Working NixOS port: all core services operational

- Fix Caddy cfProxy helper for cloudflared http:// vhosts (X-Forwarded-Proto)
- Fix Authelia LDAP bind (readonly user ACL + password sync)
- Add gitea-admin-setup oneshot service to survive rebuilds
- Update Authelia forward_auth with header_up X-Forwarded-Proto https
- Update TODO.org with completed tasks and LDAP config details
- Remove old Helm/k8s artifacts (Chart.yaml, templates/, values/, scripts)
- Add result to .gitignore

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

modules/cloudflared.nix

@@ -14,12 +14,12 @@
 #   2. Name it (e.g. "pi-main")
 #   3. Copy the tunnel token — add it to secrets.yaml as cloudflare/tunnel_token
 #   4. In the tunnel's "Public Hostnames" config, add routes:
-#        auth.home.zakobar.com        → http://localhost:80  (or https://localhost:443)
-#        git.home.zakobar.com         → https://localhost:443
-#        nextcloud.home.zakobar.com   → https://localhost:443
-#        ldapadmin.home.zakobar.com   → https://localhost:443
-#        jellyfin.home.zakobar.com    → https://localhost:443
-#        torrent.home.zakobar.com     → https://localhost:443
+#        auth.zakobar.com        → http://localhost:80  (or https://localhost:443)
+#        git.zakobar.com         → https://localhost:443
+#        nextcloud.zakobar.com   → https://localhost:443
+#        ldapadmin.zakobar.com   → https://localhost:443
+#        jellyfin.zakobar.com    → https://localhost:443
+#        torrent.zakobar.com     → https://localhost:443
 #      Set "No TLS Verify" = true (Caddy's cert is from Let's Encrypt but
 #      the hostname seen by cloudflared is localhost, so hostname verification
 #      would fail without this flag).