diff --git a/users/modules/dev/vcs/jujutsu.nix b/users/modules/dev/vcs/jujutsu.nix
index bbc0399..671097a 100644
--- a/users/modules/dev/vcs/jujutsu.nix
+++ b/users/modules/dev/vcs/jujutsu.nix
@@ -29,8 +29,8 @@ in {
 sshKey = mkOption {
 type = with types; nullOr (either path str);
 example = "~/.ssh/id_ed25519.pub";
- default = "~/.ssh/id_ed25519.pub";
- description = "Path to the public SSH key or its content.";
+ default = "${config.home.homeDirectory}/.ssh/id_ed25519.pub";
+ description = "Path to the private SSH key for signing.";
 };
 };
 };
@@ -54,8 +54,8 @@ in {
 behavior = "own";
 backend = "ssh";
 key = cfg.signing.sshKey;
- backends."ssh.allowed-signers" = "~/.ssh/allowed_signers";
- backends."ssh.program" = "${pkgs.openssh}/bin/ssh-keygen";
+ backends.ssh.allowed-signers = "${config.home.homeDirectory}/.ssh/allowed_signers";
+ backends.ssh.program = "${pkgs.openssh}/bin/ssh-keygen";
 };
 aliases = {
 blame = ["file" "annotate"];
diff --git a/users/phundrak/home.nix b/users/phundrak/home.nix
index b688f4a..372042c 100644
--- a/users/phundrak/home.nix
+++ b/users/phundrak/home.nix
@@ -1,6 +1,7 @@
 {
 pkgs,
 config,
+ lib,
 ...
 }: {
 imports = [
@@ -69,6 +70,17 @@
 vcs.jj.signing.enable = true;
 };
 fullDesktop = true;
+ file."${config.home.homeDirectory}/.ssh/allowed_signers" = {
+ enable = true;
+ text = lib.strings.join "\n" (
+ map (file: let
+ content = lib.strings.trim (builtins.readFile file);
+ parts = lib.strings.splitString " " content;
+ email = lib.lists.last parts;
+ in "${email} namespaces=\"git\" ${content}")
+ (lib.filesystem.listFilesRecursive ../../keys)
+ );
+ };
 };
 manual = {
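Review bot: In the `sshKey` option of jujutsu.nix, the new description asks for the private key while both `example` and the new `default` still point at `id_ed25519.pub`, so the option now contradicts itself. The type remains `nullOr (either path str)`, so someone following the description with a Nix path literal would probably have the private key copied into the world-readable store once the value is rendered into the jj config. I would keep the wording on the public key and warn against path literals, e.g. `description = "Path to the SSH public key used for signing, or its content; pass a string rather than a Nix path so no key file is copied into the store.";`. The option declaration starts above this hunk.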
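Review bot: The `backends.ssh.allowed-signers` path in the second jujutsu.nix hunk is set for every user of this module, but the only place that writes `~/.ssh/allowed_signers` is users/phundrak/home.nix. Any other user who enables signing would, as far as this diff shows, point jj at a file that is missing or hand-maintained outside Nix, so verification there depends on unmanaged state. Consider exposing the path as an option next to `sshKey` (for example `signing.allowedSignersFile`, defaulting to null) and setting the backend key only when it is defined. A short comment that this file is the trust root for signature verification would also help. The enclosing attribute set starts above this hunk.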
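Review bot: The generated `allowed_signers` in home.nix trusts every file found recursively under `../../keys` and takes the principal from the last space-separated token of each file, i.e. the key's free-form comment. Principals in that file are patterns, so a key whose comment is `*`, or another person's address, would be accepted for identities it should not cover. A key with no comment would get its base64 blob as the principal, and a multi-line file would emit lines with no principal at all. I would restrict the input to `.pub` files and fail evaluation unless each holds exactly one `<type> <key> <email>` line with a plain address. An explicit email-to-key mapping would be stronger still, since it takes the principal out of the key file altogether.

```nix
file."${config.home.homeDirectory}/.ssh/allowed_signers" = {
  # … unchanged: enable = true; …
  text = let
    # Only public-key files are candidates for trust.
    pubKeys =
      lib.filter (f: lib.hasSuffix ".pub" (toString f))
      (lib.filesystem.listFilesRecursive ../../keys);
    toEntry = file: let
      content = lib.strings.trim (builtins.readFile file);
      parts = lib.strings.splitString " " content;
      email = lib.lists.last parts;
    in
      # Exactly "<type> <key> <email>": rejects multi-key files and missing comments.
      assert lib.assertMsg (builtins.length parts == 3)
      "${toString file}: expected a single '<type> <key> <email>' line";
      # The principal must be a literal address, not an allowed_signers pattern.
      assert lib.assertMsg (builtins.match "[^*?!, \n]+@[^*?!, \n]+" email != null)
      "${toString file}: key comment is not a plain e-mail address";
        "${email} namespaces=\"git\" ${content}";
  in
    lib.concatMapStringsSep "\n" toEntry pubKeys;
};
```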