{
  description = "Shared infrastructure OCI images";

  inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";

  outputs = { self, nixpkgs }:
    let
      system = "x86_64-linux";
      pkgs = nixpkgs.legacyPackages.${system};

      # Single image used by every static-site Nomad job.
      # At container startup it downloads the site tarball from S3, then serves it.
      # The Nomad job spec overrides Cmd with the domain- and hash-specific fetch+serve command.
      staticServer = pkgs.dockerTools.buildLayeredImage {
        name = "static-server";
        tag = "latest";
        contents = with pkgs; [
          static-web-server
          awscli2
          bash
          coreutils
          gnutar
          gzip
          cacert
        ];
        config.ExposedPorts."8080/tcp" = { };
      };
    in
    {
      packages.${system}.staticServer = staticServer;

      checks.${system}.smoke = pkgs.testers.nixosTest {
        name = "static-server-smoke";

        nodes.machine = { ... }: {
          virtualisation.docker.enable = true;
        };

        testScript = ''
          machine.start()
          machine.wait_for_unit("docker.service")
          machine.succeed("docker load < ${staticServer}")
          machine.succeed(
            "docker run -d --name site -p 8080:8080 static-server:latest"
            " /bin/bash -c 'mkdir -p /var/www"
            " && printf index > /var/www/index.html"
            " && printf foo > /var/www/foo.html"
            " && exec static-web-server --port 8080 --root /var/www'"
          )
          machine.wait_until_succeeds("curl -sf http://localhost:8080/")
          machine.succeed("curl -sf http://localhost:8080/foo | grep -q foo")
        '';
      };
    };
}