{
  lib,
  pkgs,
  ...
}: let
  baseSystem = let
    packages = with pkgs; [
      nix
      bashInteractive
      coreutils-full
      procps
      gnugrep
      openssh
      gitMinimal
      curl
      ncurses
      less

      cacert.out

      (writeShellScriptBin "reload-dotfiles" ''
        ${home-manager}/bin/home-manager switch --flake ''${DOTFILES_REPO:-$1} --option tarball-ttl 0
      '')
    ];
    rootEnv = pkgs.buildPackages.buildEnv {
      name = "root-profile-env";
      paths = packages;
    };

    nixConf = {
      sandbox = "false";
      experimental-features = "nix-command flakes";
      min-free = toString (100 * 1024 * 1024);
      max-free = toString (1024 * 1024 * 1024);
    };

    nixConfContents =
      (lib.concatStringsSep "\n" (lib.mapAttrsToList (n: v: let
        vStr =
          if builtins.isList v
          then lib.concatStringsSep " " v
          else v;
      in "${n} = ${vStr}")
      nixConf))
      + "\n";

    manifest = pkgs.buildPackages.runCommand "manifest.nix" {} ''
      cat > $out <<EOF
      [
      ${lib.concatStringsSep "\n" (builtins.map (drv: let
          outputs = drv.outputsToInstall or ["out"];
        in ''
          {
            ${lib.concatStringsSep "\n" (builtins.map (output: ''
              ${output} = { outPath = "${lib.getOutput output drv}"; };
            '')
            outputs)}
            outputs = [ ${lib.concatStringsSep " " (builtins.map (x: "\"${x}\"") outputs)} ];
            name = "${drv.name}";
            outPath = "${drv}";
            system = "${drv.system}";
            type = "derivation";
            meta = { };
          }
        '')
        packages)}
      ]
      EOF
    '';
    profile = pkgs.buildPackages.runCommand "user-environment" {} ''
      mkdir $out
      cp -a ${rootEnv}/* $out/
      ln -s ${manifest} $out/manifest.nix
    '';

    dirsToCreate = ["/etc/ssl/certs" "/etc/nix" "/usr" "/nix/var/nix/gcroots" "/bin" "/usr/bin" "/tmp" "/var/tmp" "/home/coder/.nix-defexpr" "/nix/var/nix/profiles/per-user/coder"];
  in
    pkgs.runCommand "base-system" {
      allowSubstitutes = false;
      preferLocalBuild = true;
    } ''
      env
      set -x
      mkdir -p ${lib.concatMapStringsSep " " (x: "$out${x}") dirsToCreate}

      ln -s /nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt $out/etc/ssl/certs
      ln -s /nix/var/nix/profiles/share $out/usr/

      echo "${nixConfContents}" > $out/etc/nix/nix.conf
      echo "ID=nixos" > $out/etc/os-release

      echo "coder:x:1000:1000::/home/coder:/bin/bash" > $out/etc/passwd
      echo "coder:!:::::::" > $out/etc/shadow
      echo "coder:x:1000:" > $out/etc/group
      echo "coder:x::" > $out/etc/gshadow
      echo "coder:100000:65536" > $out/etc/subuid
      echo "coder:100000:65536" > $out/etc/subgid

      # support timezones
      ln -s ${pkgs.tzdata}/share/zoneinfo $out/etc/zoneinfo

      ln -s ${profile} $out/nix/var/nix/profiles/default-1-link
      ln -s /nix/var/nix/profiles/default-1-link $out/nix/var/nix/profiles/default

      # prevents the profiles from being cleaned up by the GC
      ln -s /nix/var/nix/profiles $out/nix/var/nix/gcroots/profiles

      ln -s ${pkgs.coreutils}/bin/env $out/usr/bin/env
      ln -s ${pkgs.bashInteractive}/bin/bash $out/bin/sh
      ln -s ${pkgs.bashInteractive}/bin/bash $out/bin/bash
    '';
in
  pkgs.dockerTools.buildLayeredImageWithNixDb {
    name = "nix-coder";
    tag = "latest";

    contents = [baseSystem];
    maxLayers = 10;

    uid = 1000;
    gid = 1000;
    fakeRootCommands = ''
      chown -R 1000:1000 ./
      chmod 1777 tmp
      chmod 1777 var/tmp
    '';

    config = {
      Cmd = ["/bin/bash"];
      User = "1000:1000";
      Env = [
        "USER=coder"
        "HOME=/home/coder"
        "TMPDIR=/tmp"
        "XDG_RUNTIME_DIR=/tmp"
        "TZDIR=/etc/zoneinfo"
        "PATH=${lib.concatStringsSep ":" [
          "/home/coder/.nix-profile/bin"
          # this makes all the packages defined at the top available
          # in the workspace
          "/nix/var/nix/profiles/default/bin"
          "/nix/var/nix/profiles/default/sbin"
        ]}"
        "SSL_CERT_FILE=/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt"
        "GIT_SSL_CAINFO=/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt"
        "NIX_SSL_CERT_FILE=/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt"
        "NIX_PATH=/nix/var/nix/profiles/per-user/coder/channels:/home/coder/.nix-defexpr/channels"
      ];
    };
  }