yarn: rely on server for updates

2026-04-14 20:56:35 -04:00
parent 6254f98ca7
commit d2032e517b
6 changed files with 61 additions and 112 deletions
--- a/.gitea/workflows/deploy.yml
+++ b/.gitea/workflows/deploy.yml
@@ -1,10 +1,10 @@
-name: Build and Deploy
+name: Build
 on:
  push:
    branches: [main]
 jobs:
-  deploy:
+  build:
    runs-on: nix
    steps:
      - uses: https://github.com/actions/checkout@v4
@@ -18,22 +18,12 @@ jobs:
      - name: Build NixOS configuration (yarn)
        run: |
          nix build .#nixosConfigurations.yarn.config.system.build.toplevel -L
          mkdir -p /var/lib/dotfiles-deploy
          readlink -f result > /var/lib/dotfiles-deploy/yarn
      - name: Build NixOS configuration (mreow)
        run: |
          nix build .#nixosConfigurations.mreow.config.system.build.toplevel -L
      - name: Deploy to desktop
        run: |
          eval $(ssh-agent -s)
          ssh-add /run/agenix/ci-deploy-key
          if ssh -i /run/agenix/ci-deploy-key -o StrictHostKeyChecking=no -o ConnectTimeout=10 root@desktop "echo reachable" 2>/dev/null; then
            nix run github:serokell/deploy-rs -- .#yarn --ssh-opts="-o StrictHostKeyChecking=no"
            echo "Deploy to desktop succeeded"
          else
            echo "Desktop unreachable - skipping deploy. Build succeeded."
          fi
      - name: Notify success
        if: success()
        run: |
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -4,7 +4,7 @@
 NixOS dotfiles for two hosts using Nix flakes + home-manager:
 - **mreow** — Framework 13 AMD AI 300 laptop, niri WM, greetd, swaylock
- **yarn** — Desktop, Jovian-NixOS (Steam deck mode), impermanence, sddm, deploy-rs target
+- **yarn** — Desktop, Jovian-NixOS (Steam deck mode), impermanence, sddm, pull-based updates from CI
 Secrets in `system/secrets/` and `home-manager/secrets/` are encrypted with git-crypt. **Never read or write files in those directories.**
@@ -21,8 +21,10 @@ Secrets in `system/secrets/` and `home-manager/secrets/` are encrypted with git-
 nix build .#nixosConfigurations.mreow.config.system.build.toplevel -L
 nix build .#nixosConfigurations.yarn.config.system.build.toplevel -L
-# Remote deploy to yarn via deploy-rs
+# yarn pulls updates automatically on boot from the binary cache.
-deploy .#yarn
+# CI builds the yarn closure, records the store path, and Harmonia serves it.
 # To manually trigger the pull on yarn:
 systemctl start pull-update
 # Format all Nix files (uses nixfmt-tree, declared in flake.nix)
 nix fmt
--- a/flake.lock
+++ b/flake.lock
@@ -106,28 +106,6 @@
        "type": "github"
      }
    },
    "deploy-rs": {
      "inputs": {
        "flake-compat": "flake-compat",
        "nixpkgs": [
          "nixpkgs"
        ],
        "utils": "utils"
      },
      "locked": {
        "lastModified": 1770019181,
        "narHash": "sha256-hwsYgDnby50JNVpTRYlF3UR/Rrpt01OrxVuryF40CFY=",
        "owner": "serokell",
        "repo": "deploy-rs",
        "rev": "77c906c0ba56aabdbc72041bf9111b565cdd6171",
        "type": "github"
      },
      "original": {
        "owner": "serokell",
        "repo": "deploy-rs",
        "type": "github"
      }
    },
    "disko": {
      "inputs": {
        "nixpkgs": [
@@ -211,22 +189,6 @@
      }
    },
    "flake-compat": {
      "flake": false,
      "locked": {
        "lastModified": 1733328505,
        "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=",
        "owner": "edolstra",
        "repo": "flake-compat",
        "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec",
        "type": "github"
      },
      "original": {
        "owner": "edolstra",
        "repo": "flake-compat",
        "type": "github"
      }
    },
    "flake-compat_2": {
      "flake": false,
      "locked": {
        "lastModified": 1767039857,
@@ -242,7 +204,7 @@
        "type": "github"
      }
    },
-    "flake-compat_3": {
+    "flake-compat_2": {
      "flake": false,
      "locked": {
        "lastModified": 1767039857,
@@ -299,7 +261,7 @@
    },
    "flake-utils": {
      "inputs": {
-        "systems": "systems_2"
+        "systems": "systems"
      },
      "locked": {
        "lastModified": 1710146030,
@@ -470,7 +432,7 @@
        "nixpkgs": [
          "nixpkgs"
        ],
-        "systems": "systems_3",
+        "systems": "systems_2",
        "treefmt-nix": "treefmt-nix"
      },
      "locked": {
@@ -551,7 +513,7 @@
      "inputs": {
        "cachyos-kernel": "cachyos-kernel",
        "cachyos-kernel-patches": "cachyos-kernel-patches",
-        "flake-compat": "flake-compat_3",
+        "flake-compat": "flake-compat_2",
        "flake-parts": "flake-parts_2",
        "nixpkgs": [
          "nixpkgs"
@@ -581,7 +543,7 @@
        "nixpkgs": [
          "nixpkgs"
        ],
-        "systems": "systems_4"
+        "systems": "systems_3"
      },
      "locked": {
        "lastModified": 1776078956,
@@ -708,7 +670,7 @@
          "noctalia",
          "nixpkgs"
        ],
-        "systems": "systems_5",
+        "systems": "systems_4",
        "treefmt-nix": "treefmt-nix_2"
      },
      "locked": {
@@ -727,7 +689,7 @@
    },
    "pre-commit": {
      "inputs": {
-        "flake-compat": "flake-compat_2",
+        "flake-compat": "flake-compat",
        "gitignore": "gitignore",
        "nixpkgs": [
          "lanzaboote",
@@ -750,7 +712,6 @@
    },
    "root": {
      "inputs": {
        "deploy-rs": "deploy-rs",
        "disko": "disko",
        "emacs-overlay": "emacs-overlay",
        "firefox-addons": "firefox-addons",
@@ -837,21 +798,6 @@
      }
    },
    "systems_4": {
      "locked": {
        "lastModified": 1681028828,
        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
        "owner": "nix-systems",
        "repo": "default",
        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
        "type": "github"
      },
      "original": {
        "owner": "nix-systems",
        "repo": "default",
        "type": "github"
      }
    },
    "systems_5": {
      "locked": {
        "lastModified": 1689347949,
        "narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=",
@@ -909,24 +855,6 @@
        "type": "github"
      }
    },
    "utils": {
      "inputs": {
        "systems": "systems"
      },
      "locked": {
        "lastModified": 1731533236,
        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
        "owner": "numtide",
        "repo": "flake-utils",
        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "repo": "flake-utils",
        "type": "github"
      }
    },
    "xwayland-satellite-stable": {
      "flake": false,
      "locked": {
--- a/flake.nix
+++ b/flake.nix
@@ -63,12 +63,6 @@
      inputs.nixpkgs.follows = "nixpkgs";
      inputs.home-manager.follows = "home-manager";
    };
    deploy-rs = {
      url = "github:serokell/deploy-rs";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    jovian-nixos = {
      url = "github:Jovian-Experiments/Jovian-NixOS";
      inputs.nixpkgs.follows = "nixpkgs";
@@ -101,7 +95,6 @@
      lanzaboote,
      nixos-hardware,
      home-manager,
      deploy-rs,
      jovian-nixos,
      ...
    }@inputs:
@@ -158,14 +151,5 @@
          };
        }
      ) { } hostnames;
      # Deploy-rs configuration for yarn host only
      deploy.nodes.yarn = {
        hostname = "desktop";
        profiles.system = {
          sshUser = "root";
          path = deploy-rs.lib.${system}.activate.nixos self.nixosConfigurations.yarn;
        };
      };
    };
 }
--- a/system/pull-update.nix
+++ b/system/pull-update.nix
@@ -0,0 +1,44 @@
 # Pull-based NixOS updates for hosts that can't be pushed to reliably.
 # CI builds the system closure on muffin (which Harmonia serves), then
 # records the output store path at /deploy/<hostname>.  On boot this
 # service fetches that path, pulls the closure from the binary cache,
 # and activates it.
 { pkgs, hostname, ... }:
 let
  deploy-url = "https://nix-cache.sigkill.computer/deploy/${hostname}";
  pull-update = pkgs.writeShellScript "pull-update" ''
    set -euo pipefail
    STORE_PATH=$(${pkgs.lib.getExe pkgs.curl} -sf --max-time 30 "${deploy-url}" || true)
    if [ -z "$STORE_PATH" ]; then
      echo "Server unreachable or no deployment available, skipping"
      exit 0
    fi
    CURRENT=$(readlink -f /nix/var/nix/profiles/system)
    if [ "$CURRENT" = "$STORE_PATH" ]; then
      echo "Already on latest configuration"
      exit 0
    fi
    echo "Pulling update: $CURRENT -> $STORE_PATH"
    nix-store -r "$STORE_PATH"
    nix-env -p /nix/var/nix/profiles/system --set "$STORE_PATH"
    "$STORE_PATH/bin/switch-to-configuration" switch
    echo "Update applied"
  '';
 in
 {
  systemd.services.pull-update = {
    description = "Pull latest NixOS configuration from binary cache";
    after = [ "network-online.target" ];
    wants = [ "network-online.target" ];
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      Type = "oneshot";
      ExecStart = pull-update;
    };
  };
 }
--- a/system/system-yarn.nix
+++ b/system/system-yarn.nix
@@ -11,6 +11,7 @@
    ./disk_yarn.nix
    ./common.nix
    ./impermanence.nix
    ./pull-update.nix
    ./no-rgb.nix
    ./vr.nix