services: move all secrets into /media/secrets

moves all secrets into one centralised location in
/media/secrets and uses systemd-tmpfiles to set the
appropriate permissions for them

modules/services/miniflux.nix

@@ -10,7 +10,7 @@
     # OAUTH2_CLIENT_ID = "<client ID>";
     # OAUTH2_CLIENT_SECRET = "<client secret>";
     # https://pocket-id.org/docs/client-examples/miniflux/
-    adminCredentialsFile = /var/lib/miniflux/oidc;
+    adminCredentialsFile = /media/secrets/miniflux;
 
     config = {
       LISTEN_ADDR = "0.0.0.0:8021";
@@ -44,6 +44,10 @@
     };
   };
 
+  systemd.tmpfiles.rules = [
+    "f /media/secrets/miniflux 0400 root root"
+  ];
+
   services.caddy.virtualHosts."rss.${config.homelab.domain}" = {
     useACMEHost = config.homelab.domain;
     extraConfig = ''