diff --git a/nixos/modules/deployment.nix b/nixos/modules/deployment.nix
index db61ba8bdaea0f51ab2d81d11a287658a9a19a2c..2615659519469c9c1c2712382b178bc4fd1c323b 100755
--- a/nixos/modules/deployment.nix
+++ b/nixos/modules/deployment.nix
@@ -11,7 +11,13 @@ let
   # `restrict` means "disable all the things" then `command` means "but
   # enable running this one command" (the client does not have to supply the
   # command; if they authenticate, this is the command that will run).
-  "restrict,command=\"${command} ${gridName}\" ${authorizedKey}";
+  # environment lets us pass an environment variable into the process
+  # started by the given command. It only works because we configured our
+  # sshd to allow this particular variable through. By passing this value,
+  # we can pin nixpkgs in the executed command to the same version
+  # configured for use here. It might be better if we just had a channel
+  # the system could be configured with ... but we don't at the moment.
+  "restrict,environment=\"NIXPKGS_FOR_MORPH=${pkgs.path}\",command=\"${command} ${gridName}\" ${authorizedKey}";
 in {
   options = {
     services.private-storage.deployment.authorizedKey = lib.mkOption {
@@ -44,6 +50,10 @@ in {
     ];
   };
 
+  services.openssh.extraConfig = ''
+    PermitUserEnvironment=NIXPKGS_FOR_MORPH
+  '';
+
   # Create a one-time service that will set up an ssh key that allows the
   # deployment user to authorize as root to perform the system update with
   # `morph deploy`.
diff --git a/nixos/modules/update-deployment b/nixos/modules/update-deployment
index 57af331df3bc862770068345dfeca41976ef8455..306bb882ef98aedeb16c25b150fb00bcd5507ff1 100755
--- a/nixos/modules/update-deployment
+++ b/nixos/modules/update-deployment
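Review bot: The `environment=` option on the new authorized_keys line is what decides which nixpkgs the deploy command evaluates, and the comment does not record why that pin can be trusted: the value is fixed on the server side and sshd has no `AcceptEnv` for this name, so the connecting client cannot substitute its own `NIXPKGS_FOR_MORPH`. `restrict` does not protect against that case, so a later `AcceptEnv` (or a wildcard `AcceptEnv`) in sshd config would likely let the key holder choose the nixpkgs, and therefore the system configuration, that gets built and deployed. I would extend the comment with `# The value is fixed here on the server; never AcceptEnv this variable, or the client could choose the nixpkgs (and so the system) that gets deployed.` Interpolating `${pkgs.path}` into the string also appears to make the whole nixpkgs source tree a store dependency of the generated authorized_keys on the target host, which is worth a note if closure size matters. `pkgs` must be bound in the module's argument set, which lies outside this hunk.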
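Review bot: `PermitUserEnvironment` is a global sshd option that cannot be placed in a `Match` block, so the `extraConfig` line does more than the comment in the hunk above it suggests: for every account on the host, sshd will now honour `NIXPKGS_FOR_MORPH` from `~/.ssh/environment` and from `environment=` options in that account's authorized_keys, not only from the deployment key. Restricting it to a single variable name keeps the usual LD_PRELOAD/PATH-style concern out, but that reasoning belongs next to the option: `# Global (sshd has no per-user form of this); limited to one variable name so no loader or PATH variable can be injected.` Separately, sshd uses the first occurrence of a keyword, so if the generated sshd_config already sets `PermitUserEnvironment` before `extraConfig` is appended this line is silently ignored; `sshd -T | grep -i permituserenvironment` on a deployed host would confirm the effective value.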
@@ -2,10 +2,6 @@ set -euxo pipefail -# XXX I just want to inherit this. Why can't I get it through the environment -# to here? -export NIX_PATH=nixpkgs=https://github.com/PrivateStorageio/nixpkgs/archive/7e71ee63a67bd3e2c190abd982b541603f4f86b0.tar.gz - # Accept the name of the grid this system is part of as a parameter. This # lets us pick the correct morph grid source file later on. GRIDNAME=$1 @@ -77,6 +73,13 @@ EOF # Make sure known_hosts has the host key in it. ssh -o StrictHostKeyChecking=no "$(hostname).$(domainname)" ":" +# Set nixpkgs to our preferred version for the morph build. The NIX_PATH +# environment variable itself receives special treatment by some parts of the +# system (especially those parts leading up to the execution of this script) +# so we pass the desired information through a different variable and then +# shuffle it into the right place here, just before it is needed. +export NIX_PATH="nixpkgs=$NIXPKGS_FOR_MORPH" + # Attempt to update just this host. Choose the morph grid definition matching # the grid we belong to and limit the morph deployment update to the host # matching our name. morph uses just the bare hostname without the domain
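Review bot: `export NIX_PATH="nixpkgs=$NIXPKGS_FOR_MORPH"` relies on the `set -euxo pipefail` visible at the top of the first hunk to catch a missing `NIXPKGS_FOR_MORPH`, so running the script by hand, or through any path other than the sshd `environment=` option, fails with a bare "unbound variable" instead of saying what was expected. An explicit guard just before the export reads better and documents the contract: `: "${NIXPKGS_FOR_MORPH:?must name the nixpkgs to build against (normally injected via the authorized_keys environment= option)}"`. Because this value now selects the nixpkgs that the whole `morph deploy` evaluates, the comment should also state that it is trusted only because sshd pins it server-side, so nobody later treats it as a user-supplied knob. The rest of the script runs outside this hunk.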