Replace Docker containers with native NixOS modules for nginx, Authelia, and go2rtc

- Native nginx with ACME wildcard cert (*.nordhammer.it) via Cloudflare DNS-01
- Native Authelia SSO with forward auth protecting homepage + camera
- Native go2rtc camera streaming (no more Docker)
- Auto-migration script for Authelia secrets and user database from Docker
- Homepage hrefs updated to use HTTPS domain names
- Fail2ban updated for native nginx log paths + new Authelia jail

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

services/fail2ban.nix

@@ -37,17 +37,29 @@
           };
         };
 
-        # Nginx Proxy Manager — watches Docker-mounted log files for 401/403s
-        nginx-proxy-manager = {
+        # Nginx — watches access log for HTTP auth failures
+        nginx = {
           settings = {
             enabled = true;
             filter = "nginx-http-auth";
-            logpath = "/home/fred/docker/nginx-proxy-manager/data/logs/*.log";
+            logpath = "/var/log/nginx/access.log";
             maxretry = 10;
             bantime = "1h";
           };
         };
 
+        # Authelia — failed login attempts via journald
+        authelia = {
+          settings = {
+            enabled = true;
+            backend = "systemd";
+            journalmatch = "_SYSTEMD_UNIT=authelia-main.service";
+            filter = "authelia";
+            maxretry = 5;
+            bantime = "2h";
+          };
+        };
+
         # Jellyfin auth failures — journald
         jellyfin = {
           settings = {
@@ -140,6 +152,13 @@
       ignoreregex =
     '';
 
+    # Authelia filter
+    environment.etc."fail2ban/filter.d/authelia.conf".text = ''
+      [Definition]
+      failregex = ^.*Unsuccessful .* authentication attempt by user .* from <HOST>.*$
+      ignoreregex =
+    '';
+
     # Jellyfin filter
     environment.etc."fail2ban/filter.d/jellyfin.conf".text = ''
       [Definition]