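# Flake output fragment: for every default system, builds the
# `forgejo-nix-action` container image, a pinned `nixos/nix` base image with
# a custom /etc/nix/nix.conf and a few extra tools linked into /bin.
{ nixpkgs, flutils, ... }:
flutils.lib.eachDefaultSystem (system:
  let
    pkgs = nixpkgs.legacyPackages.${system};

    # Base image from Docker Hub. `imageDigest` selects the exact image
    # content and `sha256` pins the fetched result, so a re-tagged or tampered
    # upstream image fails the build instead of being used silently.
    # `finalImageTag` / `finalImageName` only label the imported image.
    # A digest pin also means upstream fixes arrive only when the digest and
    # hash are bumped here.
    nixFromDockerHub = pkgs.dockerTools.pullImage {
      imageName = "nixos/nix";
      imageDigest = "sha256:b3dc72ab3216606d52357ee46f0830a0cc32f3e50e00bd490efa1a8304e9f99d";
      sha256 = "sha256-FvDlbSnCmPtWTn4eG3hu8WVK1Wm3RSi2T+CdmIDLkG4=";
      finalImageTag = "2.22.0";
      finalImageName = "nix";
    };

    # nix.conf shipped in the image (one setting per line).
    #
    # NOTE(review): `sandbox = false` turns off Nix's build sandbox, so builds
    # run inside this image are not isolated from the container's filesystem,
    # network or environment. That may be needed when the container runtime
    # cannot provide the namespaces the sandbox uses, but then the CI job or
    # container is the only isolation boundary. Confirm this is intended and
    # keep secrets out of jobs that build untrusted derivations.
    #
    # NOTE(review): only the cache.nixos.org signing key is trusted. If jobs
    # substitute from another binary cache (attic-client is installed below),
    # add that cache's public key explicitly rather than relaxing signature
    # checks.
    nixConf = pkgs.writeText "nix.conf" ''
      build-users-group = nixbld
      sandbox = false
      trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
      experimental-features = nix-command flakes
    '';

    # Wraps the config file in a directory tree ($out/etc/nix/nix.conf) so
    # buildEnv can link it under /etc in the image root.
    nixConfDrv = pkgs.stdenv.mkDerivation {
      name = "nix.conf";
      dontUnpack = true;
      # Mode 644: this is a configuration file and does not need the
      # executable bit (the original installed it with 755).
      installPhase = ''
        install -Dm644 ${nixConf} $out/etc/nix/nix.conf
      '';
    };
  in
  {
    packages.forgejo-nix-action = pkgs.dockerTools.buildImage {
      name = "forgejo-nix-action";
      # NOTE(review): "latest" is a mutable tag; consumers that need
      # reproducible or auditable runs should reference the pushed image by
      # digest.
      tag = "latest";
      fromImage = nixFromDockerHub;
      copyToRoot = pkgs.buildEnv {
        name = "image-root";
        # TODO: Maybe we don't even want these binaries in the base image, but run everything through nix-run?
        paths = with pkgs; [ coreutils attic-client skopeo nixConfDrv ];
        # Only /bin and /etc of the listed packages are linked into the root.
        pathsToLink = [ "/bin" "/etc" ];
      };
    };
  })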