{
  description = "nix builder for ci";

  inputs.nixpkgs.url = "github:NixOS/nixpkgs";
  inputs.attic.url = "github:zhaofengli/attic";

  outputs = { self, nixpkgs, attic }: let
    pkgs = import nixpkgs { system = "x86_64-linux"; };
  in {
    packages.x86_64-linux.default = pkgs.dockerTools.buildImage {
      name = "nix-builder";
      tag = "latest";
      copyToRoot = with pkgs; [coreutils cacert nix git git-lfs bash] ++ [attic.packages."x86_64-linux".default];
      
      runAsRoot = ''
        #!${pkgs.runtimeShell}
        mkdir -p /etc/nix
        echo "experimental-features = nix-command flakes" >> /etc/nix/nix.conf
        ln -s $NIX_SSL_CERT_FILE /etc/ssl/certs
      '';
      
      config = {
        Cmd = ["${pkgs.bash}/bin/bash"];
        Env = with pkgs; [
          "NIX_SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
        ];
      };
    };
  };
}