feat(tmpfiles): defer per-service file permissions to reduce boot time

services/gitea.nix

@@ -8,6 +8,9 @@
 {
   imports = [
     (lib.serviceMountWithZpool "gitea" service_configs.zpool_ssds [ config.services.gitea.stateDir ])
+    (lib.serviceFilePerms "gitea" [
+      "Z ${config.services.gitea.stateDir} 0700 ${config.services.gitea.user} ${config.services.gitea.group}"
+    ])
   ];
 
   services.gitea = {
@@ -41,11 +44,6 @@
     reverse_proxy :${builtins.toString config.services.gitea.settings.server.HTTP_PORT}
   '';
 
-  systemd.tmpfiles.rules = [
-    # 0700 for ssh permission reasons
-    "Z ${config.services.gitea.stateDir} 0700 ${config.services.gitea.user} ${config.services.gitea.group}"
-  ];
-
   services.postgresql = {
     ensureDatabases = [ config.services.gitea.user ];
     ensureUsers = [