diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index 8b674bfb7342..0263faf42573 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -879,6 +879,7 @@ in {
   retroarch = handleTest ./retroarch.nix {};
   rke2 = handleTestOn ["aarch64-linux" "x86_64-linux"] ./rke2 {};
   rkvm = handleTest ./rkvm {};
+  rmfakecloud = runTest ./rmfakecloud.nix;
   robustirc-bridge = handleTest ./robustirc-bridge.nix {};
   roundcube = handleTest ./roundcube.nix {};
   rosenpass = handleTest ./rosenpass.nix {};
diff --git a/nixos/tests/rmfakecloud.nix b/nixos/tests/rmfakecloud.nix
new file mode 100644
index 000000000000..f226c20b9577
--- /dev/null
+++ b/nixos/tests/rmfakecloud.nix
@@ -0,0 +1,67 @@
+{ pkgs, ... }:
+{
+  name = "rmfakecloud";
+  meta = with pkgs.lib.maintainers; {
+    maintainers = [ martinetd ];
+  };
+
+  nodes.machine = {
+    services.rmfakecloud = {
+      enable = true;
+      storageUrl = "https://local.appspot.com";
+    };
+  };
+
+  testScript = ''
+    machine.wait_for_unit("rmfakecloud.service")
+    machine.wait_for_open_port(3000)
+
+    # first login creates user
+    login_token = machine.succeed("""
+      curl -sSf -b cookie -c cookie -H "Content-Type: application/json" \
+        -d'{"email":"test","password":"test"}' -X POST \
+        http://localhost:3000/ui/api/login
+    """)
+
+    # subsequent different pass or mail should fail, but same login works
+    machine.fail("""
+      curl -sSf -H "Content-Type: application/json" \
+        -d'{"email":"test","password":"test2"}' -X POST \
+        http://localhost:3000/ui/api/login
+    """)
+    machine.fail("""
+      curl -sSf -H "Content-Type: application/json" \
+        -d'{"email":"test2","password":"test"}' -X POST
+        http://localhost:3000/ui/api/login
+    """)
+    machine.succeed("""
+      curl -sSf -H "Content-Type: application/json" \
+        -d'{"email":"test","password":"test"}' -X POST \
+        http://localhost:3000/ui/api/login
+    """)
+
+    # can get code from cookie or bearer
+    machine.succeed("""
+      curl -sSf -b cookie -c cookie http://localhost:3000/ui/api/newcode
+    """)
+    newcode = machine.succeed(f"""
+      curl -sSf -H "Authorization: Bearer {login_token}" \
+        http://localhost:3000/ui/api/newcode
+    """).strip('"')
+
+    # ... but not junk
+    machine.fail(f"""
+      curl -sSf -H "Authorization: Bearer abc{login_token}" \
+          http://localhost:3000/ui/api/newcode
+    """)
+
+    # can connect "device" with said code
+    machine.succeed(f"""
+      curl -sSf -d '{{"code":"{newcode}", "deviceDesc": "desc", "deviceID":"rm100-123"}}' \
+        http://localhost:3000/token/json/2/device/new
+    """)
+
+    # for future improvements
+    machine.log(machine.execute("systemd-analyze security rmfakecloud.service")[1])
+  '';
+}
diff --git a/pkgs/by-name/rm/rmfakecloud/package.nix b/pkgs/by-name/rm/rmfakecloud/package.nix
index 9e6dd286696b..f68229b10a16 100644
--- a/pkgs/by-name/rm/rmfakecloud/package.nix
+++ b/pkgs/by-name/rm/rmfakecloud/package.nix
@@ -4,6 +4,7 @@
   buildGoModule,
   callPackage,
   enableWebui ? true,
+  nixosTests,
 }:
 
 buildGoModule rec {
@@ -38,6 +39,8 @@ buildGoModule rec {
     "-X main.version=v${version}"
   ];
 
+  passthru.tests.rmfakecloud = nixosTests.rmfakecloud;
+
   meta = with lib; {
     description = "Host your own cloud for the Remarkable";
     homepage = "https://ddvk.github.io/rmfakecloud/";