nix-cache02: add native nix forgejo runner instance

Add a second runner instance (actions-native) that executes jobs
directly on the host, giving workflows persistent nix store access
and automatic binary cache population via Harmonia.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

hosts/nix-cache02/actions-runner.nix

@@ -1,4 +1,4 @@
-{ ... }:
+{ config, pkgs, ... }:
 {
   # Fetch runner token from Vault
   vault.secrets.forgejo-runner-token = {
@@ -13,4 +13,39 @@
     tokenFile = "/run/secrets/forgejo-runner-token";
     settings.runner.capacity = 4;
   };
+
+  # Fetch native runner token from Vault
+  vault.secrets.forgejo-native-runner-token = {
+    secretPath = "hosts/nix-cache02/forgejo-native-runner-token";
+    extractKey = "token";
+    mode = "0444";
+    services = [ "gitea-runner-actions-native" ];
+  };
+
+  # Native nix runner instance (user-level, no containers)
+  services.gitea-actions-runner.instances.actions-native = {
+    enable = true;
+    name = "${config.networking.hostName}-native";
+    url = "https://code.t-juice.club";
+    tokenFile = "/run/secrets/forgejo-native-runner-token";
+    labels = [ "native-nix:host" ];
+    hostPackages = with pkgs; [
+      bash
+      coreutils
+      curl
+      gawk
+      git
+      gnused
+      nodejs
+      wget
+      nix
+    ];
+    settings = {
+      runner.capacity = 4;
+      cache = {
+        enabled = true;
+        dir = "/var/lib/gitea-runner/actions-native/cache";
+      };
+    };
+  };
 }