WOW THIS IS BAD: https://kanidm.github.io/kanidm/stable/accounts/anonymous.html

```shell
kanidm service-account update --entry-managed-by idm_admins anonymous
kanidm service-account validity expire-at anonymous epoch
```

obviously, don't let people have usernames that would conflict with anything internal (e.g. "email", "infra*", etc.), and only allow alphanumeric usernames

```sh
# <username>, <display name> and <legal name> are placeholders to fill in
kanidm login --name idm_admin
kanidm person create --name idm_admin <username> "<display name>"
kanidm person credential create-reset-token --name idm_admin <username>

# allow them to set a unix/ldap password
kanidm person posix set --name idm_admin <username>
kanidm person posix set --name idm_admin <username> --shell /bin/zsh

# give them email access (need unix access)
kanidm person update <username> --legalname "<legal name>" --mail <username>@hatecomputers.club
kanidm group add-members mail <username>
```

groups you'll probably want to add people to:

+ gitea-access
+ mail
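
A pre-flight check for the username rule above, to run before `kanidm person create`. This is an added example, not part of these notes or of kanidm; `check_username` is a hypothetical helper, and every reserved pattern other than "email" and "infra*" is an assumed addition.

```shell
#!/bin/sh
# Added example: username pre-flight check (hypothetical helper, not kanidm).
# Byte-wise collation so that a-z below means ASCII letters only.
export LC_ALL=C

# "email" and "infra*" come from the note above; the remaining patterns are
# assumed additions. Entries are shell patterns, separated by spaces.
RESERVED='email infra* mail anonymous admin*'

# check_username NAME
# Prints a verdict and returns 0 if NAME is acceptable, 1 otherwise.
check_username() {
    # Compare case-insensitively so "Infra2" cannot slip past "infra*".
    lower=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')

    # Rule 1: non-empty, letters and digits only.
    case $lower in
        '' | *[!a-z0-9]*) echo "reject: not alphanumeric"; return 1 ;;
    esac

    # Rule 2: must not match any reserved pattern.
    set -f    # stop "infra*" from expanding against files in the cwd
    for pat in $RESERVED; do
        case $lower in
            # $pat is left unquoted so it is matched as a pattern
            $pat) set +f; echo "reject: reserved ($pat)"; return 1 ;;
        esac
    done
    set +f
    echo "ok"
}

# Constructed sample names showing each outcome.
for candidate in alice42 Infra2 email idm_admin; do
    printf '%s: %s\n' "$candidate" "$(check_username "$candidate" || true)"
done
```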