diff --git a/deploy.yml b/deploy.yml
index 08da3a6..e0f422d 100644
--- a/deploy.yml
+++ b/deploy.yml
@@ -110,3 +110,19 @@
     - name: autoupgrade
       ansible.builtin.include_role:
         name: anyops_autoupgrade
+
+    # kanidm
+    - name: Add kanidm GPG apt key
+      ansible.builtin.get_url:
+        url: https://kanidm.github.io/kanidm_ppa/kanidm_ppa.asc
+        dest: /etc/apt/keyrings/kanidm_ppa.asc
+    - name: Add kanidm repo
+      apt_repository:
+        repo: "deb [signed-by=/etc/apt/keyrings/kanidm_ppa.asc] https://kanidm.github.io/kanidm_ppa {{ ansible_distribution_release }} stable"
+        state: present
+
+    - name: install kanidm
+      apt:
+        name:
+          - kanidm
+          - kanidm-unixd