From 2e26d50a904fd17988e6b44b54296eb376686d99 Mon Sep 17 00:00:00 2001 From: Jordan Holt Date: Tue, 2 Sep 2025 00:48:29 +0100 Subject: [PATCH] kanidm: add vaultwarden --- hosts/vps1/kanidm.nix | 15 +++++++++++++++ .../generated/vps1/kanidm-oauth2-vaultwarden.age | Bin 0 -> 294 bytes ...fdc7a24a884ae5a-kanidm-oauth2-vaultwarden.age | 7 +++++++ 3 files changed, 22 insertions(+) create mode 100644 secrets/generated/vps1/kanidm-oauth2-vaultwarden.age create mode 100644 secrets/rekeyed/vps1/fca01dd09f0ae4a1ffdc7a24a884ae5a-kanidm-oauth2-vaultwarden.age diff --git a/hosts/vps1/kanidm.nix b/hosts/vps1/kanidm.nix index 5ea45c3..0959c1e 100644 --- a/hosts/vps1/kanidm.nix +++ b/hosts/vps1/kanidm.nix @@ -19,6 +19,7 @@ in age.secrets.kanidm-oauth2-gitea = mkRandomSecret; age.secrets.kanidm-oauth2-open-webui = mkRandomSecret; + age.secrets.kanidm-oauth2-vaultwarden = mkRandomSecret; services.kanidm = let @@ -58,6 +59,7 @@ in "jellyfin_users" "open-webui_admins" "open-webui_users" + "vaultwarden_users" ]; }; @@ -102,6 +104,19 @@ in valuesByGroup."open-webui_admins" = [ "admin" ]; }; }; + + groups."vaultwarden_users" = { }; + systems.oauth2.vaultwarden = { + displayName = "Vaultwarden"; + originUrl = "https://vaultwarden.vimium.com/identity/connect/oidc-signin"; + originLanding = "https://vaultwarden.vimium.com/"; + basicSecretFile = config.age.secrets.kanidm-oauth2-vaultwarden.path; + scopeMaps."vaultwarden_users" = [ + "openid" + "email" + "profile" + ]; + }; }; }; 
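Review bot: In the `systems.oauth2.vaultwarden` block of the third hunk, the `email` scope is granted to `vaultwarden_users` with no comment noting that a password manager typically uses this claim to bind an SSO login to a vault account. Vaultwarden's side of the SSO configuration is not part of this commit, so whether it matches existing accounts by email cannot be confirmed here; if it does, control over a member's mail attribute in Kanidm amounts to control over that vault login. I would add a comment above `scopeMaps`, for example `# email claim binds SSO logins to vault accounts: keep mail admin-managed and vaultwarden_users membership minimal`. The client leaves `allowInsecureClientDisablePkce` and `enableLegacyCrypto` unset, so the module defaults for PKCE and token signing apply, and they should stay that way for this client. The enclosing `services.kanidm` attribute set starts outside the hunk.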
diff --git a/secrets/generated/vps1/kanidm-oauth2-vaultwarden.age b/secrets/generated/vps1/kanidm-oauth2-vaultwarden.age new file mode 100644 index 0000000000000000000000000000000000000000..f4e65787c6830651b79b81ba0008b22554449df5 GIT binary patch literal 294 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14$Sl(>Ffuh$NHp{_if~kLEDd!|Ny^ZV za8Iu&b#$`y52=hQF*nH$$jS7GFh~w9@Ygq}N=na2^EYwjGSPPo%FD0F%W{n@uB;02 zPEW1K_ew1(%PGssO!vqzDzYd_aY@Pbc1#Wh*=1&{9F(o6Qlpz*l$uzas-RwzS8835 zp`aDSW#U@t%B8ETtB`IU>7k!%X;5e!RAdqC9FSLNR*~UR7-V4TTBM(!V;bRJ>TYV_ z85v~~$W<5f@wWJ}Po?7DZyfr4zc?w@JtK$7Z^;zhjyubbXv(#=S#J@@Ytj9Btk=Cs rf#J!{Rei$Se8O}5MLsLIZ%$cYx_`II7nZgBnftGQ-q4X$Yw;fdEWd1n literal 0 HcmV?d00001 diff --git a/secrets/rekeyed/vps1/fca01dd09f0ae4a1ffdc7a24a884ae5a-kanidm-oauth2-vaultwarden.age b/secrets/rekeyed/vps1/fca01dd09f0ae4a1ffdc7a24a884ae5a-kanidm-oauth2-vaultwarden.age new file mode 100644 index 0000000..8a9b7c2 --- /dev/null +++ b/secrets/rekeyed/vps1/fca01dd09f0ae4a1ffdc7a24a884ae5a-kanidm-oauth2-vaultwarden.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 lOyIlA lN4CAdRzmrQqTaI75QwSyhPF34tXWvnyT3EF+wYp5H0 +z9b9Rm/zk4PHrw35EeLtx4Gyp6Nlv55SWM/OxuuqOcA +-> CJNg-grease ^p}Pf r@D 94/& +eM0eWh2/4FSBoFvqSvVI +--- y0Tsd45+A1Q8XwnUee6RZJPkYiazusnxYkmBeHqru0E +W`.)"(Ysr0“ rgY6P=;[Y&bR6WvǠÆs&=U \ No newline at end of file