Add a NixOS VM end-to-end test for the tailscalesd module.

flake.nix

@@ -194,6 +194,9 @@
             '';
           };
         }
+        // pkgs.lib.optionalAttrs pkgs.stdenv.isLinux {
+          tailscalesd-nixos-test = pkgs.testers.runNixOSTest (import ./nix/tests/tailscalesd.nix self);
+        }
       );
 
       nixosModules = {

nix/tests/tailscalesd.nix

@@ -0,0 +1,51 @@
+self: {
+  name = "tailscalesd-nixos-module";
+
+  nodes.machine =
+    { pkgs, ... }:
+    {
+      imports = [ self.nixosModules.default ];
+
+      environment.systemPackages = [ pkgs.curl ];
+
+      environment.etc = {
+        "tailscalesd-secrets/bearer-token".text = "test-token\n";
+        "tailscalesd-secrets/client-id".text = "test-client-id\n";
+        "tailscalesd-secrets/client-secret".text = "test-client-secret\n";
+      };
+
+      services.tailscalesd = {
+        enable = true;
+        environment.TAILSCALESD_TAILNET = "example.test";
+        environment.TAILSCALESD_TEST_MODE = "true";
+        credentials = {
+          bearerTokenFile = "/etc/tailscalesd-secrets/bearer-token";
+          clientIdFile = "/etc/tailscalesd-secrets/client-id";
+          clientSecretFile = "/etc/tailscalesd-secrets/client-secret";
+        };
+      };
+    };
+
+  testScript = ''
+    start_all()
+
+    machine.wait_for_unit("multi-user.target")
+    machine.wait_for_unit("tailscalesd.service")
+    machine.wait_for_open_port(9242)
+
+    machine.succeed("systemctl is-active tailscalesd.service")
+
+    unit = machine.succeed("systemctl cat tailscalesd.service")
+    assert "DynamicUser=true" in unit, unit
+    assert "LoadCredential=bearer_token:" in unit, unit
+    assert "LoadCredential=client_id:" in unit, unit
+    assert "LoadCredential=client_secret:" in unit, unit
+
+    machine.succeed(
+        "curl -sf -H 'Authorization: Bearer test-token' http://127.0.0.1:9242/ | grep -F '[]'"
+    )
+    machine.fail(
+        "curl -sf -H 'Authorization: Bearer wrong-token' http://127.0.0.1:9242/"
+    )
+  '';
+}