diff --git a/common/nix-settings.nix b/common/nix-settings.nix
index 1cd0aed..3f7fcba 100644
--- a/common/nix-settings.nix
+++ b/common/nix-settings.nix
@@ -21,7 +21,6 @@ in
 sops = {
 secrets."nix/access-tokens" = {
 owner = "root";
- group = "users";
 mode = "0440";
 sopsFile = ./secrets.yaml;
 };
@@ -30,7 +29,8 @@ in
 access-tokens = ${config.sops.placeholder."nix/access-tokens"}
 '';
 owner = "root";
- group = "users";
+ # secret needs to be readable by users (nix client) as well as nix-daemon (running as root)
+ group = if pkgs.stdenv.isDarwin then "localaccounts" else "users";
 mode = "0440";
 };
 };
diff --git a/darwin/sops.nix b/darwin/sops.nix
index 3ffd153..5692f9e 100644
--- a/darwin/sops.nix
+++ b/darwin/sops.nix
@@ -7,6 +7,8 @@
 {
 sops = {
 age.keyFile = "/Users/os/Library/Application Support/sops/age/keys.txt";
+ age.sshKeyPaths = lib.mkForce [ ]; # no host keys
+ gnupg.sshKeyPaths = lib.mkForce [ ]; # no host keys
 defaultSopsFile = lib.mkDefault ./secrets.yaml;
 defaultSopsFormat = "yaml"; # is the default. ini had some template rendering issues in practice
 };
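Review bot: Dropping `group = "users";` from the raw `nix/access-tokens` secret leaves its group to whatever sops-nix defaults to on each platform, while `mode = "0440"` still grants that unknown group read access to the undecorated token. Since only root needs the raw secret now (the rendered template is what the nix client reads), `mode = "0400";` states that intent explicitly and does not depend on the platform default group. The `sops = {` attribute set this hunk edits continues outside the hunk.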
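Review bot: `group = if pkgs.stdenv.isDarwin then "localaccounts" else "users";` makes the rendered access token readable by every local account on a Darwin host, and by every member of `users` on NixOS, which is broader than "the accounts that run a nix client"; a dedicated group holding only those accounts would keep the 0440 template within least privilege. The new comment also slightly misstates the reason: root reads the file through `owner = "root"`, so the group exists only for the unprivileged client — suggest `# group read: the nix client runs as an ordinary user and must read the rendered token; root (nix-daemon) reads it as owner`. Whether `pkgs` is among this module's arguments is not visible in the hunk — confirm it is, since the `let ... in` header alone does not show it.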
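Review bot: The two `# no host keys` comments say what is forced but not why `lib.mkForce` is required rather than a plain assignment; presumably sops-nix derives both defaults from the SSH host key configuration, which this host lacks — confirm. A fuller comment would make the consequence explicit, e.g. `# force-empty: the module's defaults are derived from SSH host keys, which this Darwin host does not have; age.keyFile above is then the only decryption key`. As a style point, the two `age.*` attributes could be grouped into one `age = { keyFile = ...; sshKeyPaths = ...; };` set. The enclosing module attribute set continues past the hunk.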