From 4f1bd260644c52469c42827e3db5e91be95aefba Mon Sep 17 00:00:00 2001 From: cy Date: Sun, 20 Apr 2025 01:59:00 -0400 Subject: [PATCH] setup aws profile for s3 auth --- .../workflows/build-machines-and-homes.yml | 84 +++++++++---------- ci/upload-to-cache.sh | 1 - 2 files changed, 39 insertions(+), 46 deletions(-) diff --git a/.github/workflows/build-machines-and-homes.yml b/.github/workflows/build-machines-and-homes.yml index 17a8c17..f1e07bc 100644 --- a/.github/workflows/build-machines-and-homes.yml +++ b/.github/workflows/build-machines-and-homes.yml @@ -24,17 +24,17 @@ jobs: runs-on: ${{ matrix.os }} steps: - # - name: Maximize build disk space - # uses: easimon/maximize-build-space@v10 - # with: - # overprovision-lvm: true - # swap-size-mb: 1024 - # remove-dotnet: 'true' - # remove-android: 'true' - # remove-haskell: 'true' - # remove-codeql: 'true' - # remove-docker-images: 'true' - # build-mount-path: /nix + - name: Maximize build disk space + uses: easimon/maximize-build-space@v10 + with: + overprovision-lvm: true + swap-size-mb: 1024 + remove-dotnet: 'true' + remove-android: 'true' + remove-haskell: 'true' + remove-codeql: 'true' + remove-docker-images: 'true' + build-mount-path: /nix - name: setup binary cache key run: echo -n "${{ secrets.NIX_CACHE_SECRET_KEY }}" | xxd -p -r > ${{ runner.temp }}/cache-priv-key.pem @@ -50,6 +50,14 @@ jobs: sudo cp ci/upload-to-cache.sh /etc/nix/ sudo chmod +x /etc/nix/upload-to-cache.sh + - name: setup s3 credentials + run: | + sudo mkdir /root/.aws + echo "[default]" |sudo tee /root/.aws/config |sudo tee /root/.aws/credentials + echo "aws_access_key_id=$AWS_ACCESS_KEY_ID" |sudo tee -a /root/.aws/credentials + echo "aws_secret_access_key=$AWS_SECRET_ACCESS_KEY" |sudo tee -a /root/.aws/credentials + echo "endpoint_url=$AWS_ENDPOINT_URL" |sudo tee -a /root/.aws/config + - name: Install Nix uses: cachix/install-nix-action@v30 with: 
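Review bot: `uses: easimon/maximize-build-space@v10`, enabled in the `@@ -24,17 +24,17 @@` hunk, pins a third-party action to a tag its owner can move, in a job that goes on to write the cache signing key and the S3 credentials to the runner. Pinning to the full commit SHA keeps the reviewed code fixed: `uses: easimon/maximize-build-space@<full-commit-sha> # v10`. The same applies to `cachix/install-nix-action@v30` in the context lines and to `actions/checkout@v4` added in `@@ -113,6 +104,25 @@`.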
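Review bot: Each `sudo tee` in the new `setup s3 credentials` step (hunk `@@ -50,6 +50,14 @@`, repeated verbatim for `build-homes` in `@@ -113,6 +104,25 @@`) copies its input to stdout, so the access key id and secret key are printed into the job log and stay hidden only as long as GitHub's secret masking recognises them. The files are also created with the default umask, which normally leaves `/root/.aws/credentials` mode 0644, and `sudo mkdir` without `-p` fails if the directory already exists. The three `AWS_*` variables are not set in this step, so they presumably come from an `env:` block outside the hunk; if one is missing, an empty value is written without an error. The rewrite below creates the directory and both files owner-only before any secret is written and discards tee's output.

```yaml
      - name: setup s3 credentials
        run: |
          # create the directory and both files owner-only before any secret is written
          sudo install -d -m 700 /root/.aws
          sudo install -m 600 /dev/null /root/.aws/config
          sudo install -m 600 /dev/null /root/.aws/credentials
          # tee's stdout goes to /dev/null so the values never reach the job log
          printf '[default]\nendpoint_url=%s\n' "$AWS_ENDPOINT_URL" | sudo tee /root/.aws/config > /dev/null
          printf '[default]\naws_access_key_id=%s\naws_secret_access_key=%s\n' "$AWS_ACCESS_KEY_ID" "$AWS_SECRET_ACCESS_KEY" | sudo tee /root/.aws/credentials > /dev/null
```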
@@ -63,28 +71,11 @@ jobs: extra-substituters = https://nixcache.cy7.sh extra-trusted-public-keys = nixcache.cy7.sh:DN3d1dt0wnXfTH03oVmTee4KgmdNdB0NY3SuzA8Fwx8= post-build-hook = /etc/nix/upload-to-cache.sh - - - name: debug - run: echo "$(which nix)" - name: build run: | - # package=".#nixosConfigurations."${{ matrix.machine }}".config.system.build.toplevel" - # nix build -L "$package" nix run nixpkgs#nixos-rebuild build -- -L --flake ".#${{ matrix.machine }}" - - name: cache - # https://stackoverflow.com/a/58859404 - if: '!cancelled()' - run: | - package=".#nixosConfigurations."${{ matrix.machine }}".config.system.build.toplevel" - nix run github:cything/nixcp -- \ - push \ - --bucket nixcache \ - --signing-key ${{ runner.temp }}/cache-priv-key.pem \ - -u https://nix-community.cachix.org \ - $package - build-homes: strategy: fail-fast: false @@ -113,6 +104,25 @@ jobs: - name: setup binary cache key run: echo -n "${{ secrets.NIX_CACHE_SECRET_KEY }}" | xxd -p -r > ${{ runner.temp }}/cache-priv-key.pem + - name: Sync repository + uses: actions/checkout@v4 + with: + persist-credentials: false + + - name: post-build-hook + run: | + sudo mkdir -p /etc/nix + sudo cp ci/upload-to-cache.sh /etc/nix/ + sudo chmod +x /etc/nix/upload-to-cache.sh + + - name: setup s3 credentials + run: | + sudo mkdir /root/.aws + echo "[default]" |sudo tee /root/.aws/config |sudo tee /root/.aws/credentials + echo "aws_access_key_id=$AWS_ACCESS_KEY_ID" |sudo tee -a /root/.aws/credentials + echo "aws_secret_access_key=$AWS_SECRET_ACCESS_KEY" |sudo tee -a /root/.aws/credentials + echo "endpoint_url=$AWS_ENDPOINT_URL" |sudo tee -a /root/.aws/config + - name: Install Nix uses: cachix/install-nix-action@v30 with: 
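Review bot: The `post-build-hook` step added to `build-homes` in the `@@ -113,6 +104,25 @@` hunk copies `ci/upload-to-cache.sh` from whatever ref was checked out into `/etc/nix/`, and the next step places the S3 credentials under `/root/.aws`, which suggests the hook is expected to run as root with write access to the cache. The workflow's `on:` triggers are outside the diff; if the job also runs for pull requests or non-default branches with secrets available, the script version from that branch is what gets installed. A comment on the step such as `# hook runs with cache write credentials; this job must only run on trusted refs` would record the assumption. If pull requests do trigger the job, the hook and credential steps could be gated with `if: github.event_name != 'pull_request'`.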
@@ -125,25 +135,9 @@ jobs: secret-key-files = ${{ runner.temp }}/cache-priv-key.pem extra-substituters = https://nixcache.cy7.sh extra-trusted-public-keys = nixcache.cy7.sh:DN3d1dt0wnXfTH03oVmTee4KgmdNdB0NY3SuzA8Fwx8= - - - name: Sync repository - uses: actions/checkout@v4 - with: - persist-credentials: false + post-build-hook = /etc/nix/upload-to-cache.sh - name: build run: | package=".#homeConfigurations."${{ matrix.home }}".activationPackage" nix build -L "$package" - - - name: cache - # https://stackoverflow.com/a/58859404 - if: '!cancelled()' - run: | - package=".#homeConfigurations."${{ matrix.home }}".activationPackage" - nix run github:cything/nixcp -- \ - push \ - --bucket nixcache \ - --signing-key ${{ runner.temp }}/cache-priv-key.pem \ - -u https://nix-community.cachix.org \ - $package diff --git a/ci/upload-to-cache.sh b/ci/upload-to-cache.sh index 6e348a7..6ea65f5 100755 --- a/ci/upload-to-cache.sh +++ b/ci/upload-to-cache.sh @@ -5,5 +5,4 @@ set -eu set -f # disable globbing export IFS=' ' echo "Uploading paths" $OUT_PATHS -# this is where the cachix installer installs nix exec /nix/var/nix/profiles/default/bin/nix copy --to "s3://nixcache?endpoint=s3.cy7.sh" $OUT_PATHS