
`Error: Unauthorized: Unauthorized.` for a newly created token

Open misuzu opened this issue 2 years ago • 14 comments

What am I doing wrong?

{ config, pkgs, ... }:
{
  age.secrets."attic.env".file = ./attic.env.age;

  environment.systemPackages = with pkgs; [
    attic
  ];

  services.atticd = {
    enable = true;
    package = pkgs.attic;
    credentialsFile = config.age.secrets."attic.env".path;
    settings = {
      listen = "[::]:8080";
      chunking = {
        # The minimum NAR size to trigger chunking
        #
        # If 0, chunking is disabled entirely for newly-uploaded NARs.
        # If 1, all NARs are chunked.
        nar-size-threshold = 64 * 1024; # 64 KiB

        # The preferred minimum size of a chunk, in bytes
        min-size = 16 * 1024; # 16 KiB

        # The preferred average size of a chunk, in bytes
        avg-size = 64 * 1024; # 64 KiB

        # The preferred maximum size of a chunk, in bytes
        max-size = 256 * 1024; # 256 KiB
      };
      storage = {
        type = "local";
        path = "/var/lib/attic";
      };
    };
  };

  systemd.services.atticd.serviceConfig.ReadWritePaths = "/var/lib/attic";
}
% systemctl cat atticd.service
# /etc/systemd/system/atticd.service
[Unit]
After=network.target

[Service]
Environment="LOCALE_ARCHIVE=/nix/store/pdkclbn8qd1faqkf08k9k9g8f0y0cxgn-glibc-locales-2.37-8/lib/locale/locale-archive"
Environment="PATH=/nix/store/apn3p2b40xvirn7w740wv2gy330ppib5-coreutils-9.3/bin:/nix/store/xvhh3dzdqfaz78nhya1xildz2r38sy3s-findutils-4.9.0/bin:/nix/store/4hx292xs95frrd1hqwwfc2fpcz0niwgp-gnugrep-3.11/bin:/nix/store/7snlgj0l0ys6lbcl5pyy8vwnmk26wh8x-gnused-4.9/bin:/nix/store/rjz12jr6wa46vcaj7v2nsi2x17jibipm-systemd-253>
Environment="TZDIR=/nix/store/lvf61q95f827z8dzwnnchdbr0dlpbv8n-tzdata-2023c/share/zoneinfo"



DynamicUser=true
EnvironmentFile=/run/agenix/attic.env
ExecStart=/nix/store/kyhqs4yy1n5458vp46p13a5rxr1zmnsn-attic-0.1.0/bin/atticd -f /nix/store/nbdn05z120qv64dcx7c3a6kbqg8gz9ns-checked-attic-server.toml
Group=atticd
ProtectHome=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectProc=invisible
ProtectSystem=strict
ReadWritePaths=/var/lib/attic
RestrictAddressFamilies=AF_INET
RestrictAddressFamilies=AF_INET6
RestrictAddressFamilies=AF_UNIX
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
StateDirectory=atticd
User=atticd
% cat /nix/store/nbdn05z120qv64dcx7c3a6kbqg8gz9ns-checked-attic-server.toml
listen = "[::]:8080"
[chunking]
avg-size = 65536
max-size = 262144
min-size = 16384
nar-size-threshold = 65536

[database]
url = "sqlite:///var/lib/atticd/server.db?mode=rwc"

[storage]
path = "/var/lib/attic"
type = "local"
% sudo atticd-atticadm make-token \
    --validity "100y" \
    --sub "hello" \
    --pull "hello" \
    --push "hello" \
    --create-cache "hello" \
    --configure-cache "hello" \
    --configure-cache-retention "hello" \
    --destroy-cache "hello"

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjU1ODY3MTUzMywic3ViIjoiaGVsbG8iLCJodHRwczovL2p3dC5hdHRpYy5ycy92MSI6eyJjYWNoZXMiOnsiaGVsbG8iOnsiciI6MSwidyI6MSwiY2MiOjEsImNyIjoxLCJjcSI6MSwiY2QiOjF9fX19.CwI4XgycQXYqcF_LlAyMgVN2zHDa6A-L-PkmbxdQCMQ
% attic login hello http://127.0.0.1:8080 eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjU1ODY3MTUzMywic3ViIjoiaGVsbG8iLCJodHRwczovL2p3dC5hdHRpYy5ycy92MSI6eyJjYWNoZXMiOnsiaGVsbG8iOnsiciI6MSwidyI6MSwiY2MiOjEsImNyIjoxLCJjcSI6MSwiY2QiOjF9fX19.CwI4XgycQXYqcF_LlAyMgVN2zHDa6A-L-PkmbxdQCMQ
✍️ Configuring server "hello"
% attic cache create hello
Error: Unauthorized: Unauthorized.
% attic cache info hello
Error: Unauthorized: Unauthorized.

misuzu, Oct 21 '23 09:10

I ran into the same issue but generated my token with * at the end

atticd-atticadm make-token \
  --validity "10y" \
  --sub "hello*" \
  --pull "hello*" \
  --push "hello*" \
  --create-cache "hello*" \
  --configure-cache "hello*" \
  --configure-cache-retention "hello*" \
  --destroy-cache "hello*"

I also had to set default-server to the "hello" login, as I had 2 in the config file $HOME/.config/attic/config.toml.

svistoi, Oct 27 '23 02:10

Same here: https://github.com/klarkc/os/blob/3dd316c8dcf3fb6293f8556cdab452fd3bcdca13/setups/cache/default.nix

I was wondering: if we need to create a token, why do we need to set ATTIC_SERVER_TOKEN_HS256_SECRET_BASE64?

klarkc, Dec 20 '23 14:12

I ran into this problem, and the core issue is that the not-valid-after timestamp in the JWT is computed by adding the validity period to the current time since the epoch (1970-01-01) as a 32-bit unsigned integer. This wraps around sometime in 2106, meaning that, as computed for the JWT, 100 years from now is in the past. It doesn't help that any issues with tokens are logged only at the debug level and not reported in any way to the client.

greedy, Feb 08 '24 15:02

I'm not sure that's the only issue. I've just set up a new attic server with this nixos module:

{ config, ... }:

let
  atticd = builtins.fetchGit {
    url = "https://github.com/zhaofengli/attic.git";
    ref = "main";
    shallow = true;
  };
in
{
  imports = [
    "${atticd.outPath}/nixos/atticd.nix"
  ];

  sops.secrets."attic.env" = { };

  services.atticd = {
    enable = true;

    # Replace with absolute path to your credentials file
    credentialsFile = config.sops.secrets."attic.env".path;

    settings = {
      listen = "[::]:9090";

      # Data chunking
      #
      # Warning: If you change any of the values here, it will be
      # difficult to reuse existing chunks for newly-uploaded NARs
      # since the cutpoints will be different. As a result, the
      # deduplication ratio will suffer for a while after the change.
      chunking = {
        # The minimum NAR size to trigger chunking
        #
        # If 0, chunking is disabled entirely for newly-uploaded NARs.
        # If 1, all NARs are chunked.
        nar-size-threshold = 64 * 1024; # 64 KiB

        # The preferred minimum size of a chunk, in bytes
        min-size = 16 * 1024; # 16 KiB

        # The preferred average size of a chunk, in bytes
        avg-size = 64 * 1024; # 64 KiB

        # The preferred maximum size of a chunk, in bytes
        max-size = 256 * 1024; # 256 KiB
      };
    };
  };
}

The atticd service has started successfully and I can generate tokens (although I have to use sudo: sudo atticd-atticadm make-token --sub local --validity '3 months'), but even with the three-month validity I still get Error: Unauthorized: Unauthorized. There are no error logs in journalctl.

tshakah, May 24 '24 11:05

I think you need to give all your grants when creating the token. If you created it with that exact command line it has none.

adamcstephens, May 24 '24 11:05
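Added example, not code from this thread or from the attic project: both causes identified so far (an "exp" that wrapped into the past, as greedy describes, and a token minted with no grants, as adamcstephens points out) are visible in the token itself before it ever reaches the server, because a JWT payload is only base64url-encoded, not encrypted. The Python script below decodes the token from the original report, reproduces the 32-bit wrap, and lists what the server would reject. Assumptions, also marked in the code: the short permission keys are mapped to make-token flags in the order the reporter passed them; cache patterns such as "hello*" are matched with fnmatch as an approximation of attic's own matching; and the issue timestamp 1697878829 together with a 365.25-day year were picked because they reproduce the reported exp exactly, not because the page states them.

```python
import base64
import json
from fnmatch import fnmatchcase

# The token from the original report, split at segment boundaries only so it
# fits on the page. Nothing in it is confidential: a JWT signature protects
# integrity, so anyone holding the token can read every claim.
REPORTED_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJleHAiOjU1ODY3MTUzMywic3ViIjoiaGVsbG8iLCJodHRwczovL2p3dC5hdHRpYy5ycy92MSI6"
    "eyJjYWNoZXMiOnsiaGVsbG8iOnsiciI6MSwidyI6MSwiY2MiOjEsImNyIjoxLCJjcSI6MSwiY2QiOjF9fX19."
    "CwI4XgycQXYqcF_LlAyMgVN2zHDa6A-L-PkmbxdQCMQ"
)

ATTIC_CLAIM = "https://jwt.attic.rs/v1"

# Short keys as they appear in the payload above, mapped to the make-token
# flags the reporter passed, in the same order (assumed mapping).
PERMISSION_FLAGS = {
    "r": "--pull",
    "w": "--push",
    "cc": "--create-cache",
    "cr": "--configure-cache",
    "cq": "--configure-cache-retention",
    "cd": "--destroy-cache",
}


def b64url_decode(part: str) -> bytes:
    # JWT segments drop base64 padding; restore it or urlsafe_b64decode raises.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_payload(token: str) -> dict:
    """Return the claims of a JWT without verifying it (inspection only)."""
    _header, payload, _signature = token.split(".")
    return json.loads(b64url_decode(payload))


def build_token(claims: dict) -> str:
    """Assemble a token with a placeholder signature, purely so that other
    payload shapes seen in this thread can be fed to check_token()."""
    header = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    body = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{body}.not-a-real-signature"


def wrapped_exp(issued_at: int, validity_seconds: int) -> int:
    """Expiry computed the way greedy describes: in 32-bit unsigned
    arithmetic, so anything past 2106-02-07 wraps back toward 1970."""
    return (issued_at + validity_seconds) & 0xFFFFFFFF


def check_token(token: str, cache: str, needed: str, now: int) -> list[str]:
    """Reasons the server would reject `token` for permission `needed` on
    `cache` at time `now`; an empty list means it would pass. Approximates
    the server's order of checks: expiry first, then per-cache grants."""
    claims = decode_payload(token)
    problems = []

    exp = claims.get("exp")
    if exp is not None and exp <= now:
        problems.append(f"exp {exp} is in the past relative to now={now}")

    caches = claims.get(ATTIC_CLAIM, {}).get("caches", {})
    # Cache names in a token may be patterns such as "hello*" (svistoi's token);
    # fnmatch stands in here for attic's own matching (assumption).
    matching = [perms for pattern, perms in caches.items() if fnmatchcase(cache, pattern)]
    if not matching:
        problems.append(f"token grants nothing on cache {cache!r}")
    elif not any(perms.get(needed) for perms in matching):
        flag = PERMISSION_FLAGS.get(needed, needed)
        problems.append(f"token lacks {needed!r} ({flag}) on cache {cache!r}")
    return problems


if __name__ == "__main__":
    # 2023-10-21 09:00:29 UTC, chosen with a 365.25-day year (31557600 s)
    # because the pair reproduces the reported exp exactly (assumption).
    ISSUED_AT = 1697878829
    print(json.dumps(decode_payload(REPORTED_TOKEN), indent=2))
    print("100y, 32-bit:", wrapped_exp(ISSUED_AT, 100 * 31557600))
    print("10y, 32-bit: ", wrapped_exp(ISSUED_AT, 10 * 31557600))
    print("reported token, create cache:", check_token(REPORTED_TOKEN, "hello", "cc", now=ISSUED_AT))
    # tshakah's first attempt: --sub and --validity but no permission flags.
    grantless = build_token({"exp": ISSUED_AT + 90 * 86400, "sub": "local"})
    print("grant-less token, create cache:", check_token(grantless, "hello", "cc", now=ISSUED_AT))
```

Run it against any token that yields Unauthorized before touching the server: a wrapped exp shows up as a 1970s-era timestamp, and a grant-less token has no "https://jwt.attic.rs/v1" claim at all.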

🤦🏽 Thanks, that worked. My initial server output didn't have the JWT:

Attic Server 0.1.0 (release)
Running migrations...
* Migrating NARs to chunks...
* Migrating NAR schema...
Starting API server...
Listening on [::]:9090...

Edit: more information about why that happened here

tshakah, May 24 '24 12:05

May I ask if anyone can give a little TL;DR what you need to do to fix this?

Because I'm a bit confused regarding the

    credentialsFile = config.sops.secrets."attic.env".path;

setting. Do we still need it if we have to create the token manually? Is it somehow possible to create the token declaratively, so that any new systems are instantly able to use my attic instance?

TornaxO7, Aug 31 '24 13:08

You have to create a token on the attic server. The line you quoted from my example is using a pregenerated token with https://github.com/Mic92/sops-nix as a secure way of sharing it.

tshakah, Sep 01 '24 08:09

> You have to create a token on the attic server. The line you quoted from my example is using a pregenerated token with https://github.com/Mic92/sops-nix as a secure way of sharing it.

But what is the correct way to create the token now? Is this still the correct way, or do I have to execute sudo atticd-atticadm make-token ...?

TornaxO7, Sep 01 '24 17:09

Sorry, I misread your original message and was conflating two things. There is the credentials file (which is the HS256 secret generated as per your last message) for the attic server, and then each client that uses the server will need to use a JWT generated with atticd-atticadm make-token.

tshakah, Sep 01 '24 18:09
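Added illustration of the two things tshakah separates, not code from this thread or from attic: the credentials file holds the server's HS256 secret, and every token from atticd-atticadm make-token is an HMAC-SHA256 signature over its claims under that secret, which is why both are needed and why a token stops working as soon as the secret is regenerated. The Python below signs and verifies tokens with the standard JWS HS256 construction. It assumes that atticd decodes ATTIC_SERVER_TOKEN_HS256_SECRET_BASE64 with standard base64 and uses the raw bytes as the HMAC key; it makes no claim that atticd would accept tokens minted by it. The demo secrets are fixed constants so the output is reproducible; real secrets come from new_server_secret() or the documented openssl one-liner.

```python
import base64
import hashlib
import hmac
import json
import os


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def new_server_secret() -> str:
    """Value for ATTIC_SERVER_TOKEN_HS256_SECRET_BASE64: 64 random bytes in
    standard base64, the same shape as `openssl rand 64 | base64 -w0`."""
    return base64.b64encode(os.urandom(64)).decode()


def credentials_file(secret_b64: str) -> str:
    """Plaintext of the file services.atticd.credentialsFile points at, i.e.
    what the agenix/sops secret in the configs above decrypts to."""
    return f"ATTIC_SERVER_TOKEN_HS256_SECRET_BASE64={secret_b64}\n"


def sign_token(claims: dict, secret_b64: str) -> str:
    """HS256 JWS: base64url(header).base64url(claims).base64url(HMAC-SHA256)."""
    header = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    body = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{body}"
    key = base64.b64decode(secret_b64)  # assumption: decoded bytes are the HMAC key
    mac = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(mac)}"


def verify_token(token: str, secret_b64: str) -> bool:
    """True only if the signature matches under this secret. The alg header
    is pinned to HS256 so an "alg": "none" token cannot slip through, and the
    MAC comparison is constant-time so a plain == does not leak timing."""
    signing_input, _, signature = token.rpartition(".")
    header = json.loads(b64url_decode(signing_input.split(".")[0]))
    if header.get("alg") != "HS256":
        return False
    key = base64.b64decode(secret_b64)
    expected = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(b64url_decode(signature), expected)


# Fixed demo secrets (constructed; never use constant secrets in practice).
SECRET_A = base64.b64encode(bytes(range(64))).decode()
SECRET_B = base64.b64encode(bytes(range(64, 128))).decode()

CLAIMS = {
    "exp": 2013454829,  # 2033, comfortably below 2**32 (see greedy's comment)
    "sub": "hello",
    "https://jwt.attic.rs/v1": {"caches": {"hello": {"r": 1, "w": 1, "cc": 1}}},
}


def rotation_demo() -> dict:
    """Mint a token under SECRET_A, then check it as the server would after
    the credentials file is regenerated with SECRET_B, and after tampering."""
    token = sign_token(CLAIMS, SECRET_A)
    header, _body, signature = token.split(".")
    forged_claims = {**CLAIMS, "sub": "attacker"}
    tampered = f"{header}.{b64url_encode(json.dumps(forged_claims, separators=(',', ':')).encode())}.{signature}"
    return {
        "same_secret": verify_token(token, SECRET_A),
        "rotated_secret": verify_token(token, SECRET_B),
        "tampered_claims": verify_token(tampered, SECRET_A),
    }


if __name__ == "__main__":
    print(credentials_file(new_server_secret()), end="")
    print(sign_token(CLAIMS, SECRET_A))
    print(rotation_demo())
```

The "rotated_secret" result is the failure mode vonjackets reports later in the thread: rebuilding the server with a new credentials file silently invalidates every token minted under the old one, and the client only ever sees Unauthorized.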

Oh, so the credentials file contains something else. Good to know. Thank you!

TornaxO7, Sep 01 '24 18:09

Hm... I'm still getting the error message. What could I have done wrong?

TornaxO7, Sep 01 '24 19:09

Would be nice if anyone could help me here :) https://github.com/zhaofengli/attic/issues/166#issue-2499729308

TornaxO7, Sep 01 '24 23:09

@TornaxO7 see my issue #209. Perhaps it may be related. If you are reusing the configuration for subsequent runs, your tokens might not be valid.

vonjackets, Nov 25 '24 04:11