Build and deploy nixos from Enterprise to Bebop

- Generate binary cache signing keys on Enterprise
- Add private key to enterprise config for signing
- Add public key to Bebop for accepting packages signed by Enterprise
- Setup hosts files on both systems to include other host name at local reserved
  ip address
- Bebop: Enable OpenSSH access for root user
  - Via SSH only, NO password
  - Use same ssh public key as normal user
- Enterprise: Enable Qemu for compiling aarch64 pacakges

Deploy NixOS from enterprise to bebop with below:

```
nixos-rebuild boot --flake .#bebop -v --target-host root@bebop --build-host
localhost
```

Notice lack of sudo. Remote server does not ask for password for root (usually),
because it is supposed to use SSH key.

TODO: Add payas as trusted user in nix config for bebop so deploying via root is
not necessary. It is generally not best idea to expose root over network.

hosts/bebop/configuration.nix

@@ -8,6 +8,12 @@ let
   hostname = "bebop";
 in
 {
+  nix = {
+    settings.trusted-public-keys = [
+      "enterprise-nix-cache:z8I4D9VcVa4rbc13EWtv3WTuOCcqmywKwguViFwQw+A="
+    ];
+  };
+
   fileSystems = {
     "/" = {
       device = "/dev/disk/by-label/NIXOS_SD";
@@ -18,6 +24,10 @@ in
 
   networking = {
     hostName = hostname;
+    hosts = {
+      "192.168.0.5" = [ "enterprise" ];
+    };
+
     wireless = {
       enable = true;
       networks."${SSID}".psk = SSIDpassword;
@@ -31,7 +41,10 @@ in
   ];
 
   programs.ssh.startAgent = true;
-  services.openssh.enable = true;
+  services.openssh = {
+    enable = true;
+    permitRootLogin = "prohibit-password";
+  };
 
   # Make sure dumb ssh-add is run on every interactive entry
   # Make no mistake, this is a hack. But until I find better solution, it works.
@@ -45,12 +58,18 @@ in
 
   users = {
     # mutableUsers = false;
-    users."${user}" = {
-      isNormalUser = true;
-      extraGroups = [ "wheel" ];
-      openssh.authorizedKeys.keys = [
+    users = {
+      root.openssh.authorizedKeys.keys = [
         "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPziuF0B4Vj/W434rpshcvQu2KieXjGc8HnwymLapyLu nixos@enterprise"
       ];
+
+      "${user}" = {
+        isNormalUser = true;
+        extraGroups = [ "wheel" ];
+        openssh.authorizedKeys.keys = [
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPziuF0B4Vj/W434rpshcvQu2KieXjGc8HnwymLapyLu nixos@enterprise"
+        ];
+      };
     };
   };
 

hosts/enterprise/configuration.nix

@@ -34,6 +34,9 @@ with pkgs;
     };
     kernelPackages = pkgs.linuxPackages_latest;
     kernel.sysctl = { "net.ipv4.ip_forward" = 1; }; # IPv4 NAT networking
+
+    # Compile for aarch64 (Raspberry Pi) from this machine
+    binfmt.emulatedSystems = [ "aarch64-linux" ];
   };
 
   fileSystems."/mnt/Data" = {
@@ -171,6 +174,15 @@ with pkgs;
   # should.
   system.stateVersion = "19.09"; # Did you read the comment?
 
+  nix.settings = {
+    secret-key-files = [
+      "/etc/nixos/hosts/enterprise/binary-cache/enterprise-nix-cache-key.sec"
+    ];
+    trusted-public-keys = [
+      "enterprise-nix-cache:z8I4D9VcVa4rbc13EWtv3WTuOCcqmywKwguViFwQw+A="
+    ];
+  };
+
   nixpkgs = {
     config = {
       # Allow searching and installing proprietory packages