diff --git a/README.md b/README.md
index 8d2a595..2a4ea9e 100644
--- a/README.md
+++ b/README.md
@@ -131,6 +131,23 @@ openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \
+```nix
+{
+ services.kanidm.provision = {
+ persons.myuser = {
+ legalname = "Full Name";
+ mail = "mail@example.com";
+ groups = ["grafana-access" "grafana-server-admins"];
+ };
+
+ groups.grafana-access = {};
+ groups.grafana-server-admins = {};
+
+ systems.oauth2.grafana = {
+ };
+ };
+}
+```
diff --git a/modules/meta/kanidm.nix b/modules/meta/kanidm.nix
index 2cc1513..4adb7e8 100644
--- a/modules/meta/kanidm.nix
+++ b/modules/meta/kanidm.nix
@@ -18,9 +18,69 @@ ;
 in {
 options.services.kanidm.provision = {
- enable = mkEnableOption "provisioning of systems, groups and users";
+ enable = mkEnableOption "provisioning of systems (oauth2), groups and users";
- systems = {
+ persons = mkOption {
+ description = "Provisioning of kanidm persons";
+ default = {};
+ type = types.attrsOf (types.submodule (personSubmod: {
+ options = {
+ present = mkOption {
+ description = "Whether to ensure that this person is present or absent.";
+ type = types.bool;
+ default = true;
+ };
+ };
+ }));
+ };
+
+ groups = mkOption {
+ description = "Provisioning of kanidm groups";
+ default = {};
+ type = types.attrsOf (types.submodule (groupSubmod: {
+ options = {
+ present = mkOption {
+ description = "Whether to ensure that this group is present or absent.";
+ type = types.bool;
+ default = true;
+ };
+ };
+ }));
+ };
+
+ systems.oauth2 = mkOption {
+ description = "Provisioning of oauth2 systems";
+ default = {};
+ type = types.attrsOf (types.submodule (oauth2Submod: {
+ options = {
+ present = mkOption {
+ description = "Whether to ensure that this oauth2 system is present or absent.";
+ type = types.bool;
+ default = true;
+ };
+
+ url =
+ mkOption {
+ };
+
+ basicSecretFile = mkOption {
+ description = "The basic secret to use for this service. If null, the random secret generated by kanidm will not be touched. Do NOT use a path from the nix store here!";
+ type = types.nullOr types.path;
+ example = "/run/secrets/some-oauth2-basic-secret";
+ default = null;
+ };
+
+ scopeMap = mkOption {
+ type = types.listOf types.str;
+ default = [];
+ };
+
+ supScopeMaps = mkOption {
+ type = types.attrsOf types.str;
+ default = {};
+ };
+ };
+ }));
 };
 };
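Review bot: `url = mkOption { };` in the oauth2 submodule declares the option with neither `type` nor `description`, so any value is accepted unchecked and the option is absent from the generated module documentation; `scopeMap` and `supScopeMaps` in the same submodule also lack a `description`. Give it a concrete type and a sentence such as `type = types.str; description = "Origin URL of this oauth2 client.";` (presumably the client origin — confirm against how the provisioning script uses it), and add one-line descriptions to the two scope options. Separately, `basicSecretFile` is typed `types.nullOr types.path`, which accepts a Nix path literal that is then copied world-readable into the store — the very thing its description warns against; an `assertions` entry rejecting values with the `builtins.storeDir` prefix would enforce the warning rather than rely on the reader. The hunk's trailing context lines appear truncated, so the enclosing attribute set may continue past what is shown.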