diff --git a/docs/getting-started/first-install.md b/docs/getting-started/first-install.md
index 1d489b3..01b96e4 100644
--- a/docs/getting-started/first-install.md
+++ b/docs/getting-started/first-install.md
@@ -243,30 +243,13 @@ Services **ohne externe Abhaengigkeiten** aktivieren:
 ./sops.nix
 
 # Stufe 2: Erst nach Schritt 4 aktivieren
- # ./headplane.nix # braucht: headplane/agent_pre_authkey (Headscale)
- # ./tailscale.nix # braucht: tailscale/auth-key (Headscale)
+ # ./forgejo-runner.nix # braucht: forgejo-runner/token (Forgejo)
+ # ./headplane.nix # braucht: headplane/agent_pre_authkey (Headscale)
+ # ./tailscale.nix # braucht: tailscale/auth-key (Headscale)
 ];
 }
 ```
 
-Ebenso in `hosts//services/sops.nix` die Secrets-Definitionen wieder
-einkommentieren, **aber nur die fuer Stufe-1-Services**:
-
-```nix
-sops = {
- defaultSopsFile = ../secrets.yaml;
- secrets = {
- # "forgejo-runner/token" = { }; # Stufe 2
- "tailscale/auth-key" = { };
- };
-};
-```
-
-> **Hinweis:** `tailscale/auth-key` muss in `sops.nix` definiert bleiben, da das
-> Tailscale-Modul es referenziert. Es wird aber erst in Schritt 4 mit einem
-> echten Wert befuellt. Solange Tailscale nicht importiert ist, hat das keinen
-> Effekt.
-
 ### 3.5 Deployen (Stufe 1)
 
 ```bash
@@ -329,6 +312,7 @@ Nachdem der Server mit Headscale und Forgejo laeuft:
 {
 imports = [
 ./forgejo.nix
+ ./forgejo-runner.nix
 ./headplane.nix
 ./headscale.nix
 ./mailserver.nix
@@ -341,8 +325,6 @@ Nachdem der Server mit Headscale und Forgejo laeuft:
 }
 ```
 
- Und in `sops.nix` auch `forgejo-runner/token` einkommentieren.
-
 6. **Erneut deployen**:
 
 ```bash
diff --git a/hosts/cryodev-main/services/default.nix b/hosts/cryodev-main/services/default.nix
index 0bd3c67..485b746 100644
--- a/hosts/cryodev-main/services/default.nix
+++ b/hosts/cryodev-main/services/default.nix
@@ -1,13 +1,17 @@
 {
 imports = [
+ # Stufe 1: Services ohne externe Abhaengigkeiten
 ./forgejo.nix
- ./headplane.nix
 ./headscale.nix
 ./mailserver.nix
 ./netdata.nix
 ./nginx.nix
 ./openssh.nix
 ./sops.nix
- ./tailscale.nix
+
+ # Stufe 2: Erst aktivieren wenn Headscale/Forgejo laufen und echte Secrets existieren
+ # ./forgejo-runner.nix # braucht: forgejo-runner/token (Forgejo)
+ # ./headplane.nix # braucht: headplane/agent_pre_authkey (Headscale)
+ # ./tailscale.nix # braucht: tailscale/auth-key (Headscale)
 ];
 }
diff --git a/hosts/cryodev-main/services/forgejo-runner.nix b/hosts/cryodev-main/services/forgejo-runner.nix
new file mode 100644
index 0000000..6c8362f
--- /dev/null
+++ b/hosts/cryodev-main/services/forgejo-runner.nix
@@ -0,0 +1,22 @@
+{
+ config,
+ outputs,
+ constants,
+ ...
+}:
+
+{
+ imports = [
+ outputs.nixosModules.forgejo-runner
+ ];
+
+ services.forgejo-runner = {
+ enable = true;
+ url = "https://${constants.services.forgejo.fqdn}";
+ tokenFile = config.sops.secrets."forgejo-runner/token".path;
+ };
+
+ sops.secrets."forgejo-runner/token" = {
+ mode = "0400";
+ };
+}
diff --git a/hosts/cryodev-main/services/forgejo.nix b/hosts/cryodev-main/services/forgejo.nix
index b911241..5d54830 100644
--- a/hosts/cryodev-main/services/forgejo.nix
+++ b/hosts/cryodev-main/services/forgejo.nix
@@ -8,7 +8,6 @@
 {
 imports = [
 outputs.nixosModules.forgejo
- outputs.nixosModules.forgejo-runner
 ];
 
 services.forgejo = {
@@ -32,17 +31,6 @@
 };
 };
 
- services.forgejo-runner = {
- enable = true;
- url = "https://${constants.services.forgejo.fqdn}";
- tokenFile = config.sops.secrets."forgejo-runner/token".path;
- };
-
- sops.secrets."forgejo-runner/token" = {
- # gitea-runner user is created by gitea-actions-runner service
- mode = "0400";
- };
-
 services.nginx.virtualHosts."${constants.services.forgejo.fqdn}" = {
 forceSSL = true;
 enableACME = true;
diff --git a/hosts/cryodev-main/services/sops.nix b/hosts/cryodev-main/services/sops.nix
index 8df48e1..ca01a72 100644
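Review bot: The `sops.secrets."forgejo-runner/token"` block in the new forgejo-runner.nix keeps `mode = "0400"` but sets no `owner`, and the comment that accompanied it in forgejo.nix (`# gitea-runner user is created by gitea-actions-runner service`) was dropped in the move, so the reason `owner` is absent is no longer recorded. With sops-nix's default owner the decrypted file is readable by root only, which works if the wrapped `outputs.nixosModules.forgejo-runner` hands the path to systemd (EnvironmentFile/LoadCredential, read as root) but not if the runner process opens it itself as an unprivileged user; that module is not in this diff, so this should be confirmed against it. Either restore the dropped comment next to `mode`, or, if the runner reads the file directly, add `owner = "gitea-runner";` beside it. Since the runner registration token grants the ability to pick up and execute CI jobs, keeping it root-only and handed over by systemd is the preferable shape.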
--- a/hosts/cryodev-main/services/sops.nix
+++ b/hosts/cryodev-main/services/sops.nix
@@ -13,9 +13,9 @@
 sops = {
 defaultSopsFile = ../secrets.yaml;
 # age.keyFile is not set, sops-nix defaults to using /etc/ssh/ssh_host_ed25519_key
- secrets = {
- "forgejo-runner/token" = { };
- "tailscale/auth-key" = { };
- };
+
+ # Secrets fuer Stufe-2-Services werden in deren eigenen Dateien definiert:
+ # forgejo-runner/token -> forgejo-runner.nix
+ # tailscale/auth-key -> tailscale.nix (via Modul)
 };
 }
diff --git a/result b/result
deleted file mode 120000
index e931342..0000000
--- a/result
+++ /dev/null
@@ -1 +0,0 @@
-/nix/store/xmcpz8rawfcbzr528rlnm5v0fmnrd8dj-nixos-system-cryodev-main-25.11.20260309.44bae27
\ No newline at end of file
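Review bot: The replacement comment in sops.nix lists `forgejo-runner/token` and `tailscale/auth-key` as the stage-2 secrets declared elsewhere, but default.nix in this same commit also gates `headplane.nix` on `headplane/agent_pre_authkey`, which this list omits. If headplane.nix declares that secret itself, add `# headplane/agent_pre_authkey -> headplane.nix` so the two files agree; if it does not, enabling headplane.nix in stage 2 will fail on an undefined `config.sops.secrets` entry — headplane.nix is not in this diff, so this needs checking. Note also that after this hunk `sops` declares no secrets at all during stage 1, so the SSH host key named in the `age.keyFile` comment is never exercised against `secrets.yaml` until the second deploy; a decryption problem such as a host key not yet added to `.sops.yaml` will only surface then, which is worth stating in the staged-rollout docs.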