diff --git a/secrets.nix b/secrets.nix
new file mode 100644
index 0000000..729276a
--- /dev/null
+++ b/secrets.nix
@@ -0,0 +1,28 @@
+let
+ keys = import ./ssh-keys.nix;
+
+ secrets = with keys; {
+ tailscale-authKey = [
+ machines.arr
+ machines.metrics
+ ];
+ # alertmanager-matrix-forwarder = [ machines.pluto ];
+ # fastly-read-only-api-token = [ machines.pluto ];
+ # hydra-mirror-aws-credentials = [ machines.pluto ];
+ # hydra-mirror-git-credentials = [ machines.pluto ];
+ # packet-sd-env = [ machines.pluto ];
+ # pluto-backup-secret = [ machines.pluto ];
+ # pluto-backup-ssh-key = [ machines.pluto ];
+ # prometheus-packet-spot-market-price-exporter = [ machines.pluto ];
+ # rfc39-credentials = [ machines.pluto ];
+ # rfc39-github = [ machines.pluto ];
+ # rfc39-record-push = [ machines.pluto ];
+ # tarball-mirror-aws-credentials = [ machines.pluto ];
+ };
+in
+builtins.listToAttrs (
+ map (secretName: {
+ name = "secrets/${secretName}.age";
+ value.publicKeys = secrets."${secretName}" ++ keys.infra-core;
+ }) (builtins.attrNames secrets)
+)
diff --git a/secrets/tailscale-authKey.age b/secrets/tailscale-authKey.age
new file mode 100644
index 0000000..2228a61
--- /dev/null
+++ b/secrets/tailscale-authKey.age
@@ -0,0 +1,14 @@
+age-encryption.org/v1
+-> ssh-ed25519 1nWE1Q J7LFA/+OWjALgurxCaCsrNIsiCz6Y/GBnAO8xznDdgI
+Z8/shqTX6tepqfrktQLxTn1XYzph0cnhf8bmr53Pl2o
+-> ssh-ed25519 xSWWeQ zTbGFK9uT1UmRByKdhsDikj9isQg08k4cxM3+HGXZWE
+eWrkdsYiCw6Lk9UMEs0+yby7ZheJmIx04vL7I+8q+LA
+-> ssh-ed25519 Si3UKw Jl+O+cygmKLA9IAyNBg9qr0d4H5f9ygnTBI6M/uoZxw
+ZaJAhdhn/7Tm/xIw1w0yI5D/4j2e/8K6x7Phlis9AOc
+-> ssh-ed25519 3UG3uw boXDEDh2enEx2a/6DczJ/4b6XvaGs2b6rhrkzK5L9Uc
+9qPpJ2cr+/7Br8xVROFCbj8F6vkEPkmCNMWi5JbnbBw
+-> ssh-ed25519 JEhtoQ 1d7BDdYIJe0IxDLUrZ+Um/R0cusQQzIMy2RWnb+lSCw
+Q8eWTIwkw85KvnKinh4YoKQ/PpHLa4ELrdFGMKsGWSo
+--- 9Lam+CKmN6dyxPwwJqDjJW7tL/zGTQhkomsKFZohqsI
+|֨a.{m'd>|hԚ\޽%w
+:dxW.vlLjSf[Iw gd(]PRd}%
\ No newline at end of file
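Review bot: The single `tailscale-authKey` secret is encrypted to both `machines.arr` and `machines.metrics`, so one Tailscale auth key (necessarily reusable, since two hosts consume it) is readable by two hosts and a compromise of either leaks a key that can enroll further devices on the tailnet. Consider one secret per host, e.g. `tailscale-authKey-arr = [ machines.arr ];` and `tailscale-authKey-metrics = [ machines.metrics ];`, each generated as a short-lived, tagged (and where possible ephemeral) key; the `.age` files would need to be created under the new names since `name = "secrets/${secretName}.age"` derives the path from the attribute. The commented-out entries all reference `machines.pluto`, which `ssh-keys.nix` in this commit does not define, so uncommenting any of them would fail evaluation; either drop them or add a comment saying they are placeholders pending a `pluto` host key. It would also help to document that `++ keys.infra-core` makes every operator key a recipient of every secret (needed for re-keying), e.g. `# every secret is also readable by infra-core so operators can re-encrypt when a host key rotates`.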
diff --git a/ssh-keys.nix b/ssh-keys.nix
new file mode 100644
index 0000000..3897f40
--- /dev/null
+++ b/ssh-keys.nix
@@ -0,0 +1,25 @@
+rec {
+ deadbeef = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDhiGLc/whCY3lCmDiRlYnMJOLiO/gvcRj/sKVEFVAhQ pazpi@deadbeef";
+
+ PP416 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILpr7Kd6xKLQiOPlkXw59C3tmNuk4hN5tEhZ7Po9FEPR dp@PP416";
+
+ krzo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILrVYJrU6Ys2o/QYfI6Es5yqVVyjUyDYj6Fglvz63ywP krzo@pazpi.top";
+
+ # The key are found executing `ssh-keyscan `
+ machines = {
+ arr = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICjAFjbSGaeWnImPFBEQ/PeGz7hgpLhUYgZg5Hb/JJ42";
+ metrics = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIFRY4bpw1gCJAWMtBTSm2/09gcniFkSyCKCKPyGHVbr";
+ };
+
+ infra-core = [
+ deadbeef
+ PP416
+ krzo
+ ];
+
+ infra-machine = [
+ machines.arr
+ machines.metrics
+ ];
+
+}
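Review bot: The comment above `machines` says the host keys were obtained with `ssh-keyscan`, which records whatever key the network presented at scan time; because these keys become age recipients for every secret in `secrets.nix`, a spoofed or intercepted host at scan time would silently make an attacker a recipient. Verify each key out-of-band against `/etc/ssh/ssh_host_ed25519_key.pub` on the machine itself (or via console) before committing it, and say so in the comment, e.g. `# Host keys, copied from /etc/ssh/ssh_host_ed25519_key.pub on each machine and cross-checked against ssh-keyscan output`. The comment also has a grammar slip and a trailing empty argument (`ssh-keyscan `); `ssh-keyscan -t ed25519 <host>` would be the complete form. `infra-machine` is not referenced by `secrets.nix` in this commit; if nothing else consumes it, a short comment on its intended use would keep it from looking like dead configuration.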