Runner on the same host cannot reach Forgejo via the public HTTPS URL
during boot (ACME certs not ready, nginx not fully up). Use the local
HTTP endpoint instead.
The gitea-actions-runner NixOS module expects tokenFile to be an
EnvironmentFile containing TOKEN=<value>, but sops-nix writes only
the raw secret value. Use a sops template to prepend TOKEN= prefix.
- Extract forgejo-runner config from forgejo.nix into forgejo-runner.nix
- Move forgejo-runner to stage 2 (requires running Forgejo for token)
- Remove all stage-2 secrets from sops.nix (each service file owns its secrets)
- Update first-install docs with corrected staged deployment flow
- Fixes deployment failure caused by runner crashing with placeholder token
