Port to NixOS: replace Helm chart with flake-based NixOS config

Replaces the Helm/k3s setup with a declarative NixOS configuration targeting
a Raspberry Pi 4. Services run as podman containers under systemd, with data
on an external HD at /mnt/data. Key components:

- flake.nix: multi-host flake with pi-main (aarch64) and a placeholder for a
  second machine
- modules/common.nix: shared system config (nix, podman, sops, SSH)
- modules/storage.nix: external HD mount with per-service subdirs
- modules/caddy.nix: Caddy with cloudflare DNS-01 ACME + authelia forward_auth
- modules/cloudflared.nix: Cloudflare tunnel for remote access
- modules/backup.nix: restic daily backups with NC maintenance mode pre-hook
- modules/services/{openldap,authelia,gitea,nextcloud,phpldapadmin}.nix: core services
- modules/services/{jellyfin,transmission}.nix: media services (disabled by default)
- secrets/: sops-nix scaffold with .sops.yaml age key config
- hosts/pi-main/: hardware config + service selection for the Pi
- PORTING.md: step-by-step migration guide (SD card → data restore → verify)

README.org

@@ -1,115 +0,0 @@
-#+title: Homey
-
-A home environment for everyone!
-
-* Installation
-
-Install using
-
-#+begin_src bash
-helm upgrade --install homey . -n homey
-#+end_src
-
-* Backing up
-
-We must find a better solution
-
-https://perfectmediaserver.com/day-two/top10apps.html
-
-Nefarious
-
-* LDAP Configuration
-
-Logins are done to PHPLDAPADMIN
-
-DN is like:
-
-cn=admin,dc=home,dc=,dc=io
-get-secret-val.sh homey openldap-admin password
-
-First thing we do is create an organization unit called users
-
-To add a new user, we create a child entry to ou=users
-
-It has to be of type inetOrgPerson
-
-cn = Common Name, sn = Sur Name.
-Select RDN = User Name (uid) (FROM DROP DOWN MENU)
-UID = USERNAME, that is what is important. (In PHPLdapAdmin it is under User Name)
-
-Now we may continue!
-
-* GITEA
-
-Site Title: whatever
-
-SSH Server Domain: git.<YOUR URL>
-SSH Server Port: 2222
-Gitea Base URL: http://git.<YOUR URL>
-
-Then add Administrator Account Settings:
-
-Administrator Username: gitea-admin
-Password: from gitea-admin-pass
-Email address must be populated
-
-That will work after a few minutes.
-
-Now we go into Authentication Sources
-
-Add a new LDAP Authentication source
-
-Authentication name: Home LDAP
-Host: openldap
-Port: 389
-Bind DN = cn=readonly,dc=home,dc=,dc=io
-Bind Password: openldap-ro password
-User Search Base: ou=users,dc=home,dc=,dc=io
-user search filter = (uid=%s)
-Admin filter (title=admin)
-Username Attribute: uid
-First Name Attribute: cn
-Surname Attribute: sn
-Email Attribute: mail
-
-* AUTHELIA
-
-https://github.com/authelia/authelia/blob/57d5fbd3f5c82e83296023dc1de6e4f5ff063c00/examples/compose/lite/authelia/configuration.yml
-This fucking sucks
-https://gist.github.com/james-d-elliott/5152d27c0781aee856a3383f1284998e
-
-* EVERYTHING
-https://www.talkingquickly.co.uk/gitea-sso-with-keycloak-openldap-openid-connect
-
-* DRONE AND GITEA
-?
-https://dev.to/ruanbekker/self-hosted-cicd-with-gitea-and-drone-ci-200l
-
-* DAV
-
-https://gitlab.com/davical-project/davical/-/blob/master/config/example-config.php
-
-Line 800 ish for auth from reverse proxy
-
-* NEXTCLOUD
-
-I ran THIS command inside
-su www-data -s /bin/bash -c php occ ldap:promote-group "admins"
-
-** When maintenence mode
-
-#+begin_example
-kubectl exec --tty --stdin -n homey deploy/nextcloud -- su -l www-data -s /bin/bash
-php /var/www/html/occ maintenance:mode --off
-#+end_src
-
-* I UNDERSTAND
-
-I need to backup Chen's stuff
-And... I need to Jellyfin
-
-* PAPERLESS
-
-https://github.com/paperless-ngx/paperless-ngx/blob/74c44fe418a91a526b5dab1a91fde4aaebd28bb1/docker/compose/docker-compose.postgres.yml
-
-For docker