# Recipient rules for encrypted secrets: evaluates to an attribute set mapping
# "secrets/<name>.age" to { publicKeys = [ ... ]; }, i.e. the public keys
# allowed to decrypt each file.
# NOTE(review): the shape matches an agenix-style secrets.nix; confirm which
# tool consumes this file.
#
# Security notes for maintainers:
#  - keys.infra-core is appended to EVERY entry below, so any key in that set
#    can decrypt every secret listed here. Keep that set small and audited.
#  - Editing a recipient list here does not by itself change .age files that
#    are already encrypted; they have to be re-encrypted for the new recipient
#    set (with agenix: `agenix --rekey`). When a recipient is removed, also
#    rotate the secret value, because older ciphertext (e.g. in VCS history)
#    stays decryptable by the removed key.
let
  keys = import ./ssh-keys.nix;

  # Host keys and the shared operator/infra key set, both defined in
  # ssh-keys.nix (not visible from this file).
  inherit (keys) machines infra-core;

  # Secret name -> machine keys that need to read it (least privilege: one
  # host per secret unless noted).
  recipients = {
    # Recipient list comes straight from ssh-keys.nix rather than machines.*.
    # It must evaluate to a list, since it is concatenated with infra-core.
    tailscale-authKey = keys.tailscale-machine;

    # caddy
    cloudflare-tegola-apiKey = [ machines.caddy ];
    cloudflare-pasetto-apiKey = [ machines.caddy ];
    ddclient = [ machines.caddy ];
    searx-secret = [ machines.caddy ];

    # metrics
    prowlarr-apiKey = [ machines.metrics ];
    radarr-apiKey = [ machines.metrics ];
    sonarr-apiKey = [ machines.metrics ];
    lidarr-apiKey = [ machines.metrics ];
    readarr-apiKey = [ machines.metrics ];
    bazarr-apiKey = [ machines.metrics ];
    grafana-admin-pwd = [ machines.metrics ];
    grafana-secret-auth = [ machines.metrics ];

    # The only secret shared between two hosts: readable by caddy and metrics.
    searx-prometheus-secret = [
      machines.caddy
      machines.metrics
    ];

    # one host each
    nextcloud-admin-pwd = [ machines.nextcloud ];
    vaultwarden-admin-pwd = [ machines.vaultwarden ];
    watchtower-secrets = [ machines.portainer ];
    authentik-env = [ machines.auth ];
    dns01-admin-password = [ machines.dns01 ];
    dns02-admin-password = [ machines.dns02 ];
    dns02-dhcp-failover = [ machines.dns02 ];
    shadowshocks-password = [ machines.shadowshocks ];
  };

  # Build one name/value pair for listToAttrs: the file path of the secret and
  # its final recipient list (per-secret hosts followed by infra-core).
  toRule = secretName: {
    name = "secrets/${secretName}.age";
    value = {
      publicKeys = (builtins.getAttr secretName recipients) ++ infra-core;
    };
  };
in
builtins.listToAttrs (map toRule (builtins.attrNames recipients))