Show HN: Garnix, fast and easy CI for Nix

120 points by jkarni ↗ HN
Hello HN!

For the past few months, I've been building a Nix-specific CI service, and quite a few people have been productively using it, so I thought I'd Show HN it.

You might be wondering why build a Nix-specific CI. It turns out its quite hard to get a really good CI setup for Nix without spending a lot of time or money on it (or both), and even then solutions don't tend to be optimal.

Garnix, on the other hand, handles everything, and simply. Just create an account, install the GitHub app on the repositories you want, and you're good to go! Each package gets its own GitHub check, and separate log output, which makes it really easy to figure out what went wrong (you can see an example here: https://garnix.io/build/X9knYZOB). Builds are very fast compared to e.g Github Actions. The build artifacts are made available in a Nix cache so you never have to rebuild locally. And there are builders for x86-64 Linux as well as M1 Macs and aarch64 Linux.

Try it out: https://garnix.io. It's free, though if you like it, consider donating! (Note that it only works with flakes.)

Cheers, Julian

64 comments

[ 3.7 ms ] story [ 134 ms ] thread
love the name
„gar nix“ is German slang for „nothing“ / „absolutely nothing“.
As an Ami who grew up in West Germany, das ist die erste Sache dass ich habe auch gesehen/that's the first thing I saw too.

Also, "gar nichts". But we would say gar nix for short.

What does Ami mean in this context?

(I know Amis people [1], but don't think it would be relevant here).

[1] https://en.wikipedia.org/wiki/Amis_people

"Ami" is German short form for "American"
According to the Wiktionary linked:

> (informal, mildly derogatory) Yank, Yankee, American (native or inhabitant of the USA)

German slang for "US citizens", shortend from "Amerikaner".

https://en.wiktionary.org/wiki/Ami

Be careful, it is derogatory.
What? No it isn't.
Some people seem to think all slang terms for cultural groups are automatically derogatory. A sizable proportion of people from the US get offended that people from Latin America call them “gringos” too (which is ridiculous IMO).
If you are not offended by it, good for you. If I was American I'd definitely be, and that is judged as a German who knows how that word is used here.

"Ami – go home!" is a popular enough slogan that it has it's own Wikipedia entry[1], unsurprisingly only in German and French.

[1] https://de.m.wikipedia.org/wiki/Ami_–_go_home!

EDIT: For some reason the link doesn't work on HN. Either copy and paste "https://de.m.wikipedia.org/wiki/Ami_–_go_home!" or use https://bit.ly/3CZXNxh

Interestingly, I assumed it was just a reference to author Garth Nix.
I hadn't heard of Garth Nix!

It was in fact from the German. I like the suggestion that the CI should feel like "nothing at all" (rather than the painful slow trial-and-error process of setting up most CIs, which makes you very much aware of them).

I also happen to live very near where Marlene Dietrich lived, who has a famous song in which "und sonst gar nichts/nix" is the refrain ("and nothing else") [0]. When garnix becomes a noun of its own, as here, it reads instead as "and otherwise, garnix", which I find mildly funny.

[0] https://www.youtube.com/watch?v=ahyLLX0tmD8

> It's free

But is it open-source? I can't find the code.

It isn't open-source yet (and might never be). But it also might, as I said in a sibling comment, I've been thinking about a license that would require only running it (and derived software) on green energy; that way, if competition were to arise, cheaper/dirtier energy wouldn't be what we would be competing on. But figuring out whether that's plausible, and what the consequences of the decision would be, is hard.

(In general the idea of a license that's viral like GPL, but oriented towards green and renewable energy, seems like an interesting thought to me.)

So essentially no then
Decidedly no.. just like they said very clearly.
I see. Interesting idea with the green energy. But basically a non-opensource CI would be very difficult to justify due to the vendor lock-in. Yet I'm using github-workflows out of convenience...
I've never worked anywhere that used a FOSS solution for CI. We currently use buildkite, my last two jobs used TeamCity and another job used Electric Commander (!).

We don't care about vendor lock in, we can rewrite the build scripts. We care about support.

There's not really space for lock-in with garnix - you really only need a flake.nix file, nothing garnix specific (or more precisely: at most a very simple 5 line YAML file). The idea is that "normal nix" is enough.
The only lockin here is convenience, garnix builds the existing outputs from your flake.nix, and there are already self hosted options which work the same way.

Not nearly as bad as writing a bunch of custom github actions or travis CI yaml files and needing to move.

You can replicate garnix's checks with much worse UX and less parallelism on any other service with a few lines of shell calling `nix flake check` and `nix build`. Making the UX good is left as an exercise for the reader.

Ah interesting. Thanks for the explanation.
You can modify GPL with an additional clause. Kinda like JSON did to the MIT license with their do-not-use-for-evil morality clause. Of course the project then will be considered non-free by both FSF and OSI. Ironically installation via Nix if it's put on nixpkgs will then require enabling allowUnfree.
(comment deleted)
That is true, and to add: If you are not careful with your additional clause you easily violate Debian's Free Software Guidelines (DFSG). The guidelines are used to determine whether your software can be included in Debian. If that is important to you a clause that adds additional restrictions (like green energy use) is out.
It's if anything better that way. The commitment would have to be one you consciously take on, after all.
I think you might be mixing JSON up with jslint? The famous story is that Crockford gave a license to “IBM and its minions” to use the software for nefarious purposes as a joke when their lawyers asked for an exclusion.
You can modify the GPL with an addition term that requires the use of green energy, but the resulting license is incompatible with the GPL with the result that code under the new license cannot be mixed with or linked with GPLed code. See section 7 ("additional terms") of the GPL:

https://www.gnu.org/licenses/gpl-3.0.en.html

(the GPL version 2 also has this property.)

Also, its unusual license is probably why jslint is not used much.

Used jslint extensively back in the days.

The reason why it fell mostly in disuse nowadays is because jshint appeared, which allowed a lot more customization of the available rules being applied.

Later eslint popped up with it's plugin engine allowing anyone to have their own custom set of rules.

As far as I know, no one cared about jshint's license because there was no code being shipped, and eventually code would be minified anyway leaving no traces of jshint.

Now... We can talk about the morality of ignoring a license, but ultimately jshint's license was simply ignored by almost everyone

You don't necessarily have to enable `allowUnfree` entirely. There's also `nixpkgs.config.allowUnfreePredicate` which lets you define a predicate that takes a package and decides if it's okay to install.
I doubt you would care very much (not many do), but this is a problem for those among us fortunate enough to be born in so-called "developing" countries.

I am from one where we still burn coal for heat (along with plastic bottles, tires, and rubber). You can imagine the impact of the electricity produced here. Yet there are IT jobs here and we're using many of the same products you do.

I've been using Drone and GitLab CI for years and likely won't be using anything like what you're describing because green energy is simply not available, and probably won't be for the next 50 years at the very least.

Hosting CI on the other side of the planet is a no-go for various reasons (we self-host everything since it makes a lot of sense for us).

I do care. I also was born in a developing country. (Though the correlation between development of country and proportion of green/renewable energy usage is I think quite low (and might not even be positive?) [0].)

I think access to software and services shouldn't be be based on the country you happen to live in, and I wouldn't want to contribute to that. But I would have thought either using a hosted service, or else self-hosting in a different country, are almost always options. Why is hosting CI on the other side of the planet for you a no-go?

(Also, I think right now a license that simply says "must be run with renewable energy" is infeasible almost everywhere still.)

[0] https://en.wikipedia.org/wiki/List_of_countries_by_renewable...

what about "you may run this locally on your, or your organization's servers, but you cannot offer it as a free or paid service?"
That makes sense!
Except that it isn’t then free software. Nix and its ecosystem is all free software, and it seems incongruous for people to build nonfree tools on top of and around it.
That's a pretty huge violation of layer isolation. Software should focus on being hardware efficient, hardware on being energy efficient, and energy on being CO2 efficient. If you want clean energy : great I'm 100% with you but a software license is not in any way the right approach for this. You software license is 10 degrees of separation removed from anyone having the slightest impact on the decision to build X or Y power plant. Please use political means to solve political problems.
I have been using it for past four months and have been generally happy with it. Any clue about when you're thinking of either open-sourcing it or launching paid plans?
Glad you're liking it!

I've been working on simplified hosting for nixosConfigurations; likely I'll launch paid plans along with that, since otherwise costs will be too high for me to shoulder, and anyhow free hosting leads to abuse or the moral hazard of accidentally using too many resources. I still have some hope for a donation-based system for individuals, and paid plans for companies, though.

I do think about open-sourcing it as well. I've been thinking about a license that would require only running it (and derived software) on green energy; that way, if competition were to arise, cheaper/dirtier energy wouldn't be what we would be competing on. But figuring out whether that's plausible, and what the consequences of the decision would be, is hard!

I can't say I like that idea for licensing the source code only to use in systems that run off of clean energy.

It's great in practice, and I would love for all electricity use to be non-renewable, but it's saying that many people in many countries are not allowed to use the software due to something entirely out of their control.

I think you're absolutely right that there are nuances such as what you described. More: I imagine there are very few offices/homes that run completely on clean energy - in the most naive formulation of the license, no one could test the software locally!

Likely first you'd need some progressive system (e.g.: no less than 80% now, no less than 100% by 2030).

But I disagree with you on that people in many countries would not be allowed to use the software - you would still be able to use the service (i.e., visit garnix.io, have it build things), or even host it yourself in a different country. Yes, countries with more green energy (rather than exclusively cheap energy) would benefit. But the countries with high green/renewable energy aren't even primarily rich ones [0], so I don't feel too bad about that.

Note that this argument only applies to services such as garnix, where you can still use the service (so it would be a bad license for, for example, a text editor).

[0] https://en.wikipedia.org/wiki/List_of_countries_by_renewable...

> But I disagree with you on that people in many countries would not be allowed to use the software - you would still be able to use the service (i.e., visit garnix.io, have it build things), or even host it yourself in a different country

Which in a way is nice as it enables areas that can't have clean energy (locally) to use clean energy (remotely) via the hosted version, which maybe they otherwise would not, so hopefully acts as an incentive to reward clean energy generation and services wherever they may be (and maybe increase interest in clean energy generation locally if/when that becomes possible in such areas)

> I would love for all electricity use to be non-renewable

This is supposed to say "renewable" rather than "non-renewable"

Such a license would not be open source (free software), it would be nonfree software with source available.
>To top it all up, we run on 100% renewable energy.

How is that? You run the entire infrastructure on solar panels or something?

We exclusively use Hetzner (Finland and Germany) for the servers, and they use hydropower and wind (see https://www.hetzner.com/unternehmen/umweltschutz/).

I've been wanting to write a blog post about what this means and how much it matters in practice, but there's a lot of research to do still. If someone here works in the area, please get in touch!

Wow, I didn't realize there were currently any hosting providers who had managed to find 24/7 carbon-free electricity (CFE). Hydro seems like the only option right now for data centers because we don't have energy storage on the scale needed to run a data center 24/7 using only wind and solar. Nuclear may also be an option in the future if small modular reactors get on a learning curve that reduces their price/kWh to be more competitive. I always forget about nuclear as a CFE energy source even though it's like 50% of the US's carbon free energy.

David Roberts, a very wonky and wonderful climate journalist, had Google's director of energy on his podcast to talk about Google's goal of having all their data centers operate on 24/7 CFE. This podcast is why I'm surprised any hosting provider has managed to do achieve 24/7 CFE because its an order or magnitude more difficult than achieving "100% CFE".

Here is the link to that episode: https://www.volts.wtf/p/volts-podcast-michael-terrell-on#det...

If you're interested in this enough to choose your hosting provider based off their energy mix I think you'd really enjoy his substack and podcast.

For other comment readers if you the difference between 100% CFE and 24/7 isn't clear, Google's blog post announcing their goal of 24/7 CFE explains the difference between the two and why 24/7 CFE is waaaay more difficult and currently only something a company with Google's resources could do.

That's lovely! I do find myself thinking about this often, and didn't know if any providers that did that other than GCP's "carbon-free" locations. TIL about Hetzner's green-ness.
I wouldn't really see using hydro power in Europe as being "green". Yes, it's renewable, but the installation capacities are pretty much exhausted, and have been before there was any significant share of renewables. So by cutting a deal with a hydro power supplier, you're only displacing another consumer who will possibly start using coal, and not doing anything to support the growth of renewable energies.

Smells a bit like greenwashing to me...

Google's datacenter in Iowa is apparently operating with 97% CFE. I think they have both wind and solar power purchase agreements for that data center but I assume wind is the differentiating factor that makes it their lowest carbon datacenter.
So, you're trying to build a more integrated service than Hercules (https://hercules-ci.com/)? How would you compare it?
The main difference is that you don't have to host anything. For most people, setting up servers (likely for multiple architectures) is time consuming, expensive, and wasteful (since your server is sitting idle while you/your team sleep).

There are of course situations in which you'd prefer that, though!

When the floodgates open to GitLab and more, it'll be a great option for folks.
Why would you recommend using this over for example GitHub Actions (also free) with a workflow that installs nix and then builds the flake?
You need to get caching right if the builds aren't going to take forever, which is a bit of work, especially since smart GC is hard, and it can be slow (the nix store gets big very quickly!). Then you also would ideally provide that cache (as a nix store cache) for yourself and others, so you don't have to rebuild it. But GH Actions doesn't do that, so you need to find a way on your own, or pay for a service like Cachix. Pushing the nix cache can be quite slow. Then the logs are formatted in a very nix-unaware way, which makes it hard to find what you want. And Github doesn't yet even have M1 Mac VMs, so you would get to test/cache that. (I think it's also not possible to do other architectures, like aarch64.)

Also, for whatever reason (in addition to the specific ones above), GitHub action runners are just slow...

In short: garnix is faster, has more features, and is easier to set up.

Why would you recommend nix/flakes over Docker?
There are lots of advantages and disadvantages to both, and use cases where one or the other shines. A proper response would probably be a blog post in length, but in brief, I find that Nix really makes everything explicit. You can see the source code and it reflects everything that went into a build; you can also control every bit of it. It is, however, consequently generally more verbose, and also requires a bit more learning. Nix also tends to compose much more cleanly than docker.

Maybe an analogy: nix is a package-lock.json. Docker is a package.json (with no version bounds) and a node_modules directory. You can just copy that node_modules directory around so everyone has the same setup, but it's much harder to introspect than a lock file, and the way you go about updating it is deleting the folder and rebuilding everything - no fine-grained control over one specific dependency.

> You can see the source code and it reflects everything that went into a build

There's no "FROM ...." for Nix like there is for a Dockerfile?

This looks really cool, and showcases how simple CI can be if every git repository exposes a nix flake. Congrats on shipping!
Hi Julian,

I just had a play with Garnix - and have to say I am impressed. Nicely executed.

Nice to see nix and flakes hitting hackernews through projects/services like this.