# Attic — Post-Deployment Setup

Steps to run once after the first `nixos-rebuild switch` with `homey.attic.enable = true`.

Status as of 2026-05-30: all steps complete. Cache `main` is live at https://attic.zakobar.com/main. Lauretta is logged in and can push/pull.
## Known values

| Item | Value |
|---|---|
| Server URL | https://attic.zakobar.com |
| Cache name | main |
| Binary cache endpoint | https://attic.zakobar.com/main |
| Public signing key | main:9SZt/6plBU7jjQzz90J7O011I13hmJvOMYouxNqExNQ= |
| Cache visibility | Private (token required to pull) |
| GC retention | 90 days |
| Attic login (lauretta) | `~/.config/attic/config.toml` → server `homey` |
## Token reference

Tokens are stateless signed JWTs — the server does not store them. If you lose one, regenerate it with the same command; it will work identically to the original. The flip side is that a leaked token cannot be revoked on its own: it stays valid until its expiry (10 years for the tokens below), and the only way to cut it off early is to rotate the server's token signing secret, which invalidates every issued token at once. Hand out the narrowest token that does the job (pull-only for clients, push-only for CI) and keep the admin token off client machines.
### Admin token (full access)

```sh
ssh admin@192.168.1.100 \
  "sudo podman exec attic atticadm -f /etc/attic/server.toml make-token \
    --sub admin \
    --validity '10y' \
    --pull '*' \
    --push '*' \
    --delete '*' \
    --create-cache '*' \
    --configure-cache '*' \
    --configure-cache-retention '*' \
    --destroy-cache '*'"
```

### Pull-only token (for non-admin clients)

```sh
ssh admin@192.168.1.100 \
  "sudo podman exec attic atticadm -f /etc/attic/server.toml make-token \
    --sub nixos-client \
    --validity '10y' \
    --pull '*'"
```

### Push-only token (e.g. for CI)

```sh
ssh admin@192.168.1.100 \
  "sudo podman exec attic atticadm -f /etc/attic/server.toml make-token \
    --sub ci \
    --validity '10y' \
    --push 'main'"
```
## Configuring a new client machine

1. Add to `~/.config/nix/nix.conf`:

   ```
   extra-substituters = https://attic.zakobar.com/main
   extra-trusted-public-keys = main:9SZt/6plBU7jjQzz90J7O011I13hmJvOMYouxNqExNQ=
   ```

2. Add the pull token to `~/.netrc`. Generate a pull-only token (see above), then append:

   ```
   machine attic.zakobar.com
   login token
   password <pull-token>
   ```

3. Log in for pushing (optional):

   ```sh
   nix run github:zhaofengli/attic -- login homey https://attic.zakobar.com <admin-or-push-token>
   ```

4. Verify:

   ```sh
   nix store ping --store https://attic.zakobar.com/main
   ```
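Step 4 only proves the server answers. As an added example that is not part of this runbook, the POSIX shell check below verifies the client-side pieces the steps above install: the substituter and trusted key from the Known values table, a `~/.netrc` entry for attic.zakobar.com with the `<pull-token>` placeholder actually replaced, and a `.netrc` mode that keeps the pull token private. The two config paths are parameters, and the demo at the bottom runs against constructed sample files.

```sh
#!/bin/sh
# Added example, not part of the original runbook: sanity-check a client's
# Attic configuration beyond "nix store ping". URL and key are the values
# from the Known values table; the two config paths are parameters.
ATTIC_HOST="attic.zakobar.com"
ATTIC_CACHE_URL="https://$ATTIC_HOST/main"
ATTIC_PUBKEY="main:9SZt/6plBU7jjQzz90J7O011I13hmJvOMYouxNqExNQ="

# check_attic_client NIX_CONF NETRC -> returns 0 if all checks pass, 1 otherwise.
check_attic_client() {
  conf="$1"; netrc="$2"; rc=0
  # Substituter and trusted key must both be present: nix will not use paths
  # from a substituter whose signature it does not trust.
  grep -qF "$ATTIC_CACHE_URL" "$conf" 2>/dev/null \
    || { echo "FAIL: $conf lacks substituter $ATTIC_CACHE_URL"; rc=1; }
  grep -qF "$ATTIC_PUBKEY" "$conf" 2>/dev/null \
    || { echo "FAIL: $conf lacks the trusted public key for cache main"; rc=1; }
  # The cache is private, so a pull token must be in .netrc ...
  if [ ! -f "$netrc" ]; then
    echo "FAIL: $netrc missing (private cache needs a pull token)"; return 1
  fi
  grep -q "^machine $ATTIC_HOST" "$netrc" \
    || { echo "FAIL: $netrc has no entry for $ATTIC_HOST"; rc=1; }
  # ... with the runbook's placeholder actually replaced ...
  ! grep -qF "password <pull-token>" "$netrc" \
    || { echo "FAIL: $netrc still has the <pull-token> placeholder"; rc=1; }
  # ... and, being a long-lived bearer credential in plaintext, not readable
  # by group/other. Columns 5-10 of ls -l are those bits (portable, unlike
  # the GNU/BSD-specific stat flags).
  gobits=$(ls -ld "$netrc" | cut -c5-10)
  [ "$gobits" = "------" ] \
    || { echo "FAIL: $netrc is group/world accessible (bits: $gobits)"; rc=1; }
  [ "$rc" -eq 0 ] && echo "OK: $conf and $netrc pass all checks"
  return "$rc"
}

# Demo against constructed sample files, not a real home directory.
demo_dir=$(mktemp -d)
printf 'extra-substituters = %s\nextra-trusted-public-keys = %s\n' \
  "$ATTIC_CACHE_URL" "$ATTIC_PUBKEY" > "$demo_dir/nix.conf"
printf 'machine %s\nlogin token\npassword eyJ.constructed.token\n' \
  "$ATTIC_HOST" > "$demo_dir/netrc"
chmod 600 "$demo_dir/netrc"
check_attic_client "$demo_dir/nix.conf" "$demo_dir/netrc"          # OK
chmod 644 "$demo_dir/netrc"                                        # common slip
check_attic_client "$demo_dir/nix.conf" "$demo_dir/netrc" || true  # FAIL on mode
rm -rf "$demo_dir"
```

Run it as `check_attic_client ~/.config/nix/nix.conf ~/.netrc` on the real files once the steps above are done.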
## Pushing builds

```sh
# Push a specific path and its closure
nix run github:zhaofengli/attic -- push homey:main <path>

# Push the current system closure
nix run github:zhaofengli/attic -- push homey:main /run/current-system

# Push after a nix build
nix build .#nixosConfigurations.pi-main.config.system.build.toplevel
nix run github:zhaofengli/attic -- push homey:main ./result

# Watch the store and push all new paths as they are built
nix run github:zhaofengli/attic -- watch-store homey:main
```

Paths already signed by cache.nixos.org are skipped automatically.
## Monitoring

- Uptime Kuma: monitor configured automatically via the NixOS module (5 min interval)
- Disk usage: `ssh admin@192.168.1.100 "du -sh /mnt/data/attic/"`
- Grafana: node exporter tracks `/mnt/data` filesystem usage
- Logs: `ssh admin@192.168.1.100 "journalctl -u podman-attic -n 50"`
## Manual GC

```sh
ssh admin@192.168.1.100 \
  "sudo podman exec attic atticadm -f /etc/attic/server.toml run-gc"
```
## Signing key rotation

If the signing key is ever compromised or needs rotating:

```sh
nix run github:zhaofengli/attic -- cache configure homey:main --regenerate-keypair
nix run github:zhaofengli/attic -- cache info homey:main   # get new public key
```

Then update `trusted-public-keys` in `hosts/pi-main/default.nix` and on all client machines.
## Initial setup steps (completed 2026-05-30)

For reference — these were run once during first deployment.

- Deployed NixOS config with `homey.attic.enable = true`
- Added `attic.zakobar.com` to Cloudflare Tunnel dashboard
- Generated admin token via `atticadm` inside container
- Logged in: `attic login homey https://attic.zakobar.com <token>`
- Created cache: `attic cache create homey:main` (Attic generates signing key server-side)
- Added public key and substituter to `hosts/pi-main/default.nix`
- Configured lauretta: `~/.config/nix/nix.conf` + `~/.netrc`