diff --git a/.sops.yaml b/.sops.yaml
index bccc2bd..7ef9c1a 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -26,6 +26,12 @@ creation_rules: - *mail-01 pgp: - *lander + - path_regex: hosts/hosting-01/secrets.yam?l$ + key_groups: + - age: + - *hosting-01 + pgp: + - *lander - path_regex: hosts/mail-01/secrets.yam?l$ key_groups: - age:
diff --git a/hosts/hosting-01/auth/default.nix b/hosts/hosting-01/auth/default.nix
new file mode 100644
index 0000000..fb3cf91
--- /dev/null
+++ b/hosts/hosting-01/auth/default.nix
@@ -0,0 +1,6 @@
+{ ... }:
+{
+ imports = [
+ ./lldap.nix
+ ];
+}
diff --git a/hosts/hosting-01/auth/lldap.nix b/hosts/hosting-01/auth/lldap.nix
new file mode 100644
index 0000000..40cbc57
--- /dev/null
+++ b/hosts/hosting-01/auth/lldap.nix
@@ -0,0 +1,49 @@
+{ config, ... }:
+{
+ services = {
+ lldap = {
+ enable = true;
+ settings = {
+ ldap_base_dn = "dc=escapeangle,dc=com";
+ ldap_user_email = "lander@escapeangle.com";
+ database_url = "postgresql://lldap@db-01.tailnet.escapeangle.com/lldap";
+ };
+ environment = {
+ LLDAP_JWT_SECRET_FILE = config.sops.secrets."lldap/jwt_secret".path;
+ LLDAP_KEY_SEED_FILE = config.sops.secrets."lldap/key_seed".path;
+ LLDAP_USER_PASS_FILE = config.sops.secrets."lldap/admin_password".path;
+ };
+ };
+ };
+
+ services.nginx.virtualHosts."users.escapeangle.com" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://localhost:${toString config.services.lldap.settings.http_port}";
+ };
+ };
+
+ users = {
+ users.lldap = {
+ group = "lldap";
+ isSystemUser = true;
+ };
+ groups.lldap = { };
+ };
+
+ sops.secrets = {
+ "lldap/jwt_secret" = {
+ owner = "lldap";
+ sopsFile = ../secrets.yaml;
+ };
+ "lldap/key_seed" = {
+ owner = "lldap";
+ sopsFile = ../secrets.yaml;
+ };
+ "lldap/admin_password" = {
+ owner = "lldap";
+ sopsFile = ../secrets.yaml;
+ };
+ };
+}
diff --git a/hosts/hosting-01/default.nix b/hosts/hosting-01/default.nix
index 7674dc2..93e63ea 100644
--- a/hosts/hosting-01/default.nix
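Review bot: The new `path_regex` `hosts/hosting-01/secrets.yam?l$` matches `secrets.yaml` (and `secrets.yal`) but not `secrets.yml`, and its unescaped `.` matches any character; if the `?` was meant to accept both extensions the rule should read `- path_regex: hosts/hosting-01/secrets\.ya?ml$`. The existing `mail-01` rule in the trailing context uses the same pattern, so this is a copied convention rather than new behaviour, but this commit is the moment to correct both. The `*hosting-01` alias has to be declared among the `keys:` anchors above this hunk, which are outside the view, and sops creation_rules are first-match, so the rule's position relative to any broader pattern above it matters.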
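Review bot: `settings` never pins `http_host` or `ldap_host`, so if the NixOS module keeps lldap's own listen defaults the plaintext web UI on `http_port` and the LDAP listener bind every interface and are reachable directly on whatever the host firewall permits, alongside the `forceSSL` vhost below. Since nginx proxies to `localhost`, add `http_host = "127.0.0.1";` next to `ldap_base_dn`, and set `ldap_host` to the address the LDAP consumers actually connect through (verify against the firewall rules, which are outside this hunk). The `proxyPass` line also reads `config.services.lldap.settings.http_port` without this file setting it, so it relies on the module declaring a default; confirm that, or set `http_port` explicitly beside `http_host`. A one-line comment on `users.users.lldap` would also help, e.g. `# static user (presumably) so the sops secrets below can be owned by "lldap" — confirm against the module's service user`.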
+++ b/hosts/hosting-01/default.nix
@@ -26,6 +26,8 @@ in inputs.headplane.nixosModules.headplane ../common/servers + + ./auth ]; time.timeZone = "Europe/Berlin";
diff --git a/hosts/hosting-01/secrets.yaml b/hosts/hosting-01/secrets.yaml
new file mode 100644
index 0000000..416b9da
--- /dev/null
+++ b/hosts/hosting-01/secrets.yaml
@@ -0,0 +1,31 @@
+lldap:
+ jwt_secret: ENC[AES256_GCM,data:9h7XljbIrLxK3ekcAP8dZTAwlx8u/2eLqdfRHhHn+Lwj/sav3QNmqgfee9pyHhaoLvgZKWwKr7I+ijLZtOpIgQ==,iv:+VZUqDTy9EOm65ATJ6fPGeyA6aR043VmvXTzVmeMH+o=,tag:8nyYCrwoZADmt05EgldymA==,type:str]
+ key_seed: ENC[AES256_GCM,data:gt3jgAk4upREudd1HYXCSsqg6E3Vuq0WbiDSTjYZF+QJXa7cdq0Ke8XrjJVCAokbp7ZZsf1MMo/wEkr47HXggg==,iv:7xrMZrWNpsAtBoOx4p3RjaEJru9jXrdXkR/Z8rA4vwI=,tag:oLbli5vAw8X00eiD87sSCA==,type:str]
+ admin_password: ENC[AES256_GCM,data:RBibqepGrtX8hKVzdcAtTbsVZg==,iv:RLu3JkhtmCfXVwZA8EX/dVgqqu7hWURIWNSywlW/8ew=,tag:jQXYo2a+Idh1AIfr1687gg==,type:str]
+sops:
+ age:
+ - recipient: age18g4z53ykxzq35dsjq3a2np4f88xwat0kwtax229l3zn0ykhlpvqqy8fgtv
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFcjltUDdJL2lrMEZvRk5Q
+ TFErTFYrYTlvbTc3OHd0SWZEQTNuQzFIZ2dJClNhcWRmWkh4MXlaeklJdEh0K3lp
+ MG9hMHU1OWcybUhKM1QrclBBeGpOaWcKLS0tIEZMYVNKN1ZxQmxHcFRUQ1BVUUtq
+ NW9CUkJQbis1NmpyU0xrb3J4UVNKTDgKsPFnlQBa8LGm6s8uZsUXq9RIt4WzzROc
+ mz9dEVq/R54xvjMRltgzZyu54BWWOQYgkZUEhOnDoqwVnA7XwGGYtA==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2025-07-06T18:36:06Z"
+ mac: ENC[AES256_GCM,data:WoRdw4Vv8aHFz3dlyu28e/KSu+bKCKiNRV2JYLGZDxgl/fV0CLunhY3/jc+zddAJOd8Q8pO750mvAmgQ6wzTd90N8hQg4kP5Uqjajoi4iUTbWiPr6CGWwhqcl6HZ1M4Ei35MyQ/NXOECk4Ma9mMG9TyDxkd2jEQwpL2Wpus3uBg=,iv:N5UYoT1Zqznwgyrf3L4YESnX7/iLAXDuBW6+k39VHMc=,tag:nlBlAnoU3fFTU4Nf0njpLA==,type:str]
+ pgp:
+ - created_at: "2025-07-06T18:28:35Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hF4DARdpY4woM6wSAQdAzqZHVo7/A+jPwSx63zOXGJ9tCF7qYDvu/Eg7HxCxhFYw
+ P277CjIB3imnRHCms18b+ze9Bv3A2wNdBGlbqhG/Z1R10NPx3nJydnYCUdZtbKFk
+ 0lwBTahORz3Ha2RqKTiuUGhncNtz+4U5i08sbLCzp/1Vc32RAwEGtfbMFosS4Uf2
+ qCFsnEICj2MuXgBtub5Mw2zpDIFkjaIRGLPohiJy+Yrp9J14hWuZmC79lwGRgQ==
+ =umk4
+ -----END PGP MESSAGE-----
+ fp: 4BE1257015580BAB9F4B9D5FCA5B1C34E649BF92
+ unencrypted_suffix: _unencrypted
+ version: 3.10.2