Use Nix to pin dependencies for CI
Nix is a better packaging tool than the smog of tools that centers around pip. It has better support for different archive formats (including VCS), better tools for updating some dependencies, better support for non-Python packages, etc.
This is blocked on removing the pip-tools-based dependency management.