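# agenix secrets map: every *.age file below ./secrets is mapped to the list of
# recipient public keys it must be encrypted to. Only public keys live here; the
# file is safe to commit.
let
  # `<nixpkgs>` is resolved from NIX_PATH, so the `lib` version is not pinned;
  # only pure lib helpers are used below, so this does not affect the recipients.
  inherit (import <nixpkgs> { }) lib;
  inherit (lib)
    attrsets
    filesystem
    lists
    path
    strings
    ;

  # Nounous (admins). Every secret in this file is additionally encrypted to all
  # of them so any admin can decrypt and rekey. aeltheos uses two age-yubikey
  # recipients (decryption presumably needs age-plugin-yubikey — confirm); the
  # others are plain ssh-ed25519 keys.
  aeltheos_0 = "age1yubikey1qvn7t9hplvnr2w8nsfezfqudz8gq3v8sq99dkdpzmm4a74rng5qgz4v6wzt";
  aeltheos_1 = "age1yubikey1qwmt8heph3jg9sfva3yygphfw0nqed9hs8ndjsfw8yp86kwllearq9fylz2";
  korenstin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIh26Ejn/syhvReixauY8i85+XD8P9RRJrPQGEyAQ07l klin@nixos";
  lyes = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHW62pK9A6E8pEwmSnTp6oKXac+bbOJ4VkPvNLa11No8 lyessaadi@crans.org";
  lzebulon = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJRSBsRgd/ITK2An7q1VXoeDPbcydR3FkQjHoO+1tAAO lzebulon@archframe";
  pigeonmoelleux_0 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHa+ptSTNG4mnGUEGSkHTNDzyUGeiMnaWS2nDvJwrYTp ratcornu@skryre";
  pigeonmoelleux_1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA41j5jdFj18OSHONx4QN9mMT+oBmtdwb1vstNavGOnz ratcornu@vrrtkin";
  nounous = [
    aeltheos_0
    aeltheos_1
    korenstin
    lyes
    lzebulon
    pigeonmoelleux_0
    pigeonmoelleux_1
  ];

  # Machines: one ssh-ed25519 host key per machine (the key agenix decrypts with
  # on the host). NOTE(review): `cephiroth` and `two` carry a `root@nixos`
  # comment instead of their hostname — confirm these are the current host keys
  # of those machines and not keys left over from a fresh install.
  hosts = {
    apprentix = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDCJV6jqQWEYuwi+OJ9r/4TbBN/cK9NvYWNiJhpFzcc7 root@apprentix";
    cephiroth = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOsBGkhiu6l3jeo15cQHMu3dPyL025zXPV2ZH02EDYEt root@nixos";
    jitsi = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB6jVMIZ5y2oXX9HOkw7r5UUjw95MlFaFuu7FnEC0Q8z root@jitsi";
    livre = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEVfKNokHG6ig32hhQxTep+fKFmKahlDClPrX/dP4/gb root@livre";
    neo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMGfSvxqC2PJYRrxJaivVDujwlwCZ6AwH8hOSA9ktZ1V root@neo";
    redite = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOwfVmR3NjZf6qkDlTSiyo39Up5nSNUVW7jYDWXrY8Xr root@redite";
    thot = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFKNg1b8ft1L55+joXQ/7Dt2QTOdkea8opTEnq4xrhPU root@thot";
    two = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPpaGf8A+XWXBdNrs69RiC0qPbjPHdtkl31OjxrktmF6 root@nixos";
    vaultwarden = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICn6vfDlsZVU6TEWg9vTgq9+Fp3irHjytBTky7A4ErRM root@vaultwarden";
  };

  # Groups
  all = attrsets.mapAttrsToList (_: key: key) hosts;
  acme = [
    hosts.jitsi
    hosts.neo
  ];

  # Helpers

  # All `*.age` files below `dir`, as path strings relative to this file
  # (e.g. "./secrets/common/foo.age"). Yields [] when `dir` does not exist:
  # the original aborted evaluation of the whole file (readDir on a missing
  # path) as soon as one host had no ./secrets/<host> or ./secrets/restic/<host>
  # directory, which git cannot even track when empty.
  listFilesRelative =
    dir:
    if builtins.pathExists dir then
      lists.filter (f: strings.hasSuffix ".age" f) (
        map (p: path.removePrefix ./. p) (filesystem.listFilesRecursive dir)
      )
    else
      [ ];

  # agenix attrset for `paths`: each secret is encrypted to `groups` plus every
  # nounou. Keys are the relative path strings from listFilesRelative.
  genAttrs =
    paths: groups:
    builtins.foldl' (acc: secret: acc // { "${secret}".publicKeys = groups ++ nounous; }) { } paths;

  # Per-host secrets: for every host in `hostSet`, each *.age file below
  # `dirFor host` is encrypted to that host's key (plus nounous) only.
  perHostSecrets =
    dirFor: hostSet:
    attrsets.foldlAttrs (
      outacc: host: key:
      outacc // genAttrs (listFilesRelative (dirFor host)) [ key ]
    ) { } hostSet;

  # Secrets
  # restic/client_env.age lives outside ./secrets/common but is shared the same
  # way, hence the explicit entry.
  commonSecrets = (listFilesRelative ./secrets/common) ++ [ "./secrets/restic/client_env.age" ];
  acmeSecrets = listFilesRelative ./secrets/acme;
in
# Secrets shared by every machine except apprentix. Later `//` merges win on a
# duplicate key, but the directories are disjoint so no entry is overridden.
(genAttrs commonSecrets (lists.remove hosts.apprentix all))
# ACME secrets
// (genAttrs acmeSecrets acme)
# Per-host restic secrets. thot and cephiroth get none here (reason not
# visible in this file), though they still receive restic/client_env.age above.
// perHostSecrets (host: path.append ./secrets/restic host) (
  attrsets.filterAttrs (host: _: host != "thot" && host != "cephiroth") hosts
)
# Secrets specific to each VM
// perHostSecrets (host: path.append ./secrets host) hosts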