let
  _sources = import ../npins;

  meta = import ../meta (import _sources.nixpkgs { }).lib;

  getAttr = flip builtins.getAttr;

  inherit (import ../lib/nix-lib) flip setDefault unique;
in

rec {
  # WARNING: When updating this list, make sure that the nodes and members are alphabetically sorted
  #          If not, you will face an angry maintainer
  _keys = (import "${_sources.infrastructure}/keys")._keys // {
    krz01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP4o65gWOgNrxbSd3kiQIGZUM+YD6kuZOQtblvzUGsfB" ];
    router02 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE5t0InDV9nTLEqXrenqMJZAjkCAmfzHk6LLLHme3k3j" ];
  };

  getKeys = ls: builtins.concatLists (builtins.map (getAttr _keys) ls);

  mkSecrets =
    nodes: setDefault { publicKeys = unique (rootKeys ++ (builtins.concatMap getNodeKeys' nodes)); };

  getNodeKeys' =
    node:
    let
      names = builtins.foldl' (names: group: names ++ meta.organization.groups.${group}) (
        meta.nodes.${node}.admins ++ [ node ]
      ) meta.nodes.${node}.adminGroups;
    in
    unique (getKeys names);

  getNodeKeys = node: rootKeys ++ getNodeKeys' node;

  # List of keys for the root group
  rootKeys = getKeys meta.organization.groups.root;

  # List of 'machine' keys
  machineKeys = rootKeys ++ (getKeys (builtins.attrNames meta.nodes));
}