ci: add publish workflow with frontend and backend deploy

publish.yml — triggered on push to main, two parallel jobs:

frontend:
- Builds Vite frontend (fnm + npm ci + npm run build)
- Rsyncs dist/ to gitea_ci@UI_HOST:UI_PATH/
- Rsyncs nginx config to UI_HOST, creates sites-enabled symlink,
  runs nginx -t && systemctl reload nginx

backend:
- Builds release binary (cargo build --release -p ericrfb-proxy)
- Stops blekin.service on WS_HOST
- Rsyncs binary to WS_HOST:/usr/local/bin/ericrfb-proxy via sudo rsync
- Rsyncs systemd unit to WS_HOST:/etc/systemd/system/blekin.service
- Enables and starts the service

asset/nginx/blekin.kosherinata.internal.conf:
- Serves static frontend from UI_PATH
- Reverse proxies /api/ to frootmig:3000 with WebSocket upgrade
- 24h read/send timeouts for long-lived KVM sessions

asset/systemd/blekin.service:
- Runs ericrfb-proxy with BLEKIN_HOST=10.3.0.130
- Restart on failure with 5s backoff

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

.gitea/workflows/publish.yml

@@ -0,0 +1,78 @@
+name: Publish
+
+on:
+  push:
+    branches: [main]
+
+jobs:
+  frontend:
+    runs-on: rust
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install Node.js
+        run: |
+          curl -fsSL https://fnm.vercel.app/install | bash -s -- --skip-shell
+          export PATH="$HOME/.local/share/fnm:$PATH"
+          eval "$(fnm env)"
+          fnm install --lts
+          fnm use --lts
+          node --version
+          npm --version
+
+      - name: Build frontend
+        run: |
+          export PATH="$HOME/.local/share/fnm:$PATH"
+          eval "$(fnm env)"
+          cd crates/ericrfb-frontend
+          npm ci
+          npm run build
+
+      - name: Set up SSH
+        run: |
+          mkdir -p ~/.ssh
+          echo "${{ secrets.PUBLISH_KEY }}" > ~/.ssh/id_ed25519
+          chmod 600 ~/.ssh/id_ed25519
+          ssh-keyscan -H ${{ vars.UI_HOST }} >> ~/.ssh/known_hosts 2>/dev/null
+
+      - name: Deploy static files to UI host
+        run: |
+          rsync -avz --delete dist/ gitea_ci@${{ vars.UI_HOST }}:${{ vars.UI_PATH }}/
+
+      - name: Deploy nginx config and reload
+        run: |
+          rsync -avz asset/nginx/blekin.kosherinata.internal.conf gitea_ci@${{ vars.UI_HOST }}:/etc/nginx/sites-available/blekin.kosherinata.internal.conf
+          ssh gitea_ci@${{ vars.UI_HOST }} 'sudo /usr/bin/ln -sf /etc/nginx/sites-available/blekin.kosherinata.internal.conf /etc/nginx/sites-enabled/blekin.kosherinata.internal.conf && sudo /usr/bin/nginx -t && sudo /usr/bin/systemctl reload nginx.service'
+
+  backend:
+    runs-on: rust
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Build release binary
+        run: cargo build --release -p ericrfb-proxy
+
+      - name: Set up SSH
+        run: |
+          mkdir -p ~/.ssh
+          echo "${{ secrets.PUBLISH_KEY }}" > ~/.ssh/id_ed25519
+          chmod 600 ~/.ssh/id_ed25519
+          ssh-keyscan -H ${{ vars.WS_HOST }} >> ~/.ssh/known_hosts 2>/dev/null
+
+      - name: Stop service
+        run: |
+          ssh gitea_ci@${{ vars.WS_HOST }} 'sudo /usr/bin/systemctl stop blekin.service' || true
+
+      - name: Deploy binary
+        run: |
+          rsync -avz target/release/ericrfb-proxy gitea_ci@${{ vars.WS_HOST }}:~/ericrfb-proxy
+          ssh gitea_ci@${{ vars.WS_HOST }} 'sudo /usr/bin/rsync ~/ericrfb-proxy /usr/local/bin/ericrfb-proxy && rm ~/ericrfb-proxy'
+
+      - name: Deploy systemd unit
+        run: |
+          rsync -avz asset/systemd/blekin.service gitea_ci@${{ vars.WS_HOST }}:~/blekin.service
+          ssh gitea_ci@${{ vars.WS_HOST }} 'sudo /usr/bin/rsync ~/blekin.service /etc/systemd/system/blekin.service && rm ~/blekin.service'
+
+      - name: Start and enable service
+        run: |
+          ssh gitea_ci@${{ vars.WS_HOST }} 'sudo /usr/bin/systemctl enable blekin.service && sudo /usr/bin/systemctl start blekin.service'

asset/nginx/blekin.kosherinata.internal.conf

@@ -0,0 +1,22 @@
+server {
+    listen 80;
+    server_name blekin.kosherinata.internal;
+
+    root /var/www/blekin.kosherinata.internal;
+    index index.html;
+
+    location / {
+        try_files $uri $uri/ /index.html;
+    }
+
+    location /api/ {
+        proxy_pass http://frootmig.kosherinata.internal:3000;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_read_timeout 86400s;
+        proxy_send_timeout 86400s;
+    }
+}

asset/systemd/blekin.service

@@ -0,0 +1,16 @@
+[Unit]
+Description=blekin e-RIC RFB to HTML5 KVM proxy
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=simple
+ExecStart=/usr/local/bin/ericrfb-proxy
+WorkingDirectory=/var/lib/blekin
+Environment=RUST_LOG=ericrfb_proxy=info
+Environment=BLEKIN_HOST=10.3.0.130
+Restart=on-failure
+RestartSec=5
+
+[Install]
+WantedBy=multi-user.target