feat: add configuration templates

- docker-compose-gitea.yml.tpl: Gitea + SQLite container
- app.ini.tpl: Gitea config (INSTALL_LOCK, Actions enabled, no registration)
- docker-compose-runner.yml.tpl: act_runner Docker container (Linux)
- runner-config.yaml.tpl: act_runner config (capacity=1, timeout=3h)
- com.gitea.runner.plist.tpl: macOS launchd service for native runner
- nginx-gitea.conf.tpl: Nginx reverse proxy with SSL/WebSocket support
- workflows/security-scan.yml.tpl: Semgrep + Trivy + Gitleaks workflow

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

templates/app.ini.tpl

@@ -0,0 +1,42 @@
+; Gitea configuration — rendered from app.ini.tpl
+; Do not edit directly on the server — re-render and redeploy instead.
+
+[server]
+ROOT_URL         = https://${GITEA_DOMAIN}/
+DOMAIN           = ${GITEA_DOMAIN}
+SSH_DOMAIN       = ${GITEA_DOMAIN}
+HTTP_PORT        = 3000
+DISABLE_SSH      = false
+START_SSH_SERVER = true
+SSH_PORT         = 22
+LFS_START_SERVER = true
+
+[database]
+DB_TYPE = ${GITEA_DB_TYPE}
+PATH    = /data/gitea/gitea.db
+
+[security]
+INSTALL_LOCK = true
+SECRET_KEY   = ${GITEA_SECRET_KEY}
+
+[service]
+DISABLE_REGISTRATION              = true
+REQUIRE_SIGNIN_VIEW               = false
+DEFAULT_ALLOW_CREATE_ORGANIZATION = false
+
+[repository]
+DEFAULT_BRANCH = main
+
+[actions]
+ENABLED = true
+
+[log]
+MODE  = console
+LEVEL = info
+
+[ui]
+DEFAULT_THEME = gitea-auto
+SHOW_USER_EMAIL = false
+
+[mailer]
+ENABLED = false

templates/com.gitea.runner.plist.tpl

@@ -0,0 +1,38 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
+  "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+  <key>Label</key>
+  <string>com.gitea.runner.${RUNNER_NAME}</string>
+
+  <key>ProgramArguments</key>
+  <array>
+    <string>${RUNNER_DATA_PATH}/act_runner</string>
+    <string>daemon</string>
+    <string>--config</string>
+    <string>${RUNNER_DATA_PATH}/config.yaml</string>
+  </array>
+
+  <key>WorkingDirectory</key>
+  <string>${RUNNER_DATA_PATH}</string>
+
+  <key>RunAtLoad</key>
+  <true/>
+
+  <key>KeepAlive</key>
+  <true/>
+
+  <key>StandardOutPath</key>
+  <string>${RUNNER_DATA_PATH}/runner.out.log</string>
+
+  <key>StandardErrorPath</key>
+  <string>${RUNNER_DATA_PATH}/runner.err.log</string>
+
+  <key>EnvironmentVariables</key>
+  <dict>
+    <key>PATH</key>
+    <string>/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin</string>
+  </dict>
+</dict>
+</plist>

templates/docker-compose-gitea.yml.tpl

@@ -0,0 +1,18 @@
+version: "3"
+
+services:
+  gitea:
+    image: gitea/gitea:${GITEA_VERSION}
+    container_name: gitea
+    restart: unless-stopped
+    environment:
+      - USER_UID=1000
+      - USER_GID=1000
+    volumes:
+      - ${DATA_PATH}/data:/data
+      - ${DATA_PATH}/config:/data/gitea/conf
+      - /etc/timezone:/etc/timezone:ro
+      - /etc/localtime:/etc/localtime:ro
+    ports:
+      - "${GITEA_PORT}:3000"
+      - "${GITEA_SSH_PORT}:22"

templates/docker-compose-runner.yml.tpl

@@ -0,0 +1,15 @@
+version: "3"
+
+services:
+  runner:
+    image: gitea/act_runner:${ACT_RUNNER_VERSION}
+    container_name: gitea-runner-${RUNNER_NAME}
+    restart: unless-stopped
+    environment:
+      - GITEA_INSTANCE_URL=${GITEA_INTERNAL_URL}
+      - GITEA_RUNNER_REGISTRATION_TOKEN=${GITEA_RUNNER_REGISTRATION_TOKEN}
+      - GITEA_RUNNER_NAME=${RUNNER_NAME}
+      - GITEA_RUNNER_LABELS=${RUNNER_LABELS}
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - ${RUNNER_DATA_PATH}:/data

templates/nginx-gitea.conf.tpl

@@ -0,0 +1,68 @@
+# Nginx reverse proxy for Gitea — rendered from nginx-gitea.conf.tpl
+# SSL_ENABLED is set by the deployment script, not .env
+
+# HTTP server — always present
+server {
+    listen 80;
+    server_name ${GITEA_DOMAIN};
+
+    # ACME challenge for Let's Encrypt (used when SSL_MODE=letsencrypt)
+    location /.well-known/acme-challenge/ {
+        root /var/www/html;
+    }
+
+    # When SSL is enabled, redirect all other HTTP traffic to HTTPS
+    # When SSL is not yet enabled, proxy directly to Gitea
+    location / {
+        # SSL_REDIRECT_BLOCK_START
+        # This block is replaced by the deployment script:
+        # - Before SSL: proxy_pass to Gitea
+        # - After SSL: return 301 https://$host$request_uri;
+        proxy_pass http://${UNRAID_IP}:${UNRAID_GITEA_PORT};
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        # SSL_REDIRECT_BLOCK_END
+    }
+}
+
+# HTTPS server — only present when SSL_ENABLED=true
+# SSL_HTTPS_BLOCK_START
+server {
+    listen 443 ssl;
+    server_name ${GITEA_DOMAIN};
+
+    # SSL certificate paths depend on SSL_MODE:
+    # letsencrypt: /etc/letsencrypt/live/${GITEA_DOMAIN}/
+    # existing: ${SSL_CERT_PATH} and ${SSL_KEY_PATH}
+    ssl_certificate     ${SSL_CERT_FULLPATH};
+    ssl_certificate_key ${SSL_KEY_FULLPATH};
+
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_prefer_server_ciphers on;
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_timeout 10m;
+
+    # Allow large git pushes and LFS uploads
+    client_max_body_size 512m;
+
+    location / {
+        proxy_pass http://${UNRAID_IP}:${UNRAID_GITEA_PORT};
+
+        # Standard proxy headers
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto https;
+
+        # WebSocket support (needed for Gitea live features)
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+
+        proxy_buffering off;
+        proxy_read_timeout 3600s;
+        proxy_send_timeout 3600s;
+    }
+}
+# SSL_HTTPS_BLOCK_END

templates/runner-config.yaml.tpl

@@ -0,0 +1,26 @@
+# act_runner configuration — rendered from runner-config.yaml.tpl
+log:
+  level: info
+
+runner:
+  name: ${RUNNER_NAME}
+  labels:
+    - "${RUNNER_LABELS}:docker://node:20-bookworm"
+  capacity: 1
+  timeout: 3h
+  insecure: false
+  fetch_timeout: 5s
+  fetch_interval: 2s
+
+cache:
+  enabled: true
+  dir: ""
+
+container:
+  network: ""
+  privileged: false
+  options:
+  workdir_parent:
+
+host:
+  workdir_parent:

templates/workflows/security-scan.yml.tpl

@@ -0,0 +1,43 @@
+# Security scanning workflow — rendered from security-scan.yml.tpl
+# Runs Semgrep, Trivy, and Gitleaks on every pull request.
+# Each job reports as a status check for branch protection.
+
+name: Security Scan
+
+on:
+  pull_request:
+    branches:
+      - ${PROTECTED_BRANCH}
+
+jobs:
+  semgrep:
+    name: Semgrep SAST
+    runs-on: linux
+    container:
+      image: returntocorp/semgrep:${SEMGREP_VERSION}
+    steps:
+      - uses: actions/checkout@v4
+      - name: Run Semgrep
+        run: semgrep scan --config auto --error .
+
+  trivy:
+    name: Trivy Vulnerability Scan
+    runs-on: linux
+    container:
+      image: aquasec/trivy:${TRIVY_VERSION}
+    steps:
+      - uses: actions/checkout@v4
+      - name: Run Trivy filesystem scan
+        run: trivy fs --exit-code 1 --severity HIGH,CRITICAL .
+
+  gitleaks:
+    name: Gitleaks Secret Detection
+    runs-on: linux
+    container:
+      image: zricethezav/gitleaks:${GITLEAKS_VERSION}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Run Gitleaks
+        run: gitleaks detect --source . --exit-code 1