let
  fcuny_aptos =
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIdlm/qoR/dnMjZhVSTtqFzkgN3Yf9eQ3pgKMiipg+dl";
  tahoe =
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEq1IQRvj2jofCHOO6M28w2SRdgtHU06NJvwAwv/b69F";
  all = [ fcuny_aptos tahoe ];
in
{
  "wireguard_privatekey.age".publicKeys = all;

  "acme/credentials.age".publicKeys = all;
  "acme/gcp_service_account.json.age" = {
    publicKeys = all;
    owner = "acme";
  };

  # see https://buildkite.com/docs/agent/v3/tokens
  "buildkite/agent.age" = {
    publicKeys = all;
    owner = "buildkite-agent-builder-1";
    group = "buildkite-agents";
    mode = "0440";
  };

  "buildkite/graphql.age" = {
    publicKeys = all;
    owner = "buildkite-agent-builder-1";
    group = "buildkite-agents";
    mode = "0440";
  };

  # the owner is gerrit, but we also want the builders to access this
  # configuration.
  "gerrit/hooks.age" = {
    publicKeys = all;
    owner = "git";
    group = "buildkite-agents";
    mode = "0440";
  };

  "gerrit/secure-config.age" = {
    publicKeys = all;
    owner = "git";
    path = "/var/lib/gerrit/etc/secure.config";
  };

  "syncthing/key.age" = {
    publicKeys = all;
    owner = "fcuny";
  };

  "syncthing/cert.age" = {
    publicKeys = all;
    owner = "fcuny";
  };

  "unifi/unifi-poller.age".publicKeys = all;

  "restic/repo-systems.age".publicKeys = all;
  "rclone/config.ini.age".publicKeys = all;
  "rclone/gcs_service_account.json.age".publicKeys = all;
}