FlakeHub Cache vs Self-Hosted Attic: Evaluation
Executive Summary
Recommendation: Hybrid — FlakeHub for public flake distribution, Attic for internal binary cache. This avoids vendor lock-in for the performance-critical CI cache path while leveraging FlakeHub’s zero-config distribution for external consumers.
Candidates
FlakeHub Cache (Determinate Systems)
Managed binary cache service integrated with FlakeHub flake registry.
| Property | Detail |
|---|---|
| Operator | Determinate Systems |
| Auth | JWT (OIDC from GitHub Actions), magic Nix installer |
| Dedup | Content-addressed, server-side |
| Compliance | SOC 2 Type II |
| Availability | SaaS, multi-region CDN |
| Pricing | Per-org, tiered (free tier available) |
| Setup | Zero-config with DeterminateSystems/nix-installer-action |
Attic (Self-Hosted)
Self-hosted Nix binary cache with chunk-level deduplication.
| Property | Detail |
|---|---|
| Operator | Self (GloriousFlywheel cluster) |
| Auth | Signing keys per machine/runner |
| Dedup | Chunk-level (NAR chunking), more granular than FlakeHub |
| Compliance | Self-managed (data stays in-cluster) |
| Availability | Cluster-local, single region |
| Pricing | Infrastructure cost (compute + storage) |
| Setup | Requires CNPG PostgreSQL + RustFS/S3 + Attic server |
Comparison
Performance
| Metric | FlakeHub Cache | Attic (Self-Hosted) | Winner |
|---|---|---|---|
| Cache read latency (CI) | ~50-200ms (CDN) | ~5-20ms (cluster-local) | Attic |
| Cache write latency (CI) | ~100-500ms (upload) | ~10-50ms (cluster-local) | Attic |
| Cache read latency (dev) | ~50-200ms (CDN) | ~20-100ms (tailnet) | Tie |
| First-build bootstrap | Zero-config | Requires init container + PVC | FlakeHub |
| Deduplication ratio | Good (content-addressed) | Better (chunk-level NAR) | Attic |
For CI runners in the same cluster as Attic, self-hosted wins on latency by 10-20x. This matters for builds with hundreds of store path fetches.
Cost
| Component | FlakeHub Cache | Attic (Self-Hosted) |
|---|---|---|
| Storage | Included in plan | ~$5-15/mo (50Gi Longhorn PVC) |
| Compute | Included in plan | ~$10-20/mo (Attic pod + CNPG) |
| Bandwidth | Included in plan | Free (cluster-internal) |
| Subscription | $29-299/mo (team-enterprise) | $0 |
| Ops burden | None | Moderate (PostgreSQL, backups, upgrades) |
| Monthly total | $29-299 | $15-35 + ops time |
For a small team (<5 devs, <10 runners), FlakeHub is cheaper when ops time is valued at >$50/hr. For larger deployments or teams that already manage Kubernetes, Attic’s infrastructure cost is negligible.
Features
| Feature | FlakeHub Cache | Attic |
|---|---|---|
| GitHub Actions OIDC | Native | Manual (signing key) |
| Garbage collection | Managed | attic gc (manual or cron) |
| Multi-cache support | Per-org isolation | Named caches (e.g. ci, dev) |
| Access control | Org-level | Per-cache, per-key |
| Monitoring | Dashboard (SaaS) | Self-built (Prometheus + Grafana) |
| Backup/DR | Managed | Self-managed (CNPG + S3) |
| Flake registry | Integrated | Separate (FlakeHub for publishing) |
| Offline capability | No (SaaS) | Yes (cluster-local) |
| Data sovereignty | US-hosted | Wherever you deploy |
Risk
| Risk | FlakeHub Cache | Attic |
|---|---|---|
| Vendor lock-in | Medium (proprietary protocol) | None (open source, NAR format) |
| Service outage | Depends on Determinate Systems SLA | Depends on cluster health |
| Data loss | Low (managed backups) | Medium (requires backup config) |
| Price changes | Medium (SaaS pricing can change) | None (self-hosted) |
| Maintenance burden | None | Medium (upgrades, PostgreSQL, storage) |
| Feature stagnation | Low (actively developed) | Medium (smaller community) |
Hybrid Architecture (Recommended)
```text
                External Consumers
                        |
                     FlakeHub
               (public distribution)
                        |
               flakehub-publish.yml
               (push to main / tags)
                        |
         +--------------+--------------+
         |                             |
     CI Runners                   Dev Machines
         |                             |
  Attic (cluster-local)          Attic (via tailnet)
   (fast read/write)        (fast read, occasional write)
         |                             |
  Shared /nix/store PVC          Local /nix/store
     (Longhorn RWX)          (attic use gloriousflywheel)
```
How It Works
- CI builds use Attic exclusively — cluster-local latency, chunk dedup, no egress costs, no SaaS dependency in the critical path.
- FlakeHub publishing happens post-merge via a GitHub Actions workflow (already implemented in .github/workflows/flakehub-publish.yml). It uses OIDC auth, so no long-lived secrets are needed.
- External consumers pull from FlakeHub as a flake input. They never interact with Attic.
- Dev machines use Attic over the tailnet for fast cache reads. They can optionally also use FlakeHub as a flake input for published versions.
Why Not FlakeHub-Only?
- CI runners are in the same cluster as Attic — 5ms vs 200ms latency
- Chunk-level dedup saves storage for incremental Nix builds
- No SaaS dependency in CI critical path (builds work during FlakeHub outage)
- Data sovereignty (build artifacts stay in-cluster)
- Free (no per-org subscription for cache)
Why Not Attic-Only?
- FlakeHub provides semantic versioning and public discovery
- External consumers shouldn’t need Attic access or signing keys
- FlakeHub handles CDN, availability, and global distribution
- flake.lock resolution works natively with FlakeHub URLs
Migration Path
Current state: Attic deployed but not fully operational (#185). FlakeHub publishing automated (#198).
Phase 1: Restore Attic (Issues #185, #167)
- Fix Attic deployment in cluster
- Verify CI runners can push/pull from Attic
- Set up garbage collection cron
- Monitor cache hit rates
Phase 2: Validate Hybrid
- Confirm FlakeHub publishing works end-to-end
- Verify external consumer flow (flakehub.com/f/tinyland-inc/GloriousFlywheel/*)
- Measure CI cache hit rates with Attic
- Compare build times with/without cache
Phase 3: Optimize
- Tune Attic GC retention policy
- Add Prometheus metrics for cache hit/miss rates
- Consider FlakeHub Cache as fallback if Attic is down (optional)
- Document cache strategy in runbook
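As an added example (not part of this evaluation or of the Attic/FlakeHub projects), a small Python parser for `nix build -L` output that computes the cache hit rate Phases 1-3 ask for and flags any store path fetched from outside the cluster-local Attic allowlist, which is how you confirm CI has no SaaS cache in its critical path. The substituter URLs and log lines are constructed placeholders, not the cluster's real endpoints.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# `nix build -L` prints one of these per store path it substitutes or builds.
COPY_RE = re.compile(r"copying path '(?P<path>/nix/store/[^']+)' from '(?P<sub>[^']+)'")
BUILD_RE = re.compile(r"building '(?P<drv>/nix/store/[^']+\.drv)'")


@dataclass
class CacheStats:
    fetched: Counter = field(default_factory=Counter)  # substituter URL -> paths copied
    built: int = 0                                      # derivations built locally

    @property
    def hit_rate(self) -> float:
        # Fraction of derivation outputs served by any substituter.
        hits = sum(self.fetched.values())
        total = hits + self.built
        return hits / total if total else 0.0


def parse_nix_log(lines) -> CacheStats:
    stats = CacheStats()
    for line in lines:
        if m := COPY_RE.search(line):
            stats.fetched[m.group("sub")] += 1
        elif BUILD_RE.search(line):
            stats.built += 1
    return stats


def external_fetches(stats: CacheStats, allowed_prefixes) -> dict:
    """Paths pulled from substituters outside the cluster-local allowlist.
    In the hybrid design CI should only talk to Attic, so a non-empty result
    means the build's critical path silently depends on an external cache."""
    return {sub: n for sub, n in stats.fetched.items()
            if not any(sub.startswith(p) for p in allowed_prefixes)}


# Constructed sample log; the hostnames are placeholders, not real endpoints.
ATTIC_URL = "http://attic.attic.svc.cluster.local/ci"
SAMPLE_LOG = f"""\
copying path '/nix/store/aaaa-glibc-2.39' from '{ATTIC_URL}'...
copying path '/nix/store/bbbb-openssl-3.0' from '{ATTIC_URL}'...
copying path '/nix/store/cccc-source' from 'https://cache.flakehub.com'...
building '/nix/store/dddd-gloriousflywheel.drv'...
building '/nix/store/eeee-docs.drv'...
""".splitlines()
```

Feed a captured runner log to `parse_nix_log` and export `hit_rate` and the `fetched` counter per substituter as the Prometheus metrics Phase 3 calls for; treat any non-empty `external_fetches` result in CI as a regression of the hybrid design.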
Decision Record
| Date | Decision | Rationale |
|---|---|---|
| 2026-04-16 | Adopt hybrid (FlakeHub + Attic) | Best of both: local perf for CI, public distribution for consumers |
| 2026-04-16 | Attic is primary CI cache | Latency, dedup, sovereignty, and zero recurring cost |
| 2026-04-16 | FlakeHub is publication channel | Public discovery, semver, CDN, OIDC auth |
| TBD | Re-evaluate if Attic ops burden exceeds value | Trigger: >4h/month on Attic maintenance |