Add Attic binary cache and containerize gitea runner

Replace nix-serve-only setup with Attic for managed binary caching with
upstream filtering and GC. Move gitea actions runner from host into an
isolated NixOS container with private networking. nix-serve kept alongside
Attic during migration.

.gitea/workflows/check-flake.yaml

@@ -16,4 +16,11 @@ jobs:
           fetch-depth: 0
 
       - name: Check Flake
-        run: nix flake check --all-systems --print-build-logs --log-format raw --show-trace
+        run: nix flake check --all-systems --print-build-logs --log-format raw --show-trace
+
+      - name: Push to cache
+        run: |
+          attic login local "${{ secrets.ATTIC_ENDPOINT }}" "${{ secrets.ATTIC_TOKEN }}"
+          nix eval .#nixosConfigurations --apply 'cs: map (n: "${cs.${n}.config.system.build.toplevel}") (builtins.attrNames cs)' --json \
+            | jq -r '.[]' \
+            | xargs attic push nixos