Working NixOS port: all core services operational

- Fix Caddy cfProxy helper for cloudflared http:// vhosts (X-Forwarded-Proto)
- Fix Authelia LDAP bind (readonly user ACL + password sync)
- Add gitea-admin-setup oneshot service to survive rebuilds
- Update Authelia forward_auth with header_up X-Forwarded-Proto https
- Update TODO.org with completed tasks and LDAP config details
- Remove old Helm/k8s artifacts (Chart.yaml, templates/, values/, scripts)
- Add result to .gitignore

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

hosts/pi-main/default.nix

@@ -9,6 +9,10 @@
     ./hardware.nix
   ];
 
+  # linux_rpi4 is the Raspberry Pi Foundation's kernel, sourced from nixpkgs
+  # and pre-built in cache.nixos.org. Avoids a multi-hour native compilation.
+  boot.kernelPackages = pkgs.linuxKernel.packages.linux_rpi4;
+
   # -------------------------------------------------------------------------
   # Identity
   # -------------------------------------------------------------------------
@@ -50,7 +54,7 @@
     extraGroups     = [ "wheel" "podman" ];
     # Paste your SSH public key here
     openssh.authorizedKeys.keys = [
-      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDBFZRqiTsOCAJPMqUyMeLd2MbyjdGoyqDVq5/Inhb6EOaM1NUGG4b6FPmYgFLyJIm5LC9BOo6M7npiaiOs/zMqp+hoGLNQUNwm5/G0uy1bjkEfKdUTdGnJ2+M9rkxrR1c+KXrjkiqECqTbnPE4mJbGyVxBW2MwMeP5w8c0DB5KO528PetvHMPPQuEdXyZzDI4kKtVpMlJoPIrIGlNFX0G/wrgXcM4zU1snOTuYGqZnWW++4kBsgIlRKpf/bLJyUMTp30eLVr0fQ6OMBtj1tzUUBaaowU6VGYQQDU/rIh/NpkA2cEVPXZegM4OohkAqrJBFPIAg90WD9Z/SyQlz0Jn8PpAloP0Cuq2vVRr+QLEwxqGiFq91YQ2VtwksMHwJGVrXRCNegpxTZQijWMEd+o0FD2cEd7Ftw6v2L6g12GJ3QGX/q0d/u0GongLLa9fPXl4VoAu7AL+cUcbX/SS7RCG8kYAR3DwOazVbK0NWEdwvWdoSU4lZ3j2at1xqMGjHjyLiTeUqZBjm+Sl5MJWIYNg+8hnONljvggg4SzDFDAkgVLZtOCaZibsMA1ucGR7VRCM09uoaEI4/ZS5pCBtYcp8X67Bv67Og8s2NFf5sUfYBPPKpdBSs+dEPycNVff6JlmzfNiyzLawacGKIDWYSgkOl43N/5ehtpsL3HMZ+5SVNIw=="
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDfzDDO5juINctECmWlsYtGghEiX/RnTJ1cazLvOWSrPfsTyEd+B1+Ig8kFefNryjkpApfRXqj5KtLPNlpLfdVBrOIfhIveEp2MGqhgOGZFNVxQyXnZgii8Zdh4cqZ2O3pZpMsaAQBaJ9nH6dK0dJjicWT5f6TqwrVcInywRc5SuyizoSxoFmg7ch2rnlVi0j5XMVqdh8XLzHXZ7yWCzXy7+hWl/d7pwpyuzoK8dBw2EU9TauhgRDruom5Q9vWJTLStALC9pAIb0v9UFj9y+1zwx7pXsXp5F1g73EYrE4QR+QQ6z2LebuK280W0t+VA/fSCEB13DnkmofgqZQxX5MSCmrxZ5lTFp1FjW6yJo7As9FheF/GECowYkMRIx4IiQsjjHjZqlLRpLas11yAp6tGoZnw59hFo6Lu0Kva39jGVVmioYHtAeE5rD5w+v5kseJR4jlQ8aKB5yOjYUQOIz2AHQyoidgaeR2jPWqZUeRQbACI+/p3CHO45r3hrjATtGloBg0xF95Qws7Be3mjHVhbBLOoob8MdZ8nYAGnhlWrZphlkvXsHC6OUkuDJW00tmMjWXRlFwhFJ+nqUQCgLVjxVHQJ5rq9GeXBUuNXAeCm5BKBsdq+9qqVlt7D9iGyfr0lcZ7peKz/96KwPCWpG2En1Ur0/cVcbWnXEfG/xWO10tQ== cardno:24_758_470"
     ];
   };
 
@@ -62,7 +66,7 @@
   homey.storage = {
     # Replace with the actual by-id path of your USB drive.
     # Find it: ls -la /dev/disk/by-id/ | grep -v part
-    device     = "/dev/disk/by-id/usb-WD_Ext_HDD_1021_5743415A4146313531393031-0:0-part1";
+    device     = "/dev/disk/by-label/homey-data";
     mountPoint = "/mnt/data";
     fsType     = "ext4";
   };
@@ -98,14 +102,14 @@
 
   # -------------------------------------------------------------------------
   # Local DNS overrides (optional — makes LAN clients hit the Pi directly
-  # instead of going through Cloudflare for *.home.zakobar.com)
+  # instead of going through Cloudflare for *.zakobar.com)
   # -------------------------------------------------------------------------
   # If you run Pi-hole or Adguard, add these records there instead.
   # networking.extraHosts = ''
-  #   192.168.1.100 home.zakobar.com
-  #   192.168.1.100 auth.home.zakobar.com
-  #   192.168.1.100 git.home.zakobar.com
-  #   192.168.1.100 nextcloud.home.zakobar.com
-  #   192.168.1.100 ldapadmin.home.zakobar.com
+  #   192.168.1.100 zakobar.com
+  #   192.168.1.100 auth.zakobar.com
+  #   192.168.1.100 git.zakobar.com
+  #   192.168.1.100 nextcloud.zakobar.com
+  #   192.168.1.100 ldapadmin.zakobar.com
   # '';
 }