Allow $site_path/etc/peer_keys to authenticate peer daemons

The peer_keys file is the standard OpenSSH authorized_keys file
format, one SSH key per line.  Blank lines and any lines starting
with # are ignored.

The file is scanned each time it is modified, allowing hosts to be
added or removed from a cluster configuration without needing to
restart the current node.

I'm choosing to put the peer keys into a local disk file rather
than into the database, because we might run into a catch-22 case
where the peers need to authenticate to each other before they can
read the database.  E.g. this could happen if we figure out how to
embed Apache Cassandra, tunnel its swarm traffic over our own SSH
channels, and require a quorum read to bring the server up.

The use of this file is experimental.  I'm not documenting it yet
because I don't know if we'll be supporting it long-term.

Change-Id: I6e9b8ae5cd1bb3643688a3ee657055aab73e6a87
Signed-off-by: Shawn O. Pearce <sop@google.com>

gerrit-server/src/main/java/com/google/gerrit/server/config/SitePaths.java

@@ -43,6 +43,7 @@ public final class SitePaths {
   public final File ssh_key;
   public final File ssh_rsa;
   public final File ssh_dsa;
+  public final File peer_keys;
 
   public final File site_css;
   public final File site_header;
@@ -75,6 +76,7 @@ public final class SitePaths {
     ssh_key = new File(etc_dir, "ssh_host_key");
     ssh_rsa = new File(etc_dir, "ssh_host_rsa_key");
     ssh_dsa = new File(etc_dir, "ssh_host_dsa_key");
+    peer_keys = new File(etc_dir, "peer_keys");
 
     site_css = new File(etc_dir, "GerritSite.css");
     site_header = new File(etc_dir, "GerritSiteHeader.html");