#!/bin/bash

UNIXERS_GROUP = {{ unixers }}

/etc/kanidm/config
<<<
uri = "https://{{ idm_domain }}"
verify_ca = true
verify_hostnames = true
>>>

/etc/kanidm/unixd
<<<
version = '2'

default_shell = "/bin/zsh"

home_attr = "uuid"
home_alias = "name"
home_prefix = "/home/"

[kanidm]
pam_allowed_login_groups = ["{{ unixers }}"]

[[kanidm.map_group]]
local = "admins"
with = "coffee_admins"
>>>

/etc/sudo
<<<
%admins ALL=(ALL:ALL) ALL
>>>

systemctl enable --now kanidm-unixd
systemctl enable --now kanidm-unixd-tasks

add_line /etc/nsswitch.conf
<<<
passwd: kanidm files systemd
group:  kanidm [SUCCESS=merge] files systemd
>>>

add_line /etc/ssh/sshd_config.d/10-kanidm-keys.conf
<<<
PubkeyAuthentication yes
UsePAM yes

Match Group {{ unixers_group }}
	AuthorizedKeysCommand /usr/sbin/kanidm_ssh_authorizedkeys %u
	AuthorizedKeysCommandUser nobody
>>>

# PAM
add_line /etc/pam.d/common-account
<<<