Port to NixOS: replace Helm chart with flake-based NixOS config

Replaces the Helm/k3s setup with a declarative NixOS configuration targeting
a Raspberry Pi 4. Services run as podman containers under systemd, with data
on an external HD at /mnt/data. Key components:

- flake.nix: multi-host flake with pi-main (aarch64) and a placeholder for a
  second machine
- modules/common.nix: shared system config (nix, podman, sops, SSH)
- modules/storage.nix: external HD mount with per-service subdirs
- modules/caddy.nix: Caddy with cloudflare DNS-01 ACME + authelia forward_auth
- modules/cloudflared.nix: Cloudflare tunnel for remote access
- modules/backup.nix: restic daily backups with NC maintenance mode pre-hook
- modules/services/{openldap,authelia,gitea,nextcloud,phpldapadmin}.nix: core services
- modules/services/{jellyfin,transmission}.nix: media services (disabled by default)
- secrets/: sops-nix scaffold with .sops.yaml age key config
- hosts/pi-main/: hardware config + service selection for the Pi
- PORTING.md: step-by-step migration guide (SD card → data restore → verify)

hosts/pi-main/default.nix

@@ -0,0 +1,83 @@
+{ config, lib, pkgs, homeyConfig, ... }:
+
+# Pi-main host configuration.
+# This file declares which services run on this machine and any
+# host-specific overrides.  Hardware config lives in hardware.nix.
+
+{
+  imports = [
+    ./hardware.nix
+  ];
+
+  # -------------------------------------------------------------------------
+  # Identity
+  # -------------------------------------------------------------------------
+  networking.hostName = "pi-main";
+
+  # -------------------------------------------------------------------------
+  # Admin user
+  # -------------------------------------------------------------------------
+  users.users.admin = {
+    isNormalUser    = true;
+    extraGroups     = [ "wheel" "podman" ];
+    # Paste your SSH public key here
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAA... your-key-here"
+    ];
+  };
+
+  security.sudo.wheelNeedsPassword = false;  # convenience on a home server
+
+  # -------------------------------------------------------------------------
+  # External HD
+  # -------------------------------------------------------------------------
+  homey.storage = {
+    # Replace with the actual by-id path of your USB drive.
+    # Find it: ls -la /dev/disk/by-id/ | grep -v part
+    device     = "/dev/disk/by-id/REPLACE-WITH-YOUR-DRIVE-ID";
+    mountPoint = "/mnt/data";
+    fsType     = "ext4";
+  };
+
+  # -------------------------------------------------------------------------
+  # Services enabled on this host
+  # -------------------------------------------------------------------------
+
+  # Auth stack (run these together — authelia depends on openldap)
+  homey.openldap.enable    = true;
+  homey.authelia.enable    = true;
+
+  # Productivity
+  homey.gitea.enable       = true;
+  homey.nextcloud.enable   = true;
+  homey.phpldapadmin.enable = true;
+
+  # Media (enable when ready)
+  homey.jellyfin.enable    = false;
+  homey.transmission.enable = false;
+
+  # Reverse proxy + Cloudflare
+  homey.caddy.enable      = true;
+  homey.cloudflared.enable = true;
+
+  # Backups
+  homey.backup.enable     = true;
+  # Where to send restic backups — set to your backup destination:
+  #   "sftp:user@nas.local:/backups/homey"
+  #   "b2:your-bucket-name:homey"
+  #   "rclone:remote:homey"
+  homey.backup.repository = "sftp:REPLACE-WITH-BACKUP-DESTINATION";
+
+  # -------------------------------------------------------------------------
+  # Local DNS overrides (optional — makes LAN clients hit the Pi directly
+  # instead of going through Cloudflare for *.home.zakobar.com)
+  # -------------------------------------------------------------------------
+  # If you run Pi-hole or Adguard, add these records there instead.
+  # networking.extraHosts = ''
+  #   192.168.1.100 home.zakobar.com
+  #   192.168.1.100 auth.home.zakobar.com
+  #   192.168.1.100 git.home.zakobar.com
+  #   192.168.1.100 nextcloud.home.zakobar.com
+  #   192.168.1.100 ldapadmin.home.zakobar.com
+  # '';
+}

hosts/pi-main/hardware.nix

@@ -0,0 +1,84 @@
+{ config, lib, pkgs, modulesPath, ... }:
+
+# Hardware configuration for the primary Raspberry Pi 4 (8 GB).
+#
+# SD card layout assumed:
+#   /dev/mmcblk0p1  — /boot/firmware  (FAT32, ~256 MB)
+#   /dev/mmcblk0p2  — /              (ext4)
+#
+# External HD:
+#   Set homey.storage.device to the by-id path of your USB drive.
+#   Example: /dev/disk/by-id/usb-WD_Elements_12345-0:0-part1
+#   Find it with: ls -la /dev/disk/by-id/
+#
+# To generate this file fresh after installing NixOS on the Pi, run:
+#   nixos-generate-config --show-hardware-config
+# and merge the output here.
+
+{
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  # -------------------------------------------------------------------------
+  # Boot loader — Raspberry Pi 4 uses U-Boot / extlinux
+  # -------------------------------------------------------------------------
+  boot = {
+    loader = {
+      grub.enable          = false;
+      generic-extlinux-compatible.enable = true;
+    };
+
+    # Pi 4 kernel — use the mainline kernel with RPi patches
+    kernelPackages = pkgs.linuxPackages_rpi4;
+
+    # tmpfs for /tmp — keep the SD card writes down
+    tmp.useTmpfs = true;
+
+    # Modules needed for USB storage (external HD)
+    initrd.availableKernelModules = [ "xhci_pci" "usbhid" "usb_storage" "uas" ];
+    kernelModules = [];
+    extraModulePackages = [];
+  };
+
+  # -------------------------------------------------------------------------
+  # Filesystems
+  # -------------------------------------------------------------------------
+  fileSystems."/" = {
+    device  = "/dev/disk/by-label/NIXOS_SD";  # label the root partition NIXOS_SD when flashing
+    fsType  = "ext4";
+    options = [ "noatime" ];
+  };
+
+  fileSystems."/boot/firmware" = {
+    device  = "/dev/disk/by-label/FIRMWARE";  # FAT32 boot partition
+    fsType  = "vfat";
+    options = [ "fmask=0022" "dmask=0022" ];
+  };
+
+  # External HD — device path is set in default.nix via homey.storage.device.
+  # storage.nix creates the actual fileSystems entry from that option.
+
+  swapDevices = [];
+
+  # -------------------------------------------------------------------------
+  # Hardware
+  # -------------------------------------------------------------------------
+  hardware = {
+    # Enable the RPi firmware (needed for GPU, WiFi, Bluetooth)
+    raspberry-pi."4".apply-overlays-dtmerge.enable = true;
+
+    # Disable GPU memory split for a headless server (gives more RAM to OS)
+    # Set via config.txt if needed: gpu_mem=16
+  };
+
+  # -------------------------------------------------------------------------
+  # Platform
+  # -------------------------------------------------------------------------
+  nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
+
+  # -------------------------------------------------------------------------
+  # Power management
+  # -------------------------------------------------------------------------
+  powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
+}