keys:
  - &nerf age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln
  - &gonne age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7

  - &nyarlathotep age1s99d0vlj5qlm287n98jratql5fypvjrxxal0k5jl2aw9dcc8kyvqw5yyt4
  - &bragi age1lqvgpmlemyg9095ujck64u59ma29656zs7a4yxgz4s6u5cld2ccss69jwe
  - &lobon age12nz7dtc0m5wasxm4r9crtkgwnzvauyfp0xh0n8z8jld0arn9ea9qe0agvn

creation_rules:
  - path_regex: nixos/machines/nyarlathotep/.*
    key_groups:
      - age:
        - *nerf
        - *gonne
        - *nyarlathotep
  - path_regex: nixos/machines/bragi/.*
    key_groups:
      - age:
        - *nerf
        - *gonne
        - *bragi
  - path_regex: nixos/machines/lobon/.*
    key_groups:
      - age:
        - *nerf
        - *gonne
        - *lobon
  # this is the catchall clause if nothing above machtes. Encrypt to users but not
  # to machines
  - key_groups:
      - age:
        - *nerf
        - *gonne