feat: add Gitea Actions runner on private compute

Adds a private runner server on the Hetzner private network with NAT
through the gitea server for outbound internet access. Includes
Terraform resources, Ansible playbooks, and iptables forwarding rules.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

playbooks/deploy.yml

@@ -108,6 +108,41 @@
           - docker-buildx-plugin
           - docker-compose-plugin
 
+- name: Enable NAT for private network.
+  hosts: server
+  gather_facts: false
+  tasks:
+    - name: Enable IP forwarding.
+      ansible.posix.sysctl:
+        name: net.ipv4.ip_forward
+        value: "1"
+        sysctl_set: true
+        reload: true
+
+    - name: Add NAT masquerade rule.
+      ansible.builtin.iptables:
+        table: nat
+        chain: POSTROUTING
+        source: "10.0.1.0/24"
+        jump: MASQUERADE
+        state: present
+
+    - name: Allow forwarding from private network.
+      ansible.builtin.iptables:
+        chain: DOCKER-USER
+        source: "10.0.1.0/24"
+        jump: ACCEPT
+        action: insert
+        state: present
+
+    - name: Allow established/related return traffic.
+      ansible.builtin.iptables:
+        chain: DOCKER-USER
+        ctstate: ESTABLISHED,RELATED
+        jump: ACCEPT
+        action: insert
+        state: present
+
 - name: Deploy artifact to instance.
   hosts: server
   tags: