WIP: gitea: init gpg signing key

2025-11-04 02:58:02 +01:00 · 2024-11-23 23:51:53 +01:00 · 2024-11-23 23:51:53 +01:00 · 78028846a9
commit 78028846a9
parent 07777edafb
2 changed files with 27 additions and 0 deletions
--- a/hosts/bekkalokk/services/gitea/default.nix
+++ b/hosts/bekkalokk/services/gitea/default.nix
@ -6,6 +6,7 @@ let
 in {
  imports = [
    ./ci.nix
+    ./gpg.nix
    ./import-users
    ./web-secret-provider
  ];
--- a/hosts/bekkalokk/services/gitea/gpg.nix
+++ b/hosts/bekkalokk/services/gitea/gpg.nix
@ -0,0 +1,26 @@
+{ config, pkgs, lib, ... }:
+let
+  cfg = config.services.gitea;
+  GNUPGHOME = "${config.users.users.gitea.home}/gnupg";
+in
+{
+  sops.secrets."gitea/gpg-signing-key" = {
+    owner = cfg.user;
+    inherit (cfg) group;
+  };
+
+  systemd.services.gitea.environment = { inherit GNUPGHOME; };
+
+  systemd.services.gitea-ensure-gnupg-homedir = {
+    description = "Import gpg key for gitea";
+    environment = { inherit GNUPGHOME; };
+    serviceConfig = {
+      Type = "oneshot";
+      User = cfg.user;
+      PrivateNetwork = true;
+    };
+    script = ''
+      ${lib.getExe pkgs.gnupg} --import ${config.sops.secrets."gitea/gpg-signing-key".path}
+    '';
+  };
+}