diff --git a/Dockerfile b/Dockerfile
index 3c36a1e..9798fc9 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -312,15 +312,31 @@ USER crafter
 WORKDIR /home/crafter
 RUN mkdir -p /home/crafter/.config/nix \
 && printf '%s\n' \
- 'experimental-features = nix-command flakes ca-derivations' \
+ 'experimental-features = nix-command flakes' \
 'sandbox = false' \
- 'accept-flake-config = true' \
- 'substituters = https://cache.nixos.org https://cache.iog.io https://mlabs.cachix.org' \
- 'trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ= mlabs.cachix.org-1:gStKdEqNKcrlSQw5iMW6wFCj3+b+1ASpBVY2SYuNV2M=' \
+ 'accept-flake-config = false' \
+ 'substituters = https://cache.nixos.org https://cache.iog.io' \
+ 'trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ=' \
 > /home/crafter/.config/nix/nix.conf \
 && curl -fsSL https://nixos.org/nix/install -o /tmp/install-nix.sh \
 && sh /tmp/install-nix.sh --no-daemon --no-channel-add --no-modify-profile \
 && rm /tmp/install-nix.sh
+
+# Why accept-flake-config=false:
+# Nix 2.34.7's schema-upgrade path from v10 to v11 (which adds the
+# Realisations table that ca-derivations queries) doesn't fire
+# cleanly, even with ca-derivations enabled at install time.
+# Plutarch / Liqwid Agora / IOG flakes set
+# `extra-experimental-features = [... "ca-derivations" ...]` in
+# their nixConfig. With accept-flake-config=true that gets added
+# to our experimental-features, then any flake operation crashes
+# with `Assertion 'stmt.stmt' failed in nix::SQLiteStmt::Use::Use`.
+# Disabling sidesteps the issue — ca-derivations is an optimization
+# for content-addressed builds, not a hard requirement.
+#
+# Substituters set in our base nix.conf so we don't depend on the
+# flake's additions. mlabs.cachix.org dropped — it's a private cache
+# returning 401 to anonymous reads.
 ENV PATH=/home/crafter/.nix-profile/bin:$PATH
 
 # ============================================================
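Review bot: The added comment block explains `accept-flake-config = false` only as a workaround for the ca-derivations schema crash, which invites someone to flip it back to `true` once that bug is fixed. The setting is also what stops a flake's `nixConfig` from adding its own substituters and trusted-public-keys, and that matters more here because `sandbox = false` is kept in the same nix.conf. I would add a line such as `# Keep false even after the Nix fix: flake nixConfig is untrusted input and must not extend substituters or trusted-public-keys.` The comment also ties its reasoning to Nix 2.34.7 while the unchanged `curl -fsSL https://nixos.org/nix/install` line fetches whatever installer is current and runs it without a checksum, so pinning the installer to that release and verifying its hash would keep the comment and the image in step.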