Harden zot registry, pt 1 (#231)

## Summary
- Enable OIDC + API key authentication on zot with anonymous pull preserved
- Enforce tag immutability for version tags
- Adopt commit-SHA-based container image tagging

Details in the [[harden-zot-registry]] Mikado chain (`mise run docs-mikado harden-zot-registry`).

## Test plan
- [ ] Anonymous pull still works
- [ ] Unauthenticated push fails (401)
- [ ] CI container builds pass with new auth and tagging
- [ ] `mise run services-check` passes

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/231
This commit is contained in:
Erich Blume 2026-02-20 22:50:01 -08:00
commit 0e2c10176d
28 changed files with 743 additions and 30 deletions


@ -1,6 +1,6 @@
---
title: Dagger
modified: 2026-02-12
modified: 2026-02-20
tags:
- reference
- ci-cd
@ -27,7 +27,10 @@ Build engine for BlumeOps CI/CD pipelines. Replaces shell-based build scripts wi
|----------|-----------|-------------|
| `build` | `(src, container_name) → Container` | Build a container from `containers/<name>/Dockerfile` |
| `publish` | `(src, container_name, version, registry?) → str` | Build and push to registry (default: `registry.ops.eblu.me`) |
| `build_nix` | `(src, container_name) → File` | Build a nix container from `containers/<name>/default.nix`, return docker-archive tarball |
| `nix_version` | `(package) → str` | Extract the version of a nixpkgs package |
| `build_docs` | `(src, version) → File` | Build Quartz docs site, return docs tarball |
| `flake_lock` | `(src, flake_path?) → File` | Resolve flake inputs, return updated `flake.lock` |
## CLI Examples
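Review bot: the `publish` row still documents "Build and push to registry (default: `registry.ops.eblu.me`)" without saying that a push now needs credentials, while the PR summary states that OIDC + API key authentication is enabled and that an unauthenticated push must fail with 401; add a sentence on how the credential is supplied to `publish` so a reader of this table does not hit the 401 unexpectedly. The four new rows (`build_nix`, `nix_version`, `build_docs`, `flake_lock`) read fine; consider a blank line between the last row and `## CLI Examples` so the heading is not run together with the table.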
@ -44,6 +47,12 @@ dagger call --interactive build --src=. --container-name=devpi
# Publish a container to zot
dagger call publish --src=. --container-name=devpi --version=v1.1.0
# Build a nix container (no local nix required)
dagger call build-nix --src=. --container-name=nettest export --path=./nettest.tar.gz
# Check a nixpkgs package version
dagger call nix-version --package=authentik
# Build docs tarball locally
dagger call build-docs --src=. --version=dev export --path=./docs-dev.tar.gz
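Review bot: the `publish` example keeps `--version=v1.1.0`, but the PR summary says image tagging is moving to commit-SHA-based tags and that version tags are now immutable, so re-running this exact command once `v1.1.0` exists will be rejected by the registry. Either show the SHA-based tag form that CI uses, or add a note beside the example that a version tag can be pushed only once. The `build-nix`, `nix-version` and `build-docs` examples match the new table rows.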