wire tide service into nixos config

Imports the tide nixos module from the TIDE flake and configures
it for tide.yisroelbaum.com (frontend) and apitide.yisroelbaum.com
(backend), reusing the existing wildcard ACME cert. Secrets are
pulled from sops-encrypted secrets/tide.yaml; replace the
placeholder with real encrypted content before deploy.

secrets/README.md

@@ -0,0 +1,23 @@
+# Secrets
+
+Encrypted with [sops](https://github.com/getsops/sops) using the
+host's age key.
+
+## First-time setup on the server
+
+1. Generate an age key for the host:
+   ```
+   sudo mkdir -p /var/lib/sops-nix
+   sudo age-keygen -o /var/lib/sops-nix/key.txt
+   sudo chmod 600 /var/lib/sops-nix/key.txt
+   ```
+2. Read the public key:
+   ```
+   sudo grep "public key" /var/lib/sops-nix/key.txt
+   ```
+3. On a workstation, put that public key into `.sops.yaml` at
+   the repo root and encrypt `tide.yaml.example` into
+   `tide.yaml`.
+
+`tide.yaml` is encrypted and committed. `tide.yaml.example` is
+the plaintext template.

secrets/tide.yaml

@@ -0,0 +1,3 @@
+# PLACEHOLDER - replace with sops-encrypted content before deploy.
+# See secrets/README.md and secrets/tide.yaml.example.
+tide-env: ""

secrets/tide.yaml.example

@@ -0,0 +1,20 @@
+# Encrypt this with sops to produce ./tide.yaml:
+#
+#   sops --encrypt --age $(cat ~/.config/sops/age/keys.txt | grep public | cut -d: -f2 | tr -d ' ') \
+#     secrets/tide.yaml.example > secrets/tide.yaml
+#
+# Or set up .sops.yaml with the host's age public key and run
+# `sops secrets/tide.yaml`.
+#
+# Generate APP_KEY with:
+#   php -r "echo 'base64:'.base64_encode(random_bytes(32)).PHP_EOL;"
+
+tide-env: |
+  APP_KEY=base64:REPLACE_ME
+  DB_PASSWORD=REPLACE_ME
+  MAIL_HOST=127.0.0.1
+  MAIL_PORT=1025
+  MAIL_USERNAME=
+  MAIL_PASSWORD=
+  MAIL_FROM_ADDRESS=noreply@tide.yisroelbaum.com
+  MAIL_FROM_NAME=TIDE