diff --git a/deployment/check/common/nixosTest.nix b/deployment/check/common/nixosTest.nix
index 93bd3fef..9d4e528d 100644
--- a/deployment/check/common/nixosTest.nix
+++ b/deployment/check/common/nixosTest.nix
@@ -80,41 +80,44 @@ in
 acmeNodeIP = config.nodes.acme.networking.primaryIPAddress;
- nodes =
+ nodes = lib.mkMerge [
 {
- deployer = {
- imports = [ ./deployerNode.nix ];
- _module.args = { inherit inputs sources; };
- enableAcme = config.enableAcme;
- acmeNodeIP = config.nodes.acme.networking.primaryIPAddress;
- };
+ deployer = lib.mkMerge [
+ {
+ imports = [ ./deployerNode.nix ];
+ _module.args = { inherit inputs sources; };
+ enableAcme = config.enableAcme;
+ }
+ (lib.mkIf config.enableAcme {
+ acmeNodeIP = config.nodes.acme.networking.primaryIPAddress;
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "test@test.com";
+ defaults.server = "https://acme.test/dir";
+ };
+ security.pki.certificateFiles = [
+ (import "${inputs.nixpkgs}/nixos/tests/common/acme/server/snakeoil-certs.nix").ca.cert
+ ];
+ networking.extraHosts = "${config.acmeNodeIP} acme.test";
+ })
+ ];
 }
-
- //
-
- (
- if config.enableAcme then
- {
- acme = {
- ## FIXME: This makes `nodes.acme` into a local resolver. Maybe this will
- ## break things once we play with DNS?
- imports = [ "${inputs.nixpkgs}/nixos/tests/common/acme/server" ];
- ## We aren't testing ACME - we just want certificates.
- systemd.services.pebble.environment.PEBBLE_VA_ALWAYS_VALID = "1";
- };
- }
- else
- { }
- )
-
- //
-
- genAttrs config.targetMachines (_: {
- imports = [ ./targetNode.nix ];
- _module.args = { inherit inputs sources; };
- enableAcme = config.enableAcme;
- acmeNodeIP = if config.enableAcme then config.nodes.acme.networking.primaryIPAddress else null;
- });
+ (lib.mkIf config.enableAcme {
+ acme = {
+ ## FIXME: This makes `nodes.acme` into a local resolver. Maybe this will
+ ## break things once we play with DNS?
+ imports = [ "${inputs.nixpkgs}/nixos/tests/common/acme/server" ];
+ ## We aren't testing ACME - we just want certificates.
+ systemd.services.pebble.environment.PEBBLE_VA_ALWAYS_VALID = "1";
+ };
+ })
+ (genAttrs config.targetMachines (_: {
+ imports = [ ./targetNode.nix ];
+ _module.args = { inherit inputs sources; };
+ enableAcme = config.enableAcme;
+ acmeNodeIP = if config.enableAcme then config.nodes.acme.networking.primaryIPAddress else null;
+ }))
+ ];
 testScript = ''
 ${forConcat (attrNames config.nodes) (n: ''
diff --git a/deployment/check/data-model-nixops4/constants.nix b/deployment/check/data-model-nixops4/constants.nix
index 548d6605..cf71ef4e 100644
--- a/deployment/check/data-model-nixops4/constants.nix
+++ b/deployment/check/data-model-nixops4/constants.nix
@@ -4,6 +4,5 @@
 ];
 pathToRoot = ../../..;
 pathFromRoot = ./.;
- enableAcme = true;
 useFlake = true;
 }
diff --git a/deployment/check/data-model-nixops4/default.nix b/deployment/check/data-model-nixops4/default.nix
index b735cd53..a08d4cd4 100644
--- a/deployment/check/data-model-nixops4/default.nix
+++ b/deployment/check/data-model-nixops4/default.nix
@@ -16,7 +16,6 @@ runNixOSTest {
 targetMachines
 pathToRoot
 pathFromRoot
- enableAcme
 useFlake
 ;
 }
diff --git a/deployment/check/data-model-ssh/constants.nix b/deployment/check/data-model-ssh/constants.nix
index 0755c42e..d62c8a0b 100644
--- a/deployment/check/data-model-ssh/constants.nix
+++ b/deployment/check/data-model-ssh/constants.nix
@@ -8,5 +8,4 @@
 name = "root";
 };
 pathFromRoot = "/deployment/check/data-model-ssh";
- enableAcme = true;
 }
diff --git a/deployment/check/data-model-ssh/default.nix b/deployment/check/data-model-ssh/default.nix
index 1815f19a..86ddafb9 100644
--- a/deployment/check/data-model-ssh/default.nix
+++ b/deployment/check/data-model-ssh/default.nix
@@ -16,6 +16,5 @@ runNixOSTest {
 targetMachines
 pathToRoot
 pathFromRoot
- enableAcme
 ;
 }
diff --git a/deployment/check/data-model-tf/constants.nix b/deployment/check/data-model-tf/constants.nix
index b7de5251..0278407e 100644
--- a/deployment/check/data-model-tf/constants.nix
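Review bot: In `deployment/check/common/nixosTest.nix`, the new `lib.mkIf config.enableAcme` block on the deployer adds the nixpkgs snakeoil CA to `security.pki.certificateFiles` and sets `security.acme.defaults.server` to `https://acme.test/dir` with no comment, whereas the `acme` node explains why `PEBBLE_VA_ALWAYS_VALID` is set. That CA's private key is checked into nixpkgs next to the certificate, so a host that trusts it accepts certificates anyone can issue; I would put `## Test-only: trusts the nixpkgs snakeoil CA, whose key is public. Must not be reused outside runNixOSTest.` above the `security.pki.certificateFiles` line. In the same block `networking.extraHosts` reads `config.acmeNodeIP` (presumably the test-level option from the context line above) while the deployer's own `acmeNodeIP` two lines earlier uses `config.nodes.acme.networking.primaryIPAddress` directly; using one expression for both, `networking.extraHosts = "${config.nodes.acme.networking.primaryIPAddress} acme.test";`, would make the block self-contained. The enclosing attribute set starts and ends outside the hunk.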
+++ b/deployment/check/data-model-tf/constants.nix
@@ -7,5 +7,4 @@
 name = "root";
 };
 pathFromRoot = "/deployment/check/data-model-tf";
- enableAcme = true;
 }
diff --git a/deployment/check/data-model-tf/default.nix b/deployment/check/data-model-tf/default.nix
index 63a1c9dd..2ea10769 100644
--- a/deployment/check/data-model-tf/default.nix
+++ b/deployment/check/data-model-tf/default.nix
@@ -46,6 +46,5 @@ pkgs.testers.runNixOSTest {
 targetMachines
 pathToRoot
 pathFromRoot
- enableAcme
 ;
 }