Add Dagger flake-lock function and improve provision-ringtail

- New `flake-lock` Dagger function: runs `nix flake lock` in a nixos/nix container, returns the updated flake.lock file. - provision-ringtail now: updates flake.lock via Dagger before deploy, verifies current commit is pushed to forge, and passes the exact commit SHA to the ansible playbook. - Playbook accepts `ringtail_commit` var to deploy a specific ref. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-18 10:21:29 -08:00 · 2026-02-18 10:21:29 -08:00 · df5d1bae4d
commit df5d1bae4d
parent 1f97c5498e
3 changed files with 40 additions and 2 deletions
--- a/.dagger/src/blumeops_ci/main.py
+++ b/.dagger/src/blumeops_ci/main.py
@ -1,6 +1,8 @@
 import dagger
 from dagger import dag, function, object_type

+NIX_IMAGE = "nixos/nix:2.33.3"
+

@object_type
 class BlumeopsCi:
@ -67,3 +69,17 @@ class BlumeopsCi:
            )
            .file(f"/docs-{version}.tar.gz")
        )
+
+    @function
+    async def flake_lock(
+        self, src: dagger.Directory, flake_path: str = "nixos/ringtail"
+    ) -> dagger.File:
+        """Resolve flake inputs and return updated flake.lock."""
+        return await (
+            dag.container()
+            .from_(NIX_IMAGE)
+            .with_directory("/workspace", src)
+            .with_workdir(f"/workspace/{flake_path}")
+            .with_exec(["nix", "flake", "lock", "--accept-flake-config"])
+            .file(f"/workspace/{flake_path}/flake.lock")
+        )
--- a/ansible/playbooks/ringtail.yml
+++ b/ansible/playbooks/ringtail.yml
@ -8,7 +8,7 @@
      ansible.builtin.git:
        repo: "https://forge.ops.eblu.me/eblume/blumeops.git"
        dest: /etc/blumeops
-        version: main
+        version: "{{ ringtail_commit | default('main') }}"
        force: true
      register: _repo

--- a/mise-tasks/provision-ringtail
+++ b/mise-tasks/provision-ringtail
@ -5,5 +5,27 @@ set -euo pipefail

 export MISE_TASK_OUTPUT=interleave

+# Update flake.lock via Dagger before deploying
+echo "Updating nixos/ringtail/flake.lock..."
+dagger call flake-lock --src=. --flake-path=nixos/ringtail \
+    export --path=nixos/ringtail/flake.lock
+
+if ! git diff --quiet nixos/ringtail/flake.lock; then
+    git add nixos/ringtail/flake.lock
+    echo "flake.lock changed and staged. Commit, push, and re-run."
+    exit 1
+fi
+
+COMMIT=$(git rev-parse HEAD)
+REMOTE_REF=$(git ls-remote origin "$(git rev-parse --abbrev-ref HEAD)" 2>/dev/null | awk '{print $1}')
+
+if [[ "$REMOTE_REF" != "$COMMIT" ]]; then
+    echo "ERROR: Current commit $COMMIT is not pushed to forge."
+    echo "Push your changes first: git push"
+    exit 1
+fi
+
+echo "Deploying commit $COMMIT to ringtail..."
+
 cd ansible
-ansible-playbook playbooks/ringtail.yml "$@"
+ansible-playbook playbooks/ringtail.yml -e "ringtail_commit=$COMMIT" "$@"