Port to NixOS: replace Helm chart with flake-based NixOS config

Replaces the Helm/k3s setup with a declarative NixOS configuration targeting
a Raspberry Pi 4. Services run as podman containers under systemd, with data
on an external HD at /mnt/data. Key components:

- flake.nix: multi-host flake with pi-main (aarch64) and a placeholder for a
  second machine
- modules/common.nix: shared system config (nix, podman, sops, SSH)
- modules/storage.nix: external HD mount with per-service subdirs
- modules/caddy.nix: Caddy with cloudflare DNS-01 ACME + authelia forward_auth
- modules/cloudflared.nix: Cloudflare tunnel for remote access
- modules/backup.nix: restic daily backups with NC maintenance mode pre-hook
- modules/services/{openldap,authelia,gitea,nextcloud,phpldapadmin}.nix: core services
- modules/services/{jellyfin,transmission}.nix: media services (disabled by default)
- secrets/: sops-nix scaffold with .sops.yaml age key config
- hosts/pi-main/: hardware config + service selection for the Pi
- PORTING.md: step-by-step migration guide (SD card → data restore → verify)

secrets/secrets.yaml

@@ -0,0 +1,54 @@
+# =============================================================================
+# Homey secrets — managed by sops-nix
+#
+# THIS FILE MUST BE ENCRYPTED WITH SOPS BEFORE COMMITTING.
+# It is shown here as a plaintext template so you know what to fill in.
+#
+# Workflow:
+#   1. Complete the .sops.yaml age key setup.
+#   2. Fill in the values below.
+#   3. Run: sops -e -i secrets/secrets.yaml
+#      This encrypts the file in-place. The encrypted version is safe to commit.
+#   4. To edit later: sops secrets/secrets.yaml
+#
+# Ports from old deployment:
+#   - openldap/admin_password    ← from k8s secret openldap-admin
+#   - openldap/config_password   ← from k8s secret openldap-config
+#   - openldap/ro_password       ← from k8s secret openldap-ro
+#   - gitea/admin_password       ← from k8s secret gitea-admin-pass
+#   - nextcloud/admin_password   ← from k8s secret nextcloud-admin-pass
+#   - nextcloud/postgres_password← from k8s secret nextcloud-postgres-pass
+#   The remaining secrets (authelia JWT, session key, encryption key, gitea
+#   LFS/OAuth2/internal tokens) are regenerated fresh — see notes below.
+# =============================================================================
+
+# --- OpenLDAP ---
+openldap/admin_password: "REPLACE-WITH-OLD-VALUE"
+openldap/config_password: "REPLACE-WITH-OLD-VALUE"
+openldap/ro_password: "REPLACE-WITH-OLD-VALUE"
+
+# --- Authelia (regenerated fresh — these are random strings) ---
+authelia/jwt_secret: "GENERATE-random-64-chars"
+authelia/session_secret: "GENERATE-random-64-chars"
+authelia/storage_encryption_key: "GENERATE-random-64-chars"
+
+# --- Gitea ---
+gitea/admin_password: "REPLACE-WITH-OLD-VALUE"
+# These three are regenerated — gitea will re-derive on first start:
+gitea/lfs_jwt_secret: "GENERATE-random-43-chars-base64url"
+gitea/oauth2_jwt_secret: "GENERATE-random-43-chars-base64url"
+gitea/internal_token: "GENERATE-random-100-alphanum"
+
+# --- Nextcloud ---
+nextcloud/admin_password: "REPLACE-WITH-OLD-VALUE"
+nextcloud/postgres_password: "REPLACE-WITH-OLD-VALUE"
+
+# --- Cloudflare (DNS-01 ACME + tunnel) ---
+cloudflare/api_token: "REPLACE-WITH-CF-DNS-EDIT-TOKEN"
+cloudflare/tunnel_token: "REPLACE-WITH-CF-TUNNEL-TOKEN"
+
+# --- Restic backup ---
+restic/password: "GENERATE-random-passphrase"
+# Repository destination — e.g. "sftp:user@nas:/backups/homey"
+# or "b2:bucketname:homey" for Backblaze B2
+# Set the actual repo URL in modules/backup.nix or override per-host.