# Recipient rules for the encrypted files under secrets/.
# Each attribute names one .age file and lists the SSH public keys that are
# allowed to decrypt it. Only public keys appear here, so the file is safe to
# commit; the matching private keys must never be added to the repository.
#
# NOTE(review): this looks like an agenix-style rules file - confirm.
# Editing a recipient list does not change files that are already encrypted:
# they have to be re-encrypted (with agenix, `agenix --rekey`) before the new
# list takes effect. Dropping a recipient does not revoke what that key could
# already decrypt from older ciphertext, so rotate the secret value as well.
let
  # Founder SSH public key (recipient). Safe to commit.
  founder = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJCBTSEEcBOhOkf3WF1e8xmblAZHvgTibFsqck2GY8D/";

  # Forge automation SSH public key (recipient). Safe to commit.
  forge = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFmKJt5+uilix5Ldiaaq1BhrYNjmV5lHcW7D/5inCCnO forge@every.channel";

  # ecp-forge host SSH key (recipient) so NixOS can decrypt runtime secrets
  # locally on that machine.
  ecpForgeHost = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFtifu+ktG7rBZgI7wlAzsaSkaX/PtPy22SThB2wKw3A root@ecp-forge";

  # Secrets that only the founder and the forge automation key may decrypt.
  operators = [ founder forge ];

  # Secrets that the ecp-forge host must also decrypt at runtime. The host key
  # is appended last so the recipient order stays founder, forge, host.
  # Whoever controls the ecp-forge host private key can read every secret
  # using this list, so keep the set of host-readable secrets minimal.
  operatorsAndHost = operators ++ [ ecpForgeHost ];

  # Wrap a recipient list in the { publicKeys = ...; } shape used per secret.
  readableBy = keys: { publicKeys = keys; };
in
{
  # Operator-only secrets: not decryptable on the ecp-forge host.
  "secrets/cloudflare-api-token.age" = readableBy operators;
  "secrets/forge-token.age" = readableBy operators;
  "secrets/codeberg-token.age" = readableBy operators;

  # Runtime secrets: also decryptable with the ecp-forge host key.
  "secrets/forgejo-api-token.age" = readableBy operatorsAndHost;
  "secrets/netboot-chain-token.age" = readableBy operatorsAndHost;
  "secrets/op-stack-sepolia-private-key.age" = readableBy operatorsAndHost;
  "secrets/op-stack-challenger-prestate.bin.gz.age" = readableBy operatorsAndHost;
}