11 changed files with 158 additions and 78 deletions
--- a/.forgejo/workflows/ci.yml
+++ b/.forgejo/workflows/ci.yml
@ -23,4 +23,4 @@ jobs:
        run: nix build .#nixosConfigurations.cryodev-main.config.system.build.toplevel --impure

      - name: Build cryodev-pi
-        run: nix build .#nixosConfigurations.cryodev-pi.config.system.build.toplevel --impure --extra-platforms aarch64-linux
+        run: nix build .#nixosConfigurations.cryodev-pi.config.system.build.toplevel --impure
--- a/.forgejo/workflows/deploy.yml
+++ b/.forgejo/workflows/deploy.yml
@ -26,10 +26,10 @@ jobs:
        run: nix build .#nixosConfigurations.cryodev-main.config.system.build.toplevel --impure

      - name: Build cryodev-pi
-        run: nix build .#nixosConfigurations.cryodev-pi.config.system.build.toplevel --impure --extra-platforms aarch64-linux
+        run: nix build .#nixosConfigurations.cryodev-pi.config.system.build.toplevel --impure

  build-pi-images:
-    needs: build-hosts
+    needs: flake-check
    runs-on: host
    strategy:
      matrix:
--- a/AGENTS.md
+++ b/AGENTS.md
@ -27,7 +27,7 @@ nix build .#nixosConfigurations.cryodev-pi.config.system.build.sdImage
 # Format code (required before committing)
 nix fmt

-# Run all checks (lint, formatting)
+# Run all checks (lint, formatting, deploy-rs validation)
 nix flake check

 # Quick evaluation test (faster than full build)
@ -46,17 +46,14 @@ nix develop
 # Deploy all hosts via deploy app (uses deploy.json)
 nix run .#deploy

-# Deploy a specific host
-nix run .#deploy -- -n cryodev-main
+# Deploy to cryodev-main via deploy-rs
+nix run github:serokell/deploy-rs -- .#cryodev-main

 # Manual deployment via SSH
 NIX_SSHOPTS="-p 2299" nixos-rebuild switch --flake .#<hostname> \
  --target-host <user>@<ip> --sudo --ask-sudo-password
 ```

-> **Note:** Both hosts use Comin for automatic pull-based deployment.
-> Manual deployment is only needed for the initial setup or emergencies.
-
 ### Apps

 ```bash
@ -203,7 +200,7 @@ services.nginx.enable = lib.mkDefault true;

 | Host | Strategy | Trigger |
 |------|----------|---------|
-| `cryodev-main` | Pull via Comin | Automatic polling |
+| `cryodev-main` | Push via deploy-rs | Forgejo Actions on push to main |
 | `cryodev-pi` | Pull via Comin | Automatic polling |
 | SD Images | Built in CI | Push to main (for Pi hosts) |

--- a/README.md
+++ b/README.md
@ -6,8 +6,8 @@ Declarative NixOS infrastructure for the **cryodev** environment, managed with N

 ```bash
 # Clone repository
-git clone https://git.cryodev.xyz/steffen/cryodev.git
-cd cryodev
+git clone https://git.cryodev.xyz/steffen/cryodev-server.git
+cd cryodev-server

 # Check configuration
 nix flake check
@ -20,7 +20,7 @@ nix build .#nixosConfigurations.cryodev-main.config.system.build.toplevel

 | Host | Architecture | Deployment | Description |
 |------|--------------|------------|-------------|
-| `cryodev-main` | x86_64 | Pull (Comin) | Main server |
+| `cryodev-main` | x86_64 | Push (deploy-rs) | Main server |
 | `cryodev-pi` | aarch64 | Pull (Comin) | Raspberry Pi client |

 ## Services
@ -37,7 +37,7 @@ nix build .#nixosConfigurations.cryodev-main.config.system.build.toplevel

 SD card images for Raspberry Pi clients are **built automatically** on every push to `main`.

-Download from: [Releases](https://git.cryodev.xyz/steffen/cryodev/releases)
+Download from: [Releases](https://git.cryodev.xyz/steffen/cryodev-server/releases)

 ```bash
 # Flash to SD card
--- a/docs/deployment/cd.md
+++ b/docs/deployment/cd.md
@ -1,38 +1,121 @@
 # Continuous Deployment

-All hosts use **Comin** (pull-based) for automatic deployment.
+The cryodev infrastructure uses two deployment strategies optimized for different host types.

 ## Overview

 | Host | Strategy | Tool | Trigger |
 |------|----------|------|---------|
-| `cryodev-main` | Pull-based | Comin | Automatic polling |
-| `cryodev-pi` | Pull-based | Comin | Automatic polling |
+| `cryodev-main` | Push-based | deploy-rs | Git push via Forgejo Actions |
+| `cryodev-pi` | Pull-based | Comin | Periodic polling |

-## How It Works
+## Push-based Deployment (cryodev-main)
+
+### How It Works

 1. Developer pushes to `main` branch
-2. CI (Forgejo Actions) runs flake-check and builds all hosts
-3. Comin on each host periodically polls the Git repository
-4. On changes, Comin builds and activates the new configuration
+2. Forgejo Actions workflow triggers
+3. `deploy-rs` connects via SSH and deploys

-## Configuration
+### Setup
+
+#### 1. Generate Deploy Key
+
+```bash
+ssh-keygen -t ed25519 -f deploy_key -C "forgejo-actions"
+```
+
+#### 2. Add Public Key to Server
+
+On `cryodev-main`:
+
+```bash
+echo "PUBLIC_KEY_CONTENT" >> /root/.ssh/authorized_keys
+```
+
+#### 3. Add Private Key to Forgejo
+
+1. Go to Repository Settings > Secrets
+2. Add secret named `DEPLOY_SSH_KEY`
+3. Paste the private key content
+
+#### 4. Workflow Configuration
+
+`.forgejo/workflows/deploy.yaml`:
+
+```yaml
+name: Deploy
+on:
+  push:
+    branches: [main]
+
+jobs:
+  check:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: cachix/install-nix-action@v24
+      - run: nix flake check
+
+  deploy:
+    needs: check
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: cachix/install-nix-action@v24
+      
+      - name: Setup SSH
+        env:
+          SSH_PRIVATE_KEY: ${{ secrets.DEPLOY_SSH_KEY }}
+        run: |
+          mkdir -p ~/.ssh
+          echo "$SSH_PRIVATE_KEY" > ~/.ssh/id_ed25519
+          chmod 600 ~/.ssh/id_ed25519
+          ssh-keyscan cryodev-main >> ~/.ssh/known_hosts
+          
+      - name: Deploy
+        run: nix run github:serokell/deploy-rs -- .#cryodev-main
+```
+
+### Rollback
+
+deploy-rs automatically rolls back if the new configuration fails health checks.
+
+Manual rollback:
+
+```bash
+# List generations
+sudo nix-env -p /nix/var/nix/profiles/system --list-generations
+
+# Rollback to previous
+sudo nixos-rebuild switch --rollback
+```
+
+## Pull-based Deployment (cryodev-pi)
+
+### How It Works
+
+1. Comin periodically polls the Git repository
+2. On changes, it builds and activates the new configuration
+3. Works through NAT without incoming connections
+
+### Configuration

 ```nix
-# hosts/<hostname>/services/comin.nix
+# hosts/cryodev-pi/services/comin.nix
 {
  services.comin = {
    enable = true;
    remotes = [{
      name = "origin";
-      url = "https://git.cryodev.xyz/steffen/cryodev.git";
+      url = "https://git.cryodev.xyz/steffen/cryodev-server.git";
      branches.main.name = "main";
    }];
  };
 }
 ```

-## Monitoring
+### Monitoring

 Check Comin status:

@ -47,7 +130,7 @@ Force immediate update:
 sudo systemctl restart comin
 ```

-## Troubleshooting
+### Troubleshooting

 If Comin fails to build:

@ -57,30 +140,23 @@ sudo journalctl -u comin --since "1 hour ago"

 # Manual build test
 cd /var/lib/comin/repo
-nix build .#nixosConfigurations.<hostname>.config.system.build.toplevel
-```
-
-## Rollback
-
-```bash
-# List generations
-sudo nix-env -p /nix/var/nix/profiles/system --list-generations
-
-# Rollback to previous
-sudo nixos-rebuild switch --rollback
+nix build .#nixosConfigurations.cryodev-pi.config.system.build.toplevel
 ```

 ## Manual Deployment

-For initial setup or emergencies:
+For hosts not using automated deployment:

 ```bash
-# Using the deploy app
-nix run .#deploy -- -n <hostname>
+# Build locally
+nix build .#nixosConfigurations.<hostname>.config.system.build.toplevel

-# Or manually with nixos-rebuild
+# Deploy with nixos-rebuild
 NIX_SSHOPTS="-p 2299" nixos-rebuild switch --flake .#<hostname> \
  --target-host <user>@<hostname> --sudo --ask-sudo-password
+
+# Or using deploy-rs
+nix run github:serokell/deploy-rs -- .#<hostname>
 ```

 ## Testing Changes
--- a/docs/index.md
+++ b/docs/index.md
@ -90,5 +90,5 @@ Für Raspberry Pi: [SD-Image Referenz](getting-started/sd-image.md)

 | Host | Strategie | Tool | Beschreibung |
 |------|-----------|------|--------------|
-| `cryodev-main` | Pull-basiert | Comin | Pollt Repository auf Aenderungen |
-| `cryodev-pi` | Pull-basiert | Comin | Pollt Repository auf Aenderungen |
+| `cryodev-main` | Push-basiert | deploy-rs via Forgejo Actions | Sofortige Updates bei Push |
+| `cryodev-pi` | Pull-basiert | Comin | Pollt Repository auf Änderungen |
--- a/docs/services/forgejo.md
+++ b/docs/services/forgejo.md
@ -75,23 +75,44 @@ forgejo-runner:

 ## CI/CD Workflows

-CI runs on every push to `main` via Forgejo Actions:
+### deploy-rs Workflow

-1. **flake-check** -- validates the flake
-2. **build-hosts** -- builds all host configurations
+`.forgejo/workflows/deploy.yaml`:

-Deployment is handled by **Comin** (pull-based), not by CI.
-See [CD documentation](../deployment/cd.md) for details.
+```yaml
+name: Deploy
+on:
+  push:
+    branches: [main]
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      
+      - name: Install Nix
+        uses: cachix/install-nix-action@v24
+        
+      - name: Deploy
+        env:
+          SSH_PRIVATE_KEY: ${{ secrets.DEPLOY_SSH_KEY }}
+        run: |
+          mkdir -p ~/.ssh
+          echo "$SSH_PRIVATE_KEY" > ~/.ssh/id_ed25519
+          chmod 600 ~/.ssh/id_ed25519
+          nix run .#deploy
+```

 ## Administration

 ### Create Admin User

 ```bash
-forgejo admin user create \
-  --username <benutzername> \
-  --email <email>@<domain> \
-  --password <passwort> \
+sudo -u forgejo forgejo admin user create \
+  --username admin \
+  --password changeme \
+  --email admin@cryodev.xyz \
  --admin
 ```

--- a/hosts/cryodev-pi/hardware.nix
+++ b/hosts/cryodev-pi/hardware.nix
@ -3,15 +3,11 @@
 {
  boot = {
    kernelPackages = pkgs.linuxKernel.packages.linux_rpi4;
-    initrd = {
-      availableKernelModules = [
-        "xhci_pci"
-        "usbhid"
-        "usb_storage"
-      ];
-      # Disable default x86 modules that don't exist in the Pi kernel (e.g. dw-hdmi)
-      includeDefaultModules = false;
-    };
+    initrd.availableKernelModules = [
+      "xhci_pci"
+      "usbhid"
+      "usb_storage"
+    ];
  };

  fileSystems = {
--- a/hosts/cryodev-pi/sd-image.nix
+++ b/hosts/cryodev-pi/sd-image.nix
@ -27,12 +27,4 @@
    "vfat"
    "ext4"
  ];
-
-  # sd-image.nix imports all-hardware.nix which adds x86 modules like dw-hdmi
-  # that don't exist in the RPi4 kernel. Filter them out.
-  boot.initrd.availableKernelModules = lib.mkForce [
-    "xhci_pci"
-    "usbhid"
-    "usb_storage"
-  ];
 }
--- a/modules/nixos/nixvim/plugins/default.nix
+++ b/modules/nixos/nixvim/plugins/default.nix
@ -11,6 +11,8 @@
  ];

  config.programs.nixvim.plugins = {
+    markdown-preview.enable = lib.mkDefault true;
+    # warning: Nixvim: `plugins.web-devicons` was enabled automatically because the following plugins are enabled. This behaviour is deprecated. Please explicitly define `plugins.web-devicons.enable`
    web-devicons.enable = true;
  };
 }
--- a/templates/raspberry-pi/hardware.nix
+++ b/templates/raspberry-pi/hardware.nix
@ -3,15 +3,11 @@
 {
  boot = {
    kernelPackages = pkgs.linuxKernel.packages.linux_rpi4;
-    initrd = {
-      availableKernelModules = [
-        "xhci_pci"
-        "usbhid"
-        "usb_storage"
-      ];
-      # Disable default x86 modules that don't exist in the Pi kernel (e.g. dw-hdmi)
-      includeDefaultModules = false;
-    };
+    initrd.availableKernelModules = [
+      "xhci_pci"
+      "usbhid"
+      "usb_storage"
+    ];
  };

  fileSystems = {