{
  description = "Shared infrastructure OCI images";

  inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";

  outputs = { self, nixpkgs }:
    let
      system = "x86_64-linux";
      pkgs = nixpkgs.legacyPackages.${system};
    in
    {
      # Single image used by every static-site Nomad job.
      # At container startup it downloads the site tarball from S3, then serves it.
      # The Nomad job spec overrides Cmd with the domain- and hash-specific fetch+serve command.
      packages.${system}.staticServer = pkgs.dockerTools.buildLayeredImage {
        name = "static-server";
        tag = "latest";
        contents = with pkgs; [
          static-web-server
          awscli2
          bash
          coreutils
          gnutar
          gzip
          cacert
        ];
        config.ExposedPorts."8080/tcp" = { };
      };
    };
}