diff --git a/agenix/dns/tuxcord.net/error.tuxcord.net.key.age b/agenix/dns/tuxcord.net/error.tuxcord.net.key.age new file mode 100644 index 0000000..74971c1 Binary files /dev/null and b/agenix/dns/tuxcord.net/error.tuxcord.net.key.age differ diff --git a/agenix/dns/tuxcord.net/javalsai.tuxcord.net.key.age b/agenix/dns/tuxcord.net/javalsai.tuxcord.net.key.age new file mode 100644 index 0000000..f8b1d95 --- /dev/null +++ b/agenix/dns/tuxcord.net/javalsai.tuxcord.net.key.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 Wl2fDA 3CWPYLgoTMGb9gBbDzZIQxYJ9Gfm49g6lqQyqlegUDQ +ryhsPP5+Byus2e5GSXDJlKYX1o3HfQ87CLRv2htU4n4 +-> ssh-ed25519 EiAAKw B2uGdkeC3OZISN2iH2DR1J7L3/mbuFvebzqaTdAURCw +ze0X/MmHP78rRqAn0O3VBtnMJsiOXPk8RIe82tdQMeg +--- kLBxPuJdbPmJ1Lz3iBu8EPItdZtpNHIyV6pz1QzhcUY +3P>gh@AZz-6Rzڢ[Py?ɎUSN&#}R+o?.B&5]WOΉPuh=t5|דs׀&!-TSfՙ-j"#iwzjH \ No newline at end of file diff --git a/agenix/secrets.nix b/agenix/secrets.nix index eafb482..65bb806 100644 --- a/agenix/secrets.nix +++ b/agenix/secrets.nix 
@@ -1,17 +1,25 @@ let - users = import ../lib/ssh/keys.nix; + inherit (import ../lib) + users + adminSSHKeys + attrsToList + getSSHKeys + ; tuxcord-ca = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPxiko5Csyq9UODglYzLBvRfxkhQu9GXP7SH2BpC8G/7"; in { - "ntfy.age".publicKeys = [ tuxcord-ca ] ++ builtins.attrValues users; + "ntfy.age".publicKeys = [ tuxcord-ca ] ++ adminSSHKeys; # tsig-keygen etc.sub.domain.tld. - "dns/tuxcord.net/tuxcord.net.key.age".publicKeys = [ tuxcord-ca ] ++ [ users.error users.javalsai ]; - # "dns/tuxcord.net/XXX.tuxcord.net.key.age".publicKeys = [ tuxcord-ca ] ++ [ users.XXX ]; - - "dns/tuxcord.test/tuxcord.test.key.age".publicKeys = [ tuxcord-ca ] ++ builtins.attrValues users; - "dns/tuxcord.test/sub.tuxcord.test.key.age".publicKeys = [ tuxcord-ca ] ++ builtins.attrValues users; - - "dns/nix.tuxcord.net/nix.tuxcord.net.key.age".publicKeys = [ tuxcord-ca ] ++ builtins.attrValues users; + "dns/tuxcord.net/tuxcord.net.key.age".publicKeys = [ tuxcord-ca ] ++ adminSSHKeys; + "dns/nix.tuxcord.net/nix.tuxcord.net.key.age".publicKeys = [ tuxcord-ca ] ++ adminSSHKeys; + "dns/tuxcord.test/tuxcord.test.key.age".publicKeys = [ tuxcord-ca ] ++ adminSSHKeys; + "dns/tuxcord.test/sub.tuxcord.test.key.age".publicKeys = [ tuxcord-ca ] ++ adminSSHKeys; } +// builtins.listToAttrs ( + map (user: { + name = "dns/tuxcord.net/${user.name}.tuxcord.net.key.age"; + value.publicKeys = [ tuxcord-ca ] ++ getSSHKeys user.name; + }) (builtins.filter (user: user.value.ddns or false) (attrsToList users)) +)
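Review bot: Narrowing the recipients of `ntfy.age` and the `tuxcord.test` / `nix.tuxcord.net` keys from every user to `adminSSHKeys` only takes effect once those files are re-encrypted, and no rekeyed `.age` files for them appear in the part of the diff visible here (they may be elsewhere in the commit). Even after `agenix --rekey`, anyone who was a recipient before can still decrypt the old ciphertext kept in git history, so the TSIG keys and the ntfy secret would need rotating if the aim is to withdraw access. `dns/tuxcord.net/tuxcord.net.key.age` moves from `[ users.error users.javalsai ]` to `adminSSHKeys`, which may widen or narrow its audience depending on how that list is defined in `../lib`, so that is worth confirming. I would add a comment above the static entries such as `# recipients changed: rekey with agenix --rekey, and rotate the secret when removing access`. A second comment above the generated block would also help, such as `# one key file per user with ddns = true, encrypted to tuxcord-ca plus getSSHKeys for that user`.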