# Secret-to-recipient rules: evaluates to an attribute set keyed by
# "secrets/<name>.age", each carrying the `publicKeys` that file is encrypted to.
# NOTE(review): this is the shape an agenix-style rules file uses; confirm which
# tool consumes it.
#
# Access-control notes for reviewers:
#   * Every entry below is a least-privilege decision: only the listed machine
#     keys (plus the provisioning key, see `provisioning`) are recipients.
#   * Recipients are fixed when a file is encrypted. Removing a machine here does
#     not take access away until the file is re-encrypted, and a value that a
#     removed machine could already read should be rotated as well.
let
  keys = import ./ssh-keys.nix;
  inherit (keys) machines;

  # Appended to the recipient list of *every* secret, so whoever holds the
  # matching private key(s) can decrypt all of them. Must be a list, since it
  # is joined with `++`.
  provisioning = keys.provisioning-machine;

  # Secret name -> list of public keys allowed to decrypt it.
  recipientsBySecret = {
    # Taken from ssh-keys.nix as-is rather than from `machines`; it has to be
    # a list because it is concatenated with `++` below.
    tailscale-authKey = keys.tailscale-machine;

    cloudflare-tegola-apiKey = [ machines.caddy ];
    cloudflare-pasetto-apiKey = [ machines.caddy ];
    ddclient = [ machines.caddy ];
    searx-secret = [ machines.caddy ];
    # The only secret shared between two machines.
    searx-prometheus-secret = [ machines.caddy machines.metrics ];

    arr-secrets = [ machines.arr ];

    exportarr-secrets = [ machines.metrics ];
    grafana-admin-pwd = [ machines.metrics ];
    grafana-secret-auth = [ machines.metrics ];

    nextcloud-admin-pwd = [ machines.nextcloud ];
    nextcloud-secrets = [ machines.nextcloud ];

    vaultwarden-admin-pwd = [ machines.vaultwarden ];

    watchtower-secrets = [ machines.portainer ];

    authentik-env = [ machines.auth ];

    dns01-admin-password = [ machines.dns01 ];
    dns02-admin-password = [ machines.dns02 ];
    dns02-dhcp-failover = [ machines.dns02 ];

    shadowsocks-password = [ machines.shadowsocks ];

    firefly-iii-app-key = [ machines.firefly-iii ];
    firefly-iii-mailgun-key = [ machines.firefly-iii ];

    paperless-admin = [ machines.paperless ];
    paperless-oauth2-client-secret = [ machines.paperless ];

    zigbee2mqtt-password = [ machines.zigbee2mqtt ];
    mqtt-password = [ machines.zigbee2mqtt ];
  };

  # Build one name/value pair for builtins.listToAttrs: the encrypted file's
  # path, and its recipients (per-secret keys followed by the provisioning key).
  toRule = secretName: {
    name = "secrets/${secretName}.age";
    value = {
      publicKeys = recipientsBySecret.${secretName} ++ provisioning;
    };
  };
in
builtins.listToAttrs (map toRule (builtins.attrNames recipientsBySecret))