Add SD image pipeline, documentation overhaul, and fix module issues

- Add automatic SD image builds for Raspberry Pi via Forgejo Actions
- Enable binfmt emulation on cryodev-main for aarch64 cross-builds
- Add sd-image.nix module to cryodev-pi configuration
- Create comprehensive docs/ structure with installation guides
- Split installation docs into: first-install (server), reinstall, new-client (Pi)
- Add lib/utils.nix and apps/rebuild from synix
- Fix headplane module for new upstream API (tale/headplane)
- Fix various module issues (mailserver stateVersion, option conflicts)
- Add placeholder secrets.yaml files for both hosts
- Remove old INSTRUCTIONS.md (content moved to docs/)

docs/services/forgejo.md

@@ -0,0 +1,149 @@
+# Forgejo
+
+Forgejo is a self-hosted Git service (fork of Gitea) with built-in CI/CD Actions.
+
+## References
+
+- [Forgejo Documentation](https://forgejo.org/docs/)
+- [Forgejo Actions](https://forgejo.org/docs/latest/user/actions/)
+
+## Setup
+
+### DNS
+
+Set a CNAME record for `git.cryodev.xyz` pointing to your main domain.
+
+### Configuration
+
+```nix
+# hosts/cryodev-main/services/forgejo.nix
+{ config, ... }:
+{
+  services.forgejo = {
+    enable = true;
+    settings = {
+      server = {
+        DOMAIN = "git.cryodev.xyz";
+        ROOT_URL = "https://git.cryodev.xyz";
+      };
+      mailer = {
+        ENABLED = true;
+        FROM = "forgejo@cryodev.xyz";
+      };
+    };
+  };
+}
+```
+
+## Forgejo Runner
+
+The runner executes CI/CD pipelines defined in `.forgejo/workflows/`.
+
+### Get Runner Token
+
+1. Go to Forgejo Admin Panel
+2. Navigate to Actions > Runners
+3. Create a new runner and copy the token
+
+### Add to Secrets
+
+```bash
+sops hosts/cryodev-main/secrets.yaml
+```
+
+```yaml
+forgejo-runner:
+  token: "your-runner-token"
+```
+
+### Configuration
+
+```nix
+{
+  sops.secrets."forgejo-runner/token" = { };
+  
+  services.gitea-actions-runner = {
+    instances.default = {
+      enable = true;
+      url = "https://git.cryodev.xyz";
+      tokenFile = config.sops.secrets."forgejo-runner/token".path;
+      labels = [ "ubuntu-latest:docker://node:20" ];
+    };
+  };
+}
+```
+
+## CI/CD Workflows
+
+### deploy-rs Workflow
+
+`.forgejo/workflows/deploy.yaml`:
+
+```yaml
+name: Deploy
+on:
+  push:
+    branches: [main]
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      
+      - name: Install Nix
+        uses: cachix/install-nix-action@v24
+        
+      - name: Deploy
+        env:
+          SSH_PRIVATE_KEY: ${{ secrets.DEPLOY_SSH_KEY }}
+        run: |
+          mkdir -p ~/.ssh
+          echo "$SSH_PRIVATE_KEY" > ~/.ssh/id_ed25519
+          chmod 600 ~/.ssh/id_ed25519
+          nix run .#deploy
+```
+
+## Administration
+
+### Create Admin User
+
+```bash
+sudo -u forgejo forgejo admin user create \
+  --username admin \
+  --password changeme \
+  --email admin@cryodev.xyz \
+  --admin
+```
+
+### Reset User Password
+
+```bash
+sudo -u forgejo forgejo admin user change-password \
+  --username USER \
+  --password NEWPASS
+```
+
+## Troubleshooting
+
+### Check Service Status
+
+```bash
+sudo systemctl status forgejo
+sudo systemctl status gitea-runner-default
+```
+
+### View Logs
+
+```bash
+sudo journalctl -u forgejo -f
+sudo journalctl -u gitea-runner-default -f
+```
+
+### Database Issues
+
+Forgejo uses SQLite by default. Database location:
+
+```bash
+ls -la /var/lib/forgejo/data/
+```