From 0813bee4ee80adc041bab4d039a32f6a226e2d03 Mon Sep 17 00:00:00 2001
From: Bad
Date: Fri, 17 Jun 2022 23:17:33 +0200
Subject: [PATCH] Add a private peerix key
---
 profiles/peerix/default.nix | 24 ++++++++++++++++++++++--
 secrets/binary-cache-pub | 1 +
 secrets/binary-cache-secret.age | 10 ++++++++++
 secrets/secrets.nix | 4 +++-
 4 files changed, 36 insertions(+), 3 deletions(-)
 create mode 100644 secrets/binary-cache-pub
 create mode 100644 secrets/binary-cache-secret.age
diff --git a/profiles/peerix/default.nix b/profiles/peerix/default.nix
index 18cdd5e..f9c5ab1 100644
--- a/profiles/peerix/default.nix
+++ b/profiles/peerix/default.nix
@@ -1,3 +1,23 @@
-{...}: {
- services.peerix.enable = true;
+{config, ...}:
+let
+ peerix_user = "peerix";
+in
+{
+ users.groups.${peerix_user} = {};
+ users.users.${peerix_user} = {
+ group = peerix_user;
+ isSystemUser = true;
+ };
+
+ age.secrets.binary-cache-secret = {
+ owner = peerix_user;
+ file = ../../secrets/binary-cache-secret.age;
+ };
+
+ services.peerix = {
+ enable = true;
+ user = peerix_user;
+ privateKeyFile = config.age.secrets.binary-cache-secret.path;
+ publicKey = (builtins.readFile ../../secrets/binary-cache-pub);
+ };
 }
diff --git a/secrets/binary-cache-pub b/secrets/binary-cache-pub
new file mode 100644
index 0000000..0095864
--- /dev/null
+++ b/secrets/binary-cache-pub
@@ -0,0 +1 @@
+mae-binary-cache:zgDhN/r2Dti6xFEDhmEVL74mcGUN+hKaOVSFfv3a2qM=
\ No newline at end of file
diff --git a/secrets/binary-cache-secret.age b/secrets/binary-cache-secret.age
new file mode 100644
index 0000000..a24aa97
--- /dev/null
+++ b/secrets/binary-cache-secret.age 
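Review bot: `publicKey = (builtins.readFile ../../secrets/binary-cache-pub);` only yields a clean key string because binary-cache-pub is committed without a trailing newline (its hunk ends with `\ No newline at end of file`); the first editor whose tool appends one will silently change the configured value to the key plus `\n`, which presumably no longer matches what peers verify against, and nothing in the module would flag it. Prefer a form that strips it regardless, e.g. `publicKey = lib.fileContents ../../secrets/binary-cache-pub;` with `{config, lib, ...}:` in the module pattern; the parentheses around the call are redundant either way. A one-line comment above the `age.secrets.binary-cache-secret` block would also help the next reader, since both halves of the key pair live under `secrets/` but only one is encrypted, e.g. `# private half is age-encrypted and readable only by the peerix user; binary-cache-pub is the public half and is intentionally plaintext`.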
@@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> ssh-ed25519 HCZ4Yw InyIbzkqYD4rjLlm2/kXIA5pcw5gfUT8pfuzP5k3KA8 +JFhSw5zD9RoON/PQM7uil+RCXxvPxcTIlAmCCyx4AuE +-> ssh-ed25519 KRoghg fG1+RSmK9COQEll+3t/Jxh/YbK3bXI2MC+TUcr/CNCo +cLxQTv2pqXFJcSZVnzC7k1JDrgtJxMB3z/fDF2vPK6o +-> <;E[-grease _ 0U:: +J4Cj04IK3H1rC8M/9u9vVvsP9rwFGy/GKgeP0evx4Fxf3HZo6L9F4sXtSK17op1o +Wxam+ZSxi8P9e5zLPg +--- 9W3G9DkrznU1gfFC7Hiwc0oFR29lSRH57c3yb27PHKY +/¬¥:RÐÎÔ˜‹6Þˆkt·-’ËàŠÆÇL?E²7ƒ’4l…<;ìRÎÌË#ÐjëìÔ<Æ0 ¸ÄP£‚Ć¯ ÇÓ½¾%ÎËàžt$³Ìú"¾L‡QÀ¸v^¡ƒ.[7éñš]ÀÙ¾!L‚õ™±ù2ùIœ[¡µ¬¢2v\8  ¼B)ü¦è^ \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 9e3d0d4..9e00961 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -6,7 +6,9 @@ let tesco_sys = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKqryVRMbcei0pZTOP1wgTVzn452vgsUP7MrEb0LQ17s root@tesco"; mae_tesco = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN64wtGODBn2yygv1sOXnV8qbXImbOttMlhdTKEyQCoT mae@tesco"; - allKeys = [ teapot_sys mae_teapot tesco_sys mae_tesco ]; + systemKeys = [teapot_sys tesco_sys]; + allKeys = [ mae_teapot mae_tesco ] ++ systemKeys; in { + "binary-cache-secret.age".publicKeys = systemKeys; }
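Review bot: `"binary-cache-secret.age".publicKeys = systemKeys;` encrypts the one peerix signing key to both teapot_sys and tesco_sys, and together with the single public key in binary-cache-pub this means both hosts sign with the same identity, so a store path signed on one host is indistinguishable from one signed on the other and a compromise of either host extends to whatever the other accepts from peers. If per-host isolation is wanted, one key pair per host, each encrypted only to that host's key, with both public keys trusted would keep the blast radius to a single machine; if the shared key is deliberate, a short comment on the entry saying so would stop a later reader from "fixing" it. Note also that neither user key (mae_teapot, mae_tesco) is in systemKeys, so re-keying or editing this secret appears to be possible only with access to a host key — worth stating on the entry, e.g. `# host-only secret: decryptable by the two system keys, not by user keys`. The hunk header counts one more context line than is visible here, so the surrounding file may hold an entry this chunk does not show.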