Initial commit: Ansible playbook for Gitea Act Runner deployment

Automated deployment of act_runner on Ubuntu 20.04+ servers:
- Docker CE installation (DEB822 format)
- Node.js 24.x via NodeSource
- act_runner binary with SHA256 verification
- systemd service with security hardening
- CI: ansible-lint via Gitea Actions

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

roles/act_runner/templates/act_runner.service.j2

@@ -0,0 +1,71 @@
+# =============================================================================
+# Gitea Act Runner - Systemd Service Unit
+# =============================================================================
+# Managed by Ansible - DO NOT EDIT MANUALLY
+#
+# Common commands:
+#   systemctl status act_runner    - Check service status
+#   systemctl restart act_runner   - Restart the service
+#   journalctl -u act_runner -f    - Follow service logs
+#
+# See: https://www.freedesktop.org/software/systemd/man/latest/systemd.service.html
+# =============================================================================
+
+[Unit]
+# Human-readable description
+Description=Gitea Actions runner
+
+# Documentation link
+Documentation=https://gitea.com/gitea/act_runner
+
+# Start after Docker and network are available
+After=docker.service network-online.target
+
+# Request network-online.target to be started
+Wants=network-online.target
+
+[Service]
+# Simple type: process runs in foreground
+Type=simple
+
+# Main command
+ExecStart={{ act_runner_bin_path }} daemon --config {{ act_runner_config_dir }}/config.yaml
+
+# Reload command (sends HUP signal)
+ExecReload=/bin/kill -s HUP $MAINPID
+
+# Working directory
+WorkingDirectory={{ act_runner_home }}
+
+# No timeout for start/stop (jobs may take long)
+TimeoutSec=0
+
+# Wait before restarting after failure
+RestartSec=10
+
+# Always restart on any exit
+Restart=always
+
+# Run as unprivileged user
+User={{ act_runner_user }}
+Group={{ act_runner_group }}
+
+# ---------------------------------------------------------------------------
+# Security Hardening
+# ---------------------------------------------------------------------------
+
+# No new privileges via setuid/setgid
+NoNewPrivileges=true
+
+# Make /usr, /boot, /efi read-only
+ProtectSystem=strict
+
+# Allow writes only to these paths
+ReadWritePaths={{ act_runner_home }} {{ act_runner_config_dir }}
+
+# Private /tmp directory
+PrivateTmp=true
+
+[Install]
+# Start on normal boot
+WantedBy=multi-user.target

roles/act_runner/templates/config.yaml.j2

@@ -0,0 +1,113 @@
+# =============================================================================
+# Gitea Act Runner - Configuration File
+# =============================================================================
+# Managed by Ansible - DO NOT EDIT MANUALLY
+#
+# To modify settings, update the role variables and re-run the playbook.
+#
+# Reference: https://docs.gitea.com/usage/actions/act-runner
+# =============================================================================
+
+# -----------------------------------------------------------------------------
+# Logging Configuration
+# -----------------------------------------------------------------------------
+log:
+  # Log verbosity level.
+  # Valid values: trace, debug, info, warn, error, fatal
+  level: info
+
+# -----------------------------------------------------------------------------
+# Runner Core Configuration
+# -----------------------------------------------------------------------------
+runner:
+  # Path to the runner registration state file.
+  # Created during 'act_runner register'. DO NOT DELETE.
+  file: {{ act_runner_home }}/.runner
+
+  # Maximum number of concurrent jobs.
+  capacity: 1
+
+  # Environment variables injected into every job.
+  envs:
+    # Package registry hostname
+    registry: {{ gitea_registry }}
+
+    # Service account username
+    actions_user: {{ gitea_actions_user }}
+
+    # PAT for package registry authentication
+    PACKAGES_TOKEN: {{ gitea_packages_token }}
+
+  # Optional file for additional environment variables.
+  env_file: .env
+
+  # Maximum job duration (also limited by Gitea instance).
+  timeout: 3h
+
+  # Grace period for jobs during shutdown.
+  shutdown_timeout: 0s
+
+  # Skip TLS verification. WARNING: Security risk if true.
+  insecure: false
+
+  # Job polling settings.
+  fetch_timeout: 5s
+  fetch_interval: 2s
+
+  # Labels determine which jobs this runner handles.
+  labels:
+{% for label in act_runner_labels %}
+    - "{{ label }}"
+{% endfor %}
+
+# -----------------------------------------------------------------------------
+# Cache Server Configuration
+# -----------------------------------------------------------------------------
+cache:
+  # Enable built-in cache server for actions/cache.
+  enabled: true
+
+  # Cache storage directory (empty = default).
+  dir: ""
+
+  # Network settings (empty = auto-detect).
+  host: ""
+  port: 0
+
+  # External cache server URL (empty = use built-in).
+  external_server: ""
+
+# -----------------------------------------------------------------------------
+# Container Execution Configuration
+# -----------------------------------------------------------------------------
+container:
+  # Docker network (empty = isolated per job).
+  network: ""
+
+  # Privileged mode. WARNING: Security risk if true.
+  privileged: false
+
+  # Additional docker run options.
+  options:
+
+  # Working directory inside containers.
+  workdir_parent:
+
+  # Allowed volume mounts (empty = none, ["**"] = any).
+  valid_volumes: []
+
+  # Docker daemon (empty = auto-detect).
+  docker_host: ""
+
+  # Always pull images before jobs.
+  force_pull: {{ act_runner_container_force_pull | lower }}
+
+  # Rebuild images even if they exist.
+  force_rebuild: false
+
+# -----------------------------------------------------------------------------
+# Host Execution Configuration
+# -----------------------------------------------------------------------------
+host:
+  # Working directory for host execution.
+  workdir_parent: