{ pkgs, ... }:
let
  containerPolicy = pkgs.writeTextDir "/etc/containers/policy.json" (
    builtins.readFile (
      (pkgs.formats.json { }).generate "policy.json" {
        default = [ { type = "insecureAcceptAnything"; } ];
        transports.docker-daemon."" = [ { type = "insecureAcceptAnything"; } ];
      }
    )
  );
in
pkgs.dockerTools.buildImage {
  name = "gitea-act-runner-worker";
  fromImage = pkgs.docker-image-base;

  copyToRoot = pkgs.buildEnv {
    name = "root";
    paths = with pkgs; [
      git
      git-lfs
      curl
      jq
      nix
      nodejs
      buildah
      skopeo
      containerPolicy
    ];
    pathsToLink = [
      "/bin"
      "/etc"
    ];
  };

  runAsRoot = ''
    mkdir -p /var/tmp
  '';
}