vault: add OpenBao OIDC integration with Kanidm

Enable Kanidm users to authenticate to OpenBao via OIDC for Web UI access. Members of the admins group get full read/write access to secrets. Changes: - Add OIDC auth backend in Terraform (oidc.tf) - Add oidc-admin and oidc-default policies - Add openbao OAuth2 client to Kanidm - Enable legacy crypto (RS256) for OpenBao compatibility - Allow imperative group membership management in Kanidm Limitations: - CLI login not supported (Kanidm requires HTTPS for confidential client redirects) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-09 19:42:26 +01:00
parent 2f5a2a4bf1
commit e85f15b73d
5 changed files with 131 additions and 3 deletions
--- a/services/kanidm/default.nix
+++ b/services/kanidm/default.nix
@@ -24,9 +24,10 @@
      idmAdminPasswordFile = config.vault.secrets.kanidm-idm-admin.outputDir;

      groups = {
-        admins = { };
-        users = { };
-        ssh-users = { };
+        # overwriteMembers = false allows imperative member management via CLI
+        admins = { overwriteMembers = false; };
+        users = { overwriteMembers = false; };
+        ssh-users = { overwriteMembers = false; };
      };

      # Regular users (persons) are managed imperatively via kanidm CLI
@@ -40,6 +41,20 @@
        preferShortUsername = true;
        scopeMaps.users = [ "openid" "profile" "email" "groups" ];
      };
+
+      systems.oauth2.openbao = {
+        displayName = "OpenBao Secrets";
+        # Web UI callback only (CLI localhost not supported with confidential clients)
+        originUrl = "https://vault.home.2rjus.net:8200/ui/vault/auth/oidc/oidc/callback";
+        originLanding = "https://vault.home.2rjus.net:8200/";
+        basicSecretFile = config.vault.secrets.openbao-oauth2.outputDir;
+        preferShortUsername = true;
+        # Enable RS256 signing algorithm (required by OpenBao)
+        enableLegacyCrypto = true;
+        # Allow groups scope for role binding
+        scopeMaps.admins = [ "openid" "profile" "email" "groups" ];
+        scopeMaps.users = [ "openid" "profile" "email" "groups" ];
+      };
    };
  };

@@ -72,6 +87,15 @@
    group = "kanidm";
  };

+  # Vault secret for OpenBao OAuth2 client secret
+  vault.secrets.openbao-oauth2 = {
+    secretPath = "services/openbao/oauth2-client-secret";
+    extractKey = "password";
+    services = [ "kanidm" ];
+    owner = "kanidm";
+    group = "kanidm";
+  };
+
  # Note: Kanidm does not expose Prometheus metrics
  # If metrics support is added in the future, uncomment:
  # homelab.monitoring.scrapeTargets = [