
This is an old revision of the document!


Hacker-ID

Identity provider for all things Hackeriet

Hacker-ID is a member-initiated service to provide a simple-to-use and universal base for implementing SSO services at Hackeriet.

System setup

Rough notes for the moment:

  • Hosted on idp1.hackeriet.no
  • Authentication realm is idp.hackeriet.no
  • Public portal and API on https://idp.hackeriet.no
  • Internal services (SSH, LDAP, RADIUS etc.) will be exposed on int-idp.hackeriet.no
  • Located in /srv/kanidm
    • One docker compose stack with Traefik (for certificate issuance, as Let's Encrypt needs this in-line) and Kanidm
    • Communication between the two is encrypted using a self-signed certificate (Kanidm requires last-hop encryption)
  • Kanidm includes a built-in backup solution and replication
    • No mirroring of the backups has been configured yet
/srv/hackeriet-wiki/dokuwiki/data/attic/infra/services/hacker-id.1752445078.txt.gz · Last modified: by 404d