[Nix-dev] Using nix in an artifact-centric build system

Graham Christensen graham at grahamc.com
Wed Feb 24 21:51:14 CET 2016


Hello Nixers*:

I want to be able to do the following steps:

## On the build server
1. build nix closures in a non-hydra build system
2. export the closure, somehow contained into a single file
3. upload this file to an artifact store

## On another server
1. download the file from the artifact store
2. import the closure into the nix store
3. be able to use the software installed in that closure



# Potential solution

I found (with the help of many Nixers*) that I can run:

     # Build
     nix-build . -A hello
     nix-store --export $(nix-store -qR $(realpath ./result)) > hello.nar

     # Remove from the system
     rm ./result
     nix-collect-garbage

     # Install the closure
     cat hello.nar | nix-store --import

and that as long as the root user (or another trusted user as defined by 
/etc/nix/nix.conf) is running `nix-store --import` it will work fine.

However, I would prefer to be able to sign these `.nar`s with a binary 
cache key and trust it in the nix.conf. I found `nix-store --export 
--sign`; however, it appears to be using a different mechanism which is 
totally unrelated.



# Specific Questions
1. Is the `nix-store --export --sign` mechanism outdated, and should the 
`--sign` support be removed?
2. In this research, I found `nix-install-package` which similarly seems 
helpful. Is this supported? I'm not finding information about making a 
nixpkg and it appears it hasn't been updated for over a year.
3. Is there another way which would allow these similar steps to be 
taken, like building a binary cache of the closure with `nix-push 
--key-file <mykey> --dest ./my-package-closure`, and zipping for upload 
/ unzipping for install?



# General Question
Has anyone implemented a similar system and have advice to share?

How would you implement such a system?

Thank you very much,
Graham Christensen


* is that what we are? Nixers?

