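# Recipient rules for the age-encrypted files under secrets/.
# Evaluates to an attribute set of the form
#   { "secrets/<name>.age".publicKeys = <recipient keys>; ... }
# so this file decides which SSH public keys each secret is encrypted to.
#
# Changing a recipient list only affects files that are re-encrypted
# (rekeyed) afterwards; a key removed here can still decrypt any older
# ciphertext it was a recipient of (e.g. from version-control history), so
# rotate the secret value itself when access must really be withdrawn.
let
  # NOTE(review): the listing read `import { }`, which cannot evaluate
  # (import needs a path); the `<nixpkgs>` lookup path is presumed to have
  # been stripped from the page. Only `lib` is taken from it. Confirm.
  pkgs = import <nixpkgs> { };
  inherit (pkgs) lib;

  var = import ./var { inherit lib; };
  ssh-keys = var.ssh-keys;

  # Recipients of the general secrets. Every key in this set can decrypt
  # every entry of `secrets` below, so keep the set as small as the
  # deployment allows. (Contents are defined in ./var and not visible here.)
  keys = ssh-keys.root;

  # Narrower recipient set used for `trusted-secrets`.
  # Presumably the root keys of desktop/client machines only; verify in ./var.
  trusted-keys = ssh-keys.desktops.root;

  # Secrets encrypted to `keys`.
  secrets = [
    "hd-password"
    "roam/firefox-sync-secret"
    "roam/forgejo-mailer-password"
    "roam/mullvad-vpn-key"
    "roam/miniflux-admin-creds"
    "roam/nextcloud-admin-password"
    "roam/rclone-conf"
    "tlskey"
  ];

  # Secrets encrypted to `trusted-keys` only.
  trusted-secrets = [
    # Can only be decrypted by clients
    "syncthing-password"
  ];

  # mkSecrets k s: one "secrets/<name>.age" rule per name in `s`, each with
  # `k` as its publicKeys.
  mkSecrets =
    k: s:
    lib.mergeAttrsList (
      map (name: {
        "secrets/${name}.age".publicKeys = k;
      }) s
    );

  # Per-client Syncthing secret, encrypted to that client's own root key and
  # to no other host. Evaluation fails if `client` has no entry in
  # ssh-keys.by-host.root, which surfaces a missing key instead of silently
  # producing a rule with no recipients.
  mkSyncthingSecret = client: {
    "secrets/syncthing/${client}.age".publicKeys = [
      ssh-keys.by-host.root.${client}
    ];
  };

  # One rule per attribute name in var.syncthing.managed.
  syncthingSecrets = lib.mergeAttrsList (
    map mkSyncthingSecret (lib.attrNames var.syncthing.managed)
  );
in
# Later list entries win when two rules share a path, so a name listed in
# both `secrets` and `trusted-secrets` would end up with `trusted-keys`.
lib.mergeAttrsList [
  (mkSecrets keys secrets)
  (mkSecrets trusted-keys trusted-secrets)
  syncthingSecrets
]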