# GitLab Runner service definitions for a Docker executor whose job containers
# use the host's Nix store and talk to the host's Nix daemon.
#
# Evaluates to an attribute set with two constructors:
#   mkNixRunnerFull { authenticationTokenConfigFile, nixCacheSshPrivateKeyPath ? null, ... }
#   mkNixRunner authenticationTokenConfigFile
#
# Both path arguments refer to secrets. They are interpolated into strings
# below, so pass them as runtime path *strings* (e.g. "/run/secrets/..."):
# interpolating a Nix path literal copies the file into the world-readable
# /nix/store.
{ pkgs, lib, ... }:
let
  # Builds the `install-nix` script. It is not executed as a program: the
  # runner sources it (see `preBuildScript` below), so it has no shebang and
  # its variable assignments land in the job's shell.
  #
  # Steps, in order: create the /nix/var state directories, load the Nix
  # profile script, install the base tool set with nix-env, and (only when
  # `nixCacheSshPrivateKeyPath` is set) source ./gitlab-runner/nix-cache-start.
  #
  # `authenticationTokenConfigFile` is accepted so the same `args` set can be
  # passed through from mkNixRunnerFull; the script body does not use it.
  installNixScript =
    {
      authenticationTokenConfigFile,
      nixCacheSshPrivateKeyPath ? null,
      ...
    }:
    pkgs.writeScriptBin "install-nix" ''
      mkdir -p -m 0755 /nix/var/log/nix/drvs
      mkdir -p -m 0755 /nix/var/nix/gcroots
      mkdir -p -m 0755 /nix/var/nix/profiles
      mkdir -p -m 0755 /nix/var/nix/temproots
      mkdir -p -m 0755 /nix/var/nix/userpool
      mkdir -p -m 1777 /nix/var/nix/gcroots/per-user
      mkdir -p -m 1777 /nix/var/nix/profiles/per-user
      mkdir -p -m 0755 /nix/var/nix/profiles/per-user/root
      mkdir -p -m 0700 "$HOME/.nix-defexpr"
      . ${pkgs.nix}/etc/profile.d/nix.sh
      ${pkgs.nix}/bin/nix-env -i ${
        # Each package interpolates to its store path, so nix-env installs
        # exactly the builds pinned by this `pkgs`, not whatever a channel
        # inside the container would resolve.
        lib.concatStringsSep " " (
          with pkgs;
          [
            nix
            cacert
            git
            openssh
            docker
          ]
        )
      }
      ${
        # Cache access is opt-in. The two shell variables are set in the job
        # shell and are then available to nix-cache-start, which is sourced
        # right after; how that script uses them is not visible in this file.
        #
        # NIX_CACHE_SSH_PUBLIC_KEY pins the cache host's ed25519 key. The value
        # is a `#` banner line followed by a known_hosts-style entry; the two
        # must stay on separate lines, otherwise a known_hosts parser would
        # read the whole value as a comment and the pin would be empty.
        # NOTE(review): confirm nix-cache-start enforces this pin (strict host
        # key checking) rather than accepting unknown host keys.
        lib.optionalString (nixCacheSshPrivateKeyPath != null) ''
          NIX_CACHE_SSH_PRIVATE_KEY_PATH="${nixCacheSshPrivateKeyPath}"
          NIX_CACHE_SSH_PUBLIC_KEY="# nix-cache.wopus.dev:22 SSH-2.0-OpenSSH_10.0
          nix-cache.wopus.dev ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINU71N5QxdCmM7N25SnOg6u+YLmv92znpeDcyIDamldI"
          . ${./gitlab-runner/nix-cache-start}
        ''
      }
    '';
in
rec {
  # Full runner definition.
  #
  # Arguments:
  #   authenticationTokenConfigFile  path to the env file holding the runner's
  #                                  server URL and token (a secret).
  #   nixCacheSshPrivateKeyPath      optional host path of the SSH private key
  #                                  for the Nix cache; null disables the cache
  #                                  setup and the extra volume.
  #
  # `@args` holds only the attributes the caller actually passed; defaults are
  # re-applied by installNixScript's own argument pattern.
  #
  # Trust model: every job on this runner gets the host Docker socket, the
  # host Nix daemon socket, a shared /tmp and (when configured) the cache SSH
  # key. Treat any job as having host-level access and register this runner
  # only for trusted projects / protected branches.
  mkNixRunnerFull =
    {
      authenticationTokenConfigFile,
      nixCacheSshPrivateKeyPath ? null,
      ...
    }@args:
    {
      # File should contain at least these two variables:
      # `CI_SERVER_URL`
      # `REGISTRATION_TOKEN`
      # NOTE(review): the names above come from the registration-token flow;
      # with `authenticationTokenConfigFile` the token variable is presumably
      # `CI_SERVER_TOKEN`. Confirm against the runner module documentation.
      inherit authenticationTokenConfigFile; # 2
      # Pinned by tag only. A tag can be re-pointed upstream; pinning by
      # digest would make the job base image immutable.
      dockerImage = "alpine:3.18.2";
      dockerVolumes = [
        # Host Nix configuration, store and database, all read-only.
        "/etc/nix/nix.conf:/etc/nix/nix.conf:ro"
        "/nix/store:/nix/store:ro"
        "/nix/var/nix/db:/nix/var/nix/db:ro"
        # `:ro` does not stop a client from connecting to the socket inside
        # this directory; jobs are meant to reach the host daemon
        # (NIX_REMOTE = "daemon" below).
        "/nix/var/nix/daemon-socket:/nix/var/nix/daemon-socket:ro"
        # Host /tmp, read-write: shared with the host and with every other job.
        "/tmp:/tmp"
        # Host Docker socket, read-write: a job can drive the host Docker
        # daemon, which is equivalent to root on the host.
        "/var/run/docker.sock:/var/run/docker.sock"
        # Host container state, read-write: includes other containers' logs
        # and configuration.
        "/var/lib/docker/containers:/var/lib/docker/containers"
        "/cache"
      ]
      # The cache SSH private key is bind-mounted at the same path inside every
      # job container, so any job can read it.
      # NOTE(review): the mount has no `:ro` suffix, so jobs can also modify or
      # replace the key file on the host; consider mounting it read-only.
      ++ lib.optionals (nixCacheSshPrivateKeyPath != null) [
        "${nixCacheSshPrivateKeyPath}:${nixCacheSshPrivateKeyPath}"
      ];
      # dockerDisableCache = true;
      # The value is the text `". <store path of install-nix>"`; the escaped
      # double quotes are part of the string. Presumably they keep `. <path>`
      # together as one shell word where the runner module splices this value
      # into a command line. Confirm against the module.
      preBuildScript = "\". ${lib.getExe (installNixScript args)}\"";
      environmentVariables = {
        ENV = "/etc/profile";
        # NOTE(review): jobs identify as root towards the host Nix daemon;
        # check whether the daemon's trusted-users setting grants that peer
        # elevated rights.
        USER = "root";
        NIX_REMOTE = "daemon";
        # Points into the default profile; presumably populated by the
        # `nix-env -i ... cacert` step of install-nix. Confirm.
        NIX_SSL_CERT_FILE = "/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt";
      };
    };

  # Convenience wrapper: a runner without the SSH-backed Nix cache
  # (nixCacheSshPrivateKeyPath keeps its null default).
  mkNixRunner =
    authenticationTokenConfigFile: mkNixRunnerFull { inherit authenticationTokenConfigFile; };
}