Add reusable CI/CD workflow and documentation

- .gitea/workflows/deploy-nomad.yaml: Shared workflow for build/push/deploy
- docs/CICD_SETUP.md: Guide for adding CI/CD to new services
- nix-runner/README.md: Document the custom Nix runner image

Services can now use a 10-line workflow that calls the shared one:
  uses: ppetru/alo-cluster/.gitea/workflows/deploy-nomad.yaml@master

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

.gitea/workflows/deploy-nomad.yaml

@@ -0,0 +1,96 @@
+# ABOUTME: Reusable workflow for building Nix Docker images and deploying to Nomad.
+# ABOUTME: Called by service repos with: uses: ppetru/alo-cluster/.gitea/workflows/deploy-nomad.yaml@master
+
+name: Deploy to Nomad
+
+on:
+  workflow_call:
+    inputs:
+      service_name:
+        required: true
+        type: string
+        description: "Nomad job name (must match job ID in services/*.hcl)"
+      flake_output:
+        required: false
+        type: string
+        default: "dockerImage"
+        description: "Flake output to build (default: dockerImage)"
+      registry:
+        required: false
+        type: string
+        default: "gitea.v.paler.net"
+        description: "Container registry hostname"
+    secrets:
+      REGISTRY_USERNAME:
+        required: true
+      REGISTRY_PASSWORD:
+        required: true
+      NOMAD_ADDR:
+        required: true
+
+jobs:
+  build-and-deploy:
+    runs-on: nix
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Build Docker image
+        run: |
+          echo "Building .#${{ inputs.flake_output }}..."
+          nix build ".#${{ inputs.flake_output }}" --out-link result
+
+      - name: Push to registry
+        run: |
+          echo "Pushing to ${{ inputs.registry }}/ppetru/${{ inputs.service_name }}:latest..."
+          skopeo copy \
+            --dest-creds "${{ secrets.REGISTRY_USERNAME }}:${{ secrets.REGISTRY_PASSWORD }}" \
+            --insecure-policy \
+            docker-archive:result \
+            "docker://${{ inputs.registry }}/ppetru/${{ inputs.service_name }}:latest"
+
+      - name: Deploy to Nomad
+        env:
+          NOMAD_ADDR: ${{ secrets.NOMAD_ADDR }}
+          SERVICE: ${{ inputs.service_name }}
+        run: |
+          echo "Deploying $SERVICE to Nomad..."
+
+          # Fetch current job, update UUID to force deployment
+          JOB=$(curl -sS "$NOMAD_ADDR/v1/job/$SERVICE")
+          NEW_UUID=$(cat /proc/sys/kernel/random/uuid)
+          echo "New deployment UUID: $NEW_UUID"
+          UPDATED_JOB=$(echo "$JOB" | jq --arg uuid "$NEW_UUID" '.Meta.uuid = $uuid')
+
+          # Submit updated job
+          RESULT=$(echo "{\"Job\": $UPDATED_JOB}" | curl -sS -X POST "$NOMAD_ADDR/v1/jobs" \
+            -H "Content-Type: application/json" -d @-)
+          echo "Submit result: $RESULT"
+
+          # Monitor deployment
+          sleep 3
+          DEPLOY_ID=$(curl -sS "$NOMAD_ADDR/v1/job/$SERVICE/deployments" | jq -r '.[0].ID')
+          echo "Deployment ID: $DEPLOY_ID"
+
+          if [ "$DEPLOY_ID" = "null" ]; then
+            echo "ERROR: No deployment created. Ensure job has 'update' stanza with 'auto_revert = true'"
+            exit 1
+          fi
+
+          echo "Monitoring deployment..."
+          for i in $(seq 1 30); do
+            STATUS=$(curl -sS "$NOMAD_ADDR/v1/deployment/$DEPLOY_ID" | jq -r '.Status')
+            echo "[$i/30] Deployment status: $STATUS"
+            case $STATUS in
+              successful)
+                echo "Deployment successful!"
+                exit 0
+                ;;
+              failed|cancelled)
+                echo "Deployment failed or cancelled"
+                exit 1
+                ;;
+            esac
+            sleep 10
+          done
+          echo "Timeout waiting for deployment"
+          exit 1