From 64dc10c6cdc0ca31818ca319c85cc8e3ba1b1f9a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Torjus=20H=C3=A5kestad?=
Date: Sun, 8 Feb 2026 14:00:55 +0100
Subject: [PATCH] system: fix kanidm unixd config structure for v1.8

Kanidm 1.8 requires:
- version = "2" at top level
- pam_allowed_login_groups inside [kanidm] section

The NixOS module also requires pam_allowed_login_groups at top level, so we provide it at both places.

Co-Authored-By: Claude Opus 4.5
---
 system/kanidm-client.nix | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/system/kanidm-client.nix b/system/kanidm-client.nix
index c5921de..bdb92e2 100644
--- a/system/kanidm-client.nix
+++ b/system/kanidm-client.nix
@@ -29,10 +29,16 @@ in
 };
 unixSettings = {
- pam_allowed_login_groups = cfg.allowedLoginGroups;
+ version = "2";
 # Use short names (e.g., "torjus") instead of SPN (e.g., "torjus@home.2rjus.net")
 uid_attr_map = "name";
 gid_attr_map = "name";
+ # Required by NixOS module (will be in TOML but kanidm section is what matters)
+ pam_allowed_login_groups = cfg.allowedLoginGroups;
+ # Kanidm provider section (this is what unixd actually reads)
+ kanidm = {
+ pam_allowed_login_groups = cfg.allowedLoginGroups;
+ };
 };
 };
 };
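Review bot: The PAM login allow-list is now written twice in `unixSettings`, and the comments say only the copy inside `kanidm = { … }` is enforced, so a later cleanup could drop or edit the effective copy while the inert top-level one still looks correct. I would make the comment on the provider section say that outright, e.g. `# Effective login allow-list for unixd >= 1.8; must stay identical to the top-level copy, which only satisfies the NixOS module`. Separately, `version = "2"` is set unconditionally, and whether every host importing this module runs a kanidm package at 1.8 or later is not visible here (the enclosing attrset and any package option start outside the hunk), so a short `# requires kanidm >= 1.8` comment or an assertion on the package version would make the dependency explicit. Because this setting gates who may log in, it is worth confirming on one host that the rendered unixd config has the list under `[kanidm]` and that an account outside `cfg.allowedLoginGroups` is refused.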