fix: attic cache

utils/modules/attic-cache/default.nix

@@ -24,8 +24,17 @@ let
     fi
 
     # Read the auth token from sops if available
+    export ATTIC_AUTH_TOKEN
     ATTIC_AUTH_TOKEN=$(cat "${authTokenFile}")
 
+    # Login to Attic cache
+    echo "Logging in to Attic cache at $ATTIC_URL..." >&2
+    if ! ${pkgs.attic-client}/bin/attic login "$ATTIC_CACHE" "$ATTIC_URL" "$ATTIC_AUTH_TOKEN"; then
+      echo "Failed to login to Attic cache, skipping push" >&2
+      exit 0
+    fi
+    echo "Successfully logged in to Attic cache" >&2
+
     # Function to check if a path exists in cache
     path_in_cache() {
       local path="$1"
@@ -43,8 +52,22 @@ let
       fi
     }
 
-    # Read paths from stdin (provided by Nix post-build-hook)
-    while IFS= read -r path; do
+    # Read paths from OUT_PATHS environment variable (provided by Nix post-build-hook)
+    echo "Reading paths from OUT_PATHS..." >&2
+    echo "DRV_PATH: $DRV_PATH" >&2
+    echo "OUT_PATHS: $OUT_PATHS" >&2
+
+    if [[ -z "$OUT_PATHS" ]]; then
+      echo "No output paths provided, skipping push" >&2
+      exit 0
+    fi
+
+    path_count=0
+    # Split OUT_PATHS by space and process each path
+    for path in $OUT_PATHS; do
+      path_count=$((path_count + 1))
+      echo "Processing path #$path_count: $path" >&2
+
       if [[ -e "$path" ]]; then
         # Check if already in cache before pushing
         if ! path_in_cache "$path"; then
@@ -52,10 +75,12 @@ let
         else
           echo "Path $path already in cache, skipping" >&2
         fi
+      else
+        echo "Path $path does not exist, skipping" >&2
       fi
     done
 
-    echo "Attic cache push completed" >&2
+    echo "Attic cache push completed (processed $path_count paths)" >&2
   '';
 
 in {
@@ -63,6 +88,13 @@ in {
     sopsFile = ./secrets.yaml;
   };
 
+  # Create netrc file for authenticated cache access
+  sops.secrets.attic_netrc = {
+    sopsFile = ./secrets.yaml;
+    mode = "0440";
+    group = "nixbld";
+  };
+
   # Install attic client
   environment.systemPackages = with pkgs; [
     attic-client
@@ -73,6 +105,7 @@ in {
     substituters = [ cacheUrl ];
     trusted-public-keys = [ publicKey ];
     post-build-hook = atticPushHook;
+    netrc-file = config.sops.secrets.attic_netrc.path;
   };
 
   # Create a systemd service for manual cache operations

utils/modules/attic-cache/secrets.yaml

@@ -1,4 +1,5 @@
 attic_auth_token: ENC[AES256_GCM,data:O9wRQe+llEvCE/9mx7VckgCY/5/ZryUFz+0qpgauFRsnNWiB31yOTXo1sOn1lPldGpfsSpUZnGDTLvg5S6mzZ9UYdhDTcSk6V+E9YV5wXLFJv6HGVVI7TVhkSSBIUrxx8sbQvC/hYQ+YQ0zzfreaIz7eMVbHgk+FNnNr3pFNcLYLTacugvMOyZDwkEJcKIFMcWj+zCGu90s3W7LutfudJ37LB4M9sU1Ifjj46NGTe3fAj+lmS1IyJ+2ZUlVoQd4pCbWB0wm3bTpwjJhDYhjQj5gJPuMjBQcCpP7uBvelcmBo+8V/LJ9HY6pRFxPlp48+tOwlGGrzb5WyqWPE3sP3F2eQj4EnlQoULrfi6ARO0xO4qs0FJhN2YhvHJYRyd9leNWNLIe1SdRQ9PK5ksvuoM1rTlbgrPotPYa1PkfmgFuWBMwI+hBf0+DMJtZxJpVES3WAcOuibZukeA5lvQ+AAFTpHRW8AiZF2ry3gWxStLsUrqNQTTt1gZQq6WrHbYbXr3DCuTXxqVLX4mXO1Slbm7JLxni7Sn5nCfUiKCAmFdxuL0L22RMa5yd9+7+wdcFJfhqu9pZ8U5KoTMuaJKnxp0KISog3gDVAfxkrrtfhLnHtJkkLB+/Aa3Ypqowle9iAq1I0IdH6Nzwl63C2nbqPafL5mcXkFMwPktHlkqrflUl/QKnJqBBvcgThdHZIbsQUq2xo589cpvDLouWL2xUHNpIqWotowF5m4n/iN53i6/cJayNpLWMEWWLtslXtG1CN7arjoYYJOuEqdzkqTjornSU7Q1kF6/eLgB8e2BVnMKfBT59F4sX2c6kuK0QXPohcpLWI1ZEYxnSv/44W0i/Ij5NvqZOQ1pEsyMIlPbuh37khw1gv+fMKrbEUUyquzHTX7DEGYEECzWjHQ3/WeDuRmiHlrZC/3StMf9888qm5v2yw/Vk5rQwNY1nbeTf8yWg47qKi2GgSSdsqrUrW5yWLs4MWKF2cSSDMC/kbgvGkHoS9KVI5dBGJhGuAf98tzOBO/UO39X0TjTzcay0AQ27/r8+QeIimviaZO41/GQOjoMzzSDHGxWEf2Nf/40nrM5Vcqj3I6hvRFE4u2m6jxCMqCqsIuy9avW8EuZyC6zJMoHSe/lUnYrx4tSUf3VhN85o6QSSJqfIFUN0jPQwNFpsz3X+A=,iv:X6xSygAtem7ekQruSZirdW/LKwf0kw+/Iq35wAcNyyQ=,tag:gRuPBxM5VeoJHimC6sbSow==,type:str]
+attic_netrc: ENC[AES256_GCM,data:fdVz6YSl9ZJr0AZopowCzB9q+PWn2RYcP+vGMTUW1Irchmag7+ETwyMZUJfYHKgYdROzK6TI9xCY2aKkpMqaRc/yP8PsniLIA2t4cOxoJksyE1PZOMAUGJKfgdgGwTzRckqLnxkSK5AunHCYpPrQjHtALHOBYuIIyS/zzMGFmCcl3dJs7eSrWMpMP+HDI2A/mtsRMXMcGXGnYOoNhfwtwWcnEIcAGY2BCjKWWk6XKaRXSex+Jp8f+eAhlXE0Yon8IA8E42w+B2o+Bhzektlru6h0AVjcf+WgrvaVRPiDlkNK+NBdy+iOI1DFFmcKdXX9eKrHsD1wnDav5QuXE78q0NiwTrm6LyHINbjcmzwAAUkgOyvb9+cLZiZf9vI3ZekcofLjTe3Hwn/fj1luIOmuE6pThFZLyGxWXZ1shPrurGwISSLYLI5dq8ZIUzCcXdGcCxs1QokFhpNjpE6fdABakB62pFZfYwG9Ulqv4jX5Jj9a2ZX41xXrziCUuKusxxdjQgSo8lEPvpLoZljyB6v1UPIcVw6/r1Nwrmyx8P9RwTcv7DYU3vKQw3h/UjzOfP+iCoS2+m6N0ebIjW77MeksBVDtociN93uxKrg6G3oCcv48tc6CRG9zK5uoKOgn4Eym+hFAcFZXuBOorEGNLhAEEoZroubmqnlDm1bq2eNWv5t+8zzm2FStHonI0vLWfT3WDLNRIUiHeYH7+SEdXH8OxC8RbzuIEk0kb2gNKMiYPer0nvt8SsQ762/N15rJ29F9HccTfNIhz9210XBICB0OL0AIobF3gXzmWmIA6Q6JWETa0g72IC6HMqbDCf5U55lx5y56qCNFXz2HddIaIqYX0YWxV2mlKVP+gjZcsD1W8Emc2bWoZml/P+uaRWkzFMSFqfmwZhvCKEqZlrUY9mshOvBfcZCQaZrbarLbdhdpTikO70jMuQiFzOoFO2sC2afSu3GtGYVRmdYMcBzZcbWehx0K2jMOtqsG5STBoCvP9jUjMhPUV5eF48uiLjOYRPCclTLiIb7gJ7xorbyWr5FTrkUMK1w4t4sX7RAE7DwwLDsY4xY226TUjEf34H1kDGtXCFqlMJXA80C2qwks6PkiLQ1sToCvXpLTmO+PEVdJahA7zV4JG5E9C3C89ZwzS1p7Th3I31jnZofeU8xaJZqkg/kR5q9ButgYubkV4TTRzwkmcqOuoa48E6upMBMkP265i4wZzt+iTfAgvXvT5MEO0Ak=,iv:K5ysCVEvCa0199iu22gANPjq4CRWlYPKq+8jlM5t9e4=,tag:U17SdmXGL+5NbJ4g9MZZEw==,type:str]
 sops:
     age:
         - recipient: age14grjcxaq4h55yfnjxvnqhtswxhj9sfdcvyas4lwvpa8py27pjy2sv3g6v7
@@ -28,7 +29,7 @@ sops:
             UzVENGtNSnZVcDQvR1hDR2oyZDh5KzAKhg+AQNdiJM/RvCdMNLH5er25U+yvcnM2
             4Z0rOkkYsT6TerZHLllbm5AAyOLnKUn4PhZFMvKvGhVbc1Xg9t2XDg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-10-14T20:22:06Z"
-    mac: ENC[AES256_GCM,data:dt+rZ7GTlooTFhQOxRQvVpqKJksEJC5I5vsjSQ6GWPsi4EewGl2NY2gyjF6bVjYj6DHWuw/Kp79KGzJajmlYtQFdL54ydjaJUz4oMhoKO3xR4TxshW9XYEfOWavlMVqHHZQ6mPR1pyWQkonzwyni9ug8XmOJ0cN2OmZmKwdWzZQ=,iv:6AJocLlXZcNGG3nuXLc+ycfm6OA/oZOUFqFw4OoBetU=,tag:Qpa1RKS1/nqbDiAL5Jrb7w==,type:str]
+    lastmodified: "2025-10-14T21:33:39Z"
+    mac: ENC[AES256_GCM,data:uKJe6/T0TGNm466dsF6DVdhCDjhCswGKAmyx/3xcIcce2VmVEOKk/zEpO9KmD5aydHfH/3s88huImIRRCGp6xFwDReRC4zx7kLI8mtjupix984/61aXy2TbOiN80mIVShMleQs09ESU2y0YtvqT771uNgaNa8bGBPQaAqpz0v68=,iv:9hBPQ7Ad8li0bu6Sy+CFGh/SUXo15hL/X3TQaS5B8ZE=,tag:XEK7DPZaNzNNTFA3oPAGBw==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.11.0