feat(security): implement metadata redaction and sops-nix migration

Migrated authorized SSH keys and personal metadata (emails, tokens) to sops-nix to prevent infrastructure fingerprinting. Introduced centralized secrets module with placeholder fallbacks.

modules/common/secrets.nix

@@ -0,0 +1,18 @@
+{ config, lib, ... }:
+
+{
+  sops.secrets = {
+    # -- User Public Keys (Anti-Fingerprinting) --
+    "user_keys_admin" = { neededForUsers = true; };
+    "user_keys_deploy" = { neededForUsers = true; };
+    "user_keys_backup" = { neededForUsers = true; };
+
+    # -- Infrastructure Metadata --
+    # Hugo TODO: Populate these in your .sops.yaml / secrets file
+    "acme_email" = {};
+    "cloudflare_dns_token" = {};
+    "pgadmin_email" = {};
+    "gitea_mailer_from" = {};
+    "vaultwarden_smtp_from" = {};
+  };
+}