From e02f846b5c588f1ab407d7ee2ec535754d3a8393 Mon Sep 17 00:00:00 2001 From: Jordan Holt Date: Tue, 2 Sep 2025 01:01:54 +0100 Subject: [PATCH] vaultwarden: use SSO with Kanidm --- hosts/vps1/secrets/vaultwarden-env.age | 13 +++++++------ hosts/vps1/vaultwarden.nix | 3 +++ ...3b34b489200f3767ae0f1e6a9f42-vaultwarden-env.age | 7 ------- ...9af7d4ddc9e7d805487478d2f53e-vaultwarden-env.age | 10 ++++++++++ 4 files changed, 20 insertions(+), 13 deletions(-) delete mode 100644 secrets/rekeyed/vps1/7e6c3b34b489200f3767ae0f1e6a9f42-vaultwarden-env.age create mode 100644 secrets/rekeyed/vps1/87759af7d4ddc9e7d805487478d2f53e-vaultwarden-env.age diff --git a/hosts/vps1/secrets/vaultwarden-env.age b/hosts/vps1/secrets/vaultwarden-env.age index 00b059f..279305c 100644 --- a/hosts/vps1/secrets/vaultwarden-env.age +++ b/hosts/vps1/secrets/vaultwarden-env.age @@ -1,7 +1,8 @@ age-encryption.org/v1 --> piv-p256 a1N2XA Ag/fE6bqn8kUPXEmxU7IcEaW4pRp8Ug5Tvj/49d3kN55 -TNVXUZ38JKTWte+31iuyGDy7P4zJkQzYb+g4QVXu1QM --> 0S&-grease fn plj(( ShqRnf -qZ/b2Xf2MA ---- 4HChQHR3R3I0DwDrx7DNmAa+gMhlzY18s3qyGndAitM -Hh>p5vybdNXki])!p|8HLOM{ 8sLFjM}:]Ǡk%$H7RQ##f*\X F4.}0{փpto,yTsM-X7Husfa [#K} :K0qB(o#?eG50ҸɧP_gCF \ No newline at end of file +-> piv-p256 a1N2XA A+JTQrgN4xxrQpLhyMtfq82/26DwsudKmxyE8gx9PlJU +oZjXRvr2mza+28asKcXzSDU0em5edPpazk5dOLXrvZ8 +-> )z\cT7C|-grease v>P/r|O s\(zEXaF Q ,!Y2g+NM +ZAEVPuF8OEWWNKFP+7IUrpaDydZDAFCRnj1vOdGiBf6BzgbicAAmIF4XgBQqpE5M +JoCzgjdKB1kLOQB2PWRfJ02L93/zFQXm +--- vcFS71G0ZZ1bU8dKgMmLMv5sUIi/TYjOu41EuDpJyXw +:!-<:rg?N-i?dZ2h3 ] yfѺb!Ba64{r#V[25APͣU 5E: QW([Ûr28 A۠\6A4qVRe.&RGa?r 4?MTPCZD{|ddz((~{9K^CtM)\ۑ#fJ.:1?`^34tB[_'$yM2RL-Q \ No newline at end of file diff --git a/hosts/vps1/vaultwarden.nix b/hosts/vps1/vaultwarden.nix index caa4e19..642418d 100644 --- a/hosts/vps1/vaultwarden.nix +++ b/hosts/vps1/vaultwarden.nix 
@@ -28,6 +28,9 @@ in rocketPort = 8222; + ssoEnabled = true; + ssoAuthority = "https://auth.vimium.com/oauth2/openid/vaultwarden"; + ssoClientId = "vaultwarden"; signupsAllowed = false; passwordIterations = 1000000; invitationsAllowed = true; diff --git a/secrets/rekeyed/vps1/7e6c3b34b489200f3767ae0f1e6a9f42-vaultwarden-env.age b/secrets/rekeyed/vps1/7e6c3b34b489200f3767ae0f1e6a9f42-vaultwarden-env.age deleted file mode 100644 index 7cd93b0..0000000 --- a/secrets/rekeyed/vps1/7e6c3b34b489200f3767ae0f1e6a9f42-vaultwarden-env.age +++ /dev/null @@ -1,7 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 lOyIlA goXUvK9rMf7kQ+UZ3aXjHxa5HukNU8pNafu5AbnDaT4 -7DrqHf133Y3A3NV/tjW/jMGrim02LZ79EMM2yLNEKR8 --> }AV-grease VKakg LdQ~# -aiiVL/zHxATk1wMQ6vFN91tz1hawMBndFzE6Vl/ck6OeL9DS0GswlylbXvuCbg ---- FNJQXjKg1S56UIcgg5+jsRSbtXKVyHKXgtajpaqvqNs -iL|2\g5mC= ,;FpN K;=8Kꞛ%~oL:RjLD/vpsR?~dkp:n[ k?!lbaO,sGWp>@$eN (c]$ڦ"n4G}r#Kݷ #I \ No newline at end of file diff --git a/secrets/rekeyed/vps1/87759af7d4ddc9e7d805487478d2f53e-vaultwarden-env.age b/secrets/rekeyed/vps1/87759af7d4ddc9e7d805487478d2f53e-vaultwarden-env.age new file mode 100644 index 0000000..511cc8b --- /dev/null +++ b/secrets/rekeyed/vps1/87759af7d4ddc9e7d805487478d2f53e-vaultwarden-env.age @@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> ssh-ed25519 lOyIlA Tyyx5kyLTN9MI+Bc66Rh7RbQ+qZF0S5Y2HCTvUFRqBo +lzPjwPDXjg8ioc4XAJewTDdzXN5QO3BeGbTVxGW1B0U +-> *-grease >|vs MPFf.c. nm=m ^ +OHDKbCO9uIoRv9Ar2kbIENz1NLY8iUlzmV07SouSJcxNWyEAqsVzxAkLsIeQKYn5 +XbtjLv88wHhf2w +--- 7kHTJevOeZdsk2v9qP1V7wL4/Qz8wmFgoQiPMcx56WU +LȼamwB] +mھځOdL%PI'XOFj88s[(ClTdH[9 $AlPf}jCo]` nݢjw*Y<iMOD[!T#ȕXقKX-{f$%gT}kR1Q??٭QhW e||zXerD3\'; jFhY +RH1 Rꑱ/*w 3ǷY"{LNs"7B \ No newline at end of file
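Review bot: The three added `sso*` settings turn SSO on but leave `ssoOnly` unset, so (assuming the upstream default of `SSO_ONLY=false` still applies) email plus master-password login stays available next to Kanidm and is not subject to whatever MFA or account policy Kanidm enforces. If Kanidm is meant to be the only way in, add `ssoOnly = true;` below `ssoEnabled`; if the password path is kept on purpose as a fallback, say so in a comment. The client secret is not visible in this hunk and presumably arrives through the re-encrypted `vaultwarden-env.age`; a one-line comment such as `# SSO_CLIENT_SECRET is supplied via the age-encrypted environment file` would make that dependency explicit. The enclosing attribute set begins and ends outside the hunk, so settings such as email matching for existing accounts cannot be checked from here.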