diff --git a/flake.lock b/flake.lock index 89c4406..d8555b7 100644 --- a/flake.lock +++ b/flake.lock @@ -1,12 +1,33 @@ { "nodes": { + "home-manager": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1733951536, + "narHash": "sha256-Zb5ZCa7Xj+0gy5XVXINTSr71fCfAv+IKtmIXNrykT54=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "1318c3f3b068cdcea922fa7c1a0a1f0c96c22f5f", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "release-24.11", + "repo": "home-manager", + "type": "github" + } + }, "nixpkgs": { "locked": { - "lastModified": 1733348545, - "narHash": "sha256-b4JrUmqT0vFNx42aEN9LTWOHomkTKL/ayLopflVf81U=", + "lastModified": 1734298236, + "narHash": "sha256-aWhhqY44xBjMoO9r5fyPp5u8tqUNWRZ/m/P+abMSs5c=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "9ecb50d2fae8680be74c08bb0a995c5383747f89", + "rev": "eb919d9300b6a18f8583f58aef16db458fbd7bec", "type": "github" }, "original": { @@ -18,6 +39,7 @@ }, "root": { "inputs": { + "home-manager": "home-manager", "nixpkgs": "nixpkgs" } } diff --git a/flake.nix b/flake.nix index 7418c97..624a060 100644 --- a/flake.nix +++ b/flake.nix @@ -3,10 +3,19 @@ inputs = { nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11-small"; + + home-manager = { + url = "github:nix-community/home-manager/release-24.11"; + inputs.nixpkgs.follows = "nixpkgs"; + }; }; outputs = - { self, nixpkgs }: + { + self, + nixpkgs, + home-manager, + }: let supportedSystems = [ "aarch64-linux" @@ -27,6 +36,7 @@ inherit (pkgs) runCommandLocal + callPackage nixfmt-rfc-style deadnix statix @@ -63,6 +73,8 @@ touch $out ''; + + nixos-tests = callPackage ./test.nix { inherit self home-manager; }; } ); diff --git a/test.nix b/test.nix new file mode 100644 index 0000000..4643775 --- /dev/null +++ b/test.nix 
@@ -0,0 +1,180 @@ +{ + self, + home-manager, + nixosTest, +}: + +nixosTest { + name = "fortify-test"; + + # adapted from nixos sway integration tests + + # testScriptWithTypes:49: error: Cannot call function of unknown type + # (machine.succeed if succeed else machine.execute)( + # ^ + # Found 1 error in 1 file (checked 1 source file) + skipTypeCheck = true; + + nodes.machine = + { lib, pkgs, ... }: + { + users.users.alice = { + isNormalUser = true; + description = "Alice Foobar"; + password = "foobar"; + uid = 1000; + }; + + home-manager.users.alice.home.stateVersion = "24.11"; + + # Automatically login on tty1 as a normal user: + services.getty.autologinUser = "alice"; + + environment = { + variables = { + SWAYSOCK = "/tmp/sway-ipc.sock"; + WLR_RENDERER = "pixman"; + }; + + # To help with OCR: + etc."xdg/foot/foot.ini".text = lib.generators.toINI { } { + main = { + font = "inconsolata:size=14"; + }; + colors = rec { + foreground = "000000"; + background = "ffffff"; + regular2 = foreground; + }; + }; + }; + + fonts.packages = [ pkgs.inconsolata ]; + + # Automatically configure and start Sway when logging in on tty1: + programs.bash.loginShellInit = '' + if [ "$(tty)" = "/dev/tty1" ]; then + set -e + + mkdir -p ~/.config/sway + sed s/Mod4/Mod1/ /etc/sway/config > ~/.config/sway/config + + sway --validate + sway && touch /tmp/sway-exit-ok + fi + ''; + + programs.sway.enable = true; + + # Need to switch to a different GPU driver than the default one (-vga std) so that Sway can launch: + virtualisation.qemu.options = [ "-vga none -device virtio-gpu-pci" ]; + + environment.fortify = { + enable = true; + stateDir = "/var/lib/fortify"; + users.alice = 0; + }; + + imports = [ + self.nixosModules.fortify + home-manager.nixosModules.home-manager + ]; + }; + + testScript = '' + import shlex + import json + + q = shlex.quote + NODE_GROUPS = ["nodes", "floating_nodes"] + + + def swaymsg(command: str = "", succeed=True, type="command"): + assert command != "" or type != 
"command", "Must specify command or type" + shell = q(f"swaymsg -t {q(type)} -- {q(command)}") + with machine.nested( + f"sending swaymsg {shell!r}" + " (allowed to fail)" * (not succeed) + ): + ret = (machine.succeed if succeed else machine.execute)( + f"su - alice -c {shell}" + ) + + # execute also returns a status code, but disregard. + if not succeed: + _, ret = ret + + if not succeed and not ret: + return None + + parsed = json.loads(ret) + return parsed + + + def walk(tree): + yield tree + for group in NODE_GROUPS: + for node in tree.get(group, []): + yield from walk(node) + + + def wait_for_window(pattern): + def func(last_chance): + nodes = (node["name"] for node in walk(swaymsg(type="get_tree"))) + + if last_chance: + nodes = list(nodes) + machine.log(f"Last call! Current list of windows: {nodes}") + + return any(pattern in name for name in nodes) + + retry(func) + + start_all() + machine.wait_for_unit("multi-user.target") + + # To check the version: + print(machine.succeed("sway --version")) + + # Wait for Sway to complete startup: + machine.wait_for_file("/run/user/1000/wayland-1") + machine.wait_for_file("/tmp/sway-ipc.sock") + + # Create fortify aid 0 home directory: + machine.succeed("install -dm 0700 -o 1000000 -g 1000000 /var/lib/fortify/u0/a0") + + # Start fortify outside Wayland session: + print(machine.succeed("sudo -u alice -i fortify -v run -a 0 touch /tmp/success-bare")) + machine.wait_for_file("/tmp/fortify.1000/tmpdir/0/success-bare") + + # Start fortify within Wayland session: + swaymsg("exec fortify -v run --wayland touch /tmp/success-session") + machine.wait_for_file("/tmp/fortify.1000/tmpdir/0/success-session") + + # Start a terminal (foot) within fortify on workspace 3: + machine.send_key("alt-3") + machine.sleep(3) + swaymsg("exec fortify run --wayland foot") + wait_for_window("u0_a0@machine") + machine.send_chars("touch /tmp/success-client\n") + machine.wait_for_file("/tmp/fortify.1000/tmpdir/0/success-client") + 
machine.screenshot("foot_wayland_permissive") + machine.send_chars("exit\n") + machine.wait_until_fails("pgrep foot") + + # Start a terminal (foot) within fortify from a terminal on workspace 4: + machine.send_key("alt-4") + machine.sleep(3) + swaymsg("exec foot fortify run --wayland foot") + wait_for_window("u0_a0@machine") + machine.send_chars("touch /tmp/success-client-term\n") + machine.wait_for_file("/tmp/fortify.1000/tmpdir/0/success-client-term") + machine.screenshot("foot_wayland_permissive_term") + machine.send_chars("exit\n") + machine.wait_until_fails("pgrep foot") + + # Exit Sway and verify process exit status 0: + swaymsg("exit", succeed=False) + machine.wait_until_fails("pgrep -x sway") + machine.wait_for_file("/tmp/sway-exit-ok") + ''; +}
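Review bot: The new test only asserts that fortify can launch commands and that their output lands in the per-aid tmpdir (`/tmp/fortify.1000/tmpdir/0/...`); nothing asserts that confinement actually holds, so a regression that ran the command unsandboxed would still pass every `wait_for_file`. Since the visible paths show the sandboxed process gets a private /tmp, a cheap negative check right after the bare-run step would catch that: `machine.succeed("touch /tmp/outside-marker")` followed by `machine.fail("sudo -u alice -i fortify run -a 0 test -e /tmp/outside-marker")` (this assumes /tmp is replaced rather than overlaid inside the sandbox; confirm against the tool's mount layout). The `machine.sleep(3)` after each `send_key("alt-N")` is a fixed delay that makes the script timing-dependent; polling `swaymsg(type="get_workspaces")` until the expected workspace is focused would be deterministic. A short comment on the `install -dm 0700 -o 1000000 -g 1000000 ...` line explaining how 1000000 derives from the `users.alice = 0` mapping would help readers, since the constant is otherwise unexplained.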