feat: add Gitea Actions runner on private compute

Adds a private runner server on the Hetzner private network with NAT
through the gitea server for outbound internet access. Includes
Terraform resources, Ansible playbooks, and iptables forwarding rules.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

terraform/outputs.tf

@@ -1,11 +1,17 @@
 output "server_ip" {
   description = "The public address of the server."
-  value = hcloud_server.server_instance.ipv4_address
-  sensitive = false
+  value       = hcloud_server.server_instance.ipv4_address
+  sensitive   = false
 }
 
 output "server_fqdn" {
   description = "The public domain of the server."
-  value = "${local.subdomain}.${local.domain}"
-  sensitive = false
+  value       = "${local.subdomain}.${local.domain}"
+  sensitive   = false
+}
+
+output "runner_ip" {
+  description = "The private network address of the runner."
+  value       = local.runner_ip
+  sensitive   = false
 }