.github/workflows/flake-health-checks.yml

@@ -15,6 +15,13 @@ jobs:
         os: [ubuntu-latest]
     steps:
       - uses: DeterminateSystems/nix-installer-action@main
-      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - name: Setup Attic cache
+        uses: ryanccn/attic-action@v0
+        with:
+          endpoint: ${{ secrets.ATTIC_ENDPOINT }}
+          cache: ${{ secrets.ATTIC_CACHE }}
+          token: ${{ secrets.ATTIC_TOKEN }}
+          skip-push: "true"
       - uses: actions/checkout@v4
       - run: nix flake check --accept-flake-config
+      - run: nix ./utils/attic-push.bash

.github/workflows/flake-update.yml

@@ -21,7 +21,12 @@ jobs:
           extra_nix_config: |
             experimental-features = nix-command flakes
           install_url: https://releases.nixos.org/nix/nix-2.19.0/install
-      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - name: Setup Attic cache
+        uses: ryanccn/attic-action@v0
+        with:
+          endpoint: ${{ secrets.ATTIC_ENDPOINT }}
+          cache: ${{ secrets.ATTIC_CACHE }}
+          token: ${{ secrets.ATTIC_TOKEN }}
       - name: Calculate pre-drv
         run: nix ./utils/eval-to-drv.sh pre
       # - name: Pull latest docker images

.github/workflows/nix-fmt.yml

@@ -12,6 +12,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: DeterminateSystems/nix-installer-action@main
-      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - name: Setup Attic cache
+        uses: ryanccn/attic-action@v0
+        with:
+          endpoint: ${{ secrets.ATTIC_ENDPOINT }}
+          cache: ${{ secrets.ATTIC_CACHE }}
+          token: ${{ secrets.ATTIC_TOKEN }}
       - uses: actions/checkout@v4
       - run: nix fmt -- --check .

flake.nix

@@ -5,15 +5,17 @@
     substituters = [
       "https://cache.nixos.org/?priority=1&want-mass-query=true"
       "https://nix-community.cachix.org/?priority=10&want-mass-query=true"
+      "https://attic.alicehuston.xyz/nix-cache"
     ];
     trusted-substituters = [
       "https://cache.nixos.org"
-      "https://attic.alicehuston.xyz/cache-nix-dot"
       "https://nix-community.cachix.org"
+      "https://attic.alicehuston.xyz/nix-cache"
     ];
     trusted-public-keys = [
       "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
       "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+      "nix-cache:trR+y5nwpQHR4hystoogubFmp97cewkjWeqqbygRQRs="
     ];
     trusted-users = [ "root" ];
   };

systems/artemision/programs.nix

@@ -3,6 +3,7 @@
   environment.systemPackages = with pkgs; [
     act
     alacritty
+    attic-client
     amdgpu_top
     bat
     bitwarden-cli

systems/palatine-hill/attic/default.nix

@@ -19,7 +19,7 @@
       settings = {
         listen = "[::]:8183";
         allowed-hosts = [ "attic.alicehuston.xyz" ];
-        api-endpoint = "https://attic.alicehuston.xyz";
+        api-endpoint = "https://attic.alicehuston.xyz/";
         compression.type = "none"; # let ZFS do the compressing
         database = {
           url = "postgres://atticd?host=/run/postgresql";

systems/palatine-hill/docker/act-runner.nix

@@ -8,27 +8,75 @@ let
   act_path = vars.primary_act;
 in
 {
-  virtualisation.oci-containers.containers.act-stable-latest-1 = {
+  virtualisation.oci-containers.containers = {
-    image = "gitea/act_runner:latest";
+    act-stable-latest-1 = {
-    extraOptions = [
+      image = "gitea/act_runner:latest";
-      "--stop-signal=SIGINT"
+      extraOptions = [
-    ];
+        "--stop-signal=SIGINT"
-    labels = {
+      ];
-      "com.centurylinklabs.watchtower.enable" = "true";
+      labels = {
-      "com.centurylinklabs.watchtower.scope" = "act-runner";
+        "com.centurylinklabs.watchtower.enable" = "true";
+        "com.centurylinklabs.watchtower.scope" = "act-runner";
+      };
+      ports = [ "8088:8088" ];
+      volumes = [
+        "${act_path}/stable-latest-1/config.yaml:/config.yaml"
+        "${act_path}/stable-latest-1/data:/data"
+        "/var/run/docker.sock:/var/run/docker.sock"
+      ];
+      environment = {
+        CONFIG_FILE = "/config.yaml";
+        GITEA_RUNNER_NAME = "stable-latest-1";
+      };
+      environmentFiles = [ config.sops.secrets."docker/act-runner".path ];
+      log-driver = "local";
     };
-    ports = [ "8088:8088" ];
+
-    volumes = [
+    act-stable-latest-2 = {
-      "${act_path}/stable-latest-1/config.yaml:/config.yaml"
+      image = "gitea/act_runner:latest";
-      "${act_path}/stable-latest-1/data:/data"
+      extraOptions = [
-      "/var/run/docker.sock:/var/run/docker.sock"
+        "--stop-signal=SIGINT"
-    ];
+      ];
-    environment = {
+      labels = {
-      CONFIG_FILE = "/config.yaml";
+        "com.centurylinklabs.watchtower.enable" = "true";
-      GITEA_RUNNER_NAME = "stable-latest-1";
+        "com.centurylinklabs.watchtower.scope" = "act-runner";
+      };
+      # ports = [ "8088:8088" ];
+      volumes = [
+        "${act_path}/stable-latest-2/config.yaml:/config.yaml"
+        "${act_path}/stable-latest-2/data:/data"
+        "/var/run/docker.sock:/var/run/docker.sock"
+      ];
+      environment = {
+        CONFIG_FILE = "/config.yaml";
+        GITEA_RUNNER_NAME = "stable-latest-2";
+      };
+      environmentFiles = [ config.sops.secrets."docker/act-runner".path ];
+      log-driver = "local";
+    };
+
+    act-stable-latest-3 = {
+      image = "gitea/act_runner:latest";
+      extraOptions = [
+        "--stop-signal=SIGINT"
+      ];
+      labels = {
+        "com.centurylinklabs.watchtower.enable" = "true";
+        "com.centurylinklabs.watchtower.scope" = "act-runner";
+      };
+      # ports = [ "8088:8088" ];
+      volumes = [
+        "${act_path}/stable-latest-3/config.yaml:/config.yaml"
+        "${act_path}/stable-latest-3/data:/data"
+        "/var/run/docker.sock:/var/run/docker.sock"
+      ];
+      environment = {
+        CONFIG_FILE = "/config.yaml";
+        GITEA_RUNNER_NAME = "stable-latest-3";
+      };
+      environmentFiles = [ config.sops.secrets."docker/act-runner".path ];
+      log-driver = "local";
     };
-    environmentFiles = [ config.sops.secrets."docker/act-runner".path ];
-    log-driver = "local";
   };
 
   systemd = {

systems/palatine-hill/docker/default.nix

@@ -15,7 +15,7 @@
     #./foundry.nix
     ./glances.nix
     # ./haproxy.nix
-    # ./minecraft.nix
+    ./minecraft.nix
     ./nextcloud.nix
     # ./postgres.nix
     # ./restic.nix

systems/palatine-hill/docker/minecraft.nix

@@ -9,6 +9,7 @@ let
     divinejourney = "dj.alicehuston.xyz";
     rlcraft = "rlcraft.alicehuston.xyz";
     arcanum-institute = "arcanum.alicehuston.xyz";
+    bcg-plus = "bcg.alicehuston.xyz";
   };
 
   defaultServer = "rlcraft";
@@ -27,8 +28,7 @@ let
 
   defaultOptions = [
     "--stop-signal=SIGTERM"
-    "--stop-timeout=30m"
+    "--stop-timeout=1800"
-    "--restart=unless-stopped"
     "--network=minecraft-net"
   ];
 
@@ -40,7 +40,6 @@ in
     mc-router = {
       image = "itzg/mc-router:latest";
       extraOptions = [
-        "--restart=always"
         "--network=haproxy-net"
         "--network=minecraft-net"
       ];
@@ -51,18 +50,36 @@ in
         )
       ];
     };
-    rlcraft = {
+    # rlcraft = {
-      image = "itzg/minecraft-server:java8";
+    #   image = "itzg/minecraft-server:java8";
+    #   volumes = [
+    #     "${minecraft_path}/rlcraft/modpacks:/modpacks:ro"
+    #     "${minecraft_path}/rlcraft/data:/data"
+    #   ];
+    #   hostname = "rlcraft";
+    #   environment = defaultEnv // {
+    #     VERSION = "1.12.2";
+    #     CF_SLUG = "rlcraft";
+    #     DIFFICULTY = "hard";
+    #     ENABLE_COMMAND_BLOCK = "true";
+    #   };
+    #   extraOptions = defaultOptions;
+    #   log-driver = "local";
+    #   environmentFiles = [ config.sops.secrets."docker/minecraft".path ];
+    # };
+    bcg-plus = {
+      image = "itzg/minecraft-server:java17";
       volumes = [
-        "${minecraft_path}/rlcraft/modpacks:/modpacks:ro"
+        "${minecraft_path}/bcg-plus/modpacks:/modpacks:ro"
-        "${minecraft_path}/rlcraft/data:/data"
+        "${minecraft_path}/bcg-plus/data:/data"
       ];
-      hostname = "rlcraft";
+      hostname = "bcg-plus";
       environment = defaultEnv // {
-        VERSION = "1.12.2";
+        VERSION = "1.17";
-        CF_SLUG = "rlcraft";
+        CF_SLUG = "bcg";
-        DIFFICULTY = "hard";
+        DIFFICULTY = "normal";
-        ENABLE_COMMAND_BLOCK = "true";
+        DEBUG = "true";
+        # ENABLE_COMMAND_BLOCK = "true";
       };
       extraOptions = defaultOptions;
       log-driver = "local";

systems/palatine-hill/firewall.nix

@@ -18,6 +18,9 @@
     2222
     2223
     8088
+
+    # attic
+    8183
   ];
 
 }

systems/palatine-hill/secrets.yaml

@@ -16,6 +16,7 @@ minio:
     credentials: ENC[AES256_GCM,data:5Z/cTmxSuMq8BfRgYLGZZJ7o6AtmrQM3yNjR17YHr29S7ZWvGsjfM7DsLKectem01nvv3HoT4uyWSdhkOmZahzDb5OF1NEgjJhLqkKlCETMu0mmpwe1cx6iOd7kjB3E6Az/MWpXqZ/TrryL9FrQD2nnx9bHyWWIHRQv8,iv:jiYZXfU+OssC0rh/3yFZLEzD1+5mVDDl6gQ3oyk76E4=,tag:bevDszFv1zSa+/2qQIgC0w==,type:str]
     loki: ENC[AES256_GCM,data:ShC6hfsKifVaxLWRo1fqaOpsrYh4+w==,iv:KVSlPd0mBvPZikg/Agnl6q0UhxTmsNOeYdercYOhqMg=,tag:cj6ex9m7vDjInTJDGUlqFQ==,type:str]
 docker:
+    minecraft: ENC[AES256_GCM,data:2k/m0ksnE92fACxQuBlOO72b19T7Nbnr58ezRddmKUVvePEgrdSnIsR3sh7PnmzwmG/ez0WTD+NKbtkQmRMDQ25vruA8gCf8Ig==,iv:X2SUidKTNAPZfbyiXFKprUbAhBxJcbF5bz+YTy4nuEA=,tag:AAvLXO888r9XvtnNfQgCpA==,type:str]
     foundry: ENC[AES256_GCM,data:5Z0FvVhJBzTwDPRN6c//caZokiTnkdqiLGFFuyen+tYsdjbQ3AXH5y7HfxKbxsJvU5uShOuIg0jVMvow2NYmzyYDDKBKPOz0bgXOmFq06wzCJubjyZmR/mDcWBBDzAFzaazpyW8=,iv:6wLS00zhX0tjJUe5uADAjzEshJP8QOkF2i4Aw+Y9RSk=,tag:sNr/exY1u3evYGcImyCUlA==,type:str]
     nextcloud: ENC[AES256_GCM,data:dm2Cha+CvFORgdcBvJAzzdOGcJ95vLJYTZcUJnjNp6HOQIIoJrDone1NOAYJh9rdWG/17/ntOmd+TysAj4AsD0dw/PatZmy3I+dcVghkt2XNTc7jD64QjctIHzR+om1joAbKemG1R3St7qDU68TWYxoxIfYZcJvg3ds/lJcYgFRh079UZ/IRlGVR6sWPEXyY+UUrwtk0Fr+y8UtwwWZiLp0akUbIV06huRGiAp/PeWETuPPuacl2++ayIgJFZkJjUl/a52RI1Q0nLG5iyK6QYpY1JSRJTOkiQQ4PB5GRdLCdoM5/ZXTQ6gGcoM5jXFllsTn+yRicNRucuBp7Z2achbk6eITCdjjdXVI7zM4YXpzVLu5fJckLAu07aEIGYCBT7ZXd7TRgfB68POwtwaJGBozg+nuhq8xEH04yi8jFODH6aFplIgJ+bbaP72zw+92lzZa33FEtOwKdtx+YUv0eLLDJs+8Z6Sn6RyN8prwIz1/9LuIMx39g4R7id9W2bV2MXqTU4nN8f0TXWqe+hnb5pDLBaZOBMkwbRka6Vptsi4dbL5Lnexa2DoIHZ2unyxZ+4SkRt9LH39j8fXf2w5JPFCSLstf7+Zu7xzRS0TTCug7k,iv:oOWcFdQJb/+KZKJmQChhJ5jOCcM3o+ojZSMyiRnO9n8=,tag:PWGQkwPe0juLgAdlKiWKpg==,type:str]
     redis: ENC[AES256_GCM,data:c+55cN6IpUNeKd+wC2zv3eunYjBsmZtXTczokqaxB2Q=,iv:M3pwNUlT9kUMv4JDE6bp/gub9CdBGxdApIvpOt3JpgE=,tag:3rPlV3U0AP9zAeF7xDouKw==,type:str]
@@ -39,8 +40,8 @@ sops:
             cXNZWmZqd0R0SmhINExscHBKWmxvblUKEFEQvt/zQFARba4S8vHz/1SoKdKg69At
             LZ58XQGOmlGbBhPr7EzYQ2XSY4flWbnnD174cmCR8DNFm15DsNA5fw==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-11-30T05:36:05Z"
+    lastmodified: "2025-01-26T16:14:28Z"
-    mac: ENC[AES256_GCM,data:WkcqAulJAH4tUkjz5pao90rsy48cO12ipb9I/BS8/t9PR6/TIvfBORQ7JBA0/R5djfsYl1WqWTPMzBCYzLz5Os2CmJzGyd7oB70BJE9FG9xysb10I63KDRRWcRaq8KZN/0gdSZi3J1kJAKFp/3j1O68UPn8wacwRL1Sl2Za0ZVk=,iv:Kce1zXjr9LFfiffzPAKu4NzCEv4gBgXr2J/6ZNlu4Wc=,tag:p9UItj4J7bRG6Zs0iiOLug==,type:str]
+    mac: ENC[AES256_GCM,data:U8jDmNzZBnTqS+Ru5vf0KdQPYtSsyUuLq3ugLI4z1d8BrDvEWCLHCjLkr7QoTnrd3qlcCfSBQKb3934C/vAMo/4vaJ7lsoCj4F0d/YCakW22FEhV8Jn3snZYrDpLk0mu9vIZ7U6M1Au7s+jYhYz/X5kORUs+YlYNuqAnt46B4vE=,iv:OFucEOgsoYPGOe1+hzWYI+wpu65BHCW2atcfufl9mNs=,tag:VumO9W8r/Mvv2+X00bqIWQ==,type:str]
     pgp:
         - created_at: "2024-11-28T18:56:39Z"
           enc: |-
@@ -55,4 +56,4 @@ sops:
             -----END PGP MESSAGE-----
           fp: 5EFFB75F7C9B74EAA5C4637547940175096C1330
     unencrypted_suffix: _unencrypted
-    version: 3.9.1
+    version: 3.9.3

users/alice/secrets.yaml

@@ -4,6 +4,10 @@ alice:
     #ENC[AES256_GCM,data:vUMcowHjlQA0RWflfaQhZKkalO39epYi6N9PPW8=,iv:6DFqHlQR+mi+ZkfMUhlhwvpMwnxXNfQV6+sYgPzSj4I=,tag:Pz1zJayscGckPO8Q2ZVb4g==,type:comment]
     gha-hydra-token: ENC[AES256_GCM,data:rYDYIn7MAF4pSZQj+Nln2z9J+AxvuSzumthL86njpKETutArrw+9iX2hHJt5t513NHH03tMtZOFqM60/pzWg4YXVQOSpQmq8QOelD7qCdfCr4Z2QSeOHqXqwKy21iWtoVbxOXWunVxLzkWMJrpHkpVsiBA75Nv66ftKEjN80QNGik6xQE1iPsCB2JHeqYNIr8gtPkCr7H5Pt4yBBO/1rsyONrbNlwmzVX78eqXxmc43XOiNVjEsk8ekJxJ9mn5S6JcPNehBcnZA0kWAIxvtDIPYKnz4YBIXoilBbjgytXL8nw3PkEX27x5yeg9KfxPxO/4CGoi5wfKsYuEynBdWbHtj6a3H0AvA9KIZzktTRNJFU3ZW8UveSCXY4YHl0NREJ8kbIUgkkE7PWeyzGenGFTPMahTA0rKSa+tWPQ1c00lvo9VS3/7pfeJfZEKS7R2xBaEDZrfffHyB5PLTQOGpWl5y40wTn4HdBlyQwoREvobOaKVZEyWtVvJcUeHDPepgEHGVDzwyTelX8Btb6ZNA0Fur8xvpkLZcLmMhbvCdkjq84ztJ36nQQ5JZthecyqcZTWPyfWtPeoUPVIaxn31oLjwsriDwdQmID6twTjC9PT8nBZD/u0JebOCdeYf8fm9q49SaN2w/ZMdSRWucHUsRXeN9O149vYoOqR28H+8v/tYJdqofJpHKrIBs=,iv:GcEV6f4rqkrpCafeaLNMqqU/vBNE0xHbqokL2gMXHYw=,tag:sCHvUgq1w8npedjIAninrA==,type:str]
     wakatime-api-key: ENC[AES256_GCM,data:ITu5pRySYGCJ6q9IQ35NfpGX2FyIJRYHGDeBiq0btzIrqitxcFox1Vc=,iv:HsXpyFHV7dG5qORk26BtD+kFo4Jdq2c4fozMpoqyDfU=,tag:uaQoXvvYqNfmRXVDVH8AoQ==,type:str]
+    attic-nix-cache-creator: ENC[AES256_GCM,data:P0iBdy4IYrxcq7v4wTgwwZvAfVdRFo08pi0zvpY9cP9BDCwbBnp+3qDKWL29rC7OxsaLtmRkvPmbkF3ZX3Yu5OaptwVg2Xi0vNqhk3gu5Fdj8ygPigB0ZtimkfWv1QkctoVoXKXuLv6Xd4XKPCWOOIekWlJsBRcyfyzkyFURkU9tBBkXyEAWItho/J8hJr6r00eA3EN4rTe8Ge+PGpfTfpZVpnoGrC35xPnGLq19+b44DectHDTkMZrZKxiCaVIgKUZDLaFgi6a6PsX+L1HQAIZukXJu3m4BPdvzzby+zgX24pVJOYjAUB2BwO9jUlMS6+7qo0p6k01uLicryfKx/ajdAHcy39tFHX7naA4JriC2/FgI2HlFGp0Lc+g0pfdCYwLs5QBfRaOHyrbFWUDG,iv:OBrgnewqBaug00ygAXs0eFs3LqcHqo1EW96N5I38A0o=,tag:V+Gn47O6AH1RwL9qJLpAkw==,type:str]
+    attic-nix-cache-reader: ENC[AES256_GCM,data:DWIkRri3lHJOVXIAbHWJL7cCV4FHjB91bbpPAib/5ZDKap3xjnxUjwswc7wjO1hCoV3+gmep1a64kma6MJts4bcAug5bPyrrPy//rVpCYvSbSmbPz5k4sW5GLU/Sf4NyBevsQo9KRrphpoSUQEFQB27vabYDjjkB051/qJo1B9B7nqmrSyd3np4YdyHAgUiMyJt0oqx8nXySz3XZU+DIM8/OhMZILpnEWIgyP2K7j8JNNpZZJ5sD/icUy6Vba/4LcKjtmYtfQ+HO1soyF6aMiQSjhp7fzJHktwa9kgB3oDzIg3KyCJYS2RNW7mW9Dd1T,iv:fvhGFU22KgknMpJbOkA3v29bKzRVX6hi7V7xJgSUjPg=,tag:TjGSUl0XXS7jlhP/NG4cvQ==,type:str]
+    attic-nix-cache-writer: ENC[AES256_GCM,data:vxSeys7EJDyatZFpeyxeDzaKGqDtm3atpVly6+BPHUFTrlLaVl86roGZjpBB9wwOMuP007qJNva0HQcTONbSyNw/snUU5JpaFWLT87Eu81V8gdulzHwm61caQ4A/e1ylKkdtwalNymBSyWi9b+SOWXTgralrg9L3OHw+nVuZaAi8QXF2ImLoZ2vXl7MGNXParflV2KK2uqfRatDZMbSSFipT0tQpkNTBTA6l8woILK3BKrHdYq+D8n4EmRowSuMWuN1uknyctb4+Ap3AeBITvyJjKejocQ9qK9plP6CChiC4Z1mmt/HOrfXYXiJO+Va64rOYRywMga8=,iv:bAx7iR24dpIOudkiFOc/xmIG73rcaMDdhWjiBO4BsBM=,tag:gtTyldhdRV97YJREG5lPjA==,type:str]
+    attic-nix-cache-admin: ENC[AES256_GCM,data:OP02nJTo0cx8M9cR+P7cpI1gEXCKqXWehlaL+dYGwGSUnQ6iSC25vpdZ5SSnjyhiBZe+VnYld+b5PO+OOt7NMGxVvQ0zcuvrG7qfhEpIfGrbx9S9cEV2eAMchG/Hua609MUTbFYKvpwWw6tFZD2dYYQv2gXI7mYSeN0Tw4i2x1f/+cKDtV+ak+UHRgEe/f5OdE8v5I6dRXUQGVOBSRAQkfYDFuI2JUz4oNJsz66YkdMtgudhqWi4mekODD3v2Gcg/zAv1PogaHaIH1BHNvLQ/DsNVcvLsnTb6inM3cTCyPpHcx+VwPO7g9kYNV8xcCRkAIvX6aFzRVT0tJcEXFWStMnKS8nr8HoKFQ==,iv:ftmN3jK5qa6SwrSyhhL3PZls2hTG6xGa0LW7ycdkYxQ=,tag:TQCELzJQjsMfAJseZ7tB4w==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -37,8 +41,8 @@ sops:
             ZERFTlFyNjhOb3VCaW43ZXFHT1Vxc0UK7YV+BU7dCEOZxpqkQA394eDsnthvorj6
             7bqrCdeU+6DU7DmFs6++BrNO2tx8vvOa1im+ZGrM/gZAJdv/7R2d6Q==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-08-20T23:15:03Z"
+    lastmodified: "2025-01-26T04:17:36Z"
-    mac: ENC[AES256_GCM,data:VnLd4N2l7JTKA7f4eh9EKilW2f8mmEmLc06WbHASOn6N+MIGPHwyLjLbPVECuXiVl95cs0+uWsFOPEbLiS6XTB/gZE1OZMYqk0x7FVkQNxMdWwcVAQnncC6i/cdBTAx+GW1iF6Cf2eLY1wNNiASk/Bz8u3r4UJ4QFXuMovPsfxw=,iv:Cr1bAYrwlK+ClRFDsiUdEIqXDU7onubthDEQDlTM3S4=,tag:EyfcNB0xKrFRjbp517akpg==,type:str]
+    mac: ENC[AES256_GCM,data:BJ5d3iqdIBwqtnYOYfmsFqnJDXz67uzJ4UKWrjVUEgr4Nc95tE8mEyV40poZk/wAJGJMSDdRhsPmZI4H1xztkjkTsUCUJ2rR+SZ6gP1VhSEXu7bSvv63+bnajZQi9kZrfN0EZN8TLzzVHVvSVHcNEfbq9STWkZq6zCk9E2cUfhk=,iv:MQ/lQkNi/S3bfz1PegcVfwy06RsxdQwZIU6sdOjkhgU=,tag:l5tK1SUwjTolliPkbfNDHg==,type:str]
     pgp:
         - created_at: "2024-09-05T06:10:22Z"
           enc: |-
@@ -53,4 +57,4 @@ sops:
             -----END PGP MESSAGE-----
           fp: 5EFFB75F7C9B74EAA5C4637547940175096C1330
     unencrypted_suffix: _unencrypted
-    version: 3.9.0
+    version: 3.9.3

utils/attic-push.bash

@@ -0,0 +1,22 @@
+#!/usr/bin/env nix
+#! nix shell nixpkgs#bash nixpkgs#jq nixpkgs#gnused nixpkgs#nixVersions.latest nixpkgs#attic-client --command bash
+
+#set -x
+#set -v
+set -e
+
+# retrieve all paths under 100M
+nix_paths=$(nix path-info --json --all --closure-size \
+  | jq 'map_values(.closureSize | select(. < 1e8)) | to_entries | sort_by(.value)' \
+  | jq 'map(.key) | join("\n")' | sed -E -e 's/\\n/\n/g;s/^"//g;s/"$//g')
+
+readarray -t nix_path_array < <(echo "$nix_paths")
+
+batchsize=1000
+
+for((i=0; i < ${#nix_path_array[@]}; i+=batchsize))
+do
+    part=( "${nix_path_array[@]:i:batchsize}" )
+
+    attic push nix-cache "${part[@]}"
+done

utils/attic-token.bash

@@ -0,0 +1,36 @@
+#!/usr/bin/env bash
+
+if (( $# != 3 )); then
+   echo "usage: $0 <cache/cache group> <cache pattern> <token type>"
+   exit 1
+fi
+
+cache="$1"
+cache_pattern="$2"
+token_type="$3"
+
+case $token_type in
+    "cache-creator")
+        atticd-atticadm make-token --sub "$cache-cache-creator" --validity "1y" \
+            --pull "$cache_pattern" --push "$cache_pattern" --delete "$cache_pattern" \
+            --create-cache "$cache_pattern" --configure-cache "$cache_pattern" \
+            --configure-cache-retention "$cache_pattern" --destroy-cache "$cache_pattern"
+        ;;
+    "admin")
+        atticd-atticadm make-token --sub "$cache-admin" --validity "1y" --pull "$cache_pattern" \
+            --push "$cache_pattern" --configure-cache "$cache_pattern" \
+            --configure-cache-retention "$cache_pattern"
+        ;;
+    "writer")
+        atticd-atticadm make-token --sub "$cache-writer" --validity "1y" --pull "$cache_pattern" \
+            --push "$cache_pattern"
+        ;;
+    "reader")
+        atticd-atticadm make-token --sub "$cache-reader" --validity "1y" --pull "$cache_pattern"
+        ;;
+    *)
+        echo "invalid token type: $token_type"
+        echo "available options: cache-creator, admin, writer, reader"
+        exit 1
+        ;;
+esac