diff --git a/.envrc b/.envrc
index 221c1b07..db1b4df9 100644
--- a/.envrc
+++ b/.envrc
@@ -1,8 +1,11 @@
-if [[ $(id -un) = kat ]]; then
- export TRUSTED=1
- git pull
-fi
-
+export NF_CONFIG_ROOT=$PWD
 export HOME_HOSTNAME=$(hostname -s)
+if [[ $(id -un) = kat ]]; then
+ git pull
+fi
+if [[ -e trusted/trusted/flake.nix ]]; then
+ export TRUSTED=1
+fi
+
 use nix
diff --git a/devShell.nix b/devShell.nix
index 9f3ec567..b3b99624 100644
--- a/devShell.nix
+++ b/devShell.nix
@@ -7,20 +7,15 @@ let
 inherit (lib.options) optional;
 inherit (lib.attrsets) attrValues;
 nf-actions = pkgs.writeShellScriptBin "nf-actions" ''
- export START_DIR="$PWD"
 cd "${toString ./.}"
- export NF_CONFIG_ROOT=${toString ./.}/ci
 NF_CONFIG_FILES=($NF_CONFIG_ROOT/{nodes,flake-cron}.nix)
 for f in "''${NF_CONFIG_FILES[@]}"; do
 echo $f
 nix run --argstr config "$f" -f '${inputs.ci}' run.gh-actions-generate
 done
- cd $START_DIR
 '';
 nf-actions-test = pkgs.writeShellScriptBin "nf-actions-test" ''
- export START_DIR="$PWD"
 cd "${toString ./.}"
- export NF_CONFIG_ROOT=${toString ./.}/ci
 nix run --argstr config "$NF_CONFIG_ROOT/nodes.nix" -f '${inputs.ci}' job.tewi.test
 '';
 nf-update = pkgs.writeShellScriptBin "nf-update" ''
@@ -30,7 +25,6 @@ let
 fi
 '';
 nf-deploy = pkgs.writeShellScriptBin "nf-deploy" ''
- export NF_CONFIG_ROOT=${toString ./.}
 exec /usr/bin/env bash ${./nixos/deploy.sh} "$@"
 '';
 in
@@ -48,7 +42,8 @@ pkgs.mkShell {
 export HOME_UID=$(id -u)
 export HOME_USER=$(id -un)
 export CI_PLATFORM="impure"
- export NIX_PATH="$NIX_PATH:home=${toString ./.}"
+ export NF_CONFIG_ROOT=''${NF_CONFIG_ROOT-${toString ./.}}
+ export NIX_PATH="$NIX_PATH:home=$NF_CONFIG_ROOT"
 '';
 }
diff --git a/nixos/deploy.sh b/nixos/deploy.sh
index 09f90256..75aac96f 100755
--- a/nixos/deploy.sh
+++ b/nixos/deploy.sh
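Review bot: In .envrc, `TRUSTED=1` is now exported whenever `trusted/trusted/flake.nix` exists relative to the current directory, where the old code tied it to the `kat` account. The `-e` test passes for any kind of path and depends on the working directory at evaluation time, so anchoring it to the root exported at the top of the file and requiring a regular file would be tighter: `if [[ -f $NF_CONFIG_ROOT/trusted/trusted/flake.nix ]]; then`. The same test appears as the hunk context of nixos/deploy.sh, so the two conditions have to be kept in step. A one-line comment here stating that the presence of the trusted checkout is what enables trusted mode would make that gate explicit.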
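Review bot: In devShell.nix, the shellHook's `''${NF_CONFIG_ROOT-${toString ./.}}` (last hunk) falls back only when the variable is unset, so an empty inherited value is kept and the `home=` entry in NIX_PATH ends up empty; `''${NF_CONFIG_ROOT:-${toString ./.}}` covers both cases. The environment is also now the only source of NF_CONFIG_ROOT for the helper scripts: the first hunk drops `export NF_CONFIG_ROOT=${toString ./.}/ci` from nf-actions and nf-actions-test, yet `NF_CONFIG_FILES=($NF_CONFIG_ROOT/{nodes,flake-cron}.nix)` still reads the variable, which .envrc and this hook set to the repository root rather than `ci`. Unless those files moved in a part of the commit not shown here, the scripts now look in a different directory, and with the variable unset they resolve to `/nodes.nix`. The second hunk does the same to nf-deploy, so a guard such as `: "''${NF_CONFIG_ROOT:?}"` at the top of each script would fail early instead of evaluating an unintended tree.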
@@ -15,37 +15,41 @@ if [[ -e trusted/trusted/flake.nix ]]; then
 )
 fi
-NIXOS_HOST=tewi
-NIXOS_TOPLEVEL=network.nodes.nixos.$NIXOS_HOST.system.build.toplevel
+NF_HOST=${NF_HOST-tewi}
+NIXOS_TOPLEVEL=network.nodes.nixos.$NF_HOST.system.build.toplevel
 if [[ $1 = build ]]; then
- exec nix build --no-link --print-out-paths $NF_CONFIG_ROOT#$NIXOS_TOPLEVEL "${TRUSTED_ARGS[@]}"
+ exec nix build --no-link --print-out-paths $NF_CONFIG_ROOT\#$NIXOS_TOPLEVEL "${TRUSTED_ARGS[@]}"
 elif [[ $1 = switch ]] || [[ $1 = test ]] || [[ $1 = dry-* ]]; then
 METHOD=$1
 shift
 exec nixos-rebuild $METHOD \
- --flake $NF_CONFIG_ROOT#$NIXOS_HOST "${TRUSTED_ARGS[@]}" \
+ --flake $NF_CONFIG_ROOT\#$NF_HOST "${TRUSTED_ARGS[@]}" \
 --no-build-nix \
- --target-host $NIXOS_HOST --use-remote-sudo \
+ --target-host $NF_HOST --use-remote-sudo \
 "$@"
 elif [[ $1 = check ]]; then
- DEFAULT=$(nix eval --raw -f $NF_CONFIG_ROOT $NIXOS_TOPLEVEL)
- FLAKE=$(nix eval --raw $NF_CONFIG_ROOT#$NIXOS_TOPLEVEL)
+ EXIT_CODE=0
+ DEFAULT=$(TRUSTED= nix eval --raw -f $NF_CONFIG_ROOT $NIXOS_TOPLEVEL)
+ FLAKE=$(nix eval --raw $NF_CONFIG_ROOT\#$NIXOS_TOPLEVEL)
 if [[ $DEFAULT != $FLAKE ]]; then
 echo default.nix: $DEFAULT
 echo flake.nix: $FLAKE
- exit 1
+ EXIT_CODE=1
+ else
+ echo untrusted ok: $FLAKE
 fi
- echo untrusted ok: $FLAKE
 TRUSTED=$(TRUSTED=1 nix eval --raw -f $NF_CONFIG_ROOT $NIXOS_TOPLEVEL)
- TRUSTED_FLAKE=$(nix eval --raw $NF_CONFIG_ROOT#$NIXOS_TOPLEVEL "${TRUSTED_ARGS[@]}")
+ TRUSTED_FLAKE=$(nix eval --raw $NF_CONFIG_ROOT\#$NIXOS_TOPLEVEL "${TRUSTED_ARGS[@]}")
 if [[ $TRUSTED != $TRUSTED_FLAKE ]]; then
 echo TRUSTED=1 default.nix: $TRUSTED
 echo trusted/flake.nix: $TRUSTED_FLAKE
- exit 1
+ EXIT_CODE=1
+ else
+ echo trusted ok: $TRUSTED_FLAKE
 fi
- echo trusted ok: $TRUSTED_FLAKE
+ exit $EXIT_CODE
 else
 echo unknown cmd $1 >&2
 exit 1
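Review bot: `NF_HOST` now comes from the environment and reaches `nixos-rebuild` unquoted, both as the flake attribute and as `--target-host` of a `--use-remote-sudo` run, so an empty value or one containing whitespace or a leading dash changes the command line instead of failing. `${NF_HOST-tewi}` keeps a set-but-empty value; I would default with `NF_HOST=${NF_HOST:-tewi}`, reject anything that is not a plain host name with `[[ $NF_HOST =~ ^[A-Za-z0-9][A-Za-z0-9-]*$ ]] || { echo "invalid NF_HOST: $NF_HOST" >&2; exit 1; }`, and quote the expansions, e.g. `--flake "$NF_CONFIG_ROOT#$NF_HOST"`. In the check branch, `TRUSTED=$(TRUSTED=1 nix eval …)` reuses the name of the flag that .envrc exports, so a differently named variable for the store path would avoid overwriting it before the last `nix eval`. The `if`/`elif` chain closes outside the hunk.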