diff --git a/configuration/default.nix b/configuration/default.nix
index 3c572e0..2231af5 100644
--- a/configuration/default.nix
+++ b/configuration/default.nix
@@ -13,7 +13,7 @@
     "${modulesPath}/profiles/minimal.nix"
     (import ../modules)
 
-    ./services/auth
+    ./services/authelia.nix
     ./services/backups.nix
     ./services/battery-manager.nix
     ./services/conduit
diff --git a/configuration/services/auth/default.nix b/configuration/services/auth/default.nix
deleted file mode 100644
index bbfa1b6..0000000
--- a/configuration/services/auth/default.nix
+++ /dev/null
@@ -1,6 +0,0 @@
-{
-  imports = [
-    ./authelia.nix
-    ./lldap.nix
-  ];
-}
diff --git a/configuration/services/auth/lldap-provisioning.nu b/configuration/services/auth/lldap-provisioning.nu
deleted file mode 100644
index a2f93f0..0000000
--- a/configuration/services/auth/lldap-provisioning.nu
+++ /dev/null
@@ -1,44 +0,0 @@
-#!/usr/bin/env nushell
-
-let groups = [{
-
-}]
-
-let users = [
-
-]
-
-let settings = open $env.LLDAP_CONFIG
-let url = (
-  'http://' |
-  $in + ($settings | get http_host | default '127.0.0.1') |
-  $in + ':' |
-  $in + ($settings | get http_port | default '17170' | into string))
-let user = $settings | get ldap_user_dn | default admin
-let pass = open $env.LLDAP_LDAP_USER_PASS_FILE
-
-let token = { username: $user, password: $pass } | to json | http post $'($url)/auth/simple/login' | get token
-
-def query [operation: string, query: string, variables: list<string>] {
-  let body = {
-    query: $query,
-    operationName: $operation,
-    variables: $variables
-  }
-
-  let res = $body | to json | http post --headers [Authorization $'Bearer ($token)'] $'($url)/api/graphql'
-
-  if ("errors" in $res) {
-    let msg = "GraphQL query to LLDAP failed:\n" + ($res.errors | each {|e| $'- ($e)' | str join (char newline)})
-
-    error make {
-      msg: $msg,
-      label: {
-          text: "Query defined here",
-          span: (metadata $query).span
-      }
-    }
-  } else {
-    $res.data
-  }
-}
diff --git a/configuration/services/auth/lldap.nix b/configuration/services/auth/lldap.nix
deleted file mode 100644
index 250a395..0000000
--- a/configuration/services/auth/lldap.nix
+++ /dev/null
@@ -1,64 +0,0 @@
-{
-  lib,
-  pkgs,
-  config,
-  ...
-}:
-{
-  services = {
-    lldap = {
-      enable = true;
-      settings = {
-        ldap_base_dn = "dc=tlater,dc=net";
-        database_url = "postgres://lldap:@localhost/lldap?host=/var/run/postgresql";
-        ldap_host = "127.0.0.1";
-
-        http_host = "127.0.0.1";
-        http_url = "https://lldap.${config.services.nginx.domain}";
-
-        force_ldap_user_pass_reset = "always";
-
-        smtp_options.enable_password_reset = false;
-
-        environment = {
-          LLDAP_JWT_SECRET_FILE = config.sops.secrets."authelia/jwt-secret".path;
-          LLDAP_LDAP_USER_PASS_FILE = config.sops.secrets."lldap/admin-password".path;
-          LLDAP_KEY_SEED_FILE = config.sops.secrets."lldap/key".path;
-        };
-      };
-    };
-
-    nginx.virtualHosts = {
-      "lldap.${config.services.nginx.domain}" = {
-        useACMEHost = "tlater.net";
-        forceSSL = true;
-        enableHSTS = true;
-
-        locations."/".proxyPass =
-          "http://${config.services.lldap.settings.http_host}:${toString config.services.lldap.settings.http_port}";
-      };
-    };
-  };
-
-  systemd.services.lldap.after = [ config.systemd.services.postgresql.name ];
-
-  systemd.services.lldap-provisioning = {
-    requisite = [ config.systemd.services.lldap.name ];
-    wantedBy = [ config.systemd.services.lldap.name ];
-    after = [ config.systemd.services.lldap.name ];
-
-    path = [
-      pkgs.nushell
-      pkgs.lldap-cli
-    ];
-
-    script = "exec nu ${./lldap-provisioning.nu}";
-
-    environment = {
-      LLDAP_LDAP_USER_PASS_FILE = config.sops.secrets."lldap/admin-password".path;
-      # LLDAP_CONFIG = ((pkgs.formats.toml { }).generate config.services.lldap.settings).outPath;
-    };
-
-    serviceConfig.Type = "oneshot";
-  };
-}
diff --git a/configuration/services/auth/authelia.nix b/configuration/services/authelia.nix
similarity index 52%
rename from configuration/services/auth/authelia.nix
rename to configuration/services/authelia.nix
index e9043c0..e47f101 100644
--- a/configuration/services/auth/authelia.nix
+++ b/configuration/services/authelia.nix
@@ -1,29 +1,26 @@
 { config, ... }:
 {
-  systemd.services.authelia-tlaternet.after = [ config.systemd.services.lldap-provisioning.name ];
-
   services = {
     authelia.instances.tlaternet = {
       enable = true;
 
-      environmentVariables.AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE =
-        config.sops.secrets."authelia/lldap-password".path;
+      environmentVariables = {
+        AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE =
+          config.sops.secrets."authelia/lldap-password".path;
+        AUTHELIA_NOTIFIER_SMTP_SENDER_FILE = config.sops.secrets."authelia/ntfy-topic".path;
+      };
 
       settings = {
-        authentication_backend.ldap =
-          let
-            cfglldap = config.services.lldap.settings;
-          in
-          {
-            # TODO(tlater): Enable when authelia has a webhook notifier:
-            # https://github.com/authelia/authelia/issues/7695
-            password_reset.disable = true;
-            refresh_interval = "1m";
-            address = "ldap://${cfglldap.ldap_host}:${toString cfglldap.ldap_port}";
-            implementation = "lldap";
-            base_dn = cfglldap.ldap_base_dn;
-            user = "cn=authelia,ou=people,${cfglldap.ldap_base_dn}";
-          };
+        authentication_backend.ldap = {
+          # TODO(tlater): Enable when authelia has a webhook notifier:
+          # https://github.com/authelia/authelia/issues/7695
+          password_reset.disable = true;
+          refresh_interval = "1m";
+          address = "ldap://${config.services.lldap.settings.ldap_host}:${toString config.services.lldap.settings.ldap_port}";
+          implementation = "lldap";
+          base_dn = config.services.lldap.settings.ldap_base_dn;
+          user = "cn=authelia,ou=people,${config.services.lldap.settings.ldap_base_dn}";
+        };
 
         password_policy.zxcvbn.enabled = true;
 
@@ -89,5 +86,38 @@
       enable = true;
       user = config.services.authelia.instances.tlaternet.user;
     };
+
+    lldap = {
+      enable = true;
+      settings = {
+        ldap_base_dn = "dc=tlater,dc=net";
+        database_url = "postgres://lldap:@localhost/lldap?host=/var/run/postgresql";
+        ldap_host = "127.0.0.1";
+
+        http_host = "127.0.0.1";
+        http_url = "https://lldap.${config.services.nginx.domain}";
+
+        force_ldap_user_pass_reset = "always";
+
+        smtp_options.enable_password_reset = false;
+
+        environment = {
+          LLDAP_JWT_SECRET_FILE = config.sops.secrets."authelia/jwt-secret".path;
+          LLDAP_LDAP_USER_PASS_FILE = config.sops.secrets."lldap/admin-password".path;
+          LLDAP_KEY_SEED_FILE = config.sops.secrets."lldap/key".path;
+        };
+      };
+    };
+
+    nginx.virtualHosts = {
+      "lldap.${config.services.nginx.domain}" = {
+        useACMEHost = "tlater.net";
+        forceSSL = true;
+        enableHSTS = true;
+
+        locations."/".proxyPass =
+          "http://${config.services.lldap.settings.http_host}:${toString config.services.lldap.settings.http_port}";
+      };
+    };
   };
 }
diff --git a/keys/staging.yaml b/keys/staging.yaml
index 8ba5f45..94692c6 100644
--- a/keys/staging.yaml
+++ b/keys/staging.yaml
@@ -2,7 +2,6 @@ authelia:
     storage-encryption-key: ENC[AES256_GCM,data:iMV4DGwvOOq+DZao+Jrc3i15HOPFXHv3m6dzrAb7n8zV8bdLz5c4MCpq61hQy/UfoXsRYJUxwCcj3B70JQn2Ngq6P9ik9U1ZfYrwUWIENSd/iG8CBfdasKqxEijS2F23Lj1rbB4ppTWD9lWqRoKOEaXDL9Rqn02tiLbR3OewOpwiwbzv0PkVlC6yUV+yS3Jx,iv:1V2cwoV4kG3i9e9dv7PWPCNoFPIgYiZ2m3A8Agf3Jpc=,tag:AiFLpQ7nqwx9xZ71sbCn2g==,type:str]
     jwt-secret: ENC[AES256_GCM,data:QA64lfervZk=,iv:MtyCZrbGzX+oKTBPW9R+n/r8TaFkK0xSwjn/qUT6ntQ=,tag:z/XnDGiLDkJ0xPVveeR2cA==,type:str]
     session-secret: ENC[AES256_GCM,data:lYk4FOO4sQM=,iv:z05n1zPt1ONNqN6sgITUTu+GSe6xev4cYm8c4xzp/Mg=,tag:TRQAbxjvaoo/tnLxO43KKg==,type:str]
-    lldap-password: ENC[AES256_GCM,data:cafjSRCUXAg=,iv:vZM/6efEhWjjTKNnDuS+Kj2i/eOkn20vT2JmtcHGcSU=,tag:P1GscnNwMoWCMMDbMVMPqA==,type:str]
 porkbun:
     api-key: ENC[AES256_GCM,data:A5J1sqwq6hs=,iv:77Mar3IX7mq7z7x6s9sSeGNVYc1Wv78HptJElEC7z3Q=,tag:eM/EF9TxKu+zcbJ1SYXiuA==,type:str]
     secret-api-key: ENC[AES256_GCM,data:8Xv+jWYaWMI=,iv:li4tdY0pch5lksftMmfMVS729caAwfaacoztaQ49az0=,tag:KhfElBGzVH4ByFPfuQsdhw==,type:str]
@@ -40,8 +39,8 @@ turn:
     #ENC[AES256_GCM,data:bxhKzU5Tzezl749CDu8e8kxa7ahGuZFaPa9K3kxuD+4sg5Hi3apgDlC0n8oK0DeiK4Ks7+9Cyw==,iv:T/zVJUpNAv1rR0a9+6SDTG08ws2A1hFBs5Ia3TpT0uk=,tag:uGXb1VryM+lIJ8r0I5durA==,type:comment]
     ssl-cert: ENC[AES256_GCM,data:xHUr14CjKslgbGh/n5jYSOuCw9JRxS6YXE4fxS+aJzFcNeSeGNqoipPeuJupZGBnQP/FCqohiHY=,iv:/OEsVqRshGL9NIvntMC42EPZSNL0u6EfhtUBqgV7qog=,tag:4pxtNjuvy/ibm6nDtKdSkw==,type:str]
 sops:
-    lastmodified: "2025-05-26T19:48:08Z"
-    mac: ENC[AES256_GCM,data:dIuIJlkz6yUKt1MrOgwQTYm8DzwldN4o2E0B89p8c0WeCxgHwWVMtIHt8QsrIet9X7aHDx97/S67XzYEGSXI/9Btc+GCEFNcoVsgZzXy+d7r3io2gQxNrQ6yJwJvStW+ZeWPujg5nJ6NNfhcweLFdquwNwNJ4DC1sGvCl5/m/QY=,iv:n5f8urvZVLfIp46nysSJh3ngx+H8qxLuycmDZVYDOCk=,tag:5ccJtPdIRZmFXDVO1V6y3w==,type:str]
+    lastmodified: "2025-05-25T18:42:33Z"
+    mac: ENC[AES256_GCM,data:psytbF+v/+B+lYWXmXqVlF3FZRwQISiuvcCqM6A4n87JcLIMP1YrRkyhmrxA3AAb829KUEXLc8fe58cRyO7f4VKYKR00hnI3ttrM3MuptfTD/7LmrIqsOSvqigoPoGG7AG+0UrFxYfB/0lFs3QEQQAWOdr4++DkmJEFJvk39bZ0=,iv:uE4cFjDsXJUkiyZSqyeAxrnD/NYBvo2vB1E6ea47fXk=,tag:XgazpbcPHlLhG1ZTWuprxA==,type:str]
     pgp:
         - created_at: "2025-01-21T17:55:30Z"
           enc: |-