Hercules CI
If you start adding your own packages and configurations, you'll probably have at least a few binary artifacts. With Hercules CI we can build every package in our configuration automatically, on every commit. Additionally, we can have it upload all our build artifacts to a binary cache like Cachix.
This will work whether your copy is a fork or a bare template, as long as your repo is hosted on GitHub.
Setup
Just head over to hercules-ci.com to make an account.
Then follow the docs to set up an agent. If you want to deploy to a binary cache (and of course you do), be sure not to skip the binary-caches.json.
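A sanity check for the agent's binary-caches.json, as an added example that is not part of the original page or the Hercules CI project. It assumes the file maps each cache name to an object with `kind`, `authToken` and `signingKeys` fields (the `CachixCache` layout); `check_binary_caches`, `demo` and the sample values are constructed for illustration.

```python
import json
import os
import stat
import tempfile

PLACEHOLDERS = ("", "CHANGEME")  # constructed stand-ins for unfilled values

def check_binary_caches(path):
    """Return a list of problems found in an agent's binary-caches.json."""
    problems = []
    # The file holds the cache auth token and signing keys: owner-only access.
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        problems.append(f"mode {mode:o}: group/other can access cache credentials")
    try:
        with open(path) as fh:
            caches = json.load(fh)
    except json.JSONDecodeError as exc:
        return problems + [f"invalid JSON: {exc.msg}"]
    if not isinstance(caches, dict) or not caches:
        return problems + ["no caches defined, nothing will be uploaded"]
    for name, cfg in caches.items():
        # Assumed layout: only CachixCache entries are understood here.
        if not isinstance(cfg, dict) or cfg.get("kind") != "CachixCache":
            problems.append(f"{name}: not a CachixCache entry, skipped")
            continue
        token = cfg.get("authToken")
        keys = cfg.get("signingKeys") or []
        if token is None and not keys:
            problems.append(f"{name}: no authToken or signingKeys, cannot push")
        if token in PLACEHOLDERS or any(k in PLACEHOLDERS for k in keys):
            problems.append(f"{name}: placeholder credential left in file")
    return problems

def demo():
    """Run the check on a constructed sample written with loose permissions."""
    sample = {"mycache": {"kind": "CachixCache", "authToken": "CHANGEME"}}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "binary-caches.json")
        with open(path, "w") as fh:
            json.dump(sample, fh)
        os.chmod(path, 0o644)
        return check_binary_caches(path)

if __name__ == "__main__":
    for problem in demo():
        print(problem)
```

Run it on the agent host against the real file path before starting the agent; an empty result means none of these checks fired.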
Ready to Use
The repo is already set up with the proper default.nix file, building all declared packages, checks, profiles and shells. So you can see if something breaks, and never build the same package twice!
If you want to get fancy, you could even have Hercules deploy your configuration!
Note:
Hercules doesn't have access to anything encrypted in the secrets folder, so none of your secrets will get pushed to a cache by mistake.
You could pull all your secrets in via your user, and then exclude that user from allUsers to keep checks passing.