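# Home-manager module: installs the AWS CLI and provisions a `t4` profile
# whose credentials are derived from the existing nix-cache S3 secret.
{ pkgs, config, lib, ... }:
{
  home.packages = [ pkgs.awscli2 ];

  # Derive AWS credentials from the existing nix-cache S3 secret — same
  # credentials, different format. No duplication, no Nomad API access needed.
  #
  # NOTE(review): because these are the same long-lived keys, the CLI profile
  # carries whatever permissions the nix-cache key has, and rotating the
  # nix-cache secret presumably requires regenerating this one — confirm.
  age.generators.aws-credentials = { decrypt, deps, ... }: ''
    # Decrypt once. The plaintext is only held in shell variables and passed
    # over pipes; nothing is written to disk by this script.
    PLAIN=$(${decrypt} ${lib.escapeShellArg deps.nix-cache-s3-env.file}) || {
      echo "aws-credentials: failed to decrypt nix-cache-s3-env" >&2
      exit 1
    }

    # Match only real assignments (optionally prefixed with `export`), so a
    # commented-out line or a variable that merely contains the name cannot
    # be picked up, and take the first match so the value is a single line.
    # The value is everything after the first `=`, copied verbatim.
    KEY=$(printf '%s\n' "$PLAIN" \
      | grep -E '^[[:space:]]*(export[[:space:]]+)?AWS_ACCESS_KEY_ID=' \
      | head -n 1 | cut -d= -f2-) || true
    SECRET=$(printf '%s\n' "$PLAIN" \
      | grep -E '^[[:space:]]*(export[[:space:]]+)?AWS_SECRET_ACCESS_KEY=' \
      | head -n 1 | cut -d= -f2-) || true

    # Fail closed: never emit a credentials file with an empty key or secret.
    # NOTE(review): assumes a non-zero exit aborts generation — confirm
    # against how the generator script is invoked.
    if [ -z "$KEY" ] || [ -z "$SECRET" ]; then
      echo "aws-credentials: AWS_ACCESS_KEY_ID or AWS_SECRET_ACCESS_KEY missing in nix-cache-s3-env" >&2
      exit 1
    fi

    printf '[t4]\naws_access_key_id = %s\naws_secret_access_key = %s\n' \
      "$KEY" "$SECRET"
  '';

  # Generated secret, placed at ~/.aws/credentials and readable by the owner
  # only (mode 0600).
  bosun.secrets.aws-credentials = {
    rekeyFile = "aws-credentials.age";
    path = "${config.home.homeDirectory}/.aws/credentials";
    mode = "0600";
    generator = {
      script = "aws-credentials";
      dependencies = {
        inherit (config.age.secrets) nix-cache-s3-env;
      };
    };
  };

  # Non-secret profile settings; the profile name matches the `[t4]` section
  # written by the generator above.
  home.file.".aws/config".text = ''
    [profile t4]
    endpoint_url = https://s3.toph.so
    region = us-east-1
  '';
}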