Add Gitea runner service with resource limits

- Added act-runner service for CI/CD automation
- Configured runner with 2 CPU cores, 4GB memory limit
- Isolated runner on gitea-network for security
- Added gitea-network to server service for runner communication
- Fixed typos in comments (sincer→since, Not→Note, colide→collide)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

docker-compose.yaml

@@ -4,12 +4,16 @@ networks:
   traefik-network:
     name: traefik-network
     external: true
+  # this network isolates Gitea server-runner communication from other services
+  gitea-network:
+    name: gitea-network
 
 services:
   server:
     image: docker.gitea.com/gitea:1.25.3-rootless
     networks:
       - traefik-network
+      - gitea-network
     restart: always
     stop_grace_period: 1m # Allow Gitea time to shut down gracefully
 
@@ -44,7 +48,7 @@ services:
       - GITEA__server__ROOT_URL=https://gitea.budakova.org/
       - GITEA__server__PROTOCOL=http # Traefik handles TLS
       - GITEA__server__SSH_PORT=2222
-      - GITEA__server__SSH_DOMAIN=git.budakova.org # CloudFlare tunnel hostname for SSH access (must not colide with web console hostname)
+      - GITEA__server__SSH_DOMAIN=git.budakova.org # CloudFlare tunnel hostname for SSH access (must not collide with web console hostname)
 
       # Enable Docker Registry support
       - GITEA__packages__ENABLED=true
@@ -60,7 +64,7 @@ services:
       # Web Console
       - traefik.http.routers.gitea.rule=Host(`gitea.budakova.org`)
       - traefik.http.routers.gitea.entrypoints=http # using `http` - see notes below
-      # Note: NOT using `https` entrypoint sincer CloudFlare does SSL offloading
+      # Note: NOT using `https` entrypoint since CloudFlare does SSL offloading
       #       Also CloudFlare tunnel rejects Let's Encrypt cert since it sees
       #       the server as running at https://10.10.1.200:443 and NOT as `gitea.budakova.org`
       # - traefik.http.routers.gitea.entrypoints=https
@@ -68,10 +72,34 @@ services:
       # - traefik.http.routers.gitea.tls.certresolver=letsencrypt
     
       # Registry (only /v2)
-      # Not: here we can use `https` since it's not published via CloudFlare
-      #      but via local IP address
+      # Note: here we can use `https` since it's not published via CloudFlare
+      #       but via local IP address
       - traefik.http.routers.gitea-registry.entrypoints=https
       - traefik.http.routers.gitea-registry.rule=Host(`registry.budakova.org`) && PathPrefix(`/v2`)
       - traefik.http.routers.gitea-registry.tls=true
       - traefik.http.routers.gitea-registry.tls.certresolver=letsencrypt
       - traefik.http.routers.gitea-registry.service=gitea
+  runner:
+    image: gitea/act-runner:0.2.13
+    networks:
+      - gitea-network
+    restart: always
+    depends_on:
+      - server
+
+    # Resource limits for CI/CD runner
+    cpus: "2.0"
+    mem_limit: 4g
+    mem_reservation: 1g
+    pids_limit: 512
+
+    environment:
+      CONFIG_FILE: /config.yaml
+      # use service name `server` since both services are on the same `gitea-network`
+      GITEA_INSTANCE_URL: "http://server:3000/"
+      GITEA_RUNNER_REGISTRATION_TOKEN: "${REGISTRATION_TOKEN:-cOUnze8BFR5OhW30pcdfCL4oSvSXbsd4PUqDzo6Y}"
+      GITEA_RUNNER_NAME: "${GITEA_RUNNER_NAME:-gitea-runner-1}"
+    volumes:
+      - /home/knee-cola/docker/d-gitea/runner-config.yaml:/config.yaml
+      - /home/knee-cola/docker/d-gitea/runner-data:/data
+      - /var/run/docker.sock:/var/run/docker.sock