But doing this is going to give you a slight headace as most of the package repository in Nix is not checked for reproducible builds and there are no way to guarantee the hashes are actually static.
Right, all builds are dependent on their inputs.
Your inputs determine your outputs.
If your input(s) change, then so does your output.
We are saying the same thing here, I'm just trying to point out this is exactly how docker build works, but rather it is more about what you are willing to put into your docker build.
I think we are talking past each other. I'm just trying to clear up a misconception on how nix works, not anything about the docker portion of what you have written.
In the case of Nix it's addressed by the input. Not the content of the build. It's an important distinction and one Nix also makes.
https://nixos.org/manual/nix/stable/command-ref/new-cli/nix3...
But doing this is going to give you a slight headace as most of the package repository in Nix is not checked for reproducible builds and there are no way to guarantee the hashes are actually static.