[feature] Manage RDS passwords

[roberth]

All password operations could be managed through NixOps. A nice workflow can be achieved with the following behaviors.

1. Leaving out the masterPassword causes it to be generated and stored in the state.
2. resources.rdsDbInstances.*.masterPassword returns the password from the state. This can be used in deployment.keys for example.
3. A nixops subcommand can reset the master password and updates the state file accordingly.

The first two remove the need to store the password in an extra location. The last one makes it possible to update the password without breaking subsequent deployments.