diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 11d02b30fb09b2f36761f1b56a1cb59192548528..16e101f7715a78b36963ce22ed9bcb57a45e2dc9 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -15,25 +15,25 @@ workflow:
       variables:
         TAG: $CI_COMMIT_REF_SLUG
 
-before_script:
-  - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
-
-build/build-legacy:
+.build-common:
   stage: build
-  variables:
-    BASE_CONTAINER: quay.io/pypa/manylinux1_x86_64
   before_script:
-    - echo "FROM ${BASE_CONTAINER}\n\n" <(dockerfile_template.txt) > Dockerfile
+    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
+    - cat <(echo "FROM $BASE_IMAGE") dockerfile.template > Dockerfile
+    - cat Dockerfile
   script:
-    - docker build --compress -t "${CI_REGISTRY_IMAGE}_legacy:${TAG}" .
-    - docker push "${CI_REGISTRY_IMAGE}_legacy:${TAG}"
+    - docker build --compress -t "${CI_REGISTRY_IMAGE}:${TAG_SLUG}" .
+    - docker push "${CI_REGISTRY_IMAGE}:${TAG_SLUG}"
+
+build/build-legacy:
+  extends: .build-common
+  variables:
+    TAG_SLUG: ${TAG}_legacy
+    BASE_IMAGE: quay.io/pypa/manylinux1_x86_64
+    
     
 build/build-modern:
-  stage: build
+  extends: .build-common
   variables:
-    BASE_CONTAINER: quay.io/pypa/manylinux_2_28_x86_64
-  before_script:
-    - echo "FROM ${BASE_CONTAINER}\n\n" <(dockerfile_template.txt) > Dockerfile
-  script:
-    - docker build --compress -t "${CI_REGISTRY_IMAGE}:${TAG}" .
-    - docker push "${CI_REGISTRY_IMAGE}:${TAG}"
+    TAG_SLUG: ${TAG}
+    BASE_IMAGE: quay.io/pypa/manylinux_2_28_x86_64
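Review bot: The `docker login` line added to `.build-common`'s `before_script` still passes the registry password with `-p`, which exposes it in the process arguments and triggers Docker's own insecure-CLI warning. Prefer `echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"`, which also quotes the registry host. Separately, both `BASE_IMAGE` values (in `build/build-legacy` and `build/build-modern`) name the quay.io images without a tag or digest, so each run builds and pushes on top of whatever the registry serves at that moment. Pinning them in the form `quay.io/pypa/manylinux_2_28_x86_64@sha256:<digest>` (placeholder digest) would make the builds reproducible and the base layer auditable.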
diff --git a/Dockerfile b/dockerfile.template
similarity index 75%
rename from Dockerfile
rename to dockerfile.template
index 07f888c0f0ba374366c1bb044a7dca8a578153ee..59f8532a3adf36b4cf0508dafa35d9abe78382ba 100644
--- a/Dockerfile
+++ b/dockerfile.template
@@ -1,6 +1,4 @@
-FROM quay.io/pypa/manylinux_2_28_x86_64
-# the above seems to be THE newest, as of 8/21/22
-# FROM quay.io/pypa/manylinux2014_x86_64
+# FROM $BASE_IMAGE   ### this is coming from external scripts
 
 # inject files
 COPY . /io
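Review bot: With the `FROM` line reduced to a comment, `dockerfile.template` is no longer a valid Dockerfile on its own, so linters and image scanners that read the file cannot see the base image, and a local build needs the CI concatenation step. Docker accepts an `ARG` before `FROM`, so the file could keep `ARG BASE_IMAGE` followed by `FROM ${BASE_IMAGE}`, and the job could pass `--build-arg BASE_IMAGE="$BASE_IMAGE"` to `docker build`. That would also remove the dependency on `cat <(echo …)`, which needs a shell with process substitution; whether the runner's shell provides it is not visible here. The rest of the file continues outside the hunk.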