Add dagger to nix-container-builder runner hostPackages

The nix workflow's version extraction fallback (dagger call nix-version)
needs dagger available on the ringtail runner. hostPackages is scoped to
the runner's systemd unit PATH, not system-wide.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

docs/how-to/zot/install-dagger-on-nix-runner.md

@@ -1,7 +1,6 @@
 ---
 title: Install Dagger on Nix Runner
 modified: 2026-02-20
-status: active
 tags:
   - how-to
   - ci

docs/reference/infrastructure/ringtail.md

@@ -96,7 +96,6 @@ A native Forgejo Actions runner (`ringtail-nix-builder`) runs as a systemd servi
 | **Execution** | Host (no containers) |
 | **Token** | `/etc/forgejo-runner/token.env` (provisioned by Ansible) |
 | **Service unit** | `gitea-runner-nix_container_builder.service` |
-| **Host packages** | bash, coreutils, curl, gawk, git, gnused, jq, nodejs, wget, nix, skopeo |
 
 The runner resolves `<nixpkgs>` from the flake registry at build time. Container trust policy (`/etc/containers/policy.json`) and registry search order (`/etc/containers/registries.conf`) are configured minimally in `configuration.nix` for skopeo — no full `virtualisation.containers` module needed.
 

nixos/ringtail/configuration.nix

@@ -500,7 +500,7 @@ in
       tokenFile = "/etc/forgejo-runner/token.env";
       labels = [ "nix-container-builder:host" ];
       hostPackages = with pkgs; [
-        bash coreutils curl gawk gitMinimal gnused jq nodejs wget
+        bash coreutils curl dagger gawk gitMinimal gnused jq nodejs wget
         nix skopeo
       ];
       settings = {