We have root on CircleCI in the docker container. We can't currently shed
them before we get inside the flake app because we can't run `nix build` as
non-root inside the nix container. :/
https://github.com/nix-community/docker-nixpkgs/issues/62

also point nixpkgs-unstable at HEAD of a PR with a cryptography upgrade
I tried just overriding the upgrade into place but it results in infinite
recursion, I suppose because cryptography is a dependency of some of the build
tools and needs extra handling that I don't feel like figuring out for this
short-term hack. Someday the upgrade will land in nixpkgs master and we can
switch back.
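As an added illustration of the workaround described in the note (this is not the project's own flake, and the fork owner, commit SHA and system are placeholders): instead of overriding `cryptography` inside the package set, the `nixpkgs-unstable` flake input itself is pinned to the PR's head commit, so every consumer of `python3Packages.cryptography`, build tools included, resolves to the same upgraded derivation and no per-package override is needed.

```nix
{
  description = "Added example: pin nixpkgs-unstable to a PR head (hypothetical values)";

  inputs = {
    # Placeholder owner/rev: replace with the fork and the HEAD commit of the
    # PR carrying the cryptography bump. Pinning a full SHA (not a branch name)
    # keeps the lock reproducible until the change lands in nixpkgs master.
    nixpkgs-unstable.url = "github:SOME-FORK-OWNER/nixpkgs/0000000000000000000000000000000000000000";
  };

  outputs = { self, nixpkgs-unstable }:
    let
      system = "x86_64-linux";  # assumed CI architecture
      pkgs = import nixpkgs-unstable { inherit system; };
    in {
      # The whole Python set, build tools included, now comes from the pinned
      # tree, so there is no overlay to recurse into.
      packages.${system}.default =
        pkgs.python3.withPackages (ps: [ ps.cryptography ]);

      # Quick check of which cryptography the pin resolved to:
      #   nix eval .#cryptographyVersion
      cryptographyVersion = pkgs.python3Packages.cryptography.version;
    };
}
```

When the upgrade lands upstream, switching back is a one-line change of the input URL to the normal `github:NixOS/nixpkgs/nixpkgs-unstable` branch followed by `nix flake update`.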