vault: use public OIDC client for CLI localhost redirect support

services/kanidm/default.nix

@@ -43,13 +43,12 @@
 
       systems.oauth2.openbao = {
         displayName = "OpenBao Secrets";
+        # Public client for CLI support (uses PKCE instead of client secret)
+        public = true;
+        enableLocalhostRedirects = true;
         # Both CLI (localhost) and Web UI callback URLs
-        originUrl = [
-          "http://localhost:8250/oidc/callback"
-          "https://vault.home.2rjus.net:8200/ui/vault/auth/oidc/oidc/callback"
-        ];
+        originUrl = "https://vault.home.2rjus.net:8200/ui/vault/auth/oidc/oidc/callback";
         originLanding = "https://vault.home.2rjus.net:8200/";
-        basicSecretFile = config.vault.secrets.openbao-oauth2.outputDir;
         preferShortUsername = true;
         # Allow groups scope for role binding
         scopeMaps.admins = [ "openid" "profile" "email" "groups" ];
@@ -87,14 +86,6 @@
     group = "kanidm";
   };
 
-  # Vault secret for OpenBao OAuth2 client secret
-  vault.secrets.openbao-oauth2 = {
-    secretPath = "services/openbao/oauth2-client-secret";
-    extractKey = "password";
-    services = [ "kanidm" ];
-    owner = "kanidm";
-    group = "kanidm";
-  };
 
   # Note: Kanidm does not expose Prometheus metrics
   # If metrics support is added in the future, uncomment:

terraform/vault/approle.tf

@@ -106,7 +106,6 @@ locals {
         "secret/data/hosts/kanidm01/*",
         "secret/data/kanidm/*",
         "secret/data/services/grafana/*",
-        "secret/data/services/openbao/*",
       ]
     }
 

terraform/vault/oidc.tf

@@ -1,10 +1,10 @@
 # OIDC authentication backend for Kanidm integration
+# Using a public client (no secret) to support CLI localhost redirects
 resource "vault_jwt_auth_backend" "oidc" {
   path               = "oidc"
   type               = "oidc"
   oidc_discovery_url = "https://auth.home.2rjus.net/oauth2/openid/openbao"
   oidc_client_id     = "openbao"
-  oidc_client_secret = random_password.auto_secrets["services/openbao/oauth2-client-secret"].result
   default_role       = "default"
 
   tune {

terraform/vault/secrets.tf

@@ -115,11 +115,6 @@ locals {
       password_length = 64
     }
 
-    # OpenBao OAuth2 client secret (for Kanidm OIDC)
-    "services/openbao/oauth2-client-secret" = {
-      auto_generate   = true
-      password_length = 64
-    }
 
     # NKey for nixos-exporter NATS cache sharing
     "shared/nixos-exporter/nkey" = {