diff --git a/doc/stdenv/stdenv.chapter.md b/doc/stdenv/stdenv.chapter.md index 35330305f1891..f137425a2d54f 100644 --- a/doc/stdenv/stdenv.chapter.md +++ b/doc/stdenv/stdenv.chapter.md @@ -434,6 +434,8 @@ The propagated equivalent of `depsTargetTarget`. This is prefixed for the same r A number between 0 and 7 indicating how much information to log. If set to 1 or higher, `stdenv` will print moderate debugging information during the build. In particular, the `gcc` and `ld` wrapper scripts will print out the complete command line passed to the wrapped tools. If set to 6 or higher, the `stdenv` setup script will be run with `set -x` tracing. If set to 7 or higher, the `gcc` and `ld` wrapper scripts will also be run with `set -x` tracing. +In order to set the `NIX_DEBUG` environment variable, Nix itself must be re-compiled so that it's set in the local derivation build environment. This ensures that the derivation's hash doesn't change because `NIX_DEBUG` has been set. Most Nix derivation have a `withNixDebug` attribute which can be overridden. Set the `nix.package` option to use this `NIX_DEBUG`-enabled Nix. + ### Attributes affecting build properties {#attributes-affecting-build-properties} #### `enableParallelBuilding` {#var-stdenv-enableParallelBuilding} 
@@ -1421,7 +1423,7 @@ Both parameters take a list of flags as strings. The special `"all"` flag can be For more in-depth information on these hardening flags and hardening in general, refer to the [Debian Wiki](https://wiki.debian.org/Hardening), [Ubuntu Wiki](https://wiki.ubuntu.com/Security/Features), [Gentoo Wiki](https://wiki.gentoo.org/wiki/Project:Hardened), and the [Arch Wiki](https://wiki.archlinux.org/title/Security). -Note that support for some hardening flags varies by compiler, CPU architecture, target OS and libc. Combinations of these that don't support a particular hardening flag will silently ignore attempts to enable it. To see exactly which hardening flags are being employed in any invocation, the `NIX_DEBUG` environment variable can be used. +Note that support for some hardening flags varies by compiler, CPU architecture, target OS and libc. Combinations of these that don't support a particular hardening flag will silently ignore attempts to enable it. To see exactly which hardening flags are being employed in any invocation, the [`NIX_DEBUG` environment variable](#var-stdenv-NIX_DEBUG) can be used. ### Hardening flags enabled by default {#sec-hardening-flags-enabled-by-default} diff --git a/pkgs/stdenv/generic/setup.sh b/pkgs/stdenv/generic/setup.sh index c1de5b97d2d6a..9ca24341e523d 100644 --- a/pkgs/stdenv/generic/setup.sh +++ b/pkgs/stdenv/generic/setup.sh 
@@ -55,12 +55,18 @@ nixLog() { echo "$@" >&"$NIX_LOG_FD" } +# Call `nixLog` if $NIX_DEBUG is set to 1 or more. +nixLogDebug() { + if (( "${NIX_DEBUG:-0}" == 0 )); then return; fi + nixLog "$@" +} + # Log a hook, to be run before the hook is actually called. # logging for "implicit" hooks -- the ones specified directly # in derivation's arguments -- is done in _callImplicitHook instead. _logHook() { - # Fast path in case nixLog is no-op. - if [[ -z ${NIX_LOG_FD-} ]]; then + # Fast path in case nixLog is no-op or NIX_DEBUG is 0 or unset. + if [[ -z ${NIX_LOG_FD-} ]] || (( "${NIX_DEBUG:-0}" == 0 )); then return fi @@ -153,13 +159,13 @@ _callImplicitHook() { local def="$1" local hookName="$2" if declare -F "$hookName" > /dev/null; then - nixLog "calling implicit '$hookName' function hook" + nixLogDebug "calling implicit '$hookName' function hook" "$hookName" elif type -p "$hookName" > /dev/null; then - nixLog "sourcing implicit '$hookName' script hook" + nixLogDebug "sourcing implicit '$hookName' script hook" source "$hookName" elif [ -n "${!hookName:-}" ]; then - nixLog "evaling implicit '$hookName' string hook" + nixLogDebug "evaling implicit '$hookName' string hook" eval "${!hookName}" else return "$def" @@ -705,7 +711,7 @@ activatePackage() { (( hostOffset <= targetOffset )) || exit 1 if [ -f "$pkg" ]; then - nixLog "sourcing setup hook '$pkg'" + nixLogDebug "sourcing setup hook '$pkg'" source "$pkg" fi @@ -729,7 +735,7 @@ activatePackage() { fi if [[ -f "$pkg/nix-support/setup-hook" ]]; then - nixLog "sourcing setup hook '$pkg/nix-support/setup-hook'" + nixLogDebug "sourcing setup hook '$pkg/nix-support/setup-hook'" source "$pkg/nix-support/setup-hook" fi } diff --git a/pkgs/tools/package-management/lix/common.nix b/pkgs/tools/package-management/lix/common.nix index fe9e1d2d2def6..35d7356b7a68f 100644 --- a/pkgs/tools/package-management/lix/common.nix +++ b/pkgs/tools/package-management/lix/common.nix 
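Review bot: `nixLogDebug` and the new `_logHook` fast path both hand the raw value of `NIX_DEBUG` to `(( ))`, which evaluates it as an arithmetic expression instead of rejecting anything that is not a plain number. The manual defines the variable as a number between 0 and 7, so a guard placed before the arithmetic test, `[[ ${NIX_DEBUG:-0} == [0-7] ]] || return 0`, would keep unexpected values out of the evaluation. The header comment also says "1 or more" while the test is `== 0`, so a negative value would log; `(( "${NIX_DEBUG:-0}" < 1 ))` matches the comment. The body of `_logHook` continues outside the hunk.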
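Review bot: The three messages in `_callImplicitHook` that record a hook being called, sourced or `eval`'d now appear only when `NIX_DEBUG` is 1 or higher, and the same holds for the two `sourcing setup hook` messages in the `activatePackage` hunks that follow. As far as these hunks show, those lines are what tells a reader of the build log which code was pulled into the build shell. The manual paragraph for `NIX_DEBUG` describes level 1 only in terms of the `gcc` and `ld` wrapper command lines, so someone auditing a build has no hint where the lines went. I would add a sentence there such as `At 1 or higher, stdenv also logs each setup hook and implicit hook it calls, sources or evals.` Both functions start and end outside their hunks.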
@@ -80,6 +80,9 @@ assert (hash == null) -> (src != null); # RISC-V support in progress https://github.com/seccomp/libseccomp/pull/50 withLibseccomp ? lib.meta.availableOn stdenv.hostPlatform libseccomp, libseccomp, + # If non-`null`, the string value is what the environment variable `NIX_DEBUG` + # is set to when building any derivation. See the Nixpkgs manual for more. + withNixDebug ? null, confDir, stateDir, @@ -161,6 +164,9 @@ stdenv.mkDerivation { postPatch = '' patchShebangs --build tests + '' + lib.optionalString (withNixDebug != null) '' + grep -r -l -Z -e 'env."NIX_LOG_FD".*"2"' src | \ + xargs -0 sed -i '/NIX_LOG_FD.*2/a env["NIX_DEBUG"] = "${toString withNixDebug}";' ''; preConfigure = diff --git a/pkgs/tools/package-management/nix/common.nix b/pkgs/tools/package-management/nix/common.nix index 50874fef5c6cf..1033ddb1ee12b 100644 --- a/pkgs/tools/package-management/nix/common.nix +++ b/pkgs/tools/package-management/nix/common.nix @@ -78,6 +78,9 @@ in , enableStatic ? stdenv.hostPlatform.isStatic , withAWS ? !enableStatic && (stdenv.isLinux || stdenv.isDarwin), aws-sdk-cpp , withLibseccomp ? lib.meta.availableOn stdenv.hostPlatform libseccomp, libseccomp +# If non-`null`, the string value is what the environment variable `NIX_DEBUG` is set to +# when building any derivation. See the Nixpkgs manual for more. +, withNixDebug ? null , confDir , stateDir @@ -169,6 +172,9 @@ self = stdenv.mkDerivation { postPatch = '' patchShebangs --build tests + '' + lib.optionalString (withNixDebug != null) '' + grep -r -l -Z -e 'env."NIX_LOG_FD".*"2"' src | \ + xargs -0 sed -i '/NIX_LOG_FD.*2/a env["NIX_DEBUG"] = "${toString withNixDebug}";' ''; preConfigure =
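Review bot: The comment on `withNixDebug` does not state the accepted values or what the higher ones do, and the same comment is repeated in the `nix/common.nix` hunk. Per the manual text in this commit, 6 or higher runs the stdenv setup script under `set -x`, and the setting applies to every derivation the patched Nix builds, so expanded variable values from all builds end up in the build logs. I would extend the comment with `# Accepts 0-7. 6 and above enable set -x tracing in every build, so build logs may contain expanded variable values.` The argument list continues outside the hunk.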
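Review bot: `withNixDebug` is spliced through `toString` into a single-quoted sed script and from there into a C++ string literal with no check on its content, so a value containing a quote, backslash or newline would break the shell quoting or the generated source; the `postPatch` hunk in `nix/common.nix` is identical. Since the manual defines the variable as a number between 0 and 7, an assertion in the function body such as `assert withNixDebug == null || builtins.match "[0-7]" (toString withNixDebug) != null;` would reject anything else at evaluation time. The sed address `/NIX_LOG_FD.*2/` is also looser than the grep pattern that selects the files, so it may match more lines than intended; using `/env."NIX_LOG_FD".*"2"/` as the address keeps the two in step. The `mkDerivation` body continues outside the hunk.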