feat(nixos): add org-agenda-api hosting with nginx + Let's Encrypt

Add NixOS module to host org-agenda-api container on railbird-sf:
- org-agenda-api-host.nix: New module with nginx reverse proxy and ACME
- nginx configured for rbsf.tplinkdns.com with automatic TLS
- Container runs on port 51847 (random high port)
- Supports nix-built container images via imageFile option

Configure railbird-sf to use the new module:
- Build org-agenda-api container from flake
- Pass container to machine config via specialArgs
- Set up agenix secret for container environment

Note: Requires creating secrets file with AUTH_PASSWORD and
GIT_SSH_PRIVATE_KEY environment variables.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

nixos/flake.nix

@@ -223,6 +223,20 @@
     };
     defaultConfigurationParams =
       builtins.listToAttrs (map mkConfigurationParams machineFilenames);
+    # Build org-agenda-api container for a given system
+    mkOrgAgendaApiContainer = system: let
+      pkgs = import nixpkgs { inherit system; };
+      orgApiRev = builtins.substring 0 7 (org-agenda-api.rev or "unknown");
+      dotfilesRev = builtins.substring 0 7 (self.rev or self.dirtyRev or "dirty");
+      dotfilesOrgApi = import ./org-agenda-api.nix {
+        inherit pkgs system inputs;
+      };
+      tangledConfig = dotfilesOrgApi.org-agenda-custom-config;
+      containerLib = import ../org-agenda-api/container.nix {
+        inherit pkgs system tangledConfig org-agenda-api orgApiRev dotfilesRev;
+      };
+    in containerLib.containers.colonelpanic;
+
     customParams = {
       biskcomp = {
         system = "aarch64-linux";
@@ -230,6 +244,11 @@
       air-gapped-pi = {
         system = "aarch64-linux";
       };
+      railbird-sf = {
+        specialArgs = {
+          orgAgendaApiContainer = mkOrgAgendaApiContainer "x86_64-linux";
+        };
+      };
     };
     mkConfig = {
       system ? "x86_64-linux",