add CF Access service token for Gitea Actions runner

The Gitea CI runners need to authenticate to git.neuralplatform.ai
through Cloudflare Access without going through Google OAuth. Add a
non-identity service token Will can attach to the existing
dashboard-managed Gitea Access application via a Service Auth policy.

The application itself stays dashboard-managed for now to avoid
drifting the human-auth policy that's already working. The token id
goes to Vault at secret/gitea-runner-cf-access where ESO picks it up
into the runner secret.

servers/legion/gitea-access.tf

@@ -0,0 +1,42 @@
+# Cloudflare Zero Trust Access — git.neuralplatform.ai (Gitea)
+#
+# The Gitea Access application itself is currently managed in the Cloudflare
+# dashboard, NOT in Terraform. This file only manages the *service token* the
+# Gitea Actions runners use to authenticate through CF Access while still
+# keeping the human Google-OAuth gate for browser users.
+#
+# Why not import the application here?
+#   - Importing the existing dashboard app risks drifting the human-auth
+#     policy (Google IdP, allowed emails) which is settled and working.
+#   - Service tokens can be added to a dashboard-managed app without
+#     importing the app itself; the token resource lives at the account
+#     level and is referenced from a policy.
+#   - We pay only the cost we need to. If we later want all Access apps
+#     in TF we can do a focused import pass.
+#
+# After `terraform apply` produces the token id/secret, Will must:
+#   1. Run `vault kv put secret/gitea-runner-cf-access ...` (see outputs).
+#   2. In the Cloudflare dashboard, edit the existing "Gitea" Access
+#      application's policies and add a new policy:
+#         Action:  Service Auth (decision = non_identity)
+#         Include: Service Token = "gitea-runner"
+#      This grants the service token bypass through CF Access on
+#      git.neuralplatform.ai without changing the human-auth flow.
+
+resource "cloudflare_zero_trust_access_service_token" "gitea_runner" {
+  account_id = var.cloudflare_account_id
+  name       = "gitea-runner"
+  # Default duration is "8760h" (1 year). Rotate via re-apply when needed.
+  duration = "forever"
+}
+
+output "gitea_runner_cf_access_client_id" {
+  description = "CF Access service token client ID for the Gitea Actions runner. Store in Vault at secret/gitea-runner-cf-access."
+  value       = cloudflare_zero_trust_access_service_token.gitea_runner.client_id
+}
+
+output "gitea_runner_cf_access_client_secret" {
+  description = "CF Access service token client secret. Store in Vault at secret/gitea-runner-cf-access. Only emitted at creation time."
+  value       = cloudflare_zero_trust_access_service_token.gitea_runner.client_secret
+  sensitive   = true
+}