This seems like the real answer to this problem. I really like Nix conceptually, but the problem it's being used to solve in this case is already solved by Docker, and using a multistage build with a Distroless stage relies on fewer dependencies, fewer tools, and many fewer lines of config.