Introduce sops and sops-nix for secret management

Use the GPG keys used for the password-store noc directory for the admin
keys.
Switch the git hosts secret management from colmena to sops-nix.

https://github.com/getsops/sops
https://github.com/Mic92/sops-nix

config/hosts/git/forgejo.nix

@@ -14,7 +14,7 @@
     enable = true;
     package = pkgs-unstable.forgejo;
     database.type = "postgres";
-    mailerPasswordFile = "/secrets/forgejo-git-smtp-password.secret";
+    mailerPasswordFile = "/run/secrets/forgejo_git_smtp_password";
 
     settings = {
       DEFAULT = {
@@ -77,14 +77,10 @@
     };
   };
 
-  deployment.keys = {
-    "forgejo-git-smtp-password.secret" = {
-      keyCommand = [ "pass" "noc/vm-secrets/chaosknoten/git/smtp_password" ];
-      destDir = "/secrets";
-      user = "forgejo";
-      group = "forgejo";
-      permissions = "0640";
-      uploadAt = "pre-activation";
-    };
+  sops.secrets."forgejo_git_smtp_password" = {
+    mode = "0440";
+    owner = "forgejo";
+    group = "forgejo";
+    restartUnits = [ "forgejo.service" ];
   };
 }