# Helpers for a GitLab Runner whose Docker-executor jobs build through the
# host's nix-daemon.
{ pkgs, lib, ... }:
let
  # Packages installed into the job container's Nix profile by the install script.
  jobTools = [
    pkgs.nix
    pkgs.cacert
    pkgs.git
    pkgs.openssh
    pkgs.docker
  ];

  # Creates the Nix state directories under /nix/var inside the container,
  # loads the Nix profile script and installs `jobTools` with nix-env.
  # The script has no shebang and is sourced (see `sourceInstallNix`), so it
  # runs inside the job's own shell.
  installNixScript = pkgs.writeScriptBin "install-nix" ''
    mkdir -p -m 0755 /nix/var/log/nix/drvs
    mkdir -p -m 0755 /nix/var/nix/gcroots
    mkdir -p -m 0755 /nix/var/nix/profiles
    mkdir -p -m 0755 /nix/var/nix/temproots
    mkdir -p -m 0755 /nix/var/nix/userpool
    mkdir -p -m 1777 /nix/var/nix/gcroots/per-user
    mkdir -p -m 1777 /nix/var/nix/profiles/per-user
    mkdir -p -m 0755 /nix/var/nix/profiles/per-user/root
    mkdir -p -m 0700 "$HOME/.nix-defexpr"
    . ${pkgs.nix}/etc/profile.d/nix.sh
    ${pkgs.nix}/bin/nix-env -i ${lib.concatStringsSep " " jobTools}
  '';

  # Value of preBuildScript: the literal, double-quoted text `. <path>`.
  # NOTE(review): the embedded quotes presumably exist because the consumer
  # pastes this value into a shell command line; confirm against the module
  # that reads it.
  sourceInstallNix = "\". ${lib.getExe installNixScript}\"";

  # Host Nix configuration, store, database and daemon socket, bind-mounted
  # read-only.
  # NOTE(review): `:ro` on the daemon-socket mount makes the bind mount
  # read-only; it is not expected to stop a process from connecting to the
  # socket. Jobs are clients of the host nix-daemon (NIX_REMOTE = "daemon")
  # and presumably connect as uid 0, which Nix's default `trusted-users`
  # setting treats as trusted. Verify the host's nix.conf if jobs run code
  # from untrusted contributors.
  nixMounts = [
    "/etc/nix/nix.conf:/etc/nix/nix.conf:ro"
    "/nix/store:/nix/store:ro"
    "/nix/var/nix/db:/nix/var/nix/db:ro"
    "/nix/var/nix/daemon-socket:/nix/var/nix/daemon-socket:ro"
  ];

  # Read-write host paths shared with every job container.
  #  - /var/run/docker.sock hands each job full control of the host Docker
  #    daemon, which is equivalent to root on the host. Register this runner
  #    only for projects and branches whose pipeline authors are trusted with
  #    that.
  #  - /tmp is one directory shared by the host and all jobs, so files written
  #    there are visible across jobs.
  #  - /var/lib/docker/containers holds the per-container state of every
  #    container on the host, not only of the job's own.
  hostMounts = [
    "/tmp:/tmp"
    "/var/run/docker.sock:/var/run/docker.sock"
    "/var/lib/docker/containers:/var/lib/docker/containers"
  ];
in
{
  # Builds a runner service definition from the path of its credentials file.
  mkNixRunner = authenticationTokenConfigFile: {
    # File should contain at least these two variables:
    # `CI_SERVER_URL`
    # `REGISTRATION_TOKEN`
    # NOTE(review): if this attrset is passed to the NixOS
    # `services.gitlab-runner.services.<name>` options, the
    # `authenticationTokenConfigFile` option expects `CI_SERVER_TOKEN` (a
    # runner authentication token); `REGISTRATION_TOKEN` belongs to the legacy
    # `registrationConfigFile` option. Confirm which one the file provides.
    # Pass the path as a string to a file outside /nix/store: the store is
    # world-readable and is mounted into every job container (see `nixMounts`).
    authenticationTokenConfigFile = authenticationTokenConfigFile;

    # A tag can be re-pointed upstream; pinning by digest
    # ("alpine:3.18.2@sha256:<digest-placeholder>") fixes the exact image.
    dockerImage = "alpine:3.18.2";
    dockerVolumes = nixMounts ++ hostMounts;
    dockerDisableCache = true;
    preBuildScript = sourceInstallNix;

    environmentVariables = {
      ENV = "/etc/profile";
      USER = "root";
      # Builds are delegated to the host daemon through the mounted socket.
      NIX_REMOTE = "daemon";
      # CA bundle from the `cacert` package that install-nix puts in the profile.
      NIX_SSL_CERT_FILE = "/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt";
    };
  };
}