Add a private peerix key

profiles/peerix/default.nix

@@ -1,3 +1,23 @@
-{...}: {
-  services.peerix.enable = true;
+{config, ...}: 
+let 
+  peerix_user = "peerix";
+in
+{
+  users.groups.${peerix_user} = {};
+  users.users.${peerix_user} = {
+    group = peerix_user;
+    isSystemUser = true;
+  };
+
+  age.secrets.binary-cache-secret = {
+    owner = peerix_user;
+    file = ../../secrets/binary-cache-secret.age;
+  };
+
+  services.peerix = {
+    enable = true;
+    user = peerix_user;
+    privateKeyFile = config.age.secrets.binary-cache-secret.path;
+    publicKey = (builtins.readFile ../../secrets/binary-cache-pub);
+  };
 }

secrets/binary-cache-pub

@@ -0,0 +1 @@
+mae-binary-cache:zgDhN/r2Dti6xFEDhmEVL74mcGUN+hKaOVSFfv3a2qM=

secrets/binary-cache-secret.age

@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> ssh-ed25519 HCZ4Yw InyIbzkqYD4rjLlm2/kXIA5pcw5gfUT8pfuzP5k3KA8
+JFhSw5zD9RoON/PQM7uil+RCXxvPxcTIlAmCCyx4AuE
+-> ssh-ed25519 KRoghg fG1+RSmK9COQEll+3t/Jxh/YbK3bXI2MC+TUcr/CNCo
+cLxQTv2pqXFJcSZVnzC7k1JDrgtJxMB3z/fDF2vPK6o
+-> <;E[-grease _ 0U::
+J4Cj04IK3H1rC8M/9u9vVvsP9rwFGy/GKgeP0evx4Fxf3HZo6L9F4sXtSK17op1o
+Wxam+ZSxi8P9e5zLPg
+--- 9W3G9DkrznU1gfFC7Hiwc0oFR29lSRH57c3yb27PHKY
+/¬¥:RÐÎÔ<C38E>˜‹6Þˆkt·-’ËàŠÆÇL?E²7ƒ’4l…<;ìRÎÌË#Ð<>jëìÔ<Æ0	¸ÄP£‚Ć¯ÇÓ½¾%ÎËàžt$<24>³Ìú"¾L‡QÀ¸v^¡ƒ.[7éñš]ÀÙ¾!L‚õ™±ù2ùIœ[¡µ¬¢2v\8 ¼B)ü¦è^

secrets/secrets.nix

@@ -6,7 +6,9 @@ let
   tesco_sys = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKqryVRMbcei0pZTOP1wgTVzn452vgsUP7MrEb0LQ17s root@tesco";
   mae_tesco = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN64wtGODBn2yygv1sOXnV8qbXImbOttMlhdTKEyQCoT mae@tesco";
 
-  allKeys = [ teapot_sys mae_teapot tesco_sys mae_tesco ];
+  systemKeys = [teapot_sys tesco_sys];
+  allKeys = [ mae_teapot mae_tesco ] ++ systemKeys;
 in
 {
+  "binary-cache-secret.age".publicKeys = systemKeys;
 }