{ pkgs, lib, ... }:
{
  name = "zkap-spending-service";
  nodes = {
    spending = { config, pkgs, ourpkgs, modulesPath, ... }: {
      imports = [
        ../modules/packages.nix
        ../modules/spending.nix
      ];

      services.private-storage-spending.enable = true;
      services.private-storage-spending.domain = "localhost";
    };
    external = { ... }: {
      # A node that has no particular configuration, for testing access rules
      # for external hosts.
    };
  };
  testScript = { nodes }: let
    revision = nodes.spending.config.passthru.ourpkgs.zkap-spending-service.meta.rev;
    curl = "${pkgs.curl}/bin/curl -sSf --max-time 5";
  in
    ''
      import json

      start_all()

      spending.wait_for_open_port(80)
      with subtest("Ensure we can ping the spending service"):
        output = spending.succeed("${curl} http://localhost/v1/_ping")
        assert json.loads(output)["status"] == "ok", "Could not ping spending service."
      with subtest("Ensure external hosts can ping the spending service"):
        output = external.succeed("${curl} http://spending/v1/_ping")
        assert json.loads(output)["status"] == "ok", "Could not ping spending service."
      with subtest("Ensure that the spending service version matches the expected version"):
        output = spending.succeed("${curl} http://localhost/v1/_version")
        assert json.loads(output)["revision"] == "${revision}", "Spending service revision does not match."
      with subtest("Ensure that the spending service generates metrics"):
        # TODO: We should pass "-H 'accept: application/openmetrics-text'" here.
        # See https://github.com/prometheus/prometheus/issues/8932
        output = spending.succeed("${curl} http://localhost/metrics | ${pkgs.prometheus}/bin/promtool check metrics")
      with subtest("Ensure that the metrics are not accesible from other machines"):
        output = external.fail("${curl} http://spending/metrics")
    '';
}