# Fake hostnames here correspond to git remote URLs, which turns out
# to be the easy way to use separate keys for push and fetch:
#
#   $ git remote -v
#   origin  pull.download.rpki.net:/usr/local/git/repositories/rpki.net.git/ (fetch)
#   origin  push.download.rpki.net:/usr/local/git/repositories/rpki.net.git/ (push)
#
# The third key is used for rsync daemon-mode-over-ssh, as the name suggests:
#
#   $ rsync --rsh ssh rsync://download.rpki.net/
#   APT     APT repository for old stable RPKI code (trunk)
#   APTng   APT repository for new development RPKI code
#
# The reason for using three separate keys is simple: this is a robot, keys are cheap,
# and using a separate key for each allowed action gives us a trivial way to lock down
# the server side.

Host pull.download.rpki.net
    HostName download.rpki.net
    User aptbot
    IdentityFile ~/.ssh/id_rsa_pull
    IdentitiesOnly yes

Host push.download.rpki.net
    HostName download.rpki.net
    User aptbot
    IdentityFile ~/.ssh/id_rsa_push
    IdentitiesOnly yes

Host download.rpki.net
    HostName download.rpki.net
    User aptbot
    IdentityFile ~/.ssh/id_rsa_rsync
    IdentitiesOnly yes