diff --git a/home/auth/home.nix b/home/auth/home.nix
new file mode 100644
index 00000000..890628c3
--- /dev/null
+++ b/home/auth/home.nix
@@ -0,0 +1,25 @@
+{ pkgs
+, lib
+, config
+, ...}: with lib; {
+ # git signing configuration
+ programs.git = {
+ signing = {
+ signByDefault = true;
+ gpgPath = "${pkgs.openssh}/bin/ssh-keygen";
+ key = null;
+ };
+
+ extraConfig = {
+ user.signingkey = "~/.ssh/id_ed25519.pub";
+ gpg = {
+ format = "ssh";
+ # compiled from trusted keys in auth module
+ ssh.allowedSignersFile = toString (pkgs.writeText
+ "allowed_signers" (foldr (key: folded:
+ folded + "koishi@514fpv.one ${key}") ""
+ config.passthrough.publicKeys));
+ };
+ };
+ };
+}
diff --git a/home/auth/nixos.nix b/home/auth/nixos.nix
new file mode 100644
index 00000000..d57ea2e3
--- /dev/null
+++ b/home/auth/nixos.nix
@@ -0,0 +1,7 @@
+{ config
+, ... }: {
+ # this module passes openssh public keys to home-manager
+ users.homeModules = [ {
+ passthrough.publicKeys = config.faucet.auth.openssh.publicKeys;
+ } ];
+}
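Review bot: In home/auth/home.nix the `foldr` that builds `allowed_signers` joins the entries with no separator, so with more than one key in `config.passthrough.publicKeys` everything lands on a single line, unless each key string already ends in a newline, which is not visible here. ssh-keygen reads one signer per line, so at best only one key would be honoured and commits signed with the others would show as unverified. Emitting one line per key fixes it, e.g. `ssh.allowedSignersFile = toString (pkgs.writeText "allowed_signers" (concatMapStrings (key: "koishi@514fpv.one ${key}\n") config.passthrough.publicKeys));`. Adding `namespaces="git"` after the principal would also limit these keys to git signatures.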
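Review bot: The comment in home/auth/nixos.nix does not say what the forwarded keys are used for: home/auth/home.nix turns every entry into a trusted git signer. If `config.faucet.auth.openssh.publicKeys` is also the login key list (not visible here), adding a login key silently extends who can produce verified commits. That is worth stating in the comment, e.g. `# passes openssh public keys to home-manager, where they become git allowed signers`.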