Use LoadCredential secrets and DynamicUser for tailscalesd.

tests/test_auth.py

@@ -33,3 +33,27 @@ def test_unauthorized_no_token():
     response = client.get("/")
     assert response.status_code == 403
     assert response.json() == {"detail": "Not authenticated"}
+
+
+def test_settings_support_secret_files(tmp_path):
+    bearer_token_file = tmp_path / "bearer_token"
+    client_id_file = tmp_path / "client_id"
+    client_secret_file = tmp_path / "client_secret"
+    bearer_token_file.write_text("from-file-token\n", encoding="utf-8")
+    client_id_file.write_text("from-file-client-id\n", encoding="utf-8")
+    client_secret_file.write_text("from-file-client-secret\n", encoding="utf-8")
+
+    settings = Settings(
+        test_mode=True,
+        tailnet="test",
+        bearer_token_file=str(bearer_token_file),
+        client_id_file=str(client_id_file),
+        client_secret_file=str(client_secret_file),
+    )
+
+    assert settings.bearer_token is not None
+    assert settings.client_id is not None
+    assert settings.client_secret is not None
+    assert settings.bearer_token.get_secret_value() == "from-file-token"
+    assert settings.client_id.get_secret_value() == "from-file-client-id"
+    assert settings.client_secret.get_secret_value() == "from-file-client-secret"