rework pocket-id to be more generic

modules/clan/pocket-id/default.nix

@@ -1,4 +1,4 @@
-{ lib, ... }:
+{ ... }:
 {
   _class = "clan.service";
   manifest.name = "pocket-id";
@@ -6,64 +6,40 @@
   manifest.categories = [ "System" ];
 
   roles.default = {
-    interface.options = {
-      domain = lib.mkOption {
-        type = lib.types.str;
-        default = "auth";
-        description = "";
-      };
-    };
 
-    perInstance =
+    perInstance.nixosModule =
       {
-        settings,
+        config,
+        pkgs,
+        lib,
         ...
       }:
       {
-        nixosModule =
-          {
-            config,
-            pkgs,
-            ...
-          }:
-          let
-            domain = "${settings.domain}.${config.networking.fqdn}";
-          in
-          {
-            clan.core.vars.generators.pocket-id = {
-              files = {
-                encryption-key = {
-                  owner = "${config.services.pocket-id.user}";
-                  group = "${config.services.pocket-id.group}";
-                  secret = true;
-                };
-              };
-              runtimeInputs = [ pkgs.pwgen ];
-              script = ''
-                pwgen -s 32 1 > $out/encryption-key
-              '';
+        clan.core.vars.generators.pocket-id = {
+          files = {
+            encryption-key = {
+              owner = "${config.services.pocket-id.user}";
+              group = "${config.services.pocket-id.group}";
+              secret = true;
             };
-            services.pocket-id = {
-              enable = true;
-              settings = {
-                ENCRYPTION_KEY_FILE = config.clan.core.vars.generators.pocket-id.files.encryption-key.path;
-                APP_ENV = "production";
-                APP_URL = "https://${domain}";
-                TRUST_PROXY = true;
-                PORT = 1411;
-
-                UI_CONFIG_DISABLED = true;
-              };
-            };
-            services.nginx.virtualHosts."${domain}" = {
-              forceSSL = true;
-              enableACME = true;
-              locations."/" = {
-                proxyPass = "http://localhost:${builtins.toString config.services.pocket-id.settings.PORT}";
-              };
-            };
-
           };
+          runtimeInputs = [ pkgs.pwgen ];
+          script = ''
+            pwgen -s 32 1 > $out/encryption-key
+          '';
+        };
+
+        clan.core.state.pocket-id.folders = [ config.services.pocket-id.dataDir ];
+
+        services.pocket-id = {
+          enable = lib.mkDefault true;
+          settings = {
+            ENCRYPTION_KEY_FILE = config.clan.core.vars.generators.pocket-id.files.encryption-key.path;
+            PORT = lib.mkDefault 1411;
+            ANALYTICS_DISABLED = lib.mkDefault true;
+            UI_CONFIG_DISABLED = lib.mkDefault true;
+          };
+        };
       };
   };
 }

modules/clan/pocket-id/flake-module.nix

@@ -0,0 +1,19 @@
+{ lib, ... }:
+let
+  module = lib.modules.importApply ./default.nix { };
+in
+{
+  clan.modules = {
+    pocket-id = module;
+  };
+
+  perSystem =
+    { ... }:
+    {
+      clan.nixosTests.pocket-id = {
+        imports = [ ./tests/vm/default.nix ];
+
+        clan.modules."@clan/pocket-id" = module;
+      };
+    };
+}

modules/clan/pocket-id/tests/vm/default.nix

@@ -0,0 +1,34 @@
+{ ... }:
+{
+  name = "service-pocket-id";
+
+  clan = {
+    directory = ./.;
+    inventory = {
+      machines.server = { };
+
+      instances = {
+        pocket-id-test = {
+          module.name = "@clan/pocket-id";
+          module.input = "self";
+          roles.default.machines."server" = { };
+        };
+      };
+    };
+  };
+
+  nodes = {
+    server = {
+      services.pocket-id = { };
+    };
+  };
+
+  testScript = ''
+    start_all()
+
+    server.wait_for_unit("pocket-id")
+
+    # Check that garage is running
+    server.succeed("systemctl status pocket-id")
+  '';
+}

modules/clan/pocket-id/tests/vm/sops/machines/server/key.json

@@ -0,0 +1,6 @@
+[
+  {
+    "publickey": "age1jvhs79a367ynhupy6gndyafg5f6wzrsa3p3r27d8y4zpvlp5vd6qwysnc2",
+    "type": "age"
+  }
+]

modules/clan/pocket-id/tests/vm/sops/secrets/server-age.key/secret

@@ -0,0 +1,15 @@
+{
+	"data": "ENC[AES256_GCM,data:MheRz91AzSqUV0gz3PHdort06igblp8dVku2GIeXbBiTpG3Dnlqzw6QEvTeRVtZ4ol0gHS8CQQ4Lc4H9IyHGiTfJkSUM7pXY/vM=,iv:mMibIfA6gqvJlbau9sKkjRoYrDcqCpTG0b+jrZCHIkE=,tag:MN5I9AO1U7sJfq/9GxSFCg==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1dnVqRXVibTFYeUlsc09J\nQnRSRVE0NklWWFNlbHZaaWJ3dDlEaTJKVkZnCnJEZHhoSzd3T3NEVjFjY0NkRFNq\nL1owbmR0SENSWVQxOXVlNWJFb0JsSEEKLS0tIHhESEI2Y3MzMU9WRzhYNWZhUUd2\nTVpldG5qbDF6UG9jNnBRTnZRdzAweDAKl4FpFTp7NyTHXJEF7tIO0CnsgTY4maJ2\n7KfQRwQuhW73WqVdzJSZ7i/Xapwglx0ISBvSEDgBTiQhFlBLCMEzYg==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-07-29T09:50:44Z",
+		"mac": "ENC[AES256_GCM,data:lZ7SAQkkH441L3Ss9nEI1fm6SgcysIcOBg9it0m80CiNhtittsFNcP7l0ApkIBQLhMsan93bLMG3kcDKzqxld3XDRPUwlJkKElh8Dc8q7qqtOqgKNnsFDcx4Zh3HdiTPywyIBnUMYAul4tVPpEzqh1GSD1GF9fsBxLiwxBwalY4=,iv:wmhz1k5LMNNxuacQj+A5FryJwzqxpXf5AnFoeL1TF4k=,tag:cl5OcxGYvC6DGQDRuhqRRw==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}

modules/clan/pocket-id/tests/vm/sops/secrets/server-age.key/users/admin

@@ -0,0 +1 @@
+../../../users/admin

modules/clan/pocket-id/tests/vm/sops/users/admin/key.json

@@ -0,0 +1,4 @@
+{
+  "publickey": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
+  "type": "age"
+}

modules/clan/pocket-id/tests/vm/vars/per-machine/server/pocket-id/encryption-key/machines/server

@@ -0,0 +1 @@
+../../../../../../sops/machines/server

modules/clan/pocket-id/tests/vm/vars/per-machine/server/pocket-id/encryption-key/secret

@@ -0,0 +1,19 @@
+{
+	"data": "ENC[AES256_GCM,data:o1BHipQXow25uobhojeSIvSaIM4SiOtjfpNBi11E7kRX,iv:mheOssj84dp1+QAG0rpdyaf5O4WWaTWh1y/DC/I9nnA=,tag:M8zSZ4GWwy5rOcOEOBbwIA==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1jvhs79a367ynhupy6gndyafg5f6wzrsa3p3r27d8y4zpvlp5vd6qwysnc2",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXaXFvL0JES28rUkhNT3Bj\neDVYZlNubC8wV1VGTHN1Vzh6NEV3YWI3L3pJClh2T0FhQURXRkRJSnFVYjVsZkdq\ncWRFL1crVm1EK2NHNUtlc1RMVlZ5aWMKLS0tIFczWUcxTWFMdkhXb2ZTZlRSNDBT\nNmxWak50M1JTV2R3M0FXclRGc0JuVjgKtsxU2a3DNhe9CeJFK+HK7lFhrpV7UuES\nqasLv4crL7+4eJFhmUxVwzT0ubPAuG3CBMbbmrYmAs2CUXWtcmqGMA==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0TGwzeUNLbkJ4bFBPVjJy\nd3pLTWRPVytrK1plQ3kzd1ZOMjBtcGJjY25nCk5mNDRxNmJjTHh4a2pBSldvQ0Y5\nUXVPbWZ1WW1QcU03MWtuL29udGFUQ1EKLS0tIHFSY1VZUGJFanhyZmN6WHJKTzEr\nbjBkVDNJUUZNZHhjSDlDZ3Z4Y0d3Q3MKHm3Ar31B2RviANl+tCeNmtYvQp5hVdui\n9Khkd3R6MshF4rZWrWhD9vea1RX9ugJJawCTU3+4zFDEWQ6XQ+tpTw==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-07-29T09:50:44Z",
+		"mac": "ENC[AES256_GCM,data:B3iNE0/ve2EazWNQJ6MhSaa3EAmte5GUJrVjLB7ysIoe+pf7kQy9HE2ObEypFezvbfBYAbXd+XIq8J+jTjh4X11i6/BDNsvFQKuYbTLaK+dqZzeuOQU3ntTQuhyx5qdKyXq5FtHYyJI9XsYvSFRHe2UYy4L5i6LvMoc3ka/vUHI=,iv:mXuhXp63D1UkBJX5U7RY+NqYsU5SkolDABrSDRXegFk=,tag:LJ/BnU9xKMQyr+nAAHnGFA==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}

modules/clan/pocket-id/tests/vm/vars/per-machine/server/pocket-id/encryption-key/users/admin

@@ -0,0 +1 @@
+../../../../../../sops/users/admin