diff --git a/system/kanidm-client.nix b/system/kanidm-client.nix
index c5921de..bdb92e2 100644
--- a/system/kanidm-client.nix
+++ b/system/kanidm-client.nix
@@ -29,10 +29,16 @@ in
 };
 unixSettings = {
- pam_allowed_login_groups = cfg.allowedLoginGroups;
+ version = "2";
 # Use short names (e.g., "torjus") instead of SPN (e.g., "torjus@home.2rjus.net")
 uid_attr_map = "name";
 gid_attr_map = "name";
+ # Required by NixOS module (will be in TOML but kanidm section is what matters)
+ pam_allowed_login_groups = cfg.allowedLoginGroups;
+ # Kanidm provider section (this is what unixd actually reads)
+ kanidm = {
+ pam_allowed_login_groups = cfg.allowedLoginGroups;
+ };
 };
 };
 };
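Review bot: `pam_allowed_login_groups` is the PAM login allow-list, and the new code writes it twice, at the top level of `unixSettings` and inside `kanidm`, with only the second copy enforced according to the added comments. Both read `cfg.allowedLoginGroups` today, so they agree, but the top-level key now looks like an access control while having no effect, and a later edit to it alone would silently change nothing. I would say so on the top-level line, e.g. `# not enforced with version = "2"; present only because the NixOS module option requires it; change cfg.allowedLoginGroups instead`. Which section unixd reads cannot be confirmed from this hunk, so it is worth inspecting the rendered unixd TOML and checking that an account outside the allowed groups is refused at login after the switch. The enclosing attribute set starts before the hunk.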