Integrate Kanidm with Nextcloud via OIDC

Added Kanidm identity provider integration with Nextcloud:
- Enabled Kanidm client in kanidm.nix for CLI access
- Added user_oidc app to Nextcloud for OpenID Connect authentication
- Configured allow_local_remote_servers to permit Nextcloud to reach
  Kanidm at auth.baduhai.dev (resolves to local IP 192.168.15.142)

OAuth2 client configuration (done via kanidm CLI):
- Client ID: nextcloud
- Scopes: openid, email, profile mapped to idm_all_accounts group
- Redirect URI: https://cloud.baduhai.dev/apps/user_oidc/code
- User mapping: name claim maps to Nextcloud username

This allows users to authenticate to Nextcloud using their Kanidm
credentials, with existing Nextcloud accounts linked via username.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

hosts/alexandria/kanidm.nix

@@ -15,6 +15,7 @@ in
 {
   services.kanidm = {
     enableServer = true;
+    enableClient = true;
     package = pkgs.kanidm;
 
     serverSettings = {
@@ -27,6 +28,10 @@ in
       tls_chain = "${kanidmCertDir}/cert.pem";
       tls_key = "${kanidmCertDir}/key.pem";
     };
+
+    clientSettings = {
+      uri = "https://auth.baduhai.dev";
+    };
   };
 
   services.nginx.virtualHosts = mkNginxVHosts {

hosts/alexandria/nextcloud.nix

@@ -29,6 +29,7 @@ in
           contacts
           notes
           tasks
+          user_oidc
           ;
       };
       extraAppsEnable = true;
@@ -40,6 +41,7 @@ in
         trusted_proxies = [ "127.0.0.1" ];
         default_phone_region = "BR";
         maintenance_window_start = "4";
+        allow_local_remote_servers = true;
         enabledPreviewProviders = [
           "OC\\Preview\\BMP"
           "OC\\Preview\\EMF"