From Using the post-build-hook in the nix manual:
The post build hook program runs after each executed build, and blocks the build loop. The build loop exits if the hook program fails.
Concretely, this implementation will make Nix slow or unusable when the internet is slow or unreliable.
A more advanced implementation might pass the store paths to a user-supplied daemon or queue for processing the store paths outside of the build loop.
This is my implementation of a user-supplied daemon to process the store paths outside of the build loop.
The post-build-hook binary writes store paths to unix domain socket for later processing.
When data is available on the socket systemd activates the nix-post-build-hook-queue service to:
- Sign paths, if
signingPrivateKeyPathis set - Upload paths, if
uploadTois set
- Add this repository to your flake inputs:
{
inputs = {
unstable.url = "github:nixos/nixpkgs/nixos-unstable";
nix-post-build-hook-queue = {
url = "github:newam/nix-post-build-hook-queue";
inputs.nixpkgs.follows = "unstable";
inputs.treefmt.follows = "";
};
};
}- Add
nix-post-build-hook-queue.overlays.defaulttonixpkgs.overlays. - Import the
nix-post-build-hook-queue.nixosModules.defaultmodule. - Configure:
{config, ...}: {
# Use sops-nix to store keys: https://github.com/Mic92/sops-nix
# Alternatives: https://nixos.wiki/wiki/Comparison_of_secret_managing_schemes
sops.secrets = let
sopsAttrs = {
mode = "0400";
owner = config.services.nix-post-build-hook-queue.user;
};
in {
cache-signing-priv-key = sopsAttrs;
cache-ssh-priv-key = sopsAttrs;
};
services.nix-post-build-hook-queue = {
enable = true;
# optional setting to sign paths before uploading
signingPrivateKeyPath = config.sops.secrets.cache-signing-priv-key.path;
# optional settings to upload store paths after signing
sshPrivateKeyPath = config.sops.secrets.cache-ssh-priv-key.path;
uploadTo = "ssh://nix-ssh@nix-cache.example.com";
};
}