Revert "muffin: test, move to 7.0"

This reverts commit f67ec5bde6.

flake.lock

@@ -109,11 +109,11 @@
     "cachyos-kernel": {
       "flake": false,
       "locked": {
-        "lastModified": 1776608760,
+        "lastModified": 1776881435,
-        "narHash": "sha256-ehDv8bF7k/2Kf4b8CCoSm51U/MOoFuLsRXqe5wZ57sE=",
+        "narHash": "sha256-j8AobLjMzeKJugseObrVC4O5k7/aZCWoft2sCS3jWYs=",
         "owner": "CachyOS",
         "repo": "linux-cachyos",
-        "rev": "7e06e29005853bbaaa3b1c1067f915d6e0db728a",
+        "rev": "1c61dfd1c3ad7762faa0db8b06c6af6c59cc4340",
         "type": "github"
       },
       "original": {
@@ -125,11 +125,11 @@
     "cachyos-kernel-patches": {
       "flake": false,
       "locked": {
-        "lastModified": 1776792814,
+        "lastModified": 1777002108,
-        "narHash": "sha256-39dlIhz9KxUNQFxGpE9SvCviaOWAivdW0XJM8RnPNmg=",
+        "narHash": "sha256-PIZCIf6xUTOUqLFbEGH0mSwu2O/YfeAmYlgdAbP4dhs=",
         "owner": "CachyOS",
         "repo": "kernel-patches",
-        "rev": "d7d558d0b2e239e27b40bcf1af6fe12e323aa391",
+        "rev": "46476ae2538db486462aef8a9de37d19030cdaf2",
         "type": "github"
       },
       "original": {
@@ -222,11 +222,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1776967792,
+        "lastModified": 1777083982,
-        "narHash": "sha256-O3YfkXQz8P2kec6Ani8fmuXvuXRAyl5/qPdt0kDNFWk=",
+        "narHash": "sha256-O44P8qcFEv0PYQd+9vFAgCu/e9RclHIAyAmRDJ8qR5s=",
         "owner": "nix-community",
         "repo": "emacs-overlay",
-        "rev": "0041dd571ebebe8fa779b940fb13b6d447a48b87",
+        "rev": "42711d50137a45b8065c3e329946e2d4525235d0",
         "type": "github"
       },
       "original": {
@@ -266,11 +266,11 @@
       },
       "locked": {
         "dir": "pkgs/firefox-addons",
-        "lastModified": 1776916994,
+        "lastModified": 1777089773,
-        "narHash": "sha256-FgqUwRZ2bwbE5w1bCUv9MB3gvwqZ4oEyCgZ6z/6jdTY=",
+        "narHash": "sha256-ZIlNuebeWTncyl7mcV9VbceSLAaZki+UeXLPQG959xI=",
         "owner": "rycee",
         "repo": "nur-expressions",
-        "rev": "a2236006e5c70e2fc06e9acb016b1ac9c0fd5935",
+        "rev": "402ba229617a12d918c2a887a4c83a9a24f9a36c",
         "type": "gitlab"
       },
       "original": {
@@ -484,11 +484,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1776964438,
+        "lastModified": 1777086106,
-        "narHash": "sha256-AF0cby9Xuijr5qaFpYKbm1mExV956Hk233bel6QxpFw=",
+        "narHash": "sha256-hlNpIN18pw3xo34Lsrp6vAMUPn0aB/zFBqL0QXI1Pmk=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "e09259dd2e147d35ef889784b51e89b0a10ffe15",
+        "rev": "5826802354a74af18540aef0b01bc1320f82cc17",
         "type": "github"
       },
       "original": {
@@ -631,11 +631,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1776955347,
+        "lastModified": 1777066729,
-        "narHash": "sha256-VCPA/1RWMZggfXjpMcEMC2QfDrYp6eHgqvsPfDSKGSI=",
+        "narHash": "sha256-f+a+ikbq0VS6RQFf+A6EuVnsWYn2RR3ggRJNkzZgMto=",
         "owner": "TheTom",
         "repo": "llama-cpp-turboquant",
-        "rev": "67559e580b10e4e47e9a6fd6218873997976886d",
+        "rev": "11a241d0db78a68e0a5b99fe6f36de6683100f6a",
         "type": "github"
       },
       "original": {
@@ -657,11 +657,11 @@
         "treefmt-nix": "treefmt-nix"
       },
       "locked": {
-        "lastModified": 1776966087,
+        "lastModified": 1777093284,
-        "narHash": "sha256-P+39paxTvpYiMv5wqGKte7YbmxJKoihcXssV1IhkSAo=",
+        "narHash": "sha256-tBvsFPJy0/2gocc6QGYFXJF44TvJ8PC726NsdTpFJ44=",
         "owner": "numtide",
         "repo": "llm-agents.nix",
-        "rev": "547d51c282c15a7c9b86c8388a1adb1695b1df59",
+        "rev": "6b4673fddbbe1f2656b3fa8d2a32666570aafbfa",
         "type": "github"
       },
       "original": {
@@ -704,11 +704,11 @@
         "xwayland-satellite-unstable": "xwayland-satellite-unstable"
       },
       "locked": {
-        "lastModified": 1776879043,
+        "lastModified": 1777068473,
-        "narHash": "sha256-M9RjuowtoqQbFRdQAm2P6GjFwgHjRcnWYcB7ChSjDms=",
+        "narHash": "sha256-atEzEdMgJMRPm/yxOiBvOSEcjSUgU20ieXYQeDfxhTo=",
         "owner": "sodiboo",
         "repo": "niri-flake",
-        "rev": "535ebbe038039215a5d1c6c0c67f833409a5be96",
+        "rev": "d543523b5cd4c1f10e41ad8801c49808198b9ca5",
         "type": "github"
       },
       "original": {
@@ -737,11 +737,11 @@
     "niri-unstable": {
       "flake": false,
       "locked": {
-        "lastModified": 1776853441,
+        "lastModified": 1777045529,
-        "narHash": "sha256-mSxfoEs7DiDhMCBzprI/1K7UXzMISuGq0b7T06LVJXE=",
+        "narHash": "sha256-EeAwmrvONsovL2qPwKGXF2xGhbo7MySesY3fW2pNLpM=",
         "owner": "YaLTeR",
         "repo": "niri",
-        "rev": "74d2b18603366b98ec9045ecf4a632422f472365",
+        "rev": "9438f59e2b9d8deb6fcec5922f8aca18162b673c",
         "type": "github"
       },
       "original": {
@@ -761,11 +761,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1776796985,
+        "lastModified": 1777054238,
-        "narHash": "sha256-cNFg3H09sBZl1v9ds6PDHfLCUTDJbefGMSv+WxFs+9c=",
+        "narHash": "sha256-qaqHPZO3oQJiIZgD6sp5HKwvYAVyMtHVJiXVwPSEkx0=",
         "owner": "xddxdd",
         "repo": "nix-cachyos-kernel",
-        "rev": "ac5956bbceb022998fc1dd0001322f10ef1e6dda",
+        "rev": "acb94409639d6d6d64bea140f939ac34938560b1",
         "type": "github"
       },
       "original": {
@@ -846,11 +846,11 @@
         "systems": "systems_7"
       },
       "locked": {
-        "lastModified": 1776915193,
+        "lastModified": 1777001712,
-        "narHash": "sha256-bYyOT3OIWIKvDV+pOVd0hdCEG8orf85QX4b21LWUSEs=",
+        "narHash": "sha256-9JX9msZU1NvHzjKM24PRorP76Ge8GBy6LAkJKA21mlY=",
         "owner": "Infinidoge",
         "repo": "nix-minecraft",
-        "rev": "40c972ce0f45b8c05bf245d5065647b17552312c",
+        "rev": "394d3bfd943458baf29e4798bc9b256d824a3bb9",
         "type": "github"
       },
       "original": {
@@ -861,11 +861,11 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1776830795,
+        "lastModified": 1776983936,
-        "narHash": "sha256-PAfvLwuHc1VOvsLcpk6+HDKgMEibvZjCNvbM1BJOA7o=",
+        "narHash": "sha256-ZOQyNqSvJ8UdrrqU1p7vaFcdL53idK+LOM8oRWEWh6o=",
         "owner": "NixOS",
         "repo": "nixos-hardware",
-        "rev": "72674a6b5599e844c045ae7449ba91f803d44ebc",
+        "rev": "2096f3f411ce46e88a79ae4eafcfc9df8ed41c61",
         "type": "github"
       },
       "original": {
@@ -877,11 +877,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1776548001,
+        "lastModified": 1776877367,
-        "narHash": "sha256-ZSK0NL4a1BwVbbTBoSnWgbJy9HeZFXLYQizjb2DPF24=",
+        "narHash": "sha256-EHq1/OX139R1RvBzOJ0aMRT3xnWyqtHBRUBuO1gFzjI=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "b12141ef619e0a9c1c84dc8c684040326f27cdcc",
+        "rev": "0726a0ecb6d4e08f6adced58726b95db924cef57",
         "type": "github"
       },
       "original": {
@@ -991,11 +991,11 @@
         "noctalia-qs": "noctalia-qs"
       },
       "locked": {
-        "lastModified": 1776888984,
+        "lastModified": 1777079905,
-        "narHash": "sha256-Up2F/eoMuPUsZnPVYdH5TMHe1TBP2Ue1QuWd0vWZoxY=",
+        "narHash": "sha256-TvYEXwkZnRFQRuFyyqTNSfPnU2tMdhtiBOXSk2AWLJA=",
         "owner": "noctalia-dev",
         "repo": "noctalia-shell",
-        "rev": "2c1808f9f8937fc0b82c54af513f7620fec56d71",
+        "rev": "a50c92167c8d438000270f7eca36f6eea74f388e",
         "type": "github"
       },
       "original": {
@@ -1133,11 +1133,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1776914043,
+        "lastModified": 1777086717,
-        "narHash": "sha256-qug5r56yW1qOsjSI99l3Jm15JNT9CvS2otkXNRNtrPI=",
+        "narHash": "sha256-vEl3cGHRxEFdVNuP9PbrhAWnmU98aPOLGy9/1JXzSuM=",
         "owner": "oxalica",
         "repo": "rust-overlay",
-        "rev": "2d35c4358d7de3a0e606a6e8b27925d981c01cc3",
+        "rev": "3be56bd430bfd65d3c468a50626c3a601c7dee03",
         "type": "github"
       },
       "original": {
@@ -1190,11 +1190,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1776912132,
+        "lastModified": 1777000965,
-        "narHash": "sha256-UDR6PtHacMhAQJ8SPNbPROaxbtl2Pgjww0TzipTsTZE=",
+        "narHash": "sha256-xcrhVgfI13s1WH4hg5MLL83zAp6/htfF8Pjw4RPiKM8=",
         "owner": "nix-community",
         "repo": "srvos",
-        "rev": "e9ff039a72ff2c06271d5002eb431c443abf69fa",
+        "rev": "7ae6f096b2ffbd25d17da8a4d0fe299a164c4eac",
         "type": "github"
       },
       "original": {
@@ -1356,11 +1356,11 @@
     "trackerlist": {
       "flake": false,
       "locked": {
-        "lastModified": 1776895782,
+        "lastModified": 1777068584,
-        "narHash": "sha256-iHdp9lRoV3ejsTC96z7Pns/JvQKWyp+V0fdVcVOv8Xw=",
+        "narHash": "sha256-UZr6mQfauhIUo8n3SDYnBWeq11xs5lTAoc9onh2MHBc=",
         "owner": "ngosang",
         "repo": "trackerslist",
-        "rev": "e1a89caab7d4c5af3870a49ddc494cda745b236e",
+        "rev": "747c048c604c8d12b9d20cfccea4800a32382a66",
         "type": "github"
       },
       "original": {
@@ -1524,11 +1524,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1776922304,
+        "lastModified": 1777084302,
-        "narHash": "sha256-T1r7GWzeqX0C6YauIMN6D0sdr5voDAPMg8jvn59Wm7g=",
+        "narHash": "sha256-qHE5XpgtRedzND5xzaqzbSOw4amse0aA4/BaVI4ONcU=",
         "owner": "0xc000022070",
         "repo": "zen-browser-flake",
-        "rev": "91cc9ed57a893b2e944de60812511f05fd408ce6",
+        "rev": "f6bab88f8566ddc13fb5e5500bd6c720b61d5321",
         "type": "github"
       },
       "original": {

flake.nix

@@ -376,6 +376,7 @@
       nixosConfigurations = {
         mreow = mkDesktopHost "mreow";
         yarn = mkDesktopHost "yarn";
+        patiodeck = mkDesktopHost "patiodeck";
         muffin = muffinHost;
       };
 

home/progs/steam-shortcuts.nix

@@ -0,0 +1,29 @@
+# Declarative non-Steam game shortcuts for the Steam library.
+# Add entries to the `shortcuts` list to have them appear in Steam's UI.
+{
+  pkgs,
+  inputs,
+  lib,
+  ...
+}:
+{
+  imports = [
+    inputs.json2steamshortcut.homeModules.default
+  ];
+
+  services.steam-shortcuts = {
+    enable = true;
+    overwriteExisting = true;
+    steamUserId = lib.strings.toInt (
+      lib.strings.trim (builtins.readFile ../../secrets/home/steam-user-id)
+    );
+    shortcuts = [
+      {
+        AppName = "Prism Launcher";
+        Exe = "${pkgs.prismlauncher}/bin/prismlauncher";
+        Icon = "${pkgs.prismlauncher}/share/icons/hicolor/scalable/apps/org.prismlauncher.PrismLauncher.svg";
+        Tags = [ "Game" ];
+      }
+    ];
+  };
+}

hosts/patiodeck/default.nix

@@ -0,0 +1,38 @@
+{
+  username,
+  inputs,
+  site_config,
+  ...
+}:
+{
+  imports = [
+    ../../modules/desktop-common.nix
+    ../../modules/desktop-jovian.nix
+    ./disk.nix
+    ./impermanence.nix
+
+    inputs.impermanence.nixosModules.impermanence
+  ];
+
+  networking.hostId = "a1b2c3d4";
+
+  # SSH for remote management from laptop
+  services.openssh = {
+    enable = true;
+    ports = [ 22 ];
+    settings = {
+      PasswordAuthentication = false;
+      PermitRootLogin = "yes";
+    };
+  };
+
+  users.users.${username}.openssh.authorizedKeys.keys = [
+    site_config.ssh_keys.laptop
+  ];
+
+  users.users.root.openssh.authorizedKeys.keys = [
+    site_config.ssh_keys.laptop
+  ];
+
+  jovian.devices.steamdeck.enable = true;
+}

hosts/patiodeck/disk.nix

@@ -0,0 +1,52 @@
+{
+  disko.devices = {
+    disk = {
+      main = {
+        type = "disk";
+        content = {
+          type = "gpt";
+          partitions = {
+            ESP = {
+              type = "EF00";
+              size = "500M";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+              };
+            };
+            nix = {
+              size = "200G";
+              content = {
+                type = "filesystem";
+                format = "f2fs";
+                mountpoint = "/nix";
+              };
+            };
+            persistent = {
+              size = "100%";
+              content = {
+                type = "filesystem";
+                format = "f2fs";
+                mountpoint = "/persistent";
+              };
+            };
+          };
+        };
+      };
+    };
+    nodev = {
+      "/" = {
+        fsType = "tmpfs";
+        mountOptions = [
+          "defaults"
+          "size=2G"
+          "mode=755"
+        ];
+      };
+    };
+  };
+
+  fileSystems."/persistent".neededForBoot = true;
+  fileSystems."/nix".neededForBoot = true;
+}

hosts/patiodeck/home.nix

@@ -0,0 +1,8 @@
+{ ... }:
+{
+  imports = [
+    ../../home/profiles/gui.nix
+    ../../home/profiles/desktop.nix
+    ../../home/progs/steam-shortcuts.nix
+  ];
+}

hosts/patiodeck/impermanence.nix

@@ -0,0 +1,48 @@
+{
+  username,
+  ...
+}:
+{
+  environment.persistence."/persistent" = {
+    hideMounts = true;
+    directories = [
+      "/var/log"
+      "/var/lib/systemd/coredump"
+      "/var/lib/nixos"
+      "/var/lib/systemd/timers"
+      # agenix identity sealed by the TPM
+      {
+        directory = "/var/lib/agenix";
+        mode = "0700";
+        user = "root";
+        group = "root";
+      }
+    ];
+
+    files = [
+      "/etc/ssh/ssh_host_ed25519_key"
+      "/etc/ssh/ssh_host_ed25519_key.pub"
+      "/etc/ssh/ssh_host_rsa_key"
+      "/etc/ssh/ssh_host_rsa_key.pub"
+      "/etc/machine-id"
+    ];
+
+    users.root = {
+      files = [
+        ".local/share/fish/fish_history"
+      ];
+    };
+  };
+
+  # bind mount home directory from persistent storage
+  fileSystems."/home/${username}" = {
+    device = "/persistent/home/${username}";
+    fsType = "none";
+    options = [ "bind" ];
+    neededForBoot = true;
+  };
+
+  systemd.tmpfiles.rules = [
+    "d /etc 755 root"
+  ];
+}

hosts/yarn/default.nix

@@ -1,5 +1,4 @@
 {
-  config,
   pkgs,
   lib,
   username,
@@ -10,13 +9,13 @@
 {
   imports = [
     ../../modules/desktop-common.nix
+    ../../modules/desktop-jovian.nix
     ../../modules/no-rgb.nix
     ./disk.nix
     ./impermanence.nix
     ./vr.nix
 
     inputs.impermanence.nixosModules.impermanence
-    inputs.jovian-nixos.nixosModules.default
   ];
 
   fileSystems."/media/games" = {
@@ -83,145 +82,6 @@
 
   systemd.services.lactd.serviceConfig.ExecStartPre = "${lib.getExe pkgs.bash} -c \"sleep 3s\"";
 
-  # root-level service that applies a pending update. Triggered by
+  # yarn is not a Steam Deck
-  # steamos-update (via systemctl start) when the user accepts an update.
+  jovian.devices.steamdeck.enable = false;
-  # Runs as root so it can write the system profile and boot entry.
-  systemd.services.pull-update-apply = {
-    description = "Apply pending NixOS update pulled from binary cache";
-    serviceConfig = {
-      Type = "oneshot";
-      ExecStart = pkgs.writeShellScript "pull-update-apply" ''
-        set -uo pipefail
-        export PATH=${
-          pkgs.lib.makeBinPath [
-            pkgs.curl
-            pkgs.coreutils
-            pkgs.nix
-          ]
-        }
-
-        STORE_PATH=$(curl -sf --max-time 30 "${site_config.binary_cache.url}/deploy/yarn" || true)
-        if [ -z "$STORE_PATH" ]; then
-          echo "server unreachable"
-          exit 1
-        fi
-
-        CURRENT=$(readlink -f /nix/var/nix/profiles/system)
-        if [ "$CURRENT" = "$STORE_PATH" ]; then
-          echo "already up to date: $STORE_PATH"
-          exit 0
-        fi
-
-        echo "applying $STORE_PATH (was $CURRENT)"
-        nix-store -r --add-root /nix/var/nix/gcroots/pull-update-apply-latest --indirect "$STORE_PATH" \
-          || { echo "fetch failed"; exit 1; }
-        nix-env -p /nix/var/nix/profiles/system --set "$STORE_PATH" \
-          || { echo "profile set failed"; exit 1; }
-        "$STORE_PATH/bin/switch-to-configuration" boot \
-          || { echo "boot entry failed"; exit 1; }
-        echo "update applied; reboot required"
-      '';
-    };
-  };
-
-  # Allow primary user to start pull-update-apply.service without a password
-  security.polkit.extraConfig = ''
-    polkit.addRule(function(action, subject) {
-      if (action.id == "org.freedesktop.systemd1.manage-units" &&
-          action.lookup("unit") == "pull-update-apply.service" &&
-          subject.user == "${username}") {
-        return polkit.Result.YES;
-      }
-    });
-  '';
-
-  nixpkgs.config.allowUnfreePredicate =
-    pkg:
-    builtins.elem (lib.getName pkg) [
-      "steamdeck-hw-theme"
-      "steam-jupiter-unwrapped"
-      "steam"
-      "steam-original"
-      "steam-unwrapped"
-      "steam-run"
-    ];
-
-  # Override jovian-stubs to disable steamos-update kernel check
-  # This prevents Steam from requesting reboots for "system updates"
-  # Steam client updates will still work normally
-  nixpkgs.overlays = [
-    (
-      final: prev:
-      let
-        deploy-url = "${site_config.binary_cache.url}/deploy/yarn";
-
-        steamos-update-script = final.writeShellScript "steamos-update" ''
-          export PATH=${
-            final.lib.makeBinPath [
-              final.curl
-              final.coreutils
-              final.systemd
-            ]
-          }
-
-          STORE_PATH=$(curl -sf --max-time 30 "${deploy-url}" || true)
-
-          if [ -z "$STORE_PATH" ]; then
-            >&2 echo "[steamos-update] server unreachable"
-            exit 7
-          fi
-
-          CURRENT=$(readlink -f /nix/var/nix/profiles/system)
-          if [ "$CURRENT" = "$STORE_PATH" ]; then
-            >&2 echo "[steamos-update] no update available"
-            exit 7
-          fi
-
-          # check-only mode: just report that an update exists
-          if [ "''${1:-}" = "check" ] || [ "''${1:-}" = "--check-only" ]; then
-            >&2 echo "[steamos-update] update available"
-            exit 0
-          fi
-
-          # apply: trigger the root-running systemd service to install the update
-          >&2 echo "[steamos-update] applying update..."
-          if systemctl start --wait pull-update-apply.service; then
-            >&2 echo "[steamos-update] update installed, reboot to apply"
-            exit 0
-          else
-            >&2 echo "[steamos-update] apply failed; see 'journalctl -u pull-update-apply'"
-            exit 1
-          fi
-        '';
-      in
-      {
-        # Only replace holo-update (and its steamos-update alias) with our
-        # binary-cache pull script. All other stubs (pkexec, sudo,
-        # holo-reboot, holo-select-branch, …) come from upstream unchanged.
-        jovian-stubs = prev.jovian-stubs.overrideAttrs (old: {
-          buildCommand = (old.buildCommand or "") + ''
-            install -D -m 755 ${steamos-update-script} $out/bin/holo-update
-            install -D -m 755 ${steamos-update-script} $out/bin/steamos-update
-          '';
-        });
-      }
-    )
-  ];
-
-  jovian = {
-    devices.steamdeck.enable = false;
-    steam = {
-      enable = true;
-      autoStart = true;
-      desktopSession = "niri";
-      user = username;
-    };
-  };
-
-  # Jovian-NixOS requires sddm
-  # https://github.com/Jovian-Experiments/Jovian-NixOS/commit/52f140c07493f8bb6cd0773c7e1afe3e1fd1d1fa
-  services.displayManager.sddm.wayland.enable = true;
-
-  # Disable gamescope from common.nix to avoid conflict with jovian-nixos
-  programs.gamescope.enable = lib.mkForce false;
 }

hosts/yarn/home.nix

@@ -1,15 +1,12 @@
 {
   pkgs,
-  inputs,
-  lib,
-  config,
   ...
 }:
 {
   imports = [
     ../../home/profiles/gui.nix
     ../../home/profiles/desktop.nix
-    inputs.json2steamshortcut.homeModules.default
+    ../../home/progs/steam-shortcuts.nix
   ];
 
   home.packages = with pkgs; [
@@ -27,20 +24,4 @@
       obs-pipewire-audio-capture
     ];
   };
-
-  services.steam-shortcuts = {
-    enable = true;
-    overwriteExisting = true;
-    steamUserId = lib.strings.toInt (
-      lib.strings.trim (builtins.readFile ../../secrets/home/steam-user-id)
-    );
-    shortcuts = [
-      {
-        AppName = "Prism Launcher";
-        Exe = "${pkgs.prismlauncher}/bin/prismlauncher";
-        Icon = "${pkgs.prismlauncher}/share/icons/hicolor/scalable/apps/org.prismlauncher.PrismLauncher.svg";
-        Tags = [ "Game" ];
-      }
-    ];
-  };
 }

modules/desktop-jovian.nix

@@ -0,0 +1,40 @@
+# Jovian-NixOS deck-mode configuration shared by all hosts running Steam
+# in gamescope (yarn, patiodeck). Host-specific settings (like
+# jovian.devices.steamdeck.enable) stay in the host's default.nix.
+{
+  lib,
+  username,
+  inputs,
+  ...
+}:
+{
+  imports = [
+    ./desktop-steam-update.nix
+    inputs.jovian-nixos.nixosModules.default
+  ];
+
+  nixpkgs.config.allowUnfreePredicate =
+    pkg:
+    builtins.elem (lib.getName pkg) [
+      "steamdeck-hw-theme"
+      "steam-jupiter-unwrapped"
+      "steam"
+      "steam-original"
+      "steam-unwrapped"
+      "steam-run"
+    ];
+
+  jovian.steam = {
+    enable = true;
+    autoStart = true;
+    desktopSession = "niri";
+    user = username;
+  };
+
+  # jovian overrides the display manager; sddm is required
+  services.displayManager.sddm.wayland.enable = true;
+
+  # desktop-common.nix enables programs.gamescope which conflicts with
+  # jovian's own gamescope wrapper
+  programs.gamescope.enable = lib.mkForce false;
+}

modules/desktop-steam-update.nix

@@ -0,0 +1,122 @@
+# Binary-cache update mechanism for Jovian-NixOS desktops.
+#
+# Replaces the upstream holo-update/steamos-update stubs with a script that
+# checks the private binary cache for a newer system closure, and provides a
+# root-level systemd service to apply it. Steam's deck UI calls
+# `steamos-update check` periodically; exit 7 = no update, exit 0 = update
+# applied or available.
+#
+# The deploy endpoint is ${binary_cache_url}/deploy/${hostname} — a plain
+# text file containing the /nix/store path of the latest closure, published
+# by CI after a successful build.
+{
+  pkgs,
+  lib,
+  hostname,
+  username,
+  site_config,
+  ...
+}:
+let
+  deploy-url = "${site_config.binary_cache.url}/deploy/${hostname}";
+
+  steamos-update-script = pkgs.writeShellScript "steamos-update" ''
+    export PATH=${
+      lib.makeBinPath [
+        pkgs.curl
+        pkgs.coreutils
+        pkgs.systemd
+      ]
+    }
+
+    STORE_PATH=$(curl -sf --max-time 30 "${deploy-url}" || true)
+
+    if [ -z "$STORE_PATH" ]; then
+      >&2 echo "[steamos-update] server unreachable"
+      exit 7
+    fi
+
+    CURRENT=$(readlink -f /nix/var/nix/profiles/system)
+    if [ "$CURRENT" = "$STORE_PATH" ]; then
+      >&2 echo "[steamos-update] no update available"
+      exit 7
+    fi
+
+    # check-only mode: just report that an update exists
+    if [ "''${1:-}" = "check" ] || [ "''${1:-}" = "--check-only" ]; then
+      >&2 echo "[steamos-update] update available"
+      exit 0
+    fi
+
+    # apply: trigger the root-running systemd service to install the update
+    >&2 echo "[steamos-update] applying update..."
+    if systemctl start --wait pull-update-apply.service; then
+      >&2 echo "[steamos-update] update installed, reboot to apply"
+      exit 0
+    else
+      >&2 echo "[steamos-update] apply failed; see 'journalctl -u pull-update-apply'"
+      exit 1
+    fi
+  '';
+in
+{
+  nixpkgs.overlays = [
+    (_final: prev: {
+      jovian-stubs = prev.jovian-stubs.overrideAttrs (old: {
+        buildCommand = (old.buildCommand or "") + ''
+          install -D -m 755 ${steamos-update-script} $out/bin/holo-update
+          install -D -m 755 ${steamos-update-script} $out/bin/steamos-update
+        '';
+      });
+    })
+  ];
+
+  systemd.services.pull-update-apply = {
+    description = "Apply pending NixOS update pulled from binary cache";
+    serviceConfig = {
+      Type = "oneshot";
+      ExecStart = pkgs.writeShellScript "pull-update-apply" ''
+        set -uo pipefail
+        export PATH=${
+          lib.makeBinPath [
+            pkgs.curl
+            pkgs.coreutils
+            pkgs.nix
+          ]
+        }
+
+        STORE_PATH=$(curl -sf --max-time 30 "${deploy-url}" || true)
+        if [ -z "$STORE_PATH" ]; then
+          echo "server unreachable"
+          exit 1
+        fi
+
+        CURRENT=$(readlink -f /nix/var/nix/profiles/system)
+        if [ "$CURRENT" = "$STORE_PATH" ]; then
+          echo "already up to date: $STORE_PATH"
+          exit 0
+        fi
+
+        echo "applying $STORE_PATH (was $CURRENT)"
+        nix-store -r --add-root /nix/var/nix/gcroots/pull-update-apply-latest --indirect "$STORE_PATH" \
+          || { echo "fetch failed"; exit 1; }
+        nix-env -p /nix/var/nix/profiles/system --set "$STORE_PATH" \
+          || { echo "profile set failed"; exit 1; }
+        "$STORE_PATH/bin/switch-to-configuration" boot \
+          || { echo "boot entry failed"; exit 1; }
+        echo "update applied; reboot required"
+      '';
+    };
+  };
+
+  # allow the primary user to trigger pull-update-apply without a password
+  security.polkit.extraConfig = ''
+    polkit.addRule(function(action, subject) {
+      if (action.id == "org.freedesktop.systemd1.manage-units" &&
+          action.lookup("unit") == "pull-update-apply.service" &&
+          subject.user == "${username}") {
+        return polkit.Result.YES;
+      }
+    });
+  '';
+}