password-store: generate each secret in tmpdir

nixosModules/clanCore/secrets/password-store.nix

@@ -30,6 +30,10 @@ in
         # if any of the secrets are missing, we regenerate all connected facts/secrets
         (if ! (${lib.concatMapStringsSep " && " (x: "test -e ${passwordstoreDir}/machines/${config.clanCore.machineName}/${x.name}.gpg >/dev/null") (lib.attrValues v.secrets)}); then
 
+          tmpdir=$(mktemp -d)
+          trap "rm -rf $tmpdir" EXIT
+          cd $tmpdir
+
           facts=$(mktemp -d)
           trap "rm -rf $facts" EXIT
           secrets=$(mktemp -d)