diff --git a/.sops.yaml b/.sops.yaml
index ab3fd30..784972b 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -7,7 +7,6 @@ keys:
   - &bragi age1lqvgpmlemyg9095ujck64u59ma29656zs7a4yxgz4s6u5cld2ccss69jwe
   - &lobon age12nz7dtc0m5wasxm4r9crtkgwnzvauyfp0xh0n8z8jld0arn9ea9qe0agvn
   - &nyarlathotep age1ktwclxa640l89le6yecm8v2z6hmwr4lusd6x9gyzamhv57887szqtqp59a
-  - &nodens age1vzhru3nsv5ttx3scmxvdep7z29qtsacft48wj2pk2rtkrdywdyuswc3lqn
 
 creation_rules:
   - path_regex: nixos/machines/nyarlathotep/.*
@@ -34,14 +33,6 @@ creation_rules:
         - *daniel
         - *totallynotadolphin
         - *lobon
-  - path_regex: nixos/machines/nodens/.*
-    key_groups:
-      - age:
-        - *nerf
-        - *gonne
-        - *daniel
-        - *totallynotadolphin
-        - *nodens
   # this is the catchall clause if nothing above machtes. Encrypt to users but not
   # to machines
   - key_groups:
diff --git a/README.md b/README.md
index a756522..97d6f3c 100644
--- a/README.md
+++ b/README.md
@@ -82,10 +82,6 @@ is exactly the same it was on your machine.
 If you have a `nixos-rebuild` available on your system, it can automatize these things with the `--flake` and
 `--target-host` parameters. But there are some pitfalls so look at the `nixos-rebuild` documentation beforehand.
 
-### On nodens
-You can build the machine on `nodens` the same way you would build it on your local machine. On `nodens` there
-is a key trusted by all machines at `/run/secrets/nodens-deploy.key`, to sign your build.
-
 ### On the machine
 
 Clone this repository to `/etc/nixos/` and `nixos-rebuild boot` or `nixos-rebuild switch` that will select
diff --git a/flake.lock b/flake.lock
index 5fb8c5b..157977f 100644
--- a/flake.lock
+++ b/flake.lock
@@ -698,11 +698,11 @@
     },
     "nixpkgs_6": {
       "locked": {
-        "lastModified": 1746141548,
-        "narHash": "sha256-IgBWhX7A2oJmZFIrpRuMnw5RAufVnfvOgHWgIdds+hc=",
+        "lastModified": 1744932701,
+        "narHash": "sha256-fusHbZCyv126cyArUwwKrLdCkgVAIaa/fQJYFlCEqiU=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "f02fddb8acef29a8b32f10a335d44828d7825b78",
+        "rev": "b024ced1aac25639f8ca8fdfc2f8c4fbd66c48ef",
         "type": "github"
       },
       "original": {
@@ -849,11 +849,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1745310711,
-        "narHash": "sha256-ePyTpKEJTgX0gvgNQWd7tQYQ3glIkbqcW778RpHlqgA=",
+        "lastModified": 1744669848,
+        "narHash": "sha256-pXyanHLUzLNd3MX9vsWG+6Z2hTU8niyphWstYEP3/GU=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "5e3e92b16d6fdf9923425a8d4df7496b2434f39c",
+        "rev": "61154300d945f0b147b30d24ddcafa159148026a",
         "type": "github"
       },
       "original": {
diff --git a/nixos/machines/nodens/configuration.nix b/nixos/machines/nodens/configuration.nix
index 282d813..a9ae8a2 100644
--- a/nixos/machines/nodens/configuration.nix
+++ b/nixos/machines/nodens/configuration.nix
@@ -11,11 +11,4 @@
 
   networking.hostName = "nodens";
   system.stateVersion = "24.11";
-
-  sops.secrets."nodens-deploy.key" = {
-    sopsFile = ./deploy.secrets.yaml;
-    owner = "root";
-    group = "root";
-    mode = "0400";
-  };
 }
diff --git a/nixos/machines/nodens/deploy.secrets.yaml b/nixos/machines/nodens/deploy.secrets.yaml
deleted file mode 100644
index bc44289..0000000
--- a/nixos/machines/nodens/deploy.secrets.yaml
+++ /dev/null
@@ -1,52 +0,0 @@
-nodens-deploy.key: ENC[AES256_GCM,data:78egSKIl+ecnCoIsw30ytx9wYwtnAHppMObpn4tPBuqSNN20ILWK4IdZUTE7H/QkOAbhi+R565efg/Cxt85OghXZ9jwBNXX+EwTwS7LAiGwp2Kxm7kYGX4jWvrmAnvmd/nqM3Rw+DgfGAA==,iv:+5Hz/Vmluk9icv68rmb1Dyi0g6PkW2JyaOnqluC/TKo=,tag:c7DQRCcKsS+9zJ9agCb0VA==,type:str]
-sops:
-    age:
-        - recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6MWdKbDBpaHoycmdWdlc3
-            MGltTU1rbUhPQ2VtbERWUXQzdWpvd2ZGdzFjCmV0aW5oTkdGMExUUkV1UFV3UkpZ
-            dE5kUktrYUlEQ1hNWEIzdlFxeUFKRXcKLS0tIGN6NStxdTl0VkYvcS82QjJCT0xu
-            eDRtM1BjN0tMVnkwZHF4ajRKUW94aVEKklPazc/5C/g0cTe0xzdwxi+G4vZ3LSbI
-            utp7vfDLIddT4mKVyt4bD/VffDlB5Afvu91mDMEr/WrQGQsmczqdYg==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4S1RZVVB2ancrMERNSUZ1
-            Nlg4Q3FZNFl1WUN5b2FVM0pYUDA2cXVtendrCm1TWkZNanZqYnM2eEt3eFZpdS9M
-            SzlpQnZQQzE5OFM1ME5xaXQxOWdGbzQKLS0tIEdXUGFGL3ZOZlZMWTgwY1lNdE5o
-            MS9WYWtuWkpKdDFnb0huelcyVEgvK2sKzRQ6oxBmOrE+OnCF19Nuaf9SZus4CtHD
-            l+q/0xqkSnxz+/Vl3ooq0bPUPXiGrHWkSXb/LFH6crRJHxRAuiga3w==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1mmpdvzy6d23qyhrl55jtv3c25pus2wwfplx9tujmqps2xsreuv8qwc6gv5
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwVlNZZ05TK3c1TitESEYx
-            dkpaMjhKaWNTTElld21yTXcyeVorTHBZYlFBCjF3R3BVNFcvZFZFK0xScmJTUEda
-            TmNySERXVk9jT01JWlFHNGd4MFlwUFkKLS0tIHJQV2dSd1pRbCtqKys3YW1JNVpq
-            QU5wdlBQODh4WmxrY1Z3aHl3WTE0eUUKTJPqJFelo6bQLfFNVa6K8UnUxCM8N15A
-            v8FWo1C71bIbMEtMTOq/TotJwxElUk8Oc10ECd3ST0bWZfyKFtkwHQ==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1m7l4x2zdgn7akgg5mkm9quen3u9sm0785tzm7vl000anuqrwwg6s5urenn
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjTUdtYzJMWk1YSitjNnhi
-            VVdpU0R4eHJIejZmSTNycWxheTZjcjBJdGlZCmxHdWxpaGdhQnFCT0tMRTVTS29X
-            Yks5UEw1MG5OMlZyWHVaZHpLb01vTFEKLS0tIHBTcjZrOHE4S2lZVllGNWpBdzV1
-            ci8xcGo2dzU0NDh2M3RCVEU3VjNDRkUKWZuklDoyHN83M0sfO9lnHP8cfj5ECqbx
-            3/JbV4wOalQ4+LiSSFmgxYXfADtWe4QpRUDCoVEHPc+sBvA09aCh+g==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1vzhru3nsv5ttx3scmxvdep7z29qtsacft48wj2pk2rtkrdywdyuswc3lqn
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRa09heTBzZ0xtSHlqR092
-            R3BNQWk3ZXhnd0wwMmI0SVBOSG00cTY2czI4ClZoMHJwdDh0b08xR2lXNStEbVkz
-            RGFnNkJrRkUrU0hIaTJsNzBOdENpdFEKLS0tIHhlazVXeTgzakpTYW1qUzZSMXNJ
-            V3JSeDNsdVNOQ2ZLL2MvSDBZdk1wTzgKPzrGAY1xqJ679iTqe+gUXB3UoTuA71Rj
-            KUTxgml2J6R+3mI61VFL1C5mDApFPoI6FaG/dXk5zgXSO1auVxHlAA==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-06-20T16:36:28Z"
-    mac: ENC[AES256_GCM,data:2UKbVUVB0WYZBAti4QN6gqsl9bsYjjjy6JOwwHYpLXywsXZOkpj1wptwdAXyjR3s9KT0fpywxZgCPtIqYb6wd8QqXkNzrTcVc6I7OJtDizcHh/tNvNsVvlC4I1+VpbTlIkmw3OxbIf88MrsVUxCFcyin7spIFHLtgIVQVO1xAHI=,iv:v7c/Wa81EE43hnWi6xISlxuzgfDxdpABkfQb/0zF+Kc=,tag:2fDl4Hy59d5QiXF3KZG+EQ==,type:str]
-    unencrypted_suffix: _unencrypted
-    version: 3.10.2
diff --git a/nixos/roles/admins.nix b/nixos/roles/admins.nix
index 1539d75..b436b58 100644
--- a/nixos/roles/admins.nix
+++ b/nixos/roles/admins.nix
@@ -14,7 +14,7 @@ with lib; let
     gonne = {
       hashedPassword = "$6$EtGpHEcFkOi0yUWp$slXf0CvIUrhdqaoCrQ5YwtYu2IVuE1RGGst4fnDPRLWVm.lYx0ruvSAF2/vw/sLbW37ORJjlb0NHQ.kSG7cVY/";
       sshKeys = [
-        "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAINTLfV2kNJPSGa1K7siu2pWE4Hn01rHvvsjy1ixjvbp+AAAABHNzaDo= gonne@mathebau.de"
+        "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIAhwkSDISCWLN2GhHfxdZsVkK4J7JoEcPwtNbAesb+BZAAAABHNzaDo= Gonne"
       ];
       nixKeys = [
         "gonne.mathebau.de-1:FsXFyFiBFE/JxC9MCkt/WuiXjx5dkRI9RXj0FxOQrV0="
diff --git a/nixos/roles/default.nix b/nixos/roles/default.nix
index 9ce47d6..851db7c 100644
--- a/nixos/roles/default.nix
+++ b/nixos/roles/default.nix
@@ -30,16 +30,6 @@
 
   sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
 
-  # additional trusted keys for substituters for every machine
-  # right now it is only nodens so nodens can build system configs
-  # and we can deploy them from nodens.
-  # For security reasons we might want to move this to the vm part, as
-  # someone who can get control of nodens and get hold of the build process
-  # can gain control of the other machines. While this is very handy
-  # and a step towards CI, we might not want this for backups.
-  # (This is a tradeof between security and convenience)
-  nix.settings.trusted-public-keys = ["nodens-deploy.key:VHJmEr17pdoEEnWlSfC03TIf4GBbClxGRiInHuWaUvU="];
-
   environment = {
     systemPackages = builtins.attrValues {
       inherit
diff --git a/packages/alias-to-sieve/Cargo.lock b/packages/alias-to-sieve/Cargo.lock
index 714c143..0ed3cd8 100644
--- a/packages/alias-to-sieve/Cargo.lock
+++ b/packages/alias-to-sieve/Cargo.lock
@@ -203,9 +203,9 @@ checksum = "eded382c5f5f786b989652c49544c4877d9f015cc22e145a5ea8ea66c2921cd2"
 
 [[package]]
 name = "sha2"
-version = "0.10.9"
+version = "0.10.8"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a7507d819769d01a365ab707794a4084392c824f54a7a6a7862f8c3d0892b283"
+checksum = "793db75ad2bcafc3ffa7c68b215fee268f537982cd901d132f89c6343f3a3dc8"
 dependencies = [
  "cfg-if",
  "cpufeatures",
@@ -214,9 +214,9 @@ dependencies = [
 
 [[package]]
 name = "syn"
-version = "2.0.101"
+version = "2.0.100"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8ce2b7fc941b3a24138a0a7cf8e858bfc6a992e7978a068a5c760deb0ed43caf"
+checksum = "b09a44accad81e1ba1cd74a32461ba89dee89095ba17b32f5d03683b1b1fc2a0"
 dependencies = [
  "proc-macro2",
  "quote",