Harden zot registry, pt 1 (#231)

## Summary - Enable OIDC + API key authentication on zot with anonymous pull preserved - Enforce tag immutability for version tags - Adopt commit-SHA-based container image tagging Details in the [[harden-zot-registry]] Mikado chain (`mise run docs-mikado harden-zot-registry`). ## Test plan - [ ] Anonymous pull still works - [ ] Unauthenticated push fails (401) - [ ] CI container builds pass with new auth and tagging - [ ] `mise run services-check` passes 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/231
2026-02-20 22:50:01 -08:00 · 2026-02-20 22:50:01 -08:00 · 0e2c10176d
commit 0e2c10176d
parent 6d7071e5ec
28 changed files with 743 additions and 30 deletions
--- a/.dagger/src/blumeops_ci/main.py
+++ b/.dagger/src/blumeops_ci/main.py
@ -70,6 +70,57 @@ class BlumeopsCi:
            .file(f"/docs-{version}.tar.gz")
        )

+    @function
+    async def build_nix(
+        self, src: dagger.Directory, container_name: str
+    ) -> dagger.File:
+        """Build a nix container from containers/<name>/default.nix.
+
+        Returns the docker-archive tarball that can be loaded with
+        `docker load` or pushed with `skopeo copy`.
+        """
+        nix_file = f"containers/{container_name}/default.nix"
+        # Resolve nixpkgs store path from flake registry, then build.
+        # Uses nix-instantiate to parse JSON (avoids needing jq).
+        resolve_and_build = (
+            "set -e; "
+            "nix --extra-experimental-features 'nix-command flakes' "
+            "flake metadata nixpkgs --json > /tmp/nixpkgs.json; "
+            "NIXPKGS_PATH=$(nix-instantiate --eval -E "
+            '"(builtins.fromJSON (builtins.readFile /tmp/nixpkgs.json)).path" '
+            "| tr -d '\"'); "
+            'export NIX_PATH="nixpkgs=$NIXPKGS_PATH"; '
+            'echo "NIX_PATH=$NIX_PATH"; '
+            'nix-build "$1" -o /result'
+        )
+        return await (
+            dag.container()
+            .from_(NIX_IMAGE)
+            .with_directory("/workspace", src)
+            .with_workdir("/workspace")
+            .with_exec(["sh", "-c", resolve_and_build, "_", nix_file])
+            .file("/result")
+        )
+
+    @function
+    async def nix_version(self, package: str) -> str:
+        """Extract the version of a nixpkgs package. Returns version string."""
+        return await (
+            dag.container()
+            .from_(NIX_IMAGE)
+            .with_exec(
+                [
+                    "nix",
+                    "--extra-experimental-features",
+                    "nix-command flakes",
+                    "eval",
+                    "--raw",
+                    f"nixpkgs#{package}.version",
+                ]
+            )
+            .stdout()
+        )
+
    @function
    async def flake_lock(
        self, src: dagger.Directory, flake_path: str = "nixos/ringtail"