diff --git a/base.nix b/base.nix
index 1497d17..d15a1c3 100644
--- a/base.nix
+++ b/base.nix
@@ -123,13 +123,13 @@
     (!config.boot.isContainer or false)
   ];
 
-  # no acme in VM mode:
+  # no acme in build-vm mode:
   virtualisation.vmVariant = {
     security.acme.defaults.server = "https://127.0.0.1";
     security.acme.preliminarySelfsigned = true;
   };
 
-  # set VM root password in VM mode
+  # set VM root password in build-vm mode
   virtualisation.vmVariant = {
     users.users.root.initialPassword = "root";
   };
diff --git a/justfile b/justfile
index 029e7d7..c60f1fe 100644
--- a/justfile
+++ b/justfile
@@ -9,6 +9,8 @@ export GUM_FILTER_HEIGHT := "15"
 
 eval hostname=`just _a_host`:
   nix eval .#nixosConfigurations."{{hostname}}".config.system.build.toplevel.outPath --show-trace
+eval-vm hostname=`just _a_host`:
+  nix eval .#nixosConfigurations."{{hostname}}".config.system.build.vm.outPath --show-trace
 
 repl $hostname=`just _a_host`:
   NIX_NO_NOM=1 nixos-rebuild --flake .#"$hostname" repl
diff --git a/profiles/auto-upgrade.nix b/profiles/auto-upgrade.nix
index 7f76425..662b20e 100644
--- a/profiles/auto-upgrade.nix
+++ b/profiles/auto-upgrade.nix
@@ -1,5 +1,9 @@
 { config, pkgs, lib, inputs, ... }:
 
+let
+  inherit (config.virtualisation) isVmVariant;
+in
+
 # TODO: make /etc/nixos a symlink to the in-store flake? - bad idea, horrible error recovery
 # TODO: make /etc/nixos a writeable checkout of repo?
 
@@ -8,14 +12,16 @@
   system.autoUpgrade.enable = true;
   #system.autoUpgrade.allowReboot = true; # reboot after a kernel (module) or initrd upgrade, consider also setting `rebootWindow`
 
+  environment.etc."current-system-flake".enable = !isVmVariant; # makes the outPath depend on flake src
   environment.etc."current-system-flake".source = inputs.self;
   # workaround for https://github.com/NixOS/nix/issues/6895
+  environment.etc."current-system-flake-inputs.json".enable = !isVmVariant; # makes the outPath depend on flake src
   environment.etc."current-system-flake-inputs.json".source
     = pkgs.writers.writeJSON "flake-inputs.json" (
       lib.flip lib.mapAttrs inputs (name: input:
         # inputs.*.sourceInfo sans outPath, since writeJSON will otherwise serialize sourceInfo like derivation
         lib.filterAttrs (key: val: !builtins.elem key ["outPath"]) (input.sourceInfo or {})
-          // { store-path = builtins.unsafeDiscardStringContext input.outPath; }
+          // { store-path = builtins.unsafeDiscardStringContext input.outPath; } # use this line instead if you want to retain a store reference to the flake inputs, but don't make it a part of the closure
           ##// { store-path = input.outPath; } # use this line instead if you want to retain a store reference to the flake inputs
       )
     );