1c/W4: add sops.age.keyFile for bootstrap age key (recovery key on clones; host-derived on cc-ci)

cc-ci /var/lib/sops-nix/key.txt provisioned = host-derived age key (pub == &host recipient), so
adding keyFile is safe (sops-install-secrets aborts if a configured keyFile is missing).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

modules/secrets.nix

@@ -9,6 +9,13 @@
     defaultSopsFile = ../secrets/secrets.yaml;
     # Decrypt using the host's SSH host key (converted to an age identity by sops-nix).
     age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+    # Phase-1c: also accept a bootstrap age key at a fixed path — THE one out-of-band secret,
+    # provisioned to the host before the first rebuild. On the canonical cc-ci this holds the
+    # host-derived age identity (== the sshKeyPaths recipient, no new exposure); on a fresh/cloned
+    # host (e.g. the throwaway-VM rebuild) it holds the off-box recovery key, so a host whose SSH
+    # host key is NOT a sops recipient can still decrypt every secret. NOTE: sops-install-secrets
+    # aborts activation if this file is set but missing, so it must exist before `nixos-rebuild`.
+    age.keyFile = "/var/lib/sops-nix/key.txt";
     # Do not also look for a GPG key.
     gnupg.sshKeyPaths = [ ];