Since we're using modules (flake-parts), may as well pass through the location (or even the collection) of the secrets as a module argument.
TBH I think managing keys right in your Nix expression is an antipattern. Check how it's done in NGIpkgs for an alternative. That has the advantage that people can update their keys merely by `cp`ing over their own file; adding keys additionally only requires adding your handle to the list in the config.
I was thinking, if all else fails we could grab into the Forgejo database and rewrite the relation of projects/issues to point to the other repo. The problem with that is that we have to update…
Hah, (unsurprisingly) rebasing rewrites the commit history such that all the nice signatures are lost. Forgejo seems to be fundamentally incompatible with linear history. Time to switch to Gerrit…