From 538c2ad097f428a866cbe996bf34381326441a7d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Torjus=20H=C3=A5kestad?=
Date: Sun, 8 Feb 2026 00:24:41 +0100
Subject: [PATCH] kanidm: fix secret file permissions for provisioning

Set owner/group to kanidm so the post-start provisioning script can read the idm_admin password.

Co-Authored-By: Claude Opus 4.5
---
 services/kanidm/default.nix | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/services/kanidm/default.nix b/services/kanidm/default.nix
index 8d15bd5..ad45c39 100644
--- a/services/kanidm/default.nix
+++ b/services/kanidm/default.nix
@@ -49,6 +49,8 @@
 secretPath = "kanidm/idm-admin-password";
 extractKey = "password";
 services = [ "kanidm" ];
+ owner = "kanidm";
+ group = "kanidm";
 };

 # Monitoring scrape target
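Review bot: The added `owner`/`group` lines hand the idm_admin password file to the kanidm account, but nothing in this hunk pins the file's permission bits, so whether the group (or anyone else) can read it depends on a default defined elsewhere. If the secrets module has a permission-mode setting, set it to owner-read-only here. If only the provisioning script's user needs the file, the `group = "kanidm";` line may be wider than necessary, since any other member of that group would gain read access when the mode allows it. A short comment above the two lines would record the reason, for example `# owned by kanidm so the post-start provisioning script can read the idm_admin password`. The enclosing attribute set starts above the hunk, so its other options are not visible here.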