fix(ci): replace overlay2 sync with workspace bind mount for DooD

runner-config.yaml: correct path to /srv/gitea-workspace (VPS, not Synology).
docker-compose.observability.yml: revert 5 bind mounts to plain relative paths;
  OBS_CONFIG_DIR variable is no longer needed.
nightly.yml / release.yml: remove OBS_CONFIG_DIR env injection and the
  "Sync observability configs to host" step from both workflows.

With workdir_parent=/srv/gitea-workspace and an identical host<->container
bind mount, $(pwd) inside job containers resolves to a real host path the
daemon can find — no privileged container, no overlay2 inspection, no nsenter.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

.gitea/workflows/release.yml

@@ -83,7 +83,6 @@ jobs:
           GLITCHTIP_SECRET_KEY=${{ secrets.GLITCHTIP_SECRET_KEY }}
           GLITCHTIP_DOMAIN=https://glitchtip.archiv.raddatz.cloud
           SENTRY_DSN=${{ secrets.SENTRY_DSN }}
-          OBS_CONFIG_DIR=/srv/familienarchiv-production/obs-configs
           EOF
 
       - name: Build images
@@ -105,16 +104,6 @@ jobs:
             --env-file .env.production \
             up -d --wait --remove-orphans
 
-      - name: Sync observability configs to host
-        # DooD: same overlay2 trick as nightly.yml — see that file for the
-        # full rationale. Production path: /srv/familienarchiv-production/obs-configs.
-        run: |
-          OVERLAY=$(docker inspect "$(hostname)" --format '{{.GraphDriver.Data.MergedDir}}')
-          SRC="${OVERLAY}$(pwd)/infra/observability"
-          docker run --rm --privileged --pid=host \
-            alpine:3.21@sha256:48b0309ca019d89d40f670aa1bc06e426dc0931948452e8491e3d65087abc07d \
-            sh -c "nsenter -t 1 -m -- sh -c 'mkdir -p /srv/familienarchiv-production/obs-configs && cp -r \"${SRC}/.\" /srv/familienarchiv-production/obs-configs/'"
-
       - name: Start observability stack
         run: |
           docker compose \