diff --git a/build-docker.sh b/build-docker.sh
index 926c1e18e..5c8d66fc3 100755
--- a/build-docker.sh
+++ b/build-docker.sh
@@ -14,6 +14,7 @@ else
 REPOSITORY=https://github.com/$REPOSITORY/trezor-firmware.git
 fi
+wget -nc -P ci/ http://dl-cdn.alpinelinux.org/alpine/v3.12/releases/x86_64/alpine-minirootfs-3.12.0-x86_64.tar.gz
 docker build -t "$IMAGE" ci/
 USER=$(ls -lnd . | awk '{ print $3 }')
diff --git a/ci/.gitignore b/ci/.gitignore
new file mode 100644
index 000000000..66f42d722
--- /dev/null
+++ b/ci/.gitignore
@@ -0,0 +1 @@
+alpine-minirootfs-*
diff --git a/ci/Dockerfile b/ci/Dockerfile
index 1119f616d..83bc92d27 100644
--- a/ci/Dockerfile
+++ b/ci/Dockerfile
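Review bot: The added `wget` line in build-docker.sh fetches the Alpine minirootfs over plain `http://`, and nothing checks the archive before `docker build` unpacks it as the image's root filesystem, so a tampered or corrupted download becomes the base of every build. Switch the URL to `https://` and verify a digest pinned in the repository before building, for example `echo "<pinned-sha256>  ci/alpine-minirootfs-3.12.0-x86_64.tar.gz" | sha256sum -c -`. Because `-nc` keeps any file already at that path, a partial or stale download from an earlier run is reused without a check, which the digest comparison would also catch. The same `wget` line is added to ci/environment.yml and needs the same treatment. The script continues outside the hunk.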
@@ -1,4 +1,39 @@
-FROM nixos/nix:2.3.4
+# install the latest Alpine linux from scratch
+
+FROM scratch
+ARG ALPINE_VERSION=3.12.0
+ADD alpine-minirootfs-${ALPINE_VERSION}-x86_64.tar.gz /
+
+# the following is adapted from https://github.com/NixOS/docker/blob/master/Dockerfile
+
+# Enable HTTPS support in wget and set nsswitch.conf to make resolution work within containers
+RUN apk add --no-cache --update openssl \
+ && echo hosts: dns files > /etc/nsswitch.conf
+
+# Download Nix and install it into the system.
+ARG NIX_VERSION=2.3.6
+RUN wget https://nixos.org/releases/nix/nix-${NIX_VERSION}/nix-${NIX_VERSION}-x86_64-linux.tar.xz \
+ && tar xf nix-${NIX_VERSION}-x86_64-linux.tar.xz \
+ && addgroup -g 30000 -S nixbld \
+ && for i in $(seq 1 30); do adduser -S -D -h /var/empty -g "Nix build user $i" -u $((30000 + i)) -G nixbld nixbld$i ; done \
+ && mkdir -m 0755 /etc/nix \
+ && echo 'sandbox = false' > /etc/nix/nix.conf \
+ && mkdir -m 0755 /nix && USER=root sh nix-${NIX_VERSION}-x86_64-linux/install \
+ && ln -s /nix/var/nix/profiles/default/etc/profile.d/nix.sh /etc/profile.d/ \
+ && rm -r /nix-${NIX_VERSION}-x86_64-linux* \
+ && rm -rf /var/cache/apk/* \
+ && /nix/var/nix/profiles/default/bin/nix-collect-garbage --delete-old \
+ && /nix/var/nix/profiles/default/bin/nix-store --optimise \
+ && /nix/var/nix/profiles/default/bin/nix-store --verify --check-contents
+
+ENV \
+ USER=root \
+ PATH=/nix/var/nix/profiles/default/bin:/nix/var/nix/profiles/default/sbin:/bin:/sbin:/usr/bin:/usr/sbin \
+ GIT_SSL_CAINFO=/etc/ssl/certs/ca-certificates.crt \
+ NIX_SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt \
+ NIX_PATH=/nix/var/nix/profiles/per-user/root/channels
+
+# Trezor specific stuff starts here
 COPY shell.nix shell.nix
diff --git a/ci/environment.yml b/ci/environment.yml
index 9efd59c02..78797bb0d 100644
--- a/ci/environment.yml
+++ b/ci/environment.yml
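Review bot: The `RUN wget https://nixos.org/releases/nix/...` step unpacks the Nix tarball and runs its `install` script as root with only TLS vouching for the download. Pin a digest next to `NIX_VERSION` and check it before `tar xf`, e.g. `ARG NIX_SHA256=<pinned-sha256>` and `&& echo "${NIX_SHA256}  nix-${NIX_VERSION}-x86_64-linux.tar.xz" | sha256sum -c - \`. The `ADD alpine-minirootfs-${ALPINE_VERSION}-x86_64.tar.gz /` line likewise trusts whatever file the build scripts placed in ci/, and its default has to stay in step with the 3.12.0 hard-coded in their `wget` lines. The opening comment says "latest Alpine" although the version is pinned; `# install a pinned Alpine minirootfs from scratch` would match the code. The Dockerfile continues past the hunk.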
@@ -11,6 +11,7 @@ environment:
 - docker login $CI_REGISTRY -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD
 script:
 - docker pull $CONTAINER_NAME:latest || true
+ - wget -nc -P ci/ http://dl-cdn.alpinelinux.org/alpine/v3.12/releases/x86_64/alpine-minirootfs-3.12.0-x86_64.tar.gz
 - docker build --cache-from $CONTAINER_NAME:latest --tag $CONTAINER_NAME:$CI_COMMIT_SHA --tag $CONTAINER_NAME:latest --build-arg FULLDEPS_TESTING=1 ci/
 - docker push $CONTAINER_NAME:$CI_COMMIT_SHA
 - docker push $CONTAINER_NAME:latest