diff --git a/hosts/kalessin/default.nix b/hosts/kalessin/default.nix
index a34cbd3..65a0ced 100644
--- a/hosts/kalessin/default.nix
+++ b/hosts/kalessin/default.nix
@@ -28,7 +28,6 @@ in
 
 randomcat.services.zfs.datasets = {
 "rpool_kalessin/state" = { mountpoint = "none"; };
- "rpool_kalessin/state/kanidm" = { mountpoint = "/var/lib/kanidm"; };
 };
 
 services.sanoid.datasets."rpool_kalessin/state" = {
@@ -37,10 +36,5 @@ in
 process_children_only = true;
 };
 
- fountain.services.kanidm = {
- enable = true;
- domain = "auth.unspecified.systems";
- };
-
 system.stateVersion = "23.11";
 }
diff --git a/services/default.nix b/services/default.nix
index f60119c..9a3f8cb 100644
--- a/services/default.nix
+++ b/services/default.nix
@@ -5,7 +5,6 @@
 ./distributed-builds.nix
 ./forgejo.nix
 ./jellyfin.nix
- ./kanidm.nix
 ./navidrome.nix
 ./remote-builder.nix
 ./web-redirect.nix
diff --git a/services/kanidm.nix b/services/kanidm.nix
deleted file mode 100644
index 6bb891c..0000000
--- a/services/kanidm.nix
+++ /dev/null
@@ -1,59 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-let
- inherit (lib) mkIf mkOption mkEnableOption types;
- cfg = config.fountain.services.kanidm;
-in
-{
- options.fountain.services.kanidm = {
- enable = mkEnableOption "Kanidm";
- domain = mkOption {
- type = types.str;
- };
- };
-
- config = mkIf cfg.enable {
- services = {
- nginx = {
- enable = true;
- virtualHosts = {
- ${cfg.domain} = {
- forceSSL = true;
- useACMEHost = cfg.domain;
- locations."/".proxyPass = "https://[::1]:8443/";
- };
- };
- };
-
- kanidm = {
- enableClient = true; # needed for admin configuration
- enableServer = true;
- package = pkgs.kanidm_1_5;
- serverSettings = {
- bindaddress = "[::1]:8443";
- ldapbindaddress = "[::1]:636";
- origin = "https://${cfg.domain}";
- domain = cfg.domain;
- tls_chain = "${config.security.acme.certs.${cfg.domain}.directory}/fullchain.pem";
- tls_key = "${config.security.acme.certs.${cfg.domain}.directory}/key.pem";
- online_backup.versions = 7;
- trust_x_forward_for = true;
- };
- clientSettings.uri = config.services.kanidm.serverSettings.origin; # doesn't like connecting through localhost - wants hostname to match
- };
- };
-
- security.acme.certs.${cfg.domain} = {
- webroot = "/var/lib/acme/acme-challenge";
- group = "acme_${cfg.domain}";
- reloadServices = [ "kanidm.service" ];
- };
-
- users.groups."acme_${cfg.domain}".members = [
- "kanidm"
- config.services.nginx.user
- ];
-
- networking.firewall.allowedTCPPorts = [ 80 443 636 ];
- };
-}