diff --git a/hosts/ward/microvms/kanidm.nix b/hosts/ward/microvms/kanidm.nix
index 45e5d93..95fb030 100644
--- a/hosts/ward/microvms/kanidm.nix
+++ b/hosts/ward/microvms/kanidm.nix
@@ -24,6 +24,18 @@ in {
     group = "kanidm";
   };
 
+  age.secrets.kanidm-admin-password = {
+    generator.script = "alnum";
+    mode = "440";
+    group = "kanidm";
+  };
+
+  age.secrets.kanidm-idm-admin-password = {
+    generator.script = "alnum";
+    mode = "440";
+    group = "kanidm";
+  };
+
   age.secrets.kanidm-oauth2-grafana = {
     generator.script = "alnum";
     generator.tags = ["oauth2"];
@@ -89,6 +101,9 @@ in {
     provision = {
       enable = true;
 
+      adminPasswordFile = config.age.secrets.kanidm-admin-password.path;
+      idmAdminPasswordFile = config.age.secrets.kanidm-idm-admin-password.path;
+
       inherit (config.repo.secrets.global.kanidm) persons;
 
       # Grafana
@@ -118,8 +133,6 @@ in {
       scopeMaps.forgejo = ["openid" "email" "profile"];
       supplementaryScopeMaps = {
         "forgejo.admins" = ["admin"];
-        "forgejo.editors" = ["editor"];
-        "forgejo.server-admins" = ["server_admin"];
       };
     };
 
diff --git a/secrets/generated/ward-kanidm/kanidm-admin-password.age b/secrets/generated/ward-kanidm/kanidm-admin-password.age
new file mode 100644
index 0000000..db05e9e
--- /dev/null
+++ b/secrets/generated/ward-kanidm/kanidm-admin-password.age
@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> X25519 Pa1maG/sVPFgPgYoY9mYlSlgF+LpxMPtVBaZjspGnmI
+GjxSVHYk00fe4fAMRI3ExouOIxY8LhO47UdyaaJMRdY
+-> piv-p256 xqSe8Q AqZGyc/hxOLcXlvfnNv06XKQ7wr1VFek4m4gLRcvFovu
+Zbi7RmxtAAhScnDvvHIpGYK/L4NJiJtRL//sWexTxCI
+-> _l-grease WJ^vd2 SdlP# q:5_( L?
+HczWfqUi9D6ffAgaJk6M4xC3C6sxh7sl4KSdUNrAjwK+G7KIJ8us0q7QDzPZABYl
+vhq0nDCtc9ORwhD3wYChZYVN0tvIXDVB/93s9DKVnKfEsMaVtO8WFJSMtfCN1Q
+--- XCTs/Ut+/yqc8nt99hO6XgkAbhmG8Z2QRTr6qv3PTDg
+{ME~'-r~YQ~w8_P#!'T=prb>;Yg4! D!GO&aW
\ No newline at end of file
diff --git a/secrets/generated/ward-kanidm/kanidm-idm-admin-password.age b/secrets/generated/ward-kanidm/kanidm-idm-admin-password.age
new file mode 100644
index 0000000..c46977c
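Review bot: The two added `adminPasswordFile` / `idmAdminPasswordFile` lines in the `provision` hunk make the generated secrets the source of truth for the built-in `admin` and `idm_admin` accounts, and nothing in the hunk records that consequence. If this is the nixpkgs kanidm provisioning module, I believe it re-applies the password from the file on every service start, so a password changed by hand (for example through an account recovery) is silently reverted at the next restart — confirm against the option's description. A short comment above the two lines would save the next maintainer that surprise, e.g. `# admin/idm_admin passwords are managed declaratively from the generated secrets; a manual reset is overwritten on the next service start, rotate by regenerating the secret.` The referenced `kanidm-admin-password` and `kanidm-idm-admin-password` secrets are declared in the first hunk with the same group and mode as the existing oauth2 secret, which is consistent; the enclosing `provision = { … }` block continues past the end of the hunk.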
--- /dev/null
+++ b/secrets/generated/ward-kanidm/kanidm-idm-admin-password.age
@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> X25519 RY9Ye6G9jctqyZE1RprOtWUjyDr6tTNGmkr/Y/kB2lg
+SX5CaRve3o3dnqb8YhCYjZ2xLfoDHzmoItL8TS7D2c0
+-> piv-p256 xqSe8Q A5FvsOyQY1LMBQ2Zpvx3Ji1VdY1BjnzlBgVzW59J/cHQ
+Yjlk27rJdGRKu3gy9UUhX/cD4/3a2xzo1gVSXWOxq5Q
+-> ~qYtwg-grease yxf&b" ){+ 0=h&BHx
+M914CxJc1173PdoPCyfxO6WhskKW4NIZeqqwYUcVkqM4SUBIpX2E5A+wdMvYSM37
+Utlel4OCoAQ5/g
+--- 7j5sDr9MMiQhq/q9zhOjsI/ETsUlYOZF8LWgTU0gJZM
+YC!V0C!c Wc?hCFձsFtD=M1ЩRÄeR,}^+.3
\ No newline at end of file