Port to NixOS: replace Helm chart with flake-based NixOS config

Replaces the Helm/k3s setup with a declarative NixOS configuration targeting
a Raspberry Pi 4. Services run as podman containers under systemd, with data
on an external HD at /mnt/data. Key components:

- flake.nix: multi-host flake with pi-main (aarch64) and a placeholder for a
  second machine
- modules/common.nix: shared system config (nix, podman, sops, SSH)
- modules/storage.nix: external HD mount with per-service subdirs
- modules/caddy.nix: Caddy with cloudflare DNS-01 ACME + authelia forward_auth
- modules/cloudflared.nix: Cloudflare tunnel for remote access
- modules/backup.nix: restic daily backups with NC maintenance mode pre-hook
- modules/services/{openldap,authelia,gitea,nextcloud,phpldapadmin}.nix: core services
- modules/services/{jellyfin,transmission}.nix: media services (disabled by default)
- secrets/: sops-nix scaffold with .sops.yaml age key config
- hosts/pi-main/: hardware config + service selection for the Pi
- PORTING.md: step-by-step migration guide (SD card → data restore → verify)

secrets/.gitignore

@@ -0,0 +1,10 @@
+# Never commit an unencrypted secrets file.
+# The encrypted version (produced by `sops -e -i secrets.yaml`) IS committed.
+#
+# If you accidentally add the plaintext version, sops-encrypted files
+# contain a `sops:` key at the top — check before committing.
+#
+# Paranoia: ignore any plaintext variants you might create while editing.
+secrets.yaml.plaintext
+secrets.yaml.bak
+*.plain

secrets/.sops.yaml

@@ -0,0 +1,24 @@
+# sops configuration — controls which keys can decrypt secrets.yaml.
+#
+# SETUP STEPS (do this once on the Pi):
+#
+#   1. Install age:        nix-shell -p age
+#   2. Generate a key:     age-keygen -o /var/lib/sops-nix/key.txt
+#   3. Print the pubkey:   age-keygen -y /var/lib/sops-nix/key.txt
+#   4. Replace AGE-PUBLIC-KEY-PI-MAIN below with the output of step 3.
+#   5. (Optional) add your own age key or GPG key as a second recipient so
+#      you can edit secrets from your workstation without the Pi being on.
+#
+# To encrypt / edit secrets.yaml:
+#   sops secrets/secrets.yaml
+#
+# sops will re-encrypt the file for all keys listed here every time you save.
+
+creation_rules:
+  - path_regex: secrets/secrets\.yaml$
+    key_groups:
+      - age:
+          # Pi main host key — replace with output of `age-keygen -y /var/lib/sops-nix/key.txt`
+          - AGE-PUBLIC-KEY-PI-MAIN-REPLACE-ME
+          # (Optional) your workstation key for offline editing:
+          # - AGE-PUBLIC-KEY-YOUR-WORKSTATION

secrets/secrets.yaml

@@ -0,0 +1,54 @@
+# =============================================================================
+# Homey secrets — managed by sops-nix
+#
+# THIS FILE MUST BE ENCRYPTED WITH SOPS BEFORE COMMITTING.
+# It is shown here as a plaintext template so you know what to fill in.
+#
+# Workflow:
+#   1. Complete the .sops.yaml age key setup.
+#   2. Fill in the values below.
+#   3. Run: sops -e -i secrets/secrets.yaml
+#      This encrypts the file in-place. The encrypted version is safe to commit.
+#   4. To edit later: sops secrets/secrets.yaml
+#
+# Ports from old deployment:
+#   - openldap/admin_password    ← from k8s secret openldap-admin
+#   - openldap/config_password   ← from k8s secret openldap-config
+#   - openldap/ro_password       ← from k8s secret openldap-ro
+#   - gitea/admin_password       ← from k8s secret gitea-admin-pass
+#   - nextcloud/admin_password   ← from k8s secret nextcloud-admin-pass
+#   - nextcloud/postgres_password← from k8s secret nextcloud-postgres-pass
+#   The remaining secrets (authelia JWT, session key, encryption key, gitea
+#   LFS/OAuth2/internal tokens) are regenerated fresh — see notes below.
+# =============================================================================
+
+# --- OpenLDAP ---
+openldap/admin_password: "REPLACE-WITH-OLD-VALUE"
+openldap/config_password: "REPLACE-WITH-OLD-VALUE"
+openldap/ro_password: "REPLACE-WITH-OLD-VALUE"
+
+# --- Authelia (regenerated fresh — these are random strings) ---
+authelia/jwt_secret: "GENERATE-random-64-chars"
+authelia/session_secret: "GENERATE-random-64-chars"
+authelia/storage_encryption_key: "GENERATE-random-64-chars"
+
+# --- Gitea ---
+gitea/admin_password: "REPLACE-WITH-OLD-VALUE"
+# These three are regenerated — gitea will re-derive on first start:
+gitea/lfs_jwt_secret: "GENERATE-random-43-chars-base64url"
+gitea/oauth2_jwt_secret: "GENERATE-random-43-chars-base64url"
+gitea/internal_token: "GENERATE-random-100-alphanum"
+
+# --- Nextcloud ---
+nextcloud/admin_password: "REPLACE-WITH-OLD-VALUE"
+nextcloud/postgres_password: "REPLACE-WITH-OLD-VALUE"
+
+# --- Cloudflare (DNS-01 ACME + tunnel) ---
+cloudflare/api_token: "REPLACE-WITH-CF-DNS-EDIT-TOKEN"
+cloudflare/tunnel_token: "REPLACE-WITH-CF-TUNNEL-TOKEN"
+
+# --- Restic backup ---
+restic/password: "GENERATE-random-passphrase"
+# Repository destination — e.g. "sftp:user@nas:/backups/homey"
+# or "b2:bucketname:homey" for Backblaze B2
+# Set the actual repo URL in modules/backup.nix or override per-host.