Reapply "feat(clan): data-mesher + dm-pull-deploy wiring 🌊"

This reverts commit c4c40e80d5.

flake-modules/clan.nix

@@ -14,11 +14,31 @@ let
     import ../lib/home-manager-user.nix {
       inherit lib user homeDirectory stateVersion userImports;
     };
+
+  # ZT IPv6 addresses of the two clan machines. Clan publishes these as
+  # generated vars at vars/per-machine/<host>/zerotier/zerotier-ip/value,
+  # duplicated here for /etc/hosts use (clan's var values aren't trivially
+  # readable at module-eval time on the consuming host).
+  sunkenShipZTv6 = "fdd5:53a2:de33:d269:6499:93d5:53a2:de33";
+  phantomShipZTv6 = "fdd5:53a2:de33:d269:6499:936c:48a:bbdc";
+
+  # Shared across both servers: /etc/hosts entries so data-mesher's
+  # libp2p /dns/<machine>.clan/... multiaddrs resolve over ZT.
+  clanHostsModule = {
+    networking.hosts = {
+      "${sunkenShipZTv6}" = [ "sunken-ship.clan" ];
+      "${phantomShipZTv6}" = [ "phantom-ship.clan" ];
+    };
+  };
 in {
   imports = [ inputs.clan-core.flakeModules.default ];
 
   clan = {
     meta.name = "homelab";
+    # data-mesher uses `<machine>.${domain}` as a libp2p /dns/ multiaddr.
+    # We don't run a DNS server for it; per-machine networking.hosts entries
+    # (set below via machineCommon) map "<host>.clan" → the host's ZT IPv6.
+    meta.domain = "clan";
 
     # Inventory machines — required for `inventory.instances` role bindings
     # to resolve. Host-specific NixOS config lives under `machines.<name>`
@@ -37,6 +57,36 @@ in {
       roles.peer.machines.sunken-ship = { };
     };
 
+    # data-mesher — signed-file gossip protocol over libp2p (port 7946).
+    # Underpins dm-pull-deploy below. Files are registered + their allowed
+    # signers managed automatically via clan service exports.
+    # sunken-ship is the bootstrap node; phantom-ship joins via its
+    # /dns/sunken-ship.clan/... multiaddr (resolved via /etc/hosts on each
+    # machine — see machineCommon below).
+    inventory.instances.data-mesher = {
+      module.name = "data-mesher";
+      module.input = "clan-core";
+      roles.default.machines.sunken-ship = { };
+      roles.default.machines.phantom-ship = { };
+      roles.bootstrap.machines.sunken-ship = { };
+    };
+
+    # dm-pull-deploy — pull-based NixOS deploy via data-mesher gossip.
+    # sunken-ship is the push node (runs `dm-send-deploy` manually or on a
+    # timer); both servers watch for new targets and nixos-rebuild switch.
+    # Replaces the current dotfiles-rebuild timer once proven. `switch` is
+    # aggressive — rolls all default hosts immediately on any pushed target.
+    inventory.instances.dm-pull-deploy = {
+      module.name = "dm-pull-deploy";
+      module.input = "clan-community";
+      roles.push.machines.sunken-ship.settings = {
+        gitUrl = "https://github.com/DannyDannyDanny/dotfiles.git";
+        branch = "main";
+      };
+      roles.default.machines.sunken-ship.settings.action = "switch";
+      roles.default.machines.phantom-ship.settings.action = "switch";
+    };
+
     # `clan machines update` connection target. Priority 2000 > ZT's 900
     # and overrides the ZT service's root@ default. Using the ZT IPv6 as
     # the host makes updates work regardless of LAN DNS / mDNS state.
@@ -63,6 +113,7 @@ in {
           clan.core.networking.targetHost = "danny@[fdd5:53a2:de33:d269:6499:93d5:53a2:de33]";
           clan.core.networking.buildHost = "danny@[fdd5:53a2:de33:d269:6499:93d5:53a2:de33]";
         }
+        clanHostsModule
         ../nixos/hosts/sunken-ship.nix
         config.flake.nixosModules.dotfiles-rebuild
         inputs.home-manager.nixosModules.home-manager
@@ -81,6 +132,7 @@ in {
           clan.core.networking.targetHost = "danny@[fdd5:53a2:de33:d269:6499:936c:48a:bbdc]";
           clan.core.networking.buildHost = "danny@[fdd5:53a2:de33:d269:6499:936c:48a:bbdc]";
         }
+        clanHostsModule
         inputs.nix-openclaw.nixosModules.openclaw-gateway
         ../nixos/hosts/phantom-ship.nix
         config.flake.nixosModules.dotfiles-rebuild