fix: remove stack before secret rotation (scale=0 doesn't free secret refs)

docker stack rm nalu releases all secret references.
Wait for services to terminate before recreating secrets.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

.gitea/workflows/deploy-nalu.yml

@@ -211,9 +211,11 @@ jobs:
         ssh -o StrictHostKeyChecking=no ubuntu@${{ env.SWARM_MANAGER }} << SSHEOF
           set -e
 
-          # ── Scale down so secrets can be rotated ─────────────────────────
+          # ── Remove stack so secrets can be rotated ───────────────────────
-          docker service scale nalu_app=0 2>/dev/null || true
+          docker stack rm nalu 2>/dev/null || true
-          sleep 5
+          # wait until all nalu services are gone
+          timeout 60 bash -c 'until ! docker service ls 2>/dev/null | grep -q nalu_; do sleep 2; done' || true
+          sleep 3
 
           # ── Create/update Docker secrets ─────────────────────────────────
           update_secret() {