let
  pkgs = import <nixpkgs> { };
  lib = pkgs.lib;

  publicKeyURLs = [
    "https://github.com/pizzapim.keys"
    "https://github.com/pizzaniels.keys"
  ];

  encryptedFileNames = [
    "database_passwords.env.age"
    "borg_passphrase.age"
    "borgbase.pem.age"
    "k3s-server-token.age"
  ];

  machinePublicKeys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIJUSH2IQg8Y/CCcej7J6oe4co++6HlDo1MYDCR3gV3a jefke"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKZ1OGe8jLyc+72SFUnW4FOKbpqHs7Mym85ESBN4HWV7 atlas"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL5lZjsqS6C50WO8p08TY7Fg8rqQH04EkpDTxCRGtR7a lewis"
  ];

  fetchPublicKeys = url:
    let
      publicKeysFile = builtins.fetchurl { inherit url; };
      publicKeysFileContents = lib.strings.fileContents publicKeysFile;
    in
    lib.strings.splitString "\n" publicKeysFileContents;

  adminPublicKeys = lib.flatten (builtins.map fetchPublicKeys publicKeyURLs);

  allPublicKeys = lib.flatten [ machinePublicKeys adminPublicKeys ];

  publicKeysForEncryptedFileName = encryptedFileName:
    { "${encryptedFileName}".publicKeys = allPublicKeys; };
in
lib.attrsets.mergeAttrsList (builtins.map publicKeysForEncryptedFileName encryptedFileNames)