{
  lib,
  pkgs,
  sources,
  ...
}:
let
  inherit (pkgs.callPackage ../../utils.nix { }) evalOption;
  domain = "domain.tld";
  apiKey = "abcdefghijklm";
  inherit
    (evalOption
      (pkgs.callPackage ../../run {
        inherit sources;
      }).octodns-zone
      {
        inherit domain;
        provider = "powerdns";
        # outside tests, use an actual secrets mechanism instead
        secretFiles.api_key = builtins.toString (pkgs.writeText "api_key" apiKey);
        configuration.host = "localhost";
        zone = {
          NS = [ "ns.test.com." ];
          A = [ "203.0.113.2" ];
        };
      }
    )
    validate
    sync
    ;
in
{
  _class = "nixosTest";
  name = "octodns";

  nodes.deployer = {
    networking.firewall.enable = false;
    services.powerdns = {
      enable = true;
      extraConfig = ''
        api=yes
        api-key=${apiKey}
        launch=gmysql
        gmysql-user=pdns
      '';
    };
    services.mysql = {
      enable = true;
      package = pkgs.mariadb;
      ensureDatabases = [ "powerdns" ];
      ensureUsers = lib.singleton {
        name = "pdns";
        ensurePermissions = {
          "powerdns.*" = "ALL PRIVILEGES";
        };
      };
    };
    environment.systemPackages = with pkgs; [
      dnsutils
      powerdns
      mariadb
    ];
  };

  extraTestScript = ''

    with subtest("Loading the MySQL schema"):
        deployer.wait_for_unit("mysql")
        deployer.succeed(
            "sudo -u pdns mysql -u pdns -D powerdns <"
            "${pkgs.powerdns}/share/doc/pdns/schema.mysql.sql"
        )

    with subtest("PowerDNS server starts"):
        deployer.wait_for_unit("pdns")

    with subtest("validate"):
      deployer.succeed("""
        ${lib.getExe validate}
      """)
    with subtest("sync"):
      deployer.succeed("""
        ${lib.getExe sync}
      """)
    with subtest("no-op sync"):
      deployer.succeed("""
        ${lib.getExe sync}
      """)
  '';
}