diff --git a/CLAUDE.md b/CLAUDE.md
index d525137..70dc7f1 100644
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -4,54 +4,71 @@ This file provides guidance to Claude Code (claude.ai/code) when working with co
 
 ## What This Is
 
-Personal NixOS system configuration for host `cesium` — a QEMU/KVM-virtualized x86_64 desktop workstation. Uses NixOS with Home Manager (channel-based, no Flakes). NixOS version is locked to 25.11.
+Personal NixOS system configuration for host `cesium` — an x86_64 desktop workstation with NVIDIA GPU. Uses NixOS with **Flakes** and Home Manager. NixOS version is locked to 25.11.
+
+The project root is `/mnt/data/nixos/`. The actual NixOS configuration lives in the `nixos/` subdirectory and is synced to `/etc/nixos/` via `make sync-etc`, or built directly from `nixos/` via `make rebuild`.
 
 ## Commands
 
 ```bash
-# Rebuild and apply configuration (aliased as 'rebuild')
-sudo nixos-rebuild switch
+# Rebuild from ./nixos directly (no sync to /etc/nixos)
+make rebuild
 
-# Rebuild with package upgrades (aliased as 'update')
-sudo nixos-rebuild switch --upgrade
+# Rebuild after upgrading flake inputs (updates flake.lock)
+make upgrade
 
-# Test configuration without persisting (loads into current session only)
-sudo nixos-rebuild test
+# Sync nixos/ to /etc/nixos and rebuild
+make sync-etc
 
-# Build without applying (useful to check for errors)
-sudo nixos-rebuild build
+# Sync nixos/ to /etc/nixos and upgrade flake inputs
+make upgrade-etc
 
-# Optimize store and garbage collect (aliased as 'ngc')
-sudo nix-store --optimise && sudo nix-collect-garbage -d
+# Dry-run sync to preview file changes
+make sync-etc-dry-run
 
-# After first install: setup SMB credentials
-sudo /etc/nixos/setup-smb-credentials.sh
+# Validate all .nix files (runs automatically as pre-commit hook)
+make test
+
+# Optimize store and garbage collect
+make cleanup
 ```
 
 ## Architecture
 
-Entry point is `config/configuration.nix`, which imports all other modules:
+Entry point is `nixos/flake.nix`, which defines the `cesium` NixOS configuration:
 
 ```
-config/configuration.nix          # Top-level: imports all modules, enables Home Manager
-├── hardware-configuration.nix    # Auto-generated (gitignored), QEMU guest hardware
+nixos/flake.nix                   # Flake: inputs (nixpkgs 25.11, home-manager, nix-flatpak, unstable)
+nixos/configuration.nix           # Top-level: imports all modules, enables Home Manager
+├── hardware-configuration.nix    # Auto-generated (gitignored), host hardware
+├── cesium.nix                    # Host-specific: NVIDIA drivers, hostname, firewall ports
 ├── common.nix                    # System-wide: bootloader, locale, GNOME, PipeWire, packages
 ├── mounts.nix                    # CIFS/SMB mounts to TrueNAS (automount with systemd)
 ├── services.nix                  # Docker (custom data root /home/docker), ddev
 ├── users/sebastian.nix           # User account, groups, SSH askpass
-│   └── imports home.nix          # Home Manager config for this user
-├── home.nix                      # User environment: apps, shell, git, scripts, Flatpak
+├── home.nix                      # Home Manager: apps, shell, git, scripts, Flatpak
+├── programs.nix                  # Home Manager: git, shell programs config
+├── dconf.nix                     # Home Manager: GNOME dconf settings
 ├── scripts.nix                   # Custom shell scripts (composer, lazydocker, gclb)
+├── flakes.nix                    # Extra flake-based packages (e.g. Hytale launcher)
 ├── vm-guest.nix                  # Optional: SPICE agent for VM clipboard/file sharing
 └── vm-host.nix                   # Optional: KVM/QEMU host with libvirtd, virt-manager
 ```
 
+Supporting files in `nixos/config/`:
+- `p10k.zsh` — Powerlevel10k prompt config
+- `zsh-custom.zsh` — Custom zsh configuration
+- `crest_iv_black-cut.jpg` — Wallpaper
+
 Key design patterns:
-- `common.nix` handles all system-level config (boot, locale, desktop, audio, auto-updates, garbage collection)
-- `home.nix` handles all user-level config via Home Manager (applications, shell aliases, git, vim, GTK theme, GNOME extensions, Flatpak activation scripts)
-- `scripts.nix` defines Docker-wrapped CLI tools (composer, lazydocker) and git helpers using `writeShellScriptBin`
+- `cesium.nix` contains all host-specific hardware config (NVIDIA, hostname, ports)
+- `common.nix` handles system-level config (boot, locale, desktop, audio, auto-updates, GC)
+- `home.nix` handles user-level config via Home Manager (applications, shell, GTK theme, Flatpak)
+- `programs.nix` and `dconf.nix` split out Home Manager programs and GNOME settings
+- `scripts.nix` defines Docker-wrapped CLI tools using `writeShellScriptBin`
 - `mounts.nix` uses systemd automount with 60s idle timeout for TrueNAS SMB shares
-- `vm-guest.nix` and `vm-host.nix` are optional modules (not imported by default in configuration.nix)
+- `vm-guest.nix` and `vm-host.nix` are optional modules (not imported by default)
+- `nixpkgs-unstable` overlay is used selectively (e.g. `rustdesk-flutter`)
 
 ## Conventions
 
diff --git a/Makefile b/Makefile
index da3d1b6..8a534fd 100644
--- a/Makefile
+++ b/Makefile
@@ -24,7 +24,7 @@ sync-etc:
 
 .PHONY: upgrade-etc
 upgrade-etc:
-	sudo nix flake update /etc/nixos --commit-lock-file
+	sudo nix flake update --flake /etc/nixos --commit-lock-file
 	sudo nixos-rebuild switch --flake /etc/nixos#cesium
 	sudo cp /etc/nixos/flake.lock nixos/flake.lock 2>/dev/null || true
 
@@ -44,7 +44,7 @@ rebuild:
 
 .PHONY: upgrade
 upgrade:
-	sudo nix flake update $(CURDIR)/nixos --commit-lock-file
+	sudo nix flake update --flake $(CURDIR)/nixos --commit-lock-file
 	sudo nixos-rebuild switch --flake path:$(CURDIR)/nixos
 
 #
diff --git a/nixos/flake.lock b/nixos/flake.lock
index 383b55c..e2ee1e1 100644
--- a/nixos/flake.lock
+++ b/nixos/flake.lock
@@ -23,11 +23,11 @@
     },
     "nix-flatpak": {
       "locked": {
-        "lastModified": 1768656715,
-        "narHash": "sha256-Sbh037scxKFm7xL0ahgSCw+X2/5ZKeOwI2clqrYr9j4=",
+        "lastModified": 1777402031,
+        "narHash": "sha256-6gkfl9y3+ti0Z6dgby8/R4/DRT8sWU0I0TLCIxwWtjk=",
         "owner": "gmodena",
         "repo": "nix-flatpak",
-        "rev": "123fe29340a5b8671367055b75a6e7c320d6f89a",
+        "rev": "22a3adbe7c5c8c8a10a635d32c9ef7fc01a6e4b8",
         "type": "github"
       },
       "original": {
@@ -38,11 +38,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1776067740,
-        "narHash": "sha256-B35lpsqnSZwn1Lmz06BpwF7atPgFmUgw1l8KAV3zpVQ=",
+        "lastModified": 1777428379,
+        "narHash": "sha256-ypxFOeDz+CqADEQNL72haqGjvZQdBR5Vc7pyx2JDttI=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "7e495b747b51f95ae15e74377c5ce1fe69c1765f",
+        "rev": "755f5aa91337890c432639c60b6064bb7fe67769",
         "type": "github"
       },
       "original": {
@@ -54,11 +54,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1775710090,
-        "narHash": "sha256-ar3rofg+awPB8QXDaFJhJ2jJhu+KqN/PRCXeyuXR76E=",
+        "lastModified": 1777268161,
+        "narHash": "sha256-bxrdOn8SCOv8tN4JbTF/TXq7kjo9ag4M+C8yzzIRYbE=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "4c1018dae018162ec878d42fec712642d214fdfa",
+        "rev": "1c3fe55ad329cbcb28471bb30f05c9827f724c76",
         "type": "github"
       },
       "original": {