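# sops configuration: turns the SSH public keys of all admins and of every
# machine's host key into age recipients and builds the `creation_rules`
# list that tells sops which recipients may decrypt which secret files.
#
# Arguments:
#   lib                 - nixpkgs lib (used via `with lib;` below)
#   runCommandNoCCLocal - builder used to run ssh-to-age during evaluation
#   writeText           - stores an SSH public key so ssh-to-age can read it
#   ssh-to-age          - the ssh-to-age package
#   machines            - list of machine names; each needs an entry in `hosts`
#
# Returns:
#   { admin-keys = [ <age recipient> ... ];
#     config     = { creation_rules = [ ... ]; };   # serialise as .sops.yaml
#   }
{ lib, runCommandNoCCLocal, writeText, ssh-to-age, machines, ... }:

with lib;

let
  # SSH public keys of the people allowed to decrypt every secret.
  admins = {
    "fooker" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK2nkarN0+uSuP5sGwDCb9KRu+FCjO/+da4VypGanPUZ";
  };

  # SSH host public keys, one per machine.  A machine can only decrypt its
  # secrets once its host key is listed here (enforced by the assertion in
  # `machine-keys`).
  hosts = {
    "nfs" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMA+Q4wLe0AuZ8OC5BKJLrvmpKcy+6a8Iez9hCSVgtX8";
    "ldap" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFhkh5L4jYl/i4E+lBVDppHcoiohR/gDricyV2wY/3Np";
  };

  # Convert one SSH public key string into an age recipient string.
  #
  # The conversion is a derivation whose output is read back with `readFile`
  # while this file is being evaluated (import-from-derivation), so evaluating
  # the configuration requires being able to build locally.  Only public keys
  # pass through here, so nothing secret ends up in the store.
  sshToAge = ssh-key:
    let
      # Give the key file a real derivation name: an empty name is invalid in
      # current Nix and produces an unreadable store path.
      key-file = writeText "ssh-public-key" ssh-key;
      converted = runCommandNoCCLocal "hostkey-to-age" { } ''
        ${ssh-to-age}/bin/ssh-to-age < '${key-file}' > "$out"
      '';
    in
    # ssh-to-age prints a trailing newline that must not become part of the recipient.
    removeSuffix "\n" (readFile converted);

  # age recipient for each machine in `machines`, keyed by machine name.
  # Fails evaluation with a clear message when a machine has no host key yet.
  machine-keys = genAttrs machines (machine:
    let
      ssh-key =
        assert assertMsg (hasAttr machine hosts) ''
          SSH host key is not specified for machine '${machine}'.
          Make sure the SSH host key is added to `sops-config.nix` after initial provisioning.
          After changing the hosts, make sure to run `sops updatekeys` with all relevant secret files.
        '';
        getAttr machine hosts;
    in
    sshToAge ssh-key);

  # age recipients of every admin.
  admin-keys = mapAttrsToList (_: sshToAge) admins;

  # Build one sops creation rule.
  #
  # `path` is a directory prefix (null or "" for no prefix); the rule matches
  # `<path>/secrets.yaml` and everything below `<path>/secrets/`.  The regex is
  # anchored at both ends, so a nested `other/machines/x/secrets.yaml` does not
  # pick up the rule for `machines/x`.  `keys` is the list of age recipients
  # allowed to decrypt the matched files.
  mkRule = path: keys:
    let
      # "" is treated like null; previously it produced the prefix "/" which
      # could never match a relative path.
      prefix = if path == null || path == "" then "" else "${escapeRegex path}/";
    in
    {
      "path_regex" = "^${prefix}(${escapeRegex "secrets.yaml"}|secrets/.+)$";
      "key_groups" = [ { "age" = keys; } ];
    };

  # One rule per machine: readable by that machine's host key and by all admins.
  machine-rules = map
    (machine: mkRule "machines/${machine}" (admin-keys ++ singleton machine-keys.${machine}))
    machines;

  # A single rule for the top-level secrets, readable by all admins and by
  # every machine.  Because every host key is a recipient here, compromise of
  # any one machine is enough to decrypt these files; host-specific material
  # belongs under `machines/<name>/` where only that host's key is listed.
  global-rules = singleton (mkRule null (admin-keys ++ attrValues machine-keys));
in
{
  inherit admin-keys;

  # Attribute set to serialise as `.sops.yaml`: machine rules first so the
  # more specific paths are listed before the catch-all top-level rule.
  config = {
    "creation_rules" = concatLists [ machine-rules global-rules ];
  };
}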