Apply pam_loginuid before pam_systemd

As recommended by the pam_systemd manpage.

nixos/modules/security/pam.nix

@@ -187,6 +187,8 @@ let
 
           # Session management.
           session required pam_unix.so
+          ${optionalString cfg.setLoginUid
+              "session required pam_loginuid.so"}
           ${optionalString cfg.updateWtmp
               "session required ${pkgs.pam}/lib/security/pam_lastlog.so silent"}
           ${optionalString config.users.ldap.enable
@@ -197,8 +199,6 @@ let
               "session optional ${pkgs.otpw}/lib/security/pam_otpw.so"}
           ${optionalString cfg.startSession
               "session optional ${pkgs.systemd}/lib/security/pam_systemd.so"}
-          ${optionalString cfg.setLoginUid
-              "session required pam_loginuid.so"}
           ${optionalString cfg.forwardXAuth
               "session optional pam_xauth.so xauthpath=${pkgs.xorg.xauth}/bin/xauth systemuser=99"}
           ${optionalString (cfg.limits != [])