feat(mx): add Nextcloud Talk opencode bot pointing at halo.hoyer.tail:8000

Mirrors the existing nextcloud-claude-bot setup but invokes `opencode run`
against the local `halo-8000` provider/model. The bot listens on
127.0.0.1:8086, is exposed via the `/_opencode-bot/` location on
nc.hoyer.xyz, and uses `@Halo` as its mention trigger in group chats.

The opencode config (config/opencode/config.json) is installed into the
service's $HOME/.config/opencode/ on each start, so the bot picks up the
same provider definition the user uses interactively. The model map keys
are renamed to `halo-8000` / `halo-8001` so the canonical
`provider/model` reference works without an alias indirection.

systems/x86_64-linux/mx/nextcloud-opencode-bot/default.nix

@@ -0,0 +1,35 @@
+{ config, ... }:
+{
+  imports = [ ./module.nix ];
+
+  services.nextcloud-opencode-bot = {
+    enable = true;
+    nextcloudUrl = "https://nc.hoyer.xyz";
+    botSecretFile = config.sops.secrets."nextcloud-opencode-bot/secret".path;
+    opencodeConfig = ../../../../config/opencode/config.json;
+    model = "halo-8000/halo-8000";
+    botName = "Halo";
+    allowedUsers = [ ];
+  };
+
+  sops.secrets."nextcloud-opencode-bot/secret" = {
+    sopsFile = ../../../../.secrets/hetzner/nextcloud-opencode-bot.yaml;
+    restartUnits = [ "nextcloud-opencode-bot.service" ];
+    owner = "opencode-bot";
+  };
+
+  # Nginx location for Nextcloud to send webhooks to the bot
+  services.nginx.virtualHosts."nc.hoyer.xyz".locations."/_opencode-bot/" = {
+    proxyPass = "http://127.0.0.1:8086/";
+    extraConfig = ''
+      proxy_set_header Host $host;
+      proxy_set_header X-Real-IP $remote_addr;
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header X-Forwarded-Proto $scheme;
+
+      # Only allow from localhost (Nextcloud on same server)
+      allow 127.0.0.1;
+      deny all;
+    '';
+  };
+}