feat: add Gitea Actions runner (#6)

## Summary - Adds a private runner server on the Hetzner private network (no public IP) - NAT through the gitea server for outbound internet access via `hcloud_network_route` and iptables forwarding rules - Runner connects to gitea over HTTPS on the private network with TLS verification disabled - Includes Taskfile commands for runner deployment and SSH access ## Test plan - [x] Runner registers with gitea instance - [x] Private network connectivity verified - [ ] Run a test workflow to confirm end-to-end CI 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: #6 Co-authored-by: M.V. Hutz <git@maximhutz.me> Co-committed-by: M.V. Hutz <git@maximhutz.me>
2026-03-16 01:40:44 +00:00
parent af5d40d84e
commit 04ca230bee
10 changed files with 312 additions and 73 deletions
--- a/Taskfile.yml
+++ b/Taskfile.yml
@@ -11,6 +11,7 @@ tasks:
  deploy: ansible-playbook playbooks/deploy.yml {{.CLI_ARGS}}
  destroy: ansible-playbook playbooks/destroy.yml {{.CLI_ARGS}}
  restore: ansible-playbook playbooks/restore.yml {{.CLI_ARGS}}
+  runner: ansible-playbook playbooks/runner.yml {{.CLI_ARGS}}

  assets:
    - cp ./assets/icon.png ./gitea/custom/public/assets/img/logo.png
@@ -25,3 +26,10 @@ tasks:
    vars:
      KEY: { sh: ansible-vault view vault.yml | yq -r ".secret.private_ssh_key_path" }
      IP: { sh: cat dist/terraform_outputs.yml | jq -r ".server_ip.value" }
+
+  enter-runner:
+    cmd: ssh -i {{.KEY}} -o ProxyCommand="ssh -i {{.KEY}} -p 2222 -W %h:%p root@{{.IP}}" root@{{.RUNNER_IP}}
+    vars:
+      KEY: { sh: ansible-vault view vault.yml | yq -r ".secret.private_ssh_key_path" }
+      IP: { sh: cat dist/terraform_outputs.yml | jq -r ".server_ip.value" }
+      RUNNER_IP: { sh: cat dist/terraform_outputs.yml | jq -r ".runner_ip.value" }