add opencrow Matrix bot on ful

Uses upstream NixOS module (systemd-nspawn container with sandboxing).

- User: @fable:4d2.org on matrix.4d2.org
- Provider: GitHub Copilot (OAuth, one-time interactive login)
- Secrets via agenix: matrix token as environmentFile,
  soul bind-mounted into the container
- Sessions + pi-agent state in /var/lib/opencrow, backed up via restic

To complete setup:
1. Create secrets/opencrow-matrix-token.age (OPENCROW_MATRIX_ACCESS_TOKEN=...)
2. Create secrets/opencrow-soul.age (SOUL.md content)
3. One-time Copilot login inside the container:
   sudo nixos-container root-login opencrow
   PI_CODING_AGENT_DIR=/var/lib/opencrow/pi-agent pi
   # Run /login, select GitHub Copilot, complete OAuth flow

flake.nix

@@ -26,6 +26,7 @@
     wetter.url = "github:4z3/wetter";
     wrappers.url = "github:lassulus/wrappers";
     llm-agents.url = "github:numtide/llm-agents.nix";
+    opencrow.url = "github:pinpox/opencrow";
 
     voidrice.flake = false;
 
@@ -62,6 +63,7 @@
     wetter.inputs.nixpkgs.follows = "nixpkgs";
     niphas.inputs.nixpkgs.follows = "nixpkgs-unstable";
     wrappers.inputs.nixpkgs.follows = "nixpkgs";
+    opencrow.inputs.nixpkgs.follows = "nixpkgs";
   };
 
   outputs =
@@ -78,6 +80,7 @@
       tinc-graph,
       nix-topology,
       llm-agents,
+      opencrow,
       nixpkgs-unstable,
       nixos-hardware,
       niphas,
@@ -443,6 +446,7 @@
                 self.nixosModules.panoptikon
                 self.nixosModules.go-webring
                 stockholm.nixosModules.reaktor2
+                opencrow.nixosModules.default
                 nur.modules.nixos.default
                 {
                   nixpkgs.overlays = [