deploy: potentially fix self-deploy issue?

flake.nix

@@ -415,7 +415,27 @@
           # want to avoid when the deploy is supposed to be a no-op blocked by
           # the guard. Blocking before the deploy-rs invocation is the only
           # clean way to leave the running system untouched.
-          path = deploy-rs.lib.${system}.activate.nixos self.nixosConfigurations.muffin;
+          #
+          # Activation uses `switch-to-configuration boot` + a detached finalize
+          # (modules/server-deploy-finalize.nix) rather than the default
+          # `switch`. The gitea-actions runner driving CI deploys lives on
+          # muffin itself; a direct `switch` restarts gitea-runner-muffin mid-
+          # activation, killing the SSH session, the CI job, and deploy-rs's
+          # magic-rollback handshake. `boot` only touches the bootloader — no
+          # service restarts — and deploy-finalize schedules a pid1-owned
+          # transient unit that runs the real `switch` (or `systemctl reboot`
+          # when kernel/initrd/kernel-modules changed) ~60s later, surviving
+          # runner restart because it's decoupled from the SSH session.
+          path =
+            deploy-rs.lib.${system}.activate.custom self.nixosConfigurations.muffin.config.system.build.toplevel
+              ''
+                # matches activate.nixos's workaround for NixOS/nixpkgs#73404
+                cd /tmp
+
+                $PROFILE/bin/switch-to-configuration boot
+
+                ${nixpkgs-stable.lib.getExe self.nixosConfigurations.muffin.config.system.build.deployFinalize}
+              '';
         };
       };