M2: Drone server + exec runner up; infra as idempotent-reconcile oneshots
Convert proxy+drone bring-up to writeShellApplication systemd oneshots that reconcile every activation (orchestrator steer). pkgs.abra overlay. Runner connected via RPC (polling, capacity=2). install.md = clone + nixos-rebuild switch. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
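--- /dev/null
+++ b/modules/drone-runner.nix
@@ -0,0 +1,42 @@
+# Drone exec runner (M2). Runs on cc-ci itself (not in a container) so CI pipelines can drive
+# host `abra` to deploy real recipes onto the swarm (plan §4.2, §8: exec runner). The Drone
+# *server* is deployed separately via abra (scripts/deploy-drone.sh) as a swarm service.
+#
+# The exec runner is drone-runner-exec (the only exec runner upstream ever shipped; see
+# DECISIONS.md "CI engine"). It connects to the server over RPC at drone.ci.commoninternet.net,
+# sharing DRONE_RPC_SECRET with the server via the sops-rendered EnvironmentFile.
+{ pkgs, config, lib, ... }:
+{
+# Drone ships under the Polyform Small Business license (nixpkgs marks it unfree);
+# permitted for our internal CI use. Allow only this package.
+nixpkgs.config.allowUnfreePredicate = pkg:
+builtins.elem (lib.getName pkg) [ "drone-runner-exec" ];
+
+systemd.services.drone-runner-exec = {
+description = "Drone exec runner (drives host abra/swarm)";
+after = [ "network-online.target" ];
+wants = [ "network-online.target" ];
+wantedBy = [ "multi-user.target" ];
+environment = {
+DRONE_RPC_PROTO = "https";
+DRONE_RPC_HOST = "drone.ci.commoninternet.net";
+DRONE_RUNNER_CAPACITY = "2"; # concurrency cap (plan §4.2)
+DRONE_RUNNER_NAME = "cc-ci-exec";
+# exec runner needs a writable root for build workspaces
+DRONE_RUNNER_ROOT = "/var/lib/drone-runner";
+# Pipeline commands shell out to abra/docker/git — all live in the system path.
+PATH = lib.mkForce "/run/current-system/sw/bin:/run/wrappers/bin";
+};
+serviceConfig = {
+# DRONE_RPC_SECRET comes from the sops-rendered env file (shared with the server).
+EnvironmentFile = config.sops.templates."drone-runner.env".path;
+ExecStart = "${pkgs.drone-runner-exec}/bin/drone-runner-exec";
+Restart = "always";
+RestartSec = "5s";
+StateDirectory = "drone-runner";
+# exec runner runs pipelines as this service's user; root is needed to drive docker/abra
+# and to read the abra config under /root/.abra (same as manual deploys).
+User = "root";
+};
+};
+}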
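Review bot: The runner executes pipeline steps as root (`User = "root";`) and nothing in the `environment` block limits which repositories may schedule on it, so every repository enabled on the Drone server effectively gets root on cc-ci, not just the ones that need to drive abra. Drone runners accept `DRONE_LIMIT_TRUSTED` (and `DRONE_LIMIT_REPOS`) to only pick up jobs from repositories an admin has marked trusted; adding `DRONE_LIMIT_TRUSTED = "true";` next to `DRONE_RUNNER_CAPACITY` narrows the blast radius to those repos, assuming the nixpkgs drone-runner-exec build honours it — verify against the runner's reference before relying on it. The header comment should also state that root plus the trusted-repo gate is the security boundary for this host, since the existing comment on `User` only explains why root is needed, not what that exposes. Separately, `nixpkgs.config.allowUnfreePredicate` is a plain function assignment; if another module on this host also sets it, NixOS's merge of `nixpkgs.config` will likely let one definition silently replace the other rather than combine the lists, so a comment noting that (or a single shared predicate) would save a confusing "unfree package" error later.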