feat: add Gitea Actions runner (#6)

## Summary
- Adds a private runner server on the Hetzner private network (no public IP)
- NAT through the gitea server for outbound internet access via `hcloud_network_route` and iptables forwarding rules
- Runner connects to gitea over HTTPS on the private network with TLS verification disabled
- Includes Taskfile commands for runner deployment and SSH access

## Test plan
- [x] Runner registers with gitea instance
- [x] Private network connectivity verified
- [ ] Run a test workflow to confirm end-to-end CI

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Reviewed-on: #6
Co-authored-by: M.V. Hutz <git@maximhutz.me>
Co-committed-by: M.V. Hutz <git@maximhutz.me>

playbooks/deploy.yml

@@ -108,6 +108,41 @@
           - docker-buildx-plugin
           - docker-compose-plugin
 
+- name: Enable NAT for private network.
+  hosts: server
+  gather_facts: false
+  tasks:
+    - name: Enable IP forwarding.
+      ansible.posix.sysctl:
+        name: net.ipv4.ip_forward
+        value: "1"
+        sysctl_set: true
+        reload: true
+
+    - name: Add NAT masquerade rule.
+      ansible.builtin.iptables:
+        table: nat
+        chain: POSTROUTING
+        source: "10.0.1.0/24"
+        jump: MASQUERADE
+        state: present
+
+    - name: Allow forwarding from private network.
+      ansible.builtin.iptables:
+        chain: DOCKER-USER
+        source: "10.0.1.0/24"
+        jump: ACCEPT
+        action: insert
+        state: present
+
+    - name: Allow established/related return traffic.
+      ansible.builtin.iptables:
+        chain: DOCKER-USER
+        ctstate: ESTABLISHED,RELATED
+        jump: ACCEPT
+        action: insert
+        state: present
+
 - name: Deploy artifact to instance.
   hosts: server
   tags: