# Recipient map for the encrypted secrets. Evaluates to an attribute set keyed
# by "secrets/<name>.age"; each value carries the `publicKeys` allowed to
# decrypt that file (the shape agenix expects -- presumably the consumer,
# confirm against the deployment tooling).
let
  keys = import common/ssh-keys.nix;
  inherit (keys) machines;

  # Appended to EVERY secret's recipient list below: anyone holding one of
  # these user keys can decrypt all secrets in this file.
  commonKeys = keys.users.delroth ++ keys.users.raito;

  # Secret name -> machine keys allowed to decrypt it (least privilege: list
  # only the hosts that actually consume the secret).
  secrets = {
    hydra-s3-credentials = [ machines.bagel-box ];
    hydra-signing-priv = [ machines.bagel-box ];
    hydra-ssh-key-priv = [ machines.bagel-box ];

    netbox-environment = [ machines.meta01 ];
    mimir-environment = [ machines.meta01 ];
    grafana-oauth-secret = [ machines.meta01 ];
    loki-environment = [ machines.meta01 ];

    gerrit-prometheus-bearer-token = [
      machines.gerrit01
      machines.meta01
    ];

    # Same password in two encodings: nginx needs the htpasswd form, while
    # the plaintext form is handed to every machine in `keys.machines`.
    # NOTE(review): any host added to `keys.machines` becomes a recipient of
    # metrics-push-password automatically; recipients are fixed when a file
    # is encrypted, so existing .age files need re-encrypting after a change.
    metrics-push-htpasswd = [ machines.meta01 ];
    metrics-push-password = builtins.attrValues machines;
  };

  # Build one name/value pair for builtins.listToAttrs from a secret name.
  toAgeEntry = secretName: {
    name = "secrets/${secretName}.age";
    value = {
      publicKeys = secrets.${secretName} ++ commonKeys;
    };
  };
in
builtins.listToAttrs (map toAgeEntry (builtins.attrNames secrets))