WIP: gitea: init gpg signing key

hosts/bekkalokk/services/gitea/default.nix

@@ -6,6 +6,7 @@ let
 in {
   imports = [
     ./ci.nix
+    ./gpg.nix
     ./import-users
     ./web-secret-provider
   ];

hosts/bekkalokk/services/gitea/gpg.nix

@@ -0,0 +1,26 @@
+{ config, pkgs, lib, ... }:
+let
+  cfg = config.services.gitea;
+  GNUPGHOME = "${config.users.users.gitea.home}/gnupg";
+in
+{
+  sops.secrets."gitea/gpg-signing-key" = {
+    owner = cfg.user;
+    inherit (cfg) group;
+  };
+
+  systemd.services.gitea.environment = { inherit GNUPGHOME; };
+
+  systemd.services.gitea-ensure-gnupg-homedir = {
+    description = "Import gpg key for gitea";
+    environment = { inherit GNUPGHOME; };
+    serviceConfig = {
+      Type = "oneshot";
+      User = cfg.user;
+      PrivateNetwork = true;
+    };
+    script = ''
+      ${lib.getExe pkgs.gnupg} --import ${config.sops.secrets."gitea/gpg-signing-key".path}
+    '';
+  };
+}