From 78028846a963b8eca29ac15029beef05ba15db7a Mon Sep 17 00:00:00 2001
From: h7x4
Date: Sat, 23 Nov 2024 23:51:53 +0100
Subject: [PATCH] WIP: gitea: init gpg signing key
---
 hosts/bekkalokk/services/gitea/default.nix | 1 +
 hosts/bekkalokk/services/gitea/gpg.nix | 26 ++++++++++++++++++++++
 2 files changed, 27 insertions(+)
 create mode 100644 hosts/bekkalokk/services/gitea/gpg.nix
diff --git a/hosts/bekkalokk/services/gitea/default.nix b/hosts/bekkalokk/services/gitea/default.nix
index daf0718..93187e5 100644
--- a/hosts/bekkalokk/services/gitea/default.nix
+++ b/hosts/bekkalokk/services/gitea/default.nix
@@ -6,6 +6,7 @@ let
 in {
 imports = [
 ./ci.nix
+ ./gpg.nix
 ./import-users
 ./web-secret-provider
 ];
diff --git a/hosts/bekkalokk/services/gitea/gpg.nix b/hosts/bekkalokk/services/gitea/gpg.nix
new file mode 100644
index 0000000..b316000
--- /dev/null
+++ b/hosts/bekkalokk/services/gitea/gpg.nix
@@ -0,0 +1,26 @@
+{ config, pkgs, lib, ... }:
+let
+ cfg = config.services.gitea;
+ GNUPGHOME = "${config.users.users.gitea.home}/gnupg";
+in
+{
+ sops.secrets."gitea/gpg-signing-key" = {
+ owner = cfg.user;
+ inherit (cfg) group;
+ };
+
+ systemd.services.gitea.environment = { inherit GNUPGHOME; };
+
+ systemd.services.gitea-ensure-gnupg-homedir = {
+ description = "Import gpg key for gitea";
+ environment = { inherit GNUPGHOME; };
+ serviceConfig = {
+ Type = "oneshot";
+ User = cfg.user;
+ PrivateNetwork = true;
+ };
+ script = ''
+ ${lib.getExe pkgs.gnupg} --import ${config.sops.secrets."gitea/gpg-signing-key".path}
+ '';
+ };
+}
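Review bot: Nothing ties `gitea-ensure-gnupg-homedir` to `gitea.service`, so the key import is not guaranteed to run at all, let alone before Gitea starts; add `before = [ "gitea.service" ]; requiredBy = [ "gitea.service" ];` to the unit so a failed import blocks Gitea instead of silently leaving an empty keyring. The `script` runs non-interactively under a oneshot, so the import line should be `${lib.getExe pkgs.gnupg} --batch --no-tty --import ${config.sops.secrets."gitea/gpg-signing-key".path}` so any prompt from gpg or gpg-agent fails loudly rather than hanging the unit. `GNUPGHOME` is derived from `config.users.users.gitea.home` while the unit and the secret use `cfg.user`; `config.users.users.${cfg.user}.home` keeps the two consistent if the user is ever renamed. Presumably the Gitea side (`services.gitea.settings.repository.signing`, i.e. SIGNING_KEY/SIGNING_NAME/SIGNING_EMAIL) is still to come given the WIP title; until it is set the imported key is not used for signing, and a comment saying so would help the next reader.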