Add Attic binary cache and containerize gitea runner

Replace nix-serve-only setup with Attic for managed binary caching with
upstream filtering and GC. Move gitea actions runner from host into an
isolated NixOS container with private networking. nix-serve kept alongside
Attic during migration.

machines/storage/s0/hardware-configuration.nix

@@ -45,6 +45,12 @@
       fsType = "zfs";
       options = [ "zfsutil" "X-mount.mkdir" ];
     };
+  fileSystems."/var/lib/atticd" =
+    {
+      device = "rpool/nixos/var/lib/atticd";
+      fsType = "zfs";
+      options = [ "zfsutil" "X-mount.mkdir" ];
+    };
   fileSystems."/var/log" =
     {
       device = "rpool/nixos/var/log";
@@ -72,5 +78,5 @@
     };
   };
 
-  powerManagement.cpuFreqGovernor = "powersave";
+  powerManagement.cpuFreqGovernor = "schedutil";
 }