Mirror of the sgx opencode setup: systemd service on port 4196 fronted
by nginx with a per-host ACME cert (DNS-01 via internetbs). Adds amd
key + path rule to .sops.yaml so secrets under .secrets/amd/ encrypt
for the host.
Introduce encrypted secrets and SOPS configuration for the x1 system. Update SSH and related services to utilize these secrets and modify flake.lock to align with the latest dependencies.
