let
  hosts = {
    bree = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFM4wZaYwz8kuu6lNrdrN6QOyouGQ0v1ye+Iwh1jawNi";
    mba = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDLQTIPZraE+jpMqGkh8yUhNFzRJbMarX5Mky3nETw6c";
    mbp = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINXiA49xsrOJp7wOTYeX5+9o3gly8LyN6gvJoNVQmswv";
    rivendell = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID76U5kt8DfBbuP16rMzfBTVTpjjPFKWnnheMALaCQEd";
    argonath = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHi9jHqRjpMzXlznTXi4nEtlRlFfyIzB6Ur9A+HDfFoq";
  };
  users = {
    fcuny = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKdyJepi/NyO6d9eP8m48Ga/gdjB5ENHRXYM1ZqFZR8t";
  };
  age = [
    "age1yubikey1qv92lk8ckjm2qs900h89pz9myl3nfjnz7fc0eluppexyfgc0pfnjusaje3w"
    "age1yubikey1qd30fnnxd2uh9lgw0dr7nwvmn003rmzkrg87xfw67gdsf7u0lhm3kd4w8ul"
    "age1yubikey1qwrxced5j32ks5cc5aqffwz68yva9ukkz6tx5xm2sjn8swl2evtlsjlmsy9"

  ];
in
{
  "acme-cloudflare-env.age".publicKeys = [
    users.fcuny
    hosts.argonath
  ]
  ++ age;

  "restic-pw.age".publicKeys = [
    users.fcuny
    hosts.rivendell
  ]
  ++ age;

  "restic-nas-smb-config.age".publicKeys = [
    users.fcuny
    hosts.rivendell
  ]
  ++ age;

  # ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINE3mdcVS7+DPr7MZzIh3JsuI5t4z83j7ZAdAYxFLW4S rsync-nas
  "rsync-ssh-nas.age".publicKeys = [
    users.fcuny
    hosts.rivendell
  ]
  ++ age;

  # this is the SSH key we use to access the remote builder.
  "ssh-remote-builder.age".publicKeys = [
    users.fcuny
    hosts.mba
  ]
  ++ age;

  "miniflux-oidc.age".publicKeys = [
    users.fcuny
    hosts.rivendell
  ]
  ++ age;

  "grafana-oidc.age".publicKeys = [
    users.fcuny
    hosts.rivendell
  ]
  ++ age;

  # generated with:
  # openssl rand 64 | openssl base64 -A | tr '+/' '-_' | tr -d '='
  "authelia-storage-key.age".publicKeys = [
    users.fcuny
    hosts.rivendell
  ]
  ++ age;

  # generated with:
  # openssl rand 64 | openssl base64 -A | tr '+/' '-_' | tr -d '='
  "authelia-jwt-key.age".publicKeys = [
    users.fcuny
    hosts.rivendell
  ]
  ++ age;

  # generated with:
  # authelia crypto pair rsa generate
  "authelia-jwks.age".publicKeys = [
    users.fcuny
    hosts.rivendell
  ]
  ++ age;

  "authelia-users.yaml.age".publicKeys = [
    users.fcuny
    hosts.rivendell
  ]
  ++ age;

  "bree/wireguard.age".publicKeys = [
    users.fcuny
    hosts.bree
  ]
  ++ age;

  "bree/disk-passphrase.age".publicKeys = [
    users.fcuny
    hosts.bree
  ]
  ++ age;

  "bree/disk-unlock-key.age".publicKeys = [
    users.fcuny
    hosts.bree
  ]
  ++ age;

  "rivendell/wireguard.age".publicKeys = [
    users.fcuny
    hosts.rivendell
  ]
  ++ age;

  "argonath/wireguard.age".publicKeys = [
    users.fcuny
    hosts.argonath
  ]
  ++ age;

  "anthropic-api-key.age".publicKeys = [
    users.fcuny
    hosts.mba
    hosts.mbp
  ]
  ++ age;
}