diff --git a/docs/how-to/how-to.md b/docs/how-to/how-to.md index fc58ac6..09593d1 100644 --- a/docs/how-to/how-to.md +++ b/docs/how-to/how-to.md @@ -74,6 +74,7 @@ Mikado chain for hardening the zot registry. Track progress with `mise run docs- - [[enforce-tag-immutability]] - [[adopt-commit-based-container-tags]] - [[add-container-version-sync-check]] +- [[install-dagger-on-nix-runner]] - [[pin-container-versions]] - [[add-dagger-nix-build]] - [[fix-ntfy-nix-version]] diff --git a/docs/how-to/zot/adopt-commit-based-container-tags.md b/docs/how-to/zot/adopt-commit-based-container-tags.md index 785f066..ff65149 100644 --- a/docs/how-to/zot/adopt-commit-based-container-tags.md +++ b/docs/how-to/zot/adopt-commit-based-container-tags.md @@ -1,8 +1,10 @@ --- title: Adopt Commit-Based Container Tags modified: 2026-02-20 +status: active requires: - add-container-version-sync-check + - install-dagger-on-nix-runner tags: - how-to - containers diff --git a/docs/how-to/zot/install-dagger-on-nix-runner.md b/docs/how-to/zot/install-dagger-on-nix-runner.md new file mode 100644 index 0000000..2c5c502 --- /dev/null +++ b/docs/how-to/zot/install-dagger-on-nix-runner.md 
@@ -0,0 +1,40 @@ +--- +title: Install Dagger on Nix Runner +modified: 2026-02-20 +status: active +tags: + - how-to + - ci + - zot +--- + +# Install Dagger on Nix Runner + +Install the Dagger CLI on the ringtail nix-container-builder runner so that the nix container build workflow can use `dagger call nix-version` to extract package versions from nixpkgs. + +## Context + +The `build-container-nix.yaml` workflow extracts container versions in this order: + +1. `version = "..."` from `default.nix` (e.g. ntfy) +2. `ARG CONTAINER_APP_VERSION=` from Dockerfile (e.g. nettest) +3. `dagger call nix-version --package=` for nixpkgs packages (e.g. authentik) + +Step 3 fails on the ringtail nix runner because dagger is not installed. The runner currently only has nix, skopeo, and jq. + +## What to Do + +1. Add `dagger` to the ringtail nix runner environment in `nixos/ringtail/configuration.nix` (or equivalent) +2. Verify `dagger` is available in the runner's PATH +3. Re-run `mise run container-build-and-release authentik` to confirm the nix build succeeds + +## Verification + +- [ ] `ssh ringtail 'which dagger'` returns a path +- [ ] Authentik nix build workflow completes successfully +- [ ] `dagger call nix-version --package=authentik` works on the runner + +## Related + +- [[adopt-commit-based-container-tags]] — Parent card +- [[harden-zot-registry]] — Root goal
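Review bot: in docs/how-to/zot/adopt-commit-based-container-tags.md the card gains `status: active` in the same change that adds `install-dagger-on-nix-runner` to `requires`, and that new card is itself `status: active` with every Verification box still unchecked. If the status field is meant to show which card can be worked on now, marking both active hides that this one is waiting on the Dagger install. Consider leaving the status off here, or using whatever value the chain uses for a card with open prerequisites, until the new card is done.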
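Review bot: in docs/how-to/zot/install-dagger-on-nix-runner.md the first Verification item, `ssh ringtail 'which dagger'`, checks the PATH of an SSH login shell rather than the environment the nix-container-builder runner gives its jobs, so it can pass while the `dagger call nix-version` step in `build-container-nix.yaml` still fails. Suggest checking from a workflow job on that runner instead, for example a step that runs `command -v dagger`, and keeping the SSH check only as a secondary hint. Step 1 under "What to Do" also leaves the target as `nixos/ringtail/configuration.nix` (or equivalent) and names no Dagger version; since this card sits in the zot hardening chain next to `pin-container-versions`, state the actual file and the version or nixpkgs revision the runner should get, so the build tool on the runner is as reproducible as the containers it builds.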