Add NixOS integration test

module.nix

@@ -0,0 +1,56 @@
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.services.bang-evaluator;
+in
+{
+  options.services.bang-evaluator = {
+    enable = lib.mkEnableOption "bang-evaluator";
+    package = lib.mkOption {
+      type = lib.types.package;
+      default = import ./default.nix { inherit pkgs; };
+      example = "pkgs.bang-exporter-fork";
+      description = "The package to use for bang-exporter";
+    };
+    listenAddress = lib.mkOption {
+      type = lib.types.str;
+      default = ":8081";
+      example = "localhost:8081";
+      description = "The address bang-evaluator should listen on.";
+    };
+  };
+
+  config = {
+    systemd.services.bang-evaluator = lib.mkIf cfg.enable {
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network.target" ];
+      environment = {
+        BANG_EVALUATOR_LISTEN_ADDRESS = cfg.listenAddress;
+      };
+      serviceConfig = {
+        ExecStart = "${cfg.package}/bin/evaluator";
+        Restart = "always";
+
+        # taken from systemd-analyze --no-pager security bang-evaluator.service
+        # probably overkill
+        CapabilityBoundingSet = null;
+        DynamicUser = true;
+        LockPersonality = true;
+        MemoryDenyWriteExecute = true;
+        PrivateDevices = true;
+        PrivateUsers = true;
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        SystemCallArchitectures = "native";
+        SystemCallFilter = "@system-service";
+      };
+    };
+  };
+}

test.nix

@@ -0,0 +1,55 @@
+let
+  port = 8082;
+in
+import <nixpkgs/nixos/tests/make-test-python.nix> ({ pkgs, ... }:
+{
+  nodes = {
+    server = {
+      imports = [ ./module.nix ];
+
+      services.bang-evaluator = {
+        enable = true;
+        listenAddress = ":${toString port}";
+      };
+
+      networking.firewall.allowedTCPPorts = [ port ];
+    };
+    client = { };
+  };
+
+  testScript = ''
+    from urllib.parse import urlencode
+
+
+    def evalSearch(query, engine="https://duckduckgo.com/?q=%s"):
+        query_params = {
+            "query": query,
+            "engine": engine,
+        }
+        return client.succeed(
+            " ".join(
+                [
+                    "${pkgs.curl}/bin/curl",
+                    "-s",
+                    "-o/dev/null",
+                    "-w",
+                    "%{redirect_url}",
+                    f"'http://server:${toString port}/eval?{urlencode(query_params)}'",
+                ]
+            )
+        )
+
+
+    start_all()
+    server.wait_for_open_port(${toString port})
+    client.wait_for_unit("multi-user.target")
+
+    assert evalSearch("foo") == "https://duckduckgo.com/?q=foo"
+    assert evalSearch("foo !wde") == "https://de.wikipedia.org/w/index.php?search=foo"
+    assert evalSearch("!wde foo") == "https://de.wikipedia.org/w/index.php?search=foo"
+    assert (
+        evalSearch("foo", engine="https://startpage.com/sp/search?query=%s")
+        == "https://startpage.com/sp/search?query=foo"
+    )
+  '';
+})