diff --git a/.bazelrc b/.bazelrc
index d69208d7f..b4c4eb336 100644
--- a/.bazelrc
+++ b/.bazelrc
@@ -39,6 +39,11 @@ common:linux_arm64 --platforms @zig_sdk//libc_aware/platform:linux_arm64_gnu.2.2
 common:linux_amd64_static --platforms @zig_sdk//libc_aware/platform:linux_amd64_musl
 common:linux_arm64_static --platforms @zig_sdk//libc_aware/platform:linux_arm64_musl
 
+# bazel configs to explicitly target NixOS
+common:nix --host_platform=@io_tweag_rules_nixpkgs//nixpkgs/platforms:host
+common:nix --crosstool_top=@local_config_cc//:toolchain
+common:nix --action_env=BAZEL_NIX_HOST_PLATFORM=1
+
 # bazel config to explicitly disable stamping (hide version information at build time)
 common:nostamp --nostamp --workspace_status_command=
 
diff --git a/WORKSPACE.bazel b/WORKSPACE.bazel
index 0d2272e4e..21e604021 100644
--- a/WORKSPACE.bazel
+++ b/WORKSPACE.bazel
@@ -1,5 +1,9 @@
 workspace(name = "constellation")
 
+load("//bazel/toolchains:skylib_deps.bzl", "skylib_deps")
+
+skylib_deps()
+
 # nixpkgs deps
 load("//bazel/toolchains:nixpkgs_deps.bzl", "nixpkgs_deps")
 
@@ -9,7 +13,13 @@ load("@io_tweag_rules_nixpkgs//nixpkgs:repositories.bzl", "rules_nixpkgs_depende
 
 rules_nixpkgs_dependencies()
 
-load("@io_tweag_rules_nixpkgs//nixpkgs:nixpkgs.bzl", "nixpkgs_flake_package")
+load("@io_tweag_rules_nixpkgs//nixpkgs:nixpkgs.bzl", "nixpkgs_flake_package", "nixpkgs_git_repository", "nixpkgs_package", "nixpkgs_python_configure")
+
+nixpkgs_git_repository(
+    name = "nixpkgs",
+    revision = "27c6a38e0aa2e57ab914ad8b500582085549c236",
+    sha256 = "875c2e171ab9663ff6ad2b5c75d974776682b3b4075143fc98d73c39a3b8c132",
+)
 
 nixpkgs_flake_package(
     name = "mkosi",
@@ -18,9 +28,19 @@ nixpkgs_flake_package(
     package = "mkosi",
 )
 
+nixpkgs_package(
+    name = "diffutils",
+    repository = "@nixpkgs",
+)
+
+nixpkgs_package(
+    name = "systemd",
+    repository = "@nixpkgs",
+)
+
 load("//bazel/mkosi:mkosi_configure.bzl", "find_system_mkosi")
 
-find_system_mkosi(name="constellation_mkosi")
+find_system_mkosi(name = "constellation_mkosi")
 
 # Python toolchain
 load("//bazel/toolchains:python_deps.bzl", "python_deps")
@@ -31,6 +51,14 @@ load("@rules_python//python:repositories.bzl", "py_repositories", "python_regist
 
 py_repositories()
 
+# if nix is installed, use nixpkgs python toolchain...
+nixpkgs_python_configure(
+    fail_not_supported = False,
+    python3_attribute_path = "python311.withPackages(ps: with ps; [ numpy ])",
+    repository = "@nixpkgs",
+)
+
+# ... otherwise, fall back to rules_python toolchain
 python_register_toolchains(
     name = "python3_11",
     python_version = "3.11",
@@ -41,16 +69,29 @@ load("//bazel/toolchains:go_rules_deps.bzl", "go_deps")
 
 go_deps()
 
-load("@bazel_gazelle//:deps.bzl", "gazelle_dependencies")
-load("@io_bazel_rules_go//go:deps.bzl", "go_register_toolchains", "go_rules_dependencies")
 load("//bazel/toolchains:go_module_deps.bzl", "go_dependencies")
 
 # gazelle:repository_macro bazel/toolchains/go_module_deps.bzl%go_dependencies
 go_dependencies()
 
+load("@io_bazel_rules_go//go:deps.bzl", "go_rules_dependencies")
+
 go_rules_dependencies()
 
-go_register_toolchains(version = "1.20.8")
+local_repository(
+    name = "nixos-support",
+    path = "bazel/nixos-support",
+)
+
+load("@nixos-support//:nixos-support.bzl", "gen_imports")
+
+gen_imports()
+
+load("@nixos_support//:imports.bzl", "cc_toolchain", "go_toolchain")
+
+go_toolchain()
+
+load("@bazel_gazelle//:deps.bzl", "gazelle_dependencies")
 
 gazelle_dependencies(go_repository_default_config = "//:WORKSPACE.bazel")
 
@@ -111,19 +152,7 @@ load("@hermetic_cc_toolchain//toolchain:defs.bzl", zig_toolchains = "toolchains"
 
 zig_toolchains()
 
-register_toolchains(
-    "@zig_sdk//libc_aware/toolchain:linux_amd64_gnu.2.23",
-    "@zig_sdk//libc_aware/toolchain:linux_arm64_gnu.2.23",
-    "@zig_sdk//libc_aware/toolchain:linux_amd64_musl",
-    "@zig_sdk//libc_aware/toolchain:linux_arm64_musl",
-    "@zig_sdk//toolchain:linux_amd64_gnu.2.23",
-    "@zig_sdk//toolchain:linux_arm64_gnu.2.23",
-    "@zig_sdk//toolchain:linux_amd64_musl",
-    "@zig_sdk//toolchain:linux_arm64_musl",
-    "@zig_sdk//toolchain:darwin_amd64",
-    "@zig_sdk//toolchain:darwin_arm64",
-    "@zig_sdk//toolchain:windows_amd64",
-)
+cc_toolchain()
 
 load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
 
diff --git a/bazel/ci/BUILD.bazel b/bazel/ci/BUILD.bazel
index 25bbc5fd1..e7484c8c2 100644
--- a/bazel/ci/BUILD.bazel
+++ b/bazel/ci/BUILD.bazel
@@ -398,7 +398,18 @@ repo_command(
 
 sh_template(
     name = "proto_targets_check",
-    data = [],
+    data = select({
+        "@rules_nixpkgs_core//constraints:support_nix": [
+            "@diffutils//:bin/diff",
+        ],
+        "//conditions:default": [],
+    }),
+    env = select({
+        "@rules_nixpkgs_core//constraints:support_nix": {
+            "DIFF": "$(rootpath @diffutils//:bin/diff)",
+        },
+        "//conditions:default": {},
+    }),
     substitutions = {
         "@@PROTO_TARGETS@@": " ".join(proto_targets()),
     },
diff --git a/bazel/ci/proto_targets_check.sh.in b/bazel/ci/proto_targets_check.sh.in
index 39c0c82c8..6184690f2 100644
--- a/bazel/ci/proto_targets_check.sh.in
+++ b/bazel/ci/proto_targets_check.sh.in
@@ -5,6 +5,13 @@
 lib=$(realpath @@BASE_LIB@@) || exit 1
 stat "${lib}" >> /dev/null || exit 1
 
+if [[ -n ${DIFF+x} ]]; then
+  diff=$(realpath "${DIFF}") || exit 1
+else
+  diff=$(command -v diff) || exit 1
+fi
+stat "${diff}" >> /dev/null || exit 1
+
 # shellcheck source=../sh/lib.bash
 if ! source "${lib}"; then
   echo "Error: could not find import"
@@ -47,7 +54,7 @@ done
 protoFilePathsSorted=$(printf '%s\n' "${protoFilePaths[@]}" | sort)
 writeGoProtoPathsSorted=$(printf '%s\n' "${writeGoProtoPaths[@]}" | sort)
 
-diff=$(diff <(echo "${protoFilePathsSorted}") <(echo "${writeGoProtoPathsSorted}") || true) # don't let diff fail
+diff=$($diff <(echo "${protoFilePathsSorted}") <(echo "${writeGoProtoPathsSorted}") || true) # don't let diff fail
 
 if [[ -n ${diff} ]]; then
   echo "Mismatch between proto files and 'write_go_proto_srcs' calls:"
diff --git a/bazel/nixos-support/BUILD.bazel b/bazel/nixos-support/BUILD.bazel
new file mode 100644
index 000000000..e69de29bb
diff --git a/bazel/nixos-support/WORKSPACE.bazel b/bazel/nixos-support/WORKSPACE.bazel
new file mode 100644
index 000000000..e69de29bb
diff --git a/bazel/nixos-support/nixos-support.bzl b/bazel/nixos-support/nixos-support.bzl
new file mode 100644
index 000000000..36cf719b9
--- /dev/null
+++ b/bazel/nixos-support/nixos-support.bzl
@@ -0,0 +1,66 @@
+""" A repository rule use either nixpkgs or download a go toolchain / SDK """
+
+def _has_nix(ctx):
+    return ctx.os.environ.get("BAZEL_NIX_HOST_PLATFORM", "0") == "1"
+
+def _gen_imports_impl(ctx):
+    ctx.file("BUILD", "")
+
+    imports_for_nix = """
+load("@io_tweag_rules_nixpkgs//nixpkgs:nixpkgs.bzl", "nixpkgs_cc_configure")
+load("@io_tweag_rules_nixpkgs//nixpkgs:toolchains/go.bzl", "nixpkgs_go_configure")
+
+def go_toolchain():
+    nixpkgs_go_configure(repository = "@nixpkgs")
+
+def cc_toolchain():
+    nixpkgs_cc_configure(repository = "@nixpkgs")
+    native.register_toolchains(
+        "@zig_sdk//libc_aware/toolchain:linux_amd64_gnu.2.23",
+        "@zig_sdk//libc_aware/toolchain:linux_arm64_gnu.2.23",
+        "@zig_sdk//libc_aware/toolchain:linux_amd64_musl",
+        "@zig_sdk//libc_aware/toolchain:linux_arm64_musl",
+        "@zig_sdk//toolchain:linux_amd64_gnu.2.23",
+        "@zig_sdk//toolchain:linux_arm64_gnu.2.23",
+        "@zig_sdk//toolchain:linux_amd64_musl",
+        "@zig_sdk//toolchain:linux_arm64_musl",
+        "@zig_sdk//toolchain:darwin_amd64",
+        "@zig_sdk//toolchain:darwin_arm64",
+        "@zig_sdk//toolchain:windows_amd64",
+    )
+    """
+    imports_for_non_nix = """
+load("@io_bazel_rules_go//go:deps.bzl", "go_register_toolchains")
+
+def go_toolchain():
+    go_register_toolchains(version = "1.20.8")
+
+def cc_toolchain():
+    native.register_toolchains(
+        "@zig_sdk//libc_aware/toolchain:linux_amd64_gnu.2.23",
+        "@zig_sdk//libc_aware/toolchain:linux_arm64_gnu.2.23",
+        "@zig_sdk//libc_aware/toolchain:linux_amd64_musl",
+        "@zig_sdk//libc_aware/toolchain:linux_arm64_musl",
+        "@zig_sdk//toolchain:linux_amd64_gnu.2.23",
+        "@zig_sdk//toolchain:linux_arm64_gnu.2.23",
+        "@zig_sdk//toolchain:linux_amd64_musl",
+        "@zig_sdk//toolchain:linux_arm64_musl",
+        "@zig_sdk//toolchain:darwin_amd64",
+        "@zig_sdk//toolchain:darwin_arm64",
+        "@zig_sdk//toolchain:windows_amd64",
+    )
+    """
+
+    if _has_nix(ctx):
+        ctx.file("imports.bzl", imports_for_nix)
+    else:
+        ctx.file("imports.bzl", imports_for_non_nix)
+
+_gen_imports = repository_rule(
+    implementation = _gen_imports_impl,
+)
+
+def gen_imports():
+    _gen_imports(
+        name = "nixos_support",
+    )
diff --git a/bazel/proto/rules.bzl b/bazel/proto/rules.bzl
index 07e0136bf..da73d5f72 100644
--- a/bazel/proto/rules.bzl
+++ b/bazel/proto/rules.bzl
@@ -83,5 +83,6 @@ def write_go_proto_srcs(name, go_proto_library, src, visibility = None):
         files = {
             src: generated_src,
         },
+        diff_test = False,
         visibility = visibility,
     )
diff --git a/bazel/sh/def.bzl b/bazel/sh/def.bzl
index 18e0a8074..5f2129017 100644
--- a/bazel/sh/def.bzl
+++ b/bazel/sh/def.bzl
@@ -5,7 +5,9 @@ load("@bazel_skylib//lib:shell.bzl", "shell")
 def _sh_template_impl(ctx):
     out_file = ctx.actions.declare_file(ctx.label.name + ".bash")
 
-    substitutions = {}
+    substitutions = {
+        "@@BASE_LIB@@": ctx.file._base_lib.path,
+    }
     for k, v in ctx.attr.substitutions.items():
         sub = ctx.expand_location(v, ctx.attr.data)
         sub = ctx.expand_make_variables("substitutions", sub, {})
@@ -21,6 +23,7 @@ def _sh_template_impl(ctx):
     return [DefaultInfo(
         files = depset([out_file]),
         executable = out_file,
+        runfiles = ctx.runfiles(files = ctx.files.data + [ctx.file._base_lib]),
     )]
 
 _sh_template = rule(
@@ -33,6 +36,10 @@ _sh_template = rule(
         "template": attr.label(
             allow_single_file = True,
         ),
+        "_base_lib": attr.label(
+            default = Label("@constellation//bazel/sh:base_lib"),
+            allow_single_file = True,
+        ),
     },
 )
 
@@ -46,10 +53,8 @@ def sh_template(name, **kwargs):
     script_name = name + "-script"
 
     tags = kwargs.get("tags", [])
-    data = kwargs.get("data", [])
-    data.append("//bazel/sh:base_lib")
+    data = kwargs.pop("data", [])
     substitutions = kwargs.pop("substitutions", [])
-    substitutions["@@BASE_LIB@@"] = "$(rootpath //bazel/sh:base_lib)"
     template = kwargs.pop("template", [])
     toolchains = kwargs.pop("toolchains", [])
 
@@ -65,6 +70,7 @@ def sh_template(name, **kwargs):
     native.sh_binary(
         name = name,
         srcs = [script_name],
+        data = [script_name] + data,
         **kwargs
     )
 
@@ -78,10 +84,8 @@ def sh_test_template(name, **kwargs):
     script_name = name + "-script"
 
     tags = kwargs.get("tags", [])
-    data = kwargs.get("data", [])
-    data.append("//bazel/sh:base_lib")
+    data = kwargs.pop("data", [])
     substitutions = kwargs.pop("substitutions", [])
-    substitutions["@@BASE_LIB@@"] = "$(rootpath //bazel/sh:base_lib)"
     template = kwargs.pop("template", [])
 
     _sh_template(
@@ -95,6 +99,7 @@ def sh_test_template(name, **kwargs):
     native.sh_test(
         name = name,
         srcs = [script_name],
+        data = [script_name] + data,
         **kwargs
     )
 
diff --git a/bazel/toolchains/hermetic_cc_deps.bzl b/bazel/toolchains/hermetic_cc_deps.bzl
index b838b500f..e1072db14 100644
--- a/bazel/toolchains/hermetic_cc_deps.bzl
+++ b/bazel/toolchains/hermetic_cc_deps.bzl
@@ -5,17 +5,6 @@ load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
 def hermetic_cc_deps():
     """Loads the dependencies for hermetic_cc_toolchain."""
 
-    http_archive(
-        name = "bazel_skylib",
-        sha256 = "66ffd9315665bfaafc96b52278f57c7e2dd09f5ede279ea6d39b2be471e7e3aa",
-        urls = [
-            "https://mirror.bazel.build/github.com/bazelbuild/bazel-skylib/releases/download/1.4.2/bazel-skylib-1.4.2.tar.gz",
-            "https://cdn.confidential.cloud/constellation/cas/sha256/66ffd9315665bfaafc96b52278f57c7e2dd09f5ede279ea6d39b2be471e7e3aa",
-            "https://github.com/bazelbuild/bazel-skylib/releases/download/1.4.2/bazel-skylib-1.4.2.tar.gz",
-        ],
-        type = "tar.gz",
-    )
-
     http_archive(
         name = "hermetic_cc_toolchain",
         urls = [
diff --git a/bazel/toolchains/skylib_deps.bzl b/bazel/toolchains/skylib_deps.bzl
new file mode 100644
index 000000000..24a8da556
--- /dev/null
+++ b/bazel/toolchains/skylib_deps.bzl
@@ -0,0 +1,15 @@
+"""bazel skylib"""
+
+load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
+
+def skylib_deps():
+    http_archive(
+        name = "bazel_skylib",
+        sha256 = "66ffd9315665bfaafc96b52278f57c7e2dd09f5ede279ea6d39b2be471e7e3aa",
+        urls = [
+            "https://mirror.bazel.build/github.com/bazelbuild/bazel-skylib/releases/download/1.4.2/bazel-skylib-1.4.2.tar.gz",
+            "https://cdn.confidential.cloud/constellation/cas/sha256/66ffd9315665bfaafc96b52278f57c7e2dd09f5ede279ea6d39b2be471e7e3aa",
+            "https://github.com/bazelbuild/bazel-skylib/releases/download/1.4.2/bazel-skylib-1.4.2.tar.gz",
+        ],
+        type = "tar.gz",
+    )