Nix / NixOS

I don't have an exact example to hand because I'm not using a custom substituter for now. I have a remnant of that in my config still, here: https://github.com/balsoft/nixos-config/blob/master/flake.nix#L5 . But it should be relatively straightforward: add nix.settings.trusted-substituters = [ "http://your-substituter/" ]; to your (client device) NixOS config (e.g. in configuration.nix); add nixConfig.extra-substituters = [ "http://your-substituter/" ]; to your config flake.nix; answer yes when prompted by nixos-rebuild, and you should be good.

As for remote builders, I don't really dig them myself. They require fully trusting all users who wish to build on them and are finicky to set up. Instead I just ssh into the build machine, build whatever I need there, and nix copy it back to my laptop. That said,

intent on modifying root ssh configs in spite of security practices

You can set up your nix-daemon to run as its own user nowadays, mitigating all issues related to root entirely.

botch use of substituters on the remote builder

Never had this issue so don't really know how to help

is awkward or incompatible with non-interactive sudo sessions

This one is pretty much unfixable due to how remote building works

works for nixos build but not to switch

You should probably use nixos-rebuild switch --use-remote-sudo and run it as your user rather than root.