Update ringtail flake inputs, add flake-update pipeline (#240)

## Summary - Update all ringtail NixOS flake inputs (nixpkgs, disko, home-manager) to latest - Add `flake_update` Dagger function (`nix flake update`) alongside existing `flake_lock` (`nix flake lock`) - Add how-to guide for managing the ringtail lockfile - Update dagger and ringtail reference cards ## Deployment and Testing - [x] `mise run provision-ringtail` — deployed successfully, `changed=2` (repo + rebuild) - [x] `mise run services-check` — all services healthy - [x] Doc link and index checks pass Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/240
2026-02-22 08:17:52 -08:00 · 2026-02-22 08:17:52 -08:00 · a5429d5a34
commit a5429d5a34
parent b4015153c6
7 changed files with 88 additions and 13 deletions
--- a/.dagger/src/blumeops_ci/main.py
+++ b/.dagger/src/blumeops_ci/main.py
@ -151,3 +151,26 @@ class BlumeopsCi:
            )
            .file(f"/workspace/{flake_path}/flake.lock")
        )
+
+    @function
+    async def flake_update(
+        self, src: dagger.Directory, flake_path: str = "nixos/ringtail"
+    ) -> dagger.File:
+        """Update all flake inputs to latest and return updated flake.lock."""
+        return await (
+            dag.container()
+            .from_(NIX_IMAGE)
+            .with_directory("/workspace", src)
+            .with_workdir(f"/workspace/{flake_path}")
+            .with_exec(
+                [
+                    "nix",
+                    "--extra-experimental-features",
+                    "nix-command flakes",
+                    "flake",
+                    "update",
+                    "--accept-flake-config",
+                ]
+            )
+            .file(f"/workspace/{flake_path}/flake.lock")
+        )
--- a/docs/changelog.d/feature-ringtail-flake-update.infra.md
+++ b/docs/changelog.d/feature-ringtail-flake-update.infra.md
@ -0,0 +1 @@
+Add `flake-update` Dagger pipeline for updating ringtail NixOS flake inputs.
--- a/docs/how-to/how-to.md
+++ b/docs/how-to/how-to.md
@ -1,6 +1,6 @@
 ---
 title: How-To
-modified: 2026-02-17
+modified: 2026-02-22
 tags:
  - how-to
 ---
@ -64,6 +64,12 @@ Migration and transition plans for upcoming infrastructure changes.
 | [[upgrade-grafana-helm-chart]] | Upgrade Grafana Helm chart from 8.8.2 to 11.x |
 | [[operationalize-reolink-camera]] | Cloud-free NVR with Frigate and ring buffer recording |

+## Ringtail
+
+| Guide | Description |
+|-------|-------------|
+| [[manage-lockfile]] | Update or lock NixOS flake inputs via Dagger |
+
 ## Zot

 Mikado chain for hardening the zot registry. Track progress with `mise run docs-mikado harden-zot-registry`.
--- a/docs/how-to/ringtail/manage-lockfile.md
+++ b/docs/how-to/ringtail/manage-lockfile.md
@ -0,0 +1,39 @@
+---
+title: Manage Ringtail Lockfile
+modified: 2026-02-22
+tags:
+  - how-to
+  - ringtail
+  - nix
+---
+
+# Manage Ringtail Lockfile
+
+Two [[dagger]] pipelines manage the ringtail NixOS flake lockfile (`nixos/ringtail/flake.lock`) for different purposes.
+
+## Update All Inputs
+
+To pull the latest versions of all flake inputs (equivalent to `nix flake update`):
+
+```fish
+# Update flake.lock
+dagger call flake-update --src=. --flake-path=nixos/ringtail \
+    export --path=nixos/ringtail/flake.lock
+
+# Commit, push, then deploy
+git add nixos/ringtail/flake.lock
+git commit -m "Update ringtail flake inputs"
+git push
+mise run provision-ringtail
+```
+
+## Lock New Inputs Only
+
+`mise run provision-ringtail` automatically runs `flake-lock` before deploying. This resolves any newly added inputs without upgrading existing ones (equivalent to `nix flake lock`). If the lockfile changes, the task stages the file and exits — commit, push, and re-run.
+
+This is the right behavior for provisioning: configuration changes that add a new input get locked, but existing inputs stay pinned until explicitly updated.
+
+## Related
+
+- [[ringtail]] — Host reference
+- [[dagger]] — Build engine (provides both pipelines)
--- a/docs/reference/infrastructure/ringtail.md
+++ b/docs/reference/infrastructure/ringtail.md
@ -1,6 +1,6 @@
 ---
 title: Ringtail
-modified: 2026-02-19
+modified: 2026-02-22
 tags:
  - infrastructure
  - host
@ -43,7 +43,7 @@ Managed declaratively via `nixos/ringtail/configuration.nix`. Home-manager handl
 mise run provision-ringtail
 ```

-This updates `flake.lock` via Dagger, verifies the current commit is pushed to forge, then deploys the exact commit via ansible. If the lockfile changed, it stages the file and exits so you can commit and re-run.
+This locks new flake inputs via Dagger, verifies the current commit is pushed to forge, then deploys the exact commit via ansible. If the lockfile changed, it stages the file and exits so you can commit and re-run. To update all inputs to latest versions, see [[manage-lockfile]].

 ## K3s Cluster

--- a/docs/reference/tools/dagger.md
+++ b/docs/reference/tools/dagger.md
@ -1,6 +1,6 @@
 ---
 title: Dagger
-modified: 2026-02-20
+modified: 2026-02-22
 tags:
  - reference
  - ci-cd
@ -31,6 +31,7 @@ Build engine for BlumeOps CI/CD pipelines. Replaces shell-based build scripts wi
 | `nix_version` | `(package) → str` | Extract the version of a nixpkgs package |
 | `build_docs` | `(src, version) → File` | Build Quartz docs site, return docs tarball |
 | `flake_lock` | `(src, flake_path?) → File` | Resolve flake inputs, return updated `flake.lock` |
+| `flake_update` | `(src, flake_path?) → File` | Update all flake inputs to latest, return `flake.lock` |

 ## CLI Examples

@ -58,6 +59,10 @@ dagger call build-docs --src=. --version=dev export --path=./docs-dev.tar.gz

 # Debug a docs build failure
 dagger call --interactive build-docs --src=. --version=dev
+
+# Update all ringtail flake inputs
+dagger call flake-update --src=. --flake-path=nixos/ringtail \
+    export --path=nixos/ringtail/flake.lock
 ```

 ## Secrets
@ -84,3 +89,4 @@ In [[forgejo]] Actions, secrets are injected as env vars. Locally, mise tasks ca
 - [[zot]] — Container registry (publish target)
 - [[docs]] — Documentation site (build target)
 - [[adopt-dagger-ci]] — Adoption plan (phases 1–3 complete)
+- [[manage-lockfile]] — Ringtail flake lockfile management
--- a/nixos/ringtail/flake.lock
+++ b/nixos/ringtail/flake.lock
@ -7,11 +7,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1771355198,
-        "narHash": "sha256-89m5VKxIs8QNiIvLsxHu5NpyhDsoXTtoN801IAurnW4=",
+        "lastModified": 1771469470,
+        "narHash": "sha256-GnqdqhrguKNN3HtVfl6z+zbV9R9jhHFm3Z8nu7R6ml0=",
        "owner": "nix-community",
        "repo": "disko",
-        "rev": "92fceb111901a6f13e81199be4fab95fce86a5c9",
+        "rev": "4707eec8d1d2db5182ea06ed48c820a86a42dc13",
        "type": "github"
      },
      "original": {
@ -27,11 +27,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1770260404,
-        "narHash": "sha256-3iVX1+7YUIt23hBx1WZsUllhbmP2EnXrV8tCRbLxHc8=",
+        "lastModified": 1771744638,
+        "narHash": "sha256-EDLi+YAsEEAmMeZe1v6GccuGRbCkpSZp/+A6g+pivR8=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "0d782ee42c86b196acff08acfbf41bb7d13eed5b",
+        "rev": "cb6c151f5c9db4df0b69d06894dc8484de1f16a0",
        "type": "github"
      },
      "original": {
@ -43,11 +43,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1771208521,
-        "narHash": "sha256-X01Q3DgSpjeBpapoGA4rzKOn25qdKxbPnxHeMLNoHTU=",
+        "lastModified": 1771574726,
+        "narHash": "sha256-D1PA3xQv/s4W3lnR9yJFSld8UOLr0a/cBWMQMXS+1Qg=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "fa56d7d6de78f5a7f997b0ea2bc6efd5868ad9e8",
+        "rev": "c217913993d6c6f6805c3b1a3bda5e639adfde6d",
        "type": "github"
      },
      "original": {
				`@ -0,0 +1 @@`
				Add `flake-update` Dagger pipeline for updating ringtail NixOS flake inputs.