{
  config,
  writers,
  curl,
  lib,
  ...
}:
writers.writeBashBin "update-gitea-keys" ''
  set -xev
  gitea_api_key="$(${lib.getExe config.vacu.wrappedSops} --extract '["git.uninsane.org"]' -d ${../secrets/misc/git-keys.json})"
  api_base="https://git.uninsane.org/api/v1"
  api_keys="$api_base/user/keys"
  curl_common=( \
    ${lib.getExe curl} \
    --header "Authorization: token $gitea_api_key" \
    --header "Content-Type: application/json" \
  )
  # declare -p curl_common
  echo GET "$api_keys"
  resp="$("''${curl_common[@]}" "$api_keys")"
  for url in $(echo "$resp" | jq .[].url -r); do
    echo DELETE "$url"
    "''${curl_common[@]}" "$url" -X DELETE
  done
  
  new_keys=(${lib.escapeShellArgs (lib.mapAttrsToList (label: sshKey: builtins.toJSON {
    key = sshKey;
    read_only = false;
    title = label;
  }) config.vacu.ssh.authorizedKeys)})
  for keydata in "''${new_keys[@]}"; do
    echo POST "$api_keys"
    "''${curl_common[@]}" "$api_keys" -X POST --data "$keydata"
  done
''