diff --git a/modules/nixos/kanidm/client.toml b/modules/nixos/kanidm/client.toml
new file mode 100644
index 0000000..1ea48a5
--- /dev/null
+++ b/modules/nixos/kanidm/client.toml
@@ -0,0 +1,2 @@
+uri = "https://idm.foxtrot.hare-cod.ts.net:8443"
+ca_path = "/tmp/cert.pem"
diff --git a/modules/nixos/kanidm/kanidm.db b/modules/nixos/kanidm/kanidm.db
new file mode 100644
index 0000000..2a0e7c7
Binary files /dev/null and b/modules/nixos/kanidm/kanidm.db differ
diff --git a/modules/nixos/kanidm/server.toml b/modules/nixos/kanidm/server.toml
new file mode 100644
index 0000000..3e35d9e
--- /dev/null
+++ b/modules/nixos/kanidm/server.toml
@@ -0,0 +1,10 @@
+bindaddress = "[::]:8443"
+db_path = "/home/daniel/code/nix/modules/nixos/kanidm/kanidm.db"
+tls_chain = "/tmp/cert.pem"
+tls_key = "/tmp/key.pem"
+domain = "idm.foxtrot.hare-cod.ts.net"
+origin = "https://idm.foxtrot.hare-cod.ts.net:8443"
+
+[online_backup]
+path = "/tmp/kanidm/backups/"
+schedule = "00 22 * * *"
diff --git a/nixos/beefcake.nix b/nixos/beefcake.nix
index 0583aea..0f520ed 100644
--- a/nixos/beefcake.nix
+++ b/nixos/beefcake.nix
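Review bot: `ca_path = "/tmp/cert.pem"` makes the client's TLS trust anchor a file in a world-writable, reboot-cleared directory, so whichever local user creates /tmp/cert.pem first decides which server this kanidm client trusts; `tls_chain`/`tls_key` in the server.toml hunk have the same weakness for the server's own key. If this file is a local-dev scratch config that the NixOS module never consumes, say so at the top, e.g. `# local dev only: cert/key are regenerated into /tmp per session`, or leave it out of the repo; otherwise point `ca_path` at a root-owned location. The `uri` here (`idm.foxtrot.hare-cod.ts.net:8443`) also differs from the `idm.h.lyte.dev` uri configured in beefcake.nix, which deserves a comment if both are intended.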
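Review bot: `db_path = "/home/daniel/code/nix/modules/nixos/kanidm/kanidm.db"` points inside this repository checkout, and the commit adds that `kanidm.db` as a binary blob. An identity server's database holds account material, so it should not be versioned: drop it from the commit, add `modules/nixos/kanidm/kanidm.db` to `.gitignore`, and if this history has already been pushed treat whatever credentials it contains as exposed and rotate them. `[online_backup] path = "/tmp/kanidm/backups/"` has the same problem in weaker form, since backups of that database would land in a shared, non-persistent directory.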
@@ -999,6 +999,38 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
 26966
 ];
 }
+ {
+ # kanidm
+ services.kanidm = {
+ enableClient = true;
+ enablePam = true;
+ enableServer = true;
+
+ serverSettings = {
+ bindaddress = "[::]:8443";
+ db_path = "/storage/kanidm/data/kanidm.db";
+ # TODO: these will need permissions?
+ tls_chain = "/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/idm.h.lyte.dev.crt";
+ tls_key = "/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/idm.h.lyte.dev.key";
+ domain = "idm.foxtrot.hare-cod.ts.net";
+ origin = "https://idm.h.lyte.dev:8443";
+
+ online_backup = {
+ path = "/storage/kanidm/backups/";
+ schedule = "00 22 * * *";
+ };
+ };
+
+ clientSettings = {
+ uri = "https://idm.h.lyte.dev";
+ # ca_path = "/tmp/cert.pem";
+ };
+ };
+
+ services.caddy.virtualHosts."idm.h.lyte.dev" = {
+ extraConfig = ''reverse_proxy :8443'';
+ };
+ }
 ];
 
 # TODO: non-root processes and services that access secrets need to be part of
diff --git a/nixos/router.nix b/nixos/router.nix
index 1931dad..f1c7cd1 100644
--- a/nixos/router.nix
+++ b/nixos/router.nix
@@ -46,6 +46,7 @@
 additionalHosts = [
 ".beefcake.lan"
 "nix.h.lyte.dev"
+ "idm.h.lyte.dev"
 "git.lyte.dev"
 "video.lyte.dev"
 "a.lyte.dev"
diff --git a/templates/rust/flake.nix b/templates/rust/flake.nix
index f7c6efa..d1b1f18 100644
--- a/templates/rust/flake.nix
+++ b/templates/rust/flake.nix
@@ -52,6 +52,8 @@
 src = ./.;
 hash = pkgs.lib.fakeHash;
 cargoHash = "sha256-W7VQlMktGsRPQL9VGVmxYV6C5u2eJ48S7eTpOM+3n8U=";
+
+ RUSTFLAGS = pkgs.lib.optionalString pkgs.stdenv.isLinux "-C link-arg=-fuse-ld=mold";
 };
 default = outputs.packages.${pkgs.system}.my-package;
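Review bot: `domain = "idm.foxtrot.hare-cod.ts.net"` and `origin = "https://idm.h.lyte.dev:8443"` in serverSettings disagree, and the client `uri = "https://idm.h.lyte.dev"` (reached through the Caddy vhost on 443) differs from that origin in port as well; as far as I recall kanidm requires the origin host to fall under `domain` and WebAuthn compares the browser's origin against this value exactly, so the likely intent is `domain = "idm.h.lyte.dev";` and `origin = "https://idm.h.lyte.dev";` with Caddy as the only external entry point. `extraConfig = ''reverse_proxy :8443''` forwards plain HTTP to a backend that this same block configures with `tls_chain`/`tls_key`, i.e. a TLS listener, so the upstream presumably needs an explicit scheme such as `reverse_proxy https://localhost:8443` (plus a transport block if the backend certificate does not cover the upstream name). On the `# TODO: these will need permissions?` lines, `tls_key` is Caddy's private key under Caddy's own state directory; reading it from another service means either widening that key's permissions, which is the wrong direction, or giving kanidm its own copy or a read-only bind of just those two files, and the choice should be written down next to the TODO. The list this item is appended to starts and ends outside the hunk.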