Clan is a toolkit that makes it easier to manage networks of VPN-connected NixOS machines.
The ultimate goal is to lower the barrier to self-hosted services massively and allow anyone to achieve this without special hardware. As of now, using Clan still requires NixOS knowledge, but it already combines several of our Open-Source projects that you may know (nixos-anywhere, sops-nix, nixos-generators, disko, …) into a uniform CLI.

Changelog

Documentation

• Updated documentation with new content (#5878)
• Finalized documentation template
• Small documentation improvements (#5941, #5942)

Core Development & Testing

• Vars improvements:
  • Fixed bugs where shared vars are encrypted for wrong machine
  • Fixed bug where shared vars not generated for all required machines
  • Added logging of entities gaining access in commit messages
  • Fixed terminal multiplexing issue
  • Various small vars PRs (#5933, #5940, #5934, #5935)
• Nixpkgs bump: Ready for merge, waiting on CI (#5595)
• Improved pkgs overrides for flake.parts (#5913)

Features

• Exports system:
  • Service exports merged! (#5703)
  • Work on requiring explicit interface/traits (#5891)
• meta.domain support: Merged meta.domain option (#5783)
• Darwin support:
  • Ported clan services and wireguard VPN to nix-darwin (#5889)
  • WIP: Zerotier VPN for nix-darwin (#5958)
• Munix integration: WIP integration into clan (#5957)
• Made UI work in normal browser (#5920)
• Added nix_shell to check_machine_ssh_reachable (#5873)

UI/Frontend

• Fixed 3D view bug (#5870)
• UI architect changes (#5888)

CLI Improvements

• Display meta.domain in clan show and other fixes (#5916, #5915)
• Fixed clan machines create with custom directory (#5952)
• Added missing subcommands to machine help metavar (#5947)
  • Now shown in help output and rendered on documentation site
  • Added regression test to catch missing metavars (#5948)
• Fixed help formatting (#5953, #5914)

Services

• Syncthing: Fixed firewall interface wildcard syntax (#5918)
• Backups: Overhauled backups with documentation based on community contribution (#5868)
  • Created issue for reworking preBackupScript as standalone systemd service (#5869)

Networking

• Yggdrasil improvements:
  • Avoided self-connections in Yggdrasil
  • Added listen functionality for all peers
• SSH agent improvements (WIP) (#5803)

VMTech / Virtualization

• muvm now works on Ubuntu 25.05 live stick
• muvm now works on ARM
• muvm now works inside a VM
• PR to nixpkgs to enable mesa amdgpu-virtio #441300

Clan Core Changelog W49

• The transition from facts to vars is finally over! We are removed the last bit of compatibility code. If you have any issues please reach out. #5991
• Removed an optimization that improved CI performance, but became unwieldy over time, namely: clan-core-for-checks #5993
• Groundwork for a UI architecture change #5888
• Starting lib separation between public and private APIs to communicate what parts should be used by our community
  #5985 #5992 #5995
• Remove some direct filesystem dependencies from vars, depending on a proper abstraction instead: https://git.clan.lol/clan/clan-core/pulls/5996
• Finished explicit interface/traits #5891
• Updating our nixpkgs to the branchoff commit coming closer to our stable release: #6024
• Continued working on our Tor + Yggdrasil integration
  • Added portMapping option to tor service
  • Implemented handling for .onion addresses in yggdrasil service #6007
  • Fixed tor exports #5989
• Flake Cache Garbage Collection
  • Implemented garbage collection for flake caching #5980
• Cleanup & Bug Fixes
  • Cleanup community services page
  • Reverted password-store breakage #6004
  • Removed direct use of zerotier IP for syncthing #5954
• Continuing our work upstreaming nixos-facter modules
  • https://github.com/NixOS/nixpkgs/pull/466808
• niks3 stop leaking pre-signed urls in CI logs:
  • https://github.com/Mic92/niks3/pull/116
• Wrote a Zerotier network controller:
  • https://github.com/Mic92/mesh-controller
  • We are currently testing the controller to see if it is a viable alternative to the current zerotier controller

vmtech

• Rewrite NixOS activation in Rust (less than 500ms now)
  • https://git.clan.lol/clan/munix/commit/0bd986f97fcdc0235bf1854998c16cd51336e25
  • https://git.clan.lol/clan/munix/commit/d2070a1becbc20f2582f969ec44c06399c0db657
  • Please keep in mind that this is highly optimized for specific VMs
• munix: Submodules are now flake inputs
• muvm: Discussed potential macOS support
• libkrun: Fix arm64 + recent linux kernel support: https://github.com/containers/libkrun/pull/479
• nixpkgs: Upstreaming static userborn mode: https://github.com/NixOS/nixpkgs/pull/465906
• Big muvm PR still getting last-minute tweaks: https://github.com/AsahiLinux/muvm/pull/192
• sidebus: unhardcoded UIDs, working on swapping client/server

Clan Core Changelog W50

CLI Improvements

• Added new clan machines build subcommand (#6025)
• Reverted removal of --fast-nix option for nixos-rebuild - if you had trouble updating machines due to this deprecation, please try again (#6093)
• Fixed --build-host completion (#6087)
• Added autocompletion to clan secrets set (#6072)
• All list commands are now sorted (#6070)

Vars & Secrets

• Merged removal of facts system (#5991)
• Fixed breakage with activation time secrets (#6055, #6060)
• Optimized performance for sops and password-store backends (#6077, #6085, #6088)

Networking

• Yggdrasil Service Security Improvements (#6083):
  • Limited multicast addresses
  • Implemented firewall restrictions to limit access to clan IPs
  • Set AllowedPublicKeys configuration
• Fixed format_address function and added tests (#6068)
• Removed direct use of zerotier IP for syncthing and data-mesher (#6036, #5954)

munix

• Added settings portal support (keyboard layouts, dark mode, font size, desktop preferences)
• Added music player demo to the readme
• machine-id is now randomly generated on every boot