Run your own `nix-serve` for your CI

I am using Gitea for my personal projects, and Actions inside.

I want these Actions to run `nix build ./#my-package` when pushing to git.
I also want to benefit from the nix store. Since running on the host is not really stable (at least I could not run it), I chose to run an overloaded version of the nixos/nix docker image.
So to benefit from the store system, on the Gitea Runner, I use:

nix.sshServe.enable = true;
nix.sshServe.keys = [ "ssh-ed25519 [...]"  ];

On the Dockerfile of the image running the actions I use:

FROM nixos/nix
COPY known_hosts /root/.ssh/known_hosts
COPY id_ed25519 /root/.ssh/id_ed25519
COPY /root/.ssh/

RUN echo "experimental-features = nix-command flakes" >> /etc/nix/nix.conf
RUN echo 'access-tokens = <TOKEN>' >> /etc/nix/nix.conf
RUN echo 'extra-substituters = ssh://nix-ssh@<MY-DOMAIN>' >> /etc/nix/nix.conf
RUN echo 'extra-trusted-public-keys = <???>' >> /etc/nix/nix.conf

RUN nix-env -iA nixpkgs.nodejs_20 nixpkgs.coreutils

RUN ln -s /root/.nix-profile/bin/sleep /bin/sleep #required because gitea act_runner needs it for some reason

Now this almost works.

It seems that content is not signed, because when I run

nix copy  --to ssh://root@<MY-STORE> './#my-package'

nix store verify --store ssh://nix-serve@<MY DOMAIN> './#my-package'

I get

       … while fetching the input 'git+file:/ [...]'

       error: operation 'addToStore' is not supported by store <MY-STORE>

Not everything is very clear to me here.
What should the public key added to `extra-trusted-public-keys` in the Dockerfile be?

When using sshServe, it does not require adding a secret, right? I guess the ssh private key should be enough to sign the store content?

Also, during my build, I would expect to be able to send the new derivation to the store; what should I do to sign it then?

And could the user be nix-ssh, or be specified as allowed only to publish to the store, without being root?

Thank you !

Interesting links I found (not sure they will help):
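As an added example, not part of the original post: a NixOS configuration for the store host (the machine running `nix.sshServe`) that gives the host a store signing key, so that the public half of that key is what the CI image puts in `extra-trusted-public-keys`. The key name `my-store-1`, the paths under `/etc/nix/`, and the runner's SSH public key are placeholders chosen for the example.

```nix
# Added example (not the original poster's configuration).
#
# Generate the store signing key pair once, as root, on the store host:
#   nix-store --generate-binary-cache-key my-store-1 \
#     /etc/nix/my-store-1.sec /etc/nix/my-store-1.pub
# Keep my-store-1.sec readable by root only. The contents of
# my-store-1.pub (the form "my-store-1:<base64>") is the value the
# CI image needs in extra-trusted-public-keys; the ssh key only
# authenticates the connection, it does not sign store paths.
{ config, lib, ... }:
{
  nix.sshServe = {
    enable = true;
    # Let the runner push paths with `nix copy --to`, not only pull them.
    write = true;
    # Placeholder: the runner's SSH public key goes here.
    keys = [ "ssh-ed25519 AAAA...PLACEHOLDER ci-runner" ];
  };

  nix.settings = {
    # Every path built or added on this host is signed with this key,
    # so clients that trust my-store-1 will accept it as a substitute.
    secret-key-files = [ "/etc/nix/my-store-1.sec" ];
    # The host trusts its own key (the cache.nixos.org key stays in the
    # default list). Placeholder value, replace with my-store-1.pub.
    trusted-public-keys = [ "my-store-1:PLACEHOLDER-BASE64-PUBLIC-KEY" ];
    # nix-ssh is deliberately left out of trusted-users: an untrusted
    # client can only push paths that already carry a signature from a
    # key listed in trusted-public-keys, so unsigned paths are rejected.
  };
}
```

On the pushing side (the CI image), the same `secret-key-files` setting with a copy of `my-store-1.sec` would let it sign what it builds before `nix copy`; that key then needs the same protection as the SSH private key baked into the image.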