Attic public key not trusted

I’m trying to use a self-hosted binary cache using attic in my tailnet. But something seems to be going wrong with the signing/verification when pulling from the cache on one of my machines.

warning: ignoring substitute for '/nix/store/kxd9crfs6faf3a5bbscq0niybflz5j7n-hm_homejordy.cache.keep' from 'http://attic.tailnet.domain/homelab', as it's not signed by any of the keys in 'trusted-public-keys'
warning: ignoring substitute for '/nix/store/0yw7maw8h39n70yph4da5jv35m9i7vyl-hm_homejordy.localstate.keep' from 'http://attic.tailnet.domain/homelab', as it's not signed by any of the keys in 'trusted-public-keys'
warning: ignoring substitute for '/nix/store/ck1ccknr7gc0ffi7532vnbc8c6h9s892-hm_systemduserappcom.mitchellh.ghostty.service.doverrides.conf' from 'http://attic.tailnet.domain/homelab', as it's not signed by any of the keys in 'trusted-public-keys'
warning: ignoring substitute for '/nix/store/dvmk1qxj8ih2sc5c62wn726f1pfsgrnx-hm_usertmpfiles.dhomemanager.conf' from 'http://attic.tailnet.domain/homelab', as it's not signed by any of the keys in 'trusted-public-keys'

I have the key added to my extra substituters list in flake.nix. And when rebuilding nix asked if I wanted to permanently mark the keys as trusted which I did. I have also checked /root/.local/share/nix/trusted-setting.json and the key appears to be in there correctly.

  nixConfig = {
    extra-substituters = [
      "https://nix-community.cachix.org"
      "https://cuda-maintainers.cachix.org"
      "https://vicinae.cachix.org"
      "http://attic.tailnet.domain/homelab"
    ];
    extra-trusted-public-keys = [
      "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
      "cuda-maintainers.cachix.org-1:0dq3bujKpuEPMCX6U4WylrUDZ9JyUG0VpVZa7CNfq5E="
      "vicinae.cachix.org-1:1kDrfienkGHPYbkpNj1mWTr7Fm1+zcenzgTizIcI3oc="
      "homelab:D1PU3pJIzLurAwTg3aJllxtHe/MtL3TYVc4y9q/2sZU="
    ];
  };

The key appears to be the correct key for the attic cache. I’m not sure if the issue here lies with my nix configuration or with attic, and am not sure how to verify it.

❯ attic cache info homelab
               Public: true
           Public Key: homelab:D1PU3pJIzLurAwTg3aJllxtHe/MtL3TYVc4y9q/2sZU=
Binary Cache Endpoint: http://attic.tailnet.domain/homelab
         API Endpoint: http://attic.tailnet.domain/
      Store Directory: /nix/store
             Priority: 41
  Upstream Cache Keys: ["cache.nixos.org-1"]
     Retention Period: Global Default

I’ve also checked the configuration generated by attic use on the machine I pushed to the cache from, and it seems to match my nix config.

access-tokens = github.com=*snip*
substituters = http://attic.tailnet.domain/homelab https://cache.nixos.org
trusted-public-keys = homelab:D1PU3pJIzLurAwTg3aJllxtHe/MtL3TYVc4y9q/2sZU= cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
netrc-file = /home/jordy/.config/nix/netrc
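The post asks how to tell whether the fault is in the Nix configuration or in attic. The check Nix performs is mechanical: for each candidate path it fetches `<cache endpoint>/<hash part>.narinfo`, builds the fingerprint string `1;<StorePath>;<NarHash>;<NarSize>;<References>` (references as comma-separated full store paths, sorted), and accepts the substitute only if some `Sig:` line names a key listed in `trusted-public-keys` and its ed25519 signature over that fingerprint verifies. The same "not signed by any of the keys in 'trusted-public-keys'" warning is printed whether the narinfo carries no `Sig:` line at all, a `Sig:` from a key name that is not trusted, or a trusted name whose key material does not match (for example a cache key regenerated after the public key was copied). The Go program below is an added example, not code from the thread or from attic: it reproduces that check and reports which of the three cases applies. It signs a constructed narinfo with a freshly generated key pair so it runs offline; the store path is the one from the first warning, the `NarHash` and `NarSize` values are made up, and the generated key pair stands in for the cache's real key.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"errors"
	"fmt"
	"sort"
	"strings"
)

type NarInfo struct {
	StorePath  string
	NarHash    string   // "sha256:<base32>" exactly as printed in the narinfo
	NarSize    string   // kept as text so the fingerprint is byte-exact
	References []string // full store paths; the narinfo itself lists basenames
	Sigs       []string // each "keyname:base64(ed25519 signature)"
}

// ParseNarInfo reads the "Key: value" lines of a .narinfo document.
func ParseNarInfo(text string) (*NarInfo, error) {
	f := map[string][]string{}
	for _, line := range strings.Split(text, "\n") {
		if k, v, ok := strings.Cut(line, ":"); ok {
			f[k] = append(f[k], strings.TrimSpace(v))
		}
	}
	if len(f["StorePath"]) == 0 || len(f["NarHash"]) == 0 || len(f["NarSize"]) == 0 {
		return nil, errors.New("narinfo lacks StorePath, NarHash or NarSize")
	}
	ni := &NarInfo{StorePath: f["StorePath"][0], NarHash: f["NarHash"][0], NarSize: f["NarSize"][0], Sigs: f["Sig"]}
	for _, r := range strings.Fields(strings.Join(f["References"], " ")) {
		ni.References = append(ni.References, "/nix/store/"+r)
	}
	return ni, nil
}

// Fingerprint is the exact byte string a Nix path signature covers (references sorted).
func Fingerprint(ni *NarInfo) string {
	refs := append([]string(nil), ni.References...)
	sort.Strings(refs)
	return "1;" + ni.StorePath + ";" + ni.NarHash + ";" + ni.NarSize + ";" + strings.Join(refs, ",")
}

// SignNarInfo produces a "name:base64sig" Sig line, as a cache's signing key would.
func SignNarInfo(ni *NarInfo, name string, priv ed25519.PrivateKey) string {
	return name + ":" + base64.StdEncoding.EncodeToString(ed25519.Sign(priv, []byte(Fingerprint(ni))))
}

// VerifyNarInfo mirrors Nix's decision: accept only if some Sig line names a key in
// trusted (entries in trusted-public-keys form) AND its signature verifies.
func VerifyNarInfo(ni *NarInfo, trusted []string) (string, error) {
	if len(ni.Sigs) == 0 {
		return "", errors.New("narinfo has no Sig line at all")
	}
	fp, sawName := []byte(Fingerprint(ni)), false
	for _, s := range ni.Sigs {
		name, b64, _ := strings.Cut(s, ":")
		sig, _ := base64.StdEncoding.DecodeString(b64)
		for _, t := range trusted {
			tname, tb64, _ := strings.Cut(t, ":")
			pk, _ := base64.StdEncoding.DecodeString(tb64)
			if tname != name || len(pk) != ed25519.PublicKeySize {
				continue // different key name (or a malformed trusted entry)
			}
			sawName = true
			if len(sig) == ed25519.SignatureSize && ed25519.Verify(ed25519.PublicKey(pk), fp, sig) {
				return name, nil
			}
		}
	}
	if sawName {
		return "", errors.New("trusted key name matches but the signature does not verify (wrong or rotated key)")
	}
	return "", errors.New("not signed by any of the keys in trusted-public-keys")
}

// SampleNarInfo is a constructed narinfo (NarHash and NarSize are made up) in the shape a cache serves at <endpoint>/<hash>.narinfo.
const SampleNarInfo = `StorePath: /nix/store/kxd9crfs6faf3a5bbscq0niybflz5j7n-hm_homejordy.cache.keep
NarHash: sha256:1b4sb93wp679q4zx9k1ignby1yna3z7c4c2ri3wphylbc2dwsys0
NarSize: 120
References: kxd9crfs6faf3a5bbscq0niybflz5j7n-hm_homejordy.cache.keep
`

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // stand-in for the cache's real key pair
	ni, _ := ParseNarInfo(SampleNarInfo)
	ni.Sigs = []string{SignNarInfo(ni, "homelab", priv)}
	fmt.Println(VerifyNarInfo(ni, []string{"homelab:" + base64.StdEncoding.EncodeToString(pub)}))
	otherPub, _, _ := ed25519.GenerateKey(nil) // same key name, different key material
	fmt.Println(VerifyNarInfo(ni, []string{"homelab:" + base64.StdEncoding.EncodeToString(otherPub)}))
}
```

To run this against the real cache, replace `SampleNarInfo` with the body returned by `curl http://attic.tailnet.domain/homelab/kxd9crfs6faf3a5bbscq0niybflz5j7n.narinfo` and pass the `homelab:...` entry from the flake as the trusted key. If the fetched narinfo has no `Sig:` line, the server is handing out unsigned metadata and no client-side setting will make Nix accept it; if the name matches but verification fails, the public key configured on the client is not the one the server signs with.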

I’m just writing to say that doing exactly this has been on my list for a few days, and I’ll respond once I have the same problems as you or not.

To be clear, do y’all need attic? It’s quite a complex beast that only exists to provide multi-tenancy, in case you want to offer a hosting service to multiple different companies that don’t want to leak binaries to each other.

Nix’ binary caches are fundamentally just simple http servers if you don’t mind sharing all binaries with authenticated parties.

You can alternatively just use the reference implementation, or a much simpler rust-based server.


I use it as it is an easy way for me to push and pull packages to a cache that is not in my computer’s nix store. My reasoning is because I am running Hydra on my desktop but my root drive is not that large, so I have attic store and dedup on a separate drive.

Is there a simpler solution for this?

The reason I specifically wanted to use attic was to not push packages to the cache that are already in other caches. So I’m not duplicating large packages like the entirety of gnome, and just caching the packages that have to be built from source.

Thanks for suggesting nix-serve and harmonia as simpler alternatives.

It’s just that attic pops up as the first result when you look for this.

I would say that serving the entire Nix store of a machine sounds like you want to make certain that nothing secret, personal or experimental ends up in the store. So if I run the binary cache on my personal server where the secrets management is so-so, it’s a very different thing to do than, say, serve an OCI registry.

The main purpose for me in having a binary cache is to serve precompiled binaries for programs that are not in nixpkgs so that installing them anywhere is fast and doesn’t require compilation. Sometimes those programs are mine, other times they’re flake inputs. I may want to compile them on my laptop and push the binaries to a remote store. I suppose I could sync the remote store with things I built locally by reading Remote Builds adjacent to the documentation you linked to.

Ideally, the binary cache should not mix with some particular machine’s Nix store, unless that machine’s store is entirely secrets-free and only serves being a cache. In that case I’d be using NixOS as a binary cache rather than a single service running inside NixOS.