Initial infra scaffold: watcher live on Infomaniak Public Cloud

- flake.nix exposes a devShell (openstackclient, opentofu, sops, age) plus
  nixosConfigurations.watcher (runtime) and packages.watcher-image (QCOW2
  via nixos-generators / openstack format).
- hosts/watcher/default.nix: SSH-only base, tyro user with key auth, root
  SSH disabled, trusted-users set so laptop closure pushes work.
- modules/website.nix: Caddy serves tyrolize.ch from sites/tyrolize.ch/;
  lize.ch 301-redirects; firewall opens 80/443. Let's Encrypt via HTTP-01.
- terraform/infomaniak/: OpenStack provider, security group (22/80/443),
  keypair, compute instance booted from the uploaded image. Auth via OS_*
  env vars sourced from terraform/infomaniak/.env by the devShell hook.
- scripts/build-image.sh + scripts/deploy.sh.
- dns/{tyrolize,lize}.ch.zone: full BIND zone files for the advanced view
  in Infomaniak DNS Manager; preserves kSuite mail records on lize.ch.

Watcher live at 195.15.203.200 (IPv6 2001:1600:10💯:b4e), NixOS 25.05.
HTTPS confirmed working on both domains.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

terraform/infomaniak/watcher.tf

@@ -0,0 +1,73 @@
+data "openstack_images_image_v2" "watcher" {
+  name        = var.watcher_image_name
+  most_recent = true
+}
+
+data "openstack_networking_network_v2" "external" {
+  name = var.external_network
+}
+
+resource "openstack_compute_keypair_v2" "primary" {
+  name       = var.ssh_key_name
+  public_key = var.ssh_public_key
+}
+
+resource "openstack_networking_secgroup_v2" "watcher" {
+  name        = "watcher"
+  description = "watcher: SSH + HTTP(S)"
+}
+
+# SSH in (IPv4 + IPv6)
+resource "openstack_networking_secgroup_rule_v2" "ssh_v4" {
+  direction         = "ingress"
+  ethertype         = "IPv4"
+  protocol          = "tcp"
+  port_range_min    = 22
+  port_range_max    = 22
+  remote_ip_prefix  = "0.0.0.0/0"
+  security_group_id = openstack_networking_secgroup_v2.watcher.id
+}
+
+resource "openstack_networking_secgroup_rule_v2" "ssh_v6" {
+  direction         = "ingress"
+  ethertype         = "IPv6"
+  protocol          = "tcp"
+  port_range_min    = 22
+  port_range_max    = 22
+  remote_ip_prefix  = "::/0"
+  security_group_id = openstack_networking_secgroup_v2.watcher.id
+}
+
+# HTTP(S) for Caddy. Open from day one so cert provisioning works the moment
+# we add the website module — closing again would just be churn.
+resource "openstack_networking_secgroup_rule_v2" "http" {
+  direction         = "ingress"
+  ethertype         = "IPv4"
+  protocol          = "tcp"
+  port_range_min    = 80
+  port_range_max    = 80
+  remote_ip_prefix  = "0.0.0.0/0"
+  security_group_id = openstack_networking_secgroup_v2.watcher.id
+}
+
+resource "openstack_networking_secgroup_rule_v2" "https" {
+  direction         = "ingress"
+  ethertype         = "IPv4"
+  protocol          = "tcp"
+  port_range_min    = 443
+  port_range_max    = 443
+  remote_ip_prefix  = "0.0.0.0/0"
+  security_group_id = openstack_networking_secgroup_v2.watcher.id
+}
+
+resource "openstack_compute_instance_v2" "watcher" {
+  name            = "watcher"
+  flavor_name     = var.flavor_name
+  image_id        = data.openstack_images_image_v2.watcher.id
+  key_pair        = openstack_compute_keypair_v2.primary.name
+  security_groups = [openstack_networking_secgroup_v2.watcher.name]
+
+  network {
+    name = data.openstack_networking_network_v2.external.name
+  }
+}