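# NixOS VM test: checks that the systemd sandboxing applied to `sharkey.service`
# still lets the process read CPU information.
#
# The real Sharkey process is never started here. Its `ExecStart` is replaced by
# a small Node.js probe, so the test exercises only the unit's sandbox (the
# hardening directives live in the sharkey module, which is not part of this
# file) and not the application itself.
{
  nixos-lib,
  pkgsUnstable,
  nixpkgs-unstable,
  vhackPackages,
  pkgs,
  extraModules,
  nixLib,
  ...
}:
nixos-lib.runTest {
  hostPkgs = pkgs; # the Nixpkgs package set used outside the VMs

  name = "sharkey-images";

  node = {
    specialArgs = {inherit pkgsUnstable extraModules vhackPackages nixpkgs-unstable nixLib;};

    # Use the nixpkgs as constructed by the `nixpkgs.*` options
    pkgs = null;
  };

  nodes = {
    server = {config, ...}: {
      imports =
        extraModules
        ++ [
          ../../../../modules
        ];

      vhack = {
        persist.enable = true;
        nginx.enable = true;
        sharkey = {
          enable = true;
          fqdn = "sharkey.server";
        };
      };

      systemd.services = {
        # Avoid an error from this service.
        # The unit's command is forced to coreutils' `true`, so it always
        # exits successfully and cannot show up in the failed-unit list below.
        "acme-sharkey.server".serviceConfig.ExecStart = pkgs.lib.mkForce "${pkgs.lib.getExe' pkgs.coreutils "true"}";

        # Test, that sharkey's hardening still allows access to the CPUs.
        #
        # The probe runs inside the same unit, so it inherits whatever
        # sandboxing the module configured. `os.cpus()[0].model` throws when
        # `os.cpus()` is empty (which is what Node reports when it cannot read
        # CPU information), making the process exit non-zero.
        #
        # NOTE(review): the probe output only goes to the journal; the test
        # script does not inspect it, it only looks for failed units.
        sharkey.serviceConfig.ExecStart = let
          nodejs = pkgs.lib.getExe pkgsUnstable.nodejs;
          script = pkgs.writeTextFile {
            name = "script.js";
            text = ''
              import * as os from 'node:os';
              console.log(os.cpus()[0].model)
              console.log(os.cpus().length)
            '';
          };
        in
          pkgs.lib.mkForce "${nodejs} ${script}";
      };
    };
  };

  testScript = {nodes, ...}:
  /*
  python
  */
  ''
    from time import sleep

    start_all()
    server.wait_for_unit("sharkey.service")

    # Give the service time to start.
    # NOTE(review): the check below relies on a crashed probe having reached
    # the `failed` state within this window. If the sharkey module sets a
    # `Restart=` policy, the unit may instead be waiting for a restart at that
    # moment -- confirm against the module.
    sleep(3)

    with subtest("All services running"):
        import json

        def all_services_running(host):
            """Fail the test if `host` reports any unit in the `failed` state."""
            (status, output) = host.systemctl("list-units --state=failed --plain --no-pager --output=json")
            # Do not trust the output of a failed query: without this check a
            # broken `systemctl` call surfaces as a confusing JSON parse error
            # instead of a clear test failure.
            assert status == 0, f"systemctl list-units failed with exit status {status}: {output}"
            host_failed = json.loads(output)
            assert len(host_failed) == 0, f"Expected zero failing services, but found: {json.dumps(host_failed, indent=4)}"

        all_services_running(server)
  '';
}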