services: move all secrets into /media/secrets

moves all secrets into one centralised location in
/media/secrets and uses systemd-tmpfiles to set the
appropriate permissions for them

modules/services/karakeep.nix

@@ -16,9 +16,18 @@
 
     # put OAUTH_CLIENT_SECRET and OAUTH_CLIENT_ID in file
     # https://docs.karakeep.app/configuration/environment-variables#authentication--signup
-    environmentFile = "/var/lib/karakeep/oidc";
+    environmentFile = "/media/secrets/karakeep";
   };
+
+  systemd.tmpfiles.rules = [
+    "f /media/secrets/karakeep 0400 karakeep karakeep"
+  ];
   
+  fileSystems."/var/lib/karakeep" = {
+    device = "/media/apps/karakeep";
+    options = [ "bind" ];
+  };
+
   services.caddy.virtualHosts."karakeep.${config.homelab.domain}" = {
     useACMEHost = config.homelab.domain;
     extraConfig = ''