Port to NixOS: replace Helm chart with flake-based NixOS config

Replaces the Helm/k3s setup with a declarative NixOS configuration targeting
a Raspberry Pi 4. Services run as podman containers under systemd, with data
on an external HD at /mnt/data. Key components:

- flake.nix: multi-host flake with pi-main (aarch64) and a placeholder for a
  second machine
- modules/common.nix: shared system config (nix, podman, sops, SSH)
- modules/storage.nix: external HD mount with per-service subdirs
- modules/caddy.nix: Caddy with cloudflare DNS-01 ACME + authelia forward_auth
- modules/cloudflared.nix: Cloudflare tunnel for remote access
- modules/backup.nix: restic daily backups with NC maintenance mode pre-hook
- modules/services/{openldap,authelia,gitea,nextcloud,phpldapadmin}.nix: core services
- modules/services/{jellyfin,transmission}.nix: media services (disabled by default)
- secrets/: sops-nix scaffold with .sops.yaml age key config
- hosts/pi-main/: hardware config + service selection for the Pi
- PORTING.md: step-by-step migration guide (SD card → data restore → verify)

flake.nix

@@ -0,0 +1,73 @@
+{
+  description = "Homey - self-hosted home server NixOS configuration";
+
+  inputs = {
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";
+
+    # sops-nix for secret management
+    sops-nix = {
+      url = "github:Mic92/sops-nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
+    # Caddy with Cloudflare DNS plugin (not in nixpkgs mainline)
+    caddy-cloudflare = {
+      url = "github:NixOS/nixpkgs/nixos-24.11"; # see modules/caddy.nix for override
+    };
+  };
+
+  outputs = { self, nixpkgs, sops-nix, ... }@inputs:
+  let
+    # Shared specialArgs passed to every host
+    commonArgs = {
+      inherit inputs;
+      # Top-level site config — override per-host if needed
+      homeyConfig = {
+        domain       = "home.zakobar.com";   # base domain for all services
+        organization = "Zakobar Home Server";
+        timezone     = "Asia/Jerusalem";
+        # External HD mount point — set in hardware.nix per host
+        # dataDir is intentionally NOT set here; each host sets it
+      };
+    };
+
+    mkHost = { system, hostPath, extraModules ? [] }:
+      nixpkgs.lib.nixosSystem {
+        inherit system;
+        specialArgs = commonArgs;
+        modules = [
+          sops-nix.nixosModules.sops
+          hostPath
+          ./modules/common.nix
+          ./modules/storage.nix
+          ./modules/caddy.nix
+          ./modules/cloudflared.nix
+          ./modules/backup.nix
+          ./modules/services/openldap.nix
+          ./modules/services/authelia.nix
+          ./modules/services/gitea.nix
+          ./modules/services/nextcloud.nix
+          ./modules/services/phpldapadmin.nix
+          ./modules/services/jellyfin.nix
+          ./modules/services/transmission.nix
+        ] ++ extraModules;
+      };
+
+  in {
+    nixosConfigurations = {
+
+      # Primary Raspberry Pi 4
+      pi-main = mkHost {
+        system   = "aarch64-linux";
+        hostPath = ./hosts/pi-main/default.nix;
+      };
+
+      # Future second machine (placeholder — uncomment and configure when ready)
+      # pi-secondary = mkHost {
+      #   system   = "x86_64-linux";  # or aarch64-linux for another Pi
+      #   hostPath = ./hosts/pi-secondary/default.nix;
+      # };
+
+    };
+  };
+}