docs: update stale dotfiles/nixos flake paths 📝

Stage 4f cleanup. The flake moved from ~/dotfiles/nixos/ to ~/dotfiles/
in 88c5139; docs and install scripts hadn't been refreshed. Point all
rebuild / flake references at the new root:

- AGENTS.md, README.md, server-quickstart.md, docs/server-installer-usb.md,
  docs/sunken-ship-wifi.md, nixos/readme.md — rebuild command paths.
- scripts/nixos-server-install.sh — auto-detect now looks for flake.nix
  at repo root (was nixos/flake.nix).
- scripts/post-install-provision.sh — first-rebuild hint path.

`nixos/hosts/<host>-hardware.nix` and friends stay where they are —
host-specific NixOS modules still live under nixos/; only the flake
entry-points + sops/ + vars/ + lib/ + modules/ + flake-modules/ moved.

nixos/readme.md rewritten to reflect the split (flake at root, per-host
modules under nixos/).

AGENTS.md

@@ -10,11 +10,11 @@ From the Mac, agents can SSH to sunken-ship:
 ssh -i ~/.ssh/id_ed25519_sunken_ship danny@sunken-ship 'hostname; ip addr'
 ```
 
-Rebuild on the server: `ssh ... 'cd /etc/dotfiles/nixos && sudo nixos-rebuild switch --flake .#sunken-ship'`. The server has WiFi; it remains reachable when ethernet is unplugged.
+Rebuild on the server: `ssh ... 'cd /etc/dotfiles && sudo nixos-rebuild switch --flake .#sunken-ship'`. The server has WiFi; it remains reachable when ethernet is unplugged. Preferred from the mac: `nix run git+https://git.clan.lol/clan/clan-core#clan-cli -- machines update sunken-ship --flake ~/dotfiles`.
 
 ## Server installer USB (new machines only)
 
-Build from **Linux**: `cd ~/dotfiles/nixos && nix build .#installer-iso` (x86_64-linux only; cannot build on macOS). Or use official NixOS minimal ISO, write to USB, boot server, clone repo, run [scripts/nixos-server-install.sh](scripts/nixos-server-install.sh). See [docs/server-installer-usb.md](docs/server-installer-usb.md). Optional live WiFi: add `nixos/installer-wifi.nix` (gitignored) when building custom ISO on Linux.
+Build from **Linux**: `cd ~/dotfiles && nix build .#installer-iso` (x86_64-linux only; cannot build on macOS). Or use official NixOS minimal ISO, write to USB, boot server, clone repo, run [scripts/nixos-server-install.sh](scripts/nixos-server-install.sh). See [docs/server-installer-usb.md](docs/server-installer-usb.md). Optional live WiFi: add `nixos/installer-wifi.nix` (gitignored) when building custom ISO on Linux.
 
 ## Learnings (NixOS server)
 

README.md

@@ -25,7 +25,7 @@ nix-shell -p gh git
 gh auth login
 gh repo clone dannydannydanny/dotfiles && cd dotfiles
 # git checkout <branch>  # if needed
-sudo nixos-rebuild switch --flake ~/dotfiles/nixos#wsl
+sudo nixos-rebuild switch --flake ~/dotfiles#wsl
 ```
 
 ### Clone via SSH

docs/server-installer-usb.md

@@ -50,7 +50,7 @@ Bootable USB that installs NixOS on a new server with disk encryption (LUKS). Th
 8. SSH in: `ssh danny@phantom-ship`
 9. First rebuild to switch from generic `server-install` to `phantom-ship` config:
    ```bash
-   cd /etc/dotfiles/nixos && sudo nixos-rebuild switch --flake .#phantom-ship
+   cd /etc/dotfiles && sudo nixos-rebuild switch --flake .#phantom-ship
    ```
 10. Commit the generated `phantom-ship-hardware.nix` back to the repo.
 
@@ -87,7 +87,7 @@ Adds WiFi kernel modules for servers that need WiFi on the live system.
 ### Build directly on Linux
 
 ```bash
-cd ~/dotfiles/nixos && nix build .#installer-iso
+cd ~/dotfiles && nix build .#installer-iso
 # Write to USB:
 sudo dd if=result/iso/nixos-minimal-*.iso of=/dev/sdX status=progress bs=4M
 ```
@@ -117,7 +117,7 @@ sudo INSTALLER_SYSTEM_CONFIG_FILE=/path/to/wifi.json INSTALLER_HOSTNAME=my-serve
 
 ```bash
 sudo nix run github:nix-community/disko/latest#disko-install -- \
-  --flake 'path:/tmp/dotfiles/nixos#server-install' \
+  --flake 'path:/tmp/dotfiles#server-install' \
   --disk main /dev/sda \
   --system-config '{"networking":{"hostName":"my-server"}}'
 ```
@@ -130,5 +130,5 @@ sudo nix run github:nix-community/disko/latest#disko-install -- \
 | **Boot** | Boot new server from USB, plug Ethernet |
 | **Install** | `curl ... \| INSTALLER_HOSTNAME=phantom-ship SSH_PUBKEY_FILE=/tmp/key.pub sudo -E bash` |
 | **Reboot** | Remove USB, unlock LUKS |
-| **First rebuild** | `sudo nixos-rebuild switch --flake /etc/dotfiles/nixos#phantom-ship` |
+| **First rebuild** | `sudo nixos-rebuild switch --flake /etc/dotfiles#phantom-ship` |
 | **Commit** | Push generated `phantom-ship-hardware.nix` to repo |

docs/sunken-ship-wifi.md

@@ -42,10 +42,10 @@ nix shell nixpkgs#wpa_supplicant -c wpa_passphrase "YOUR_SSID" "YOUR_PASSWORD"
 
 ## Rebuild (after changing Nix config)
 
-From the server (flake is in `nixos/`):
+From the server (flake is at the repo root):
 
 ```bash
-cd /etc/dotfiles/nixos && sudo nixos-rebuild switch --flake .#sunken-ship
+cd /etc/dotfiles && sudo nixos-rebuild switch --flake .#sunken-ship
 ```
 
 ## Verify

nixos/readme.md

@@ -1,32 +1,39 @@
-# NixOS flake
+# NixOS modules
 
-Rebuild from dotfiles dir:
+Host-specific NixOS and home-manager modules live under this dir:
+
+- `hosts/<machine>.nix` + `hosts/<machine>-hardware.nix`
+- `home/danny/home.nix` (home-manager)
+- `fish.nix`, `neovim.nix`, `ollama.nix`, `installer-iso.nix`, `disko-server.nix`
+
+The flake itself (`flake.nix`, `flake.lock`, `flake-modules/`, `lib/`, `modules/`, `sops/`, `vars/`) lives at the **repo root**, not here. See [CLAUDE.md](../CLAUDE.md) at the repo root for rebuild commands, clan.lol operations, and the `dotfiles-rebuild` timer.
+
+## Quick rebuild reference
 
 ```bash
 # macOS
-cd ~/dotfiles/nixos && darwin-rebuild switch --flake .
+cd ~/dotfiles && darwin-rebuild switch --flake .
 
 # WSL
-sudo nixos-rebuild switch --flake ~/dotfiles/nixos#wsl
+sudo nixos-rebuild switch --flake ~/dotfiles#wsl
 
-# sunken-ship (on server)
+# Servers (via clan from mac)
-sudo nixos-rebuild switch --flake /etc/dotfiles/nixos#sunken-ship
+nix run git+https://git.clan.lol/clan/clan-core#clan-cli -- \
+  machines update sunken-ship --flake ~/dotfiles
 ```
 
-## Server (sunken-ship)
+## Server bootstrap (one-time)
-
-One-time bootstrap (no git until first rebuild):
 
 ```bash
-nix run --extra-experimental-features "nix-command flakes" nixpkgs#git -- clone https://github.com/DannyDannyDanny/dotfiles.git /tmp/dotfiles
+nix run --extra-experimental-features "nix-command flakes" nixpkgs#git -- \
+  clone https://github.com/DannyDannyDanny/dotfiles.git /tmp/dotfiles
 sudo mv /tmp/dotfiles /etc/dotfiles
-sudo nixos-rebuild switch --flake /etc/dotfiles/nixos#sunken-ship --option accept-flake-config true
+sudo nixos-rebuild switch --flake /etc/dotfiles#sunken-ship \
+  --option accept-flake-config true
 ```
 
-If the daemon doesn't have flakes: copy [server-configuration-with-flakes.nix](server-configuration-with-flakes.nix) to `/etc/nixos/configuration.nix`, run `sudo nixos-rebuild switch`, then build and switch to the flake (see [server-quickstart.md](../server-quickstart.md) for SSH keys).
+If the daemon doesn't have flakes: copy [server-configuration-with-flakes.nix](server-configuration-with-flakes.nix) to `/etc/nixos/configuration.nix`, `sudo nixos-rebuild switch`, then build the flake.
 
 SSH keys (not in repo): `scp ~/.ssh/*.pub danny@server:/tmp/`, then on server `mkdir -p ~/.ssh; cat /tmp/*.pub >> ~/.ssh/authorized_keys`. See [docs/ssh-and-secrets.md](../docs/ssh-and-secrets.md).
 
-Timer: every 15 min the server pulls and rebuilds when `main` changes. Config: `hosts/sunken-ship.nix`, `hosts/sunken-ship-hardware.nix`.
-
 No git in PATH: `sudo nix run nixpkgs#git -- -C /etc/dotfiles pull origin main`.

scripts/nixos-server-install.sh

@@ -16,12 +16,12 @@ set -euo pipefail
 
 FLAKE_REF="${FLAKE_REF:-}"
 if [[ -z "$FLAKE_REF" ]]; then
-  if [[ -d "$(dirname "$0")/../nixos" ]] && [[ -f "$(dirname "$0")/../nixos/flake.nix" ]]; then
+  if [[ -f "$(dirname "$0")/../flake.nix" ]]; then
     REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)"
-    FLAKE_REF="path:${REPO_ROOT}/nixos"
+    FLAKE_REF="path:${REPO_ROOT}"
   else
     echo "FLAKE_REF not set and not running from dotfiles repo. Example:"
-    echo "  export FLAKE_REF=github:USER/REPO   # or path:/path/to/dotfiles/nixos"
+    echo "  export FLAKE_REF=github:USER/REPO   # or path:/path/to/dotfiles"
     exit 1
   fi
 fi
@@ -197,5 +197,5 @@ echo ""
 echo "=== Done! ==="
 echo "Remove the USB and reboot. After unlocking LUKS:"
 echo "  1. SSH in: ssh danny@${hostname}"
-echo "  2. First rebuild: cd /etc/dotfiles/nixos && sudo nixos-rebuild switch --flake .#${hostname}"
+echo "  2. First rebuild: cd /etc/dotfiles && sudo nixos-rebuild switch --flake .#${hostname}"
 echo "  3. Commit ${hostname}-hardware.nix back to the repo"

scripts/post-install-provision.sh

@@ -57,5 +57,5 @@ cryptsetup close crypted 2>/dev/null || true
 echo ""
 echo "=== Done! Remove USB and reboot. ==="
 echo "After unlocking LUKS, SSH in: ssh danny@${HOSTNAME}"
-echo "Then: cd /etc/dotfiles/nixos && sudo nixos-rebuild switch --flake .#${HOSTNAME}"
+echo "Then: cd /etc/dotfiles && sudo nixos-rebuild switch --flake .#${HOSTNAME}"
 echo "Commit ${HOSTNAME}-hardware.nix from the USB back to the repo."

server-quickstart.md

@@ -44,7 +44,7 @@ Optional: `services.openssh.settings = { PasswordAuthentication = false; PermitR
 
 ```bash
 sudo nixos-rebuild switch
-# or: sudo nixos-rebuild switch --flake /path/to/dotfiles/nixos#hostname
+# or: sudo nixos-rebuild switch --flake /path/to/dotfiles#hostname
 ```
 
 Then from your main machine: `ssh danny@myserver`