nult/roles/act_runner/tasks/user.yml
Mark a9554f3e5d Initial commit: nult - Ansible deployment toolkit
Merged from veridion-gitea and veridion-act-runner-gitea repos.

nult (Null-T) - instant teleportation from Strugatsky's Noon Universe.
Like Null-T, this toolkit instantly deploys infrastructure.

Roles:
- gitea: Gitea server with PostgreSQL (Docker Compose)
- act_runner: Gitea Actions runner

Playbooks:
- gitea.yml: Deploy Gitea server
- act-runner.yml: Deploy Act Runner
- site.yml: Deploy all services

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-15 15:34:07 +01:00


---
# =============================================================================
# Gitea Act Runner - System User Setup
# =============================================================================
#
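# Creates a dedicated system user for running the act_runner service.
# Running as an unprivileged user improves security by:
# - Limiting what the service can access
# - Isolating it from other services
# - Following the principle of least privilege
#
# Caveat: the user task below also adds this account to the docker group.
# Access to the Docker daemon is effectively root-equivalent on the host, so
# the isolation described here holds only for what the account does outside
# Docker.
#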
# =============================================================================
# Ensure the dedicated group for the runner exists. It is created as a system
# group and is used below as the primary group of the runner account and as
# the group owner of its directories.
- name: Create act_runner group
  ansible.builtin.group:
    name: "{{ act_runner_group }}"
    system: true
    state: present
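# Create the act_runner system user.
#
# Security notes for reviewers:
# - Membership in the docker group lets this account control the Docker
#   daemon, which is effectively root-equivalent on the host. Treat the runner
#   account (and any job it executes) as privileged on this machine; a
#   dedicated runner host or a rootless container runtime narrows that
#   exposure.
# - The docker group is not created by this file; this task presumably relies
#   on Docker being installed beforehand (verify role ordering).
- name: Create act_runner user
  ansible.builtin.user:
    name: "{{ act_runner_user }}"
    # Primary group: the dedicated runner group.
    group: "{{ act_runner_group }}"
    # Supplementary group for container access (see the security note above).
    groups: docker
    # append: true adds docker to any existing supplementary groups instead of
    # replacing them.
    append: true
    # Use bash shell for better compatibility with actions.
    # NOTE(review): this is a real login shell, so the account is not a
    # "no login" account; no password is set by this task, but other login
    # paths (su, SSH keys) are not restricted here.
    shell: /bin/bash
    # Home directory for runner data.
    home: "{{ act_runner_home }}"
    create_home: true
    # System account: requests a system-range UID. This flag does not by
    # itself disable login.
    system: true
    state: present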
# Enforce ownership and mode on the runner's home directory.
# Mode 0750: owner has full access, members of the runner group may read and
# traverse, all other users have no access.
- name: Set permissions on home directory
  ansible.builtin.file:
    path: "{{ act_runner_home }}"
    owner: "{{ act_runner_user }}"
    group: "{{ act_runner_group }}"
    mode: '0750'
    state: directory
# Ensure the runner's configuration directory exists, owned by the runner
# account. Mode 0750 keeps it unreadable to users outside the runner group.
- name: Create configuration directory
  ansible.builtin.file:
    path: "{{ act_runner_config_dir }}"
    owner: "{{ act_runner_user }}"
    group: "{{ act_runner_group }}"
    mode: '0750'
    state: directory