Put functional tests in `tests/functional`

I think it is bad for these reasons when `tests/` contains a mix of
functional and integration tests

 - Concepts is harder to understand, the documentation makes a good
   unit vs functional vs integration distinction, but when the
   integration tests are just two subdirs within `tests/` this is not
   clear.

 - Source filtering in the `flake.nix` is more complex. We need to
   filter out some of the dirs from `tests/`, rather than simply pick
   the dirs we want and take all of them. This is a good sign the
   structure of what we are trying to do is not matching the structure
   of the files.

With this change we have a clean:
```shell-session
$ git show 'HEAD:tests'
tree HEAD:tests

functional/
installer/
nixos/
```

(cherry picked from commit 68c81c737571794f7246db53fb4774e94fcf4b7e)

1 files changed, 30 insertions, 0 deletions

diff --git a/tests/functional/linux-sandbox-cert-test.nix b/tests/functional/linux-sandbox-cert-test.nix
new file mode 100644
index 000000000..2fc083ea9
--- /dev/null
+++ b/tests/functional/linux-sandbox-cert-test.nix
@@ -0,0 +1,30 @@
+{ mode }:
+
+with import ./config.nix;
+
+mkDerivation (
+  {
+    name = "ssl-export";
+    buildCommand = ''
+      # Add some indirection, otherwise grepping into the debug output finds the string.
+      report () { echo CERT_$1_IN_SANDBOX; }
+
+      if [ -f /etc/ssl/certs/ca-certificates.crt ]; then
+        content=$(</etc/ssl/certs/ca-certificates.crt)
+        if [ "$content" == CERT_CONTENT ]; then
+          report present
+        fi
+      else
+        report missing
+      fi
+
+      # Always fail, because we do not want to bother with fixed-output
+      # derivations being cached, and do not want to compute the right hash.
+      false;
+    '';
+  } // {
+    fixed-output = { outputHash = "sha256:0000000000000000000000000000000000000000000000000000000000000000"; };
+    normal = { };
+  }.${mode}
+)
+