Working NixOS port: all core services operational

- Fix Caddy cfProxy helper for cloudflared http:// vhosts (X-Forwarded-Proto)
- Fix Authelia LDAP bind (readonly user ACL + password sync)
- Add gitea-admin-setup oneshot service to survive rebuilds
- Update Authelia forward_auth with header_up X-Forwarded-Proto https
- Update TODO.org with completed tasks and LDAP config details
- Remove old Helm/k8s artifacts (Chart.yaml, templates/, values/, scripts)
- Add result to .gitignore

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

PORTING.md

@@ -260,21 +260,21 @@ In the tunnel's "Public Hostnames" tab, add:
 
 | Subdomain | Domain | Service |
 |-----------|--------|---------|
-| `auth` | `home.zakobar.com` | `https://localhost:443` |
-| `git` | `home.zakobar.com` | `https://localhost:443` |
-| `nextcloud` | `home.zakobar.com` | `https://localhost:443` |
-| `ldapadmin` | `home.zakobar.com` | `https://localhost:443` |
-| `jellyfin` | `home.zakobar.com` | `https://localhost:443` |
-| `torrent` | `home.zakobar.com` | `https://localhost:443` |
+| `auth` | `zakobar.com` | `https://localhost:443` |
+| `git` | `zakobar.com` | `https://localhost:443` |
+| `nextcloud` | `zakobar.com` | `https://localhost:443` |
+| `ldapadmin` | `zakobar.com` | `https://localhost:443` |
+| `jellyfin` | `zakobar.com` | `https://localhost:443` |
+| `torrent` | `zakobar.com` | `https://localhost:443` |
 
 For each entry, under "Additional settings" → TLS → **No TLS Verify: ON**
 (because cloudflared connects to `localhost` but the cert is for the real hostname).
 
 ### 3.3 Update DNS in Cloudflare
 
-Add a CNAME for `home.zakobar.com` pointing to your tunnel's UUID (Cloudflare
+Add a CNAME for `zakobar.com` pointing to your tunnel's UUID (Cloudflare
 creates this automatically when you add hostnames). You do not need to add
-`home.zakobar.com` to your domain's A records — Cloudflare handles it.
+`zakobar.com` to your domain's A records — Cloudflare handles it.
 
 ---
 
@@ -294,19 +294,19 @@ sudo nixos-rebuild switch --flake /path/to/homey#pi-main
 systemctl list-units 'podman-*' --state=active
 
 # OpenLDAP responding?
-ldapsearch -x -H ldap://127.0.0.1:389 -b dc=home,dc=zakobar,dc=com -D "cn=admin,dc=home,dc=zakobar,dc=com" -W
+ldapsearch -x -H ldap://127.0.0.1:389 -b dc=zakobar,dc=com -D "cn=admin,dc=zakobar,dc=com" -W
 
 # Authelia health?
 curl -s http://localhost:9091/api/health | python3 -m json.tool
 
 # Caddy serving TLS?
-curl -I https://auth.home.zakobar.com
+curl -I https://auth.zakobar.com
 
 # Gitea login?
-# Visit https://git.home.zakobar.com — should redirect to authelia if not logged in
+# Visit https://git.zakobar.com — should redirect to authelia if not logged in
 
 # Nextcloud?
-# Visit https://nextcloud.home.zakobar.com
+# Visit https://nextcloud.zakobar.com
 
 # Cloudflare tunnel connected?
 systemctl status cloudflared-tunnel-pi-main
@@ -320,13 +320,13 @@ To access services without going through Cloudflare on the LAN, add these
 records to your router's DNS or Pi-hole:
 
 ```
-192.168.1.100  home.zakobar.com
-192.168.1.100  auth.home.zakobar.com
-192.168.1.100  git.home.zakobar.com
-192.168.1.100  nextcloud.home.zakobar.com
-192.168.1.100  ldapadmin.home.zakobar.com
-192.168.1.100  jellyfin.home.zakobar.com
-192.168.1.100  torrent.home.zakobar.com
+192.168.1.100  zakobar.com
+192.168.1.100  auth.zakobar.com
+192.168.1.100  git.zakobar.com
+192.168.1.100  nextcloud.zakobar.com
+192.168.1.100  ldapadmin.zakobar.com
+192.168.1.100  jellyfin.zakobar.com
+192.168.1.100  torrent.zakobar.com
 ```
 
 Replace `192.168.1.100` with your Pi's actual LAN IP.