add opencrow Matrix bot on ful

Uses upstream NixOS module (systemd-nspawn container with sandboxing).

- User: @fable:4d2.org on matrix.4d2.org
- Provider: GitHub Copilot (OAuth, one-time interactive login)
- Secrets via agenix: matrix token as environmentFile,
  soul bind-mounted into the container
- Sessions + pi-agent state in /var/lib/opencrow, backed up via restic

To complete setup:
1. Create secrets/opencrow-matrix-token.age (OPENCROW_MATRIX_ACCESS_TOKEN=...)
2. Create secrets/opencrow-soul.age (SOUL.md content)
3. One-time Copilot login inside the container:
   sudo nixos-container root-login opencrow
   PI_CODING_AGENT_DIR=/var/lib/opencrow/pi-agent pi
   # Run /login, select GitHub Copilot, complete OAuth flow

systems/ful/configuration.nix

@@ -17,6 +17,7 @@
     ./wallabag.nix
     ./nethack.nix
     ./openclaw.nix
+    ./opencrow.nix
   ];
 
   niveum.passport = {

systems/ful/opencrow.nix

@@ -0,0 +1,40 @@
+{
+  config,
+  pkgs,
+  ...
+}:
+{
+  age.secrets = {
+    opencrow-matrix-token = {
+      file = ../../secrets/opencrow-matrix-token.age;
+    };
+    opencrow-soul = {
+      file = ../../secrets/opencrow-soul.age;
+    };
+  };
+
+  services.opencrow = {
+    enable = true;
+
+    environmentFiles = [
+      config.age.secrets.opencrow-matrix-token.path
+    ];
+
+    extraBindMounts."/run/secrets/opencrow-soul" = {
+      hostPath = config.age.secrets.opencrow-soul.path;
+      isReadOnly = true;
+    };
+
+    environment = {
+      OPENCROW_MATRIX_HOMESERVER = "https://matrix.4d2.org";
+      OPENCROW_MATRIX_USER_ID = "@fable:4d2.org";
+      OPENCROW_PI_PROVIDER = "copilot";
+      OPENCROW_PI_MODEL = "claude-sonnet-4-20250514";
+      OPENCROW_SOUL_FILE = "/run/secrets/opencrow-soul";
+    };
+  };
+
+  services.restic.backups.niveum.paths = [
+    "/var/lib/opencrow"
+  ];
+}