diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix
index fb42bba9d01c9..abc632c1c07dd 100644
--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@@ -2311,11 +2311,28 @@ in
 environment.etc = lib.mapAttrs' makePAMService enabledServices;
- systemd = lib.optionalAttrs config.security.pam.services.login.updateWtmp {
- tmpfiles.packages = [ pkgs.util-linux.lastlog ]; # /lib/tmpfiles.d/lastlog2-tmpfiles.conf
- services.lastlog2-import.enable = true;
- packages = [ pkgs.util-linux.lastlog ]; # lib/systemd/system/lastlog2-import.service
- };
+ systemd =
+ lib.optionalAttrs
+ (lib.any (service: service.updateWtmp) (lib.attrValues config.security.pam.services))
+ {
+ tmpfiles.packages = [ pkgs.util-linux.lastlog ]; # /lib/tmpfiles.d/lastlog2-tmpfiles.conf
+ services.lastlog2-import = {
+ enable = true;
+ wantedBy = [ "default.target" ];
+ after = [
+ "local-fs.target"
+ "systemd-tmpfiles-setup.service"
+ ];
+ # TODO: ${pkgs.util-linux.lastlog}/lib/systemd/system/lastlog2-import.service
+ # uses unpatched /usr/bin/mv, needs to be fixed on staging
+ # in the meantime, use a service drop-in here
+ serviceConfig.ExecStartPost = [
+ ""
+ "${lib.getExe' pkgs.coreutils "mv"} /var/log/lastlog /var/log/lastlog.migrated"
+ ];
+ };
+ packages = [ pkgs.util-linux.lastlog ]; # lib/systemd/system/lastlog2-import.service
+ };
 security.pam.services = {
 other.text = ''
diff --git a/nixos/tests/pam/pam-lastlog.nix b/nixos/tests/pam/pam-lastlog.nix
index 837c84e1e601a..cefc8a3d4e450 100644
--- a/nixos/tests/pam/pam-lastlog.nix
+++ b/nixos/tests/pam/pam-lastlog.nix
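Review bot: In pam.nix the new predicate walks every entry of `config.security.pam.services`, while the context line just above builds the /etc/pam.d files from `enabledServices` only, so a service that sets `updateWtmp` but is not enabled would presumably still pull in the lastlog2-import unit and its tmpfiles rules. If `enabledServices` is the filtered attribute set it appears to be (its definition is outside the hunk), the condition could read `(lib.any (service: service.updateWtmp) (lib.attrValues enabledServices))`. The drop-in also clears `ExecStartPost` and restates the rename of `/var/log/lastlog`; a comment naming the exact packaged line it replaces would make it easier to notice when the upstream unit changes and the override should be removed. The enclosing `config` block starts and ends outside the hunk.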
@@ -13,9 +13,18 @@
 };
 testScript = ''
- machine.wait_for_unit("multi-user.target")
- machine.succeed("run0 --pty true") # perform full login
- print(machine.succeed("lastlog2 --active --user root"))
- machine.succeed("stat /var/lib/lastlog/lastlog2.db")
+ with subtest("Test legacy lastlog import"):
+ # create old lastlog file to test import
+ # empty = nothing will actually be imported, but the service will run
+ machine.succeed("touch /var/log/lastlog")
+ machine.wait_for_unit("lastlog2-import.service")
+ machine.succeed("journalctl -b --grep 'Starting Import lastlog data into lastlog2 database'")
+ machine.succeed("stat /var/log/lastlog.migrated")
+
+ with subtest("Test lastlog entries are created by logins"):
+ machine.wait_for_unit("multi-user.target")
+ machine.succeed("run0 --pty true") # perform full login
+ print(machine.succeed("lastlog2 --active --user root"))
+ machine.succeed("stat /var/lib/lastlog/lastlog2.db")
 '';
 }
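Review bot: The import subtest creates `/var/log/lastlog` from the test driver while the VM is already booting and then waits for `lastlog2-import.service`, so it appears to depend on the `touch` landing before systemd starts that unit. If the packaged unit is gated on the file existing (its conditions are not visible in this diff), a slower shell would leave the unit skipped and the wait would fail intermittently. A comment stating the assumption would help, for example `# must run before lastlog2-import.service is started during boot`, or the test could start the unit explicitly after the `touch`. Because the file is empty, as the existing comment says, this subtest checks only that the unit ran and renamed the file, not that legacy records reach the lastlog2 database. The enclosing test definition begins outside the hunk.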