write: 进 cube 仓库 + 接 gitea CI 自动部署

- 整 apps/write/ 进 git（含 frontend 源码 + Makefile + systemd unit + k8s service/ingress）
- .gitea/workflows/deploy-write.yml: act_runner fam 用户跑 host shell
    cargo build → npm build → install 到 ~/.local/bin/share/config →
    systemctl --user daemon-reload + restart → kubectl apply svc/ingress
- 前端 3 处"麻薯"字样去掉（思考中 / placeholder × 2）

注意 ~/.config/write/env 已有 passphrase，CI placeholder 逻辑会跳过不覆盖。

.gitea/workflows/deploy-write.yml

@@ -0,0 +1,63 @@
+name: deploy write
+# write.famzheng.me — host systemd service（不是 k8s pod），act_runner fam 用户直接 cp 本地
+
+on:
+  push:
+    branches: [master]
+    paths:
+      - 'apps/write/**'
+      - 'crates/cube-core/**'
+      - 'Cargo.toml'
+      - 'Cargo.lock'
+      - '.gitea/workflows/deploy-write.yml'
+  workflow_dispatch:
+
+jobs:
+  build-and-deploy:
+    runs-on: ubuntu-latest
+    env:
+      APP: write
+      # systemctl --user 需要 runtime dir；fam 已 enable linger
+      XDG_RUNTIME_DIR: /run/user/1001
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Build backend
+        run: |
+          export PATH="$HOME/.cargo/bin:$PATH"
+          cargo build --release -p "$APP"
+
+      - name: Build frontend
+        run: |
+          cd "apps/$APP/frontend"
+          npm ci
+          npm run build
+
+      - name: Install binary + dist + systemd unit
+        run: |
+          mkdir -p \
+            "$HOME/.local/bin" \
+            "$HOME/.local/share/$APP/dist" \
+            "$HOME/.local/state/$APP" \
+            "$HOME/.config/$APP" \
+            "$HOME/.config/systemd/user"
+          install -m 755 "target/release/$APP" "$HOME/.local/bin/$APP"
+          rsync -a --delete "apps/$APP/frontend/dist/" "$HOME/.local/share/$APP/dist/"
+          install -m 644 "apps/$APP/systemd/$APP.service" "$HOME/.config/systemd/user/$APP.service"
+          # 首次部署占位 env（已有则不动，避免覆盖 passphrase）
+          if [ ! -f "$HOME/.config/$APP/env" ]; then
+            echo "WRITE_PASSPHRASE=CHANGE-ME" > "$HOME/.config/$APP/env"
+            chmod 600 "$HOME/.config/$APP/env"
+            echo "⚠ created placeholder ~/.config/$APP/env, edit + restart"
+          fi
+
+      - name: Reload + restart write.service
+        run: |
+          systemctl --user daemon-reload
+          systemctl --user enable "$APP.service"
+          systemctl --user restart "$APP.service"
+          sleep 1
+          systemctl --user --no-pager status "$APP.service" | head -15
+
+      - name: Apply k8s service/ingress
+        run: kubectl apply -f "apps/$APP/k8s/all.yaml"