diff --git a/nixos/secrets/atlas_host_ed25519.age b/nixos/secrets/atlas_host_ed25519.age index 36d8be2..e268114 100644 Binary files a/nixos/secrets/atlas_host_ed25519.age and b/nixos/secrets/atlas_host_ed25519.age differ diff --git a/nixos/secrets/atlas_user_ed25519.age b/nixos/secrets/atlas_user_ed25519.age index 403104f..cb4c5f7 100644 Binary files a/nixos/secrets/atlas_user_ed25519.age and b/nixos/secrets/atlas_user_ed25519.age differ diff --git a/nixos/secrets/borg_passphrase.age b/nixos/secrets/borg_passphrase.age index ccfb7ca..62a547f 100644 --- a/nixos/secrets/borg_passphrase.age +++ b/nixos/secrets/borg_passphrase.age @@ -1,6 +1,15 @@ age-encryption.org/v1 --> ssh-ed25519 aqswPA BWfWJ0Detm+1l0tYnjR9n5rIUBfdHb/wTnZnGoYx6SU -gp5vcIXtJpF6KJ0cHJ6GRpHQvxi7ij//1LH0afFoRuo ---- exwOM8D5yMcDFp0uzRnbD6TWSgs12WmZo7sKlnHYOwY - 4֚0 -e(+}f%^ kbד{WVPnד:6s \ No newline at end of file +-> ssh-ed25519 UwNSRQ Lr6HfHB1pQVAVESUkR1a1ie8o9cTtCa0LA4y20UvfRU +8X+VZUfk2oRrM+A4pZC/6yyexo2Kr8MO7isiXPsnOJk +-> ssh-ed25519 JJ7S4A fngT1OkV0pfig7UZ4vA8CWFDWc//xn2KWRsk1+EI0Ac +9J+I87tFasCug4rVaXJKNKzxr450YtZUypSTmwf/r7g +-> ssh-ed25519 aqswPA I/RtBp+6CgMOPs41nbd8CqBgpgch8ixRGbzacXSDKRE +adBD/lskyXK/QU+v/OlQ1wQK7PkhALpdxgHUc1i+jcU +-> ssh-ed25519 LAPUww JtDnT4+NqLMBc+LpQSh0eQnSyXzJOHHbaZFNQmxIdC0 +/DjWq9XUAH3xZvU1PlB7Q70LQ0x9SRMmaSYQ+DyQZEM +-> ssh-ed25519 vBZj5g 4YBFh5e32ZHr8byvd4vbZ9zljHO4FTrJGhsZiH//KVw +iA+foYHtgt2PjBG9yfBWNLeygiIbW3MsbUQdVWgyrno +-> ssh-ed25519 QP0PgA urlidySF5ZG9ILjdPuJPX6V/aDIAYzwBVd+XopDF5UA +NL/RxiKPRn+uZW37jJKLOHCaktuvzm0SIwcMmBgF5CY +--- aeaUWpBxSTjrcDDQa6Zk2dcdvhsdqs22JlvkduILpqE +噧Q )7btu+Ձ=MlMzs8 a \ No newline at end of file diff --git a/nixos/secrets/database_passwords.env.age b/nixos/secrets/database_passwords.env.age index 29f885b..0deb2ed 100644 --- a/nixos/secrets/database_passwords.env.age +++ b/nixos/secrets/database_passwords.env.age 
@@ -1,5 +1,15 @@ age-encryption.org/v1 --> ssh-ed25519 aqswPA nsjKPakYuFVxfbJkPKnhqPytMz07KIT32xgJpiuaRD0 -fv+HZdDb1Evy0LIA5sFMFx+KUbAF7jJojrQXMSSmNAo ---- zJOYXheC2OupvfQNtDfcUCkVMg3TqJQEFjTfAwyi/Pw -ΰmaJ^UZ>f@mG`rOY2#܎oΙ= S_.Ma3HLcBtZנ5c0=LK+!cutRU26ߪ)fPڳAU \ No newline at end of file +-> ssh-ed25519 UwNSRQ 4tVNE9qMbAvdgvUV/lllntSWjschSe3gY8nknp1DgQk +8nQh/bM1tkSyPd0j5Tn9DeUT6V4p8Fdk3GiGZUwoBwk +-> ssh-ed25519 JJ7S4A QHRi+zGVWfa6+l/gpUC1SyCSrDjMRk89MAYUVmdINWQ +RstWCyCv2sSQCqgcFT6Djza7gkztlFf3af1EvNQTg6k +-> ssh-ed25519 aqswPA BSwMu/VwsKqpHaqWbP7TNVE3kNWeGV1xdj2AhIhJOQE +1QwREnDoFi5UTd20dAbJEVeA9lp3R6746PTAyF5KRqQ +-> ssh-ed25519 LAPUww zFWdRmb38deepDWtFIlQYFA205jKrM6T4iU6nURnBU4 +gxA0pT9DKQMXMSJjQ+fFp7K6rhwHx90pXwFcBuc1ptI +-> ssh-ed25519 vBZj5g uYJyvL//qPFg1QXgvacb+0Z0+4NMTXCg5dddlVDJJDQ +2DqHQ6FIw8oCXbkZPl5fLmUVmXzBMLe9wFJsPSEDoZQ +-> ssh-ed25519 QP0PgA +CHjn/rPhNrsXSVMFgoyhSdhn8k6BWS58XSDwjipi0U +DGVkPVEMzPZDRPygjIxX4VWv9wbknmrMXFMAXnWVI1Q +--- GZXaTJpDKi0WIHeOzamI/MygV50iPVV94UFyqPMd1GA +%XQcZXZ\i#_ {LfOcEs"G:M D}{\.ن ~6 ,|Cv0*Rr74{usZ=s}YH:Zޅ&(vRMkq_PEKM"?k\֗ZP \ No newline at end of file diff --git a/nixos/secrets/ec2_borg_server.pem.age b/nixos/secrets/ec2_borg_server.pem.age index 05f15bc..9aa5f82 100644 Binary files a/nixos/secrets/ec2_borg_server.pem.age and b/nixos/secrets/ec2_borg_server.pem.age differ diff --git a/nixos/secrets/jefke_host_ed25519.age b/nixos/secrets/jefke_host_ed25519.age index f4fbc01..562718d 100644 Binary files a/nixos/secrets/jefke_host_ed25519.age and b/nixos/secrets/jefke_host_ed25519.age differ diff --git a/nixos/secrets/jefke_user_ed25519.age b/nixos/secrets/jefke_user_ed25519.age index 50588c7..177a74a 100644 Binary files a/nixos/secrets/jefke_user_ed25519.age and b/nixos/secrets/jefke_user_ed25519.age differ 
diff --git a/nixos/secrets/lewis_host_ed25519.age b/nixos/secrets/lewis_host_ed25519.age
index 78333f6..437d298 100644
Binary files a/nixos/secrets/lewis_host_ed25519.age and b/nixos/secrets/lewis_host_ed25519.age differ
diff --git a/nixos/secrets/lewis_user_ed25519.age b/nixos/secrets/lewis_user_ed25519.age
index 6639453..1af0f9c 100644
Binary files a/nixos/secrets/lewis_user_ed25519.age and b/nixos/secrets/lewis_user_ed25519.age differ
diff --git a/nixos/secrets/postgresql_server.key.age b/nixos/secrets/postgresql_server.key.age
index 21954cc..afc4810 100644
Binary files a/nixos/secrets/postgresql_server.key.age and b/nixos/secrets/postgresql_server.key.age differ
diff --git a/nixos/secrets/secrets.nix b/nixos/secrets/secrets.nix
index 9899923..577ba2e 100644
--- a/nixos/secrets/secrets.nix
+++ b/nixos/secrets/secrets.nix
@@ -1,44 +1,43 @@
-# TODO: Just encrypt each file with all hosts' public keys (plus our personal public keys) and deploy when demanded.
 let
 pkgs = import { };
 lib = pkgs.lib;
- secrets = {
- jefke = {
- publicKeys = [
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIJUSH2IQg8Y/CCcej7J6oe4co++6HlDo1MYDCR3gV3a pim@x260"
- ];
- encryptedFiles = [
- "jefke_host_ed25519.age"
- "jefke_user_ed25519.age"
- "postgresql_server.key.age"
- ];
- };
- atlas = {
- publicKeys = [
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKZ1OGe8jLyc+72SFUnW4FOKbpqHs7Mym85ESBN4HWV7 pim@x260"
- ];
- encryptedFiles = [
- "atlas_host_ed25519.age"
- "atlas_user_ed25519.age"
- ];
- };
- lewis = {
- publicKeys = [
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL5lZjsqS6C50WO8p08TY7Fg8rqQH04EkpDTxCRGtR7a pim@x260"
- ];
- encryptedFiles = [
- "lewis_host_ed25519.age"
- "lewis_user_ed25519.age"
- "database_passwords.env.age"
- "borg_passphrase.age"
- "ec2_borg_server.pem.age"
- ];
- };
- };
+
+ publicKeyURLs = [
+ "https://github.com/pizzapim.keys"
+ "https://github.com/pizzaniels.keys"
+ ];
+
+ encryptedFileNames = [
+ "jefke_host_ed25519.age"
+ "jefke_user_ed25519.age"
+ "postgresql_server.key.age"
+ "atlas_host_ed25519.age"
+ "atlas_user_ed25519.age"
+ "lewis_host_ed25519.age"
+ "lewis_user_ed25519.age"
+ "database_passwords.env.age"
+ "borg_passphrase.age"
+ "ec2_borg_server.pem.age"
+ ];
+
+ machinePublicKeys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIJUSH2IQg8Y/CCcej7J6oe4co++6HlDo1MYDCR3gV3a root@jefke.hyp"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKZ1OGe8jLyc+72SFUnW4FOKbpqHs7Mym85ESBN4HWV7 root@atlas.hyp"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL5lZjsqS6C50WO8p08TY7Fg8rqQH04EkpDTxCRGtR7a root@lewis.hyp"
+ ];
+
+ fetchPublicKeys = url:
+ let
+ publicKeysFile = builtins.fetchurl { inherit url; };
+ publicKeysFileContents = lib.strings.fileContents publicKeysFile;
+ in
+ lib.strings.splitString "\n" publicKeysFileContents;
+
+ adminPublicKeys = lib.flatten (builtins.map fetchPublicKeys publicKeyURLs);
+
+ allPublicKeys = lib.flatten [ machinePublicKeys adminPublicKeys ];
+
+ publicKeysForEncryptedFileName = encryptedFileName:
+ { "${encryptedFileName}".publicKeys = allPublicKeys; };
 in
-lib.attrsets.mergeAttrsList (builtins.map
- ({ publicKeys, encryptedFiles }:
- lib.attrsets.mergeAttrsList (builtins.map
- (encryptedFile: { "${encryptedFile}" = { inherit publicKeys; }; })
- encryptedFiles))
- (lib.attrsets.attrValues secrets))
+lib.attrsets.mergeAttrsList (builtins.map publicKeysForEncryptedFileName encryptedFileNames)
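Review bot: `fetchPublicKeys` makes the recipient set of every secret depend on an unpinned, mutable remote: `builtins.fetchurl { inherit url; }` carries no hash, so whatever keys the two GitHub accounts serve at evaluation time silently become able to decrypt all ten files on the next rekey, and evaluation now requires network access. Either inline the admin keys next to `machinePublicKeys` (they are as static as the host keys) or pin the download, e.g. `publicKeysFile = builtins.fetchurl { inherit url; sha256 = "<SHA256-OF-KEYS-FILE>"; };`, so a changed key list fails loudly instead of widening access. Relatedly, if a `.keys` file ever contains a blank line, `splitString "\n"` yields an empty recipient entry, so `builtins.filter (k: k != "") (lib.strings.splitString "\n" publicKeysFileContents)` is cheap insurance. Since `allPublicKeys` addresses every file to all three host keys as well, each machine can now decrypt the other machines' secrets (the recipient stanzas in the `.age` hunks grew from one to six); that matches the removed TODO's intent, but a comment on `allPublicKeys` such as `# every host can decrypt every secret: compromise of one host exposes them all` would make the trade-off explicit to the next maintainer.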