vault: add OpenBao OIDC integration with Kanidm

Enable Kanidm users to authenticate to OpenBao via OIDC for Web UI access.
Members of the admins group get full read/write access to secrets.

Changes:
- Add OIDC auth backend in Terraform (oidc.tf)
- Add oidc-admin and oidc-default policies
- Add openbao OAuth2 client to Kanidm
- Enable legacy crypto (RS256) for OpenBao compatibility
- Allow imperative group membership management in Kanidm

Limitations:
- CLI login not supported (Kanidm requires HTTPS for confidential client redirects)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

terraform/vault/approle.tf

@@ -106,6 +106,7 @@ locals {
         "secret/data/hosts/kanidm01/*",
         "secret/data/kanidm/*",
         "secret/data/services/grafana/*",
+        "secret/data/services/openbao/*",
       ]
     }