diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..f84e468
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1 @@
+files/attic.tar.xz filter=lfs diff=lfs merge=lfs -text
diff --git a/files/attic.tar.xz b/files/attic.tar.xz
new file mode 100644
index 0000000..052ce62
Binary files /dev/null and b/files/attic.tar.xz differ
diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml
index b97e018..a925ea2 100644
--- a/group_vars/all/vars.yml
+++ b/group_vars/all/vars.yml
@@ -15,3 +15,10 @@ woodpecker_host: "{{ vault_woodpecker_host }}"
 woodpecker_agent_secret: "{{ vault_woodpecker_agent_secret }}"
 woodpecker_client_id: "{{ vault_woodpecker_client_id }}"
 woodpecker_client_secret: "{{ vault_woodpecker_client_secret }}"
+
+# Attic
+attic_token: "{{ vault_attic_token }}"
+s3_bucket: "prymn-cache"
+s3_endpoint: "https://75178f9eca227dea51b3db4db2c15a5a.r2.cloudflarestorage.com"
+s3_access_key_id: "{{ vault_s3_access_key_id }}"
+s3_secret_access_key: "{{ vault_s3_secret_access_key }}"
diff --git a/group_vars/all/vault.yml b/group_vars/all/vault.yml
index 4d9a511..f0314ec 100644
--- a/group_vars/all/vault.yml
+++ b/group_vars/all/vault.yml
@@ -1,25 +1,45 @@
 $ANSIBLE_VAULT;1.1;AES256
-65383031316433643562663739616639343335663234666236633361633537633331373764376162
-6562326338313831313463313431613462323833343837390a656664353131353562623637666266
-31373932396161333563663562336435353537333532373663366463393035353739656166656164
-3630616566626563320a623263613263636162623033643637656431396330663531366133613565
-64663462376332316262383762343639333632353939393030383930333065346463363365366165
-61333835613663633433343335323134316463646331306463633537626635336134326537376632
-62333338666364303131666131386437326534613038386530646262613338303162633134663131
-30633861373063623737633766333930313230663666363263386432386331373665343162666638
-33646264323663396462376639613864613936613962656264386133633330396132333166336464
-36303262313163313266353537333861306631376335343561306439356633376439396133366566
-62383336353665633263643331613033633932383461343934633466353463303430396337383165
-38666230376563653763626566616431396232393062383133363737356637326361663166636334
-65316466323032333930386439373935616430343836323632626266376239613339646433363064
-65313562393236323239373832306164366662353736643638366239343733306263316565333036
-64313633303533333937613933353262326139303662353339353661336162373032366666623664
-30353064633232393965613835313939663233646336663164323236303439316239643431303366
-37633432343864373463356465326230363661666432323065343765643362306637306262353835
-37323933313030663234386131613333373730303537663839616663356263666163633437643830
-39363265346532663230626238333563323337363262613834303735393231656334666333346239
-32616134323636643331373735643365313536626662303731373136346466613731623266636438
-66336137376436393239303234613764316361653730313463363135363236313339656361373334
-65303036303533396261333764633061313463623063383239333165663939343033306263653364
-64633961373131393139633363366230613336663732613132316134656635366163666264383263
-61306361303466396636
+39336333366236356239623062636364663831633864353733343532393165303336366365383237
+3763316534363437643533313137353765393137356365350a323538353163303536366636363136
+63393261336165396139313731643466373434363661393536633132636637383639396131383063
+3339383836386339370a306636323139323766616563623336643163323836353230346531323563
+63336339306632336234646435613031626438653562643137383938386630343261623637633462
+36316438356239333031656639366333613731633836613961366639326135336534626233303435
+36366233616262306632346434666339376665326337663539663533353735646134653164376238
+65356261646638326465633165393535353434613833363235346132363230623837343432613539
+61646135663131396261376333373236643535333838663833353265326262336632616335643266
+65306435303164633937313932373261613733366561343636326530366338633931383435623739
+33353339653165616637616563343930613564303134353333636561613935326232366532356638
+39393566343032336535363033656630316361346332636538393530346537306238633135313762
+31636336646638363937373133396630666562326330636339663265353833353636633561626561
+34336331326433643636386439666234663936343633323935323232653534643962616336643438
+66656331363038303838356337376439303430656333623834393236366238353536656363623830
+39643963666464646436663065626533343261303536353464343464326238373839346161343733
+66333762343535376331343931663833363831633934623537643535646661633232393333373430
+66336136613964373931383936343730613665373231393765316264363163353338313134623939
+62393165386130316461653637666662313163313132633663363336396232316466383938643265
+39656636633561653333383762313362333032633665633836323637616133626662633934343430
+35623632656234333262366131633534653364623835656238373464313963663238313831633163
+37613166313336346365323466346666366433303934343635323938663431363130373231626233
+65323738663565653063623863393135666363306337653634623866626536656134613763376634
+30663136643537376235663736313765323864633137373131326165653336663066623931626264
+38666539356130303036653933373965343537303032333039646530363734623031356565633764
+34623236343365363761613435393961343436343632633632323338333530303735633037326563
+37393231303064653239653062356238376463333139326261343765353136396334316537656566
+39386433636538663230346439303961396463353937383237363536376562336664646665663362
+64653164373166323165656264616666353633333435336432616466303539636362663835643762
+63386336343334663834336536336134363830383962633738623831663436383265663031656362
+33356365393035333136653662646535333963663333653535353532636639313264666265323532
+31656530313464376165666338613633336364613131356539386239373161643134386634396462
+63306264313262643735393031393936303832363261633561343534396438613630373163383365
+35633639623931383431386232366562616236363737363936646335383161623634623331316637
+36656438393736366566323938366338646166353161666237653835306232313465626337613336
+30363564336231613034653839326638623262353236663431336131336633633134363165636534
+63616532613530663762663263633737323937353636366338616137643237623339396366333535
+33613065363563366639643236663538313263336535663437653234653635646633636365363439
+62373135363162633666336138616637353836393664323264653365306431333835363130343933
+62356563623731323936613635623463633436333835626633343866333835643337666132356464
+62303638386332666162386435346166666236313932613635303139356565393464623131633833
+37343632393332623037323237623839633962653735383732343232346238396566323663356263
+35393561636566623234346631356236316434633135353361366437653539623833643664336339
+39393765643930636261
diff --git a/install_attic.yml b/install_attic.yml
new file mode 100644
index 0000000..00be1f0
--- /dev/null
+++ b/install_attic.yml
@@ -0,0 +1,39 @@
+---
+- name: Install attic
+  hosts: ulna
+
+  tasks:
+  - name: Unarchive
+    ansible.builtin.unarchive:
+      src: attic.tar.xz
+      dest: /usr/local
+    become: true
+
+  - name: Install service file
+    ansible.builtin.template:
+      src: templates/attic/attic.service.j2
+      dest: /etc/systemd/system/attic.service
+    become: true
+
+  - name: Install config file
+    ansible.builtin.template:
+      src: templates/attic/attic-server.toml.j2
+      dest: /etc/attic-server.toml
+    become: true
+
+  - name: Create share directory
+    ansible.builtin.file:
+      path: /usr/local/share/attic
+      mode: "0700"
+      owner: root
+      group: root
+      state: directory
+    become: true
+
+  - name: Restart systemd
+    ansible.builtin.systemd:
+      state: restarted
+      name: attic
+      enabled: true
+      daemon_reload: true
+    become: true
diff --git a/templates/attic/attic-server.toml.j2 b/templates/attic/attic-server.toml.j2
new file mode 100644
index 0000000..c661866
--- /dev/null
+++ b/templates/attic/attic-server.toml.j2
@@ -0,0 +1,136 @@
+# Socket address to listen on
+listen = "[::]:8080"
+
+# Allowed `Host` headers
+#
+# This _must_ be configured for production use. If unconfigured or the
+# list is empty, all `Host` headers are allowed.
+allowed-hosts = []
+
+# The canonical API endpoint of this server
+#
+# This is the endpoint exposed to clients in `cache-config` responses.
+#
+# This _must_ be configured for production use. If not configured, the
+# API endpoint is synthesized from the client's `Host` header which may
+# be insecure.
+#
+# The API endpoint _must_ end with a slash (e.g., `https://domain.tld/attic/`
+# not `https://domain.tld/attic`).
+#api-endpoint = "https://your.domain.tld/"
+
+# Whether to soft-delete caches
+#
+# If this is enabled, caches are soft-deleted instead of actually
+# removed from the database. Note that soft-deleted caches cannot
+# have their names reused as long as the original database records
+# are there.
+#soft-delete-caches = false
+
+# Whether to require fully uploading a NAR if it exists in the global cache.
+#
+# If set to false, simply knowing the NAR hash is enough for
+# an uploader to gain access to an existing NAR in the global
+# cache.
+#require-proof-of-possession = true
+
+# JWT signing token
+#
+# Set this to the Base64 encoding of some random data.
+# You can also set it via the `ATTIC_SERVER_TOKEN_HS256_SECRET_BASE64` environment
+# variable.
+token-hs256-secret-base64 = "{{ attic_token }}"
+
+# Database connection
+[database]
+# Connection URL
+#
+# For production use it's recommended to use PostgreSQL.
+url = "sqlite:///usr/local/share/attic/server.db"
+
+# Whether to enable sending on periodic heartbeat queries
+#
+# If enabled, a heartbeat query will be sent every minute
+#heartbeat = false
+
+# File storage configuration
+[storage]
+# Storage type
+#
+# Can be "local" or "s3".
+type = "s3"
+
+# ## Local storage
+
+# The directory to store all files under
+# path = "/home/nikos/.local/share/attic/storage"
+
+# ## S3 Storage (set type to "s3" and uncomment below)
+
+# The AWS region
+region = "auto"
+
+# The name of the bucket
+bucket = "{{ s3_bucket }}"
+
+# Custom S3 endpoint
+#
+# Set this if you are using an S3-compatible object storage (e.g., Minio).
+endpoint = "{{ s3_endpoint }}"
+
+# Credentials
+#
+# If unset, the credentials are read from the `AWS_ACCESS_KEY_ID` and
+# `AWS_SECRET_ACCESS_KEY` environment variables.
+[storage.credentials]
+access_key_id = "{{ s3_access_key_id }}"
+secret_access_key = "{{ s3_secret_access_key }}"
+ 
+# Data chunking
+#
+# Warning: If you change any of the values here, it will be
+# difficult to reuse existing chunks for newly-uploaded NARs
+# since the cutpoints will be different. As a result, the
+# deduplication ratio will suffer for a while after the change.
+[chunking]
+# The minimum NAR size to trigger chunking
+#
+# If 0, chunking is disabled entirely for newly-uploaded NARs.
+# If 1, all NARs are chunked.
+nar-size-threshold = 65536 # chunk files that are 64 KiB or larger
+
+# The preferred minimum size of a chunk, in bytes
+min-size = 16384            # 16 KiB
+
+# The preferred average size of a chunk, in bytes
+avg-size = 65536            # 64 KiB
+
+# The preferred maximum size of a chunk, in bytes
+max-size = 262144           # 256 KiB
+
+# Compression
+[compression]
+# Compression type
+#
+# Can be "none", "brotli", "zstd", or "xz"
+type = "zstd"
+
+# Compression level
+#level = 8
+
+# Garbage collection
+[garbage-collection]
+# The frequency to run garbage collection at
+#
+# By default it's 12 hours. You can use natural language
+# to specify the interval, like "1 day".
+#
+# If zero, automatic garbage collection is disabled, but
+# it can still be run manually with `atticd --mode garbage-collector-once`.
+interval = "12 hours"
+
+# Default retention period
+#
+# Zero (default) means time-based garbage-collection is
+# disabled by default. You can enable it on a per-cache basis.
+#default-retention-period = "6 months"
diff --git a/templates/attic/attic.service.j2 b/templates/attic/attic.service.j2
new file mode 100644
index 0000000..341e633
--- /dev/null
+++ b/templates/attic/attic.service.j2
@@ -0,0 +1,10 @@
+[Unit]
+Description=Attic Daemon
+
+[Service]
+Type=simple
+ExecStart=/usr/local/bin/atticd -f /etc/attic-server.toml
+Restart=always
+
+[Install]
+WantedBy=multi-user.target