diff --git a/launch/main.tf b/launch/main.tf
index 70ce25cf..dafc04d2 100644
--- a/launch/main.tf
+++ b/launch/main.tf
@@ -59,10 +59,6 @@ resource "terraform_data" "nixos" {
     # note that absolute paths can cause false positives in triggers,
     # so are generally discouraged in TF.
     working_dir = path.root
-    environment = {
-      # nix path used on build, lets us refer to e.g. nixpkgs like `<nixpkgs>`
-      NIX_PATH = local.nix_path
-    }
     # TODO: refactor back to command="ignoreme" interpreter=concat([]) to protect sensitive data from error logs?
     # TODO: build on target?
     command = <<-EOF
@@ -74,7 +70,8 @@ resource "terraform_data" "nixos" {
         --show-trace
         --expr
         'let
-          os = import <nixpkgs/nixos> {
+          sources = import ../npins;
+          os = import "$${sources.nixpkgs}/nixos" {
             system = "${local.system}";
             configuration = {
               # note interpolations here TF ones
diff --git a/launch/shared.nix b/launch/shared.nix
index 46d6ccc5..46bc94c2 100644
--- a/launch/shared.nix
+++ b/launch/shared.nix
@@ -5,11 +5,12 @@
 }:
 let
   inherit (config.terraform) hostname domain initialUser;
+  sources = import ../npins;
 in
 {
-  imports = [
-    <disko/module.nix>
-    <agenix/modules/age.nix>
+  imports = with sources; [
+    "${disko}/module.nix"
+    "${agenix}/modules/age.nix"
     ../services/fediversity
     ./resource.nix
   ];