M8/D7: results dashboard — overview + SVG badges at ci.commoninternet.net

Stdlib HTTP service (like the bridge): polls the Drone API for recipe-CI builds (event=custom),
groups latest-run-per-recipe, renders a YunoHost-CI-like overview table with pass/fail/running
badges + links to the canonical Drone run, plus /badge/<recipe>.svg. Nix-built OCI image, swarm
service on proxy, traefik Host(ci.commoninternet.net) (the bridge's /hook rule stays higher
priority by length). Reuses the Drone token (read-only). Reconcile oneshot like bridge/drone.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

modules/dashboard.nix

@@ -0,0 +1,86 @@
+# Results dashboard (§4.5, D7): the YunoHost-CI-like overview at ci.commoninternet.net. Reads the
+# Drone API (read-only) and renders latest-run-per-recipe + SVG badges. Packaged as a Nix-built OCI
+# image and run as a swarm service on `proxy`, routed by traefik at Host(ci.commoninternet.net) — the
+# comment-bridge's Host && PathPrefix(`/hook`) rule is longer, so /hook still wins (priority by rule
+# length). Deployed by an idempotent-reconcile oneshot (same pattern as bridge/drone).
+{ pkgs, ... }:
+let
+  dashApp = pkgs.runCommand "cc-ci-dashboard-app" { } ''
+    mkdir -p $out/app
+    cp ${../dashboard/dashboard.py} $out/app/dashboard.py
+  '';
+
+  image = pkgs.dockerTools.buildLayeredImage {
+    name = "cc-ci-dashboard";
+    tag = "latest";
+    contents = [ pkgs.python3 pkgs.cacert dashApp ];
+    config = {
+      Cmd = [ "${pkgs.python3}/bin/python3" "/app/dashboard.py" ];
+      Env = [ "SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" ];
+      ExposedPorts = { "8080/tcp" = { }; };
+    };
+  };
+
+  stack = pkgs.writeText "cc-ci-dashboard-stack.yml" ''
+    version: "3.8"
+    services:
+      app:
+        image: cc-ci-dashboard:latest
+        environment:
+          - DRONE_URL=https://drone.ci.commoninternet.net
+          - CI_REPO=recipe-maintainers/cc-ci
+          - DASH_LISTEN=0.0.0.0:8080
+          - DRONE_TOKEN_FILE=/run/secrets/drone_token
+        secrets:
+          - drone_token
+        networks:
+          - proxy
+        deploy:
+          replicas: 1
+          restart_policy:
+            condition: any
+          labels:
+            - "traefik.enable=true"
+            - "traefik.http.services.ccci-dashboard.loadbalancer.server.port=8080"
+            - "traefik.http.routers.ccci-dashboard.rule=Host(`ci.commoninternet.net`)"
+            - "traefik.http.routers.ccci-dashboard.entrypoints=web-secure"
+            - "traefik.http.routers.ccci-dashboard.tls=true"
+    networks:
+      proxy:
+        external: true
+    secrets:
+      drone_token:
+        external: true
+        name: cc_ci_dashboard_drone_token_v1
+  '';
+
+  reconcile = pkgs.writeShellApplication {
+    name = "cc-ci-reconcile-dashboard";
+    runtimeInputs = with pkgs; [ docker coreutils ];
+    text = ''
+      if [ ! -r /run/secrets/bridge_drone_token ]; then
+        echo "FATAL: /run/secrets/bridge_drone_token missing (rebuild ordering?)" >&2
+        exit 1
+      fi
+      docker load -i ${image}
+      # Dashboard reads the Drone API read-only; reuse the same Drone token value as the bridge.
+      docker secret inspect cc_ci_dashboard_drone_token_v1 >/dev/null 2>&1 \
+        || docker secret create cc_ci_dashboard_drone_token_v1 /run/secrets/bridge_drone_token >/dev/null
+      docker stack deploy --detach=true -c ${stack} ccci-dashboard
+    '';
+  };
+in
+{
+  systemd.services.deploy-dashboard = {
+    description = "Reconcile the cc-ci results dashboard (overview + badges) swarm service";
+    after = [ "deploy-proxy.service" "swarm-init.service" "docker.service" "network-online.target" ];
+    requires = [ "swarm-init.service" "docker.service" ];
+    wants = [ "network-online.target" ];
+    wantedBy = [ "multi-user.target" ];
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+      ExecStart = "${reconcile}/bin/cc-ci-reconcile-dashboard";
+    };
+  };
+}