Add dagger to nix-container-builder runner (#234)

## Summary
- Add `dagger` to `hostPackages` for the ringtail nix-container-builder runner
- Needed for `dagger call nix-version` fallback in the nix build workflow (authentik)
- `hostPackages` is scoped to the runner's systemd unit PATH, not system-wide
- Marks `install-dagger-on-nix-runner` Mikado card complete

## Deployment and Testing
- [ ] Merge, then `mise run provision-ringtail`
- [ ] `mise run container-build-and-release authentik` to verify nix build succeeds

Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/234

docs/how-to/zot/install-dagger-on-nix-runner.md

@@ -1,7 +1,6 @@
 ---
 title: Install Dagger on Nix Runner
 modified: 2026-02-20
-status: active
 tags:
   - how-to
   - ci

docs/reference/infrastructure/ringtail.md

@@ -96,7 +96,6 @@ A native Forgejo Actions runner (`ringtail-nix-builder`) runs as a systemd servi
 | **Execution** | Host (no containers) |
 | **Token** | `/etc/forgejo-runner/token.env` (provisioned by Ansible) |
 | **Service unit** | `gitea-runner-nix_container_builder.service` |
-| **Host packages** | bash, coreutils, curl, gawk, git, gnused, jq, nodejs, wget, nix, skopeo |
 
 The runner resolves `<nixpkgs>` from the flake registry at build time. Container trust policy (`/etc/containers/policy.json`) and registry search order (`/etc/containers/registries.conf`) are configured minimally in `configuration.nix` for skopeo — no full `virtualisation.containers` module needed.
 

nixos/ringtail/configuration.nix

@@ -500,7 +500,7 @@ in
       tokenFile = "/etc/forgejo-runner/token.env";
       labels = [ "nix-container-builder:host" ];
       hostPackages = with pkgs; [
-        bash coreutils curl gawk gitMinimal gnused jq nodejs wget
+        bash coreutils curl dagger gawk gitMinimal gnused jq nodejs wget
         nix skopeo
       ];
       settings = {