
New default secret path, symlinking secrets, and other fixes

@ryantm ryantm released this 20 Nov 17:22

Wow, it has almost been a year since the last release!

🔒 Security fixes

  • Before agenix 0.10.0, the umask was not restricted while a secret was being decrypted, so for a brief window the freshly written plaintext file was world-readable until the configured file permissions were applied to it. #38 Thanks to @pennae for reporting this issue.
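
The window described above is easy to reproduce. The script below is an added example, not agenix's own activation code: it creates a file the way a decryptor writing to a redirect would (creation mode 0666 minus the umask) and reports the resulting mode bits before any chmod runs. With the default umask of 022 the file exists as 644 until chmod fixes it; with umask 077 set first it is never readable by other users, and a later chmod can only narrow it further. It assumes GNU coreutils (`stat -c`) and a writable temp directory; the file name and contents are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example (not agenix's code): why umask matters when a decryption tool
# writes the plaintext file before permissions are fixed up afterwards.
# Assumes GNU coreutils (stat -c '%a') and mktemp -d.
set -eu

# Create a file under the given umask, the way `tool -d ... > "$f"` would,
# and return its octal mode bits as created (before any chmod).
# Runs the write in a subshell so the caller's umask is untouched.
mode_after_create() {
  mask="$1"
  dir="$(mktemp -d)"
  f="$dir/secret"
  (
    umask "$mask"
    printf 'super-secret\n' > "$f"   # constructed plaintext, stands in for the decrypted secret
  )
  mode="$(stat -c '%a' "$f")"
  rm -rf "$dir"
  printf '%s\n' "$mode"
}

# Pre-0.10.0 pattern: write with the default umask (022), chmod afterwards.
# Between the two steps the file is 644: every local user can read it.
leaky_mode() { mode_after_create 022; }

# Fixed pattern: restrict the umask *before* writing. The file is created
# 600, so no other user can open it even momentarily; a later chmod (e.g.
# to 400, or to a service owner) only tightens or reassigns it.
safe_mode() { mode_after_create 077; }

main() {
  printf 'default umask 022, before chmod: %s\n' "$(leaky_mode)"
  printf 'umask 077, before chmod:         %s\n' "$(safe_mode)"
}
main "$@"
```

The same check is useful when auditing any custom activation script or secret helper: set a restrictive umask in the script (or create the file with `install -m`) rather than relying on a chmod that runs after the bytes are already on disk.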

⚠️ Breaking changes

  • Secrets have a new default location: /run/agenix/<name>. The new location lets agenix co-exist with other secret systems such as sops-nix or nixops. If you refer to a secret's path in your NixOS configuration, always use config.age.secrets.<name>.path so that changes like this cannot break you. Anyone referring to secret paths outside of the NixOS configuration (scripts, service units managed by hand) will need to update the path manually if they relied on the old default. #27
  • Thanks to @cole-h, secrets are now symlinked into place by default, as sops-nix does. The main benefit is that decrypted secrets are removed from the system once they are no longer part of the configuration. If you do not want the symlink behaviour for a secret, set age.secrets.<name>.symlink = false; in your configuration. #27
  • Thanks to @ngkz, agenix activation scripts are now run after specialfs activation scripts, which is useful for some setups where /run is mounted in a special way. #49

🔧 Other changes

  • Thanks to @blaggacao, an overlay is now available for the agenix CLI. #12
  • Various fixes for Darwin. #20 #35
  • Locale fixes for Rage. #28
  • There is now a NixOS test for testing agenix is working properly. #40
  • Many other documentation and small fixes.