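{pkgs}:
let
  # Shell script, run on a test VM node, that fetches the CA pebble generated
  # at start-up and appends it to the node's system trust stores so that
  # certificates pebble issues during the test validate.
  #
  # Test-only: it installs a CA fetched over the network into system-wide
  # trust stores and must never run outside a throwaway test VM.
  add_pebble_ca_certs = pkgs.writeShellScript "fetch-and-set-ca" ''
    set -xeu

    # Fetch the randomly generated ca certificate (root, then intermediate).
    # --fail is required: without it an HTTP error response (4xx/5xx) still
    # exits 0 under `set -e`, and the error body -- not a certificate -- would
    # be appended to every trust store below. -sS keeps the progress meter
    # out of the trace while still reporting failures.
    curl -fsS https://acme.test:15000/roots/0 > /tmp/ca.crt
    curl -fsS https://acme.test:15000/intermediates/0 >> /tmp/ca.crt

    # Append it to the various system stores
    # The file paths are from /modules/security/ca.nix
    for cert_path in "ssl/certs/ca-certificates.crt" \
                     "ssl/certs/ca-bundle.crt" \
                     "pki/tls/certs/ca-bundle.crt"; do
      cert_path="/etc/$cert_path"
      # Move the original aside (it may be a symlink into the store) and
      # replace it with a regular file holding the old bundle plus the
      # pebble CA. The ".old" copy is intentionally left behind.
      mv "$cert_path" "$cert_path.old"
      cat "$cert_path.old" > "$cert_path"
      cat /tmp/ca.crt >> "$cert_path"
    done

    # NOTE(review): these exports only affect the rest of this script (which
    # is nothing). The test driver runs the script as its own process, so
    # they do not change the environment of later commands on the node; the
    # trust-store edits above are what actually takes effect.
    export NIX_SSL_CERT_FILE=/tmp/ca.crt
    export SSL_CERT_FILE=/tmp/ca.crt

    # TODO
    #
    # P11-Kit trust source.
    # environment.etc."ssl/trust-source".source = "$${cacertPackage.p11kit}/etc/ssl/trust-source";
  '';
in
{
  # Returns the Python prologue for an ACME test script.
  #
  # clients: list of test-node names (strings) that, in addition to
  #          name_server, must trust the pebble CA.
  # extra:   Python text appended verbatim after the prologue.
  prepare = clients: extra:
    # The parens are needed for the syntax highlighting to work.
    (
      # python
      ''
        # Start dependencies for the other services
        acme.start()
        acme.wait_for_unit("pebble.service")
        name_server.start()
        name_server.wait_for_unit("nsd.service")

        # Start actual test
        start_all()

        with subtest("Add pebble ca key to all services"):
            for node in [name_server, ${builtins.concatStringsSep "," clients}]:
                # --fail: a reachable pebble answering with an HTTP error must
                # not count as "ready", or the CA install below gets garbage.
                node.wait_until_succeeds("curl -fsS https://acme.test:15000/roots/0")
                node.succeed("${add_pebble_ca_certs}")
      ''
    ) + extra;
}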