diff --git a/machines/nixos/compute01/kanidm/default.nix b/machines/nixos/compute01/kanidm/default.nix
index 8e1a182..2d01b77 100644
--- a/machines/nixos/compute01/kanidm/default.nix
+++ b/machines/nixos/compute01/kanidm/default.nix
@@ -162,6 +162,23 @@ in
 ];
 };
+ dgn_openbao = {
+ displayName = "OpenBao [Vault]";
+ originLanding = "https://vault.dgnum.eu";
+ originUrl = [ "https://vault.dgnum.eu/ui/vault/auth/kanidm/oidc/callback" ];
+ preferShortUsername = true;
+
+ scopeMaps.grp_active = [
+ "openid"
+ "profile"
+ "email"
+ ];
+
+ claimMaps.vault_group.valuesByGroup = {
+ grp_root = [ "admin" ];
+ };
+ };
+
 dgn_outline = {
 displayName = "Outline [Docs]";
 originUrl = "https://docs.dgnum.eu/auth/oidc.callback";
diff --git a/machines/nixos/storage01/openbao.nix b/machines/nixos/storage01/openbao.nix
index 4d6e158..455788c 100644
--- a/machines/nixos/storage01/openbao.nix
+++ b/machines/nixos/storage01/openbao.nix
@@ -2,6 +2,8 @@
 #
 # SPDX-License-Identifier: EUPL-1.2
+{ nixpkgs, ... }:
+
 let
 host = "vault.dgnum.eu";
 port = 3100;
@@ -12,6 +14,8 @@ in
 services.openbao = {
 enable = true;
+ package = nixpkgs.nixos."25.05".openbao;
+
 settings = {
 listener.tcp = {
 address = "127.0.0.1:${builtins.toString port}";
@@ -26,6 +30,8 @@ in
 cluster_addr = "http://${host}:${toString clusterPort}";
 api_addr = "https://${host}";
+
+ ui = true;
 };
 };
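Review bot: The new `dgn_openbao` client lets every `grp_active` member log in (via `scopeMaps.grp_active`) while only `grp_root` receives a `vault_group` claim, so what an active, non-root user can do inside OpenBao is decided entirely by how the OpenBao OIDC role treats a missing claim, which this diff does not show. A comment above `claimMaps.vault_group.valuesByGroup` should record that intent, e.g. `# vault_group claim: only grp_root is mapped ("admin"); every other grp_active user must fall back to the OpenBao role's default policy, so keep the role's claim-to-policy mapping in step with this list.` Also, `originUrl` is a list here while `dgn_outline` just below uses a plain string; if the module accepts both forms, one style for all clients would read better. The attribute set enclosing these client definitions closes outside the hunk.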
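Review bot: The pin `package = nixpkgs.nixos."25.05".openbao;` carries no comment explaining why OpenBao is taken from the 25.05 release set instead of the host's default package set, and the new `{ nixpkgs, ... }:` header in the preceding hunk likewise does not say where that argument is supplied from. A package pinned to one release only receives security fixes for as long as that channel is maintained, so the reason and the intended lifetime of the pin should be written down, e.g. `# Pinned to nixpkgs 25.05 (reason: <fill in>); drop once the host's default openbao is suitable, since fixes otherwise reach this service only through this pin.` The `services.openbao` block continues outside the hunk.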
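Review bot: `ui = true;` and the OIDC callback registered in kanidm in the first file of this diff (`/ui/vault/auth/kanidm/oidc/callback`) depend on each other, yet neither side says so; a comment here would keep a later cleanup from breaking the login flow, e.g. `# UI must stay enabled: the kanidm OIDC callback is served under /ui/ (see compute01/kanidm).` The listener in the previous hunk binds `127.0.0.1`, so the UI is reachable only through whatever fronts `api_addr` — presumably a reverse proxy not shown here; it is worth confirming that this is the only route to the UI. The enclosing `settings` and `services.openbao` blocks close outside the hunk.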