kanidm: remove declarative user provisioning

Keep base groups (admins, users, ssh-users) provisioned declaratively but manage regular users via the kanidm CLI. This allows setting POSIX attributes and passwords in a single workflow. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-08 14:55:19 +01:00
parent 71a41d83ef
commit 264d26c2b3
1 changed files with 4 additions and 6 deletions
--- a/services/kanidm/default.nix
+++ b/services/kanidm/default.nix
@@ -17,7 +17,8 @@
      };
    };

-    # Provisioning - initial users/groups
+    # Provision base groups only - users are managed via CLI
+    # See docs/user-management.md for details
    provision = {
      enable = true;
      idmAdminPasswordFile = config.vault.secrets.kanidm-idm-admin.outputDir;
@@ -28,10 +29,7 @@
        ssh-users = { };
      };

-      persons.torjus = {
-        displayName = "Torjus";
-        groups = [ "admins" "users" "ssh-users" ];
-      };
+      # Regular users (persons) are managed imperatively via kanidm CLI
    };
  };

@@ -46,7 +44,7 @@
    extraDomainNames = [ "${config.networking.hostName}.home.2rjus.net" ];
  };

-  # Vault secret for idm_admin password
+  # Vault secret for idm_admin password (used for provisioning)
  vault.secrets.kanidm-idm-admin = {
    secretPath = "kanidm/idm-admin-password";
    extractKey = "password";