blocksense-network · zah · Jun 22, 2026 · Jun 22, 2026
diff --git a/.github/WORKFLOW_PATTERN.md b/.github/WORKFLOW_PATTERN.md
@@ -13,7 +13,6 @@ steps:
 - uses: ./.github/actions/setup-nix
   with:
     github_token: ${{ secrets.GITHUB_TOKEN }}
-    cachix_auth_token: ${{ secrets.CACHIX_AUTH_TOKEN }}
 ```
 
 ### 2. Set Default Shell for Jobs
@@ -48,8 +47,8 @@ Commands no longer need the `nix develop --command` prefix:
 ## Composite Action
 
 The shared setup action (`.github/actions/setup-nix/action.yml`) handles:
-- Nix installation via cachix/install-nix-action
-- Cachix configuration for caching
+- Nix installation via metacraft-labs/nixos-modules setup-nix action
+- Attic configuration for caching
 
 ## Environment Variables
 

diff --git a/.github/act-env.env b/.github/act-env.env
@@ -13,7 +13,7 @@ MAX_MEMORY=4096
 # Act-specific settings
 ACT=true
 
-# Cachix configuration (missing in act environment)
-CACHIX_CACHE=blocksense
-TRUSTED_PUBLIC_KEYS=
-SUBSTITUTERS=
+# Attic configuration (missing in act environment)
+ATTIC_CACHE=blocksense-public
+TRUSTED_PUBLIC_KEYS=blocksense-public:OOgTc0ye1FONCiVHMrbpScc/HP+lX3uoU0EfwzX6ypE=
+SUBSTITUTERS=https://cache.metacraft-labs.com/blocksense-public
diff --git a/.github/act-secrets.local.env.example b/.github/act-secrets.local.env.example
@@ -8,11 +8,11 @@
 #
 # This script automatically retrieves tokens from your existing CLI tool logins:
 # - GitHub token from: gh auth token
-# - Cachix token from: ~/.config/cachix/cachix.dhall
+# - Attic token from: ATTIC_TOKEN environment variable
 #
 # Prerequisites:
 # 1. Install and login to GitHub CLI: gh auth login
-# 2. Install and configure Cachix: cachix authtoken <your-token>
+# 2. Export an Attic token: export ATTIC_TOKEN=<your-token>
 #
 # Usage:
 #   ./.github/scripts/get-auth-tokens.sh
@@ -25,10 +25,10 @@
 # If you prefer to manually configure tokens, copy this file to
 # .github/act-secrets.local.env and fill in your actual values below:
 
-# Cachix authentication token for blocksense-os cache
-# Get from: https://app.cachix.org/ -> Your cache -> Settings -> Auth Tokens
-# Required for: Downloading from and pushing to Cachix binary cache
-CACHIX_AUTH_TOKEN=your_cachix_auth_token_here
+# Attic authentication token for blocksense-os cache
+# Get from the Metacraft Attic token issuer
+# Required for: Downloading from and pushing to Attic binary cache
+ATTIC_TOKEN=your_attic_token_here
 
 # GitHub personal access token
 # Get from: https://github.com/settings/tokens
@@ -55,6 +55,6 @@ CODECOV_TOKEN=your_codecov_token_here
 # Most workflows will run without the optional secrets, but may have reduced
 # functionality (e.g., no coverage uploads).
 #
-# For the CI workflow, only CACHIX_AUTH_TOKEN and GITHUB_TOKEN are typically needed.
+# For the CI workflow, only ATTIC_TOKEN and GITHUB_TOKEN are typically needed.
 #
 # Keep this file secure and never commit it to version control!
diff --git a/.github/actions/setup-nix/action.yml b/.github/actions/setup-nix/action.yml
@@ -1,21 +1,23 @@
 name: 'Setup Nix Environment'
-description: 'Install Nix and setup Cachix for BlocksenseOS'
+description: 'Install Nix and configure binary caches for BlocksenseOS'
 inputs:
   github_token:
     description: 'GitHub token for Nix installation'
     required: true
-  cachix_auth_token:
-    description: 'Cachix authentication token'
-    required: true
+  substituters:
+    description: 'Additional Nix substituters'
+    required: false
+    default: ''
+  trusted_public_keys:
+    description: 'Additional Nix trusted public keys'
+    required: false
+    default: ''
 runs:
   using: 'composite'
   steps:
-    - uses: cachix/install-nix-action@8887e596b4ee1134dae06b98d573bd674693f47c # v26
-      with:
-        github_access_token: ${{ inputs.github_token }}
-
-    - name: Setup Cachix
-      uses: cachix/cachix-action@18cf96c7c98e048e10a83abd92116114cd8504be # v14
+    - name: Setup Nix
+      uses: metacraft-labs/nixos-modules/.github/setup-nix@main
       with:
-        name: blocksense
-        authToken: ${{ inputs.cachix_auth_token }}
+        trusted-public-keys: ${{ inputs.trusted_public_keys }}
+        substituters: ${{ inputs.substituters }}
+        nix-github-token: ${{ inputs.github_token }}
diff --git a/.github/scripts/get-auth-tokens.sh b/.github/scripts/get-auth-tokens.sh
@@ -45,47 +45,25 @@ get_github_token() {
     fi
 }
 
-# Function to get Cachix token
-get_cachix_token() {
-    print_status "$YELLOW" "Retrieving Cachix token from cachix CLI..."
-
-    # Try different possible config locations
-    local config_paths=(
-        "$HOME/.config/cachix/cachix.dhall"
-        "$HOME/.cachix/cachix.dhall"
-    )
-
-    # Add XDG_CONFIG_HOME path only if the variable is set
-    if [[ -n "${XDG_CONFIG_HOME:-}" ]]; then
-        config_paths+=("$XDG_CONFIG_HOME/cachix/cachix.dhall")
+# Function to get Attic token
+get_attic_token() {
+    print_status "$YELLOW" "Retrieving Attic token from ATTIC_TOKEN..."
+
+    if [[ -n "${ATTIC_TOKEN:-}" ]]; then
+        print_status "$GREEN" "✓ Attic token retrieved successfully"
+        echo "$ATTIC_TOKEN"  # Only the token goes to stdout
+        return 0
     fi
 
-    for config_path in "${config_paths[@]}"; do
-        if [[ -f "$config_path" ]]; then
-            print_status "$YELLOW" "Found Cachix config at: $config_path"
-
-            # Use dhall-to-json and jq to properly parse the Dhall config
-            local token
-            token=$(dhall-to-json <<< "($(<"$config_path")).authToken" 2>/dev/null | jq -r '.' 2>/dev/null)
-
-            if [[ -n "$token" && "$token" != "null" ]]; then
-                print_status "$GREEN" "✓ Cachix token retrieved successfully"
-                echo "$token"  # Only the token goes to stdout
-                return 0
-            fi
-        fi
-    done
-
-    print_status "$RED" "Error: Could not find Cachix authentication token"
-    print_status "$YELLOW" "Please run: cachix authtoken <your-token>"
-    print_status "$YELLOW" "Or login via: cachix use <your-cache-name>"
+    print_status "$RED" "Error: ATTIC_TOKEN is not set"
+    print_status "$YELLOW" "Export an Attic push token before running this script."
     return 1
 }
 
 # Function to create/update act secrets file
 create_act_secrets() {
     local github_token=$1
-    local cachix_token=$2
+    local attic_token=$2
     local secrets_file=".github/act-secrets.local.env"
 
     print_status "$YELLOW" "Creating/updating $secrets_file..."
@@ -98,8 +76,8 @@ create_act_secrets() {
 # REQUIRED FOR WORKFLOW EXECUTION (Auto-retrieved)
 # =============================================================================
 
-# Cachix authentication token for blocksense-os cache (from cachix CLI)
-CACHIX_AUTH_TOKEN=$cachix_token
+# Attic authentication token for blocksense-os cache
+ATTIC_TOKEN=$attic_token
 
 # GitHub personal access token (from gh CLI)
 GITHUB_TOKEN=$github_token
@@ -125,7 +103,7 @@ main() {
 
     cd "$(dirname "$0")/../.." # Go to repo root
 
-    local github_token cachix_token
+    local github_token attic_token
 
     # Get GitHub token
     if github_token=$(get_github_token); then
@@ -135,21 +113,21 @@ main() {
         exit 1
     fi
 
-    # Get Cachix token
-    if cachix_token=$(get_cachix_token); then
-        print_status "$GREEN" "Cachix token: ${cachix_token:0:8}..." # Show only first 8 chars
+    # Get Attic token
+    if attic_token=$(get_attic_token); then
+        print_status "$GREEN" "Attic token: ${attic_token:0:8}..." # Show only first 8 chars
     else
-        print_status "$RED" "Failed to get Cachix token"
+        print_status "$RED" "Failed to get Attic token"
         exit 1
     fi
 
     # Create secrets file
-    create_act_secrets "$github_token" "$cachix_token"
+    create_act_secrets "$github_token" "$attic_token"
 
     print_status "$GREEN" "=== Setup Complete ==="
     print_status "$YELLOW" "You can now run workflows locally with: act"
     print_status "$YELLOW" "The tokens will be automatically loaded from your CLI tool logins"
 }
 
 # Run main function
-main "$@"
+main "$@"
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -57,7 +57,8 @@ jobs:
     - uses: ./.github/actions/setup-nix
       with:
         github_token: ${{ secrets.GITHUB_TOKEN }}
-        cachix_auth_token: ${{ secrets.CACHIX_AUTH_TOKEN }}
+        substituters: ${{ vars.SUBSTITUTERS }}
+        trusted_public_keys: ${{ vars.TRUSTED_PUBLIC_KEYS }}
 
     - name: Run code quality checks
       run: just ci-code-quality
@@ -111,7 +112,8 @@ jobs:
     - uses: ./.github/actions/setup-nix
       with:
         github_token: ${{ secrets.GITHUB_TOKEN }}
-        cachix_auth_token: ${{ secrets.CACHIX_AUTH_TOKEN }}
+        substituters: ${{ vars.SUBSTITUTERS }}
+        trusted_public_keys: ${{ vars.TRUSTED_PUBLIC_KEYS }}
 
     - name: Build ${{ matrix.component }}
       run: nix build .#${{ matrix.component }} -o build/${{ matrix.component }}
@@ -156,7 +158,8 @@ jobs:
     - uses: ./.github/actions/setup-nix
       with:
         github_token: ${{ secrets.GITHUB_TOKEN }}
-        cachix_auth_token: ${{ secrets.CACHIX_AUTH_TOKEN }}
+        substituters: ${{ vars.SUBSTITUTERS }}
+        trusted_public_keys: ${{ vars.TRUSTED_PUBLIC_KEYS }}
 
     - name: Run unit tests for ${{ matrix.project }}
       run: |
@@ -198,7 +201,8 @@ jobs:
     - uses: ./.github/actions/setup-nix
       with:
         github_token: ${{ secrets.GITHUB_TOKEN }}
-        cachix_auth_token: ${{ secrets.CACHIX_AUTH_TOKEN }}
+        substituters: ${{ vars.SUBSTITUTERS }}
+        trusted_public_keys: ${{ vars.TRUSTED_PUBLIC_KEYS }}
 
     - name: Download build artifacts
       uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16
@@ -240,7 +244,8 @@ jobs:
     - uses: ./.github/actions/setup-nix
       with:
         github_token: ${{ secrets.GITHUB_TOKEN }}
-        cachix_auth_token: ${{ secrets.CACHIX_AUTH_TOKEN }}
+        substituters: ${{ vars.SUBSTITUTERS }}
+        trusted_public_keys: ${{ vars.TRUSTED_PUBLIC_KEYS }}
 
     - name: Enable KVM
       run: |
@@ -273,7 +278,8 @@ jobs:
     - uses: ./.github/actions/setup-nix
       with:
         github_token: ${{ secrets.GITHUB_TOKEN }}
-        cachix_auth_token: ${{ secrets.CACHIX_AUTH_TOKEN }}
+        substituters: ${{ vars.SUBSTITUTERS }}
+        trusted_public_keys: ${{ vars.TRUSTED_PUBLIC_KEYS }}
 
     - name: Generate documentation
       run: just generate-docs

diff --git a/.github/workflows/dependency-updates.yml b/.github/workflows/dependency-updates.yml
@@ -25,7 +25,8 @@ jobs:
     - uses: ./.github/actions/setup-nix
       with:
         github_token: ${{ secrets.GITHUB_TOKEN }}
-        cachix_auth_token: ${{ secrets.CACHIX_AUTH_TOKEN }}
+        substituters: ${{ vars.SUBSTITUTERS }}
+        trusted_public_keys: ${{ vars.TRUSTED_PUBLIC_KEYS }}
 
     - name: Check current dependency status
       run: just check-dependency-freshness

diff --git a/.github/workflows/performance.yml b/.github/workflows/performance.yml
@@ -36,7 +36,8 @@ jobs:
     - uses: ./.github/actions/setup-nix
       with:
         github_token: ${{ secrets.GITHUB_TOKEN }}
-        cachix_auth_token: ${{ secrets.CACHIX_AUTH_TOKEN }}
+        substituters: ${{ vars.SUBSTITUTERS }}
+        trusted_public_keys: ${{ vars.TRUSTED_PUBLIC_KEYS }}
 
     - name: Run service startup performance tests
       run: just test-startup-performance
@@ -56,7 +57,8 @@ jobs:
     - uses: ./.github/actions/setup-nix
       with:
         github_token: ${{ secrets.GITHUB_TOKEN }}
-        cachix_auth_token: ${{ secrets.CACHIX_AUTH_TOKEN }}
+        substituters: ${{ vars.SUBSTITUTERS }}
+        trusted_public_keys: ${{ vars.TRUSTED_PUBLIC_KEYS }}
 
     - name: Run load testing
       run: just test-load
@@ -80,7 +82,8 @@ jobs:
     - uses: ./.github/actions/setup-nix
       with:
         github_token: ${{ secrets.GITHUB_TOKEN }}
-        cachix_auth_token: ${{ secrets.CACHIX_AUTH_TOKEN }}
+        substituters: ${{ vars.SUBSTITUTERS }}
+        trusted_public_keys: ${{ vars.TRUSTED_PUBLIC_KEYS }}
 
     - name: Build current version
       run: just build-all

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -79,7 +79,8 @@ jobs:
     - uses: ./.github/actions/setup-nix
       with:
         github_token: ${{ secrets.GITHUB_TOKEN }}
-        cachix_auth_token: ${{ secrets.CACHIX_AUTH_TOKEN }}
+        substituters: ${{ vars.SUBSTITUTERS }}
+        trusted_public_keys: ${{ vars.TRUSTED_PUBLIC_KEYS }}
 
     - name: Build release artifacts
       run: just build-release-artifacts
@@ -122,7 +123,8 @@ jobs:
     - uses: ./.github/actions/setup-nix
       with:
         github_token: ${{ secrets.GITHUB_TOKEN }}
-        cachix_auth_token: ${{ secrets.CACHIX_AUTH_TOKEN }}
+        substituters: ${{ vars.SUBSTITUTERS }}
+        trusted_public_keys: ${{ vars.TRUSTED_PUBLIC_KEYS }}
 
     - name: Generate documentation
       run: just generate-docs
@@ -131,4 +133,6 @@ jobs:
       uses: peaceiris/actions-gh-pages@4a2e02b36f31d8974a0d09d3bb9f3172aa2d0d0d # v3
       with:
         github_token: ${{ secrets.GITHUB_TOKEN }}
+        substituters: ${{ vars.SUBSTITUTERS }}
+        trusted_public_keys: ${{ vars.TRUSTED_PUBLIC_KEYS }}
         publish_dir: ./docs/build
diff --git a/.github/workflows/security-audit.yml b/.github/workflows/security-audit.yml
@@ -34,7 +34,8 @@ jobs:
     - uses: ./.github/actions/setup-nix
       with:
         github_token: ${{ secrets.GITHUB_TOKEN }}
-        cachix_auth_token: ${{ secrets.CACHIX_AUTH_TOKEN }}
+        substituters: ${{ vars.SUBSTITUTERS }}
+        trusted_public_keys: ${{ vars.TRUSTED_PUBLIC_KEYS }}
 
     - name: Run comprehensive security audit
       run: just security-audit
@@ -80,7 +81,8 @@ jobs:
     - uses: ./.github/actions/setup-nix
       with:
         github_token: ${{ secrets.GITHUB_TOKEN }}
-        cachix_auth_token: ${{ secrets.CACHIX_AUTH_TOKEN }}
+        substituters: ${{ vars.SUBSTITUTERS }}
+        trusted_public_keys: ${{ vars.TRUSTED_PUBLIC_KEYS }}
 
     - name: Generate comprehensive SBOM
       run: just generate-sbom