vault: revert to confidential client, Web UI only (no CLI)

services/kanidm/default.nix

@@ -43,12 +43,10 @@
 
       systems.oauth2.openbao = {
         displayName = "OpenBao Secrets";
-        # Public client for CLI support (uses PKCE instead of client secret)
-        public = true;
-        enableLocalhostRedirects = true;
-        # Both CLI (localhost) and Web UI callback URLs
+        # Web UI callback only (CLI localhost not supported with confidential clients)
         originUrl = "https://vault.home.2rjus.net:8200/ui/vault/auth/oidc/oidc/callback";
         originLanding = "https://vault.home.2rjus.net:8200/";
+        basicSecretFile = config.vault.secrets.openbao-oauth2.outputDir;
         preferShortUsername = true;
         # Allow groups scope for role binding
         scopeMaps.admins = [ "openid" "profile" "email" "groups" ];
@@ -86,6 +84,14 @@
     group = "kanidm";
   };
 
+  # Vault secret for OpenBao OAuth2 client secret
+  vault.secrets.openbao-oauth2 = {
+    secretPath = "services/openbao/oauth2-client-secret";
+    extractKey = "password";
+    services = [ "kanidm" ];
+    owner = "kanidm";
+    group = "kanidm";
+  };
 
   # Note: Kanidm does not expose Prometheus metrics
   # If metrics support is added in the future, uncomment: