Use hercule with non-github websites (Gitea/Gitlab...) #199

Open
tobiasBora opened this issue Feb 18, 2020 · 4 comments
Labels
enhancement New feature or request

Comments

tobiasBora commented Feb 18, 2020

Hello,

First, thanks for this tool. This project looks very promising, but I'm curious to know, are there some ways for me to integrate this tool with other websites than github? For example, I'd be interested to use hercules on self-hosted instances of Gitea or Gitlab. Also, being new to this field, how does hercules-ci compare with drone.io + a shell runner that will compile my project using nix-build?

Thanks!

@tobiasBora tobiasBora added the enhancement New feature or request label Feb 18, 2020
@tobiasBora tobiasBora changed the title Use hercule on with non-github websites (Gitea/Gitlab...) Use hercule with non-github websites (Gitea/Gitlab...) Feb 18, 2020
Member

roberth commented Feb 19, 2020

Hi @tobiasBora,

Currently, Hercules CI only integrates with GitHub. We're investigating the feasibility of a GitLab integration, but for now we're prioritizing other features.

Compared to drone.io or buildkite, we provide a better experience by integrating Nix. This improves

  • support: Nix isn't "first-class" on our CI; it's the core. If you're having Nix-specific trouble, we have you covered.
  • the dashboard, designed specifically for Nix. No more interleaved logs. Nix-specific build info is made available.
  • simplified configuration: no need to maintain build scripts to find the right file, push to the right cache, etc.
  • sandboxed builds: in Nix, sandboxing isn't just about security. The correctness of the build output can depend on it. Running in a Docker container prevents Nix from setting up its sandbox. The Hercules CI agent runs outside docker and gives you correct builds from the Nix sandbox.
  • automatic caching: the agent's Nix store is an instantly available cache, speeding up your builds. Adding a binary cache is a one-time setup covering all your repositories.

The only thing that's currently missing is the ability to run arbitrary commands in environments other than the Nix sandbox, but that will land soon.

Author

tobiasBora commented Feb 19, 2020 via email

Member

roberth commented Feb 19, 2020

The Nix sandbox should be about as secure as a Docker container, but I am not willing to assume this, because while it uses most of the same Linux kernel features, it is a distinct implementation that hasn't been scrutinized as much.
Also note that cloud providers typically don't trust Docker for isolating their tenants.

For these reasons, Hercules CI only builds automatically for pushes by people with direct push access to the actual repo. This works perfectly for most teams. If they're maintaining actively contributed open source software, they'll benefit from e.g. bors bot to build contributions from otherwise untrusted forks after some human review.

@OliverEvans96

I agree, it would be great to have nix-first CI across hosting providers.
