From 2cb83f85c9ad4bb36df1e038859198e015f9606c Mon Sep 17 00:00:00 2001
From: Simon Gardling
Date: Thu, 12 Feb 2026 13:31:05 -0500
Subject: [PATCH] test(tmpfiles): add VM test for serviceFilePerms (RED phase)
---
 tests/file-perms.nix | 53 ++++++++++++++++++++++++++++++++++++++++++++
 tests/tests.nix | 1 +
 2 files changed, 54 insertions(+)
 create mode 100644 tests/file-perms.nix
diff --git a/tests/file-perms.nix b/tests/file-perms.nix
new file mode 100644
index 0000000..dd6b3b7
--- /dev/null
+++ b/tests/file-perms.nix
@@ -0,0 +1,53 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+let
+ testPkgs = pkgs.appendOverlays [ (import ../modules/overlays.nix) ];
+in
+testPkgs.testers.runNixOSTest {
+ name = "file-perms test";
+
+ nodes.machine =
+ { pkgs, ... }:
+ {
+ imports = [
+ (lib.serviceFilePerms "test-service" [
+ "Z /tmp/test-perms-dir 0750 nobody nogroup"
+ ])
+ ];
+
+ systemd.services."test-service" = {
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = true;
+ ExecStart = lib.getExe pkgs.bash;
+ };
+ };
+ };
+
+ testScript = ''
+ start_all()
+ machine.wait_for_unit("multi-user.target")
+
+ # Create test directory with wrong permissions
+ machine.succeed("mkdir -p /tmp/test-perms-dir")
+ machine.succeed("chown root:root /tmp/test-perms-dir")
+ machine.succeed("chmod 700 /tmp/test-perms-dir")
+
+ # Start service -- this should pull in test-service-file-perms
+ machine.succeed("systemctl start test-service")
+
+ # Verify file-perms service ran and is active
+ machine.succeed("systemctl is-active test-service-file-perms.service")
+
+ # Verify permissions were fixed by tmpfiles
+ result = machine.succeed("stat -c '%U:%G' /tmp/test-perms-dir").strip()
+ assert result == "nobody:nogroup", f"Expected nobody:nogroup, got {result}"
+
+ result = machine.succeed("stat -c '%a' /tmp/test-perms-dir").strip()
+ assert result == "750", f"Expected 750, got {result}"
+ '';
+}
diff --git a/tests/tests.nix b/tests/tests.nix
index fcc29e1..f7a2e93 100644
--- a/tests/tests.nix
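Review bot: The testScript checks only that test-service-file-perms is active after `systemctl start test-service` and that the directory ends up `nobody:nogroup 750`; it never shows that the fix was applied before test-service's own ExecStart ran, which is the ordering guarantee a pre-start permissions unit exists to provide, so a unit that is merely started alongside (or after) the main service would still pass. Having the main service record what it observes at start, e.g. `ExecStart = pkgs.writeShellScript "observe" "stat -c '%U:%G %a' /tmp/test-perms-dir > /tmp/observed";` together with `assert machine.succeed("cat /tmp/observed").strip() == "nobody:nogroup 750"` in the script, would pin the ordering instead of just the end state. The directory is empty when the `Z` rule runs, so the recursive adjustment that distinguishes `Z` from `z` is not exercised; creating a file inside it before the start and stat-ing that file too would cover it. If the generated unit is hardened with PrivateTmp (the module is not part of this diff, so this is a guess), the `/tmp` fixture would be namespaced away from what the test inspects, and a path under `/var/lib` would be a more robust choice.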
+++ b/tests/tests.nix
@@ -12,6 +12,7 @@ in testTest = handleTest ./testTest.nix; minecraftTest = handleTest ./minecraft.nix; jellyfinQbittorrentMonitorTest = handleTest ./jellyfin-qbittorrent-monitor.nix; + filePermsTest = handleTest ./file-perms.nix; # fail2ban tests fail2banSshTest = handleTest ./fail2ban-ssh.nix;