diff --git a/.dagger/src/blumeops_ci/main.py b/.dagger/src/blumeops_ci/main.py index c20709f..3b72087 100644 --- a/.dagger/src/blumeops_ci/main.py +++ b/.dagger/src/blumeops_ci/main.py @@ -151,3 +151,26 @@ class BlumeopsCi: ) .file(f"/workspace/{flake_path}/flake.lock") ) + + @function + async def flake_update( + self, src: dagger.Directory, flake_path: str = "nixos/ringtail" + ) -> dagger.File: + """Update all flake inputs to latest and return updated flake.lock.""" + return await ( + dag.container() + .from_(NIX_IMAGE) + .with_directory("/workspace", src) + .with_workdir(f"/workspace/{flake_path}") + .with_exec( + [ + "nix", + "--extra-experimental-features", + "nix-command flakes", + "flake", + "update", + "--accept-flake-config", + ] + ) + .file(f"/workspace/{flake_path}/flake.lock") + ) diff --git a/docs/changelog.d/feature-ringtail-flake-update.infra.md b/docs/changelog.d/feature-ringtail-flake-update.infra.md new file mode 100644 index 0000000..50ed01f --- /dev/null +++ b/docs/changelog.d/feature-ringtail-flake-update.infra.md @@ -0,0 +1 @@ +Add `flake-update` Dagger pipeline for updating ringtail NixOS flake inputs. diff --git a/docs/how-to/how-to.md b/docs/how-to/how-to.md index 09593d1..3c1ec1b 100644 --- a/docs/how-to/how-to.md +++ b/docs/how-to/how-to.md @@ -1,6 +1,6 @@ --- title: How-To -modified: 2026-02-17 +modified: 2026-02-22 tags: - how-to --- @@ -64,6 +64,12 @@ Migration and transition plans for upcoming infrastructure changes. | [[upgrade-grafana-helm-chart]] | Upgrade Grafana Helm chart from 8.8.2 to 11.x | | [[operationalize-reolink-camera]] | Cloud-free NVR with Frigate and ring buffer recording | +## Ringtail + +| Guide | Description | +|-------|-------------| +| [[manage-lockfile]] | Update or lock NixOS flake inputs via Dagger | + ## Zot Mikado chain for hardening the zot registry. Track progress with `mise run docs-mikado harden-zot-registry`. 
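Review bot: `--accept-flake-config` in the `with_exec` argument list lets the flake's own `nixConfig` block change Nix settings (substituters, trusted keys and the like) without a prompt, and nothing in `flake_update` says why an input-update step needs that. If ringtail's `flake.nix` declares no `nixConfig`, the flag can simply be dropped; if it does, keep the flag with a comment such as `# nixConfig comes from our own flake.nix and is reviewed on commit`. The visible tail of the preceding function suggests `flake_update` repeats its container setup almost line for line, so a small private helper that takes the `nix flake` subcommand would keep the two from drifting. That function's body starts outside the hunk, so the duplication is inferred rather than confirmed.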
diff --git a/docs/how-to/ringtail/manage-lockfile.md b/docs/how-to/ringtail/manage-lockfile.md new file mode 100644 index 0000000..b393d24 --- /dev/null +++ b/docs/how-to/ringtail/manage-lockfile.md @@ -0,0 +1,39 @@ +--- +title: Manage Ringtail Lockfile +modified: 2026-02-22 +tags: + - how-to + - ringtail + - nix +--- + +# Manage Ringtail Lockfile + +Two [[dagger]] pipelines manage the ringtail NixOS flake lockfile (`nixos/ringtail/flake.lock`) for different purposes. + +## Update All Inputs + +To pull the latest versions of all flake inputs (equivalent to `nix flake update`): + +```fish +# Update flake.lock +dagger call flake-update --src=. --flake-path=nixos/ringtail \ + export --path=nixos/ringtail/flake.lock + +# Commit, push, then deploy +git add nixos/ringtail/flake.lock +git commit -m "Update ringtail flake inputs" +git push +mise run provision-ringtail +``` + +## Lock New Inputs Only + +`mise run provision-ringtail` automatically runs `flake-lock` before deploying. This resolves any newly added inputs without upgrading existing ones (equivalent to `nix flake lock`). If the lockfile changes, the task stages the file and exits — commit, push, and re-run. + +This is the right behavior for provisioning: configuration changes that add a new input get locked, but existing inputs stay pinned until explicitly updated. + +## Related + +- [[ringtail]] — Host reference +- [[dagger]] — Build engine (provides both pipelines) diff --git a/docs/reference/infrastructure/ringtail.md b/docs/reference/infrastructure/ringtail.md index eba2883..ef77702 100644 --- a/docs/reference/infrastructure/ringtail.md +++ b/docs/reference/infrastructure/ringtail.md @@ -1,6 +1,6 @@ --- title: Ringtail -modified: 2026-02-19 +modified: 2026-02-22 tags: - infrastructure - host 
@@ -43,7 +43,7 @@ Managed declaratively via `nixos/ringtail/configuration.nix`. Home-manager handl mise run provision-ringtail ``` -This updates `flake.lock` via Dagger, verifies the current commit is pushed to forge, then deploys the exact commit via ansible. If the lockfile changed, it stages the file and exits so you can commit and re-run. +This locks new flake inputs via Dagger, verifies the current commit is pushed to forge, then deploys the exact commit via ansible. If the lockfile changed, it stages the file and exits so you can commit and re-run. To update all inputs to latest versions, see [[manage-lockfile]]. ## K3s Cluster diff --git a/docs/reference/tools/dagger.md b/docs/reference/tools/dagger.md index fcd5520..81a1410 100644 --- a/docs/reference/tools/dagger.md +++ b/docs/reference/tools/dagger.md @@ -1,6 +1,6 @@ --- title: Dagger -modified: 2026-02-20 +modified: 2026-02-22 tags: - reference - ci-cd @@ -31,6 +31,7 @@ Build engine for BlumeOps CI/CD pipelines. Replaces shell-based build scripts wi | `nix_version` | `(package) → str` | Extract the version of a nixpkgs package | | `build_docs` | `(src, version) → File` | Build Quartz docs site, return docs tarball | | `flake_lock` | `(src, flake_path?) → File` | Resolve flake inputs, return updated `flake.lock` | +| `flake_update` | `(src, flake_path?) → File` | Update all flake inputs to latest, return `flake.lock` | ## CLI Examples @@ -58,6 +59,10 @@ dagger call build-docs --src=. --version=dev export --path=./docs-dev.tar.gz # Debug a docs build failure dagger call --interactive build-docs --src=. --version=dev + +# Update all ringtail flake inputs +dagger call flake-update --src=. --flake-path=nixos/ringtail \ + export --path=nixos/ringtail/flake.lock ``` ## Secrets 
@@ -84,3 +89,4 @@ In [[forgejo]] Actions, secrets are injected as env vars. Locally, mise tasks ca - [[zot]] — Container registry (publish target) - [[docs]] — Documentation site (build target) - [[adopt-dagger-ci]] — Adoption plan (phases 1–3 complete) +- [[manage-lockfile]] — Ringtail flake lockfile management diff --git a/nixos/ringtail/flake.lock b/nixos/ringtail/flake.lock index 2cd5e75..3c67dc5 100644 --- a/nixos/ringtail/flake.lock +++ b/nixos/ringtail/flake.lock @@ -7,11 +7,11 @@ ] }, "locked": { - "lastModified": 1771355198, - "narHash": "sha256-89m5VKxIs8QNiIvLsxHu5NpyhDsoXTtoN801IAurnW4=", + "lastModified": 1771469470, + "narHash": "sha256-GnqdqhrguKNN3HtVfl6z+zbV9R9jhHFm3Z8nu7R6ml0=", "owner": "nix-community", "repo": "disko", - "rev": "92fceb111901a6f13e81199be4fab95fce86a5c9", + "rev": "4707eec8d1d2db5182ea06ed48c820a86a42dc13", "type": "github" }, "original": { @@ -27,11 +27,11 @@ ] }, "locked": { - "lastModified": 1770260404, - "narHash": "sha256-3iVX1+7YUIt23hBx1WZsUllhbmP2EnXrV8tCRbLxHc8=", + "lastModified": 1771744638, + "narHash": "sha256-EDLi+YAsEEAmMeZe1v6GccuGRbCkpSZp/+A6g+pivR8=", "owner": "nix-community", "repo": "home-manager", - "rev": "0d782ee42c86b196acff08acfbf41bb7d13eed5b", + "rev": "cb6c151f5c9db4df0b69d06894dc8484de1f16a0", "type": "github" }, "original": { @@ -43,11 +43,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1771208521, - "narHash": "sha256-X01Q3DgSpjeBpapoGA4rzKOn25qdKxbPnxHeMLNoHTU=", + "lastModified": 1771574726, + "narHash": "sha256-D1PA3xQv/s4W3lnR9yJFSld8UOLr0a/cBWMQMXS+1Qg=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "fa56d7d6de78f5a7f997b0ea2bc6efd5868ad9e8", + "rev": "c217913993d6c6f6805c3b1a3bda5e639adfde6d", "type": "github" }, "original": {