gitea: add actions runner and CI/CD deploy workflow

This will avoid me having to run "deploy" myself on my laptop.
All I will need to do is push a commit and it will self-deploy.

modules/age-secrets.nix

@@ -68,19 +68,19 @@
       group = "root";
     };
 
-    # ntfy-alerts secrets
+    # ntfy-alerts secrets (group-readable for CI runner notifications)
     ntfy-alerts-topic = {
       file = ../secrets/ntfy-alerts-topic.age;
-      mode = "0400";
+      mode = "0440";
       owner = "root";
-      group = "root";
+      group = "gitea-runner";
     };
 
     ntfy-alerts-token = {
       file = ../secrets/ntfy-alerts-token.age;
-      mode = "0400";
+      mode = "0440";
       owner = "root";
-      group = "root";
+      group = "gitea-runner";
     };
 
     # Firefox Sync server secrets (SYNC_MASTER_SECRET)
@@ -128,5 +128,36 @@
       group = "continuwuity";
     };
 
+    # CI deploy SSH key
+    ci-deploy-key = {
+      file = ../secrets/ci-deploy-key.age;
+      mode = "0400";
+      owner = "gitea-runner";
+      group = "gitea-runner";
+    };
+
+    # Git-crypt symmetric key for dotfiles repo
+    git-crypt-key-dotfiles = {
+      file = ../secrets/git-crypt-key-dotfiles.age;
+      mode = "0400";
+      owner = "root";
+      group = "root";
+    };
+
+    # Git-crypt symmetric key for server-config repo
+    git-crypt-key-server-config = {
+      file = ../secrets/git-crypt-key-server-config.age;
+      mode = "0400";
+      owner = "gitea-runner";
+      group = "gitea-runner";
+    };
+
+    # Gitea Actions runner registration token
+    gitea-runner-token = {
+      file = ../secrets/gitea-runner-token.age;
+      mode = "0400";
+      owner = "gitea-runner";
+      group = "gitea-runner";
+    };
   };
 }

modules/impermanence.nix

@@ -24,6 +24,7 @@
       # ZFS cache directory - persisting the directory instead of the file
       # avoids "device busy" errors when ZFS atomically updates the cache
       "/etc/zfs"
+      "/var/lib/gitea-runner"
     ];
 
     files = [