sops-install-secrets: call systemctl directly when run as a systemd unit

When useSystemdActivation is enabled, sops-install-secrets.service runs
ordered Before=sysinit-reactivation.target, which switch-to-configuration
restarts *after* it has already consumed /run/nixos/activation-*-list.
Writing to those files from the service therefore does nothing on the
current switch and leaks into the next one.

NixOS 26.05 also deprecates the activation-list mechanism, printing a
warning whenever the files exist, with removal planned for 26.11.

Detect systemd invocation via INVOCATION_ID and call systemctl directly
(try-restart / try-reload-or-restart, --no-block to avoid deadlocking
the sysinit transaction). The legacy activation-script path keeps
writing the list files for backward compatibility.
r-vdp 2026-03-30 15:49:09 +02:00
parent 8adb84861f
commit 6f5fe8036b
No known key found for this signature in database
3 changed files with 81 additions and 28 deletions


@ -472,7 +472,7 @@ in
before = [ "sysinit-reactivation.target" ];
environment = cfg.environment;
unitConfig.DefaultDependencies = "no";
path = cfg.age.plugins;
path = cfg.age.plugins ++ [ config.systemd.package ];
serviceConfig = {
Type = "oneshot";
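Review bot: the new `path = cfg.age.plugins ++ [ config.systemd.package ];` carries no hint of why a secrets-installer unit now needs the systemd package on its PATH, and nothing in the hunk records the constraint the commit message describes. A one-line comment above the `path` assignment stating that the install script calls `systemctl` when it detects it is running as a unit, and that those calls must stay `--no-block` because this unit is ordered `before = [ "sysinit-reactivation.target" ];` with `unitConfig.DefaultDependencies = "no";` (a blocking restart inside the sysinit transaction is exactly the deadlock the message warns about), would keep a future refactor from silently dropping the flag or the package.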


@ -37,7 +37,7 @@ in
before = [ "systemd-sysusers.service" ];
environment = cfg.environment;
unitConfig.DefaultDependencies = "no";
path = cfg.age.plugins;
path = cfg.age.plugins ++ [ config.systemd.package ];
serviceConfig = {
Type = "oneshot";
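Review bot: this is the same `path = cfg.age.plugins ++ [ config.systemd.package ];` change as in the other module, duplicated verbatim; consider hoisting the shared service skeleton (`environment`, `unitConfig.DefaultDependencies`, `path`, `Type = "oneshot"`) into one let-binding so the two units cannot drift apart. This unit is also ordered `before = [ "systemd-sysusers.service" ];`, i.e. very early in boot, when most of the units a `try-restart` / `try-reload-or-restart` would target are not yet active; `systemctl try-*` is a no-op on inactive units, so that is harmless, but it deserves a comment so the early ordering is not mistaken for a bug when the restarts appear to do nothing at boot.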