9 changed files with 121 additions and 145 deletions
--- a/flake-modules/clan.nix
+++ b/flake-modules/clan.nix
@ -125,6 +125,7 @@ in {
        }
        clanHostsModule
        ../nixos/hosts/sunken-ship.nix
+        config.flake.nixosModules.dotfiles-rebuild
        config.flake.nixosModules.server-debug-tools
        config.flake.nixosModules.monitoring-node-exporter
        config.flake.nixosModules.monitoring-prometheus-server
@ -167,6 +168,7 @@ in {
        clanHostsModule
        inputs.nix-openclaw.nixosModules.openclaw-gateway
        ../nixos/hosts/phantom-ship.nix
+        config.flake.nixosModules.dotfiles-rebuild
        config.flake.nixosModules.server-debug-tools
        config.flake.nixosModules.monitoring-node-exporter
        inputs.home-manager.nixosModules.home-manager
--- a/flake-modules/nixos-modules.nix
+++ b/flake-modules/nixos-modules.nix
@ -1,8 +1,9 @@
 # Expose reusable NixOS modules via `flake.nixosModules`.
 #
 # Consume from a host's flake-module via:
-#   modules = [ config.flake.nixosModules.server-debug-tools ];
+#   modules = [ config.flake.nixosModules.dotfiles-rebuild ];
 { ... }: {
+  flake.nixosModules.dotfiles-rebuild = ../modules/dotfiles-rebuild.nix;
  flake.nixosModules.server-debug-tools = ../modules/server-debug-tools.nix;
  flake.nixosModules.monitoring-node-exporter = ../modules/monitoring-node-exporter.nix;
  flake.nixosModules.monitoring-prometheus-server = ../modules/monitoring-prometheus-server.nix;
--- a/flake.lock
+++ b/flake.lock
@ -13,11 +13,11 @@
        "treefmt-nix": "treefmt-nix"
      },
      "locked": {
-        "lastModified": 1778267301,
-        "narHash": "sha256-/SEnX0wGQuvQ78EKWTIDA8nCUaJhCD0nVbtP5evFdSQ=",
+        "lastModified": 1776708356,
+        "narHash": "sha256-Smv2algQmojsu0m9EEXs+Oy0Tg/SjwI5WN66u/BaxYs=",
        "ref": "fix/dm-pull-deploy-hyphen-hostnames",
-        "rev": "bd2f9c63ed5613eb52a03116df88b06275171f55",
-        "revCount": 47,
+        "rev": "796ee625b60941bb959039924bfc39e5d13481cc",
+        "revCount": 46,
        "type": "git",
        "url": "https://git.clan.lol/dannydannydanny/clan-community.git"
      },
@ -44,11 +44,11 @@
        "treefmt-nix": "treefmt-nix_2"
      },
      "locked": {
-        "lastModified": 1778462753,
-        "narHash": "sha256-/9qWZbrwoVWP0YWuC1Z5HMEb/oy6rNsjypUKTuk1PB4=",
-        "rev": "09551fdb27a7e5712bef371e9271034d503242ed",
+        "lastModified": 1776557977,
+        "narHash": "sha256-j+UWg3fR6jWKPqkPoqRf1a6nR1b/AnZXDuh04H+voUc=",
+        "rev": "e9ced950bedc726492e5cb52139bf5f17258dc69",
        "type": "tarball",
-        "url": "https://git.clan.lol/api/v1/repos/clan/clan-core/archive/09551fdb27a7e5712bef371e9271034d503242ed.tar.gz"
+        "url": "https://git.clan.lol/api/v1/repos/clan/clan-core/archive/e9ced950bedc726492e5cb52139bf5f17258dc69.tar.gz"
      },
      "original": {
        "type": "tarball",
@ -71,11 +71,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1776654564,
-        "narHash": "sha256-5bpzOOXsaAr4g25/ghtKdYO17xg0l+MieCcWgqx24eY=",
-        "rev": "ad23733ebc47284dc1158db43218cf4027824aee",
+        "lastModified": 1776506822,
+        "narHash": "sha256-WlxAhXEoDHbkfFw3uNYra0CXce7pBk314x9chPu7ycE=",
+        "rev": "c3f48f5931b27bb9cc58de8799d36ecefb867d98",
        "type": "tarball",
-        "url": "https://git.clan.lol/api/v1/repos/clan/data-mesher/archive/ad23733ebc47284dc1158db43218cf4027824aee.tar.gz"
+        "url": "https://git.clan.lol/api/v1/repos/clan/data-mesher/archive/c3f48f5931b27bb9cc58de8799d36ecefb867d98.tar.gz"
      },
      "original": {
        "type": "tarball",
@ -90,11 +90,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1776613567,
-        "narHash": "sha256-gC9Cp5ibBmGD5awCA9z7xy6MW6iJufhazTYJOiGlCUI=",
+        "lastModified": 1773889306,
+        "narHash": "sha256-PAqwnsBSI9SVC2QugvQ3xeYCB0otOwCacB1ueQj2tgw=",
        "owner": "nix-community",
        "repo": "disko",
-        "rev": "32f4236bfc141ae930b5ba2fb604f561fed5219d",
+        "rev": "5ad85c82cc52264f4beddc934ba57f3789f28347",
        "type": "github"
      },
      "original": {
@ -110,11 +110,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1777713215,
-        "narHash": "sha256-8GzXDOXckDWwST8TY5DbwYFjdvQLlP7K9CLSVx6iTTo=",
+        "lastModified": 1773889306,
+        "narHash": "sha256-PAqwnsBSI9SVC2QugvQ3xeYCB0otOwCacB1ueQj2tgw=",
        "owner": "nix-community",
        "repo": "disko",
-        "rev": "63b4e7e6cf75307c1d26ac3762b886b5b0247267",
+        "rev": "5ad85c82cc52264f4beddc934ba57f3789f28347",
        "type": "github"
      },
      "original": {
@ -167,11 +167,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1777988971,
-        "narHash": "sha256-qIoWPDs+0/8JecyYgE3gpKQxW/4bLW/gp45vow9ioCQ=",
+        "lastModified": 1775087534,
+        "narHash": "sha256-91qqW8lhL7TLwgQWijoGBbiD4t7/q75KTi8NxjVmSmA=",
        "owner": "hercules-ci",
        "repo": "flake-parts",
-        "rev": "0678d8986be1661af6bb555f3489f2fdfc31f6ff",
+        "rev": "3107b77cd68437b9a76194f0f7f9c55f2329ca5b",
        "type": "github"
      },
      "original": {
@ -223,11 +223,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1778444552,
-        "narHash": "sha256-f18pIiR9q/p1vHY93gmAum7aHhQOG49oGvAB9+lptRo=",
+        "lastModified": 1776184304,
+        "narHash": "sha256-No6QGBmIv5ChiwKCcbkxjdEQ/RO2ZS1gD7SFy6EZ7rc=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "dcebe66f958673729896eec2de4abfd86ef22d21",
+        "rev": "3c7524c68348ef79ce48308e0978611a050089b2",
        "type": "github"
      },
      "original": {
@ -265,11 +265,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1777594677,
-        "narHash": "sha256-h90sHwoRJLRvaTpZroTvU2JRHDFj0czUafM8eqLe1RI=",
+        "lastModified": 1774991950,
+        "narHash": "sha256-kScKj3qJDIWuN9/6PMmgy5esrTUkYinrO5VvILik/zw=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "899c08a15beae5da51a5cecd6b2b994777a948da",
+        "rev": "f2d3e04e278422c7379e067e323734f3e8c585a7",
        "type": "github"
      },
      "original": {
@ -321,11 +321,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1777780666,
-        "narHash": "sha256-8wURyQMdDkGUarSTKOGdCuFfYiwa3HbzwscUfn3STDE=",
+        "lastModified": 1775037210,
+        "narHash": "sha256-KM2WYj6EA7M/FVZVCl3rqWY+TFV5QzSyyGE2gQxeODU=",
        "owner": "nix-darwin",
        "repo": "nix-darwin",
-        "rev": "8c62fba0854ba15c8917aed18894dbccb48a3777",
+        "rev": "06648f4902343228ce2de79f291dd5a58ee12146",
        "type": "github"
      },
      "original": {
@ -339,18 +339,17 @@
      "inputs": {
        "flake-utils": "flake-utils",
        "home-manager": "home-manager_2",
-        "nix-openclaw-tools": "nix-openclaw-tools",
+        "nix-steipete-tools": "nix-steipete-tools",
        "nixpkgs": [
          "nixpkgs"
-        ],
-        "qmd": "qmd"
+        ]
      },
      "locked": {
-        "lastModified": 1778353239,
-        "narHash": "sha256-g0yC+loN19X3Xyn6RuBHeWzevH7Qymt0REW+kyGuCLY=",
+        "lastModified": 1776183358,
+        "narHash": "sha256-uRWaRXGhkyGWMbNgQcmx0+RPzPLenVGopkNHgAEfmBQ=",
        "owner": "openclaw",
        "repo": "nix-openclaw",
-        "rev": "e2ea91056fdd0836bef96326a2b687277dbe3e1c",
+        "rev": "53aac0dce0810c40c75793fdad3d41b0f7e7baaf",
        "type": "github"
      },
      "original": {
@ -359,24 +358,6 @@
        "type": "github"
      }
    },
-    "nix-openclaw-tools": {
-      "inputs": {
-        "nixpkgs": "nixpkgs"
-      },
-      "locked": {
-        "lastModified": 1778060041,
-        "narHash": "sha256-tXWkN1VnwFG8XlRqW/e7VwbKnUfyU9tB7YDm9QHJXTY=",
-        "owner": "openclaw",
-        "repo": "nix-openclaw-tools",
-        "rev": "4c1cee3c7eaf68f9de0f756be1484534f5bb5f34",
-        "type": "github"
-      },
-      "original": {
-        "owner": "openclaw",
-        "repo": "nix-openclaw-tools",
-        "type": "github"
-      }
-    },
    "nix-select": {
      "locked": {
        "lastModified": 1763303120,
@ -390,17 +371,35 @@
        "url": "https://git.clan.lol/clan/nix-select/archive/main.tar.gz"
      }
    },
+    "nix-steipete-tools": {
+      "inputs": {
+        "nixpkgs": "nixpkgs"
+      },
+      "locked": {
+        "lastModified": 1773561580,
+        "narHash": "sha256-wT0bKTp45YnMkc4yXQvk943Zz/rksYiIjEXGdWzxnic=",
+        "owner": "openclaw",
+        "repo": "nix-steipete-tools",
+        "rev": "cd4c429ff3b3aaef9f92e59812cf2baf5704b86f",
+        "type": "github"
+      },
+      "original": {
+        "owner": "openclaw",
+        "repo": "nix-steipete-tools",
+        "type": "github"
+      }
+    },
    "nixos-wsl": {
      "inputs": {
        "flake-compat": "flake-compat",
        "nixpkgs": "nixpkgs_2"
      },
      "locked": {
-        "lastModified": 1777732699,
-        "narHash": "sha256-2uX/XtOWZ/oy2rerRynVhqVA//ZXZ3Fo60PikLHEPQc=",
+        "lastModified": 1776255237,
+        "narHash": "sha256-LQjlc0VEn55WAT4BiI8sIsokb/2FNlcbBD+Xr3MTE24=",
        "owner": "nix-community",
        "repo": "NixOS-WSL",
-        "rev": "5482f113fd31ebac131d1ebeb2ae90bf0d5e41f5",
+        "rev": "9a8c2a85f1ffdcecfb0f9c52c5a73c49ceb43911",
        "type": "github"
      },
      "original": {
@ -428,11 +427,11 @@
    },
    "nixpkgs_2": {
      "locked": {
-        "lastModified": 1776169885,
-        "narHash": "sha256-l/iNYDZ4bGOAFQY2q8y5OAfBBtrDAaPuRQqWaFHVRXM=",
+        "lastModified": 1773734432,
+        "narHash": "sha256-IF5ppUWh6gHGHYDbtVUyhwy/i7D261P7fWD1bPefOsw=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "4bd9165a9165d7b5e33ae57f3eecbcb28fb231c9",
+        "rev": "cda48547b432e8d3b18b4180ba07473762ec8558",
        "type": "github"
      },
      "original": {
@ -444,11 +443,11 @@
    },
    "nixpkgs_3": {
      "locked": {
-        "lastModified": 1778274207,
-        "narHash": "sha256-I4puXmX1iovcCHZlRmztO3vW0mAbbRvq4F8wgIMQ1MM=",
+        "lastModified": 1776255774,
+        "narHash": "sha256-psVTpH6PK3q1htMJpmdz1hLF5pQgEshu7gQWgKO6t6Y=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "b3da656039dc7a6240f27b2ef8cc6a3ef3bccae7",
+        "rev": "566acc07c54dc807f91625bb286cb9b321b5f42a",
        "type": "github"
      },
      "original": {
@ -472,32 +471,6 @@
        "type": "indirect"
      }
    },
-    "qmd": {
-      "inputs": {
-        "flake-utils": [
-          "nix-openclaw",
-          "flake-utils"
-        ],
-        "nixpkgs": [
-          "nix-openclaw",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1775429264,
-        "narHash": "sha256-bqIVaNRTa8H5vrw3RwsD7QdtTa0xNvRuEVzlzE1hIBQ=",
-        "owner": "tobi",
-        "repo": "qmd",
-        "rev": "65cd1b3fd02891d1ee0eefa751620918664fa321",
-        "type": "github"
-      },
-      "original": {
-        "owner": "tobi",
-        "ref": "v2.1.0",
-        "repo": "qmd",
-        "type": "github"
-      }
-    },
    "root": {
      "inputs": {
        "clan-community": "clan-community",
@ -665,11 +638,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1778394798,
-        "narHash": "sha256-/jR8bModWv0ji305ecMgAB+2eaXLZiYdH+9Z4JIRkuA=",
+        "lastModified": 1776317517,
+        "narHash": "sha256-JP1XVRabZquf7pnXvRUjp7DV+EBrB6Qmp3+vG3HMy/k=",
        "owner": "0xc000022070",
        "repo": "zen-browser-flake",
-        "rev": "45bc54456044b96492923739bfae633e1a4352e1",
+        "rev": "0a7be59e988bb2cb452080f59aaabae70bc415ae",
        "type": "github"
      },
      "original": {
--- a/modules/dotfiles-rebuild.nix
+++ b/modules/dotfiles-rebuild.nix
@ -0,0 +1,44 @@
+# Shared auto-rebuild-from-git service for homelab hosts.
+#
+# Every 15 min: git fetch origin, fast-forward main, and if there were any
+# new commits run nixos-rebuild switch against `<dotfilesDir>#<host>`.
+#
+# Assumes /etc/dotfiles is an already-cloned checkout of the dotfiles repo.
+{ config, lib, pkgs, ... }:
+let
+  dotfilesDir = "/etc/dotfiles";
+  flakeRef = "${dotfilesDir}#${config.networking.hostName}";
+in {
+  environment.systemPackages = [ pkgs.git ];
+
+  # Trust /etc/dotfiles as root even though it's owned by `danny`.
+  # nix/libgit2 reads safe.directory from /etc/gitconfig; the GIT_CONFIG_*
+  # env vars on the service only affect the git CLI, not nix.
+  programs.git.enable = true;
+  programs.git.config.safe.directory = [ dotfilesDir ];
+
+  systemd.services.dotfiles-rebuild = {
+    description = "Pull dotfiles and run nixos-rebuild if repo changed";
+    path = with pkgs; [ git nix nixos-rebuild ];
+    environment.GIT_CONFIG_COUNT = "1";
+    environment.GIT_CONFIG_KEY_0 = "safe.directory";
+    environment.GIT_CONFIG_VALUE_0 = dotfilesDir;
+    script = ''
+      set -euo pipefail
+      cd ${dotfilesDir}
+      git fetch origin
+      if [ "$(git rev-parse HEAD)" = "$(git rev-parse origin/main)" ]; then
+        exit 0
+      fi
+      git pull origin main
+      exec nixos-rebuild switch --flake ${flakeRef}
+    '';
+    serviceConfig.Type = "oneshot";
+  };
+
+  systemd.timers.dotfiles-rebuild = {
+    wantedBy = [ "timers.target" ];
+    timerConfig.OnCalendar = "*-*-* *:00/15:00";  # every 15 minutes
+    timerConfig.RandomizedDelaySec = "2min";
+  };
+}
--- a/nixos/home/danny/home.nix
+++ b/nixos/home/danny/home.nix
@ -228,10 +228,9 @@
    # alacritty   # TODO: configured via programs.alacritty above, so not needed here
    # warp-terminal # TODO: Bloat
    # vscodium     # TODO: Bloat
-    zed-editor
+    # zed-editor   # TODO: Bloat
    code-cursor
    cursor-cli
-    cinny-desktop # Matrix client (Tauri wrapper around the Cinny web app)
    dfu-util      # USB DFU firmware flasher (Flipper Zero etc.)
    discord
    mapscii
--- a/nixos/hosts/phantom-ship.nix
+++ b/nixos/hosts/phantom-ship.nix
@ -545,7 +545,7 @@ in
  systemd.timers.hara-heartbeat = {
    wantedBy = [ "timers.target" ];
    timerConfig = {
-      OnCalendar = "06:07";
+      OnCalendar = "06,10,14,18:07";
      Timezone = "Europe/Copenhagen";
      Persistent = true;
    };
--- a/nixos/hosts/sunken-ship.nix
+++ b/nixos/hosts/sunken-ship.nix
@ -72,7 +72,7 @@
  # x86_64-linux builds here via ssh-ng://danny@sunken-ship-zt).
  nix.settings.trusted-users = [ "root" "danny" ];
  environment.systemPackages = with pkgs; [
-    git # clone/bootstrap, repo-pull timers, dm-pull-deploy push
+    git # clone/bootstrap and dotfiles-rebuild timer
    brightnessctl # manual backlight; replaces removed `light` from nixpkgs
    uxplay # AirPlay mirroring receiver
    alsa-utils # aplay, amixer, arecord for audio debugging
@ -347,10 +347,7 @@
  # not in the repo, so they survive pulls.
  systemd.services.mulbo-pull = {
    description = "Pull mulbo repo and restart mulbo-server if changed";
-    # openssh: `git fetch origin` over an SSH remote forks `ssh`; without
-    # it git dies with "cannot run ssh: No such file or directory" and the
-    # unit fails (shows up as system `degraded`).
-    path = with pkgs; [ git openssh systemd ];
+    path = with pkgs; [ git systemd ];
    environment = {
      GIT_CONFIG_COUNT   = "1";
      GIT_CONFIG_KEY_0   = "safe.directory";
@ -375,33 +372,6 @@
    timerConfig.RandomizedDelaySec = "2min";
  };

-  # dm-pull-deploy push automation. sunken-ship is the push node for the
-  # clan dm-pull-deploy instance (wired in flake-modules/clan.nix), but
-  # the upstream module only ships a manual `dm-send-deploy` binary — no
-  # scheduler. This timer announces the latest origin/main rev over
-  # data-mesher gossip; the watchers (dm-pull-deploy.path on sunken +
-  # phantom) compare and only rebuild when the rev actually changes, so
-  # re-announcing the same rev is a cheap no-op. This is the replacement
-  # for the legacy dotfiles-rebuild pull timer (being retired).
-  #
-  # dm-send-deploy self-discovers the rev via `git ls-remote` and signs
-  # with /run/secrets/vars/dm-pull-deploy-signing-key — needs root.
-  systemd.services.dm-pull-deploy-push = {
-    description = "Announce latest origin/main rev via data-mesher (dm-pull-deploy push)";
-    serviceConfig = {
-      Type = "oneshot";
-      ExecStart = "/run/current-system/sw/bin/dm-send-deploy";
-      User = "root";
-    };
-  };
-
-  systemd.timers.dm-pull-deploy-push = {
-    wantedBy = [ "timers.target" ];
-    timerConfig.OnCalendar = "*-*-* *:04/15:00";  # every 15 min, offset from the other pull timers
-    timerConfig.RandomizedDelaySec = "2min";
-    timerConfig.Persistent = true;
-  };
-
  # One-shot backfill: walks Navidrome's media_file, computes
  # (sha256, chromaprint) per file, populates mulbo-server's tracks_index
  # with the corresponding navidrome_track_id. Idempotent — existing rows
@ -473,8 +443,6 @@
    };
  };

-  # Deploys now flow through clan dm-pull-deploy: the dm-pull-deploy-push
-  # timer above announces origin/main, and the dm-pull-deploy.path watcher
-  # rebuilds on change. The legacy pull-based dotfiles-rebuild module was
-  # retired 2026-05-19.
+  # Auto-rebuild service/timer + safe.directory provided by the
+  # shared dotfiles-rebuild NixOS module (see nixos/modules/dotfiles-rebuild.nix).
 }
--- a/nixos/hosts/vps-relay.nix
+++ b/nixos/hosts/vps-relay.nix
@ -46,13 +46,8 @@
    isNormalUser = true;
    extraGroups = [ "wheel" ];
    openssh.authorizedKeys.keys = [
-      # Mac admin key (~/.ssh/id_ed25519_sunken_ship on the laptop — the
-      # key the Mac uses to reach the fleet). Used for `clan machines
-      # update vps-relay` from the Mac and at install via clan.
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKW/akfIiVU5o63YrTAJVZhMj7kXfYHOnXDtlpVFW7pf danny@mac-admin"
-      # sunken-ship's own key, so the push node can SSH into vps-relay
-      # over ZeroTier for mesh introspection / debugging.
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB9t4YAaoHvVouqp+qyFOq8o3SAtXMiAmjF6J0ldyx4g danny@sunken-ship"
+      # Same pubkey used to reach sunken-ship; set at install via clan.
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKW/akfIiVU5o63YrTAJVZhMj7kXfYHOnXDtlpVFW7pf danny@sunken-ship"
    ];
  };
  users.users.root.openssh.authorizedKeys.keys =
@ -150,11 +145,6 @@
      "dannydannydanny.me".extraConfig = ''
        reverse_proxy http://[fdd5:53a2:de33:d269:6499:936c:48a:bbdc]:8092
      '';
-      # kf — Kyranna Fardi architecture portfolio. Same notes service on
-      # phantom :8092, routed by Host header (PORTFOLIO_HOST).
-      "kf.dannydannydanny.me".extraConfig = ''
-        reverse_proxy http://[fdd5:53a2:de33:d269:6499:936c:48a:bbdc]:8092
-      '';
    };
  };

--- a/nixos/neovim.nix
+++ b/nixos/neovim.nix
@ -41,7 +41,6 @@
      end

      -- General options
-      vim.opt.cursorline = true
      vim.opt.mouse = "a"
      vim.opt.listchars = { tab = "→ ", space = "·", nbsp = "␣", trail = "•", eol = "¶", precedes = "«", extends = "»" }
      vim.opt.clipboard:append("unnamedplus")