replace deploy-rs CI with Comin pull-based deployment

- Add Comin service for cryodev-main (polls git repo, auto-deploys)
- Fix cryodev-pi Comin URL (cryodev-server.git -> cryodev.git)
- Remove deploy-rs from CI pipeline (was insecure with shared runner)
- Remove deploy SSH key, root SSH login, sudo rules for gitea-runner
- Revert PermitRootLogin back to 'no'
- CI now only runs flake-check + build (no deploy)
- Deployment happens via Comin (both hosts poll and self-deploy)

hosts/cryodev-main/deploy-key.pub

@@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFIPGMqOV+YrGle8X7/hctW4Sha/bzeTsTP9AcDN9bA2 forgejo-deploy

hosts/cryodev-main/services/comin.nix

@@ -0,0 +1,24 @@
+{
+  config,
+  pkgs,
+  outputs,
+  constants,
+  ...
+}:
+
+{
+  imports = [
+    outputs.nixosModules.comin
+  ];
+
+  services.comin = {
+    enable = true;
+    remotes = [
+      {
+        name = "origin";
+        url = "https://${constants.services.forgejo.fqdn}/steffen/cryodev.git";
+        branches.main.name = "main";
+      }
+    ];
+  };
+}

hosts/cryodev-main/services/default.nix

@@ -1,17 +1,15 @@
 {
   imports = [
-    # Stufe 1: Services ohne externe Abhaengigkeiten
+    ./comin.nix
     ./forgejo.nix
+    ./forgejo-runner.nix
+    ./headplane.nix
     ./headscale.nix
     ./mailserver.nix
     ./netdata.nix
     ./nginx.nix
     ./openssh.nix
     ./sops.nix
-
-    # Stufe 2: Erst aktivieren wenn Headscale/Forgejo laufen und echte Secrets existieren
-    ./forgejo-runner.nix # braucht: forgejo-runner/token (Forgejo)
-    ./headplane.nix # braucht: headplane/agent_pre_authkey (Headscale)
-    ./tailscale.nix # braucht: tailscale/auth-key (Headscale)
+    ./tailscale.nix
   ];
 }

hosts/cryodev-main/services/openssh.nix

@@ -9,9 +9,4 @@
   ];
 
   services.openssh.enable = true;
-
-  # Root SSH key for deploy-rs (key-only, no password)
-  users.users.root.openssh.authorizedKeys.keyFiles = [
-    ../deploy-key.pub
-  ];
 }

hosts/cryodev-pi/services/comin.nix

@@ -16,7 +16,7 @@
     remotes = [
       {
         name = "origin";
-        url = "https://${constants.services.forgejo.fqdn}/steffen/cryodev-server.git";
+        url = "https://${constants.services.forgejo.fqdn}/steffen/cryodev.git";
         branches.main.name = "main";
       }
     ];