diff --git a/.forgejo/workflows/self-deploy.yml b/.forgejo/workflows/self-deploy.yml
index 212dd98c9..9fcce9e5d 100644
--- a/.forgejo/workflows/self-deploy.yml
+++ b/.forgejo/workflows/self-deploy.yml
@@ -68,7 +68,7 @@ jobs:
 # precompiled, so every test that uses the native parser/text path
 # falls back to JS and is slow. Tests still run in:
 # - dev machines (`npm run test:unit`)
- # - the docker image build itself (Dockerfile runs them)
+ # - targeted pre-push verification before landing deploy changes
 # Re-enable here when prebuilt @singularity-forge/engine-linux-x64-*
 # ships in the npm tarball.
@@ -86,10 +86,9 @@ jobs:
 - name: Generate release manifest
 run: npm run release:manifest -- --out dist/sf-release-manifest.json
- # The forgejo-runner pod has /var/run/docker.sock mounted from the
- # vega host (via the runner deployment in /srv/infra). docker CLI
- # is on PATH via nixpkgs#docker-client. So: plain `docker build` and
- # `docker push` against the host's docker daemon.
+ # The forgejo-runner pod has Nix plus /var/run/docker.sock from vega.
+ # Build the same flake image that k3s runs, load it into the host
+ # Docker daemon, then tag it to the pushed commit SHA.
 - name: Login to registry
 if: env.SF_REGISTRY_USER != '' && env.SF_REGISTRY_PASSWORD != ''
 run: |
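Review bot: The rewritten comment line `#   - targeted pre-push verification before landing deploy changes` removes the only automated place this pipeline ran the unit tests (the Dockerfile build, per the old line) and substitutes a step that no job in this workflow performs, so the image pushed at the end of the run is no longer gated by any test execution. If the flake's `sf-server-image` derivation does not run the suite either (the new build step later in this diff passes nothing that suggests it does), the comment should say so plainly rather than imply coverage exists, e.g. `#   - nowhere in this workflow: the Nix image build does not run them, so run test:unit locally before pushing deploy changes`. The surrounding comment block starts before the hunk, so the unit-test step it refers to is not visible here.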
@@ -97,17 +96,16 @@ jobs:
 "${SF_REGISTRY:-registry.infra.centralcloud.com}" \
 --username "$SF_REGISTRY_USER" --password-stdin
- - name: Build server image
+ - name: Build server image with Nix
 run: |
 set -euo pipefail
- docker build \
- -f docker/Dockerfile.sf-server \
- --build-arg "SF_GIT_SHA=${GITHUB_SHA:-$(git rev-parse HEAD)}" \
- --build-arg "SF_GIT_REF=${GITHUB_REF_NAME:-$(git rev-parse --abbrev-ref HEAD)}" \
- --build-arg "SF_RELEASE_IMAGE=${{ steps.image.outputs.image }}" \
- --build-arg "SF_IMAGE_REPOSITORY=${SF_IMAGE_REPOSITORY:-${SF_REGISTRY:-registry.infra.centralcloud.com}/singularity/sf-server}" \
- -t "${{ steps.image.outputs.image }}" \
- .
+ image_stream="$(nix build --no-link --print-out-paths .#sf-server-image)"
+ loaded_image="$("$image_stream" | docker load | awk -F': ' '/Loaded image:/ { print $2 }')"
+ if [ -z "$loaded_image" ]; then
+ echo "docker load did not report a loaded image" >&2
+ exit 1
+ fi
+ docker tag "$loaded_image" "${{ steps.image.outputs.image }}"
 - name: Push server image
 if: env.SF_PUSH_IMAGE != '0'
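Review bot: The new `nix build --no-link --print-out-paths .#sf-server-image` line drops the `SF_GIT_SHA`, `SF_GIT_REF`, `SF_RELEASE_IMAGE` and `SF_IMAGE_REPOSITORY` inputs that the removed `docker build` passed as build args, and nothing in the new step hands those values to the flake, so unless the derivation reads them from the git tree itself the built image no longer records which commit and release tag it was produced from; the `docker tag` at the end attaches the name to the daemon's image record only, not to anything inside the image. Please confirm how the flake sources this provenance, and if it does not, document it on the step (e.g. `# NOTE: commit/release metadata is not injected here; the flake must derive it`) or restore it through whatever input the derivation accepts. A second, smaller point on the `loaded_image=` line: `docker load` prints one `Loaded image:` line per tag carried in the stream, so a multi-tag stream yields a multi-line value and the following `docker tag` fails on it; a guard such as `[ "$(printf '%s\n' "$loaded_image" | wc -l)" -eq 1 ] || { echo "expected exactly one loaded image" >&2; exit 1; }` next to the existing empty check would make that failure explicit. The `Push server image` step continues past the end of the hunk.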