diff --git a/ofborg/src/nix.rs b/ofborg/src/nix.rs
index dcae057..fb97ab5 100644
--- a/ofborg/src/nix.rs
+++ b/ofborg/src/nix.rs
@@ -675,7 +675,7 @@ mod tests {
     }
 
     #[test]
-    fn instantiation() {
+    fn instantiation_success() {
         let ret: Result<File, File> = nix().safely(
             Operation::Instantiate,
             passing_eval_path().as_path(),
@@ -693,4 +693,23 @@ mod tests {
             ],
         );
     }
+
+    #[test]
+    fn instantiation_nixpkgs_restricted_mode() {
+        let ret: Result<File, File> = nix().safely(
+            Operation::Instantiate,
+            individual_eval_path().as_path(),
+            vec![String::from("-A"), String::from("nixpkgs-restricted-mode")],
+            true,
+        );
+
+        assert_run(
+            ret,
+            Expect::Fail,
+            vec![
+                "access to path '/fake'",
+                "is forbidden in restricted mode",
+            ],
+        );
+    }
 }
diff --git a/ofborg/src/tasks/massrebuilder.rs b/ofborg/src/tasks/massrebuilder.rs
index 19dc889..ee95b09 100644
--- a/ofborg/src/tasks/massrebuilder.rs
+++ b/ofborg/src/tasks/massrebuilder.rs
@@ -348,6 +348,9 @@ impl<E: stats::SysEvents + 'static> worker::SimpleWorker for MassRebuildWorker<E
                 "nixos-options",
                 nix::Operation::Instantiate,
                 vec![
+                    String::from("--arg"),
+                    String::from("nixpkgs"),
+                    String::from("./."),
                     String::from("./nixos/release.nix"),
                     String::from("-A"),
                     String::from("options"),
@@ -359,6 +362,9 @@ impl<E: stats::SysEvents + 'static> worker::SimpleWorker for MassRebuildWorker<E
                 "nixos-manual",
                 nix::Operation::Instantiate,
                 vec![
+                    String::from("--arg"),
+                    String::from("nixpkgs"),
+                    String::from("./."),
                     String::from("./nixos/release.nix"),
                     String::from("-A"),
                     String::from("manual"),
@@ -370,6 +376,9 @@ impl<E: stats::SysEvents + 'static> worker::SimpleWorker for MassRebuildWorker<E
                 "nixpkgs-manual",
                 nix::Operation::Instantiate,
                 vec![
+                    String::from("--arg"),
+                    String::from("nixpkgs"),
+                    String::from("./."),
                     String::from("./pkgs/top-level/release.nix"),
                     String::from("-A"),
                     String::from("manual"),
@@ -381,6 +390,9 @@ impl<E: stats::SysEvents + 'static> worker::SimpleWorker for MassRebuildWorker<E
                 "nixpkgs-tarball",
                 nix::Operation::Instantiate,
                 vec![
+                    String::from("--arg"),
+                    String::from("nixpkgs"),
+                    String::from("./."),
                     String::from("./pkgs/top-level/release.nix"),
                     String::from("-A"),
                     String::from("tarball"),
@@ -392,6 +404,9 @@ impl<E: stats::SysEvents + 'static> worker::SimpleWorker for MassRebuildWorker<E
                 "nixpkgs-unstable-jobset",
                 nix::Operation::Instantiate,
                 vec![
+                    String::from("--arg"),
+                    String::from("nixpkgs"),
+                    String::from("./."),
                     String::from("./pkgs/top-level/release.nix"),
                     String::from("-A"),
                     String::from("unstable"),
diff --git a/ofborg/test-srcs/eval-mixed-failure/default.nix b/ofborg/test-srcs/eval-mixed-failure/default.nix
index a4f5290..72b8b46 100644
--- a/ofborg/test-srcs/eval-mixed-failure/default.nix
+++ b/ofborg/test-srcs/eval-mixed-failure/default.nix
@@ -1,6 +1,14 @@
 let
+  fetchGit = builtins.fetchGit or (path: assert builtins.trace ''
+    error: access to path '/fake' is forbidden in restricted mode
+  '' false; path);
+
   nix = import <nix/config.nix>;
-in rec {
+in
+
+{ nixpkgs ? fetchGit /fake }:
+
+rec {
   success = derivation {
     name = "success";
     system = builtins.currentSystem;
@@ -28,6 +36,15 @@ in rec {
       "echo this ones cool" ];
   };
 
+  nixpkgs-restricted-mode = derivation {
+    name = "nixpkgs-restricted-mode-fetchgit";
+    system = builtins.currentSystem;
+    builder = nix.shell;
+    args = [
+      "-c"
+      "echo hi; echo ${toString nixpkgs} > $out" ];
+  };
+
   fails-instantiation = assert builtins.trace ''
     You just can't frooble the frozz on this particular system.
   '' false; {};