vault: add OpenBao OIDC integration with Kanidm

services/kanidm/default.nix

@@ -40,6 +40,21 @@
         preferShortUsername = true;
         scopeMaps.users = [ "openid" "profile" "email" "groups" ];
       };
+
+      systems.oauth2.openbao = {
+        displayName = "OpenBao Secrets";
+        # Both CLI (localhost) and Web UI callback URLs
+        originUrl = [
+          "http://localhost:8250/oidc/callback"
+          "https://vault.home.2rjus.net:8200/ui/vault/auth/oidc/oidc/callback"
+        ];
+        originLanding = "https://vault.home.2rjus.net:8200/";
+        basicSecretFile = config.vault.secrets.openbao-oauth2.outputDir;
+        preferShortUsername = true;
+        # Allow groups scope for role binding
+        scopeMaps.admins = [ "openid" "profile" "email" "groups" ];
+        scopeMaps.users = [ "openid" "profile" "email" "groups" ];
+      };
     };
   };
 
@@ -72,6 +87,15 @@
     group = "kanidm";
   };
 
+  # Vault secret for OpenBao OAuth2 client secret
+  vault.secrets.openbao-oauth2 = {
+    secretPath = "services/openbao/oauth2-client-secret";
+    extractKey = "password";
+    services = [ "kanidm" ];
+    owner = "kanidm";
+    group = "kanidm";
+  };
+
   # Note: Kanidm does not expose Prometheus metrics
   # If metrics support is added in the future, uncomment:
   # homelab.monitoring.scrapeTargets = [