Deploying to NixOS

Attic provides a NixOS module that allows you to deploy the Attic Server on a NixOS machine.


  1. A machine running NixOS
  2. (Optional) A dedicated bucket on S3 or an S3-compatible storage service
  3. (Optional) A PostgreSQL database

Generating the Credentials File

The HS256 JWT secret can be generated with the openssl utility:

openssl rand 64 | base64 -w0

Create a file on the server containing the following contents:

ATTIC_SERVER_TOKEN_HS256_SECRET_BASE64="output from openssl"

Ensure the file is only accessible by root.
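
The steps above can be combined so the file is never readable by other users, not even briefly. The script below is an added example, not part of the Attic documentation; the function names, the /dev/urandom fallback and the verification step are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example (not from the Attic docs): function names are illustrative.

# Create the credentials file at $1 (default /etc/atticd.env) with a fresh secret.
write_attic_credentials() {
  local path="${1:-/etc/atticd.env}" secret
  # 64 random bytes, base64 on one line, as in the command above. Falling back
  # to /dev/urandom when openssl is not on PATH is an assumption of this example.
  secret="$(
    if command -v openssl >/dev/null 2>&1; then openssl rand 64
    else head -c 64 /dev/urandom; fi | base64 -w0
  )" || return 1
  [ -n "$secret" ] || return 1
  (
    # Created 0600 from the start, so there is no window with wider permissions.
    umask 077
    # noclobber makes '>' fail on an existing file: replacing the secret would
    # invalidate every token already signed with it.
    set -o noclobber
    # printf is a shell builtin, so the secret never shows up in a process list.
    printf 'ATTIC_SERVER_TOKEN_HS256_SECRET_BASE64="%s"\n' "$secret" > "$path"
  )
}

# Succeed only if $1 has mode 600, is owned by uid $2 (default 0, root), and
# holds a secret that decodes to exactly 64 bytes.
check_attic_credentials() {
  local path="${1:-/etc/atticd.env}" uid="${2:-0}" meta value bytes
  meta="$(stat -c '%a %u' "$path")" || return 1
  if [ "$meta" != "600 $uid" ]; then
    echo "$path: mode/uid is '$meta', expected '600 $uid'" >&2
    return 1
  fi
  value="$(sed -n 's/^ATTIC_SERVER_TOKEN_HS256_SECRET_BASE64="\(.*\)"$/\1/p' "$path")"
  bytes="$(printf '%s' "$value" | base64 -d 2>/dev/null | wc -c)"
  if [ "$bytes" -ne 64 ]; then
    echo "$path: secret decodes to $bytes bytes, expected 64" >&2
    return 1
  fi
}

# Usage, as root:  write_attic_credentials && check_attic_credentials
```

Running check_attic_credentials again after later changes to the machine catches a credentials file whose mode or owner has drifted.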

Importing the Module

You can import the module in one of two ways:

  • Ad-hoc: Import nixos/atticd.nix from the repository.
  • Flakes: Add github:zhaofengli/attic as an input, then import attic.nixosModules.atticd.


Note: These options are subject to change.

  services.atticd = {
    enable = true;

    # Replace with absolute path to your credentials file
    credentialsFile = "/etc/atticd.env";

    settings = {
      listen = "[::]:8080";

      # Data chunking
      # Warning: If you change any of the values here, it will be
      # difficult to reuse existing chunks for newly-uploaded NARs
      # since the cutpoints will be different. As a result, the
      # deduplication ratio will suffer for a while after the change.
      chunking = {
        # The minimum NAR size to trigger chunking
        # If 0, chunking is disabled entirely for newly-uploaded NARs.
        # If 1, all NARs are chunked.
        nar-size-threshold = 64 * 1024; # 64 KiB

        # The preferred minimum size of a chunk, in bytes
        min-size = 16 * 1024; # 16 KiB

        # The preferred average size of a chunk, in bytes
        avg-size = 64 * 1024; # 64 KiB

        # The preferred maximum size of a chunk, in bytes
        max-size = 256 * 1024; # 256 KiB
      };
    };
  };

After the new configuration is deployed, the Attic Server will be accessible on port 8080. It's highly recommended to place it behind a reverse proxy like NGINX to provide HTTPS.


The NixOS module installs the atticd-atticadm wrapper which runs the atticadm command as the atticd user. Use this command to generate new tokens to be distributed to users.