M0 complete: sops-nix wiring + decrypt-a-test-secret; M0 gate CLAIMED

Host decrypts /run/secrets/test_secret via its ssh host key (age identity);
off-box master recovery recipient. sops-nix pinned to a buildGoModule-era rev
for nixpkgs 24.11 compat.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

modules/secrets.nix

@@ -0,0 +1,18 @@
+# sops-nix wiring (D6 infra secrets). cc-ci decrypts secrets at activation using its own
+# ed25519 SSH host key as the age identity (no separate key file to manage on the box).
+# Encrypted material lives in ../secrets/*.yaml, committed and readable only by recipients
+# listed in /.sops.yaml (host key + off-box master recovery key).
+{ ... }:
+{
+  sops = {
+    defaultSopsFile = ../secrets/secrets.yaml;
+    # Decrypt using the host's SSH host key (converted to an age identity by sops-nix).
+    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+    # Do not also look for a GPG key.
+    gnupg.sshKeyPaths = [ ];
+
+    # M0 proof secret — confirms the decrypt path works end to end. Real infra secrets
+    # (Drone RPC, webhook HMAC, OAuth, registry creds) are added in their milestones.
+    secrets.test_secret = { };
+  };
+}