M2 start: Drone CI decision; Gitea OAuth app + Drone secrets (sops)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

JOURNAL.md

@@ -186,3 +186,26 @@ Verify: `docker service ls` → app+socket-proxy 1/1; via gateway `curl --resolv
 **docs/install.md** seeded (flake apply + deploy-proxy + verify). M1 gate CLAIMED in STATUS.md.
 
 **Next:** M2 — Drone server + exec runner via Nix, Gitea OAuth app, hello-world .drone.yml green.
+
+## 2026-05-26 — M2 start: CI engine decision + Gitea OAuth app + Drone secrets
+
+**Decision (DECISIONS.md):** keep Drone per plan. nixpkgs 24.11 has drone server 2.24.0 but only the
+abandoned `drone-runner-exec` (unstable-2020) — accepted (stable RPC), Woodpecker is the documented
+fallback. Deploy shape mirrors traefik: server via coop-cloud `drone` recipe (abra, swarm,
+traefik-routed at drone.ci.commoninternet.net, no ACME), exec runner as a host Nix systemd service.
+
+**Recipe recon:** coop-cloud `drone` recipe = drone/drone:2.26.0, secrets `rpc_secret` +
+`CLIENT_SECRET` (Gitea OAuth), Gitea SSO via `compose.gitea.yml` (`GITEA_CLIENT_ID`, `GITEA_DOMAIN`).
+Server env: DRONE_SERVER_HOST/PROTO, DRONE_USER_CREATE.
+
+**Done this tick:**
+- Created Gitea OAuth app `cc-ci-drone` (bot): client_id `ab4cdb9d-…`, redirect
+  `https://drone.ci.commoninternet.net/login`.
+- Generated `DRONE_RPC_SECRET` (openssl-equivalent /dev/urandom hex32) + stored client_secret;
+  both added to `secrets/secrets.yaml` via `sops set` (needed `SOPS_AGE_KEY` from the host ssh key:
+  `ssh-to-age -private-key -i /etc/ssh/ssh_host_ed25519_key`). Verified: decrypt shows keys
+  test_secret/drone_rpc_secret/drone_gitea_client_secret; file stays encrypted (4× ENC).
+
+**Next:** scripts/deploy-drone.sh (abra deploy of drone server w/ Gitea SSO + rpc/client secrets),
+modules/drone-runner.nix (exec runner systemd unit, rpc secret from sops), wire sops secrets for the
+runner, then push a hello-world .drone.yml and confirm a green build (M2 gate).