# Drone exec runner (M2). Runs on cc-ci itself (not in a container) so CI pipelines can drive
# host `abra` to deploy real recipes onto the swarm (plan §4.2, §8: exec runner). The Drone
# *server* is deployed separately via abra (scripts/deploy-drone.sh) as a swarm service.
#
# The exec runner is drone-runner-exec (the only exec runner upstream ever shipped; see
# DECISIONS.md "CI engine"). It connects to the server over RPC at drone.ci.commoninternet.net,
# sharing DRONE_RPC_SECRET with the server via the sops-rendered EnvironmentFile.
{ pkgs, config, lib, ... }:
let
  # MAX_TESTS (plan §4.2/§4.3 resource safety): max CI builds the exec runner runs at once. Drone
  # queues the rest in its native pending-build queue (no custom queue). THE concurrency cap that
  # bounds how many test apps can be live at once.
  #
  # Raised to 2 (operator request 2026-06-09) so two recipes can be tested in parallel (e.g. immich
  # and plausible under active development at once). Verified safe on the current node (Hetzner cpx22,
  # ~7.6 GiB / 4 vCPU — NOTE: smaller than the original 28 GiB this was written for): a full immich CI
  # stack measured ~1 GiB (server+ML+pg+redis) with multiple GiB free, so two concurrent recipes fit.
  # The concurrency PRECONDITION holds: the run-start janitor is age-based (default 2h) + run-app-name
  # scoped, so it never reaps a concurrent in-flight run (harness.lifecycle.janitor). TRADE-OFF: with
  # capacity>1 a SIGKILL'd build (no teardown) leaves an orphan the run-start sweep can't reap
  # immediately (it might be a live run) — bounded instead by the 2h janitor + the /upgrade-all
  # start/end reap + sweep-orphans. Revert to "1" if OOM / disk-I/O contention is observed under load.
  maxTests = "2";
in
{
  # Drone ships under the Polyform Small Business license (nixpkgs marks it unfree);
  # permitted for our internal CI use. Allow only this package.
  nixpkgs.config.allowUnfreePredicate = pkg:
    builtins.elem (lib.getName pkg) [ "drone-runner-exec" ];

  systemd.services.drone-runner-exec = {
    description = "Drone exec runner (drives host abra/swarm)";
    after = [ "network-online.target" ];
    wants = [ "network-online.target" ];
    wantedBy = [ "multi-user.target" ];
    environment = {
      DRONE_RPC_PROTO = "https";
      DRONE_RPC_HOST = "drone.ci.commoninternet.net";
      DRONE_RUNNER_CAPACITY = maxTests; # MAX_TESTS concurrency cap (see let-binding above)
      DRONE_RUNNER_NAME = "cc-ci-exec";
      # exec runner needs a writable root for build workspaces
      DRONE_RUNNER_ROOT = "/var/lib/drone-runner";
      # Pipeline commands shell out to abra/docker/git — all live in the system path.
      PATH = lib.mkForce "/run/current-system/sw/bin:/run/wrappers/bin";
    };
    serviceConfig = {
      # DRONE_RPC_SECRET comes from the sops-rendered env file (shared with the server).
      EnvironmentFile = config.sops.templates."drone-runner.env".path;
      ExecStart = "${pkgs.drone-runner-exec}/bin/drone-runner-exec";
      Restart = "always";
      RestartSec = "5s";
      StateDirectory = "drone-runner";
      # exec runner runs pipelines as this service's user; root is needed to drive docker/abra
      # and to read the abra config under /root/.abra (same as manual deploys).
      User = "root";
    };
  };
}