# Recipient table for the age-encrypted files under secrets/.
#
# Evaluates to an attribute set keyed by "secrets/<name>.age"; each value
# carries a `publicKeys` list built from the per-secret machine keys below
# plus the two user key sets in `adminKeys`.
# NOTE(review): the shape matches an agenix-style rules file, where
# `publicKeys` are the recipients able to decrypt the file -- confirm.
let
  keys = import common/ssh-keys.nix;
  inherit (keys) machines users;

  # Appended to every entry: the delroth and raito user keys are therefore
  # recipients of every secret listed here.
  adminKeys = users.delroth ++ users.raito;

  # Single-host recipient lists, named once so each secret's scope is easy
  # to audit at a glance.
  onBuildCoord = [ machines.build-coord ];
  onMeta01 = [ machines.meta01 ];
  onBuildbot = [ machines.buildbot ];
  onBagelBox = [ machines.bagel-box ];

  # secret name -> machine keys for that secret (user keys are added later).
  recipients = {
    hydra-postgres-key = onBuildCoord;
    hydra-s3-credentials = onBuildCoord;
    hydra-signing-priv = onBuildCoord;
    hydra-ssh-key-priv = onBuildCoord;

    netbox-environment = onMeta01;
    mimir-environment = onMeta01;
    mimir-webhook-url = onMeta01;
    grafana-oauth-secret = onMeta01;
    loki-environment = onMeta01;
    # Shared between two hosts; list order is gerrit01 first, then meta01.
    gerrit-prometheus-bearer-token = [
      machines.gerrit01
      machines.meta01
    ];
    pyroscope-secrets = onMeta01;

    buildbot-worker-password = onBuildbot;
    buildbot-oauth-secret = onBuildbot;
    buildbot-workers = onBuildbot;
    # Private SSH key to Gerrit
    # (the line below is in public-key format; presumably the matching
    # public half, kept for reference -- confirm)
    # ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHx52RUPWzTa2rBA96xcnGjjzAboNN/hm6gW+Q6JiSos
    buildbot-service-key = onBuildbot;
    # Signing key for Buildbot's specific cache
    buildbot-signing-key = onBuildbot;
    buildbot-remote-builder-key = onBuildbot;

    # These are the same password, but nginx wants it in htpasswd format
    metrics-push-htpasswd = onMeta01;
    # Every machine in `keys.machines` is a recipient, which makes this the
    # most widely scoped secret in the table: any one host's key is enough
    # to read it.
    metrics-push-password = builtins.attrValues machines;

    ows-deploy-key = [ machines.gerrit01 ];

    postgres-ca-priv = onBagelBox;
    postgres-tls-priv = onBagelBox;

    newsletter-secrets = [ machines.public01 ];
  };

  # Builds one name/value pair for listToAttrs: the file path for the secret
  # and its recipient list, machine keys first, then the user keys.
  toEntry = secretName: {
    name = "secrets/${secretName}.age";
    value = {
      publicKeys = recipients.${secretName} ++ adminKeys;
    };
  };
in
builtins.listToAttrs (builtins.map toEntry (builtins.attrNames recipients))