Trustix - Usage via Nix

In the previous chapter we set up the main Trustix daemon. It's now time to actually start using it to publish build results.

Requisites

  • A NixOS installation using Flakes
  • The basic setup from the previous chapter

Setup

  • configuration.nix:
{ config, pkgs, lib, ... }:
{
  # Our basic Trustix configuration from before
  services.trustix = {
    enable = true;

    signers.my-signer = {
      type = "ed25519";
      ed25519.private-key-path = ./secrets/log-priv;
    };

    publishers = [
      {
        signer = "my-signer";
        protocol = "nix";
        meta.upstream = "https://cache.nixos.org";
        publicKey = {
          type = "ed25519";
          key = builtins.readFile ./secrets/log-pub;
        };
      }
    ];
  };

  # Enable the Nix post-build hook that pushes local builds to the main Trustix daemon
  services.trustix-nix-build-hook = {
    enable = true;
    # Log id as returned by `trustix print-log-id --protocol nix --pubkey $(cat secrets/log-pub)`
    # This is your log's globally unique identifier and what clients will use to subscribe to your build results.
    logID = "0c7942343fa91b610704d531f552f3e785705dbd7d22c965bc0d58fa3ff2c87c";
  };
}

Effect

This configures Nix with a post-build hook that publishes every build performed locally to your locally running log.