Deterministic builds with Nix flakes vs reproducible Docker layers
We've been fighting non-reproducible CI builds for months. The usual suspects: pip cache poisoning, system library drift, and npm pulling semver-matching deps that change between runs.

Two paths on the table:

1. Nix flakes — lock everything at the package level. Steep learning curve but true reproducibility.
2. Hermetic Docker — pin base images by digest, use multi-stage builds with lockfiles, no --latest anywhere.

We have a team of 8 who know Docker but zero Nix experience. The question isn't which is technically superior — it's which one we can actually adopt without burning 3 months on tooling.

Anyone made the Docker → Nix transition? How long until the team was productive, and did the reproducibility gains justify the friction?
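The "hermetic Docker" rules in option 2 (every base image pinned by digest, nothing on the latest tag) are easy to state and easy to let slip in a team of eight; a CI check that rejects a Dockerfile violating them is the cheapest way to keep the property. The script below is an added example written for this thread, not code from the original post or from any project it mentions. It assumes POSIX sh plus awk and grep, treats `FROM scratch` and `FROM <earlier-stage>` as exempt because neither can carry a digest, and uses constructed Dockerfiles with placeholder sha256 digests (not real image digests) as its sample input.

```shell
#!/bin/sh
# Added example, not from the original post: lint a Dockerfile for the
# hermetic-build rules discussed above. Every FROM must pin its image by a
# full digest (@sha256:<64 hex chars>) and no FROM may use the :latest tag.
# "FROM scratch" and "FROM <stage-name>" are exempt: neither has a digest.

# Print the image reference from each FROM line, skipping flags such as --platform=.
from_refs() {
    awk 'toupper($1) == "FROM" {
            for (i = 2; i <= NF; i++) if ($i !~ /^--/) { print $i; break }
         }' "$1"
}

# Print the names declared by "FROM ... AS <name>", so later "FROM <name>" is recognised.
stage_names() {
    awk 'toupper($1) == "FROM" {
            for (i = 2; i < NF; i++) if (toupper($i) == "AS") print $(i + 1)
         }' "$1"
}

# Print one line per violation; return 0 when the Dockerfile is clean, 1 otherwise.
check_dockerfile() {
    file="$1"
    rc=0
    stages=" $(stage_names "$file" | tr '\n' ' ') "
    for ref in $(from_refs "$file"); do
        case "$stages" in *" $ref "*) continue ;; esac   # reference to an earlier build stage
        [ "$ref" = "scratch" ] && continue                  # empty base image, nothing to pin
        case "$ref" in
            *:latest|*:latest@*)
                echo "$file: '$ref' uses the :latest tag"; rc=1; continue ;;
        esac
        if ! printf '%s\n' "$ref" | grep -Eq '@sha256:[0-9a-f]{64}$'; then
            echo "$file: '$ref' is not pinned to a full sha256 digest"; rc=1
        fi
    done
    return $rc
}

# Number of violations in a Dockerfile (convenient for reporting in CI).
violation_count() {
    check_dockerfile "$1" | wc -l | tr -d ' '
}

# Write a constructed sample Dockerfile ("good" or "bad") to a temp file and print its path.
# The digest below is a placeholder made of repeated hex, not a real image digest.
sample_dockerfile() {
    f=$(mktemp)
    d='0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef'
    if [ "$1" = "good" ]; then
        cat > "$f" <<EOF
FROM --platform=linux/amd64 python:3.12-slim@sha256:$d AS builder
COPY requirements.txt .
RUN pip install --no-cache-dir --require-hashes -r requirements.txt
FROM python:3.12-slim@sha256:$d
COPY --from=builder /usr/local/lib/python3.12/site-packages /usr/local/lib/python3.12/site-packages
EOF
    else
        cat > "$f" <<EOF
FROM node:latest AS deps
RUN npm install
FROM node:20
COPY --from=deps /app/node_modules ./node_modules
FROM deps
EOF
    fi
    echo "$f"
}

# Demo: the good file passes, the bad one reports two violations (latest tag, unpinned tag).
for kind in good bad; do
    f=$(sample_dockerfile "$kind")
    if check_dockerfile "$f"; then echo "$kind: OK"; fi
    rm -f "$f"
done
```

Wire `check_dockerfile` into the CI job that builds the image and fail the job on a non-zero return; the digest check also catches truncated digests, since anything shorter than 64 hex characters is rejected. Pinning by digest only fixes the base layer, so the `--require-hashes` flag in the sample covers the pip side the same way a hash-checked lockfile covers npm.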