diff --git a/system/pull-update.nix b/system/pull-update.nix
index c73ceb8..638e06f 100644
--- a/system/pull-update.nix
+++ b/system/pull-update.nix
@@ -9,8 +9,24 @@ let
 
   pull-update = pkgs.writeShellScript "pull-update" ''
     set -euo pipefail
+    export PATH=${
+      pkgs.lib.makeBinPath [
+        pkgs.curl
+        pkgs.coreutils
+        pkgs.nix
+      ]
+    }
 
-    STORE_PATH=$(${pkgs.lib.getExe pkgs.curl} -sf --max-time 30 "${deploy-url}" || true)
+    # wait for actual connectivity, not just networkd "up"
+    for i in $(seq 1 30); do
+      if curl -sf --max-time 5 "${deploy-url}" >/dev/null; then
+        break
+      fi
+      echo "Waiting for network... ($i/30)"
+      sleep 2
+    done
+
+    STORE_PATH=$(curl -sf --max-time 30 "${deploy-url}" || true)
 
     if [ -z "$STORE_PATH" ]; then
       echo "Server unreachable or no deployment available, skipping"
@@ -25,7 +41,10 @@ let
 
     echo "Pulling update: $CURRENT -> $STORE_PATH"
     nix-store -r "$STORE_PATH"
-    nix-env -p /nix/var/nix/profiles/system --set "$STORE_PATH"
+    if ! nix-env -p /nix/var/nix/profiles/system --set "$STORE_PATH"; then
+      echo "Profile locked (concurrent switch?), skipping"
+      exit 0
+    fi
     "$STORE_PATH/bin/switch-to-configuration" switch
     echo "Update applied"
   '';
@@ -36,6 +55,8 @@ in
     after = [ "network-online.target" ];
     wants = [ "network-online.target" ];
     wantedBy = [ "multi-user.target" ];
+    # don't restart when deploying a new config via nixos-rebuild
+    restartIfChanged = false;
     serviceConfig = {
       Type = "oneshot";
       ExecStart = pull-update;