WIP: Set restrict-eval when running nix commands

Summary

restrict-eval is a feature of nix to restrict evaluation to only those paths specified in NIX_PATH. This should avoid impurity issues where things like $HOME/.config/nixpkgs/ are loaded by Nixpkgs, or a user’s config is not fully checked in to the git repo. It also disallows builtins.getEnv (everything returns "").

Note that restrict-eval is a less powerful version of pure-eval. pure-eval disallows NIX_PATH, requires everything have hashes, and disallows builtins.currentSystem & builtins.currentTime. In the future, we may want to use this, but restrict-eval offers some purity without breaking things.

Merge criteria

(Please make a note here of any dependencies on other open merge requests, or any other blockers that must be dealt with before anyone should hit the "Merge" button. Delete this comment if there are none.)

• All merge requests must be reviewed by someone other than the original author.
• Before hitting the "Merge" button, verify that the associated CI build has succeeded or that the source branch can be built with a manual nix-build.

Checklist for success

• I have updated the changelog.
• My code is consistent with the Obsidian style guide.