machines: fix remote-program for darwin nix copy

MacOS doesn't come with a proper login shell for ssh and therefore doesn't have nix in $PATH as it doesn't source /etc/profile. This restores the remote-program parameter that was accidentally removed in commit cff5d61f26.
2025-06-17 13:02:15 +02:00
707 changed files with 20564 additions and 21267 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -3,6 +3,7 @@
 .hypothesis
 out.log
 .coverage.*
 qubeclan
 pkgs/repro-hook
 testdir
 democlan
@@ -19,6 +20,9 @@ nixos.qcow2
 # macOS stuff
 .DS_Store
 # dream2nix
 .dream2nix
 # python
 __pycache__
 .coverage
@@ -28,6 +32,13 @@ __pycache__
 .ruff_cache
 htmlcov
 # flatpak
 .flatpak-builder
 build
 build-dir
 repo
 .env
 # node
 node_modules
 dist
--- a/checks/backups/flake-module.nix
+++ b/checks/backups/flake-module.nix
@@ -22,6 +22,7 @@
        dependencies = [
          self
          pkgs.stdenv.drvPath
          self.clanInternals.machines.${pkgs.hostPlatform.system}.test-backup.config.system.clan.deployment.file
        ] ++ builtins.map (i: i.outPath) (builtins.attrValues self.inputs);
        closureInfo = pkgs.closureInfo { rootPaths = dependencies; };
      in
@@ -150,8 +151,8 @@
    in
    {
      checks = pkgs.lib.mkIf pkgs.stdenv.isLinux {
-        nixos-test-backups = self.clanLib.test.containerTest {
+        backups = self.clanLib.test.containerTest {
-          name = "nixos-test-backups";
+          name = "backups";
          nodes.machine = {
            imports =
              [
@@ -161,7 +162,7 @@
              ]
              ++
              # import the inventory generated nixosModules
-              self.clan.clanInternals.inventoryClass.machines.test-backup.machineImports;
+              self.clanInternals.inventoryClass.machines.test-backup.machineImports;
            clan.core.settings.directory = ./.;
          };
--- a/checks/borgbackup/default.nix
+++ b/checks/borgbackup/default.nix
@@ -8,12 +8,12 @@ nixosLib.runTest (
  { ... }:
  {
    imports = [
-      clan-core.modules.nixosTest.clanTest
+      clan-core.modules.nixosVmTest.clanTest
    ];
    hostPkgs = pkgs;
-    name = "service-borgbackup";
+    name = "borgbackup";
    clan = {
      directory = ./.;
@@ -28,7 +28,6 @@ nixosLib.runTest (
          borgone = {
            module.name = "@clan/borgbackup";
            module.input = "self";
            roles.client.machines."clientone" = { };
            roles.server.machines."serverone".settings.directory = "/tmp/borg-test";
--- a/checks/clan-core-for-checks.nix
+++ b/checks/clan-core-for-checks.nix
@@ -1,6 +1,6 @@
 { fetchgit }:
 fetchgit {
  url = "https://git.clan.lol/clan/clan-core.git";
-  rev = "eea93ea22c9818da67e148ba586277bab9e73cea";
+  rev = "13a9b1719835ef4510e4adb6941ddfe9a91d41cb";
-  sha256 = "sha256-PV0Z+97QuxQbkYSVuNIJwUNXMbHZG/vhsA9M4cDTCOE=";
+  sha256 = "sha256-M+pLnpuX+vIsxTFtbBZaNA1OwGQPeSbsMbTiDl1t4vY=";
 }
--- a/checks/data-mesher/default.nix
+++ b/checks/data-mesher/default.nix
@@ -16,11 +16,11 @@ nixosLib.runTest (
  { ... }:
  {
    imports = [
-      clan-core.modules.nixosTest.clanTest
+      clan-core.modules.nixosVmTest.clanTest
    ];
    hostPkgs = pkgs;
-    name = "service-data-mesher";
+    name = "data-mesher";
    clan = {
      directory = ./.;
--- a/checks/dummy-inventory-test-from-flake/default.nix
+++ b/checks/dummy-inventory-test-from-flake/default.nix
@@ -9,7 +9,7 @@ nixosLib.runTest (
  { hostPkgs, config, ... }:
  {
    imports = [
-      clan-core.modules.nixosTest.clanTest
+      clan-core.modules.nixosVmTest.clanTest
    ];
    hostPkgs = pkgs;
@@ -18,19 +18,19 @@ nixosLib.runTest (
    # With the test framework
    # - legacy-modules
    # - clan.service modules
-    name = "service-dummy-test-from-flake";
+    name = "dummy-inventory-test-from-flake";
    clan.test.fromFlake = ./.;
    extraPythonPackages = _p: [
-      clan-core.legacyPackages.${hostPkgs.system}.nixosTestLib
+      clan-core.legacyPackages.${hostPkgs.system}.setupNixInNixPythonPackage
    ];
    testScript =
      { nodes, ... }:
      ''
-        from nixos_test_lib.nix_setup import setup_nix_in_nix # type: ignore[import-untyped]
+        from setup_nix_in_nix import setup_nix_in_nix # type: ignore[import-untyped]
-        setup_nix_in_nix(None)  # No closure info for this test
+        setup_nix_in_nix()
        def run_clan(cmd: list[str], **kwargs) -> str:
            import subprocess
--- a/checks/dummy-inventory-test-from-flake/flake.nix
+++ b/checks/dummy-inventory-test-from-flake/flake.nix
@@ -6,7 +6,7 @@
    { self, clan-core, ... }:
    let
      # Usage see: https://docs.clan.lol
-      clan = clan-core.lib.clan {
+      clan = clan-core.clanLib.buildClan {
        inherit self;
        inventory =
@@ -24,7 +24,6 @@
            instances."test" = {
              module.name = "new-service";
              module.input = "self";
              roles.peer.machines.peer1 = { };
            };
@@ -40,7 +39,7 @@
          perMachine = {
            nixosModule = {
              # This should be generated by:
-              # nix run .#generate-test-vars -- checks/service-dummy-test service-dummy-test
+              # nix run .#generate-test-vars -- checks/dummy-inventory-test dummy-inventory-test
              clan.core.vars.generators.new-service = {
                files.not-a-secret = {
                  secret = false;
@@ -66,6 +65,6 @@
    in
    {
      # all machines managed by Clan
-      inherit (clan.config) nixosConfigurations nixosModules clanInternals;
+      inherit (clan) nixosConfigurations nixosModules clanInternals;
    };
 }
--- a/checks/dummy-inventory-test-from-flake/legacy-module/README.md
+++ b/checks/dummy-inventory-test-from-flake/legacy-module/README.md
--- a/checks/dummy-inventory-test-from-flake/legacy-module/roles/admin.nix
+++ b/checks/dummy-inventory-test-from-flake/legacy-module/roles/admin.nix
--- a/checks/dummy-inventory-test-from-flake/legacy-module/roles/peer.nix
+++ b/checks/dummy-inventory-test-from-flake/legacy-module/roles/peer.nix
--- a/checks/dummy-inventory-test-from-flake/legacy-module/shared.nix
+++ b/checks/dummy-inventory-test-from-flake/legacy-module/shared.nix
--- a/checks/dummy-inventory-test-from-flake/sops/machines/admin1/key.json
+++ b/checks/dummy-inventory-test-from-flake/sops/machines/admin1/key.json
--- a/checks/dummy-inventory-test-from-flake/sops/machines/peer1/key.json
+++ b/checks/dummy-inventory-test-from-flake/sops/machines/peer1/key.json
--- a/checks/dummy-inventory-test-from-flake/sops/secrets/admin1-age.key/secret
+++ b/checks/dummy-inventory-test-from-flake/sops/secrets/admin1-age.key/secret
--- a/checks/dummy-inventory-test-from-flake/sops/secrets/admin1-age.key/users/admin
+++ b/checks/dummy-inventory-test-from-flake/sops/secrets/admin1-age.key/users/admin
--- a/checks/dummy-inventory-test-from-flake/sops/secrets/peer1-age.key/secret
+++ b/checks/dummy-inventory-test-from-flake/sops/secrets/peer1-age.key/secret
--- a/checks/dummy-inventory-test-from-flake/sops/secrets/peer1-age.key/users/admin
+++ b/checks/dummy-inventory-test-from-flake/sops/secrets/peer1-age.key/users/admin
--- a/checks/dummy-inventory-test-from-flake/sops/users/admin/key.json
+++ b/checks/dummy-inventory-test-from-flake/sops/users/admin/key.json
--- a/checks/dummy-inventory-test-from-flake/vars/per-machine/admin1/dummy-generator/generated-password/machines/admin1
+++ b/checks/dummy-inventory-test-from-flake/vars/per-machine/admin1/dummy-generator/generated-password/machines/admin1
--- a/checks/dummy-inventory-test-from-flake/vars/per-machine/admin1/dummy-generator/generated-password/secret
+++ b/checks/dummy-inventory-test-from-flake/vars/per-machine/admin1/dummy-generator/generated-password/secret
--- a/checks/dummy-inventory-test-from-flake/vars/per-machine/admin1/dummy-generator/generated-password/users/admin
+++ b/checks/dummy-inventory-test-from-flake/vars/per-machine/admin1/dummy-generator/generated-password/users/admin
--- a/checks/dummy-inventory-test-from-flake/vars/per-machine/admin1/dummy-generator/host-id/value
+++ b/checks/dummy-inventory-test-from-flake/vars/per-machine/admin1/dummy-generator/host-id/value
--- a/checks/dummy-inventory-test-from-flake/vars/per-machine/peer1/dummy-generator/generated-password/machines/peer1
+++ b/checks/dummy-inventory-test-from-flake/vars/per-machine/peer1/dummy-generator/generated-password/machines/peer1
--- a/checks/dummy-inventory-test-from-flake/vars/per-machine/peer1/dummy-generator/generated-password/secret
+++ b/checks/dummy-inventory-test-from-flake/vars/per-machine/peer1/dummy-generator/generated-password/secret
--- a/checks/dummy-inventory-test-from-flake/vars/per-machine/peer1/dummy-generator/generated-password/users/admin
+++ b/checks/dummy-inventory-test-from-flake/vars/per-machine/peer1/dummy-generator/generated-password/users/admin
--- a/checks/dummy-inventory-test-from-flake/vars/per-machine/peer1/dummy-generator/host-id/value
+++ b/checks/dummy-inventory-test-from-flake/vars/per-machine/peer1/dummy-generator/host-id/value
--- a/checks/dummy-inventory-test-from-flake/vars/per-machine/peer1/new-service/a-secret/machines/peer1
+++ b/checks/dummy-inventory-test-from-flake/vars/per-machine/peer1/new-service/a-secret/machines/peer1
--- a/checks/dummy-inventory-test-from-flake/vars/per-machine/peer1/new-service/a-secret/secret
+++ b/checks/dummy-inventory-test-from-flake/vars/per-machine/peer1/new-service/a-secret/secret
--- a/checks/dummy-inventory-test-from-flake/vars/per-machine/peer1/new-service/a-secret/users/admin
+++ b/checks/dummy-inventory-test-from-flake/vars/per-machine/peer1/new-service/a-secret/users/admin
--- a/checks/dummy-inventory-test-from-flake/vars/per-machine/peer1/new-service/not-a-secret/value
+++ b/checks/dummy-inventory-test-from-flake/vars/per-machine/peer1/new-service/not-a-secret/value
--- a/checks/dummy-inventory-test/default.nix
+++ b/checks/dummy-inventory-test/default.nix
@@ -8,7 +8,7 @@ nixosLib.runTest (
  { ... }:
  {
    imports = [
-      clan-core.modules.nixosTest.clanTest
+      clan-core.modules.nixosVmTest.clanTest
    ];
    hostPkgs = pkgs;
@@ -17,7 +17,7 @@ nixosLib.runTest (
    # With the test framework
    # - legacy-modules
    # - clan.service modules
-    name = "service-dummy-test";
+    name = "dummy-inventory-test";
    clan = {
      directory = ./.;
@@ -33,7 +33,6 @@ nixosLib.runTest (
        instances."test" = {
          module.name = "new-service";
          module.input = "self";
          roles.peer.machines.peer1 = { };
        };
@@ -48,7 +47,7 @@ nixosLib.runTest (
        perMachine = {
          nixosModule = {
            # This should be generated by:
-            # nix run .#generate-test-vars -- checks/service-dummy-test service-dummy-test
+            # nix run .#generate-test-vars -- checks/dummy-inventory-test dummy-inventory-test
            clan.core.vars.generators.new-service = {
              files.not-a-secret = {
                secret = false;
--- a/checks/dummy-inventory-test/legacy-module/README.md
+++ b/checks/dummy-inventory-test/legacy-module/README.md
--- a/checks/dummy-inventory-test/legacy-module/roles/admin.nix
+++ b/checks/dummy-inventory-test/legacy-module/roles/admin.nix
--- a/checks/dummy-inventory-test/legacy-module/roles/peer.nix
+++ b/checks/dummy-inventory-test/legacy-module/roles/peer.nix
--- a/checks/dummy-inventory-test/legacy-module/shared.nix
+++ b/checks/dummy-inventory-test/legacy-module/shared.nix
--- a/checks/dummy-inventory-test/sops/machines/admin1/key.json
+++ b/checks/dummy-inventory-test/sops/machines/admin1/key.json
--- a/checks/dummy-inventory-test/sops/machines/peer1/key.json
+++ b/checks/dummy-inventory-test/sops/machines/peer1/key.json
--- a/checks/dummy-inventory-test/sops/secrets/admin1-age.key/secret
+++ b/checks/dummy-inventory-test/sops/secrets/admin1-age.key/secret
--- a/checks/dummy-inventory-test/sops/secrets/admin1-age.key/users/admin
+++ b/checks/dummy-inventory-test/sops/secrets/admin1-age.key/users/admin
--- a/checks/dummy-inventory-test/sops/secrets/peer1-age.key/secret
+++ b/checks/dummy-inventory-test/sops/secrets/peer1-age.key/secret
--- a/checks/dummy-inventory-test/sops/secrets/peer1-age.key/users/admin
+++ b/checks/dummy-inventory-test/sops/secrets/peer1-age.key/users/admin
--- a/checks/dummy-inventory-test/sops/users/admin/key.json
+++ b/checks/dummy-inventory-test/sops/users/admin/key.json
--- a/checks/dummy-inventory-test/vars/per-machine/admin1/dummy-generator/generated-password/machines/admin1
+++ b/checks/dummy-inventory-test/vars/per-machine/admin1/dummy-generator/generated-password/machines/admin1
--- a/checks/dummy-inventory-test/vars/per-machine/admin1/dummy-generator/generated-password/secret
+++ b/checks/dummy-inventory-test/vars/per-machine/admin1/dummy-generator/generated-password/secret
--- a/checks/dummy-inventory-test/vars/per-machine/admin1/dummy-generator/generated-password/users/admin
+++ b/checks/dummy-inventory-test/vars/per-machine/admin1/dummy-generator/generated-password/users/admin
--- a/checks/dummy-inventory-test/vars/per-machine/admin1/dummy-generator/host-id/value
+++ b/checks/dummy-inventory-test/vars/per-machine/admin1/dummy-generator/host-id/value
--- a/checks/dummy-inventory-test/vars/per-machine/peer1/dummy-generator/generated-password/machines/peer1
+++ b/checks/dummy-inventory-test/vars/per-machine/peer1/dummy-generator/generated-password/machines/peer1
--- a/checks/dummy-inventory-test/vars/per-machine/peer1/dummy-generator/generated-password/secret
+++ b/checks/dummy-inventory-test/vars/per-machine/peer1/dummy-generator/generated-password/secret
--- a/checks/dummy-inventory-test/vars/per-machine/peer1/dummy-generator/generated-password/users/admin
+++ b/checks/dummy-inventory-test/vars/per-machine/peer1/dummy-generator/generated-password/users/admin
--- a/checks/dummy-inventory-test/vars/per-machine/peer1/dummy-generator/host-id/value
+++ b/checks/dummy-inventory-test/vars/per-machine/peer1/dummy-generator/host-id/value
--- a/checks/dummy-inventory-test/vars/per-machine/peer1/new-service/a-secret/machines/peer1
+++ b/checks/dummy-inventory-test/vars/per-machine/peer1/new-service/a-secret/machines/peer1
--- a/checks/dummy-inventory-test/vars/per-machine/peer1/new-service/a-secret/secret
+++ b/checks/dummy-inventory-test/vars/per-machine/peer1/new-service/a-secret/secret
--- a/checks/dummy-inventory-test/vars/per-machine/peer1/new-service/a-secret/users/admin
+++ b/checks/dummy-inventory-test/vars/per-machine/peer1/new-service/a-secret/users/admin
--- a/checks/dummy-inventory-test/vars/per-machine/peer1/new-service/not-a-secret/value
+++ b/checks/dummy-inventory-test/vars/per-machine/peer1/new-service/not-a-secret/value
--- a/checks/flake-module.nix
+++ b/checks/flake-module.nix
@@ -1,19 +1,7 @@
-{
+{ self, lib, ... }:
  self,
  lib,
  inputs,
  ...
 }:
 let
  inherit (lib)
    attrNames
    attrValues
    elem
    filter
    filterAttrs
    flip
    genAttrs
    hasPrefix
    pathExists
    ;
  nixosLib = import (self.inputs.nixpkgs + "/nixos/lib") { };
@@ -21,8 +9,6 @@ in
 {
  imports = filter pathExists [
    ./backups/flake-module.nix
    ../nixosModules/clanCore/machine-id/tests/flake-module.nix
    ../nixosModules/clanCore/state-version/tests/flake-module.nix
    ./devshell/flake-module.nix
    ./flash/flake-module.nix
    ./impure/flake-module.nix
@@ -31,33 +17,6 @@ in
    ./nixos-documentation/flake-module.nix
    ./dont-depend-on-repo-root.nix
  ];
  flake.check = genAttrs [ "x86_64-linux" "aarch64-darwin" ] (
    system:
    let
      checks = flip filterAttrs self.checks.${system} (
        name: _check:
        !(hasPrefix "nixos-test-" name)
        && !(hasPrefix "nixos-" name)
        && !(hasPrefix "darwin-test-" name)
        && !(hasPrefix "service-" name)
        && !(hasPrefix "vars-check-" name)
        && !(hasPrefix "devShell-" name)
        && !(elem name [
          "clan-core-for-checks"
          "clan-deps"
        ])
      );
    in
    inputs.nixpkgs.legacyPackages.${system}.runCommand "fast-flake-checks-${system}"
      { passthru.checks = checks; }
      ''
        echo "Executed the following checks for ${system}..."
        echo "  - ${lib.concatStringsSep "\n" (map (n: "  - " + n) (attrNames checks))}"
        echo ${toString (attrValues checks)} >/dev/null
        echo "All checks succeeded"
        touch $out
      ''
  );
  perSystem =
    {
      pkgs,
@@ -77,24 +36,28 @@ in
            inherit (self) clanLib;
            clan-core = self;
          };
-          nixosTests = lib.optionalAttrs (pkgs.stdenv.isLinux) {
+          nixosTests =
            lib.optionalAttrs (pkgs.stdenv.isLinux) {
              # Base Tests
-            nixos-test-secrets = self.clanLib.test.baseTest ./secrets nixosTestArgs;
+              secrets = self.clanLib.test.baseTest ./secrets nixosTestArgs;
-            nixos-test-borgbackup-legacy = self.clanLib.test.baseTest ./borgbackup-legacy nixosTestArgs;
+              borgbackup-legacy = self.clanLib.test.baseTest ./borgbackup-legacy nixosTestArgs;
-            nixos-test-wayland-proxy-virtwl = self.clanLib.test.baseTest ./wayland-proxy-virtwl nixosTestArgs;
+              wayland-proxy-virtwl = self.clanLib.test.baseTest ./wayland-proxy-virtwl nixosTestArgs;
              # Container Tests
-            nixos-test-container = self.clanLib.test.containerTest ./container nixosTestArgs;
+              container = self.clanLib.test.containerTest ./container nixosTestArgs;
-            nixos-test-zt-tcp-relay = self.clanLib.test.containerTest ./zt-tcp-relay nixosTestArgs;
+              zt-tcp-relay = self.clanLib.test.containerTest ./zt-tcp-relay nixosTestArgs;
-            nixos-test-matrix-synapse = self.clanLib.test.containerTest ./matrix-synapse nixosTestArgs;
+              matrix-synapse = self.clanLib.test.containerTest ./matrix-synapse nixosTestArgs;
-            nixos-test-postgresql = self.clanLib.test.containerTest ./postgresql nixosTestArgs;
+              postgresql = self.clanLib.test.containerTest ./postgresql nixosTestArgs;
            nixos-test-user-firewall-iptables = self.clanLib.test.containerTest ./user-firewall/iptables.nix nixosTestArgs;
            nixos-test-user-firewall-nftables = self.clanLib.test.containerTest ./user-firewall/nftables.nix nixosTestArgs;
-            service-dummy-test = import ./service-dummy-test nixosTestArgs;
+              dummy-inventory-test = import ./dummy-inventory-test nixosTestArgs;
-            service-dummy-test-from-flake = import ./service-dummy-test-from-flake nixosTestArgs;
+              dummy-inventory-test-from-flake = import ./dummy-inventory-test-from-flake nixosTestArgs;
-            service-data-mesher = import ./data-mesher nixosTestArgs;
+              data-mesher = import ./data-mesher nixosTestArgs;
            }
            // lib.optionalAttrs (pkgs.stdenv.hostPlatform.system == "aarch64-linux") {
              # for some reason this hangs in an odd place in CI, but it works on my machine ...
              # on aarch64-linux it works though
              mumble = import ./mumble nixosTestArgs;
            };
          packagesToBuild = lib.removeAttrs self'.packages [
@@ -107,9 +70,6 @@ in
            lib.mapAttrs' (
              name: config: lib.nameValuePair "nixos-${name}" config.config.system.build.toplevel
            ) (lib.filterAttrs (n: _: !lib.hasPrefix "test-" n) self.nixosConfigurations)
            // lib.mapAttrs' (
              name: config: lib.nameValuePair "darwin-${name}" config.config.system.build.toplevel
            ) (self.darwinConfigurations or { })
            // lib.mapAttrs' (n: lib.nameValuePair "package-${n}") packagesToBuild
            // lib.mapAttrs' (n: lib.nameValuePair "devShell-${n}") self'.devShells
            // lib.mapAttrs' (name: config: lib.nameValuePair "home-manager-${name}" config.activation-script) (
@@ -126,7 +86,7 @@ in
                _n: m:
                let
                  schema =
-                    (self.clanLib.evalService {
+                    (self.clanLib.inventory.evalClanService {
                      modules = [ m ];
                      prefix = [
                        "checks"
@@ -152,9 +112,6 @@ in
            cp ${../flake.lock} $out/flake.lock
          '';
        };
      packages = lib.optionalAttrs (pkgs.stdenv.isLinux) {
        run-vm-test-offline = pkgs.callPackage ../pkgs/run-vm-test-offline { };
      };
      legacyPackages = {
        nixosTests =
          let
@@ -167,10 +124,10 @@ in
          in
          lib.optionalAttrs (pkgs.stdenv.isLinux) {
            # import our test
-            nixos-test-secrets = import ./secrets nixosTestArgs;
+            secrets = import ./secrets nixosTestArgs;
-            nixos-test-container = import ./container nixosTestArgs;
+            container = import ./container nixosTestArgs;
            # Clan app tests
-            nixos-test-app-ocr = self.clanLib.test.baseTest ./app-ocr nixosTestArgs;
+            app-ocr = self.clanLib.test.baseTest ./app-ocr nixosTestArgs;
          };
      };
    };
--- a/checks/flash/flake-module.nix
+++ b/checks/flash/flake-module.nix
@@ -50,12 +50,14 @@
        self.nixosConfigurations."test-flash-machine-${pkgs.hostPlatform.system}".config.system.build.toplevel
        self.nixosConfigurations."test-flash-machine-${pkgs.hostPlatform.system}".config.system.build.diskoScript
        self.nixosConfigurations."test-flash-machine-${pkgs.hostPlatform.system}".config.system.build.diskoScript.drvPath
        self.nixosConfigurations."test-flash-machine-${pkgs.hostPlatform.system}".config.system.clan.deployment.file
      ] ++ builtins.map (i: i.outPath) (builtins.attrValues self.inputs);
      closureInfo = pkgs.closureInfo { rootPaths = dependencies; };
    in
    {
      checks = pkgs.lib.mkIf pkgs.stdenv.isLinux {
-        nixos-test-flash = self.clanLib.test.baseTest {
+        flash = self.clanLib.test.baseTest {
          name = "flash";
          nodes.target = {
            virtualisation.emptyDiskImages = [ 4096 ];
--- a/checks/impure/flake-module.nix
+++ b/checks/impure/flake-module.nix
@@ -28,12 +28,6 @@
        ROOT=$(git rev-parse --show-toplevel)
        cd "$ROOT/pkgs/clan-cli"
        # Set up custom git configuration for tests
        export GIT_CONFIG_GLOBAL=$(mktemp)
        git config --file "$GIT_CONFIG_GLOBAL" user.name "Test User"
        git config --file "$GIT_CONFIG_GLOBAL" user.email "test@example.com"
        export GIT_CONFIG_SYSTEM=/dev/null
        # this disables dynamic dependency loading in clan-cli
        export CLAN_NO_DYNAMIC_DEPS=1
@@ -43,9 +37,6 @@
        jobs="$((jobs > 13 ? 13 : jobs))"
        nix develop "$ROOT#clan-cli" -c bash -c "TMPDIR=/tmp python -m pytest -n $jobs -m impure ./clan_cli $@"
        # Clean up temporary git config
        rm -f "$GIT_CONFIG_GLOBAL"
      '';
    };
 }
--- a/checks/installation/flake-module.nix
+++ b/checks/installation/flake-module.nix
@@ -1,9 +1,63 @@
 {
  self,
  lib,
  ...
 }:
 let
  installer =
    { modulesPath, pkgs, ... }:
    let
      dependencies = [
        self.clanInternals.machines.${pkgs.hostPlatform.system}.test-install-machine-with-system.config.system.build.toplevel
        self.clanInternals.machines.${pkgs.hostPlatform.system}.test-install-machine-with-system.config.system.build.diskoScript
        self.clanInternals.machines.${pkgs.hostPlatform.system}.test-install-machine-with-system.config.system.clan.deployment.file
        pkgs.stdenv.drvPath
        pkgs.bash.drvPath
        pkgs.nixos-anywhere
        pkgs.bubblewrap
        pkgs.buildPackages.xorg.lndir
      ] ++ builtins.map (i: i.outPath) (builtins.attrValues self.inputs);
      closureInfo = pkgs.closureInfo { rootPaths = dependencies; };
    in
    {
      imports = [
        (modulesPath + "/../tests/common/auto-format-root-device.nix")
      ];
      networking.useNetworkd = true;
      services.openssh.enable = true;
      services.openssh.settings.UseDns = false;
      services.openssh.settings.PasswordAuthentication = false;
      system.nixos.variant_id = "installer";
      environment.systemPackages = [
        self.packages.${pkgs.system}.clan-cli-full
        pkgs.nixos-facter
      ];
      environment.etc."install-closure".source = "${closureInfo}/store-paths";
      virtualisation.emptyDiskImages = [ 512 ];
      virtualisation.diskSize = 8 * 1024;
      virtualisation.rootDevice = "/dev/vdb";
      # both installer and target need to use the same diskImage
      virtualisation.diskImage = "./target.qcow2";
      virtualisation.memorySize = 3048;
      nix.settings = {
        substituters = lib.mkForce [ ];
        hashed-mirrors = null;
        connect-timeout = lib.mkForce 3;
        flake-registry = pkgs.writeText "flake-registry" ''{"flakes":[],"version":2}'';
        experimental-features = [
          "nix-command"
          "flakes"
        ];
      };
      users.users.nonrootuser = {
        isNormalUser = true;
        openssh.authorizedKeys.keyFiles = [ ../assets/ssh/pubkey ];
        extraGroups = [ "wheel" ];
      };
      security.sudo.wheelNeedsPassword = false;
      system.extraDependencies = dependencies;
    };
 in
 {
  # The purpose of this test is to ensure `clan machines install` works
@@ -52,25 +106,6 @@
        environment.etc."install-successful".text = "ok";
        # Enable SSH and add authorized key for testing
        services.openssh.enable = true;
        services.openssh.settings.PasswordAuthentication = false;
        users.users.nonrootuser = {
          isNormalUser = true;
          openssh.authorizedKeys.keys = [ (builtins.readFile ../assets/ssh/pubkey) ];
          extraGroups = [ "wheel" ];
          home = "/home/nonrootuser";
          createHome = true;
        };
        users.users.root.openssh.authorizedKeys.keys = [ (builtins.readFile ../assets/ssh/pubkey) ];
        # Allow users to manage their own SSH keys
        services.openssh.authorizedKeysFiles = [
          "/root/.ssh/authorized_keys"
          "/home/%u/.ssh/authorized_keys"
          "/etc/ssh/authorized_keys.d/%u"
        ];
        security.sudo.wheelNeedsPassword = false;
        boot.consoleLogLevel = lib.mkForce 100;
        boot.kernelParams = [ "boot.shell_on_fail" ];
@@ -147,199 +182,55 @@
      # vm-test-run-test-installation-> target: waiting for the VM to finish booting
      # vm-test-run-test-installation-> target: Guest root shell did not produce any data yet...
      # vm-test-run-test-installation-> target:   To debug, enter the VM and run 'systemctl status backdoor.service'.
-      checks =
+      checks = pkgs.lib.mkIf (pkgs.stdenv.isLinux && !pkgs.stdenv.isAarch64) {
-        let
+        installation = self.clanLib.test.baseTest {
          # Custom Python package for port management utilities
          closureInfo = pkgs.closureInfo {
            rootPaths = [
              self.checks.x86_64-linux.clan-core-for-checks
              self.clanInternals.machines.${pkgs.hostPlatform.system}.test-install-machine-with-system.config.system.build.toplevel
              self.clanInternals.machines.${pkgs.hostPlatform.system}.test-install-machine-with-system.config.system.build.initialRamdisk
              self.clanInternals.machines.${pkgs.hostPlatform.system}.test-install-machine-with-system.config.system.build.diskoScript
              pkgs.stdenv.drvPath
              pkgs.bash.drvPath
              pkgs.buildPackages.xorg.lndir
            ] ++ builtins.map (i: i.outPath) (builtins.attrValues self.inputs);
          };
        in
        pkgs.lib.mkIf (pkgs.stdenv.isLinux && !pkgs.stdenv.isAarch64) {
          nixos-test-installation = self.clanLib.test.baseTest {
          name = "installation";
-            nodes.target = (import ./test-helpers.nix { inherit lib pkgs self; }).target;
+          nodes.target = {
-            extraPythonPackages = _p: [
+            services.openssh.enable = true;
-              self.legacyPackages.${pkgs.system}.nixosTestLib
+            virtualisation.diskImage = "./target.qcow2";
-            ];
+            virtualisation.useBootLoader = true;
          };
          nodes.installer = installer;
          testScript = ''
-              import tempfile
+            installer.start()
              import os
              import subprocess
              from nixos_test_lib.ssh import setup_ssh_connection # type: ignore[import-untyped]
              from nixos_test_lib.nix_setup import prepare_test_flake # type: ignore[import-untyped]
-              def create_test_machine(oldmachine, qemu_test_bin: str, **kwargs):
+            installer.succeed("${pkgs.coreutils}/bin/install -Dm 600 ${../assets/ssh/privkey} /root/.ssh/id_ed25519")
                  """Create a new test machine from an installed disk image"""
                  start_command = [
                      f"{qemu_test_bin}/bin/qemu-kvm",
                      "-cpu",
                      "max",
                      "-m",
                      "3048",
                      "-virtfs",
                      "local,path=/nix/store,security_model=none,mount_tag=nix-store",
                      "-drive",
                      f"file={oldmachine.state_dir}/target.qcow2,id=drive1,if=none,index=1,werror=report",
                      "-device",
                      "virtio-blk-pci,drive=drive1",
                      "-netdev",
                      "user,id=net0",
                      "-device",
                      "virtio-net-pci,netdev=net0",
                  ]
                  machine = create_machine(start_command=" ".join(start_command), **kwargs)
                  driver.machines.append(machine)
                  return machine
            installer.wait_until_succeeds("timeout 2 ssh -o StrictHostKeyChecking=accept-new -v nonrootuser@localhost hostname")
            installer.succeed("cp -r ${self.checks.x86_64-linux.clan-core-for-checks} test-flake && chmod -R +w test-flake")
            installer.succeed("clan machines install --no-reboot --debug --flake test-flake --yes test-install-machine-without-system --target-host nonrootuser@localhost --update-hardware-config nixos-facter >&2")
            installer.shutdown()
            # We are missing the test instrumentation somehow. Test this later.
            target.state_dir = installer.state_dir
            target.start()
-
+            target.wait_for_unit("multi-user.target")
              # Set up test environment
              with tempfile.TemporaryDirectory() as temp_dir:
                  # Prepare test flake and Nix store
                  flake_dir = prepare_test_flake(
                      temp_dir,
                      "${self.checks.x86_64-linux.clan-core-for-checks}",
                      "${closureInfo}"
                  )
                  # Set up SSH connection
                  ssh_conn = setup_ssh_connection(
                      target,
                      temp_dir,
                      "${../assets/ssh/privkey}"
                  )
                  # Run clan install from host using port forwarding
                  clan_cmd = [
                      "${self.packages.${pkgs.system}.clan-cli-full}/bin/clan",
                      "machines",
                      "install",
                      "--phases", "disko,install",
                      "--debug",
                      "--flake", flake_dir,
                      "--yes", "test-install-machine-without-system",
                      "--target-host", f"nonrootuser@localhost:{ssh_conn.host_port}",
                      "-i", ssh_conn.ssh_key,
                      "--option", "store", os.environ['CLAN_TEST_STORE'],
                      "--update-hardware-config", "nixos-facter",
                  ]
                  subprocess.run(clan_cmd, check=True)
              # Shutdown the installer machine gracefully
              try:
                  target.shutdown()
              except BrokenPipeError:
                  # qemu has already exited
                  pass
              # Create a new machine instance that boots from the installed system
              installed_machine = create_test_machine(target, "${pkgs.qemu_test}", name="after_install")
              installed_machine.start()
              installed_machine.wait_for_unit("multi-user.target")
              installed_machine.succeed("test -f /etc/install-successful")
          '';
        } { inherit pkgs self; };
-          nixos-test-update-hardware-configuration = self.clanLib.test.baseTest {
+        update-hardware-configuration = self.clanLib.test.baseTest {
          name = "update-hardware-configuration";
-            nodes.target = (import ./test-helpers.nix { inherit lib pkgs self; }).target;
+          nodes.installer = installer;
            extraPythonPackages = _p: [
              self.legacyPackages.${pkgs.system}.nixosTestLib
            ];
          testScript = ''
-              import tempfile
+            installer.start()
-              import os
+            installer.succeed("${pkgs.coreutils}/bin/install -Dm 600 ${../assets/ssh/privkey} /root/.ssh/id_ed25519")
-              import subprocess
+            installer.wait_until_succeeds("timeout 2 ssh -o StrictHostKeyChecking=accept-new -v nonrootuser@localhost hostname")
-              from nixos_test_lib.ssh import setup_ssh_connection # type: ignore[import-untyped]
+            installer.succeed("cp -r ${self.checks.x86_64-linux.clan-core-for-checks} test-flake && chmod -R +w test-flake")
-              from nixos_test_lib.nix_setup import prepare_test_flake # type: ignore[import-untyped]
+            installer.fail("test -f test-flake/machines/test-install-machine/hardware-configuration.nix")
            installer.fail("test -f test-flake/machines/test-install-machine/facter.json")
-              target.start()
+            installer.succeed("clan machines update-hardware-config --debug --flake test-flake test-install-machine-without-system nonrootuser@localhost >&2")
            installer.succeed("test -f test-flake/machines/test-install-machine-without-system/facter.json")
            installer.succeed("rm test-flake/machines/test-install-machine-without-system/facter.json")
-              # Set up test environment
+            installer.succeed("clan machines update-hardware-config --debug --backend nixos-generate-config --flake test-flake test-install-machine-without-system nonrootuser@localhost >&2")
-              with tempfile.TemporaryDirectory() as temp_dir:
+            installer.succeed("test -f test-flake/machines/test-install-machine-without-system/hardware-configuration.nix")
-                  # Prepare test flake and Nix store
+            installer.succeed("rm test-flake/machines/test-install-machine-without-system/hardware-configuration.nix")
                  flake_dir = prepare_test_flake(
                      temp_dir,
                      "${self.checks.x86_64-linux.clan-core-for-checks}",
                      "${closureInfo}"
                  )
                  # Set up SSH connection
                  ssh_conn = setup_ssh_connection(
                      target,
                      temp_dir,
                      "${../assets/ssh/privkey}"
                  )
                  # Verify files don't exist initially
                  hw_config_file = os.path.join(flake_dir, "machines/test-install-machine/hardware-configuration.nix")
                  facter_file = os.path.join(flake_dir, "machines/test-install-machine/facter.json")
                  assert not os.path.exists(hw_config_file), "hardware-configuration.nix should not exist initially"
                  assert not os.path.exists(facter_file), "facter.json should not exist initially"
                  # Set CLAN_FLAKE for the commands
                  os.environ["CLAN_FLAKE"] = flake_dir
                  # Test facter backend
                  clan_cmd = [
                      "${self.packages.${pkgs.system}.clan-cli-full}/bin/clan",
                      "machines",
                      "update-hardware-config",
                      "--debug",
                      "--flake", ".",
                      "--host-key-check", "none",
                      "test-install-machine-without-system",
                      "-i", ssh_conn.ssh_key,
                      "--option", "store", os.environ['CLAN_TEST_STORE'],
                      f"nonrootuser@localhost:{ssh_conn.host_port}"
                  ]
                  result = subprocess.run(clan_cmd, capture_output=True, cwd=flake_dir)
                  if result.returncode != 0:
                      print(f"Clan update-hardware-config failed: {result.stderr.decode()}")
                      raise Exception(f"Clan update-hardware-config failed with return code {result.returncode}")
                  facter_without_system_file = os.path.join(flake_dir, "machines/test-install-machine-without-system/facter.json")
                  assert os.path.exists(facter_without_system_file), "facter.json should exist after update"
                  os.remove(facter_without_system_file)
                  # Test nixos-generate-config backend
                  clan_cmd = [
                      "${self.packages.${pkgs.system}.clan-cli-full}/bin/clan",
                      "machines",
                      "update-hardware-config",
                      "--debug",
                      "--backend", "nixos-generate-config",
                      "--host-key-check", "none",
                      "--flake", ".",
                      "test-install-machine-without-system",
                      "-i", ssh_conn.ssh_key,
                      "--option", "store", os.environ['CLAN_TEST_STORE'],
                      f"nonrootuser@localhost:{ssh_conn.host_port}"
                  ]
                  result = subprocess.run(clan_cmd, capture_output=True, cwd=flake_dir)
                  if result.returncode != 0:
                      print(f"Clan update-hardware-config (nixos-generate-config) failed: {result.stderr.decode()}")
                      raise Exception(f"Clan update-hardware-config failed with return code {result.returncode}")
                  hw_config_without_system_file = os.path.join(flake_dir, "machines/test-install-machine-without-system/hardware-configuration.nix")
                  assert os.path.exists(hw_config_without_system_file), "hardware-configuration.nix should exist after update"
          '';
        } { inherit pkgs self; };
      };
    };
 }
--- a/checks/installation/pyproject.toml
+++ b/checks/installation/pyproject.toml
@@ -1,44 +0,0 @@
 [build-system]
 requires = ["setuptools", "wheel"]
 build-backend = "setuptools.build_meta"
 [project]
 name = "nixos-test-lib"
 version = "1.0.0"
 description = "NixOS test utilities for clan VM testing"
 authors = [
    {name = "Clan Core Team"}
 ]
 dependencies = []
 [project.optional-dependencies]
 dev = [
    "mypy",
    "ruff"
 ]
 [tool.setuptools.packages.find]
 where = ["."]
 include = ["nixos_test_lib*"]
 [tool.setuptools.package-data]
 "nixos_test_lib" = ["py.typed"]
 [tool.mypy]
 python_version = "3.12"
 strict = true
 warn_return_any = true
 warn_unused_configs = true
 [tool.ruff]
 target-version = "py312"
 line-length = 88
 [tool.ruff.lint]
 select = ["ALL"]
 ignore = [
    "D", # docstrings
    "ANN", # type annotations  
    "COM812", # trailing comma
    "ISC001", # string concatenation
 ]
--- a/checks/installation/test-helpers.nix
+++ b/checks/installation/test-helpers.nix
@@ -1,173 +0,0 @@
 {
  lib,
  pkgs,
  self,
  ...
 }:
 let
  # Common target VM configuration used by both installation and update tests
  target =
    { modulesPath, pkgs, ... }:
    {
      imports = [
        (modulesPath + "/../tests/common/auto-format-root-device.nix")
      ];
      networking.useNetworkd = true;
      services.openssh.enable = true;
      services.openssh.settings.UseDns = false;
      services.openssh.settings.PasswordAuthentication = false;
      system.nixos.variant_id = "installer";
      environment.systemPackages = [
        pkgs.nixos-facter
      ];
      # Disable cache.nixos.org to speed up tests
      nix.settings.substituters = [ ];
      nix.settings.trusted-public-keys = [ ];
      virtualisation.emptyDiskImages = [ 512 ];
      virtualisation.diskSize = 8 * 1024;
      virtualisation.rootDevice = "/dev/vdb";
      # both installer and target need to use the same diskImage
      virtualisation.diskImage = "./target.qcow2";
      virtualisation.memorySize = 3048;
      users.users.nonrootuser = {
        isNormalUser = true;
        openssh.authorizedKeys.keys = [ (builtins.readFile ../assets/ssh/pubkey) ];
        extraGroups = [ "wheel" ];
      };
      users.users.root.openssh.authorizedKeys.keys = [ (builtins.readFile ../assets/ssh/pubkey) ];
      # Allow users to manage their own SSH keys
      services.openssh.authorizedKeysFiles = [
        "/root/.ssh/authorized_keys"
        "/home/%u/.ssh/authorized_keys"
        "/etc/ssh/authorized_keys.d/%u"
      ];
      security.sudo.wheelNeedsPassword = false;
    };
  # Common base test machine configuration
  baseTestMachine =
    { lib, modulesPath, ... }:
    {
      imports = [
        (modulesPath + "/testing/test-instrumentation.nix")
        (modulesPath + "/profiles/qemu-guest.nix")
        self.clanLib.test.minifyModule
      ];
      # Enable SSH and add authorized key for testing
      services.openssh.enable = true;
      services.openssh.settings.PasswordAuthentication = false;
      users.users.nonrootuser = {
        isNormalUser = true;
        openssh.authorizedKeys.keys = [ (builtins.readFile ../assets/ssh/pubkey) ];
        extraGroups = [ "wheel" ];
        home = "/home/nonrootuser";
        createHome = true;
      };
      users.users.root.openssh.authorizedKeys.keys = [ (builtins.readFile ../assets/ssh/pubkey) ];
      # Allow users to manage their own SSH keys
      services.openssh.authorizedKeysFiles = [
        "/root/.ssh/authorized_keys"
        "/home/%u/.ssh/authorized_keys"
        "/etc/ssh/authorized_keys.d/%u"
      ];
      security.sudo.wheelNeedsPassword = false;
      boot.consoleLogLevel = lib.mkForce 100;
      boot.kernelParams = [ "boot.shell_on_fail" ];
      # disko config
      boot.loader.grub.efiSupport = lib.mkDefault true;
      boot.loader.grub.efiInstallAsRemovable = lib.mkDefault true;
      clan.core.vars.settings.secretStore = "vm";
      clan.core.vars.generators.test = {
        files.test.neededFor = "partitioning";
        script = ''
          echo "notok" > "$out"/test
        '';
      };
      disko.devices = {
        disk = {
          main = {
            type = "disk";
            device = "/dev/vda";
            preCreateHook = ''
              test -e /run/partitioning-secrets/test/test
            '';
            content = {
              type = "gpt";
              partitions = {
                boot = {
                  size = "1M";
                  type = "EF02"; # for grub MBR
                  priority = 1;
                };
                ESP = {
                  size = "512M";
                  type = "EF00";
                  content = {
                    type = "filesystem";
                    format = "vfat";
                    mountpoint = "/boot";
                    mountOptions = [ "umask=0077" ];
                  };
                };
                root = {
                  size = "100%";
                  content = {
                    type = "filesystem";
                    format = "ext4";
                    mountpoint = "/";
                  };
                };
              };
            };
          };
        };
      };
    };
  # NixOS test library combining port utils and clan VM test utilities
  nixosTestLib = pkgs.python3Packages.buildPythonPackage {
    pname = "nixos-test-lib";
    version = "1.0.0";
    format = "pyproject";
    src = lib.fileset.toSource {
      root = ./.;
      fileset = lib.fileset.unions [
        ./pyproject.toml
        ./nixos_test_lib
      ];
    };
    nativeBuildInputs = with pkgs.python3Packages; [
      setuptools
      wheel
    ];
    doCheck = false;
  };
  # Common closure info
  closureInfo = pkgs.closureInfo {
    rootPaths = [
      self.checks.x86_64-linux.clan-core-for-checks
      self.clanInternals.machines.${pkgs.hostPlatform.system}.test-install-machine-with-system.config.system.build.toplevel
      self.clanInternals.machines.${pkgs.hostPlatform.system}.test-install-machine-with-system.config.system.build.initialRamdisk
      self.clanInternals.machines.${pkgs.hostPlatform.system}.test-install-machine-with-system.config.system.build.diskoScript
      self.clanInternals.machines.${pkgs.hostPlatform.system}.test-install-machine-with-system.config.system.clan.deployment.file
      pkgs.stdenv.drvPath
      pkgs.bash.drvPath
      pkgs.buildPackages.xorg.lndir
    ] ++ builtins.map (i: i.outPath) (builtins.attrValues self.inputs);
  };
 in
 {
  inherit
    target
    baseTestMachine
    nixosTestLib
    closureInfo
    ;
 }
--- a/checks/morph/flake-module.nix
+++ b/checks/morph/flake-module.nix
@@ -24,7 +24,7 @@
    }:
    {
      checks = pkgs.lib.mkIf (pkgs.stdenv.isLinux && !pkgs.stdenv.isAarch64) {
-        nixos-test-morph = self.clanLib.test.baseTest {
+        morph = self.clanLib.test.baseTest {
          name = "morph";
          nodes = {
@@ -35,6 +35,7 @@
                  pkgs.stdenv.drvPath
                  pkgs.stdenvNoCC
                  self.nixosConfigurations.test-morph-machine.config.system.build.toplevel
                  self.nixosConfigurations.test-morph-machine.config.system.clan.deployment.file
                ] ++ builtins.map (i: i.outPath) (builtins.attrValues self.inputs);
                closureInfo = pkgs.closureInfo { rootPaths = dependencies; };
              in
--- a/checks/mumble/default.nix
+++ b/checks/mumble/default.nix
@@ -0,0 +1,132 @@
 {
  pkgs,
  nixosLib,
  clan-core,
  lib,
  ...
 }:
 nixosLib.runTest (
  { ... }:
  let
    machines = [
      "peer1"
      "peer2"
    ];
  in
  {
    imports = [
      clan-core.modules.nixosVmTest.clanTest
    ];
    hostPkgs = pkgs;
    name = "mumble";
    defaults =
      { pkgs, modulesPath, ... }:
      {
        imports = [
          (modulesPath + "/../tests/common/x11.nix")
        ];
        clan.services.mumble.user = "alice";
        environment.systemPackages = [ pkgs.killall ];
      };
    clan = {
      directory = ./.;
      # TODO: container driver does not support: sleep, wait_for_window, send_chars, wait_for_text
      test.useContainers = false;
      inventory = {
        machines = lib.genAttrs machines (_: { });
        services = {
          mumble.default = {
            roles.server.machines = machines;
          };
        };
      };
    };
    enableOCR = true;
    testScript = ''
      import time
      import re
      def machine_has_text(machine: Machine, regex: str) -> bool:
          variants = machine.get_screen_text_variants()
          # for debugging
          # machine.screenshot(f"/tmp/{machine.name}.png")
          for text in variants:
              print(f"Expecting '{regex}' in '{text}'")
              if re.search(regex, text) is not None:
                  return True
          return False
      start_all()
      with subtest("Waiting for x"):
        peer1.wait_for_x()
        peer2.wait_for_x()
      with subtest("Waiting for murmur"):
        peer1.wait_for_unit("murmur.service")
        peer2.wait_for_unit("murmur.service")
      with subtest("Starting Mumble"):
        # starting mumble is blocking
        peer1.execute("mumble >&2 &")
        peer2.execute("mumble >&2 &")
      with subtest("Wait for Mumble"):
        peer1.wait_for_window(r"Mumble")
        peer2.wait_for_window(r"Mumble")
      with subtest("Wait for certificate creation"):
        peer1.wait_for_window(r"Mumble")
        peer2.wait_for_window(r"Mumble")
        for i in range(20):
          time.sleep(1)
          peer1.send_chars("\n")
          peer1.send_chars("\n")
          peer2.send_chars("\n")
          peer2.send_chars("\n")
          if machine_has_text(peer1, r"Mumble Server Connect") and \
              machine_has_text(peer2, r"Mumble Server Connect"):
            break
        else:
          raise Exception("Timeout waiting for certificate creation")
      with subtest("Check validity of server certificates"):
        peer1.execute("killall .mumble-wrapped")
        peer1.sleep(1)
        peer1.execute("mumble mumble://peer2 >&2 &")
        peer1.wait_for_window(r"Mumble")
        for i in range(20):
          time.sleep(1)
          peer1.send_chars("\n")
          peer1.send_chars("\n")
          if machine_has_text(peer1, "Connected."):
            break
        else:
          raise Exception("Timeout waiting for certificate creation")
        peer2.execute("killall .mumble-wrapped")
        peer2.sleep(1)
        peer2.execute("mumble mumble://peer1 >&2 &")
        peer2.wait_for_window(r"Mumble")
        for i in range(20):
          time.sleep(1)
          peer2.send_chars("\n")
          peer2.send_chars("\n")
          if machine_has_text(peer2, "Connected."):
            break
        else:
          raise Exception("Timeout waiting for certificate creation")
    '';
  }
 )
--- a/checks/mumble/machines/peer1/facts/mumble-cert
+++ b/checks/mumble/machines/peer1/facts/mumble-cert
@@ -0,0 +1,22 @@
 -----BEGIN CERTIFICATE-----
 MIIDazCCAlOgAwIBAgIUCUjfNkF0CDhTKbO3nNczcsCW4qEwDQYJKoZIhvcNAQEL
 BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
 GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yNDA2MjcwOTM2NDZaFw0yNDA3
 MjcwOTM2NDZaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw
 HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEB
 AQUAA4IBDwAwggEKAoIBAQDCcdZEJvXJIeOKO5pF5XUFvUeJtCCiwfWvWS662bxc
 R/5MZucRLqfTNYo9aBv4NITw5kxZsTaaubmS4zSGQoTEAVzqzVdi3a/gNvsdVLb+
 7CivpmweLllX/OGsTL0kHPEI+74AYiTBjXfdWV1Y5T1tuwc3G8ATrguQ33Uo5vvF
 vcqsbTKcRZC0pB9O/nn4q03GsRdvlpaKakIhjMpRG/uZ3u7wtbyZ+WqjsjxZNfnY
 aMyPoaipFqX1v+L7GKlOj2NpyEZFVVwa2ZqhVSYXyDfpAWQFznwKGzD5mjtcyKym
 gnv/5LwrpH4Xj+JMt48hN+rPnu5vfXT8Y4KnID30OQW7AgMBAAGjUzBRMB0GA1Ud
 DgQWBBQBBO8Wp975pAGioMjkaxANAVInfzAfBgNVHSMEGDAWgBQBBO8Wp975pAGi
 oMjkaxANAVInfzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAg
 F40MszTZXpR/A1z9B1CcXH47tNK67f8bCMR2dhvXODbpatwSihyxhQjtLb5R6kYH
 5Yq/B4yrh303j0CXaobCQ4nQH7zI7fhViww+TzW7vDhgM7ueEyyXrqCXt6JY8avg
 TuvIRtJSeWSQJ5aLNaYqmiwMf/tj9W3BMDpctGyLqu1WTSrbpYa9mA5Vudud70Yz
 DgZ/aqHilB07cVNqzVYZzRZ56WJlTjGzVevRgnHZqPiZNVrU13H6gtWa3r8aV4Gj
 i4F663eRAttj166cRgfl1QqpSG2IprNyV9UfuS2LlUaVNT3y0idawiJ4HhaA8pGB
 ZqMUUkA4DSucb6xxEcTK
 -----END CERTIFICATE-----
--- a/checks/mumble/machines/peer1/key.age
+++ b/checks/mumble/machines/peer1/key.age
@@ -0,0 +1 @@
 AGE-SECRET-KEY-1UCXEUJH6JXF8LFKWFHDM4N9AQE2CCGQZGXLUNV4TKR5KY0KC8FDQ2TY4NX
--- a/checks/mumble/machines/peer1/peer_1_test_cert
+++ b/checks/mumble/machines/peer1/peer_1_test_cert
@@ -0,0 +1,14 @@
 -----BEGIN CERTIFICATE-----
 MIICHTCCAaKgAwIBAgIIT2gZuvqVFP0wCgYIKoZIzj0EAwIwSjESMBAGA1UEChMJ
 U3luY3RoaW5nMSAwHgYDVQQLExdBdXRvbWF0aWNhbGx5IEdlbmVyYXRlZDESMBAG
 A1UEAxMJc3luY3RoaW5nMB4XDTIzMTIwNjAwMDAwMFoXDTQzMTIwMTAwMDAwMFow
 SjESMBAGA1UEChMJU3luY3RoaW5nMSAwHgYDVQQLExdBdXRvbWF0aWNhbGx5IEdl
 bmVyYXRlZDESMBAGA1UEAxMJc3luY3RoaW5nMHYwEAYHKoZIzj0CAQYFK4EEACID
 YgAEBAr1CsciwCa0vi7eC6xxuSGijY3txbjtsyFanec/fge4oJBD3rVpaLKFETb3
 TvHHsuvblzElcP483MEVq6FMUoxwuL9CzTtpJrRhtwSmAs8AHLFu8irVn8sZjgkL
 sXMho1UwUzAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsG
 AQUFBwMCMAwGA1UdEwEB/wQCMAAwFAYDVR0RBA0wC4IJc3luY3RoaW5nMAoGCCqG
 SM49BAMCA2kAMGYCMQDbrtLgfcyMMIkNQn+PJe9DHYAqj8C47LQcWuIY/nekhOu0
 aUfKctEAwyBtI60Y5zcCMQCEdgD/6CNBh7Qqq3z3CKPhlrpxHtCO5tNw17k0jfdH
 haCwJInHZvZgclHk4EtFpTw=
 -----END CERTIFICATE-----
--- a/checks/mumble/machines/peer1/peer_1_test_key
+++ b/checks/mumble/machines/peer1/peer_1_test_key
@@ -0,0 +1,6 @@
 -----BEGIN EC PRIVATE KEY-----
 MIGkAgEBBDA14Nqo17Xs/xRLGH2KLuyzjKp4eW9iWFobVNM93RZZbECT++W3XcQc
 cEc5WVtiPmWgBwYFK4EEACKhZANiAAQECvUKxyLAJrS+Lt4LrHG5IaKNje3FuO2z
 IVqd5z9+B7igkEPetWlosoURNvdO8cey69uXMSVw/jzcwRWroUxSjHC4v0LNO2km
 tGG3BKYCzwAcsW7yKtWfyxmOCQuxcyE=
 -----END EC PRIVATE KEY-----
--- a/checks/mumble/machines/peer2/facts/mumble-cert
+++ b/checks/mumble/machines/peer2/facts/mumble-cert
@@ -0,0 +1,22 @@
 -----BEGIN CERTIFICATE-----
 MIIDazCCAlOgAwIBAgIUfENbTtH5nr7giuawwQpDYqUpWJswDQYJKoZIhvcNAQEL
 BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
 GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yNDA2MjcwOTQxNDNaFw0yNDA3
 MjcwOTQxNDNaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw
 HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEB
 AQUAA4IBDwAwggEKAoIBAQCfP6cZhCs9jOnWqyQP12vrOOxlBrWofYZFf9amUA24
 AfE7oGcSfkylanmkxzvGqQkhgLAvkHZj/GEvHujKyy8PgcEGP+pwmsfWNQMvU0Dz
 j3syjWOTi3eIC/3DoUnHlWCT2qCil/bjqxgU1l7fO/OXUlq5kyvIjln7Za4sUHun
 ixe/m96Er6l8a4Mh2pxh2C5pkLCvulkQhjjGG+R6MccH8wwQwmLg5oVBkFEZrnRE
 pnRKBI0DvA+wk1aJFAPOI4d8Q5T7o/MyxH3f8TYGHqbeMQFCKwusnlWPRtrNdaIc
 gaLvSpR0LVlroXGu8tYmRpvHPByoKGDbgVvO0Bwx8fmRAgMBAAGjUzBRMB0GA1Ud
 DgQWBBR7r+mQWNUZ0TpQNwrwjgxgngvOjTAfBgNVHSMEGDAWgBR7r+mQWNUZ0TpQ
 NwrwjgxgngvOjTAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCO
 7B4s6uQEGE8jg3CQgy76oU/D8sazGcP8+/E4JLHSc0Nj49w4ztSpkOVk2HyEtzbm
 uR3TreIw+SfqpbiOI/ivVNDbEBsb/vEeq7qPzDH1Bi72plHZNRVhNGGV5rd7ibga
 TkfXHKPM9yt8ffffHHiu1ROvb8gg2B6JbQwboU4hvvmmorW7onyTFSYEzZVdNSpv
 pUtKPldxYjTnLlbsJdXC4xyCC4PrJt2CC0n0jsWfICJ77LMxIxTODh8oZNjbPg6r
 RdI7U/DsD+R072DjbIcrivvigotJM+jihzz5inZwbO8o0WQOHAbJLIG3C3BnRW3A
 Ek4u3+HXZMl5a0LGJ76u
 -----END CERTIFICATE-----
--- a/checks/mumble/machines/peer2/peer_2_test_cert
+++ b/checks/mumble/machines/peer2/peer_2_test_cert
@@ -0,0 +1,14 @@
 -----BEGIN CERTIFICATE-----
 MIICHjCCAaOgAwIBAgIJAKbMWefkf1rVMAoGCCqGSM49BAMCMEoxEjAQBgNVBAoT
 CVN5bmN0aGluZzEgMB4GA1UECxMXQXV0b21hdGljYWxseSBHZW5lcmF0ZWQxEjAQ
 BgNVBAMTCXN5bmN0aGluZzAeFw0yMzEyMDYwMDAwMDBaFw00MzEyMDEwMDAwMDBa
 MEoxEjAQBgNVBAoTCVN5bmN0aGluZzEgMB4GA1UECxMXQXV0b21hdGljYWxseSBH
 ZW5lcmF0ZWQxEjAQBgNVBAMTCXN5bmN0aGluZzB2MBAGByqGSM49AgEGBSuBBAAi
 A2IABFZTMt4RfsfBue0va7QuNdjfXMI4HfZzJCEcG+b9MtV7FlDmwMKX5fgGykD9
 FBbC7yiza3+xCobdMb5bakz1qYJ7nUFCv1mwSDo2eNM+/XE+rJmlre8NwkwGmvzl
 h1uhyqNVMFMwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggr
 BgEFBQcDAjAMBgNVHRMBAf8EAjAAMBQGA1UdEQQNMAuCCXN5bmN0aGluZzAKBggq
 hkjOPQQDAgNpADBmAjEAwzhsroN6R4/quWeXj6dO5gt5CfSTLkLee6vrcuIP5i1U
 rZvJ3OKQVmmGG6IWYe7iAjEAyuq3X2wznaqiw2YK3IDI4qVeYWpCUap0fwRNq7/x
 4dC4k+BOzHcuJOwNBIY/bEuK
 -----END CERTIFICATE-----
--- a/checks/mumble/machines/peer2/peer_2_test_key
+++ b/checks/mumble/machines/peer2/peer_2_test_key
@@ -0,0 +1,6 @@
 -----BEGIN EC PRIVATE KEY-----
 MIGkAgEBBDCXHGpvumKjjDRxB6SsjZOb7duw3w+rdlGQCJTIvRThLjD6zwjnyImi
 7c3PD5nWtLqgBwYFK4EEACKhZANiAARWUzLeEX7HwbntL2u0LjXY31zCOB32cyQh
 HBvm/TLVexZQ5sDCl+X4BspA/RQWwu8os2t/sQqG3TG+W2pM9amCe51BQr9ZsEg6
 NnjTPv1xPqyZpa3vDcJMBpr85Ydboco=
 -----END EC PRIVATE KEY-----
--- a/checks/mumble/peer_1/key.age
+++ b/checks/mumble/peer_1/key.age
@@ -0,0 +1 @@
 AGE-SECRET-KEY-1UCXEUJH6JXF8LFKWFHDM4N9AQE2CCGQZGXLUNV4TKR5KY0KC8FDQ2TY4NX
--- a/checks/mumble/peer_1/peer_1_test_cert
+++ b/checks/mumble/peer_1/peer_1_test_cert
@@ -0,0 +1,22 @@
 -----BEGIN CERTIFICATE-----
 MIIDazCCAlOgAwIBAgIUCUjfNkF0CDhTKbO3nNczcsCW4qEwDQYJKoZIhvcNAQEL
 BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
 GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yNDA2MjcwOTM2NDZaFw0yNDA3
 MjcwOTM2NDZaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw
 HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEB
 AQUAA4IBDwAwggEKAoIBAQDCcdZEJvXJIeOKO5pF5XUFvUeJtCCiwfWvWS662bxc
 R/5MZucRLqfTNYo9aBv4NITw5kxZsTaaubmS4zSGQoTEAVzqzVdi3a/gNvsdVLb+
 7CivpmweLllX/OGsTL0kHPEI+74AYiTBjXfdWV1Y5T1tuwc3G8ATrguQ33Uo5vvF
 vcqsbTKcRZC0pB9O/nn4q03GsRdvlpaKakIhjMpRG/uZ3u7wtbyZ+WqjsjxZNfnY
 aMyPoaipFqX1v+L7GKlOj2NpyEZFVVwa2ZqhVSYXyDfpAWQFznwKGzD5mjtcyKym
 gnv/5LwrpH4Xj+JMt48hN+rPnu5vfXT8Y4KnID30OQW7AgMBAAGjUzBRMB0GA1Ud
 DgQWBBQBBO8Wp975pAGioMjkaxANAVInfzAfBgNVHSMEGDAWgBQBBO8Wp975pAGi
 oMjkaxANAVInfzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAg
 F40MszTZXpR/A1z9B1CcXH47tNK67f8bCMR2dhvXODbpatwSihyxhQjtLb5R6kYH
 5Yq/B4yrh303j0CXaobCQ4nQH7zI7fhViww+TzW7vDhgM7ueEyyXrqCXt6JY8avg
 TuvIRtJSeWSQJ5aLNaYqmiwMf/tj9W3BMDpctGyLqu1WTSrbpYa9mA5Vudud70Yz
 DgZ/aqHilB07cVNqzVYZzRZ56WJlTjGzVevRgnHZqPiZNVrU13H6gtWa3r8aV4Gj
 i4F663eRAttj166cRgfl1QqpSG2IprNyV9UfuS2LlUaVNT3y0idawiJ4HhaA8pGB
 ZqMUUkA4DSucb6xxEcTK
 -----END CERTIFICATE-----
--- a/checks/mumble/peer_1/peer_1_test_key
+++ b/checks/mumble/peer_1/peer_1_test_key
@@ -0,0 +1,28 @@
 -----BEGIN PRIVATE KEY-----
 MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDCcdZEJvXJIeOK
 O5pF5XUFvUeJtCCiwfWvWS662bxcR/5MZucRLqfTNYo9aBv4NITw5kxZsTaaubmS
 4zSGQoTEAVzqzVdi3a/gNvsdVLb+7CivpmweLllX/OGsTL0kHPEI+74AYiTBjXfd
 WV1Y5T1tuwc3G8ATrguQ33Uo5vvFvcqsbTKcRZC0pB9O/nn4q03GsRdvlpaKakIh
 jMpRG/uZ3u7wtbyZ+WqjsjxZNfnYaMyPoaipFqX1v+L7GKlOj2NpyEZFVVwa2Zqh
 VSYXyDfpAWQFznwKGzD5mjtcyKymgnv/5LwrpH4Xj+JMt48hN+rPnu5vfXT8Y4Kn
 ID30OQW7AgMBAAECggEAGVKn+/Iy+kG+l2cRvV6XseqnoWhjA69M5swviMgIfuAl
 Xx/boeI4mwoS+dJQKi/0zEbB1MB+gwIDB/0s/vs0vS4MQswBQG/skr+2TmiU+Hgb
 CF0dIYUZv5rAbScFTumx/mCCqxwc+1QIMzyLKqOYL203EFc92ZJGEVT4th321haZ
 8Wd+dllcYAb7BbEeBhCrTqRe9T3zt5reZgtZTquTF5hGm8EAyBp6rLjZK7dyZ9dd
 gyIsDbWgPC9vkRc6x/eANn70hgDbYOuoXwAP/qIFnWLL1Zzy8LKUyOsSgQ91S3S3
 Il4Lt6lEyU3+61MsCYss7jDoP/7REEjz5h6gfxlFSQKBgQD9u8nhHuwte4/d9VNU
 rhSBW9h8IJzwPif/eS8vh9VaS2SjR2dDCcHg6rGYKnexeEzUcx56aQMA+p3nRJwy
 Uwnx5BfEWs9FO6yPR8VEI0a2sBp+hoWKJX/Lvat+QCs6IFuGmlQpczD7/RYAkhG4
 mwyt/ymqzjukb9mFaeYIltOfPwKBgQDELnkH1ChTUH5u3HgDoelFbzR18okz6dxH
 urMbfZMAl8W5h2zAvHsAX5qxyHHankOUsiH2y3BrAgqQtTuIA2a5W7j+yHBkYiEZ
 EUNeI9YNA0KU+wwZpVVvRGUsRB5SUBo5LlcSYmX/V32f0oU5Np44i0vjl3Ju8esx
 2MLfj1A2hQKBgQDCxtZZZ0h8Pb8Z7wpSFfQNvXi5CLwQvFYuClQLk6VXVErkAJsn
 XiUjyGYeXnNVm/i2mcyKwXQZ20k90HBrPU2ED8mi5Ob5ya5Uqw6mmMHe2d7sw81d
 WB37RBWSrCXC0DYSZQQ4cYHn3sd2Fqtd4EBijV7qDLjCKU582OdKLqYzNwKBgH31
 UKQkJZgIkIThbPT4GewI0GgCRvFb76DmUGUQJTg2Oi86siq1WUwOFiabie5RuxZX
 oNLyH8W008/BbO2RMX1FVOvRCciJ8LJFkTl6TM6iDzfUUBqPOuFryoG3Yrh60btw
 81rMbqyZIgFhi0QGu2OWnC0Oadyt2tJwV/5t55R5AoGBAPspZttDmOzVkAJDSn9Z
 iByYt1KmwBQ6l7LpFg33a7ds9zWqW4+i6r0PzXvSewf/z69L0cAywSk5CaJJjDso
 dTlNMqwux01wd6V+nQGR871xnsOg+qzgJ565TJZelWgRmNRUooi4DMp5POJA33xp
 rqAISUfW0w2S+q7/5Lm0QiJE
 -----END PRIVATE KEY-----
--- a/checks/mumble/peer_2/peer_2_test_cert
+++ b/checks/mumble/peer_2/peer_2_test_cert
@@ -0,0 +1,22 @@
 -----BEGIN CERTIFICATE-----
 MIIDazCCAlOgAwIBAgIUfENbTtH5nr7giuawwQpDYqUpWJswDQYJKoZIhvcNAQEL
 BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
 GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yNDA2MjcwOTQxNDNaFw0yNDA3
 MjcwOTQxNDNaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw
 HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEB
 AQUAA4IBDwAwggEKAoIBAQCfP6cZhCs9jOnWqyQP12vrOOxlBrWofYZFf9amUA24
 AfE7oGcSfkylanmkxzvGqQkhgLAvkHZj/GEvHujKyy8PgcEGP+pwmsfWNQMvU0Dz
 j3syjWOTi3eIC/3DoUnHlWCT2qCil/bjqxgU1l7fO/OXUlq5kyvIjln7Za4sUHun
 ixe/m96Er6l8a4Mh2pxh2C5pkLCvulkQhjjGG+R6MccH8wwQwmLg5oVBkFEZrnRE
 pnRKBI0DvA+wk1aJFAPOI4d8Q5T7o/MyxH3f8TYGHqbeMQFCKwusnlWPRtrNdaIc
 gaLvSpR0LVlroXGu8tYmRpvHPByoKGDbgVvO0Bwx8fmRAgMBAAGjUzBRMB0GA1Ud
 DgQWBBR7r+mQWNUZ0TpQNwrwjgxgngvOjTAfBgNVHSMEGDAWgBR7r+mQWNUZ0TpQ
 NwrwjgxgngvOjTAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCO
 7B4s6uQEGE8jg3CQgy76oU/D8sazGcP8+/E4JLHSc0Nj49w4ztSpkOVk2HyEtzbm
 uR3TreIw+SfqpbiOI/ivVNDbEBsb/vEeq7qPzDH1Bi72plHZNRVhNGGV5rd7ibga
 TkfXHKPM9yt8ffffHHiu1ROvb8gg2B6JbQwboU4hvvmmorW7onyTFSYEzZVdNSpv
 pUtKPldxYjTnLlbsJdXC4xyCC4PrJt2CC0n0jsWfICJ77LMxIxTODh8oZNjbPg6r
 RdI7U/DsD+R072DjbIcrivvigotJM+jihzz5inZwbO8o0WQOHAbJLIG3C3BnRW3A
 Ek4u3+HXZMl5a0LGJ76u
 -----END CERTIFICATE-----
--- a/checks/mumble/peer_2/peer_2_test_key
+++ b/checks/mumble/peer_2/peer_2_test_key
@@ -0,0 +1,28 @@
 -----BEGIN PRIVATE KEY-----
 MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCfP6cZhCs9jOnW
 qyQP12vrOOxlBrWofYZFf9amUA24AfE7oGcSfkylanmkxzvGqQkhgLAvkHZj/GEv
 HujKyy8PgcEGP+pwmsfWNQMvU0Dzj3syjWOTi3eIC/3DoUnHlWCT2qCil/bjqxgU
 1l7fO/OXUlq5kyvIjln7Za4sUHunixe/m96Er6l8a4Mh2pxh2C5pkLCvulkQhjjG
 G+R6MccH8wwQwmLg5oVBkFEZrnREpnRKBI0DvA+wk1aJFAPOI4d8Q5T7o/MyxH3f
 8TYGHqbeMQFCKwusnlWPRtrNdaIcgaLvSpR0LVlroXGu8tYmRpvHPByoKGDbgVvO
 0Bwx8fmRAgMBAAECggEACAkjOnNj5zA0IIP0RuRc6rqtmw9ynTTwUJN51lyVxKI8
 dQDMEq/S2En+J2VyS7z92/XtbgkBIFx83u7VWl5UWpj2j4UsJFB7IwD7zyiJT4D+
 +3cM/kX8Wx4XyQZbfbm47N0MXAgFCkn45hxHH0acLReXwmN9wxoDyl7AIjZRdwvG
 Qq0rnOnIc8kkkew7L6AiFwQS8b77eyzua3d6moKXN9hU/kfiJ6YUFG/WLe0pmQA1
 HbF27YghfeLnYUt50oDuX6jF6CzQhflchWVq/wn8/cxEpg/RMicWE8ulrTk7o27l
 JwCrHrhYEBsPuZO4mxX/DHrAMmhTeFjLaV5bQlz0PQKBgQDgRPSOEixYnKz9iPs/
 EDTlji5LA3Rm6TytRCNsjYY6Trw60KcvYqwyDUCiEjruvOQ9mqgBiQm1VHSalrG3
 RcbVfpEMouyZbEwmTjS8KdOi5x4Z6AX+4yWDN31jX3b8sktgbxV/HRdg3sA3q7MJ
 vExTUuoXg57W+FepIZ+XlhSoQwKBgQC1x6UMAlAeW45/yUUm/LFRcCgb/bdCQx+e
 hSb8w3jdvVoNWgx1j7RsjjFKaZUnseK3qQvVfCm4Qjvlz6MpKDxslaUYuR162Ku0
 e153z/xc7XRoXyPyPLdGZFlWii30jirB7ZqPdyz6mwlWwqdImNerbUqdFt9R8bId
 pYsyHB5zmwKBgBjYCq9iW/9E+/TqI8sMpI95fK9app5v4AThs3rnAqOa7Ucmrh6V
 s7Wnui06D8U6r54Tb+EbqTOpM3Gcl/tRg4FLEA5yTfuA/76Ok1D04Tj+mVsNVPyz
 dQhgMUe835WGusroA12df2V/x5NjNeYyMdJZMQ2ByyrNQAjAbMmCGq+5AoGBAIj8
 ERFysMOfxUvg9b7CkDFJrsAhOzew86P2vYGfIHchGTqUkG0LRTDFGrnzxNXsBGjY
 +DUB40Kajx7IkTETxC0jvA1ceq23l/VjPrZVQt0YiC+a+rCyNn7SYkyHxsfTVr9b
 ea0BZyDXMntyJrPbkjL6Ik8tDE9pLwuOU84ISJ5fAoGAZ2+Ams/VhdZj/wpRpMky
 K4jtS4nzbCmJzzTa6vdVV7Kjer5kFxSFFqMrS/FtJ/RxHeHvxdze9dfGu9jIdTKK
 vSzbyQdHFfZgRkmAKfcoN9u567z7Oc74AQ9UgFEGdEVFQUbfWOevmr8KIPt8nDQK
 J9HuVfILi1kH0jzDd/64TvA=
 -----END PRIVATE KEY-----
--- a/checks/mumble/sops/machines/peer1/key.json
+++ b/checks/mumble/sops/machines/peer1/key.json
@@ -0,0 +1,6 @@
 [
  {
    "publickey": "age1987metkajgdefk0sfhjqjjtczy9eu2lsg700rwcac6hhy2alhdsshjmpw8",
    "type": "age"
  }
 ]
--- a/checks/mumble/sops/machines/peer2/key.json
+++ b/checks/mumble/sops/machines/peer2/key.json
@@ -0,0 +1,6 @@
 [
  {
    "publickey": "age1fndalxxeduekn5s8q3znl73vjfx2n8kydylyrc2j3aurc93pypvs6pcql4",
    "type": "age"
  }
 ]
--- a/checks/mumble/sops/secrets/peer1-age.key/secret
+++ b/checks/mumble/sops/secrets/peer1-age.key/secret
@@ -0,0 +1,15 @@
 {
 	"data": "ENC[AES256_GCM,data:TfEsytctWPCLuo/icbicgRfy7O/txYCllTiLiUlusagGShZyXyIR46TNL9E4XWI2Lce9hIn8zczOdUWaEFPuXcvRMMMWILY3DzI=,iv:zDdq0rdYz/KIwKvIiu9MvKyX9v1pWYxZG3F/7KllBa0=,tag:mTPJGmJ+tKrgYaCZXJ37Nw==,type:str]",
 	"sops": {
 		"age": [
 			{
 				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2MmFpbUJuNzRnNGRlQXcy\naEhRanpHbjZpbFZxVkZ2TXFJWk8xYm9lYmlVCmVhRFdDZyt4SjJick1CdnZseWx1\nMGdvaTBYekdBeFUyaHEvTzNJVVM4TncKLS0tIG8rZ1kyTFJTRndQNFVXOC9OTTc5\nZHZGVW1FTzlLQ0RRcjNWeEpVWmVKMDgK7UDm509nexdHqG2xU8CBDZkRStjQIAAN\nDmOz5A8uWpIiyvU2LdOBcc/FQKHaXjB7OAmfT03nJccOeqSF2N3N3g==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2025-04-16T16:40:26Z",
 		"mac": "ENC[AES256_GCM,data:5Qe20lbqERvSM5fDY9Orhrtv2U6zholh6uHMq0CqV1OOg+vVWSlqTqJrtz2rD/qQTUECRKzWUHB1D/kgLrJ33lRoEMqrhjmvBfxtDnNjLzoYITlLcYOm9qiv3gOqcrpdBKW10YyNlGP/+Q377Lfbo8tcZ8nmuaT8qA9PYr+AKcs=,iv:IIJEFAvoX9SY3jvkD0xVe1/L6iRPMyzmxeRmpGvZI0I=,tag:1D3BBUjj1suNeL+mVYDiKw==,type:str]",
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.10.1"
 	}
 }
--- a/checks/mumble/sops/secrets/peer1-age.key/users/admin
+++ b/checks/mumble/sops/secrets/peer1-age.key/users/admin
@@ -0,0 +1 @@
 ../../../users/admin
--- a/checks/mumble/sops/secrets/peer2-age.key/secret
+++ b/checks/mumble/sops/secrets/peer2-age.key/secret
@@ -0,0 +1,15 @@
 {
 	"data": "ENC[AES256_GCM,data:NI9y5OdFkBgHf+wfn+ISDL11nh/ud+1RV5SPC64TV4Hvg0w8GKkmjJI5uiGDGI1+FfWwnHWOFexavtM2ZJr/cWfhA6dGKvzrKJc=,iv:itiZFGsGEZD/SH42akh1CLCDbuZxMSj05quMNKwvKg4=,tag:v36FGDDHIuFaABHG9we6ag==,type:str]",
 	"sops": {
 		"age": [
 			{
 				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByUVVJek9Ha2ljMkt4U2pi\nSmRRd2g2R0VXZGlySG5TT1E1czFpaWFyNlFjCmRJOThCQWlCNDZnRVRFVHpSTzBW\nOWZCUU5jK2dGQTloOEZMUFFVdk04cXMKLS0tIDVzSTdXRk1UZ3psd29kdnVUcitM\nbFlqb0srUGFCVUhlNzU1dUdTTUkwN0UKAIslz1WCMZWrE+aLPJjeM+wZSXMmwnqx\nyRZT5vVzCPWv2r8sbIjhi1rFbkfF+NXHkzNZD9NS4zddwsDsz5HO1g==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2025-04-16T16:40:48Z",
 		"mac": "ENC[AES256_GCM,data:2iDDnVdLPWxYcjdZrDlTb8PzPVOPEZ06QXCFvnZ2gf8ioXPiSY69ZAHRHTGpqCEp5Ve7qTIELbNja2TGU0ONLIcIRWyzqgc4q+G3n2V5fYQURW114pzaK0Ct6r6yR9oZQy8H66uEYQafkyuN2R9++3w5G0LGj8UovPcYQqNEQVo=,iv:TkCAdIgjRpZpsnhhvTfMqGVD/IveFyobYa9SExFWcC4=,tag:4RLhumGqeLT15waqHT0mRg==,type:str]",
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.10.1"
 	}
 }
--- a/checks/mumble/sops/secrets/peer2-age.key/users/admin
+++ b/checks/mumble/sops/secrets/peer2-age.key/users/admin
@@ -0,0 +1 @@
 ../../../users/admin
--- a/nixosModules/clanCore/machine-id/tests/sops/users/admin/key.json
+++ b/nixosModules/clanCore/machine-id/tests/sops/users/admin/key.json
--- a/checks/mumble/vars/per-machine/peer1/mumble/mumble-cert/value
+++ b/checks/mumble/vars/per-machine/peer1/mumble/mumble-cert/value
@@ -0,0 +1,21 @@
 -----BEGIN CERTIFICATE-----
 MIIDfzCCAmegAwIBAgIUH9AKYdV75FHHBcR4mgfTZB/7eEcwDQYJKoZIhvcNAQEL
 BQAwaDELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcM
 DVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBENsYW4xDTALBgNVBAsMBENsYW4xDjAM
 BgNVBAMMBXBlZXIxMB4XDTI1MDQxNjE2NDAzN1oXDTI1MDUxNjE2NDAzN1owaDEL
 MAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBG
 cmFuY2lzY28xDTALBgNVBAoMBENsYW4xDTALBgNVBAsMBENsYW4xDjAMBgNVBAMM
 BXBlZXIxMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA80mo3OFSaW8F
 Ni/W7WZ70bJoGGFPFK17kiRgPu6+ghDiinmzlAQOt8A/u+egl4FsvT9Oz99TjCN1
 zkK3I74ItKmumpGKGPp92bpm62vQZa4g861xKqLlcbOwJwcfofwa8r4PhhjDhdXS
 k9vsgiwy0N5FEga79QbDEO/qwSvY+O8yKNG+lNXeOetymKvVbudL8A0je150vmpg
 oYfYjH57Oa7DpGaIrOpbZsmaBlYHD5dhfJbuX0Gxuq42gkfcBtxv3NbY0NoPVZFV
 jOvhVPyV9Xme/3JAQUSti+Fd2ZfJ+Ayl90ElA5wk25T1JBEEnMYQlQVBqPawX87C
 i1EtOysfxQIDAQABoyEwHzAdBgNVHQ4EFgQUFtjyWNCF1Yxd8ymIZ4kE9fXMY5Yw
 DQYJKoZIhvcNAQELBQADggEBAAHiQcWDvZjN2VTaWY2cQMYy3m8wkdoJTR20uV2z
 MpjY4KwCiMzTtsFe2LhiYMYFETwqHpG+B6ElOghh/+F8l96vQRbcVI9I3XTKs0G4
 +zdUtMOyB2XZumB4HBQa3PiXXrA4kAGJV88y5QC4UkZMw6SfwjW8OrtQ5Jim4vUB
 PZxY75ZIjw4JhknTqKNua7xehY4TBghRrGZAlD4eon7Yc5bIew6Gw5LHIoszOZgk
 9CFEo1XLN5z8aL9L+V8dh2DNNqF4KiXCRNgwqLmLoepL2Xptd90AOZsBI9mGxMP9
 YUPsnzcGqcat1x6Fi2Guw++ESDxUp6qKjMGAxPzSXje/TiM=
 -----END CERTIFICATE-----
--- a/checks/mumble/vars/per-machine/peer1/mumble/mumble-key/machines/peer1
+++ b/checks/mumble/vars/per-machine/peer1/mumble/mumble-key/machines/peer1
@@ -0,0 +1 @@
 ../../../../../../sops/machines/peer1
--- a/checks/mumble/vars/per-machine/peer1/mumble/mumble-key/secret
+++ b/checks/mumble/vars/per-machine/peer1/mumble/mumble-key/secret
@@ -0,0 +1,19 @@
 {
 	"data": "ENC[AES256_GCM,data:IyVffgpj8MSp2pKoic3+UMYBbeu6Fo/BGslSNQpNoURuulqSze7AZPXry/PnXEWAEvoqkfUURAq8kZdWxu5Go6N8YSkd6/sVOScw2Osa3v/qh9ysEPCuoIwYY1/h9IfUmzNM8Q3hgF4BXhb5D1F2cFQ0fZM8dQU1jn8J0DTfwXlR9ALgWRoCCAXHQxBBc1SYRMlnXbbCACfRxkJHGAtQbwwzsGo/as/Ng+YVUiXdQyLJUv3hwGax793pyX8YKQl+Bu1G3+qZJGlL3lkjL5T/7HIIs81YN9XgsT7G9kvMmR4tJWpHCHGHxU9aofSHSTxUX1lil7GUsR6xSefFEIgbZaQ27KUXwKrlZ8dQKJZIwCiUczkMtrdwBZlKkzqlD+Hi5yGSSUsIQ+lvjeR74UwPXOX/HtvGA+mEgcTSO48FCWmU7ymjvTXyoVf9ui75IZjRyHKfpM8WlFHS+lXCSEN+B6HHHMIEeo1nOpKk6e2qRd28oJHwzoqlms63YFEbPd4d2DTGNVAtO3nhXe4+5IqzvR1DZHoNQO7AiDDAJiz5DKPoOkq/u7FEBVewKQWgZyvt09vC0X+1kxqXeeOXmJILLuRngri5BKLS3YR3hgmKbN31G4KIQm3lJUoE6F0c0Opu5lAJZStwMQcwmflrXdlwYsuzMfc48wcWQYtKenuG+r5DzR0je6iwxaru3XWf/aqUnga700+rFMz5dUVOy8IlJYmpd2hdpjwriTcJyV4KwplWzdjhnb7csjrzgAiHJ5iF2MHzfVgVGje0pk6An2+iUEqoh+fmFRVlA9ZZ923Ksxl+iYRn+29Cde/JgdZu5EywDHHs3yHjfbMnFvoXuAOJ/2TX3cA95DjD2+OGvd78jKExF+Q9rda5IdU6kb93QKVf+OyOSNpTdQhKnJRusou5Q255PqoTguiJIMDoH00qGA2y5k/5q49wl9Xq5jNiU70fyaygoPOfxbghfIeIjT0z2/awaXoUW33jAqXylxY0gTTTNPZI7w4d6hRqixgU27dyCkdAQfN+bnCe6ExXSLczmZf8UfGegjRm4lyKOKgX/QLLgRwStB6BBHGn+a+8NrAH9DFgpof4fJ74LN7Vx5oQTIGbQTvSkjGy4VOez0ajmqjQI516XrBvFbLfAnYA1jGaR0ZRkD6ALISdwFhjlycAc2tAffv9F9WKsrVKWvCU3pqGV0OmWtk5chqWrfvrFY7tj0aVZUUHZBBynksiUx/8Tt5unS3OUap86FiPUknvh5lPEPZqrZc/TNiCN+8oLFAtkOXyEnFSJjZSOB/vLcd+lMkWhcGa+usvE1hGZEaiTOXsN9IOihjcZjcR2YYHR0LlkFxzzlN9ILllt7W1cgKApCovZVmtJuU3fCwjOocP1iBeAFNQfzgJ+6gMqXN8oufCrw7g4v8Y0hNjjEJEriufO+qLIg3nHivcgwy4Cp/fL9wof9UFsaKl2okbP66im7BuDcO/x8ZQ+lk9OjWPSHFJTAPScgiwPchwn74aaHiihjhocyWQ2uVzKn9JkBFkMcoUlAz7xwUFBW7AYvVS/dFQA0xF1l4aki7JdoK6L1JptEu1KpbQ2UHLoIp+W0jFB2MRnSDOEtUHMR9af/vHtgV4xoZoCCHDz/PAlK74C2wK20LO1FoQJdch2/IO6bGiAj832wrLKDp4T2VPooS/hqd6U0Jmvtvcv0vdKbewCDgbfMH3lcydwXl4eQh5lDE8Fm+HXo2Zt8lvqRexeqzyIvGy1P/ndx21uxuacTkp3yi2qTHrdy3IkGMIHTZtfQATRgbxMEpUwHyk2hr08RNqlitbHzgor2+Gn6J/DaLuzvfaFl4p5npjNJ5dGjQqjj5VEz/L16VDeBLL7b9BKorqb7LvZUlqVcCYBcd7S7mHUHT4GhlLaEb67PxA6eJbhdVtyB8o7sTE3tGY8OdBg0ClJB2cEJHS1SqQRS+GdIhuWwZS+Go7YCx9EnnqezMMuEK4lfB+LCGaVDj32XNVtaBhDvdxPuBN5QFgjbWMIOGFV8O3l9dTrlDDwYpmFANG0Wz0pjOzX4CL4LXxNSu9k2SSdPw4iKoe/7Rl3yxVsKhrLOQPW3M6Hc/vULNBMvZxRH32zPE4qKo9SD+h6rwBrC9JiwrWdLJQHtu6Yk8GT5agQNCVC1pogvHVvB7+15UdZ7yjyhUONGOfIHDB2peYame3gF0Nce3dbzqUUE5tNuD4FyKkYZbGNr9WDD9nX1i/7EboDnFh2x6pAU+MRl4oyW0dtHiiTnIR6bE=,iv:IZYhje9AgGRe0gQcodG/PQAaRBipBC/7F8qAkG35cxc=,tag:jpXpm1eghy/668gT0bmqMA==,type:str]",
 	"sops": {
 		"age": [
 			{
 				"recipient": "age1987metkajgdefk0sfhjqjjtczy9eu2lsg700rwcac6hhy2alhdsshjmpw8",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3MDdhSTZMbXlSdDVNVVZU\ndkFyVVI0eDhOUHZRU2FFalVNR3g5dUY5T25FCnl0aXpZRVpaR1hvdm5kSHplOE0x\nckloNFF3OVhNTnAxY2ZpZjNFV3plVXMKLS0tIG4yU0w2c1VGbDVCTUhYbjVrMXhr\nb0dpUnp2YUFWSERSRTVVK3g0WTNKWE0KpUfYS71F/1J1G38/ymd/+bWhABmze1GC\nehgSMymmVdsq+ZjHdJ1XcCyecsn/9aFcaZkEbASiLU8ecLNQOEGgRQ==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWeXBUOU13M2VvZVNBNUZW\nMy9VV1dMV1FlQU9qekhZWitwb3JISTFwdENBCnB5ZHpNK29DRHBoZ2M4dEJ6UVpq\nWHFOM1lYS0ROQ2NpSTNUdkZqUkorWGsKLS0tIDhaalVJNE1oU0N3WUtodnlsQWla\nUTVmTnhPTHVCWXUyK1ZESGR1Ym5CMXcK3YqyKO/FTdxcxVy5zBGg+JCOWMBOxqd2\n9+FgUJaYaizGy+HLpP5jgtjgz7k504yqEQCo9aQ1CzbvNHom5tAu7A==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2025-04-16T16:40:41Z",
 		"mac": "ENC[AES256_GCM,data:R8fWg7Vwq2mnjbTTtyYuLWwrmB6TZYZVx9xPcO5NOvGAABNIxtAVSe9yTpV25OlJiXruTNhPHDxfjwDW8Nad47Sd9fV9QzH36uygT9DOaVrrOD/TH5ojvpCuognofuJ8YHgUsq+yhiQs0QKi5efUrtRVDcXXr8s/UazyuG3vYzk=,iv:eBpSr8GKvG51govZWtqTVMWsWZDctDQ2vVgMm/jq62U=,tag:Yth78awXPAPa/7J+WxTDug==,type:str]",
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.10.1"
 	}
 }
--- a/checks/mumble/vars/per-machine/peer1/mumble/mumble-key/users/admin
+++ b/checks/mumble/vars/per-machine/peer1/mumble/mumble-key/users/admin
@@ -0,0 +1 @@
 ../../../../../../sops/users/admin
--- a/checks/mumble/vars/per-machine/peer2/mumble/mumble-cert/value
+++ b/checks/mumble/vars/per-machine/peer2/mumble/mumble-cert/value
@@ -0,0 +1,21 @@
 -----BEGIN CERTIFICATE-----
 MIIDfzCCAmegAwIBAgIUYuUk46fwZ4CBcJ40NWnT9VDIEPUwDQYJKoZIhvcNAQEL
 BQAwaDELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcM
 DVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBENsYW4xDTALBgNVBAsMBENsYW4xDjAM
 BgNVBAMMBXBlZXIyMB4XDTI1MDQxNjE2NDA1OVoXDTI1MDUxNjE2NDA1OVowaDEL
 MAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBG
 cmFuY2lzY28xDTALBgNVBAoMBENsYW4xDTALBgNVBAsMBENsYW4xDjAMBgNVBAMM
 BXBlZXIyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA45nKnn0r3HwU
 qqSRuOXbou8zpdf+5i+e1h7pmunXR7WPxPBP09t6i+99BO27GcID59zGMquabpNS
 dFhj+p+KZkqN+4sokZmyBU1civQqiwX2n5KtoaG0fU3gFFK6pfx3OQawQ6mJ50GU
 HhA2R3CuA0rXcssr6oPynj9z6pbaL7mKckOWE804xIWZuMEoWNdQEKmUmE5d1ioa
 edlblzwhqZSS+zAAeUvmb+YUEL6T54lCYYqPPnmwmiwfYFSBGu/SGyFtIijbCuIZ
 TJMDzzutx1/3Dsv2pOKC0uPb5qRcmdRePAzgBFSna4MNgfbpGHFkGPJgjiue0VIC
 qyedlpF5UQIDAQABoyEwHzAdBgNVHQ4EFgQUuIeLdxGVyhFbgFRtFbPIIJWw1R0w
 DQYJKoZIhvcNAQELBQADggEBAFj26XejazrXOfa67o8vGoZrR2TGXOLFWFeplO8B
 29AruG9poH+sInyxYo1RWAQLQMfDud/yGg73EeYylULbG1bBznKYLLHdvy4l6eXt
 SEVkEMruH0Kw93zt+NqvSO3bHCX+la1rjizyDcD4iu93xUg2uPSBmVpVpW/aeBCN
 3eF4FbBocUexmIWaygmMPY5yFY2tAf+OinBf4uSWcKEpFikIqAxQWRSDMWm8xFwY
 CG7rhfpwDauagpZtkjKkrrRedhdfGiXbxOVtYlBULuUMOggEI+ElpbD0UhyEYCsD
 XoJn7AOC0sYCGpj2F1ESwFX/5EhyciLjMuVwohFVcyWWg+Q=
 -----END CERTIFICATE-----
--- a/checks/mumble/vars/per-machine/peer2/mumble/mumble-key/machines/peer2
+++ b/checks/mumble/vars/per-machine/peer2/mumble/mumble-key/machines/peer2
@@ -0,0 +1 @@
 ../../../../../../sops/machines/peer2
--- a/checks/mumble/vars/per-machine/peer2/mumble/mumble-key/secret
+++ b/checks/mumble/vars/per-machine/peer2/mumble/mumble-key/secret
@@ -0,0 +1,19 @@
 {
 	"data": "ENC[AES256_GCM,data:LX0ZXli/xtlyI8JLDyQz2p69eKz3gMQLn/PwJh4GB1tgQ75Ei+zQyetnCKkzrm+xGDZjLgm3QXft8VyNqhxf/7a1konP9IHfZH1j1wn/1ELFyTR2IKQzIdsiilP67+nZeLFIS4wBfEMS4hGoOIVXIqohDYkryDkvoYqHOw2U5HVDf3GlqeaEfKM8zJMZgGUYAoLCJEEWmBSSYrT/jH5hVxVgd1qE+5JmhV1Uah7TWW2HX+XDpU4aeV3zQWyWZNTHDXtgnEUBb4nFsvWGrGUrB9A8FEoZFOC1jJj8NLU/aOZ8EvDkI0Us6nw8leQwwox9O9PY8MDAAlPVsTe5+vcP/svpu+P3Gor/MrJzsk1IKalIdUiSYFego3FyyQonfXdQs8oO+ufF4nkMo+BRPvXwPUGwHjyCVaL5nYtgnV4VCSBoGY612Tmc86ihJW4mUzA5ghjUTWwduDSfoWI5H0JO5TabJnMPkPcIBSms46lhCCNMSY8WvtqcGz1mUgLTjQ+fhHt4Ci/K+VCiQNjjFH5tEq6P4bhYnG1+U5rAFRIyXg+m2Z/JONKkSiVVs/0u6yzKFAji6/osqhLkFZCqpCuk2OhVtsn2Bg1ko7WjuQAZHEgh6WSmsK6nyDfGpLSdfBBRscevPA3QsE3tTwO8/i5pxaGIm7BxH6OJcbv3x/r7+8TX52orgtSO/ODiOn+ylRDUwbnTVqB8pkM6+moLDRmpmCK87a5CETfPJ/7u7bEAmcbAH5LsmBL5T8tqLpGOnCkj4ZozZ6sv8qAFxR3vmmWvpkCtJYKml9Hsqww0Laytgj76TO8xMuQSwRPgbkXRr6QaF+o1EwEW6fArb/wtsUUJSDBdv2K6UpyPwITSEQk2z0o3Cr6Y9luYlGXKmpegQWcjcBxUVWd06V21IFHTT/WM4joEBsliVAAlJBcyjYj3Sq9onxiXOHVgmNFzQpxTlSoaqVCuVLegHB8E5ipyrDtaw4gl6l3pNKdNCyILJtk226rOZpZZ/wBMs2FWUyosrlBe46oa7XynkCzPbItivxpZwqN5nPjOFQi/QXzN9i2iDCXZvoNnFKG0B/fSKb3Dho5cpqhhxUIu1AttcTj9YNx6lsw5ZGkdaLyomqIB4rRFVj9U98cY/lEP4Hgn2kl71bhloIu1R/1qxZXuk7KAC7QJ5Nk773Pb7oHVfWwaQxFmcTR2IEQm5SuXvyxWUVWpH9kuTgwhXPypJRuob3IJX2Nrm4kRKdL8U5HH/UWYhXTFcOMrbqY0b/iFAhxu/qQYvCVOSZrV43elCI70e0PGaIM9c+ifL7EZw+uHlJP6lWgtqqmbjR+K+7ZmXjVAq6KngRGetIlkjC60aMiFmqTZ1f1RADLQyEUHKbLT6YqePU698vHM+zTr+38HLOMxz80/EpC0L0qvdsMY9DXUIHow2/sffGFbWto5Jh2KcWQoSB2dMeQCOeZT45qaCwwE9ZG5sZJTWJvWgjsTegHDvlnv7LzlFOYyfWSr708v+twz/eI0Z1PmCZq8f6iN0T0fA7ncbPjp22ebg+YztDPEO1F+ThtvOrvz4ptVUr5Riywwf1aL6qGYUGZ/epOfaHosnf29l71e3xQD3Ry9DB7DEJXNGmrmF7AF1aEJXsvFSnqNa0A3pkP56cK+SfhEQbaFA7pJWqSnNqRuZR+60ItKQ/plimZRhPobKYb8bjJ0CyFtAf6fez1Q8XC/YohMNi3vZ1sdkmQ+O0CCV72sS7jRpSJOc6zG2KB4zL9JllxThNAXBvB+4rHoowG5ltCw2xm/eTQSdUivCkT67EocjS8RjucLfYvc2aH9+tLaIkwFUYsNKkd+JpNlmD6E6fp229YJ3908JrksYCRc//MQhaDMaig1Bc7JPTGqHlHZFtHhbrGIHPoRMLL6djRKXlPndQ/ZGKTca72oBNt4KXO2MQhTYtP08Zgt8E2lpjUhbWnNsyikuVju7UWi0ynT2RPNaRgffoXZtnDVsCYv1yhYnrfoqNOGZpR4GE/rwyQMw3/osNI91l7vKSGIhAQAPnTT77A5xWiVMb0VL4WzokZaWFWL9BGkSIMcbJNkZB1udwrNeqwU7N8WHwQKGuBSg1YOd9wE0A8GmNNuBo0Qjo4QCGs0Q/GAvrczppinbNkABSgW570/i+Ep7UOJ83Zcv7XhxoHdlsdmpweGIpOdjC4WMfYlNRwVJ2eg7qhvuFOzuvSZBMCmPpC/gkjYgD9FjsH1rzgxbcOvkkUzxHQImiYHxYd6h7ZqqGD7XINy1oSPJEaK,iv:zNaVGK5hNxziOoPTbwaUhUwBuFbCiGNrfVMpeMxL3JI=,tag:6v8Hf4Symd1T16MOEChtcA==,type:str]",
 	"sops": {
 		"age": [
 			{
 				"recipient": "age1fndalxxeduekn5s8q3znl73vjfx2n8kydylyrc2j3aurc93pypvs6pcql4",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1VGVjRkdJOGx3c05YM28y\nM3dCbkU4TXBHK1VVOFFkY3FQVk0rQVp0d1g0CnZPR3FtUGlCb2lKSVc1Z3VtM0JM\nV1ZtZ3NVVndvak43cStIRWZxWldKSncKLS0tIEdJVHFFTzdaNklLVHdURndGa3Qy\nc2lEZ1hER3dGL0FKNUZrSkxMOXMvOGsKHGJ44Ey6mR3rV6NPPmn/QTsyjL08wCzu\nkUdD0jgSMLwInX5R9Gh9+Zbc9NIfEgSzLr6up6UlgW/4iWvM4oFPRg==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjcHVweTFZenhZZzVDZ2ts\nTnNxNkZLWnVQRmpoa0ZldHpxdWt0Sy9jRVFFClExS2FMM3hiSlRQR2lmb25RTEo0\nRTRGdmxCaXJoeXdNaVU3cGRIRFlibWsKLS0tIFFzVFhCR2hSOStYNk5yNmc5UkZl\nTHdWSUZTZUIyUEp2OFR0SFpzMzFFd0EKlsRWNJjapPefXxyuUtFWlPs/UIC9V1N7\nF7Ek+TAKl11SwGGA2qla1yvnDOxkZvFg7gWsurZeEBH4PuPZ1OE/Yg==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2025-04-16T16:41:03Z",
 		"mac": "ENC[AES256_GCM,data:1DcuXden9WAF3frVjOMgpt0nniqiGEAA4SubPLk86GODEaOXxZSVStX1rr0GCF0t0tR4O4jl4cnRvZHF9Zjj7smA5Wf8jPpbSCrZX4oBo/HP3UU+A78yxSrj4gmoeH4m/aaJv0co77Vwcm/HglE6Q89Oc9BUqE2e4FGVmDUZTws=,iv:OAa2hvuw6aUcp3qKkRpDeLMDcq9Kkn/Bc+86DzV5h5g=,tag:wVrs9oyfaCAv3gZxsxbMPg==,type:str]",
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.10.1"
 	}
 }
--- a/checks/mumble/vars/per-machine/peer2/mumble/mumble-key/users/admin
+++ b/checks/mumble/vars/per-machine/peer2/mumble/mumble-key/users/admin
@@ -0,0 +1 @@
 ../../../../../../sops/users/admin
--- a/checks/mycelium/default.nix
+++ b/checks/mycelium/default.nix
@@ -8,14 +8,15 @@ nixosLib.runTest (
  { ... }:
  {
    imports = [
-      clan-core.modules.nixosTest.clanTest
+      clan-core.modules.nixosVmTest.clanTest
    ];
    hostPkgs = pkgs;
-    name = "service-mycelium";
+    name = "mycelium";
    clan = {
      test.useContainers = false;
      directory = ./.;
      modules."@clan/mycelium" = ../../clanServices/mycelium/default.nix;
@@ -25,7 +26,6 @@ nixosLib.runTest (
        instances = {
          mycelium-test = {
            module.name = "@clan/mycelium";
            module.input = "self";
            roles.peer.machines."server".settings = {
              openFirewall = true;
              addHostedPublicNodes = true;
--- a/checks/syncthing/default.nix
+++ b/checks/syncthing/default.nix
@@ -0,0 +1,87 @@
 {
  pkgs,
  nixosLib,
  clan-core,
  lib,
  ...
 }:
 nixosLib.runTest (
  { ... }:
  {
    imports = [
      clan-core.modules.nixosVmTest.clanTest
    ];
    hostPkgs = pkgs;
    name = "syncthing";
    clan = {
      directory = ./.;
      # TODO: container driver does not support wait_for_file() yet
      test.useContainers = false;
      inventory = {
        machines = lib.genAttrs [
          "introducer"
          "peer1"
          "peer2"
        ] (_: { });
        services = {
          syncthing.default = {
            roles.peer.machines = [
              "peer1"
              "peer2"
            ];
            roles.introducer.machines = [ "introducer" ];
          };
        };
      };
    };
    nodes.introducer = {
      # Doesn't test zerotier!
      services.syncthing.openDefaultPorts = true;
      services.syncthing.settings.folders = {
        "Shared" = {
          enable = true;
          path = "~/Shared";
          versioning = {
            type = "trashcan";
            params = {
              cleanoutDays = "30";
            };
          };
        };
      };
      clan.syncthing.autoAcceptDevices = true;
      clan.syncthing.autoShares = [ "Shared" ];
      # For faster Tests
      systemd.timers.syncthing-auto-accept.timerConfig = {
        OnActiveSec = 1;
        OnUnitActiveSec = 1;
      };
    };
    nodes.peer1 = {
      services.syncthing.openDefaultPorts = true;
    };
    nodes.peer2 = {
      services.syncthing.openDefaultPorts = true;
    };
    testScript = ''
      start_all()
      introducer.wait_for_unit("syncthing")
      peer1.wait_for_unit("syncthing")
      peer2.wait_for_unit("syncthing")
      peer1.execute("ls -la /var/lib/syncthing")
      peer2.execute("ls -la /var/lib/syncthing")
      peer1.wait_for_file("/var/lib/syncthing/Shared")
      peer2.wait_for_file("/var/lib/syncthing/Shared")
      introducer.shutdown()
      peer1.execute("echo hello > /var/lib/syncthing/Shared/hello")
      peer2.wait_for_file("/var/lib/syncthing/Shared/hello")
      out = peer2.succeed("cat /var/lib/syncthing/Shared/hello")
      assert "hello" in out
    '';
  }
 )
--- a/checks/syncthing/sops/machines/introducer/key.json
+++ b/checks/syncthing/sops/machines/introducer/key.json
@@ -0,0 +1,6 @@
 [
  {
    "publickey": "age1wjp0vvvy4d2c0pdrth0kl505rzpz37804swf6rrny9xa208mrg2s0r5m67",
    "type": "age"
  }
 ]
--- a/checks/syncthing/sops/machines/peer1/key.json
+++ b/checks/syncthing/sops/machines/peer1/key.json
@@ -0,0 +1,6 @@
 [
  {
    "publickey": "age14faw2l6rskw2gcv3rrkygmwmrp2ev9yclzq4fh8xf8sjeke8p97sw4dxuq",
    "type": "age"
  }
 ]
--- a/checks/syncthing/sops/machines/peer2/key.json
+++ b/checks/syncthing/sops/machines/peer2/key.json
@@ -0,0 +1,6 @@
 [
  {
    "publickey": "age1dutdww4x48f0e3tzmjlye9n852wx0qqhhcghsrefsq9m8c5flpfs2lxexf",
    "type": "age"
  }
 ]
--- a/checks/syncthing/sops/secrets/introducer-age.key/secret
+++ b/checks/syncthing/sops/secrets/introducer-age.key/secret
@@ -0,0 +1,15 @@
 {
 	"data": "ENC[AES256_GCM,data:f/KzvxsoWQFTSB17lPhe/MThYu4ZjJwvkCxKp7XkLyspFF9Dal4A+H+SY6vPG7yM3+dlE3ZnxjniUeivydDTwwJiWJ6E6XIhnPI=,iv:xat6pYzYV8sfyMKX4OMsr6oSOEOc09DDXGykKKoP14Y=,tag:xMxsIpYv7KrSYvpmvBvSUw==,type:str]",
 	"sops": {
 		"age": [
 			{
 				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArUGdWK1BnNjdCL1l1WlNB\nUEswYm1tYlIxWXltemdlQm1OcmlNbSsvTkdrClpRUjR6TUNUcGtxWWhGdDg5SG84\nSFFiV2p6ZHJwR1VKYW4vVFBHRGFSYTgKLS0tIERJa3hRM28ySHBUME4vTUE1UUFr\nQklDdTBWdWJpdGg0cnR1ZUNWREl6K1EKbRFOr3Rhb2aGnQUHiX+3DzGgrY9C2Dvz\nVlyZ0q6lWtn4qFWPVez03T8QAtLjv2UaGtYTFnyFIWiykhhrWy2PBg==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2025-04-23T07:54:54Z",
 		"mac": "ENC[AES256_GCM,data:LJCCaGNhBgFAKtWYMD6OcXg2FMq1DYDOySIpEY91ILXDUuJSSsuYyQqE6ZvCoThlogHd9inAajsW0GbzYpSflu/WyrqlQsNJSMFkBFBQh/FIjd18GUtZ4flHWRfHqAk/xM/g+n7iOgKMvaBrG1MG1DplLRfk/8ehcqlWX4Wxof0=,iv:PrjIiUYkePPXBRGF/Wnqi1ZgA2j4YtzL/uMC5KchfIQ=,tag:yMMrJ7vGt6urz4WfRAyaNg==,type:str]",
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.10.1"
 	}
 }
--- a/checks/syncthing/sops/secrets/introducer-age.key/users/admin
+++ b/checks/syncthing/sops/secrets/introducer-age.key/users/admin
@@ -0,0 +1 @@
 ../../../users/admin
--- a/checks/syncthing/sops/secrets/peer1-age.key/secret
+++ b/checks/syncthing/sops/secrets/peer1-age.key/secret
@@ -0,0 +1,15 @@
 {
 	"data": "ENC[AES256_GCM,data:q6mWG65NflVEvX1QUyRVFuRGOVg9wtyWDYQ8Plqw038pEyOrsVcj6Cmo6SRaRcAaxQmAUeplzYfzm2MgXMz1l/DySErH+mCyVSk=,iv:7X4mFSJXpUii+sppSAq8H7vYWGoDq3LnFJMAAjhhm7U=,tag:ep9vzbkzVtC2A8otat8vSg==,type:str]",
 	"sops": {
 		"age": [
 			{
 				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5bjNlZkppR01JT0F0TklO\nSnpIcFgwb0E5dStHQlZLdGNLQ3UxRDNBdEVVCnlpdWlPVVNIdFB3ZjlpSXZURjdS\nMVlCbFV5RXI0d2t5bHJvR3U5b2NDa2MKLS0tIDJLZlE0RjhNaGhBeFVsSE93Z0NX\nVVcyUjJPL1FVTEVOUktYTEMvVFNEdlUKYkmyVjcbAf5IVb/RWBfhbmoBbuz+u8X0\n3J8a/SJsgX3vLJIpVeSQSSFTNXu0+8/QeRiXsV7GCyHu+lwL75ycmA==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2025-04-23T07:54:59Z",
 		"mac": "ENC[AES256_GCM,data:rhi/f3r81Cm+yXJXpnPmyK7jNqJ1Pg4tU7gsOwjCv5CeJn8U6N78ZBiHndjdwzqSdp7+qwx/9gPpLQVoPzO2IhY+uRhg0l6v6N9iK9UD6tjNzsCw8zTIb/ehObRqqpzVn2BGkUte+g0Hu2/bpHFbq6qmGm8YOYnD8K7U2FoiuGQ=,iv:o7RaD5oogpjSgdfFPqb8Tfgn43ydSzA0ZTP2ayNZI9c=,tag:e/zmTPAIWX1uDQxLNznIWQ==,type:str]",
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.10.1"
 	}
 }
--- a/checks/syncthing/sops/secrets/peer1-age.key/users/admin
+++ b/checks/syncthing/sops/secrets/peer1-age.key/users/admin
@@ -0,0 +1 @@
 ../../../users/admin
--- a/checks/syncthing/sops/secrets/peer2-age.key/secret
+++ b/checks/syncthing/sops/secrets/peer2-age.key/secret
@@ -0,0 +1,15 @@
 {
 	"data": "ENC[AES256_GCM,data:2EaSVKRIMKVF9+qAozKl703entUWB04J61UM1QRj1omKUb5sDaOwnQKCZDZxO/CCtam/kz1jHoxCeFiJFcx+DpTyYptpSpYq1dI=,iv:syZ2HKRxQ73urS4Vwz7/3IMBYY6nk78zaooPMDkU1w4=,tag:uGaqxbU6/9DvkGY1Jq/XRw==,type:str]",
 	"sops": {
 		"age": [
 			{
 				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUMnJrb2VHYVdMRHJhYjFH\nL25nN2RIZ3pVeDdYTllrUkF0TkREYmNMMVdrCkNSaGlRd3c3YXZPZmIxWExCaytu\nU3FGTmhUZ0pUUjJJNS9vcVBISmFyZHcKLS0tIHMwaFlEYkFFb2RwS3JDb2VxRFcw\nZmd6S3RXVGcwbmtHVVRmWXkwSnF1RkkKTbg6igFHIakR8EAPuf+x9yhmQHF3TPp/\nC+B1FuorpovudtxmJ1UzBmkE0r13cY6iu9Vdjh1g7tBcXUWoHZsvIA==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2025-04-23T07:55:03Z",
 		"mac": "ENC[AES256_GCM,data:HuQQvWOGIjISxnNShYHLj4QinNoeOTwxpJK35swpcBnJ4JtDnA6F2JjpJI8DXIwO42eDbXIF22lJjqynRFRo6kQrrD8uhBHEFD2R+6U7zFxJ4gknWR1iF3fbM1+2VDiu8L9InpZcfb6Z8tpKPdPiYS3NGdoAJ0ClSw+8WlVsS5E=,iv:pJxsCP5Y6NTNAck0mphbLRnZ48sRRZ/YaYUobi6mGYU=,tag:ewR5QLBh3WRLkHlSGH5MsQ==,type:str]",
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.10.1"
 	}
 }
--- a/checks/syncthing/sops/secrets/peer2-age.key/users/admin
+++ b/checks/syncthing/sops/secrets/peer2-age.key/users/admin
@@ -0,0 +1 @@
 ../../../users/admin
--- a/Show More
+++ b/Show More
		`@@ -0,0 +1 @@`
							`AGE-SECRET-KEY-1UCXEUJH6JXF8LFKWFHDM4N9AQE2CCGQZGXLUNV4TKR5KY0KC8FDQ2TY4NX`