restructure CI/CD: flake-check gates all deployments

Consolidate 4 separate workflows into 2:

- ci.yml (pull_request): flake-check -> build-hosts
- deploy.yml (push to main): flake-check -> deploy + build-pi-images

Previously, deploy and build-pi-image ran on push to main without
any checks. Now flake-check must pass before anything gets deployed
or built.

.forgejo/workflows/ci.yml

@@ -1,12 +1,24 @@
-name: Build hosts
+name: CI
 
-on:
-  pull_request:
-    branches:
-      - main
+on: [pull_request]
 
 jobs:
+  flake-check:
+    runs-on: docker
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Install Nix
+        uses: cachix/install-nix-action@v27
+        with:
+          nix_path: nixpkgs=channel:nixos-unstable
+
+      - name: Run flake check
+        run: nix flake check --impure
+
   build-hosts:
+    needs: flake-check
     runs-on: docker
     steps:
       - name: Checkout repository

.forgejo/workflows/deploy-main.yml

@@ -1,34 +0,0 @@
-name: Deploy cryodev-main
-
-on:
-  push:
-    branches:
-      - main
-
-jobs:
-  deploy-cryodev-main:
-    runs-on: docker
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v4
-
-      - name: Install Nix
-        uses: cachix/install-nix-action@v27
-        with:
-          nix_path: nixpkgs=channel:nixos-unstable
-
-      - name: Set up SSH
-        env:
-          DEPLOY_KEY: ${{ secrets.DEPLOY_SSH_KEY }}
-        run: |
-          mkdir -p ~/.ssh
-          echo "$DEPLOY_KEY" > ~/.ssh/id_ed25519
-          chmod 600 ~/.ssh/id_ed25519
-          
-          # Add host key (replace with actual host key or use ssh-keyscan in unsafe environments)
-          ssh-keyscan -H cryodev.xyz >> ~/.ssh/known_hosts
-
-      - name: Deploy with deploy-rs
-        run: |
-          # Deploy using deploy-rs
-          nix run github:serokell/deploy-rs -- -s .#cryodev-main

.forgejo/workflows/deploy.yml

@@ -1,27 +1,56 @@
-name: Build Raspberry Pi SD Images
+name: Deploy
 
 on:
   push:
     branches:
       - main
-    paths:
-      - 'hosts/**'
-      - 'modules/**'
-      - 'templates/**'
-      - 'flake.nix'
-      - 'flake.lock'
-      - 'constants.nix'
-  workflow_dispatch:
 
 jobs:
+  flake-check:
+    runs-on: docker
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Install Nix
+        uses: cachix/install-nix-action@v27
+        with:
+          nix_path: nixpkgs=channel:nixos-unstable
+
+      - name: Run flake check
+        run: nix flake check --impure
+
+  deploy-cryodev-main:
+    needs: flake-check
+    runs-on: docker
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Install Nix
+        uses: cachix/install-nix-action@v27
+        with:
+          nix_path: nixpkgs=channel:nixos-unstable
+
+      - name: Set up SSH
+        env:
+          DEPLOY_KEY: ${{ secrets.DEPLOY_SSH_KEY }}
+        run: |
+          mkdir -p ~/.ssh
+          echo "$DEPLOY_KEY" > ~/.ssh/id_ed25519
+          chmod 600 ~/.ssh/id_ed25519
+          ssh-keyscan -H cryodev.xyz >> ~/.ssh/known_hosts
+
+      - name: Deploy with deploy-rs
+        run: nix run github:serokell/deploy-rs -- -s .#cryodev-main
+
   build-pi-images:
+    needs: flake-check
     runs-on: host
     strategy:
       matrix:
-        # Add new Pi hosts to this list when created
         host: [cryodev-pi]
       fail-fast: false
-    
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
@@ -29,8 +58,6 @@ jobs:
       - name: Build SD image for ${{ matrix.host }}
         run: |
           echo "Building SD image for: ${{ matrix.host }}"
-          echo "This may take 30-60 minutes with emulation..."
-          
           nix build .#nixosConfigurations.${{ matrix.host }}.config.system.build.sdImage \
             --extra-platforms aarch64-linux \
             --out-link result-${{ matrix.host }}
@@ -73,7 +100,6 @@ jobs:
         run: |
           VERSION="v$(date +%Y-%m-%d)-$(git rev-parse --short HEAD)"
 
-          # Create release via API
           curl -s -X POST \
             -H "Authorization: token ${GITHUB_TOKEN}" \
             -H "Content-Type: application/json" \
@@ -84,7 +110,6 @@ jobs:
           RELEASE_ID=$(jq -r '.id' release.json)
           echo "Release ID: $RELEASE_ID"
 
-          # Upload all files
           for file in $(find artifacts -type f); do
             echo "Uploading: $(basename $file)"
             curl -s -X POST \

.forgejo/workflows/flake-check.yml

@@ -1,18 +0,0 @@
-name: Flake check
-
-on: [pull_request]
-
-jobs:
-  flake-check:
-    runs-on: docker
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v4
-
-      - name: Install Nix
-        uses: cachix/install-nix-action@v27
-        with:
-          nix_path: nixpkgs=channel:nixos-unstable
-
-      - name: Run flake check
-        run: nix flake check --impure