diff --git a/configurations/nixos/forgejo-runner-tofu/default.nix b/configurations/nixos/forgejo-runner-tofu/default.nix
index 15d3b9a..7f6af15 100644
--- a/configurations/nixos/forgejo-runner-tofu/default.nix
+++ b/configurations/nixos/forgejo-runner-tofu/default.nix
@@ -34,6 +34,10 @@ in
     # group = "gitea-runner";
     mode = "0777";
   };
+  sops.secrets.forgejo-nix-key = { };
+  nix.settings = {
+    secret-key-files = config.sops.secrets.forgejo-nix-key.path;
+  };
   services.gitea-actions-runner = {
     package = pkgs.forgejo-runner;
     instances = {
diff --git a/modules/nixos/common/nix.nix b/modules/nixos/common/nix.nix
new file mode 100644
index 0000000..4fa70af
--- /dev/null
+++ b/modules/nixos/common/nix.nix
@@ -0,0 +1,19 @@
+{
+  lib,
+  config,
+  pkgs,
+  self',
+  ...
+}:
+{
+  nix.settings = {
+    trusted-public-keys = [
+      "forgejo-runner-tofu.local:iaY0LQcytexYeZWKbV3EaoHWmvS3tThLWDUYN02T534="
+      "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
+    ];
+    substituters = [
+      "https://cache.nixos.org/"
+    ];
+  };
+
+}
diff --git a/secrets.yaml b/secrets.yaml
index b8cc687..2036413 100644
--- a/secrets.yaml
+++ b/secrets.yaml
@@ -1,5 +1,6 @@
 otfenv: ENC[AES256_GCM,data:vHSZN364zAhuTBii4IGbQk3bPCu7GBR7K8Z8ce3U/uIOCXNvEi3micq+AEPEooPEQkWL/eslg92uREcgo/JEMYbSuWHWLFNNehhYTeBZ+YXLwuDgJLWzaJGouktF1aF7uQDMsydaX2UjUnLQjf/VdJm3YnoJAGE3QQtbp9ehK0YiHA1hS3XMlwvNuepZfX8Hx7qZTEs6zNa3R8tZvj24jryVsGFvTN+0R1pb7YvqXeLhR3tCkm53S2IJFFXebq2EdaHNbyEIGmfcK2uhdSvpXiGI,iv:lwADUz6mA//G0/jAdAp1eRkn9RvRXXzps5r5RIpWR5A=,tag:YlNtrT4t0R6SYxIR1tRe4g==,type:str]
 forgejo-runners-token: ENC[AES256_GCM,data:y6m9JciySpqJ8QOtHGoUG5McPXyZSODqRHCLVY0m+O+vfys2tvmkK3fGKtOlNA==,iv:NYbjaOkRumwJbZBPZlltIeQkaNOrUKQLmVb0uFNXX+g=,tag:f+rH81mGvS0QKrfmLoXEHQ==,type:str]
+forgejo-nix-key: ENC[AES256_GCM,data:LKC8t2KSrILh0nc5xlSgQ9OuhQcc3m84fE9UJeVi1lXsv0mn+MddQw083WaDxMdlZKjbH0QclDfIkJCbHpJ/wEWVXzkVGErCJmdWeH1YEgElj5FuaFrDmbKNn8rhV7t3FYn04ni8iypLV/wPBqvVI/Yt,iv:r/SHHXjA2raRIKs/fZxJodVgMunp+RmL1SjVZOGli+E=,tag:MmBhUHCZRgSW2uhBd4o72A==,type:str]
 sops:
     age:
         - recipient: age1ja6zky2xlptgmu04ghp30z9gcyw240p4p8jpqeznt9msmmrwjdjshl6rx3
@@ -38,7 +39,7 @@ sops:
             aXdJMnFId3Nnc093cVpNOGUyKzFuYlEKaszE8RHwN9EQYKemh9fVq6O/YxmC5nMM
             hV6FMTuZC/pE75Zzmz8f2ZFHJrqwQB/2xgTpMiudvbQHrZRUEKMCEA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-06-19T23:51:21Z"
-    mac: ENC[AES256_GCM,data:gw9Z6NBqNqNRh+34pL9jis4x01AOx7+4dVQn69dciWcxSoWltfyUxj0LkthKYWSVezv4nruB3PAShNaTdn2xdmDhCoT/MuSeMa7VrnblyFzPs0yshdOoaqk8zit4pjegZCrpbUh4TYZs0Tfjhd58PoSGaCpqtESTSfR6wL76U/g=,iv:xfYQHTTSlmRavM/HR+cATIKuvEwzIoU8iHkUM0/XdDo=,tag:Ujk7J2qwd5vcxBz+Q3JDUw==,type:str]
+    lastmodified: "2025-06-26T00:55:16Z"
+    mac: ENC[AES256_GCM,data:UYsuGDLofBEMqj0qcZKmRxVDKOdaS15jzpLerSGxA5EWoqcoJohYBz1STTtobBtfnVa1UV/EOPXKqsONv2iWe4HKJh5byKwJm3Y3omGbd/8xm+o1q9EKB9CZJAHlOkBl6rgkWnlApgxpPaD1FFsAeTTwndnrTPeefBsMTs4H03w=,iv:SK5bNm5LN1xp5FJIxvaz5claDJw/MtRt+q4bSM34Eqg=,tag:mx/JkyYNKk1vkGRLtyBZwA==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.10.2