Nix container build for nettest (#214)

## Summary
- Add `containers/nettest/default.nix` using `dockerTools.buildLayeredImage` with curl, jq, dnsutils, cacert, and bash — equivalent to the existing Dockerfile
- Update `container-tag-and-release` to require `--nix` or `--dockerfile` flag when both build types exist for a container
- Update `container-list` to show `[dockerfile+nix]` label when both exist

## Deployment and Testing
- [ ] SSH to ringtail, run `nix build -f containers/nettest/default.nix -o result` to verify the nix expression builds
- [ ] Tag `nettest-nix-v1.0.0`, confirm `build-container-nix` workflow runs on `nix-container-builder` runner and pushes to registry
- [ ] Smoke test on ringtail k3s: `kubectl run nettest --image=registry.ops.eblu.me/blumeops/nettest:v1.0.0 --restart=Never && kubectl logs nettest`
- [ ] Verify `mise run container-list` shows `[dockerfile+nix]` for nettest
- [ ] Verify `mise run container-tag-and-release nettest v1.1.0` prompts for build type

Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/214

containers/nettest/default.nix

@@ -0,0 +1,39 @@
+# Nix-built nettest container
+# Equivalent to the Dockerfile: curl, jq, bind (nslookup), ca-certs, bash
+# Built with dockerTools.buildLayeredImage for efficient layer caching
+{ pkgs ? import <nixpkgs> { } }:
+
+let
+  testScript = ./test-connectivity.sh;
+
+  tools = pkgs.buildEnv {
+    name = "nettest-tools";
+    paths = [
+      pkgs.curl
+      pkgs.jq
+      pkgs.dnsutils # provides nslookup, dig
+      pkgs.cacert
+      pkgs.coreutils
+      pkgs.hostname
+      pkgs.bashInteractive
+    ];
+  };
+in
+pkgs.dockerTools.buildLayeredImage {
+  name = "blumeops/nettest";
+  tag = "latest";
+
+  contents = [ tools ];
+
+  extraCommands = ''
+    cp ${testScript} test-connectivity.sh
+    chmod +x test-connectivity.sh
+  '';
+
+  config = {
+    Entrypoint = [ "/bin/bash" "/test-connectivity.sh" ];
+    Env = [
+      "SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
+    ];
+  };
+}