# Builds a Docker image whose command is update_nixpkgs.sh (the script next to
# this file), wrapped so that the tools it calls (hg, ssh, git, copybara, sed,
# coreutils) are on PATH, together with a minimal root filesystem for it.
# `lib` from the argument set is not used below; makeBinPath is taken from
# pkgs.lib instead.
{ depot, lib, ... }:
let
  inherit (depot) pkgs;
  # Let-bound so that `mercurial` inside the `with pkgs;` list below resolves
  # to depot.nix.pkgs.mercurial rather than pkgs.mercurial (let bindings take
  # precedence over `with`).
  inherit (depot.nix.pkgs) mercurial;
  # The wrapped script: copied to $out/bin, shebang patched, then wrapped with
  # PATH prefixed by the runtime tools it needs.
  updateNixpkgs = pkgs.runCommand "update_nixpkgs" {
    buildInputs = with pkgs; [ makeWrapper ];
  } ''
    mkdir -p $out/bin
    cp ${./update_nixpkgs.sh} $out/bin/update_nixpkgs
    chmod +x $out/bin/update_nixpkgs
    patchShebangs --host $out/bin
    wrapProgram $out/bin/update_nixpkgs \
      --prefix PATH : ${pkgs.lib.makeBinPath (with pkgs; [ bashInteractive mercurial openssh coreutils copybara git gnused ])}
  '';
in
pkgs.dockerTools.buildImage {
  name = "update_nixpkgs";
  config = {
    Cmd = [ "${updateNixpkgs}/bin/update_nixpkgs" ];
    Env = [
      # CA bundle path for TLS clients; pkgs.cacert is also placed in the
      # image root via copyToRoot below.
      "SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
      "USER=root"
    ];
  };

  copyToRoot = pkgs.buildEnv {
    name = "update_nixpkgs-root";
    paths = [
      pkgs.cacert updateNixpkgs
      # Root filesystem skeleton: /etc/passwd, /tmp, and root's ssh and hg
      # configuration.
      # NOTE(review): the Nix store normalises file modes, so the chmod 700 /
      # chmod 1777 in this builder are probably not preserved into the image;
      # verify the modes of /root/.ssh and /tmp in the running container if
      # they matter.
      # NOTE(review): the ssh config sets `StrictHostKeyChecking no` for host
      # `hg`, which disables host-key verification for the connection that
      # presents the identity from /secrets/ssh_id (presumably mounted at run
      # time). Shipping a known_hosts entry for hg.lukegb.com in the image and
      # switching to `StrictHostKeyChecking yes` would close that
      # man-in-the-middle window; the host key is not on hand here.
      # NOTE(review): the login shell in /etc/passwd is the NixOS path
      # /run/current-system/sw/bin/bash, which is probably absent from this
      # image; Cmd does not rely on it, so this only affects tools that
      # consult the passwd shell field.
      (pkgs.runCommand "update_nixpkgs_content" {} ''
  mkdir $out $out/root $out/root/.ssh $out/etc $out/tmp
  chmod 700 $out/root $out/root/.ssh
  chmod 1777 $out/tmp

  cat <<EOF >$out/etc/passwd
root:x:0:0:System administrator:/root:/run/current-system/sw/bin/bash
EOF

  cat <<EOF >$out/root/.ssh/config
Host hg
  Hostname hg.lukegb.com
  User hg
  StrictHostKeyChecking no
  IdentityFile /secrets/ssh_id
EOF

  cat <<EOF >$out/root/.hgrc
[extensions]
histedit =
rebase =
strip =
remotenames =
amend =
evolve =
topic =
purge =
share =
EOF
      '')
    ];
  };
}