# CI container image for Nix builds, plus the two helper scripts shipped in it.
#
# Arguments:
#   inputs - must provide `pkgs`, the package set everything below is built from
#   system - platform string used to select the pinned base image
#
# Result: an attribute set with `setupScript`, `finalizeScript` and `image`.
{ inputs, system, ... }:
let
  inherit (inputs) pkgs;

  # Package a shell script from ./scripts as an executable named `name`.
  mkScript = name: file: pkgs.writeShellScriptBin name (builtins.readFile file);

  setupScript = mkScript "setup_nix_ci" ./scripts/setup_nix_ci.sh;
  finalizeScript = mkScript "finalize_nix_ci" ./scripts/finalize_nix_ci.sh;

  # Per-system pins for the nixpkgs/nix-flakes base image.
  #   imageDigest - registry manifest digest; fixes which image is fetched,
  #                 independent of where a (mutable) tag currently points.
  #                 Check the digest of tags like nixos-24.11-aarch64-linux etc.
  #   hash        - fixed-output hash Nix verifies on the pulled result.
  # The two values describe the same image: when bumping the base image,
  # update both of them, for every system listed here.
  basePins = {
    "x86_64-linux" = {
      hash = "sha256-kJ7dqje5o1KPr3RDZ7/THbhMSoiCU1C/7HshDrNfwnM=";
      imageDigest = "sha256:345f210dea4cbd049e2d01d13159c829066dfb6e273cdd49ea878186d17b19f7";
    };
    "aarch64-linux" = {
      hash = "sha256-jz+Z3Ji+hy5d9ImOh/YOKCqy9P9/cseSov+5J/O95bg=";
      imageDigest = "sha256:66163fdf446d851416dd4e9be28c0794d9c2550214a57a846957699a3f5747f6";
    };
  };

  # Fail evaluation instead of falling back to an unpinned image when the
  # requested system has no entry above.
  pin = basePins.${system} or (throw "Unsupported system");

  baseImage = pkgs.dockerTools.pullImage {
    imageName = "nixpkgs/nix-flakes";
    inherit (pin) hash imageDigest;
  };

  # Tools added on top of the base image; only their /bin directories are
  # linked into the image root.
  imageRoot = pkgs.buildEnv {
    name = "image-root";
    paths = [
      pkgs.gitMinimal
      pkgs.gnugrep
      pkgs.gnused
      pkgs.coreutils
      pkgs.diffutils
      pkgs.cachix
      pkgs.attic-client
      setupScript
      finalizeScript
    ];
    pathsToLink = ["/bin"];
  };

  image = pkgs.dockerTools.buildImage {
    name = "nix-ci";
    fromImage = baseImage;
    copyToRoot = imageRoot;
  };
in {
  inherit setupScript finalizeScript image;
}