deploy guard: expose binary

deploy.sh

@@ -13,6 +13,13 @@
 # the remote deploy via deploy-rs when explicitly named.
 #
 # DEPLOY_GUARD_FORCE=1 is equivalent to passing --force.
+#
+# The preflight builds the guard derivation locally, copies it to muffin's
+# nix store, then invokes it by /nix/store path over SSH as root (so the
+# jellyfin check can read /run/agenix/jellyfin-api-key). Building the exact
+# binary we're about to deploy avoids the bootstrap gap where
+# /run/current-system/sw/bin/deploy-guard-check may not yet exist on the target
+# (first deploy of the feature, post-rollback wiping it, etc).
 
 set -eu
 
@@ -30,11 +37,15 @@ case "$arg" in
     if [ "$force" = "1" ]; then
       echo "deploy-guard: preflight skipped (--force)"
     else
-      # Single SSH probe. Exit 255 is a connectivity failure; treat as a hard
-      # abort — without the preflight there is no other gate that prevents
-      # deploy-rs from partially activating while users are online.
+      echo "deploy-guard: building preflight binary..."
+      guard=$(nix build --no-link --print-out-paths \
+        '.#nixosConfigurations.muffin.config.system.build.deployGuardCheck')
+
+      echo "deploy-guard: copying to muffin..."
+      nix copy --to ssh-ng://root@server-public "$guard"
+
       output=$(ssh -o BatchMode=yes -o ConnectTimeout=5 \
-        root@server-public deploy-guard-check 2>&1) && rc=0 || rc=$?
+        root@server-public "$guard/bin/deploy-guard-check" 2>&1) && rc=0 || rc=$?
 
       if [ "$rc" -eq 0 ]; then
         [ -n "$output" ] && printf '%s\n' "$output"