Initial infra scaffold: watcher live on Infomaniak Public Cloud

- flake.nix exposes a devShell (openstackclient, opentofu, sops, age) plus
  nixosConfigurations.watcher (runtime) and packages.watcher-image (QCOW2
  via nixos-generators / openstack format).
- hosts/watcher/default.nix: SSH-only base, tyro user with key auth, root
  SSH disabled, trusted-users set so laptop closure pushes work.
- modules/website.nix: Caddy serves tyrolize.ch from sites/tyrolize.ch/;
  lize.ch 301-redirects; firewall opens 80/443. Let's Encrypt via HTTP-01.
- terraform/infomaniak/: OpenStack provider, security group (22/80/443),
  keypair, compute instance booted from the uploaded image. Auth via OS_*
  env vars sourced from terraform/infomaniak/.env by the devShell hook.
- scripts/build-image.sh + scripts/deploy.sh.
- dns/{tyrolize,lize}.ch.zone: full BIND zone files for the advanced view
  in Infomaniak DNS Manager; preserves kSuite mail records on lize.ch.

Watcher live at 195.15.203.200 (IPv6 2001:1600:10💯:b4e), NixOS 25.05.
HTTPS confirmed working on both domains.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

hosts/watcher/default.nix

@@ -0,0 +1,65 @@
+{ config, lib, pkgs, ... }: {
+  imports = [
+    ../../modules/website.nix
+  ];
+
+  # Boot, disk layout, and cloud-init are provided by:
+  #   - openstack-config.nix (for nixos-rebuild on the live box), or
+  #   - openstack-image.nix  (when building the QCOW2 image)
+  # Both are wired in flake.nix.
+
+  system.stateVersion = "25.05";
+
+  networking.hostName = "watcher";
+  networking.firewall = {
+    enable = true;
+    allowedTCPPorts = [ 22 ];   # services like 80/443 added as they come online
+  };
+
+  time.timeZone = "Europe/Zurich";
+  i18n.defaultLocale = "en_US.UTF-8";
+
+  users.mutableUsers = false;
+  users.users.tyro = {
+    isNormalUser = true;
+    extraGroups = [ "wheel" ];
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHC7oEcIquy/HWSHjA9N62FVKA6js4aOWu9q41Qp3nNj tyrolize@nixos"
+    ];
+  };
+
+  services.openssh = {
+    enable = true;
+    settings = {
+      PasswordAuthentication = false;
+      KbdInteractiveAuthentication = false;
+      # openstack-config.nix defaults this to "prohibit-password" so cloud-init can
+      # inject the OpenStack keypair into root. We don't need it: the same key is
+      # already in users.users.tyro via the flake. Hard-disable root SSH.
+      PermitRootLogin = lib.mkForce "no";
+    };
+  };
+
+  security.sudo.wheelNeedsPassword = false;
+
+  environment.systemPackages = with pkgs; [
+    vim
+    git
+    htop
+    tmux
+    curl
+    wget
+  ];
+
+  nix.settings = {
+    experimental-features = [ "nix-command" "flakes" ];
+    # Allow the tyro user to push pre-built closures from the laptop via
+    # `nixos-rebuild --target-host` without re-signing every store path.
+    trusted-users = [ "root" "@wheel" ];
+  };
+  nix.gc = {
+    automatic = true;
+    dates = "weekly";
+    options = "--delete-older-than 14d";
+  };
+}