diff --git a/docker.nix b/docker.nix index 8262d1b70..060dcd8f0 100644 --- a/docker.nix +++ b/docker.nix @@ -1,6 +1,10 @@ { - pkgs ? import { }, - lib ? pkgs.lib, + # Core dependencies + pkgs, + lib, + runCommand, + buildPackages, + # Image configuration name ? "nix", tag ? "latest", bundleNixpkgs ? true, @@ -14,36 +18,52 @@ gid ? 0, uname ? "root", gname ? "root", + # Default Packages + nix, + bashInteractive, + coreutils-full, + gnutar, + gzip, + gnugrep, + which, + curl, + less, + wget, + man, + cacert, + findutils, + iana-etc, + git, + openssh, + # Other dependencies + shadow, }: let - defaultPkgs = - with pkgs; - [ - nix - bashInteractive - coreutils-full - gnutar - gzip - gnugrep - which - curl - less - wget - man - cacert.out - findutils - iana-etc - git - openssh - ] - ++ extraPkgs; + defaultPkgs = [ + nix + bashInteractive + coreutils-full + gnutar + gzip + gnugrep + which + curl + less + wget + man + cacert.out + findutils + iana-etc + git + openssh + ] ++ extraPkgs; users = { root = { uid = 0; - shell = "${pkgs.bashInteractive}/bin/bash"; + shell = lib.getExe bashInteractive; home = "/root"; gid = 0; groups = [ "root" ]; @@ -52,7 +72,7 @@ let nobody = { uid = 65534; - shell = "${pkgs.shadow}/bin/nologin"; + shell = lib.getExe' shadow "nologin"; home = "/var/empty"; gid = 65534; groups = [ "nobody" ]; @@ -63,7 +83,7 @@ let // lib.optionalAttrs (uid != 0) { "${uname}" = { uid = uid; - shell = "${pkgs.bashInteractive}/bin/bash"; + shell = lib.getExe bashInteractive; home = "/home/${uname}"; gid = gid; groups = [ "${gname}" ]; @@ -170,7 +190,7 @@ let baseSystem = let nixpkgs = pkgs.path; - channel = pkgs.runCommand "channel-nixos" { inherit bundleNixpkgs; } '' + channel = runCommand "channel-nixos" { inherit bundleNixpkgs; } '' mkdir $out if [ "$bundleNixpkgs" ]; then ln -s ${ 
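Review bot: Dropping the `pkgs ?` and `lib ? pkgs.lib` defaults in the argument list of docker.nix means the file can only be instantiated through `callPackage`. Any caller that still does `import ./docker.nix { inherit pkgs; }` now fails on the missing `runCommand`, `buildPackages` and package arguments, and nothing in the file says so. I would add a header comment above the opening `{`, for example `# Instantiate with pkgs.callPackage ./docker.nix { }. Each package argument can be overridden; overriding nix or cacert changes the Nix binary and the CA bundle package placed in the image's root profile.` The argument list continues in the `@@ -14,36` hunk and the function body lies outside this hunk.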
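Review bot: `shell = lib.getExe bashInteractive;` in the `root` user entry takes the binary name from the package's `meta.mainProgram`, while `bashInteractive` has just become a caller-overridable argument. A substituted package with a different or missing `meta.mainProgram` would change the shell path written for the user (how `lib.getExe` treats a missing attribute depends on the nixpkgs version). The commit already names the binary explicitly elsewhere (`lib.getExe' shadow "nologin"`, `lib.getExe' coreutils-full "env"`), so for consistency I would write `shell = lib.getExe' bashInteractive "bash";`. The same applies to the non-root user entry in the `@@ -63,7` hunk, the `$out/bin/sh` symlink and the `Cmd` entry in `@@ -332,7`.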
@@ -182,11 +202,11 @@ let echo "[]" > $out/manifest.nix fi ''; - rootEnv = pkgs.buildPackages.buildEnv { + rootEnv = buildPackages.buildEnv { name = "root-profile-env"; paths = defaultPkgs; }; - manifest = pkgs.buildPackages.runCommand "manifest.nix" { } '' + manifest = buildPackages.runCommand "manifest.nix" { } '' cat > $out < $out${userHome}/.nix-channels mkdir -p $out/bin $out/usr/bin - ln -s ${pkgs.coreutils-full}/bin/env $out/usr/bin/env - ln -s ${pkgs.bashInteractive}/bin/bash $out/bin/sh + ln -s ${lib.getExe' coreutils-full "env"} $out/usr/bin/env + ln -s ${lib.getExe bashInteractive} $out/bin/sh '' + (lib.optionalString (flake-registry-path != null) '' @@ -300,7 +320,7 @@ let globalFlakeRegistryPath="$nixCacheDir/flake-registry.json" ln -s ${flake-registry-path} $out$globalFlakeRegistryPath mkdir -p $out/nix/var/nix/gcroots/auto - rootName=$(${pkgs.nix}/bin/nix --extra-experimental-features nix-command hash file --type sha1 --base32 <(echo -n $globalFlakeRegistryPath)) + rootName=$(${lib.getExe' nix "nix"} --extra-experimental-features nix-command hash file --type sha1 --base32 <(echo -n $globalFlakeRegistryPath)) ln -s $globalFlakeRegistryPath $out/nix/var/nix/gcroots/auto/$rootName '') ); @@ -332,7 +352,7 @@ pkgs.dockerTools.buildLayeredImageWithNixDb { ''; config = { - Cmd = [ "${userHome}/.nix-profile/bin/bash" ]; + Cmd = [ (lib.getExe bashInteractive) ]; User = "${toString uid}:${toString gid}"; Env = [ "USER=${uname}" diff --git a/flake.nix b/flake.nix index 7d7c4d4c2..69bd2a21a 100644 --- a/flake.nix +++ b/flake.nix @@ -404,8 +404,7 @@ dockerImage = let pkgs = nixpkgsFor.${system}.native; - image = import ./docker.nix { - inherit pkgs; + image = pkgs.callPackage ./docker.nix { tag = pkgs.nix.version; }; in diff --git a/tests/nixos/nix-docker.nix b/tests/nixos/nix-docker.nix index c58a00cdd..f1c218585 100644 --- a/tests/nixos/nix-docker.nix +++ b/tests/nixos/nix-docker.nix 
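Review bot: `${lib.getExe' nix "nix"}` in the `rootName=$(...)` line runs while the image contents are being built, yet `nix` now arrives as a plain `callPackage` argument, which is presumably the host-platform package. The commit routes the other build-time tools through `buildPackages` (`buildPackages.buildEnv`, `buildPackages.runCommand`). The old `${pkgs.nix}` had the same property, so this is not a regression, but when build and host platforms differ the binary likely cannot execute. Since `buildPackages` is now an explicit argument, the line could use `${lib.getExe' buildPackages.nix "nix"}`; the value computed is only a hash of a path string, so it should not depend on the platform. The enclosing derivation starts outside the hunk, so confirm which platform it is built for before changing this.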
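Review bot: `Cmd = [ (lib.getExe bashInteractive) ];` swaps a path resolved through `${userHome}/.nix-profile` for a fixed store path, so the container's default command no longer follows the user's profile; the diff does not flag this behaviour change. In a derived image where the profile's bash is replaced and the store is garbage-collected, the pinned path may no longer exist unless something else keeps it alive, and the default command would then fail to start. If pinning is intended, record it with a comment such as `# Absolute store path on purpose: Cmd does not depend on the profile or PATH`; otherwise keep `"${userHome}/.nix-profile/bin/bash"`. The `config` attribute set continues outside the hunk.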
@@ -1,21 +1,15 @@ # Test the container built by ../../docker.nix. { - lib, config, - nixpkgs, - hostPkgs, ... }: let pkgs = config.nodes.machine.nixpkgs.pkgs; - nixImage = import ../../docker.nix { - inherit (config.nodes.machine.nixpkgs) pkgs; - }; - nixUserImage = import ../../docker.nix { - inherit (config.nodes.machine.nixpkgs) pkgs; + nixImage = pkgs.callPackage ../../docker.nix { }; + nixUserImage = pkgs.callPackage ../../docker.nix { name = "nix-user"; uid = 1000; gid = 1000;