diff --git a/{{cookiecutter.project_slug}}/.gitlab-ci.yml b/{{cookiecutter.project_slug}}/.gitlab-ci.yml
index 9e8db04f8c7f9b344285d7ba239cce8fb6653039..37ce832504697454598b5f6033e3d6d10932bd7d 100644
--- a/{{cookiecutter.project_slug}}/.gitlab-ci.yml
+++ b/{{cookiecutter.project_slug}}/.gitlab-ci.yml
@@ -101,7 +101,6 @@ run_unit_tests_coverage:
 
 package_files:
   stage: package
-  image: docker
   tags:
     - dind
   artifacts:
@@ -109,8 +108,7 @@ package_files:
     paths:
       - dist/*
   script:
-#    - curl -sSL https://get.docker.com/ | sh
-#    - python -m pip install cibuildwheel==2.13.1 cookiecutter
+    - source scripts/setup-docker-host.sh
     - cibuildwheel --platform linux --output-dir dist
 
 package_docs:
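Review bot: The new step `- source scripts/setup-docker-host.sh` uses `source`, which is a bash builtin and not POSIX, while the script it loads declares `#!/bin/sh`. If the job ever runs in an image where the runner falls back to plain `sh`, the step fails before `cibuildwheel` starts. The portable spelling is `- . scripts/setup-docker-host.sh`. With `image: docker` removed in the previous hunk, the job presumably inherits a default image defined outside this diff, and that image must provide both the docker client and `cibuildwheel`. A short comment above `script:` naming that image would make the dependency visible.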
diff --git a/{{cookiecutter.project_slug}}/docker/ci-runner/Dockerfile b/{{cookiecutter.project_slug}}/docker/ci-runner/Dockerfile
index 54b2c9c4fe345ccda7c44daee6c754f52358cfac..e9aa9c7f7d25b9847af3a2df5b708f084bd6bd5d 100644
--- a/{{cookiecutter.project_slug}}/docker/ci-runner/Dockerfile
+++ b/{{cookiecutter.project_slug}}/docker/ci-runner/Dockerfile
@@ -2,3 +2,4 @@ FROM python:3.11
 
 RUN python -m pip install --upgrade pip
 RUN pip install --upgrade tox twine cibuildwheel==2.13.1
+RUN curl -sSL https://get.docker.com/ | sh
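Review bot: The added `RUN curl -sSL https://get.docker.com/ | sh` runs whatever that URL serves at build time as root, with no version pin or integrity check, so the CI runner image is not reproducible and its Docker install cannot be audited from the Dockerfile. Without `-f`, an HTTP error body is also piped into `sh`, and the pipe hides a curl failure from the build. The `package_files` job appears to talk to a separate dind daemon, so probably only the client is needed. Consider taking it from a pinned official image, e.g. `COPY --from=docker:<pinned-tag>-cli /usr/local/bin/docker /usr/local/bin/docker`, or installing a pinned `docker-ce-cli` package from Docker's apt repository with its signing key verified.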
diff --git a/{{cookiecutter.project_slug}}/scripts/setup-docker-host.sh b/{{cookiecutter.project_slug}}/scripts/setup-docker-host.sh
new file mode 100755
index 0000000000000000000000000000000000000000..c535da08985c97b358adec2ecaf0f1979a80e1db
--- /dev/null
+++ b/{{cookiecutter.project_slug}}/scripts/setup-docker-host.sh
@@ -0,0 +1,32 @@
+#!/bin/sh
+
+_should_tls() {
+	[ -n "${DOCKER_TLS_CERTDIR:-}" ] \
+	&& [ -s "$DOCKER_TLS_CERTDIR/client/ca.pem" ] \
+	&& [ -s "$DOCKER_TLS_CERTDIR/client/cert.pem" ] \
+	&& [ -s "$DOCKER_TLS_CERTDIR/client/key.pem" ]
+}
+
+# if we have no DOCKER_HOST but we do have the default Unix socket (standard or rootless), use it explicitly
+if [ -z "${DOCKER_HOST:-}" ] && [ -S /var/run/docker.sock ]; then
+	export DOCKER_HOST=unix:///var/run/docker.sock
+elif [ -z "${DOCKER_HOST:-}" ] && XDG_RUNTIME_DIR="${XDG_RUNTIME_DIR:-/run/user/$(id -u)}" && [ -S "$XDG_RUNTIME_DIR/docker.sock" ]; then
+	export DOCKER_HOST="unix://$XDG_RUNTIME_DIR/docker.sock"
+fi
+
+# if DOCKER_HOST isn't set (no custom setting, no default socket), let's set it to a sane remote value
+if [ -z "${DOCKER_HOST:-}" ]; then
+	if _should_tls || [ -n "${DOCKER_TLS_VERIFY:-}" ]; then
+		export DOCKER_HOST='tcp://docker:2376'
+	else
+		export DOCKER_HOST='tcp://docker:2375'
+	fi
+fi
+if [ "${DOCKER_HOST#tcp:}" != "$DOCKER_HOST" ] \
+	&& [ -z "${DOCKER_TLS_VERIFY:-}" ] \
+	&& [ -z "${DOCKER_CERT_PATH:-}" ] \
+	&& _should_tls \
+; then
+	export DOCKER_TLS_VERIFY=1
+	export DOCKER_CERT_PATH="$DOCKER_TLS_CERTDIR/client"
+fi
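Review bot: The `else` branch that sets `export DOCKER_HOST='tcp://docker:2375'` silently selects the conventionally plaintext Docker API port whenever `DOCKER_TLS_CERTDIR` is unset or any of the three client PEM files is missing or empty. A misconfigured certificate volume therefore downgrades the job to an unencrypted daemon connection, or fails later with an unrelated-looking error, and nothing in the log says why. Access to the daemon socket is effectively root on the dind host, so make the downgrade visible by adding `echo 'setup-docker-host: no TLS client certs found, using plaintext tcp://docker:2375' >&2` before that export, or by returning non-zero unless an explicit opt-in variable is set. The file is also meant to be sourced rather than executed, since it only exports variables, so a header comment such as `# Source this file; it exports DOCKER_HOST / DOCKER_TLS_VERIFY / DOCKER_CERT_PATH for the calling shell.` would prevent someone running it as a subprocess and losing the settings.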