kanidm01: add kanidm authentication server

- New test-tier VM at 10.69.13.23 with role=auth
- Kanidm 1.8 server with HTTPS (443) and LDAPS (636)
- ACME certificate from internal CA (auth.home.2rjus.net)
- Provisioned groups: admins, users, ssh-users
- Provisioned user: torjus
- Daily backups at 22:00 (7 versions)
- Prometheus monitoring scrape target

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

terraform/vault/hosts-generated.tf

@@ -33,6 +33,12 @@ locals {
         "secret/data/shared/homelab-deploy/*",
       ]
     }
+    "kanidm01" = {
+      paths = [
+        "secret/data/hosts/kanidm01/*",
+        "secret/data/kanidm/*",
+      ]
+    }
   
   }
 

terraform/vault/secrets.tf

@@ -102,6 +102,12 @@ locals {
       auto_generate = false
       data          = { nkey = var.homelab_deploy_admin_deployer_nkey }
     }
+
+    # Kanidm idm_admin password
+    "kanidm/idm-admin-password" = {
+      auto_generate   = true
+      password_length = 32
+    }
   }
 }
 

terraform/vms.tf

@@ -72,6 +72,13 @@ locals {
       disk_size = "20G"
       vault_wrapped_token = "s.b6ge0KMtNQctdKkvm0RNxGdt"
     }
+    "kanidm01" = {
+      ip        = "10.69.13.23/24"
+      cpu_cores = 2
+      memory    = 2048
+      disk_size = "20G"
+      vault_wrapped_token = "s.OOqjEECeIV7dNgCS6jNmyY3K"
+    }
   }
 
   # Compute VM configurations with defaults applied