feat(_update): replace watchtower with custom nightly update script

Removes the watchtower container in favour of a host-side script that
runs daily at 2:00 AM via systemd timer.  Mirrors the _backup pattern:
auto-discovers stacks, pulls images, recreates changed containers,
prunes dangling images, and notifies via n8n → Telegram.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

gitea/compose.yml

@@ -58,7 +58,6 @@ services:
       - "traefik.http.routers.gitea-web-secure.middlewares=security-headers@file"
       - "traefik.http.services.gitea-web-secure.loadbalancer.server.port=3000"
       - "traefik.docker.network=${NETWORK_NAME}"
-      - "com.centurylinklabs.watchtower.enable=true"
     networks:
       - compose_network
   runner:
@@ -78,7 +77,6 @@ services:
       - /var/run/docker.sock:/var/run/docker.sock
       - ./runner-config.yaml:/data/config.yaml:ro
     labels:
-      - "com.centurylinklabs.watchtower.enable=true"
     restart: always
     networks:
       - compose_network