M0 complete: sops-nix wiring + decrypt-a-test-secret; M0 gate CLAIMED

Host decrypts /run/secrets/test_secret via its ssh host key (age identity);
off-box master recovery recipient. sops-nix pinned to a buildGoModule-era rev
for nixpkgs 24.11 compat.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

flake.nix

@@ -5,9 +5,14 @@
     # Pinned to the exact revision cc-ci already runs, so the first rebuild from
     # this repo is a true no-op-then-base (M0). Bump deliberately, not drift.
     nixpkgs.url = "github:NixOS/nixpkgs/50ab793786d9de88ee30ec4e4c24fb4236fc2674";
+
+    # Pinned to a commit that still uses plain `buildGoModule` — sops-nix master moved to
+    # `buildGo125Module` (Go 1.25), which our pinned nixpkgs 24.11 (2025-06-30) does not have.
+    sops-nix.url = "github:Mic92/sops-nix/77c423a03b9b2b79709ea2cb63336312e78b72e2";
+    sops-nix.inputs.nixpkgs.follows = "nixpkgs";
   };
 
-  outputs = { self, nixpkgs }:
+  outputs = { self, nixpkgs, sops-nix }:
     let
       system = "x86_64-linux";
       pkgs = nixpkgs.legacyPackages.${system};
@@ -15,7 +20,10 @@
     {
       nixosConfigurations.cc-ci = nixpkgs.lib.nixosSystem {
         inherit system;
-        modules = [ ./hosts/cc-ci/configuration.nix ];
+        modules = [
+          sops-nix.nixosModules.sops
+          ./hosts/cc-ci/configuration.nix
+        ];
       };
 
       # Devshell for working on the harness/bridge locally.