Port to NixOS: replace Helm chart with flake-based NixOS config

Replaces the Helm/k3s setup with a declarative NixOS configuration targeting
a Raspberry Pi 4. Services run as podman containers under systemd, with data
on an external HD at /mnt/data. Key components:

- flake.nix: multi-host flake with pi-main (aarch64) and a placeholder for a
  second machine
- modules/common.nix: shared system config (nix, podman, sops, SSH)
- modules/storage.nix: external HD mount with per-service subdirs
- modules/caddy.nix: Caddy with cloudflare DNS-01 ACME + authelia forward_auth
- modules/cloudflared.nix: Cloudflare tunnel for remote access
- modules/backup.nix: restic daily backups with NC maintenance mode pre-hook
- modules/services/{openldap,authelia,gitea,nextcloud,phpldapadmin}.nix: core services
- modules/services/{jellyfin,transmission}.nix: media services (disabled by default)
- secrets/: sops-nix scaffold with .sops.yaml age key config
- hosts/pi-main/: hardware config + service selection for the Pi
- PORTING.md: step-by-step migration guide (SD card → data restore → verify)

modules/services/transmission.nix

@@ -0,0 +1,61 @@
+{ config, lib, pkgs, homeyConfig, ... }:
+
+# Transmission — BitTorrent client. (Deferred — enable when ready.)
+#
+# NOTE: Transmission's web UI also runs on port 9091. To avoid clashing
+# with Authelia (also 9091), this module binds Transmission to 9092.
+#
+# Volume layout:
+#   <dataDir>/transmission/config/  → /config
+#   <dataDir>/media/movies/         → /downloads/movies
+#   <dataDir>/media/tvshows/        → /downloads/tvshows
+#   <dataDir>/media/general/        → /downloads/general
+#   <dataDir>/media/complete/       → /downloads/complete
+
+let
+  cfg     = config.homey.transmission;
+  dataDir = config.homey.storage.mountPoint;
+in
+{
+  options.homey.transmission = {
+    enable = lib.mkEnableOption "Transmission torrent client";
+
+    image = lib.mkOption {
+      type    = lib.types.str;
+      default = "docker.io/linuxserver/transmission:latest";
+    };
+
+    port = lib.mkOption {
+      type    = lib.types.port;
+      default = 9092;
+      description = "Host port for Transmission web UI (9092 to avoid clash with authelia@9091).";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    virtualisation.oci-containers.containers.transmission = {
+      image = cfg.image;
+      ports = [ "127.0.0.1:${toString cfg.port}:9091" ];
+
+      environment = {
+        PUID = "1000";
+        PGID = "1000";
+      };
+
+      volumes = [
+        "${dataDir}/transmission/config:/config"
+        "${dataDir}/media/movies:/downloads/movies"
+        "${dataDir}/media/tvshows:/downloads/tvshows"
+        "${dataDir}/media/general:/downloads/general"
+        "${dataDir}/media/complete:/downloads/complete"
+      ];
+
+      extraOptions = [ "--network=host" ];
+    };
+
+    systemd.services."podman-transmission" = {
+      after    = lib.mkAfter [ "mnt-data.mount" ];
+      requires = lib.mkAfter [ "mnt-data.mount" ];
+    };
+  };
+}