feat(sops): trigger service restarts on secret rotation

Wire up restartUnits on secrets whose consumers cache them in memory
(daemons read at startup), so sops-nix restarts the affected unit on
activation when the decrypted content changes:

- firefly: app_key → phpfpm-firefly-iii;
  auto_import_secret + access_token → phpfpm-firefly-iii-data-importer
- searx: secret_key → uwsgi
- opencode: web password → opencode-serve
- mail: sasl_passwd → postfix
- forgejo: gitea_dbpass → forgejo; runner-token → gitea-runner-default

Secrets read on demand by oneshots/timers (firefly sparda_pin, ntfy
token, restic backup creds, acme dns creds, wg conf) are left as-is.
Harald Hoyer 2026-05-03 15:23:40 +02:00
parent 59480cdc79
commit 01f42c0851
5 changed files with 11 additions and 1 deletion
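The rule the commit applies (a secret needs `restartUnits` when its consumer is a long-running daemon that reads it once at startup, and must not get one when the consumer is a oneshot that reads it on demand) can be checked mechanically. The following audit script is an added example, not code from this commit or from sops-nix: it parses constructed `systemctl show` output for a few units, cross-references the `/run/secrets/...` paths they load against a hypothetical secret-to-`restartUnits` map, and reports daemons missing a hook as well as hooks on oneshots. The unit names, secret paths and the `RESTART_UNITS` map are assumptions made for the sample.

```python
"""Audit which sops-nix secrets need restartUnits and which must not have one.

Added example, not part of the commit or of sops-nix. Input is a constructed
`systemctl show -p Id,Type,EnvironmentFiles,LoadCredential,ExecStart ...`
transcript; in real use it would be captured from the host.
"""
import re
from dataclasses import dataclass

SECRET_DIR = "/run/secrets/"
# Service types that stay resident and therefore cache whatever they read at start.
LONG_RUNNING = {"simple", "exec", "notify", "forking", "dbus", "idle"}

# Constructed sample transcript (blocks separated by a blank line, as systemctl prints them).
SYSTEMCTL_SHOW = """\
Id=phpfpm-firefly-iii.service
Type=notify
EnvironmentFiles=/run/secrets/firefly/app_key (ignore_errors=no)
ExecStart={ path=/run/current-system/sw/bin/php-fpm ; argv[]=php-fpm -y /etc/phpfpm/firefly-iii.conf ; ignore_errors=no }

Id=uwsgi.service
Type=notify
EnvironmentFiles=/run/secrets/searx/secret_key (ignore_errors=no)

Id=gitea-runner-default.service
Type=simple
LoadCredential=token:/run/secrets/forgejo/runner-token

Id=backup-notify.service
Type=oneshot
ExecStart={ path=/run/current-system/sw/bin/notify ; argv[]=notify --token-file /run/secrets/ntfy/token ; ignore_errors=no }
"""

# Hypothetical secret -> restartUnits map, as it would be extracted from the Nix config.
# Deliberate mistakes for the demo: the runner token has no hook, the oneshot has one.
RESTART_UNITS = {
    "firefly/app_key": ["phpfpm-firefly-iii.service"],
    "searx/secret_key": ["uwsgi.service"],
    "ntfy/token": ["backup-notify.service"],
}


@dataclass
class Unit:
    name: str
    type: str
    secrets: set  # secret names relative to SECRET_DIR that the unit loads


def parse_systemctl_show(text):
    """Turn `systemctl show` Key=Value blocks into Unit records."""
    units = []
    for block in re.split(r"\n\s*\n", text.strip()):
        props = {}
        for line in block.splitlines():
            key, _, value = line.partition("=")
            props.setdefault(key, []).append(value)
        refs = set()
        for key in ("EnvironmentFiles", "LoadCredential", "ExecStart", "ExecStartPre"):
            for value in props.get(key, []):
                refs.update(re.findall(re.escape(SECRET_DIR) + r"([\w./-]+)", value))
        units.append(Unit(props["Id"][0], props.get("Type", ["simple"])[0], refs))
    return units


def audit(units, restart_units):
    """Return (missing, spurious) lists of (secret, unit) pairs.

    missing:  a resident daemon loads the secret but is not restarted on rotation.
    spurious: a oneshot (reads on demand) is listed; restarting it is pointless noise.
    """
    missing, spurious = [], []
    for unit in units:
        for secret in sorted(unit.secrets):
            hooked = unit.name in restart_units.get(secret, [])
            if unit.type in LONG_RUNNING and not hooked:
                missing.append((secret, unit.name))
            if unit.type == "oneshot" and hooked:
                spurious.append((secret, unit.name))
    return missing, spurious


def nix_fix(missing):
    """Render the sops-nix attribute lines that would close each gap."""
    by_secret = {}
    for secret, unit in missing:
        by_secret.setdefault(secret, []).append(unit)
    lines = []
    for secret, names in by_secret.items():
        quoted = " ".join('"%s"' % n for n in names)
        lines.append('"%s".restartUnits = [ %s ];' % (secret, quoted))
    return lines


if __name__ == "__main__":
    missing, spurious = audit(parse_systemctl_show(SYSTEMCTL_SHOW), RESTART_UNITS)
    for secret, unit in missing:
        print("MISSING restartUnits: %s is cached by %s" % (secret, unit))
    for secret, unit in spurious:
        print("SPURIOUS restartUnits: %s is read on demand by %s" % (secret, unit))
    for line in nix_fix(missing):
        print("suggested:", line)
```

On a real host the transcript comes from `systemctl show` over the unit list, and the map from the evaluated NixOS config (for example `nix eval .#nixosConfigurations.<host>.config.sops.secrets --json`, an assumed invocation); the classification by `Type=` is a heuristic, since a `simple` service can still re-read a file per request, so treat findings as review prompts rather than hard failures.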


@ -31,6 +31,7 @@ in
"firefly/app_key" = {
sopsFile = ../../../.secrets/sgx/firefly.yaml;
owner = "firefly-iii";
restartUnits = [ "phpfpm-firefly-iii.service" ];
};
"firefly/sparda_pin" = {
sopsFile = ../../../.secrets/sgx/firefly.yaml;
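Review bot: the `firefly/sparda_pin` entry directly below the new `restartUnits` line is left without one on purpose (the message says it is read on demand by a oneshot/timer), but nothing in the file records that reason, so the asymmetry looks like an oversight. A one-line comment on that entry, e.g. `# read on demand by the import timer; no restartUnits`, would keep a later editor from "completing" it and, since the message treats that restart as unwanted, from triggering the import outside its schedule.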
@ -39,10 +40,12 @@ in
"firefly/auto_import_secret" = {
sopsFile = ../../../.secrets/sgx/firefly.yaml;
owner = "firefly-iii-data-importer";
restartUnits = [ "phpfpm-firefly-iii-data-importer.service" ];
};
"firefly/access_token" = {
sopsFile = ../../../.secrets/sgx/firefly.yaml;
owner = "firefly-iii-data-importer";
restartUnits = [ "phpfpm-firefly-iii-data-importer.service" ];
};
};
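Review bot: `phpfpm-firefly-iii-data-importer.service` is spelled out twice here and is not derived from the adjacent `owner = "firefly-iii-data-importer"`, so a typo in either copy would only surface when activation tries to restart a unit that does not exist. Worth confirming once with `systemctl list-units 'phpfpm-*'` that the pool runs under exactly that name, and consider binding the unit name once (for example in the file's existing `let`) and referencing it from both `auto_import_secret` and `access_token` so the two entries cannot drift apart.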