yarn: move pull-update into steamos-update script

system/pull-update.nix

@@ -1,87 +0,0 @@
-# Pull-based NixOS updates for hosts that can't be pushed to reliably.
-# CI builds the system closure on muffin (which Harmonia serves), then
-# records the output store path at /deploy/<hostname>.  On boot this
-# service fetches that path, pulls the closure from the binary cache,
-# sets it as the boot profile, and reboots into it.
-#
-# Runs before the display manager so the user sees progress on the
-# console instead of staring at a frozen Steam loading screen.
-{
-  pkgs,
-  hostname,
-  lib,
-  ...
-}:
-let
-  deploy-url = "https://nix-cache.sigkill.computer/deploy/${hostname}";
-
-  pull-update = pkgs.writeShellApplication {
-    name = "pull-update";
-
-    runtimeInputs = with pkgs; [
-      pkgs.curl
-      pkgs.coreutils
-      pkgs.nix
-      pkgs.systemd
-      pkgs.util-linux
-    ];
-
-    text = ''
-      set -uo pipefail
-
-      # wait for actual connectivity, not just networkd "up"
-      for i in $(seq 1 30); do
-        if curl -sf --max-time 5 "${deploy-url}" >/dev/null; then
-          break
-        fi
-        echo "Waiting for network... ($i/30)"
-        sleep 2
-      done
-
-      STORE_PATH=$(curl -sf --max-time 30 "${deploy-url}" || true)
-
-      if [ -z "$STORE_PATH" ]; then
-        echo "Server unreachable or no deployment available, skipping"
-        exit 0
-      fi
-
-      CURRENT=$(readlink -f /nix/var/nix/profiles/system)
-      if [ "$CURRENT" = "$STORE_PATH" ]; then
-        echo "Already on latest configuration"
-        exit 0
-      fi
-
-      echo ""
-      echo "====================================="
-      echo " System update available. Installing."
-      echo "====================================="
-      echo ""
-
-      nix-store -r "$STORE_PATH" || { echo "Failed to fetch closure"; exit 1; }
-      nix-env -p /nix/var/nix/profiles/system --set "$STORE_PATH" || { echo "Failed to set profile"; exit 1; }
-      "$STORE_PATH/bin/switch-to-configuration" boot || { echo "Failed to install boot entry"; exit 1; }
-
-      echo ""
-      echo "Update installed. Rebooting..."
-      echo ""
-      systemctl reboot
-    '';
-  };
-in
-{
-  systemd.services.pull-update = {
-    description = "Pull latest NixOS configuration from binary cache";
-    after = [ "network-online.target" ];
-    wants = [ "network-online.target" ];
-    # run before the display manager so the message is visible on the console
-    before = [ "display-manager.service" ];
-    wantedBy = [ "multi-user.target" ];
-    restartIfChanged = false;
-    serviceConfig = {
-      Type = "oneshot";
-      ExecStart = lib.getExe pull-update;
-      StandardOutput = "journal+console";
-      StandardError = "journal+console";
-    };
-  };
-}

system/system-yarn.nix

@@ -11,7 +11,6 @@
     ./disk_yarn.nix
     ./common.nix
     ./impermanence.nix
-    ./pull-update.nix
     ./no-rgb.nix
     ./vr.nix
 
@@ -97,65 +96,102 @@
   # This prevents Steam from requesting reboots for "system updates"
   # Steam client updates will still work normally
   nixpkgs.overlays = [
-    (final: prev: {
-      jovian-stubs = prev.stdenv.mkDerivation {
-        name = "jovian-stubs-no-update";
-        dontUnpack = true;
-        installPhase = ''
-          mkdir -p $out/bin
+    (
+      final: prev:
+      let
+        deploy-url = "https://nix-cache.sigkill.computer/deploy/yarn";
 
-          # steamos-update: always report "no update available" (exit 7)
-          # This disables the kernel mismatch check that triggers reboot prompts
-          cat > $out/bin/steamos-update << 'STUB'
-          #!/bin/sh
-          >&2 echo "[JOVIAN] $0: stub called with: $* (system updates disabled)"
-          exit 7
-          STUB
+        steamos-update-script = final.writeShellScript "steamos-update" ''
+          export PATH=${
+            final.lib.makeBinPath [
+              final.curl
+              final.coreutils
+              final.nix
+            ]
+          }
 
-          # steamos-reboot: reboot the system
-          cat > $out/bin/steamos-reboot << 'STUB'
-          #!/bin/sh
-          >&2 echo "[JOVIAN] $0: stub called with: $*"
-          systemctl reboot
-          STUB
+          STORE_PATH=$(curl -sf --max-time 30 "${deploy-url}" || true)
 
-          # steamos-select-branch: no-op stub
-          cat > $out/bin/steamos-select-branch << 'STUB'
-          #!/bin/sh
-          >&2 echo "[JOVIAN] $0: stub called with: $*"
-          exit 0
-          STUB
+          if [ -z "$STORE_PATH" ]; then
+            >&2 echo "[steamos-update] server unreachable"
+            exit 7
+          fi
 
-          # steamos-factory-reset-config: no-op stub
-          cat > $out/bin/steamos-factory-reset-config << 'STUB'
-          #!/bin/sh
-          >&2 echo "[JOVIAN] $0: stub called with: $*"
-          exit 0
-          STUB
+          CURRENT=$(readlink -f /nix/var/nix/profiles/system)
+          if [ "$CURRENT" = "$STORE_PATH" ]; then
+            >&2 echo "[steamos-update] no update available"
+            exit 7
+          fi
 
-          # steamos-firmware-update: no-op stub
-          cat > $out/bin/steamos-firmware-update << 'STUB'
-          #!/bin/sh
-          >&2 echo "[JOVIAN] $0: stub called with: $*"
-          exit 0
-          STUB
+          # check-only mode: just report that an update exists
+          if [ "''${1:-}" = "check" ] || [ "''${1:-}" = "--check-only" ]; then
+            >&2 echo "[steamos-update] update available"
+            exit 0
+          fi
 
-          # pkexec: pass through to real pkexec
-          cat > $out/bin/pkexec << 'STUB'
-          #!/bin/sh
-          exec /run/wrappers/bin/pkexec "$@"
-          STUB
+          >&2 echo "[steamos-update] downloading update..."
+          nix-store -r "$STORE_PATH" || { >&2 echo "[steamos-update] fetch failed"; exit 1; }
 
-          # sudo: pass through to doas
-          cat > $out/bin/sudo << 'STUB'
-          #!/bin/sh
-          exec /run/wrappers/bin/doas "$@"
-          STUB
+          >&2 echo "[steamos-update] installing update..."
+          nix-env -p /nix/var/nix/profiles/system --set "$STORE_PATH" || { >&2 echo "[steamos-update] profile set failed"; exit 1; }
+          "$STORE_PATH/bin/switch-to-configuration" boot || { >&2 echo "[steamos-update] boot entry failed"; exit 1; }
 
-          chmod 755 $out/bin/*
+          >&2 echo "[steamos-update] update installed, reboot to apply"
         '';
-      };
-    })
+      in
+      {
+        jovian-stubs = prev.stdenv.mkDerivation {
+          name = "jovian-stubs";
+          dontUnpack = true;
+          installPhase = ''
+            mkdir -p $out/bin
+            ln -s ${steamos-update-script} $out/bin/steamos-update
+
+            # steamos-reboot: reboot the system
+            cat > $out/bin/steamos-reboot << 'STUB'
+            #!/bin/sh
+            >&2 echo "[JOVIAN] $0: stub called with: $*"
+            systemctl reboot
+            STUB
+
+            # steamos-select-branch: no-op stub
+            cat > $out/bin/steamos-select-branch << 'STUB'
+            #!/bin/sh
+            >&2 echo "[JOVIAN] $0: stub called with: $*"
+            exit 0
+            STUB
+
+            # steamos-factory-reset-config: no-op stub
+            cat > $out/bin/steamos-factory-reset-config << 'STUB'
+            #!/bin/sh
+            >&2 echo "[JOVIAN] $0: stub called with: $*"
+            exit 0
+            STUB
+
+            # steamos-firmware-update: no-op stub
+            cat > $out/bin/steamos-firmware-update << 'STUB'
+            #!/bin/sh
+            >&2 echo "[JOVIAN] $0: stub called with: $*"
+            exit 0
+            STUB
+
+            # pkexec: pass through to real pkexec
+            cat > $out/bin/pkexec << 'STUB'
+            #!/bin/sh
+            exec /run/wrappers/bin/pkexec "$@"
+            STUB
+
+            # sudo: pass through to doas
+            cat > $out/bin/sudo << 'STUB'
+            #!/bin/sh
+            exec /run/wrappers/bin/doas "$@"
+            STUB
+
+            chmod 755 $out/bin/*
+          '';
+        };
+      }
+    )
   ];
 
   jovian = {