Commit Graph

4 Commits

Author SHA1 Message Date
71a41d83ef docs: switch to imperative user/group management
All checks were successful
Run nix flake check / flake-check (push) Successful in 2m0s
Replace declarative NixOS provisioning examples with full CLI workflows.
POSIX users and groups are now managed entirely via kanidm CLI, which
allows setting all attributes (including UNIX passwords) in one step.

Declarative provisioning may still be used for OIDC clients later.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-08 14:51:08 +01:00

dd9571d83a docs: add home directory and enabled hosts info
All checks were successful
Run nix flake check / flake-check (push) Successful in 2m0s
- Document UUID-based home directories with symlinks
- List currently enabled hosts (testvm01-03)
- Add cache-invalidate command to troubleshooting

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-08 14:45:37 +01:00

d6606d3f53 docs: update kanidm troubleshooting with nscd restart
Some checks failed
Run nix flake check / flake-check (push) Has been cancelled
Add troubleshooting tips discovered during testing:
- kanidm-unix status command for checking connectivity
- nscd restart required after config changes
- Direct PAM auth test with kanidm-unix auth-test

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-08 14:27:15 +01:00

bab59665fd system: fix kanidm PAM user mismatch
All checks were successful
Run nix flake check / flake-check (push) Successful in 2m1s
Configure uid_attr_map and gid_attr_map to use short names instead of
SPN format. This fixes SSH failing with "PAM user mismatch" because
getent returned "torjus@home.2rjus.net" instead of "torjus".

Also add user-management documentation.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-08 13:55:11 +01:00