hydra: actually use version from flake

flake.lock

@@ -144,17 +144,17 @@
         ]
       },
       "locked": {
-        "lastModified": 1718119663,
-        "narHash": "sha256-36+umLoMsx0ZHNcuTNAhmRTw3JoyaIS9vOy9NnKRPhQ=",
+        "lastModified": 1719253535,
+        "narHash": "sha256-HE0QHbOEfmmiFRBtWy+7pTlaDolxDfo5mgPcV20KOGA=",
         "ref": "refs/heads/main",
-        "rev": "cbe527a3ee6256de0c5bde5b10821f5095b60e22",
-        "revCount": 4170,
+        "rev": "e9d0a3a754d5a477126ecb3c0bac3bf91a5bb189",
+        "revCount": 4171,
         "type": "git",
-        "url": "https://git.lix.systems/lix-project/hydra.git"
+        "url": "file:///home/delroth/work/hydra-lix"
       },
       "original": {
         "type": "git",
-        "url": "https://git.lix.systems/lix-project/hydra.git"
+        "url": "file:///home/delroth/work/hydra-lix"
       }
     },
     "nix": {
@@ -169,11 +169,11 @@
         "pre-commit-hooks": "pre-commit-hooks"
       },
       "locked": {
-        "lastModified": 1718081112,
-        "narHash": "sha256-3cpIVHuyo6yz9n7U/7U/p2Lmwjj1xHdTJR2RkT5JntY=",
+        "lastModified": 1719211568,
+        "narHash": "sha256-oIgmvhe3CV/36LC0KXgqWnKXma39wabks8U9JBMDfO4=",
         "ref": "refs/heads/main",
-        "rev": "8a3d063a494c4b8c767190a5ce3e4075a75f9d07",
-        "revCount": 15756,
+        "rev": "4c3d93611f2848c56ebc69c85f2b1e18001ed3c7",
+        "revCount": 15877,
         "type": "git",
         "url": "https://git@git.lix.systems/lix-project/lix"
       },
@@ -251,6 +251,10 @@
         "agenix": "agenix",
         "colmena": "colmena",
         "hydra": "hydra",
+        "lix": [
+          "hydra",
+          "nix"
+        ],
         "nixpkgs": "nixpkgs"
       }
     },

flake.nix

@@ -12,12 +12,18 @@
 
     hydra.url = "git+https://git.lix.systems/lix-project/hydra.git";
     hydra.inputs.nixpkgs.follows = "nixpkgs";
+
+    lix.follows = "hydra/nix";
   };
 
   outputs = { nixpkgs, ... } @ inputs: {
     colmena = {
       meta.nixpkgs = import nixpkgs {
         system = "x86_64-linux";
+        overlays = [
+          inputs.hydra.overlays.default
+          inputs.lix.overlays.default
+        ];
       };
       meta.specialArgs.inputs = inputs;
 

secrets.nix

@@ -5,6 +5,7 @@ let
 
   secrets = with keys; {
     hydra-s3-credentials = [ machines.bagel-box ];
+    hydra-ssh-key-priv = [ machines.bagel-box ];
   };
 in
   builtins.listToAttrs (

services/hydra/default.nix

@@ -1,4 +1,4 @@
-{ config, lib, ... }:
+{ config, lib, pkgs, ... }:
 
 let
   cfg = config.bagel.services.hydra;
@@ -20,6 +20,11 @@ in {
   };
 
   config = lib.mkIf cfg.enable {
+    age.secrets.hydra-s3-credentials.file = ../../secrets/hydra-s3-credentials.age;
+
+    age.secrets.hydra-ssh-key-priv.owner = "hydra-queue-runner";
+    age.secrets.hydra-ssh-key-priv.file = ../../secrets/hydra-ssh-key-priv.age;
+
     systemd.tmpfiles.rules = [
       "d /var/cache/hydra 0755 hydra hydra -  -"
       "d ${narCacheDir}   0755 hydra hydra 1d -"
@@ -42,6 +47,16 @@ in {
 
       notificationSender = "bagel@delroth.net";
 
+      # XXX: hydra overlay sets pkgs.hydra, but hydra's nixos module uses
+      # pkgs.hydra_unstable...
+      package = pkgs.hydra;
+
+      buildMachinesFiles = [
+        (pkgs.writeText "hydra-builders.conf" ''
+          ssh://bagel-builder@epyc.infra.newtype.fr x86_64-linux ${config.age.secrets.hydra-ssh-key-priv.path} 8 1 big-parallel,kvm,nixos-test - c3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMU5URTVBQUFBSUJwcFBwKzhsdDFSTDNodW5aaGlXRUUvY1laaHJXYjFzaVhKVWpiU2l6Rzggcm9vdEBlcHljCg==
+        '')
+      ];
+
       extraConfig = ''
         store_uri = s3://bagel-cache?${mkCacheSettings {
           endpoint = "s3.delroth.net";
@@ -73,9 +88,8 @@ in {
       '';
     };
 
-    age.secrets."hydra-s3-credentials".file = ../../secrets/hydra-s3-credentials.age;
     systemd.services.hydra-queue-runner.serviceConfig.EnvironmentFile =
-      config.age.secrets."hydra-s3-credentials".path;
+      config.age.secrets.hydra-s3-credentials.path;
 
     services.nginx = {
       enable = true;