Nix container build for nettest (#214)

## Summary
- Add `containers/nettest/default.nix` using `dockerTools.buildLayeredImage` with curl, jq, dnsutils, cacert, and bash — equivalent to the existing Dockerfile
- Update `container-tag-and-release` to require `--nix` or `--dockerfile` flag when both build types exist for a container
- Update `container-list` to show `[dockerfile+nix]` label when both exist

## Deployment and Testing
- [ ] SSH to ringtail, run `nix build -f containers/nettest/default.nix -o result` to verify the nix expression builds
- [ ] Tag `nettest-nix-v1.0.0`, confirm `build-container-nix` workflow runs on `nix-container-builder` runner and pushes to registry
- [ ] Smoke test on ringtail k3s: `kubectl run nettest --image=registry.ops.eblu.me/blumeops/nettest:v1.0.0 --restart=Never && kubectl logs nettest`
- [ ] Verify `mise run container-list` shows `[dockerfile+nix]` for nettest
- [ ] Verify `mise run container-tag-and-release nettest v1.1.0` prompts for build type

Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/214

docs/reference/infrastructure/ringtail.md

@@ -1,6 +1,6 @@
 ---
 title: Ringtail
-modified: 2026-02-18
+modified: 2026-02-19
 tags:
   - infrastructure
   - host
@@ -81,7 +81,7 @@ argocd cluster add default --name k3s-ringtail
 
 ### Forgejo Actions Runner
 
-A native Forgejo Actions runner (`ringtail-nix-builder`) runs as a systemd service via the NixOS `services.gitea-actions-runner` module. It builds containers using `nix build` and pushes them to Zot via `skopeo`.
+A native Forgejo Actions runner (`ringtail-nix-builder`) runs as a systemd service via the NixOS `services.gitea-actions-runner` module. It builds containers using `nix-build` and pushes them to Zot via `skopeo`.
 
 | Property | Value |
 |----------|-------|
@@ -89,6 +89,9 @@ A native Forgejo Actions runner (`ringtail-nix-builder`) runs as a systemd servi
 | **Execution** | Host (no containers) |
 | **Token** | `/etc/forgejo-runner/token.env` (provisioned by Ansible) |
 | **Service unit** | `gitea-runner-nix_container_builder.service` |
+| **Host packages** | bash, coreutils, curl, gawk, git, gnused, jq, nodejs, wget, nix, skopeo |
+
+The runner resolves `<nixpkgs>` from the flake registry at build time. Container trust policy (`/etc/containers/policy.json`) and registry search order (`/etc/containers/registries.conf`) are configured minimally in `configuration.nix` for skopeo — no full `virtualisation.containers` module needed.
 
 ## Maintenance Notes
 

docs/reference/services/forgejo.md

@@ -1,6 +1,6 @@
 ---
 title: Forgejo
-modified: 2026-02-08
+modified: 2026-02-19
 tags:
   - service
   - git
@@ -31,15 +31,20 @@ Git forge and CI/CD platform. **Primary source of truth for blumeops** (mirrored
 
 ## CI/CD (Forgejo Actions)
 
-**Runner:** Kubernetes pod with Docker-in-Docker sidecar
-- Namespace: `forgejo-runner`
-- Labels: `k8s`
-- ArgoCD app: `forgejo-runner`
+**Runners:**
+
+| Runner | Host | Labels | Purpose |
+|--------|------|--------|---------|
+| k8s DinD pod | [[indri]] (minikube) | `k8s` | Dockerfile builds via Dagger |
+| ringtail-nix-builder | [[ringtail]] (native) | `nix-container-builder` | Nix builds via `nix-build` + `skopeo` |
 
 **Workflows:** `.forgejo/workflows/`
-- `build-container.yaml` - Container image builds on tag
+- `build-container.yaml` - Dockerfile builds on tag (runs on `k8s`)
+- `build-container-nix.yaml` - Nix builds on tag (runs on `nix-container-builder`)
 - `build-blumeops.yaml` - Documentation builds and releases
 
+Both container workflows trigger on the same tag pattern (`*-v[0-9]*`). Each checks for its build file (`Dockerfile` or `default.nix`) and skips if not present. See [[build-container-image]].
+
 ## Secrets (Forgejo Config)
 
 Server configuration secrets managed via 1Password → Ansible: