split forgejo-runner into own service file for staged deployment

- Extract forgejo-runner config from forgejo.nix into forgejo-runner.nix - Move forgejo-runner to stage 2 (requires running Forgejo for token) - Remove all stage-2 secrets from sops.nix (each service file owns its secrets) - Update first-install docs with corrected staged deployment flow - Fixes deployment failure caused by runner crashing with placeholder token
2026-03-14 12:22:33 +01:00 · 2026-03-14 12:22:33 +01:00 · 4c560abffd
commit 4c560abffd
parent da37a2dce3
6 changed files with 36 additions and 41 deletions
--- a/hosts/cryodev-main/services/sops.nix
+++ b/hosts/cryodev-main/services/sops.nix
@ -13,9 +13,9 @@
  sops = {
    defaultSopsFile = ../secrets.yaml;
    # age.keyFile is not set, sops-nix defaults to using /etc/ssh/ssh_host_ed25519_key
-    secrets = {
-      "forgejo-runner/token" = { };
-      "tailscale/auth-key" = { };
-    };
+
+    # Secrets fuer Stufe-2-Services werden in deren eigenen Dateien definiert:
+    # forgejo-runner/token -> forgejo-runner.nix
+    # tailscale/auth-key   -> tailscale.nix (via Modul)
  };
 }