feat(amd): add opencode web server at opencode.amd.hoyer.world

Mirror of the sgx opencode setup: systemd service on port 4196 fronted
by nginx with a per-host ACME cert (DNS-01 via internetbs). Adds amd
key + path rule to .sops.yaml so secrets under .secrets/amd/ encrypt
for the host.

systems/x86_64-linux/amd/default.nix

@@ -10,12 +10,17 @@ with lib.metacfg;
     ./hardware-configuration.nix
     ./xremap.nix
     ./sound.nix
+    ./acme.nix
+    ./nginx.nix
+    ./opencode.nix
   ];
 
   powerManagement.cpuFreqGovernor = "performance";
 
   services.rustdesk-server.signal.enable = false;
   networking.firewall.allowedTCPPorts = [
+    80
+    443
     22000
   ];
 
@@ -29,6 +34,8 @@ with lib.metacfg;
   services.resolved.enable = true;
 
   metacfg = {
+    services.nginxBase.enable = true;
+    services.acmeBase.enable = true;
     hardware.wooting.enable = true;
     base.enable = true;
     gui.enable = true;