diff --git a/.builds/guix.yml b/.builds/guix.yml
new file mode 100644
index 0000000000000000000000000000000000000000..93ba40af936c99179533ebbf1b6f9cfb12b50124
--- /dev/null
+++ b/.builds/guix.yml
@@ -0,0 +1,34 @@
+image: guix
+packages:
+- plzip
+sources:
+- https://git.sr.ht/~singpolyma/sgx-endstream
+secrets:
+- 9ded4157-4cf9-42ae-b7d0-55eb6e52ea37
+- fd52c9ce-04e8-4684-af6c-1ab78d2e124a
+artifacts:
+- sgx-endstream.scm
+- sgx-endstream.nar.lz
+tasks:
+- bake: |
+    printf "(define-module (sgx-endstream))\n" > sgx-endstream.scm
+    sed '/^;;;;$/q' sgx-endstream/guix.scm >> sgx-endstream.scm
+    printf "(define-public sgx-endstream\n\t" >> sgx-endstream.scm
+    cd sgx-endstream
+    printf '(load "%s/guix.scm")\n(write sgx-endstream-baked)\n' "$(pwd)" | guix repl /dev/stdin >> ../sgx-endstream.scm
+    cd -
+    printf ")\n" >> sgx-endstream.scm
+    rm -f sgx-endstream/guix.scm
+    [ "$BUILD_REASON" = patchset ] || rm -rf sgx-endstream
+- build: |
+    if [ "$BUILD_REASON" = patchset ]; then with_source="--with-source=$PWD/sgx-endstream"; fi
+    guix build $with_source --no-grafts -r out -L. sgx-endstream
+- archive: |
+    if [ -e signing-key.sec ]; then
+      sudo mv signing-key.pub /etc/guix/
+      sudo mv signing-key.sec /etc/guix/
+      sudo chown root:root /etc/guix/signing-key.sec
+      sudo chmod 0400 /etc/guix/signing-key.sec
+    fi
+    guix archive --export -r --no-grafts $(readlink -f out) > sgx-endstream.nar
+    plzip sgx-endstream.nar