oo7-daemon: unlock the Login keyring via systemd credential

oo7-daemon was running but its 'Login' keyring stayed locked because
nothing supplied a master password, so libsecret clients (flare in
particular) blocked indefinitely on keyring.unlock().

The upstream user unit declares
  ImportCredential=oo7.keyring-encryption-password
which picks up matching credentials from systemd's per-service
credential machinery. Wire LoadCredential=oo7.keyring-encryption-password
to the agenix-decrypted secret so the daemon unlocks at session start
without any prompt.

The password itself is a fresh 64-byte urandom value encrypted to all
desktop recipients (admin SSH key + mreow + yarn TPM identities); it's
opaque to the user and never typed manually. Owner is primary so the
user-scope unit's LoadCredential read works without elevating.

Verified the activation script chowns the decrypted file primary:users
mode 0400, the user unit override carries the LoadCredential line, and
the resulting drv builds clean.

modules/desktop-age-secrets.nix

@@ -66,5 +66,15 @@ in
       group = "root";
     };
 
+    # Master password for oo7-daemon's 'Login' keyring; the unit consumes it
+    # via systemd's ImportCredential machinery (see desktop-oo7-daemon.nix).
+    # Owner is `primary` so the user-scope systemd unit can LoadCredential it.
+    oo7-keyring-password = {
+      file = ../secrets/desktop/oo7-keyring-password.age;
+      mode = "0400";
+      owner = "primary";
+      group = "users";
+    };
+
   };
 }