From 66cbd47d77fd9f7cccbe650a473c07ce20b04a00 Mon Sep 17 00:00:00 2001
From: nhnn
Date: Wed, 9 Jul 2025 15:11:04 +0300
Subject: [PATCH] fix: SECURITY: disable kanidm anonymous account

---
 auth/auth-module.nix | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/auth/auth-module.nix b/auth/auth-module.nix
index e85a768..ddb3c2b 100644
--- a/auth/auth-module.nix
+++ b/auth/auth-module.nix
@@ -81,6 +81,9 @@ let
 fi
 fi
+ # disable anonymous account because it allows to freely iterate over all users on kanidm instance.
+ $KANIDM service-account validity expire-at anonymous epoch
+
 # create a new token for kanidm
 if ! KANIDM_SERVICE_ACCOUNT_TOKEN_JSON="$($KANIDM service-account api-token generate --name idm_admin "${kanidmServiceAccountName}" "${kanidmServiceAccountTokenName}" ${lib.strings.optionalString isRW "--rw"} --output json)"
 then
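Review bot: The added `$KANIDM service-account validity expire-at anonymous epoch` call has its exit status ignored, so if the CLI fails (not logged in, network error, unsupported subcommand in the installed kanidm version) the script carries on with the anonymous account still enabled, which is fail-open for exactly the control this commit is meant to add. The token-generation call that follows is wrapped in `if ! …; then`, and the new line should follow the same pattern: `if ! $KANIDM service-account validity expire-at anonymous epoch; then`, `echo "failed to disable kanidm anonymous account" >&2; exit 1`, `fi`. Whether the embedded script runs under `set -e` is not visible in this hunk, so the explicit check is the safer assumption. The enclosing shell script and the surrounding Nix `let` binding start and end outside the hunk.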