From 40024cd3708b89a40ec21a87fd6cf22af6444ab7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Torjus=20H=C3=A5kestad?=
Date: Sun, 8 Feb 2026 14:55:19 +0100
Subject: [PATCH] kanidm: remove declarative user provisioning

Keep base groups (admins, users, ssh-users) provisioned declaratively but manage regular users via the kanidm CLI. This allows setting POSIX attributes and passwords in a single workflow.

Co-Authored-By: Claude Opus 4.5
---
 services/kanidm/default.nix | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/services/kanidm/default.nix b/services/kanidm/default.nix
index c245079..c7baaa1 100644
--- a/services/kanidm/default.nix
+++ b/services/kanidm/default.nix
@@ -17,7 +17,8 @@
 };
 };
 
-# Provisioning - initial users/groups
+# Provision base groups only - users are managed via CLI
+# See docs/user-management.md for details
 provision = {
 enable = true;
 idmAdminPasswordFile = config.vault.secrets.kanidm-idm-admin.outputDir;
@@ -28,10 +29,7 @@
 ssh-users = { };
 };
 
-persons.torjus = {
-displayName = "Torjus";
-groups = [ "admins" "users" "ssh-users" ];
-};
+# Regular users (persons) are managed imperatively via kanidm CLI
 };
 };
 
@@ -46,7 +44,7 @@
 extraDomainNames = [ "${config.networking.hostName}.home.2rjus.net" ];
 };
 
-# Vault secret for idm_admin password
+# Vault secret for idm_admin password (used for provisioning)
 vault.secrets.kanidm-idm-admin = {
 secretPath = "kanidm/idm-admin-password";
 extractKey = "password";
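Review bot: The new comment in the first hunk points readers at `docs/user-management.md`, but the diffstat lists only `services/kanidm/default.nix`, so that document is not introduced by this commit; confirm it already exists in the repository or add it here so the reference does not dangle. Since person accounts and their group membership now live outside Nix, that document is also the natural place to record which account is used for CLI management and how `admins` membership is reviewed, and I'd mention that in the comment, e.g. `# See docs/user-management.md for the CLI workflow and admin-group review process`.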
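Review bot: Removing `persons.torjus` in the second hunk also removes the only declarative statement of who belongs to `admins`, so the set of administrative accounts can no longer be audited from this file or caught in review when it changes. Consider keeping the privileged membership declared even though persons are created via the CLI, for example `groups.admins.members = [ "torjus" ];`, so that a drift in admin membership still shows up as a diff. Separately, `provision.autoRemove` is not set anywhere in the visible config and defaults to enabled in the NixOS module; I'd confirm how the provisioner treats persons it did not create before relying on CLI-managed users surviving a rebuild, and either set it explicitly or note the outcome in the replacement comment.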