Revert "Merge pull request 'Fix deploying with sudo + password' (#3470) from target-host into main"

This reverts commit 8a849eb90f, reversing
changes made to 3b5c22ebcf.

.gitignore

@@ -16,6 +16,9 @@ nixos.qcow2
 /docs/out
 **/.local.env
 
+# MacOS stuff
+**/.DS_store
+
 # dream2nix
 .dream2nix
 
@@ -39,3 +42,6 @@ repo
 node_modules
 dist
 .webui
+
+# TODO: remove after bug in select is fixed
+select

checks/app-ocr/default.nix

@@ -0,0 +1,41 @@
+{ self, pkgs, ... }:
+{
+  name = "app-ocr-smoke-test";
+
+  enableOCR = true;
+
+  nodes = {
+    wayland =
+      { modulesPath, ... }:
+      {
+        imports = [ (modulesPath + "/../tests/common/wayland-cage.nix") ];
+        services.cage.program = "${self.packages.${pkgs.system}.clan-app}/bin/clan-app";
+        virtualisation.memorySize = 2047;
+        # TODO: get rid of this and fix debus-proxy error instead
+        services.cage.environment.WEBKIT_DISABLE_SANDBOX_THIS_IS_DANGEROUS = "1";
+      };
+    xorg =
+      { pkgs, modulesPath, ... }:
+      {
+        imports = [
+          (modulesPath + "/../tests/common/user-account.nix")
+          (modulesPath + "/../tests/common/x11.nix")
+        ];
+        virtualisation.memorySize = 2047;
+        services.xserver.enable = true;
+        services.xserver.displayManager.sessionCommands = "${
+          self.packages.${pkgs.system}.clan-app
+        }/bin/clan-app";
+        test-support.displayManager.auto.user = "alice";
+      };
+  };
+  testScript = ''
+    start_all()
+
+    wayland.wait_for_unit('graphical.target')
+    xorg.wait_for_unit('graphical.target')
+
+    wayland.wait_for_text('Welcome to Clan')
+    xorg.wait_for_text('Welcome to Clan')
+  '';
+}

checks/backups/flake-module.nix

@@ -36,7 +36,7 @@
         # Borgbackup overrides
         services.borgbackup.repos.test-backups = {
           path = "/var/lib/borgbackup/test-backups";
-          authorizedKeys = [ (builtins.readFile ../lib/ssh/pubkey) ];
+          authorizedKeys = [ (builtins.readFile ../assets/ssh/pubkey) ];
         };
         clan.borgbackup.destinations.test-backup.repo = lib.mkForce "borg@machine:.";
 
@@ -45,7 +45,7 @@
 
         programs.ssh.knownHosts = {
           machine.hostNames = [ "machine" ];
-          machine.publicKey = builtins.readFile ../lib/ssh/pubkey;
+          machine.publicKey = builtins.readFile ../assets/ssh/pubkey;
         };
 
         services.openssh = {
@@ -60,7 +60,7 @@
           ];
         };
 
-        users.users.root.openssh.authorizedKeys.keyFiles = [ ../lib/ssh/pubkey ];
+        users.users.root.openssh.authorizedKeys.keyFiles = [ ../assets/ssh/pubkey ];
 
         # This is needed to unlock the user for sshd
         # Because we use sshd without setuid binaries
@@ -68,21 +68,21 @@
 
         systemd.tmpfiles.settings."vmsecrets" = {
           "/root/.ssh/id_ed25519" = {
-            C.argument = "${../lib/ssh/privkey}";
+            C.argument = "${../assets/ssh/privkey}";
             z = {
               mode = "0400";
               user = "root";
             };
           };
           "/etc/secrets/ssh.id_ed25519" = {
-            C.argument = "${../lib/ssh/privkey}";
+            C.argument = "${../assets/ssh/privkey}";
             z = {
               mode = "0400";
               user = "root";
             };
           };
           "/etc/secrets/borgbackup/borgbackup.ssh" = {
-            C.argument = "${../lib/ssh/privkey}";
+            C.argument = "${../assets/ssh/privkey}";
             z = {
               mode = "0400";
               user = "root";
@@ -169,7 +169,7 @@
     in
     {
       checks = pkgs.lib.mkIf pkgs.stdenv.isLinux {
-        backups = (import ../lib/container-test.nix) {
+        backups = self.clanLib.test.containerTest {
           name = "backups";
           nodes.machine = {
             imports =

checks/borgbackup/default.nix

@@ -1,4 +1,4 @@
-(import ../lib/test-base.nix) (
+(
   { ... }:
   {
     name = "borgbackup";
@@ -12,7 +12,7 @@
           {
             services.openssh.enable = true;
             services.borgbackup.repos.testrepo = {
-              authorizedKeys = [ (builtins.readFile ../lib/ssh/pubkey) ];
+              authorizedKeys = [ (builtins.readFile ../assets/ssh/pubkey) ];
             };
           }
           {
@@ -21,7 +21,7 @@
             environment.etc.state.text = "hello world";
             systemd.tmpfiles.settings."vmsecrets" = {
               "/etc/secrets/borgbackup/borgbackup.ssh" = {
-                C.argument = "${../lib/ssh/privkey}";
+                C.argument = "${../assets/ssh/privkey}";
                 z = {
                   mode = "0400";
                   user = "root";

checks/container/default.nix

@@ -1,4 +1,4 @@
-(import ../lib/container-test.nix) (
+(
   { ... }:
   {
     name = "container";

checks/flake-module.nix

@@ -14,7 +14,7 @@ in
     ./installation/flake-module.nix
     ./morph/flake-module.nix
     ./nixos-documentation/flake-module.nix
-    ./update/flake-module.nix
+    ./sanity-checks/dont-depend-on-repo-root.nix
   ];
   perSystem =
     {
@@ -34,34 +34,70 @@ in
             inherit (self) clanLib;
           };
           nixosTests = lib.optionalAttrs (pkgs.stdenv.isLinux) {
-            # import our test
-            secrets = import ./secrets nixosTestArgs;
-            container = import ./container nixosTestArgs;
             # Deltachat is currently marked as broken
             # deltachat = import ./deltachat nixosTestArgs;
-            borgbackup = import ./borgbackup nixosTestArgs;
-            matrix-synapse = import ./matrix-synapse nixosTestArgs;
+
+            # Base Tests
+            secrets = self.clanLib.test.baseTest ./secrets nixosTestArgs;
+            borgbackup = self.clanLib.test.baseTest ./borgbackup nixosTestArgs;
+            wayland-proxy-virtwl = self.clanLib.test.baseTest ./wayland-proxy-virtwl nixosTestArgs;
+
+            # Container Tests
+            container = self.clanLib.test.containerTest ./container nixosTestArgs;
+            zt-tcp-relay = self.clanLib.test.containerTest ./zt-tcp-relay nixosTestArgs;
+            matrix-synapse = self.clanLib.test.containerTest ./matrix-synapse nixosTestArgs;
+            postgresql = self.clanLib.test.containerTest ./postgresql nixosTestArgs;
+
+            # Clan Tests
             mumble = import ./mumble nixosTestArgs;
             dummy-inventory-test = import ./dummy-inventory-test nixosTestArgs;
             data-mesher = import ./data-mesher nixosTestArgs;
             syncthing = import ./syncthing nixosTestArgs;
-            zt-tcp-relay = import ./zt-tcp-relay nixosTestArgs;
-            postgresql = import ./postgresql nixosTestArgs;
-            update = import ./update nixosTestArgs;
-            wayland-proxy-virtwl = import ./wayland-proxy-virtwl nixosTestArgs;
           };
 
+          packagesToBuild = lib.removeAttrs self'.packages [
+            # exclude the check that checks that nothing depends on the repo root
+            # We might want to include this later once everything is fixed
+            "dont-depend-on-repo-root"
+          ];
+
           flakeOutputs =
             lib.mapAttrs' (
               name: config: lib.nameValuePair "nixos-${name}" config.config.system.build.toplevel
             ) (lib.filterAttrs (n: _: !lib.hasPrefix "test-" n) self.nixosConfigurations)
-            // lib.mapAttrs' (n: lib.nameValuePair "package-${n}") self'.packages
+            // lib.mapAttrs' (n: lib.nameValuePair "package-${n}") packagesToBuild
             // lib.mapAttrs' (n: lib.nameValuePair "devShell-${n}") self'.devShells
             // lib.mapAttrs' (name: config: lib.nameValuePair "home-manager-${name}" config.activation-script) (
               self'.legacyPackages.homeConfigurations or { }
             );
         in
-        nixosTests // flakeOutputs;
+        nixosTests
+        // flakeOutputs
+        // {
+          # TODO: Automatically provide this check to downstream users to check their modules
+          clan-modules-json-compatible =
+            let
+              allSchemas = lib.mapAttrs (
+                _n: m:
+                let
+                  schema =
+                    (self.clanLib.inventory.evalClanService {
+                      modules = [ m ];
+                      key = "checks";
+                    }).config.result.api.schema;
+                in
+                schema
+              ) self.clan.modules;
+            in
+            pkgs.runCommand "combined-result"
+              {
+                schemaFile = builtins.toFile "schemas.json" (builtins.toJSON allSchemas);
+              }
+              ''
+                mkdir -p $out
+                cat $schemaFile > $out/allSchemas.json
+              '';
+        };
       legacyPackages = {
         nixosTests =
           let
@@ -76,6 +112,8 @@ in
             # import our test
             secrets = import ./secrets nixosTestArgs;
             container = import ./container nixosTestArgs;
+            # Clan app tests
+            app-ocr = self.clanLib.test.baseTest ./app-ocr nixosTestArgs;
           };
       };
     };

checks/flash/flake-module.nix

@@ -56,7 +56,7 @@
     in
     {
       checks = pkgs.lib.mkIf pkgs.stdenv.isLinux {
-        flash = (import ../lib/test-base.nix) {
+        flash = self.clanLib.test.baseTest {
           name = "flash";
           nodes.target = {
             virtualisation.emptyDiskImages = [ 4096 ];

checks/installation/flake-module.nix

@@ -8,7 +8,6 @@ let
     { modulesPath, pkgs, ... }:
     let
       dependencies = [
-        self
         self.clanInternals.machines.${pkgs.hostPlatform.system}.test-install-machine-with-system.config.system.build.toplevel
         self.clanInternals.machines.${pkgs.hostPlatform.system}.test-install-machine-with-system.config.system.build.diskoScript
         self.clanInternals.machines.${pkgs.hostPlatform.system}.test-install-machine-with-system.config.system.clan.deployment.file
@@ -51,7 +50,7 @@ let
       };
       users.users.nonrootuser = {
         isNormalUser = true;
-        openssh.authorizedKeys.keyFiles = [ ../lib/ssh/pubkey ];
+        openssh.authorizedKeys.keyFiles = [ ../assets/ssh/pubkey ];
         extraGroups = [ "wheel" ];
       };
       security.sudo.wheelNeedsPassword = false;
@@ -183,7 +182,7 @@ in
       # vm-test-run-test-installation-> target: Guest root shell did not produce any data yet...
       # vm-test-run-test-installation-> target:   To debug, enter the VM and run 'systemctl status backdoor.service'.
       checks = pkgs.lib.mkIf (pkgs.stdenv.isLinux && !pkgs.stdenv.isAarch64) {
-        installation = (import ../lib/test-base.nix) {
+        installation = self.clanLib.test.baseTest {
           name = "installation";
           nodes.target = {
             services.openssh.enable = true;
@@ -195,7 +194,7 @@ in
           testScript = ''
             installer.start()
 
-            installer.succeed("${pkgs.coreutils}/bin/install -Dm 600 ${../lib/ssh/privkey} /root/.ssh/id_ed25519")
+            installer.succeed("${pkgs.coreutils}/bin/install -Dm 600 ${../assets/ssh/privkey} /root/.ssh/id_ed25519")
 
             installer.wait_until_succeeds("timeout 2 ssh -o StrictHostKeyChecking=accept-new -v nonrootuser@localhost hostname")
             installer.succeed("cp -r ${../..} test-flake && chmod -R +w test-flake")
@@ -210,13 +209,13 @@ in
           '';
         } { inherit pkgs self; };
 
-        update-hardware-configuration = (import ../lib/test-base.nix) {
+        update-hardware-configuration = self.clanLib.test.baseTest {
           name = "update-hardware-configuration";
           nodes.installer = installer;
 
           testScript = ''
             installer.start()
-            installer.succeed("${pkgs.coreutils}/bin/install -Dm 600 ${../lib/ssh/privkey} /root/.ssh/id_ed25519")
+            installer.succeed("${pkgs.coreutils}/bin/install -Dm 600 ${../assets/ssh/privkey} /root/.ssh/id_ed25519")
             installer.wait_until_succeeds("timeout 2 ssh -o StrictHostKeyChecking=accept-new -v nonrootuser@localhost hostname")
             installer.succeed("cp -r ${../..} test-flake && chmod -R +w test-flake")
             installer.fail("test -f test-flake/machines/test-install-machine/hardware-configuration.nix")

checks/lib/container-driver/test_driver/__main__.py

@@ -1,3 +0,0 @@
-from . import main
-
-main()

checks/lib/container-test.nix

@@ -1,55 +0,0 @@
-test:
-{ pkgs, self, ... }:
-let
-  inherit (pkgs) lib;
-  nixos-lib = import (pkgs.path + "/nixos/lib") { };
-in
-(nixos-lib.runTest {
-  hostPkgs = pkgs;
-  # speed-up evaluation
-  defaults =
-    { config, options, ... }:
-    {
-      imports = [
-        self.clanLib.test.minifyModule
-      ];
-      config = lib.mkMerge [
-        (lib.optionalAttrs (options ? clan) {
-          clan.core.settings.machine.name = config.networking.hostName;
-        })
-        {
-          documentation.enable = lib.mkDefault false;
-          boot.isContainer = true;
-
-          # needed since nixpkgs 7fb2f407c01b017737eafc26b065d7f56434a992 removed the getty unit by default
-          console.enable = true;
-
-          # undo qemu stuff
-          system.build.initialRamdisk = "";
-          virtualisation.sharedDirectories = lib.mkForce { };
-          networking.useDHCP = false;
-
-          # We use networkd to assign static ip addresses
-          networking.useNetworkd = true;
-          services.resolved.enable = false;
-
-          # Rename the host0 interface to eth0 to match what we expect in VM tests.
-          system.activationScripts.renameInterface = ''
-            ${pkgs.iproute2}/bin/ip link set dev host0 name eth1
-          '';
-
-          systemd.services.backdoor.enable = false;
-
-          # we don't have permission to set cpu scheduler in our container
-          systemd.services.nix-daemon.serviceConfig.CPUSchedulingPolicy = lib.mkForce "";
-        }
-      ];
-    };
-  # to accept external dependencies such as disko
-  node.specialArgs.self = self;
-  _module.args = { inherit self; };
-  imports = [
-    test
-    ./container-driver/module.nix
-  ];
-}).config.result

checks/matrix-synapse/default.nix

@@ -1,4 +1,4 @@
-(import ../lib/container-test.nix) (
+(
   { pkgs, ... }:
   {
     name = "matrix-synapse";

checks/morph/flake-module.nix

@@ -24,7 +24,7 @@
     }:
     {
       checks = pkgs.lib.mkIf (pkgs.stdenv.isLinux && !pkgs.stdenv.isAarch64) {
-        morph = (import ../lib/test-base.nix) {
+        morph = self.clanLib.test.baseTest {
           name = "morph";
 
           nodes = {
@@ -44,7 +44,11 @@
               {
                 environment.etc."install-closure".source = "${closureInfo}/store-paths";
                 system.extraDependencies = dependencies;
+
                 virtualisation.memorySize = 2048;
+                virtualisation.useNixStoreImage = true;
+                virtualisation.writableStore = true;
+
                 environment.systemPackages = [ self.packages.${pkgs.system}.clan-cli-full ];
               };
           };

checks/morph/template/configuration.nix

@@ -8,5 +8,8 @@
     (modulesPath + "/profiles/minimal.nix")
   ];
 
+  virtualisation.useNixStoreImage = true;
+  virtualisation.writableStore = true;
+
   clan.core.enableRecommendedDefaults = false;
 }

checks/mumble/default.nix

@@ -6,6 +6,8 @@
 }:
 clanLib.test.makeTestClan {
   inherit pkgs self;
+  # TODO: container driver does not support: sleep, wait_for_window, send_chars, wait_for_text
+  useContainers = false;
   nixosTest = (
     { lib, ... }:
     let

checks/postgresql/default.nix

@@ -1,4 +1,4 @@
-(import ../lib/container-test.nix) ({
+({
   name = "postgresql";
 
   nodes.machine =

checks/sanity-checks/dont-depend-on-repo-root.nix

@@ -0,0 +1,122 @@
+{
+  ...
+}:
+{
+  perSystem =
+    {
+      system,
+      pkgs,
+      self',
+      lib,
+      ...
+    }:
+    let
+      clanCore = self'.packages.clan-core-flake;
+      clanCoreHash = lib.substring 0 12 (builtins.hashString "sha256" "${clanCore}");
+      /*
+        construct a flake for the test which contains a single check which depends
+        on all checks of clan-core.
+      */
+      testFlakeFile = pkgs.writeText "flake.nix" ''
+        {
+          inputs.clan-core.url = path:///to/nowhere;
+          outputs = {clan-core, ...}:
+            let
+              checks =
+                builtins.removeAttrs
+                  clan-core.checks.${system}
+                  [
+                    "dont-depend-on-repo-root"
+                    "package-dont-depend-on-repo-root"
+                    "package-clan-core-flake"
+                  ];
+              checksOutPaths = map (x: "''${x}") (builtins.attrValues checks);
+            in
+            {
+              checks.${system}.check = builtins.derivation {
+                name = "all-clan-core-checks";
+                system = "${system}";
+                builder = "/bin/sh";
+                args = ["-c" '''
+                  of outPath in ''${toString checksOutPaths}; do
+                    echo "$outPath" >> $out
+                  done
+                '''];
+              };
+            };
+        }
+      '';
+    in
+    lib.optionalAttrs (system == "x86_64-linux") {
+      packages.dont-depend-on-repo-root =
+        pkgs.runCommand
+          # append repo hash to this tests name to ensure it gets invalidated on each chain
+          # This is needed because this test is an FOD (due to networking) and would get cached indefinitely.
+          "check-dont-depend-on-repo-root-${clanCoreHash}"
+          {
+            buildInputs = [
+              pkgs.nix
+              pkgs.cacert
+              pkgs.nix-diff
+            ];
+            outputHashAlgo = "sha256";
+            outputHash = "sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=";
+          }
+          ''
+            mkdir clanCore testFlake store
+            clanCore=$(realpath clanCore)
+            testFlake=$(realpath testFlake)
+
+            # copy clan core flake and make writable
+            cp -r ${clanCore}/* clanCore/
+            chmod +w -R clanCore\
+
+            # copy test flake and make writable
+            cp ${testFlakeFile} testFlake/flake.nix
+            chmod +w -R testFlake
+
+            # enable flakes
+            export NIX_CONFIG="experimental-features = nix-command flakes"
+
+            # give nix a $HOME
+            export HOME=$(realpath ./store)
+
+            # override clan-core flake input to point to $clanCore\
+            echo "locking clan-core to $clanCore"
+            nix flake lock --override-input clan-core "path://$clanCore" "$testFlake" --store "$HOME"
+
+            # evaluate all tests
+            echo "evaluating all tests for clan core"
+            nix eval "$testFlake"#checks.${system}.check.drvPath --store "$HOME" --raw > drvPath1 &
+
+            # slightly modify clan core
+            cp -r $clanCore clanCore2
+            cp -r $testFlake testFlake2
+            export clanCore2=$(realpath clanCore2)
+            export testFlake2=$(realpath testFlake2)
+            touch clanCore2/fly-fpv
+
+            # re-evaluate all tests
+            echo "locking clan-core to $clanCore2"
+            nix flake lock --override-input clan-core "path://$clanCore2" "$testFlake2" --store "$HOME"
+            echo "evaluating all tests for clan core with added file"
+            nix eval "$testFlake2"#checks.${system}.check.drvPath --store "$HOME" --raw > drvPath2
+
+            # wait for first nix eval to return as well
+            while ! grep -q drv drvPath1; do sleep 1; done
+
+            # raise error if outputs are different
+            if [ "$(cat drvPath1)" != "$(cat drvPath2)" ]; then
+              echo -e "\n\nERROR: Something in clan-core depends on the whole repo" > /dev/stderr
+              echo -e "See details in the nix-diff below which shows the difference between two evaluations:"
+              echo -e "  1. Evaluation of clan-core checks without any changes"
+              echo -e "  1. Evaluation of clan-core checks after adding a file to the top-level of the repo"
+              echo "nix-diff:"
+              export NIX_REMOTE="$HOME"
+              nix-diff $(cat drvPath1) $(cat drvPath2)
+              exit 1
+            fi
+            touch $out
+          '';
+    };
+}

checks/secrets/default.nix

@@ -1,4 +1,4 @@
-(import ../lib/test-base.nix) {
+{
   name = "secrets";
 
   nodes.machine =

checks/syncthing/default.nix

@@ -1,105 +1,83 @@
-(import ../lib/test-base.nix) (
-  # Using nixos-test, because our own test system doesn't support the necessary
-  # features for systemd.
-  { lib, ... }:
-  {
-    name = "syncthing";
+{
+  pkgs,
+  self,
+  clanLib,
+  ...
+}:
+clanLib.test.makeTestClan {
+  inherit pkgs self;
+  # TODO: container driver does not support wait_for_file() yet
+  useContainers = false;
+  nixosTest = (
+    { lib, ... }:
+    {
+      name = "syncthing";
 
-    nodes.introducer =
-      { self, ... }:
-      {
-        imports = [
-          self.clanModules.syncthing
-          self.nixosModules.clanCore
-          {
-            clan.core.settings.directory = ./.;
-            environment.etc = {
-              "syncthing.pam".source = ./introducer/introducer_test_cert;
-              "syncthing.key".source = ./introducer/introducer_test_key;
-              "syncthing.api".source = ./introducer/introducer_test_api;
+      clan = {
+        directory = ./.;
+        inventory = {
+          machines = lib.genAttrs [
+            "introducer"
+            "peer1"
+            "peer2"
+          ] (_: { });
+          services = {
+            syncthing.default = {
+              roles.peer.machines = [
+                "peer1"
+                "peer2"
+              ];
+              roles.introducer.machines = [ "introducer" ];
             };
-            clan.core.facts.services.syncthing.secret."syncthing.api".path = "/etc/syncthing.api";
-            services.syncthing.cert = "/etc/syncthing.pam";
-            services.syncthing.key = "/etc/syncthing.key";
-            # Doesn't test zerotier!
-            services.syncthing.openDefaultPorts = true;
-            services.syncthing.settings.folders = {
-              "Shared" = {
-                enable = true;
-                path = "~/Shared";
-                versioning = {
-                  type = "trashcan";
-                  params = {
-                    cleanoutDays = "30";
-                  };
-                };
+          };
+        };
+      };
+
+      nodes.introducer = {
+        # Doesn't test zerotier!
+        services.syncthing.openDefaultPorts = true;
+        services.syncthing.settings.folders = {
+          "Shared" = {
+            enable = true;
+            path = "~/Shared";
+            versioning = {
+              type = "trashcan";
+              params = {
+                cleanoutDays = "30";
               };
             };
-            clan.syncthing.autoAcceptDevices = true;
-            clan.syncthing.autoShares = [ "Shared" ];
-            # For faster Tests
-            systemd.timers.syncthing-auto-accept.timerConfig = {
-              OnActiveSec = 1;
-              OnUnitActiveSec = 1;
-            };
-          }
-        ];
+          };
+        };
+        clan.syncthing.autoAcceptDevices = true;
+        clan.syncthing.autoShares = [ "Shared" ];
+        # For faster Tests
+        systemd.timers.syncthing-auto-accept.timerConfig = {
+          OnActiveSec = 1;
+          OnUnitActiveSec = 1;
+        };
       };
-    nodes.peer1 =
-      { self, ... }:
-      {
-        imports = [
-          self.clanModules.syncthing
-          self.nixosModules.clanCore
-          {
-            clan.core.settings.directory = ./.;
-            clan.syncthing.introducer = lib.strings.removeSuffix "\n" (
-              builtins.readFile ./introducer/introducer_device_id
-            );
-            environment.etc = {
-              "syncthing.pam".source = ./peer_1/peer_1_test_cert;
-              "syncthing.key".source = ./peer_1/peer_1_test_key;
-            };
-            services.syncthing.openDefaultPorts = true;
-            services.syncthing.cert = "/etc/syncthing.pam";
-            services.syncthing.key = "/etc/syncthing.key";
-          }
-        ];
+      nodes.peer1 = {
+        services.syncthing.openDefaultPorts = true;
       };
-    nodes.peer2 =
-      { self, ... }:
-      {
-        imports = [
-          self.clanModules.syncthing
-          self.nixosModules.clanCore
-          {
-            clan.core.settings.directory = ./.;
-            clan.syncthing.introducer = lib.strings.removeSuffix "\n" (
-              builtins.readFile ./introducer/introducer_device_id
-            );
-            environment.etc = {
-              "syncthing.pam".source = ./peer_2/peer_2_test_cert;
-              "syncthing.key".source = ./peer_2/peer_2_test_key;
-            };
-            services.syncthing.openDefaultPorts = true;
-            services.syncthing.cert = "/etc/syncthing.pam";
-            services.syncthing.key = "/etc/syncthing.key";
-          }
-        ];
+      nodes.peer2 = {
+        services.syncthing.openDefaultPorts = true;
       };
-    testScript = ''
-      start_all()
-      introducer.wait_for_unit("syncthing")
-      peer1.wait_for_unit("syncthing")
-      peer2.wait_for_unit("syncthing")
-      peer1.wait_for_file("/home/user/Shared")
-      peer2.wait_for_file("/home/user/Shared")
-      introducer.shutdown()
-      peer1.execute("echo hello > /home/user/Shared/hello")
-      peer2.wait_for_file("/home/user/Shared/hello")
-      out = peer2.succeed("cat /home/user/Shared/hello")
-      print(out)
-      assert "hello" in out
-    '';
-  }
-)
+
+      testScript = ''
+        start_all()
+        introducer.wait_for_unit("syncthing")
+        peer1.wait_for_unit("syncthing")
+        peer2.wait_for_unit("syncthing")
+        peer1.execute("ls -la /var/lib/syncthing")
+        peer2.execute("ls -la /var/lib/syncthing")
+        peer1.wait_for_file("/var/lib/syncthing/Shared")
+        peer2.wait_for_file("/var/lib/syncthing/Shared")
+        introducer.shutdown()
+        peer1.execute("echo hello > /var/lib/syncthing/Shared/hello")
+        peer2.wait_for_file("/var/lib/syncthing/Shared/hello")
+        out = peer2.succeed("cat /var/lib/syncthing/Shared/hello")
+        assert "hello" in out
+      '';
+    }
+  );
+}

checks/syncthing/introducer/introducer_device_id

@@ -1 +0,0 @@
-RN4ZZIJ-5AOJVWT-JD5IAAZ-SWVDTHU-B4RWCXE-AEM3SRG-QBM2KC5-JTGUNQT

checks/syncthing/introducer/introducer_test_api

@@ -1 +0,0 @@
-fKwzSQK43LWMnjVK2TDjpTkziY364dvP

checks/syncthing/introducer/introducer_test_cert

@@ -1,14 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICHDCCAaOgAwIBAgIJAJDWPRNYN7/7MAoGCCqGSM49BAMCMEoxEjAQBgNVBAoT
-CVN5bmN0aGluZzEgMB4GA1UECxMXQXV0b21hdGljYWxseSBHZW5lcmF0ZWQxEjAQ
-BgNVBAMTCXN5bmN0aGluZzAeFw0yMzEyMDUwMDAwMDBaFw00MzExMzAwMDAwMDBa
-MEoxEjAQBgNVBAoTCVN5bmN0aGluZzEgMB4GA1UECxMXQXV0b21hdGljYWxseSBH
-ZW5lcmF0ZWQxEjAQBgNVBAMTCXN5bmN0aGluZzB2MBAGByqGSM49AgEGBSuBBAAi
-A2IABEzIpSQGUVVlrSndNjiwkgZ045eH26agwT5RTN44bGRe8SJqBWC7HP3V7u1C
-6ZQZALSDoDUG5Oi89wGrFnxU48mYFSJFlZAVzyZoqfxVMof3vnk3uFDPo47HA4ex
-8fi6yaNVMFMwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggr
-BgEFBQcDAjAMBgNVHRMBAf8EAjAAMBQGA1UdEQQNMAuCCXN5bmN0aGluZzAKBggq
-hkjOPQQDAgNnADBkAjB+d84wmaQuv3c94ctxV0sMh23xeTR1cPNcE8wbPQYxHmbO
-HbJ3IWo5HF3di63pVgECMBUfzpmFo8dshYR2/76Ovh573Svzk2+NKEMrqRyoNVFr
-JNQFhCtHbFT1rYfqYWgJBQ==
------END CERTIFICATE-----

checks/syncthing/introducer/introducer_test_key

@@ -1,6 +0,0 @@
------BEGIN EC PRIVATE KEY-----
-MIGkAgEBBDBvqJxL4s7JFy0y6Ulg7C9C0m3N9VZlW328uMJrwznGuCdRHa/VD4qY
-IcjtwJisdaqgBwYFK4EEACKhZANiAARMyKUkBlFVZa0p3TY4sJIGdOOXh9umoME+
-UUzeOGxkXvEiagVguxz91e7tQumUGQC0g6A1BuTovPcBqxZ8VOPJmBUiRZWQFc8m
-aKn8VTKH9755N7hQz6OOxwOHsfH4usk=
------END EC PRIVATE KEY-----

checks/syncthing/peer_1/peer_1_test_cert

@@ -1,14 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICHTCCAaKgAwIBAgIIT2gZuvqVFP0wCgYIKoZIzj0EAwIwSjESMBAGA1UEChMJ
-U3luY3RoaW5nMSAwHgYDVQQLExdBdXRvbWF0aWNhbGx5IEdlbmVyYXRlZDESMBAG
-A1UEAxMJc3luY3RoaW5nMB4XDTIzMTIwNjAwMDAwMFoXDTQzMTIwMTAwMDAwMFow
-SjESMBAGA1UEChMJU3luY3RoaW5nMSAwHgYDVQQLExdBdXRvbWF0aWNhbGx5IEdl
-bmVyYXRlZDESMBAGA1UEAxMJc3luY3RoaW5nMHYwEAYHKoZIzj0CAQYFK4EEACID
-YgAEBAr1CsciwCa0vi7eC6xxuSGijY3txbjtsyFanec/fge4oJBD3rVpaLKFETb3
-TvHHsuvblzElcP483MEVq6FMUoxwuL9CzTtpJrRhtwSmAs8AHLFu8irVn8sZjgkL
-sXMho1UwUzAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsG
-AQUFBwMCMAwGA1UdEwEB/wQCMAAwFAYDVR0RBA0wC4IJc3luY3RoaW5nMAoGCCqG
-SM49BAMCA2kAMGYCMQDbrtLgfcyMMIkNQn+PJe9DHYAqj8C47LQcWuIY/nekhOu0
-aUfKctEAwyBtI60Y5zcCMQCEdgD/6CNBh7Qqq3z3CKPhlrpxHtCO5tNw17k0jfdH
-haCwJInHZvZgclHk4EtFpTw=
------END CERTIFICATE-----

checks/syncthing/peer_1/peer_1_test_key

@@ -1,6 +0,0 @@
------BEGIN EC PRIVATE KEY-----
-MIGkAgEBBDA14Nqo17Xs/xRLGH2KLuyzjKp4eW9iWFobVNM93RZZbECT++W3XcQc
-cEc5WVtiPmWgBwYFK4EEACKhZANiAAQECvUKxyLAJrS+Lt4LrHG5IaKNje3FuO2z
-IVqd5z9+B7igkEPetWlosoURNvdO8cey69uXMSVw/jzcwRWroUxSjHC4v0LNO2km
-tGG3BKYCzwAcsW7yKtWfyxmOCQuxcyE=
------END EC PRIVATE KEY-----

checks/syncthing/peer_2/peer_2_test_cert

@@ -1,14 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICHjCCAaOgAwIBAgIJAKbMWefkf1rVMAoGCCqGSM49BAMCMEoxEjAQBgNVBAoT
-CVN5bmN0aGluZzEgMB4GA1UECxMXQXV0b21hdGljYWxseSBHZW5lcmF0ZWQxEjAQ
-BgNVBAMTCXN5bmN0aGluZzAeFw0yMzEyMDYwMDAwMDBaFw00MzEyMDEwMDAwMDBa
-MEoxEjAQBgNVBAoTCVN5bmN0aGluZzEgMB4GA1UECxMXQXV0b21hdGljYWxseSBH
-ZW5lcmF0ZWQxEjAQBgNVBAMTCXN5bmN0aGluZzB2MBAGByqGSM49AgEGBSuBBAAi
-A2IABFZTMt4RfsfBue0va7QuNdjfXMI4HfZzJCEcG+b9MtV7FlDmwMKX5fgGykD9
-FBbC7yiza3+xCobdMb5bakz1qYJ7nUFCv1mwSDo2eNM+/XE+rJmlre8NwkwGmvzl
-h1uhyqNVMFMwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggr
-BgEFBQcDAjAMBgNVHRMBAf8EAjAAMBQGA1UdEQQNMAuCCXN5bmN0aGluZzAKBggq
-hkjOPQQDAgNpADBmAjEAwzhsroN6R4/quWeXj6dO5gt5CfSTLkLee6vrcuIP5i1U
-rZvJ3OKQVmmGG6IWYe7iAjEAyuq3X2wznaqiw2YK3IDI4qVeYWpCUap0fwRNq7/x
-4dC4k+BOzHcuJOwNBIY/bEuK
------END CERTIFICATE-----

checks/syncthing/peer_2/peer_2_test_key

@@ -1,6 +0,0 @@
------BEGIN EC PRIVATE KEY-----
-MIGkAgEBBDCXHGpvumKjjDRxB6SsjZOb7duw3w+rdlGQCJTIvRThLjD6zwjnyImi
-7c3PD5nWtLqgBwYFK4EEACKhZANiAARWUzLeEX7HwbntL2u0LjXY31zCOB32cyQh
-HBvm/TLVexZQ5sDCl+X4BspA/RQWwu8os2t/sQqG3TG+W2pM9amCe51BQr9ZsEg6
-NnjTPv1xPqyZpa3vDcJMBpr85Ydboco=
------END EC PRIVATE KEY-----

checks/syncthing/sops/machines/introducer/key.json

@@ -0,0 +1,6 @@
+[
+  {
+    "publickey": "age1wjp0vvvy4d2c0pdrth0kl505rzpz37804swf6rrny9xa208mrg2s0r5m67",
+    "type": "age"
+  }
+]

checks/syncthing/sops/machines/peer1/key.json

@@ -0,0 +1,6 @@
+[
+  {
+    "publickey": "age14faw2l6rskw2gcv3rrkygmwmrp2ev9yclzq4fh8xf8sjeke8p97sw4dxuq",
+    "type": "age"
+  }
+]

checks/syncthing/sops/machines/peer2/key.json

@@ -0,0 +1,6 @@
+[
+  {
+    "publickey": "age1dutdww4x48f0e3tzmjlye9n852wx0qqhhcghsrefsq9m8c5flpfs2lxexf",
+    "type": "age"
+  }
+]

checks/syncthing/sops/secrets/introducer-age.key/secret

@@ -0,0 +1,15 @@
+{
+	"data": "ENC[AES256_GCM,data:f/KzvxsoWQFTSB17lPhe/MThYu4ZjJwvkCxKp7XkLyspFF9Dal4A+H+SY6vPG7yM3+dlE3ZnxjniUeivydDTwwJiWJ6E6XIhnPI=,iv:xat6pYzYV8sfyMKX4OMsr6oSOEOc09DDXGykKKoP14Y=,tag:xMxsIpYv7KrSYvpmvBvSUw==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArUGdWK1BnNjdCL1l1WlNB\nUEswYm1tYlIxWXltemdlQm1OcmlNbSsvTkdrClpRUjR6TUNUcGtxWWhGdDg5SG84\nSFFiV2p6ZHJwR1VKYW4vVFBHRGFSYTgKLS0tIERJa3hRM28ySHBUME4vTUE1UUFr\nQklDdTBWdWJpdGg0cnR1ZUNWREl6K1EKbRFOr3Rhb2aGnQUHiX+3DzGgrY9C2Dvz\nVlyZ0q6lWtn4qFWPVez03T8QAtLjv2UaGtYTFnyFIWiykhhrWy2PBg==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-04-23T07:54:54Z",
+		"mac": "ENC[AES256_GCM,data:LJCCaGNhBgFAKtWYMD6OcXg2FMq1DYDOySIpEY91ILXDUuJSSsuYyQqE6ZvCoThlogHd9inAajsW0GbzYpSflu/WyrqlQsNJSMFkBFBQh/FIjd18GUtZ4flHWRfHqAk/xM/g+n7iOgKMvaBrG1MG1DplLRfk/8ehcqlWX4Wxof0=,iv:PrjIiUYkePPXBRGF/Wnqi1ZgA2j4YtzL/uMC5KchfIQ=,tag:yMMrJ7vGt6urz4WfRAyaNg==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.1"
+	}
+}

checks/syncthing/sops/secrets/introducer-age.key/users/admin

@@ -0,0 +1 @@
+../../../users/admin

checks/syncthing/sops/secrets/peer1-age.key/secret

@@ -0,0 +1,15 @@
+{
+	"data": "ENC[AES256_GCM,data:q6mWG65NflVEvX1QUyRVFuRGOVg9wtyWDYQ8Plqw038pEyOrsVcj6Cmo6SRaRcAaxQmAUeplzYfzm2MgXMz1l/DySErH+mCyVSk=,iv:7X4mFSJXpUii+sppSAq8H7vYWGoDq3LnFJMAAjhhm7U=,tag:ep9vzbkzVtC2A8otat8vSg==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5bjNlZkppR01JT0F0TklO\nSnpIcFgwb0E5dStHQlZLdGNLQ3UxRDNBdEVVCnlpdWlPVVNIdFB3ZjlpSXZURjdS\nMVlCbFV5RXI0d2t5bHJvR3U5b2NDa2MKLS0tIDJLZlE0RjhNaGhBeFVsSE93Z0NX\nVVcyUjJPL1FVTEVOUktYTEMvVFNEdlUKYkmyVjcbAf5IVb/RWBfhbmoBbuz+u8X0\n3J8a/SJsgX3vLJIpVeSQSSFTNXu0+8/QeRiXsV7GCyHu+lwL75ycmA==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-04-23T07:54:59Z",
+		"mac": "ENC[AES256_GCM,data:rhi/f3r81Cm+yXJXpnPmyK7jNqJ1Pg4tU7gsOwjCv5CeJn8U6N78ZBiHndjdwzqSdp7+qwx/9gPpLQVoPzO2IhY+uRhg0l6v6N9iK9UD6tjNzsCw8zTIb/ehObRqqpzVn2BGkUte+g0Hu2/bpHFbq6qmGm8YOYnD8K7U2FoiuGQ=,iv:o7RaD5oogpjSgdfFPqb8Tfgn43ydSzA0ZTP2ayNZI9c=,tag:e/zmTPAIWX1uDQxLNznIWQ==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.1"
+	}
+}

checks/syncthing/sops/secrets/peer1-age.key/users/admin

@@ -0,0 +1 @@
+../../../users/admin

checks/syncthing/sops/secrets/peer2-age.key/secret

@@ -0,0 +1,15 @@
+{
+	"data": "ENC[AES256_GCM,data:2EaSVKRIMKVF9+qAozKl703entUWB04J61UM1QRj1omKUb5sDaOwnQKCZDZxO/CCtam/kz1jHoxCeFiJFcx+DpTyYptpSpYq1dI=,iv:syZ2HKRxQ73urS4Vwz7/3IMBYY6nk78zaooPMDkU1w4=,tag:uGaqxbU6/9DvkGY1Jq/XRw==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUMnJrb2VHYVdMRHJhYjFH\nL25nN2RIZ3pVeDdYTllrUkF0TkREYmNMMVdrCkNSaGlRd3c3YXZPZmIxWExCaytu\nU3FGTmhUZ0pUUjJJNS9vcVBISmFyZHcKLS0tIHMwaFlEYkFFb2RwS3JDb2VxRFcw\nZmd6S3RXVGcwbmtHVVRmWXkwSnF1RkkKTbg6igFHIakR8EAPuf+x9yhmQHF3TPp/\nC+B1FuorpovudtxmJ1UzBmkE0r13cY6iu9Vdjh1g7tBcXUWoHZsvIA==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-04-23T07:55:03Z",
+		"mac": "ENC[AES256_GCM,data:HuQQvWOGIjISxnNShYHLj4QinNoeOTwxpJK35swpcBnJ4JtDnA6F2JjpJI8DXIwO42eDbXIF22lJjqynRFRo6kQrrD8uhBHEFD2R+6U7zFxJ4gknWR1iF3fbM1+2VDiu8L9InpZcfb6Z8tpKPdPiYS3NGdoAJ0ClSw+8WlVsS5E=,iv:pJxsCP5Y6NTNAck0mphbLRnZ48sRRZ/YaYUobi6mGYU=,tag:ewR5QLBh3WRLkHlSGH5MsQ==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.1"
+	}
+}

checks/syncthing/sops/secrets/peer2-age.key/users/admin

@@ -0,0 +1 @@
+../../../users/admin

checks/syncthing/sops/users/admin/key.json

@@ -0,0 +1,4 @@
+{
+  "publickey": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
+  "type": "age"
+}

checks/syncthing/vars/per-machine/introducer/syncthing/apikey/machines/introducer

@@ -0,0 +1 @@
+../../../../../../sops/machines/introducer

checks/syncthing/vars/per-machine/introducer/syncthing/apikey/secret

@@ -0,0 +1,19 @@
+{
+	"data": "ENC[AES256_GCM,data:UVv08bXHtWMWcMC7tBb+xy7+3JRiOfVpRPD/q/TR1/+5,iv:ZNb3GDvtuZFbXlcJyN/kzy8cRppRqWnN308mAAkOc/4=,tag:Jv5MsPQ+gTBROzG6oo0ztg==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBha2t2enBPWUhHcXIveGJJ\nZklLeVNkNkhkcXFLczJjeHdFT2haSGF6UnhNCjh1MHJobSs4dmVKTVdzL1JRTXJK\nUlo2MzFOelV5UVNqVjladStHdUlqSGcKLS0tIGlqa1RZVHpva2ZmNnpSRjhseGUw\na0hmSER6VlZsZ1A2TE84OTVyQVVTRDgKoE3UzWOqYhV9Y/vayIGY6ak4MEPR+q5t\n5NY6VDkCwYiactvcSo36jiaru47jRr6ovk5Vfkq/jFO2njDND5mLqQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1wjp0vvvy4d2c0pdrth0kl505rzpz37804swf6rrny9xa208mrg2s0r5m67",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNZGZUVmVBOENtZTJmRTQz\ndUpzYXBwb1NUWmhPU1g0VWFkWUp3Y2JGQ0JVCjZPS1lxL3N0YlU5T2owSS9FSC9L\naWtScmdyclhqcTE3blFEZHRNRHhjOXMKLS0tIGR2MnhRdUpHZ2tqTzVLWFo0WVhm\neXlpWUdwc3ZHOGRXWTNlZC9UMHd2M3cKgabJLSO2rT1u+I4V/XdCt8iDXuFQw+2w\nwr2juhtq3IwBuO6VqQKwAy6hHNbEWa+e/6bPaoXiJAOdA6+LbzfSmg==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-04-23T07:54:56Z",
+		"mac": "ENC[AES256_GCM,data:ajkYjU6vAqrNiknSLZOYgFYiL7A6/ut+m3bt/x22Ms7LGZv5BgsTtLDw70gbAQh9fMbQCxCngkUrHk6bvVe9afpNvdw3fPQ9hfMkXquvDjhGHMvr3bmawsBJrShuywYRZY2z++f6FA0ApGVkSG1tSFDt/Tob1wkhxbPonGnsliQ=,iv:6H2X+4RkW48+w1dHWxa4nogKbHHriGyvAOr9ODf7m68=,tag:RWv+zSyqfaKcLAjxFHhqXw==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.1"
+	}
+}

checks/syncthing/vars/per-machine/introducer/syncthing/apikey/users/admin

@@ -0,0 +1 @@
+../../../../../../sops/users/admin

checks/syncthing/vars/per-machine/introducer/syncthing/cert/machines/introducer

@@ -0,0 +1 @@
+../../../../../../sops/machines/introducer

checks/syncthing/vars/per-machine/introducer/syncthing/cert/secret

@@ -0,0 +1,19 @@
+{
+	"data": "ENC[AES256_GCM,data:DdiIZhVVosBWWyQu52g9bZm4PHlYalIeNQZtiqzN6p0Q3GcIPZkrA7EUtiI/jLOY9ILRKX3yreJWlDQHiEdfjQhqR1Oneb3JVv41GASEIumhuxPU4VQyIMV3u5MNO7H+NkzsBx8JHvm0MOIar76B4Bc+7ZoaahHacNzog+rGxUplecoY8A22Cr9G71OFj4JPQJTK40DhdSxdmSaiI3FzqxyuzbYfMViVqm6X3hX/CUv5nxlNeFUw5ZKruOTq4sjgiy859dOTiTG1L4X5T2G9UNevg5eRAqGdmjB/DB8is8yMUXYloD5TSvoDXCS8rAB7DgrtcF91nv9Wxq5aYGv6ovHpG7sL/aOY507PyaWtItir1+Gy9M8ECQq50wgj308KEMSbllFIhiHaHklpqTZdJejIzVB5nxbMIrcF2537Nfw3T2awveBk7ZjuYFQ3lIZVWNe9mbVubH1JLZS6x/Fm+rY85KnT3hZHCRLuUTvb5b3My73UMmWmAN3DekSr/m7z51cxtvJQJrM9GV6Lv4PAbgzvz8BvWps/9pIQlqVPYk8fRBvKqIAtbM7V6nIH1Fx8hmoMYM+c2CIHhMKxh1b+SGTk3BYXRuF/MX/btAt0kwUh+qPQJEd+i+9qFCS2I26BzoFsjm4M9e5tp1tx0KazrsIrWRAi6faGI+i48VpYxP60BQdK0YZTczTVLw4nIZGWJ1m0cHzeViR/P3mvP0tROo4GyAloUP3QWAwC88I2btHmC008Ldg7XRmOrPtwMuj1Z38Sj1mlRSu3+5hYS7T9wbOg3J/S9o3xbGDzJFAVU5YouAhU3qWwKvmrTKn6WRPyGFafcbBxzoNyOwK1U8MtrvDEUyoevN9kP/nGbD7sfyJpStN5zrn/9NxANVAAWjje1vWVmjFlTdip9USRzmrSIbPb4PwgXjJJObF6VWXF9RTdlZNq486BTC2eE4XQ3stOJ6UJmRwsowU3TuI8xb9wNXZBFmwfkrNhvgOrpf6LTc6ouL5QfSgcj6Gg/mXvE24Y4yhRZA4lnDqbuyl7lIyzTyfiwSEmDbJTVkc=,iv:Sby7ZpP5/ThihlnmxBX485/dtdxHQBPEoHPhbRVc7hk=,tag:9azO7wAzCSkYj/Awv6X+7Q==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBreW1Cd3NQWE13NUJHR2Ur\nSmdWK3hvVHpNMzZ1cGxHbEdHd2FETm1tSkZBCkhNMHdReGRpZmVJVUJ6aDY4MW1G\nOFhHRVhpUE1FWThwZ1BDZFJxRnZqYzAKLS0tIDd6QTROa2JYLzd4RmtDODJhM2hJ\nU1NwSTE3TVQ5WEdGVzB5YVdYWWNPazQKot8O9EYCfw4r59Fn/9lYZ0xYd7SUo9lJ\nEsus6BeNg2VLFa5V5q3hlVgRHUgNM4LMqIhdDf9mkxULKt1ilmoB6A==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1wjp0vvvy4d2c0pdrth0kl505rzpz37804swf6rrny9xa208mrg2s0r5m67",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1Q213dEI0d2FMUDB2Z2F3\nOVp6anVnVVZSNTdGMktnL2Z1c3JxNEt6ZUhZCnhrRUFrcnRpRVJXbmNjSWJRQ2hO\nVnlCRVdCRUZidUwwNDQyc1UwemRWbkkKLS0tIER1WWhNNERtaEZ1NVZNOXZoczZN\nZHd3U3UrOC9PZWhPMTBCVG03ZVdRdW8KY3bksqIx78GETGEg8q63HvEp+b8GnLFM\nqE7hiC9sNN8THvXV5rZeJdIPYZ6Kan2Q09GxRzDEJBavK3ZK0DKblA==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-04-23T07:54:57Z",
+		"mac": "ENC[AES256_GCM,data:SckFGU9nPJi6t3bJdRqE49i7tqzcJQB4+ZZzuzSUTnPJV+Bn+/nr6zqbf40jG4qWPPV1PJsiXoJrTOQZ5O/skLg4++c4op5U+brRZqggeJepHVdHpxe7ldVak64Of7gMJ9S5fsynyRa+96kxf/qN2qZ1f63sk0u9bImPovYOJKA=,iv:EWWRbnySYk07m8oAio71VftGhRUJWiXYKJxsnErx2ng=,tag:MS7JFdlny6OA+MjCCz3kHA==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.1"
+	}
+}

checks/syncthing/vars/per-machine/introducer/syncthing/cert/users/admin

@@ -0,0 +1 @@
+../../../../../../sops/users/admin

checks/syncthing/vars/per-machine/introducer/syncthing/id/value

@@ -0,0 +1 @@
+Y45RCSC-Y2OENC7-OI2NQ6Y-VUU6W7X-TQDROMD-JZNYC3B-BZJA2TI-7IMW4Q4

checks/syncthing/vars/per-machine/introducer/syncthing/key/machines/introducer

@@ -0,0 +1 @@
+../../../../../../sops/machines/introducer

checks/syncthing/vars/per-machine/introducer/syncthing/key/secret

@@ -0,0 +1,19 @@
+{
+	"data": "ENC[AES256_GCM,data:DkRR6AfyQJh0rnuzIO9gOs+xSmtncpo4zQOOLMeyfRcMRYYMnfzFIDYrOg4AYEmyd/KDfX8O7r/9dfrg4t4VJIFtA78h7hVA3KFpVhyA55AMfiWKJUQZhTvZG2eRP89+S0tChu6spgTXFDXIwCXa8EwzUc5Cqd/3UHs1DFdsuwWpmcbbXY1P3k4iaSpvQse/7BC0TNn2bg2ZPd4i9ovdY9kyMyOT9/54JRr21PeJ2SJYzLEMhzc+VirU4xIWdRMvK+LJRPWQEhvDGUjxAE5B90rHYmAi8eAaEEB52wpQBthJKUdBoZHlZ/DUbk9CVF2UF4B1rBLOtnt+pN9EfBFqrq0my/6bElEQV3P5UcdC7Z/sOjWVQvjBkHc9wkJp0g6e,iv:T0qYtoUeX7FZA8omE4heI6Beeh4gmbYoJ4Ww+6ix5AY=,tag:0FpsipDR1pfQA2/Z+4ogQQ==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWam5QUlF2K2ZQa3RjYkxt\nZXBmbmhKcC9HeklPL2c3UFRsUGhxL212T25rCmpCYzF4MFd3REk5cWtsSSt4ZFlK\nMzlLUUg3M1J4am1ZSVg0ait3eHFtVjgKLS0tIGpzYXJzWXJ4emhIOS9oL1E1SVBR\nRXZSZlVtMENGR2RNRzRMcGxCZW8xS1UK1BuhZV2eVb545eTg7I+wk5Dth6ZUwb9R\n5KkJ8oNSahtk9J27ZmJNIuof+fEj9yNueKHbvkDGo5rUoeH9u/awsw==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1wjp0vvvy4d2c0pdrth0kl505rzpz37804swf6rrny9xa208mrg2s0r5m67",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0c1FmdlRUSXBsaDcvMmlj\nUVovdlRoMzAxeGh1blh1OU1JWTh0OElhZkFZClpyZ0JpcGVFbHRJdHhqNDRnaHhY\nQVVSS3NwcXZWMm83R1BPOTAySmF6QTgKLS0tIDd1OE5VYm5qWUZtd2VvYmdob2lG\nODlpUDAzdENDT1Nvdlo2bnVHRjVRSzQKFiKoA9JY6vY6+StLnLq3Fx0SmCRDro6+\nTLy2MmJM2VjdixMBvSDJATIXdf2T5lRFqGeJIlmLftzwCSJNmar+qg==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-04-23T07:54:57Z",
+		"mac": "ENC[AES256_GCM,data:xZlGmeBeMrM4bCYU0j/1rz/lh33Zm3SUKJCSHWQ9rkVzBqD6Zxok+8OLYPIXKmEUQLuD6A3Jj8BIELm7poC0ycDqTCHRP6crPR3TZ9Ha/8ws5yjpbvQA5lvYcF+GindIhTHifo0LlkXsr0Yr3ViErvHHwLifmB2RBYw++gUhxHY=,iv:DT0GgfCrKpVLaBtljUMzSMZ0vP8o24VIiUfp0etNn9Q=,tag:+4kYXei4E1AMpNAusQKcVg==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.1"
+	}
+}

checks/syncthing/vars/per-machine/introducer/syncthing/key/users/admin

@@ -0,0 +1 @@
+../../../../../../sops/users/admin

checks/syncthing/vars/per-machine/peer1/syncthing/apikey/machines/peer1

@@ -0,0 +1 @@
+../../../../../../sops/machines/peer1

checks/syncthing/vars/per-machine/peer1/syncthing/apikey/secret

@@ -0,0 +1,19 @@
+{
+	"data": "ENC[AES256_GCM,data:j/cBGXgSdfB1NOuNdj6w8rdF5dVQ6ngu/pIDys7NIwoX,iv:9G2mTyHNtryKqR0hk8sceaYvQMvIMeprH2M34RphhuY=,tag:8eSMKD5PVwGB+rPS7/XBng==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age14faw2l6rskw2gcv3rrkygmwmrp2ev9yclzq4fh8xf8sjeke8p97sw4dxuq",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4NVlLSjEyZGFoRXVkR2ZE\nSE9NeXV2V3ZDVXF0RVBUamxWdzNIL2ZYdXhjCisyVWxLak54TS9wVU1VUzVjQVEw\nZlZUaXFqSEdFd3BuMmZzNllKSkxxT28KLS0tIHNqai9wYm5oUHdjbElmRlZrRVg1\nK3BSeG9rTGJyQUpKZU95cjNQakRKajQKUBXxIEwTiz5grVKfbWlJnCC9OiHhDFCi\nG5gNsUHcj74tTWSM+nIAzjRsRWXHpz7kWk/05EQ4W0auOhQ2FaHSTw==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxSkwrclJrRUVqYjZXZ2ZR\naDBMKzdocjBJNlN2U3A3T09jUmNkVDk1aDJNCkQyQVU2RWpGYzJqdVBKdVRCUHdZ\ndENMbGl2VjNCQXE5Q1lBMEVHYVp3UWsKLS0tICtaZFZGRmxpMTdodGd1a2dEMDYr\nNUowMy9MNTQ1bzVxTlJ2bDdmWjJSREUKJUZ8lQ45pQBXrOfeW25v84ywXN52Og1F\nkmtXkBNAOTr5OkJVZbUXa1lQ0CahLluleVufX0wJIyCpBfhmnjHYFQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-04-23T07:55:01Z",
+		"mac": "ENC[AES256_GCM,data:kUDSBhylpGSwaHDw6HK62UgtIAmG6gnAnoooFTBC5XLS/FX1KhWIg+8fmJK8mHbPVGE/Ju7Qa8cxAEEIWa12xoVlsu6UlaHOIwiOTab6gHnxAA/WL+vYjf5H4IVzh6uOJwGIl+Wc//Yovlifs5Kg2ftkiU7rlrm5aMN6GkVGS70=,iv:hRtDatGis5VgWZcyzky5MZADba4ApZhclOxjQNgDXiI=,tag:iHcjmXiHoOHTJ88kFwezdg==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.1"
+	}
+}

checks/syncthing/vars/per-machine/peer1/syncthing/apikey/users/admin

@@ -0,0 +1 @@
+../../../../../../sops/users/admin

checks/syncthing/vars/per-machine/peer1/syncthing/cert/machines/peer1

@@ -0,0 +1 @@
+../../../../../../sops/machines/peer1

checks/syncthing/vars/per-machine/peer1/syncthing/cert/secret

@@ -0,0 +1,19 @@
+{
+	"data": "ENC[AES256_GCM,data:PWIDQ2EF758/YMlZ6LKB7ofyCKQJuAi0ksg70oB+Km0O5JLJ1O4nz0gpf4dk3qoHRyoyEHH2UvMHD9c7Wuxvy/2YNsIkocpDKiNLUBymYlbqA8TAbg5aZU6q5P7KT5kEujFHZlRxeDoYVgV+wtSs19nGnuZmkkqqkJ/cLWEau42YNTZ+Zu+qnahVI42eGxDK3Hz4Gynm0t5xXCHf3IQI/6eXbDxOdcTepx4hkYnE6zWIsJdS+yK+aw9dtz1NJlpaPTV9OACFZXqlEtP7H3d9XVVyGd8Gx1FbjcJZosMBEB9fG+bmxFm20gBksB1oGBaKh5sOB8OGhZEvxGqFjsJXYt1WPbm/POIvu9oDaWwAz3q9QRC60IbRSogiKLnGkeavnKqC5qYEFTcFr+9JbM9g6+pyI7PosKt5GACpqFODPx/U8iu3ooxseeI7ncDuiNbmWrDAhBcELmclWrRN879nDlfAw+Ct9EIVmP97oFYVAM6fvbxzhQ0uFe9Xrh+G0gsKnfc+XYiEhG35Ge//PdXUI1HDIaGEqcEMpH4dqzbYqkx9CKZ5+fhIcL8R0WBr4I2MI80gvD2ga9k6jpnhnlu6izAajEMNcOjCXrwc47dh5ytRi949gg/HLu38NUU8cG5JtnNP2qqHmn/hFVtTDWL7BDGGAIopC1vyJCjHY1s6pedoJkfFOEPJoKBl1bU8WCbz68GkQ5f0LrFK4026iiI0ExKXP8BApbBEU+UROqzEPcvcC24+5wUbWCnBO0O4S1k7Z4rZdfUVe9XqN2qTLFUgyaEUAnov48aB09+wsnol4xxbkkD3eihpihG58yzwBrPIhsttApOcEhMwjMwrXvbrDcV1wedglZdDCjTa7z0lPwxHaAIf4obYyddlZ36whBU8fsJEoLD2dzTzXFEmGPUKPFwtocJ4IJbNYvNBBmjeH2Eh+wcZyO0dpEuQdMY1zWeYMGWbHSuQC0LdfSvx+hCmsr2rfu8ISVqAgI7YgJc5rNro+poMl5kLpwbSFwH0TdXUJfeRuGFzi7iDgLduf5ZuUMUDsPbw7w==,iv:d6QjUKGw6zfp0Me1YjzkcEtR2fgXuKMjISB4LTbkHI0=,tag:AVyZuNbT81ER6e5/eq9WMg==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age14faw2l6rskw2gcv3rrkygmwmrp2ev9yclzq4fh8xf8sjeke8p97sw4dxuq",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVSGxaVXN3LzFQaUFnN2Fk\nUStGY1J0a2YydFNVOXZBbjBxMmpLOUdSVVM0Ck5NWTVjNkZTSEVHT3N1UzltVDhN\ndnM3czdvV1pTVG5OV0QwN1hjRC9FYjAKLS0tIFRpS25rL0NEMGJKUHhrOG1TQVNS\nODkybmFPMnBwT3J2T2N5eUdnWlNuWk0K77EWBMrWSRcOgJz2VMTWG8b2VF3hsnfN\nlB24D6g6X+NyYqA5sr6tt2CokSelHvDmdQPp+9ctFUd8MZZOG80odg==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3TTlVS0R3K0N5QlRmOXlz\nU0JFVmx5VktaYlhKTnNYRkp4YmVHa00xbkc0ClZVQ0ozQXhNRlNvbHJ3M3VpdUFy\nK01kV1hJeG1iSVZDUTFGUVlZdHF2VjgKLS0tIFRLcldTdWpmS2RFM3lkcUlIbWg4\nelNxYlowWlRQbmhlUFRON0lOTG5FdFkKFPvYOu22il6Sq2YSHmV1p5ffOafiUQVz\n19YU773ENRNtodhqigpyJJYsC53gI4lbQC70taJciICdcmdFo/OdSA==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-04-23T07:55:01Z",
+		"mac": "ENC[AES256_GCM,data:+jHseVVdCG1Y/0D9hnO8DP7mZIV60nG1AHw11R+pGy7EHhKfLlHT7/MwCRSCbP2hwekUtfrOsuRxSCnckv29h+BMGSi3NZNPXY04tScvEmMECXia7UQWE2o0gQHHLEfSVoWYJ2dcC60cQlpXYocNY47pFx0eq0Q/u6F0SOZwEjU=,iv:GNFszYeZUVdnonQgyVNp5RPofInAOFwyk1wi506wdrI=,tag:Ix0/OieMU7KNwx6y7i8LyQ==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.1"
+	}
+}

checks/syncthing/vars/per-machine/peer1/syncthing/cert/users/admin

@@ -0,0 +1 @@
+../../../../../../sops/users/admin

checks/syncthing/vars/per-machine/peer1/syncthing/id/value

@@ -0,0 +1 @@
+BZMMAO2-WNUTFFN-GMRL6TM-QZX57TS-Q3NXHVU-V3VPNGX-QHQMBIX-LWQUQQA

checks/syncthing/vars/per-machine/peer1/syncthing/key/machines/peer1

@@ -0,0 +1 @@
+../../../../../../sops/machines/peer1

checks/syncthing/vars/per-machine/peer1/syncthing/key/secret

@@ -0,0 +1,19 @@
+{
+	"data": "ENC[AES256_GCM,data:e9zI2AphJlfeoK08uohWw+uQKdBBitrMnJCEwE5EPxD6w1qq/yoR5d94fwmEW+PzMRC+eg838I0sACEWJ0XIBb6uOECbKbhgqfqKi67GwXaobtjfQMpYe2xZvODb0LWQdZ33hJ1h23mGnbNlsafVMFySi0ydeul7rCLdNULhIBR6ph+JQHCsOO0G9BVZWSjKc1P/ItcoapMHhS0KzEhY87E6p6jkZFKrVi+bz9e1rF9uSemPF3kE/MAz3PBaqp2JbSrYHUgvDIFuQVt1AK+47rnB3Lmvk2iBD5aYXn+q6ZMRA7M5pYDxTglTlOpALikbjuUmiRZpMuJR+vCsmIEfO/MtoTah2Rawvbyn+80J/iD0C10xF4XvTgv+CAYtJhiw,iv:FZywq4cjxcMpWOYZyBKVCXHPWUNRAp01ufx3LIexfGw=,tag:Rc2iAT6CdP3UYvHf5nvDgw==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age14faw2l6rskw2gcv3rrkygmwmrp2ev9yclzq4fh8xf8sjeke8p97sw4dxuq",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOUmNuaWlsZXMwWE9OTVZz\nVWR3MGE0TnN4eW94TzA3a3RHK000Yy9XS1MwCm8rN2xSWTFRSG02c285UUVLTFM5\nNHN0Lyt2T1c1K0tqZEdkd0VCYTVMSHMKLS0tIHpOY1hKS2xwazd3bmJIZWZvc1h6\nR2VocjBudk10bm5JVDIydVpiTnFBcnMKS5Ip6wMtZ0lfyGXLE0CJsgY6JYATPId7\nKQB3iY4YcDnW4Kz3Y8mouJcS3wGpu5l5CvBBpjbP3uUQRD1r6ex2HA==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaL1QvcXh3UzZVcFkzK1Zu\ncGtkNlptWlJSZlhxSjNzUzZlM2pzUGFYRFNRCm9xdU9HZ29oT2NNM0lkTVFrWjY1\nbFNPU3BsUWVDbW9EcWlLM3NzbTNTanMKLS0tIEtJQmdwNnBXa1lveEovOC9jRkZs\nbkxOL1dkdGpCQkkvMTNrQ2FZWDF2TTAKptb/vJ5kzpULSm8LeAJqqR5Tks33Vf52\nJaVEMSbHJxcIWWR1Sf954pOOgoOyVpB3BB/DFOAf6VOeVt8RBalvBw==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-04-23T07:55:01Z",
+		"mac": "ENC[AES256_GCM,data:WuvkahW8Nm091/eyitO/fmUJE0c8V2G2LAkfr0QdoLqppevEjV+YGNmtqtkVYFnxoQYhzysjVT54eVHVWoeZV7yUg2P9gwMIShT+skayJfXvZfJyvEaNkHWloWeGOLn5gv93P908srTKhHeufsnfGl/hkd+TuNwzzE2mS7k2gMs=,iv:9CPjqSABHJY/sXhzU3AVvtWW5tLMHDqjAV0/Hu9/Jsc=,tag:FYMbuN/BoSowzuoyoFlYxw==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.1"
+	}
+}

checks/syncthing/vars/per-machine/peer1/syncthing/key/users/admin

@@ -0,0 +1 @@
+../../../../../../sops/users/admin

checks/syncthing/vars/per-machine/peer2/syncthing/apikey/machines/peer2

@@ -0,0 +1 @@
+../../../../../../sops/machines/peer2

checks/syncthing/vars/per-machine/peer2/syncthing/apikey/secret

@@ -0,0 +1,19 @@
+{
+	"data": "ENC[AES256_GCM,data:4KwVxOYKVLymyDXQ9GswpxJi6Fi5BCDJzMj4d/02nNa4,iv:9uGX3BRswPRlgPpPjdodzfwjbj7vmTqTcDNClKdGGlw=,tag:jLkefKqBfdRVy+qV073Ksg==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1dutdww4x48f0e3tzmjlye9n852wx0qqhhcghsrefsq9m8c5flpfs2lxexf",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTWmdQb1VNRUM4NHViYzRU\nOEkzdnhneFBQaGJ5ek1NTUxYcG5YdDhUQWhvCm1RTVc1aFRkczBYLzVZTUdhbjBz\nWXJqTDUyUXRmQVJ1R1p6cC9wSTNVbUkKLS0tIEgwSTVhMTFsdzRHdW9QcVRlZ3l3\nd2xrQkYzVFBTYldlZGtwakFnUHF2WmMKJa1A6a7umGgaFHSq8JqdwUQ6oBu65r1E\nCHSdEt7vviRXS6TRhdMdH0OiKQPTpHdspz6NRwn9KjMbrANq9Cxl6g==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsSnMxNHBJNXVyd0RKTFYw\nUW5VMGJFdDI4dTNDTTNKL0xOZ1dvQTlGN2hNCkFPbGRhc0pEUGNlN2NManV0MHRV\nOXZtTGQwbWo3cWN5d0kxd3UwcHh2NlUKLS0tIGs3NERZRTRvc0h5T0h0SFV0VzBv\nL0hCVXE1TmFKV25lWHZvOGQ5YzM0ek0K19o2HCcCHlI55kQ1khuyXMnYGf7X5YI8\nsOgm6sM//6qB2I1DC/IwrHT5+yq/3CkqKcHYfinr3ClaKNDLV4hpAw==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-04-23T07:55:05Z",
+		"mac": "ENC[AES256_GCM,data:5S1c4kdweAoikTnowDMWYXbSOS4v97CVMTeq+OFb78FHDKVwlnk1mT43cOLVyF02i589Lxf1rMXl7T9mXyYpY6fTvWKpRBewryS58eUaI01K8NFtS/+aqdgtXoqx5jO4BHrITTlJUjQh0PfXf5Lv7cZBPiNZnu9lfwrxsNbRRPE=,iv:NQeuNVZaVjBOGydA3aCPWHTX7rlG2/I4+YhOTli+nIE=,tag:wzuOuMECuitwewGArGZMeA==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.1"
+	}
+}

checks/syncthing/vars/per-machine/peer2/syncthing/apikey/users/admin

@@ -0,0 +1 @@
+../../../../../../sops/users/admin

checks/syncthing/vars/per-machine/peer2/syncthing/cert/machines/peer2

@@ -0,0 +1 @@
+../../../../../../sops/machines/peer2

checks/syncthing/vars/per-machine/peer2/syncthing/cert/secret

@@ -0,0 +1,19 @@
+{
+	"data": "ENC[AES256_GCM,data:BEFeUE9tN3sjDQmLICGXziA5VPDfHNyjHaMmQlcjJj/AUmhMPOdBUAo28rPPXE+ici0vPLZmXVEcgd4ad02YpBfd1EfUMZW9vz10sv51I7ac/ClFfmbRU1q1CNDiIAHJUErDbCTghnpJMNAiz3CDg409uF8LJ/UmDo73uN8O6UVYI+jB1nxbUD8zPKpQnydRSf6MIrUSluZ3ckDNuoBe2ZcHrvBpbnzhEYHEnEwoM9C9uQQCWtEOjyrahWKr+7wCd7kgVhQfPJLeiSZDgmnnLw0q61dPWNrTyRa48DX5wMgKOOYUM0fMtPI2HGOEqTcel/smNR/4uHVyjsQBuwK/mSdwmfKxVACu6Hxb9is+qkK7pQuPYYLyyubn/nbIhflOLlH5CxbVj/4LK1wDfMbrCOueVq5Fshsj51AgNipi0b+srlDeVnWuQ1BWoCHQ4YTMdIUB5PMYPLCONWlbsb9OQoaAnD03JA3ucCUvpEEtVkqxXMVh+5VjzPX+VoenyVP6O1amiwO1FKIGh0sRd8OJRTD4ait885T4xx2e/Evi9gxZpirFmmn8enZ+oi+zL7YFLRBp+GVso/TRHHEesCHLmsqCaclt6i6BQCK4z2lLd1bXu5ATtx27ka54qdD7sTf1XhcU8Za0d+wmDNzwOCiuMMir37XDWFnR6HP1MS9cgCAVMCxmP4ETZa3FXlA0muwSWOifMlk5OZBoorMNAq543Cmffteh883NRkHUF/SAfr7hVCzUfPsDC3px7MvgqiNaUAi+bvjxlTU1NBZOMvTYtkBcpXzSyjuQ2pVGVEUKNxG8w4QS+5UoUtBBvGCF61D7iWIEHvTfJ8U6agWpcJLSMTAhNjQ8WAbYm3zMbv0J4r4qDvqe8Jn6+3lzZ5EYk4dUvd/6r/pzVJhhhzgEuGn6hfcJusb9xV92hTAVqkLocrwGzvDJ1R/kNx3shm+8H0VRiigrANoRpiTGNPF66qUynkaGU/S6K4Oo2fjCeOrpkO/XwhWsK6ZQ/24a10pO+diBLsGGoW7boqC3ff6sSxhO+Dpl4IEV9Q==,iv:Pc8ZfMZ1ZW94tRkQeVs4VZUfeXUj3WG1h4+mFW7Zafc=,tag:Q2SzduFZATYjEZJeurUMfw==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1dutdww4x48f0e3tzmjlye9n852wx0qqhhcghsrefsq9m8c5flpfs2lxexf",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwUDBxUm4yUXgybmdzZHBV\nZVJXcFNuN3FENU91Y2U3bDEwN2t2ZmlCQW5rCjdta1FvWWgwb042alUybVZ4WVB1\naGIrdUR3aDNmazZSd3YwSTNxb3d6b2cKLS0tIEc3dHhuRW5SaWI1YUhHQnpSR3Vr\nQ1paemJKWld6SENUbmQ3dHFmNnNoZkEKBAO21R4igmxdkZWg64tNj/wVQql4zDI/\nM6Huuoy0KqaMNGnQZyYpHOoXaA0V2Z3wRIiqBpYmpF9yPX41TWDqAw==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKamJ5TDNlUHBUSm1aOW1z\nMjNEODZJWk42NlJFTW1Zdk1XWnFMU2NuZndFClJpZGVwdWtFRWgrU1EwMndxRTZK\nR0UvNzJwckZMMzdaNDBwMWZKeGppUm8KLS0tIGxsbVhqcGpZRlNGRE5JWXo4MXYy\nZGlzcVFlNHUxRmEvRkNPU3dGWlJxVXcKO/qq4BD40ctBTLKbTUb5elD/QOlFfeSL\n1a9ioyiNVehXsOWmgjg2x6POfY/1FTqB3x6PG7CxdSw5Qg31d4qcWw==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-04-23T07:55:05Z",
+		"mac": "ENC[AES256_GCM,data:JW1ACIn9FnOYm0a18UanYeXgdoyuGXaBzvGMBdSTUBJAF/soeN/DP41mpyzWl9JknzId+R6qooSJ3Zs9asekeUc+9ehc2ra9KdKDNEliwB1Hi5GswIYo1fYRdRrPPBV0EnWg3lLT9Sa3vDDDKQJiMUA30jnGIkN4rNOA4xD4KeE=,iv:Eyvx/ZkqM63jaamPRk5rjjeWQsA3c0rmB2Xhl28HAYc=,tag:KTzwnPsVw9uTYQU2al5mhw==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.1"
+	}
+}

checks/syncthing/vars/per-machine/peer2/syncthing/cert/users/admin

@@ -0,0 +1 @@
+../../../../../../sops/users/admin

checks/syncthing/vars/per-machine/peer2/syncthing/id/value

@@ -0,0 +1 @@
+TB7HCPA-CIEXTMA-KXMBEL3-V2UIPND-C2VBRVP-BJTYZP3-G62QKYA-HFF2CQ4

checks/syncthing/vars/per-machine/peer2/syncthing/key/machines/peer2

@@ -0,0 +1 @@
+../../../../../../sops/machines/peer2

checks/syncthing/vars/per-machine/peer2/syncthing/key/secret

@@ -0,0 +1,19 @@
+{
+	"data": "ENC[AES256_GCM,data:H4xEba34JvUXuHAIxXapjcBgtScEBn++uzXqKKeCttTgHbMTHuFczAHRbNraPn6qMJj8dkgPgHuAf2xbwnIxoabnFK9C34f84DyN0QdiIUSi7WweWLK6u6HtfaL4w1yoQSwlnv3t/wYPFObMmbEivfPi7zR1ojdoZhKflCBg8piUWzh915PDiZzJ/jrdsQs1gzPD05JWPm759TgQb7vRsueXl+Cvl/sTpSQsR4TyOzJ4UveJnpGskpJiKHODkUcON5l7Dp1PJWum2Vy86bIYdsIKtm2JWysPxIbGhXHCGhrgbg5IbtTzc/XAd4P8OD2cRWeVO9zho5mUzSrHhMwdI33vmw3CvT4eLsE4i9a3NioiZP+skUm9+DIWISlaV7NS,iv:2/XetmHh4rKd3P4wjMPvmSId08u+C34g/Bo7H12G890=,tag:x9r6j87FGYex16eGhgwXVA==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1dutdww4x48f0e3tzmjlye9n852wx0qqhhcghsrefsq9m8c5flpfs2lxexf",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyd2J1VWJ5b1RHUS9QWVN5\nakRWNjFsVWRzWHVkQ1Jld2E5d2ovNWMyRkRjClhQY0dWN3IrWlI1L3Y0c2l0VlFY\ndWphNkRiWGFQZnB6Wlh6eWR4KzRwREUKLS0tIFVMQTk1YUpKZGJHUzQwZlRLN1hV\nTkRud2gwdE5VQlJrNVZvcmluZ2dOUVUK/TxbSStfbidfeiT6oxqXwY5xNqRQ8bbf\nRsrUR7904v41JgwawFFcTgf701SM4D0O85Nc9Sog8OkGO36jMqOEtg==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWYWlJSTVCWWdOY2Yybnda\neExPU1Byb0REOGc0S3Z0MlFuWHFLdkdXbnpBClk1c1pMR2V2ZFBWckNRMmJJc3Jp\ncG9qMmU1NElVeVUxS0xpeFV4VmxqS1kKLS0tIHZYYktYaHFIZXVwWkh2bThDclcr\nQlNhcDduOXJnelI2cmNEdXVzSDhlVFkKTOXZB7SJ4vl++Du5hFi9T3nMhxPNmm8s\nkODjnmPxyKYvRMfrDzPkHtzQKaPMHRls9yzZzE2imUhwKpVlvwu2lA==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-04-23T07:55:05Z",
+		"mac": "ENC[AES256_GCM,data:PJ0CH2G8tYNnAQV++BNTZbG2emMTp0EEY29NLXUEGxwdWfuHTZxc8QnYx1ck+4Rs28a9U7KHffnPfh4/8NwnnR9MmDcyoLN6/JMHWzUJQZhuMpGGoDxJCaxs/dFaiitlvhNdazSf1f2t8ng+OKokG6L15Mi34oXNTQ/0dyYG4Hc=,iv:YzZBO69nY4p9ut3e8NBGD1EV6Rbq/6z6z2Oh2OnM8JI=,tag:KUQqxuxJfMRSvbbRP2fLng==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.1"
+	}
+}

checks/syncthing/vars/per-machine/peer2/syncthing/key/users/admin

@@ -0,0 +1 @@
+../../../../../../sops/users/admin

checks/update/default.nix

@@ -1,49 +0,0 @@
-{
-  pkgs,
-  self,
-  clanLib,
-  ...
-}:
-clanLib.test.makeTestClan {
-  inherit pkgs self;
-  nixosTest = (
-    { lib, ... }:
-    let
-      machines = [
-        "machine"
-      ];
-    in
-    {
-      name = "update";
-
-      clan = {
-        directory = ./.;
-        inventory = {
-          machines = lib.genAttrs machines (_: { });
-        };
-      };
-
-      defaults =
-        { ... }:
-        {
-          environment.systemPackages = [ self.packages.${pkgs.hostPlatform.system}.clan-cli-full ];
-          services.openssh.enable = true;
-        };
-
-      nodes = {
-        machine-updated = {
-          environment.etc."testfile".text = "updated";
-        };
-      };
-
-      testScript = ''
-        start_all()
-        machine.wait_for_open_port(22)
-
-        machine.fail("cat /etc/testfile")
-        machine.succeed("env CLAN_DIR=${self} clan machines update test-update-machine-${pkgs.hostPlatform.system} --debug")
-        assert machine.succeed("cat /etc/testfile") == "updated"
-      '';
-    }
-  );
-}

checks/update/flake-module.nix

@@ -1,102 +0,0 @@
-{
-  self,
-  config,
-  lib,
-  ...
-}:
-{
-  clan.machines = lib.listToAttrs (
-    lib.map (
-      system:
-      let
-        configuration = self.checks.${system}.update.nodes.machine.system.build.extendModules { };
-      in
-      lib.nameValuePair "test-update-machine-${system}" {
-        disabledModules = [ { key = "no-switch-to-configuration"; } ];
-
-        imports = configuration._module.args.modules ++ configuration._module.args.baseModules;
-
-        config = {
-          _module.args = { inherit (configuration._module.args) name; };
-
-          networking.hostName = lib.mkForce "machine";
-          clan.core.settings.machine.name = lib.mkForce "machine";
-
-          clan.core.networking.targetHost = "root@machine";
-
-          virtualisation.bootLoaderDevice = "/dev/vda";
-
-          environment.etc."testfile".text = "updated";
-        };
-      }
-    ) (lib.filter (lib.hasSuffix "linux") config.systems)
-  );
-
-  perSystem =
-    {
-      pkgs,
-      ...
-    }:
-    {
-      checks = pkgs.lib.mkIf (pkgs.stdenv.isLinux && !pkgs.stdenv.isAarch64) {
-        update = (import ../lib/test-base.nix) {
-          name = "update";
-
-          nodes = {
-            machine =
-              { pkgs, extendModules, ... }:
-              let
-                dependencies = [
-                  self
-                  pkgs.stdenv.drvPath
-                  pkgs.stdenvNoCC
-                  self.nixosConfigurations."test-update-machine-${pkgs.hostPlatform.system}".config.system.build.toplevel
-                  self.nixosConfigurations."test-update-machine-${pkgs.hostPlatform.system}".config.system.clan.deployment.file
-                ] ++ builtins.map (i: i.outPath) (builtins.attrValues self.inputs);
-                closureInfo = pkgs.closureInfo { rootPaths = dependencies; };
-
-                inherit (import "${pkgs.path}/nixos/tests/ssh-keys.nix" pkgs)
-                  snakeOilEd25519PrivateKey
-                  snakeOilEd25519PublicKey
-                  ;
-              in
-              {
-                environment.etc."install-closure".source = "${closureInfo}/store-paths";
-                system.extraDependencies = dependencies;
-                virtualisation.memorySize = 2048;
-                environment.systemPackages = [ self.packages.${pkgs.hostPlatform.system}.clan-cli-full ];
-                system.build = { inherit extendModules; };
-
-                services.openssh.enable = true;
-                users.users.root.openssh.authorizedKeys.keys = [
-                  snakeOilEd25519PublicKey
-                ];
-
-                system.build.privateKey = snakeOilEd25519PrivateKey;
-              };
-          };
-          testScript =
-            { nodes, ... }:
-            let
-              sshConfig = builtins.toFile "ssh.conf" ''
-                UserKnownHostsFile=/dev/null
-                StrictHostKeyChecking=no
-              '';
-            in
-            ''
-              start_all()
-              machine.wait_for_open_port(22)
-
-              machine.fail("${lib.getExe pkgs.tree} /dev/disk")
-
-              machine.succeed("install -Dm 600 ${nodes.machine.system.build.privateKey} ~root/.ssh/id_ed25519")
-              machine.succeed("install ${sshConfig} ~root/.ssh/config")
-
-              machine.fail("cat /etc/testfile")
-              machine.succeed("env CLAN_DIR=${self} clan machines update test-update-machine-${pkgs.hostPlatform.system} --debug")
-              assert machine.succeed("cat /etc/testfile") == "updated"
-            '';
-        } { inherit pkgs self; };
-      };
-    };
-}

checks/wayland-proxy-virtwl/default.nix

@@ -1,4 +1,4 @@
-import ../lib/test-base.nix (
+(
   {
     config,
     pkgs,

checks/zt-tcp-relay/default.nix

@@ -1,4 +1,4 @@
-(import ../lib/container-test.nix) (
+(
   { pkgs, ... }:
   {
     name = "zt-tcp-relay";

clanModules/auto-upgrade/roles/default.nix

@@ -4,10 +4,10 @@
   ...
 }:
 let
-  cfg = config.clan.autoUpgrade;
+  cfg = config.clan.auto-upgrade;
 in
 {
-  options.clan.autoUpgrade = {
+  options.clan.auto-upgrade = {
     flake = lib.mkOption {
       type = lib.types.str;
       description = "Flake reference";
@@ -15,7 +15,7 @@ in
   };
   config = {
     system.autoUpgrade = {
-      inherit (cfg.clan.autoUpgrade) flake;
+      inherit (cfg) flake;
       enable = true;
       dates = "02:00";
       randomizedDelaySec = "45min";

clanModules/data-mesher/shared.nix

@@ -13,10 +13,10 @@ let
   defaultBootstrapNodes = builtins.foldl' (
     urls: name:
     if
-      builtins.pathExists "${config.clan.core.settings.directory}/machines/${name}/facts/zerotier-ip"
+      builtins.pathExists "${config.clan.core.settings.directory}/vars/per-machine/${name}/zerotier/zerotier-ip/value"
     then
       let
-        ip = builtins.readFile "${config.clan.core.settings.directory}/machines/${name}/facts/zerotier-ip";
+        ip = builtins.readFile "${config.clan.core.settings.directory}/vars/per-machine/${name}/zerotier/zerotier-ip/value";
       in
       urls ++ "${ip}:${cfg.network.port}"
     else

clanModules/dyndns/default.nix

@@ -210,14 +210,18 @@ in
                   data_dir = Path('data')
                   data_dir.mkdir(mode=0o770, exist_ok=True)
 
+                  # Create a temporary config file
+                  # with appropriate permissions
+                  tmp_config_path = data_dir / '.config.json'
+                  tmp_config_path.touch(mode=0o660, exist_ok=False)
+
                   # Write the config with secrets back
-                  config_path = data_dir / 'config.json'
-                  with open(config_path, 'w') as f:
+                  with open(tmp_config_path, 'w') as f:
                       f.write(json.dumps(config, indent=4))
 
-                  # Set file permissions to read and write
-                  # only by the user and group
-                  config_path.chmod(0o660)
+                  # Move config into place
+                  config_path = data_dir / 'config.json'
+                  tmp_config_path.rename(config_path)
 
                   # Set file permissions to read
                   # and write only by the user and group

clanModules/iwd/roles/default.nix

@@ -7,7 +7,7 @@
 
 let
   cfg = config.clan.iwd;
-  secret_path = ssid: config.clan.core.facts.services."iwd.${ssid}".secret."iwd.${ssid}".path;
+  secret_path = ssid: config.clan.core.vars.generators."iwd.${ssid}".files."iwd.${ssid}".path;
   secret_generator = name: value: {
     name = "iwd.${value.ssid}";
     value =
@@ -15,17 +15,20 @@ let
         secret_name = "iwd.${value.ssid}";
       in
       {
-        secret.${secret_name} = { };
-        generator.prompt = "Wifi password for '${value.ssid}'";
+        prompts.${secret_name} = {
+          description = "Wifi password for '${value.ssid}'";
+          persist = true;
+        };
+        migrateFact = secret_name;
         # ref. man iwd.network
-        generator.script = ''
+        script = ''
           config="
           [Settings]
             AutoConnect=${if value.AutoConnect then "true" else "false"}
           [Security]
-            Passphrase=$(echo -e "$prompt_value" | ${lib.getExe pkgs.gnused} "s=\\\=\\\\\\\=g;s=\t=\\\t=g;s=\r=\\\r=g;s=^ =\\\s=")
+            Passphrase=$(echo -e "$prompt_value/${secret_name}" | ${lib.getExe pkgs.gnused} "s=\\\=\\\\\\\=g;s=\t=\\\t=g;s=\r=\\\r=g;s=^ =\\\s=")
           "
-          echo "$config" > "$secrets/${secret_name}"
+          echo "$config" > "$out/${secret_name}"
         '';
       };
   };
@@ -72,7 +75,7 @@ in
         _: value: "C /var/lib/iwd/${value.ssid}.psk 0600 root root - ${secret_path value.ssid}"
       ) cfg.networks;
 
-      clan.core.facts.services = lib.mapAttrs' secret_generator cfg.networks;
+      clan.core.vars.generators = lib.mapAttrs' secret_generator cfg.networks;
 
       # TODO: restart the iwd.service if something changes
     })

clanModules/root-password/README.md

@@ -7,8 +7,12 @@ features = [ "inventory" ]
 After the system was installed/deployed the following command can be used to display the root-password:
 
 ```bash
-clan secrets get {machine_name}-password
+clan vars get [machine_name] root-password/root-password
 ```
 
+See also: [Vars](../../manual/vars-backend.md)
 
-See also: [Facts / Secrets](../../getting-started/secrets.md)
+To regenerate the password run:
+```
+clan vars generate --regenerate [machine_name] --generator root-password
+```

clanModules/static-hosts/default.nix

@@ -26,8 +26,8 @@
   config.networking.hosts =
     let
       dir = config.clan.core.settings.directory;
-      machineDir = dir + "/machines/";
-      zerotierIpMachinePath = machines: machineDir + machines + "/facts/zerotier-ip";
+      machineDir = "${dir}/vars/per-machine";
+      zerotierIpMachinePath = machine: "${machineDir}/${machine}/zerotier/zerotier-ip/value";
       machinesFileSet = builtins.readDir machineDir;
       machines = lib.mapAttrsToList (name: _: name) machinesFileSet;
       networkIpsUnchecked = builtins.map (

clanModules/syncthing-static-peers/default.nix

@@ -6,10 +6,9 @@
 }:
 let
   dir = config.clan.core.settings.directory;
-  machineDir = dir + "/machines/";
-  machineVarDir = dir + "/vars/per-machine/";
-  syncthingPublicKeyPath = machines: machineVarDir + machines + "/syncthing/id/value";
-  machinesFileSet = builtins.readDir machineDir;
+  machineVarDir = "${dir}/vars/per-machine/";
+  syncthingPublicKeyPath = machine: "${machineVarDir}/${machine}/syncthing/id/value";
+  machinesFileSet = builtins.readDir machineVarDir;
   machines = lib.mapAttrsToList (name: _: name) machinesFileSet;
   syncthingPublicKeysUnchecked = builtins.map (
     machine:
@@ -19,7 +18,7 @@ let
     if builtins.pathExists fullPath then machine else null
   ) machines;
   syncthingPublicKeyMachines = lib.filter (machine: machine != null) syncthingPublicKeysUnchecked;
-  zerotierIpMachinePath = machines: machineDir + machines + "/facts/zerotier-ip";
+  zerotierIpMachinePath = machine: "${machineVarDir}/${machine}/zerotier/zerotier-ip/value";
   networkIpsUnchecked = builtins.map (
     machine:
     let

clanModules/syncthing/README.md

@@ -1,6 +1,13 @@
 ---
 description = "A secure, file synchronization app for devices over networks, offering a private alternative to cloud services."
+features = [ "inventory" ]
+
+[constraints]
+roles.introducer.min = 1
+roles.introducer.max = 1
 ---
+**Warning**: This module was written with our VM integration in mind likely won't work outside of this context. They will be generalized in future.
+
 ## Usage
 
 We recommend configuring this module as an sync-service through the provided options. Although it provides a Web GUI through which more usage scenarios are supported.

clanModules/syncthing/default.nix

@@ -1,210 +1,6 @@
+# Dont import this file
+# It is only here for backwards compatibility.
+# Dont author new modules with this file.
 {
-  config,
-  pkgs,
-  lib,
-  ...
-}:
-{
-  options.clan.syncthing = {
-    id = lib.mkOption {
-      description = ''
-        The ID of the machine.
-        It is generated automatically by default.
-      '';
-      type = lib.types.nullOr lib.types.str;
-      example = "BABNJY4-G2ICDLF-QQEG7DD-N3OBNGF-BCCOFK6-MV3K7QJ-2WUZHXS-7DTW4AS";
-      default = config.clan.core.facts.services.syncthing.public."syncthing.pub".value or null;
-      defaultText = "config.clan.core.facts.services.syncthing.public.\"syncthing.pub\".value";
-    };
-    introducer = lib.mkOption {
-      description = ''
-        The introducer for the machine.
-      '';
-      type = lib.types.nullOr lib.types.str;
-      default = null;
-    };
-    autoAcceptDevices = lib.mkOption {
-      description = ''
-        Auto accept incoming device requests.
-        Should only be used on the introducer.
-      '';
-      type = lib.types.bool;
-      default = false;
-    };
-    autoShares = lib.mkOption {
-      description = ''
-        Auto share the following Folders by their ID's with introduced devices.
-        Should only be used on the introducer.
-      '';
-      type = lib.types.listOf lib.types.str;
-      default = [ ];
-      example = [
-        "folder1"
-        "folder2"
-      ];
-    };
-  };
-
-  imports = [
-    {
-      # Syncthing ports: 8384 for remote access to GUI
-      # 22000 TCP and/or UDP for sync traffic
-      # 21027/UDP for discovery
-      # source: https://docs.syncthing.net/users/firewall.html
-      networking.firewall.interfaces."zt+".allowedTCPPorts = [
-        8384
-        22000
-      ];
-      networking.firewall.allowedTCPPorts = [ 8384 ];
-      networking.firewall.interfaces."zt+".allowedUDPPorts = [
-        22000
-        21027
-      ];
-
-      assertions = [
-        {
-          assertion = lib.all (
-            attr: builtins.hasAttr attr config.services.syncthing.settings.folders
-          ) config.clan.syncthing.autoShares;
-          message = ''
-            Syncthing: If you want to AutoShare a folder, you need to have it configured on the sharing device.
-          '';
-        }
-      ];
-
-      # Activates inotify compatibility on syncthing
-      # use mkOverride 900 here as it otherwise would collide with the default of the
-      # upstream nixos xserver.nix
-      boot.kernel.sysctl."fs.inotify.max_user_watches" = lib.mkOverride 900 524288;
-
-      services.syncthing = {
-        enable = true;
-        configDir = "/var/lib/syncthing";
-
-        overrideFolders = lib.mkDefault (
-          if (config.clan.syncthing.introducer == null) then true else false
-        );
-        overrideDevices = lib.mkDefault (
-          if (config.clan.syncthing.introducer == null) then true else false
-        );
-
-        dataDir = lib.mkDefault "/home/user/";
-
-        group = "syncthing";
-
-        key = lib.mkDefault config.clan.secrets.syncthing.secrets."syncthing.key".path or null;
-        cert = lib.mkDefault config.clan.secrets.syncthing.secrets."syncthing.cert".path or null;
-
-        settings = {
-          options = {
-            urAccepted = -1;
-            allowedNetworks = [ config.clan.core.networking.zerotier.subnet ];
-          };
-          devices =
-            { }
-            // (
-              if (config.clan.syncthing.introducer == null) then
-                { }
-              else
-                {
-                  "${config.clan.syncthing.introducer}" = {
-                    name = "introducer";
-                    id = config.clan.syncthing.introducer;
-                    introducer = true;
-                    autoAcceptFolders = true;
-                  };
-                }
-            );
-        };
-      };
-      systemd.services.syncthing-auto-accept =
-        let
-          baseAddress = "127.0.0.1:8384";
-          getPendingDevices = "/rest/cluster/pending/devices";
-          postNewDevice = "/rest/config/devices";
-          SharedFolderById = "/rest/config/folders/";
-          apiKey = config.clan.core.facts.services.syncthing.secret."syncthing.api".path or null;
-        in
-        lib.mkIf config.clan.syncthing.autoAcceptDevices {
-          description = "Syncthing auto accept devices";
-          requisite = [ "syncthing.service" ];
-          after = [ "syncthing.service" ];
-          wantedBy = [ "multi-user.target" ];
-
-          script = ''
-            set -x
-            # query pending deviceID's
-            APIKEY=$(cat ${apiKey})
-            PENDING=$(${lib.getExe pkgs.curl} -X GET -H "X-API-Key: $APIKEY" ${baseAddress}${getPendingDevices})
-            PENDING=$(echo $PENDING | ${lib.getExe pkgs.jq} keys[])
-
-            # accept pending deviceID's
-            for ID in $PENDING;do
-            ${lib.getExe pkgs.curl} -X POST -d "{\"deviceId\": $ID}" -H "Content-Type: application/json" -H "X-API-Key: $APIKEY" ${baseAddress}${postNewDevice}
-
-            # get all shared folders by their ID
-            for folder in ${builtins.toString config.clan.syncthing.autoShares}; do
-              SHARED_IDS=$(${lib.getExe pkgs.curl} -X GET -H "X-API-Key: $APIKEY" ${baseAddress}${SharedFolderById}"$folder" | ${lib.getExe pkgs.jq} ."devices")
-              PATCHED_IDS=$(echo $SHARED_IDS | ${lib.getExe pkgs.jq} ".+= [{\"deviceID\": $ID, \"introducedBy\": \"\", \"encryptionPassword\": \"\"}]")
-              ${lib.getExe pkgs.curl} -X PATCH -d "{\"devices\": $PATCHED_IDS}" -H "X-API-Key: $APIKEY" ${baseAddress}${SharedFolderById}"$folder"
-              done
-            done
-          '';
-        };
-
-      systemd.timers.syncthing-auto-accept = lib.mkIf config.clan.syncthing.autoAcceptDevices {
-        description = "Syncthing Auto Accept";
-
-        wantedBy = [ "syncthing-auto-accept.service" ];
-
-        timerConfig = {
-          OnActiveSec = lib.mkDefault 60;
-          OnUnitActiveSec = lib.mkDefault 60;
-        };
-      };
-
-      systemd.services.syncthing-init-api-key =
-        let
-          apiKey = config.clan.core.facts.services.syncthing.secret."syncthing.api".path or null;
-        in
-        lib.mkIf config.clan.syncthing.autoAcceptDevices {
-          description = "Set the api key";
-          after = [ "syncthing-init.service" ];
-          wantedBy = [ "multi-user.target" ];
-          script = ''
-            # set -x
-            set -efu pipefail
-
-            APIKEY=$(cat ${apiKey})
-            ${lib.getExe pkgs.gnused} -i "s/<apikey>.*<\/apikey>/<apikey>$APIKEY<\/apikey>/" /var/lib/syncthing/config.xml
-            # sudo systemctl restart syncthing.service
-            systemctl restart syncthing.service
-          '';
-          serviceConfig = {
-            WorkingDirectory = "/var/lib/syncthing";
-            BindReadOnlyPaths = [ apiKey ];
-            Type = "oneshot";
-          };
-        };
-
-      clan.core.facts.services.syncthing = {
-        secret."syncthing.key" = { };
-        secret."syncthing.cert" = { };
-        secret."syncthing.api" = { };
-        public."syncthing.pub" = { };
-        generator.path = [
-          pkgs.coreutils
-          pkgs.gnugrep
-          pkgs.syncthing
-        ];
-        generator.script = ''
-          syncthing generate --config "$secrets"
-          mv "$secrets"/key.pem "$secrets"/syncthing.key
-          mv "$secrets"/cert.pem "$secrets"/syncthing.cert
-          cat "$secrets"/config.xml | grep -oP '(?<=<device id=")[^"]+' | uniq > "$facts"/syncthing.pub
-          cat "$secrets"/config.xml | grep -oP '<apikey>\K[^<]+' | uniq > "$secrets"/syncthing.api
-        '';
-      };
-    }
-  ];
+  imports = [ ./roles/peer.nix ];
 }

clanModules/syncthing/roles/introducer.nix

@@ -0,0 +1,6 @@
+{ ... }:
+{
+  imports = [
+    ../shared.nix
+  ];
+}

clanModules/syncthing/roles/peer.nix

@@ -0,0 +1,20 @@
+{ config, lib, ... }:
+let
+  instanceNames = builtins.attrNames config.clan.inventory.services.syncthing;
+  instanceName = builtins.head instanceNames;
+  instance = config.clan.inventory.services.syncthing.${instanceName};
+  introducer = builtins.head instance.roles.introducer.machines;
+
+  introducerId = "${config.clan.core.settings.directory}/vars/per-machine/${introducer}/syncthing/id/value";
+in
+{
+  imports = [
+    ../shared.nix
+  ];
+  clan.syncthing.introducer = lib.strings.removeSuffix "\n" (
+    if builtins.pathExists introducerId then
+      builtins.readFile introducerId
+    else
+      throw "${introducerId} does not exists. Please run `clan vars generate ${introducer}` to generate the introducer device id"
+  );
+}

clanModules/syncthing/shared.nix

@@ -0,0 +1,214 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+{
+  options.clan.syncthing = {
+    id = lib.mkOption {
+      description = ''
+        The ID of the machine.
+        It is generated automatically by default.
+      '';
+      type = lib.types.nullOr lib.types.str;
+      example = "BABNJY4-G2ICDLF-QQEG7DD-N3OBNGF-BCCOFK6-MV3K7QJ-2WUZHXS-7DTW4AS";
+      default = config.clan.core.vars.generators.syncthing.files."id".value;
+      defaultText = "config.clan.core.vars.generators.syncthing.files.\"id\".value";
+    };
+    introducer = lib.mkOption {
+      description = ''
+        The introducer for the machine.
+      '';
+      type = lib.types.nullOr lib.types.str;
+      default = null;
+    };
+    autoAcceptDevices = lib.mkOption {
+      description = ''
+        Auto accept incoming device requests.
+        Should only be used on the introducer.
+      '';
+      type = lib.types.bool;
+      default = false;
+    };
+    autoShares = lib.mkOption {
+      description = ''
+        Auto share the following Folders by their ID's with introduced devices.
+        Should only be used on the introducer.
+      '';
+      type = lib.types.listOf lib.types.str;
+      default = [ ];
+      example = [
+        "folder1"
+        "folder2"
+      ];
+    };
+  };
+
+  imports = [
+    {
+      # Syncthing ports: 8384 for remote access to GUI
+      # 22000 TCP and/or UDP for sync traffic
+      # 21027/UDP for discovery
+      # source: https://docs.syncthing.net/users/firewall.html
+      networking.firewall.interfaces."zt+".allowedTCPPorts = [
+        8384
+        22000
+      ];
+      networking.firewall.allowedTCPPorts = [ 8384 ];
+      networking.firewall.interfaces."zt+".allowedUDPPorts = [
+        22000
+        21027
+      ];
+
+      assertions = [
+        {
+          assertion = lib.all (
+            attr: builtins.hasAttr attr config.services.syncthing.settings.folders
+          ) config.clan.syncthing.autoShares;
+          message = ''
+            Syncthing: If you want to AutoShare a folder, you need to have it configured on the sharing device.
+          '';
+        }
+      ];
+
+      # Activates inotify compatibility on syncthing
+      # use mkOverride 900 here as it otherwise would collide with the default of the
+      # upstream nixos xserver.nix
+      boot.kernel.sysctl."fs.inotify.max_user_watches" = lib.mkOverride 900 524288;
+
+      services.syncthing = {
+        enable = true;
+
+        overrideFolders = lib.mkDefault (
+          if (config.clan.syncthing.introducer == null) then true else false
+        );
+        overrideDevices = lib.mkDefault (
+          if (config.clan.syncthing.introducer == null) then true else false
+        );
+
+        key = lib.mkDefault config.clan.core.vars.generators.syncthing.files."key".path or null;
+        cert = lib.mkDefault config.clan.core.vars.generators.syncthing.files."cert".path or null;
+
+        settings = {
+          options = {
+            urAccepted = -1;
+            allowedNetworks = [ ];
+          };
+          devices =
+            { }
+            // (
+              if (config.clan.syncthing.introducer == null) then
+                { }
+              else
+                {
+                  "${config.clan.syncthing.introducer}" = {
+                    name = "introducer";
+                    id = config.clan.syncthing.introducer;
+                    introducer = true;
+                    autoAcceptFolders = true;
+                  };
+                }
+            );
+        };
+      };
+      systemd.services.syncthing-auto-accept =
+        let
+          baseAddress = "127.0.0.1:8384";
+          getPendingDevices = "/rest/cluster/pending/devices";
+          postNewDevice = "/rest/config/devices";
+          SharedFolderById = "/rest/config/folders/";
+          apiKey = config.clan.core.vars.generators.syncthing.files."apikey".path;
+        in
+        lib.mkIf config.clan.syncthing.autoAcceptDevices {
+          description = "Syncthing auto accept devices";
+          requisite = [ "syncthing.service" ];
+          after = [ "syncthing.service" ];
+          wantedBy = [ "multi-user.target" ];
+
+          script = ''
+            set -x
+            # query pending deviceID's
+            APIKEY=$(cat ${apiKey})
+            PENDING=$(${lib.getExe pkgs.curl} -X GET -H "X-API-Key: $APIKEY" ${baseAddress}${getPendingDevices})
+            PENDING=$(echo $PENDING | ${lib.getExe pkgs.jq} keys[])
+
+            # accept pending deviceID's
+            for ID in $PENDING;do
+            ${lib.getExe pkgs.curl} -X POST -d "{\"deviceId\": $ID}" -H "Content-Type: application/json" -H "X-API-Key: $APIKEY" ${baseAddress}${postNewDevice}
+
+            # get all shared folders by their ID
+            for folder in ${builtins.toString config.clan.syncthing.autoShares}; do
+              SHARED_IDS=$(${lib.getExe pkgs.curl} -X GET -H "X-API-Key: $APIKEY" ${baseAddress}${SharedFolderById}"$folder" | ${lib.getExe pkgs.jq} ."devices")
+              PATCHED_IDS=$(echo $SHARED_IDS | ${lib.getExe pkgs.jq} ".+= [{\"deviceID\": $ID, \"introducedBy\": \"\", \"encryptionPassword\": \"\"}]")
+              ${lib.getExe pkgs.curl} -X PATCH -d "{\"devices\": $PATCHED_IDS}" -H "X-API-Key: $APIKEY" ${baseAddress}${SharedFolderById}"$folder"
+              done
+            done
+          '';
+        };
+
+      systemd.timers.syncthing-auto-accept = lib.mkIf config.clan.syncthing.autoAcceptDevices {
+        description = "Syncthing Auto Accept";
+
+        wantedBy = [ "syncthing-auto-accept.service" ];
+
+        timerConfig = {
+          OnActiveSec = lib.mkDefault 60;
+          OnUnitActiveSec = lib.mkDefault 60;
+        };
+      };
+
+      systemd.services.syncthing-init-api-key =
+        let
+          apiKey = config.clan.core.vars.generators.syncthing.files."apikey".path;
+        in
+        lib.mkIf config.clan.syncthing.autoAcceptDevices {
+          description = "Set the api key";
+          after = [ "syncthing-init.service" ];
+          wantedBy = [ "multi-user.target" ];
+          script = ''
+            # set -x
+            set -efu pipefail
+
+            APIKEY=$(cat ${apiKey})
+            ${lib.getExe pkgs.gnused} -i "s/<apikey>.*<\/apikey>/<apikey>$APIKEY<\/apikey>/" ${config.services.syncthing.configDir}/config.xml
+            # sudo systemctl restart syncthing.service
+            systemctl restart syncthing.service
+          '';
+          serviceConfig = {
+            BindReadOnlyPaths = [ apiKey ];
+            Type = "oneshot";
+          };
+        };
+
+      clan.core.vars.generators.syncthing = {
+        migrateFact = "syncthing";
+
+        files."key".group = config.services.syncthing.group;
+        files."key".owner = config.services.syncthing.user;
+
+        files."cert".group = config.services.syncthing.group;
+        files."cert".owner = config.services.syncthing.user;
+
+        files."apikey".group = config.services.syncthing.group;
+        files."apikey".owner = config.services.syncthing.user;
+
+        files."id".secret = false;
+
+        runtimeInputs = [
+          pkgs.coreutils
+          pkgs.gnugrep
+          pkgs.syncthing
+        ];
+
+        script = ''
+          syncthing generate --config "$out"
+          mv "$out"/key.pem "$out"/key
+          mv "$out"/cert.pem "$out"/cert
+          cat "$out"/config.xml | grep -oP '(?<=<device id=")[^"]+' | uniq > "$out"/id
+          cat "$out"/config.xml | grep -oP '<apikey>\K[^<]+' | uniq > "$out"/apikey
+        '';
+      };
+    }
+  ];
+}

clanModules/user-password/README.md

@@ -13,9 +13,12 @@ If setting the option prompt to true, the user will be prompted to type in their
 After the system was installed/deployed the following command can be used to display the user-password:
 
 ```bash
-clan secrets get {machine_name}-user-password
+clan vars get [machine_name] root-password/root-password
 ```
 
-See also: [Facts / Secrets](../../getting-started/secrets.md)
+See also: [Vars](../../manual/vars-backend.md)
 
-To regenerate the password, delete the password files in the clan directory and redeploy the machine.
+To regenerate the password run:
+```
+clan vars generate --regenerate [machine_name] --generator user-password
+```

clanModules/vaultwarden/README.md

@@ -6,9 +6,10 @@ After enabling the clan module, user accounts have to be created manually in the
 This is done by visiting `vaultwarden.example.com/admin` and typing in the admin password.
 You can get the admin password for vaultwarden by executing:
 ```bash
-clan secrets get  <machine-name>-vaultwarden-admin
+clan vars get <machine-name> vaultwarden-admin/vaultwarden-admin
 ```
 To see all secrets tied to vaultwarden execute:
 ```bash
-clan secrets list | grep vaultwarden
+clan vars get vaultwarden-admin/vaultwarden-admin
+clan vars get vaultwarden-smtp/vaultwarden-smtp
 ```

clanModules/vaultwarden/default.nix

@@ -92,36 +92,39 @@ in
       };
     };
 
-    clan.core.facts.services = {
+    clan.core.vars.generators = {
       vaultwarden-admin = {
-        secret."vaultwarden-admin" = { };
-        secret."vaultwarden-admin-hash" = { };
-        generator.path = with pkgs; [
+        migrateFact = "vaultwarden-admin";
+        files."vaultwarden-admin" = { };
+        files."vaultwarden-admin-hash" = { };
+        runtimeInputs = with pkgs; [
           coreutils
           pwgen
           libargon2
           openssl
         ];
-        generator.script = ''
+        script = ''
           ADMIN_PWD=$(pwgen 16 -n1 | tr -d "\n")
           ADMIN_HASH=$(echo -n "$ADMIN_PWD" | argon2 "$(openssl rand -base64 32)" -e -id -k 65540 -t 3 -p 4)
 
           config="
           ADMIN_TOKEN=\"$ADMIN_HASH\"
           "
-          echo -n "$ADMIN_PWD" > "$secrets"/vaultwarden-admin
-          echo -n "$config" > "$secrets"/vaultwarden-admin-hash
+          echo -n "$ADMIN_PWD" > "$out"/vaultwarden-admin
+          echo -n "$config" > "$out"/vaultwarden-admin-hash
         '';
       };
       vaultwarden-smtp = {
-        secret."vaultwarden-smtp" = { };
-        generator.prompt = "${cfg.smtp.from} SMTP password";
-        generator.path = with pkgs; [ coreutils ];
-        generator.script = ''
+        migrateFact = "vaultwarden-smtp";
+        prompts."vaultwarden-smtp".description = "${cfg.smtp.from} SMTP password";
+        prompts."vaultwarden-smtp".persist = true;
+        runtimeInputs = with pkgs; [ coreutils ];
+        script = ''
+          prompt_value="$(cat "$prompts"/vaultwarden-smtp)"
           config="
             SMTP_PASSWORD=\"$prompt_value\"
           "
-          echo -n "$config" > "$secrets"/vaultwarden-smtp
+          echo -n "$config" > "$out"/vaultwarden-smtp
         '';
       };
     };
@@ -129,7 +132,7 @@ in
     systemd.services."vaultwarden" = {
       serviceConfig = {
         EnvironmentFile = [
-          config.clan.core.facts.services."vaultwarden-smtp".secret."vaultwarden-smtp".path
+          config.clan.core.vars.generators."vaultwarden-smtp".files."vaultwarden-smtp".path
         ];
       };
     };
@@ -138,7 +141,7 @@ in
       enable = true;
       dbBackend = "postgresql";
       environmentFile =
-        config.clan.core.facts.services."vaultwarden-admin".secret."vaultwarden-admin-hash".path; # TODO: Make this upstream an array
+        config.clan.core.vars.generators."vaultwarden-admin".files."vaultwarden-admin-hash".path; # TODO: Make this upstream an array
       config = {
         SMTP_SECURITY = "force_tls";
         SMTP_HOST = cfg.smtp.host;

clanModules/zerotier-static-peers/default.nix

@@ -6,15 +6,16 @@
 }:
 let
   dir = config.clan.core.settings.directory;
-  machineDir = dir + "/machines/";
+  machineDir = "${dir}/vars/per-machine";
+  # TODO: This should use the inventory
+  # However we are probably going to replace this with the network module.
   machinesFileSet = builtins.readDir machineDir;
   machines = lib.mapAttrsToList (name: _: name) machinesFileSet;
 
-  zerotierNetworkIdPath = machines: machineDir + machines + "/facts/zerotier-network-id";
   networkIdsUnchecked = builtins.map (
     machine:
     let
-      fullPath = zerotierNetworkIdPath machine;
+      fullPath = "${machineDir}/vars/per-machine/${machine}/zerotier/zerotier-network-id/value";
     in
     if builtins.pathExists fullPath then builtins.readFile fullPath else null
   ) machines;
@@ -45,13 +46,9 @@ in
 
   config.systemd.services.zerotier-static-peers-autoaccept =
     let
-      zerotierIpMachinePath = machines: machineDir + machines + "/facts/zerotier-ip";
+      zerotierIpFor = machine: "${machineDir}/vars/per-machine/${machine}/zerotier/zerotier-ip/value";
       networkIpsUnchecked = builtins.map (
-        machine:
-        let
-          fullPath = zerotierIpMachinePath machine;
-        in
-        if builtins.pathExists fullPath then machine else null
+        machine: if builtins.pathExists (zerotierIpFor machine) then machine else null
       ) machines;
       networkIps = lib.filter (machine: machine != null) networkIpsUnchecked;
       machinesWithIp = lib.filterAttrs (name: _: (lib.elem name networkIps)) machinesFileSet;
@@ -60,11 +57,7 @@ in
       ) machinesWithIp;
       hosts = lib.mapAttrsToList (host: _: host) (
         lib.mapAttrs' (
-          machine: _:
-          let
-            fullPath = zerotierIpMachinePath machine;
-          in
-          lib.nameValuePair (builtins.readFile fullPath) [ machine ]
+          machine: _: lib.nameValuePair (builtins.readFile (zerotierIpFor machine)) [ machine ]
         ) filteredMachines
       );
       allHostIPs = config.clan.zerotier-static-peers.networkIps ++ hosts;

clanModules/zerotier/roles/controller.nix

@@ -23,11 +23,11 @@ in
         networkIps = builtins.foldl' (
           ips: name:
           if
-            builtins.pathExists "${config.clan.core.settings.directory}/machines/${name}/facts/zerotier-ip"
+            builtins.pathExists "${config.clan.core.settings.directory}/vars/per-machine/${name}/zerotier/zerotier-ip/value"
           then
             ips
             ++ [
-              (builtins.readFile "${config.clan.core.settings.directory}/machines/${name}/facts/zerotier-ip")
+              (builtins.readFile "${config.clan.core.settings.directory}/vars/per-machine/${name}/zerotier/zerotier-ip/value")
             ]
           else
             ips

clanModules/zerotier/shared.nix

@@ -10,17 +10,24 @@ let
   zeroTierInstance = config.clan.inventory.services.zerotier.${instanceName};
   roles = zeroTierInstance.roles;
   controllerMachine = builtins.head roles.controller.machines;
-  networkIdPath = "${config.clan.core.settings.directory}/machines/${controllerMachine}/facts/zerotier-network-id";
-  networkId = if builtins.pathExists networkIdPath then builtins.readFile networkIdPath else null;
+  networkIdPath = "${config.clan.core.settings.directory}/vars/per-machine/${controllerMachine}/zerotier/zerotier-network-id/value";
+  networkId =
+    if builtins.pathExists networkIdPath then
+      builtins.readFile networkIdPath
+    else
+      builtins.throw ''
+        No zerotier network id found for ${controllerMachine}.
+        Please run `clan vars generate ${controllerMachine}` first.
+      '';
   moons = roles.moon.machines;
   moonIps = builtins.foldl' (
     ips: name:
     if
-      builtins.pathExists "${config.clan.core.settings.directory}/machines/${name}/facts/zerotier-ip"
+      builtins.pathExists "${config.clan.core.settings.directory}/vars/per-machine/${name}/zerotier/zerotier-ip/value"
     then
       ips
       ++ [
-        (builtins.readFile "${config.clan.core.settings.directory}/machines/${name}/facts/zerotier-ip")
+        (builtins.readFile "${config.clan.core.settings.directory}/vars/per-machine/${name}/zerotier/zerotier-ip/value")
       ]
     else
       ips
@@ -62,7 +69,7 @@ in
     clan.core.networking.zerotier.networkId = networkId;
     clan.core.networking.zerotier.name = instanceName;
 
-    # TODO: in future we want to have the node id of our moons in our facts
+    # TODO: in future we want to have the node id of our moons in our vars
     systemd.services.zerotierone.serviceConfig.ExecStartPost = lib.mkIf (moonIps != [ ]) (
       lib.mkAfter [
         "+${pkgs.writeScript "orbit-moons-by-ip" ''

clanServices/hello-world/flake-module.nix

@@ -13,6 +13,9 @@ in
   clan.inventory.modules = {
     hello-world = module;
   };
+  clan.modules = {
+    hello-world = module;
+  };
   perSystem =
     { pkgs, ... }:
     let

devShell.nix

@@ -29,8 +29,7 @@
           select-shell
           pkgs.nix-unit
           pkgs.tea
-          # Better error messages than nix 2.18
-          pkgs.nixVersions.latest
+          pkgs.nix
           self'.packages.tea-create-pr
           self'.packages.merge-after-ci
           self'.packages.pending-reviews

docs/nix/deploy-docs.nix

@@ -26,8 +26,7 @@ writeShellScriptBin "deploy-docs" ''
   trap "rm -rf $tmpdir" EXIT
 
   if [ -n "''${SSH_HOMEPAGE_KEY-}" ]; then
-    echo "$SSH_HOMEPAGE_KEY" > "$tmpdir/ssh_key"
-    chmod 600 "$tmpdir/ssh_key"
+    ( umask 0177 && echo "$SSH_HOMEPAGE_KEY" > "$tmpdir/ssh_key" )
     sshExtraArgs="-i $tmpdir/ssh_key"
   else
     sshExtraArgs=

docs/nix/render_options/__init__.py

@@ -29,8 +29,8 @@ from dataclasses import dataclass, field
 from pathlib import Path
 from typing import Any
 
-from clan_cli.api.modules import Frontmatter, extract_frontmatter, get_roles
 from clan_cli.errors import ClanError
+from clan_lib.api.modules import Frontmatter, extract_frontmatter, get_roles
 
 # Get environment variables
 CLAN_CORE_PATH = Path(os.environ["CLAN_CORE_PATH"])

docs/site/getting-started/mesh-vpn.md

@@ -86,7 +86,7 @@ This guide shows you how to configure `zerotier` either through `NixOS Options`
        configuration, substituting `<CONTROLLER>` with the controller machine name:
        ```nix
        { config, ... }: {
-         clan.core.networking.zerotier.networkId = builtins.readFile (config.clan.core.settings.directory + "/machines/<CONTROLLER>/facts/zerotier-network-id");
+         clan.core.networking.zerotier.networkId = builtins.readFile ../../vars/per-machine/<CONTROLLER>/zerotier/zerotier-network-id/value;
        }
        ```
     1. **Update the New Machine**: Execute:

docs/site/getting-started/secrets.md

@@ -1,18 +1,19 @@
 
 Clan enables encryption of secrets (such as passwords & keys) ensuring security and ease-of-use among users.
 
-By default Clan utilizes the [sops](https://github.com/getsops/sops) format and integrates with [sops-nix](https://github.com/Mic92/sops-nix) on NixOS machines.
+By default, Clan uses the [sops](https://github.com/getsops/sops) format
+and integrates with [sops-nix](https://github.com/Mic92/sops-nix) on NixOS machines.
 Clan can also be configured to be used with other secret store [backends](https://docs.clan.lol/reference/clan-core/vars/#clan.core.vars.settings.secretStore).
 
 This guide will walk you through:
 
-- **Creating a Keypair for Your User**: Learn how to generate a keypair for $USER to securely control all secrets.
+- **Creating a Keypair for Your User**: Learn how to generate a keypair for `$USER` to securely control all secrets.
 - **Creating Your First Secret**: Step-by-step instructions on creating your initial secret.
 - **Assigning Machine Access to the Secret**: Understand how to grant a machine access to the newly created secret.
 
 ## Create Your Admin Keypair
 
-To get started, you'll need to create **Your admin keypair**.
+To get started, you'll need to create **your admin keypair**.
 
 !!! info
     Don't worry — if you've already made one before, this step won't change or overwrite it.
@@ -34,9 +35,78 @@ Also add your age public key to the repository with 'clan secrets users add YOUR
     Make sure to keep a safe backup of the private key you've just created.
     If it's lost, you won't be able to get to your secrets anymore because they all need the admin key to be unlocked.
 
+If you already have an [age] secret key and want to use that instead, you can simply edit `~/.config/sops/age/keys.txt`:
+
+```title="~/.config/sops/age/keys.txt"
+AGE-SECRET-KEY-13GWMK0KNNKXPTJ8KQ9LPSQZU7G3KU8LZDW474NX3D956GGVFAZRQTAE3F4
+```
+
+Alternatively, you can provide your [age] secret key as an environment variable `SOPS_AGE_KEY`, or in a different file
+using `SOPS_AGE_KEY_FILE`.
+For more information see the [SOPS] guide on [encrypting with age].
+
 !!! note
     It's safe to add any secrets created by the clan CLI and placed in your repository to version control systems like `git`.
 
+### Using Age Plugins
+
+If you wish to use a key generated using an [age plugin] as your admin key, extra care is needed.
+
+You must **precede your secret key with a comment that contains its corresponding recipient**.
+
+This is usually output as part of the generation process
+and is only required because there is no unified mechanism for recovering a recipient from a plugin secret key.
+
+Here is an example:
+
+```title="~/.config/sops/age/keys.txt"
+# public key: age1zdy49ek6z60q9r34vf5mmzkx6u43pr9haqdh5lqdg7fh5tpwlfwqea356l
+AGE-PLUGIN-FIDO2-HMAC-1QQPQZRFR7ZZ2WCV...
+```
+
+!!! note
+    The comment that precedes the plugin secret key need only contain the recipient.
+    Any other text is ignored.
+
+    In the example above, you can specify `# recipient: age1zdy...`, `# public: age1zdy....` or even
+    just `# age1zdy....`
+
+You will need to add an entry into your `flake.nix` to ensure that the necessary `age` plugins
+are loaded when using Clan:
+
+```nix title="flake.nix"
+{
+  inputs.clan-core.url = "https://git.clan.lol/clan/clan-core/archive/main.tar.gz";
+  inputs.nixpkgs.follows = "clan-core/nixpkgs";
+
+  outputs =
+    { self, clan-core, ... }:
+    let
+      clan = clan-core.clanLib.buildClan {
+        inherit self;
+
+        meta.name = "myclan";
+
+        # Add Yubikey and FIDO2 HMAC plugins
+        # Note: the plugins listed here must be available in nixpkgs.
+        secrets.age.plugins = [
+          "age-plugin-yubikey"
+          "age-plugin-fido2-hmac"
+        ];
+
+        machines = {
+          # elided for brevity
+        };
+      };
+    in
+    {
+      inherit (clan) nixosConfigurations clanInternals;
+
+      # elided for brevity
+    };
+}
+```
+
 ### Add Your Public Key(s)
 
 ```console
@@ -70,7 +140,7 @@ If you followed the quickstart tutorial all necessary secrets are initialized at
 You can list keys for your user with `clan secrets users get $USER`:
 
 ```console
-❯ bin/clan secrets users get alice
+clan secrets users get alice
 
 [
   {
@@ -83,17 +153,22 @@ You can list keys for your user with `clan secrets users get $USER`:
     "type": "age",
     "username": "alice"
   }
-]         
+]
 ```
 
-To add a new key to your user: 
+To add a new key to your user:
 
-```console 
+```console
 clan secrets users add-key $USER --age-key <your_public_key>
 ```
 
-To remove a key from your user: 
+To remove a key from your user:
 
-```console 
+```console
 clan secrets users remove-key $USER --age-key <your_public_key>
-```
+```
+
+[age]: https://github.com/FiloSottile/age
+[age plugin]: https://github.com/FiloSottile/awesome-age?tab=readme-ov-file#plugins
+[sops]: https://github.com/getsops/sops
+[encrypting with age]: https://github.com/getsops/sops?tab=readme-ov-file#encrypting-using-age

docs/site/reference/index.md

@@ -1,6 +1,6 @@
 # :material-api: Overview
 
-This section of the site provides an **automatically extracted** overview of the available options and commands within the Clan Framework.
+This section of the site provides an overview of available options and commands within the Clan Framework.
 
 ---
 

flake.lock

@@ -16,17 +16,15 @@
         ]
       },
       "locked": {
-        "lastModified": 1745193679,
-        "narHash": "sha256-3sGidQ3Ze1K939cEw2hYbK1DnA8G1LCPsbvBvLoiFhI=",
-        "ref": "refs/heads/main",
-        "rev": "817a74e34fb0e0b8012a8d2d67287c28d640b13a",
-        "revCount": 410,
-        "type": "git",
-        "url": "https://git.clan.lol/clan/data-mesher"
+        "lastModified": 1746334246,
+        "narHash": "sha256-YU4wtH9Y5yRjqbMwczOdDakOjSiTkOUP/JAYd1f3jBc=",
+        "rev": "607ce65fbfe20bb38170b76826a11006f526c05d",
+        "type": "tarball",
+        "url": "https://git.clan.lol/api/v1/repos/clan/data-mesher/archive/607ce65fbfe20bb38170b76826a11006f526c05d.tar.gz"
       },
       "original": {
-        "type": "git",
-        "url": "https://git.clan.lol/clan/data-mesher"
+        "type": "tarball",
+        "url": "https://git.clan.lol/clan/data-mesher/archive/main.tar.gz"
       }
     },
     "disko": {
@@ -36,11 +34,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1745224732,
-        "narHash": "sha256-0OWgbEKhpMLpk3WQi3ugOwxWW4Y6JVpKiQ+o0nuNzus=",
+        "lastModified": 1745812220,
+        "narHash": "sha256-hotBG0EJ9VmAHJYF0yhWuTVZpENHvwcJ2SxvIPrXm+g=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "1770bf1ae5da05564f86b969ef21c7228cc1a70b",
+        "rev": "d0c543d740fad42fe2c035b43c9d41127e073c78",
         "type": "github"
       },
       "original": {
@@ -76,11 +74,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1744478979,
-        "narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=",
+        "lastModified": 1746254942,
+        "narHash": "sha256-Y062AuRx6l+TJNX8wxZcT59SSLsqD9EedAY0mqgTtQE=",
         "owner": "nix-darwin",
         "repo": "nix-darwin",
-        "rev": "43975d782b418ebf4969e9ccba82466728c2851b",
+        "rev": "760a11c87009155afa0140d55c40e7c336d62d7a",
         "type": "github"
       },
       "original": {
@@ -89,6 +87,19 @@
         "type": "github"
       }
     },
+    "nix-select": {
+      "locked": {
+        "lastModified": 1745005516,
+        "narHash": "sha256-IVaoOGDIvAa/8I0sdiiZuKptDldrkDWUNf/+ezIRhyc=",
+        "rev": "69d8bf596194c5c35a4e90dd02c52aa530caddf8",
+        "type": "tarball",
+        "url": "https://git.clan.lol/api/v1/repos/clan/nix-select/archive/69d8bf596194c5c35a4e90dd02c52aa530caddf8.tar.gz"
+      },
+      "original": {
+        "type": "tarball",
+        "url": "https://git.clan.lol/clan/nix-select/archive/main.tar.gz"
+      }
+    },
     "nixos-facter-modules": {
       "locked": {
         "lastModified": 1743671943,
@@ -107,10 +118,10 @@
     "nixpkgs": {
       "locked": {
         "lastModified": 315532800,
-        "narHash": "sha256-Qbg44vc/Vw971fY3/lIzDLJVmb992RTuKXL2A69/89w=",
-        "rev": "18dd725c29603f582cf1900e0d25f9f1063dbf11",
+        "narHash": "sha256-pxwYhAgOyComW58BCfboADZWr4b5oS8hP9E9fQ489HM=",
+        "rev": "f21e4546e3ede7ae34d12a84602a22246b31f7e0",
         "type": "tarball",
-        "url": "https://releases.nixos.org/nixpkgs/nixpkgs-25.05pre782598.18dd725c2960/nixexprs.tar.xz"
+        "url": "https://releases.nixos.org/nixpkgs/nixpkgs-25.05pre793694.f21e4546e3ed/nixexprs.tar.xz"
       },
       "original": {
         "type": "tarball",
@@ -123,6 +134,7 @@
         "disko": "disko",
         "flake-parts": "flake-parts",
         "nix-darwin": "nix-darwin",
+        "nix-select": "nix-select",
         "nixos-facter-modules": "nixos-facter-modules",
         "nixpkgs": "nixpkgs",
         "sops-nix": "sops-nix",
@@ -172,11 +184,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1744961264,
-        "narHash": "sha256-aRmUh0AMwcbdjJHnytg1e5h5ECcaWtIFQa6d9gI85AI=",
+        "lastModified": 1746216483,
+        "narHash": "sha256-4h3s1L/kKqt3gMDcVfN8/4v2jqHrgLIe4qok4ApH5x4=",
         "owner": "numtide",
         "repo": "treefmt-nix",
-        "rev": "8d404a69efe76146368885110f29a2ca3700bee6",
+        "rev": "29ec5026372e0dec56f890e50dbe4f45930320fd",
         "type": "github"
       },
       "original": {

flake.nix

@@ -23,8 +23,10 @@
     treefmt-nix.url = "github:numtide/treefmt-nix";
     treefmt-nix.inputs.nixpkgs.follows = "nixpkgs";
 
+    nix-select.url = "https://git.clan.lol/clan/nix-select/archive/main.tar.gz";
+
     data-mesher = {
-      url = "git+https://git.clan.lol/clan/data-mesher";
+      url = "https://git.clan.lol/clan/data-mesher/archive/main.tar.gz";
       inputs = {
         flake-parts.follows = "flake-parts";
         nixpkgs.follows = "nixpkgs";
@@ -38,7 +40,6 @@
     inputs@{
       flake-parts,
       nixpkgs,
-      self,
       systems,
       ...
     }:

lib/build-clan/interface.nix

@@ -108,6 +108,14 @@ in
       default = { };
     };
 
+    secrets = lib.mkOption {
+      type = types.submodule { imports = [ ./secrets/interface.nix ]; };
+      description = ''
+        Secrets related options such as AGE plugins required to encrypt/decrypt secrets using the CLI.
+      '';
+      default = { };
+    };
+
     pkgsForSystem = lib.mkOption {
       type = types.functionTo (types.nullOr types.attrs);
       default = _system: null;
@@ -152,13 +160,11 @@ in
           # Those options are interfaced by the CLI
           # We don't specify the type here, for better performance.
           inventory = lib.mkOption { type = lib.types.raw; };
-          inventoryValuesPrios = lib.mkOption { type = lib.types.raw; };
           # all exported clan templates from this clan
           templates = lib.mkOption { type = lib.types.raw; };
           # all exported clan modules from this clan
           modules = lib.mkOption { type = lib.types.raw; };
           # all inventory module schemas
-          moduleSchemas = lib.mkOption { type = lib.types.raw; };
           inventoryFile = lib.mkOption { type = lib.types.raw; };
           # The machine 'imports' generated by the inventory per machine
           inventoryClass = lib.mkOption { type = lib.types.raw; };
@@ -166,6 +172,7 @@ in
           clanModules = lib.mkOption { type = lib.types.raw; };
           source = lib.mkOption { type = lib.types.raw; };
           meta = lib.mkOption { type = lib.types.raw; };
+          secrets = lib.mkOption { type = lib.types.raw; };
           clanLib = lib.mkOption { type = lib.types.raw; };
           all-machines-json = lib.mkOption { type = lib.types.raw; };
           machines = lib.mkOption { type = lib.types.raw; };