountOptions = [ "umask=0077" ];
-                  };
-                };
-                root = {
-                  size = "100%";
-                  content = {
-                    type = "filesystem";
-                    format = "ext4";
-                    mountpoint = "/";
-                  };
-                };
-              };
-            };
-          };
-        };
-      };
-    };
-
-  # NixOS test library combining port utils and clan VM test utilities
-  nixosTestLib = pkgs.python3Packages.buildPythonPackage {
-    pname = "nixos-test-lib";
-    version = "1.0.0";
-    format = "pyproject";
-    src = lib.fileset.toSource {
-      root = ./.;
-      fileset = lib.fileset.unions [
-        ./pyproject.toml
-        ./nixos_test_lib
-      ];
-    };
-    nativeBuildInputs = with pkgs.python3Packages; [
-      setuptools
-      wheel
-    ];
-    doCheck = false;
-  };
-
-  # Common closure info
-  closureInfo = pkgs.closureInfo {
-    rootPaths = [
-      self.checks.x86_64-linux.clan-core-for-checks
-      self.clanInternals.machines.${pkgs.hostPlatform.system}.test-install-machine-with-system.config.system.build.toplevel
-      self.clanInternals.machines.${pkgs.hostPlatform.system}.test-install-machine-with-system.config.system.build.initialRamdisk
-      self.clanInternals.machines.${pkgs.hostPlatform.system}.test-install-machine-with-system.config.system.build.diskoScript
-      self.clanInternals.machines.${pkgs.hostPlatform.system}.test-install-machine-with-system.config.system.clan.deployment.file
-      pkgs.stdenv.drvPath
-      pkgs.bash.drvPath
-      pkgs.buildPackages.xorg.lndir
-    ] ++ builtins.map (i: i.outPath) (builtins.attrValues self.inputs);
-  };
-
-in
-{
-  inherit
-    target
-    baseTestMachine
-    nixosTestLib
-    closureInfo
-    ;
-}

checks/lib/container-driver/module.nix

@@ -0,0 +1,88 @@
+{ hostPkgs, lib, config, ... }:
+let
+  testDriver = hostPkgs.python3.pkgs.callPackage ./package.nix {
+    inherit (config) extraPythonPackages;
+    inherit (hostPkgs.pkgs) util-linux systemd;
+  };
+  containers = map (m: m.system.build.toplevel) (lib.attrValues config.nodes);
+  pythonizeName = name:
+    let
+      head = lib.substring 0 1 name;
+      tail = lib.substring 1 (-1) name;
+    in
+    (if builtins.match "[A-z_]" head == null then "_" else head) +
+    lib.stringAsChars (c: if builtins.match "[A-z0-9_]" c == null then "_" else c) tail;
+  nodeHostNames =
+    let
+      nodesList = map (c: c.system.name) (lib.attrValues config.nodes);
+    in
+    nodesList ++ lib.optional (lib.length nodesList == 1 && !lib.elem "machine" nodesList) "machine";
+  machineNames = map (name: "${name}: Machine;") pythonizedNames;
+  pythonizedNames = map pythonizeName nodeHostNames;
+in
+{
+  driver = lib.mkForce (hostPkgs.runCommand "nixos-test-driver-${config.name}"
+    {
+      nativeBuildInputs = [
+        hostPkgs.makeWrapper
+      ] ++ lib.optionals (!config.skipTypeCheck) [ hostPkgs.mypy ];
+      buildInputs = [ testDriver ];
+      testScript = config.testScriptString;
+      preferLocalBuild = true;
+      passthru = config.passthru;
+      meta = config.meta // {
+        mainProgram = "nixos-test-driver";
+      };
+    }
+    ''
+      mkdir -p $out/bin
+
+      containers=(${toString containers})
+
+      ${lib.optionalString (!config.skipTypeCheck) ''
+        # prepend type hints so the test script can be type checked with mypy
+        cat "${./test-script-prepend.py}" >> testScriptWithTypes
+        echo "${builtins.toString machineNames}" >> testScriptWithTypes
+        echo -n "$testScript" >> testScriptWithTypes
+
+        echo "Running type check (enable/disable: config.skipTypeCheck)"
+        echo "See https://nixos.org/manual/nixos/stable/#test-opt-skipTypeCheck"
+
+        mypy  --no-implicit-optional \
+              --pretty \
+              --no-color-output \
+              testScriptWithTypes
+      ''}
+
+      echo -n "$testScript" >> $out/test-script
+
+      ln -s ${testDriver}/bin/nixos-test-driver $out/bin/nixos-test-driver
+
+      wrapProgram $out/bin/nixos-test-driver \
+        ${lib.concatStringsSep " " (map (name: "--add-flags '--container ${name}'") containers)} \
+        --add-flags "--test-script '$out/test-script'"
+    '');
+
+  test = lib.mkForce (lib.lazyDerivation {
+    # lazyDerivation improves performance when only passthru items and/or meta are used.
+    derivation = hostPkgs.stdenv.mkDerivation {
+      name = "vm-test-run-${config.name}";
+
+      requiredSystemFeatures = [ "uid-range" ];
+
+      buildCommand = ''
+        mkdir -p $out
+
+        # effectively mute the XMLLogger
+        export LOGFILE=/dev/null
+
+        ${config.driver}/bin/nixos-test-driver -o $out
+      '';
+
+      passthru = config.passthru;
+
+      meta = config.meta;
+    };
+    inherit (config) passthru meta;
+  });
+}

checks/lib/container-driver/package.nix

@@ -0,0 +1,9 @@
+{ extraPythonPackages, python3Packages, buildPythonApplication, setuptools, util-linux, systemd }:
+buildPythonApplication {
+  pname = "test-driver";
+  version = "0.0.1";
+  propagatedBuildInputs = [ util-linux systemd ] ++ extraPythonPackages python3Packages;
+  nativeBuildInputs = [ setuptools ];
+  format = "pyproject";
+  src = ./.;
+}

checks/lib/container-driver/pyproject.toml

@@ -14,8 +14,16 @@ find = {}
 
 [tool.setuptools.package-data]
 test_driver = ["py.typed"]
+
+[tool.ruff]
+target-version = "py311"
+line-length = 88
+
+select = [ "E", "F", "I", "U", "N", "RUF", "ANN", "A" ]
+ignore = ["E501", "ANN101", "ANN401", "A003"]
+
 [tool.mypy]
-python_version = "3.13"
+python_version = "3.11"
 warn_redundant_casts = true
 disallow_untyped_calls = true
 disallow_untyped_defs = true

checks/lib/container-driver/test_driver/__init__.py

@@ -0,0 +1,354 @@
+import argparse
+import os
+import re
+import subprocess
+import time
+from collections.abc import Callable
+from pathlib import Path
+from tempfile import TemporaryDirectory
+from typing import Any
+
+
+def prepare_machine_root(machinename: str, root: Path) -> None:
+    root.mkdir(parents=True, exist_ok=True)
+    root.joinpath("etc").mkdir(parents=True, exist_ok=True)
+    root.joinpath(".env").write_text(
+        "\n".join(f"{k}={v}" for k, v in os.environ.items())
+    )
+
+
+def pythonize_name(name: str) -> str:
+    return re.sub(r"^[^A-z_]|[^A-z0-9_]", "_", name)
+
+
+def retry(fn: Callable, timeout: int = 900) -> None:
+    """Call the given function repeatedly, with 1 second intervals,
+    until it returns True or a timeout is reached.
+    """
+
+    for _ in range(timeout):
+        if fn(False):
+            return
+        time.sleep(1)
+
+    if not fn(True):
+        raise Exception(f"action timed out after {timeout} seconds")
+
+
+class Machine:
+    def __init__(self, name: str, toplevel: Path, rootdir: Path, out_dir: str) -> None:
+        self.name = name
+        self.toplevel = toplevel
+        self.out_dir = out_dir
+        self.process: subprocess.Popen | None = None
+        self.rootdir: Path = rootdir
+
+    def start(self) -> None:
+        prepare_machine_root(self.name, self.rootdir)
+        cmd = [
+            "systemd-nspawn",
+            "--keep-unit",
+            "-M",
+            self.name,
+            "-D",
+            self.rootdir,
+            "--register=no",
+            "--resolv-conf=off",
+            "--bind-ro=/nix/store",
+            "--bind",
+            self.out_dir,
+            "--bind=/proc:/run/host/proc",
+            "--bind=/sys:/run/host/sys",
+            "--private-network",
+            self.toplevel.joinpath("init"),
+        ]
+        env = os.environ.copy()
+        env["SYSTEMD_NSPAWN_UNIFIED_HIERARCHY"] = "1"
+        self.process = subprocess.Popen(cmd, stdout=subprocess.PIPE, text=True, env=env)
+        self.container_pid = self.get_systemd_process()
+
+    def get_systemd_process(self) -> int:
+        assert self.process is not None, "Machine not started"
+        assert self.process.stdout is not None, "Machine has no stdout"
+        for line in self.process.stdout:
+            print(line, end="")
+            if line.startswith("systemd[1]: Startup finished in"):
+                break
+        else:
+            raise RuntimeError(f"Failed to start container {self.name}")
+        childs = (
+            Path(f"/proc/{self.process.pid}/task/{self.process.pid}/children")
+            .read_text()
+            .split()
+        )
+        assert (
+            len(childs) == 1
+        ), f"Expected exactly one child process for systemd-nspawn, got {childs}"
+        try:
+            return int(childs[0])
+        except ValueError:
+            raise RuntimeError(f"Failed to parse child process id {childs[0]}")
+
+    def get_unit_info(self, unit: str) -> dict[str, str]:
+        proc = self.systemctl(f'--no-pager show "{unit}"')
+        if proc.returncode != 0:
+            raise Exception(
+                f'retrieving systemctl info for unit "{unit}"'
+                + f" failed with exit code {proc.returncode}"
+            )
+
+        line_pattern = re.compile(r"^([^=]+)=(.*)$")
+
+        def tuple_from_line(line: str) -> tuple[str, str]:
+            match = line_pattern.match(line)
+            assert match is not None
+            return match[1], match[2]
+
+        return dict(
+            tuple_from_line(line)
+            for line in proc.stdout.split("\n")
+            if line_pattern.match(line)
+        )
+
+    def execute(
+        self,
+        command: str,
+        check_return: bool = True,
+        check_output: bool = True,
+        timeout: int | None = 900,
+    ) -> subprocess.CompletedProcess:
+        """
+        Execute a shell command, returning a list `(status, stdout)`.
+
+        Commands are run with `set -euo pipefail` set:
+
+        -   If several commands are separated by `;` and one fails, the
+            command as a whole will fail.
+
+        -   For pipelines, the last non-zero exit status will be returned
+            (if there is one; otherwise zero will be returned).
+
+        -   Dereferencing unset variables fails the command.
+
+        -   It will wait for stdout to be closed.
+
+        If the command detaches, it must close stdout, as `execute` will wait
+        for this to consume all output reliably. This can be achieved by
+        redirecting stdout to stderr `>&2`, to `/dev/console`, `/dev/null` or
+        a file. Examples of detaching commands are `sleep 365d &`, where the
+        shell forks a new process that can write to stdout and `xclip -i`, where
+        the `xclip` command itself forks without closing stdout.
+
+        Takes an optional parameter `check_return` that defaults to `True`.
+        Setting this parameter to `False` will not check for the return code
+        and return -1 instead. This can be used for commands that shut down
+        the VM and would therefore break the pipe that would be used for
+        retrieving the return code.
+
+        A timeout for the command can be specified (in seconds) using the optional
+        `timeout` parameter, e.g., `execute(cmd, timeout=10)` or
+        `execute(cmd, timeout=None)`. The default is 900 seconds.
+        """
+
+        # Always run command with shell opts
+        command = f"set -euo pipefail; {command}"
+
+        proc = subprocess.run(
+            [
+                "nsenter",
+                "--target",
+                str(self.container_pid),
+                "--mount",
+                "--uts",
+                "--ipc",
+                "--net",
+                "--pid",
+                "--cgroup",
+                "/bin/sh",
+                "-c",
+                command,
+            ],
+            timeout=timeout,
+            check=False,
+            stdout=subprocess.PIPE,
+            text=True,
+        )
+        return proc
+
+    def systemctl(self, q: str) -> subprocess.CompletedProcess:
+        """
+        Runs `systemctl` commands with optional support for
+        `systemctl --user`
+
+        ```py
+        # run `systemctl list-jobs --no-pager`
+        machine.systemctl("list-jobs --no-pager")
+
+        # spawn a shell for `any-user` and run
+        # `systemctl --user list-jobs --no-pager`
+        machine.systemctl("list-jobs --no-pager", "any-user")
+        ```
+        """
+        return self.execute(f"systemctl {q}")
+
+    def wait_for_unit(self, unit: str, timeout: int = 900) -> None:
+        """
+        Wait for a systemd unit to get into "active" state.
+        Throws exceptions on "failed" and "inactive" states as well as after
+        timing out.
+        """
+
+        def check_active(_: bool) -> bool:
+            info = self.get_unit_info(unit)
+            state = info["ActiveState"]
+            if state == "failed":
+                raise Exception(f'unit "{unit}" reached state "{state}"')
+
+            if state == "inactive":
+                proc = self.systemctl("list-jobs --full 2>&1")
+                if "No jobs" in proc.stdout:
+                    info = self.get_unit_info(unit)
+                    if info["ActiveState"] == state:
+                        raise Exception(
+                            f'unit "{unit}" is inactive and there are no pending jobs'
+                        )
+
+            return state == "active"
+
+        retry(check_active, timeout)
+
+    def succeed(self, command: str, timeout: int | None = None) -> str:
+        res = self.execute(command, timeout=timeout)
+        if res.returncode != 0:
+            raise RuntimeError(f"Failed to run command {command}")
+        return res.stdout
+
+    def shutdown(self) -> None:
+        """
+        Shut down the machine, waiting for the VM to exit.
+        """
+        if self.process:
+            self.process.terminate()
+            self.process.wait()
+            self.process = None
+
+    def release(self) -> None:
+        self.shutdown()
+
+
+def setup_filesystems() -> None:
+    # We don't care about cleaning up the mount points, since we're running in a nix sandbox.
+    Path("/run").mkdir(parents=True, exist_ok=True)
+    subprocess.run(["mount", "-t", "tmpfs", "none", "/run"], check=True)
+    subprocess.run(["mount", "-t", "cgroup2", "none", "/sys/fs/cgroup"], check=True)
+    Path("/etc").chmod(0o755)
+    Path("/etc/os-release").touch()
+    Path("/etc/machine-id").write_text("a5ea3f98dedc0278b6f3cc8c37eeaeac")
+
+
+class Driver:
+    def __init__(self, containers: list[Path], testscript: str, out_dir: str) -> None:
+        self.containers = containers
+        self.testscript = testscript
+        self.out_dir = out_dir
+        setup_filesystems()
+
+        self.tempdir = TemporaryDirectory()
+        tempdir_path = Path(self.tempdir.name)
+
+        self.machines = []
+        for container in containers:
+            name_match = re.match(r".*-nixos-system-(.+)-\d.+", container.name)
+            if not name_match:
+                raise ValueError(f"Unable to extract hostname from {container.name}")
+            name = name_match.group(1)
+            self.machines.append(
+                Machine(
+                    name=name,
+                    toplevel=container,
+                    rootdir=tempdir_path / name,
+                    out_dir=self.out_dir,
+                )
+            )
+
+    def start_all(self) -> None:
+        for machine in self.machines:
+            machine.start()
+
+    def test_symbols(self) -> dict[str, Any]:
+        general_symbols = dict(
+            start_all=self.start_all,
+            machines=self.machines,
+            driver=self,
+            Machine=Machine,  # for typing
+        )
+        machine_symbols = {pythonize_name(m.name): m for m in self.machines}
+        # If there's exactly one machine, make it available under the name
+        # "machine", even if it's not called that.
+        if len(self.machines) == 1:
+            (machine_symbols["machine"],) = self.machines
+        print(
+            "additionally exposed symbols:\n    "
+            + ", ".join(map(lambda m: m.name, self.machines))
+            + ",\n    "
+            + ", ".join(list(general_symbols.keys()))
+        )
+        return {**general_symbols, **machine_symbols}
+
+    def test_script(self) -> None:
+        """Run the test script"""
+        exec(self.testscript, self.test_symbols(), None)
+
+    def run_tests(self) -> None:
+        """Run the test script (for non-interactive test runs)"""
+        self.test_script()
+
+    def __enter__(self) -> "Driver":
+        return self
+
+    def __exit__(self, exc_type: Any, exc_value: Any, traceback: Any) -> None:
+        for machine in self.machines:
+            machine.release()
+
+
+def writeable_dir(arg: str) -> Path:
+    """Raises an ArgumentTypeError if the given argument isn't a writeable directory
+    Note: We want to fail as early as possible if a directory isn't writeable,
+    since an executed nixos-test could fail (very late) because of the test-driver
+    writing in a directory without proper permissions.
+    """
+    path = Path(arg)
+    if not path.is_dir():
+        raise argparse.ArgumentTypeError(f"{path} is not a directory")
+    if not os.access(path, os.W_OK):
+        raise argparse.ArgumentTypeError(f"{path} is not a writeable directory")
+    return path
+
+
+def main() -> None:
+    arg_parser = argparse.ArgumentParser(prog="nixos-test-driver")
+    arg_parser.add_argument(
+        "--containers",
+        nargs="+",
+        type=Path,
+        help="container system toplevel paths",
+    )
+    arg_parser.add_argument(
+        "--test-script",
+        help="the test script to run",
+        type=Path,
+    )
+    arg_parser.add_argument(
+        "-o",
+        "--output-directory",
+        default=Path.cwd(),
+        help="the directory to bind to /run/test-results",
+        type=writeable_dir,
+    )
+    args = arg_parser.parse_args()
+    with Driver(
+        args.containers,
+        args.test_script.read_text(),
+        args.output_directory.resolve(),
+    ) as driver:
+        driver.run_tests()

checks/lib/container-test.nix

@@ -0,0 +1,33 @@
+test:
+{ pkgs
+, self
+, ...
+}:
+let
+  inherit (pkgs) lib;
+  nixos-lib = import (pkgs.path + "/nixos/lib") { };
+in
+(nixos-lib.runTest ({ hostPkgs, ... }: {
+  hostPkgs = pkgs;
+  # speed-up evaluation
+  defaults = {
+    documentation.enable = lib.mkDefault false;
+    boot.isContainer = true;
+
+    # undo qemu stuff
+    system.build.initialRamdisk = "";
+    virtualisation.sharedDirectories = lib.mkForce { };
+    networking.useDHCP = false;
+
+    # we have not private networking so far
+    networking.interfaces = lib.mkForce { };
+    #networking.primaryIPAddress = lib.mkForce null;
+    systemd.services.backdoor.enable = false;
+  };
+  # to accept external dependencies such as disko
+  node.specialArgs.self = self;
+  imports = [
+    test
+    ./container-driver/module.nix
+  ];
+})).config.result

checks/lib/test-base.nix

@@ -0,0 +1,21 @@
+test:
+{ pkgs
+, self
+, ...
+}:
+let
+  inherit (pkgs) lib;
+  nixos-lib = import (pkgs.path + "/nixos/lib") { };
+in
+(nixos-lib.runTest {
+  hostPkgs = pkgs;
+  # speed-up evaluation
+  defaults = {
+    documentation.enable = lib.mkDefault false;
+    nix.settings.min-free = 0;
+  };
+
+  # to accept external dependencies such as disko
+  node.specialArgs.self = self;
+  imports = [ test ];
+}).config.result

checks/matrix-synapse/default.nix

@@ -1,83 +0,0 @@
-(
-  { pkgs, ... }:
-  {
-    name = "matrix-synapse";
-
-    nodes.machine =
-      {
-        config,
-        self,
-        lib,
-        ...
-      }:
-      {
-        imports = [
-          self.clanModules.matrix-synapse
-          self.nixosModules.clanCore
-          {
-            clan.core.settings.directory = ./.;
-
-            services.nginx.virtualHosts."matrix.clan.test" = {
-              enableACME = lib.mkForce false;
-              forceSSL = lib.mkForce false;
-            };
-            clan.nginx.acme.email = "admins@clan.lol";
-            clan.matrix-synapse = {
-              server_tld = "clan.test";
-              app_domain = "matrix.clan.test";
-            };
-            clan.matrix-synapse.users.admin.admin = true;
-            clan.matrix-synapse.users.someuser = { };
-
-            clan.core.facts.secretStore = "vm";
-            clan.core.vars.settings.secretStore = "vm";
-            clan.core.vars.settings.publicStore = "in_repo";
-
-            # because we use systemd-tmpfiles to copy the secrets, we need to a separate systemd-tmpfiles call to provision them.
-            boot.postBootCommands = "${config.systemd.package}/bin/systemd-tmpfiles --create /etc/tmpfiles.d/00-vmsecrets.conf";
-
-            systemd.tmpfiles.settings."00-vmsecrets" = {
-              # run before 00-nixos.conf
-              "/etc/secrets" = {
-                d.mode = "0700";
-                z.mode = "0700";
-              };
-              "/etc/secrets/matrix-synapse/synapse-registration_shared_secret" = {
-                f.argument = "supersecret";
-                z = {
-                  mode = "0400";
-                  user = "root";
-                };
-              };
-              "/etc/secrets/matrix-password-admin/matrix-password-admin" = {
-                f.argument = "matrix-password1";
-                z = {
-                  mode = "0400";
-                  user = "root";
-                };
-              };
-              "/etc/secrets/matrix-password-someuser/matrix-password-someuser" = {
-                f.argument = "matrix-password2";
-                z = {
-                  mode = "0400";
-                  user = "root";
-                };
-              };
-            };
-          }
-        ];
-      };
-    testScript = ''
-      start_all()
-      machine.wait_for_unit("matrix-synapse")
-      machine.succeed("${pkgs.netcat}/bin/nc -z -v ::1 8008")
-      machine.wait_until_succeeds("${pkgs.curl}/bin/curl -Ssf -L http://localhost/_matrix/static/ -H 'Host: matrix.clan.test'")
-
-      machine.systemctl("restart matrix-synapse >&2") # check if user creation is idempotent
-      machine.execute("journalctl -u matrix-synapse --no-pager >&2")
-      machine.wait_for_unit("matrix-synapse")
-      machine.succeed("${pkgs.netcat}/bin/nc -z -v ::1 8008")
-      machine.succeed("${pkgs.curl}/bin/curl -Ssf -L http://localhost/_matrix/static/ -H 'Host: matrix.clan.test'")
-    '';
-  }
-)

checks/matrix-synapse/synapse-registration_shared_secret

@@ -1 +0,0 @@
-registration_shared_secret: supersecret

checks/meshnamed/default.nix

@@ -0,0 +1,21 @@
+(import ../lib/container-test.nix) ({ pkgs, ... }: {
+  name = "meshnamed";
+
+  nodes.machine = { self, ... }: {
+    imports = [
+      self.nixosModules.clanCore
+      {
+        clanCore.machineName = "machine";
+        clan.networking.meshnamed.networks.vpn.subnet = "fd43:7def:4b50:28d0:4e99:9347:3035:17ef/88";
+        clanCore.clanDir = ./.;
+      }
+    ];
+  };
+  testScript = ''
+    start_all()
+    machine.wait_for_unit("meshnamed")
+    out = machine.succeed("${pkgs.dnsutils}/bin/dig AAAA foo.7vbx332lkaunatuzsndtanix54.vpn @meshnamed +short")
+    print(out)
+    assert out.strip() == "fd43:7def:4b50:28d0:4e99:9347:3035:17ef"
+  '';
+})

checks/morph/flake-module.nix

@@ -1,63 +0,0 @@
-{
-  self,
-  ...
-}:
-{
-  clan.machines.test-morph-machine = {
-    imports = [
-      ./template/configuration.nix
-      self.nixosModules.clanCore
-    ];
-    nixpkgs.hostPlatform = "x86_64-linux";
-    environment.etc."testfile".text = "morphed";
-  };
-
-  clan.templates.machine.test-morph-template = {
-    description = "Morph a machine";
-    path = ./template;
-  };
-
-  perSystem =
-    {
-      pkgs,
-      ...
-    }:
-    {
-      checks = pkgs.lib.mkIf (pkgs.stdenv.isLinux && !pkgs.stdenv.isAarch64) {
-        nixos-test-morph = self.clanLib.test.baseTest {
-          name = "morph";
-
-          nodes = {
-            actual =
-              { pkgs, ... }:
-              let
-                dependencies = [
-                  pkgs.stdenv.drvPath
-                  pkgs.stdenvNoCC
-                  self.nixosConfigurations.test-morph-machine.config.system.build.toplevel
-                ] ++ builtins.map (i: i.outPath) (builtins.attrValues self.inputs);
-                closureInfo = pkgs.closureInfo { rootPaths = dependencies; };
-              in
-
-              {
-                environment.etc."install-closure".source = "${closureInfo}/store-paths";
-                system.extraDependencies = dependencies;
-
-                virtualisation.memorySize = 2048;
-                virtualisation.useNixStoreImage = true;
-                virtualisation.writableStore = true;
-
-                environment.systemPackages = [ self.packages.${pkgs.system}.clan-cli-full ];
-              };
-          };
-          testScript = ''
-            start_all()
-            actual.fail("cat /etc/testfile")
-            actual.succeed("env CLAN_DIR=${self.checks.x86_64-linux.clan-core-for-checks} clan machines morph test-morph-template --i-will-be-fired-for-using-this --debug --name test-morph-machine")
-            assert actual.succeed("cat /etc/testfile") == "morphed"
-          '';
-        } { inherit pkgs self; };
-      };
-
-    };
-}

checks/morph/template/configuration.nix

@@ -1,15 +0,0 @@
-{ modulesPath, ... }:
-{
-  imports = [
-    # we need these 2 modules always to be able to run the tests
-    (modulesPath + "/testing/test-instrumentation.nix")
-    (modulesPath + "/virtualisation/qemu-vm.nix")
-
-    (modulesPath + "/profiles/minimal.nix")
-  ];
-
-  virtualisation.useNixStoreImage = true;
-  virtualisation.writableStore = true;
-
-  clan.core.enableRecommendedDefaults = false;
-}

checks/mycelium/default.nix

@@ -1,53 +0,0 @@
-{
-  pkgs,
-  nixosLib,
-  clan-core,
-  ...
-}:
-nixosLib.runTest (
-  { ... }:
-  {
-    imports = [
-      clan-core.modules.nixosTest.clanTest
-    ];
-
-    hostPkgs = pkgs;
-
-    name = "service-mycelium";
-
-    clan = {
-      test.useContainers = false;
-      directory = ./.;
-      modules."@clan/mycelium" = ../../clanServices/mycelium/default.nix;
-      inventory = {
-        machines.server = { };
-
-        instances = {
-          mycelium-test = {
-            module.name = "@clan/mycelium";
-            module.input = "self";
-            roles.peer.machines."server".settings = {
-              openFirewall = true;
-              addHostedPublicNodes = true;
-            };
-          };
-        };
-      };
-    };
-
-    nodes = {
-      server = { };
-    };
-
-    testScript = ''
-      start_all()
-
-      # Check that mycelium service is running
-      server.wait_for_unit("mycelium")
-      server.succeed("systemctl status mycelium")
-
-      # Check that mycelium is listening on its default port
-      server.wait_until_succeeds("${pkgs.iproute2}/bin/ss -tulpn | grep -q 'mycelium'", 10)
-    '';
-  }
-)

checks/mycelium/sops/machines/server/key.json

@@ -1,6 +0,0 @@
-[
-  {
-    "publickey": "age122lc4fvw2p22gcvwqeme5k49qxtjanqkl2xvr6qvf3r0zyh7scuqz28cam",
-    "type": "age"
-  }
-]

checks/mycelium/sops/secrets/server-age.key/secret

@@ -1,15 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:hLJS+CJllYM50KxKuiYamxBLGd9lwoeIFapP9mZAlVGH5DSenylcKUfsphxafASoB516qns2DznBoS9mWqg9uTsRZjk4WlR3x6A=,iv:uRiIpUKIiV3riNcBAWUqhZbE+Vb7lLMfU0C/TClVZ6M=,tag:4+nsMssiSyq9Iv7sDuWmoQ==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPUWFOMzluRmdOQXBmRjRN\ncXNSUlB5Z0t6dWYxNVkvMmhrN1FDdmxHcTNJCkhPL3BYMFFXMmU5ZGRqOC9KWEgv\nSHB5OUJqTk5Dd0tDTks1R1ZhYktrLzgKLS0tIHJIMlFRVWphZXlISmR3VUJKUjNk\ndWF4eCt6UHBrSndBay95RVJ3dldiaFkKCgYqrt0aCGRTaHycBoeqv/zeByu2ZZ3Z\nVfgxnD9liIQkS2wERbpk0/Yq9wkKgVxj+DZoWwHYhP0eKCw2UOorCA==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-06-04T11:54:59Z",
-		"mac": "ENC[AES256_GCM,data:xoeOz7FRCPJ18UTsfbY1x/N65pxbTsehT9Kv3MgEd6NQJn6FTvquaj3HEZ0KvIzStBz1FNOhSql9CZUFc4StYps05EbX61MMMnz6Nlj3xcTwuVQFabGoinxcXbCDSA+tAW7VqzVxumj6FMDg+r77gdcIApZjGJg4Z9ws2RZd3u4=,iv:U8IUDwmfg8Umob9mtKgGaKoIY4SKNL895BABJxzx5n8=,tag:tnMCx6D/17ZYgI6SgNS29A==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.10.2"
-	}
-}

checks/mycelium/sops/secrets/server-age.key/users/admin

@@ -1 +0,0 @@
-../../../users/admin

checks/mycelium/sops/users/admin/key.json

@@ -1,4 +0,0 @@
-{
-  "publickey": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
-  "type": "age"
-}

checks/mycelium/vars/per-machine/server/mycelium/ip/value

@@ -1 +0,0 @@
-52d:87c1:4222:b550:ee01:a7ae:254:5a66

checks/mycelium/vars/per-machine/server/mycelium/key/machines/server

@@ -1 +0,0 @@
-../../../../../../sops/machines/server

checks/mycelium/vars/per-machine/server/mycelium/key/secret

@@ -1,19 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:DGzl2G4H+NkwXq0fCUQS0+8FG1x9xoIsYvAgUxP4Qp8=,iv:CXOJVgYNthVOZ4vbdI3n4KLXSFVemzaoEnRGMC+m0i8=,tag:/u+pV3xWpUq0ZtAm6LKuGQ==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age122lc4fvw2p22gcvwqeme5k49qxtjanqkl2xvr6qvf3r0zyh7scuqz28cam",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZZHZjdXMwclBTeGthcGpM\nV1ArVy83akNHNEpXVFhoR1FWNlJUeHNKTW00CjJFTFZneFNrL0hDMXJpaTQ2M1ln\nTmdPMGhzeUp0NU55QnhCZEU2QVk1OG8KLS0tIDFhQmJhOHJsTjhYNEhITEw0WFgy\nWC9pTi9od0wyMWtZRVZJYWo0Nmo5SHMKDohnAAfrnGOiw55huMme2EEWE53N/feS\nutvbiTZh1ECHCi/uoK757fjnJ/WrQMSxUpctT9I8bpJRtbTqkx3XRw==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZeTZENGFpWndDbmdsWDRw\nMTBCVXg5Zkg2a2s5Yk1HSERIVlVQRXdUSUNnCnREbno0dEN0ZEgvOFNMRG1ReGx4\na0h1YUFuMkxBZXJUTE9xOUVUMitEalkKLS0tIFZMZ21qclRqUFR0dlAyMFkzdUNX\nNjRLTWVRVWtHSDlDakEzMmpRVWkyc0EKabm8mTKJVxQNTaIgU+8rb/xk9Dpg+Zjz\nb+wgD0+TlARlenMtIub8Y6N06ENOc20oovylfu+g7xV+EkvRPCd6tA==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-06-04T11:55:02Z",
-		"mac": "ENC[AES256_GCM,data:UIBaD/3mACgFzkajkFXz3oKai8IxpYQriR2t0mc5fL92P5ECloxCobY386TDZYOEVrDJ45Bw+IzqZbsCx/G9f1xCCTR2JvqygxYIsK3TpQPsboJzb9Cz3dBNBCXGboVykcg/NobEMaJBw1xtdAQBhuo8S7ymIuOPtGz0vPFJkf8=,iv:g0YAOBsRpgAOikKDMJDyOtcVx+0QwetfA8R6wQFH7lY=,tag:sfdFLjtiqFHdP/Qe1suBBQ==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.10.2"
-	}
-}

checks/mycelium/vars/per-machine/server/mycelium/key/users/admin

@@ -1 +0,0 @@
-../../../../../../sops/users/admin

checks/mycelium/vars/per-machine/server/mycelium/pubkey/value

@@ -1 +0,0 @@
-2125c6b039374467eaa3eaf552bd3e97f434d16006433cfbba3e6823c958b728

checks/nixos-documentation/flake-module.nix

@@ -1,27 +0,0 @@
-{ self, ... }:
-let
-  documentationModule = {
-    # This is how some downstream users currently generate documentation
-    # If this breaks notify them via matrix since we spent ~5 hrs for bughunting last time.
-    documentation.nixos.enable = true;
-    documentation.nixos.extraModules = [
-      self.nixosModules.clanCore
-      # This is the only option that is not part of the
-      # module because it is usually set by flake-parts
-      { clan.core.settings.directory = ./.; }
-    ];
-  };
-in
-{
-  clan = {
-    machines.test-documentation = {
-      # Dummy file system
-      fileSystems."/".device = "/dev/null";
-      boot.loader.grub.device = "/dev/null";
-      nixpkgs.hostPlatform = "x86_64-linux";
-      imports = [
-        documentationModule
-      ];
-    };
-  };
-}

checks/postgresql/default.nix

@@ -1,73 +0,0 @@
-({
-  name = "postgresql";
-
-  nodes.machine =
-    { self, config, ... }:
-    {
-      imports = [
-        self.nixosModules.clanCore
-        self.clanModules.postgresql
-        self.clanModules.localbackup
-      ];
-      clan.postgresql.users.test = { };
-      clan.postgresql.databases.test.create.options.OWNER = "test";
-      clan.postgresql.databases.test.restore.stopOnRestore = [ "sample-service" ];
-      clan.localbackup.targets.hdd.directory = "/mnt/external-disk";
-      clan.core.settings.directory = ./.;
-
-      systemd.services.sample-service = {
-        wantedBy = [ "multi-user.target" ];
-        script = ''
-          while true; do
-            echo "Hello, world!"
-            sleep 5
-          done
-        '';
-      };
-
-      environment.systemPackages = [ config.services.postgresql.package ];
-    };
-  testScript =
-    { nodes, ... }:
-    ''
-      start_all()
-      machine.wait_for_unit("postgresql")
-      machine.wait_for_unit("sample-service")
-      # Create a test table
-      machine.succeed("runuser -u postgres -- /run/current-system/sw/bin/psql -c 'CREATE TABLE test (id serial PRIMARY KEY);' test")
-
-      machine.succeed("/run/current-system/sw/bin/localbackup-create >&2")
-      timestamp_before = int(machine.succeed("systemctl show --property=ExecMainStartTimestampMonotonic sample-service | cut -d= -f2").strip())
-
-      machine.succeed("test -e /mnt/external-disk/snapshot.0/machine/var/backup/postgres/test/pg-dump || { echo 'pg-dump not found'; exit 1; }")
-      machine.succeed("runuser -u postgres -- /run/current-system/sw/bin/psql -d test -c 'INSERT INTO test DEFAULT VALUES;'")
-      machine.succeed("runuser -u postgres -- /run/current-system/sw/bin/psql -d test -c 'DROP TABLE test;'")
-      machine.succeed("test -e /var/backup/postgres/test/pg-dump || { echo 'pg-dump not found'; exit 1; }")
-
-      machine.succeed("rm -rf /var/backup/postgres")
-
-      machine.succeed("NAME=/mnt/external-disk/snapshot.0 FOLDERS=/var/backup/postgres/test /run/current-system/sw/bin/localbackup-restore >&2")
-      machine.succeed("test -e /var/backup/postgres/test/pg-dump || { echo 'pg-dump not found'; exit 1; }")
-
-      machine.succeed("""
-      set -x
-      ${nodes.machine.clan.core.state.test.postRestoreCommand}
-      """)
-      machine.succeed("runuser -u postgres -- /run/current-system/sw/bin/psql -l >&2")
-      machine.succeed("runuser -u postgres -- /run/current-system/sw/bin/psql -d test -c '\dt' >&2")
-
-      timestamp_after = int(machine.succeed("systemctl show --property=ExecMainStartTimestampMonotonic sample-service | cut -d= -f2").strip())
-      assert timestamp_before < timestamp_after, f"{timestamp_before} >= {timestamp_after}: expected sample-service to be restarted after restore"
-
-      # Check that the table is still there
-      machine.succeed("runuser -u postgres -- /run/current-system/sw/bin/psql -d test -c 'SELECT * FROM test;'")
-      output = machine.succeed("runuser -u postgres -- /run/current-system/sw/bin/psql --csv -c \"SELECT datdba::regrole FROM pg_database WHERE datname = 'test'\"")
-      owner = output.split("\n")[1]
-      assert owner == "test", f"Expected database owner to be 'test', got '{owner}'"
-
-      # check if restore works if the database does not exist
-      machine.succeed("runuser -u postgres -- dropdb test")
-      machine.succeed("${nodes.machine.clan.core.state.test.postRestoreCommand}")
-      machine.succeed("runuser -u postgres -- /run/current-system/sw/bin/psql -d test -c '\dt' >&2")
-    '';
-})

checks/schemas.nix

@@ -0,0 +1,35 @@
+{ self, runCommand, check-jsonschema, pkgs, lib, ... }:
+let
+  clanModules.clanCore = self.nixosModules.clanCore;
+
+  baseModule = {
+    imports =
+      (import (pkgs.path + "/nixos/modules/module-list.nix"))
+      ++ [{
+        nixpkgs.hostPlatform = "x86_64-linux";
+        clanCore.clanName = "dummy";
+      }];
+  };
+
+  optionsFromModule = module:
+    let
+      evaled = lib.evalModules {
+        modules = [ module baseModule ];
+      };
+    in
+    evaled.options.clan;
+
+  clanModuleSchemas = lib.mapAttrs (_: module: self.lib.jsonschema.parseOptions (optionsFromModule module)) clanModules;
+
+  mkTest = name: schema: runCommand "schema-${name}" { } ''
+    ${check-jsonschema}/bin/check-jsonschema \
+      --check-metaschema ${builtins.toFile "schema-${name}" (builtins.toJSON schema)}
+      touch $out
+  '';
+in
+lib.mapAttrs'
+  (name: schema: {
+    name = "schema-${name}";
+    value = mkTest name schema;
+  })
+  clanModuleSchemas

checks/secrets/default.nix

@@ -1,19 +1,19 @@
-{
+(import ../lib/test-base.nix) {
   name = "secrets";
 
-  nodes.machine =
-    { self, config, ... }:
-    {
-      environment.etc."privkey.age".source = ./key.age;
-      imports = [ (self.nixosModules.clanCore) ];
-      environment.etc."secret".source = config.sops.secrets.secret.path;
-      environment.etc."group-secret".source = config.sops.secrets.group-secret.path;
-      sops.age.keyFile = "/etc/privkey.age";
+  nodes.machine = { self, config, ... }: {
+    imports = [
+      (self.nixosModules.clanCore)
+    ];
+    environment.etc."secret".source = config.sops.secrets.secret.path;
+    environment.etc."group-secret".source = config.sops.secrets.group-secret.path;
+    sops.age.keyFile = ./key.age;
 
-      clan.core.settings.directory = "${./.}";
+    clanCore.clanDir = "${./.}";
+    clanCore.machineName = "machine";
 
-      networking.hostName = "machine";
-    };
+    networking.hostName = "machine";
+  };
   testScript = ''
     machine.succeed("cat /etc/secret >&2")
     machine.succeed("cat /etc/group-secret >&2")

checks/secrets/sops/machines/machine/key.json

@@ -1,4 +1,4 @@
 {
   "publickey": "age15x8u838dwqflr3t6csf4tlghxm4tx77y379ncqxav7y2n8qp7yzqgrwt00",
   "type": "age"
-}
+}

checks/secrets/sops/users/admin/key.json

@@ -1,4 +1,4 @@
 {
   "publickey": "age15x8u838dwqflr3t6csf4tlghxm4tx77y379ncqxav7y2n8qp7yzqgrwt00",
   "type": "age"
-}
+}

checks/service-dummy-test-from-flake/default.nix

@@ -1,66 +0,0 @@
-{
-  pkgs,
-  nixosLib,
-  clan-core,
-  ...
-}:
-
-nixosLib.runTest (
-  { hostPkgs, config, ... }:
-  {
-    imports = [
-      clan-core.modules.nixosTest.clanTest
-    ];
-
-    hostPkgs = pkgs;
-
-    # This tests the compatibility of the inventory
-    # With the test framework
-    # - legacy-modules
-    # - clan.service modules
-    name = "service-dummy-test-from-flake";
-
-    clan.test.fromFlake = ./.;
-
-    extraPythonPackages = _p: [
-      clan-core.legacyPackages.${hostPkgs.system}.nixosTestLib
-    ];
-
-    testScript =
-      { nodes, ... }:
-      ''
-        from nixos_test_lib.nix_setup import setup_nix_in_nix # type: ignore[import-untyped]
-        setup_nix_in_nix(None)  # No closure info for this test
-
-        def run_clan(cmd: list[str], **kwargs) -> str:
-            import subprocess
-            clan = "${clan-core.packages.${hostPkgs.system}.clan-cli}/bin/clan"
-            clan_args = ["--flake", "${config.clan.test.flakeForSandbox}"]
-            return subprocess.run(
-                ["${hostPkgs.util-linux}/bin/unshare", "--user", "--map-user", "1000", "--map-group", "1000", clan, *cmd, *clan_args],
-                **kwargs,
-                check=True,
-            ).stdout
-
-        start_all()
-        admin1.wait_for_unit("multi-user.target")
-        peer1.wait_for_unit("multi-user.target")
-        # Provided by the legacy module
-        print(admin1.succeed("systemctl status dummy-service"))
-        print(peer1.succeed("systemctl status dummy-service"))
-
-        # peer1 should have the 'hello' file
-        peer1.succeed("cat ${nodes.peer1.clan.core.vars.generators.new-service.files.not-a-secret.path}")
-
-        ls_out = peer1.succeed("ls -la ${nodes.peer1.clan.core.vars.generators.new-service.files.a-secret.path}")
-        # Check that the file is owned by 'nobody'
-        assert "nobody" in ls_out, f"File is not owned by 'nobody': {ls_out}"
-        # Check that the file is in the 'users' group
-        assert "users" in ls_out, f"File is not in the 'users' group: {ls_out}"
-        # Check that the file is in the '0644' mode
-        assert "-rw-r--r--" in ls_out, f"File is not in the '0644' mode: {ls_out}"
-
-        run_clan(["machines", "list"])
-      '';
-  }
-)

checks/service-dummy-test-from-flake/flake.nix

@@ -1,71 +0,0 @@
-{
-  inputs.clan-core.url = "https://git.clan.lol/clan/clan-core/archive/main.tar.gz";
-  inputs.nixpkgs.follows = "clan-core/nixpkgs";
-
-  outputs =
-    { self, clan-core, ... }:
-    let
-      # Usage see: https://docs.clan.lol
-      clan = clan-core.lib.clan {
-        inherit self;
-
-        inventory =
-          { ... }:
-          {
-            meta.name = "foo";
-            machines.peer1 = { };
-            machines.admin1 = { };
-            services = {
-              legacy-module.default = {
-                roles.peer.machines = [ "peer1" ];
-                roles.admin.machines = [ "admin1" ];
-              };
-            };
-
-            instances."test" = {
-              module.name = "new-service";
-              module.input = "self";
-              roles.peer.machines.peer1 = { };
-            };
-
-            modules = {
-              legacy-module = ./legacy-module;
-            };
-          };
-
-        modules.new-service = {
-          _class = "clan.service";
-          manifest.name = "new-service";
-          roles.peer = { };
-          perMachine = {
-            nixosModule = {
-              # This should be generated by:
-              # nix run .#generate-test-vars -- checks/service-dummy-test service-dummy-test
-              clan.core.vars.generators.new-service = {
-                files.not-a-secret = {
-                  secret = false;
-                  deploy = true;
-                };
-                files.a-secret = {
-                  secret = true;
-                  deploy = true;
-                  owner = "nobody";
-                  group = "users";
-                  mode = "0644";
-                };
-                script = ''
-                  # This is a dummy script that does nothing
-                  echo -n "not-a-secret" > $out/not-a-secret
-                  echo -n "a-secret" > $out/a-secret
-                '';
-              };
-            };
-          };
-        };
-      };
-    in
-    {
-      # all machines managed by Clan
-      inherit (clan.config) nixosConfigurations nixosModules clanInternals;
-    };
-}

checks/service-dummy-test-from-flake/legacy-module/README.md

@@ -1,10 +0,0 @@
----
-description = "Set up dummy-module"
-categories = ["System"]
-features = [ "inventory" ]
-
-[constraints]
-roles.admin.min = 1
-roles.admin.max = 1
----
-

checks/service-dummy-test-from-flake/legacy-module/roles/admin.nix

@@ -1,5 +0,0 @@
-{
-  imports = [
-    ../shared.nix
-  ];
-}

checks/service-dummy-test-from-flake/legacy-module/roles/peer.nix

@@ -1,5 +0,0 @@
-{
-  imports = [
-    ../shared.nix
-  ];
-}

checks/service-dummy-test-from-flake/legacy-module/shared.nix

@@ -1,34 +0,0 @@
-{ config, ... }:
-{
-  systemd.services.dummy-service = {
-    enable = true;
-    description = "Dummy service";
-    wantedBy = [ "multi-user.target" ];
-    serviceConfig = {
-      Type = "oneshot";
-      RemainAfterExit = true;
-    };
-    script = ''
-      generated_password_path="${config.clan.core.vars.generators.dummy-generator.files.generated-password.path}"
-      if [ ! -f "$generated_password_path" ]; then
-        echo "Generated password file not found: $generated_password_path"
-        exit 1
-      fi
-      host_id_path="${config.clan.core.vars.generators.dummy-generator.files.host-id.path}"
-      if [ ! -e "$host_id_path" ]; then
-        echo "Host ID file not found: $host_id_path"
-        exit 1
-      fi
-    '';
-  };
-
-  # TODO: add and prompt and make it work in the test framework
-  clan.core.vars.generators.dummy-generator = {
-    files.host-id.secret = false;
-    files.generated-password.secret = true;
-    script = ''
-      echo $RANDOM > "$out"/host-id
-      echo $RANDOM > "$out"/generated-password
-    '';
-  };
-}

checks/service-dummy-test-from-flake/sops/machines/admin1/key.json

@@ -1,6 +0,0 @@
-[
-  {
-    "publickey": "age12yt078p9ewxy2sh0a36nxdpgglv8wqqftmj4dkj9rgy5fuyn4p0q5nje9m",
-    "type": "age"
-  }
-]

checks/service-dummy-test-from-flake/sops/machines/peer1/key.json

@@ -1,6 +0,0 @@
-[
-  {
-    "publickey": "age12w2ld4vxfyf3hdq2d8la4cu0tye4pq97egvv3me4wary7xkdnq2snh0zx2",
-    "type": "age"
-  }
-]

checks/service-dummy-test-from-flake/sops/secrets/admin1-age.key/secret

@@ -1,15 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:GPpsUhSzWPtTP8EUNKsobFXjYqDldhkkIH6hBk11RsDLAGWdhVrwcISGbhsWpYhvAdPKA84DB6Zqyh9lL2bLM9//ybC1kzY20BQ=,iv:NrxMLdedT2FCkUAD00SwsAHchIsxWvqe7BQekWuJcxw=,tag:pMDXcMyHnLF2t3Qhb1KolA==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzb2tWb1ExKzdmUTRzaGVj\nK3cyYTBHZTJwVjM1SzUvbHFiMnVhY05iKzFZCnJTSE1VSVdpcUFLSEJuaE1CZzJD\nWjZxYzN2cUltdThNMVRKU3FIb20vUXMKLS0tIFlHQXRIdnMybDZFUVEzWlQrc1dw\nbUxhZURXblhHd0pka0JIK1FTZEVqdUEKI/rfxQRBc+xGRelhswkJQ9GcZs6lzfgy\nuCxS5JI9npdPLQ/131F3b21+sP5YWqks41uZG+vslM1zQ+BlENNhDw==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-05-04T12:44:13Z",
-		"mac": "ENC[AES256_GCM,data:fWxLHXBWolHVxv6Q7utcy6OVLV13ziswrIYyNKiwy1vsU8i7xvvuGO1HlnE+q43D2WuHR53liKq1UHuf1JMrWzTwZ0PYe+CVugtoEtbR2qu3rK/jAkOyMyhmmHzmf6Rp4ZMCzKgZeC/X2bDKY/z0firHAvjWydEyogutHpvtznM=,iv:OQI3FfkLneqbdztAXVQB3UkHwDPK+0hWu5hZ9m8Oczg=,tag:em6GfS2QHsXs391QKPxfmA==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.10.2"
-	}
-}

checks/service-dummy-test-from-flake/sops/secrets/admin1-age.key/users/admin

@@ -1 +0,0 @@
-../../../users/admin

checks/service-dummy-test-from-flake/sops/secrets/peer1-age.key/secret

@@ -1,15 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:W3cOkUYL5/YulW2pEISyTlMaA/t7/WBE7BoCdFlqrqgaCL7tG4IV2HgjiPWzIVMs0zvDSaghdEvAIoB4wOf470d1nSWs0/E8SDk=,iv:wXXaZIw3sPY8L/wxsu7+C5v+d3RQRuwxZRP4YLkS8K4=,tag:HeK4okj7O7XDA9JDz2KULw==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxRC83b3dtSVpXcGovNnVs\nTzFka2J2MEFhYkF1ajVrdjMrNUtPWGRObjM4Cm5zSUR5OGw0T0FaL3BaWmR6L29W\nU2syMFIyMUhFRUZpWFpCT28vWko2ZU0KLS0tIFpHK3BjU1V1L0FrMGtwTGFuU3Mz\nRkV5VjI2Vndod202bUR3RWQwNXpmVzQKNk8/y7M62wTIIKqY4r3ZRk5aUCRUfine\n1LUSHMKa2bRe+hR7nS7AF4BGXp03h2UPY0FP5+U5q8XuIj1jfMX8kg==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-05-04T12:44:16Z",
-		"mac": "ENC[AES256_GCM,data:yTkQeFvKrN1+5FP+yInsaRWSAG+ZGG0uWF3+gVRvzJTFxab8kT2XkAMc+4D7SKgcjsmwBBb77GNoAKaKByhZ92UaCfZ2X66i7ZmYUwLM1NVVmm+xiwwjsh7PJXlZO/70anTzd1evtlZse0jEmRnV5Y0F0M6YqXmuwU+qGUJU2F8=,iv:sy6ozhXonWVruaQfa7pdEoV5GkNZR/UbbINKAPbgWeg=,tag:VMruQ1KExmlMR7TsGNgMlg==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.10.2"
-	}
-}

checks/service-dummy-test-from-flake/sops/secrets/peer1-age.key/users/admin

@@ -1 +0,0 @@
-../../../users/admin

checks/service-dummy-test-from-flake/sops/users/admin/key.json

@@ -1,4 +0,0 @@
-{
-  "publickey": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
-  "type": "age"
-}

checks/service-dummy-test-from-flake/vars/per-machine/admin1/dummy-generator/generated-password/machines/admin1

@@ -1 +0,0 @@
-../../../../../../sops/machines/admin1

checks/service-dummy-test-from-flake/vars/per-machine/admin1/dummy-generator/generated-password/secret

@@ -1,19 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:T8edCvw=,iv:7/G5xt5fv38I9uFzk7WMIr9xQdz/6lFxqOC+18HBg8Q=,tag:F39Cxbgmzml+lZLsZ59Kmg==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age12yt078p9ewxy2sh0a36nxdpgglv8wqqftmj4dkj9rgy5fuyn4p0q5nje9m",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPNUhiYkZWK3dPMHNiRTVM\nRHNvaHFsOFp1c0UxQitwVG0zY01MNDZRV1E4CjEybENoTVIzN29vQ3FtUTRSYmFU\nNXIzQllVSllXRGN2M1B6WXJLdHZSajgKLS0tIDllZ0ZmZUcxMHhDQUpUOEdWbmkv\neUQweHArYTdFSmNteVpuQ3BKdnh0Y0UKs8Hm3D+rXRRfpUVSZM3zYjs6b9z8g10D\nGTkvreUMim4CS22pjdQ3eNA9TGeDXfWXE7XzwXLCb+wVcf7KwbDmvg==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKSDhpT3cvck9PenZYVEZH\ndFQreVRBdG93L1dBUGlvYjFWcDlHWUJsZUVBCm9DMTJ4UytiYzlEVHNWdUcwS1ds\nT0dhbzAzNDdmbDBCU0dvL2xNeHpXcGsKLS0tIFArbmpsbzU3WnpJdUt1MGN0L1d0\nV1JkTDJYWUxsbmhTQVNOeVRaSUhTODQKk9Vph2eldS5nwuvVX0SCsxEm4B+sO76Z\ndIjJ3OQxzoZmXMaOOuKHC5U0Y75Qn7eXC43w5KHsl2CMIUYsBGJOZw==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-05-04T12:44:14Z",
-		"mac": "ENC[AES256_GCM,data:6fKrS1eLLUWlHkQpxLFXBRk6f2wa5ADLMViVvYXXGU24ayl9UuNSKrCRHp9cbzhqhti3HdwyNt6TM+2X6qhiiAQanKEB2PF7JRYX74NfNKil9BEDjt5AqqtpSgVv5l7Ku/uSHaPkd2sDmzHsy5Q4bSGxJQokStk1kidrwle+mbc=,iv:I/Aad82L/TCxStM8d8IZICUrwdjRbGx2fuGWqexr21o=,tag:BfgRbGUxhPZzK2fLik1kxA==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.10.2"
-	}
-}

checks/service-dummy-test-from-flake/vars/per-machine/admin1/dummy-generator/generated-password/users/admin

@@ -1 +0,0 @@
-../../../../../../sops/users/admin

checks/service-dummy-test-from-flake/vars/per-machine/admin1/dummy-generator/host-id/value

@@ -1 +0,0 @@
-18650

checks/service-dummy-test-from-flake/vars/per-machine/peer1/dummy-generator/generated-password/machines/peer1

@@ -1 +0,0 @@
-../../../../../../sops/machines/peer1

checks/service-dummy-test-from-flake/vars/per-machine/peer1/dummy-generator/generated-password/secret

@@ -1,19 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:vp0yW0Gt,iv:FO2cy+UpEl5aRay/LUGu//c82QiVxuKuGSaVh0rGJvc=,tag:vf2RAOPpcRW0HwxHoGy17A==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age12w2ld4vxfyf3hdq2d8la4cu0tye4pq97egvv3me4wary7xkdnq2snh0zx2",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjaFVNMEd2YUxpSm5XVVRi\nY2ZUc3NTOStJUFNMWWVPQTgxZ2tCK1QrMW1ZCjYwMlA4dkIzSlc0TGtvZjcyK3Bi\nM3pob2JOOFUyeVJ6M2JpaTRCZlc1R0kKLS0tIDJMb1dFcVRWckhwYWNCQng0RlFO\nTkw3OGt4dkFIZVY5aVEzZE5mMzJSM0EKUv8bUqg48L2FfYVUVlpXvyZvPye699of\nG6PcjLh1ZMbNCfnsCzr+P8Vdk/F4J/ifxL66lRGfu2xOLxwciwQ+5Q==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnZ2dDbVhoQngxM3lTSmZF\nUTAwS1lCTGhEMU1GVXpFUzlIUFdqZy9LajF3Ck9mdVpBRjlyVUNhZXZIUFZjUzF1\nNlhFN28vNmwzcUVkNmlzUnpkWjJuZE0KLS0tIHpXVHVlNk9vU1ZPTGRrYStWbmRO\nbDM4U2o1SlEwYWtqOXBqd3BFUTAvMHcKkI8UVd0v+x+ELZ5CoGq9DzlA6DnVNU2r\nrV9wLfbFd7RHxS0/TYZh5tmU42nO3iMYA9FqERQXCtZgXS9KvfqHwQ==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-05-04T12:44:18Z",
-		"mac": "ENC[AES256_GCM,data:1ZZ+ZI1JsHmxTov1bRijfol3kTkyheg2o3ivLsMHRhCmScsUry97hQJchF78+y2Izt7avaQEHYn6pVbYt/0rLrSYD7Ru7ITVxXoYHOiN5Qb98masUzpibZjrdyg5nO+LW5/Hmmwsc3yn/+o3IH1AUYpsxlJRdnHHCmoSOFaiFFM=,iv:OQlgmpOTw4ljujNzqwQ5/0Mz8pQpCSUtqRvj3FJAxDs=,tag:foZvdeW7gK9ZVKkWqnlxGA==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.10.2"
-	}
-}

checks/service-dummy-test-from-flake/vars/per-machine/peer1/dummy-generator/generated-password/users/admin

@@ -1 +0,0 @@
-../../../../../../sops/users/admin

checks/service-dummy-test-from-flake/vars/per-machine/peer1/dummy-generator/host-id/value

@@ -1 +0,0 @@
-6745

checks/service-dummy-test-from-flake/vars/per-machine/peer1/new-service/a-secret/machines/peer1

@@ -1 +0,0 @@
-../../../../../../sops/machines/peer1

checks/service-dummy-test-from-flake/vars/per-machine/peer1/new-service/a-secret/secret

@@ -1,19 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:prFl0EJy8bM=,iv:zITWxf+6Ebk0iB5vhhd7SBQa1HFrIJXm8xpSM+D9I0M=,tag:NZCRMCs1SzNKLBu/KUDKMQ==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age12w2ld4vxfyf3hdq2d8la4cu0tye4pq97egvv3me4wary7xkdnq2snh0zx2",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0S0RZRWxaZVZvTUhjdWVL\naU9WZmtEcm1qa2JsRmdvdmZmNENMaWFEVUFRCmdoVnRXSGlpRlFjNmVVbDJ5VnFT\nMnVJUlVnM3lxNmZCRTdoRVJ4NW1oYWcKLS0tIFFNbXBFUk1RWnlUTW1SeG1vYzlM\nVVpEclFVOE9PWWQxVkZ0eEgwWndoRWcKDAOHe+FIxqGsc6LhxMy164qjwG6t2Ei2\nP0FSs+bcKMDpudxeuxCjnDm/VoLxOWeuqkB+9K2vSm2W/c/fHTSbrA==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2VU5jOEpwYUtDVEVFcVpU\nQkExTVZ3ejZHcGo5TG8zdUQwNktoV09WdUZvCmQ0dE1TOWRFbTlxdVd4WWRxd3VF\nQUNTTkNNT3NKYjQ5dEJDY0xVZ3pZVUUKLS0tIDFjajRZNFJZUTdNeS8yN05FMFZU\ncEtjRjhRbGE0MnRLdk10NkFLMkxqencKGzJ66dHluIghH04RV/FccfEQP07yqnfb\n25Hi0XIVJfXBwje4UEyszrWTxPPwVXdQDQmoNKf76Qy2jYqJ56uksw==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-05-04T12:44:20Z",
-		"mac": "ENC[AES256_GCM,data:FIkilsni5kOdNlVwDuLsQ/zExypHRWdqIBQDNWMLTwe8OrsNPkX+KYutUvt9GaSoGv4iDULaMRoizO/OZUNfc2d8XYSdj0cxOG1Joov4GPUcC/UGyNuQneAejZBKolvlnidKZArofnuK9g+lOTANEUtEXUTnx8L+VahqPZayQas=,iv:NAo6sT3L8OOB3wv1pjr3RY2FwXgVmZ4N0F4BEX4YPUY=,tag:zHwmXygyvkdpASZCodQT9Q==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.10.2"
-	}
-}

checks/service-dummy-test-from-flake/vars/per-machine/peer1/new-service/a-secret/users/admin

@@ -1 +0,0 @@
-../../../../../../sops/users/admin

checks/service-dummy-test-from-flake/vars/per-machine/peer1/new-service/not-a-secret/value

@@ -1 +0,0 @@
-not-a-secret

checks/service-dummy-test/default.nix

@@ -1,97 +0,0 @@
-{
-  pkgs,
-  nixosLib,
-  clan-core,
-  ...
-}:
-nixosLib.runTest (
-  { ... }:
-  {
-    imports = [
-      clan-core.modules.nixosTest.clanTest
-    ];
-
-    hostPkgs = pkgs;
-
-    # This tests the compatibility of the inventory
-    # With the test framework
-    # - legacy-modules
-    # - clan.service modules
-    name = "service-dummy-test";
-
-    clan = {
-      directory = ./.;
-      inventory = {
-        machines.peer1 = { };
-        machines.admin1 = { };
-        services = {
-          legacy-module.default = {
-            roles.peer.machines = [ "peer1" ];
-            roles.admin.machines = [ "admin1" ];
-          };
-        };
-
-        instances."test" = {
-          module.name = "new-service";
-          module.input = "self";
-          roles.peer.machines.peer1 = { };
-        };
-
-        modules = {
-          legacy-module = ./legacy-module;
-        };
-      };
-      modules.new-service = {
-        _class = "clan.service";
-        manifest.name = "new-service";
-        roles.peer = { };
-        perMachine = {
-          nixosModule = {
-            # This should be generated by:
-            # nix run .#generate-test-vars -- checks/service-dummy-test service-dummy-test
-            clan.core.vars.generators.new-service = {
-              files.not-a-secret = {
-                secret = false;
-                deploy = true;
-              };
-              files.a-secret = {
-                secret = true;
-                deploy = true;
-                owner = "nobody";
-                group = "users";
-                mode = "0644";
-              };
-              script = ''
-                # This is a dummy script that does nothing
-                echo -n "not-a-secret" > $out/not-a-secret
-                echo -n "a-secret" > $out/a-secret
-              '';
-            };
-          };
-        };
-      };
-    };
-
-    testScript =
-      { nodes, ... }:
-      ''
-        start_all()
-        admin1.wait_for_unit("multi-user.target")
-        peer1.wait_for_unit("multi-user.target")
-        # Provided by the legacy module
-        print(admin1.succeed("systemctl status dummy-service"))
-        print(peer1.succeed("systemctl status dummy-service"))
-
-        # peer1 should have the 'hello' file
-        peer1.succeed("cat ${nodes.peer1.clan.core.vars.generators.new-service.files.not-a-secret.path}")
-
-        ls_out = peer1.succeed("ls -la ${nodes.peer1.clan.core.vars.generators.new-service.files.a-secret.path}")
-        # Check that the file is owned by 'nobody'
-        assert "nobody" in ls_out, f"File is not owned by 'nobody': {ls_out}"
-        # Check that the file is in the 'users' group
-        assert "users" in ls_out, f"File is not in the 'users' group: {ls_out}"
-        # Check that the file is in the '0644' mode
-        assert "-rw-r--r--" in ls_out, f"File is not in the '0644' mode: {ls_out}"
-      '';
-  }
-)