authorRob Austein <sra@build-u.rpki.net>2016-07-29 21:57:31 +0000
committerRob Austein <sra@build-u.rpki.net>2016-07-29 21:57:31 +0000
commita0915be2d060d529ead265c37b7159199bfe42af (patch)
tree0f3c1ee597c81fd4926799b1221dbd1459e0c58f /rpki-pbuilder.ssh_config
parentea2b3a78cc70b97a83d5ba3b8dcee6c4c12ace72 (diff)
Whack with club until builds work with new repository and scripts.
Diffstat (limited to 'rpki-pbuilder.ssh_config')
-rw-r--r--rpki-pbuilder.ssh_config34
1 files changed, 34 insertions, 0 deletions
diff --git a/rpki-pbuilder.ssh_config b/rpki-pbuilder.ssh_config
new file mode 100644
index 0000000..6084fc1
--- /dev/null
+++ b/rpki-pbuilder.ssh_config
@@ -0,0 +1,34 @@
+# Fake hostnames here correspond to git remote URLs, which turns out
+# to be the easy way to use separate keys for push and fetch:
+#
+# $ git remote -v
+# origin pull.download.rpki.net:/usr/local/git/repositories/rpki.net.git/ (fetch)
+# origin push.download.rpki.net:/usr/local/git/repositories/rpki.net.git/ (push)
+#
+# The third key is used for rsync daemon-mode-over-ssh, as the name suggests:
+#
+# $ rsync --rsh ssh rsync://download.rpki.net/
+# APT APT repository for old stable RPKI code (trunk)
+# APTng APT repository for new development RPKI code
+#
+# The reason for using three separate keys is simple: this is a robot, keys are cheap,
+# and using a separate key for each allowed action gives us a trivial way to lock down
+# the server side.
+
+Host pull.download.rpki.net
+ HostName download.rpki.net
+ User aptbot
+ IdentityFile ~/.ssh/id_rsa_pull
+ IdentitiesOnly yes
+
+Host push.download.rpki.net
+ HostName download.rpki.net
+ User aptbot
+ IdentityFile ~/.ssh/id_rsa_push
+ IdentitiesOnly yes
+
+Host download.rpki.net
+ HostName download.rpki.net
+ User aptbot
+ IdentityFile ~/.ssh/id_rsa_rsync
+ IdentitiesOnly yes
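Review bot: None of the three Host blocks sets a host-key policy, so this unattended account relies on the client default when `download.rpki.net` presents a key it has not seen before; because what is fetched and pushed here feeds an APT repository, I would pin that explicitly. Adding `StrictHostKeyChecking yes` and `BatchMode yes` to each block (or once in a shared `Host *download.rpki.net` block) turns an unknown host key into a hard failure rather than a prompt, provided the server's key is pre-seeded in known_hosts. The header comment could also say that the three-key separation only holds if the server's authorized_keys restricts each key to its single action, which is presumably the case but is not visible in this file. As a style point, `HostName download.rpki.net` in the third block is redundant with its `Host` pattern.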