gpg: create homedir with 700 permissions (#2823)

It can happen in some cases that home-manager first runs before gpg
creates its homedir, and it creates it with 755 permissions which the
user then needs to change by hand.

Do this in the module instead: before linking files, make sure the
homedir exists, and if it doesn't, create it with the right permissions.

modules/programs/gpg.nix

@@ -282,7 +282,12 @@ in {
         source = "${keyringFiles}/pubring.kbx";
       };
 
-    home.activation = mkIf (cfg.publicKeys != [ ]) {
+    home.activation = {
+      createGpgHomedir =
+        hm.dag.entryBetween [ "linkGeneration" ] [ "writeBoundary" ] ''
+          $DRY_RUN_CMD mkdir -m700 -p $VERBOSE_ARG ${escapeShellArg cfg.homedir}
+        '';
+
       importGpgKeys = let
         gpg = "${cfg.package}/bin/gpg";
 
@@ -313,7 +318,8 @@ in {
           unset GNUPGHOME QUIET_ARG keyId importTrust
         '' ++ optional (!cfg.mutableTrust && anyTrust) ''
           install -m 0700 ${keyringFiles}/trustdb.gpg "${cfg.homedir}/trustdb.gpg"'');
-      in lib.hm.dag.entryAfter [ "linkGeneration" ] block;
+      in mkIf (cfg.publicKeys != [ ])
+      (lib.hm.dag.entryAfter [ "linkGeneration" ] block);
     };
   };
 }