diff --git a/Dockerfile b/Dockerfile
index 98098bff27..c8f56b6f77 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -33,8 +33,7 @@ FROM --platform=$BUILDPLATFORM ${GOLANG_IMAGE} AS base
 COPY --from=xx / /
 RUN echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache
 ARG APT_MIRROR
-RUN sed -ri "s/(httpredir|deb).debian.org/${APT_MIRROR:-deb.debian.org}/g" /etc/apt/sources.list \
- && sed -ri "s/(security).debian.org/${APT_MIRROR:-security.debian.org}/g" /etc/apt/sources.list
+RUN test -n "$APT_MIRROR" && sed -ri "s#(httpredir|deb|security).debian.org#${APT_MIRROR}#g" /etc/apt/sources.list || true
 ARG DEBIAN_FRONTEND
 RUN apt-get update && apt-get install --no-install-recommends -y file
 ENV GO111MODULE=off
@@ -251,11 +250,11 @@ RUN --mount=type=cache,target=/root/.cache/go-build \
 
 FROM base AS dockercli
 WORKDIR /go/src/github.com/docker/cli
-COPY hack/dockerfile/cli.sh /download-or-build-cli.sh
 ARG DOCKERCLI_REPOSITORY
 ARG DOCKERCLI_VERSION
 ARG TARGETPLATFORM
-RUN --mount=type=cache,id=dockercli-git-$TARGETPLATFORM,sharing=locked,target=./.git \
+RUN --mount=source=hack/dockerfile/cli.sh,target=/download-or-build-cli.sh \
+    --mount=type=cache,id=dockercli-git-$TARGETPLATFORM,sharing=locked,target=./.git \
     --mount=type=cache,target=/root/.cache/go-build,id=dockercli-build-$TARGETPLATFORM \
         rm -f ./.git/*.lock \
      && /download-or-build-cli.sh ${DOCKERCLI_VERSION} ${DOCKERCLI_REPOSITORY} /build \
@@ -263,12 +262,12 @@ RUN --mount=type=cache,id=dockercli-git-$TARGETPLATFORM,sharing=locked,target=./
 
 FROM base AS dockercli-integration
 WORKDIR /go/src/github.com/docker/cli
-COPY hack/dockerfile/cli.sh /download-or-build-cli.sh
 ARG DOCKERCLI_INTEGRATION_REPOSITORY
 ARG DOCKERCLI_INTEGRATION_VERSION
 ARG TARGETPLATFORM
-RUN --mount=type=cache,id=dockercli-integration-git-$TARGETPLATFORM,sharing=locked,target=./.git \
-    --mount=type=cache,target=/root/.cache/go-build,id=dockercli-integration-build-$TARGETPLATFORM \
+RUN --mount=source=hack/dockerfile/cli.sh,target=/download-or-build-cli.sh \
+    --mount=type=cache,id=dockercli-git-$TARGETPLATFORM,sharing=locked,target=./.git \
+    --mount=type=cache,target=/root/.cache/go-build,id=dockercli-build-$TARGETPLATFORM \
         rm -f ./.git/*.lock \
      && /download-or-build-cli.sh ${DOCKERCLI_INTEGRATION_VERSION} ${DOCKERCLI_INTEGRATION_REPOSITORY} /build \
      && /build/docker --version
@@ -369,8 +368,8 @@ RUN --mount=from=rootlesskit-src,src=/usr/src/rootlesskit,rw \
   xx-go build -o /build/rootlesskit-docker-proxy -ldflags="$([ "$DOCKER_STATIC" != "1" ] && echo "-linkmode=external")" ./cmd/rootlesskit-docker-proxy
   xx-verify $([ "$DOCKER_STATIC" = "1" ] && echo "--static") /build/rootlesskit-docker-proxy
 EOT
-COPY ./contrib/dockerd-rootless.sh /build/
-COPY ./contrib/dockerd-rootless-setuptool.sh /build/
+COPY --link ./contrib/dockerd-rootless.sh /build/
+COPY --link ./contrib/dockerd-rootless-setuptool.sh /build/
 
 FROM rootlesskit-build AS rootlesskit-linux
 FROM binary-dummy AS rootlesskit-windows
diff --git a/Dockerfile.simple b/Dockerfile.simple
index dd6fabfe16..8605aa3fcd 100644
--- a/Dockerfile.simple
+++ b/Dockerfile.simple
@@ -13,9 +13,9 @@ ARG GOLANG_IMAGE="golang:${GO_VERSION}-${BASE_DEBIAN_DISTRO}"
 FROM ${GOLANG_IMAGE}
 ENV GO111MODULE=off
 
-# allow replacing httpredir or deb mirror
-ARG APT_MIRROR=deb.debian.org
-RUN sed -ri "s/(httpredir|deb).debian.org/$APT_MIRROR/g" /etc/apt/sources.list
+# allow replacing debian mirror
+ARG APT_MIRROR
+RUN test -n "$APT_MIRROR" && sed -ri "s#(httpredir|deb|security).debian.org#${APT_MIRROR}#g" /etc/apt/sources.list || true
 
 # Compile and runtime deps
 # https://github.com/docker/docker/blob/master/project/PACKAGERS.md#build-dependencies
diff --git a/Jenkinsfile b/Jenkinsfile
index de00e5b31c..6707839168 100644
--- a/Jenkinsfile
+++ b/Jenkinsfile
@@ -17,7 +17,6 @@ pipeline {
         DOCKER_BUILDKIT     = '1'
         DOCKER_EXPERIMENTAL = '1'
         DOCKER_GRAPHDRIVER  = 'overlay2'
-        APT_MIRROR          = 'cdn-fastly.deb.debian.org'
         CHECK_CONFIG_COMMIT = '33a3680e08d1007e72c3b3f1454f823d8e9948ee'
         TESTDEBUG           = '0'
         TIMEOUT             = '120m'
@@ -78,7 +77,7 @@ pipeline {
                         stage("Build dev image") {
                             steps {
                                 sh '''
-                                docker build --force-rm --build-arg APT_MIRROR -t docker:${GIT_COMMIT} .
+                                docker build --force-rm -t docker:${GIT_COMMIT} .
                                 '''
                             }
                         }
@@ -191,7 +190,7 @@ pipeline {
                         stage("Build dev image") {
                             steps {
                                 sh '''
-                                docker build --force-rm --build-arg APT_MIRROR -t docker:${GIT_COMMIT} .
+                                docker build --force-rm -t docker:${GIT_COMMIT} .
                                 '''
                             }
                         }
@@ -278,7 +277,7 @@ pipeline {
                         stage("Build dev image") {
                             steps {
                                 sh '''
-                                docker buildx build --load --force-rm --build-arg APT_MIRROR -t docker:${GIT_COMMIT} .
+                                docker buildx build --load --force-rm -t docker:${GIT_COMMIT} .
                                 '''
                             }
                         }
@@ -391,7 +390,7 @@ pipeline {
                         stage("Build dev image") {
                             steps {
                                 sh '''
-                                docker buildx build --load --force-rm --build-arg APT_MIRROR -t docker:${GIT_COMMIT} .
+                                docker buildx build --load --force-rm -t docker:${GIT_COMMIT} .
                                 '''
                             }
                         }
@@ -476,7 +475,7 @@ pipeline {
                         }
                         stage("Build dev image") {
                             steps {
-                                sh 'docker build --force-rm --build-arg APT_MIRROR -t docker:${GIT_COMMIT} .'
+                                sh 'docker build --force-rm -t docker:${GIT_COMMIT} .'
                             }
                         }
                         stage("Unit tests") {
diff --git a/Makefile b/Makefile
index 17aebbd26c..aa17453699 100644
--- a/Makefile
+++ b/Makefile
@@ -140,6 +140,7 @@ endif
 DOCKER_RUN_DOCKER := $(DOCKER_FLAGS) "$(DOCKER_IMAGE)"
 
 DOCKER_BUILD_ARGS += --build-arg=GO_VERSION
+DOCKER_BUILD_ARGS += --build-arg=APT_MIRROR
 DOCKER_BUILD_ARGS += --build-arg=DOCKERCLI_VERSION
 DOCKER_BUILD_ARGS += --build-arg=DOCKERCLI_REPOSITORY
 DOCKER_BUILD_ARGS += --build-arg=DOCKERCLI_INTEGRATION_VERSION
diff --git a/docker-bake.hcl b/docker-bake.hcl
index 0eb078aebc..3d9675f184 100644
--- a/docker-bake.hcl
+++ b/docker-bake.hcl
@@ -1,5 +1,5 @@
 variable "APT_MIRROR" {
-  default = "cdn-fastly.deb.debian.org"
+  default = ""
 }
 variable "DOCKER_DEBUG" {
   default = ""
diff --git a/hack/dockerfile/cli.sh b/hack/dockerfile/cli.sh
index f821994650..9482736e55 100755
--- a/hack/dockerfile/cli.sh
+++ b/hack/dockerfile/cli.sh
@@ -9,7 +9,7 @@ DOWNLOAD_URL="https://download.docker.com/linux/static/stable/$(xx-info march)/d
 
 mkdir "$outdir"
 if curl --head --silent --fail "${DOWNLOAD_URL}" 1> /dev/null 2>&1; then
-	curl -Ls "${DOWNLOAD_URL}" | tar -xz docker/docker
+	curl -fsSL "${DOWNLOAD_URL}" | tar -xz docker/docker
 	mv docker/docker "${outdir}/docker"
 else
 	git init -q .