Pin NixOS service versions via nixpkgs-services overlay
Discovered during service review that nix-container-builder was running 12.7.2 but service-versions.yaml said 12.6.4 — flake updates had silently upgraded it.

Add a nixpkgs-services flake input pinned to a specific nixpkgs commit, with an overlay that pulls forgejo-runner, snowflake, and k3s from it. The Dagger flake-update pipeline now excludes this input. Also adds k3s and minikube to service-versions.yaml tracking.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
parent cfbf4cadbd
commit a890bcc882
6 changed files with 64 additions and 9 deletions
@ -108,6 +108,10 @@ A native Forgejo Actions runner (`ringtail-nix-builder`) runs as a systemd servi
|
|||
|
||||
The runner resolves `<nixpkgs>` from the flake registry at build time. Container trust policy (`/etc/containers/policy.json`) and registry search order (`/etc/containers/registries.conf`) are configured minimally in `configuration.nix` for skopeo — no full `virtualisation.containers` module needed.
|
||||
|
||||
## Pinned Service Versions
|
||||
|
||||
Versioned services (forgejo-runner, snowflake, k3s) are pinned via a `nixpkgs-services` overlay in `flake.nix`, separate from the rolling `nixpkgs` input. This prevents `nix flake update` from silently upgrading them. The Dagger `flake-update` pipeline excludes `nixpkgs-services` automatically. See [[review-services]] for the upgrade procedure.
|
||||
|
||||
## Maintenance Notes
|
||||
|
||||
**1Password:** Desktop app must be running for `op` CLI. Use `$mod+Shift+minus` to send to scratchpad.
|
||||
|
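Review bot: The new "Pinned Service Versions" paragraph says the pin stops `nix flake update` from upgrading forgejo-runner, snowflake and k3s and that the Dagger `flake-update` pipeline skips `nixpkgs-services`, but it does not say what now prompts an upgrade, so security fixes for these three services only arrive when someone bumps the pin by hand. Please add a sentence stating how often the pin is reviewed or what triggers that review, in addition to the [[review-services]] link. It would also help to name the file where the expected versions are recorded, so a reader can compare the running version against it; that mismatch is what motivated this change. Finally, the inline list of three services can drift from the overlay in `flake.nix`; consider pointing to the overlay as the authoritative list instead of repeating it here.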