it seemed to also be causing some non-determinism when deploying to crappy ideally i would seal the whole nix build, by only evaluating all this config *after* building 'sane-nix-files'