Add install-dagger-on-nix-runner Mikado card (#233)

## Summary - New Mikado card: the ringtail nix-container-builder runner lacks dagger, which the nix workflow needs for `dagger call nix-version` (authentik version extraction fallback) - Re-opens `adopt-commit-based-container-tags` with this new prerequisite - All other containers (11 Dockerfile-only, nettest + ntfy with nix) build fine — only authentik's nix build is blocked ## Deployment and Testing - Docs only, no deployment needed Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/233
2026-02-20 23:03:12 -08:00 · 2026-02-20 23:03:12 -08:00 · a68a170a10
commit a68a170a10
parent ffa8727660
3 changed files with 43 additions and 0 deletions
--- a/docs/how-to/how-to.md
+++ b/docs/how-to/how-to.md
@ -74,6 +74,7 @@ Mikado chain for hardening the zot registry. Track progress with `mise run docs-
 - [[enforce-tag-immutability]]
 - [[adopt-commit-based-container-tags]]
 - [[add-container-version-sync-check]]
+- [[install-dagger-on-nix-runner]]
 - [[pin-container-versions]]
 - [[add-dagger-nix-build]]
 - [[fix-ntfy-nix-version]]
--- a/docs/how-to/zot/adopt-commit-based-container-tags.md
+++ b/docs/how-to/zot/adopt-commit-based-container-tags.md
@ -1,8 +1,10 @@
 ---
 title: Adopt Commit-Based Container Tags
 modified: 2026-02-20
+status: active
 requires:
  - add-container-version-sync-check
+  - install-dagger-on-nix-runner
 tags:
  - how-to
  - containers
--- a/docs/how-to/zot/install-dagger-on-nix-runner.md
+++ b/docs/how-to/zot/install-dagger-on-nix-runner.md
@ -0,0 +1,40 @@
+---
+title: Install Dagger on Nix Runner
+modified: 2026-02-20
+status: active
+tags:
+  - how-to
+  - ci
+  - zot
+---
+
+# Install Dagger on Nix Runner
+
+Install the Dagger CLI on the ringtail nix-container-builder runner so that the nix container build workflow can use `dagger call nix-version` to extract package versions from nixpkgs.
+
+## Context
+
+The `build-container-nix.yaml` workflow extracts container versions in this order:
+
+1. `version = "..."` from `default.nix` (e.g. ntfy)
+2. `ARG CONTAINER_APP_VERSION=` from Dockerfile (e.g. nettest)
+3. `dagger call nix-version --package=<name>` for nixpkgs packages (e.g. authentik)
+
+Step 3 fails on the ringtail nix runner because dagger is not installed. The runner currently only has nix, skopeo, and jq.
+
+## What to Do
+
+1. Add `dagger` to the ringtail nix runner environment in `nixos/ringtail/configuration.nix` (or equivalent)
+2. Verify `dagger` is available in the runner's PATH
+3. Re-run `mise run container-build-and-release authentik` to confirm the nix build succeeds
+
+## Verification
+
+- [ ] `ssh ringtail 'which dagger'` returns a path
+- [ ] Authentik nix build workflow completes successfully
+- [ ] `dagger call nix-version --package=authentik` works on the runner
+
+## Related
+
+- [[adopt-commit-based-container-tags]] — Parent card
+- [[harden-zot-registry]] — Root goal