fix forgejo-runner token: use SOPS template with TOKEN= prefix

The gitea-actions-runner NixOS module expects tokenFile to be an
EnvironmentFile containing TOKEN=<value>, but sops-nix writes only
the raw secret value. Use a sops template to prepend TOKEN= prefix.

hosts/cryodev-main/secrets.yaml

@@ -1,7 +1,7 @@
 tailscale:
     auth-key: ENC[AES256_GCM,data:v5C3DqYJsDKq6oUa/3G6WKxyKeIK4EJLNxWMbKjSbwe5MPtS4sZjFszMviKcEVGW,iv:4G8irABGuVhOYnK15EjbpNQ4B9VY/NdwCrfz+YAMzvA=,tag:0Vhq/TJgx+48frRy30yKFg==,type:str]
 forgejo-runner:
-    token: ENC[AES256_GCM,data:/i9KVMeEXYwQnn0=,iv:pILMNbhDviifDUFRINi6n9dtGSAeqxKMdBgjYwtXXEM=,tag:JCj5v5BZdZteo0MdTVKREw==,type:str]
+    token: ENC[AES256_GCM,data:sdnJcyRiTLxXoZDNbEzJAjpiK+iSUH0gV0XwbEQf94IE/6IZz5/zHw==,iv:py+qqp3VAwBGEpYiQwft3jnQS943JaBlrcckColv4f8=,tag:rtmRwW8rpXB6Pv+LSkp+Fw==,type:str]
 headplane:
     cookie_secret: ENC[AES256_GCM,data:HICF31i6yCLZGNeOFYTR3Bp0a7i0UKOvGAvx/pD3NB4=,iv:ZtK8r1YUWnf5Af0Ls341k0w1mZm+D5Rb0E1uS5z/Gdo=,tag:vwM9+4dpcmnjn/wR6Ty/MQ==,type:str]
     agent_pre_authkey: ENC[AES256_GCM,data:QvhPi2lhyP7w6HTeOSS8660NzIY9Q6AOhlOGQXnvz+qYu9vOAMQPOFMZfie5+e8g,iv:X60wVOEUIsTiMHrrd4lId0VpR7VfFDr74p8RGka3+18=,tag:kIvaHrOWIM+VQ+Qz1GiheQ==,type:str]
@@ -31,7 +31,7 @@ sops:
             MEpGbGlQbVRsM1NxN1JxY2J1MVNTTE0KuIvuM2c1VIXKv0LGLb0NwqtSyBYcRcb1
             uiIjNV0UzEt/WvnCeUTMPgIXBHk6jWcaKe13v6MHeha+/CVZ9Su/Lw==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-03-14T11:30:38Z"
+    lastmodified: "2026-03-14T11:38:57Z"
-    mac: ENC[AES256_GCM,data:CbK8Yd39gpxLd2m5O43UKOW3jU1h4d7NRyQd3IruxEsUgokt1v9W9aXTyXvyv4fnbOaYqGxw7e8a08MECS3GtUuFpXJFK4rWDET2mU2OweoG1h6uPejyg0ejPHa+PMI7dFcADTn6W//6WZcCbQhHrAuISrUG9/JZtOod28SZWp4=,iv:KtDNJnQwgNRETDA17v4jq0rESHADfaAH4cBeCUbeEv4=,tag:825/Y83J270NZ17mTmYMew==,type:str]
+    mac: ENC[AES256_GCM,data:gmxyp3XaHeU/CT2lgo14wIbJsKs/JrZmUPhgHwo1XRN5Sf/Su6lHOpVlQS1M6R3+ZlBnS/oEur+y0gydCCqhJK1C3Y5YuUfPlOWOeQWMVxQBqxWkyemvz5KgGseDc9nG09FpoGEYa4sSeuD1J6vRsGcZiOStaA6s8NICWivdWcQ=,iv:cYILLrScr7cFiLx5INbc9z3BT7LaCjLnCH0wdn3lZ1k=,tag:IIRb/Tu8YqWNiHXH7CSOfQ==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.11.0

hosts/cryodev-main/services/default.nix

@@ -10,8 +10,8 @@
     ./sops.nix
 
     # Stufe 2: Erst aktivieren wenn Headscale/Forgejo laufen und echte Secrets existieren
-    # ./forgejo-runner.nix  # braucht: forgejo-runner/token (Forgejo)
+    ./forgejo-runner.nix # braucht: forgejo-runner/token (Forgejo)
-    # ./headplane.nix       # braucht: headplane/agent_pre_authkey (Headscale)
+    ./headplane.nix # braucht: headplane/agent_pre_authkey (Headscale)
-    # ./tailscale.nix       # braucht: tailscale/auth-key (Headscale)
+    ./tailscale.nix # braucht: tailscale/auth-key (Headscale)
   ];
 }

hosts/cryodev-main/services/forgejo-runner.nix

@@ -13,10 +13,16 @@
   services.forgejo-runner = {
     enable = true;
     url = "https://${constants.services.forgejo.fqdn}";
-    tokenFile = config.sops.secrets."forgejo-runner/token".path;
+    tokenFile = config.sops.templates."forgejo-runner-token".path;
   };
 
   sops.secrets."forgejo-runner/token" = {
     mode = "0400";
   };
+
+  sops.templates."forgejo-runner-token" = {
+    content = ''
+      TOKEN=${config.sops.placeholder."forgejo-runner/token"}
+    '';
+  };
 }