Implementing, Configuring, and Testing the Nix Post-Build Hook for S3 Binary Caches

Then update [`nix.conf`](../command-ref/conf-file.md) on any machine that will access the cache. Add the cache URL to [`substituters`](../command-ref/conf-file.md#conf-substituters) and the public key to [`trusted-public-keys`](../command-ref/conf-file.md#conf-trusted-public-keys): substituters = https://cache.nixos.org/ s3://example-nix-cache trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= example-nix-cache-1:1/cKDz3QCCOmwcztD2eV6Coggp6rqc9DGjWv7C0G+rM= Machines that build for the cache must sign derivations using the private key. On those machines, add the path to the key file to the [`secret-key-files`](../command-ref/conf-file.md#conf-secret-key-files) field in their [`nix.conf`](../command-ref/conf-file.md): secret-key-files = /etc/nix/key.private We will restart the Nix daemon in a later step. # Implementing the build hook Write the following script to `/etc/nix/upload-to-cache.sh`: ```bash #!/bin/sh set -eu set -f # disable globbing export IFS=' ' echo "Uploading paths" $OUT_PATHS exec nix copy --to "s3://example-nix-cache" $OUT_PATHS ``` > **Note** > > The `$OUT_PATHS` variable is a space-separated list of Nix store > paths. In this case, we expect and want the shell to perform word > splitting to make each output path its own argument to `nix > store sign`. Nix guarantees the paths will not contain any spaces, > however a store path might contain glob characters. The `set -f` > disables globbing in the shell. > If you want to upload the `.drv` file too, the `$DRV_PATH` variable > is also defined for the script and works just like `$OUT_PATHS`. Then make sure the hook program is executable by the `root` user: ```console # chmod +x /etc/nix/upload-to-cache.sh ``` # Updating Nix Configuration Edit `/etc/nix/nix.conf` to run our hook, by adding the following configuration snippet at the end: post-build-hook = /etc/nix/upload-to-cache.sh Then, restart the `nix-daemon`. # Testing Build any derivation, for example: ```console $ nix-build --expr '(import <nixpkgs> {}).writeText "example" (builtins.toString builtins.currentTime)' this derivation will be built: /nix/store/s4pnfbkalzy5qz57qs6yybna8wylkig6-example.drv building '/nix/store/s4pnfbkalzy5qz57qs6yybna8wylkig6-example.drv'... running post-build-hook '/home/grahamc/projects/github.com/NixOS/nix/post-hook.sh'... post-build-hook: Signing paths /nix/store/ibcyipq5gf91838ldx40mjsp0b8w9n18-example post-build-hook: Uploading paths /nix/store/ibcyipq5gf91838ldx40mjsp0b8w9n18-example /nix/store/ibcyipq5gf91838ldx40mjsp0b8w9n18-example ``` Then delete the path from the store, and try substituting it from the binary cache: ```console $ rm ./result $ nix-store --delete /nix/store/ibcyipq5gf91838ldx40mjsp0b8w9n18-example ``` Now, copy the path back from the cache: ```console $ nix-store --realise /nix/store/ibcyipq5gf91838ldx40mjsp0b8w9n18-example copying path '/nix/store/m8bmqwrch6l3h8s0k3d673xpmipcdpsa-example from 's3://example-nix-cache'... warning: you did not specify '--add-root'; the result might be removed by the garbage collector /nix/store/m8bmqwrch6l3h8s0k3d673xpmipcdpsa-example ``` # Conclusion We now have a Nix installation configured to automatically sign and upload every local build to a remote binary cache. Before deploying this to production, be sure to consider the [implementation caveats](#implementation-caveats).

This document covers the final steps for implementing, configuring, and testing Nix's `post-build-hook` to automate uploads to an S3 binary cache. It explains how to configure `secret-key-files` in `nix.conf` for signing derivations. The core implementation involves creating `/etc/nix/upload-to-cache.sh`, a shell script that uses `nix copy --to` to send `$OUT_PATHS` (and optionally `$DRV_PATH`) to the S3 cache, handling glob characters and ensuring executability. Subsequently, `nix.conf` is updated with `post-build-hook = /etc/nix/upload-to-cache.sh`, requiring a `nix-daemon` restart. A testing section guides users through building a derivation, observing the hook's execution and upload, deleting the local store path, and then successfully retrieving it from the S3 cache. The guide concludes by affirming the setup for automatic signing and uploading, with a reminder to consider implementation caveats for production.