Using Ubuntu base images with dockerTools without shadowing /bin?

Hey y’all, just starting out on my nix journey here, would love advice on how to effectively leverage the dockerTools stuff to make production-quality images. My company uses a custom build system based on nix, and I would like to be able to build an image from existing targets, with ubuntu (or really any image) as a base. As a Minimum Viable Example, I am trying to replicate the following Dockerfile in nix:

FROM ubuntu:22.04

COPY service /bin/

CMD /bin/service

Here is what I have so far:

ubuntu-image = dockerTools.pullImage {
    imageName = "ubuntu";
    imageDigest =
    sha256 = "sha256-otbd3dIUm5D4NmXLaR8ed8v8YihjPBphndoFpGIbujw=";
    finalImageName = "ubuntu";
    finalImageTag = "22.04";

service-image = dockerTools.streamLayeredImage {
    name = "service";
    tag = "latest";
    created = "now";
    # Ubuntu base image.
    fromImage = ref ":ubuntu-image";
    contents = [ (ref ":service") ];
    config.Cmd = [ "/bin/service" ];

This seems to work, and when loading this into docker I can get a working image that runs the service. However, none of the tools I would use for debugging were present, and some more digging showed that the entire /bin directory was “overwritten” and contained only the service executable.

Additional research showed that there was a way to get this to work with buildImage, but I would really like to use the layered image functionality due to the number of dependencies, and how often I want to build and push images, sometimes these images can be more than a GB.

Any help would be appreciated, thank you so much!