Publish rainix nix derivations to a shared binary cache (substituter)

[thedavidmeister]

Problem

CI builds custom derivations like buildWasmBindgenCli (wasm-bindgen-cli 0.2.122) from crate source on every store-cache miss. That fetch hit a hard wall today: crates.io's API download endpoint 403s nix's fetcher's User-Agent, so the build failed with cannot download wasm-bindgen-cli-0.2.122.tar.gz from any mirror, taking down Cargo test / rainlang-prelude in multiple repos' CI (meta Package Release, rainlang #518).

The immediate fix (fetch from static.crates.io CDN) is in flight, but the deeper fragility is that nix builds depend on crates.io download availability at build time at all.

Proposal

Push rainix's built derivations to a shared binary cache / substituter (Cachix or self-hosted attic), and configure consumers to use it as a substituter. Then every consumer substitutes the prebuilt wasm-bindgen-cli (and other rainix derivations) instead of rebuilding from crate source — fully decoupling nix builds from crates.io's download endpoint.

Acceptance

• rainix CI pushes its derivations (at least the rust/sol toolchain + custom builders) to a binary cache on main.
• Consumer flakes/CI list the cache as a substituter (+ trusted public key).
• A cold consumer build substitutes wasm-bindgen-cli rather than fetching it from crates.io.

Context: resilience option #2 from the crates.io 403 incident on 2026-05-27.