Rough notes for the moment:

• Hosted on idp1.hackeriet.no
• Authentication realm is idp.hackeriet.no
• Public portal and API on https://idp.hackeriet.no
• Internal services (SSH, LDAP, RADIUS etc.) will be exposed on int-idp.hackeriet.no
  • We won't be able to get LDAP certs for the right hostname on the internal interface… If this turns out to be a dealbreaker it might be better to solve this using NAT rather than moving the host entirely onto VLAN 130
• Located in /srv/kanidm
  • One docker compose stack with Traefik (for certificate issuance as LE needs this in-line) and Kanidm
  • Communication between the two are encrypted using a self-signed certificate (Kanidm requires last-hop encryption)
  • Created user and group “kanidm” in the host, which will represent the kanidm container's resources. Rights configured according to https://kanidm.github.io/kanidm/stable/security_hardening.html#security-hardening
• Kanidm includes built-in backup solution and replication
  • No mirroring of the backups has been configured yet