actions-runner: trust podman interfaces in firewall

Allow containers to reach the runner's cache service by trusting
podman network interfaces. Uses "podman+" wildcard to match any
podman-prefixed interface regardless of name.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

services/actions-runner/default.nix

@@ -1,5 +1,9 @@
 { config, pkgs, ... }:
 {
+  # Trust podman interfaces so containers can reach the runner's cache service.
+  # "podman+" is a wildcard matching any interface starting with "podman".
+  networking.firewall.trustedInterfaces = [ "podman+" ];
+
   virtualisation.podman = {
     enable = true;
     dockerCompat = true;