let
  hosts = {
    vm-synology = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHKZAKlqOU6bSuMaaZAsYJdZnmNASWuIbbrrOjB6yGb8 root@vm-synology";
    mba = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDLQTIPZraE+jpMqGkh8yUhNFzRJbMarX5Mky3nETw6c root@mba-m2";
    rivendell = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID76U5kt8DfBbuP16rMzfBTVTpjjPFKWnnheMALaCQEd";
    argonath = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHi9jHqRjpMzXlznTXi4nEtlRlFfyIzB6Ur9A+HDfFoq";
  };
  users = {
    fcuny = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKdyJepi/NyO6d9eP8m48Ga/gdjB5ENHRXYM1ZqFZR8t";
  };
in
{
  "acme-cloudflare-env.age".publicKeys = [
    users.fcuny
    hosts.rivendell
    hosts.argonath
  ];

  "restic-pw.age".publicKeys = [
    users.fcuny
    hosts.vm-synology
    hosts.rivendell
  ];

  "nas_client.age".publicKeys = [
    users.fcuny
    hosts.vm-synology
    hosts.rivendell
  ];

  # this is the SSH key we use to access the remote builder.
  "ssh-remote-builder.age".publicKeys = [
    users.fcuny
    hosts.vm-synology
    hosts.mba
  ];

  "miniflux-oidc.age".publicKeys = [
    users.fcuny
    hosts.rivendell
  ];

  # generated with:
  # openssl rand 64 | openssl base64 -A | tr '+/' '-_' | tr -d '='
  "authelia-storage-key.age".publicKeys = [
    users.fcuny
    hosts.rivendell
  ];

  # generated with:
  # openssl rand 64 | openssl base64 -A | tr '+/' '-_' | tr -d '='
  "authelia-jwt-key.age".publicKeys = [
    users.fcuny
    hosts.rivendell
  ];

  # generated with:
  # authelia crypto pair rsa generate
  "authelia-jwks.age".publicKeys = [
    users.fcuny
    hosts.rivendell
  ];

  "authelia-users.yaml.age".publicKeys = [
    users.fcuny
    hosts.rivendell
  ];

  "vm-synology/wireguard.age".publicKeys = [
    users.fcuny
    hosts.vm-synology
  ];

  "rivendell/wireguard.age".publicKeys = [
    users.fcuny
    hosts.rivendell
  ];

  "argonath/wireguard.age".publicKeys = [
    users.fcuny
    hosts.argonath
  ];
}