system: fix kanidm unixd config structure for v1.8

Kanidm 1.8 requires:
- version = "2" at top level
- pam_allowed_login_groups inside [kanidm] section

The NixOS module also requires pam_allowed_login_groups at top level,
so we provide it at both places.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

system/kanidm-client.nix

@@ -29,10 +29,16 @@ in
       };
 
       unixSettings = {
-        pam_allowed_login_groups = cfg.allowedLoginGroups;
+        version = "2";
         # Use short names (e.g., "torjus") instead of SPN (e.g., "torjus@home.2rjus.net")
         uid_attr_map = "name";
         gid_attr_map = "name";
+        # Required by NixOS module (will be in TOML but kanidm section is what matters)
+        pam_allowed_login_groups = cfg.allowedLoginGroups;
+        # Kanidm provider section (this is what unixd actually reads)
+        kanidm = {
+          pam_allowed_login_groups = cfg.allowedLoginGroups;
+        };
       };
     };
   };