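# NixOS module: runs the Drone CI runner as a podman-managed container under a
# dedicated system user, with its credentials delivered through sops-nix.
{ config, pkgs, ... }:

{
  # Dedicated, unprivileged service account for the runner process.
  users.users.drone-runner = {
    isSystemUser = true;
    group = "drone-runner";
    home = "/var/lib/drone-runner";
    createHome = true;
  };
  users.groups.drone-runner = { };

  # NOTE(review): membership of the `docker` group is conventionally
  # root-equivalent on the host (socket access). The service below drives
  # podman, so confirm this membership is actually required before keeping it.
  users.groups.docker.members = [ "drone-runner" ];

  systemd.services.drone-runner = {
    description = "Drone Runner (CI CD Service)";
    after = [ "network.target" ];
    wantedBy = [ "multi-user.target" ];
    path = [ pkgs.podman ];

    serviceConfig = {
      # `Name=` is not a [Service] directive; systemd would only log
      # "Unknown key name" and ignore it, so it is dropped here.
      User = "drone-runner";
      Group = "drone-runner";
      Restart = "always";

      # Each ExecStartPre entry is a separate command. The original joined
      # `podman stop` and `podman rm` with a shell-style backslash inside one
      # string, which systemd folds into a single command line: `rm` and its
      # argument became extra container names passed to `podman stop`, so the
      # stale container was never removed. The leading `-` marks each step as
      # best-effort (failure does not abort startup), e.g. when no container
      # named %n exists yet.
      ExecStartPre = [
        "-${pkgs.podman}/bin/podman stop %n"
        "-${pkgs.podman}/bin/podman rm %n"
      ];

      # %n expands to the full unit name (drone-runner.service); the same
      # specifier is used for --name so stop/rm/run all address one container.
      # The container is left uncapped on resources; DRONE_RUNNER_CAPACITY only
      # bounds concurrent pipelines.
      #
      # Security note: bind-mounting the container-engine socket into the
      # runner gives that container control of the host's engine, which is
      # effectively host-root. That is inherent to the docker-runner design;
      # keep the RPC secret in the env file tightly scoped and the image tag
      # pinned (as it is here) so what runs with that power is reviewable.
      # NOTE(review): the runner image reads its engine socket from its own
      # default path unless the env file overrides it — confirm the mount
      # target matches what the env file configures.
      ExecStart = ''
        ${pkgs.podman}/bin/podman run --rm --name %n \
          --volume=/var/run/podman.sock:/var/run/podman.sock \
          --env-file=/run/secrets/drone-runner \
          --env=DRONE_RPC_PROTO=https \
          --env=DRONE_RPC_HOST=drone.cloonar.com \
          --env=DRONE_RUNNER_CAPACITY=2 \
          drone/drone-runner-docker:1.8.3
      '';
    };
  };

  # The runner's secret env file; owned by the service user so the unit can
  # read it without widening permissions. `key` selects the entry in the sops
  # file that backs this secret.
  sops.secrets.drone-runner = {
    owner = config.systemd.services.drone-runner.serviceConfig.User;
    key = "drone";
  };
}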