M1: Docker + single-node swarm via Nix (swarm-init + proxy overlay)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

modules/swarm.nix

@@ -0,0 +1,41 @@
+# Docker + single-node Swarm — the deploy target for recipes under test (M1).
+# Traefik (modules/traefik.nix) and abra layer on top; recipes attach to the `proxy`
+# overlay network, exactly as a real Co-op Cloud host expects.
+{ pkgs, ... }:
+{
+  virtualisation.docker = {
+    enable = true;
+    # Reclaim disk from churning per-run images/volumes (cc-ci root is ~28 GiB).
+    autoPrune = {
+      enable = true;
+      dates = "daily";
+      flags = [ "--all" "--volumes" "--filter" "until=24h" ];
+    };
+  };
+
+  environment.systemPackages = [ pkgs.docker ];
+
+  # Bring up a single-node swarm + the shared `proxy` overlay network. Idempotent:
+  # safe to re-run every boot/rebuild. advertise-addr 127.0.0.1 is fine for a lone node.
+  systemd.services.swarm-init = {
+    description = "Initialise single-node Docker Swarm + proxy overlay network";
+    after = [ "docker.service" ];
+    requires = [ "docker.service" ];
+    wantedBy = [ "multi-user.target" ];
+    path = [ pkgs.docker ];
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+    };
+    script = ''
+      set -eu
+      state="$(docker info --format '{{.Swarm.LocalNodeState}}' 2>/dev/null || echo error)"
+      if [ "$state" != "active" ]; then
+        docker swarm init --advertise-addr 127.0.0.1
+      fi
+      if ! docker network inspect proxy >/dev/null 2>&1; then
+        docker network create --driver overlay --attachable proxy
+      fi
+    '';
+  };
+}