M2: Drone server + exec runner up; infra as idempotent-reconcile oneshots

Convert proxy+drone bring-up to writeShellApplication systemd oneshots that
reconcile every activation (orchestrator steer). pkgs.abra overlay. Runner
connected via RPC (polling, capacity=2). install.md = clone + nixos-rebuild switch.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

modules/secrets.nix

@@ -2,7 +2,7 @@
 # ed25519 SSH host key as the age identity (no separate key file to manage on the box).
 # Encrypted material lives in ../secrets/*.yaml, committed and readable only by recipients
 # listed in /.sops.yaml (host key + off-box master recovery key).
-{ ... }:
+{ config, ... }:
 {
   sops = {
     defaultSopsFile = ../secrets/secrets.yaml;
@@ -11,8 +11,19 @@
     # Do not also look for a GPG key.
     gnupg.sshKeyPaths = [ ];
 
-    # M0 proof secret — confirms the decrypt path works end to end. Real infra secrets
-    # (Drone RPC, webhook HMAC, OAuth, registry creds) are added in their milestones.
+    # M0 proof secret — confirms the decrypt path works end to end.
     secrets.test_secret = { };
+
+    # M2 Drone (A2 internal secrets). drone_rpc_secret is shared between the swarm-deployed
+    # Drone server (inserted as the `rpc_secret` swarm secret by scripts/deploy-drone.sh) and
+    # the host exec runner (read via the env template below). drone_gitea_client_secret is the
+    # Gitea OAuth app secret, inserted as the server's `client_secret` swarm secret.
+    secrets.drone_rpc_secret = { };
+    secrets.drone_gitea_client_secret = { };
+
+    # EnvironmentFile for the host exec runner: DRONE_RPC_SECRET rendered from the sops secret.
+    templates."drone-runner.env".content = ''
+      DRONE_RPC_SECRET=${config.sops.placeholder.drone_rpc_secret}
+    '';
   };
 }