diff --git a/configuration/default.nix b/configuration/default.nix
index 2231af5..3c572e0 100644
--- a/configuration/default.nix
+++ b/configuration/default.nix
@@ -13,7 +13,7 @@
     "${modulesPath}/profiles/minimal.nix"
     (import ../modules)
 
-    ./services/authelia.nix
+    ./services/auth
     ./services/backups.nix
     ./services/battery-manager.nix
     ./services/conduit
diff --git a/configuration/services/authelia.nix b/configuration/services/auth/authelia.nix
similarity index 52%
rename from configuration/services/authelia.nix
rename to configuration/services/auth/authelia.nix
index e47f101..e9043c0 100644
--- a/configuration/services/authelia.nix
+++ b/configuration/services/auth/authelia.nix
@@ -1,26 +1,29 @@
 { config, ... }:
 {
+  systemd.services.authelia-tlaternet.after = [ config.systemd.services.lldap-provisioning.name ];
+
   services = {
     authelia.instances.tlaternet = {
       enable = true;
 
-      environmentVariables = {
-        AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE =
-          config.sops.secrets."authelia/lldap-password".path;
-        AUTHELIA_NOTIFIER_SMTP_SENDER_FILE = config.sops.secrets."authelia/ntfy-topic".path;
-      };
+      environmentVariables.AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE =
+        config.sops.secrets."authelia/lldap-password".path;
 
       settings = {
-        authentication_backend.ldap = {
-          # TODO(tlater): Enable when authelia has a webhook notifier:
-          # https://github.com/authelia/authelia/issues/7695
-          password_reset.disable = true;
-          refresh_interval = "1m";
-          address = "ldap://${config.services.lldap.settings.ldap_host}:${toString config.services.lldap.settings.ldap_port}";
-          implementation = "lldap";
-          base_dn = config.services.lldap.settings.ldap_base_dn;
-          user = "cn=authelia,ou=people,${config.services.lldap.settings.ldap_base_dn}";
-        };
+        authentication_backend.ldap =
+          let
+            cfglldap = config.services.lldap.settings;
+          in
+          {
+            # TODO(tlater): Enable when authelia has a webhook notifier:
+            # https://github.com/authelia/authelia/issues/7695
+            password_reset.disable = true;
+            refresh_interval = "1m";
+            address = "ldap://${cfglldap.ldap_host}:${toString cfglldap.ldap_port}";
+            implementation = "lldap";
+            base_dn = cfglldap.ldap_base_dn;
+            user = "cn=authelia,ou=people,${cfglldap.ldap_base_dn}";
+          };
 
         password_policy.zxcvbn.enabled = true;
 
@@ -86,38 +89,5 @@
       enable = true;
       user = config.services.authelia.instances.tlaternet.user;
     };
-
-    lldap = {
-      enable = true;
-      settings = {
-        ldap_base_dn = "dc=tlater,dc=net";
-        database_url = "postgres://lldap:@localhost/lldap?host=/var/run/postgresql";
-        ldap_host = "127.0.0.1";
-
-        http_host = "127.0.0.1";
-        http_url = "https://lldap.${config.services.nginx.domain}";
-
-        force_ldap_user_pass_reset = "always";
-
-        smtp_options.enable_password_reset = false;
-
-        environment = {
-          LLDAP_JWT_SECRET_FILE = config.sops.secrets."authelia/jwt-secret".path;
-          LLDAP_LDAP_USER_PASS_FILE = config.sops.secrets."lldap/admin-password".path;
-          LLDAP_KEY_SEED_FILE = config.sops.secrets."lldap/key".path;
-        };
-      };
-    };
-
-    nginx.virtualHosts = {
-      "lldap.${config.services.nginx.domain}" = {
-        useACMEHost = "tlater.net";
-        forceSSL = true;
-        enableHSTS = true;
-
-        locations."/".proxyPass =
-          "http://${config.services.lldap.settings.http_host}:${toString config.services.lldap.settings.http_port}";
-      };
-    };
   };
 }
diff --git a/configuration/services/auth/default.nix b/configuration/services/auth/default.nix
new file mode 100644
index 0000000..bbfa1b6
--- /dev/null
+++ b/configuration/services/auth/default.nix
@@ -0,0 +1,6 @@
+{
+  imports = [
+    ./authelia.nix
+    ./lldap.nix
+  ];
+}
diff --git a/configuration/services/auth/lldap-provisioning.nu b/configuration/services/auth/lldap-provisioning.nu
new file mode 100644
index 0000000..a2f93f0
--- /dev/null
+++ b/configuration/services/auth/lldap-provisioning.nu
@@ -0,0 +1,44 @@
+#!/usr/bin/env nushell
+
+let groups = [{
+
+}]
+
+let users = [
+
+]
+
+let settings = open $env.LLDAP_CONFIG
+let url = (
+  'http://' |
+  $in + ($settings | get http_host | default '127.0.0.1') |
+  $in + ':' |
+  $in + ($settings | get http_port | default '17170' | into string))
+let user = $settings | get ldap_user_dn | default admin
+let pass = open $env.LLDAP_LDAP_USER_PASS_FILE
+
+let token = { username: $user, password: $pass } | to json | http post $'($url)/auth/simple/login' | get token
+
+def query [operation: string, query: string, variables: list<string>] {
+  let body = {
+    query: $query,
+    operationName: $operation,
+    variables: $variables
+  }
+
+  let res = $body | to json | http post --headers [Authorization $'Bearer ($token)'] $'($url)/api/graphql'
+
+  if ("errors" in $res) {
+    let msg = "GraphQL query to LLDAP failed:\n" + ($res.errors | each {|e| $'- ($e)' | str join (char newline)})
+
+    error make {
+      msg: $msg,
+      label: {
+          text: "Query defined here",
+          span: (metadata $query).span
+      }
+    }
+  } else {
+    $res.data
+  }
+}
diff --git a/configuration/services/auth/lldap.nix b/configuration/services/auth/lldap.nix
new file mode 100644
index 0000000..250a395
--- /dev/null
+++ b/configuration/services/auth/lldap.nix
@@ -0,0 +1,64 @@
+{
+  lib,
+  pkgs,
+  config,
+  ...
+}:
+{
+  services = {
+    lldap = {
+      enable = true;
+      settings = {
+        ldap_base_dn = "dc=tlater,dc=net";
+        database_url = "postgres://lldap:@localhost/lldap?host=/var/run/postgresql";
+        ldap_host = "127.0.0.1";
+
+        http_host = "127.0.0.1";
+        http_url = "https://lldap.${config.services.nginx.domain}";
+
+        force_ldap_user_pass_reset = "always";
+
+        smtp_options.enable_password_reset = false;
+
+        environment = {
+          LLDAP_JWT_SECRET_FILE = config.sops.secrets."authelia/jwt-secret".path;
+          LLDAP_LDAP_USER_PASS_FILE = config.sops.secrets."lldap/admin-password".path;
+          LLDAP_KEY_SEED_FILE = config.sops.secrets."lldap/key".path;
+        };
+      };
+    };
+
+    nginx.virtualHosts = {
+      "lldap.${config.services.nginx.domain}" = {
+        useACMEHost = "tlater.net";
+        forceSSL = true;
+        enableHSTS = true;
+
+        locations."/".proxyPass =
+          "http://${config.services.lldap.settings.http_host}:${toString config.services.lldap.settings.http_port}";
+      };
+    };
+  };
+
+  systemd.services.lldap.after = [ config.systemd.services.postgresql.name ];
+
+  systemd.services.lldap-provisioning = {
+    requisite = [ config.systemd.services.lldap.name ];
+    wantedBy = [ config.systemd.services.lldap.name ];
+    after = [ config.systemd.services.lldap.name ];
+
+    path = [
+      pkgs.nushell
+      pkgs.lldap-cli
+    ];
+
+    script = "exec nu ${./lldap-provisioning.nu}";
+
+    environment = {
+      LLDAP_LDAP_USER_PASS_FILE = config.sops.secrets."lldap/admin-password".path;
+      # LLDAP_CONFIG = ((pkgs.formats.toml { }).generate config.services.lldap.settings).outPath;
+    };
+
+    serviceConfig.Type = "oneshot";
+  };
+}
diff --git a/keys/staging.yaml b/keys/staging.yaml
index 94692c6..8ba5f45 100644
--- a/keys/staging.yaml
+++ b/keys/staging.yaml
@@ -2,6 +2,7 @@ authelia:
     storage-encryption-key: ENC[AES256_GCM,data:iMV4DGwvOOq+DZao+Jrc3i15HOPFXHv3m6dzrAb7n8zV8bdLz5c4MCpq61hQy/UfoXsRYJUxwCcj3B70JQn2Ngq6P9ik9U1ZfYrwUWIENSd/iG8CBfdasKqxEijS2F23Lj1rbB4ppTWD9lWqRoKOEaXDL9Rqn02tiLbR3OewOpwiwbzv0PkVlC6yUV+yS3Jx,iv:1V2cwoV4kG3i9e9dv7PWPCNoFPIgYiZ2m3A8Agf3Jpc=,tag:AiFLpQ7nqwx9xZ71sbCn2g==,type:str]
     jwt-secret: ENC[AES256_GCM,data:QA64lfervZk=,iv:MtyCZrbGzX+oKTBPW9R+n/r8TaFkK0xSwjn/qUT6ntQ=,tag:z/XnDGiLDkJ0xPVveeR2cA==,type:str]
     session-secret: ENC[AES256_GCM,data:lYk4FOO4sQM=,iv:z05n1zPt1ONNqN6sgITUTu+GSe6xev4cYm8c4xzp/Mg=,tag:TRQAbxjvaoo/tnLxO43KKg==,type:str]
+    lldap-password: ENC[AES256_GCM,data:cafjSRCUXAg=,iv:vZM/6efEhWjjTKNnDuS+Kj2i/eOkn20vT2JmtcHGcSU=,tag:P1GscnNwMoWCMMDbMVMPqA==,type:str]
 porkbun:
     api-key: ENC[AES256_GCM,data:A5J1sqwq6hs=,iv:77Mar3IX7mq7z7x6s9sSeGNVYc1Wv78HptJElEC7z3Q=,tag:eM/EF9TxKu+zcbJ1SYXiuA==,type:str]
     secret-api-key: ENC[AES256_GCM,data:8Xv+jWYaWMI=,iv:li4tdY0pch5lksftMmfMVS729caAwfaacoztaQ49az0=,tag:KhfElBGzVH4ByFPfuQsdhw==,type:str]
@@ -39,8 +40,8 @@ turn:
     #ENC[AES256_GCM,data:bxhKzU5Tzezl749CDu8e8kxa7ahGuZFaPa9K3kxuD+4sg5Hi3apgDlC0n8oK0DeiK4Ks7+9Cyw==,iv:T/zVJUpNAv1rR0a9+6SDTG08ws2A1hFBs5Ia3TpT0uk=,tag:uGXb1VryM+lIJ8r0I5durA==,type:comment]
     ssl-cert: ENC[AES256_GCM,data:xHUr14CjKslgbGh/n5jYSOuCw9JRxS6YXE4fxS+aJzFcNeSeGNqoipPeuJupZGBnQP/FCqohiHY=,iv:/OEsVqRshGL9NIvntMC42EPZSNL0u6EfhtUBqgV7qog=,tag:4pxtNjuvy/ibm6nDtKdSkw==,type:str]
 sops:
-    lastmodified: "2025-05-25T18:42:33Z"
-    mac: ENC[AES256_GCM,data:psytbF+v/+B+lYWXmXqVlF3FZRwQISiuvcCqM6A4n87JcLIMP1YrRkyhmrxA3AAb829KUEXLc8fe58cRyO7f4VKYKR00hnI3ttrM3MuptfTD/7LmrIqsOSvqigoPoGG7AG+0UrFxYfB/0lFs3QEQQAWOdr4++DkmJEFJvk39bZ0=,iv:uE4cFjDsXJUkiyZSqyeAxrnD/NYBvo2vB1E6ea47fXk=,tag:XgazpbcPHlLhG1ZTWuprxA==,type:str]
+    lastmodified: "2025-05-26T19:48:08Z"
+    mac: ENC[AES256_GCM,data:dIuIJlkz6yUKt1MrOgwQTYm8DzwldN4o2E0B89p8c0WeCxgHwWVMtIHt8QsrIet9X7aHDx97/S67XzYEGSXI/9Btc+GCEFNcoVsgZzXy+d7r3io2gQxNrQ6yJwJvStW+ZeWPujg5nJ6NNfhcweLFdquwNwNJ4DC1sGvCl5/m/QY=,iv:n5f8urvZVLfIp46nysSJh3ngx+H8qxLuycmDZVYDOCk=,tag:5ccJtPdIRZmFXDVO1V6y3w==,type:str]
     pgp:
         - created_at: "2025-01-21T17:55:30Z"
           enc: |-