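# NixOS VM test "seacrit-simple": boots three machines that use the seacrit
# module from ../modules and verifies, from activation scripts, that the
# secrets exist with the expected content, ownership and mode.
#
# The default for `nixpkgs` was missing on the page (`nixpkgs ? ` with no
# expression is a syntax error); `<nixpkgs>` is restored here as the
# conventional lookup-path default.
{ nixpkgs ? <nixpkgs> } @ args:
let
  # Returns the activation-script snippets that perform the checks.
  # Each snippet touches a marker file under /run only when every check in
  # its `&&` chain passed; the test script later looks for those markers.
  #
  # Caveat: `set -x` traces the expanded `[ "$(cat ...)" = ... ]` command, so
  # the secret's content ends up in the activation output. That is tolerable
  # here only because the fixtures are dummy values ("root" / "user"); do not
  # reuse this pattern against real secrets.
  check = lib: config: {
    # Ordered after the "seacrit-root" snippet: content must be "root",
    # owner uid:gid 0:0, mode 400.
    rootSecretExists =
      let
        p = config.seacrit.secrets.root.path;
      in
      lib.stringAfter [ "seacrit-root" ] ''
        (
          set -x;
          [ "$(cat ${p})" = root ] && \
          [ $(stat -c %u:%g ${p}) = 0:0 ] && \
          [ $(stat -c %a ${p}) = 400 ] && \
          touch /run/root-sec-succeeded
        )
      '';

    # Make the stock "users" and "groups" snippets depend on the root check,
    # so the root secret is verified before they run.
    users.deps = [ "rootSecretExists" ];
    groups.deps = [ "rootSecretExists" ];

    # Ordered after "users", "groups" and "seacrit": content must be "user",
    # owner user:user, mode 204 (the octal form of `u=w,o=r` set below).
    userSecretExists =
      let
        p = config.seacrit.secrets."user/sec".path;
      in
      lib.stringAfter [ "users" "groups" "seacrit" ] ''
        (
          set -x;
          [ "$(cat ${p})" = user ] && \
          [ $(stat -c %U:%G ${p}) = user:user ] && \
          [ $(stat -c %a ${p}) = 204 ] && \
          touch /run/user-sec-succeeded
        )
      '';
  };
in
import "${nixpkgs}/nixos/tests/make-test-python.nix" ({ pkgs, ... }: rec {
  name = "seacrit-simple";

  # Baseline machine: decrypts the secrets in ./simple with main.key.
  nodes.main = { pkgs, config, lib, ... }: {
    imports = [ ../modules ];

    seacrit = {
      storePath = ./simple;
      # The key file is copied into a store output. The Nix store is
      # world-readable, so this is acceptable for a throwaway test key only;
      # a real host key must be referenced by a path outside the store.
      # NOTE(review): the derivation name is empty; newer Nix releases may
      # reject an empty store path name — confirm.
      hostKeys = [
        (pkgs.runCommand "" { key = ./simple/main.key; } "cp $key $out")
      ];
      secrets = {
        # No options set, so the module's defaults apply; the check above
        # expects 0:0 and mode 400.
        root = { };
        # Presumably chosen to exercise symbolic mode parsing: the resulting
        # mode 204 lets "other" read the file, which is not a mode to copy
        # into a real configuration.
        "user/sec" = {
          owner = "user";
          group = "user";
          mode = "u=w,o=r";
        };
      };
    };

    users = {
      mutableUsers = false;
      users.user = { isNormalUser = true; };
      groups.user = { };
    };

    system.activationScripts = check lib config;
  };

  # Same as main, with seacrit.hostID set explicitly to "main".
  nodes.other = args@{ pkgs, config, lib, ... }:
    lib.recursiveUpdate (nodes.main args) {
      seacrit.hostID = "main";
    };

  # Same as main, but using the second fixture key, aux.key.
  nodes.aux = args@{ pkgs, config, lib, ... }:
    lib.recursiveUpdate (nodes.main args) {
      seacrit.hostKeys = [
        (pkgs.runCommand "" { key = ./simple/aux.key; } "cp $key $out")
      ];
    };

  # Every machine must reach multi-user.target with both marker files present.
  testScript = ''
    for m in [ main, other, aux ]:
      m.wait_for_unit("multi-user.target")
      m.succeed('[ -f /run/root-sec-succeeded ]')
      m.succeed('[ -f /run/user-sec-succeeded ]')
  '';
}) args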