Add nix flake for dev shell and package build

[pablodeymo]

Motivation

Provide a reproducible development environment and build via nix, so contributors can get a working setup with a single command regardless of their system package manager.

Description

Adds a nix flake using crane for Rust builds and rust-overlay to pin the exact Rust 1.92.0 toolchain.

Outputs

Output	What it provides
devShells.default	Rust 1.92.0 + clippy + rustfmt + libclang + pkg-config + cargo-watch
packages.default	ethlambda release binary

Build structure

Crane's two-phase build (buildDepsOnly → buildPackage) caches compiled dependencies separately from source code, giving fast incremental rebuilds similar to cargo-chef in Docker.

vergen-git2 handling

Nix cleans the source tree, so .git is absent at build time. The flake sets VERGEN_GIT_SHA (from the flake's git rev) and VERGEN_GIT_BRANCH ("nix") as env vars. vergen-git2 falls back to these when git info is unavailable.

Platform support

Supports x86_64-linux, aarch64-linux, x86_64-darwin, and aarch64-darwin. Darwin builds include libiconv and apple-sdk_15; these are gated behind isDarwin and don't affect Linux.

Files

• flake.nix — flake definition
• flake.lock — pinned input revisions
• .envrc — direnv integration (use flake)

How to Test

# Validate flake structure
nix flake check

# Enter dev shell, verify toolchain
nix develop
rustc --version  # 1.92.0

# Build the binary
nix build
./result/bin/ethlambda --version

# Or with direnv: cd into the repo and the shell activates automatically
direnv allow

[github-actions]

🤖 Kimi Code Review

This PR adds Nix flake support for reproducible builds and development environments. The changes are configuration-only and don't affect consensus-critical code.

Issues found:

1. Hard-coded Rust version (flake.nix:23): The Rust version is pinned to 1.92.0 which may become outdated. Consider using pkgs.rust-bin.stable.latest.default or adding a comment explaining why this specific version is required.

2. Missing cargoLock input (flake.nix:43): The crane build doesn't specify cargoLock = ./Cargo.lock; which could lead to non-reproducible builds if dependencies change. Add:

   cargoLock = ./Cargo.lock;

3. Inconsistent Apple SDK version (flake.nix:51, 89): The flake uses apple-sdk_15 but this might be too new for some systems. Consider using apple-sdk_11 or the default SDK unless there's a specific requirement for 15.

4. Missing doCheck = true (flake.nix:71): The build doesn't run tests. Add doCheck = true; to ensure tests are executed during the build process.

5. Potential git metadata issue (flake.nix:60-61): When building from a tarball or shallow clone, VERGEN_GIT_SHA and VERGEN_GIT_BRANCH will be "unknown" and "nix" respectively. This is acceptable but should be documented.

Security considerations:

• No security issues identified as this only affects build/dev tooling
• The flake.lock pins specific commits for all dependencies, ensuring reproducible builds

Performance implications:

• Minimal impact; Nix builds may be slower initially due to dependency downloads but provide better caching

The flake configuration appears well-structured and follows Nix best practices.

---

Automated review by Kimi (Moonshot AI) · custom prompt

[github-actions]

🤖 Codex Code Review

No consensus-layer or Rust code changes in this PR. It only adds Nix/direnv tooling. I don’t see correctness, security, or performance risks for the client itself.

If you want one minor maintainability note:

• flake.nix pins VERGEN_GIT_BRANCH = "nix" and VERGEN_GIT_SHA to self.shortRev/dirtyShortRev. If you want Nix builds to reflect the real branch name when .git is present, you could allow overriding via env vars or pass through from vergen on non-Nix builds. This is optional and not a bug. (flake.nix around the VERGEN_* assignments)

Otherwise looks good.

---

Automated review by OpenAI Codex · custom prompt

[github-actions]

🤖 Claude Code Review

PR Review: Add nix flake for dev shell and package build

This PR is purely tooling infrastructure — no consensus-layer or Rust source changes. The flake is well-structured and follows modern Nix/crane conventions.

---

Correctness

Rust version consistency (flake.nix:23, rust-toolchain.toml:2): The version 1.92.0 is duplicated across both files. If rust-toolchain.toml is the single source of truth (as it should be), the flake should read from it directly to prevent silent drift:

rustToolchain = pkgs: pkgs.rust-bin.fromRustupToolchainFile ./rust-toolchain.toml;

This also ensures the components list stays in sync — rust-toolchain.toml declares ["rustfmt", "clippy"] and the flake re-declares the same extensions, which currently agree but could diverge.

VERGEN_GIT_SHA fallback ordering (flake.nix:54): self.shortRev or self.dirtyShortRev or "unknown" is correct Nix attribute-fallback syntax and handles the clean/dirty/offline cases properly. No issue here.

buildDepsOnly not filtering to --bin ethlambda (flake.nix:58): This is correct crane behavior. buildDepsOnly should compile all workspace dependencies (not just the target binary's) to populate the cache. The cargoExtraArgs filter on buildPackage is the right place to scope to the final binary.

---

Minor Issues

buildInputs/env var duplication (flake.nix:44–51 vs 84–91): llvmPackages.libclang, the Darwin conditionals, and LIBCLANG_PATH are duplicated verbatim between commonArgs (package build) and devShells.default. Consider using inputsFrom in the devShell:

default = pkgs.mkShell {
  inputsFrom = [ ethlambda ];
  nativeBuildInputs = with pkgs; [ (rustToolchain pkgs) pkg-config cargo-watch ];
};

This requires restructuring slightly (packages must be computed before devShells), but eliminates the duplication entirely and keeps both environments in lockstep automatically.

rust-src not included in devShell (flake.nix:78–82): Users running rust-analyzer (e.g. via an IDE) inside nix develop will hit missing rust-src. The rust-toolchain.toml also omits it, so this is consistent — but if contributor IDE experience matters, adding "rust-src" to the toolchain extensions is worth considering.

nixpkgs-unstable as the channel (flake.nix:3): Using unstable is fine since flake.lock pins a specific commit, but updating the lock is a potentially breaking action. A brief comment in the flake (e.g. # nixpkgs-unstable for recent Rust toolchains and apple-sdk_15) would help maintainers understand why unstable was chosen over a stable channel.

---

Kimi Bot Note Corrections

The Kimi review suggested adding cargoLock = ./Cargo.lock; — this is incorrect. That attribute belongs to Nix's buildRustPackage, not to crane. Crane reads Cargo.lock via cleanCargoSource and handles it internally. No change needed here.

---

Summary

The flake is clean and correct. The main actionable item is reading from rust-toolchain.toml directly (line 23) to avoid version drift. The inputsFrom refactor is a worthwhile cleanup but not a bug. Everything else is minor polish.

---

Automated review by Claude (Anthropic) · custom prompt

[greptile-apps]

Greptile Summary

Introduces Nix flake infrastructure for reproducible development environments and builds, using crane for optimized Rust compilation and rust-overlay to pin Rust 1.92.0 matching Cargo.toml requirements.

• Sets up two-phase crane build (buildDepsOnly → buildPackage) for efficient dependency caching
• Configures dev shell with Rust toolchain, clippy, rustfmt, and cargo-watch
• Handles vergen-git2 fallback by setting VERGEN_GIT_SHA and VERGEN_GIT_BRANCH environment variables for builds without .git
• Supports cross-platform builds for Linux (x86_64, aarch64) and macOS (x86_64, aarch64) with appropriate Darwin dependencies
• Adds .envrc for direnv integration enabling automatic dev shell activation

Confidence Score: 5/5

• Safe to merge - well-structured Nix flake with proper toolchain pinning and no impact on existing workflows
• Implementation follows Nix flake best practices with crane for efficient builds, proper Rust version matching (1.92.0 from Cargo.toml), correct vergen-git2 environment variable handling, cross-platform support, and additive changes that don't affect existing cargo-based workflows
• No files require special attention

Important Files Changed

Filename	Overview
flake.nix	Adds Nix flake with crane-based Rust build, proper toolchain pinning (1.92.0), and cross-platform dev shell support
.envrc	Adds direnv integration for automatic dev shell activation
flake.lock	Pins nixpkgs, crane, and rust-overlay dependencies with proper hash verification

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[flake.nix] --> B{Output Type}
    B -->|devShells.default| C[Dev Environment]
    B -->|packages.default| D[Build Pipeline]
    
    C --> C1[rust-overlay]
    C1 --> C2[Rust 1.92.0 + clippy + rustfmt]
    C2 --> C3[pkg-config + cargo-watch]
    C3 --> C4[libclang + Darwin deps]
    
    D --> D1[craneLib.cleanCargoSource]
    D1 --> D2[buildDepsOnly]
    D2 --> D3[Cache Dependencies]
    D3 --> D4[buildPackage]
    D4 --> D5[Set VERGEN_GIT_SHA/BRANCH]
    D5 --> D6[ethlambda binary]
    
    E[.envrc] -.->|direnv integration| C
    
    F[flake.lock] -.->|pins versions| A

Loading

_{Last reviewed commit: a569142}