Users and identities

Users are declared once in etc/config.yaml, then attached to the hosts where they need to log in. The same account can exist on multiple machines.

Declaring a user

users:
  alice:
    uid: 1000
    name: "Alice Martin"
    email: "alice@domain.tld"
    profile: "advanced"
    groups: ["global", "idm-devs"]

Field	Role
(key)	Account login (e.g. `alice`)
`uid`	Stable numeric identifier
`name`	Display name
`email`	Address (also used for SSO identity)
`profile`	User profile (environment)
`groups`	Groups (network and service access)

Attaching to a host

Under a host, users lists the existing logins allowed to connect to it:

hosts:
  poste-alice:
    profile: "desktop"
    users: ["alice"]

Deploying changes

Any modification to etc/config.yaml follows the same cycle: describe, regenerate, commit to git, then deploy.

Describe the change

Create or modify the user and their workstations in etc/config.yaml.

Regenerate and clean code

just clean       # generate + fix + format

Commit to git
Fenêtre de terminal
```
just commit "user(new): alice"
```

Deploy

just apply poste-alice     # creates the account on the host

Setting the password

Set the hash
Fenêtre de terminal
```
just passwd alice
```
Commit to git
Fenêtre de terminal
```
just commit "user(passwd): alice"
```
Deploy
Fenêtre de terminal
```
just apply @user-alice
```

Identities and SSO

Beyond the system account, the user has a single identity (Kanidm) that provides access to network services.

groups control service access.
idm-admins / idm-devs are the administration and development groups.
For details: SSO and identities.

Disable an account

On one host: remove the login from the host’s users list.
Everywhere: remove the entry under users:.
Service access: removing the user from groups cuts SSO access.

In all cases, then apply the just clean → just commit → just apply cycle on the affected hosts.