tailscalesd/nix/tests/tailscalesd.nix

self: {
  name = "tailscalesd-nixos-module";

  nodes.machine =
    { pkgs, ... }:
    {
      imports = [ self.nixosModules.default ];

      environment.systemPackages = [ pkgs.curl ];

      environment.etc = {
        "tailscalesd-secrets/bearer-token".text = "test-token\n";
        "tailscalesd-secrets/client-id".text = "test-client-id\n";
        "tailscalesd-secrets/client-secret".text = "test-client-secret\n";
      };

      services.tailscalesd = {
        enable = true;
        environment.TAILSCALESD_TAILNET = "example.test";
        environment.TAILSCALESD_TEST_MODE = "true";
        credentials = {
          bearerTokenFile = "/etc/tailscalesd-secrets/bearer-token";
          clientIdFile = "/etc/tailscalesd-secrets/client-id";
          clientSecretFile = "/etc/tailscalesd-secrets/client-secret";
        };
      };
    };

  testScript = ''
    start_all()

    machine.wait_for_unit("multi-user.target")
    machine.wait_for_unit("tailscalesd.service")
    machine.wait_for_open_port(9242)

    machine.succeed("systemctl is-active tailscalesd.service")

    unit = machine.succeed("systemctl cat tailscalesd.service")
    assert "DynamicUser=true" in unit, unit
    assert "LoadCredential=bearer_token:" in unit, unit
    assert "LoadCredential=client_id:" in unit, unit
    assert "LoadCredential=client_secret:" in unit, unit

    machine.succeed(
        "curl -sf -H 'Authorization: Bearer test-token' http://127.0.0.1:9242/ | grep -F '[]'"
    )
    machine.fail(
        "curl -sf -H 'Authorization: Bearer wrong-token' http://127.0.0.1:9242/"
    )
  '';
}
Add a NixOS VM end-to-end test for the tailscalesd module. 2026-03-05 16:14:20 +01:00			`self: {`
			`name = "tailscalesd-nixos-module";`

			`nodes.machine =`
			`{ pkgs, ... }:`
			`{`
			`imports = [ self.nixosModules.default ];`

			`environment.systemPackages = [ pkgs.curl ];`

			`environment.etc = {`
			`"tailscalesd-secrets/bearer-token".text = "test-token\n";`
			`"tailscalesd-secrets/client-id".text = "test-client-id\n";`
			`"tailscalesd-secrets/client-secret".text = "test-client-secret\n";`
			`};`

			`services.tailscalesd = {`
			`enable = true;`
			`environment.TAILSCALESD_TAILNET = "example.test";`
			`environment.TAILSCALESD_TEST_MODE = "true";`
			`credentials = {`
			`bearerTokenFile = "/etc/tailscalesd-secrets/bearer-token";`
			`clientIdFile = "/etc/tailscalesd-secrets/client-id";`
			`clientSecretFile = "/etc/tailscalesd-secrets/client-secret";`
			`};`
			`};`
			`};`

			`testScript = ''`
			`start_all()`

			`machine.wait_for_unit("multi-user.target")`
			`machine.wait_for_unit("tailscalesd.service")`
			`machine.wait_for_open_port(9242)`

			`machine.succeed("systemctl is-active tailscalesd.service")`

			`unit = machine.succeed("systemctl cat tailscalesd.service")`
			`assert "DynamicUser=true" in unit, unit`
			`assert "LoadCredential=bearer_token:" in unit, unit`
			`assert "LoadCredential=client_id:" in unit, unit`
			`assert "LoadCredential=client_secret:" in unit, unit`

			`machine.succeed(`
			`"curl -sf -H 'Authorization: Bearer test-token' http://127.0.0.1:9242/ \| grep -F '[]'"`
			`)`
			`machine.fail(`
			`"curl -sf -H 'Authorization: Bearer wrong-token' http://127.0.0.1:9242/"`
			`)`
			`'';`
			`}`