Add cache signing and pushing to Bild.hs

t-266.3 · WorkTask · Omni/Bild.hs
Parent: t-266 · Created 2 months ago · Updated 2 months ago

Description

Add --cache flag to bild for signing and pushing closures to S3.

Files to Modify

  • Omni/Bild.hs - Add --cache flag and cache functions

Implementation

1. Add --cache flag to help docopt (around line 365):

Options:
  --cache, -C     Sign and push to S3 binary cache after build

2. Add cache functions after nixBuild (around line 1600):

-- | Sign and push a store path to S3 cache
cacheStorePath :: FilePath -> IO ()
cacheStorePath storePath = do
  keyPath <- Env.lookupEnv "NIX_CACHE_KEY"
  case keyPath of
    Nothing -> Log.warn ["cache", "NIX_CACHE_KEY not set, skipping cache"]
    Just key -> do
      let s3Url = "s3://omni-nix-cache?profile=digitalocean&scheme=https&endpoint=nyc3.digitaloceanspaces.com"
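      -- Sign storePath in the local store. Without --recursive only this
      -- path is signed, not the rest of its closure.
      (exitSign, _, _) <- Process.readProcessWithExitCode "nix"
        ["store", "sign", "--key-file", key, storePath] ""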
      case exitSign of
        ExitSuccess -> do
          -- Push storePath and its closure to the S3 cache
          (exitPush, _, _) <- Process.readProcessWithExitCode "nix"
            ["copy", "--to", s3Url, storePath] ""
          case exitPush of
            ExitSuccess -> Log.good ["cache", "pushed", str storePath]
            _ -> Log.fail ["cache", "push failed", str storePath]
        _ -> Log.fail ["cache", "sign failed", str storePath]

3. Call cacheStorePath after successful build in buildTarget (around line 1207):

-- After successful build, if --cache flag set:
when (isCache && isSuccess (fst result)) do
  cacheStorePath (nixdir </> outname out)

4. Output store path for push.sh to capture:

When --cache is set, print the store path to stdout after caching.

Environment Variables

  • NIX_CACHE_KEY: Path to private signing key (e.g., ~/.config/nix/cache-priv-key.pem)

Testing

export NIX_CACHE_KEY=~/.config/nix/cache-priv-key.pem
bild --cache Biz/PodcastItLater/Web.py
# Should output store path and push to S3
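
cacheStorePath above only warns and skips when NIX_CACHE_KEY is unset, so a missing or badly protected key is easy to overlook. The pre-flight check below is an added example, not part of bild or this task's code; check_cache_key is a hypothetical helper name. It fails closed if the key file is unset, missing, accessible to group/other, or not a single <name>:<base64> line.

```shell
#!/bin/sh
# Added example: pre-flight check for the signing key that bild --cache reads
# from NIX_CACHE_KEY. check_cache_key is a hypothetical helper, not part of bild.

check_cache_key() {
    key=${NIX_CACHE_KEY:-}
    if [ -z "$key" ]; then
        echo "cache: NIX_CACHE_KEY not set" >&2
        return 1
    fi
    if [ ! -f "$key" ] || [ ! -r "$key" ]; then
        echo "cache: key file missing or unreadable: $key" >&2
        return 1
    fi
    # Characters 5-10 of the ls mode string are the group and other bits;
    # -L follows a symlink so the real key file is inspected.
    perms=$(ls -ldL "$key" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "cache: $key is accessible to group/other, run: chmod 600 $key" >&2
        return 1
    fi
    # A Nix secret key file is one line of the form <key-name>:<base64>.
    # Only the shape is checked; the key material is never printed.
    if [ "$(grep -c '' "$key")" -ne 1 ] ||
       ! grep -Eq '^[^:[:space:]]+:[A-Za-z0-9+/]+={0,2}$' "$key"; then
        echo "cache: $key is not in <name>:<base64> form" >&2
        return 1
    fi
    return 0
}

# Usage: check_cache_key && bild --cache Biz/PodcastItLater/Web.py
```

All diagnostics go to stderr, so stdout stays free for the store path that push.sh captures.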

Timeline (2)

🔄 [human] Open → InProgress · 2 months ago
🔄 [human] InProgress → Done · 2 months ago