Add SD image pipeline, documentation overhaul, and fix module issues

- Add automatic SD image builds for Raspberry Pi via Forgejo Actions
- Enable binfmt emulation on cryodev-main for aarch64 cross-builds
- Add sd-image.nix module to cryodev-pi configuration
- Create comprehensive docs/ structure with installation guides
- Split installation docs into: first-install (server), reinstall, new-client (Pi)
- Add lib/utils.nix and apps/rebuild from synix
- Fix headplane module for new upstream API (tale/headplane)
- Fix various module issues (mailserver stateVersion, option conflicts)
- Add placeholder secrets.yaml files for both hosts
- Remove old INSTRUCTIONS.md (content moved to docs/)

hosts/cryodev-main/services/forgejo.nix

@@ -1,6 +1,5 @@
 {
   config,
-  pkgs,
   outputs,
   constants,
   ...
@@ -31,14 +30,17 @@
         USER = "forgejo@${constants.domain}";
       };
     };
-    sops = true; # Enable sops integration for secrets
   };
 
   services.forgejo-runner = {
     enable = true;
     url = "https://${constants.services.forgejo.fqdn}";
-    # Token needs to be set up via sops/secrets
-    sops = true;
+    tokenFile = config.sops.secrets."forgejo-runner/token".path;
+  };
+
+  sops.secrets."forgejo-runner/token" = {
+    # gitea-runner user is created by gitea-actions-runner service
+    mode = "0400";
   };
 
   services.nginx.virtualHosts."${constants.services.forgejo.fqdn}" = {