From dbad03a65449c798ac8bccaf806dbdef8a360689 Mon Sep 17 00:00:00 2001
From: Elizabeth
Date: Thu, 29 May 2025 13:32:08 -0700
Subject: ideas that aren't done yet
---
 setup_kanidm.sh | 56 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 56 insertions(+)
 create mode 100644 setup_kanidm.sh
(limited to 'setup_kanidm.sh')
diff --git a/setup_kanidm.sh b/setup_kanidm.sh
new file mode 100644
index 0000000..d6d50ab
--- /dev/null
+++ b/setup_kanidm.sh
@@ -0,0 +1,56 @@
+#!/bin/bash
+
+UNIXERS_GROUP = {{ unixers }}
+
+/etc/kanidm/config
+<<<
+uri = "https://{{ idm_domain }}"
+verify_ca = true
+verify_hostnames = true
+>>>
+
+/etc/kanidm/unixd
+<<<
+version = '2'
+
+default_shell = "/bin/zsh"
+
+home_attr = "uuid"
+home_alias = "name"
+home_prefix = "/home/"
+
+[kanidm]
+pam_allowed_login_groups = ["{{ unixers }}"]
+
+[[kanidm.map_group]]
+local = "admins"
+with = "coffee_admins"
+>>>
+
+/etc/sudo
+<<<
+%admins ALL=(ALL:ALL) ALL
+>>>
+
+systemctl enable --now kanidm-unixd
+systemctl enable --now kanidm-unixd-tasks
+
+add_line /etc/nsswitch.conf
+<<<
+passwd: kanidm files systemd
+group: kanidm [SUCCESS=merge] files systemd
+>>>
+
+add_line /etc/ssh/sshd_config.d/10-kanidm-keys.conf
+<<<
+PubkeyAuthentication yes
+UsePAM yes
+
+Match Group {{ unixers_group }}
+ AuthorizedKeysCommand /usr/sbin/kanidm_ssh_authorizedkeys %u
+ AuthorizedKeysCommandUser nobody
+>>>
+
+# PAM
+add_line /etc/pam.d/common-account
+<<<
-- 
cgit v1.2.3-70-g09d2
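Review bot: The sudo block writes its rule to `/etc/sudo`, which is not the sudoers policy file, so the rule would never take effect; it belongs in a drop-in such as `/etc/sudoers.d/kanidm-admins` (mode 0440) and should be checked with `visudo -cf` on that file before it is installed, because a malformed sudoers file locks out every administrator. Since `[[kanidm.map_group]]` maps the IDM group `coffee_admins` onto local `admins`, `%admins ALL=(ALL:ALL) ALL` gives unrestricted root to every member of that IDM group, and a comment on that line should say so. The login group is spelled three ways (`{{ unixers }}`, `UNIXERS_GROUP`, `{{ unixers_group }}`); if the last one is not defined in the template, the rendered `Match Group` line is malformed and sshd rejects the whole config, so validate with `sshd -t` before restarting it. The final `add_line /etc/pam.d/common-account` block has no body and no closing `>>>`, and `add_line` itself is not defined in this file, so the PAM step that the nsswitch change relies on is still unspecified.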