7 files changed, 40 insertions, 90 deletions

diff --git a/tests/by-name/at/atuin-sync/test.nix b/tests/by-name/at/atuin-sync/test.nix
index 3e01885..d29c031 100644
--- a/tests/by-name/at/atuin-sync/test.nix
+++ b/tests/by-name/at/atuin-sync/test.nix
@@ -142,26 +142,11 @@ nixos-lib.runTest {
       run_and_record_in_atuin "$@"
     '';
 
-    acme_scripts = import ../../../common/acme/scripts.nix {inherit pkgs;};
+    acme = import ../../../common/acme {inherit pkgs;};
   in
-    /*
-    python
-    */
+    acme.prepare ["server" "client1" "client2"]
+    # Python
     ''
-      # Start dependencies for the other services
-      acme.start()
-      acme.wait_for_unit("pebble.service")
-      name_server.start()
-      name_server.wait_for_unit("nsd.service")
-
-      # Start actual test
-      start_all()
-
-      with subtest("Add pebble ca key to all services"):
-        for node in [name_server, server, client1, client2]:
-          node.wait_for_unit("network-online.target")
-          node.succeed("${acme_scripts.add_pebble_acme_ca}")
-
       server.wait_for_unit("atuin.service")
       server.wait_for_open_port(443)
 
diff --git a/tests/by-name/em/email-dns/test.nix b/tests/by-name/em/email-dns/test.nix
index f0399a5..c7ba3b3 100644
--- a/tests/by-name/em/email-dns/test.nix
+++ b/tests/by-name/em/email-dns/test.nix
@@ -90,23 +90,13 @@ in
         }
       '';
 
-      acme_scripts = import ../../../common/acme/scripts.nix {inherit pkgs;};
+      acme = import ../../../common/acme {inherit pkgs;};
     in
-      /*
-      python
-      */
+      acme.prepare ["mail1_server" "mail2_server" "alice" "bob"]
+      # Python
       ''
         from time import sleep
 
-        # Start dependencies for the other services
-        acme.start()
-        acme.wait_for_unit("pebble.service")
-        name_server.start()
-        name_server.wait_for_unit("nsd.service")
-
-        # Start the actual testing machines
-        start_all()
-
         mail1_server.wait_for_unit("stalwart-mail.service")
         mail1_server.wait_for_open_port(993) # imap
         mail1_server.wait_for_open_port(465) # smtp
@@ -120,10 +110,6 @@ in
         name_server.wait_until_succeeds("stat /var/lib/acme/mta-sts.alice.com/cert.pem")
         name_server.wait_until_succeeds("stat /var/lib/acme/mta-sts.bob.com/cert.pem")
 
-        with subtest("Add pebble ca key to all services"):
-          for node in [name_server, mail1_server, mail2_server, alice, bob]:
-            node.succeed("${acme_scripts.add_pebble_acme_ca}")
-
         with subtest("Both mailserver successfully started all services"):
           import json
           def all_services_running(host):
diff --git a/tests/by-name/em/email-http/test.nix b/tests/by-name/em/email-http/test.nix
index f508b9f..82b4c45 100644
--- a/tests/by-name/em/email-http/test.nix
+++ b/tests/by-name/em/email-http/test.nix
@@ -71,32 +71,17 @@ in
 
     # TODO(@bpeetz): This test should also test the http JMAP features of stalwart-mail. <2025-04-12>
     testScript = _: let
-      acme_scripts = import ../../../common/acme/scripts.nix {inherit pkgs;};
+      acme = import ../../../common/acme {inherit pkgs;};
     in
-      /*
-      python
-      */
+      acme.prepare ["mail_server" "bob"]
+      # Python
       ''
-        # Start dependencies for the other services
-        acme.start()
-        acme.wait_for_unit("pebble.service")
-        name_server.start()
-        name_server.wait_for_unit("nsd.service")
-
-        # Start the actual testing machines
-        start_all()
-
         mail_server.wait_for_unit("stalwart-mail.service")
         mail_server.wait_for_open_port(993) # imap
         mail_server.wait_for_open_port(465) # smtp
 
         bob.wait_for_unit("multi-user.target")
 
-        with subtest("Add pebble ca key to all services"):
-          for node in [name_server, mail_server, bob]:
-            node.wait_for_unit("network-online.target")
-            node.succeed("${acme_scripts.add_pebble_acme_ca}")
-
         with subtest("The mailserver successfully started all services"):
           import json
           def all_services_running(host):
diff --git a/tests/by-name/sh/sharkey/test.nix b/tests/by-name/sh/sharkey/test.nix
index b2ad461..0d79cd2 100644
--- a/tests/by-name/sh/sharkey/test.nix
+++ b/tests/by-name/sh/sharkey/test.nix
@@ -82,26 +82,11 @@ nixos-lib.runTest {
   };
 
   testScript = {nodes, ...}: let
-    acme_scripts = import ../../../common/acme/scripts.nix {inherit pkgs;};
+    acme = import ../../../common/acme {inherit pkgs;};
   in
-    /*
-    python
-    */
+    acme.prepare ["server" "client"]
+    # Python
     ''
-      # Start dependencies for the other services
-      acme.start()
-      acme.wait_for_unit("pebble.service")
-      name_server.start()
-      name_server.wait_for_unit("nsd.service")
-
-      # Start the actual testing machines
-      start_all()
-
-      with subtest("Add pebble ca key to all services"):
-        for node in [name_server, server, client]:
-          node.wait_for_unit("network-online.target")
-          node.succeed("${acme_scripts.add_pebble_acme_ca}")
-
       server.wait_for_unit("sharkey.service")
 
       with subtest("All services running"):
diff --git a/tests/by-name/ta/taskchampion-sync/test.nix b/tests/by-name/ta/taskchampion-sync/test.nix
index 99134bc..830b79a 100644
--- a/tests/by-name/ta/taskchampion-sync/test.nix
+++ b/tests/by-name/ta/taskchampion-sync/test.nix
@@ -114,26 +114,11 @@ nixos-lib.runTest {
         echo 'sync.encryption_secret=${password}' >> "${path}"
       '';
 
-    acme_scripts = import ../../../common/acme/scripts.nix {inherit pkgs;};
+    acme = import ../../../common/acme {inherit pkgs;};
   in
-    /*
-    python
-    */
+    acme.prepare ["server" "task_client1" "task_client2"]
+    # Python
     ''
-      # Start dependencies for the other services
-      acme.start()
-      acme.wait_for_unit("pebble.service")
-      name_server.start()
-      name_server.wait_for_unit("nsd.service")
-
-      # Start actual test
-      start_all()
-
-      with subtest("Add pebble ca key to all services"):
-        for node in [name_server, server, task_client1, task_client2]:
-          node.wait_for_unit("network-online.target")
-          node.succeed("${acme_scripts.add_pebble_acme_ca}")
-
       server.wait_for_unit("taskchampion-sync-server.service")
       server.wait_for_open_port(443)
 
diff --git a/tests/common/acme/default.nix b/tests/common/acme/default.nix
new file mode 100644
index 0000000..794a939
--- /dev/null
+++ b/tests/common/acme/default.nix
@@ -0,0 +1,24 @@
+{pkgs}: let
+  acme_scripts = import ./scripts.nix {inherit pkgs;};
+in {
+  prepare = clients: extra:
+  # The parens are needed for the syntax highlighting to work.
+    ( # python
+      ''
+        # Start dependencies for the other services
+        acme.start()
+        acme.wait_for_unit("pebble.service")
+        name_server.start()
+        name_server.wait_for_unit("nsd.service")
+
+        # Start actual test
+        start_all()
+
+        with subtest("Add pebble ca key to all services"):
+          for node in [name_server, ${builtins.concatStringsSep "," clients}]:
+            node.wait_until_succeeds("curl https://acme.test:15000/roots/0")
+            node.succeed("${acme_scripts.add_pebble_ca_certs}")
+      ''
+    )
+    + extra;
+}
diff --git a/tests/common/acme/scripts.nix b/tests/common/acme/scripts.nix
index 2228823..4161ab8 100644
--- a/tests/common/acme/scripts.nix
+++ b/tests/common/acme/scripts.nix
@@ -3,7 +3,7 @@
 * Extra functions useful for the test script.
 */
 {
-  add_pebble_acme_ca = pkgs.writeShellScript "fetch-and-set-ca" ''
+  add_pebble_ca_certs = pkgs.writeShellScript "fetch-and-set-ca" ''
     set -xe
 
     # Fetch the randomly generated ca certificate