refactor(nix): extract common system configs into reusable modules

Create 6 new NixOS modules to reduce duplication across system configs:
- hardware/wooting: Wooting keyboard udev rules and Bluetooth compat
- services/nginx-base: Common nginx server settings
- services/acme-base: ACME certificate defaults
- services/xremap: Key remapping with sensible defaults
- system/no-sleep: Disable sleep/suspend/hibernate targets
- system/kernel-tweaks: PM freeze timeout and zram configuration

Update system configuration files to use these new modules.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

systems/x86_64-linux/amd/default.nix

@@ -18,21 +18,17 @@ with lib.metacfg;
     22000
   ];
 
-  services.tailscale.enable = true;
-
   services.cratedocs-mcp.enable = true;
 
   services.openssh = {
     enable = true;
   };
 
-  hardware.bluetooth.input.General.ClassicBondedOnly = false;
-  services.udev.extraRules = ''
-    KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="342d", ATTRS{idProduct}=="e4c5", MODE="0660", GROUP="users", TAG+="uaccess", TAG+="udev-acl"
-    KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="342d", ATTRS{idProduct}=="e489", MODE="0660", GROUP="users", TAG+="uaccess", TAG+="udev-acl"
-  '';
+  services.tailscale.enable = true;
+  services.resolved.enable = true;
 
   metacfg = {
+    hardware.wooting.enable = true;
     base.enable = true;
     gui.enable = true;
     nix-ld.enable = true;
@@ -59,15 +55,21 @@ with lib.metacfg;
       "dialout"
       "tss"
     ];
+    system.kernelTweaks.enable = true;
+  };
+
+  system.autoUpgrade = {
+    enable = true;
+    operation = "boot";
+    allowReboot = false;
   };
 
   nixpkgs.config.permittedInsecurePackages = [
     "electron-27.3.11"
   ];
 
-  # Kernel tuning
+  # Additional kernel tuning beyond the module defaults
   boot.kernel.sysctl = {
-    "power.pm_freeze_timeout" = 30000;
     # Reduce swap usage (you have zram)
     "vm.swappiness" = 10;
     # Prefer keeping directory/inode caches
@@ -111,32 +113,18 @@ with lib.metacfg;
 
   # zram swap with zstd compression for better performance
   zramSwap = {
-    enable = true;
     algorithm = "zstd";
     memoryPercent = 50;
   };
 
   services.ratbagd.enable = true;
 
-  services.resolved.enable = true;
-
-  #services.resolved.dnssec = "allow-downgrade";
-  #services.resolved.extraConfig = ''
-  #  ResolveUnicastSingleLabel=yes
-  #'';
-
   virtualisation = {
     libvirtd.enable = true;
     docker.enable = true;
     podman.dockerCompat = false;
   };
 
-  system.autoUpgrade = {
-    enable = true;
-    operation = "boot";
-    allowReboot = false;
-  };
-
   services.trezord.enable = true;
 
   services.ollama = {