From c9bb61dcc02d78da7f6255654dcbd78b368a5062 Mon Sep 17 00:00:00 2001
From: Elizabeth Hunt <elizabeth.hunt@simponic.xyz>
Date: Sat, 23 Mar 2024 14:08:35 -0400
Subject: [PATCH] basic people playbook

---
 TODO.md                 |  1 -
 docs/PEOPLE_PLAYBOOK.md | 15 +++++++++++++++
 2 files changed, 15 insertions(+), 1 deletion(-)
 create mode 100644 docs/PEOPLE_PLAYBOOK.md

diff --git a/TODO.md b/TODO.md
index 83feb2d..906fc5b 100644
--- a/TODO.md
+++ b/TODO.md
@@ -1,3 +1,2 @@
 - [ ] nameservers for users
 - [ ] create dmarc.report, postmaster email users, give access to infra users
-- [ ] figure oute mailbox permissions, ensure users can't just set random senders and stuff, domain fixing
diff --git a/docs/PEOPLE_PLAYBOOK.md b/docs/PEOPLE_PLAYBOOK.md
new file mode 100644
index 0000000..958baf9
--- /dev/null
+++ b/docs/PEOPLE_PLAYBOOK.md
@@ -0,0 +1,15 @@
+obviously, don't let people have usernames that would conflict with anything internal (i.e. "email", "infra*", etc.) and are only alphanumeric
+
+```sh
+kanidm login --name idm_admin
+kanidm person create --name idm_admin <username> "<display name>"
+kanidm person credential create-reset-token <username> --name idm_admin
+
+# allow them to set a unix/ldap password
+kanidm person posix set --name idm_admin <username>
+kanidm person posix set --name idm_admin <username> --shell /bin/zsh
+
+# give them email access (need unix access)
+kanidm person update <username> --legalname "<display name>" --mail <username>@hatecomputers.club
+kanidm group add-members mail <username>
+```