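# CI definition built with cilib.mkCI.
#
# - config.soonix.extraData: the bootstrap jobs that build the per-architecture
#   CI image and publish it as a multi-arch manifest to the project registry.
# - pipelines."default": test, docs build and pages publication.
{inputs, ...}: let
  inherit (inputs) cilib;
in
  cilib.mkCI {
    config.soonix = {
      componentUrl = "$CI_SERVER_FQDN/$CI_PROJECT_PATH/nix-gitlab-ci";
      componentVersion = "$CI_COMMIT_SHORT_SHA";
      # bootstrapping still needs to be done in the gitlab-ci.yml directly,
      # the child pipeline can then use the built images to test them
      extraData = {
        stages = ["build-images" "build" "trigger"];

        # Builds the image once per architecture and stores each tarball in dist/.
        "build:image" = {
          stage = "build-images";
          parallel.matrix = [
            {ARCH = ["x86_64-linux" "aarch64-linux"];}
          ];
          # NOTE(review): `:latest` is a mutable tag, so the toolchain that builds
          # the published image can change between runs; consider pinning to a digest.
          image = "nixpkgs/nix-flakes:latest";
          script = ["nix build .#image --system $ARCH"];
          after_script = ["install -D result dist/nix-ci-$ARCH.tar.gz"];
          artifacts.paths = ["dist"];
        };

        # Combines both architecture tarballs into one manifest and pushes it.
        # NOTE(review): no `rules` are set here, so this job publishes for every
        # ref the pipeline runs on; restrict it if only protected refs should publish.
        "deploy:image" = {
          stage = "build-images";
          # NOTE(review): same mutable-tag concern as in build:image; this job
          # additionally holds the registry credentials.
          image = "nixpkgs/nix-flakes:latest";
          needs = ["build:image"];
          # The registry password is fed to buildah on stdin, so it does not appear
          # in the command line; the resulting credentials are written to
          # $HOME/auth.json via REGISTRY_AUTH_FILE.
          #
          # policy.json is set to insecureAcceptAnything, i.e. no signature
          # verification of images. The script below only reads the local
          # docker-archive tarballs from dist/ and pushes them.
          # NOTE(review): revisit this policy if the job ever pulls remote images.
          #
          # NOTE(review): `nixpkgs#buildah` resolves `nixpkgs` through the flake
          # registry rather than this flake's lock file - confirm that is intended.
          before_script = [
            # sh
            ''
              nix profile install nixpkgs#buildah
              export PATH="$PATH:$HOME/.nix-profile/bin"
              export REGISTRY_AUTH_FILE=''${HOME}/auth.json
              echo "$CI_REGISTRY_PASSWORD" | buildah login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
              mkdir -p /etc/containers && echo '{"default":[{"type":"insecureAcceptAnything"}]}' > /etc/containers/policy.json
              mkdir -p /var/tmp
            ''
          ];
          script = [
            # sh
            ''
              # Replace every "/" (not only the first one), so that nested branch
              # names such as a/b/c still produce a valid image tag.
              export NORMALIZED_BRANCH=''${CI_COMMIT_BRANCH//\//-}
              buildah manifest create localhost/nix-ci
              buildah manifest add localhost/nix-ci docker-archive:dist/nix-ci-x86_64-linux.tar.gz
              buildah manifest add localhost/nix-ci docker-archive:dist/nix-ci-aarch64-linux.tar.gz
              buildah manifest push --all localhost/nix-ci docker://''${CI_REGISTRY_IMAGE}/nix-ci:''${CI_COMMIT_SHORT_SHA}
              # branches
              if [ -z "$CI_COMMIT_TAG" ]; then
                # Only the branch named exactly "main" is published as "latest".
                # A substring replacement would also rewrite names that merely
                # contain "main" (for example "domain" or "maintenance").
                if [ "$NORMALIZED_BRANCH" = "main" ]; then
                  BRANCH_TAG=latest
                else
                  BRANCH_TAG="$NORMALIZED_BRANCH"
                fi
                buildah manifest push --all localhost/nix-ci docker://''${CI_REGISTRY_IMAGE}/nix-ci:''${BRANCH_TAG}
              fi
              # tags
              if [ -n "$CI_COMMIT_TAG" ]; then
                buildah manifest push --all localhost/nix-ci docker://''${CI_REGISTRY_IMAGE}/nix-ci:''${CI_COMMIT_TAG}
              fi
            ''
          ];
        };
      };
    };

    pipelines."default" = {
      stages = ["test" "build" "deploy"];
      jobs = {
        # Runs the test suite and always uploads the JUnit report.
        # allow_failure = true means a failing test run does not stop the
        # later build and deploy stages.
        "test" = {
          stage = "test";
          script = [
            # Kept on one line: everything after `--` is passed to the test runner.
            "nix run .#tests -- --junit=junit.xml"
          ];
          allow_failure = true;
          artifacts = {
            when = "always";
            reports.junit = "junit.xml";
          };
        };

        # Builds the documentation and copies it into public/.
        "docs" = {
          stage = "build";
          script = [
            # sh
            ''
              nix build .#docs:default
              mkdir -p public
              cp -r result/. public/
            ''
          ];
          artifacts.paths = ["public"];
        };

        # Publishes public/ as an artifact on the default branch only; the job
        # itself does no work (script is `true`) and runs without the nix setup.
        "pages" = {
          nix.enable = false;
          # NOTE(review): `:latest` is a mutable tag; consider pinning to a digest.
          image = "alpine:latest";
          stage = "deploy";
          script = ["true"];
          artifacts.paths = ["public"];
          rules = [
            {
              "if" = "$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH";
            }
          ];
        };
      };
    };
  }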