use Cirrus CI

- Make more economic use of the free CI resources by removing redundant build tasks:
  - Build unstable pkgs in a single separate task ("pkgs_unstable").
  - All stable pkgs are implicitly built by the modules tests.
- The build script (ci/build.sh) can now be executed locally for easier
  debugging.
- Use an explicit 'cachix push' command instead of helper/wait-for-network-idle.rb.
  This is simpler and more reliable.

.cirrus.yml

@@ -0,0 +1,42 @@
+container:
+  image: nixos/nix
+  # Besides virtualization, this also enables privileged containers which are required for
+  # sandboxed builds
+  kvm: true
+  # Needed for package builds
+  memory: 8G
+
+environment:
+  CACHIX_SIGNING_KEY: ENCRYPTED[!cec502ed813cbcd0237697d2031f750186ff20eed5815b1ad950ad2f2d701702ae6ba2f0cb4cb1985687a696c8ee492c!]
+  # Save some traffic by excluding the full git history
+  CIRRUS_CLONE_DEPTH: 1
+
+task:
+  # Use the maximum timeout. Needed when rebuilding packages on a channel update.
+  timeout_in: 120m
+
+  matrix:
+    - name: modules_test
+      environment:
+        nixpkgs: nixpkgs
+      container:
+        # A maximum of 16 CPUs is shared among all concurrent tasks.
+        # https://cirrus-ci.org/faq/#are-there-any-limits
+        cpu: 4
+      matrix:
+        - environment:
+            scenario: default
+        - environment:
+            scenario: netns
+        - environment:
+            scenario: netnsRegtest
+
+    - name: pkgs_unstable
+      environment:
+        nixpkgs: nixpkgs-unstable
+
+  # This script is run as root
+  build_script:
+    - echo "sandbox = true" >> /etc/nix/nix.conf
+    - export NIX_PATH="nixpkgs=$(nix eval --raw -f pkgs/nixpkgs-pinned.nix $nixpkgs)"
+    - nix run -f '<nixpkgs>' bash cachix -c ./ci/build.sh