actions-runner: add Forgejo runner to nix-cache02 with Vault token

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

hosts/nix-cache02/actions-runner.nix

@@ -0,0 +1,16 @@
+{ ... }:
+{
+  # Fetch runner token from Vault
+  vault.secrets.forgejo-runner-token = {
+    secretPath = "hosts/nix-cache02/forgejo-runner-token";
+    extractKey = "token";
+    mode = "0444";
+    services = [ "gitea-runner-actions1" ];
+  };
+
+  # Override token source and runner capacity
+  services.gitea-actions-runner.instances.actions1 = {
+    tokenFile = "/run/secrets/forgejo-runner-token";
+    settings.runner.capacity = 4;
+  };
+}