feat(libstore): add curl-based S3 store implementation

Add a new S3BinaryCacheStore implementation that inherits from
HttpBinaryCacheStore.

The implementation is activated with NIX_WITH_CURL_S3, keeping the
existing NIX_WITH_S3_SUPPORT (AWS SDK) implementation unchanged.

src/libstore/include/nix/store/s3-binary-cache-store.hh

@@ -134,4 +134,79 @@ struct S3BinaryCacheStore : virtual BinaryCacheStore
 
 } // namespace nix
 
+#elif NIX_WITH_CURL_S3
+
+#  include "nix/store/http-binary-cache-store.hh"
+
+namespace nix {
+
+struct S3BinaryCacheStoreConfig : HttpBinaryCacheStoreConfig
+{
+    using HttpBinaryCacheStoreConfig::HttpBinaryCacheStoreConfig;
+
+    S3BinaryCacheStoreConfig(std::string_view uriScheme, std::string_view bucketName, const Params & params);
+
+    const Setting<std::string> profile{
+        this,
+        "default",
+        "profile",
+        R"(
+          The name of the AWS configuration profile to use. By default
+          Nix uses the `default` profile.
+        )"};
+
+public:
+
+    const Setting<std::string> region{
+        this,
+        "us-east-1",
+        "region",
+        R"(
+          The region of the S3 bucket. If your bucket is not in
+          `us-east-1`, you should always explicitly specify the region
+          parameter.
+        )"};
+
+    const Setting<std::string> scheme{
+        this,
+        "https",
+        "scheme",
+        R"(
+          The scheme used for S3 requests, `https` (default) or `http`. This
+          option allows you to disable HTTPS for binary caches which don't
+          support it.
+
+          > **Note**
+          >
+          > HTTPS should be used if the cache might contain sensitive
+          > information.
+        )"};
+
+    const Setting<std::string> endpoint{
+        this,
+        "",
+        "endpoint",
+        R"(
+          The S3 endpoint to use. When empty (default), uses AWS S3 with
+          region-specific endpoints (e.g., s3.us-east-1.amazonaws.com).
+          For S3-compatible services such as MinIO, set this to your service's endpoint.
+
+          > **Note**
+          >
+          > Custom endpoints must support HTTPS and use path-based
+          > addressing instead of virtual host based addressing.
+        )"};
+
+    static const std::string name()
+    {
+        return "S3 Binary Cache Store";
+    }
+
+    static StringSet uriSchemes();
+
+    static std::string doc();
+};
+
+} // namespace nix
+
 #endif

src/libstore/s3-binary-cache-store.cc

@@ -589,4 +589,50 @@ static RegisterStoreImplementation<S3BinaryCacheStoreImpl::Config> regS3BinaryCa
 
 } // namespace nix
 
+#elif NIX_WITH_CURL_S3
+
+#  include <cassert>
+
+#  include "nix/store/s3-binary-cache-store.hh"
+#  include "nix/store/http-binary-cache-store.hh"
+#  include "nix/store/store-registration.hh"
+
+namespace nix {
+
+StringSet S3BinaryCacheStoreConfig::uriSchemes()
+{
+    return {"s3"};
+}
+
+S3BinaryCacheStoreConfig::S3BinaryCacheStoreConfig(
+    std::string_view scheme, std::string_view _cacheUri, const Params & params)
+    : StoreConfig(params)
+    , HttpBinaryCacheStoreConfig(scheme, _cacheUri, params)
+{
+    // For S3 stores, preserve S3-specific query parameters as part of the URL
+    // These are needed for region specification and other S3-specific settings
+    assert(cacheUri.query.empty());
+
+    // Only copy S3-specific parameters to the URL query
+    static const std::set<std::string> s3Params = {"region", "endpoint", "profile", "scheme"};
+    for (const auto & [key, value] : params) {
+        if (s3Params.contains(key)) {
+            cacheUri.query[key] = value;
+        }
+    }
+}
+
+std::string S3BinaryCacheStoreConfig::doc()
+{
+    return R"(
+        **Store URL format**: `s3://bucket-name`
+
+        This store allows reading and writing a binary cache stored in an AWS S3 bucket.
+    )";
+}
+
+static RegisterStoreImplementation<S3BinaryCacheStoreConfig> registerS3BinaryCacheStore;
+
+} // namespace nix
+
 #endif