# Attic — Post-Deployment Setup

Steps to run once after the first `nixos-rebuild switch` with `homey.attic.enable = true`.

**Status as of 2026-05-30:** all steps complete. Cache `main` is live at `https://attic.zakobar.com/main`. Lauretta is logged in and can push/pull.

---

## Known values

| Item | Value |
|------|-------|
| Server URL | `https://attic.zakobar.com` |
| Cache name | `main` |
| Binary cache endpoint | `https://attic.zakobar.com/main` |
| Public signing key | `main:9SZt/6plBU7jjQzz90J7O011I13hmJvOMYouxNqExNQ=` |
| Cache visibility | Private (token required to pull) |
| GC retention | 90 days |
| Attic login (lauretta) | `~/.config/attic/config.toml` → server `homey` |

---

## Token reference

Tokens are stateless signed JWTs — the server does not store them. If you lose one, regenerate it with the same command; it will work identically to the original.

### Admin token (full access)

```bash
ssh admin@192.168.1.100 \
  "sudo podman exec attic atticadm -f /etc/attic/server.toml make-token \
    --sub admin \
    --validity '10y' \
    --pull '*' \
    --push '*' \
    --delete '*' \
    --create-cache '*' \
    --configure-cache '*' \
    --configure-cache-retention '*' \
    --destroy-cache '*'"
```

### Pull-only token (for non-admin clients)

```bash
ssh admin@192.168.1.100 \
  "sudo podman exec attic atticadm -f /etc/attic/server.toml make-token \
    --sub nixos-client \
    --validity '10y' \
    --pull '*'"
```

### Push-only token (e.g. for CI)

```bash
ssh admin@192.168.1.100 \
  "sudo podman exec attic atticadm -f /etc/attic/server.toml make-token \
    --sub ci \
    --validity '10y' \
    --push 'main'"
```

---

## Configuring a new client machine

### 1. Add to `~/.config/nix/nix.conf`

```
extra-substituters = https://attic.zakobar.com/main
extra-trusted-public-keys = main:9SZt/6plBU7jjQzz90J7O011I13hmJvOMYouxNqExNQ=
```

### 2. Add pull token to `~/.netrc`

Generate a pull-only token (see above), then append to `~/.netrc`:

```
machine attic.zakobar.com
login token
password <pull-token>
```

Keep the file readable only by your own user (`chmod 600 ~/.netrc`); it holds a bearer token that stays valid for its whole `--validity` period.

### 3. Log in for pushing (optional)

```bash
nix run github:zhaofengli/attic -- login homey https://attic.zakobar.com
```

### 4. Verify

```bash
nix store ping --store https://attic.zakobar.com/main
```

---

## Pushing builds

```bash
# Push a specific store path and its closure
nix run github:zhaofengli/attic -- push homey:main /nix/store/<store-path>

# Push the current system closure
nix run github:zhaofengli/attic -- push homey:main /run/current-system

# Push after a nix build
nix build .#nixosConfigurations.pi-main.config.system.build.toplevel
nix run github:zhaofengli/attic -- push homey:main ./result

# Watch the store and push all new paths as they are built
nix run github:zhaofengli/attic -- watch-store homey:main
```

Paths already signed by `cache.nixos.org` are skipped automatically.

---

## Monitoring

- **Uptime Kuma**: monitor configured automatically via the NixOS module (5 min interval)
- **Disk usage**: `ssh admin@192.168.1.100 "du -sh /mnt/data/attic/"`
- **Grafana**: node exporter tracks `/mnt/data` filesystem usage
- **Logs**: `ssh admin@192.168.1.100 "journalctl -u podman-attic -n 50"`

### Manual GC

```bash
ssh admin@192.168.1.100 \
  "sudo podman exec attic atticadm -f /etc/attic/server.toml run-gc"
```

---

## Signing key rotation

If the signing key is ever compromised or needs rotating:

```bash
nix run github:zhaofengli/attic -- cache configure homey:main --regenerate-keypair
nix run github:zhaofengli/attic -- cache info homey:main   # get new public key
```

Then update `trusted-public-keys` in `hosts/pi-main/default.nix` and on all client machines.

---

## Initial setup steps (completed 2026-05-30)

For reference — these were run once during first deployment.

1. Deployed NixOS config with `homey.attic.enable = true`
2. Added `attic.zakobar.com` to Cloudflare Tunnel dashboard
3. Generated admin token via `atticadm` inside container
4. Logged in: `attic login homey https://attic.zakobar.com`
5. Created cache: `attic cache create homey:main` (Attic generates signing key server-side)
6. Added public key and substituter to `hosts/pi-main/default.nix`
7. Configured lauretta: `~/.config/nix/nix.conf` + `~/.netrc`