Working NixOS port: all core services operational

- Fix Caddy cfProxy helper for cloudflared http:// vhosts (X-Forwarded-Proto)
- Fix Authelia LDAP bind (readonly user ACL + password sync)
- Add gitea-admin-setup oneshot service to survive rebuilds
- Update Authelia forward_auth with header_up X-Forwarded-Proto https
- Update TODO.org with completed tasks and LDAP config details
- Remove old Helm/k8s artifacts (Chart.yaml, templates/, values/, scripts)
- Add result to .gitignore

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

modules/services/phpldapadmin.nix

@@ -5,6 +5,11 @@
 # Stateless container (no persistent volumes needed).
 # Protected by Authelia two_factor, admins-only policy (defined in authelia.nix).
 # Bound to localhost:8081; Caddy reverse-proxies it.
+#
+# Networking: uses default bridge (podman) network with a port mapping
+# 127.0.0.1:8081->80 so Caddy can reach it.  OpenLDAP runs on the host
+# network at 127.0.0.1:389; the container reaches it via the special
+# host.containers.internal DNS name that podman injects automatically.
 
 let
   cfg = config.homey.phpldapadmin;
@@ -28,14 +33,17 @@ in
   config = lib.mkIf cfg.enable {
     virtualisation.oci-containers.containers.phpldapadmin = {
       image = cfg.image;
-      ports = [ "127.0.0.1:${toString cfg.port}:80" ];
 
       environment = {
-        PHPLDAPADMIN_HTTPS       = "false";
-        PHPLDAPADMIN_LDAP_HOSTS  = "127.0.0.1";  # openldap on host network
+        PHPLDAPADMIN_HTTPS      = "false";
+        # host.containers.internal resolves to the host from inside a podman
+        # bridge container — reaches openldap which is on --network=host at :389
+        PHPLDAPADMIN_LDAP_HOSTS = "host.containers.internal";
       };
 
-      extraOptions = [ "--network=host" ];
+      # Bridge network (default) + port mapping: Apache binds inside the
+      # container on :80, podman maps it to 127.0.0.1:8081 on the host.
+      ports = [ "127.0.0.1:${toString cfg.port}:80" ];
     };
 
     systemd.services."podman-phpldapadmin" = {