From 6ff0b92f53eb247960dcf6a11b2a7030c9014426 Mon Sep 17 00:00:00 2001
From: Abel Luck
Date: Thu, 5 Mar 2026 16:14:20 +0100
Subject: [PATCH] Add a NixOS VM end-to-end test for the tailscalesd module.

---
 flake.nix | 3 +++
 nix/tests/tailscalesd.nix | 51 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 54 insertions(+)
 create mode 100644 nix/tests/tailscalesd.nix

diff --git a/flake.nix b/flake.nix
index b024844..0013484 100644
--- a/flake.nix
+++ b/flake.nix
@@ -194,6 +194,9 @@
 '';
 };
 }
+ // pkgs.lib.optionalAttrs pkgs.stdenv.isLinux {
+ tailscalesd-nixos-test = pkgs.testers.runNixOSTest (import ./nix/tests/tailscalesd.nix self);
+ }
 );
 
 nixosModules = {
diff --git a/nix/tests/tailscalesd.nix b/nix/tests/tailscalesd.nix
new file mode 100644
index 0000000..4ff07db
--- /dev/null
+++ b/nix/tests/tailscalesd.nix
@@ -0,0 +1,51 @@
+self: {
+ name = "tailscalesd-nixos-module";
+
+ nodes.machine =
+ { pkgs, ... }:
+ {
+ imports = [ self.nixosModules.default ];
+
+ environment.systemPackages = [ pkgs.curl ];
+
+ environment.etc = {
+ "tailscalesd-secrets/bearer-token".text = "test-token\n";
+ "tailscalesd-secrets/client-id".text = "test-client-id\n";
+ "tailscalesd-secrets/client-secret".text = "test-client-secret\n";
+ };
+
+ services.tailscalesd = {
+ enable = true;
+ environment.TAILSCALESD_TAILNET = "example.test";
+ environment.TAILSCALESD_TEST_MODE = "true";
+ credentials = {
+ bearerTokenFile = "/etc/tailscalesd-secrets/bearer-token";
+ clientIdFile = "/etc/tailscalesd-secrets/client-id";
+ clientSecretFile = "/etc/tailscalesd-secrets/client-secret";
+ };
+ };
+ };
+
+ testScript = ''
+ start_all()
+
+ machine.wait_for_unit("multi-user.target")
+ machine.wait_for_unit("tailscalesd.service")
+ machine.wait_for_open_port(9242)
+
+ machine.succeed("systemctl is-active tailscalesd.service")
+
+ unit = machine.succeed("systemctl cat tailscalesd.service")
+ assert "DynamicUser=true" in unit, unit
+ assert "LoadCredential=bearer_token:" in unit, unit
+ assert "LoadCredential=client_id:" in unit, unit
+ assert "LoadCredential=client_secret:" in unit, unit
+
+ machine.succeed(
+ "curl -sf -H 'Authorization: Bearer test-token' http://127.0.0.1:9242/ | grep -F '[]'"
+ )
+ machine.fail(
+ "curl -sf -H 'Authorization: Bearer wrong-token' http://127.0.0.1:9242/"
+ )
+ '';
+}
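Review bot: The negative check at the end of `testScript`, `machine.fail("curl -sf … wrong-token …")`, passes on any non-zero curl exit, so a crashed listener or a 5xx response would satisfy it just as well as a rejected token. Assert the HTTP status instead, and add a request with no `Authorization` header, since that path is not exercised at all. The sketch below accepts 401 or 403 because the hunk does not show which one tailscalesd returns; pin it to the real value. It would also help to say in a comment next to `TAILSCALESD_TEST_MODE` what that mode changes (if it touches the bearer check, this test says little about production behaviour) and to mark the `environment.etc` secrets as world-readable fixtures that are acceptable only in a throwaway VM.

```nix
  testScript = ''
    # … unchanged: unit wait, LoadCredential assertions, authorized request …

    def http_status(curl_args):
        return machine.succeed(
            "curl -s -o /dev/null -w '%{http_code}' " + curl_args + " http://127.0.0.1:9242/"
        ).strip()

    # A rejection must come from the auth layer, not from a dead listener or a 5xx.
    assert http_status("-H 'Authorization: Bearer wrong-token'") in ("401", "403")
    assert http_status("") in ("401", "403")
```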