diff --git a/flakes/de_plasma/de_plasma.nix b/flakes/de_plasma/de_plasma.nix
index 63b4bf0c..f5874a63 100644
--- a/flakes/de_plasma/de_plasma.nix
+++ b/flakes/de_plasma/de_plasma.nix
@@ -169,6 +169,11 @@ in
         };
       };
 
+      # `keyd` drops privileges via `setgid(2)`, but the upstream unit
+      # uses `RestrictSUIDSGID=yes`, which blocks that and causes:
+      # "setgid: Operation not permitted".
+      systemd.services.keyd.serviceConfig.RestrictSUIDSGID = mkIf (!cfg.disableKeyd) false;
+
       # Home Manager modules (plasma-manager + our HM layer)
       home-manager.sharedModules = [
         plasma-manager.homeModules.plasma-manager