fix: SECURITY: disable kanidm anonymous account

2025-07-09 15:11:04 +03:00
parent 71e4aa7960
commit 66cbd47d77
1 changed files with 3 additions and 0 deletions
--- a/auth/auth-module.nix
+++ b/auth/auth-module.nix
@@ -81,6 +81,9 @@ let
            fi
        fi

+        # disable anonymous account because it allows to freely iterate over all users on kanidm instance.
+        $KANIDM service-account validity expire-at anonymous epoch
+
        # create a new token for kanidm
        if ! KANIDM_SERVICE_ACCOUNT_TOKEN_JSON="$($KANIDM service-account api-token generate --name idm_admin "${kanidmServiceAccountName}" "${kanidmServiceAccountTokenName}" ${lib.strings.optionalString isRW "--rw"} --output json)"
        then