wip(storybook): run storybook in nix derivation

.gitea/workflows/build-clan-app-darwin.yml

@@ -17,4 +17,4 @@ jobs:
 
       - name: Build clan-app for x86_64-darwin
         run: |
-          nix build .#packages.x86_64-darwin.clan-app --log-format bar-with-logs
+          nix build .#packages.x86_64-darwin.clan-app --system x86_64-darwin --log-format bar-with-logs

CODEOWNERS

@@ -1,10 +1,8 @@
 clanServices/.* @pinpox @kenji
 
 lib/test/container-test-driver/.* @DavHau @mic92
-lib/inventory/.* @hsjobeki
-lib/inventoryClass/.* @hsjobeki
-
-modules/.* @hsjobeki
+lib/modules/inventory/.* @hsjobeki
+lib/modules/inventoryClass/.* @hsjobeki
 
 pkgs/clan-app/ui/.* @hsjobeki @brianmcgee
 pkgs/clan-app/clan_app/.* @qubasa @hsjobeki

LICENSE.md

@@ -1,4 +1,4 @@
-Copyright 2023-2025 Clan contributors
+Copyright 2023-2024 Clan contributors
 
 Permission is hereby granted, free of charge, to any person obtaining a copy of
 this software and associated documentation files (the "Software"), to deal in

checks/flake-module.nix

@@ -86,13 +86,11 @@ in
 
             # Container Tests
             nixos-test-container = self.clanLib.test.containerTest ./container nixosTestArgs;
-            nixos-systemd-abstraction = self.clanLib.test.containerTest ./systemd-abstraction nixosTestArgs;
-            nixos-llm-test = self.clanLib.test.containerTest ./llm nixosTestArgs;
             nixos-test-user-firewall-iptables = self.clanLib.test.containerTest ./user-firewall/iptables.nix nixosTestArgs;
             nixos-test-user-firewall-nftables = self.clanLib.test.containerTest ./user-firewall/nftables.nix nixosTestArgs;
-            nixos-test-extra-python-packages = self.clanLib.test.containerTest ./test-extra-python-packages nixosTestArgs;
 
             service-dummy-test = import ./service-dummy-test nixosTestArgs;
+            wireguard = import ./wireguard nixosTestArgs;
             service-dummy-test-from-flake = import ./service-dummy-test-from-flake nixosTestArgs;
           };
 

checks/flash/flake-module.nix

@@ -58,53 +58,51 @@
         pkgs.buildPackages.xorg.lndir
         pkgs.glibcLocales
         pkgs.kbd.out
-        self.nixosConfigurations."test-flash-machine-${pkgs.stdenv.hostPlatform.system}".pkgs.perlPackages.ConfigIniFiles
-        self.nixosConfigurations."test-flash-machine-${pkgs.stdenv.hostPlatform.system}".pkgs.perlPackages.FileSlurp
+        self.nixosConfigurations."test-flash-machine-${pkgs.hostPlatform.system}".pkgs.perlPackages.ConfigIniFiles
+        self.nixosConfigurations."test-flash-machine-${pkgs.hostPlatform.system}".pkgs.perlPackages.FileSlurp
         pkgs.bubblewrap
 
-        self.nixosConfigurations."test-flash-machine-${pkgs.stdenv.hostPlatform.system}".config.system.build.toplevel
-        self.nixosConfigurations."test-flash-machine-${pkgs.stdenv.hostPlatform.system}".config.system.build.diskoScript
-        self.nixosConfigurations."test-flash-machine-${pkgs.stdenv.hostPlatform.system}".config.system.build.diskoScript.drvPath
+        self.nixosConfigurations."test-flash-machine-${pkgs.hostPlatform.system}".config.system.build.toplevel
+        self.nixosConfigurations."test-flash-machine-${pkgs.hostPlatform.system}".config.system.build.diskoScript
+        self.nixosConfigurations."test-flash-machine-${pkgs.hostPlatform.system}".config.system.build.diskoScript.drvPath
       ]
       ++ builtins.map (i: i.outPath) (builtins.attrValues self.inputs);
       closureInfo = pkgs.closureInfo { rootPaths = dependencies; };
     in
     {
       # Skip flash test on aarch64-linux for now as it's too slow
-      checks =
-        lib.optionalAttrs (pkgs.stdenv.isLinux && pkgs.stdenv.hostPlatform.system != "aarch64-linux")
-          {
-            nixos-test-flash = self.clanLib.test.baseTest {
-              name = "flash";
-              nodes.target = {
-                virtualisation.emptyDiskImages = [ 4096 ];
-                virtualisation.memorySize = 4096;
+      checks = lib.optionalAttrs (pkgs.stdenv.isLinux && pkgs.hostPlatform.system != "aarch64-linux") {
+        nixos-test-flash = self.clanLib.test.baseTest {
+          name = "flash";
+          nodes.target = {
+            virtualisation.emptyDiskImages = [ 4096 ];
+            virtualisation.memorySize = 4096;
 
-                virtualisation.useNixStoreImage = true;
-                virtualisation.writableStore = true;
+            virtualisation.useNixStoreImage = true;
+            virtualisation.writableStore = true;
 
-                environment.systemPackages = [ self.packages.${pkgs.system}.clan-cli ];
-                environment.etc."install-closure".source = "${closureInfo}/store-paths";
+            environment.systemPackages = [ self.packages.${pkgs.system}.clan-cli ];
+            environment.etc."install-closure".source = "${closureInfo}/store-paths";
 
-                nix.settings = {
-                  substituters = lib.mkForce [ ];
-                  hashed-mirrors = null;
-                  connect-timeout = lib.mkForce 3;
-                  flake-registry = "";
-                  experimental-features = [
-                    "nix-command"
-                    "flakes"
-                  ];
-                };
-              };
-              testScript = ''
-                start_all()
-                machine.succeed("echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIRWUusawhlIorx7VFeQJHmMkhl9X3QpnvOdhnV/bQNG root@target' > ./test_id_ed25519.pub")
-                # Some distros like to automount disks with spaces
-                machine.succeed('mkdir -p "/mnt/with spaces" && mkfs.ext4 /dev/vdc && mount /dev/vdc "/mnt/with spaces"')
-                machine.succeed("clan flash write --ssh-pubkey ./test_id_ed25519.pub --keymap de --language de_DE.UTF-8 --debug --flake ${self.checks.x86_64-linux.clan-core-for-checks} --yes --disk main /dev/vdc test-flash-machine-${pkgs.stdenv.hostPlatform.system}")
-              '';
-            } { inherit pkgs self; };
+            nix.settings = {
+              substituters = lib.mkForce [ ];
+              hashed-mirrors = null;
+              connect-timeout = lib.mkForce 3;
+              flake-registry = "";
+              experimental-features = [
+                "nix-command"
+                "flakes"
+              ];
+            };
           };
+          testScript = ''
+            start_all()
+            machine.succeed("echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIRWUusawhlIorx7VFeQJHmMkhl9X3QpnvOdhnV/bQNG root@target' > ./test_id_ed25519.pub")
+            # Some distros like to automount disks with spaces
+            machine.succeed('mkdir -p "/mnt/with spaces" && mkfs.ext4 /dev/vdc && mount /dev/vdc "/mnt/with spaces"')
+            machine.succeed("clan flash write --ssh-pubkey ./test_id_ed25519.pub --keymap de --language de_DE.UTF-8 --debug --flake ${self.checks.x86_64-linux.clan-core-for-checks} --yes --disk main /dev/vdc test-flash-machine-${pkgs.hostPlatform.system}")
+          '';
+        } { inherit pkgs self; };
+      };
     };
 }

checks/installation/flake-module.nix

@@ -160,9 +160,9 @@
           closureInfo = pkgs.closureInfo {
             rootPaths = [
               privateInputs.clan-core-for-checks
-              self.nixosConfigurations."test-install-machine-${pkgs.stdenv.hostPlatform.system}".config.system.build.toplevel
-              self.nixosConfigurations."test-install-machine-${pkgs.stdenv.hostPlatform.system}".config.system.build.initialRamdisk
-              self.nixosConfigurations."test-install-machine-${pkgs.stdenv.hostPlatform.system}".config.system.build.diskoScript
+              self.nixosConfigurations."test-install-machine-${pkgs.hostPlatform.system}".config.system.build.toplevel
+              self.nixosConfigurations."test-install-machine-${pkgs.hostPlatform.system}".config.system.build.initialRamdisk
+              self.nixosConfigurations."test-install-machine-${pkgs.hostPlatform.system}".config.system.build.diskoScript
               pkgs.stdenv.drvPath
               pkgs.bash.drvPath
               pkgs.buildPackages.xorg.lndir
@@ -215,7 +215,7 @@
                   # Prepare test flake and Nix store
                   flake_dir = prepare_test_flake(
                       temp_dir,
-                      "${self.checks.${pkgs.stdenv.hostPlatform.system}.clan-core-for-checks}",
+                      "${self.checks.${pkgs.hostPlatform.system}.clan-core-for-checks}",
                       "${closureInfo}"
                   )
 
@@ -296,7 +296,7 @@
                   # Prepare test flake and Nix store
                   flake_dir = prepare_test_flake(
                       temp_dir,
-                      "${self.checks.${pkgs.stdenv.hostPlatform.system}.clan-core-for-checks}",
+                      "${self.checks.${pkgs.hostPlatform.system}.clan-core-for-checks}",
                       "${closureInfo}"
                   )
 

checks/llm/default.nix

@@ -1,82 +0,0 @@
-{ self, pkgs, ... }:
-
-let
-
-  cli = self.packages.${pkgs.stdenv.hostPlatform.system}.clan-cli-full;
-
-  ollama-model = pkgs.callPackage ./qwen3-4b-instruct.nix { };
-in
-{
-  name = "llm";
-
-  nodes = {
-    peer1 =
-      { pkgs, ... }:
-      {
-
-        users.users.text-user = {
-          isNormalUser = true;
-          linger = true;
-          uid = 1000;
-          extraGroups = [ "systemd-journal" ];
-        };
-
-        # Set environment variables for user systemd
-        environment.extraInit = ''
-          if [ "$(id -u)" = "1000" ]; then
-            export XDG_RUNTIME_DIR="/run/user/1000"
-            export DBUS_SESSION_BUS_ADDRESS="unix:path=/run/user/1000/bus"
-
-            ollama_dir="$HOME/.ollama"
-            mkdir -p "$ollama_dir"
-            ln -sf ${ollama-model}/models "$ollama_dir"/models
-          fi
-        '';
-
-        # Enable PAM for user systemd sessions
-        security.pam.services.systemd-user = {
-          startSession = true;
-          # Workaround for containers - use pam_permit to avoid helper binary issues
-          text = pkgs.lib.mkForce ''
-            account required pam_permit.so
-            session required pam_permit.so
-            session required pam_env.so conffile=/etc/pam/environment readenv=0
-            session required ${pkgs.systemd}/lib/security/pam_systemd.so
-          '';
-        };
-
-        environment.systemPackages = [
-          cli
-          pkgs.ollama
-          (cli.pythonRuntime.withPackages (
-            ps: with ps; [
-              pytest
-              pytest-xdist
-              (cli.pythonRuntime.pkgs.toPythonModule cli)
-              self.legacyPackages.${pkgs.stdenv.hostPlatform.system}.nixosTestLib
-            ]
-          ))
-        ];
-      };
-  };
-
-  testScript =
-    { ... }:
-    ''
-      start_all()
-
-      peer1.wait_for_unit("multi-user.target")
-      peer1.wait_for_unit("user@1000.service")
-
-      # Fix user journal permissions so text-user can read their own logs
-      peer1.succeed("chown text-user:systemd-journal /var/log/journal/*/user-1000.journal*")
-      peer1.succeed("chmod 640 /var/log/journal/*/user-1000.journal*")
-      # the -o adopts="" is needed to overwrite any args coming from pyproject.toml
-      # -p no:cacheprovider disables pytest's cacheprovider which tries to write to the nix store in this case
-      cmd = "su - text-user -c 'pytest -s -n0 -m service_runner -p no:cacheprovider -o addopts="" ${cli.passthru.sourceWithTests}/clan_lib/llm'"
-      print("Running tests with command: " + cmd)
-
-      # Run tests as text-user (environment variables are set automatically)
-      peer1.succeed(cmd)
-    '';
-}

checks/llm/qwen3-4b-instruct.nix

@@ -1,70 +0,0 @@
-{ pkgs }:
-
-let
-  # Got them from https://github.com/Gholamrezadar/ollama-direct-downloader
-
-  # Download manifest
-  manifest = pkgs.fetchurl {
-    url = "https://registry.ollama.ai/v2/library/qwen3/manifests/4b-instruct";
-    # You'll need to calculate this hash - run the derivation once and it will tell you the correct hash
-    hash = "sha256-Dtze80WT6sGqK+nH0GxDLc+BlFrcpeyi8nZiwY8Wi6A=";
-  };
-
-  # Download blobs
-  blob1 = pkgs.fetchurl {
-    url = "https://registry.ollama.ai/v2/library/qwen3/blobs/sha256:b72accf9724e93698c57cbd3b1af2d3341b3d05ec2089d86d273d97964853cd2";
-    hash = "sha256-tyrM+XJOk2mMV8vTsa8tM0Gz0F7CCJ2G0nPZeWSFPNI=";
-  };
-
-  blob2 = pkgs.fetchurl {
-    url = "https://registry.ollama.ai/v2/library/qwen3/blobs/sha256:85e4a5b7b8ef0e48af0e8658f5aaab9c2324c76c1641493f4d1e25fce54b18b9";
-    hash = "sha256-heSlt7jvDkivDoZY9aqrnCMkx2wWQUk/TR4l/OVLGLk=";
-  };
-
-  blob3 = pkgs.fetchurl {
-    url = "https://registry.ollama.ai/v2/library/qwen3/blobs/sha256:eade0a07cac7712787bbce23d12f9306adb4781d873d1df6e16f7840fa37afec";
-    hash = "sha256-6t4KB8rHcSeHu84j0S+TBq20eB2HPR324W94QPo3r+w=";
-  };
-
-  blob4 = pkgs.fetchurl {
-    url = "https://registry.ollama.ai/v2/library/qwen3/blobs/sha256:d18a5cc71b84bc4af394a31116bd3932b42241de70c77d2b76d69a314ec8aa12";
-    hash = "sha256-0YpcxxuEvErzlKMRFr05MrQiQd5wx30rdtaaMU7IqhI=";
-  };
-
-  blob5 = pkgs.fetchurl {
-    url = "https://registry.ollama.ai/v2/library/qwen3/blobs/sha256:0914c7781e001948488d937994217538375b4fd8c1466c5e7a625221abd3ea7a";
-    hash = "sha256-CRTHeB4AGUhIjZN5lCF1ODdbT9jBRmxeemJSIavT6no=";
-  };
-in
-pkgs.stdenv.mkDerivation {
-  pname = "ollama-qwen3-4b-instruct";
-  version = "1.0";
-
-  dontUnpack = true;
-
-  buildPhase = ''
-    mkdir -p $out/models/manifests/registry.ollama.ai/library/qwen3
-    mkdir -p $out/models/blobs
-
-    # Copy manifest
-    cp ${manifest} $out/models/manifests/registry.ollama.ai/library/qwen3/4b-instruct
-
-    # Copy blobs with correct names
-    cp ${blob1} $out/models/blobs/sha256-b72accf9724e93698c57cbd3b1af2d3341b3d05ec2089d86d273d97964853cd2
-    cp ${blob2} $out/models/blobs/sha256-85e4a5b7b8ef0e48af0e8658f5aaab9c2324c76c1641493f4d1e25fce54b18b9
-    cp ${blob3} $out/models/blobs/sha256-eade0a07cac7712787bbce23d12f9306adb4781d873d1df6e16f7840fa37afec
-    cp ${blob4} $out/models/blobs/sha256-d18a5cc71b84bc4af394a31116bd3932b42241de70c77d2b76d69a314ec8aa12
-    cp ${blob5} $out/models/blobs/sha256-0914c7781e001948488d937994217538375b4fd8c1466c5e7a625221abd3ea7a
-  '';
-
-  installPhase = ''
-    # buildPhase already created everything in $out
-    :
-  '';
-
-  meta = with pkgs.lib; {
-    description = "Qwen3 4B Instruct model for Ollama";
-    license = "apache-2.0";
-    platforms = platforms.all;
-  };
-}

checks/service-dummy-test-from-flake/flake.nix

@@ -27,7 +27,6 @@
         modules.new-service = {
           _class = "clan.service";
           manifest.name = "new-service";
-          manifest.readme = "Just a sample readme to not trigger the warning.";
           roles.peer = {
             description = "A peer that uses the new-service to generate some files.";
           };

checks/service-dummy-test/default.nix

@@ -34,7 +34,6 @@ nixosLib.runTest (
       modules.new-service = {
         _class = "clan.service";
         manifest.name = "new-service";
-        manifest.readme = "Just a sample readme to not trigger the warning.";
         roles.peer = {
           description = "A peer that uses the new-service to generate some files.";
         };

checks/systemd-abstraction/default.nix

@@ -1,67 +0,0 @@
-{ self, pkgs, ... }:
-
-let
-
-  cli = self.packages.${pkgs.stdenv.hostPlatform.system}.clan-cli-full;
-in
-{
-  name = "systemd-abstraction";
-
-  nodes = {
-    peer1 = {
-
-      users.users.text-user = {
-        isNormalUser = true;
-        linger = true;
-        uid = 1000;
-        extraGroups = [ "systemd-journal" ];
-      };
-
-      # Set environment variables for user systemd
-      environment.extraInit = ''
-        if [ "$(id -u)" = "1000" ]; then
-          export XDG_RUNTIME_DIR="/run/user/1000"
-          export DBUS_SESSION_BUS_ADDRESS="unix:path=/run/user/1000/bus"
-        fi
-      '';
-
-      # Enable PAM for user systemd sessions
-      security.pam.services.systemd-user = {
-        startSession = true;
-        # Workaround for containers - use pam_permit to avoid helper binary issues
-        text = pkgs.lib.mkForce ''
-          account required pam_permit.so
-          session required pam_permit.so
-          session required pam_env.so conffile=/etc/pam/environment readenv=0
-          session required ${pkgs.systemd}/lib/security/pam_systemd.so
-        '';
-      };
-
-      environment.systemPackages = [
-        cli
-        (cli.pythonRuntime.withPackages (
-          ps: with ps; [
-            pytest
-            pytest-xdist
-          ]
-        ))
-      ];
-    };
-  };
-
-  testScript =
-    { ... }:
-    ''
-      start_all()
-
-      peer1.wait_for_unit("multi-user.target")
-      peer1.wait_for_unit("user@1000.service")
-
-      # Fix user journal permissions so text-user can read their own logs
-      peer1.succeed("chown text-user:systemd-journal /var/log/journal/*/user-1000.journal*")
-      peer1.succeed("chmod 640 /var/log/journal/*/user-1000.journal*")
-
-      # Run tests as text-user (environment variables are set automatically)
-      peer1.succeed("su - text-user -c 'pytest -p no:cacheprovider -o addopts="" -s -n0 ${cli.passthru.sourceWithTests}/clan_lib/service_runner'")
-    '';
-}

checks/test-extra-python-packages/default.nix

@@ -1,26 +0,0 @@
-(
-  { ... }:
-  {
-    name = "test-extra-python-packages";
-
-    extraPythonPackages = ps: [ ps.numpy ];
-
-    nodes.machine =
-      { ... }:
-      {
-        networking.hostName = "machine";
-      };
-
-    testScript = ''
-      import numpy as np
-
-      start_all()
-      machine.wait_for_unit("multi-user.target")
-
-      # Test availability of numpy
-      arr = np.array([1, 2, 3])
-      print(f"Numpy array: {arr}")
-      assert len(arr) == 3
-    '';
-  }
-)

checks/update/flake-module.nix

@@ -115,9 +115,9 @@
               let
                 closureInfo = pkgs.closureInfo {
                   rootPaths = [
-                    self.packages.${pkgs.stdenv.hostPlatform.system}.clan-cli
-                    self.checks.${pkgs.stdenv.hostPlatform.system}.clan-core-for-checks
-                    self.clanInternals.machines.${pkgs.stdenv.hostPlatform.system}.test-update-machine.config.system.build.toplevel
+                    self.packages.${pkgs.hostPlatform.system}.clan-cli
+                    self.checks.${pkgs.hostPlatform.system}.clan-core-for-checks
+                    self.clanInternals.machines.${pkgs.hostPlatform.system}.test-update-machine.config.system.build.toplevel
                     pkgs.stdenv.drvPath
                     pkgs.bash.drvPath
                     pkgs.buildPackages.xorg.lndir
@@ -132,7 +132,7 @@
                   imports = [ self.nixosModules.test-update-machine ];
                 };
                 extraPythonPackages = _p: [
-                  self.legacyPackages.${pkgs.stdenv.hostPlatform.system}.nixosTestLib
+                  self.legacyPackages.${pkgs.hostPlatform.system}.nixosTestLib
                 ];
 
                 testScript = ''
@@ -154,7 +154,7 @@
                       # Prepare test flake and Nix store
                       flake_dir = prepare_test_flake(
                           temp_dir,
-                          "${self.checks.${pkgs.stdenv.hostPlatform.system}.clan-core-for-checks}",
+                          "${self.checks.${pkgs.hostPlatform.system}.clan-core-for-checks}",
                           "${closureInfo}"
                       )
                       (flake_dir / ".clan-flake").write_text("")  # Ensure .clan-flake exists
@@ -226,7 +226,7 @@
                             "--to",
                             "ssh://root@192.168.1.1",
                             "--no-check-sigs",
-                            f"${self.packages.${pkgs.stdenv.hostPlatform.system}.clan-cli}",
+                            f"${self.packages.${pkgs.hostPlatform.system}.clan-cli}",
                             "--extra-experimental-features", "nix-command flakes",
                         ],
                         check=True,
@@ -242,7 +242,7 @@
                           "-o", "UserKnownHostsFile=/dev/null",
                           "-o", "StrictHostKeyChecking=no",
                           f"root@192.168.1.1",
-                          "${self.packages.${pkgs.stdenv.hostPlatform.system}.clan-cli}/bin/clan",
+                          "${self.packages.${pkgs.hostPlatform.system}.clan-cli}/bin/clan",
                           "machines",
                           "update",
                           "--debug",
@@ -270,7 +270,7 @@
 
                       # Run clan update command
                       subprocess.run([
-                          "${self.packages.${pkgs.stdenv.hostPlatform.system}.clan-cli-full}/bin/clan",
+                          "${self.packages.${pkgs.hostPlatform.system}.clan-cli-full}/bin/clan",
                           "machines",
                           "update",
                           "--debug",
@@ -297,7 +297,7 @@
 
                       # Run clan update command with --build-host
                       subprocess.run([
-                          "${self.packages.${pkgs.stdenv.hostPlatform.system}.clan-cli-full}/bin/clan",
+                          "${self.packages.${pkgs.hostPlatform.system}.clan-cli-full}/bin/clan",
                           "machines",
                           "update",
                           "--debug",

checks/wireguard/default.nix

@@ -0,0 +1,115 @@
+{
+  pkgs,
+  nixosLib,
+  clan-core,
+  lib,
+  ...
+}:
+nixosLib.runTest (
+  { ... }:
+
+  let
+    machines = [
+      "controller1"
+      "controller2"
+      "peer1"
+      "peer2"
+      "peer3"
+    ];
+  in
+  {
+    imports = [
+      clan-core.modules.nixosTest.clanTest
+    ];
+
+    hostPkgs = pkgs;
+
+    name = "wireguard";
+
+    clan = {
+      directory = ./.;
+      modules."@clan/wireguard" = import ../../clanServices/wireguard/default.nix;
+      inventory = {
+
+        machines = lib.genAttrs machines (_: { });
+
+        instances = {
+
+          /*
+                          wg-test-one
+            ┌───────────────────────────────┐
+            │            ◄─────────────     │
+            │ controller2              controller1
+            │    ▲       ─────────────►    ▲     ▲
+            │    │ │ │ │                 │ │   │ │
+            │    │ │ │ │                 │ │   │ │
+            │    │ │ │ │                 │ │   │ │
+            │    │ │ │ └───────────────┐ │ │   │ │
+            │    │ │ └──────────────┐  │ │ │   │ │
+            │      ▼                │  ▼ ▼     ▼
+            └─► peer2               │  peer1  peer3
+                                    │          ▲
+                                    └──────────┘
+          */
+
+          wg-test-one = {
+
+            module.name = "@clan/wireguard";
+            module.input = "self";
+
+            roles.controller.machines."controller1".settings = {
+              endpoint = "192.168.1.1";
+            };
+
+            roles.controller.machines."controller2".settings = {
+              endpoint = "192.168.1.2";
+            };
+
+            roles.peer.machines = {
+              peer1.settings.controller = "controller1";
+              peer2.settings.controller = "controller2";
+              peer3.settings.controller = "controller1";
+            };
+          };
+
+          # TODO: Will this actually work with conflicting ports? Can we re-use interfaces?
+          #wg-test-two = {
+          #  module.name = "@clan/wireguard";
+
+          #  roles.controller.machines."controller1".settings = {
+          #    endpoint = "192.168.1.1";
+          #    port = 51922;
+          #  };
+
+          #  roles.peer.machines = {
+          #    peer1 = { };
+          #  };
+          #};
+        };
+      };
+    };
+
+    testScript = ''
+      start_all()
+
+      # Show all addresses
+      machines = [peer1, peer2, peer3, controller1, controller2]
+      for m in machines:
+          m.systemctl("start network-online.target")
+
+      for m in machines:
+          m.wait_for_unit("network-online.target")
+          m.wait_for_unit("systemd-networkd.service")
+
+      print("\n\n" + "="*60)
+      print("STARTING PING TESTS")
+      print("="*60)
+
+      for m1 in machines:
+          for m2 in machines:
+              if m1 != m2:
+                  print(f"\n--- Pinging from {m1.name} to {m2.name}.wg-test-one ---")
+                  m1.wait_until_succeeds(f"ping -c1 {m2.name}.wg-test-one >&2")
+    '';
+  }
+)

clanServices/admin/README.md

@@ -1,25 +0,0 @@
-The admin service aggregates components that allow an administrator to log in to and manage the machine.
-
-The following configuration:
-
-1. Enables OpenSSH with root login and adds an SSH public key named`myusersKey` to the machine's authorized_keys via the `allowedKeys` setting.
-
-2. Automatically generates a password for the root user.
-
-```nix
-instances = {
-    admin = {
-        roles.default.tags = {
-            all = {  };
-        };
-        roles.default.settings = {
-            allowedKeys = {
-                myusersKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEFDNnynMbFWatSFdANzbJ8iiEKL7+9ZpDaMLrWRQjyH lhebendanz@wintux";
-            };
-        };
-    };
-};
-```
-
-
-

clanServices/admin/default.nix

@@ -3,7 +3,6 @@
   manifest.name = "clan-core/admin";
   manifest.description = "Adds a root user with ssh access";
   manifest.categories = [ "Utility" ];
-  manifest.readme = builtins.readFile ./README.md;
 
   roles.default = {
     description = "Placeholder role to apply the admin service";

clanServices/admin/tests/vm/default.nix

@@ -2,7 +2,7 @@ let
   public-key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII6zj7ubTg6z/aDwRNwvM/WlQdUocMprQ8E92NWxl6t+ test@test";
 in
 {
-  name = "admin";
+  name = "service-admin";
 
   clan = {
     directory = ./.;

clanServices/admin/tests/vm/vars/per-machine/client/state-version/version/value

@@ -1 +0,0 @@
-25.11

clanServices/admin/tests/vm/vars/per-machine/server/state-version/version/value

@@ -1 +0,0 @@
-25.11

clanServices/borgbackup/tests/vm/default.nix

@@ -3,7 +3,7 @@
   ...
 }:
 {
-  name = "borgbackup";
+  name = "service-borgbackup";
 
   clan = {
     directory = ./.;

clanServices/borgbackup/tests/vm/vars/per-machine/clientone/state-version/version/value

@@ -1 +0,0 @@
-25.11

clanServices/borgbackup/tests/vm/vars/per-machine/serverone/state-version/version/value

@@ -1 +0,0 @@
-25.11

clanServices/certificates/README.md

@@ -1,6 +1,3 @@
-!!! Danger "Experimental"
-    This service is experimental and will change in the future.
-
 This service sets up a certificate authority (CA) that can issue certificates to
 other machines in your clan. For this the `ca` role is used.
 It additionally provides a `default` role, that can be applied to all machines

clanServices/coredns/README.md

@@ -1,6 +1,3 @@
-!!! Danger "Experimental"
-    This service is experimental and will change in the future.
-
 This module enables hosting clan-internal services easily, which can be resolved
 inside your VPN. This allows defining a custom top-level domain (e.g. `.clan`)
 and exposing endpoints from a machine to others, which will be

clanServices/data-mesher/default.nix

@@ -1,7 +1,4 @@
-{
-  clanLib,
-  ...
-}:
+{ ... }:
 let
   sharedInterface =
     { lib, ... }:
@@ -54,15 +51,15 @@ let
       builtins.foldl' (
         urls: name:
         let
-          ip = clanLib.vars.getPublicValue {
-            flake = config.clan.core.settings.directory;
-            machine = name;
-            generator = "zerotier";
-            file = "zerotier-ip";
-            default = null;
-          };
+          ipPath = "${config.clan.core.settings.directory}/vars/per-machine/${name}/zerotier/zerotier-ip/value";
         in
-        if ip != null then urls ++ [ "[${ip}]:${builtins.toString settings.network.port}" ] else urls
+        if builtins.pathExists ipPath then
+          let
+            ip = builtins.readFile ipPath;
+          in
+          urls ++ [ "[${ip}]:${builtins.toString settings.network.port}" ]
+        else
+          urls
       ) [ ] (builtins.attrNames ((roles.admin.machines or { }) // (roles.signer.machines or { })))
     );
 
@@ -159,14 +156,9 @@ in
                   readHostKey =
                     machine:
                     let
-                      publicKey = clanLib.vars.getPublicValue {
-                        flake = config.clan.core.settings.directory;
-                        inherit machine;
-                        generator = "data-mesher-host-key";
-                        file = "public_key";
-                      };
+                      path = "${config.clan.core.settings.directory}/vars/per-machine/${machine}/data-mesher-host-key/public_key/value";
                     in
-                    builtins.elemAt (lib.splitString "\n" publicKey) 1;
+                    builtins.elemAt (lib.splitString "\n" (builtins.readFile path)) 1;
                 in
                 {
                   enable = true;

clanServices/data-mesher/flake-module.nix

@@ -9,7 +9,7 @@ in
   perSystem =
     { ... }:
     {
-      clan.nixosTests.data-mesher = {
+      clan.nixosTests.service-data-mesher = {
         imports = [ ./tests/vm/default.nix ];
         clan.modules."@clan/data-mesher" = module;
       };

clanServices/data-mesher/tests/vm/default.nix

@@ -2,7 +2,7 @@
   ...
 }:
 {
-  name = "data-mesher";
+  name = "service-data-mesher";
 
   clan = {
     directory = ./.;

clanServices/data-mesher/tests/vm/vars/per-machine/admin/state-version/version/value

@@ -1 +0,0 @@
-25.11

clanServices/data-mesher/tests/vm/vars/per-machine/peer/state-version/version/value

@@ -1 +0,0 @@
-25.11

clanServices/data-mesher/tests/vm/vars/per-machine/signer/state-version/version/value

@@ -1 +0,0 @@
-25.11

clanServices/dyndns/tests/vm/default.nix

@@ -3,7 +3,7 @@
   ...
 }:
 {
-  name = "dyndns";
+  name = "service-dyndns";
 
   clan = {
     directory = ./.;

clanServices/dyndns/tests/vm/sops/machines/server/key.json

@@ -1,6 +0,0 @@
-[
-  {
-    "publickey": "age164wrhlnake7f7duhzs936lq6w49dtg53hcdyxqwxj0agad6tqg2s2u4yta",
-    "type": "age"
-  }
-]

clanServices/dyndns/tests/vm/sops/secrets/server-age.key/secret

@@ -1,14 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:seLxbv590dO0KvMJmtN7WVvUcH27VYwAc3rmyD7q6ZmwCgswOKx55LFnh0stRDKSZa8K7Dq1x7D9adhZtPAMWX8tbJswBeNMPt8=,iv:G52eugxfTi0tTzH4EN4CWmpyv6feSL34++UVSjb0aAo=,tag:6r10/a7kD2hBAmae0nz2OQ==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHVC8wZUZJYUl5MXVNa2k5\ndGV1MnFWbUNLNVdxeEtCVUc3MTd0ck9aeFFBCnFhZW40amVYc3FlN1FPRTFSWTJR\nQzhNOERKbnRnSlJVeElNSEM5ZUJsZGsKLS0tIG1uNnlNN3MweHlYczNRTW9xSytu\neThzUmxKZTJBT2lCcTdiNUI4N3paTVEKgS9j2/GVt1KBoggUj9d6UK/mIlK4niLQ\nzVq2BHt3irxQpkpGUogXH2b86zSAOEJFzsL1Rk8HM1mogTG8jqf0qA==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-10-19T12:49:11Z",
-		"mac": "ENC[AES256_GCM,data:T/2xw2mvUi8YALyxz78qG/g/xguoUTeHNzcZfXwwSyCXMg9ircsGGLO9SOVWy/QNkibnw3Yp80tXNJyr4oJH28PhFH7RrRp8jzNdopF49ZNJb2IqJ3C7xNYRZMHfjOCd/raka+ehZq8YGilEpXUWLRk1ere9lbBMh1ycL7jJS3c=,iv:FZbY/jTNPM+p4qD41FD0K7B9zoppGuvnUY5hL/EkmYM=,tag:IF5QTyUkHXWthlAGBn9R8w==,type:str]",
-		"version": "3.11.0"
-	}
-}

clanServices/dyndns/tests/vm/vars/per-machine/server/state-version/version/value

@@ -1 +0,0 @@
-25.11

clanServices/dyndns/tests/vm/vars/shared/dyndns-namecheap-example.com/dyndns-namecheap-example.com/machines/server

@@ -1 +0,0 @@
-../../../../../sops/machines/server

clanServices/dyndns/tests/vm/vars/shared/dyndns-namecheap-example.com/dyndns-namecheap-example.com/secret

@@ -1,18 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:Zu+n+DDYP7rQRTS17PJ6Apo=,iv:5WOs81Pj+S85kdC1AlOXSyPMGDfwM5UD8x7nyRZtRYQ=,tag:2JYkGnLugAni49Upv43o2g==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age164wrhlnake7f7duhzs936lq6w49dtg53hcdyxqwxj0agad6tqg2s2u4yta",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlR3RGQ2ZLTkR3ZWxNVCsv\naXJHRjBiVUVYZVRIY2swY2xubGhmb3pLRkNvCldhQUV2WDlqYjZ4ZUFWYXkvUEEw\nZi9XRWw0Mi9mRENDcnI0aENDR2Z4MHcKLS0tIGFQU3Q4WEErbnBjOHpNR1BSR2cr\nRFg0anE1cHExT0sySmxuUks1R05nczAKZO3R6+f9co2+YGO8HPufoq1fLqqrdTWD\n4zqemMmG2BjMRDumxtcKp8CLaZWlJoP4e/+tonfdoe42qmNF5NJcFw==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzZWo4WGh1cWxKeDhDdlBm\nTVFjVFBIUU9xaGRkanNHaUVUUHN1czNRSUhNCkp5MmwzSGdycmsrZGhaRUhEbXBF\nNUhtdEF6bHZQOGJYUVhFVHlYc3FPODAKLS0tIDBRQ2VGT2IvU1F4MEVabzhYSFJq\nOWZmbGpkQmNSMnNKa0s4K2JXdGgwRlkKUQRREpG5H1mNHSc/cZrdMiSz0veJFR4N\n+W49XL/wQUZwajykwYj++G+dWDO7DQ+fpbB9w4mzbsAmCsXirseTLA==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-10-19T12:49:11Z",
-		"mac": "ENC[AES256_GCM,data:0msda7WbQQxXQ+juT7yErgT7NADgnzqEZLTQw+4JPuAE4xcqRIYwrrAALaA0GCCM2aIWlICzJigLCuzQUfSUbIzeP79tEHiKez+NOt/xgSM9ljz7GlsmLd0vzkxdt3WSxP+sHxy0S866N2sLMUkLqPGdqeTjB+Jji5ghGhzk9ys=,iv:8UU7iA4SdR6ZlVolm708l2Iea0sQYRT+5wPBBP5tpS0=,tag:VQXslAlqLqs1QEkwW6x6qg==,type:str]",
-		"version": "3.11.0"
-	}
-}

clanServices/dyndns/tests/vm/vars/shared/dyndns-namecheap-example.com/dyndns-namecheap-example.com/users/admin

@@ -1 +0,0 @@
-../../../../../sops/users/admin

clanServices/garage/README.md

@@ -1,12 +0,0 @@
-[Garage](https://garagehq.deuxfleurs.fr/) is an open-source, S3-compatible distributed object storage service for self-hosting.
-
-This module provisions a single-instance S3 bucket. To customize its behavior, set `services.garage.settings` in your Nix configuration.
-
-Example configuration:
-```
-instances = {
-    garage = {
-        roles.default.machines."server" = {};
-    };
-};
-```

clanServices/garage/default.nix

@@ -4,7 +4,6 @@
   manifest.name = "clan-core/garage";
   manifest.description = "S3-compatible object store for small self-hosted geo-distributed deployments";
   manifest.categories = [ "System" ];
-  manifest.readme = builtins.readFile ./README.md;
 
   roles.default = {
     description = "Placeholder role to apply the garage service";

clanServices/garage/tests/vm/default.nix

@@ -3,7 +3,7 @@
   ...
 }:
 {
-  name = "garage";
+  name = "service-garage";
 
   clan = {
     directory = ./.;

clanServices/garage/tests/vm/vars/per-machine/server/state-version/version/value

@@ -1 +0,0 @@
-25.11

clanServices/hello-world/README.md

@@ -1,83 +0,0 @@
-!!! Danger "Experimental"
-    This service is for demonstration purpose only and may change in the future.
-
-The Hello-World Clan Service is a minimal example showing how to build and register your own service.
-
-It serves as a reference implementation and is used in clan-core CI tests to ensure compatibility.
-
-## What it demonstrates
-
-- How to define a basic Clan-compatible service.
-- How to structure your service for discovery and configuration.
-- How Clan services interact with nixos.
-
-## Testing
-
-This service demonstrates two levels of testing to ensure quality and stability across releases:
-
-1. **Unit & Integration Testing** — via [`nix-unit`](https://github.com/nix-community/nix-unit)
-2. **End-to-End Testing** — via **NixOS VM tests**, which we extended to support **container virtualization** for better performance.
-
-We highly advocate following the [Practical Testing Pyramid](https://martinfowler.com/articles/practical-test-pyramid.html):
-
-* Write **unit tests** for core logic and invariants.
-* Add **one or two end-to-end (E2E)** tests to confirm your service starts and behaves correctly in a real NixOS environment.
-
-NixOS is **untyped** and frequently changes; tests are the safest way to ensure long-term stability of services.
-
-```
-               / \
-              /   \
-             / E2E \
-            /-------\
-           /         \
-          /Integration\
-         /-------------\
-        /               \
-       /    Unit Tests   \
-       -------------------
-```
-
-### nix-unit
-
-We highly advocate the usage of
-
-[nix-unit](https://github.com/nix-community/nix-unit)
-
-Example in: tests/eval-tests.nix
-
-If you use flake-parts you can use the [native integration](https://flake.parts/options/nix-unit.html)
-
-If nix-unit succeeds you'r nixos evaluation should be mostly correct.
-
-!!! Tip
-    - Ensure most used 'settings' and variants are tested.
-    - Think about some important edge-cases your system should handle.
-
-### NixOS VM / Container Test
-
-!!! Warning "Early Vars & clanTest"
-    The testing system around vars is experimental
-
-    `clanTest` is still experimental and enables container virtualization by default.
-    This is still early and might have some limitations.
-
-Some minimal boilerplate is needed to use `clanTest`
-
-```nix
-nixosLib = import (inputs.nixpkgs + "/nixos/lib") { }
-nixosLib.runTest (
-    { ... }:
-    {
-        imports = [
-            self.modules.nixosTest.clanTest
-            # Example in tests/vm/default.nix
-            testModule
-        ];
-        hostPkgs = pkgs;
-
-        # Uncomment if you don't want or cannot use containers
-        # test.useContainers = false;
-    }
-)
-```

clanServices/hello-world/default.nix

@@ -8,8 +8,7 @@
 {
   _class = "clan.service";
   manifest.name = "clan-core/hello-word";
-  manifest.description = "Minimal example clan service that greets the world";
-  manifest.readme = builtins.readFile ./README.md;
+  manifest.description = "This is a test";
 
   # This service provides two roles: "morning" and "evening". Roles can be
   # defined in this file directly (e.g. the "morning" role) or split up into a
@@ -35,13 +34,10 @@
         settings,
 
         # The name of this instance of the service
-        instanceName,
 
         # The current machine
-        machine,
 
         # All roles of this service, with their assigned machines
-        roles,
         ...
       }:
       {

clanServices/hello-world/flake-module.nix

@@ -26,7 +26,7 @@ in
             # The hello-world service being tested
             ../../clanServices/hello-world
             # Required modules
-            ../../nixosModules
+            ../../nixosModules/clanCore
           ];
           testName = "hello-world";
           tests = ./tests/eval-tests.nix;

clanServices/hello-world/tests/eval-tests.nix

@@ -4,7 +4,7 @@
   ...
 }:
 let
-  testClan = clanLib.clan {
+  testFlake = clanLib.clan {
     self = { };
     # Point to the folder of the module
     # TODO: make this optional
@@ -33,20 +33,10 @@ let
   };
 in
 {
-  /**
-    We highly advocate the usage of:
-    https://github.com/nix-community/nix-unit
-
-    If you use flake-parts you can use the native integration: https://flake.parts/options/nix-unit.html
-  */
   test_simple = {
-    # Allows inspection via the nix-repl
-    # Ignored by nix-unit; it only looks at 'expr' and 'expected'
-    inherit testClan;
+    config = testFlake.config;
 
-    # Assert that jon has the
-    # configured greeting in 'environment.etc.hello.text'
-    expr = testClan.config.nixosConfigurations.jon.config.environment.etc."hello".text;
-    expected = "Good evening World!";
+    expr = { };
+    expected = { };
   };
 }

clanServices/hello-world/tests/vm/default.nix

@@ -1,5 +1,5 @@
 {
-  name = "hello-service";
+  name = "service-hello-service";
 
   clan = {
     directory = ./.;

clanServices/internet/README.md

@@ -1,24 +0,0 @@
-!!! Danger "Experimental"
-    This service is experimental and will change in the future.
-
----
-
-This module is part of Clan's [networking interface](https://docs.clan.lol/guides/networking/networking/).
-
-Clan's networking module automatically manages connections across available network transports and falls back intelligently. When you run `clan ssh` or `clan machines update`, Clan attempts each configured network in priority order until a connection succeeds.
-
-The example below shows how to configure a domain so server1 is reachable over the clearnet. By default, the `internet` module has the highest priority among networks.
-
-```nix
-  inventory.instances = {
-        # Direct SSH with fallback support
-        internet = {
-            roles.default.machines.server1 = {
-                settings.host = "server1.example.com";
-            };
-            roles.default.machines.server2 = {
-                settings.host = "192.168.1.100";
-            };
-        };
-};
-```

clanServices/internet/default.nix

@@ -7,7 +7,6 @@
     "System"
     "Network"
   ];
-  manifest.readme = builtins.readFile ./README.md;
   roles.default = {
     description = "Placeholder role to apply the internet service";
     interface =
@@ -16,7 +15,6 @@
         options = {
           host = lib.mkOption {
             type = lib.types.str;
-            default = "";
             description = ''
               ip address or hostname (domain) of the machine
             '';

clanServices/kde/README.md

@@ -1,28 +0,0 @@
-This module sets up the [KDE Plasma](https://kde.org) Desktop environment.
-
-!!! Note "Customisation"
-    This service intentionally does not provide any settings or customisation
-    options, as desktop preferences are highly subjective. Clan currently
-    supports only this default desktop configuration. Any additional
-    customisation can be done via the `extraModules` option. Furthermore, if you
-    want to use a different desktop environment or compositor (e.g. Gnome or
-    sway), we encourage you to to build your own
-    [Clan Service](https://docs.clan.lol/guides/services/community/) or have a
-    look at the [Community Services](https://docs.clan.lol/services/community/).
-
-## Example Usage
-
-```nix
-inventory = {
-  instances = {
-    kde = {
-
-      # Deploy on all machines
-      roles.default.tags.all = { };
-
-      # Or individual hosts
-      roles.default.machines.laptop = { };
-    };
-  };
-};
-```

clanServices/kde/default.nix

@@ -1,19 +0,0 @@
-{ ... }:
-{
-  _class = "clan.service";
-  manifest.name = "clan-core/kde";
-  manifest.description = "Sets up a graphical desktop environment";
-  manifest.categories = [ "Desktop" ];
-  manifest.readme = builtins.readFile ./README.md;
-
-  roles.default = {
-    description = "KDE/Plasma (wayland): Full-featured desktop environment with modern Qt-based interface";
-    perInstance.nixosModule = {
-      services = {
-        displayManager.sddm.enable = true;
-        displayManager.sddm.wayland.enable = true;
-        desktopManager.plasma6.enable = true;
-      };
-    };
-  };
-}

clanServices/kde/flake-module.nix

@@ -1,24 +0,0 @@
-{
-  self,
-  lib,
-  ...
-}:
-let
-  module = lib.modules.importApply ./default.nix {
-    inherit (self) packages;
-  };
-in
-{
-  clan.modules = {
-    kde = module;
-  };
-  perSystem =
-    { ... }:
-    {
-      clan.nixosTests.kde = {
-        imports = [ ./tests/vm/default.nix ];
-
-        clan.modules.kde = module;
-      };
-    };
-}

clanServices/kde/tests/vm/default.nix

@@ -1,30 +0,0 @@
-{
-  name = "kde";
-
-  clan = {
-    directory = ./.;
-    inventory = {
-
-      machines.client = { };
-
-      instances = {
-        kde = {
-          module.name = "kde";
-          module.input = "self";
-          roles.default.machines."client" = { };
-        };
-      };
-    };
-  };
-
-  testScript = ''
-    start_all()
-
-    client.systemctl("start network-online.target")
-    client.wait_for_unit("network-online.target")
-
-    client.wait_for_unit("graphical.target")
-    client.wait_for_unit("display-manager.service")
-    client.succeed("systemctl status display-manager.service")
-  '';
-}

clanServices/kde/tests/vm/sops/users/admin/key.json

@@ -1,4 +0,0 @@
-{
-  "publickey": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
-  "type": "age"
-}

clanServices/kde/tests/vm/vars/per-machine/client/state-version/version/value

@@ -1 +0,0 @@
-25.11