Update ringtail flake inputs, add flake-update pipeline (#240)

## Summary
- Update all ringtail NixOS flake inputs (nixpkgs, disko, home-manager) to latest
- Add `flake_update` Dagger function (`nix flake update`) alongside existing `flake_lock` (`nix flake lock`)
- Add how-to guide for managing the ringtail lockfile
- Update dagger and ringtail reference cards

## Deployment and Testing
- [x] `mise run provision-ringtail` — deployed successfully, `changed=2` (repo + rebuild)
- [x] `mise run services-check` — all services healthy
- [x] Doc link and index checks pass

Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/240

docs/reference/tools/dagger.md

@@ -1,6 +1,6 @@
 ---
 title: Dagger
-modified: 2026-02-20
+modified: 2026-02-22
 tags:
   - reference
   - ci-cd
@@ -31,6 +31,7 @@ Build engine for BlumeOps CI/CD pipelines. Replaces shell-based build scripts wi
 | `nix_version` | `(package) → str` | Extract the version of a nixpkgs package |
 | `build_docs` | `(src, version) → File` | Build Quartz docs site, return docs tarball |
 | `flake_lock` | `(src, flake_path?) → File` | Resolve flake inputs, return updated `flake.lock` |
+| `flake_update` | `(src, flake_path?) → File` | Update all flake inputs to latest, return `flake.lock` |
 
 ## CLI Examples
 
@@ -58,6 +59,10 @@ dagger call build-docs --src=. --version=dev export --path=./docs-dev.tar.gz
 
 # Debug a docs build failure
 dagger call --interactive build-docs --src=. --version=dev
+
+# Update all ringtail flake inputs
+dagger call flake-update --src=. --flake-path=nixos/ringtail \
+    export --path=nixos/ringtail/flake.lock
 ```
 
 ## Secrets
@@ -84,3 +89,4 @@ In [[forgejo]] Actions, secrets are injected as env vars. Locally, mise tasks ca
 - [[zot]] — Container registry (publish target)
 - [[docs]] — Documentation site (build target)
 - [[adopt-dagger-ci]] — Adoption plan (phases 1–3 complete)
+- [[manage-lockfile]] — Ringtail flake lockfile management