diff --git a/Makefile b/Makefile
index 4258d9178..7b622126e 100644
--- a/Makefile
+++ b/Makefile
@@ -84,8 +84,9 @@ $(error No goals specified)
 endif
 
 # usage: make deploy system=foo [target=bar]
+# usage: make install system=foo target=bar
 # usage: make test system=foo target=bar
-deploy test:
+deploy install test:
 ifdef target
 	nix-shell --run '$@ --system=$(system) --target=$(target)'
 else
@@ -112,15 +113,3 @@ pkgs.%:;@$(call build,$@)
 # usage: make LOGNAME=krebs system=wolf eval.config.krebs.build.host.name
 eval eval.:;@$(call evaluate,$${expr-eval})
 eval.%:;@$(call evaluate,$@)
-
-# usage: make install system=foo [target_host=bar]
-install: ssh ?= ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null
-install:
-	$(ssh) $(target_user)@$(target_host) -p $(target_port) \
-		env target_path=$(target_path) \
-			sh -s prepare < krebs/4lib/infest/prepare.sh
-	$(MAKE) populate target_path=/mnt$(target_path)
-	$(ssh) $(target_user)@$(target_host) -p $(target_port) \
-		env NIXOS_CONFIG=$(target_path)/nixos-config \
-				STOCKHOLM_VERSION="$$STOCKHOLM_VERSION" \
-			nixos-install
diff --git a/krebs/4lib/infest/prepare.sh b/krebs/4lib/infest/prepare.sh
index d39aca348..ccfc4f49b 100644
--- a/krebs/4lib/infest/prepare.sh
+++ b/krebs/4lib/infest/prepare.sh
@@ -1,8 +1,8 @@
 #! /bin/sh
 set -efu
 
-nix_url=https://nixos.org/releases/nix/nix-1.10/nix-1.10-x86_64-linux.tar.bz2
-nix_sha256=504f7a3a85fceffb8766ae5e1005de9e02e489742f5a63cc3e7552120b138bf4
+nix_url=https://nixos.org/releases/nix/nix-1.11.13/nix-1.11.13-x86_64-linux.tar.bz2
+nix_sha256=c11411d52d8ad1ce3a68410015487282fd4651d3abefbbb13fa1f7803a2f60de
 
 prepare() {(
   if test -e /etc/os-release; then
@@ -14,10 +14,6 @@ prepare() {(
         ;;
       centos)
         case $VERSION_ID in
-          6)
-            prepare_centos "$@"
-            exit
-            ;;
           7)
             prepare_centos "$@"
             exit
@@ -51,13 +47,6 @@ prepare() {(
         esac
         ;;
     esac
-  elif test -e /etc/centos-release; then
-    case $(cat /etc/centos-release) in
-      'CentOS release 6.5 (Final)')
-        prepare_centos "$@"
-        exit
-        ;;
-    esac
   fi
   echo "$0 prepare: unknown OS" >&2
   exit -1
@@ -217,7 +206,7 @@ prepare_common() {(
   mkdir -p bin
   rm -f bin/nixos-install
   cp "$(type -p nixos-install)" bin/nixos-install
-  sed -i "s@^NIX_PATH=\"[^\"]*\"@NIX_PATH=$target_path@" bin/nixos-install
+  sed -i "s@NIX_PATH=\"[^\"]*\"@NIX_PATH=$target_path@" bin/nixos-install
 
   if ! grep -q '^PATH.*#krebs' .bashrc; then
     echo '. /root/.nix-profile/etc/profile.d/nix.sh' >> .bashrc
diff --git a/krebs/5pkgs/writers.nix b/krebs/5pkgs/writers.nix
index 49ca3557e..f1626078e 100644
--- a/krebs/5pkgs/writers.nix
+++ b/krebs/5pkgs/writers.nix
@@ -144,9 +144,14 @@ with import <stockholm/lib>;
 
       env = filevars // { passAsFile = attrNames filevars; };
     in
+      # Use a subshell because <nixpkgs/stdenv/generic/setup.sh>'s genericBuild
+      # sources (or evaluates) the buildCommand and we don't want to modify its
+      # shell.  In particular, exitHandler breaks in multiple ways with set -u.
       pkgs.runCommand name env /* sh */ ''
-        set -efu
-        ${concatMapStringsSep "\n" (getAttr "install") files}
+        (
+          set -efu
+          ${concatMapStringsSep "\n" (getAttr "install") files}
+        )
       '';
 
     writeHaskell =
diff --git a/shell.nix b/shell.nix
index 2973d4c51..fda48a1a7 100644
--- a/shell.nix
+++ b/shell.nix
@@ -15,10 +15,52 @@ let
     \test -n "''${target-}" || target=$system
     \test -n "''${user-}" || user=$LOGNAME
     . ${init.env}
+    . ${init.proxy}
 
     exec ${utils.deploy}
   '';
 
+  # usage: install [--user=USER] --system=SYSTEM --target=TARGET
+  cmds.install = pkgs.writeBash "cmds.install" ''
+    set -efu
+
+    command=install
+    . ${init.args}
+    \test -n "''${user-}" || user=$LOGNAME
+    . ${init.env}
+
+    if \test "''${using_proxy-}" != true; then
+      ${pkgs.openssh}/bin/ssh \
+          -o StrictHostKeyChecking=no \
+          -o UserKnownHostsFile=/dev/null \
+          "$target_user@$target_host" -p "$target_port" \
+          env target_path=$(quote "$target_path") \
+              sh -s prepare < ${./krebs/4lib/infest/prepare.sh}
+              # TODO inline prepare.sh?
+    fi
+
+    . ${init.proxy}
+
+    # Reset PATH because we need access to nixos-install.
+    # TODO provide nixos-install instead of relying on prepare.sh
+    export PATH="$OLD_PATH"
+
+    # these variables get defined by nix-shell (i.e. nix-build) from
+    # XDG_RUNTIME_DIR and reference the wrong directory (/run/user/0),
+    # which only exists on / and not at /mnt.
+    export NIX_BUILD_TOP=/tmp
+    export TEMPDIR=/tmp
+    export TEMP=/tmp
+    export TMPDIR=/tmp
+    export TMP=/tmp
+    export XDG_RUNTIME_DIR=/tmp
+
+    export NIXOS_CONFIG="$target_path/nixos-config"
+
+    cd
+    exec nixos-install
+  '';
+
   # usage: test [--user=USER] --system=SYSTEM --target=TARGET
   cmds.test = pkgs.writeDash "cmds.test" /* sh */ ''
     set -efu
@@ -29,6 +71,7 @@ let
     . ${init.args}
     \test -n "''${user-}" || user=$LOGNAME
     . ${init.env}
+    . ${init.proxy}
 
     exec ${utils.build} config.system.build.toplevel
   '';
@@ -114,9 +157,6 @@ let
   '';
 
   init.env = pkgs.writeText "init.env" /* sh */ ''
-    source=''${source-$user/1systems/$system/source.nix}
-
-    export source
     export system
     export target
     export user
@@ -129,38 +169,31 @@ let
     export target_port="$(echo $target_object | ${pkgs.jq}/bin/jq -r .port)"
     export target_path="$(echo $target_object | ${pkgs.jq}/bin/jq -r .path)"
     export target_local="$(echo $target_object | ${pkgs.jq}/bin/jq -r .local)"
+  '';
 
+  init.proxy = pkgs.writeText "init.proxy" /* sh */ ''
     if \test "''${using_proxy-}" != true; then
-      ${init.env.populate}
+
+      source_file=$user/1systems/$system/source.nix
+      source=$(get-source "$source_file")
+      qualified_target=$target_user@$target_host:$target_port$target_path
+      echo "$source" | populate "$qualified_target"
+
       if \test "$target_local" != true; then
-        exec ${init.env.proxy} "$command" "$@"
+        exec ${pkgs.openssh}/bin/ssh \
+            "$target_user@$target_host" -p "$target_port" \
+            cd "$target_path/stockholm" \; \
+            NIX_PATH=$(quote "$target_path") \
+            STOCKHOLM_VERSION=$(quote "$STOCKHOLM_VERSION") \
+            nix-shell --run "$(quote "
+              system=$(quote "$system") \
+              target=$(quote "$target") \
+              using_proxy=true \
+              $(quote "$command" "$@")
+            ")"
       fi
     fi
-  '' // {
-    populate = pkgs.writeDash "init.env.populate" ''
-      set -efu
-      _source=$(get-source "$source")
-      echo $_source |
-      ${pkgs.populate}/bin/populate \
-          "$target_user@$target_host:$target_port$target_path" \
-        >&2
-      unset _source
-    '';
-    proxy = pkgs.writeDash "init.env.proxy" ''
-      set -efu
-      exec ${pkgs.openssh}/bin/ssh \
-        "$target_user@$target_host" -p "$target_port" \
-        cd "$target_path/stockholm" \; \
-        NIX_PATH=$(quote "$target_path") \
-        STOCKHOLM_VERSION=$(quote "$STOCKHOLM_VERSION") \
-        nix-shell --run "$(quote "
-          system=$(quote "$system") \
-          target=$(quote "$target") \
-          using_proxy=true \
-          $(quote "$@")
-        ")"
-    '';
-  };
+  '';
 
   utils.build = pkgs.writeDash "utils.build" ''
     set -efu
@@ -201,9 +234,13 @@ let
 in pkgs.stdenv.mkDerivation {
   name = "stockholm";
   shellHook = /* sh */ ''
+    export OLD_PATH="$PATH"
     export NIX_PATH=stockholm=$PWD:nixpkgs=${toString <nixpkgs>}
-    export NIX_REMOTE=daemon
+    if test -e /nix/var/nix/daemon-socket/socket; then
+      export NIX_REMOTE=daemon
+    fi
     export PATH=${lib.makeBinPath [
+      pkgs.populate
       shell.cmdspkg
     ]}