yarn: rely on server for updates

system/pull-update.nix

@@ -0,0 +1,44 @@
+# Pull-based NixOS updates for hosts that can't be pushed to reliably.
+# CI builds the system closure on muffin (which Harmonia serves), then
+# records the output store path at /deploy/<hostname>.  On boot this
+# service fetches that path, pulls the closure from the binary cache,
+# and activates it.
+{ pkgs, hostname, ... }:
+let
+  deploy-url = "https://nix-cache.sigkill.computer/deploy/${hostname}";
+
+  pull-update = pkgs.writeShellScript "pull-update" ''
+    set -euo pipefail
+
+    STORE_PATH=$(${pkgs.lib.getExe pkgs.curl} -sf --max-time 30 "${deploy-url}" || true)
+
+    if [ -z "$STORE_PATH" ]; then
+      echo "Server unreachable or no deployment available, skipping"
+      exit 0
+    fi
+
+    CURRENT=$(readlink -f /nix/var/nix/profiles/system)
+    if [ "$CURRENT" = "$STORE_PATH" ]; then
+      echo "Already on latest configuration"
+      exit 0
+    fi
+
+    echo "Pulling update: $CURRENT -> $STORE_PATH"
+    nix-store -r "$STORE_PATH"
+    nix-env -p /nix/var/nix/profiles/system --set "$STORE_PATH"
+    "$STORE_PATH/bin/switch-to-configuration" switch
+    echo "Update applied"
+  '';
+in
+{
+  systemd.services.pull-update = {
+    description = "Pull latest NixOS configuration from binary cache";
+    after = [ "network-online.target" ];
+    wants = [ "network-online.target" ];
+    wantedBy = [ "multi-user.target" ];
+    serviceConfig = {
+      Type = "oneshot";
+      ExecStart = pull-update;
+    };
+  };
+}

system/system-yarn.nix

@@ -11,6 +11,7 @@
     ./disk_yarn.nix
     ./common.nix
     ./impermanence.nix
+    ./pull-update.nix
     ./no-rgb.nix
     ./vr.nix