Validate rendered cloud-init templates against official schema

Add jsonschema dev dependency and two new tests that render the Jinja2
cloud-init template (with and without Tailscale) then validate the
output against canonical/cloud-init's JSON schema. Tests skip gracefully
when the network is unavailable.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: ret2libc

pyproject.toml

@@ -61,6 +61,7 @@ packages = ["dropkit"]
 
 [dependency-groups]
 dev = [
+    "jsonschema>=4.26.0",
     "pytest>=8.4.2",
     "pytest-cov",
     "ruff>=0.8.0",

tests/test_cloudinit.py

@@ -1,9 +1,30 @@
 """Tests for cloud-init template parsing and rendering."""
 
+import json
+import urllib.request
+
+import pytest
+import yaml
 from jinja2 import Template, TemplateSyntaxError
+from jsonschema import Draft4Validator
 
 from dropkit.config import Config
 
+CLOUD_CONFIG_SCHEMA_URL = (
+    "https://raw.githubusercontent.com/canonical/cloud-init/main/"
+    "cloudinit/config/schemas/schema-cloud-config-v1.json"
+)
+
+
+@pytest.fixture(scope="module")
+def cloud_config_schema():
+    """Fetch the official cloud-init JSON schema (skip if offline)."""
+    try:
+        with urllib.request.urlopen(CLOUD_CONFIG_SCHEMA_URL, timeout=10) as resp:  # noqa: S310
+            return json.loads(resp.read())
+    except (urllib.error.URLError, TimeoutError):
+        pytest.skip("Could not fetch cloud-init schema (offline?)")
+
 
 def _load_default_template() -> str:
     """Load the default cloud-init template content."""
@@ -74,3 +95,36 @@ def test_docker_install_uses_distro_detection():
 
     # Architecture detected dynamically, not hardcoded amd64
     assert "dpkg --print-architecture" in rendered
+
+
+def _render_template(tailscale_enabled: bool = True) -> str:
+    """Render the default template with sample variables."""
+    content = _load_default_template()
+    template = Template(content)
+    return template.render(
+        username="testuser",
+        full_name="Test User",
+        email="test@example.com",
+        ssh_keys=["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5 test@host"],
+        tailscale_enabled=tailscale_enabled,
+    )
+
+
+def test_rendered_template_valid_cloud_config_schema(cloud_config_schema):
+    """Verify the rendered template passes cloud-init schema validation."""
+    rendered = _render_template(tailscale_enabled=True)
+    doc = yaml.safe_load(rendered)
+    validator = Draft4Validator(cloud_config_schema)
+    errors = list(validator.iter_errors(doc))
+    messages = [f"  - {e.message}" for e in errors]
+    assert not errors, "Cloud-init schema errors:\n" + "\n".join(messages)
+
+
+def test_rendered_template_no_tailscale_valid_schema(cloud_config_schema):
+    """Verify the rendered template without Tailscale also passes schema validation."""
+    rendered = _render_template(tailscale_enabled=False)
+    doc = yaml.safe_load(rendered)
+    validator = Draft4Validator(cloud_config_schema)
+    errors = list(validator.iter_errors(doc))
+    messages = [f"  - {e.message}" for e in errors]
+    assert not errors, "Cloud-init schema errors:\n" + "\n".join(messages)