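# Home-manager module: installs the AWS CLI and provisions a "t4" profile whose
# credentials are derived from the already-managed nix-cache S3 secret.
{ pkgs, config, lib, ... }: {
  home.packages = [ pkgs.awscli2 ];

  # Derive AWS credentials from the existing nix-cache S3 secret — same
  # credentials, different format. No duplication, no Nomad API access needed.
  #
  # The generator decrypts the env file once, extracts the two values from
  # lines that actually assign them (so a commented-out or similarly named
  # line is not picked up), and refuses to emit a credentials file when either
  # value is missing. Without that check a failed decrypt or a renamed
  # variable would produce a credentials file with blank keys.
  # NOTE(review): assumes the generator runner treats a non-zero exit status
  # as a failed generation and does not store the partial output — confirm.
  # NOTE(review): values are copied verbatim after the first "="; if the env
  # file quotes its values, the quotes end up in the credentials file — confirm
  # the env file format.
  age.generators.aws-credentials = { decrypt, deps, ... }: ''
    ENV_CONTENT=$(${decrypt} ${lib.escapeShellArg deps.nix-cache-s3-env.file}) || {
      echo "aws-credentials: could not decrypt nix-cache-s3-env" >&2
      exit 1
    }

    KEY=$(printf '%s\n' "$ENV_CONTENT" \
      | grep -m1 -E '^[[:space:]]*(export[[:space:]]+)?AWS_ACCESS_KEY_ID=' \
      | cut -d= -f2-) || true
    SECRET=$(printf '%s\n' "$ENV_CONTENT" \
      | grep -m1 -E '^[[:space:]]*(export[[:space:]]+)?AWS_SECRET_ACCESS_KEY=' \
      | cut -d= -f2-) || true

    if [ -z "$KEY" ] || [ -z "$SECRET" ]; then
      echo "aws-credentials: AWS_ACCESS_KEY_ID or AWS_SECRET_ACCESS_KEY not found in nix-cache-s3-env" >&2
      exit 1
    fi

    # printf is a shell builtin, so the secret does not appear in a process
    # argument list. The credentials file names the profile without the
    # "profile " prefix that ~/.aws/config uses.
    printf '[t4]\naws_access_key_id = %s\naws_secret_access_key = %s\n' \
      "$KEY" "$SECRET"
  '';

  # Generated secret, placed at the AWS CLI's default credentials path.
  # Mode 0600 keeps it readable and writable by the owning user only.
  bosun.secrets.aws-credentials = {
    rekeyFile = "aws-credentials.age";
    path = "${config.home.homeDirectory}/.aws/credentials";
    mode = "0600";
    generator = {
      script = "aws-credentials";
      # Exposes the source secret to the generator as deps.nix-cache-s3-env.
      dependencies = {
        inherit (config.age.secrets) nix-cache-s3-env;
      };
    };
  };

  # Non-secret profile settings. This text is written through the Nix store,
  # which is world-readable, so credentials must never be added here.
  home.file.".aws/config".text = ''
    [profile t4]
    endpoint_url = https://s3.toph.so
    region = us-east-1
  '';
}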