refactor(nix): move flake to repo root 🚚

clan-cli silently ignores the `?dir=` URL parameter when resolving a
flake source, so with the flake at nixos/flake.nix `clan machines
update` fails with "flake.nix does not exist". Move the flake tree up
so the repo root contains flake.nix, flake.lock, flake-modules/, lib/,
modules/, sops/, and vars/. Host-specific NixOS modules stay in
nixos/{hosts,home,fish.nix,neovim.nix,…}; flake-module paths updated
accordingly.

- dotfiles-rebuild flakeRef is now "${dotfilesDir}#<host>" (was
  "${dotfilesDir}/nixos#<host>").
- CLAUDE.md build commands + clan section updated. nixupdate fish alias
  updated. sunken-ship hostsfile comment updated.
- Existing /etc/dotfiles checkouts on the servers will pick up the new
  layout on the next `dotfiles-rebuild` timer tick; the rebuild service
  was pre-updated via rsync so its flakeRef matches before the pull.

Also includes 4b follow-through: zerotier identities are now live on
both servers (sunken-ship=d553a2de33 controller, phantom-ship=6c048abbdc
peer) and IPv6 ping across the ZT mesh works.

CLAUDE.md

@@ -2,8 +2,10 @@
 
 ## Build commands
 
+The flake lives at the repo root (`~/dotfiles/flake.nix`) — clan-cli doesn't handle flakes in subdirs.
+
 ```bash
-# macOS (from ~/dotfiles/nixos)
+# macOS (from ~/dotfiles)
 darwin-rebuild switch --flake .
 
 # NixOS servers (SSH from mac, or on server)
@@ -11,13 +13,17 @@ sudo nixos-rebuild switch --flake .#sunken-ship
 sudo nixos-rebuild switch --flake .#phantom-ship
 
 # WSL
-sudo nixos-rebuild switch --flake ~/dotfiles/nixos#wsl
+sudo nixos-rebuild switch --flake ~/dotfiles#wsl
 
 # Update flake + rebuild (fish alias: nixupdate)
-cd ~/dotfiles/nixos && sudo nix flake update && sudo darwin-rebuild switch --flake ~/dotfiles/nixos#Daniel-Macbook-Air
+cd ~/dotfiles && sudo nix flake update && sudo darwin-rebuild switch --flake ~/dotfiles#Daniel-Macbook-Air
 
 # Installer ISO (Linux only, cannot build on macOS)
-cd ~/dotfiles/nixos && nix build .#installer-iso
+cd ~/dotfiles && nix build .#installer-iso
+
+# Clan push update (from mac; builds on target so aarch64-darwin → x86_64-linux works)
+nix run git+https://git.clan.lol/clan/clan-core#clan-cli -- \
+  machines update sunken-ship --flake ~/dotfiles
 ```
 
 ## Rebuild protocol
@@ -47,7 +53,7 @@ cd ~/dotfiles/nixos && nix build .#installer-iso
 ## Server (sunken-ship)
 
 - SSH: `ssh -i ~/.ssh/id_ed25519_sunken_ship danny@sunken-ship`
-- Remote rebuild: `ssh ... 'cd /etc/dotfiles/nixos && sudo nixos-rebuild switch --flake .#sunken-ship'`
+- Remote rebuild: `ssh ... 'cd /etc/dotfiles && sudo nixos-rebuild switch --flake .#sunken-ship'`
 - Auto-rebuild timer: `dotfiles-rebuild` — every 15 min. Check with `systemctl is-active dotfiles-rebuild.timer`.
 - WiFi connected; stays reachable when ethernet is unplugged.
 - Services: UxPlay (AirPlay receiver on Scarlett Solo)
@@ -55,7 +61,7 @@ cd ~/dotfiles/nixos && nix build .#installer-iso
 ## Server (phantom-ship)
 
 - SSH: `ssh danny@phantom-ship`
-- Remote rebuild: `ssh ... 'cd /etc/dotfiles/nixos && sudo nixos-rebuild switch --flake .#phantom-ship'`
+- Remote rebuild: `ssh ... 'cd /etc/dotfiles && sudo nixos-rebuild switch --flake .#phantom-ship'`
 - Auto-rebuild timer: same pattern as sunken-ship.
 - Ethernet only (no WiFi).
 
@@ -72,11 +78,10 @@ Terminal colors follow **System Settings → Appearance**: `programs.alacritty`
 **CLI invocation:** clan-cli is not installed globally. Run ad-hoc via:
 
 ```bash
-nix run git+https://git.clan.lol/clan/clan-core#clan-cli -- machines list \
+nix run git+https://git.clan.lol/clan/clan-core#clan-cli -- machines list --flake ~/dotfiles
-  --flake 'path:/Users/danny/dotfiles/nixos'
 ```
 
-**Flake path quirk:** `--flake .` and `--flake git+…` both fail from a git worktree when the flake lives in a subdir (`nixos/`). Use `--flake 'path:…/nixos'` explicitly. May not be needed from the main checkout — retest.
+Flake lives at the repo root (not `nixos/`) — clan-cli silently ignores `?dir=` so a subdir flake breaks `clan machines update`.
 
 **`enableRecommendedDefaults = false`:** we opted out fleet-wide because clan's defaults flip to `systemd-networkd` + `systemd-resolved` + `boot.initrd.systemd`, which breaks dnsmasq (NAT DNS on phantom-ship) and navidrome's resolv.conf bind-mount on sunken-ship. Revisit per-service in a later pass — the defaults also include handy extras (tcpdump, htop, curl, jq, nixos-facter). Option defined in `nixosModules/clanCore/defaults.nix` + `nixosModules/clanCore/networking.nix` inside the `clan-core` flake.
 

flake-modules/clan.nix

@@ -47,7 +47,7 @@ in {
           clan.core.networking.targetHost = "danny@sunken-ship";
           clan.core.networking.buildHost = "danny@sunken-ship";
         }
-        ../hosts/sunken-ship.nix
+        ../nixos/hosts/sunken-ship.nix
         config.flake.nixosModules.dotfiles-rebuild
         inputs.home-manager.nixosModules.home-manager
         (hmModule {
@@ -66,7 +66,7 @@ in {
           clan.core.networking.buildHost = "danny@phantom-ship";
         }
         inputs.nix-openclaw.nixosModules.openclaw-gateway
-        ../hosts/phantom-ship.nix
+        ../nixos/hosts/phantom-ship.nix
         config.flake.nixosModules.dotfiles-rebuild
         inputs.home-manager.nixosModules.home-manager
         (hmModule {

flake-modules/daniel-macbook-air.nix

@@ -7,15 +7,15 @@
         }) ];
       }
 
-      ../hosts/daniel-macbook-air.nix
+      ../nixos/hosts/daniel-macbook-air.nix
-      ../fish.nix
+      ../nixos/fish.nix
 
       inputs.home-manager.darwinModules.home-manager
       (import ../lib/home-manager-user.nix {
         lib = inputs.nixpkgs.lib;
         user = "danny";
         homeDirectory = "/Users/danny";
-        userImports = [ ../home/danny/home.nix ];
+        userImports = [ ../nixos/home/danny/home.nix ];
       })
     ];
   };

flake-modules/installer-iso.nix

@@ -3,7 +3,7 @@
   # Optional: add ./installer-wifi.nix (gitignored) to modules for live WiFi.
   flake.nixosConfigurations.installer-iso = inputs.nixpkgs.lib.nixosSystem {
     system = "x86_64-linux";
-    modules = [ ../installer-iso.nix ];
+    modules = [ ../nixos/installer-iso.nix ];
   };
 
   flake.packages.x86_64-linux.installer-iso =

flake-modules/server-install.nix

@@ -4,8 +4,8 @@
     system = "x86_64-linux";
     modules = [
       inputs.disko.nixosModules.disko
-      ../disko-server.nix
+      ../nixos/disko-server.nix
-      ../hosts/server-install.nix
+      ../nixos/hosts/server-install.nix
     ];
   };
 }

flake-modules/wsl.nix

@@ -4,15 +4,15 @@
     modules = [
       inputs.nixos-wsl.nixosModules.default
       inputs.vscode-server.nixosModules.default
-      ../hosts/wsl.nix
+      ../nixos/hosts/wsl.nix
-      ../fish.nix
+      ../nixos/fish.nix
 
       inputs.home-manager.nixosModules.home-manager
       (import ../lib/home-manager-user.nix {
         lib = inputs.nixpkgs.lib;
         user = "dth";
         homeDirectory = "/home/dth";
-        userImports = [ ../home/danny/home.nix ];
+        userImports = [ ../nixos/home/danny/home.nix ];
       })
     ];
   };

modules/dotfiles-rebuild.nix

@@ -1,13 +1,13 @@
 # Shared auto-rebuild-from-git service for homelab hosts.
 #
 # Every 15 min: git fetch origin, fast-forward main, and if there were any
-# new commits run nixos-rebuild switch against `<dotfilesDir>/nixos#<host>`.
+# new commits run nixos-rebuild switch against `<dotfilesDir>#<host>`.
 #
 # Assumes /etc/dotfiles is an already-cloned checkout of the dotfiles repo.
 { config, lib, pkgs, ... }:
 let
   dotfilesDir = "/etc/dotfiles";
-  flakeRef = "${dotfilesDir}/nixos#${config.networking.hostName}";
+  flakeRef = "${dotfilesDir}#${config.networking.hostName}";
 in {
   environment.systemPackages = [ pkgs.git ];
 

nixos/fish.nix

@@ -11,7 +11,7 @@
       weather = "curl wttr.in/?T";
       # TODO: rename and move 25_flakes into dotfiles
       nide = "nix develop ~/python-projects/25_flakes/$(basename (pwd)) -c $(which fish)";
-      nixupdate = "cd ~/dotfiles/nixos && sudo nix flake update && sudo darwin-rebuild switch --flake ~/dotfiles/nixos#Daniel-Macbook-Air";
+      nixupdate = "cd ~/dotfiles && sudo nix flake update && sudo darwin-rebuild switch --flake ~/dotfiles#Daniel-Macbook-Air";
     };
     interactiveShellInit = ''
       function fish_user_key_bindings

nixos/hosts/sunken-ship.nix

@@ -2,7 +2,7 @@
 #
 # One-time on server: clone repo to /etc/dotfiles (root needs git access).
 # If private repo: use SSH (ssh:// or git@) and add root's key to GitHub, or use HTTPS + token.
-# Then: sudo nixos-rebuild switch --flake /etc/dotfiles/nixos#sunken-ship
+# Then: sudo nixos-rebuild switch --flake /etc/dotfiles#sunken-ship
 # If sudo git is not found: sudo nix run nixpkgs#git -- -C /etc/dotfiles pull origin main
 # Timer runs every 15 min: git fetch, pull if origin/main changed, rebuild.
 { config, lib, pkgs, ... }: