{ inputs, lib, ... }:
{
  gnupg.keys = {
    "Julien Moutinho <julm@sourcephile.fr>" = {
      uid = "Julien Moutinho <julm@sourcephile.fr>";
      algo = "rsa4096";
      expire = "3y";
      usage = [ "cert" "sign" ];
      passPath = "members/julm/gpg/password";
      subKeys = [
        { algo = "rsa4096"; expire = "3y"; usage = [ "sign" ]; }
        { algo = "rsa4096"; expire = "3y"; usage = [ "encrypt" ]; }
        { algo = "rsa4096"; expire = "3y"; usage = [ "auth" ]; }
      ];
      backupRecipients = [ "" ];
    };
    "Julien Moutinho <julm@mermet>" = {
      uid = "Julien Moutinho <julm@mermet>";
      algo = "rsa4096";
      expire = "3y";
      usage = [ "cert" "sign" ];
      passPath = "members/julm/gpg/password";
      subKeys = [
        { algo = "rsa4096"; expire = "3y"; usage = [ "sign" ]; }
        { algo = "rsa4096"; expire = "3y"; usage = [ "encrypt" ]; }
        { algo = "rsa4096"; expire = "3y"; usage = [ "auth" ]; }
      ];
      backupRecipients = [ "" ];
    };
  } // lib.listToAttrs (
    let domain = "sourcephile.fr"; in
    builtins.map
      (host: lib.nameValuePair "root@${host}.${domain}" {
        uid = "root@${host}.${domain}";
        algo = "rsa4096";
        expire = "0";
        usage = [ "cert" "sign" ];
        passPath = "hosts/${host}/gnupg/root";
        subKeys = [
          { algo = "rsa4096"; expire = "0"; usage = [ "encrypt" ]; }
        ];
        backupRecipients = [ "" ];
      })
      (builtins.attrNames inputs.self.nixosConfigurations)
  );
}