Update docs for unified container build pipeline

- build-container-image how-to: document nix builds, --dry-run, unified tag triggering both workflows, add nettest nix pattern - ringtail reference: expand runner section with host packages, nixpkgs resolution, and container config files - forgejo reference: document both runners and both workflows - changelog fragment: reflect final scope Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-19 08:41:03 -08:00 · 2026-02-19 08:41:03 -08:00 · 3fbbc2d412
commit 3fbbc2d412
parent e7f6a71e9b
4 changed files with 43 additions and 18 deletions
--- a/docs/changelog.d/feature-nettest-nix-container.feature.md
+++ b/docs/changelog.d/feature-nettest-nix-container.feature.md
@ -1 +1 @@
-Added Nix container build for nettest, validating the full nix-container-builder pipeline on ringtail. Updated container-list and container-tag-and-release to support containers with both Dockerfile and default.nix.
+Added Nix container build for nettest, validating the full nix-container-builder pipeline on ringtail. One git tag now triggers both Dockerfile and Nix workflows — each skips if its build file is absent. Rewrote container-tag-and-release as a typer CLI with --dry-run support. Added container policy.json and registries.conf to ringtail for skopeo.
--- a/docs/how-to/deployment/build-container-image.md
+++ b/docs/how-to/deployment/build-container-image.md
@ -1,6 +1,6 @@
 ---
 title: Build Container Image
-modified: 2026-02-15
+modified: 2026-02-19
 last-reviewed: 2026-02-15
 tags:
  - how-to
@ -14,30 +14,35 @@ How to create a custom container image in BlumeOps, build it locally, and releas

 ## Prerequisites

- [Dagger CLI](https://docs.dagger.io/install) installed locally
- A Dockerfile for the service you want to build
+- [Dagger CLI](https://docs.dagger.io/install) installed locally (for Dockerfile builds)
+- A `Dockerfile` and/or `default.nix` for the service

 ## 1. Create the container directory

-Add a `Dockerfile` (and any supporting files) under `containers/<name>/`:
+Add build files under `containers/<name>/`:

 ```
 containers/<name>/
-├── Dockerfile
+├── Dockerfile      (built by Dagger on the k8s runner)
+├── default.nix     (built by nix-build on the ringtail runner)
 └── (optional scripts, configs)
 ```

-The directory name becomes the image name: `registry.ops.eblu.me/blumeops/<name>`.
+A container can have one or both build files. The directory name becomes the image name: `registry.ops.eblu.me/blumeops/<name>`.

 ## 2. Build locally

-Test your image with Dagger:
+**Dockerfile** — test with Dagger:

 ```bash
 dagger call build --src=. --container-name=<name>
 ```

-This builds `containers/<name>/Dockerfile` using the Dagger `docker_build()` function. Fix any build errors before proceeding.
+**Nix** — test with nix-build (requires nix, e.g. on [[ringtail]]):
+
+```bash
+nix-build containers/<name>/default.nix -o result
+```

 ## 3. Release

@ -47,7 +52,14 @@ Once the image builds cleanly, create a tagged release:
 mise run container-tag-and-release <name> v1.0.0
 ```

-This creates a git tag `<name>-v1.0.0` and pushes it. The `build-container` Forgejo workflow triggers on the tag, builds the image via Dagger, and publishes it to the registry as `registry.ops.eblu.me/blumeops/<name>:v1.0.0`.
+Use `--dry-run` to preview without creating tags.
+
+This creates a single git tag `<name>-v1.0.0` and pushes it. Both Forgejo workflows trigger on the tag — each checks for its build file and skips if not present:
+
+| Build file | Workflow | Runner | Registry tag |
+|------------|----------|--------|--------------|
+| `Dockerfile` | `build-container.yaml` | `k8s` (indri) | `:v1.0.0` |
+| `default.nix` | `build-container-nix.yaml` | `nix-container-builder` ([[ringtail]]) | `:v1.0.0-nix` |

 Check available images and tags with:

@ -76,6 +88,7 @@ Existing containers demonstrate several build approaches:
 | Multi-stage with Node + Go | [[#navidrome]] | Separate UI and backend build stages |
 | Multi-stage Elixir | [[#teslamate]] | Elixir release with Node assets |
 | Runtime tarball download | [[#kiwix-serve]] | Download pre-built binary with arch detection |
+| Nix `dockerTools` | [[#nettest-nix]] | `buildLayeredImage` with nixpkgs tools |

 ### transmission

@ -97,6 +110,10 @@ Existing containers demonstrate several build approaches:

 `containers/kiwix-serve/Dockerfile` — Downloads a pre-built binary from upstream, with architecture detection for cross-platform support.

+### nettest (nix)
+
+`containers/nettest/default.nix` — Uses `dockerTools.buildLayeredImage` with `buildEnv` to merge nixpkgs tools (curl, jq, dnsutils, bash). Runs alongside the existing Dockerfile; the nix variant is tagged `:version-nix` in the registry.
+
 ## Related

 - [[deploy-k8s-service]] — Deploying the service that uses the image
--- a/docs/reference/infrastructure/ringtail.md
+++ b/docs/reference/infrastructure/ringtail.md
@ -1,6 +1,6 @@
 ---
 title: Ringtail
-modified: 2026-02-18
+modified: 2026-02-19
 tags:
  - infrastructure
  - host
@ -81,7 +81,7 @@ argocd cluster add default --name k3s-ringtail

 ### Forgejo Actions Runner

-A native Forgejo Actions runner (`ringtail-nix-builder`) runs as a systemd service via the NixOS `services.gitea-actions-runner` module. It builds containers using `nix build` and pushes them to Zot via `skopeo`.
+A native Forgejo Actions runner (`ringtail-nix-builder`) runs as a systemd service via the NixOS `services.gitea-actions-runner` module. It builds containers using `nix-build` and pushes them to Zot via `skopeo`.

 | Property | Value |
 |----------|-------|
@ -89,6 +89,9 @@ A native Forgejo Actions runner (`ringtail-nix-builder`) runs as a systemd servi
 | **Execution** | Host (no containers) |
 | **Token** | `/etc/forgejo-runner/token.env` (provisioned by Ansible) |
 | **Service unit** | `gitea-runner-nix_container_builder.service` |
+| **Host packages** | bash, coreutils, curl, gawk, git, gnused, jq, nodejs, wget, nix, skopeo |
+
+The runner resolves `<nixpkgs>` from the flake registry at build time. Container trust policy (`/etc/containers/policy.json`) and registry search order (`/etc/containers/registries.conf`) are configured minimally in `configuration.nix` for skopeo — no full `virtualisation.containers` module needed.

 ## Maintenance Notes

--- a/docs/reference/services/forgejo.md
+++ b/docs/reference/services/forgejo.md
@ -1,6 +1,6 @@
 ---
 title: Forgejo
-modified: 2026-02-08
+modified: 2026-02-19
 tags:
  - service
  - git
@ -31,15 +31,20 @@ Git forge and CI/CD platform. **Primary source of truth for blumeops** (mirrored

 ## CI/CD (Forgejo Actions)

-**Runner:** Kubernetes pod with Docker-in-Docker sidecar
- Namespace: `forgejo-runner`
- Labels: `k8s`
- ArgoCD app: `forgejo-runner`
+**Runners:**
+
+| Runner | Host | Labels | Purpose |
+|--------|------|--------|---------|
+| k8s DinD pod | [[indri]] (minikube) | `k8s` | Dockerfile builds via Dagger |
+| ringtail-nix-builder | [[ringtail]] (native) | `nix-container-builder` | Nix builds via `nix-build` + `skopeo` |

 **Workflows:** `.forgejo/workflows/`
- `build-container.yaml` - Container image builds on tag
+- `build-container.yaml` - Dockerfile builds on tag (runs on `k8s`)
+- `build-container-nix.yaml` - Nix builds on tag (runs on `nix-container-builder`)
 - `build-blumeops.yaml` - Documentation builds and releases

+Both container workflows trigger on the same tag pattern (`*-v[0-9]*`). Each checks for its build file (`Dockerfile` or `default.nix`) and skips if not present. See [[build-container-image]].
+
 ## Secrets (Forgejo Config)

 Server configuration secrets managed via 1Password → Ansible: