server7: add Nix signing post-build-hook

hosts/server7/default.nix

@@ -81,9 +81,17 @@ in {
 
   nix = {
     package = pkgs.nixFlakes;
-    extraOptions = "experimental-features = nix-command flakes ca-references";
     gc.automatic = true;
     optimise.automatic = true;
+    extraOptions = ''
+      experimental-features = nix-command flakes ca-references
+      post-build-hook = ${
+        pkgs.writeScript "post-build-sign-paths" ''
+          #!${pkgs.runtimeShell}
+          nix sign-paths --key-file /var/lib/nix-serve.key $OUT_PATHS
+        ''
+      }
+    '';
   };
 
   virtualisation.docker.enable = true;