Port to NixOS: replace Helm chart with flake-based NixOS config

Replaces the Helm/k3s setup with a declarative NixOS configuration targeting
a Raspberry Pi 4. Services run as podman containers under systemd, with data
on an external HD at /mnt/data. Key components:

- flake.nix: multi-host flake with pi-main (aarch64) and a placeholder for a
  second machine
- modules/common.nix: shared system config (nix, podman, sops, SSH)
- modules/storage.nix: external HD mount with per-service subdirs
- modules/caddy.nix: Caddy with cloudflare DNS-01 ACME + authelia forward_auth
- modules/cloudflared.nix: Cloudflare tunnel for remote access
- modules/backup.nix: restic daily backups with NC maintenance mode pre-hook
- modules/services/{openldap,authelia,gitea,nextcloud,phpldapadmin}.nix: core services
- modules/services/{jellyfin,transmission}.nix: media services (disabled by default)
- secrets/: sops-nix scaffold with .sops.yaml age key config
- hosts/pi-main/: hardware config + service selection for the Pi
- PORTING.md: step-by-step migration guide (SD card → data restore → verify)

modules/services/phpldapadmin.nix

@@ -0,0 +1,46 @@
+{ config, lib, pkgs, homeyConfig, ... }:
+
+# phpLDAPadmin — web UI for OpenLDAP management.
+#
+# Stateless container (no persistent volumes needed).
+# Protected by Authelia two_factor, admins-only policy (defined in authelia.nix).
+# Bound to localhost:8081; Caddy reverse-proxies it.
+
+let
+  cfg = config.homey.phpldapadmin;
+in
+{
+  options.homey.phpldapadmin = {
+    enable = lib.mkEnableOption "phpLDAPadmin web interface";
+
+    image = lib.mkOption {
+      type    = lib.types.str;
+      default = "docker.io/osixia/phpldapadmin:latest";
+    };
+
+    port = lib.mkOption {
+      type    = lib.types.port;
+      default = 8081;
+      description = "Host port phpLDAPadmin listens on (bound to 127.0.0.1).";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    virtualisation.oci-containers.containers.phpldapadmin = {
+      image = cfg.image;
+      ports = [ "127.0.0.1:${toString cfg.port}:80" ];
+
+      environment = {
+        PHPLDAPADMIN_HTTPS       = "false";
+        PHPLDAPADMIN_LDAP_HOSTS  = "127.0.0.1";  # openldap on host network
+      };
+
+      extraOptions = [ "--network=host" ];
+    };
+
+    systemd.services."podman-phpldapadmin" = {
+      after = lib.mkAfter [ "podman-openldap.service" ];
+      wants = lib.mkAfter [ "podman-openldap.service" ];
+    };
+  };
+}