let
  inherit (builtins) attrValues foldl' mapAttrs;
  ## `mergeAttrs` and `concatMapAttrs` are in `lib.trivial` and `lib.attrsets`,
  ## but we would rather avoid a dependency in nixpkgs for this file.
  mergeAttrs = x: y: x // y;
  concatMapAttrs = f: v: foldl' mergeAttrs { } (attrValues (mapAttrs f v));

  keys = import ../keys;
  contributors = attrValues keys.contributors;
in

concatMapAttrs
  (name: systems: {
    "${name}.age".publicKeys = contributors ++ systems;
  })

  (
    with keys.systems;

    ##############################################################################
    ## File name <-> system host keys mapping
    ##
    ## This attribute set defines precisely which secrets exist and which systems
    ## are able to decrypt them.

    {
      forgejo-database-password = [ vm02116 ];
      forgejo-email-password = [ vm02116 ];
      forgejo-runner-token = [ fedi300 ];
      wiki-basicauth-htpasswd = [ vm02187 ];
      wiki-password = [ vm02187 ];
      wiki-smtp-password = [ vm02187 ];
    }
  )