{
  lib,
  dockerTools,
  system,
  ...
}:

let
  systemToArch = {
    "x86_64-linux" = {
      short = "x86";
      arch = "amd64";
    };
    "aarch64-linux" = {
      short = "arm";
      arch = "arm64";
    };
  };

  pullImage =
    {
      registry ? "docker",
      name,
      tag,
      digest,
      ...
    }@inputs:
    let
      arch = systemToArch.${system};

      registryUrl =
        assert lib.assertOneOf
        "unknown image registry"
        registry [ "docker" "github" ];
      {
        "docker" = "";
        "github" = "ghcr.io/";
      }.${registry};

      image = dockerTools.pullImage {
        imageName = registryUrl + name;
        imageDigest = digest;
        finalImageName = name;
        finalImageTag = tag;
        os = "linux";
        inherit (inputs.${arch.short}) sha256;
        inherit (arch) arch;
      };
    in
    {
      image = "${name}:${tag}";
      imageFile = image;
      base = image;
    };

  images = {
    inherit pullImage;

    alpine = pullImage {
      name = "alpine";
      tag = "3.20.3";
      digest = "sha256:1e42bbe2508154c9126d48c2b8a75420c3544343bf86fd041fb7527e017a4b4a";
      x86.sha256 = "02fr1isg8s2h7j8n5rda7avswnh7vpfhrix3rmvqsjp8cx3qbkz3";
      arm.sha256 = "06c0q5kk60i89y1d83a28wk282ymp806xjcsmlca4cwwqp590j0q";
    };

    postgres13 = pullImage {
      name = "postgres";
      tag = "13-alpine";
      digest = "sha256:857aa00fc7e8541e3e5818b7bb8596182cb5c1b3ad964e4184e90682d5ca0d57";
      x86.sha256 = "1yc0576kdfsz55ybjaykki2mhr6w9yrby7wslx8pfmn7xkykzq9w";
      arm.sha256 = "0kjxk2sd03445mgf54x1ir9w2zmjn41zgmyns2h3k3cd7qazhkrx";
    };

    postgres14 = pullImage {
      name = "postgres";
      tag = "14-alpine";
      digest = "sha256:3f5fc44eeb8e8b42448e218f05299105761a2c33b54a89d9fd06c87cd5f7b043";
      x86.sha256 = "1zpiv9d6mj9d3n2xhgz0wn8q7a4gzjrk0hp8vpm706wwh72q8nir";
      arm.sha256 = "1gh6f4frfilr5mp6smp1k00aijd9vh1kv711a64044yl9kqr2nci";
    };

    postgres15 = pullImage {
      name = "postgres";
      tag = "15-alpine";
      digest = "sha256:8b963ea3038c3b32182ee7f592ccde21242fa7c5fd9d1b72aa333c27f1bfc809";
      x86.sha256 = "0cfmp4v1a4b2m21ljsc3f3kn23rl9nki6z37ks9jclzxh9hy629n";
      arm.sha256 = "0wydmscp4znjdflycvjqwjfry9crizhav0wc2hnajbyvk4ql32h8";
    };

    postgres16 = pullImage {
      name = "postgres";
      tag = "16-alpine";
      digest = "sha256:52bba373df3c13594014b5e9ccc9f3c2cdb2221d50db1a91ec64570819f18aba";
      x86.sha256 = "18gfc7k9gkdd45vmwgrngf10yw5cmbnvxanp3nrs5d02jz602ibm";
      arm.sha256 = "08i3n6kykhp0wd255xvkrpgv1n6izjm9gc57dg6nz4yz3yjnybzh";
    };

    postgres17 = pullImage {
      name = "postgres";
      tag = "17-alpine";
      digest = "sha256:e7897baa70dae1968d23d785adb4aeb699175e0bcaae44f98a7083ecb9668b93";
      x86.sha256 = "128hxalk74wll1i34j6rrmdssmf2rlm67kd302xcqmrp8v60n6i7";
      arm.sha256 = "1lz03jcrrky94h79spgxxamihbll2y7vphmpv54pg47506mikba0";
    };
  };

  soloOrDuoPort =
    p:
    with builtins;
    if isList p then
      assert length p == 2;
      {
        host = elemAt p 0;
        container = elemAt p 1;
      }
    else if isInt p then
      {
        host = p;
        container = p;
      }
    else
      throw "unknown port type given";

  ports = {
    globalPort =
      p:
      let
        ports = soloOrDuoPort p;
        host = toString ports.host;
        container = toString ports.container;
      in
      "0.0.0.0:${host}:${container}";

    tailnetPort =
      me: p:
      let
        ports = soloOrDuoPort p;
        host = toString ports.host;
        container = toString ports.container;
      in
      "${me.tailscale.ip}:${host}:${container}";
  };
in
images // ports