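# Docker images built with nixpkgs' dockerTools:
#   base             - minimal image with a `users` group and a `user` account
#   interactive_base - base plus a shell and basic tools
#   s3ql             - mounts an S3QL file system via FUSE
#   syncthing        - runs syncthing against a mounted bucket
#
# NOTE(review): no image sets config.User, so unless a user is chosen at run
# time the entrypoints run as the image's default user (root for Docker).
# The `user` account created in `base` (uid 1000) is never selected here.
#
# The default for `pkgs` read `import {}` in the page text, which cannot be
# evaluated; the usual `<nixpkgs>` path (presumably lost in extraction) is
# restored.
{pkgs ? import <nixpkgs> {}}: let
  # Point TLS clients at the CA bundle shipped by nixpkgs' cacert package.
  baseEnv = ["SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"];
in rec {
  base = pkgs.dockerTools.buildImage rec {
    name = "base";
    # Requires a VM to boot: runAsRoot steps are executed at build time.
    runAsRoot = ''
      #!${pkgs.stdenv.shell}
      ${pkgs.dockerTools.shadowSetup}
      groupadd users --gid 100
      useradd -g users -d /home/user -M --uid 1000 user
    '';
    config = {
      Env = baseEnv;
      WorkingDir = "/";
    };
  };

  interactive_base = pkgs.dockerTools.buildImage {
    name = "interactive_base";
    fromImage = base;
    contents = with pkgs; [procps zsh coreutils neovim];
    config = {Cmd = ["/bin/zsh"];};
  };

  s3ql = let
    # Entrypoint: validate required settings, optionally fsck, then mount in
    # the foreground. Credentials are read from the file named by
    # S3QL_AUTHINFO2 at run time; they must never be placed in this
    # expression, because everything written here ends up in the Nix store
    # and in the image layers.
    entrypoint = pkgs.writeScript "entrypoint" ''
      #!${pkgs.stdenv.shell}
      # NOTE(review): S3QL_BUCKET is required here but not referenced again in
      # this script.
      if [ -z "$S3QL_BUCKET" ]; then
        echo S3QL_BUCKET not set
        exit 1
      fi
      if [ -z "$S3QL_STORAGE_URL" ]; then
        echo S3QL_STORAGE_URL not set
        exit 1
      fi
      if [ -z "$S3QL_CACHESIZE" ]; then
        echo S3QL_CACHESIZE not set
        exit 1
      fi
      # set -x echoes every command with its expanded arguments, so the
      # storage URL and file paths appear in the container log.
      set -x
      if [ "$S3QL_SKIP_FSCK" != "1" ]; then
        # Expansions are quoted so that values containing spaces or glob
        # characters are passed as single arguments (the original left them
        # bare here while quoting them in the mount call below).
        fsck.s3ql \
          --authfile "$S3QL_AUTHINFO2" \
          --log none \
          --cachedir "$S3QL_CACHE_DIR" \
          "$S3QL_STORAGE_URL"
      fi
      exec mount.s3ql \
        --cachedir "$S3QL_CACHE_DIR" \
        --authfile "$S3QL_AUTHINFO2" \
        --cachesize "$S3QL_CACHESIZE" \
        --fg \
        --compress lzma-6 \
        --threads 4 \
        --log none \
        --allow-root \
        "$S3QL_STORAGE_URL" \
        /bucket
      # FIXME: touch .isbucket after mount
    '';
  in
    pkgs.dockerTools.buildImage {
      name = "s3ql";
      fromImage = interactive_base;
      contents = [pkgs.s3ql pkgs.fuse];
      # Install a setuid fusermount and allow non-root FUSE mounts to use the
      # allow_root/allow_other options. Only the setuid bit is set (u+s); the
      # original `chmod +s` also set setgid, which fusermount does not need.
      runAsRoot = ''
        #!${pkgs.stdenv.shell}
        mkdir -p /usr/bin
        cp -a ${pkgs.fuse}/bin/fusermount /usr/bin
        chmod u+s /usr/bin/fusermount
        echo user_allow_other >> /etc/fuse.conf
      '';
      config = {
        Env =
          baseEnv
          ++ [
            "HOME=/home/s3ql"
            "S3QL_CACHE_DIR=/var/cache/s3ql"
            "S3QL_AUTHINFO2=/etc/s3ql/authinfo2"
            "CONTAINER_ENTRYPOINT=${entrypoint}"
          ];
        Cmd = [entrypoint];
        # NOTE(review): the entrypoint mounts at /bucket, but the volume
        # declared below is /buckets; confirm which path is intended.
        Volumes = {
          "/var/cache/s3ql" = {};
          # Credentials file, supplied at run time. Keep it readable by the
          # mounting user only.
          "/etc/s3ql/authinfo2" = {};
          "/buckets" = {};
          "/tmp" = {};
        };
      };
    };

  syncthing = let
    # Entrypoint: refuse to start unless the bucket marker exists, the GUI
    # address is set and the home directory is writable, then run syncthing.
    entrypoint = pkgs.writeScript "entrypoint" ''
      #!${pkgs.stdenv.shell}
      set -x
      # NOTE(review): nothing in this file creates /data/.isbucket (see the
      # FIXME in the s3ql entrypoint), so the marker must come from elsewhere.
      if [ ! -e /data/.isbucket ]; then
        echo ERROR: Bucket not mounted at /data
        exit 1
      fi
      if [ -z "$SYNCTHING_GUI_ADDRESS" ]; then
        echo ERROR: SYNCTHING_GUI_ADDRESS is not set
        exit 1
      fi
      if [ ! -w "$SYNCTHING_HOME" ]; then
        echo ERROR : SYNCTHING_HOME is not writable
        # The original reported this error and then started syncthing
        # anyway; fail like the other checks do.
        exit 1
      fi
      # The GUI gives full control over syncthing; bind it to an address that
      # only trusted clients can reach.
      exec syncthing \
        -home "$SYNCTHING_HOME" \
        -gui-address="$SYNCTHING_GUI_ADDRESS" \
        -no-browser
    '';
  in
    pkgs.dockerTools.buildImage {
      name = "syncthing";
      fromImage = interactive_base;
      contents = pkgs.syncthing;
      config = {
        Env = baseEnv ++ ["SYNCTHING_HOME=/home/syncthing"];
        Cmd = [entrypoint];
        Volumes = {"/data" = {};};
      };
    };
}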