Add install-dagger-on-nix-runner Mikado card

The nix-container-builder runner on ringtail lacks dagger, which is needed for the nix workflow's version extraction fallback (dagger call nix-version). Re-opens adopt-commit-based-container-tags with this new prerequisite. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-20 23:01:22 -08:00 · 2026-02-20 23:01:22 -08:00 · b64de7a84b
commit b64de7a84b
parent ffa8727660
3 changed files with 43 additions and 0 deletions
--- a/docs/how-to/how-to.md
+++ b/docs/how-to/how-to.md
@ -74,6 +74,7 @@ Mikado chain for hardening the zot registry. Track progress with `mise run docs-
 - [[enforce-tag-immutability]]
 - [[adopt-commit-based-container-tags]]
 - [[add-container-version-sync-check]]
+- [[install-dagger-on-nix-runner]]
 - [[pin-container-versions]]
 - [[add-dagger-nix-build]]
 - [[fix-ntfy-nix-version]]
--- a/docs/how-to/zot/adopt-commit-based-container-tags.md
+++ b/docs/how-to/zot/adopt-commit-based-container-tags.md
@ -1,8 +1,10 @@
 ---
 title: Adopt Commit-Based Container Tags
 modified: 2026-02-20
+status: active
 requires:
  - add-container-version-sync-check
+  - install-dagger-on-nix-runner
 tags:
  - how-to
  - containers
--- a/docs/how-to/zot/install-dagger-on-nix-runner.md
+++ b/docs/how-to/zot/install-dagger-on-nix-runner.md
@ -0,0 +1,40 @@
+---
+title: Install Dagger on Nix Runner
+modified: 2026-02-20
+status: active
+tags:
+  - how-to
+  - ci
+  - zot
+---
+
+# Install Dagger on Nix Runner
+
+Install the Dagger CLI on the ringtail nix-container-builder runner so that the nix container build workflow can use `dagger call nix-version` to extract package versions from nixpkgs.
+
+## Context
+
+The `build-container-nix.yaml` workflow extracts container versions in this order:
+
+1. `version = "..."` from `default.nix` (e.g. ntfy)
+2. `ARG CONTAINER_APP_VERSION=` from Dockerfile (e.g. nettest)
+3. `dagger call nix-version --package=<name>` for nixpkgs packages (e.g. authentik)
+
+Step 3 fails on the ringtail nix runner because dagger is not installed. The runner currently only has nix, skopeo, and jq.
+
+## What to Do
+
+1. Add `dagger` to the ringtail nix runner environment in `nixos/ringtail/configuration.nix` (or equivalent)
+2. Verify `dagger` is available in the runner's PATH
+3. Re-run `mise run container-build-and-release authentik` to confirm the nix build succeeds
+
+## Verification
+
+- [ ] `ssh ringtail 'which dagger'` returns a path
+- [ ] Authentik nix build workflow completes successfully
+- [ ] `dagger call nix-version --package=authentik` works on the runner
+
+## Related
+
+- [[adopt-commit-based-container-tags]] — Parent card
+- [[harden-zot-registry]] — Root goal