kanidm: add vaultwarden

hosts/vps1/kanidm.nix

@@ -19,6 +19,7 @@ in
 
   age.secrets.kanidm-oauth2-gitea = mkRandomSecret;
   age.secrets.kanidm-oauth2-open-webui = mkRandomSecret;
+  age.secrets.kanidm-oauth2-vaultwarden = mkRandomSecret;
 
   services.kanidm =
     let
@@ -58,6 +59,7 @@ in
             "jellyfin_users"
             "open-webui_admins"
             "open-webui_users"
+            "vaultwarden_users"
           ];
         };
 
@@ -102,6 +104,19 @@ in
             valuesByGroup."open-webui_admins" = [ "admin" ];
           };
         };
+
+        groups."vaultwarden_users" = { };
+        systems.oauth2.vaultwarden = {
+          displayName = "Vaultwarden";
+          originUrl = "https://vaultwarden.vimium.com/identity/connect/oidc-signin";
+          originLanding = "https://vaultwarden.vimium.com/";
+          basicSecretFile = config.age.secrets.kanidm-oauth2-vaultwarden.path;
+          scopeMaps."vaultwarden_users" = [
+            "openid"
+            "email"
+            "profile"
+          ];
+        };
       };
     };
 

secrets/rekeyed/vps1/fca01dd09f0ae4a1ffdc7a24a884ae5a-kanidm-oauth2-vaultwarden.age

@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 lOyIlA lN4CAdRzmrQqTaI75QwSyhPF34tXWvnyT3EF+wYp5H0
+z9b9Rm/zk4PHrw35EeLtx4Gyp6Nlv55SWM/OxuuqOcA
+-> CJNg-grease ^p}Pf r@D 94/&
+eM0eWh2/4FSBoFvqSvVI
+--- y0Tsd45+A1Q8XwnUee6RZJPkYiazusnxYkmBeHqru0E
+W`.)"<22>(<28><><EFBFBD>Ys<59><1F><><EFBFBD><EFBFBD>r<EFBFBD><72><EFBFBD>0<EFBFBD>“ <20><>r<EFBFBD>g<>Y<EFBFBD><59><EFBFBD>6<EFBFBD>P=;[Y<><59><EFBFBD>&<26>
b<>R<EFBFBD><52>6Wv<57><1B>Ǡ<EFBFBD><C7A0>Æs<C386>&<26><><EFBFBD>=U