Decide on and document some basic guarantees on Nixery containers

[flokli]

Spun out of #132 (comment)

Right now we add cacert and iana-etc from nixpkgs into every image (see builder/builder.go).

We sometimes add a /usr/bin/env symlink (if coreutils is part of the container), should will become available in nixpkgs as dockerTools.usrBinEnv.

Maybe we also should add dockerTools.{binSh,fakeNss} too, to add /bin/sh, and workaround some annoying nss-related problems.

Related, we might want to set the SSL_CERT_FILE environment variable to pkgs.cacert.out}/etc/ssl/certs/ca-bundle.crt to fix #101.

Once we agree on this, we should document all this, so people know what they can expect from these containers.