muffin: test, move to 6.18

- modules/desktop-jovian.nix: shared Jovian deck-mode config (unfree
  predicate, jovian.steam, sddm, gamescope override, imports
  desktop-steam-update.nix)
- home/progs/steam-shortcuts.nix: declarative non-Steam shortcuts
  (Prism Launcher); add new entries here for all Jovian hosts
- hosts/yarn/default.nix: reduced to host-specific config only
- hosts/patiodeck/default.nix: same

flake.nix

@@ -376,6 +376,7 @@
       nixosConfigurations = {
         mreow = mkDesktopHost "mreow";
         yarn = mkDesktopHost "yarn";
+        patiodeck = mkDesktopHost "patiodeck";
         muffin = muffinHost;
       };
 

home/progs/steam-shortcuts.nix

@@ -0,0 +1,29 @@
+# Declarative non-Steam game shortcuts for the Steam library.
+# Add entries to the `shortcuts` list to have them appear in Steam's UI.
+{
+  pkgs,
+  inputs,
+  lib,
+  ...
+}:
+{
+  imports = [
+    inputs.json2steamshortcut.homeModules.default
+  ];
+
+  services.steam-shortcuts = {
+    enable = true;
+    overwriteExisting = true;
+    steamUserId = lib.strings.toInt (
+      lib.strings.trim (builtins.readFile ../../secrets/home/steam-user-id)
+    );
+    shortcuts = [
+      {
+        AppName = "Prism Launcher";
+        Exe = "${pkgs.prismlauncher}/bin/prismlauncher";
+        Icon = "${pkgs.prismlauncher}/share/icons/hicolor/scalable/apps/org.prismlauncher.PrismLauncher.svg";
+        Tags = [ "Game" ];
+      }
+    ];
+  };
+}

hosts/muffin/default.nix

@@ -145,7 +145,7 @@
     # 6.12 LTS until 2027-03. Kernel 6.18 causes a reproducible ZFS deadlock
     # in dbuf_evict due to page allocator changes (__free_frozen_pages).
     # https://github.com/openzfs/zfs/issues/18426
-    kernelPackages = pkgs.linuxPackages_6_12;
+    kernelPackages = pkgs.linuxPackages_6_18;
 
     loader = {
       # Use the systemd-boot EFI boot loader.

hosts/patiodeck/default.nix

@@ -0,0 +1,38 @@
+{
+  username,
+  inputs,
+  site_config,
+  ...
+}:
+{
+  imports = [
+    ../../modules/desktop-common.nix
+    ../../modules/desktop-jovian.nix
+    ./disk.nix
+    ./impermanence.nix
+
+    inputs.impermanence.nixosModules.impermanence
+  ];
+
+  networking.hostId = "a1b2c3d4";
+
+  # SSH for remote management from laptop
+  services.openssh = {
+    enable = true;
+    ports = [ 22 ];
+    settings = {
+      PasswordAuthentication = false;
+      PermitRootLogin = "yes";
+    };
+  };
+
+  users.users.${username}.openssh.authorizedKeys.keys = [
+    site_config.ssh_keys.laptop
+  ];
+
+  users.users.root.openssh.authorizedKeys.keys = [
+    site_config.ssh_keys.laptop
+  ];
+
+  jovian.devices.steamdeck.enable = true;
+}

hosts/patiodeck/disk.nix

@@ -0,0 +1,52 @@
+{
+  disko.devices = {
+    disk = {
+      main = {
+        type = "disk";
+        content = {
+          type = "gpt";
+          partitions = {
+            ESP = {
+              type = "EF00";
+              size = "500M";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+              };
+            };
+            nix = {
+              size = "200G";
+              content = {
+                type = "filesystem";
+                format = "f2fs";
+                mountpoint = "/nix";
+              };
+            };
+            persistent = {
+              size = "100%";
+              content = {
+                type = "filesystem";
+                format = "f2fs";
+                mountpoint = "/persistent";
+              };
+            };
+          };
+        };
+      };
+    };
+    nodev = {
+      "/" = {
+        fsType = "tmpfs";
+        mountOptions = [
+          "defaults"
+          "size=2G"
+          "mode=755"
+        ];
+      };
+    };
+  };
+
+  fileSystems."/persistent".neededForBoot = true;
+  fileSystems."/nix".neededForBoot = true;
+}

hosts/patiodeck/home.nix

@@ -0,0 +1,8 @@
+{ ... }:
+{
+  imports = [
+    ../../home/profiles/gui.nix
+    ../../home/profiles/desktop.nix
+    ../../home/progs/steam-shortcuts.nix
+  ];
+}

hosts/patiodeck/impermanence.nix

@@ -0,0 +1,48 @@
+{
+  username,
+  ...
+}:
+{
+  environment.persistence."/persistent" = {
+    hideMounts = true;
+    directories = [
+      "/var/log"
+      "/var/lib/systemd/coredump"
+      "/var/lib/nixos"
+      "/var/lib/systemd/timers"
+      # agenix identity sealed by the TPM
+      {
+        directory = "/var/lib/agenix";
+        mode = "0700";
+        user = "root";
+        group = "root";
+      }
+    ];
+
+    files = [
+      "/etc/ssh/ssh_host_ed25519_key"
+      "/etc/ssh/ssh_host_ed25519_key.pub"
+      "/etc/ssh/ssh_host_rsa_key"
+      "/etc/ssh/ssh_host_rsa_key.pub"
+      "/etc/machine-id"
+    ];
+
+    users.root = {
+      files = [
+        ".local/share/fish/fish_history"
+      ];
+    };
+  };
+
+  # bind mount home directory from persistent storage
+  fileSystems."/home/${username}" = {
+    device = "/persistent/home/${username}";
+    fsType = "none";
+    options = [ "bind" ];
+    neededForBoot = true;
+  };
+
+  systemd.tmpfiles.rules = [
+    "d /etc 755 root"
+  ];
+}

hosts/yarn/default.nix

@@ -1,5 +1,4 @@
 {
-  config,
   pkgs,
   lib,
   username,
@@ -10,13 +9,13 @@
 {
   imports = [
     ../../modules/desktop-common.nix
+    ../../modules/desktop-jovian.nix
     ../../modules/no-rgb.nix
     ./disk.nix
     ./impermanence.nix
     ./vr.nix
 
     inputs.impermanence.nixosModules.impermanence
-    inputs.jovian-nixos.nixosModules.default
   ];
 
   fileSystems."/media/games" = {
@@ -83,145 +82,6 @@
 
   systemd.services.lactd.serviceConfig.ExecStartPre = "${lib.getExe pkgs.bash} -c \"sleep 3s\"";
 
-  # root-level service that applies a pending update. Triggered by
-  # steamos-update (via systemctl start) when the user accepts an update.
-  # Runs as root so it can write the system profile and boot entry.
-  systemd.services.pull-update-apply = {
-    description = "Apply pending NixOS update pulled from binary cache";
-    serviceConfig = {
-      Type = "oneshot";
-      ExecStart = pkgs.writeShellScript "pull-update-apply" ''
-        set -uo pipefail
-        export PATH=${
-          pkgs.lib.makeBinPath [
-            pkgs.curl
-            pkgs.coreutils
-            pkgs.nix
-          ]
-        }
-
-        STORE_PATH=$(curl -sf --max-time 30 "${site_config.binary_cache.url}/deploy/yarn" || true)
-        if [ -z "$STORE_PATH" ]; then
-          echo "server unreachable"
-          exit 1
-        fi
-
-        CURRENT=$(readlink -f /nix/var/nix/profiles/system)
-        if [ "$CURRENT" = "$STORE_PATH" ]; then
-          echo "already up to date: $STORE_PATH"
-          exit 0
-        fi
-
-        echo "applying $STORE_PATH (was $CURRENT)"
-        nix-store -r --add-root /nix/var/nix/gcroots/pull-update-apply-latest --indirect "$STORE_PATH" \
-          || { echo "fetch failed"; exit 1; }
-        nix-env -p /nix/var/nix/profiles/system --set "$STORE_PATH" \
-          || { echo "profile set failed"; exit 1; }
-        "$STORE_PATH/bin/switch-to-configuration" boot \
-          || { echo "boot entry failed"; exit 1; }
-        echo "update applied; reboot required"
-      '';
-    };
-  };
-
-  # Allow primary user to start pull-update-apply.service without a password
-  security.polkit.extraConfig = ''
-    polkit.addRule(function(action, subject) {
-      if (action.id == "org.freedesktop.systemd1.manage-units" &&
-          action.lookup("unit") == "pull-update-apply.service" &&
-          subject.user == "${username}") {
-        return polkit.Result.YES;
-      }
-    });
-  '';
-
-  nixpkgs.config.allowUnfreePredicate =
-    pkg:
-    builtins.elem (lib.getName pkg) [
-      "steamdeck-hw-theme"
-      "steam-jupiter-unwrapped"
-      "steam"
-      "steam-original"
-      "steam-unwrapped"
-      "steam-run"
-    ];
-
-  # Override jovian-stubs to disable steamos-update kernel check
-  # This prevents Steam from requesting reboots for "system updates"
-  # Steam client updates will still work normally
-  nixpkgs.overlays = [
-    (
-      final: prev:
-      let
-        deploy-url = "${site_config.binary_cache.url}/deploy/yarn";
-
-        steamos-update-script = final.writeShellScript "steamos-update" ''
-          export PATH=${
-            final.lib.makeBinPath [
-              final.curl
-              final.coreutils
-              final.systemd
-            ]
-          }
-
-          STORE_PATH=$(curl -sf --max-time 30 "${deploy-url}" || true)
-
-          if [ -z "$STORE_PATH" ]; then
-            >&2 echo "[steamos-update] server unreachable"
-            exit 7
-          fi
-
-          CURRENT=$(readlink -f /nix/var/nix/profiles/system)
-          if [ "$CURRENT" = "$STORE_PATH" ]; then
-            >&2 echo "[steamos-update] no update available"
-            exit 7
-          fi
-
-          # check-only mode: just report that an update exists
-          if [ "''${1:-}" = "check" ] || [ "''${1:-}" = "--check-only" ]; then
-            >&2 echo "[steamos-update] update available"
-            exit 0
-          fi
-
-          # apply: trigger the root-running systemd service to install the update
-          >&2 echo "[steamos-update] applying update..."
-          if systemctl start --wait pull-update-apply.service; then
-            >&2 echo "[steamos-update] update installed, reboot to apply"
-            exit 0
-          else
-            >&2 echo "[steamos-update] apply failed; see 'journalctl -u pull-update-apply'"
-            exit 1
-          fi
-        '';
-      in
-      {
-        # Only replace holo-update (and its steamos-update alias) with our
-        # binary-cache pull script. All other stubs (pkexec, sudo,
-        # holo-reboot, holo-select-branch, …) come from upstream unchanged.
-        jovian-stubs = prev.jovian-stubs.overrideAttrs (old: {
-          buildCommand = (old.buildCommand or "") + ''
-            install -D -m 755 ${steamos-update-script} $out/bin/holo-update
-            install -D -m 755 ${steamos-update-script} $out/bin/steamos-update
-          '';
-        });
-      }
-    )
-  ];
-
-  jovian = {
-    devices.steamdeck.enable = false;
-    steam = {
-      enable = true;
-      autoStart = true;
-      desktopSession = "niri";
-      user = username;
-    };
-  };
-
-  # Jovian-NixOS requires sddm
-  # https://github.com/Jovian-Experiments/Jovian-NixOS/commit/52f140c07493f8bb6cd0773c7e1afe3e1fd1d1fa
-  services.displayManager.sddm.wayland.enable = true;
-
-  # Disable gamescope from common.nix to avoid conflict with jovian-nixos
-  programs.gamescope.enable = lib.mkForce false;
+  # yarn is not a Steam Deck
+  jovian.devices.steamdeck.enable = false;
 }

hosts/yarn/home.nix

@@ -1,15 +1,12 @@
 {
   pkgs,
-  inputs,
-  lib,
-  config,
   ...
 }:
 {
   imports = [
     ../../home/profiles/gui.nix
     ../../home/profiles/desktop.nix
-    inputs.json2steamshortcut.homeModules.default
+    ../../home/progs/steam-shortcuts.nix
   ];
 
   home.packages = with pkgs; [
@@ -27,20 +24,4 @@
       obs-pipewire-audio-capture
     ];
   };
-
-  services.steam-shortcuts = {
-    enable = true;
-    overwriteExisting = true;
-    steamUserId = lib.strings.toInt (
-      lib.strings.trim (builtins.readFile ../../secrets/home/steam-user-id)
-    );
-    shortcuts = [
-      {
-        AppName = "Prism Launcher";
-        Exe = "${pkgs.prismlauncher}/bin/prismlauncher";
-        Icon = "${pkgs.prismlauncher}/share/icons/hicolor/scalable/apps/org.prismlauncher.PrismLauncher.svg";
-        Tags = [ "Game" ];
-      }
-    ];
-  };
 }

modules/desktop-jovian.nix

@@ -0,0 +1,40 @@
+# Jovian-NixOS deck-mode configuration shared by all hosts running Steam
+# in gamescope (yarn, patiodeck). Host-specific settings (like
+# jovian.devices.steamdeck.enable) stay in the host's default.nix.
+{
+  lib,
+  username,
+  inputs,
+  ...
+}:
+{
+  imports = [
+    ./desktop-steam-update.nix
+    inputs.jovian-nixos.nixosModules.default
+  ];
+
+  nixpkgs.config.allowUnfreePredicate =
+    pkg:
+    builtins.elem (lib.getName pkg) [
+      "steamdeck-hw-theme"
+      "steam-jupiter-unwrapped"
+      "steam"
+      "steam-original"
+      "steam-unwrapped"
+      "steam-run"
+    ];
+
+  jovian.steam = {
+    enable = true;
+    autoStart = true;
+    desktopSession = "niri";
+    user = username;
+  };
+
+  # jovian overrides the display manager; sddm is required
+  services.displayManager.sddm.wayland.enable = true;
+
+  # desktop-common.nix enables programs.gamescope which conflicts with
+  # jovian's own gamescope wrapper
+  programs.gamescope.enable = lib.mkForce false;
+}

modules/desktop-steam-update.nix

@@ -0,0 +1,122 @@
+# Binary-cache update mechanism for Jovian-NixOS desktops.
+#
+# Replaces the upstream holo-update/steamos-update stubs with a script that
+# checks the private binary cache for a newer system closure, and provides a
+# root-level systemd service to apply it. Steam's deck UI calls
+# `steamos-update check` periodically; exit 7 = no update, exit 0 = update
+# applied or available.
+#
+# The deploy endpoint is ${binary_cache_url}/deploy/${hostname} — a plain
+# text file containing the /nix/store path of the latest closure, published
+# by CI after a successful build.
+{
+  pkgs,
+  lib,
+  hostname,
+  username,
+  site_config,
+  ...
+}:
+let
+  deploy-url = "${site_config.binary_cache.url}/deploy/${hostname}";
+
+  steamos-update-script = pkgs.writeShellScript "steamos-update" ''
+    export PATH=${
+      lib.makeBinPath [
+        pkgs.curl
+        pkgs.coreutils
+        pkgs.systemd
+      ]
+    }
+
+    STORE_PATH=$(curl -sf --max-time 30 "${deploy-url}" || true)
+
+    if [ -z "$STORE_PATH" ]; then
+      >&2 echo "[steamos-update] server unreachable"
+      exit 7
+    fi
+
+    CURRENT=$(readlink -f /nix/var/nix/profiles/system)
+    if [ "$CURRENT" = "$STORE_PATH" ]; then
+      >&2 echo "[steamos-update] no update available"
+      exit 7
+    fi
+
+    # check-only mode: just report that an update exists
+    if [ "''${1:-}" = "check" ] || [ "''${1:-}" = "--check-only" ]; then
+      >&2 echo "[steamos-update] update available"
+      exit 0
+    fi
+
+    # apply: trigger the root-running systemd service to install the update
+    >&2 echo "[steamos-update] applying update..."
+    if systemctl start --wait pull-update-apply.service; then
+      >&2 echo "[steamos-update] update installed, reboot to apply"
+      exit 0
+    else
+      >&2 echo "[steamos-update] apply failed; see 'journalctl -u pull-update-apply'"
+      exit 1
+    fi
+  '';
+in
+{
+  nixpkgs.overlays = [
+    (_final: prev: {
+      jovian-stubs = prev.jovian-stubs.overrideAttrs (old: {
+        buildCommand = (old.buildCommand or "") + ''
+          install -D -m 755 ${steamos-update-script} $out/bin/holo-update
+          install -D -m 755 ${steamos-update-script} $out/bin/steamos-update
+        '';
+      });
+    })
+  ];
+
+  systemd.services.pull-update-apply = {
+    description = "Apply pending NixOS update pulled from binary cache";
+    serviceConfig = {
+      Type = "oneshot";
+      ExecStart = pkgs.writeShellScript "pull-update-apply" ''
+        set -uo pipefail
+        export PATH=${
+          lib.makeBinPath [
+            pkgs.curl
+            pkgs.coreutils
+            pkgs.nix
+          ]
+        }
+
+        STORE_PATH=$(curl -sf --max-time 30 "${deploy-url}" || true)
+        if [ -z "$STORE_PATH" ]; then
+          echo "server unreachable"
+          exit 1
+        fi
+
+        CURRENT=$(readlink -f /nix/var/nix/profiles/system)
+        if [ "$CURRENT" = "$STORE_PATH" ]; then
+          echo "already up to date: $STORE_PATH"
+          exit 0
+        fi
+
+        echo "applying $STORE_PATH (was $CURRENT)"
+        nix-store -r --add-root /nix/var/nix/gcroots/pull-update-apply-latest --indirect "$STORE_PATH" \
+          || { echo "fetch failed"; exit 1; }
+        nix-env -p /nix/var/nix/profiles/system --set "$STORE_PATH" \
+          || { echo "profile set failed"; exit 1; }
+        "$STORE_PATH/bin/switch-to-configuration" boot \
+          || { echo "boot entry failed"; exit 1; }
+        echo "update applied; reboot required"
+      '';
+    };
+  };
+
+  # allow the primary user to trigger pull-update-apply without a password
+  security.polkit.extraConfig = ''
+    polkit.addRule(function(action, subject) {
+      if (action.id == "org.freedesktop.systemd1.manage-units" &&
+          action.lookup("unit") == "pull-update-apply.service" &&
+          subject.user == "${username}") {
+        return polkit.Result.YES;
+      }
+    });
+  '';
+}