sops-nix bootstrap + Forgejo at git.tyrolize.ch

sops:
- devShell provides ssh-to-age and sets SOPS_AGE_KEY_FILE to
  $REPO/.sops-age-key.txt (gitignored, generated locally).
- .sops.yaml lists laptop + watcher recipients. The watcher recipient is
  derived from /etc/ssh/ssh_host_ed25519_key.pub via ssh-to-age, so the
  watcher decrypts using its SSH host key as the age identity at boot.
- hosts/watcher/secrets.yaml holds an `example` placeholder; sops-install-
  secrets surfaces it at /run/secrets/example (root-only).

Forgejo:
- modules/forgejo.nix enables services.forgejo (sqlite + daily tar.gz
  dump), built-in SSH server on :2222, HTTP on 127.0.0.1:3000.
- modules/website.nix adds the git.tyrolize.ch vhost reverse-proxying to
  localhost. Caddy gets a Let's Encrypt cert automatically.
- terraform/infomaniak/watcher.tf opens :2222 v4+v6 in the security group.
- Admin user `tyro` (role admin) created out-of-band via the gitea CLI.

Both services live on the watcher.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

hosts/watcher/default.nix

@@ -1,8 +1,19 @@
 { config, lib, pkgs, ... }: {
   imports = [
     ../../modules/website.nix
+    ../../modules/forgejo.nix
   ];
 
+  # sops-nix: encrypted secrets in ./secrets.yaml, decrypted at boot using
+  # the watcher's SSH host key as the age identity. Plaintext lands in
+  # /run/secrets/<name>, readable only by root by default. Edit with
+  # `sops hosts/watcher/secrets.yaml` from inside `nix develop`.
+  sops = {
+    defaultSopsFile = ./secrets.yaml;
+    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+    secrets.example = { };   # placeholder to confirm the pipeline works
+  };
+
   # Boot, disk layout, and cloud-init are provided by:
   #   - openstack-config.nix (for nixos-rebuild on the live box), or
   #   - openstack-image.nix  (when building the QCOW2 image)