Configure Cachix signing and upload in CI

[twoolie]

This adds the minimal config to sign and push build derivations to Cachix.
Included is documentation for how to configure your client to pull and verify built packages.

You will need to create a (free-tier) account at https://app.cachix.org/signup (i'm assuming you pick the name himmelblau) and generate some signing keys locally with:

$ cachix authtoken <your auth token>
$ cachix generate-keypair himmelblau

The signing key is printed to stdout, and this is the only copy so make sure you copy it straight into github with the name CACHIX_SIGNING_KEY.

Please let me know if you have any issues setting this up, or if you would like some further documentation written.

[dmulder]

I have no idea how to install cachix. I looked around, and it seems I need the nix command to install cachix (even to build it), which I also don't have and don't know how to install.

[twoolie]

You will need to have the nix tool installed locally. It can be installed on any linux or darwin system, and will co-exist with your existing package manager. The easiest way is to use this rust-based installer from determinate systems:

$ curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | sh -s -- install

After you have reloaded your session (to get the new paths on your PATH), you can install the cachix client with:

nix profile install --accept-flake-config 'nixpkgs#cachix'

If you don't want to or can't get it working, you can add me as a contributor and I can set this up on your behalf.