rename admin_key to steffen_key, add forgejo admin account step

- Rename SOPS key alias from generic admin_key to steffen_key in
  .sops.yaml and all docs (keys should identify the person, not a role)
- Add step 3.6 to first-install docs: create Forgejo admin account
  via CLI (required since DISABLE_REGISTRATION is enabled)
- Fix cryodev-pi_key comment naming in .sops.yaml

.sops.yaml

@@ -1,14 +1,14 @@
 keys:
-  - &admin_key age1e8p35795htf7twrejyugpzw0qja2v33awcw76y4gp6acnxnkzq0s935t4t
+  - &steffen_key age1e8p35795htf7twrejyugpzw0qja2v33awcw76y4gp6acnxnkzq0s935t4t # steffen (local)
   - &cryodev-main_key age1y6hushuapy0k04mrvvpev0t8lq44w904r596jus44nhkflky0yhqgq2xx6
 creation_rules:
   - path_regex: hosts/cryodev-main/secrets.yaml$
     key_groups:
       - age:
-          - *admin_key
+          - *steffen_key
           - *cryodev-main_key
   - path_regex: hosts/cryodev-pi/secrets.yaml$
     key_groups:
       - age:
-          - *admin_key
-        # - *pi_key # Add pi key here once obtained
+          - *steffen_key
+        # - *cryodev-pi_key # Add after Pi installation

docs/getting-started/first-install.md

@@ -166,14 +166,14 @@ Auf dem **Entwicklungsrechner** den neuen Host-Key in `.sops.yaml` eintragen:
 
 ```yaml
 keys:
-  - &admin_key age1e8p...     # Dein lokaler Admin-Key
+  - &steffen_key age1e8p...          # steffen (lokal)
   - &hostname_key age1abc...         # Key von Schritt 3.1
 
 creation_rules:
   - path_regex: hosts/<hostname>/secrets.yaml$
     key_groups:
       - age:
-          - *admin_key
+          - *steffen_key
           - *hostname_key
 ```
 
@@ -265,6 +265,23 @@ NIX_SSHOPTS="-p 2299" nixos-rebuild switch --flake .#<hostname> \
 
 Nach diesem Deploy laufen Headscale, Forgejo, Mailserver und Nginx.
 
+### 3.6 Forgejo Admin-Account erstellen
+
+Beim ersten Start hat Forgejo noch keine Benutzer. Admin-Account per CLI anlegen
+(auf dem **Server**):
+
+```bash
+sudo -u forgejo forgejo --config /var/lib/forgejo/custom/conf/app.ini \
+  admin user create \
+  --username <benutzername> \
+  --email <email>@<domain> \
+  --password <passwort> \
+  --admin
+```
+
+> **Hinweis:** Da `DISABLE_REGISTRATION = true` gesetzt ist, koennen neue Accounts
+> nur per CLI erstellt werden.
+
 ## Schritt 4: Restliche Secrets generieren und alle Services aktivieren
 
 Nachdem der Server mit Headscale und Forgejo laeuft:

docs/getting-started/new-client.md

@@ -198,7 +198,7 @@ Auf dem Entwicklungsrechner:
 
 ```yaml
 keys:
-  - &admin_key age1e8p35795htf7twrejyugpzw0qja2v33awcw76y4gp6acnxnkzq0s935t4t
+  - &steffen_key age1e8p35795htf7twrejyugpzw0qja2v33awcw76y4gp6acnxnkzq0s935t4t  # steffen (local)
   - &neuer_pi_key age1xyz...  # Der neue Key
 
 creation_rules:
@@ -207,7 +207,7 @@ creation_rules:
   - path_regex: hosts/neuer-pi/secrets.yaml$
     key_groups:
       - age:
-        - *admin_key
+          - *steffen_key
           - *neuer_pi_key
 ```
 

docs/services/sops.md

@@ -31,7 +31,7 @@ Add the host key to `.sops.yaml`:
 
 ```yaml
 keys:
-  - &admin_key age1e8p35795htf7twrejyugpzw0qja2v33awcw76y4gp6acnxnkzq0s935t4t
+  - &steffen_key age1e8p35795htf7twrejyugpzw0qja2v33awcw76y4gp6acnxnkzq0s935t4t  # steffen (local)
   - &main_key age1...  # cryodev-main
   - &pi_key age1...    # cryodev-pi
 
@@ -39,13 +39,13 @@ creation_rules:
   - path_regex: hosts/cryodev-main/secrets.yaml$
     key_groups:
       - age:
-        - *admin_key
+          - *steffen_key
           - *main_key
 
   - path_regex: hosts/cryodev-pi/secrets.yaml$
     key_groups:
       - age:
-        - *admin_key
+          - *steffen_key
           - *pi_key
 ```
 

hosts/cryodev-main/secrets.yaml

@@ -1,10 +1,10 @@
 tailscale:
-    auth-key: ENC[AES256_GCM,data:APMZrLYEqywYTmc=,iv:KiFwgR3UXLXCdl9DlR5tJOr8XUyQEeDomPx9hOREhnw=,tag:32quLtu74EIxAgmjH3hvIw==,type:str]
+    auth-key: ENC[AES256_GCM,data:v5C3DqYJsDKq6oUa/3G6WKxyKeIK4EJLNxWMbKjSbwe5MPtS4sZjFszMviKcEVGW,iv:4G8irABGuVhOYnK15EjbpNQ4B9VY/NdwCrfz+YAMzvA=,tag:0Vhq/TJgx+48frRy30yKFg==,type:str]
 forgejo-runner:
     token: ENC[AES256_GCM,data:/i9KVMeEXYwQnn0=,iv:pILMNbhDviifDUFRINi6n9dtGSAeqxKMdBgjYwtXXEM=,tag:JCj5v5BZdZteo0MdTVKREw==,type:str]
 headplane:
     cookie_secret: ENC[AES256_GCM,data:HICF31i6yCLZGNeOFYTR3Bp0a7i0UKOvGAvx/pD3NB4=,iv:ZtK8r1YUWnf5Af0Ls341k0w1mZm+D5Rb0E1uS5z/Gdo=,tag:vwM9+4dpcmnjn/wR6Ty/MQ==,type:str]
-    agent_pre_authkey: ENC[AES256_GCM,data:aYkPZTR4fwArcKQ=,iv:+OhbIpwsyCJ4i4k8eyCKYAHE25F4iUHfdM+CG0+BQd8=,tag:BkT73WPjOv5Lu6dCFBXxWg==,type:str]
+    agent_pre_authkey: ENC[AES256_GCM,data:QvhPi2lhyP7w6HTeOSS8660NzIY9Q6AOhlOGQXnvz+qYu9vOAMQPOFMZfie5+e8g,iv:X60wVOEUIsTiMHrrd4lId0VpR7VfFDr74p8RGka3+18=,tag:kIvaHrOWIM+VQ+Qz1GiheQ==,type:str]
 mailserver:
     accounts:
         admin: ENC[AES256_GCM,data:gY2k3x3sA98yGNLcSWUr9aC0566MJM2UXhwLtWPUL3PRvxQt0XOzjeiC7ddgbqTAol4dBNeaV0zbFInD,iv:rxp0M9kHMgD73K+RDC562sUpXaJ067eU1CeciAke+LM=,tag:VKobduo/ZULAk17M9LD3bw==,type:str]
@@ -31,7 +31,7 @@ sops:
             MEpGbGlQbVRsM1NxN1JxY2J1MVNTTE0KuIvuM2c1VIXKv0LGLb0NwqtSyBYcRcb1
             uiIjNV0UzEt/WvnCeUTMPgIXBHk6jWcaKe13v6MHeha+/CVZ9Su/Lw==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-03-14T10:28:25Z"
-    mac: ENC[AES256_GCM,data:oeT8I9gMIAPnm8wlNUFjn/0UT6qfTA//fLp3USO33FMsNIOWmqt3kB4NsozS+n6ZeMxBVWQZPss8t819DYqv0xQarzfOqQe1idCGCB+7NBFcFP2VLFzkIH+9Wei9AJSlR3BRnzyVaQDi797P6pEXFn/IoQWPWZ8sX8ZKugOfY0w=,iv:RjsKhPcVZBHHLs1W3PDhcseGLV4eawafg0is6KrzhtE=,tag:ifkobUteslEZ78OvkZw8JQ==,type:str]
+    lastmodified: "2026-03-14T11:30:38Z"
+    mac: ENC[AES256_GCM,data:CbK8Yd39gpxLd2m5O43UKOW3jU1h4d7NRyQd3IruxEsUgokt1v9W9aXTyXvyv4fnbOaYqGxw7e8a08MECS3GtUuFpXJFK4rWDET2mU2OweoG1h6uPejyg0ejPHa+PMI7dFcADTn6W//6WZcCbQhHrAuISrUG9/JZtOod28SZWp4=,iv:KtDNJnQwgNRETDA17v4jq0rESHADfaAH4cBeCUbeEv4=,tag:825/Y83J270NZ17mTmYMew==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.11.0