Recommendations for a simple CI/build server setup

I’ve recently set up a NixOS server that I would like to use as a CI/build server and nix cache. My requirements are very simple - I just want my (flake-based) packages to be rebuilt whenever a new commit is pushed to one of several private Github repos, so that the build artifacts are available in the cache. I’d also like to be notified by mail when a build fails.

Hydra seems to be the default choice for a nix build server but I’ve run into an issue where Hydra doesn’t seem to support nix flakes that use git submodules, which are pervasive in our codebase. I took a shot at trying to fix this in the code but couldn’t figure out where/how Hydra is fetching the repos (I don’t really speak perl).

buildbot-nix looks interesting but seems to require setting up a Github oauth app, which in turn requires a public internet address, which this server doesn’t have.

Hercules-CI looks great but is commercial and overkill for my purposes.

I’ve thought about just setting up a cron job that simply fetches and rebuilds the projects periodically with something like nix-fast-build, but it would be nice to have the flexibility of a “real” solution.

You could configure hooks on the git server to build your config.
The cache can be filled via:

  1. nix post-build-hook: tricky to get right and slows builds as it pushes to the cache
  2. use a cron job that syncs the nix store with an S3-like service. That’s what I do (with systemd timers)
  3. use the server as a cache directly (but it has no public IP?)

I guess I should have mentioned that although the server doesn’t have a public address, it is accessible via VPN by the other machines that need the cache. So using nix-serve directly works fine.
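Putting the thread's suggestions together, here is an added example of a NixOS module (not configuration posted by anyone in this thread) that implements option 2, a systemd timer that rebuilds the flakes and pushes the outputs to an S3-compatible cache, alongside option 3, `nix-serve` for the machines that reach the server over the VPN, plus a systemd `OnFailure=` unit that mails the journal when a build fails. The repository URLs, bucket endpoint, key path, mail address and the assumption that each flake exposes a `default` package are placeholders; it also assumes root holds an SSH deploy key for the private repos and that a sendmail-compatible MTA (for example `programs.msmtp`) provides `/run/wrappers/bin/sendmail`.

```nix
# Added example, not from the original thread.
{ config, pkgs, lib, ... }:

let
  # Constructed placeholders: the flakes to rebuild and the cache to fill.
  # submodules=1 makes the flake fetcher check out git submodules.
  flakes = [
    "git+ssh://git@github.com/example-org/project-a?submodules=1"
    "git+ssh://git@github.com/example-org/project-b?submodules=1"
  ];
  # secret-key= makes `nix copy` sign every path it uploads.
  cacheUrl = "s3://example-nix-cache?endpoint=minio.internal:9000&secret-key=${signingKey}";
  signingKey = "/var/keys/cache-priv-key.pem";   # generated once with `nix key generate-secret`
  notifyAddress = "ops@example.invalid";          # placeholder recipient
in
{
  # Option 3: serve the store directly to VPN clients (they need the
  # matching public key from `nix key convert-secret-to-public`).
  services.nix-serve = {
    enable = true;
    secretKeyFile = signingKey;
    port = 5000;
    openFirewall = false;   # reachable on the VPN interface only
  };

  # Option 2: periodic build + push, the "cron job" variant with systemd timers.
  systemd.services.nix-cache-sync = {
    description = "Rebuild flakes and push outputs to the binary cache";
    path = [ pkgs.nix pkgs.git pkgs.openssh ];
    serviceConfig = {
      Type = "oneshot";
      User = "root";        # root's SSH key must have read access to the repos
    };
    onFailure = [ "nix-cache-sync-failed.service" ];
    # NixOS runs `script` under `bash -e`; pipefail makes a failed build,
    # not only a failed upload, mark the unit as failed.
    script = "set -o pipefail\n" + lib.concatMapStringsSep "\n" (flake: ''
      echo "building ${flake}"
      # --refresh forces a re-fetch so a new commit on the branch is picked up.
      nix build --refresh --no-link --print-out-paths "${flake}#default" \
        | xargs -r nix copy --to "${cacheUrl}"
    '') flakes;
  };

  systemd.timers.nix-cache-sync = {
    wantedBy = [ "timers.target" ];
    timerConfig = {
      OnBootSec = "5min";
      OnUnitActiveSec = "15min";
      Persistent = true;
    };
  };

  # Mail notification on failure: OnFailure= starts this unit with the
  # failing unit's journal available for the report.
  systemd.services.nix-cache-sync-failed = {
    description = "Mail the log of a failed cache sync";
    serviceConfig.Type = "oneshot";
    script = ''
      {
        echo "Subject: [nix-cache] build failed on ${config.networking.hostName}"
        echo "To: ${notifyAddress}"
        echo
        journalctl -u nix-cache-sync.service --since "-1h" --no-pager
      } | /run/wrappers/bin/sendmail -t
    '';
  };
}
```

Clients on the VPN then add the server to `nix.settings.substituters` (as `http://<server>:5000`) together with the public half of the signing key in `nix.settings.trusted-public-keys`; the same key verifies paths pulled from the S3 bucket, so a substituter pointing at either location works. A post-build-hook (option 1) would replace the `nix copy` line with a hook script running on every build, which is where the "slows builds" caveat from the reply comes in.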