diff --git a/hosts/clerie-backup/ssh.pub b/hosts/clerie-backup/ssh.pub
new file mode 100644
index 0000000..10f458b
--- /dev/null
+++ b/hosts/clerie-backup/ssh.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBsTlqDyK726hwhX8lbs9EhMrkf3LsKIm5Ya3k39C7VZ
diff --git a/secrets.nix b/secrets.nix
index 4f98257..a9044a9 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -1,10 +1,20 @@
 let
- users = {
- clerie = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIzEQEWeunhkzP+invKjdsZe4rbUloixa374bYEhBSA5 clerie_id";
- };
- hosts = {
- clerie-backup = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBsTlqDyK726hwhX8lbs9EhMrkf3LsKIm5Ya3k39C7VZ";
- };
-in {
- "hosts/clerie-backup/secrets/restic-server-cyan-htpasswd.age".publicKeys = [ users.clerie hosts.clerie-backup ];
-}
+ pubkeysFor = directory: let
+ instances = builtins.attrNames (builtins.readDir directory);
+ instancesWithPubkey = builtins.filter (i: builtins.pathExists (directory + "/${i}/ssh.pub")) instances;
+ in
+ builtins.listToAttrs (map (i: { name = i; value = builtins.readFile (directory + "/${i}/ssh.pub"); }) instancesWithPubkey);
+
+ users = pubkeysFor ./users;
+ hosts = pubkeysFor ./hosts;
+
+ secretsForHost = hostname: let
+ secretsFiles = builtins.attrNames (builtins.readDir (./hosts + "/${hostname}/secrets"));
+ listOfSecrets = builtins.filter (i: (builtins.stringLength i) > 4 && builtins.substring ((builtins.stringLength i) - 4) (builtins.stringLength i) i == ".age") secretsFiles;
+ in
+ if builtins.pathExists (./hosts + "/${hostname}/secrets") && builtins.pathExists (./hosts + "/${hostname}/ssh.pub") then
+ map (secret: { name = "hosts/${hostname}/secrets/${secret}"; value = { publicKeys = [ users.clerie hosts."${hostname}" ]; }; }) (listOfSecrets ++ [ "new" ])
+ else
+ [];
+in
+ builtins.listToAttrs (builtins.concatMap (hostname: secretsForHost hostname) (builtins.attrNames (builtins.readDir ./hosts)))
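Review bot: In `pubkeysFor`, `builtins.readFile` returns the `ssh.pub` contents verbatim, so each recipient string now carries the file's trailing newline, unlike the inline literals the hunk removes; unless the age recipient parsing is known to tolerate that, strip it with `value = builtins.replaceStrings [ "\n" ] [ "" ] (builtins.readFile (directory + "/${i}/ssh.pub"));`. The `[ "new" ]` appended in `secretsForHost` bypasses the `.age` suffix filter and registers a `hosts/<host>/secrets/new` rule for every host; if this is a deliberate placeholder so a not-yet-existing secret can be created, a comment such as `# placeholder rule so a fresh secret can be edited before the file exists` would stop the next reader from removing it as debug residue. `users.clerie` is now resolved from `./users/clerie/ssh.pub` and evaluation fails with a generic missing-attribute error if that file is absent, so a short comment at its use site naming that dependency would help. The `else []` branch silently drops every `.age` file of a host without an `ssh.pub`, which means such secrets end up with no rule at all rather than an error; at minimum that behaviour deserves a comment, and a `builtins.throw` would make the misconfiguration visible.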