{
  nixos-lib,
  pkgsUnstable,
  nixpkgs-unstable,
  vhackPackages,
  pkgs,
  extraModules,
  nixLib,
  ...
}: let
  mail_server = import ./nodes/mail_server.nix {inherit extraModules pkgs vhackPackages;};
  inherit (mail_server) mkMailServer;
  user = import ./nodes/user.nix {inherit pkgs vhackPackages;};
  inherit (user) mkUser;
in
  nixos-lib.runTest {
    hostPkgs = pkgs; # the Nixpkgs package set used outside the VMs

    name = "email-http";

    node = {
      specialArgs = {inherit pkgsUnstable vhackPackages nixpkgs-unstable nixLib;};

      # Use the nixpkgs as constructed by the `nixpkgs.*` options
      pkgs = null;
    };

    nodes = {
      acme = {
        nodes,
        lib,
        ...
      }: {
        imports = [../../../common/acme];
        networking.nameservers = lib.mkForce [
          nodes.name_server.networking.primaryIPAddress
        ];
      };

      name_server = import ./nodes/name_server.nix {inherit extraModules;};

      mail_server = mkMailServer "mail" null;

      bob = mkUser "bob" "mail";
    };

    # TODO(@bpeetz): This test should also test the http JMAP features of stalwart-mail. <2025-04-12>
    testScript = _:
    /*
    python
    */
    ''
      # Start dependencies for the other services
      acme.start()
      acme.wait_for_unit("pebble.service")
      name_server.start()
      name_server.wait_for_unit("nsd.service")

      # Start the actual testing machines
      start_all()

      mail_server.wait_for_unit("stalwart-mail.service")
      mail_server.wait_for_open_port(993) # imap
      mail_server.wait_for_open_port(465) # smtp

      bob.wait_for_unit("multi-user.target")

      with subtest("Add pebble ca key to all services"):
        for node in [name_server, mail_server, bob]:
          node.succeed("${pkgs.writeShellScript "fetch-and-set-ca" ''
        set -xe

        # Fetch the randomly generated ca certificate
        curl https://acme.test:15000/roots/0 > /tmp/ca.crt
        curl https://acme.test:15000/intermediates/0 >> /tmp/ca.crt

        # Append it to the various system stores
        # The file paths are from <nixpgks>/modules/security/ca.nix
        for cert_path in "ssl/certs/ca-certificates.crt" "ssl/certs/ca-bundle.crt" "pki/tls/certs/ca-bundle.crt"; do
          cert_path="/etc/$cert_path"

          mv "$cert_path" "$cert_path.old"
          cat "$cert_path.old" > "$cert_path"
          cat /tmp/ca.crt >> "$cert_path"
        done

        export NIX_SSL_CERT_FILE=/tmp/ca.crt
        export SSL_CERT_FILE=/tmp/ca.crt

        # TODO
        # # P11-Kit trust source.
        # environment.etc."ssl/trust-source".source = "$${cacertPackage.p11kit}/etc/ssl/trust-source";
      ''}")

      with subtest("The mailserver successfully started all services"):
        import json
        def all_services_running(host):
          (status, output) = host.systemctl("list-units --state=failed --plain --no-pager --output=json")
          host_failed = json.loads(output)
          assert len(host_failed) == 0, f"Expected zero failing services, but found: {json.dumps(host_failed, indent=4)}"
        all_services_running(mail_server)

      with subtest("Bob can use the self-service interface"):
        bob.succeed("${pkgs.writeShellScript "check-self-service" ''
        curl mail.server.com --location --output /home/bob/output.html;
      ''}")

      bob.copy_from_vm("/home/bob", "")
    '';
  }