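{ lib, callPackage, runCommandNoCCLocal, ssh-to-age, ... }:

with lib;

let
  # PGP fingerprints of the administrators. Every creation rule below adds
  # them as a recipient, so an admin can always decrypt and re-key a secret
  # even if a machine's host key is rotated or lost.
  adminKeys = [ "3237CA7A1744B4DCE96B409FB4C3BF012D9B26BE" ];

  # Machine descriptions. Each entry is expected to provide `name`, `type`
  # and `gather` (a directory holding that machine's gathered host keys);
  # those are the only attributes read here.
  machines = callPackage ./machines.nix { };

  # Convert an SSH ed25519 host *public* key file into an age recipient
  # string with ssh-to-age, at build time. Only the public half is read,
  # so nothing secret is copied into the Nix store.
  sshToKey = name: path:
    runCommandNoCCLocal "sops-key-${name}.pub" { } ''
      ${ssh-to-age}/bin/ssh-to-age < ${path} > $out
    '';

  # Machine name -> age recipient. `readFile` on a derivation output is
  # import-from-derivation: merely evaluating this file builds the
  # converters above. The trailing newline ssh-to-age prints is stripped
  # so the recipient can be used verbatim in the YAML.
  machineKeys = listToAttrs (map (machine:
    let
      keyFile = sshToKey "machine-${machine.name}"
        /${machine.gather}/ssh_host_ed25519_key.pub;
    in {
      inherit (machine) name;
      value = removeSuffix "\n" (readFile keyFile);
    }) machines);

  # Regex matching `<path>/secrets.yaml` or any file under `<path>/secrets/`.
  # `path` is regex-escaped, so it is treated literally.
  pattern = path:
    "^${escapeRegex path}/(${escapeRegex "secrets.yaml"}|secrets/.+)$";

  # One rule per machine: files under /machines/<type>/ are encrypted to
  # that machine's age key plus the admins.
  # NOTE(review): the regex is keyed on `machine.type` while the recipient
  # is looked up by `machine.name`. sops uses the first matching rule, so
  # if two machines share a type the second one's key is never included
  # -- confirm types are unique in machines.nix.
  # NOTE(review): this pattern is anchored on an absolute path
  # (`^/machines/...`) whereas the shared rule below is relative
  # (`^shared/...`); which form matches depends on whether the installed
  # sops compares path_regex against the absolute path or the path
  # relative to .sops.yaml -- verify against the sops version in use.
  machine_rules = map (machine: {
    path_regex = pattern "/machines/${machine.type}";
    key_groups = [{
      age = singleton (getAttr machine.name machineKeys);
      pgp = adminKeys;
    }];
  }) machines;
in {
  config = {
    # Order matters: sops takes the first rule whose path_regex matches,
    # so the per-machine rules must precede the shared rule.
    creation_rules = machine_rules ++ [{
      # Must be `path_regex`, like the machine rules above. The previous
      # key name (`relPath`) is not a sops creation-rule field and was
      # ignored; a rule with no path_regex matches every file, which made
      # this a catch-all encrypting any otherwise-unmatched secret to all
      # machine keys at once.
      path_regex = pattern "shared";
      key_groups = [{
        age = attrValues machineKeys;
        pgp = adminKeys;
      }];
    }];
  };
}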