Add Nix flake, instructions, and Nix CI (#1970)

Signed-off-by: Aiden Fox Ivey <aiden@aidenfoxivey.com>

.github/workflows/basic.yml

@@ -156,3 +156,18 @@ jobs:
       - name: Short fuzz check (30s)
         run: ./tests/fuzz_test_sig -max_total_time=30
         working-directory: ${{ env.RANDOM_BUILD_DIR }}
+
+  nixflakecheck:
+    name: Check that Nix flake has correct syntax and can build
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4
+      - name: Install Nix
+        uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72
+      - name: Check devShell
+        run: nix develop --command echo 
+      - name: Check flake syntax
+        run: nix flake check --no-build # check for accurate syntax
+      - name: Check that the flake builds
+        run: nix build # check that the build runs

.gitignore

@@ -37,3 +37,6 @@ __pycache__
 .CMake/a.out
 compile_commands.json
 
+# Generated by Nix flake
+result/
+

README.md

@@ -109,6 +109,10 @@ In order to optimize support effort,
 		brew install cmake ninja openssl@3 wget doxygen graphviz astyle valgrind
 		pip3 install pytest pytest-xdist pyyaml
 
+	Using Nix:
+
+	    nix develop
+
 	Note that, if you want liboqs to use OpenSSL for various symmetric crypto algorithms (AES, SHA-2, etc.) then you must have OpenSSL installed (version 3.x recommended; EOL version 1.1.1 also still possible).
 
 2. Get the source:

flake.lock

@@ -0,0 +1,61 @@
+{
+  "nodes": {
+    "flake-utils": {
+      "inputs": {
+        "systems": "systems"
+      },
+      "locked": {
+        "lastModified": 1726560853,
+        "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1730741070,
+        "narHash": "sha256-edm8WG19kWozJ/GqyYx2VjW99EdhjKwbY3ZwdlPAAlo=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "d063c1dd113c91ab27959ba540c0d9753409edf3",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-24.05",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "flake-utils": "flake-utils",
+        "nixpkgs": "nixpkgs"
+      }
+    },
+    "systems": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}

flake.nix

@@ -0,0 +1,94 @@
+{
+  inputs = {
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05";
+    flake-utils.url = "github:numtide/flake-utils";
+  };
+  outputs = {
+    self,
+    nixpkgs,
+    flake-utils,
+  }:
+    flake-utils.lib.eachDefaultSystem (system: let
+      name = "liboqs";
+      src = ./.;
+      pkgs = nixpkgs.legacyPackages.${system};
+
+      # Function to create compiler-specific package sets
+      mkPackageSet = compiler: let
+        # Override the stdenv to use the specified compiler
+        stdenv =
+          if compiler == "clang"
+          then pkgs.clangStdenv
+          else pkgs.stdenv;
+
+        mkLib = shared:
+          stdenv.mkDerivation {
+            inherit name src;
+            # for whatever reason, trying to 'fix' the CMake file causes a failure
+            dontFixCmake = true;
+
+            nativeBuildInputs = with pkgs;
+              [cmake ninja doxygen pkg-config graphviz]
+              ++ (
+                if compiler == "clang"
+                then [pkgs.clang]
+                else [pkgs.gcc]
+              );
+
+            buildInputs = with pkgs; [openssl];
+
+            cmakeFlags = [
+              "-GNinja"
+              "-DOQS_DIST_BUILD=ON"
+              "-DOQS_BUILD_ONLY_LIB=ON"
+              "-DBUILD_SHARED_LIBS=${
+                if shared
+                then "ON"
+                else "OFF"
+              }"
+              "-DCMAKE_INSTALL_LIBDIR=lib"
+              "-DCMAKE_INSTALL_INCLUDEDIR=include"
+              "-DCMAKE_INSTALL_PREFIX=${placeholder "out"}"
+              "-DCMAKE_INSTALL_FULL_LIBDIR=${placeholder "out"}/lib"
+              "-DCMAKE_INSTALL_FULL_INCLUDEDIR=${placeholder "out"}/include"
+            ];
+          };
+      in {
+        shared = mkLib true;
+        static = mkLib false;
+      };
+
+      # Create development shell for specified compiler
+      mkDevShell = compiler: let
+        packageSet = mkPackageSet compiler;
+      in
+        pkgs.mkShell {
+          inherit (packageSet.shared) nativeBuildInputs buildInputs;
+
+          # astyle formats C source code and alejandra formats nix source code
+          packages = with pkgs; [astyle alejandra];
+
+          shellHook = ''
+            export CMAKE_EXPORT_COMPILE_COMMANDS=1
+            echo "Using ${compiler} toolchain"
+          '';
+        };
+    in {
+      formatter = pkgs.alejandra;
+
+      packages = {
+        default = (mkPackageSet "gcc").shared; # default is gcc shared
+        gcc-shared = (mkPackageSet "gcc").shared;
+        clang-shared = (mkPackageSet "clang").shared;
+        gcc-static = (mkPackageSet "gcc").static;
+        clang-static = (mkPackageSet "clang").static;
+      };
+
+      # Development shells
+      devShells = {
+        default = mkDevShell "gcc";
+        gcc = mkDevShell "gcc";
+        clang = mkDevShell "clang";
+      };
+    });
+}