diff --git a/authentik-container.nix b/authentik-container.nix
index e2e18f1..c9a4215 100644
--- a/authentik-container.nix
+++ b/authentik-container.nix
@@ -104,22 +104,26 @@ in {
       };
     };
 
-    users.users = {
-      authentik = {
-        isSystemUser = true;
-        group = "authentik";
-        uid = cfg.uids.authentik;
-      };
-      authentik-postgres = {
-        isSystemUser = true;
-        group = "authentik";
-        uid = cfg.uids.postgres;
-      };
-      authentik-redis = {
-        isSystemUser = true;
-        group = "authentik";
-        uid = cfg.uids.redis;
+    users = {
+      users = {
+        authentik = {
+          isSystemUser = true;
+          group = "authentik";
+          uid = cfg.uids.authentik;
+        };
+        authentik-postgres = {
+          isSystemUser = true;
+          group = "authentik";
+          uid = cfg.uids.postgres;
+        };
+        authentik-redis = {
+          isSystemUser = true;
+          group = "authentik";
+          uid = cfg.uids.redis;
+        };
       };
+      groups.authentik.members =
+        [ "authentik" "authentik-postgres" "authentik-redis" ];
     };
 
     fudo.secrets.host-secrets."${hostname}" = {