diff --git a/.sops.yaml b/.sops.yaml
index adfa8d0..5477595 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,9 +1,8 @@
 # XXX: missing: macbook, thinknix?, at some point mobile
 keys:
   - &admins age1q80zzsgglj438verw74jghezn8ndpqldvg0mfxzwtaq4v5h7apusqysavz #framenix
-  - &workmac age1fft2ynhazjwtjmxsvt37qervtekktdln2968gjp4vcp5sp3jeg5segkz3x #workmac
   # Generate AGE keys from SSH keys with:
-  # nix-shell -p ssh-to-age --run 'ssh some.example.com cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'
+  # nix-shell -p ssh-to-age --run 'ssh some.example.com /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'
   - &machine_framenix age1kx93vp8l8jd6kz0kvk379udr5z8a9t6946w0ff5t9a2esn47nqzqlfzvwe
 creation_rules:
   # per-host secrets for host specific ones, but for service modules we could store and manage them also per module scope
@@ -16,6 +15,5 @@ creation_rules:
       key_groups:
         - age:
             - *admins
-            - *workmac
             - *machine_framenix
diff --git a/darwin/sops.nix b/darwin/sops.nix
index 3ffd153..a819347 100644
--- a/darwin/sops.nix
+++ b/darwin/sops.nix
@@ -6,7 +6,7 @@
 }:
 {
   sops = {
-    age.keyFile = "/Users/os/Library/Application Support/sops/age/keys.txt";
+    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
     defaultSopsFile = lib.mkDefault ./secrets.yaml;
     defaultSopsFormat = "yaml"; # is the default. ini had some template rendering issues in practice
   };
diff --git a/home/modules/sops.nix b/home/modules/sops.nix
index 183d3cb..0e18ffe 100644
--- a/home/modules/sops.nix
+++ b/home/modules/sops.nix
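Review bot: The rewritten comment in the first hunk drops `cat`, so `ssh some.example.com /etc/ssh/ssh_host_ed25519_key.pub` would ask the remote shell to execute the public-key file instead of printing it; the previous wording was the working one and should be restored as `# nix-shell -p ssh-to-age --run 'ssh some.example.com cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'`. Dropping `&workmac` here and from the key group in the second hunk only changes how newly encrypted files are keyed; files already committed keep a data-key wrap for the workmac recipient until they are re-keyed with `sops updatekeys`, and since that key holder could already read the data key, rotating it (`sops --rotate`) on the affected files is the safer follow-up. The `# XXX: missing: macbook` marker is left in place and no new machine recipient is added, which matters for the darwin/sops.nix change in this same commit.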
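Review bot: `age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]` makes the darwin host decrypt with its SSH host key, yet this commit adds no recipient derived from that key to `.sops.yaml` (the only machine recipient listed is `&machine_framenix`), so secrets that were readable through the removed `keys.txt` may no longer be decryptable on this host unless its key is already one of the listed recipients. The comment removed from home/modules/sops.nix stated "darwin: no SSH server, no hostkey", so whether `/etc/ssh/ssh_host_ed25519_key` actually exists on the target machine needs confirming; if it does, its ssh-to-age form belongs under `keys:` and in the `key_groups`, followed by `sops updatekeys` on the affected files. A comment next to the new line, e.g. `# decrypts via the host key (ssh-to-age); its public form must be listed as a recipient in .sops.yaml`, would record that dependency. The module's argument list starts outside the hunk.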
@@ -1,32 +1,7 @@
+{ inputs, ... }:
 {
-  inputs,
-  config,
-  lib,
-  pkgs,
-  ...
-}:
-let
-  homeKeys =
-    if pkgs.stdenv.isDarwin then
-      "/Users/${config.home.username}/Library/Application Support/sops/age/keys.txt"
-    else
-      "/home/${config.home.username}/.config/sops/age/keys.txt";
-in
-lib.mkMerge [
-  {
-    home.ensureDirs."${builtins.dirOf homeKeys}".mode = "0700";
-    sops = {
-      age.keyFile = "/home/user/.age-key.txt"; # must have no password!
-      # deliberately not setting `defaultSopsFile` because there is no clear file-hostname-mapping. Each separate home config has to configure this explicitly.
-    };
-  }
-  # linux machines: assumption: there is an OpenSSH server of which we are able to use the hostkey, like at the NixOS module. The `keyDir` is only used for the private admin key.
-  (lib.mkIf pkgs.stdenv.isLinux {
-    sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
-  })
-
-  # darwin: no SSH server, no hostkey => let's use the `keyDir` key both for encryption and decrpytion
-  (lib.mkIf pkgs.stdenv.isDarwin {
-    sops.age.keyFile = homeKeys;
-  })
-]
+  sops = {
+    age.keyFile = "/home/user/.age-key.txt"; # must have no password!
+    # deliberately not setting `defaultSopsFile` because there is no clear file-hostname-mapping. Each separate home config has to configure this explicitly.
+  };
+}
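Review bot: The new module hard-codes `age.keyFile = "/home/user/.age-key.txt"`, so the literal user name `user` replaces the `${config.home.username}`-derived path the removed code computed and the darwin `Application Support` variant is gone as well; with `keyFile` now the only decryption source, this module only works for a home located exactly at `/home/user`. The whole new file is visible and `inputs` is not referenced anywhere in it, so taking `config` instead and writing `{ config, ... }:` with `age.keyFile = "${config.home.homeDirectory}/.age-key.txt";` keeps the path per-user without reintroducing the platform branch. The removed `home.ensureDirs … .mode = "0700"` was the only thing enforcing a private directory for this passwordless key (the `# must have no password!` comment is kept), so either a replacement for that permission setting or a comment stating what now protects the file belongs next to the new line.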