Unify container build workflows (#306)

## Summary
- Merges `build-container.yaml` and `build-container-nix.yaml` into a single workflow
- Detect job classifies each changed container by presence of `Dockerfile` and/or `default.nix`
- Dockerfile containers build on `k8s` (indri) via Dagger; Nix containers build on `nix-container-builder` (ringtail) via nix-build + skopeo
- Containers with both build files (alloy, nettest, ntfy) get built on both runners

## Test plan
- [ ] Push a change to a Dockerfile-only container (e.g. grafana) — verify it builds on k8s only
- [ ] Push a change to a nix-only container (e.g. jobsync) — verify it builds on nix-container-builder only
- [ ] Push a change to a dual container (e.g. ntfy) — verify it builds on both runners
- [ ] Test workflow_dispatch with a specific container name

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Reviewed-on: #306

docs/changelog.d/unify-container-workflows.infra.md

@@ -0,0 +1 @@
+Unified Dockerfile and Nix container build workflows into a single workflow that auto-classifies containers by build type and routes to the correct runner (k8s for Dockerfile, nix-container-builder for Nix). Removed nettest container (outgrown). Nix builds now require an explicit `version = "..."` declaration — no implicit nixpkgs fallback.

docs/how-to/deployment/build-container-image.md

@@ -117,7 +117,7 @@ Existing containers demonstrate several build approaches:
 | Multi-stage with Node + Go | [[#navidrome]] | Separate UI and backend build stages |
 | Multi-stage Elixir | [[#teslamate]] | Elixir release with Node assets |
 | Runtime tarball download | [[#kiwix-serve]] | Download pre-built binary with arch detection |
-| Nix `dockerTools` | [[#nettest-nix]] | `buildLayeredImage` with nixpkgs tools |
+| Nix `dockerTools` | [[#ntfy-nix]] | `buildLayeredImage` with nix-built app |
 
 ### transmission
 
@@ -139,9 +139,9 @@ Existing containers demonstrate several build approaches:
 
 `containers/kiwix-serve/Dockerfile` — Downloads a pre-built binary from upstream, with architecture detection for cross-platform support.
 
-### nettest (nix)
+### ntfy (nix)
 
-`containers/nettest/default.nix` — Uses `dockerTools.buildLayeredImage` with `buildEnv` to merge nixpkgs tools (curl, jq, dnsutils, bash). Runs alongside the existing Dockerfile; the nix variant is tagged `:version-nix` in the registry.
+`containers/ntfy/default.nix` — Builds ntfy from source using `buildGoModule` and packages it with `dockerTools.buildLayeredImage`. Runs alongside the existing Dockerfile; the nix variant is tagged `:version-nix` in the registry.
 
 ## Related
 

docs/how-to/zot/add-container-version-sync-check.md

@@ -30,7 +30,7 @@ A typer-based uv-script that iterates over `containers/*/` and validates five ru
 
 Scoping: by default only checks containers changed vs main. `--all-files` checks everything. If `service-versions.yaml` itself changed, all containers are checked.
 
-Blacklisted containers (utility images, not tracked services): `kubectl`, `nettest`.
+Blacklisted containers (utility images, not tracked services): `kubectl`.
 
 Container-to-service name mapping: `quartz` → `docs`, `kiwix-serve` → `kiwix`.
 

docs/how-to/zot/add-dagger-nix-build.md

@@ -15,7 +15,7 @@ Add Dagger functions for building nix container images and extracting version in
 
 ## Context
 
-Discovered during analysis of [[adopt-commit-based-container-tags]]: nix containers (authentik, ntfy, nettest) derive their bundled app version from the nixpkgs pin, not from an explicit declaration. To validate that a VERSION file matches the actual nix-built version, we need a way to query the version from nix.
+Discovered during analysis of [[adopt-commit-based-container-tags]]: nix containers (authentik, ntfy) derive their bundled app version from the nixpkgs pin, not from an explicit declaration. To validate that a VERSION file matches the actual nix-built version, we need a way to query the version from nix.
 
 Currently, nix containers can only be built on ringtail (the `nix-container-builder` runner). There is no local build path for developers — the only option is to push and wait for CI. Adding a Dagger-based nix build gives both local evaluation and version extraction.
 
@@ -84,7 +84,7 @@ The `flake_lock` function already demonstrates running nix inside Dagger using `
 
 ## Verification
 
-- [ ] `dagger call build-nix --src=. --container-name=nettest` produces a valid docker-archive tarball
+- [ ] `dagger call build-nix --src=. --container-name=ntfy` produces a valid docker-archive tarball
 - [ ] `dagger call nix-version --src=. --package=ntfy-sh` returns the correct version string
 - [ ] `dagger call nix-version --src=. --package=authentik` returns the Authentik version
 - [ ] Tarball from `build-nix` can be loaded with `docker load` and run locally

docs/how-to/zot/pin-container-versions.md

@@ -29,7 +29,6 @@ Specific changes:
 - **devpi**: Pinned devpi-server==6.19.1 and devpi-web==5.0.1
 - **cv**: `CONTAINER_APP_VERSION=1.0.3` (matches latest Forgejo package release)
 - **quartz**: `CONTAINER_APP_VERSION=1.28.2` (pinned nginx:1.28.2-alpine base)
-- **nettest**: `CONTAINER_APP_VERSION=0.1.0` (internal, no upstream)
 - **All others**: Existing versions carried forward with new uniform ARG pattern
 
 ## Key Files

docs/reference/tools/dagger.md

@@ -49,7 +49,7 @@ dagger call --interactive build --src=. --container-name=devpi
 dagger call publish --src=. --container-name=devpi --version=v1.1.0
 
 # Build a nix container (no local nix required)
-dagger call build-nix --src=. --container-name=nettest export --path=./nettest.tar.gz
+dagger call build-nix --src=. --container-name=ntfy export --path=./ntfy.tar.gz
 
 # Check a nixpkgs package version
 dagger call nix-version --package=authentik