phase 3: new flake.nix + extract common-{nix,doas,shell-fish}; rewire imports

- New unified flake with two nixpkgs channels (unstable for desktops, 25.11 for muffin)
- modules/common-{doas,shell-fish,nix}.nix extracted from duplicated blocks
- modules/desktop-common.nix: renamed from system/common.nix; secret paths point to secrets/desktop/
- hosts/{mreow,yarn}/default.nix import desktop-common; yarn imports modules/no-rgb.nix
- hosts/muffin/default.nix imports common-* + server-prefixed modules + services/; duplicate doas/fish/nix blocks removed; gc retention preserved as mkForce override
- modules/age-secrets.nix: file paths → ../secrets/server/*.age
- services/{minecraft,matrix/livekit}: secret paths → ../secrets/server/
- home/profiles/*.nix: ./progs/ → ../progs/
- hosts/{mreow,yarn}/home.nix: imports rewired to ../../home/profiles/ and ../../home/progs/
- home/progs/pi.nix and hosts/yarn/home.nix: secret reads → ../../secrets/home/
- tests/*.nix: ../modules/security.nix → ../modules/server-security.nix; ../modules/overlays.nix → ../lib/overlays.nix
- lib/default.nix: takes explicit lib param (defaults to nixpkgs-stable.lib)
primary
2026-04-18 00:58:55 -04:00
parent 05fd05deda
commit 1719d54ee0
28 changed files with 562 additions and 203 deletions


@@ -17,7 +17,7 @@ pkgs.testers.runNixOSTest {
}:
{
imports = [
../modules/security.nix
../modules/server-security.nix
];
# Set up Caddy with basic auth (minimal config, no production stuff)


@@ -53,7 +53,7 @@ pkgs.testers.runNixOSTest {
}:
{
imports = [
../modules/security.nix
../modules/server-security.nix
giteaModule
];


@@ -51,7 +51,7 @@ pkgs.testers.runNixOSTest {
}:
{
imports = [
../modules/security.nix
../modules/server-security.nix
immichModule
];


@@ -51,7 +51,7 @@ pkgs.testers.runNixOSTest {
}:
{
imports = [
../modules/security.nix
../modules/server-security.nix
jellyfinModule
];


@@ -5,7 +5,7 @@
...
}:
let
securityModule = import ../modules/security.nix;
securityModule = import ../modules/server-security.nix;
sshModule =
{


@@ -46,7 +46,7 @@ pkgs.testers.runNixOSTest {
}:
{
imports = [
../modules/security.nix
../modules/server-security.nix
vaultwardenModule
];


@@ -5,7 +5,7 @@
...
}:
let
testPkgs = pkgs.appendOverlays [ (import ../modules/overlays.nix) ];
testPkgs = pkgs.appendOverlays [ (import ../lib/overlays.nix) ];
in
testPkgs.testers.runNixOSTest {
name = "file-perms test";


@@ -22,7 +22,7 @@ let
config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ "minecraft-server" ];
overlays = [
inputs.nix-minecraft.overlay
(import ../modules/overlays.nix)
(import ../lib/overlays.nix)
];
};
in


@@ -5,7 +5,7 @@
...
}:
let
testPkgs = pkgs.appendOverlays [ (import ../modules/overlays.nix) ];
testPkgs = pkgs.appendOverlays [ (import ../lib/overlays.nix) ];
in
testPkgs.testers.runNixOSTest {
name = "ntfy-alerts";


@@ -7,7 +7,7 @@
}:
let
# Create pkgs with ensureZfsMounts overlay
testPkgs = pkgs.appendOverlays [ (import ../modules/overlays.nix) ];
testPkgs = pkgs.appendOverlays [ (import ../lib/overlays.nix) ];
in
testPkgs.testers.runNixOSTest {
name = "zfs test";