From c091852d9ec80cde6e72639f11ff514ce767df06 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Torjus=20H=C3=A5kestad?=
Date: Mon, 9 Feb 2026 19:36:26 +0100
Subject: [PATCH] kanidm: allow imperative group membership management

---
 services/kanidm/default.nix | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/services/kanidm/default.nix b/services/kanidm/default.nix
index 744ed73..394bb63 100644
--- a/services/kanidm/default.nix
+++ b/services/kanidm/default.nix
@@ -24,9 +24,10 @@
 idmAdminPasswordFile = config.vault.secrets.kanidm-idm-admin.outputDir;
 groups = {
- admins = { };
- users = { };
- ssh-users = { };
+ # overwriteMembers = false allows imperative member management via CLI
+ admins = { overwriteMembers = false; };
+ users = { overwriteMembers = false; };
+ ssh-users = { overwriteMembers = false; };
 };
 # Regular users (persons) are managed imperatively via kanidm CLI
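Review bot: Setting `overwriteMembers = false` on `admins` and `ssh-users` means provisioning no longer reconciles those groups against the declared state, so a member added out of band (by mistake or through a compromised idm_admin credential) survives every rebuild and never appears in a config review. If only `users` needs imperative management, consider leaving the privileged groups declarative with an explicit `members` list; what these groups actually grant is not visible in this hunk, so confirm against the rest of the file. Otherwise extend the comment to record the trade-off, e.g. `# overwriteMembers = false: provisioning does NOT enforce membership; audit admins/ssh-users regularly via the kanidm CLI`. The enclosing provision block starts and ends outside the hunk.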