Add new dev-nix role for secure offline Nix installation

This commit introduces the new 'dev-nix' Ansible role, which installs the
Nix package manager in a secure and reproducible way using a locally stored,
SHA256-verified installer script.

Key features:
- Local pinned installer (no network download during execution)
- SHA256 checksum validation to prevent execution of modified installers
- Multi-user (daemon) installation mode
- Optional shell integration via /etc/profile.d
- Fully idempotent, distro-agnostic design

This role matches the structure and conventions of existing dev-* roles
in the Infinito.Nexus ecosystem.

https://chatgpt.com/share/69387c73-bf3c-800f-abcd-c5e7d3717059

roles/dev-nix/README.md

@@ -0,0 +1,32 @@
+# dev-nix
+
+This role installs the Nix package manager in a secure and reproducible way.
+
+## Description
+
+The role provides an offline-friendly and deterministic installation of Nix by
+using a locally stored installer script that is verified via SHA256 before
+execution. This avoids remote code downloads during Ansible runs and ensures a
+stable installation across different systems.
+
+## Overview
+
+The installer script is shipped with the role and copied to the target host.
+Its checksum is validated against a predefined SHA256 value. Only if the
+checksum matches, the installer is executed in multi-user (daemon) mode.
+Optionally, the role can install a small shell snippet to automatically load
+the Nix environment.
+
+## Features
+
+- Local, pinned Nix installer (no network download at runtime)
+- SHA256 checksum verification
+- Multi-user (daemon) installation mode
+- Optional shell integration via `/etc/profile.d`
+- Fully idempotent and distro-agnostic
+
+## Further Resources
+
+- Nix project: https://nixos.org
+- Nix releases: https://releases.nixos.org
+- Infinito.Nexus License: https://s.infinito.nexus/license

roles/dev-nix/defaults/main.yml

@@ -0,0 +1,18 @@
+---
+# Path to the installer script inside this role
+dev_nix_installer_source: "nix-install.sh"
+
+# Path where the installer will be copied on the target host
+dev_nix_installer_dest: "/usr/local/share/nix-install.sh"
+
+# Expected SHA256 of the installer file.
+# You MUST set this to the actual hash of files/nix-install.sh, e.g.:
+#   sha256sum roles/dev-nix/files/nix-install.sh
+dev_nix_installer_sha256: "CHANGE_ME_SHA256_OF_INSTALLER"
+
+# Whether to drop a small shell snippet into /etc/profile.d to ensure
+# Nix environment is available for login shells.
+dev_nix_enable_shell_snippet: false
+
+# Path of the profile.d snippet
+dev_nix_shell_snippet_path: "/etc/profile.d/nix.sh"

roles/dev-nix/files/nix-install.sh

@@ -0,0 +1 @@
+chmod +x roles/dev-nix/files/nix-install.sh

roles/dev-nix/meta/main.yml

@@ -0,0 +1,37 @@
+galaxy_info:
+  author: "Kevin Veen-Birkenbach"
+  description: "Installs the Nix package manager using a locally stored installer script with SHA256 verification."
+  license: "Infinito.Nexus NonCommercial License"
+  license_url: "https://s.infinito.nexus/license"
+  company: |
+    Kevin Veen-Birkenbach
+    Consulting & Coaching Solutions
+    https://www.veen.world
+  min_ansible_version: "2.9"
+  platforms:
+    - name: Archlinux
+      versions:
+        - rolling
+    - name: Debian
+      versions:
+        - all
+    - name: Ubuntu
+      versions:
+        - all
+    - name: EL
+      versions:
+        - all
+    - name: Fedora
+      versions:
+        - all
+    - name: GenericLinux
+      versions:
+        - all
+  galaxy_tags:
+    - nix
+    - devtools
+    - development
+    - build
+    - automation
+    - infinito-nexus
+dependencies: []

roles/dev-nix/tasks/install.yml

@@ -0,0 +1,44 @@
+---
+# Install Nix using a locally stored installer script with SHA256 verification.
+
+- name: Ensure Nix installer script is present on target
+  ansible.builtin.copy:
+    src: "{{ dev_nix_installer_source }}"
+    dest: "{{ dev_nix_installer_dest }}"
+    mode: "0755"
+  become: true
+
+- name: Verify Nix installer SHA256 checksum
+  ansible.builtin.command: >
+    sh -c "sha256sum '{{ dev_nix_installer_dest }}' | awk '{print $1}'"
+  register: dev_nix_checksum_result
+  changed_when: false
+  become: true
+
+- name: Fail if Nix installer checksum does not match
+  ansible.builtin.fail:
+    msg: >-
+      Nix installer checksum mismatch.
+      Expected '{{ dev_nix_installer_sha256 }}', got '{{ dev_nix_checksum_result.stdout }}'.
+      Refusing to execute the installer.
+  when: dev_nix_checksum_result.stdout != dev_nix_installer_sha256
+
+# Nix multi-user (daemon) mode: creates /nix/store when successful.
+- name: Run Nix installer in daemon (multi-user) mode if Nix is not installed
+  ansible.builtin.shell: >
+    "{{ dev_nix_installer_dest }}" --daemon
+  args:
+    creates: "/nix/store"
+  become: true
+
+- name: Optionally drop shell snippet for Nix
+  ansible.builtin.copy:
+    dest: "{{ dev_nix_shell_snippet_path }}"
+    mode: "0644"
+    content: |
+      # Added by dev-nix Ansible role
+      if [ -e /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh ]; then
+        . /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh
+      fi
+  when: dev_nix_enable_shell_snippet | bool
+  become: true

roles/dev-nix/tasks/main.yml

@@ -0,0 +1,5 @@
+---
+# Main entrypoint for the dev-nix role
+
+- name: Include installation tasks for Nix
+  ansible.builtin.include_tasks: install.yml

roles/dev-nix/vars/main.yml

@@ -0,0 +1 @@
+application_id: dev-nix