fix: use python_env as guard for ESP-IDF install task

The tools directory can exist without the Python venv being created,
causing install.sh to be skipped on re-runs. Check for python_env
instead, which is the actual output we need.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

ansible/roles/gitea-actions/tasks/esp-idf.yml

@@ -86,7 +86,7 @@
     export IDF_TOOLS_PATH="{{ gitea_runner_home }}/.espressif"
     {{ esp_idf_path }}/install.sh esp32
   args:
-    creates: "{{ gitea_runner_home }}/.espressif/tools"
+    creates: "{{ gitea_runner_home }}/.espressif/python_env"
   environment:
     HOME: "{{ gitea_runner_home }}"
   tags: gitea-actions

ansible/roles/gitea-actions/tasks/user.yml

@@ -32,3 +32,42 @@
     state: directory
     mode: "0755"
   tags: gitea-actions
+
+- name: create .ssh directory
+  become: true
+  ansible.builtin.file:
+    path: "{{ gitea_runner_home }}/.ssh"
+    state: directory
+    owner: "{{ gitea_runner_user }}"
+    group: "{{ gitea_runner_user }}"
+    mode: "0700"
+  tags: gitea-actions
+
+- name: generate SSH key for gitea-runner
+  become: true
+  become_user: "{{ gitea_runner_user }}"
+  ansible.builtin.command:
+    cmd: ssh-keygen -t ed25519 -f {{ gitea_runner_home }}/.ssh/id_ed25519 -N "" -C "gitea-runner@galactica"
+    creates: "{{ gitea_runner_home }}/.ssh/id_ed25519"
+  tags: gitea-actions
+
+- name: add Gitea SSH host keys to known_hosts
+  become: true
+  become_user: "{{ gitea_runner_user }}"
+  ansible.builtin.shell:
+    cmd: ssh-keyscan -p 2222 {{ item }} >> {{ gitea_runner_home }}/.ssh/known_hosts 2>/dev/null
+  args:
+    creates: "{{ gitea_runner_home }}/.ssh/known_hosts"
+  loop:
+    - git.skudak.com
+    - git.debyl.io
+  tags: gitea-actions
+
+- name: set known_hosts permissions
+  become: true
+  ansible.builtin.file:
+    path: "{{ gitea_runner_home }}/.ssh/known_hosts"
+    owner: "{{ gitea_runner_user }}"
+    group: "{{ gitea_runner_user }}"
+    mode: "0644"
+  tags: gitea-actions