gitea: add actions runner and CI/CD deploy workflow

- enable gitea actions
- add native host runner (nix:host label, capacity 1)
- add gitea-runner system user with persisted state
- add agenix-encrypted CI secrets (deploy key, git-crypt key, runner token)
- authorize CI deploy key for root SSH
- add build-and-deploy workflow triggered on push to main

configuration.nix

@@ -26,6 +26,7 @@
     ./services/caddy.nix
     ./services/immich.nix
     ./services/gitea.nix
+    ./services/gitea-actions-runner.nix
     ./services/minecraft.nix
 
     ./services/wg.nix
@@ -249,6 +250,14 @@
 
   users.groups.${service_configs.media_group} = { };
 
+  users.users.gitea-runner = {
+    isSystemUser = true;
+    group = "gitea-runner";
+    home = "/var/lib/gitea-runner";
+    description = "Gitea Actions CI runner";
+  };
+  users.groups.gitea-runner = { };
+
   users.users.${username} = {
     isNormalUser = true;
     extraGroups = [