feat: add Gitea Actions runner on private compute

Adds a private runner server on the Hetzner private network with NAT
through the gitea server for outbound internet access. Includes
Terraform resources, Ansible playbooks, and iptables forwarding rules.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Taskfile.yml

@@ -11,6 +11,7 @@ tasks:
   deploy: ansible-playbook playbooks/deploy.yml {{.CLI_ARGS}}
   destroy: ansible-playbook playbooks/destroy.yml {{.CLI_ARGS}}
   restore: ansible-playbook playbooks/restore.yml {{.CLI_ARGS}}
+  runner: ansible-playbook playbooks/runner.yml {{.CLI_ARGS}}
 
   assets:
     - cp ./assets/icon.png ./gitea/custom/public/assets/img/logo.png
@@ -25,3 +26,10 @@ tasks:
     vars:
       KEY: { sh: ansible-vault view vault.yml | yq -r ".secret.private_ssh_key_path" }
       IP: { sh: cat dist/terraform_outputs.yml | jq -r ".server_ip.value" }
+
+  enter-runner:
+    cmd: ssh -i {{.KEY}} -o ProxyCommand="ssh -i {{.KEY}} -p 2222 -W %h:%p root@{{.IP}}" root@{{.RUNNER_IP}}
+    vars:
+      KEY: { sh: ansible-vault view vault.yml | yq -r ".secret.private_ssh_key_path" }
+      IP: { sh: cat dist/terraform_outputs.yml | jq -r ".server_ip.value" }
+      RUNNER_IP: { sh: cat dist/terraform_outputs.yml | jq -r ".runner_ip.value" }