Add CI/CD infrastructure for animaltrack

New services:
- animaltrack.hcl: Python app with health checks and auto_revert
- act-runner.hcl: Gitea Actions runner on Nomad

New infrastructure:
- nix-runner/: Custom Nix Docker image for CI with modern Nix,
  local cache (c3), and bundled tools (skopeo, jq, etc.)

Modified:
- gitea.hcl: Enable Gitea Actions

The CI workflow (in animaltrack repo) builds Docker images with Nix,
pushes to Gitea registry, and triggers Nomad deployments with
automatic rollback on health check failure.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

services/act-runner.hcl

@@ -0,0 +1,75 @@
+# ABOUTME: Gitea Actions runner for CI/CD pipelines.
+# ABOUTME: Runs containerized actions with Docker-in-Docker support.
+
+# Setup required before running:
+#   sudo mkdir -p /data/services/act-runner
+#   nomad var put secrets/act-runner registration_token="<token-from-gitea-ui>"
+
+job "act-runner" {
+  datacenters = ["alo"]
+  type        = "service"
+
+  group "runner" {
+    network {
+      mode = "host"
+    }
+
+    task "runner" {
+      driver = "docker"
+
+      config {
+        image        = "gitea/act_runner:latest"
+        network_mode = "host"
+        privileged   = true
+        volumes = [
+          "/var/run/docker.sock:/var/run/docker.sock",
+          "/data/services/act-runner:/data",
+          "local/config.yaml:/.runner/config.yaml",
+        ]
+      }
+
+      template {
+        destination = "local/config.yaml"
+        data        = <<EOH
+log:
+  level: info
+runner:
+  file: /data/.runner
+  capacity: 2
+  timeout: 3h
+  labels:
+    - "ubuntu-latest:docker://node:20-bookworm"
+    - "nix:docker://nixos/nix:latest"
+cache:
+  enabled: true
+  dir: /data/cache
+container:
+  network: "host"
+  privileged: true
+  valid_volumes:
+    - /data/services/**
+EOH
+      }
+
+      env {
+        GITEA_INSTANCE_URL = "https://gitea.v.paler.net"
+        GITEA_RUNNER_LABELS = "ubuntu-latest:docker://node:20-bookworm,nix:docker://gitea.v.paler.net/ppetru/nix-runner:v4"
+      }
+
+      # Template needed for nomadVar interpolation (secrets) and Nomad runtime vars
+      template {
+        destination = "secrets/env.env"
+        env         = true
+        data        = <<EOH
+GITEA_RUNNER_REGISTRATION_TOKEN={{ with nomadVar "secrets/act-runner" }}{{ .registration_token }}{{ end }}
+GITEA_RUNNER_NAME={{ env "NOMAD_ALLOC_ID" }}
+EOH
+      }
+
+      resources {
+        cpu    = 2000
+        memory = 2048
+      }
+    }
+  }
+}

services/animaltrack.hcl

@@ -0,0 +1,87 @@
+# ABOUTME: Nomad job for AnimalTrack - poultry farm management app.
+# ABOUTME: Runs FastHTML Python app with SQLite, behind Traefik with OIDC auth.
+
+# Setup required before running:
+#   sudo mkdir -p /data/services/animaltrack && sudo chown 1000:1000 /data/services/animaltrack
+#   nomad var put secrets/animaltrack csrf_secret="$(nix shell nixpkgs#openssl -c openssl rand -base64 32)"
+
+job "animaltrack" {
+  datacenters = ["alo"]
+
+  # Force re-pull of :latest images on each nomad run
+  meta {
+    uuid = uuidv4()
+  }
+
+  update {
+    max_parallel      = 1
+    health_check      = "checks"
+    min_healthy_time  = "30s"
+    healthy_deadline  = "5m"
+    progress_deadline = "10m"
+    auto_revert       = true
+  }
+
+  group "web" {
+    network {
+      port "http" {
+        to = 3366
+      }
+    }
+
+    task "app" {
+      driver = "docker"
+      user   = "1000"
+
+      config {
+        image      = "gitea.v.paler.net/ppetru/animaltrack:latest"
+        ports      = ["http"]
+        force_pull = true
+        volumes    = ["/data/services/animaltrack:/var/lib/animaltrack"]
+      }
+
+      env {
+        DB_PATH           = "/var/lib/animaltrack/animaltrack.db"
+        AUTH_HEADER_NAME  = "X-Oidc-Username"
+        SEED_ON_START     = "true"
+        TRUSTED_PROXY_IPS = "192.168.1.0/24"
+      }
+
+      # Template needed for nomadVar interpolation (secrets)
+      template {
+        destination = "secrets/env.env"
+        env         = true
+        data        = <<EOH
+CSRF_SECRET={{ with nomadVar "secrets/animaltrack" }}{{ .csrf_secret }}{{ end }}
+EOH
+      }
+
+      resources {
+        memory = 512
+      }
+
+      service {
+        name = "animaltrack"
+        port = "http"
+
+        tags = [
+          "traefik.enable=true",
+          "traefik.http.routers.animaltrack.entryPoints=websecure",
+          "traefik.http.routers.animaltrack.middlewares=oidc-auth@file",
+        ]
+
+        check {
+          type     = "http"
+          path     = "/healthz"
+          interval = "10s"
+          timeout  = "5s"
+
+          check_restart {
+            limit = 3
+            grace = "60s"
+          }
+        }
+      }
+    }
+  }
+}

services/gitea.hcl

@@ -19,7 +19,9 @@ job "gitea" {
       driver = "docker"
 
       config {
-        image = "gitea/gitea:latest-rootless"
+        # TODO: revert to latest once 1.25.1+ is released
+        #image = "gitea/gitea:latest-rootless"
+        image = "gitea/gitea:1.25-nightly-rootless"
         ports = [
           "http",
           "ssh",
@@ -42,6 +44,8 @@ job "gitea" {
         GITEA__mailer__FROM = "gitea@paler.net"
         GITEA__mailer__PROTOCOL = "smtp"
         GITEA__mailer__SMTP_ADDR = "192.168.1.1"
+        GITEA__actions__ENABLED = "true"
+        GITEA__actions__DEFAULT_ACTIONS_URL = "https://gitea.com"
       }
 
       service {