diff --git a/config-paths-needed.json b/config-paths-needed.json
index 8eab25f..6e7a735 100644
--- a/config-paths-needed.json
+++ b/config-paths-needed.json
@@ -11,6 +11,8 @@
 [ "services", "mastodon", "package" ],
 [ "services", "mastodon", "user" ],
 [ "services", "mastodon", "group" ],
+ [ "services", "mastodon", "database" ],
 [ "services", "postfix", "user" ],
- [ "services", "postfix", "group" ]
+ [ "services", "postfix", "group" ],
+ [ "services", "kanidm", "serverSettings", "origin" ]
 ]
diff --git a/give-roles.py b/give-roles.py
new file mode 100644
index 0000000..9ff1fb1
--- /dev/null
+++ b/give-roles.py
@@ -0,0 +1,62 @@
+import os
+import time
+import json
+import requests
+import psycopg2 as ps
+
+def read_file(path):
+ with open(path, "r", encoding="utf-8") as f:
+ return f.read()
+
+
+def getenv(name):
+ try:
+ return os.environ[name]
+ except KeyError:
+ print(f"Missing environment variable {name}. You should NOT run this script by hand, please use systemd mastodon-kanidm-sync.service.")
+ exit(1)
+
+
+KANIDM_URL = getenv("KANIDM_URL")
+KANIDM_TOKEN = read_file(getenv("KANIDM_TOKEN_PATH")).strip()
+# USERDATA = read_file(getenv("USERDATA_FILE_PATH")).strip()
+
+conn = ps.connect(
+ dbname=getenv("POSTGRES_DBNAME"),
+ user=getenv("POSTGRES_USER"),
+ host=getenv("POSTGRES_HOST")
+)
+
+cur = conn.cursor()
+cur.execute('''
+ SELECT identities.uid, users.id, user_roles.name
+ FROM users
+ JOIN identities
+ ON users.id = identities.id
+ LEFT JOIN user_roles
+ ON users.role_id = user_roles.id;
+ '''
+)
+
+state = cur.fetchall()
+print(state) # DEBUG
+print(type(state)) # DEBUG
+
+kanidm_users_raw = requests.get(
+ f"{KANIDM_URL}/v1/person",
+ headers={
+ "Authorization": f"Bearer {KANIDM_TOKEN}",
+ "Content-Type": "application/json",
+ },
+ timeout=5,
+).json()
+
+for i in kanidm_users_raw:
+ i = i["attrs"]
+ uid = i["name"]
+ # if uid in db_users:
+ # print(uid)
+ print(uid)
+
+cur.close()
+conn.close()
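Review bot: `KANIDM_TOKEN = read_file(getenv("KANIDM_TOKEN_PATH")).strip()` reads the service-account token straight from the configured path, while the unit in module.nix hands the same file to the service through `LoadCredential = [ "kanidm-token:${serviceAccountFP}" ]`; to get the benefit of that mechanism (the raw file then need not be readable by the `mastodon` user) the script should read `os.path.join(os.environ["CREDENTIALS_DIRECTORY"], "kanidm-token")` and the `KANIDM_TOKEN_PATH` environment entry can go. The two `print(state) # DEBUG` lines write every row of the users/identities/roles join to the journal and should be removed before this runs as a service. `requests.get(...).json()` is called without `raise_for_status()`, so a 401/403 body from Kanidm would be iterated as if it were a person list; bind the response and add `resp.raise_for_status()` before `.json()`. `time` and `json` are imported but unused, and `exit(1)` in `getenv` should be `sys.exit(1)` (the `exit` builtin is installed by the `site` module and is not guaranteed to exist).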
diff --git a/module.nix b/module.nix index 553185d..0f819ac 100644 --- a/module.nix +++ b/module.nix @@ -150,6 +150,41 @@ in }; }; + services.mastodon-kanidm-sync = { + after = [ + # "mastodon.service" # TODO: ?? + "postgres.service" + "kanidm.service" + ]; + requires = [ + "kanidm.service" + "postgres.service" + ]; + wantedBy = [ "multi-user.target" ]; + environment = let db = config.services.mastodon.database; + in { + KANIDM_URL = config.services.kanidm.serverSettings.origin; + KANIDM_TOKEN_PATH = serviceAccountFP; + POSTGRES_DBNAME = db.name; + POSTGRES_USER = db.user; + POSTGRES_HOST = db.host; + }; + serviceConfig = { + Slice = "mastodon.slice"; + User = "mastodon"; + Group = "mastodon"; + LoadCredential = [ "kanidm-token:${serviceAccountFP}" ]; + ExecStart = pkgs.writers.writePython3 "mas-kanidm-sync" { + doCheck = false; + libraries = with pkgs.python3Packages; [ + requests + psycopg + python-ulid + ]; + } (builtins.readFile ./mas-kanidm-sync.py); + }; + }; + services.mastodon-web = { unitConfig.RequiresMountsFor = lib.mkIf sp.useBinds "/volumes/${cfg.location}/mastodon"; serviceConfig = {
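Review bot: `ExecStart` reads `./mas-kanidm-sync.py`, but the script this commit adds is `give-roles.py`; unless a `mas-kanidm-sync.py` already exists in the repository, evaluation fails, and in any case the two names should agree. The `libraries` list provides `psycopg` (the psycopg 3 package in nixpkgs, imported as `psycopg`) whereas the script does `import psycopg2 as ps`, so the service would fail at import time; either list `psycopg2` here or port the script to psycopg 3. `after` and `requires` name `postgres.service`; if PostgreSQL comes from the NixOS `services.postgresql` module its unit is `postgresql.service`, and a `Requires=` on a unit that does not exist prevents this unit from starting. `python-ulid` is listed but nothing in the script imports it, and with no `Type = "oneshot"` the unit is treated as a long-running daemon that simply exits at boot.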