Add Attic binary cache and containerize gitea runner

Replace nix-serve-only setup with Attic for managed binary caching with
upstream filtering and GC. Move gitea actions runner from host into an
isolated NixOS container with private networking. nix-serve kept alongside
Attic during migration.

.gitea/workflows/check-flake.yaml

@@ -16,4 +16,23 @@ jobs:
           fetch-depth: 0
 
       - name: Check Flake
-        run: nix flake check --all-systems --print-build-logs --log-format raw --show-trace
+        run: nix flake check --all-systems --print-build-logs --log-format raw --show-trace
+
+      - name: Push to cache
+        env:
+          XDG_CONFIG_HOME: ${{ runner.temp }}/.config
+        run: |
+          set -euo pipefail
+          attic login local "${{ vars.ATTIC_ENDPOINT }}" "${{ secrets.ATTIC_TOKEN }}"
+          # Get all system toplevel store paths, keeping only those valid in the local store
+          toplevels=$(nix eval .#nixosConfigurations --apply 'cs: map (n: "${cs.${n}.config.system.build.toplevel}") (builtins.attrNames cs)' --json \
+            | jq -r '.[]' \
+            | xargs -I{} sh -c 'nix path-info {} >/dev/null 2>&1 && echo {}' || true)
+          echo "Found $(echo "$toplevels" | wc -l) valid system toplevels"
+          # Expand to full closures, deduplicate, and filter out paths already
+          # signed by cache.nixos.org — only our custom builds need caching
+          paths=$(echo "$toplevels" \
+            | xargs nix path-info -r --json \
+            | jq -r '[to_entries[] | select(.value.signatures | all(startswith("cache.nixos.org") | not)) | .key] | unique[]')
+          echo "Pushing $(echo "$paths" | wc -l) unique paths to cache"
+          echo "$paths" | xargs attic push local:nixos