Add Kanidm identity provider to alexandria

Added Kanidm server configuration to serve as central identity provider for
all services. Configuration includes:
- Server on auth.baduhai.dev with HTTPS
- LDAP support on port 636 for legacy integrations
- Nginx reverse proxy with SSL termination
- Added to shared services for DNS resolution

Kanidm will provide OAuth2/OIDC authentication for Nextcloud, Vaultwarden,
Forgejo, and other services.

hosts/alexandria/kanidm.nix

@@ -0,0 +1,78 @@
+{
+  config,
+  lib,
+  inputs,
+  pkgs,
+  ...
+}:
+
+let
+  utils = import ../../utils.nix { inherit inputs lib; };
+  inherit (utils) mkNginxVHosts;
+  kanidmCertDir = "/var/lib/kanidm/certs";
+in
+
+{
+  services.kanidm = {
+    enableServer = true;
+    package = pkgs.kanidm;
+
+    serverSettings = {
+      domain = "auth.baduhai.dev";
+      origin = "https://auth.baduhai.dev";
+      bindaddress = "127.0.0.1:8443";
+      ldapbindaddress = "127.0.0.1:636";
+      trust_x_forward_for = true;
+      # Use self-signed certificates for internal TLS
+      tls_chain = "${kanidmCertDir}/cert.pem";
+      tls_key = "${kanidmCertDir}/key.pem";
+    };
+  };
+
+  services.nginx.virtualHosts = mkNginxVHosts {
+    domains."auth.baduhai.dev" = {
+      locations."/" = {
+        proxyPass = "https://127.0.0.1:8443";
+        extraConfig = ''
+          proxy_ssl_verify off;
+          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header X-Forwarded-Proto $scheme;
+          proxy_set_header Host $host;
+        '';
+      };
+    };
+  };
+
+  networking.firewall.allowedTCPPorts = [ 636 ];
+
+  # Generate self-signed certificates for kanidm's internal TLS
+  systemd.services.kanidm-generate-certs = {
+    description = "Generate self-signed TLS certificates for Kanidm";
+    wantedBy = [ "multi-user.target" ];
+    before = [ "kanidm.service" ];
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+    };
+    script = ''
+      mkdir -p ${kanidmCertDir}
+      if [ ! -f ${kanidmCertDir}/key.pem ]; then
+        ${pkgs.openssl}/bin/openssl req -x509 -newkey rsa:4096 \
+          -keyout ${kanidmCertDir}/key.pem \
+          -out ${kanidmCertDir}/cert.pem \
+          -days 3650 -nodes \
+          -subj "/CN=localhost" \
+          -addext "subjectAltName=DNS:localhost,IP:127.0.0.1"
+        chown -R kanidm:kanidm ${kanidmCertDir}
+        chmod 600 ${kanidmCertDir}/key.pem
+        chmod 644 ${kanidmCertDir}/cert.pem
+      fi
+    '';
+  };
+
+  # Ensure certificate generation runs before kanidm starts
+  systemd.services.kanidm = {
+    after = [ "kanidm-generate-certs.service" ];
+    wants = [ "kanidm-generate-certs.service" ];
+  };
+}

shared/services.nix

@@ -1,9 +1,17 @@
 # Shared service definitions for cross-host configuration
 # Used by:
-# - alexandria: DNS server (LAN) + service hosting (vaultwarden, nextcloud, jellyfin)
+# - alexandria: DNS server (LAN) + service hosting (vaultwarden, nextcloud, jellyfin, kanidm)
 # - trantor: DNS server (Tailnet) + service hosting (forgejo)
 {
   services = [
+    {
+      name = "kanidm";
+      domain = "auth.baduhai.dev";
+      host = "alexandria";
+      lanIP = "192.168.15.142";
+      tailscaleIP = "100.76.19.50";
+      port = 8443;
+    }
     {
       name = "vaultwarden";
       domain = "pass.baduhai.dev";