From a5f3ffc21b149ab9d47c0ba415505d09cb554927 Mon Sep 17 00:00:00 2001
From: Ivan Malison
Date: Wed, 18 Feb 2026 01:16:57 -0800
Subject: [PATCH] Add Cachix cache and CI workflow
---
.github/workflows/cachix.yml | 75 ++++++++++++++++++++++++
docs/cachix.md | 39 ++++++++++++
nixos/ci/railbird-secrets-stub/flake.nix | 20 +++++++
nixos/flake.nix | 2 +
nixos/nix.nix | 2 +
5 files changed, 138 insertions(+)
create mode 100644 .github/workflows/cachix.yml
create mode 100644 docs/cachix.md
create mode 100644 nixos/ci/railbird-secrets-stub/flake.nix
diff --git a/.github/workflows/cachix.yml b/.github/workflows/cachix.yml
new file mode 100644
index 00000000..7bf87edb
--- /dev/null
+++ b/.github/workflows/cachix.yml
@@ -0,0 +1,75 @@
+name: Build and Push Cachix (NixOS)
+
+on:
+ push:
+ branches: [master]
+ paths:
+ - "nixos/**"
+ - "org-agenda-api/**"
+ - ".github/workflows/cachix.yml"
+ pull_request:
+ branches: [master]
+ paths:
+ - "nixos/**"
+ - "org-agenda-api/**"
+ - ".github/workflows/cachix.yml"
+ workflow_dispatch: {}
+
+jobs:
+ nixos-strixi-minaj:
+ runs-on: ubuntu-latest
+
+ permissions:
+ contents: read
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ - name: Install Nix
+ uses: DeterminateSystems/nix-installer-action@v16
+
+ - name: Use GitHub Actions Cache for /nix/store
+ uses: DeterminateSystems/magic-nix-cache-action@v7
+
+ - name: Require Cachix config (push only)
+ if: github.event_name == 'push'
+ env:
+ CACHIX_CACHE_NAME: ${{ vars.CACHIX_CACHE_NAME }}
+ CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
+ run: |
+ set -euo pipefail
+ if [ -z "${CACHIX_CACHE_NAME:-}" ]; then
+ echo "Missing repo variable CACHIX_CACHE_NAME (Settings -> Secrets and variables -> Actions -> Variables)." >&2
+ exit 1
+ fi
+ if [ -z "${CACHIX_AUTH_TOKEN:-}" ]; then
+ echo "Missing repo secret CACHIX_AUTH_TOKEN (Settings -> Secrets and variables -> Actions -> Secrets)." >&2
+ exit 1
+ fi
+
+ - name: Setup Cachix (push)
+ if: github.event_name == 'push'
+ uses: cachix/cachix-action@v15
+ with:
+ name: ${{ vars.CACHIX_CACHE_NAME }}
+ authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
+ skipPush: false
+
+ - name: Setup Cachix (PR, no push)
+ if: github.event_name == 'pull_request' && vars.CACHIX_CACHE_NAME != ''
+ uses: cachix/cachix-action@v15
+ with:
+ name: ${{ vars.CACHIX_CACHE_NAME }}
+ skipPush: true
+
+ - name: Build NixOS system (strixi-minaj)
+ run: |
+ set -euxo pipefail
+ nix build \
+ --no-link \
+ --print-build-logs \
+ ./nixos#nixosConfigurations.strixi-minaj.config.system.build.toplevel \
+ --override-input railbird-secrets ./nixos/ci/railbird-secrets-stub
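Review bot: Every `uses:` in this job is pinned to a mutable major tag (`actions/checkout@v4`, `DeterminateSystems/nix-installer-action@v16`, `DeterminateSystems/magic-nix-cache-action@v7`, `cachix/cachix-action@v15`), while the push-branch run hands `secrets.CACHIX_AUTH_TOKEN` — a cache write token — to the cachix step, so a repointed or compromised tag would see that token and could publish arbitrary signed store paths into a cache every machine in this repo trusts. Pin each action to its full commit SHA with the version as a trailing comment, e.g. `uses: cachix/cachix-action@<full-commit-sha>  # v15`, and let Dependabot or Renovate bump the SHAs. The job-level `permissions: contents: read` and the push-only gating of the secret are the right shape; the remaining exposure is the action code itself. Secondarily, `fetch-depth: 0` pulls full history that `nix build` does not need; drop it unless something downstream reads tags or history.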
diff --git a/docs/cachix.md b/docs/cachix.md
new file mode 100644
index 00000000..c0762f2c
--- /dev/null
+++ b/docs/cachix.md
@@ -0,0 +1,39 @@
+# Cachix for this repo
+
+This repo's NixOS flake lives under `nixos/`.
+
+The workflow in `.github/workflows/cachix.yml` can build the `strixi-minaj`
+system closure on GitHub Actions and push the results to a Cachix cache.
+
+## One-time setup
+
+1. Create a Cachix cache (on cachix.org).
+2. Create a Cachix auth token with write access to that cache.
+3. In the GitHub repo settings:
+ - Add a repo variable `CACHIX_CACHE_NAME` (the cache name).
+ - Add a repo secret `CACHIX_AUTH_TOKEN` (the write token).
+
+After that, pushes to `master` will populate the cache.
+
+## Using the cache locally
+
+Option A: ad-hoc (non-declarative)
+
+```sh
+cachix use
+```
+
+Option B: declarative via flake `nixConfig` (recommended for NixOS)
+
+1. Get the cache public key:
+
+```sh
+cachix show
+```
+
+2. Add it to `nixos/flake.nix` under `nixConfig.extra-substituters` and
+ `nixConfig.extra-trusted-public-keys`.
+
+Note: `nixos/nix.nix` sets `nix.settings.accept-flake-config = true`, so the
+flake `nixConfig` is honored during rebuilds.
+
diff --git a/nixos/ci/railbird-secrets-stub/flake.nix b/nixos/ci/railbird-secrets-stub/flake.nix
new file mode 100644
index 00000000..f3c57c99
--- /dev/null
+++ b/nixos/ci/railbird-secrets-stub/flake.nix
@@ -0,0 +1,20 @@
+{
+ description = "CI stub for the private railbird-secrets flake";
+
+ # The real railbird-secrets flake declares these inputs; the parent flake's
+ # lockfile also wires them up. Declaring them here avoids noisy warnings when
+ # this stub is used via `--override-input railbird-secrets ...`.
+ inputs = {
+ nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+ flake-utils.url = "github:numtide/flake-utils";
+ agenix.url = "github:ryantm/agenix";
+ };
+
+ outputs = { self, nixpkgs, flake-utils, agenix }: {
+ # Keep this minimal: NixOS flake currently doesn't use railbird-secrets, but
+ # Nix will still try to fetch/resolve all inputs during evaluation.
+ keys = {
+ kanivanKeys = [ ];
+ };
+ };
+}
diff --git a/nixos/flake.nix b/nixos/flake.nix
index 0fac7015..9bfa903f 100644
--- a/nixos/flake.nix
+++ b/nixos/flake.nix
@@ -418,6 +418,7 @@
 "http://192.168.1.26:5050"
 "https://cache.flox.dev"
 "https://org-agenda-api.cachix.org"
+ "https://colonelpanic8-dotfiles.cachix.org"
 "https://codex-cli.cachix.org"
 "https://claude-code.cachix.org"
 ];
@@ -425,6 +426,7 @@
 "1896Folsom.duckdns.org:U2FTjvP95qwAJo0oGpvmUChJCgi5zQoG1YisoI08Qoo="
 "flox-cache-public-1:7F4OyH7ZCnFhcze3fJdfyXYLQw/aV7GEed86nQ7IsOs="
 "org-agenda-api.cachix.org-1:liKFemKkOLV/rJt2txDNcpDjRsqLuBneBjkSw/UVXKA="
+ "colonelpanic8-dotfiles.cachix.org-1:O6GF3nptpeMFapX29okzO92eSWXR36zqW6ZF2C8P0eQ="
 "codex-cli.cachix.org-1:1Br3H1hHoRYG22n//cGKJOk3cQXgYobUel6O8DgSing="
 "claude-code.cachix.org-1:YeXf2aNu7UTX8Vwrze0za1WEDS+4DuI2kVeWEE4fsRk="
 ];
diff --git a/nixos/nix.nix b/nixos/nix.nix
index 47c7c17c..9546e5c2 100644
--- a/nixos/nix.nix
+++ b/nixos/nix.nix
@@ -37,6 +37,7 @@
 "https://cache.railbird.ai?priority=45"
 "https://cuda-maintainers.cachix.org"
 "https://ai.cachix.org"
+ "https://colonelpanic8-dotfiles.cachix.org"
 "https://codex-cli.cachix.org"
 "https://claude-code.cachix.org"
 ];
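Review bot: The stub's three inputs point at mutable branches (`nixos-unstable`, plus `flake-utils` and `agenix` with no rev), and the header comment asserts that the parent lockfile "wires them up"; that only holds if the parent lock already carries nodes for these inputs under `railbird-secrets`, which this patch does not show, otherwise each CI run re-resolves all three at their current heads and the `strixi-minaj` build is not reproducible from one run to the next. It should be confirmed (for instance with `nix flake metadata` on `./nixos` using the same `--override-input railbird-secrets ./nixos/ci/railbird-secrets-stub`) that the resolved revisions come from the lock, and the comment should state the outcome, e.g. `# Pinned via the parent flake.lock (railbird-secrets/* nodes); the branch names above are not what CI builds against.`. Independently, `outputs` binds `self, nixpkgs, flake-utils, agenix` and uses none of them; `outputs = _: { ... }` would make the stub's intent obvious.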
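Review bot: The new substituter URL and its trusted public key are added in two places with no cross-reference — here in the `nixConfig` of `nixos/flake.nix` (both hunks) and again in `nixos/nix.nix` (the `@@ -37` and `@@ -44` hunks) — and a trusted public key is exactly the value that has to change in lockstep if the cache's signing key is ever rotated, otherwise one of the two files keeps accepting paths signed by the retired key. Add a one-line pointer above each added entry, e.g. `# keep in sync with nixos/nix.nix (substituters + trusted-public-keys)` here and the mirror note there, or derive one list from the other if the flake structure allows. It is also worth recording (in the commit message or a comment) that the key string was copied from `cachix show` rather than transcribed by hand, since a mistyped key would presumably just be ignored at substitution time and fall back to a local build without a clear error.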
@@ -44,6 +45,7 @@
 "cache.railbird.ai:KhnvcouxtIU2zxUcjJsm4bUK3o1S3p8xMf9qfZGF7/A="
 "cuda-maintainers.cachix.org-1:0dq3bujKpuEPMCX6U4WylrUDZ9JyUG0VpVZa7CNfq5E="
 "ai.cachix.org-1:N9dzRK+alWwoKXQlnn0H6aUx0lU/mspIoz8hMvGvbbc="
+ "colonelpanic8-dotfiles.cachix.org-1:O6GF3nptpeMFapX29okzO92eSWXR36zqW6ZF2C8P0eQ="
 "codex-cli.cachix.org-1:1Br3H1hHoRYG22n//cGKJOk3cQXgYobUel6O8DgSing="
 "claude-code.cachix.org-1:YeXf2aNu7UTX8Vwrze0za1WEDS+4DuI2kVeWEE4fsRk="
 ];