ci: add ansible and CICD deployment

deploy/ansible/tasks/install_one_runner.yml

@@ -0,0 +1,68 @@
+---
+# Installs + registers + services a single act_runner instance.
+# Inputs: project_spec (dict), idx (int), project_token (str).
+- name: Set per-runner facts
+  ansible.builtin.set_fact:
+    runner_name: "{{ inventory_hostname }}-{{ project_spec.project }}-{{ runner_env }}-{{ idx }}"
+    runner_dir:  "{{ runner_home }}/act-runner-{{ project_spec.project }}-{{ idx }}"
+    svc_name:    "gitea-runner-{{ project_spec.project }}-{{ idx }}"
+
+- name: "Create runner dir {{ runner_dir }}"
+  ansible.builtin.file:
+    path: "{{ runner_dir }}"
+    state: directory
+    owner: "{{ runner_user }}"
+    group: "{{ runner_user }}"
+    mode: "0755"
+
+- name: Download act_runner binary (sha256 verified)
+  ansible.builtin.get_url:
+    url: "{{ act_runner_download_url }}"
+    dest: "{{ runner_dir }}/gitea-runner"
+    checksum: "sha256:{{ act_runner_sha256 }}"
+    owner: "{{ runner_user }}"
+    group: "{{ runner_user }}"
+    mode: "0755"
+
+- name: "Register runner {{ runner_name }}"
+  ansible.builtin.command:
+    cmd: >-
+      ./gitea-runner register
+      --no-interactive
+      --instance {{ gitea_instance }}
+      --token {{ project_token }}
+      --name {{ runner_name }}
+      --labels {{ project_spec.labels }}
+    chdir: "{{ runner_dir }}"
+    creates: "{{ runner_dir }}/.runner"
+  become_user: "{{ runner_user }}"
+
+- name: "Write systemd unit for {{ svc_name }}"
+  ansible.builtin.copy:
+    dest: "/etc/systemd/system/{{ svc_name }}.service"
+    owner: root
+    group: root
+    mode: "0644"
+    content: |
+      [Unit]
+      Description=Gitea Actions Runner ({{ runner_name }})
+      After=network.target
+
+      [Service]
+      Type=simple
+      User={{ runner_user }}
+      WorkingDirectory={{ runner_dir }}
+      ExecStart={{ runner_dir }}/gitea-runner daemon
+      Restart=always
+      RestartSec=5s
+      Environment=HOME={{ runner_home }}
+
+      [Install]
+      WantedBy=multi-user.target
+
+- name: "Enable + start {{ svc_name }}"
+  ansible.builtin.systemd:
+    name: "{{ svc_name }}"
+    enabled: true
+    state: started
+    daemon_reload: true

deploy/ansible/tasks/install_project.yml

@@ -0,0 +1,20 @@
+---
+# Expands one project entry into `count` runner instances.
+- name: "Read registration token for {{ project_spec.project }} from env var"
+  ansible.builtin.set_fact:
+    project_token: "{{ lookup('ansible.builtin.env', project_spec.token_env) }}"
+
+- name: "Warn and skip {{ project_spec.project }} — token missing"
+  ansible.builtin.debug:
+    msg: >-
+      Skipping {{ project_spec.project }}: env var {{ project_spec.token_env }} is empty/unset.
+      Export a fresh registration token (Gitea repo → Settings → Actions → Runners → Create new runner token).
+  when: project_token | length == 0
+
+- name: "Install {{ project_spec.count }} runner(s) for {{ project_spec.project }}"
+  ansible.builtin.include_tasks: install_one_runner.yml
+  loop: "{{ range(1, project_spec.count | int + 1) | list }}"
+  loop_control:
+    loop_var: idx
+    label: "{{ project_spec.project }}-{{ idx }}"
+  when: project_token | length > 0