oo7-daemon: unlock the Login keyring via systemd credential
oo7-daemon was running but its 'Login' keyring stayed locked because nothing supplied a master password, so libsecret clients (flare in particular) blocked indefinitely on keyring.unlock(). The upstream user unit declares ImportCredential=oo7.keyring-encryption-password which picks up matching credentials from systemd's per-service credential machinery. Wire LoadCredential=oo7.keyring-encryption-password to the agenix-decrypted secret so the daemon unlocks at session start without any prompt. The password itself is a fresh 64-byte urandom value encrypted to all desktop recipients (admin SSH key + mreow + yarn TPM identities); it's opaque to the user and never typed manually. Owner is primary so the user-scope unit's LoadCredential read works without elevating. Verified the activation script chowns the decrypted file primary:users mode 0400, the user unit override carries the LoadCredential line, and the resulting drv builds clean.
@@ -31,5 +31,14 @@
systemd.user.services.oo7-daemon = {
wantedBy = [ "default.target" ];
aliases = [ "dbus-org.freedesktop.secrets.service" ];
# Feed the keyring master password through systemd's credential
# machinery. The upstream unit declares
# `ImportCredential=oo7.keyring-encryption-password`, which picks up
# whatever LoadCredential leaves under $CREDENTIALS_DIRECTORY. agenix
# decrypts the secret to /run/agenix/oo7-keyring-password as the
# `primary` user, who is also the user this user-scope unit runs as.
serviceConfig.LoadCredential = [
"oo7.keyring-encryption-password:/run/agenix/oo7-keyring-password"
];
};
}
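Review bot: the `serviceConfig.LoadCredential` entry hardcodes the decrypted secret's location as the literal string `"oo7.keyring-encryption-password:/run/agenix/oo7-keyring-password"`, so if the agenix secret is renamed or the secrets directory is ever changed, the user unit keeps pointing at a path that no longer exists and the keyring silently stays locked again at the next login. Build the credential spec from the option agenix already exports for this secret instead, for example `"oo7.keyring-encryption-password:${config.age.secrets.oo7-keyring-password.path}"`, so a mismatch is caught at evaluation time rather than at session start. The comment block also says agenix decrypts the secret "as the `primary` user", which does not match the commit message's own description (the activation script decrypts and then chowns the file to primary:users, mode 0400); wording it as "owned by `primary`, the user this user-scope unit runs as" states the property that actually matters for the unprivileged LoadCredential read.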