feat: fw update gitea to use a docker image with puppeteer, webp and avif deps

Implement AVIF image content negotiation with WebP fallback for
cloonar.dev website. Browser will receive AVIF if supported and
available, otherwise WebP, falling back to original JPEG/PNG.

- Add AVIF-first content negotiation in image location block
- Maintain existing WebP fallback logic
- Include .avif in long-term cache headers (365d)
- Add Vary: Accept header for proper CDN/browser caching

AVIF files should be placed at /avif/$request_uri.avif to be served.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

hosts/fw/modules/gitea-runner-image-README.md

@@ -0,0 +1,44 @@
+# Gitea Runner Docker Image
+
+This directory contains the Dockerfile for the custom Gitea Actions runner image that includes additional dependencies needed for CI workflows.
+
+## Included Tools
+
+- **Base**: `shivammathur/node:latest` (includes Node.js and common development tools)
+- **Chrome dependencies**: Full Puppeteer/Chromium dependencies for headless browser testing
+- **webp**: WebP image format tools (`cwebp`, `dwebp`)
+- **libavif-bin**: AVIF image format tools (`avifenc`, `avifdec`)
+
+## Building the Image
+
+```bash
+cd hosts/fw/modules
+docker build -f gitea-runner.Dockerfile -t git.cloonar.com/infrastructure/gitea-runner:latest .
+```
+
+## Pushing to Registry
+
+First, authenticate with your Gitea container registry:
+
+```bash
+docker login git.cloonar.com
+```
+
+Then push the image:
+
+```bash
+docker push git.cloonar.com/infrastructure/gitea-runner:latest
+```
+
+## Using the Image
+
+The image is already configured in `gitea-vm.nix` and will be used automatically by the Gitea Actions runners for jobs labeled with `ubuntu-latest`.
+
+## Updating the Image
+
+When you need to add new dependencies:
+
+1. Edit `gitea-runner.Dockerfile`
+2. Rebuild the image with the commands above
+3. Push to the registry
+4. Restart the runner VMs: `systemctl restart microvm@git-runner-1.service microvm@git-runner-2.service`

hosts/fw/modules/gitea-runner.Dockerfile

@@ -0,0 +1,47 @@
+FROM shivammathur/node:latest
+
+# Install Chrome dependencies for Puppeteer
+RUN apt-get update && apt-get install -y \
+    ca-certificates \
+    fonts-liberation \
+    libappindicator3-1 \
+    libasound2t64 \
+    libatk-bridge2.0-0 \
+    libatk1.0-0 \
+    libc6 \
+    libcairo2 \
+    libcups2 \
+    libdbus-1-3 \
+    libexpat1 \
+    libfontconfig1 \
+    libgbm1 \
+    libgcc-s1 \
+    libglib2.0-0 \
+    libgtk-3-0 \
+    libnspr4 \
+    libnss3 \
+    libpango-1.0-0 \
+    libpangocairo-1.0-0 \
+    libstdc++6 \
+    libx11-6 \
+    libx11-xcb1 \
+    libxcb1 \
+    libxcomposite1 \
+    libxcursor1 \
+    libxdamage1 \
+    libxext6 \
+    libxfixes3 \
+    libxi6 \
+    libxrandr2 \
+    libxrender1 \
+    libxss1 \
+    libxtst6 \
+    lsb-release \
+    wget \
+    xdg-utils \
+    webp \
+    libavif-bin \
+    && rm -rf /var/lib/apt/lists/*
+
+# Verify installations
+RUN cwebp -version && avifenc --version

hosts/fw/modules/gitea-vm.nix

@@ -55,7 +55,8 @@ in {
         name = runner;
         tokenFile = "/run/secrets/gitea-runner-token";
         labels = [
-          "ubuntu-latest:docker://shivammathur/node:latest"
+          # "ubuntu-latest:docker://shivammathur/node:latest"
+          "ubuntu-latest:docker://git.cloonar.com/infrastructure/gitea-runner:latest"
         ];
         settings = {
           container = {

hosts/fw/modules/gitea.nix

@@ -70,6 +70,9 @@ in
         sslCertificateKey = "/var/lib/acme/gitea/key.pem";
         sslTrustedCertificate = "/var/lib/acme/gitea/chain.pem";
         forceSSL = true;
+        extraConfig = ''
+          client_max_body_size 2048M;
+        '';
         locations."/" = {
           proxyPass = "http://localhost:3001/";
         };
@@ -109,6 +112,12 @@ in
             USER           = "gitea@cloonar.com";
           };
           actions.ENABLED=true;
+          attachment = {
+            MAX_SIZE = 2048;  # 2GB in MB for general attachments
+          };
+          packages = {
+            ENABLED = true;
+          };
         };
       };
 

hosts/nb/users/dominik.nix

@@ -655,7 +655,7 @@ in
         };
         "tools.epicenter.works" = {
           user = "root";
-          identityFile = "~/.ssh/epicenter.id_rsa";
+          identityFile = "~/.ssh/epicenter_id_ed25519";
         };
         "*.epicenter.works !tools.epicenter.works" = {
           user = "dominik";

hosts/web-arm/sites/cloonar.com.nix

@@ -62,7 +62,7 @@ in {
     #home = "/home/${domain}";
     group  = "nginx";
     openssh.authorizedKeys.keys = [
-      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC1CQqL1hQV3Lb6hqzDt2mgr0IasBRlIrdUCM+QibgKcU1VUWEJTo1nkcwgunnpUROtCQPRtlBZWwdqphKNrpMf3PkCPnjkcQC/2dGcFUXbkGq+5NaMnXpQnt7XAPyqxAT/9nCnXM9y3IBWjL9jN3C4l+yZHuMChi1a3q/6cNNH7WORkC1hq7MMyIvRCh6HDPwq1XCEj0w7O6m0iBmXIwiXyh3ly6ruWmkNQToPc1s2QuIE/w0yXoOF7Ubxtdf/GH2Yu0f+ztJrOveuiLlsNWx596lQwDlYa58ib0nPPtnFVf8od59F/UC8lOFtMsSY/d5ArOnqKjk6iWNaOh15WLr7wj9lrHJkiD+9fgXLyaaxVLt4NYGwyi7SZn7P1lHz6kjFr9UmRvfth6nGGoCvvfQZB8MAE0FhcTHb9fXC1m/NengWf40VQ8woZLZ4mRPWZBxrSnymgFiIvSYSqxnP3QNID4quaQ8sPyXYygbtt38qXAg/Ixyud0vgZN4H/rbW+DE="
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKKKJEgyfKyz5sf5GT0HYXiDmf36fnLe/exbXbRpsNJi"
     ];
   };
   users.groups.${domain} = {};

hosts/web-arm/sites/cloonar.dev.nix

@@ -14,20 +14,42 @@ in {
     '';
 
     locations."~* \.(jpe?g|png)$".extraConfig = ''
-      set $red Z;
+      set $img_format Z;
+
+      # Check for AVIF support (highest priority)
+      if ($http_accept ~* "avif") {
+          set $img_format A;
+      }
+
+      if (-f $document_root/avif/$request_uri.avif) {
+          set $img_format "''${img_format}V";
+      }
+
+      # Serve AVIF if supported and available
+      if ($img_format = "AV") {
+          add_header Vary Accept;
+          rewrite ^ /avif/$request_uri.avif break;
+      }
+
+      # Reset and check for WebP support (fallback)
+      set $img_format Z;
 
       if ($http_accept ~* "webp") {
-          set $red A;
+          set $img_format W;
       }
 
       if (-f $document_root/webp/$request_uri.webp) {
-          set $red "''${red}B";
+          set $img_format "''${img_format}P";
       }
 
-      if ($red = "AB") {
+      # Serve WebP if supported and available
+      if ($img_format = "WP") {
           add_header Vary Accept;
-          rewrite ^ /webp/$request_uri.webp;
+          rewrite ^ /webp/$request_uri.webp break;
       }
+
+      # If neither AVIF nor WebP matched, serve original format
+      add_header Vary Accept;
     '';
 
     locations."^~ /vcards/".extraConfig = ''
@@ -40,7 +62,7 @@ in {
         try_files $uri $uri/ /vcards/index.php$is_args$args;
     '';
 
-    locations."~* \.(js|jpg|gif|png|webp|css|woff2)$".extraConfig = ''
+    locations."~* \.(js|jpg|gif|png|webp|avif|css|woff2)$".extraConfig = ''
       expires 365d;
       add_header Pragma "public";
       add_header Cache-Control "public";