Currently NIX_PATH is hardcoded to secrets=/var/src/stockholm/null:/var/src in krebs/3modules/ci.nix. This is suboptimal since it will use the nixpkgs version of the root system. But we need a root nixpkgs from somewhere, so what should we do?