diff --git a/system/pull-update.nix b/system/pull-update.nix
index 638e06f..f7b108e 100644
--- a/system/pull-update.nix
+++ b/system/pull-update.nix
@@ -2,18 +2,20 @@
 # CI builds the system closure on muffin (which Harmonia serves), then
 # records the output store path at /deploy/<hostname>.  On boot this
 # service fetches that path, pulls the closure from the binary cache,
-# and activates it.
+# sets it as the boot profile, and reboots into it.
 { pkgs, hostname, ... }:
 let
   deploy-url = "https://nix-cache.sigkill.computer/deploy/${hostname}";
 
   pull-update = pkgs.writeShellScript "pull-update" ''
-    set -euo pipefail
+    set -uo pipefail
     export PATH=${
       pkgs.lib.makeBinPath [
         pkgs.curl
         pkgs.coreutils
         pkgs.nix
+        pkgs.systemd
+        pkgs.util-linux
       ]
     }
 
@@ -39,14 +41,15 @@ let
       exit 0
     fi
 
-    echo "Pulling update: $CURRENT -> $STORE_PATH"
-    nix-store -r "$STORE_PATH"
-    if ! nix-env -p /nix/var/nix/profiles/system --set "$STORE_PATH"; then
-      echo "Profile locked (concurrent switch?), skipping"
-      exit 0
-    fi
-    "$STORE_PATH/bin/switch-to-configuration" switch
-    echo "Update applied"
+    echo "Update available: $CURRENT -> $STORE_PATH"
+
+    nix-store -r "$STORE_PATH" || { echo "Failed to fetch closure"; exit 1; }
+    nix-env -p /nix/var/nix/profiles/system --set "$STORE_PATH" || { echo "Failed to set profile"; exit 1; }
+    "$STORE_PATH/bin/switch-to-configuration" boot || { echo "Failed to install boot entry"; exit 1; }
+
+    wall "System update installed. Rebooting in 10 seconds..."
+    sleep 10
+    systemctl reboot
   '';
 in
 {
@@ -55,7 +58,6 @@ in
     after = [ "network-online.target" ];
     wants = [ "network-online.target" ];
     wantedBy = [ "multi-user.target" ];
-    # don't restart when deploying a new config via nixos-rebuild
     restartIfChanged = false;
     serviceConfig = {
       Type = "oneshot";