Add Vault OIDC authentication via Authentik

Configure Vault to use Authentik as OIDC identity provider for SSO login.
Creates OAuth2 provider/application in Authentik, adds OIDC auth backend,
admin policy, and maps "authentik Admins" group to full vault-admin access.

stacks/vault/vault_provider.tf

@@ -0,0 +1,18 @@
+terraform {
+  required_providers {
+    vault = {
+      source  = "hashicorp/vault"
+      version = "~> 4.0"
+    }
+  }
+}
+
+variable "vault_root_token" {
+  type      = string
+  sensitive = true
+}
+
+provider "vault" {
+  address = "https://vault.viktorbarzin.me"
+  token   = var.vault_root_token
+}