refactor(nix): remove duplicate settings already provided by NixOS

- Remove default-substituter options (NixOS adds cache.nixos.org)
- Remove "root" from trusted-users and allowed-users (NixOS defaults)
- Simplify substituters/trusted-public-keys to only include extras

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

modules/nixos/nix/default.nix

@@ -25,13 +25,6 @@ in
     enable = mkBoolOpt false "Whether or not to manage nix configuration.";
     package = mkOpt package pkgs.nix "Which nix package to use.";
 
-    default-substituter = {
-      url = mkOpt str "https://cache.nixos.org" "The url for the substituter.";
-      key =
-        mkOpt str "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
-          "The trusted public key for the substituter.";
-    };
-
     extra-substituters = mkOpt (attrsOf substituters-submodule) { } "Extra substituters to configure.";
   };
 
@@ -58,7 +51,6 @@ in
     nix =
       let
         users = [
-          "root"
           config.metacfg.user.name
         ]
         ++ optional config.services.hydra.enable "hydra";
@@ -75,19 +67,11 @@ in
           sandbox = true;
           auto-optimise-store = true;
           trusted-users = users;
-          allowed-users = [
+          allowed-users = [ "@users" ];
-            "@users"
-            "root"
-          ];
 
-          substituters = [
+          # NixOS already adds cache.nixos.org by default, only add extra substituters
-            cfg.default-substituter.url
+          substituters = mapAttrsToList (name: _: name) extra-substituters;
-          ]
+          trusted-public-keys = mapAttrsToList (_: value: value.key) extra-substituters;
-          ++ (mapAttrsToList (name: value: name) extra-substituters);
-          trusted-public-keys = [
-            cfg.default-substituter.key
-          ]
-          ++ (mapAttrsToList (name: value: value.key) extra-substituters);
 
         }
         // (lib.optionalAttrs config.metacfg.tools.direnv.enable {