Add NixOS packaging

[stephank]

I'm not sure if this is useful to land here / something we'd want to maintain here, but I thought I'd open a draft PR to al least share the idea.

This adds a dist/package.nix containing a Nix package definition. We can't just swap out libssl on NixOS, so this recreates a typical install, reusing the OpenSSL libcrypto and headers via symlinks.

The flake.nix is optional convenience for consuming the git repo as a dependency.

I derived an automated integration test with Nginx from an existing NixOS test. With Nix installed, you can run this with nix-build tests/nixos.nix.

Turns out HTTP/3 doesn't yet work, though. 🤷

[cpu]

Thanks!

I'm not sure if this is useful to land here / something we'd want to maintain here, but I thought I'd open a draft PR to al least share the idea.

I'm supportive but defer to @ctz for the final decision since I'm a biased Nix-enjoyer-slash-sicko. I think if he's onboard we should add some CI integration to try and keep away the bitrot.

[ctz]

Yes I don't object to this living here; though I don't use Nix myself so something to defend it in CI is extremely desirable.

[stephank]

Running the test on GitHub Actions is a little over 3 minutes: https://github.com/stephank/rustls-openssl-compat/actions/runs/12256865517/job/34193063214

I think I'll run this work by NixOS itself first. There's a decent chance they'll land it any way, and NixOS CI has hot caches for this stuff, unlike GitHub. NixOS/nixpkgs#363932

3 minutes isn't that bad, but it's also fetching a whole bunch from cache.nixos.org, which I believe is a bit of a topic in NixOS at the moment, because of hosting/bandwidth sponsorships falling away. Building an integration test on Ubuntu is probably more performant here.

So I guess the remaining point of this PR is: do we want broader distribution testing in this repo? :)

[cpu]

Running the test on GitHub Actions is a little over 3 minutes: https://github.com/stephank/rustls-openssl-compat/actions/runs/12256865517/job/34193063214

That doesn't seem unreasonable to me.

I think I'll run this work by NixOS itself first. There's a decent chance they'll land it any way, and NixOS CI has hot caches for this stuff, unlike GitHub. NixOS/nixpkgs#363932

Cool 👍

3 minutes isn't that bad, but it's also fetching a whole bunch from cache.nixos.org, which I believe is a bit of a topic in NixOS at the moment, because of hosting/bandwidth sponsorships falling away. Building an integration test on Ubuntu is probably more performant here.

Over in rustls-platform-verifier where I landed a bit of Nix we're using DeterminateSystems/magic-nix-cache-action. Is there a reason you'd prefer not to do the same here? I don't have strong feelings, just curious.

So I guess the remaining point of this PR is: do we want broader distribution testing in this repo? :)

My feeling is that if we're going to keep some .nix in this repo it should be tested in CI. If the NixOS PR lands and you think it's better tested in that repo then I'd vote we remove the .nix here vs keeping both in sync with only the external repo getting test coverage.