chore: document upstream nix usage & remove nix flake

.github/workflows/ci.yml

@@ -33,20 +33,6 @@ jobs:
       run: go mod download
     - name: Build
       run: go build -v -o /dev/null
-  nix-build:
-    name: Nix Build
-    runs-on: ubuntu-24.04
-    steps:
-      - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-        with:
-          persist-credentials: false
-      - name: Check Nix flake inputs
-        uses: DeterminateSystems/flake-checker-action@3164002371bc90729c68af0e24d5aacf20d7c9f6 # v12
-      - name: Install Nix
-        uses: DeterminateSystems/nix-installer-action@90bb610b90bf290cad97484ba341453bd1cbefea # v19
-      - name: Build
-        run: nix build .
   # Run integration tests
   test:
     needs: build

CONTRIBUTING.md

@@ -8,14 +8,6 @@ OPKSSH is part of [the OpenPubkey project.](https://github.com/openpubkey/openpu
 
 Whether you're addressing an open issue (or filing a new one), fixing a typo in our documentation, adding to core capabilities of the project, or introducing a new use case, anyone from the community is welcome here at OpenPubkey.
 
-### Development environment
-
-If you’re using Nix with flakes support, you can enter a _barebones_
-development shell by running `nix develop` in the repo.  You can also
-easily test that `opkssh` builds by running `nix build`.  The binary
-will be under `./result/bin`.  If you just want to run `opkssh`, you
-can do so with `nix run`.
-
 ### Include Licensing at the Top of Each File
 
 At the top of each file in your commit, please ensure the following is captured in a comment:
@@ -85,19 +77,6 @@ Our automated PR checks verify that:
  1. All unit tests pass, which can be done locally by running `go test ./...`.
  2. The code has been formatted correctly, according to `go fmt`.
  3. There are no obvious errors, according to `go vet`.
- 4. `opkssh` can be built with Nix.
- 5. The `nixpkgs` Nix flake input isn’t stale.
-
-#### Nix specifics
-
-Technically speaking, the `flake.nix` doesn’t have to be updated _at
-all_; however, it’s generally a good idea to keep the `nixpkgs` input
-relatively up-to-date to pull in the latest security updates.  The
-pull request continuous integration checks are configured to try and
-build `opkssh` à la `nix build` and also check that the `nixpkgs`
-flake input isn’t stale.  If `opkssh` fails to build, ensure that you
-can build it manually in the Nix develop shell.  If the Nix flake
-input check fails, try running `nix flake update nixpkgs`.
 
 ## Building and Testing
 
@@ -138,7 +117,7 @@ Then run the integration tests with:
 export OS_TYPE="ubuntu"
 go test -tags=integration ./test/integration -timeout=15m -count=1 -v
 ```
-  
+
 or
 
 ```bash

README.md

@@ -52,6 +52,14 @@ To install with [Chocolatey](https://chocolatey.org/install) run:
 choco install opkssh -y
 ```
 
+### Nix Install
+
+Use the [opkssh nixpkg](https://search.nixos.org/packages?channel=unstable&show=opkssh&query=opkssh) as normal, or test it via:
+
+```bash
+nix-shell -p opkssh
+```
+
 ### Manual Install (Windows, Linux, macOS)
 
 To install manually, download the opkssh binary and run it:
@@ -231,7 +239,7 @@ sudo chown root:opksshuser /etc/opk/providers
 sudo chmod 640 /etc/opk/providers
 ```
 
-## `/etc/opk/auth_id`
+### `/etc/opk/auth_id`
 
 `/etc/opk/auth_id` is the global authorized identities file.
 This is a server wide file where policies can be configured to determine which identities can assume what linux user accounts.
@@ -315,6 +323,40 @@ AuthorizedKeysCommand /usr/local/bin/opkssh verify %u %k %t
 AuthorizedKeysCommandUser opksshuser
 ```
 
+## Server Configuration (NixOS)
+
+On NixOS, you can configure the SSH daemon by **including** the following lines to your config:
+
+```nix
+{ ... }:
+
+{
+  services.opkssh = {
+    enable = true;
+
+    providers = {
+      google = {
+        issuer = "https://accounts.google.com";
+        clientId =
+          "206584157355-7cbe4s640tvm7naoludob4ut1emii7sf.apps.googleusercontent.com";
+        lifetime = "24h";
+      };
+    };
+
+    authorizations = [
+      {
+        user = "YOUR_USERNAME";
+        principal = "YOUR_GMAIL";
+        issuer = "https://accounts.google.com";
+      }
+    ];
+  };
+}
+```
+
+See [search.nixos.org](https://search.nixos.org/options?channel=unstable&query=services.opkssh) for
+all available configuration options.
+
 ## Custom OpenID Providers (Authentik, Authelia, Keycloak, Zitadel...)
 
 To log in using a custom OpenID Provider, run:
@@ -524,4 +566,4 @@ For integration tests run:
 - [CONTRIBUTING.md](https://github.com/openpubkey/opkssh/blob/main/CONTRIBUTING.md) Guide to contributing to opkssh (includes developer help).
 - [docs/gitlab-selfhosted.md](docs/gitlab-selfhosted.md) Guide on configuring and using a self hosted GitLab instance with opkssh.
 - [docs/paramiko.md](docs/paramiko.md) Guide to using the python SSH paramiko library with opkssh.
-- [docs/putty.md](docs/putty.md) Guide to using PuTTY with opkssh.
+- [docs/putty.md](docs/putty.md) Guide to using PuTTY with opkssh.