ci: add deploy workflow and authorize CI key for yarn

- add gitea actions workflow to build and deploy on push to main
- authorize CI deploy key for root SSH on desktop
- workflow unlocks git-crypt, builds yarn config, deploys if desktop reachable

.gitea/workflows/deploy.yml

@@ -0,0 +1,51 @@
+name: Build and Deploy Desktop
+on:
+  push:
+    branches: [main]
+
+jobs:
+  deploy:
+    runs-on: nix
+    steps:
+      - uses: https://github.com/actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Unlock git-crypt
+        run: |
+          git-crypt unlock /run/agenix/git-crypt-key-dotfiles
+
+      - name: Build NixOS configuration (yarn)
+        run: |
+          nix build .#nixosConfigurations.yarn.config.system.build.toplevel -L
+
+      - name: Deploy to desktop
+        run: |
+          eval $(ssh-agent -s)
+          ssh-add /run/agenix/ci-deploy-key
+          if ssh -i /run/agenix/ci-deploy-key -o StrictHostKeyChecking=no -o ConnectTimeout=10 root@desktop "echo reachable" 2>/dev/null; then
+            nix run github:serokell/deploy-rs -- .#yarn --ssh-opts="-o StrictHostKeyChecking=no"
+            echo "Deploy to desktop succeeded"
+          else
+            echo "Desktop unreachable - skipping deploy. Build succeeded."
+          fi
+
+      - name: Notify success
+        if: success()
+        run: |
+          curl -sf -X POST \
+            "https://ntfy.sigkill.computer/deployments" \
+            -H "Title: [yarn] Build succeeded" \
+            -H "Priority: default" \
+            -H "Tags: white_check_mark" \
+            -d "dotfiles built from commit ${GITHUB_SHA::8}"
+
+      - name: Notify failure
+        if: failure()
+        run: |
+          curl -sf -X POST \
+            "https://ntfy.sigkill.computer/deployments" \
+            -H "Title: [yarn] Build FAILED" \
+            -H "Priority: urgent" \
+            -H "Tags: rotating_light" \
+            -d "dotfiles build failed at commit ${GITHUB_SHA::8}"