# Recipient rules for the encrypted *.age secrets in this directory: each
# attribute names one secret file and lists the public keys it is encrypted to.
# NOTE(review): the "<file>.age".publicKeys layout matches the agenix
# secrets.nix convention; confirm which tool consumes this file.
#
# Only PUBLIC keys belong here; the matching private keys stay with the admin
# or on the host and are never committed.
# A recipient list takes effect only when the secret is encrypted again, so
# re-encrypt after every change to this file (with agenix: `agenix --rekey`).
# Dropping a key does not take back what its holder could already decrypt;
# rotate the secret value itself when access has to be withdrawn.
let
  # Admin public keys (for encrypting secrets locally).
  # Values still carrying a _REPLACE_WITH_ marker are placeholders, not usable
  # keys; substitute the real public keys before encrypting anything.
  superq = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA_REPLACE_WITH_SUPERQ_KEY";
  jet = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA_REPLACE_WITH_JET_KEY";
  adminKeys = [ superq jet ];

  # Host keys (generated after provisioning, replace with real keys).
  # Take each key from the provisioned machine over a trusted channel, since a
  # wrong key here would make the secrets readable by whoever holds its
  # private half.
  wikiHost = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA_REPLACE_WITH_WIKI_HOST_KEY";
  replicaHost = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA_REPLACE_WITH_REPLICA_HOST_KEY";
  everyHost = [ wikiHost replicaHost ];
  primaryHost = [ wikiHost ];

  # The two recipient sets used below. Admins come first in both, followed by
  # the hosts that need to decrypt the secret at runtime.
  sharedRule = { publicKeys = adminKeys ++ everyHost; };
  primaryRule = { publicKeys = adminKeys ++ primaryHost; };
in
{
  # Shared secrets (both hosts).
  # Either host key can decrypt these, so a compromise of the replica exposes
  # all four. Add a secret here only when the replica really needs it.
  "tailscale-auth.age" = sharedRule;
  "mysql-mediawiki.age" = sharedRule;
  "mysql-replication.age" = sharedRule;
  "mediawiki-secret-key.age" = sharedRule;

  # Primary-only secrets.
  # The replica host key is deliberately absent from these recipient lists.
  "grafana-admin.age" = primaryRule;
  "prometheus-auth.age" = primaryRule;
  "b2-credentials.age" = primaryRule;
  "discord-webhook.age" = primaryRule;
  "mediawiki-recaptcha.age" = primaryRule;
}