{
  description = "Shared infrastructure OCI images";

  inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";

  outputs = { self, nixpkgs }:
    let
      system = "x86_64-linux";
      pkgs = nixpkgs.legacyPackages.${system};

      # Single image used by every static-site Nomad job.
      # At container startup it downloads the site tarball from S3, then serves it.
      # The Nomad job spec overrides Cmd with the domain- and hash-specific fetch+serve command.
      staticServer = pkgs.dockerTools.buildLayeredImage {
        name = "static-server";
        tag = "latest";
        contents = with pkgs; [
          static-web-server
          awscli2
          bash
          coreutils
          gnutar
          gzip
          cacert
        ];
        config.ExposedPorts."8080/tcp" = { };
      };
    in
    {
      packages.${system}.staticServer = staticServer;

      # VM smoke test disabled: CI runner lacks KVM.
      # See https://git.toph.so/toph/ci-actions/issues/1
      # Intended test: load the built image into Docker, start the container,
      # verify that / serves index.html and /foo routes to foo.html.
      # Restore using pkgs.testers.nixosTest once KVM is available on the runner.
    };
}