{ nixpkgs, flutils, ... }: flutils.lib.eachDefaultSystem (system:
let
  pkgs = nixpkgs.legacyPackages.${system};

  nixFromDockerHub = pkgs.dockerTools.pullImage {
    imageName = "nixos/nix";
    imageDigest = "sha256:b3dc72ab3216606d52357ee46f0830a0cc32f3e50e00bd490efa1a8304e9f99d";
    sha256 = "sha256-FvDlbSnCmPtWTn4eG3hu8WVK1Wm3RSi2T+CdmIDLkG4=";
    finalImageTag = "2.22.0";
    finalImageName = "nix";
  };

  nixConf = pkgs.writeText "nix.conf" ''
    build-users-group = nixbld
    sandbox = false
    trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
    experimental-features = nix-command flakes
  '';

  nixConfDrv = pkgs.stdenv.mkDerivation {
    name = "nix.conf";
    dontUnpack = true;
    installPhase = "install -Dm755 ${nixConf} $out/etc/nix/nix.conf";
  };
in
{
  packages.forgejo-nix-action = pkgs.dockerTools.buildImage {
    name = "forgejo-nix-action";
    tag = "latest";
    fromImage = nixFromDockerHub;

    copyToRoot = pkgs.buildEnv {
      name = "image-root";
      paths = with pkgs; [ coreutils attic-client docker-client nixConfDrv ];
      pathsToLink = [ "/bin" "/etc/nix" ];
    };

    # config = {
    #   Env = [
    #     "PATH=/bin:/root/.nix-profile/bin:/nix/var/nix/profiles/default/bin:/nix/var/nix/profiles/default/sbin"
    #   ];
    # };
  };
})