# NixOS VM test for `lib.serviceFilePerms`.
#
# The node imports the module returned by `lib.serviceFilePerms` for
# "test-service" with a single tmpfiles.d rule. The test script then creates
# the target directory with deliberately wrong ownership and mode, starts the
# service, and asserts that the directory ends up as nobody:nogroup, mode 750.
#
# NOTE(review): `lib.serviceFilePerms` is defined outside this file. The unit
# name `test-service-file-perms.service` used below is taken from the test
# script, not from the helper's source. Confirm against the helper.
{ config, lib, pkgs, ... }:
let
  # nixpkgs with this repository's overlay applied; the test driver
  # (`testers.runNixOSTest`) is taken from this extended package set.
  overlaidPkgs = pkgs.appendOverlays [ (import ../modules/overlays.nix) ];

  serviceName = "test-service";

  # tmpfiles.d rule: `Z` recursively sets mode and ownership on the path.
  # NOTE(review): the assertions in the test script inspect only the
  # directory itself, so the recursive part of `Z` is not exercised here.
  permsRule = "Z /tmp/test-perms-dir 0750 nobody nogroup";
in
overlaidPkgs.testers.runNixOSTest {
  name = "file-perms test";

  nodes.machine = { pkgs, ... }: {
    imports = [ (lib.serviceFilePerms serviceName [ permsRule ]) ];

    # Minimal oneshot unit: bash is started without arguments, and the test
    # only needs `systemctl start` on this unit to succeed.
    systemd.services.${serviceName}.serviceConfig = {
      Type = "oneshot";
      RemainAfterExit = true;
      ExecStart = lib.getExe pkgs.bash;
    };
  };

  testScript = ''
    start_all()
    machine.wait_for_unit("multi-user.target")

    # Create test directory with wrong permissions
    machine.succeed("mkdir -p /tmp/test-perms-dir")
    machine.succeed("chown root:root /tmp/test-perms-dir")
    machine.succeed("chmod 700 /tmp/test-perms-dir")

    # Start service -- this should pull in test-service-file-perms
    machine.succeed("systemctl start test-service")

    # Verify file-perms service ran and is active
    machine.succeed("systemctl is-active test-service-file-perms.service")

    # Verify permissions were fixed by tmpfiles
    result = machine.succeed("stat -c '%U:%G' /tmp/test-perms-dir").strip()
    assert result == "nobody:nogroup", f"Expected nobody:nogroup, got {result}"

    result = machine.succeed("stat -c '%a' /tmp/test-perms-dir").strip()
    assert result == "750", f"Expected 750, got {result}"
  '';
}