From acb33ea9abd6b05986d67cced9f23d0e2c8fdd80 Mon Sep 17 00:00:00 2001
From: jmug
Date: Mon, 14 Jul 2025 18:57:22 -0700
Subject: [PATCH] [Devbox] Use aws cli with yubi mfa.

Signed-off-by: jmug
---
 home-modules/sops.nix | 1 +
 hosts/asahi/home.nix | 25 ++++++++++++++++---------
 hosts/devbox/home.nix | 16 ++++++++++++++++
 secrets.yaml | 5 +++--
 4 files changed, 36 insertions(+), 11 deletions(-)

diff --git a/home-modules/sops.nix b/home-modules/sops.nix
index e2d44c8..0509b1d 100644
--- a/home-modules/sops.nix
+++ b/home-modules/sops.nix
@@ -20,6 +20,7 @@
 "private_keys/ace" = {
 path = "/home/jmug/.ssh/id_ace";
 };
+ "aws/jmug_matcha_mfa_serial" = {};
 "aws/jmug_ace_mfa_serial" = {};
 "aws/role_arn" = {};
 };
diff --git a/hosts/asahi/home.nix b/hosts/asahi/home.nix
index 481d948..20d9b15 100644
--- a/hosts/asahi/home.nix
+++ b/hosts/asahi/home.nix
@@ -80,6 +80,15 @@ in
 stateVersion = "25.05"; # Do not change!!!
 };
+ home.activation.aws-cli-mfa-config = lib.hm.dag.entryAfter ["writeBoundary"] ''
+ mkdir -p ~/.config/aws-cli-mfa
+ cat > ~/.config/aws-cli-mfa/config.yaml << EOF
+mfa_serial: $(cat ${config.sops.secrets."aws/jmug_ace_mfa_serial".path})
+role_arn: $(cat ${config.sops.secrets."aws/role_arn".path})
+session_duration: 43200
+EOF
+ '';
+
 gtk = {
 enable = true;
 gtk3 = {
@@ -155,6 +164,13 @@ in
 programs.zsh.shellAliases = {
+ # TODO BEGIN Interpolate the name of the host here.
+ # flakeconf = "sudo nvim /etc/nixos/flake.nix";
+ # nosconf = "sudo nvim /etc/nixos/hosts/devbox/configuration.nix";
+ # homeconf = "sudo nvim /etc/nixos/hosts/devbox/home.nix";
+ # nvconf = "sudo nvim /etc/nixos/home-modules/explicit-configs/nvim/init.lua";
+ # TODO END Interpolate the name of the host here.
+
 rshellconf = "source ~/.zshrc";
 fly = "flyctl";
 # TODO: Interpolate the name of the host here.
 nrsw = "sudo nixos-rebuild switch --flake /home/jmug/nixos#asahi"; # parametrize this as home dir.
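Review bot: The `home.activation.aws-cli-mfa-config` hunk for asahi writes `~/.config/aws-cli-mfa/config.yaml` with a bare `cat >` under whatever umask the activation shell has, and never checks that the two sops secret paths are readable, so with a 022 umask the MFA serial and role ARN end up in a world-readable file, and a missing secret only prints a `cat` error while the file is still written with an empty `mfa_serial:` or `role_arn:` value. I would guard the write with `test -r ${config.sops.secrets."aws/jmug_ace_mfa_serial".path} || exit 1` (same for `role_arn`) and put `umask 077` before the `mkdir -p`, so the directory and file are created owner-only. Whether the activation script runs under `set -e` is not visible here, and even if it does, a failed command substitution inside a heredoc does not abort the enclosing `cat`. The same eight lines appear verbatim for devbox with only the secret key changed, so a small home module taking the secret name as an option would keep the two hosts from drifting.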
@@ -164,13 +180,4 @@ in
 # Let Home Manager install and manage itself.
 programs.home-manager.enable = true;
-
- home.activation.aws-cli-mfa-config = lib.hm.dag.entryAfter ["writeBoundary"] ''
- mkdir -p ~/.config/aws-cli-mfa
- cat > ~/.config/aws-cli-mfa/config.yaml << EOF
-mfa_serial: $(cat ${config.sops.secrets."aws/jmug_ace_mfa_serial".path})
-role_arn: $(cat ${config.sops.secrets."aws/role_arn".path})
-session_duration: 43200
-EOF
- '';
 }
diff --git a/hosts/devbox/home.nix b/hosts/devbox/home.nix
index 4795da9..6915826 100644
--- a/hosts/devbox/home.nix
+++ b/hosts/devbox/home.nix
@@ -51,6 +51,10 @@ in {
 whatsie
 obs-studio
+ # AWS tools
+ awscli2
+ (callPackage ../../nixos-modules/shell-apps/aws-cli-mfa.nix {})
+
 # Misc
 zig
 neofetch
@@ -75,6 +79,15 @@ in {
 stateVersion = "25.05";
 };
+ home.activation.aws-cli-mfa-config = lib.hm.dag.entryAfter ["writeBoundary"] ''
+ mkdir -p ~/.config/aws-cli-mfa
+ cat > ~/.config/aws-cli-mfa/config.yaml << EOF
+mfa_serial: $(cat ${config.sops.secrets."aws/jmug_matcha_mfa_serial".path})
+role_arn: $(cat ${config.sops.secrets."aws/role_arn".path})
+session_duration: 43200
+EOF
+ '';
+
 programs.zsh = {
 shellAliases = {
 # TODO BEGIN Interpolate the name of the host here.
@@ -86,6 +99,9 @@ in {
 rshellconf = "source ~/.zshrc";
 # TODO: Interpolate the name of the host here.
 nrsw = "sudo nixos-rebuild switch --flake /home/jmug/nixos#devbox";
+ fly = "flyctl";
+ awsmfa = "eval $(aws-cli-mfa)";
+ uawsmfa = "eval $(aws-cli-mfa --unset)";
 };
 loginExtra = ''
 if [ ! -e "/tmp/ssh-agent.''${USER}" ]; then
diff --git a/secrets.yaml b/secrets.yaml
index 2a9e4b6..d7ef9e5 100644
--- a/secrets.yaml
+++ b/secrets.yaml
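Review bot: `session_duration: 43200` in the devbox `aws-cli-mfa-config` hunk asks for a 12-hour session alongside a `role_arn`, and nothing in the commit records why that value was chosen or what the role must allow; if `aws-cli-mfa` (from `nixos-modules/shell-apps/aws-cli-mfa.nix`, not shown here) obtains the credentials through AssumeRole, that request is rejected unless the role's MaxSessionDuration has been raised from its 1-hour default, and role chaining is capped at 1 hour regardless. A comment on that line such as `# 12h; the target role's MaxSessionDuration must be >= 43200 or AssumeRole fails` would save the next reader a confusing `awsmfa` failure. Twelve hours is also a long lifetime for MFA-backed credentials that `awsmfa = "eval $(aws-cli-mfa)"` exports into the shell environment and every process spawned from it; a shorter default, with `uawsmfa` noted in a comment as the way to drop them, would limit what a compromised session can do.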
@@ -3,6 +3,7 @@ private_keys:
 matcha: ENC[AES256_GCM,data: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,iv:8EBPvh7dpv23NtgwUmLn+2m/CKI6dZq72AXvB1OOdlc=,tag:1RCXZDcLOUP+hznVRgzMuA==,type:str]
 ace: ENC[AES256_GCM,data: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,iv:HHfrC8PMHQS96YAzsyu7u52josTWNpgGa+qdjTKk7mk=,tag:9njC2670XZBUusf3cIv+gg==,type:str]
 aws:
+ jmug_matcha_mfa_serial: ENC[AES256_GCM,data:4WGgGRWlMg24y5R1AoqH8RnbyA2ZtC5ZUECIys14i5j5K6xCQEiq3kShi0QKVY7LluSp,iv:T6CcFSWMtxU5n1lymKz0QBGBvI6fKxdjjMjyPVdz4uc=,tag:93dhdWCW85qVI4DbS/2tkg==,type:str]
 jmug_ace_mfa_serial: ENC[AES256_GCM,data:zAxlQFj+K5Bm2sMoCQH4dHQIhvnDKvGMJHjsOIAdr43vfQv5Xw73qnzz8Kp6dqLzqQ==,iv:1WUwfzbohhdCOtTRFr4/gdsb2HZkavY3+OMjE/aO+ek=,tag:A+Mdr2CEZvA8dCHUHF7I6g==,type:str]
 role_arn: ENC[AES256_GCM,data:YlYtqpsiTgHayuCFxY3pKfh5aBjNPf0UMGCoR+mFBUxe1CIU/Nkm+gzAOzwI,iv:Oo8d5y2g3lIVhrQgBT80PSxnZC0qXdqrumx76V1dz6w=,tag:gGJLjCYgcR3nHGhEbEpIGw==,type:str]
 yubico:
@@ -47,7 +48,7 @@ sops:
 UjlDQ0Y5QnY4dmlVVFZrM0IyZzlISWcKwpQY9/f1O2v78/9/dCZ7HPE3wVwQ4COG
 a0E+oMEgBIeQny9LyfhUW2V/HKhYhFNPJaZrNM4J1zL+bz2ucdErmw==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-07-15T01:30:03Z"
- mac: ENC[AES256_GCM,data:5WvGX25dt5jP8dv32adP49pSfNJSOm7xDo5B1fwHjzdvCwU6jkFwjWpfnvA+7cv17nv1CcfXjx0xJOK9KJdz+nKbO6y+d61Y/Gi89aSSOcCs3pPCQgh7+aBlT8FypthmvUe10nZs9b+ImtuiTSJ1rNeYVtHVK5E1jVJt0lPc3tc=,iv:P/rPlnhk0uW7FYiob6UEkgIupakGVrgcbfsXfUg7NOo=,tag:4W0jprqNBSTx12eGMDt/Jw==,type:str]
+ lastmodified: "2025-07-15T01:46:53Z"
+ mac: ENC[AES256_GCM,data:emLL9w/oBY8EfWYlFlYfxqJr5cJT0Rt7VQ6evUSrG5exh7AJMSr3mAxrjmQ/09ZThubevNWSKdbq3EPdgj4zQ9W17xhn+K0H810M/e0Lnaia6Th40rdS9NASdDUB3qKNf5TLlXY5D0phB5Q2nxSnXxNTkQpYCtYsM6QSbeoe1MY=,iv:wcN7z1hpBRiqWIGxMDGEMYaIPDRH7sk1XZoqjzyRsYI=,tag:pQYKivueVO4KcwyKVhyQ6A==,type:str]
 unencrypted_suffix: _unencrypted
 version: 3.10.2