Retire dotfiles-rebuild, switch to dm-pull-deploy push timer

- Drop modules/dotfiles-rebuild.nix and its imports in clan.nix;
  sunken-ship + phantom-ship no longer ship the legacy 15-min
  rebuild-from-git timer.
- Add dm-pull-deploy-push systemd timer on sunken-ship: every 15min
  runs dm-send-deploy to announce origin/main rev via data-mesher
  gossip (sunken is the dm-pull-deploy push node).
- Fix mulbo-pull service path: add openssh so 'git fetch' over an
  SSH remote stops failing with 'cannot run ssh'.
- vps-relay authorized_keys: rename Mac key comment to mac-admin,
  add sunken-ship's actual ed25519 key for ZT mesh debugging.
- home.nix: add cinny-desktop (Matrix client).
- neovim: enable cursorline.

flake-modules/clan.nix

@@ -125,7 +125,6 @@ in {
         }
         clanHostsModule
         ../nixos/hosts/sunken-ship.nix
-        config.flake.nixosModules.dotfiles-rebuild
         config.flake.nixosModules.server-debug-tools
         config.flake.nixosModules.monitoring-node-exporter
         config.flake.nixosModules.monitoring-prometheus-server
@@ -169,7 +168,6 @@ in {
         inputs.nix-openclaw.nixosModules.openclaw-gateway
         inputs.catppuccin.nixosModules.catppuccin
         ../nixos/hosts/phantom-ship.nix
-        config.flake.nixosModules.dotfiles-rebuild
         config.flake.nixosModules.server-debug-tools
         config.flake.nixosModules.monitoring-node-exporter
         inputs.home-manager.nixosModules.home-manager

flake-modules/nixos-modules.nix

@@ -1,9 +1,8 @@
 # Expose reusable NixOS modules via `flake.nixosModules`.
 #
 # Consume from a host's flake-module via:
-#   modules = [ config.flake.nixosModules.dotfiles-rebuild ];
+#   modules = [ config.flake.nixosModules.server-debug-tools ];
 { ... }: {
-  flake.nixosModules.dotfiles-rebuild = ../modules/dotfiles-rebuild.nix;
   flake.nixosModules.server-debug-tools = ../modules/server-debug-tools.nix;
   flake.nixosModules.monitoring-node-exporter = ../modules/monitoring-node-exporter.nix;
   flake.nixosModules.monitoring-prometheus-server = ../modules/monitoring-prometheus-server.nix;

modules/dotfiles-rebuild.nix

@@ -1,44 +0,0 @@
-# Shared auto-rebuild-from-git service for homelab hosts.
-#
-# Every 15 min: git fetch origin, fast-forward main, and if there were any
-# new commits run nixos-rebuild switch against `<dotfilesDir>#<host>`.
-#
-# Assumes /etc/dotfiles is an already-cloned checkout of the dotfiles repo.
-{ config, lib, pkgs, ... }:
-let
-  dotfilesDir = "/etc/dotfiles";
-  flakeRef = "${dotfilesDir}#${config.networking.hostName}";
-in {
-  environment.systemPackages = [ pkgs.git ];
-
-  # Trust /etc/dotfiles as root even though it's owned by `danny`.
-  # nix/libgit2 reads safe.directory from /etc/gitconfig; the GIT_CONFIG_*
-  # env vars on the service only affect the git CLI, not nix.
-  programs.git.enable = true;
-  programs.git.config.safe.directory = [ dotfilesDir ];
-
-  systemd.services.dotfiles-rebuild = {
-    description = "Pull dotfiles and run nixos-rebuild if repo changed";
-    path = with pkgs; [ git nix nixos-rebuild ];
-    environment.GIT_CONFIG_COUNT = "1";
-    environment.GIT_CONFIG_KEY_0 = "safe.directory";
-    environment.GIT_CONFIG_VALUE_0 = dotfilesDir;
-    script = ''
-      set -euo pipefail
-      cd ${dotfilesDir}
-      git fetch origin
-      if [ "$(git rev-parse HEAD)" = "$(git rev-parse origin/main)" ]; then
-        exit 0
-      fi
-      git pull origin main
-      exec nixos-rebuild switch --flake ${flakeRef}
-    '';
-    serviceConfig.Type = "oneshot";
-  };
-
-  systemd.timers.dotfiles-rebuild = {
-    wantedBy = [ "timers.target" ];
-    timerConfig.OnCalendar = "*-*-* *:00/15:00";  # every 15 minutes
-    timerConfig.RandomizedDelaySec = "2min";
-  };
-}

nixos/home/danny/home.nix

@@ -231,6 +231,7 @@
     zed-editor
     code-cursor
     cursor-cli
+    cinny-desktop # Matrix client (Tauri wrapper around the Cinny web app)
     dfu-util      # USB DFU firmware flasher (Flipper Zero etc.)
     discord
     mapscii

nixos/hosts/sunken-ship.nix

@@ -72,7 +72,7 @@
   # x86_64-linux builds here via ssh-ng://danny@sunken-ship-zt).
   nix.settings.trusted-users = [ "root" "danny" ];
   environment.systemPackages = with pkgs; [
-    git # clone/bootstrap and dotfiles-rebuild timer
+    git # clone/bootstrap, repo-pull timers, dm-pull-deploy push
     brightnessctl # manual backlight; replaces removed `light` from nixpkgs
     uxplay # AirPlay mirroring receiver
     alsa-utils # aplay, amixer, arecord for audio debugging
@@ -347,7 +347,10 @@
   # not in the repo, so they survive pulls.
   systemd.services.mulbo-pull = {
     description = "Pull mulbo repo and restart mulbo-server if changed";
-    path = with pkgs; [ git systemd ];
+    # openssh: `git fetch origin` over an SSH remote forks `ssh`; without
+    # it git dies with "cannot run ssh: No such file or directory" and the
+    # unit fails (shows up as system `degraded`).
+    path = with pkgs; [ git openssh systemd ];
     environment = {
       GIT_CONFIG_COUNT   = "1";
       GIT_CONFIG_KEY_0   = "safe.directory";
@@ -372,6 +375,33 @@
     timerConfig.RandomizedDelaySec = "2min";
   };
 
+  # dm-pull-deploy push automation. sunken-ship is the push node for the
+  # clan dm-pull-deploy instance (wired in flake-modules/clan.nix), but
+  # the upstream module only ships a manual `dm-send-deploy` binary — no
+  # scheduler. This timer announces the latest origin/main rev over
+  # data-mesher gossip; the watchers (dm-pull-deploy.path on sunken +
+  # phantom) compare and only rebuild when the rev actually changes, so
+  # re-announcing the same rev is a cheap no-op. This is the replacement
+  # for the legacy dotfiles-rebuild pull timer (being retired).
+  #
+  # dm-send-deploy self-discovers the rev via `git ls-remote` and signs
+  # with /run/secrets/vars/dm-pull-deploy-signing-key — needs root.
+  systemd.services.dm-pull-deploy-push = {
+    description = "Announce latest origin/main rev via data-mesher (dm-pull-deploy push)";
+    serviceConfig = {
+      Type = "oneshot";
+      ExecStart = "/run/current-system/sw/bin/dm-send-deploy";
+      User = "root";
+    };
+  };
+
+  systemd.timers.dm-pull-deploy-push = {
+    wantedBy = [ "timers.target" ];
+    timerConfig.OnCalendar = "*-*-* *:04/15:00";  # every 15 min, offset from the other pull timers
+    timerConfig.RandomizedDelaySec = "2min";
+    timerConfig.Persistent = true;
+  };
+
   # One-shot backfill: walks Navidrome's media_file, computes
   # (sha256, chromaprint) per file, populates mulbo-server's tracks_index
   # with the corresponding navidrome_track_id. Idempotent — existing rows
@@ -443,6 +473,8 @@
     };
   };
 
-  # Auto-rebuild service/timer + safe.directory provided by the
+  # Deploys now flow through clan dm-pull-deploy: the dm-pull-deploy-push
-  # shared dotfiles-rebuild NixOS module (see nixos/modules/dotfiles-rebuild.nix).
+  # timer above announces origin/main, and the dm-pull-deploy.path watcher
+  # rebuilds on change. The legacy pull-based dotfiles-rebuild module was
+  # retired 2026-05-19.
 }

nixos/hosts/vps-relay.nix

@@ -46,8 +46,13 @@
     isNormalUser = true;
     extraGroups = [ "wheel" ];
     openssh.authorizedKeys.keys = [
-      # Same pubkey used to reach sunken-ship; set at install via clan.
+      # Mac admin key (~/.ssh/id_ed25519_sunken_ship on the laptop — the
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKW/akfIiVU5o63YrTAJVZhMj7kXfYHOnXDtlpVFW7pf danny@sunken-ship"
+      # key the Mac uses to reach the fleet). Used for `clan machines
+      # update vps-relay` from the Mac and at install via clan.
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKW/akfIiVU5o63YrTAJVZhMj7kXfYHOnXDtlpVFW7pf danny@mac-admin"
+      # sunken-ship's own key, so the push node can SSH into vps-relay
+      # over ZeroTier for mesh introspection / debugging.
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB9t4YAaoHvVouqp+qyFOq8o3SAtXMiAmjF6J0ldyx4g danny@sunken-ship"
     ];
   };
   users.users.root.openssh.authorizedKeys.keys =

nixos/neovim.nix

@@ -41,6 +41,7 @@
       end
 
       -- General options
+      vim.opt.cursorline = true
       vim.opt.mouse = "a"
       vim.opt.listchars = { tab = "→ ", space = "·", nbsp = "␣", trail = "•", eol = "¶", precedes = "«", extends = "»" }
       vim.opt.clipboard:append("unnamedplus")