torjus/nixos-servers
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity

kanidm: remove declarative user provisioning

Browse Source 
Keep base groups (admins, users, ssh-users) provisioned declaratively
but manage regular users via the kanidm CLI. This allows setting POSIX
attributes and passwords in a single workflow.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
Torjus Håkestad
2026-02-08 14:55:19 +01:00
parent 54b6e37420
commit b31c64f1b9
1 changed files with 4 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
services/kanidm/default.nix
View File

@@ -17,7 +17,8 @@
}; };
}; };
# Provisioning - initial users/groups # Provision base groups only - users are managed via CLI
# See docs/user-management.md for details
provision = { provision = {
enable = true; enable = true;
idmAdminPasswordFile = config.vault.secrets.kanidm-idm-admin.outputDir; idmAdminPasswordFile = config.vault.secrets.kanidm-idm-admin.outputDir;
@@ -28,10 +29,7 @@
ssh-users = { }; ssh-users = { };
}; };
persons.torjus = { # Regular users (persons) are managed imperatively via kanidm CLI
displayName = "Torjus";
groups = [ "admins" "users" "ssh-users" ];
};
}; };
}; };
@@ -46,7 +44,7 @@
extraDomainNames = [ "${config.networking.hostName}.home.2rjus.net" ]; extraDomainNames = [ "${config.networking.hostName}.home.2rjus.net" ];
}; };
# Vault secret for idm_admin password # Vault secret for idm_admin password (used for provisioning)
vault.secrets.kanidm-idm-admin = { vault.secrets.kanidm-idm-admin = {
secretPath = "kanidm/idm-admin-password"; secretPath = "kanidm/idm-admin-password";
extractKey = "password"; extractKey = "password";