Initial commit: Ansible playbook for Gitea Act Runner deployment

Automated deployment of act_runner on Ubuntu 20.04+ servers:
- Docker CE installation (DEB822 format)
- Node.js 24.x via NodeSource
- act_runner binary with SHA256 verification
- systemd service with security hardening
- CI: ansible-lint via Gitea Actions

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

.gitea/workflows/lint.yml

@@ -0,0 +1,139 @@
+# =============================================================================
+# Gitea Actions Workflow - Ansible Lint
+# =============================================================================
+#
+# This workflow validates Ansible playbooks and roles using ansible-lint.
+# Runs automatically on push and pull request events.
+#
+# WORKFLOW LOCATION:
+#   Gitea Actions requires workflow files in `.gitea/workflows/` directory.
+#   This differs from GitHub Actions which uses `.github/workflows/`.
+#   See: https://docs.gitea.com/usage/actions/quickstart
+#
+# RUNNER CONFIGURATION:
+#   - `runs-on: ubuntu-latest` matches our runner label from act_runner config
+#   - Jobs execute on self-hosted runners registered with this repository's Gitea
+#   - Requires runner with `ubuntu-latest:host` label (host execution mode)
+#
+# WHAT THIS WORKFLOW DOES:
+#   1. Checks out the repository code
+#   2. Installs uv package manager
+#   3. Syncs dependencies from pyproject.toml
+#   4. Runs ansible-lint against the playbook
+#
+# MANUAL TRIGGER:
+#   You can manually trigger this workflow from Gitea UI:
+#   Repository > Actions > Select workflow > "Run workflow"
+#
+# DOCUMENTATION:
+#   - Gitea Actions: https://docs.gitea.com/usage/actions/overview
+#   - Ansible Lint: https://ansible.readthedocs.io/projects/lint/
+#   - uv: https://docs.astral.sh/uv/
+#   - Workflow Syntax: https://docs.gitea.com/usage/actions/workflow-syntax
+#
+# =============================================================================
+
+# -----------------------------------------------------------------------------
+# Workflow Metadata
+# -----------------------------------------------------------------------------
+
+# Human-readable name displayed in Gitea Actions UI.
+# Shown in repository's Actions tab and in commit status checks.
+name: Ansible Lint
+
+# -----------------------------------------------------------------------------
+# Trigger Events
+# -----------------------------------------------------------------------------
+# Define when this workflow should run.
+# See: https://docs.gitea.com/usage/actions/workflow-syntax#on
+
+on:
+  # Run on every push to any branch.
+  # This catches issues before they're merged.
+  push:
+    # Optionally limit to specific branches:
+    # branches:
+    #   - master
+    #   - main
+
+  # Run on pull requests targeting any branch.
+  # Provides feedback before merge.
+  pull_request:
+    # Optionally limit to PRs targeting specific branches:
+    # branches:
+    #   - master
+    #   - main
+
+  # Allow manual triggering from Gitea UI.
+  # Useful for re-running after fixing external issues (e.g., runner problems).
+  workflow_dispatch:
+
+# -----------------------------------------------------------------------------
+# Jobs
+# -----------------------------------------------------------------------------
+# A workflow consists of one or more jobs that run in parallel by default.
+# Use `needs:` to create dependencies between jobs if sequential execution
+# is required.
+
+jobs:
+  # ---------------------------------------------------------------------------
+  # Lint Job
+  # ---------------------------------------------------------------------------
+  # Validates Ansible code quality and best practices.
+  lint:
+    # Human-readable name shown in Gitea UI for this job.
+    name: Ansible Lint Check
+
+    # Runner label to execute this job.
+    # Must match a label registered with act_runner.
+    # Our runner uses: `ubuntu-latest:host` (see roles/act_runner/defaults/main.yml)
+    runs-on: ubuntu-latest
+
+    # -------------------------------------------------------------------------
+    # Job Steps
+    # -------------------------------------------------------------------------
+    # Steps run sequentially within a job.
+    # Each step can run commands or use pre-built actions.
+    steps:
+      # -----------------------------------------------------------------------
+      # Step 1: Checkout Repository
+      # -----------------------------------------------------------------------
+      # Clone the repository to the runner's workspace.
+      # Uses the official checkout action maintained by GitHub/Gitea.
+      # See: https://github.com/actions/checkout
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        # Default behavior:
+        #   - Clones the commit that triggered the workflow
+        #   - For PRs, clones the merge commit
+        #   - Shallow clone (depth=1) for faster checkout
+
+      # -----------------------------------------------------------------------
+      # Step 2: Install uv
+      # -----------------------------------------------------------------------
+      # Install uv - a fast Python package manager from Astral.
+      # Replaces pip/virtualenv with a single, faster tool.
+      # See: https://docs.astral.sh/uv/
+      - name: Install uv
+        uses: astral-sh/setup-uv@v5
+
+      # -----------------------------------------------------------------------
+      # Step 3: Sync Dependencies and Run Linter
+      # -----------------------------------------------------------------------
+      # uv sync reads pyproject.toml and creates a virtual environment
+      # with all dependencies (ansible, ansible-lint).
+      # uv run executes commands within that environment.
+      - name: Run ansible-lint
+        run: |
+          # Install dependencies from pyproject.toml.
+          uv sync
+
+          # Run ansible-lint on the main playbook.
+          # Exit code 0 = success (no issues found)
+          # Exit code non-zero = linting errors found (fails the workflow)
+          #
+          # The linter uses .ansible-lint config file for:
+          #   - Profile: production (strictest rules)
+          #   - Excluded paths: .git/, .gitignore
+          #   - Offline mode: true (no network calls)
+          uv run ansible-lint playbook.yml