diff --git a/nixos/roles/admins.nix b/nixos/roles/admins.nix
index 1bc6d4c..7b8c524 100644
--- a/nixos/roles/admins.nix
+++ b/nixos/roles/admins.nix
@@ -3,21 +3,28 @@ with lib; let
 admins = {
 nerf = {
 hashedPassword = "$y$j9T$SJcjUIcs3JYuM5oyxfEQa/$tUBQT07FK4cb9xm.A6ZKVnFIPNOYMOKC6Dt6hadCuJ7";
- keys = [
+ sshKeys = [
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEdA4LpEGUUmN8esFyrNZXFb2GiBID9/S6zzhcnofQuP nerf@nerflap2"
 ];
+ nixKeys = [ "nerflap2-1:pDZCg0oo9PxNQxwVSQSvycw7WXTl53PGvVeZWvxuqJc=" ];
 };
 gonne = {
 hashedPassword = "$6$EtGpHEcFkOi0yUWp$slXf0CvIUrhdqaoCrQ5YwtYu2IVuE1RGGst4fnDPRLWVm.lYx0ruvSAF2/vw/sLbW37ORJjlb0NHQ.kSG7cVY/";
- keys = [
+ sshKeys = [
 "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIAhwkSDISCWLN2GhHfxdZsVkK4J7JoEcPwtNbAesb+BZAAAABHNzaDo= Gonne"
 ];
+ nixKeys = [ "gonne.mathebau.de-1:FsXFyFiBFE/JxC9MCkt/WuiXjx5dkRI9RXj0FxOQrV0=" ];
 };
 };
 mkAdmin = name: {
 hashedPassword,
- keys,
+ sshKeys,
+ ...
 }: {
 "${name}" = {
 isNormalUser = true;
@@ -25,10 +32,12 @@ with lib; let
 extraGroups = ["wheel"];
 group = "users";
 home = "/home/${name}";
- openssh.authorizedKeys = {inherit keys;};
+ openssh.authorizedKeys = {keys = sshKeys;};
 inherit hashedPassword;
 };
 };
+ mkNixKeys = _: {nixKeys, ...}: nixKeys;
 in {
 users.users = mkMerge (mapAttrsToList mkAdmin admins);
+ nix.settings.trusted-public-keys = lists.concatLists (mapAttrsToList mkNixKeys admins);
 }
diff --git a/nixos/roles/default.nix b/nixos/roles/default.nix
index 2936ac3..851db7c 100644
--- a/nixos/roles/default.nix
+++ b/nixos/roles/default.nix
@@ -5,18 +5,11 @@
 }: {
 imports = [
 ./admins.nix
- ./nix_keys.nix
+ ./nix.nix
 ./prometheusNodeExporter.nix
 ../modules/impermanence.nix
 ];
- nix = {
- extraOptions = ''
- experimental-features = nix-command flakes
- builders-use-substitutes = true
- '';
- };
 networking = {
 firewall = {
 # these shoud be default, but better make sure!
diff --git a/nixos/roles/nix.nix b/nixos/roles/nix.nix
new file mode 100644
index 0000000..543ac7d
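Review bot: The `admins` set now carries three kinds of credential with very different blast radius, yet nothing at the definition says what each field is for or where it ends up, so the next person adding an account has to read `mkAdmin` and `mkNixKeys` to find out. A comment above `admins = {` would do: `# One entry per admin. hashedPassword: mkpasswd hash for local login; sshKeys: authorized_keys lines; nixKeys: Nix store signing public keys (name:base64) that every host importing this role will trust for signed store paths.` The two password hashes also use different schemes (`$y$` yescrypt for nerf, `$6$` sha512crypt for gonne); both are accepted, but if uniform hardening is wanted, regenerating gonne's with `mkpasswd -m yescrypt` would align them. `mkAdmin`'s body continues past the end of this hunk.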
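Review bot: `mkNixKeys = _: {nixKeys, ...}: nixKeys;` makes `nixKeys` a required attribute of every admin, so adding an SSH-only admin or temporarily pulling one person's signing key fails evaluation with a missing-attribute error instead of simply trusting fewer keys; `mkNixKeys = _: {nixKeys ? [], ...}: nixKeys;` keeps trust coupled to the admin entry without that failure mode. The `nix.settings.trusted-public-keys` line below it deserves a comment spelling out the consequence, because a trusted public key lets whoever holds the matching private key push pre-built store paths that the daemon on every host importing this role accepts as valid: `# Personal store-signing keys: a holder of the private key can push arbitrary signed store paths to every host; delete the admin entry to revoke.` Presumably this is what lets the admins `nix copy` closures from their laptops, which also means a compromised or rotated laptop key requires redeploying every host. With `with lib;` in scope, `concatLists` alone would suffice, but `lists.concatLists` is fine.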
--- /dev/null
+++ b/nixos/roles/nix.nix
@@ -0,0 +1,22 @@
+{
+ nix = {
+ settings = {
+ # trusted-public-keys belonging to specific persons are set in rolse/admins.nix
+ trusted-public-keys = [];
+ experimental-features = [
+ "flakes"
+ "nix-command"
+ ];
+ auto-optimise-store = true;
+ fallback = true;
+ builders-use-substitutes = true;
+ };
+ gc = {
+ automatic = true;
+ persistent = false;
+ dates = "weekly";
+ options = "-d";
+ randomizedDelaySec = "5h";
+ };
+ };
+}
diff --git a/nixos/roles/nix_keys.nix b/nixos/roles/nix_keys.nix
deleted file mode 100644
index 97e5dc5..0000000
--- a/nixos/roles/nix_keys.nix
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- imports = [];
- nix.settings.trusted-public-keys = [
- "nerflap2-1:pDZCg0oo9PxNQxwVSQSvycw7WXTl53PGvVeZWvxuqJc="
- "gonne.mathebau.de-1:FsXFyFiBFE/JxC9MCkt/WuiXjx5dkRI9RXj0FxOQrV0="
- ];
-}
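Review bot: `options = "-d";` makes the weekly automatic run execute `nix-collect-garbage -d`, which deletes every non-current generation of every profile, so a bad deploy noticed after the next run can no longer be rolled back from the boot menu; `options = "--delete-older-than 30d";` keeps the store bounded while preserving a recovery window. The comment on `trusted-public-keys` has a typo (`rolse/admins.nix` should be `roles/admins.nix`), and as far as I can tell the empty list is a no-op that only documents intent, since NixOS merges list-typed `nix.settings` definitions rather than replacing them, so it neither clears the default cache.nixos.org key nor affects the keys contributed by admins.nix; the comment should say so, e.g. `# Intentionally empty here: list definitions merge, per-person keys are contributed by roles/admins.nix.` `persistent = false;` also means a weekly run missed during downtime is not caught up afterwards, which may be intended.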