The nix-daemon runs as root and cannot access the gitea-runner user's
~/.ssh directory. Solution: write the deploy key and SSH config to
/etc/deploy/ and /etc/ssh/ssh_config.d/, which are readable by all
users, including the nix-daemon.
- Deploy key is written to /etc/deploy/key (cleaned up after deploy)
- SSH config in /etc/ssh/ssh_config.d/deploy.conf (cleaned up after)
- Minimal NOPASSWD sudo rules for gitea-runner to manage these files
- Reverts local deploy approach, back to deploy-rs over SSH

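The key-staging step described in the commit above, as an added example (editor's code, not the repository's own workflow). It stages the deploy key and an ssh_config(5) drop-in outside the runner's home, removes both when the wrapped deploy command exits, and derives the sudoers rules from the exact command lines it runs, so the NOPASSWD grant covers nothing wider. The Gitea host name git.example.org, the CI secret DEPLOY_KEY, the group gitea-runner, and whitespace-free paths are assumptions not taken from the page; so is the 0640 root:gitea-runner mode, which lets root (the nix-daemon) and the runner read the key without making it world-readable as the commit describes.

```shell
#!/bin/sh
# Added example, not the repository's own CI workflow. Stages a deploy key and
# an ssh_config(5) drop-in outside the runner's home so that both the
# gitea-runner user and the root-owned nix-daemon can read them, and removes
# both when the wrapped command exits. Assumptions (not from the commit log):
# the Gitea host name git.example.org, the CI secret DEPLOY_KEY, the group
# gitea-runner, and whitespace-free paths (the command strings are word-split).
set -eu

: "${SUDO=sudo}"                        # SUDO="" when already root (or in tests)
: "${DEPLOY_DIR=/etc/deploy}"
: "${SSH_CONF_DIR=/etc/ssh/ssh_config.d}"
: "${KEY_GROUP=gitea-runner}"           # group that may read the key besides root
: "${GIT_HOST=git.example.org}"
INSTALL=$(command -v install)
RM=$(command -v rm)

# The exact privileged commands, used both to generate the sudoers rules and to
# run them, so the NOPASSWD grant is as narrow as what the script executes.
# 0640 root:$KEY_GROUP lets root (nix-daemon) and the runner read the key
# without making it world-readable.
cmd_mkdir() { printf '%s' "$INSTALL -d -m 0750 -g $KEY_GROUP $DEPLOY_DIR"; }
cmd_key()   { printf '%s' "$INSTALL -m 0640 -g $KEY_GROUP /dev/stdin $DEPLOY_DIR/key"; }
cmd_conf()  { printf '%s' "$INSTALL -m 0644 /dev/stdin $SSH_CONF_DIR/deploy.conf"; }
cmd_rm()    { printf '%s' "$RM -f $DEPLOY_DIR/key $SSH_CONF_DIR/deploy.conf"; }

# Sudoers fragment for /etc/sudoers.d/gitea-runner: one rule per fixed command line.
sudoers_rules() {
    for c in "$(cmd_mkdir)" "$(cmd_key)" "$(cmd_conf)" "$(cmd_rm)"; do
        printf 'gitea-runner ALL=(root) NOPASSWD: %s\n' "$c"
    done
}

# ssh_config(5) drop-in: pin the key to the git host, ignore agent keys and
# refuse unknown host keys (the host key must be in /etc/ssh/ssh_known_hosts).
ssh_config_fragment() {
    cat <<EOF
Host $GIT_HOST
    IdentityFile $DEPLOY_DIR/key
    IdentitiesOnly yes
    StrictHostKeyChecking yes
    UserKnownHostsFile /etc/ssh/ssh_known_hosts
EOF
}

# $1: private key material (from the CI secret). It is piped straight into
# install, which creates the file with its final mode, so the key never sits
# in a temp file or in a file that is briefly readable before a chmod.
stage_deploy_files() {
    $SUDO $(cmd_mkdir)
    printf '%s\n' "$1" | $SUDO $(cmd_key)
    ssh_config_fragment | $SUDO $(cmd_conf)
}

cleanup_deploy_files() { $SUDO $(cmd_rm); }

# Usage: DEPLOY_KEY="$(cat id_ed25519)" sh stage-deploy-key.sh deploy . --hostname host
main() {
    stage_deploy_files "${DEPLOY_KEY:?set DEPLOY_KEY to the private deploy key}"
    trap cleanup_deploy_files EXIT INT TERM
    "$@"
}

[ $# -eq 0 ] || main "$@"
```

Run `sudoers_rules` once to produce the fragment for /etc/sudoers.d/ (validate it with `visudo -c`), then wrap the deploy-rs invocation in `main`; because the trap fires on EXIT, the key and the SSH config are removed even when deploy-rs fails.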
Runner runs on the same server it deploys to, so SSH to itself was
unnecessarily complex. Now builds locally and activates directly.
- Replace deploy-rs SSH workflow with local build + switch
- Add NOPASSWD sudo for gitea-runner to run nix-env and
switch-to-configuration (required for local deployment)
- Remove SSH key setup from deploy workflow