diff --git a/home/by-host/endurance/config/aws.nix b/home/by-host/endurance/config/aws.nix
new file mode 100644
index 0000000..653b3ff
--- /dev/null
+++ b/home/by-host/endurance/config/aws.nix
@@ -0,0 +1,32 @@
+{ pkgs, config, lib, ... }: {
+ home.packages = [ pkgs.awscli2 ];
+
+ # Derive AWS credentials from the existing nix-cache S3 secret — same
+ # credentials, different format. No duplication, no Nomad API access needed.
+ age.generators.aws-credentials = { decrypt, deps, ... }: ''
+ KEY=$(${decrypt} ${lib.escapeShellArg deps.nix-cache-s3-env.file} \
+ | grep AWS_ACCESS_KEY_ID | cut -d= -f2-)
+ SECRET=$(${decrypt} ${lib.escapeShellArg deps.nix-cache-s3-env.file} \
+ | grep AWS_SECRET_ACCESS_KEY | cut -d= -f2-)
+ printf '[t4]\naws_access_key_id = %s\naws_secret_access_key = %s\n' \
+ "$KEY" "$SECRET"
+ '';
+
+ bosun.secrets.aws-credentials = {
+ rekeyFile = "aws-credentials.age";
+ path = "${config.home.homeDirectory}/.aws/credentials";
+ mode = "0600";
+ generator = {
+ script = "aws-credentials";
+ dependencies = {
+ inherit (config.age.secrets) nix-cache-s3-env;
+ };
+ };
+ };
+
+ home.file.".aws/config".text = ''
+ [profile t4]
+ endpoint_url = https://s3.toph.so
+ region = us-east-1
+ '';
+}
diff --git a/hosts/endurance/default.nix b/hosts/endurance/default.nix
index f76bd9e..79d649e 100644
--- a/hosts/endurance/default.nix
+++ b/hosts/endurance/default.nix
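Review bot: The generator's `KEY=`/`SECRET=` lines never verify that grep matched, so a renamed variable or a changed line format in the nix-cache-s3 env file yields a credentials file with empty values that is still written with mode 0600 and only fails later inside awscli; add `[ -n "$KEY" ] && [ -n "$SECRET" ] || { echo 'aws-credentials: AWS_* keys not found in nix-cache-s3-env' >&2; exit 1; }` before the printf, assuming a non-zero exit aborts the generator. Anchoring the patterns (`grep '^AWS_ACCESS_KEY_ID='`) avoids picking up a commented-out or `export`-prefixed line, and decrypting the file once into a variable instead of twice keeps the plaintext handling to a single pipeline. If the env file quotes its values, the quotes are carried into `~/.aws/credentials` verbatim — worth confirming against the secret's actual format.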
@@ -20,6 +20,25 @@ #quirks = ["avahi" "docker" "nix-ld"];
key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPjqieS4GkYAa1WRYZpxjgYsj7VGZ9U+rTFCkX8M0umD";
+
+ secrets = {
+ nix-cache-privkey = "nix-cache-privkey.age";
+ nix-cache-s3-env = "nix-cache-s3.env.age";
+ };
+ };
+
+ # Sign builds and push to the S3 binary cache at s3.toph.so/nix-cache.
+ nix.settings = {
+ secret-key-files = [config.age.secrets.nix-cache-privkey.path];
+ post-build-hook = toString (pkgs.writeScript "nix-cache-upload" ''
+ #!/bin/sh
+ set -uf
+ . ${config.age.secrets.nix-cache-s3-env.path}
+ ${config.nix.package}/bin/nix copy \
+ --to "s3://nix-cache?endpoint=https://s3.toph.so®ion=us-east-1" \
+ $OUT_PATHS \
+ >> /tmp/nix-cache-upload.log 2>&1 &
+ '');
};
networking = {
diff --git a/modules/generic/nix.nix b/modules/generic/nix.nix
index af43f90..bf6bf3c 100644
--- a/modules/generic/nix.nix
+++ b/modules/generic/nix.nix
@@ -30,7 +30,15 @@ keep-outputs = true;
trusted-users = ["root" "@wheel"];
- substituters = ["https://cache.nixos.org/"];
+ substituters = [
+ "https://cache.nixos.org/"
+ "https://s3.toph.so/nix-cache"
+ ];
+ trusted-public-keys = [
+ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
+ "cache.toph.so:sre7NaMFLUyRGuHY5MoC4Il4wD9lC53Ct0D1A/lwb+A="
+ "cache.toph.so-ci:e5n27lZmhhdQvYClj9PZUFJIYwiBfC7eJkEXe8h4PKU="
+ ];
};
};
diff --git a/modules/home/common/terminal/shell/fish.nix b/modules/home/common/terminal/shell/fish.nix
index c542177..186427e 100644
--- a/modules/home/common/terminal/shell/fish.nix
+++ b/modules/home/common/terminal/shell/fish.nix
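Review bot: The post-build hook appends to the fixed path `/tmp/nix-cache-upload.log` in a world-writable directory, and post-build hooks run as the Nix daemon (presumably root on this NixOS host), so a pre-placed file or symlink at that predictable name would be followed by a root process; log under a root-owned location instead, e.g. `>> /var/log/nix-cache-upload.log 2>&1 &`, or drop the redirect and let the daemon journal capture the output. Because the `nix copy` is backgrounded with `&`, an upload failure is never reported back to the build, so that log is the only failure signal and needs rotation. The `®ion` in the `--to` URL looks like an HTML rendering of `&region`; if the file literally contains `®ion`, Nix receives a malformed query string and the region parameter is silently lost. The `secrets = { … }; };` lines close an attribute set that begins before the hunk.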
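Review bot: `trusted-public-keys` now trusts `cache.toph.so-ci` on every host that imports this module, while the same commit adds `new-secret-ci.key` as an unencrypted binary at the repository root rather than as an `.age` file under `secrets/`; if that file is the private half of the `-ci` key, anyone with read access to the repository can sign store paths that every host will accept. Move it into the age-managed secrets (or rotate the pair and replace the public key here) before merging, and add a `.gitignore` rule so a plaintext key cannot be committed again. A short comment above the list naming the signer behind each entry, e.g. `# cache.toph.so-ci: CI signer for s3.toph.so/nix-cache`, would make the trust set auditable later.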
@@ -20,11 +20,13 @@ in {
'';
functions = {
- nomad-ui = {
- description = "Fetches the Nomad management token from alvin and opens the authenticated UI";
+ nomad-auth = {
+ description = "Fetches the Nomad management token from alvin. Pass --ui to also open the authenticated UI.";
body = ''
set -gx NOMAD_TOKEN (ssh root@alvin cat /var/lib/nomad-acl/management.token)
- nomad ui -authenticate
+ if contains -- --ui $argv
+ nomad ui -authenticate
+ end
'';
};
agx = {
diff --git a/new-secret-ci.key b/new-secret-ci.key
new file mode 100644
index 0000000..fffffa2
Binary files /dev/null and b/new-secret-ci.key differ
diff --git a/secrets/aws-credentials.age b/secrets/aws-credentials.age
new file mode 100644
index 0000000..aafd581
--- /dev/null
+++ b/secrets/aws-credentials.age
@@ -0,0 +1,11 @@ +age-encryption.org/v1 +-> X25519 j9CFK6quTBAviKfxt7nk/sdsTR/5swqEfqLgo7gjmTw +BSrgJCxZY1nIOtjkzAdx60POzJ98IF5ryF1SLXKMgZk +-> piv-p256 Kmn3OQ AwqKwTZh40d7YdbU3mMJFhKz75X/NKfXdBCzpKWf75uo +FIuAwxkVMN12HoV7SN7iq1fOhqakL4Lbz5Wp/PabTO4 +-> F=1e<+J-grease pk rVDW+r/ Zme4 +y52QMNBhnOd9wwF4NauKUGkRCt99O7L+cqGD6od03cDf79bfsCxc0jyY7wW+fe9R +TgFDwzdeRl4LQCL/3uH4bj+j +--- zuMUxvMUyLES8iVG6tbdW/oU0bAaTDlRJwN7x+k6kTw +_5ZB~i%B3R՛r꘏W<|AS=׳*I~ئy$Y`p|Fz?nR 4h7y# /rVy|ҢB+~Bf;|Wu$YE=IU' + \ No newline at end of file
diff --git a/secrets/nix-cache-privkey.age b/secrets/nix-cache-privkey.age
new file mode 100644
index 0000000..5b663c3
Binary files /dev/null and b/secrets/nix-cache-privkey.age differ
diff --git a/secrets/nix-cache-s3.env.age b/secrets/nix-cache-s3.env.age
new file mode 100644
index 0000000..3c32295
--- /dev/null
+++ b/secrets/nix-cache-s3.env.age
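Review bot: `nomad-auth` still exports whatever the `ssh root@alvin cat …` substitution produced, so when the ssh fails `NOMAD_TOKEN` becomes an empty string and, with `--ui`, `nomad ui -authenticate` opens with no token; fish passes a failed command substitution's status through `set`, so `set -gx NOMAD_TOKEN (ssh root@alvin cat /var/lib/nomad-acl/management.token); or return` would stop before the new `if contains` block. The rename from `nomad-ui` to `nomad-auth` drops the old name without an alias, which existing shells and notes may still call. The enclosing `functions = { … }` attribute set continues past the hunk.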
@@ -0,0 +1,11 @@ +age-encryption.org/v1 +-> X25519 pxQqMT3kixRevDw5AOugW61Stxpa54NPwdaMDf5ywBc +emM75EuTf5bL1eueeWsmFfbEZDT5+27VzBOQgCfGzlw +-> piv-p256 Kmn3OQ A92Zkli15jy0zZZiW+VYVi5apkhwXi5gZdGsfz4Nzrai +wP2maNvDOmxxA6PMcj930SJLFnExpQHYOqWVXvh2g3o +-> ,*$Gmjb-grease `Ob>AA UG\`RJP S @-2 ++HbUwSV+W2xrg8coxxpvSQ+VfPGWfqr0HjtDmX3wCmCO0jpjqKqRCDEAsTj5oTKL +MUOwTg +--- Ib2BGSJRp6WTD55zNN072D+RFxRegKZhjXa48sKg3+Q +L~\FQ$€F +iEEخMi[x/zsgl8 6ti]0o6%c/+%Թ~HpP%[uQ;ш_[p_}w \ No newline at end of file diff --git a/secrets/rekeyed/endurance/50db29637a0b7d73f036321af22c8a9c-nix-cache-s3-env.age b/secrets/rekeyed/endurance/50db29637a0b7d73f036321af22c8a9c-nix-cache-s3-env.age new file mode 100644 index 0000000..5beee02 Binary files /dev/null and b/secrets/rekeyed/endurance/50db29637a0b7d73f036321af22c8a9c-nix-cache-s3-env.age differ diff --git a/secrets/rekeyed/endurance/b26d17749592ba1595d566934c2ea6ba-nix-cache-privkey.age b/secrets/rekeyed/endurance/b26d17749592ba1595d566934c2ea6ba-nix-cache-privkey.age new file mode 100644 index 0000000..de73162 Binary files /dev/null and b/secrets/rekeyed/endurance/b26d17749592ba1595d566934c2ea6ba-nix-cache-privkey.age differ diff --git a/secrets/rekeyed/toph.endurance/0948f172d4f8ec095d92d6d65af01f5e-aws-credentials.age b/secrets/rekeyed/toph.endurance/0948f172d4f8ec095d92d6d65af01f5e-aws-credentials.age new file mode 100644 index 0000000..6255616 --- /dev/null +++ b/secrets/rekeyed/toph.endurance/0948f172d4f8ec095d92d6d65af01f5e-aws-credentials.age @@ -0,0 +1,8 @@ +age-encryption.org/v1 +-> ssh-ed25519 Sih9FA DiICdXQXdFzjmLaO3TbZmurGr7rRlOyeyT4B6Q2hbgw +AMltu9LuCxoev0zm5Ihoa0aSYVvs7SAD04NIF4gyMxw +-> K0!Lf-grease AnUy +q4vQ1RJdAeh03A +--- g4sTWmo/FkvfmPBcfalOQE3FUapLvqYKLEfqDUvt2Yw +*UA=w1&*dUΐs>a4shig}K }8dpVbBTxʐȌ0sdQUR+ +nF?ڠP'iX)UsqE~i=|P.2 \ No newline at end of file