diff --git a/cluster/services/idm/default.nix b/cluster/services/idm/default.nix
index f57e284..e9c111d 100644
--- a/cluster/services/idm/default.nix
+++ b/cluster/services/idm/default.nix
@@ -11,6 +11,7 @@
     nodes = {
       server = [ "VEGAS" ];
       client = [ "checkmate" "VEGAS" "prophet" "soda" "thunderskin" ];
+      client-soda = [ "soda" ];
     };
     nixos = {
       server = ./server.nix;
@@ -18,6 +19,9 @@
         ./client.nix
         ./policies/infra-admins.nix
       ];
+      client-soda = [
+        ./policies/soda.nix
+      ];
     };
   };
 }
diff --git a/cluster/services/idm/policies/soda.nix b/cluster/services/idm/policies/soda.nix
new file mode 100644
index 0000000..2b6f2e9
--- /dev/null
+++ b/cluster/services/idm/policies/soda.nix
@@ -0,0 +1,8 @@
+{
+  services.kanidm.unixSettings = {
+    pam_allowed_login_groups = [
+      "soda"
+      "soda-admins"
+    ];
+  };
+}