{
  description = "Shared infrastructure OCI images";

  inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";

  outputs = { self, nixpkgs }:
    let
      system = "x86_64-linux";
      pkgs = nixpkgs.legacyPackages.${system};

      # Single image used by every static-site Nomad job.
      # At container startup it downloads the site tarball from S3, then serves it.
      # The Nomad job spec overrides Cmd with the domain- and hash-specific fetch+serve command.
      staticServer = pkgs.dockerTools.buildLayeredImage {
        name = "static-server";
        tag = "latest";
        contents = with pkgs; [
          static-web-server
          awscli2
          bash
          coreutils
          gnutar
          gzip
          cacert
        ];
        config.ExposedPorts."8080/tcp" = { };
      };
    in
    {
      packages.${system}.staticServer = staticServer;

      checks.${system}.smoke = pkgs.runCommand "static-server-smoke" {
        nativeBuildInputs = with pkgs; [ static-web-server curl ];
      } ''
        mkdir -p $TMPDIR/www
        printf index > $TMPDIR/www/index.html
        printf foo   > $TMPDIR/www/foo.html

        static-web-server --port 18080 --root $TMPDIR/www &
        SERVER_PID=$!
        trap "kill $SERVER_PID" EXIT

        # wait for server to be ready
        for i in $(seq 1 10); do
          curl -sf http://localhost:18080/ && break
          sleep 0.5
        done

        curl -sf http://localhost:18080/ | grep -q index
        curl -sf http://localhost:18080/foo | grep -q foo

        touch $out
      '';
    };
}