Replace declarative NixOS provisioning examples with full CLI workflows.
POSIX users and groups are now managed entirely via kanidm CLI, which
allows setting all attributes (including UNIX passwords) in one step.
Declarative provisioning may still be used for OIDC clients later.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Document UUID-based home directories with symlinks
- List currently enabled hosts (testvm01-03)
- Add cache-invalidate command to troubleshooting
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add troubleshooting tips discovered during testing:
- kanidm-unix status command for checking connectivity
- nscd restart required after config changes
- Direct PAM auth test with kanidm-unix auth-test
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add homelab.kanidm.enable option for central authentication via Kanidm.
The module configures:
- PAM/NSS integration with kanidm-unixd
- Client connection to auth.home.2rjus.net
- Login authorization for ssh-users group
Enable on testvm01-03 for testing.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
