Added Kanidm identity provider integration with Nextcloud:
- Enabled Kanidm client in kanidm.nix for CLI access
- Added user_oidc app to Nextcloud for OpenID Connect authentication
- Configured allow_local_remote_servers to permit Nextcloud to reach
Kanidm at auth.baduhai.dev (resolves to local IP 192.168.15.142)
OAuth2 client configuration (done via kanidm CLI):
- Client ID: nextcloud
- Scopes: openid, email, profile mapped to idm_all_accounts group
- Redirect URI: https://cloud.baduhai.dev/apps/user_oidc/code
- User mapping: name claim maps to Nextcloud username
This allows users to authenticate to Nextcloud using their Kanidm
credentials, with existing Nextcloud accounts linked via username.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Added Kanidm server configuration to serve as central identity provider for
all services. Configuration includes:
- Server on auth.baduhai.dev with HTTPS
- LDAP support on port 636 for legacy integrations
- Nginx reverse proxy with SSL termination
- Added to shared services for DNS resolution
Kanidm will provide OAuth2/OIDC authentication for Nextcloud, Vaultwarden,
Forgejo, and other services.
