The gitea-actions-runner NixOS module expects tokenFile to be an
EnvironmentFile containing TOKEN=<value>, but sops-nix writes only
the raw secret value. Use a sops template to prepend TOKEN= prefix.
- Extract forgejo-runner config from forgejo.nix into forgejo-runner.nix
- Move forgejo-runner to stage 2 (requires running Forgejo for token)
- Remove all stage-2 secrets from sops.nix (each service file owns its secrets)
- Update first-install docs with corrected staged deployment flow
- Fixes deployment failure caused by runner crashing with placeholder token
