feat(git): add signing key to secrets store and sign all commits by default

modules/home-manager/features/git.nix

@@ -1,15 +1,12 @@
+{
+  userName,
+  ...
+}:
 {
   programs.git = {
     enable = true;
     settings = {
-      init.defaultBranch = "main";
+      # keep-sorted start block=yes
-      core.editor = "nvim";
-      push.autoSetupRemote = true;
-      pull.rebase = true;
-      user = {
-        name = "wi11-holdsworth";
-        email = "83637728+wi11-holdsworth@users.noreply.github.com";
-      };
       aliases = {
         # keep-sorted start
         a = "add";
@@ -30,6 +27,20 @@
         s = "status -s";
         # keep-sorted end
       };
+      core.editor = "nvim";
+      init.defaultBranch = "main";
+      pull.rebase = true;
+      push.autoSetupRemote = true;
+      user = {
+        name = "Will Holdsworth";
+        email = "me@fi33.buzz";
+      };
+      # keep-sorted end
+    };
+    signing = {
+      key = "/home/${userName}/.ssh/git_signature.pub";
+      format = "ssh";
+      signByDefault = true;
     };
   };
 }

secrets/git_signing_key.pub.age

@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> ssh-ed25519 qLT+DQ NMzN1Cll+cH5GgEQvCRpb8c1m7CDHWBtUZ5QNMluKkg
+H77YBVoCAZerRyoG90h9W6PKZbpjNBl2mfsW3Eco27w
+-> ssh-ed25519 7+xRyQ 67NFmrcLe9R5ni0HnvIiHcN0tlRVXpAiaVOQfIpqWzI
+H7jbIgVXVl+lENksb4KUfASeIKPBI/FtHhhlQzhXwik
+-> ssh-ed25519 LtK9yQ jvrWRlZF/H20QARL4lWWX0cDDoIK0Et5ZMxdsPJPXn0
+g+ZaDYycq65tBEBFuDpSl1BKuCTmxCJuYqG8kSCtL9U
+--- jZ2xp/oW3CgXPc8jriK53zTODB9lhDNZr8YfSYLAmio
+íAûKwÕ;÷À2R
+Ö¨†Ø<11>Øb—éSÓ'æÀ7/ˆ‘¾/’ÎkXÿHÓ–ùÿªÉÝW†œƒ<°P
p•HcÁTáúæG÷ÿÒ	'ŠFå¾…&Î!‹†(…³=˜6ŒŸ”HØ_ y <79>éËTlj­ªUbëó1

secrets/secrets.nix

@@ -21,6 +21,8 @@ in
   "copyparty.age".publicKeys = users;
   "firefly-db.age".publicKeys = users;
   "firefly.age".publicKeys = users;
+  "git_signing_key.age".publicKeys = users;
+  "git_signing_key.pub.age".publicKeys = users;
   "immich.age".publicKeys = users;
   "jellyfin.age".publicKeys = users;
   "karakeep.age".publicKeys = users;