[Devbox] Use aws cli with yubi mfa.

Signed-off-by: jmug <u.g.a.mariano@gmail.com>
Mariano Uvalle 2025-07-14 18:57:22 -07:00
parent cad2386593
commit acb33ea9ab
4 changed files with 36 additions and 11 deletions


@ -20,6 +20,7 @@
"private_keys/ace" = { "private_keys/ace" = {
path = "/home/jmug/.ssh/id_ace"; path = "/home/jmug/.ssh/id_ace";
}; };
"aws/jmug_matcha_mfa_serial" = {};
"aws/jmug_ace_mfa_serial" = {}; "aws/jmug_ace_mfa_serial" = {};
"aws/role_arn" = {}; "aws/role_arn" = {};
}; };


@ -80,6 +80,15 @@ in
stateVersion = "25.05"; # Do not change!!! stateVersion = "25.05"; # Do not change!!!
}; };
home.activation.aws-cli-mfa-config = lib.hm.dag.entryAfter ["writeBoundary"] ''
mkdir -p ~/.config/aws-cli-mfa
cat > ~/.config/aws-cli-mfa/config.yaml << EOF
mfa_serial: $(cat ${config.sops.secrets."aws/jmug_ace_mfa_serial".path})
role_arn: $(cat ${config.sops.secrets."aws/role_arn".path})
session_duration: 43200
EOF
'';
gtk = { gtk = {
enable = true; enable = true;
gtk3 = { gtk3 = {
@ -155,6 +164,13 @@ in
programs.zsh.shellAliases = { programs.zsh.shellAliases = {
# TODO BEGIN Interpolate the name of the host here.
# flakeconf = "sudo nvim /etc/nixos/flake.nix";
# nosconf = "sudo nvim /etc/nixos/hosts/devbox/configuration.nix";
# homeconf = "sudo nvim /etc/nixos/hosts/devbox/home.nix";
# nvconf = "sudo nvim /etc/nixos/home-modules/explicit-configs/nvim/init.lua";
# TODO END Interpolate the name of the host here.
rshellconf = "source ~/.zshrc";
fly = "flyctl"; fly = "flyctl";
# TODO: Interpolate the name of the host here. # TODO: Interpolate the name of the host here.
nrsw = "sudo nixos-rebuild switch --flake /home/jmug/nixos#asahi"; # parametrize this as home dir. nrsw = "sudo nixos-rebuild switch --flake /home/jmug/nixos#asahi"; # parametrize this as home dir.
@ -164,13 +180,4 @@ in
# Let Home Manager install and manage itself. # Let Home Manager install and manage itself.
programs.home-manager.enable = true; programs.home-manager.enable = true;
home.activation.aws-cli-mfa-config = lib.hm.dag.entryAfter ["writeBoundary"] ''
mkdir -p ~/.config/aws-cli-mfa
cat > ~/.config/aws-cli-mfa/config.yaml << EOF
mfa_serial: $(cat ${config.sops.secrets."aws/jmug_ace_mfa_serial".path})
role_arn: $(cat ${config.sops.secrets."aws/role_arn".path})
session_duration: 43200
EOF
'';
} }
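Review bot: The activation block moved to lines 26-33 writes the sops-managed MFA serial and role ARN into `~/.config/aws-cli-mfa/config.yaml` with a bare `cat >`, so the file is created under the activation shell's umask (normally 0644, world-readable) while the values it copies come from sops secret files that are owner-only. Put `umask 077` as the first line of the script (or chmod the file after writing) so the generated config is as restrictive as its inputs. `session_duration: 43200` asks for 12-hour sessions: if aws-cli-mfa calls AssumeRole with the configured role_arn, STS rejects a DurationSeconds above the role's MaxSessionDuration (1 hour unless explicitly raised), and if that limit was raised, a single YubiKey touch then yields credentials valid for a full day, which is worth weighing against why MFA was added. The second hunk (lines 37-48) only adds zsh aliases and the third is the removal of the old copy of this block, so the script itself is unchanged by the move.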


@ -51,6 +51,10 @@ in {
whatsie whatsie
obs-studio obs-studio
# AWS tools
awscli2
(callPackage ../../nixos-modules/shell-apps/aws-cli-mfa.nix {})
# Misc # Misc
zig zig
neofetch neofetch
@ -75,6 +79,15 @@ in {
stateVersion = "25.05"; stateVersion = "25.05";
}; };
home.activation.aws-cli-mfa-config = lib.hm.dag.entryAfter ["writeBoundary"] ''
mkdir -p ~/.config/aws-cli-mfa
cat > ~/.config/aws-cli-mfa/config.yaml << EOF
mfa_serial: $(cat ${config.sops.secrets."aws/jmug_matcha_mfa_serial".path})
role_arn: $(cat ${config.sops.secrets."aws/role_arn".path})
session_duration: 43200
EOF
'';
programs.zsh = { programs.zsh = {
shellAliases = { shellAliases = {
# TODO BEGIN Interpolate the name of the host here. # TODO BEGIN Interpolate the name of the host here.
@ -86,6 +99,9 @@ in {
rshellconf = "source ~/.zshrc"; rshellconf = "source ~/.zshrc";
# TODO: Interpolate the name of the host here. # TODO: Interpolate the name of the host here.
nrsw = "sudo nixos-rebuild switch --flake /home/jmug/nixos#devbox"; nrsw = "sudo nixos-rebuild switch --flake /home/jmug/nixos#devbox";
fly = "flyctl";
awsmfa = "eval $(aws-cli-mfa)";
uawsmfa = "eval $(aws-cli-mfa --unset)";
}; };
loginExtra = '' loginExtra = ''
if [ ! -e "/tmp/ssh-agent.''${USER}" ]; then if [ ! -e "/tmp/ssh-agent.''${USER}" ]; then
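Review bot: The new aliases on lines 92-93 evaluate the helper's output through an unquoted command substitution, `eval $(aws-cli-mfa)`, so the output is split on IFS and re-joined with spaces before eval sees it; multi-line `export` output then only works by accident. Write them as `awsmfa = "eval \"$(aws-cli-mfa)\"";` and `uawsmfa = "eval \"$(aws-cli-mfa --unset)\"";` so the script is evaluated as printed. This pattern also leaves the temporary credentials in the interactive shell's environment, inherited by every child process and readable from /proc/<pid>/environ by the same user; if aws-cli-mfa can emit the credential_process JSON shape, wiring it into `~/.aws/config` would keep them out of the environment — I cannot see `aws-cli-mfa.nix` from here, so treat that as a suggestion to confirm. The activation script on lines 76-83 is a copy of the asahi one apart from the secret name, and like that copy it writes `config.yaml` under the default umask; a shared module taking the secret name as an argument plus a leading `umask 077` would fix both hosts at once.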


@ -3,6 +3,7 @@ private_keys:
matcha: ENC[AES256_GCM,data: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,iv:8EBPvh7dpv23NtgwUmLn+2m/CKI6dZq72AXvB1OOdlc=,tag:1RCXZDcLOUP+hznVRgzMuA==,type:str] matcha: ENC[AES256_GCM,data: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,iv:8EBPvh7dpv23NtgwUmLn+2m/CKI6dZq72AXvB1OOdlc=,tag:1RCXZDcLOUP+hznVRgzMuA==,type:str]
ace: ENC[AES256_GCM,data:rqhEzNlR978ZS+OppyHOWjYTfRKifRMXpqQfKS48oHkbcq7fQF6QtBBz3Ad4yFE3UJECcPipWqi5dhAMDVmOZT9gxEvEdhf6T7ecPHuQo95eUGPC46ZjoEwv7bykNBcncZFd4EHU2szuyqWb+xpGwJtnKqxDzi0ygsS6z/8ySlJWJ+LqCWrwsnERIblW5vgCvrT5Q2zkz3mR8pDNFc4Kh7B27SCBFG3EHST/NsEMhW0hU2eoIK5ppvHaKhVTx22ov2dP+nNbAhMi1WqHCGyQC2X4jeGGPXV8qXvev3Dl0s/VTCUsyqIIU5hPggWo++/XEspaoiLX7BsGklcfL5qGbF6YmSHYDBdgs5VOTzRUsepegmF79qXKO2XRgksH0he3aUOkpv9TVsmBIyPWqClOtA/QiQQ12gLCvqmBLcj66prvRS9qsZ++wxIINBFWhZh8F24pUHf6qpLpXmiEz9l7n1WocJjVgsI0hebYNN7sLtX/2IxVhPjNHVJQPPkDdLuw2841QKdO8cyDjCho3gbm1+RRDeyZWFSnnQUnKA+p2rE9ahtIJtUTuri7egGroJxPRWwgx2r3FW1Cm1ScdcL2W2AJQtnlJNqRnK/jXHXU3QHBkSiLTSwDLXG/0FV23/4Q+wCYp7ivBbztywT2Ngs8IMrFXz/6a7oGPaRqeendaVLJwrpkjruWv/nTdw0/PRchkLFuuP9ncJYVYaI2X6WwE9eiCAyG99M1X587w7SQe7cx,iv:HHfrC8PMHQS96YAzsyu7u52josTWNpgGa+qdjTKk7mk=,tag:9njC2670XZBUusf3cIv+gg==,type:str] ace: ENC[AES256_GCM,data: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,iv:HHfrC8PMHQS96YAzsyu7u52josTWNpgGa+qdjTKk7mk=,tag:9njC2670XZBUusf3cIv+gg==,type:str]
aws: aws:
jmug_matcha_mfa_serial: ENC[AES256_GCM,data:4WGgGRWlMg24y5R1AoqH8RnbyA2ZtC5ZUECIys14i5j5K6xCQEiq3kShi0QKVY7LluSp,iv:T6CcFSWMtxU5n1lymKz0QBGBvI6fKxdjjMjyPVdz4uc=,tag:93dhdWCW85qVI4DbS/2tkg==,type:str]
jmug_ace_mfa_serial: ENC[AES256_GCM,data:zAxlQFj+K5Bm2sMoCQH4dHQIhvnDKvGMJHjsOIAdr43vfQv5Xw73qnzz8Kp6dqLzqQ==,iv:1WUwfzbohhdCOtTRFr4/gdsb2HZkavY3+OMjE/aO+ek=,tag:A+Mdr2CEZvA8dCHUHF7I6g==,type:str] jmug_ace_mfa_serial: ENC[AES256_GCM,data:zAxlQFj+K5Bm2sMoCQH4dHQIhvnDKvGMJHjsOIAdr43vfQv5Xw73qnzz8Kp6dqLzqQ==,iv:1WUwfzbohhdCOtTRFr4/gdsb2HZkavY3+OMjE/aO+ek=,tag:A+Mdr2CEZvA8dCHUHF7I6g==,type:str]
role_arn: ENC[AES256_GCM,data:YlYtqpsiTgHayuCFxY3pKfh5aBjNPf0UMGCoR+mFBUxe1CIU/Nkm+gzAOzwI,iv:Oo8d5y2g3lIVhrQgBT80PSxnZC0qXdqrumx76V1dz6w=,tag:gGJLjCYgcR3nHGhEbEpIGw==,type:str] role_arn: ENC[AES256_GCM,data:YlYtqpsiTgHayuCFxY3pKfh5aBjNPf0UMGCoR+mFBUxe1CIU/Nkm+gzAOzwI,iv:Oo8d5y2g3lIVhrQgBT80PSxnZC0qXdqrumx76V1dz6w=,tag:gGJLjCYgcR3nHGhEbEpIGw==,type:str]
yubico: yubico:
@ -47,7 +48,7 @@ sops:
UjlDQ0Y5QnY4dmlVVFZrM0IyZzlISWcKwpQY9/f1O2v78/9/dCZ7HPE3wVwQ4COG UjlDQ0Y5QnY4dmlVVFZrM0IyZzlISWcKwpQY9/f1O2v78/9/dCZ7HPE3wVwQ4COG
a0E+oMEgBIeQny9LyfhUW2V/HKhYhFNPJaZrNM4J1zL+bz2ucdErmw== a0E+oMEgBIeQny9LyfhUW2V/HKhYhFNPJaZrNM4J1zL+bz2ucdErmw==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2025-07-15T01:30:03Z" lastmodified: "2025-07-15T01:46:53Z"
mac: ENC[AES256_GCM,data:5WvGX25dt5jP8dv32adP49pSfNJSOm7xDo5B1fwHjzdvCwU6jkFwjWpfnvA+7cv17nv1CcfXjx0xJOK9KJdz+nKbO6y+d61Y/Gi89aSSOcCs3pPCQgh7+aBlT8FypthmvUe10nZs9b+ImtuiTSJ1rNeYVtHVK5E1jVJt0lPc3tc=,iv:P/rPlnhk0uW7FYiob6UEkgIupakGVrgcbfsXfUg7NOo=,tag:4W0jprqNBSTx12eGMDt/Jw==,type:str] mac: ENC[AES256_GCM,data:emLL9w/oBY8EfWYlFlYfxqJr5cJT0Rt7VQ6evUSrG5exh7AJMSr3mAxrjmQ/09ZThubevNWSKdbq3EPdgj4zQ9W17xhn+K0H810M/e0Lnaia6Th40rdS9NASdDUB3qKNf5TLlXY5D0phB5Q2nxSnXxNTkQpYCtYsM6QSbeoe1MY=,iv:wcN7z1hpBRiqWIGxMDGEMYaIPDRH7sk1XZoqjzyRsYI=,tag:pQYKivueVO4KcwyKVhyQ6A==,type:str]
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.10.2 version: 3.10.2