Add Gitea Actions workflow for auto-deploy to LXC on push

SSH-based deploy: git pull, npm ci, build, db:push, systemctl restart.
Secrets configured in Gitea repo settings (DEPLOY_HOST, DEPLOY_USER,
DEPLOY_KEY). Includes setup guide in docs/ci-deploy-setup.md.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

.gitea/workflows/deploy.yml

@@ -0,0 +1,40 @@
+name: Deploy to LXC
+
+on:
+  push:
+    branches: [main]
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Deploy via SSH
+        uses: appleboy/ssh-action@v1
+        with:
+          host: ${{ secrets.DEPLOY_HOST }}
+          username: ${{ secrets.DEPLOY_USER }}
+          key: ${{ secrets.DEPLOY_KEY }}
+          port: ${{ secrets.DEPLOY_PORT || 22 }}
+          script: |
+            set -e
+
+            cd ${{ secrets.DEPLOY_PATH || '/home/bflr/buildfor_life_repair' }}
+
+            echo "==> Pulling latest code..."
+            git pull origin main
+
+            echo "==> Installing dependencies..."
+            npm ci --production=false
+
+            echo "==> Building..."
+            npm run build
+
+            echo "==> Running migrations..."
+            npm run db:push
+
+            echo "==> Restarting service..."
+            sudo systemctl restart bflr
+
+            echo "==> Waiting for startup..."
+            sleep 2
+            systemctl is-active --quiet bflr && echo "Deploy successful!" || (echo "Service failed to start!" && exit 1)

docs/ci-deploy-setup.md

@@ -0,0 +1,79 @@
+# CI/CD Deploy Setup
+
+Auto-deploys to your LXC server on every push to `main`.
+
+## 1. Server preparation
+
+On the LXC server, allow the deploy user to restart the service without a password:
+
+```bash
+# As root on the LXC
+echo "bflr ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart bflr, /usr/bin/systemctl status bflr" > /etc/sudoers.d/bflr-deploy
+chmod 440 /etc/sudoers.d/bflr-deploy
+```
+
+Make sure the repo is cloned and the app works manually first (see `docs/deploy-proxmox-lxc.md`).
+
+## 2. Generate a deploy SSH key
+
+On your local machine (or the Gitea runner):
+
+```bash
+ssh-keygen -t ed25519 -C "gitea-deploy" -f deploy_key -N ""
+```
+
+Copy the **public** key to the server:
+
+```bash
+ssh-copy-id -i deploy_key.pub bflr@your-lxc-ip
+```
+
+## 3. Add secrets in Gitea
+
+Go to your repo on git.b4l.co.th → **Settings** → **Actions** → **Secrets**, and add:
+
+| Secret | Value |
+|--------|-------|
+| `DEPLOY_HOST` | LXC server IP (e.g. `192.168.1.50`) |
+| `DEPLOY_USER` | SSH user (e.g. `bflr`) |
+| `DEPLOY_KEY` | Contents of `deploy_key` (the private key, not .pub) |
+| `DEPLOY_PORT` | SSH port (optional, defaults to 22) |
+| `DEPLOY_PATH` | App directory (optional, defaults to `/home/bflr/buildfor_life_repair`) |
+
+## 4. Enable Actions in Gitea
+
+Make sure Gitea Actions is enabled on your instance:
+
+```ini
+# In app.ini (Gitea config)
+[actions]
+ENABLED = true
+```
+
+You also need a runner registered. If you don't have one, install the Gitea runner on the Gitea host or another machine:
+
+```bash
+# Download the runner
+wget https://gitea.com/gitea/act_runner/releases/latest/download/act_runner-linux-amd64
+chmod +x act_runner-linux-amd64
+
+# Register with your Gitea instance
+./act_runner-linux-amd64 register --instance https://git.b4l.co.th --token <your-runner-token>
+
+# Start
+./act_runner-linux-amd64 daemon
+```
+
+## 5. Test
+
+Push any change to `main` and check the Actions tab in Gitea for the deploy log.
+
+## What the workflow does
+
+1. SSHs into the LXC server
+2. `git pull` the latest code
+3. `npm ci` to install dependencies
+4. `npm run build` to compile
+5. `npm run db:push` to apply any schema changes
+6. `sudo systemctl restart bflr` to restart the service
+7. Verifies the service started successfully