{ pkgs, lib, config, ... }:
{
gnupg.keys = {
"Julien Moutinho <julm@sourcephile.fr>" = {
  uid = "Julien Moutinho <julm@sourcephile.fr>";
  algo   = "rsa4096";
  expire = "3y";
  usage  = ["cert" "sign"];
  passPath = "members/julm/gpg/password";
  subKeys = [
    { algo = "rsa4096"; expire = "3y"; usage = ["sign"]; }
    { algo = "rsa4096"; expire = "3y"; usage = ["encrypt"]; }
    { algo = "rsa4096"; expire = "3y"; usage = ["auth"]; }
  ];
  backupRecipients = [""];
};
"Julien Moutinho <julm@mermet>" = {
  uid = "Julien Moutinho <julm@mermet>";
  algo   = "rsa4096";
  expire = "3y";
  usage  = ["cert" "sign"];
  passPath = "members/julm/gpg/password";
  subKeys = [
    { algo = "rsa4096"; expire = "3y"; usage = ["sign"]; }
    { algo = "rsa4096"; expire = "3y"; usage = ["encrypt"]; }
    { algo = "rsa4096"; expire = "3y"; usage = ["auth"]; }
  ];
  backupRecipients = [""];
};
} // lib.listToAttrs (
  let domain = "sourcephile.fr"; in
  builtins.map (srv: lib.nameValuePair "root@${srv}.${domain}" {
  uid = "root@${srv}.${domain}";
  algo = "rsa4096";
  expire = "0";
  usage = ["cert" "sign"];
  passPath = "machines/${srv}/root/key.pass";
  subKeys = [
    { algo = "rsa4096"; expire = "0"; usage = ["encrypt"]; }
  ];
  backupRecipients = [""];
  # This encrypt subkey is put into a root/key.gpg, and then on the Nix stores,
  # to decrypt machines."${srv}".security.pass.secrets .
  # Its passphrase in root/key.pass is decrypted and sent by ssh before each call to nix copy
  # by adding to machines."${srv}".install.nixos-ssh.script .
  postRun = ''
    info "  generate $GNUPGHOME/machines/${srv}/root/key.gpg"
    test -s "$GNUPGHOME/machines/${srv}/root/key.gpg" || {
      mkdir -p "$GNUPGHOME/machines/${srv}/root"
      ${pkgs.gnupg}/bin/gpg --batch --pinentry-mode loopback --export-secret-keys --armor \
       --passphrase-fd 3 3< <(${pkgs.gnupg}/bin/gpg --decrypt "$PASSWORD_STORE_DIR/machines/${srv}/root/key.pass.gpg") \
       --export-options export-minimal @root@${srv}.${domain} |
      ${pkgs.gnupg}/bin/gpg --symmetric --batch --pinentry-mode loopback \
       --passphrase-fd 3 3< <(${pkgs.gnupg}/bin/gpg --decrypt "$PASSWORD_STORE_DIR/machines/${srv}/root/key.pass.gpg") \
       --output "$GNUPGHOME/machines/${srv}/root/key.gpg"
    }
  '';
}) (builtins.attrNames (import ../machines.nix)));
}