feat(hectic-lab): enable sentinèlla watcher service

Enable the p2p watcher alongside the existing probe. Peers are discovered
via DNS name peers.hectic-lab.com. TG credentials are loaded from a SOPS
secret sentinèlla/watcher/environment (to be populated with TG_TOKEN and
TG_CHAT_ID).

nixos/system/hectic-lab/sentinèlla.nix

@@ -5,17 +5,31 @@
   domain,
   sslOpts,
   ...
-}: let
+}: { config, ... }: let
   port = 5869;
 in {
-  hectic = {
-    services."sentinèlla".probe = {
+  hectic.services."sentinèlla" = {
+    probe = {
       enable = true;
       inherit port;
     };
+    watcher = {
+      enable              = true;
+      peersDns            = "peers.${domain}";
+      peersPort           = port;
+      pollingIntervalSec  = 60;
+      # TG_TOKEN= and TG_CHAT_ID= are set via this environment file
+      # Add the following to sus/hectic-lab.yaml under sentinèlla/watcher/:
+      #   environment: |
+      #     TG_TOKEN=<bot-token>
+      #     TG_CHAT_ID=<chat-id>
+      environmentFile = config.sops.secrets."sentinèlla/watcher/environment".path;
+    };
   };
 
-  services.nginx =  {
+  sops.secrets."sentinèlla/watcher/environment" = {};
+
+  services.nginx = {
     virtualHosts."probe.${domain}" = sslOpts // {
       forceSSL = true;
       locations."/" = {