diff --git a/hosts/default.nix b/hosts/default.nix
index 5636017..f86454b 100644
--- a/hosts/default.nix
+++ b/hosts/default.nix
@@ -110,11 +110,13 @@
 "cloudflare-dyndns-api-token" = { };
 "restic-hetzner-password" = { };
 "hass-ssh-key".owner = "hass";
+ "sisko-attic-environment-file".owner = "atticd";
 "autistici-password" = {
 # FIXME terrible, should create a third ad-hoc group
 owner = "grafana";
 group = "forgejo";
 };
+
 };
 };
 };
diff --git a/hosts/sisko/default.nix b/hosts/sisko/default.nix
index ba45c12..969f4e4 100644
--- a/hosts/sisko/default.nix
+++ b/hosts/sisko/default.nix
@@ -30,6 +30,7 @@
 "immich"
 "paperless"
 "syncthing"
+ "atticd"
 ] ++ [
 ./disko.nix
diff --git a/modules/atticd/default.nix b/modules/atticd/default.nix
new file mode 100644
index 0000000..507ba59
--- /dev/null
+++ b/modules/atticd/default.nix
@@ -0,0 +1,52 @@
+{ config, lib, ... }:
+{
+ services.atticd = {
+ enable = true;
+ settings = {
+ listen = "0.0.0.0:8081";
+ allowed-hosts = [ ]; # Allow all hosts
+ # api-endpoint = "https://cache.staging.mlabs.city/";
+ soft-delete-caches = false;
+ require-proof-of-possession = true;
+
+ database.url = "sqlite://${config.services.atticd.settings.storage.path}/server.db?mode=rwc";
+
+ storage = {
+ type = "local";
+ path = "/mnt/hd/atticd";
+ };
+
+ compression = {
+ level = 8;
+ type = "zstd";
+ };
+
+ chunking = {
+ nar-size-threshold = 64 * 1024; # 64 KiB
+ min-size = 16 * 1024; # 16 KiB
+ avg-size = 64 * 1024; # 64 KiB
+ max-size = 256 * 1024; # 256 KiB
+ };
+ };
+ environmentFile = config.age.secrets.sisko-attic-environment-file.path;
+ };
+
+ systemd.services.atticd = {
+ serviceConfig = {
+ DynamicUser = lib.mkForce false;
+ };
+ };
+
+ systemd.tmpfiles.rules = [
+ "d config.services.atticd.settings.storage.path 770 atticd atticd"
+ ];
+
+ users = {
+ groups.atticd = { };
+ users.atticd = {
+ group = "atticd";
+ home = config.services.atticd.settings.storage.path;
+ isSystemUser = true;
+ };
+ };
+}
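Review bot: The second added line of the hosts/default.nix hunk is an empty line inserted just before the closing `};` of the secrets attribute set; it adds no structure and looks accidental, so it should be dropped so the hunk only adds `"sisko-attic-environment-file".owner = "atticd";`. The owner matches the static `atticd` user the new module defines, which is consistent with the `DynamicUser = lib.mkForce false` override there.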
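Review bot: The tmpfiles rule `"d config.services.atticd.settings.storage.path 770 atticd atticd"` in the new modules/atticd/default.nix passes the Nix attribute path as a literal string instead of interpolating it, so systemd-tmpfiles never sees `/mnt/hd/atticd` and is handed a non-absolute path; it should read `"d ${config.services.atticd.settings.storage.path} 770 atticd atticd"`, the same interpolation the `database.url` line already uses. Separately, `listen = "0.0.0.0:8081"` combined with `allowed-hosts = [ ]` exposes the cache API on every interface with no Host-header restriction, so unless the host firewall is known to close port 8081 it would be safer to bind a specific address or populate `allowed-hosts`. The commented-out `api-endpoint` pointing at `cache.staging.mlabs.city` reads as a leftover from another deployment and should either be removed or set to this host's actual endpoint.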
diff --git a/secrets/secrets.nix b/secrets/secrets.nix index e5e95f4..52a3217 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -161,6 +161,11 @@ with keys.users; ccr-gpg sisko ]; + "sisko-attic-environment-file.age".publicKeys = [ + ccr-ssh + ccr-gpg + sisko + ]; # WireGuard "picard-wireguard-private-key.age".publicKeys = [ diff --git a/secrets/sisko-attic-environment-file.age b/secrets/sisko-attic-environment-file.age new file mode 100644 index 0000000..9727463 Binary files /dev/null and b/secrets/sisko-attic-environment-file.age differ