Initial commit: Ansible playbook for Gitea Act Runner deployment

Automated deployment of act_runner on Ubuntu 20.04+ servers:
- Docker CE installation (DEB822 format)
- Node.js 24.x via NodeSource
- act_runner binary with SHA256 verification
- systemd service with security hardening
- CI: ansible-lint via Gitea Actions

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

group_vars/all/vars.yml

@@ -0,0 +1,79 @@
+---
+# =============================================================================
+# Group Variables - All Hosts
+# =============================================================================
+#
+# This file maps vault secrets to role variables and sets common overrides.
+#
+# VARIABLE RESOLUTION ORDER (lowest to highest priority):
+#   1. roles/act_runner/defaults/main.yml  (role defaults)
+#   2. group_vars/all.yml                  (this file)
+#   3. inventory host_vars                 (per-host overrides)
+#   4. command line --extra-vars           (highest priority)
+#
+# Vault variables (prefixed with vault_) are stored encrypted in vault.yml.
+# Role variables are defined in roles/act_runner/defaults/main.yml.
+#
+# HOW TO USE:
+#   1. Create the vault: ansible-vault create group_vars/vault.yml
+#   2. Add your secrets to the vault (see vault.yml.example)
+#   3. The mappings below will reference those vault variables
+#
+# See: https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_variables.html
+# =============================================================================
+
+# -----------------------------------------------------------------------------
+# Vault Secret Mappings
+# -----------------------------------------------------------------------------
+# These map encrypted vault variables to the role's expected variable names.
+# This indirection allows vault structure to differ from role expectations.
+#
+# REQUIRED: These must be set in group_vars/vault.yml
+
+# URL of your Gitea instance (e.g., "https://git.example.com")
+gitea_instance_url: "{{ vault_gitea_instance_url }}"
+
+# Registration token from Gitea admin panel
+# Get it from: {{ gitea_instance_url }}/-/admin/actions/runners
+act_runner_token: "{{ vault_act_runner_token }}"
+
+# Package registry hostname (usually same as Gitea host, without https://)
+gitea_registry: "{{ vault_gitea_registry }}"
+
+# Service account username for package registry authentication
+gitea_actions_user: "{{ vault_gitea_actions_user }}"
+
+# Personal Access Token (PAT) for package registry
+# Create at: {{ gitea_instance_url }}/user/settings/applications
+gitea_packages_token: "{{ vault_gitea_packages_token }}"
+
+# -----------------------------------------------------------------------------
+# Role Variable Overrides (Optional)
+# -----------------------------------------------------------------------------
+# Uncomment and modify to override role defaults for all hosts.
+# See roles/act_runner/defaults/main.yml for all available variables.
+
+# Act Runner Version
+# Check available versions: https://dl.gitea.com/act_runner/
+# act_runner_version: "0.2.13"
+
+# Node.js Version
+# Valid values: "18", "20", "22", "24"
+# See: https://nodejs.org/en/about/previous-releases
+# nodejs_version: "24"
+
+# Runner Labels
+# Define what jobs this runner can handle.
+# Format: "label:executor" where executor is "host" or "docker://image"
+# act_runner_labels:
+#   - "ubuntu-latest:host"
+#   - "self-hosted:host"
+
+# Concurrent Jobs
+# How many jobs can run simultaneously on each runner.
+# Higher values = more parallelism but more resource usage.
+# runner_capacity: 1
+
+# Container Settings
+# Whether to always pull images before running (recommended: true)
+# container_force_pull: true

group_vars/all/vault.yml.example

@@ -0,0 +1,94 @@
+---
+# =============================================================================
+# Ansible Vault - Encrypted Secrets (EXAMPLE)
+# =============================================================================
+#
+# This is an EXAMPLE file showing what should go in your encrypted vault.
+# DO NOT commit actual secrets to version control.
+#
+# HOW TO CREATE THE REAL VAULT:
+#   1. Copy this file's contents
+#   2. Run: ansible-vault create group_vars/vault.yml
+#   3. Paste and edit with your actual values
+#   4. Save and exit
+#
+# HOW TO MANAGE THE VAULT:
+#   - Edit:   ansible-vault edit group_vars/vault.yml
+#   - View:   ansible-vault view group_vars/vault.yml
+#   - Rekey:  ansible-vault rekey group_vars/vault.yml
+#
+# SECURITY NOTES:
+#   - Never commit the vault password to version control
+#   - Store vault password in a secure location (password manager, etc.)
+#   - Consider using --vault-password-file for automation
+#   - Add vault.yml to .gitignore (this example file is safe to commit)
+#
+# =============================================================================
+
+# -----------------------------------------------------------------------------
+# Gitea Instance Configuration
+# -----------------------------------------------------------------------------
+
+# URL of your Gitea instance (including https://).
+# This is where the runner will connect to pick up jobs.
+# Example: "https://git.example.com"
+vault_gitea_instance_url: "https://git.karmaxplan.ru"
+
+# -----------------------------------------------------------------------------
+# Runner Registration Token
+# -----------------------------------------------------------------------------
+
+# Registration token from Gitea for authenticating new runners.
+#
+# HOW TO GET THIS TOKEN:
+#   1. Log into Gitea as admin
+#   2. Go to: Site Administration > Actions > Runners
+#      URL: {{ vault_gitea_instance_url }}/-/admin/actions/runners
+#   3. Click "Create new Runner"
+#   4. Copy the displayed token
+#
+# IMPORTANT:
+#   - Tokens are SINGLE-USE: one token = one runner registration
+#   - Generate a new token for each server you deploy to
+#   - Token expires if not used within a certain time
+vault_act_runner_token: "<your-registration-token-here>"
+
+# -----------------------------------------------------------------------------
+# Package Registry Configuration
+# -----------------------------------------------------------------------------
+# These values enable the runner to authenticate with Gitea's package registry.
+# This is needed if your workflows push/pull container images or packages.
+
+# Hostname of the Gitea package registry.
+# Usually the same as your Gitea instance hostname (without https://).
+vault_gitea_registry: "git.karmaxplan.ru"
+
+# Service account username for package registry operations.
+# Best practice: Create a dedicated "actions" user in Gitea for CI/CD.
+# This user should have appropriate permissions for your repositories.
+vault_gitea_actions_user: "actions"
+
+# Personal Access Token (PAT) for package registry authentication.
+#
+# HOW TO CREATE THE PAT:
+#   1. Log into Gitea as the service account (e.g., "actions")
+#   2. Go to: User Settings > Applications
+#      URL: {{ vault_gitea_instance_url }}/user/settings/applications
+#   3. Under "Generate New Token", enter a name (e.g., "act-runner-packages")
+#   4. Select scopes:
+#      - read:package   (required for pulling images)
+#      - write:package  (required for pushing images)
+#   5. Click "Generate Token"
+#   6. Copy the token immediately (it won't be shown again)
+#
+# SECURITY NOTES:
+#   - This token grants package access - keep it secret
+#   - Rotate tokens periodically
+#   - Use the minimum required scopes
+vault_gitea_packages_token: "<your-packages-pat-here>"
+
+# -----------------------------------------------------------------------------
+# Optional: Sudo Password (if using non-root user with password sudo)
+# -----------------------------------------------------------------------------
+# Uncomment if your ansible_user requires a password for sudo.
+# vault_sudo_password: "<your-sudo-password-here>"