refactor(nix): move flake to repo root 🚚

clan-cli silently ignores the `?dir=` URL parameter when resolving a flake source, so with the flake at nixos/flake.nix `clan machines update` fails with "flake.nix does not exist". Move the flake tree up so the repo root contains flake.nix, flake.lock, flake-modules/, lib/, modules/, sops/, and vars/. Host-specific NixOS modules stay in nixos/{hosts,home,fish.nix,neovim.nix,…}; flake-module paths updated accordingly. - dotfiles-rebuild flakeRef is now "${dotfilesDir}#<host>" (was "${dotfilesDir}/nixos#<host>"). - CLAUDE.md build commands + clan section updated. nixupdate fish alias updated. sunken-ship hostsfile comment updated. - Existing /etc/dotfiles checkouts on the servers will pick up the new layout on the next `dotfiles-rebuild` timer tick; the rebuild service was pre-updated via rsync so its flakeRef matches before the pull. Also includes 4b follow-through: zerotier identities are now live on both servers (sunken-ship=d553a2de33 controller, phantom-ship=6c048abbdc peer) and IPv6 ping across the ZT mesh works.
2026-04-19 15:19:59 +02:00 · 2026-04-19 15:19:59 +02:00 · 88c51399d0
commit 88c51399d0
parent 9921a7f9f1
33 changed files with 29 additions and 24 deletions
--- a/vars/per-machine/phantom-ship/zerotier/zerotier-identity-secret/machines/phantom-ship
+++ b/vars/per-machine/phantom-ship/zerotier/zerotier-identity-secret/machines/phantom-ship
@ -0,0 +1 @@
+../../../../../../sops/machines/phantom-ship
--- a/vars/per-machine/phantom-ship/zerotier/zerotier-identity-secret/secret
+++ b/vars/per-machine/phantom-ship/zerotier/zerotier-identity-secret/secret
@ -0,0 +1,18 @@
+{
+	"data": "ENC[AES256_GCM,data:g6eYxa672pfIHJ6jaTAf63ubXIJMPg08GJU2vwnF3hsCK73s5zkbFTd2GiLOZxlk641SK0bIfedABmsybG63qzFW2BOMIaUree0dlDv/u0oaRGdKCrrrrboxi6YbBncKgJLJpiAsmHZ9dsTz4bpicmj0JOBJ6f5HsD95qfy62yMOTSGZD7vdH43cXfbXxg49mKE7Ku2TL8a8awDiFc+Dqk+8QmMxr1XmF/IhYna+Amc+3OtmGGNEfoR8z7yHz13YA0CjJOe0QT2/GgRSUn5B43OkKhpR3e8mwtq6TAFRlBExt5Ccb4P09INcCA2oeAnyi0SEtwHg7KyPIDRJpEYVQ7jWAEFbNtOseBEbnibs,iv:QGNEvG0eLzVFw4lEqDYaSoUK318TRap61rqLD5Djzb0=,tag:vm73BNMMcF+0fiIkugqwxg==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age18gtjh28qxeltg2r2tzxwl096crkqkqk8tjhersyf7mzdsddady7qs34x0m",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLUEJqQXNHcitJNnBEZDZW\nbFdieDFOaDFEazk4cUY5aXYrMjJabnVmWndVCjU0WmRpemNsWUMxN1N0R2dpSTla\nNzliTFFOU1o4VlBwSTJLN1krSEZ0TWMKLS0tIElyd3ovRno0Y3pGd1FFTE5VN0tM\ndTU2c25WcWN4YW15cGErSUJvYmFuRXcKKjBQln8jyOSBa1X1EJJSUg528waFL/8F\nkCpket2TGmNCvMDSai+5Iqe6X222J86uzoXsrLPl2PZaOCXD4t+gRw==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1g6y8gvcampqj5y3yzdajke2h5n7k6ckdg6a424cghy5325px7cmqjmmd28",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrSFNPWW92QkFFYURROGJG\nbTZoS0hFQk52RVNSTWJsclBYRWxIS3c3RTFZCldhQ0QvUmhlRzg5Q3lHUnBnTUtN\nWEZqbWpFOUZhMStzNldCRXdyQzlyWnMKLS0tIGV6anNjVktWamkvbkF3OUxVS1Ji\nUGMzc2FxeE5YTmdMVTRtUDNuMlFaTlkKoJcPcmoMgxVRvcLv7ejws4IJnQd+Yt7s\njqWi0q4iwGLZSLUPb8NUZpWEn0Jbji2edSpATzf67uws1TFHGAMmuA==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2026-04-19T12:31:44Z",
+		"mac": "ENC[AES256_GCM,data:hjIn5hcpgQkrWFTsQ3BdmQFPKeubs90opSl06z2Dh7mzTcSqCSF3cQ/l8fj+GD2GuptEMbPczOIoiJfKNxoLDp5L4iHIou7XwFXVhhdjm8fqIMHusnZc/eQBI/H6J2fHWzJ1gxgsKlkazsY3cbWxLfqdz7vAV06SflW5/B5Hbto=,iv:BeB417C5r4uVHSKs9UzwJI+A4F9NrrpoTRn+X14sMtA=,tag:PcaaJrMXO0h6EzdKpVl9xg==,type:str]",
+		"version": "3.12.2"
+	}
+}
--- a/vars/per-machine/phantom-ship/zerotier/zerotier-identity-secret/users/danny
+++ b/vars/per-machine/phantom-ship/zerotier/zerotier-identity-secret/users/danny
@ -0,0 +1 @@
+../../../../../../sops/users/danny
--- a/vars/per-machine/phantom-ship/zerotier/zerotier-ip/value
+++ b/vars/per-machine/phantom-ship/zerotier/zerotier-ip/value
@ -0,0 +1 @@
+fdd5:53a2:de33:d269:6499:936c:48a:bbdc
--- a/vars/per-machine/sunken-ship/zerotier/zerotier-identity-secret/machines/sunken-ship
+++ b/vars/per-machine/sunken-ship/zerotier/zerotier-identity-secret/machines/sunken-ship
@ -0,0 +1 @@
+../../../../../../sops/machines/sunken-ship
--- a/vars/per-machine/sunken-ship/zerotier/zerotier-identity-secret/secret
+++ b/vars/per-machine/sunken-ship/zerotier/zerotier-identity-secret/secret
@ -0,0 +1,18 @@
+{
+	"data": "ENC[AES256_GCM,data:6WHKA76dLKWJnGpNp45EAwf4gvHnoccXbGz1bCH5EYN/7o0zcl8KziabKjG+hY4BlG7CsNPCOVr2bWAVkWBjTQVoYNwaBNsQ2DF15E0/qxqCYUXKUNoZ5xkWvrcNbVCyEdDAZX9abpAyLenlOMRLFNaWlOsKVr44uG9j75KyMc8NNl4UvCjuBEdAvNLOhEOWuQaRJc73IJAet7pWxP7HkwkihR4+GVIft1UygNYmcThPr2A1+DdNf+IsCNJTR+FL2l3OupCIBawSR6/L/cjyBt1YvIu6fCSYs82r63+W2RKlIzpvoyupEH2vteSgiaLNQ8/j114f4MCZjSgJ3y8SKloZAQTPpsobsnHhYNUS,iv:oji4lQxeXdrvoERb/EtXJEC0LNqn4qBewxM2/rD1FfY=,tag:XQBCSwHw2MFiI4qRdX4klw==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1g6y8gvcampqj5y3yzdajke2h5n7k6ckdg6a424cghy5325px7cmqjmmd28",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYZmhNdTVjSG91RGpyMnlv\nY2x0azE3YTZhTDlzTGZOUXdvbEJhTmNqbzFZCmZPWWtOZG52V1NLVFRlODA2N1dB\neCtsWXg5Q3I3MTJKWlJkeTBwOG00aUUKLS0tIDBnRFRrcXJ5SnZEUTN3REs5VTZH\nNlN3MTJ6aWdpMHVkTDJ5MVRuUTVEak0Kw8VPmgp0XiIVlADbjQjHqxdK31kAAAf0\nN/VCLirEK+DOzXJIkMguL7K9Xe7HyIOvtkJGBE2et1mia1pXkxClqA==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1zy3q73pujauyajgfqwu0pnyy8732lzwvw87tu7p2xg3xuzaujc2qh6ql77",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQL1NLbFlWdk5TQXNUSUFF\nNTFqQk01RzI0WUJrdklBSlBGbkJYU0N2Qnl3CnRDakRiamtMREJLQkhTN1VPWEtz\neFlWVTlmU2NPWTVxdGtHVzROS1ZmV3MKLS0tIEJsVTRZMy9pWTNTK2k1aklXeGY3\nODZGMy9TQytYOG9kbExnMVg1bEFOYUkKwa9MG/IXjaXjB/wxR5xBYN9CtpQHP7pj\nyDBTqa68JQHcUkFgtxBojjumWWADkHO+LmExPSP8Q7Jk+raR2JawXw==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2026-04-19T12:31:44Z",
+		"mac": "ENC[AES256_GCM,data:/GMdb0AGXxWFr9nBFwyRD9iiqXloZu4zTsrDINpfdvGVzp4bQgny2KqHeCtUj2yaPrtEq9dXlLKdgMMlfiXx9b6I1A9AUM/DGle6ZCWyY07598/kNsFL4+2Fr/Xp3wcwVpxDpo2590jb1yT+8FSXzyy6oKjLOCBKixKq70U9bwo=,iv:OyShn5yuTDOhSSSF1AfVOFktFdk6vVVsemMOg2XhjrY=,tag:F7bTHCyhrMG6VyVcYNAVHA==,type:str]",
+		"version": "3.12.2"
+	}
+}
--- a/vars/per-machine/sunken-ship/zerotier/zerotier-identity-secret/users/danny
+++ b/vars/per-machine/sunken-ship/zerotier/zerotier-identity-secret/users/danny
@ -0,0 +1 @@
+../../../../../../sops/users/danny
--- a/vars/per-machine/sunken-ship/zerotier/zerotier-ip/value
+++ b/vars/per-machine/sunken-ship/zerotier/zerotier-ip/value
@ -0,0 +1 @@
+fdd5:53a2:de33:d269:6499:93d5:53a2:de33
--- a/vars/per-machine/sunken-ship/zerotier/zerotier-network-id/value
+++ b/vars/per-machine/sunken-ship/zerotier/zerotier-network-id/value
@ -0,0 +1 @@
+d553a2de33d26964
				`@ -0,0 +1 @@`
				`../../../../../../sops/machines/phantom-ship`