Configure our binary cache on deployment-update-capable systems

nixos/modules/deployment.nix

@@ -30,6 +30,18 @@ in {
   };
 
   config = {
+    # Configure the system to use our binary cache so that deployment updates
+    # only require downloading pre-built software, not building it ourselves.
+    nix = {
+      binaryCachePublicKeys = [
+        "saxtons.private.storage:MplOcEH8G/6mRlhlKkbA8GdeFR3dhCFsSszrspE/ZwY="
+      ];
+      binaryCaches = [
+        "http://saxtons.private.storage"
+      ];
+    };
+
+    # Configure the deployment user.
     users.users.deployment = {
       # Without some shell no login is possible at all, even to execute our
       # restricted command.
@@ -39,6 +51,7 @@ in {
       createHome = true;
       home = "/home/deployment";
 
+      # Authorize the supplied key to run the deployment update command.
       openssh.authorizedKeys.keys = [
         (restrictedKey {
           inherit (cfg) authorizedKey gridName;