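# NixOS VM test for the tailscalesd module exported by this flake.
#
# Takes the flake (`self`) and returns a test attrset that boots one machine
# with the module enabled, then checks that:
#   * the service starts and listens on port 9242,
#   * the unit uses DynamicUser and receives its secrets via LoadCredential,
#   * the secret values themselves are not rendered into the unit,
#   * the HTTP endpoint accepts the configured bearer token and rejects a
#     wrong token as well as a request that carries no token at all.
self: {
  name = "tailscalesd-nixos-module";

  nodes.machine =
    { pkgs, ... }:
    {
      imports = [ self.nixosModules.default ];

      # curl is only needed by the test script below.
      environment.systemPackages = [ pkgs.curl ];

      # Test fixtures only. `environment.etc.<name>.text` places the content
      # in the Nix store, which is world-readable, so this pattern must not be
      # copied for real secrets: point the *File options at files that are
      # provisioned outside the store instead.
      environment.etc = {
        "tailscalesd-secrets/bearer-token".text = "test-token\n";
        "tailscalesd-secrets/client-id".text = "test-client-id\n";
        "tailscalesd-secrets/client-secret".text = "test-client-secret\n";
      };

      services.tailscalesd = {
        enable = true;
        environment.TAILSCALESD_TAILNET = "example.test";
        # NOTE(review): presumably keeps the daemon from contacting the real
        # Tailscale API inside the sandboxed VM; confirm against the module.
        environment.TAILSCALESD_TEST_MODE = "true";
        # Secrets are handed over as file paths, never as inline values.
        credentials = {
          bearerTokenFile = "/etc/tailscalesd-secrets/bearer-token";
          clientIdFile = "/etc/tailscalesd-secrets/client-id";
          clientSecretFile = "/etc/tailscalesd-secrets/client-secret";
        };
      };
    };

  testScript = ''
    start_all()
    machine.wait_for_unit("multi-user.target")
    machine.wait_for_unit("tailscalesd.service")
    machine.wait_for_open_port(9242)
    machine.succeed("systemctl is-active tailscalesd.service")

    # Hardening: the unit must run as a dynamic user and get each secret
    # through systemd's LoadCredential mechanism.
    unit = machine.succeed("systemctl cat tailscalesd.service")
    assert "DynamicUser=true" in unit, unit
    assert "LoadCredential=bearer_token:" in unit, unit
    assert "LoadCredential=client_id:" in unit, unit
    assert "LoadCredential=client_secret:" in unit, unit

    # Only paths may appear in the unit; a secret value showing up here would
    # mean it was inlined into a file that any local user can read.
    for secret in ("test-token", "test-client-id", "test-client-secret"):
        assert secret not in unit, unit

    # The configured bearer token is accepted and yields an empty target list.
    machine.succeed(
        "curl -sf -H 'Authorization: Bearer test-token' http://127.0.0.1:9242/ | grep -F '[]'"
    )

    # A wrong token is rejected. curl -f exits non-zero on any HTTP status of
    # 400 or above, so this does not pin the exact rejection code.
    machine.fail(
        "curl -sf -H 'Authorization: Bearer wrong-token' http://127.0.0.1:9242/"
    )

    # A request without any Authorization header must be rejected as well.
    machine.fail("curl -sf http://127.0.0.1:9242/")
  '';
}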