From db5e8855d2bab85f3f65d4f4e3f2259601f5f664 Mon Sep 17 00:00:00 2001
From: hektor
Date: Wed, 15 Apr 2026 20:06:44 +0200
Subject: [PATCH] fix(nix-secrets): use simplified signing key setup

---
 flake.lock                  | 30 +++++++++++++++---------------
 hosts/hecuba/default.nix    |  5 -----
 modules/common/default.nix  |  3 +++
 modules/secrets/default.nix | 11 ++++-------
 4 files changed, 22 insertions(+), 27 deletions(-)

diff --git a/flake.lock b/flake.lock
index 7dfece37..9a147584 100644
--- a/flake.lock
+++ b/flake.lock
@@ -121,11 +121,11 @@
       },
       "locked": {
         "dir": "pkgs/firefox-addons",
-        "lastModified": 1775966594,
-        "narHash": "sha256-pnRtaqTr7ut8dz8b04OWAanUM4tGhDUJz8SWmeTRp7U=",
+        "lastModified": 1776225785,
+        "narHash": "sha256-yrRZkEEtTwJcIXzxL/nCFpyGsz7VmkOJSoyx/AX6Ri8=",
         "owner": "rycee",
         "repo": "nur-expressions",
-        "rev": "000d1d2322d28fa0a51b8db9f85a227aa5413b52",
+        "rev": "c09a1a34c147aefac0ff10017644ca17a3230e8c",
         "type": "gitlab"
       },
       "original": {
@@ -342,11 +342,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1775983377,
-        "narHash": "sha256-ZeRjipGQnVtQ/6batI+yVOrL853FZsL0m9A63OaSfgM=",
+        "lastModified": 1776184304,
+        "narHash": "sha256-No6QGBmIv5ChiwKCcbkxjdEQ/RO2ZS1gD7SFy6EZ7rc=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "e0ca734ffc85d25297715e98010b93303fa165c4",
+        "rev": "3c7524c68348ef79ce48308e0978611a050089b2",
         "type": "github"
       },
       "original": {
@@ -398,10 +398,10 @@
     "nix-secrets": {
       "flake": false,
       "locked": {
-        "lastModified": 1776003473,
-        "narHash": "sha256-v87721Nfc5qnevsgGkaAO+MpeJdfgPtBpazs6N5dUiI=",
+        "lastModified": 1776276250,
+        "narHash": "sha256-j7Bs6ZHkOrCM4GKVmeOJDTYgxWPOys9saCkiQ+BExPU=",
         "ref": "main",
-        "rev": "d95fb37764e5033ad2cdf543f7d8acccb36146c8",
+        "rev": "d27bff628f13bedfaad5011437e00ec62feceb56",
         "shallow": true,
         "type": "git",
         "url": "ssh://git@github.com/hektor/nix-secrets"
@@ -665,11 +665,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1775971308,
-        "narHash": "sha256-VKp9bhVSm0bT6JWctFy06ocqxGGnWHi1NfoE90IgIcY=",
+        "lastModified": 1776119890,
+        "narHash": "sha256-Zm6bxLNnEOYuS/SzrAGsYuXSwk3cbkRQZY0fJnk8a5M=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "31ac5fe5d015f76b54058c69fcaebb66a55871a4",
+        "rev": "d4971dd58c6627bfee52a1ad4237637c0a2fb0cd",
         "type": "github"
       },
       "original": {
@@ -714,11 +714,11 @@
         "tinted-zed": "tinted-zed"
       },
       "locked": {
-        "lastModified": 1775936757,
-        "narHash": "sha256-KJO/7qoxJ+hlsb3WlFSl6IGrExBIf1GvKdrhOlnGdKY=",
+        "lastModified": 1776170745,
+        "narHash": "sha256-Tl1aZVP5EIlT+k0+iAKH018GLHJpLz3hhJ0LNQOWxCc=",
         "owner": "danth",
         "repo": "stylix",
-        "rev": "d3e447786b74d62c75f665e17cb3e681c66e90c7",
+        "rev": "e3861617645a43c9bbefde1aa6ac54dd0a44bfa9",
         "type": "github"
       },
       "original": {
diff --git a/hosts/hecuba/default.nix b/hosts/hecuba/default.nix
index 9672086f..f19fee7c 100644
--- a/hosts/hecuba/default.nix
+++ b/hosts/hecuba/default.nix
@@ -64,11 +64,6 @@
     ];
   };
 
-  nix.settings.trusted-users = [
-    "root"
-    "@wheel"
-  ];
-
   environment.systemPackages = with pkgs; [
     vim
     git
diff --git a/modules/common/default.nix b/modules/common/default.nix
index 7ff0fae0..2e0e51c2 100644
--- a/modules/common/default.nix
+++ b/modules/common/default.nix
@@ -39,6 +39,9 @@ in
       "nix-command"
       "flakes"
     ];
+    settings.trusted-public-keys = [
+      "nix-signing-key:M6ouQRFl/bZ5QQrceQUyar6P7o8qg4wwVkxD1SSLL2k="
+    ];
   };
 
   system.autoUpgrade = {
diff --git a/modules/secrets/default.nix b/modules/secrets/default.nix
index 052a1de1..45c37909 100644
--- a/modules/secrets/default.nix
+++ b/modules/secrets/default.nix
@@ -29,10 +29,6 @@ in
 
     nixSigningKey = {
       enable = lib.mkEnableOption "nix signing key configuration";
-      name = lib.mkOption {
-        type = lib.types.str;
-        default = "${config.host.name}-nix-signing-key";
-      };
     };
 
     yubikey = {
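Review bot: The `trusted-public-keys` entry added in modules/common/default.nix makes every host importing the common module accept any store path carrying a signature from this key, yet nothing next to it says which private key it pairs with or what a rotation involves. A short comment above the list would stop the two halves drifting apart: `# Public half of the nix store signing key; the private half is the sops secret nix-signing-key (nix.yaml, key "signing-key") used in nix.settings.secret-key-files. Rotate both together and re-sign/rebuild before removing the old entry.` Since trust is fleet-wide, it is also worth stating in that comment which hosts are meant to hold the private key, so a compromise of one builder is recognised as a compromise of store trust everywhere. Whether this definition merges with or replaces the NixOS default `cache.nixos.org-1` key depends on how the option is declared upstream; if a host relies on the public cache, confirm that key is still present in the generated nix.conf.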
@@ -52,8 +48,9 @@ in
     secrets = lib.mkMerge [
       (mkSopsSecrets "email" [ "personal" "work" ] { inherit owner; })
       (lib.mkIf cfg.nixSigningKey.enable {
-        ${cfg.nixSigningKey.name} = {
-          sopsFile = "${sopsDir}/${cfg.nixSigningKey.name}.yaml";
+        nix-signing-key = {
+          sopsFile = "${sopsDir}/nix.yaml";
+          key = "signing-key";
           inherit owner;
         };
       })
@@ -61,7 +58,7 @@ in
   };
 
   nix.settings.secret-key-files = lib.mkIf cfg.nixSigningKey.enable [
-    config.sops.secrets.nix-signing-key.path
+    config.sops.secrets.nix-signing-key.path
   ];
 
   services = {
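Review bot: The `nix-signing-key` secret keeps `inherit owner;`, the same owner the email secrets use, but the only consumer visible in this file is `nix.settings.secret-key-files`, which the nix daemon reads as root. If `owner` is a non-root login user (it is defined outside the hunk), every process running under that account can read the signing private key and mint signatures that all hosts trust via `trusted-public-keys`. Unless an unprivileged `nix store sign` workflow needs it, drop `inherit owner;` from this secret so sops-nix's default root ownership applies, or set `owner = "root"; mode = "0400";` explicitly. The enclosing `secrets = lib.mkMerge [` list closes outside the hunk, so any other consumers of the key are not visible here.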