From 1556f86779d2eb54b8c582a0275612cf105dbccc Mon Sep 17 00:00:00 2001
From: Erich Blume
Date: Fri, 20 Feb 2026 19:41:00 -0800
Subject: [PATCH] Add Dagger build_nix and nix_version functions

build_nix: builds nix containers inside nixos/nix:2.33.3 via Dagger, resolving nixpkgs from the flake registry. Returns docker-archive tarball. nix_version: extracts package version from nixpkgs (e.g., authentik -> 2025.10.1). Used by the container version sync check. Tested: nettest builds successfully, ntfy-sh and authentik versions resolve.
Co-Authored-By: Claude Opus 4.6
---
 .dagger/src/blumeops_ci/main.py | 51 +++++++++++++++++++++++++++++++++
 1 file changed, 51 insertions(+)

diff --git a/.dagger/src/blumeops_ci/main.py b/.dagger/src/blumeops_ci/main.py
index b14057a..f30e954 100644
--- a/.dagger/src/blumeops_ci/main.py
+++ b/.dagger/src/blumeops_ci/main.py
@@ -70,6 +70,57 @@ class BlumeopsCi:
 .file(f"/docs-{version}.tar.gz")
 )

+ @function
+ async def build_nix(
+ self, src: dagger.Directory, container_name: str
+ ) -> dagger.File:
+ """Build a nix container from containers//default.nix.
+
+ Returns the docker-archive tarball that can be loaded with
+ `docker load` or pushed with `skopeo copy`.
+ """
+ nix_file = f"containers/{container_name}/default.nix"
+ # Resolve nixpkgs store path from flake registry, then build.
+ # Uses nix-instantiate to parse JSON (avoids needing jq).
+ resolve_and_build = (
+ "set -e; "
+ "nix --extra-experimental-features 'nix-command flakes' "
+ "flake metadata nixpkgs --json > /tmp/nixpkgs.json; "
+ "NIXPKGS_PATH=$(nix-instantiate --eval -E "
+ '"(builtins.fromJSON (builtins.readFile /tmp/nixpkgs.json)).path" '
+ "| tr -d '\"'); "
+ 'export NIX_PATH="nixpkgs=$NIXPKGS_PATH"; '
+ 'echo "NIX_PATH=$NIX_PATH"; '
+ 'nix-build "$1" -o /result'
+ )
+ return await (
+ dag.container()
+ .from_(NIX_IMAGE)
+ .with_directory("/workspace", src)
+ .with_workdir("/workspace")
+ .with_exec(["sh", "-c", resolve_and_build, "_", nix_file])
+ .file("/result")
+ )
+
+ @function
+ async def nix_version(self, package: str) -> str:
+ """Extract the version of a nixpkgs package. Returns version string."""
+ return await (
+ dag.container()
+ .from_(NIX_IMAGE)
+ .with_exec(
+ [
+ "nix",
+ "--extra-experimental-features",
+ "nix-command flakes",
+ "eval",
+ "--raw",
+ f"nixpkgs#{package}.version",
+ ]
+ )
+ .stdout()
+ )
+
 @function
 async def flake_lock(
 self, src: dagger.Directory, flake_path: str = "nixos/ringtail"
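Review bot: `build_nix` and `nix_version` each resolve the indirect `nixpkgs` reference from the flake registry in a fresh container, so nothing in this hunk pins the image build to a reviewed nixpkgs revision or ties it to the revision whose `.version` the sync check reads. The same source tree can therefore produce different image contents over time, and the reported version may come from a different nixpkgs than the one that was built. Consider a shared parameter such as `nixpkgs_ref: str = "nixpkgs"`, passed to the build script as a second positional argument (not interpolated into the shell string) and used as `f"{nixpkgs_ref}#{package}.version"`, so CI can supply a locked reference like `github:NixOS/nixpkgs/<PINNED_REV>`. Separately, `set -e` does not stop on a failing `nix-instantiate` inside `$(… | tr -d '"')` because the pipeline's status is that of `tr`; a guard such as `[ -n "$NIXPKGS_PATH" ] || exit 1; ` before the `export` would keep an empty path from reaching `nix-build`.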