refactor(nix): move flake to repo root 🚚

clan-cli silently ignores the `?dir=` URL parameter when resolving a
flake source, so with the flake at nixos/flake.nix `clan machines
update` fails with "flake.nix does not exist". Move the flake tree up
so the repo root contains flake.nix, flake.lock, flake-modules/, lib/,
modules/, sops/, and vars/. Host-specific NixOS modules stay in
nixos/{hosts,home,fish.nix,neovim.nix,…}; flake-module paths updated
accordingly.

- dotfiles-rebuild flakeRef is now "${dotfilesDir}#<host>" (was
  "${dotfilesDir}/nixos#<host>").
- CLAUDE.md build commands + clan section updated. nixupdate fish alias
  updated. sunken-ship hostsfile comment updated.
- Existing /etc/dotfiles checkouts on the servers will pick up the new
  layout on the next `dotfiles-rebuild` timer tick; the rebuild service
  was pre-updated via rsync so its flakeRef matches before the pull.

Also includes 4b follow-through: zerotier identities are now live on
both servers (sunken-ship=d553a2de33 controller, phantom-ship=6c048abbdc
peer) and IPv6 ping across the ZT mesh works.

flake-modules/clan.nix

@@ -0,0 +1,80 @@
+# clan.lol wiring for the homelab.
+#
+# Declares `sunken-ship` and `phantom-ship` as clan machines. Each machine's
+# `imports` list is the NixOS module set that used to live in its own
+# flake-module. clan-core produces `flake.nixosConfigurations.<name>` from
+# these, which is why the old per-host flake-modules were removed.
+#
+# The mac stays outside the clan — admin only, uses `clan machines update`
+# to push to the servers.
+{ config, inputs, ... }:
+let
+  lib = inputs.nixpkgs.lib;
+  hmModule = { user, homeDirectory, stateVersion ? null, userImports ? [ ] }:
+    import ../lib/home-manager-user.nix {
+      inherit lib user homeDirectory stateVersion userImports;
+    };
+in {
+  imports = [ inputs.clan-core.flakeModules.default ];
+
+  clan = {
+    meta.name = "homelab";
+
+    # Inventory machines — required for `inventory.instances` role bindings
+    # to resolve. Host-specific NixOS config lives under `machines.<name>`
+    # below.
+    inventory.machines.sunken-ship = { };
+    inventory.machines.phantom-ship = { };
+
+    # ZeroTier mesh VPN. sunken-ship is the controller (manages network
+    # membership); phantom-ship is a peer. The mac joins manually as an
+    # external ZT client and is authorized on the controller by node ID.
+    inventory.instances.zerotier = {
+      module.name = "zerotier";
+      module.input = "clan-core";
+      roles.controller.machines.sunken-ship = { };
+      roles.peer.machines.phantom-ship = { };
+      roles.peer.machines.sunken-ship = { };
+    };
+
+    # Preserve current network / init stack (no systemd-networkd/resolved,
+    # no boot.initrd.systemd, no extra debug packages). Revisit per-service
+    # in later stages rather than flipping this fleet-wide.
+    machines.sunken-ship = {
+      imports = [
+        {
+          clan.core.enableRecommendedDefaults = false;
+          clan.core.networking.targetHost = "danny@sunken-ship";
+          clan.core.networking.buildHost = "danny@sunken-ship";
+        }
+        ../nixos/hosts/sunken-ship.nix
+        config.flake.nixosModules.dotfiles-rebuild
+        inputs.home-manager.nixosModules.home-manager
+        (hmModule {
+          user = "danny";
+          homeDirectory = "/home/danny";
+          stateVersion = "25.11";
+        })
+      ];
+    };
+
+    machines.phantom-ship = {
+      imports = [
+        {
+          clan.core.enableRecommendedDefaults = false;
+          clan.core.networking.targetHost = "danny@phantom-ship";
+          clan.core.networking.buildHost = "danny@phantom-ship";
+        }
+        inputs.nix-openclaw.nixosModules.openclaw-gateway
+        ../nixos/hosts/phantom-ship.nix
+        config.flake.nixosModules.dotfiles-rebuild
+        inputs.home-manager.nixosModules.home-manager
+        (hmModule {
+          user = "danny";
+          homeDirectory = "/home/danny";
+          stateVersion = "25.11";
+        })
+      ];
+    };
+  };
+}

flake-modules/daniel-macbook-air.nix

@@ -0,0 +1,22 @@
+{ inputs, ... }: {
+  flake.darwinConfigurations."Daniel-Macbook-Air" = inputs.nix-darwin.lib.darwinSystem {
+    modules = [
+      # Overlay: make zen-browser available as pkgs.zen-browser
+      { nixpkgs.overlays = [ (final: prev: {
+          zen-browser = inputs.zen-browser.packages.${final.stdenv.hostPlatform.system}.default;
+        }) ];
+      }
+
+      ../nixos/hosts/daniel-macbook-air.nix
+      ../nixos/fish.nix
+
+      inputs.home-manager.darwinModules.home-manager
+      (import ../lib/home-manager-user.nix {
+        lib = inputs.nixpkgs.lib;
+        user = "danny";
+        homeDirectory = "/Users/danny";
+        userImports = [ ../nixos/home/danny/home.nix ];
+      })
+    ];
+  };
+}

flake-modules/installer-iso.nix

@@ -0,0 +1,11 @@
+{ inputs, self, ... }: {
+  # Custom minimal installer ISO (build with: nix build .#installer-iso).
+  # Optional: add ./installer-wifi.nix (gitignored) to modules for live WiFi.
+  flake.nixosConfigurations.installer-iso = inputs.nixpkgs.lib.nixosSystem {
+    system = "x86_64-linux";
+    modules = [ ../nixos/installer-iso.nix ];
+  };
+
+  flake.packages.x86_64-linux.installer-iso =
+    self.nixosConfigurations.installer-iso.config.system.build.isoImage;
+}

flake-modules/nixos-modules.nix

@@ -0,0 +1,7 @@
+# Expose reusable NixOS modules via `flake.nixosModules`.
+#
+# Consume from a host's flake-module via:
+#   modules = [ config.flake.nixosModules.dotfiles-rebuild ];
+{ ... }: {
+  flake.nixosModules.dotfiles-rebuild = ../modules/dotfiles-rebuild.nix;
+}

flake-modules/server-install.nix

@@ -0,0 +1,11 @@
+{ inputs, ... }: {
+  # For disko-install: LUKS + WiFi; hostname/WiFi via --system-config.
+  flake.nixosConfigurations.server-install = inputs.nixpkgs.lib.nixosSystem {
+    system = "x86_64-linux";
+    modules = [
+      inputs.disko.nixosModules.disko
+      ../nixos/disko-server.nix
+      ../nixos/hosts/server-install.nix
+    ];
+  };
+}

flake-modules/wsl.nix

@@ -0,0 +1,19 @@
+{ inputs, ... }: {
+  flake.nixosConfigurations.wsl = inputs.nixpkgs.lib.nixosSystem {
+    system = "x86_64-linux";
+    modules = [
+      inputs.nixos-wsl.nixosModules.default
+      inputs.vscode-server.nixosModules.default
+      ../nixos/hosts/wsl.nix
+      ../nixos/fish.nix
+
+      inputs.home-manager.nixosModules.home-manager
+      (import ../lib/home-manager-user.nix {
+        lib = inputs.nixpkgs.lib;
+        user = "dth";
+        homeDirectory = "/home/dth";
+        userImports = [ ../nixos/home/danny/home.nix ];
+      })
+    ];
+  };
+}