Add Nix container build for nettest

Create containers/nettest/default.nix using dockerTools.buildLayeredImage
with the same tools as the Dockerfile (curl, jq, dnsutils, cacert, bash).
Update container-list and container-tag-and-release to handle containers
that have both a Dockerfile and default.nix, requiring --nix or --dockerfile
flag when both exist.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

containers/nettest/default.nix

@@ -0,0 +1,38 @@
+# Nix-built nettest container
+# Equivalent to the Dockerfile: curl, jq, bind (nslookup), ca-certs, bash
+# Built with dockerTools.buildLayeredImage for efficient layer caching
+{ pkgs ? import <nixpkgs> { system = "aarch64-linux"; } }:
+
+let
+  testScript = ./test-connectivity.sh;
+
+  tools = pkgs.buildEnv {
+    name = "nettest-tools";
+    paths = [
+      pkgs.curl
+      pkgs.jq
+      pkgs.dnsutils # provides nslookup, dig
+      pkgs.cacert
+      pkgs.coreutils
+      pkgs.bashInteractive
+    ];
+  };
+in
+pkgs.dockerTools.buildLayeredImage {
+  name = "blumeops/nettest";
+  tag = "latest";
+
+  contents = [ tools ];
+
+  extraCommands = ''
+    cp ${testScript} test-connectivity.sh
+    chmod +x test-connectivity.sh
+  '';
+
+  config = {
+    Entrypoint = [ "/bin/bash" "/test-connectivity.sh" ];
+    Env = [
+      "SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
+    ];
+  };
+}

docs/changelog.d/feature-nettest-nix-container.feature.md

@@ -0,0 +1 @@
+Added Nix container build for nettest, validating the full nix-container-builder pipeline on ringtail. Updated container-list and container-tag-and-release to support containers with both Dockerfile and default.nix.

mise-tasks/container-list

@@ -14,20 +14,26 @@ echo ""
 for dir in "$CONTAINER_DIR"/*/; do
     [[ -d "$dir" ]] || continue
 
-    # Determine build type
-    if [[ -f "$dir/default.nix" ]]; then
-        build_type="nix"
-    elif [[ -f "$dir/Dockerfile" ]]; then
-        build_type="dockerfile"
-    else
-        continue
-    fi
+    # Determine available build types
+    has_dockerfile=false
+    has_nix=false
+    [[ -f "$dir/Dockerfile" ]] && has_dockerfile=true
+    [[ -f "$dir/default.nix" ]] && has_nix=true
+
+    # Skip directories with no build files
+    $has_dockerfile || $has_nix || continue
+
+    # Build type label
+    types=()
+    $has_dockerfile && types+=("dockerfile")
+    $has_nix && types+=("nix")
+    label=$(IFS=+; echo "${types[*]}")
 
     # Extract container name from directory
     container=$(basename "$dir")
     image="blumeops/$container"
 
-    echo "[$build_type] $container"
+    echo "[$label] $container"
     echo "   Image: $REGISTRY/$image"
     echo "   Path: $dir"
 
@@ -48,6 +54,8 @@ done
 echo "---"
 echo "To release a new version:"
 echo "  mise run container-tag-and-release <container> <version>"
+echo "  mise run container-tag-and-release <container> <version> --nix        # nix build"
+echo "  mise run container-tag-and-release <container> <version> --dockerfile # dockerfile build"
 echo ""
 echo "Example:"
 echo "  mise run container-tag-and-release nettest v1.0.0"

mise-tasks/container-tag-and-release

@@ -5,9 +5,13 @@ set -euo pipefail
 
 CONTAINER="${1:-}"
 VERSION="${2:-}"
+BUILD_TYPE_FLAG="${3:-}"
 
 if [[ -z "$CONTAINER" || -z "$VERSION" ]]; then
-    echo "Usage: mise run container-tag-and-release <container> <version>"
+    echo "Usage: mise run container-tag-and-release <container> <version> [--nix|--dockerfile]"
+    echo ""
+    echo "When a container has both a Dockerfile and default.nix, you must specify"
+    echo "the build type with --nix or --dockerfile."
     echo ""
     echo "Run 'mise run container-list' to see available containers and recent tags."
     exit 1
@@ -21,28 +25,57 @@ fi
 
 # Determine build type: Nix or Dockerfile
 CONTAINER_DIR="containers/${CONTAINER}"
-if [[ -f "$CONTAINER_DIR/default.nix" ]]; then
-    BUILD_TYPE="nix"
-    TAG="${CONTAINER}-nix-${VERSION}"
-elif [[ -f "$CONTAINER_DIR/Dockerfile" ]]; then
-    BUILD_TYPE="dockerfile"
-    TAG="${CONTAINER}-${VERSION}"
-else
+HAS_NIX=false
+HAS_DOCKERFILE=false
+
+[[ -f "$CONTAINER_DIR/default.nix" ]] && HAS_NIX=true
+[[ -f "$CONTAINER_DIR/Dockerfile" ]] && HAS_DOCKERFILE=true
+
+if ! $HAS_NIX && ! $HAS_DOCKERFILE; then
     echo "Error: No Dockerfile or default.nix found in '$CONTAINER_DIR'"
     echo ""
     echo "Available containers:"
     for dir in containers/*/; do
         [[ -d "$dir" ]] || continue
         name=$(basename "$dir")
-        if [[ -f "$dir/default.nix" ]]; then
-            echo "  - $name (nix)"
-        elif [[ -f "$dir/Dockerfile" ]]; then
-            echo "  - $name (dockerfile)"
-        fi
+        types=()
+        [[ -f "$dir/Dockerfile" ]] && types+=("dockerfile")
+        [[ -f "$dir/default.nix" ]] && types+=("nix")
+        [[ ${#types[@]} -gt 0 ]] && echo "  - $name ($(IFS=, ; echo "${types[*]}"))"
     done
     exit 1
 fi
 
+if $HAS_NIX && $HAS_DOCKERFILE; then
+    # Both exist — require explicit flag
+    case "$BUILD_TYPE_FLAG" in
+        --nix)
+            BUILD_TYPE="nix"
+            ;;
+        --dockerfile)
+            BUILD_TYPE="dockerfile"
+            ;;
+        *)
+            echo "Error: '$CONTAINER' has both a Dockerfile and default.nix."
+            echo ""
+            echo "Specify the build type:"
+            echo "  mise run container-tag-and-release $CONTAINER $VERSION --nix"
+            echo "  mise run container-tag-and-release $CONTAINER $VERSION --dockerfile"
+            exit 1
+            ;;
+    esac
+elif $HAS_NIX; then
+    BUILD_TYPE="nix"
+elif $HAS_DOCKERFILE; then
+    BUILD_TYPE="dockerfile"
+fi
+
+if [[ "$BUILD_TYPE" == "nix" ]]; then
+    TAG="${CONTAINER}-nix-${VERSION}"
+else
+    TAG="${CONTAINER}-${VERSION}"
+fi
+
 echo "Creating release tag: $TAG"
 echo "Build type: $BUILD_TYPE"
 echo ""