{"id":16358186,"url":"https://github.com/newam/nix-post-build-hook-queue","last_synced_at":"2025-07-14T21:34:24.770Z","repository":{"id":41547345,"uuid":"510139938","full_name":"newAM/nix-post-build-hook-queue","owner":"newAM","description":"A Nix post-build-hook queue to sign and upload store paths.","archived":false,"fork":false,"pushed_at":"2025-01-10T15:50:51.000Z","size":195,"stargazers_count":7,"open_issues_count":0,"forks_count":2,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-01-10T16:47:49.151Z","etag":null,"topics":["nix","nixos","post-build-hook"],"latest_commit_sha":null,"homepage":"","language":"Nix","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/newAM.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-07-03T21:33:00.000Z","updated_at":"2025-01-10T15:50:54.000Z","dependencies_parsed_at":"2023-12-25T17:37:58.987Z","dependency_job_id":"5f863021-d26f-4b90-8f5c-f79835a23a00","html_url":"https://github.com/newAM/nix-post-build-hook-queue","commit_stats":{"total_commits":168,"total_committers":2,"mean_commits":84.0,"dds":0.0892857142857143,"last_synced_commit":"de3f18399506ec163a9decc14d44c1e4faa00cb7"},"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/newAM%2Fnix-post-build-hook-queue","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/newAM%2Fnix-post-build-hook-queue/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/newAM%2Fnix-post-build-hook-
queue/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/newAM%2Fnix-post-build-hook-queue/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/newAM","download_url":"https://codeload.github.com/newAM/nix-post-build-hook-queue/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":234045320,"owners_count":18770943,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["nix","nixos","post-build-hook"],"created_at":"2024-10-11T02:05:01.549Z","updated_at":"2025-07-14T21:34:24.751Z","avatar_url":"https://github.com/newAM.png","language":"Nix","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Nix post-build-hook queue\n\n[![CI](https://github.com/newAM/nix-post-build-hook-queue/workflows/CI/badge.svg)](https://github.com/newAM/nix-post-build-hook-queue/actions)\n\nFrom [Using the post-build-hook] in the nix manual:\n\n\u003e The post build hook program runs after each executed build, and blocks the build loop. 
The build loop exits if the hook program fails.\n\u003e\n\u003e Concretely, this implementation will make Nix slow or unusable when the internet is slow or unreliable.\n\u003e\n\u003e A more advanced implementation might pass the store paths to a user-supplied daemon or queue for processing the store paths outside of the build loop.\n\nThis is my implementation of a user-supplied daemon to process the store paths outside of the build loop.\n\nThe post-build-hook binary writes store paths to a Unix domain socket for later processing.\n\nWhen data is available on the socket, systemd activates the `nix-post-build-hook-queue` service to:\n\n1. Sign paths, if `signingPrivateKeyPath` is set\n2. Upload paths, if `uploadTo` is set\n\n## Usage\n\n- Add this repository to your flake inputs:\n\n```nix\n{\n  inputs = {\n    unstable.url = \"github:nixos/nixpkgs/nixos-unstable\";\n\n    nix-post-build-hook-queue = {\n      url = \"github:newam/nix-post-build-hook-queue\";\n      inputs.nixpkgs.follows = \"unstable\";\n      inputs.treefmt.follows = \"\";\n    };\n  };\n}\n```\n\n- Add `nix-post-build-hook-queue.overlays.default` to `nixpkgs.overlays`.\n- Import the `nix-post-build-hook-queue.nixosModules.default` module.\n- Configure:\n\n```nix\n{config, ...}: {\n  # Use sops-nix to store keys: https://github.com/Mic92/sops-nix\n  # Alternatives: https://nixos.wiki/wiki/Comparison_of_secret_managing_schemes\n  sops.secrets = let\n    sopsAttrs = {\n      mode = \"0400\";\n      owner = config.services.nix-post-build-hook-queue.user;\n    };\n  in {\n    cache-signing-priv-key = sopsAttrs;\n    cache-ssh-priv-key = sopsAttrs;\n  };\n\n  services.nix-post-build-hook-queue = {\n    enable = true;\n    # optional setting to sign paths before uploading\n    signingPrivateKeyPath = config.sops.secrets.cache-signing-priv-key.path;\n    # optional settings to upload store paths after signing\n    sshPrivateKeyPath = config.sops.secrets.cache-ssh-priv-key.path;\n    uploadTo = 
\"ssh://nix-ssh@nix-cache.example.com\";\n  };\n}\n```\n\n[Using the post-build-hook]: https://nixos.org/manual/nix/stable/advanced-topics/post-build-hook.html#implementation-caveats\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnewam%2Fnix-post-build-hook-queue","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnewam%2Fnix-post-build-hook-queue","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnewam%2Fnix-post-build-hook-queue/lists"}