refactor(modules/lib): hoist the renderer + helpers shared with forgejo

Both `services/<svc>/lib.nix` files had ~270 lines of copy-pasted
renderer machinery (option helpers, resourceOptions generator,
cleanNulls, the tf-config builder with resolveRef + substituteSecrets
+ renderItem + the credential map). Move every shared piece into
`modules/lib/default.nix`:

  - option helpers (oStr/oBool/oInt/oListStr/oAttrsStr/oSub/oListSub/
    rStr/rBool/rMapStr) -- the union of what either pairing used.
  - cleanNulls.
  - resourceOptions, now a function of `resourceTypes`.
  - mkTfConfig: takes resourceTypes + a per-provider record
    (providerName, providerSource, providerVersion, providerBlock,
    runtimePrefix, tokenVar, extraSensitiveVars) and returns
    cfg -> { config; credentials; }.

The keycloak renderer (recursive substituteSecrets walk +
list-of-managed-refs + blockAttrs wrapping) becomes the canonical one
-- a strict superset of forgejo's flat flavour, and forgejo uses none
of the extensions so behaviour is identical.

Net -245 lines; no behaviour change. forgejo + the 5 keycloak tests
cached green (rendered output byte-identical).

services/forgejo/lib.nix and services/keycloak/lib.nix now keep only
their provider import, executor, tokenVar (+ clientIdVar for keycloak),
provider-specific shared refs (realmRef etc.), the resourceTypes
record, and the genlib.mkTfConfig call. forgejo's dormant
requiredScopes stays in forgejo's lib.

Author: kmein