sops-nix's default identity discovery imports the host's SSH
ed25519 key as an age identity, but secrets/tide.yaml is encrypted
to the age key generated with age-keygen and stored at
/var/lib/sops-nix/key.txt. Without sops.age.keyFile pointing at
that path, activation fails with 'Error getting data key: 0
successful groups required, got 0'. Also blank the SSH/GPG
fallback paths so the module never silently picks up an
unintended identity.
Imports the tide nixos module from the TIDE flake and configures
it for tide.yisroelbaum.com (frontend) and apitide.yisroelbaum.com
(backend), reusing the existing wildcard ACME cert. Secrets are
pulled from sops-encrypted secrets/tide.yaml; replace the
placeholder with real encrypted content before deploy.
