diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml index 5905d63..b0f7ae3 100644 --- a/.gitea/workflows/deploy.yml +++ b/.gitea/workflows/deploy.yml @@ -1,10 +1,10 @@ -name: Build and Deploy +name: Build on: push: branches: [main] jobs: - deploy: + build: runs-on: nix steps: - uses: https://github.com/actions/checkout@v4 @@ -18,22 +18,12 @@ jobs: - name: Build NixOS configuration (yarn) run: | nix build .#nixosConfigurations.yarn.config.system.build.toplevel -L + mkdir -p /var/lib/dotfiles-deploy + readlink -f result > /var/lib/dotfiles-deploy/yarn - name: Build NixOS configuration (mreow) run: | nix build .#nixosConfigurations.mreow.config.system.build.toplevel -L - - - name: Deploy to desktop - run: | - eval $(ssh-agent -s) - ssh-add /run/agenix/ci-deploy-key - if ssh -i /run/agenix/ci-deploy-key -o StrictHostKeyChecking=no -o ConnectTimeout=10 root@desktop "echo reachable" 2>/dev/null; then - nix run github:serokell/deploy-rs -- .#yarn --ssh-opts="-o StrictHostKeyChecking=no" - echo "Deploy to desktop succeeded" - else - echo "Desktop unreachable - skipping deploy. Build succeeded." - fi - - name: Notify success if: success() run: | diff --git a/AGENTS.md b/AGENTS.md index ce5873b..b069751 100644 --- a/AGENTS.md +++ b/AGENTS.md @@ -4,7 +4,7 @@ NixOS dotfiles for two hosts using Nix flakes + home-manager: - **mreow** — Framework 13 AMD AI 300 laptop, niri WM, greetd, swaylock -- **yarn** — Desktop, Jovian-NixOS (Steam deck mode), impermanence, sddm, deploy-rs target +- **yarn** — Desktop, Jovian-NixOS (Steam deck mode), impermanence, sddm, pull-based updates from CI Secrets in `system/secrets/` and `home-manager/secrets/` are encrypted with git-crypt. **Never read or write files in those directories.** 
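Review bot: `readlink -f result > /var/lib/dotfiles-deploy/yarn` in the yarn build step truncates the pointer file before the new path lands in it, so a host whose pull-update service fetches during that window reads an empty or partial value rather than the previous good path. Write it atomically: `readlink -f result > /var/lib/dotfiles-deploy/yarn.tmp` followed by `mv /var/lib/dotfiles-deploy/yarn.tmp /var/lib/dotfiles-deploy/yarn`. This file is now the deployment trust boundary, and the step deserves a comment saying so: per the first hunk the workflow runs on every push to `main`, so anyone who can push there, or write to that directory on the runner, chooses the closure `yarn` activates as root on its next boot. The hunk does not show how Harmonia serves that directory or which key signs the cache, so whether the pointer and the closure it names are authenticated end to end cannot be confirmed from here.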
@@ -21,8 +21,10 @@ Secrets in `system/secrets/` and `home-manager/secrets/` are encrypted with git- nix build .#nixosConfigurations.mreow.config.system.build.toplevel -L nix build .#nixosConfigurations.yarn.config.system.build.toplevel -L -# Remote deploy to yarn via deploy-rs -deploy .#yarn +# yarn pulls updates automatically on boot from the binary cache. +# CI builds the yarn closure, records the store path, and Harmonia serves it. +# To manually trigger the pull on yarn: +systemctl start pull-update # Format all Nix files (uses nixfmt-tree, declared in flake.nix) nix fmt diff --git a/flake.lock b/flake.lock index 762dfa9..50fc7d7 100644 --- a/flake.lock +++ b/flake.lock @@ -106,28 +106,6 @@ "type": "github" } }, - "deploy-rs": { - "inputs": { - "flake-compat": "flake-compat", - "nixpkgs": [ - "nixpkgs" - ], - "utils": "utils" - }, - "locked": { - "lastModified": 1770019181, - "narHash": "sha256-hwsYgDnby50JNVpTRYlF3UR/Rrpt01OrxVuryF40CFY=", - "owner": "serokell", - "repo": "deploy-rs", - "rev": "77c906c0ba56aabdbc72041bf9111b565cdd6171", - "type": "github" - }, - "original": { - "owner": "serokell", - "repo": "deploy-rs", - "type": "github" - } - }, "disko": { "inputs": { "nixpkgs": [ @@ -211,22 +189,6 @@ } }, "flake-compat": { - "flake": false, - "locked": { - "lastModified": 1733328505, - "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=", - "owner": "edolstra", - "repo": "flake-compat", - "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec", - "type": "github" - }, - "original": { - "owner": "edolstra", - "repo": "flake-compat", - "type": "github" - } - }, - "flake-compat_2": { "flake": false, "locked": { "lastModified": 1767039857, @@ -242,7 +204,7 @@ "type": "github" } }, - "flake-compat_3": { + "flake-compat_2": { "flake": false, "locked": { "lastModified": 1767039857, @@ -299,7 +261,7 @@ }, "flake-utils": { "inputs": { - "systems": "systems_2" + "systems": "systems" }, "locked": { "lastModified": 1710146030, 
@@ -470,7 +432,7 @@ "nixpkgs": [ "nixpkgs" ], - "systems": "systems_3", + "systems": "systems_2", "treefmt-nix": "treefmt-nix" }, "locked": { @@ -551,7 +513,7 @@ "inputs": { "cachyos-kernel": "cachyos-kernel", "cachyos-kernel-patches": "cachyos-kernel-patches", - "flake-compat": "flake-compat_3", + "flake-compat": "flake-compat_2", "flake-parts": "flake-parts_2", "nixpkgs": [ "nixpkgs" @@ -581,7 +543,7 @@ "nixpkgs": [ "nixpkgs" ], - "systems": "systems_4" + "systems": "systems_3" }, "locked": { "lastModified": 1776078956, @@ -708,7 +670,7 @@ "noctalia", "nixpkgs" ], - "systems": "systems_5", + "systems": "systems_4", "treefmt-nix": "treefmt-nix_2" }, "locked": { @@ -727,7 +689,7 @@ }, "pre-commit": { "inputs": { - "flake-compat": "flake-compat_2", + "flake-compat": "flake-compat", "gitignore": "gitignore", "nixpkgs": [ "lanzaboote", @@ -750,7 +712,6 @@ }, "root": { "inputs": { - "deploy-rs": "deploy-rs", "disko": "disko", "emacs-overlay": "emacs-overlay", "firefox-addons": "firefox-addons", @@ -837,21 +798,6 @@ } }, "systems_4": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "systems_5": { "locked": { "lastModified": 1689347949, "narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=", @@ -909,24 +855,6 @@ "type": "github" } }, - "utils": { - "inputs": { - "systems": "systems" - }, - "locked": { - "lastModified": 1731533236, - "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, "xwayland-satellite-stable": { "flake": false, "locked": { 
diff --git a/flake.nix b/flake.nix index 9ad3e0b..16f4aa3 100644 --- a/flake.nix +++ b/flake.nix @@ -63,12 +63,6 @@ inputs.nixpkgs.follows = "nixpkgs"; inputs.home-manager.follows = "home-manager"; }; - - deploy-rs = { - url = "github:serokell/deploy-rs"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - jovian-nixos = { url = "github:Jovian-Experiments/Jovian-NixOS"; inputs.nixpkgs.follows = "nixpkgs"; @@ -101,7 +95,6 @@ lanzaboote, nixos-hardware, home-manager, - deploy-rs, jovian-nixos, ... }@inputs: @@ -158,14 +151,5 @@ }; } ) { } hostnames; - - # Deploy-rs configuration for yarn host only - deploy.nodes.yarn = { - hostname = "desktop"; - profiles.system = { - sshUser = "root"; - path = deploy-rs.lib.${system}.activate.nixos self.nixosConfigurations.yarn; - }; - }; }; } diff --git a/system/pull-update.nix b/system/pull-update.nix new file mode 100644 index 0000000..c73ceb8 --- /dev/null +++ b/system/pull-update.nix 
@@ -0,0 +1,44 @@
+# Pull-based NixOS updates for hosts that can't be pushed to reliably.
+# CI builds the system closure on muffin (which Harmonia serves), then
+# records the output store path at /deploy/. On boot this
+# service fetches that path, pulls the closure from the binary cache,
+# and activates it.
+{ pkgs, hostname, ... }:
+let
+ deploy-url = "https://nix-cache.sigkill.computer/deploy/${hostname}";
+
+ pull-update = pkgs.writeShellScript "pull-update" ''
+ set -euo pipefail
+
+ STORE_PATH=$(${pkgs.lib.getExe pkgs.curl} -sf --max-time 30 "${deploy-url}" || true)
+
+ if [ -z "$STORE_PATH" ]; then
+ echo "Server unreachable or no deployment available, skipping"
+ exit 0
+ fi
+
+ CURRENT=$(readlink -f /nix/var/nix/profiles/system)
+ if [ "$CURRENT" = "$STORE_PATH" ]; then
+ echo "Already on latest configuration"
+ exit 0
+ fi
+
+ echo "Pulling update: $CURRENT -> $STORE_PATH"
+ nix-store -r "$STORE_PATH"
+ nix-env -p /nix/var/nix/profiles/system --set "$STORE_PATH"
+ "$STORE_PATH/bin/switch-to-configuration" switch
+ echo "Update applied"
+ '';
+in
+{
+ systemd.services.pull-update = {
+ description = "Pull latest NixOS configuration from binary cache";
+ after = [ "network-online.target" ];
+ wants = [ "network-online.target" ];
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ Type = "oneshot";
+ ExecStart = pull-update;
+ };
+ };
+}
diff --git a/system/system-yarn.nix b/system/system-yarn.nix
index 8b0f064..2be8e6a 100644
--- a/system/system-yarn.nix
+++ b/system/system-yarn.nix
@@ -11,6 +11,7 @@
 ./disk_yarn.nix
 ./common.nix
 ./impermanence.nix
+ ./pull-update.nix
 ./no-rgb.nix
 ./vr.nix
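Review bot: `STORE_PATH` is taken straight from the HTTP body and, after the emptiness check, handed to `nix-store -r` and then executed as root via `"$STORE_PATH/bin/switch-to-configuration" switch`, with no check that it is a single well-formed store path for this host; a 200 response carrying an error page, a multi-line body, or a path outside `/nix/store` all reach those lines. Add a shape check right after the emptiness test, e.g. `case "$STORE_PATH" in /nix/store/*-nixos-system-${hostname}-*) ;; *) echo "Rejecting unexpected deploy pointer: $STORE_PATH" >&2; exit 1 ;; esac` (the toplevel is named `nixos-system-<hostName>-<label>`, so this also stops one host being pointed at another host's closure, assuming `hostname` here equals `networking.hostName`). Note in the header comment that the pointer itself is unauthenticated: `nix-store -r` verifies the substituted paths' signatures only if the cache key is in the host's trusted keys, which this hunk does not show, and even then it cannot tell a legitimate update from the endpoint being set to an older, still validly-signed closure. Whoever controls the `/deploy/` endpoint therefore controls what this host runs as root on every boot, and the comment should say so.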