diff --git a/.sops.yaml b/.sops.yaml
index fd76726..66644ad 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,38 +1,17 @@
-# SOPS configuration for StuRa HTW Dresden infrastructure
-#
-# This file defines which keys can decrypt which secrets.
-# Add GPG public keys (.asc files) or age keys to keys/hosts/ and keys/users/
-# to grant decryption access to hosts and users respectively.
-
 keys:
-  # Admin/user keys - add GPG public keys here
-  # Example:
-  # - &user_admin_key age1... or pgp fingerprint
+  - &goeranh age1qp7w80k3qtj79xsl0gwsfrkm037xrlnhm6th7tcyrvufh3szzp6s2pe7ra
+  - &mail age156ak7kc79tuwpv0hk9atl5dg27jqs6ddfqxvr9m4twqgsr23lgvsdmyfpr
+  - &auth age1njnkkr489hfmpn337zna2k3z66y9086t7cpcmz2vn68p4x43aujs6wh0g5
 
-  # Host keys - add host-specific keys here
-  # Example:
-  # - &host_proxy_key age1... or pgp fingerprint
-  # - &host_git_key age1... or pgp fingerprint
 
-# Define which keys can access which files
 creation_rules:
-  # Default rule: all secrets can be decrypted by admin keys
-  - path_regex: secrets/.*\.yaml$
-    # key_groups:
-    # - pgp:
-    #   - *user_admin_key
-    # - age:
-    #   - *user_admin_key
-
-  # Host-specific secrets (example)
-  # - path_regex: secrets/proxy/.*\.yaml$
-  #   key_groups:
-  #   - pgp:
-  #     - *user_admin_key
-  #     - *host_proxy_key
-
-  # - path_regex: secrets/git/.*\.yaml$
-  #   key_groups:
-  #   - pgp:
-  #     - *user_admin_key
-  #     - *host_git_key
+  - path_regex: hosts/mail/secrets.sops.yml$
+    key_groups:
+    - age:
+      - *mail
+      - *goeranh
+  - path_regex: hosts/auth/secrets.sops.yml$
+    key_groups:
+    - age:
+      - *auth
+      - *goeranh
diff --git a/flake.nix b/flake.nix
index 2d1426d..53bdc81 100644
--- a/flake.nix
+++ b/flake.nix
@@ -196,6 +196,7 @@
                 disko.nixosModules.disko
                 authentik.nixosModules.default
                 mailserver.nixosModules.mailserver
+                sops.nixosModules.default
                 {
                   _module.args = { inherit self modulesPath; };
                 }
diff --git a/hosts/auth/default.nix b/hosts/auth/default.nix
index 3df3a1d..0d135dc 100644
--- a/hosts/auth/default.nix
+++ b/hosts/auth/default.nix
@@ -6,6 +6,13 @@
   ...
 }:
 {
+  sops = {
+    defaultSopsFile = ./secrets.sops.yml;
+    secrets = {
+      "auth/env-file".owner = "authentik";
+      "auth/ldap-env-file".owner = "authentik";
+    };
+  };
   imports = [
     "${modulesPath}/virtualisation/proxmox-lxc.nix"
     ./authentik.nix
diff --git a/hosts/auth/secrets.sops.yml b/hosts/auth/secrets.sops.yml
new file mode 100644
index 0000000..45c456a
--- /dev/null
+++ b/hosts/auth/secrets.sops.yml
@@ -0,0 +1,27 @@
+auth:
+    env-file: ENC[AES256_GCM,data:WDJ3daYCxybublm8VWO8W5HHmYYWKOcw81f+fQ0Vz78EOvbYI+SgEwnuAd/0/eeGkTPEJPSCfbymArs+YRTdibgO5y/34jdN0DOVQetZLPXrDbcZ/Sg=,iv:bykKdvkgmxwgptkGHKH4rnFknPA0PTrW+mEqIzIYERk=,tag:8UKhLz/VoPiXckcIEBfrLg==,type:str]
+    ldap-env-file: ENC[AES256_GCM,data:CpgiiUin3hj8+aykcSU2rasaCFt/CAC5lK3Ek7zxzw6hYCkhwxIc9a4Xfy9SxSQtASJ5dOOrOaa8gA1ahf4Z1g/1981fhxlQPeJd9PlJFgdL4CP5P6ZrPBKZKgygnreUo6HC7Rfc9x2CRmnDhQvMVUmQL9akZRNYasX+9IlRyKmLSFmi35IuryFhVLwfjfECmq51/Xo2WYzjWrayfFuOpS0jHWicQxXvXq6QcLvqmbk5euXiHDkFXOXcwMRr6mAompDAKa9BKXqcRDbxOWqzJ1gflEJvOJi249PeYFo+poTK1CUtBCTejFo=,iv:P1xN6wq5oeba1LSEn6UiArOka37alV/PhI5kOmpfDG0=,tag:Xisd5elHQ8mhvE6YEbCuLg==,type:str]
+sops:
+    age:
+        - recipient: age1njnkkr489hfmpn337zna2k3z66y9086t7cpcmz2vn68p4x43aujs6wh0g5
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHRmV2dGt1UXZ3M2RKd24y
+            V0x4MzZyYUh0aDVwQ1NmOCtyOHR6Z1c0R1ZNCi80Nk9PZFVTcVFIQjlZVXJNeXBN
+            TC9td05ZeWVVTCtFSWhqazN6bFF3akkKLS0tIEV3YzdRUDA5Q2dBd2JWUWNqOTU4
+            SnZtdVd4Q3lCaStJTnV4U2cvZUZEMlkK85XYSh6VbDFPKPIhKBKtkErGtgsHjXxy
+            kq14EXwfZnnBlR76JMQgPvSLrDLdj+4tDIVcuE4JplCoSvbGKckGww==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1qp7w80k3qtj79xsl0gwsfrkm037xrlnhm6th7tcyrvufh3szzp6s2pe7ra
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkQm5nUHkzZExKOXNzNjk4
+            Y1JURVJwNXhFUGZJak8vbEtCNnE2dHFuNVVNClJHQ3E2RGJkbUtlMDNwcy9Ib01Q
+            dG9nRTVJejkySTdlb2IrbHF4Z3ZMTmcKLS0tIHUwNndGdW9EaWwyNmRUb2NQU2Vs
+            MC9VSmVqVlVHRlJ4NXozUkQ4ZDVEVlkKbfVoBNsral3n7rG7ujUgdQXF68EVB+4G
+            MKMuOiY05QGBViLYyKh1jioHv6nds1hCuc2vpLNB3J0KT3I2q/a0VQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-03-21T16:42:34Z"
+    mac: ENC[AES256_GCM,data:i9hTUqbrmc2mD8PAbCe2gWern4ArMIkTQWN7eaJcsjZ9m6LZjOQFpnrpgPg6fj3hazgnFn86veNvQGe/J50NLnwj2FCyF3jKG3xkc7rKa9fyD0Yz0XnpbNKtDb2YGxwyBmLsnnyl6sdpyvPipZYCfwM+bhB8OERIXVXKwbZOn1A=,iv:dKI/NsMcVBNBOw0kYEQqrgfdvLKDg4NM/yRBYDqXIxU=,tag:xkg0z7IUy2m4ivosB925vQ==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.12.1
diff --git a/hosts/mail/default.nix b/hosts/mail/default.nix
index fa90494..6d3c388 100644
--- a/hosts/mail/default.nix
+++ b/hosts/mail/default.nix
@@ -25,6 +25,12 @@ let
 
 in
 {
+  sops = {
+    defaultSopsFile = ./secrets.sops.yml;
+    secrets = {
+      "ldap_passwd".owner = "dovecot2";
+    };
+  };
   imports = [
     "${modulesPath}/virtualisation/proxmox-lxc.nix"
   ];
diff --git a/hosts/mail/secrets.sops.yml b/hosts/mail/secrets.sops.yml
new file mode 100644
index 0000000..8a51068
--- /dev/null
+++ b/hosts/mail/secrets.sops.yml
@@ -0,0 +1,25 @@
+ldap_passwd: ENC[AES256_GCM,data:wAtRF+7QNgkHAKoQVYZeepshAo/dHuGBC3L15svZ5NVpqaTAtWKIVz/tT/SkjxjC2OXTkzUxin4JMGS6,iv:RELJtuCRLPyqzxUqN2KYTI5/P4fiQALRVtr+xZmKUOY=,tag:2ZS1jmAxw3dohAC6zJLUCQ==,type:str]
+sops:
+    age:
+        - recipient: age156ak7kc79tuwpv0hk9atl5dg27jqs6ddfqxvr9m4twqgsr23lgvsdmyfpr
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsenVrS0tkTWZRY2xDZklO
+            WTcwaENIY2I1bTFGMEZZVzBoeUNrT2RESmhFCnZXU2M1SjlGQWo0OEp0TzI0c21u
+            UkNuNEdQQldQdy9uSzhveEM2eFZrRUkKLS0tIGV4S3lreHJPVS96VUZ6SXRaSklW
+            MUE4eXN0bkNkU0dCckppdldvV2V4dHcKdKh6ekq6hB5pCUAEPdASqsxqAKZDwzCv
+            NyS2jitHo9XBtMQVJg4PmNcoRs5XLdqy2tP8upnGelj0B/Q9D+dhag==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1qp7w80k3qtj79xsl0gwsfrkm037xrlnhm6th7tcyrvufh3szzp6s2pe7ra
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRVlVrdXhGMDRxMjhPb3Nv
+            c3lBS25OKzJIaWhHWHpKQXo0N1dFTnZLaHdnClVFVTFPVE1rNFVEclFVc3VjQVhu
+            SjF6Nnp6dE9oRUJYUVVnOWVpVE11WVkKLS0tIEJ0aVJzejROMHFPK1JQbkJjbUdi
+            bGU3WWhVMGJ2LzI4N2E1Zy9RNnJ2V2MK4UQPwE5GUVTGvnuZ9knQ+BHmzmRLA1V5
+            SinlJfHcs+9B7haHzAekDdNqZgEUh2tblabHqq/vNWzd0rWpK31Dww==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-03-21T16:02:33Z"
+    mac: ENC[AES256_GCM,data:FCxkzhMTplghsBfPMSR1LeIKcVRZ4o6sfmZjTQFvgJyecHM81zytxisUCGLqJb4/80Im+eUhHw8Pq+UrF3N7R/YtPsVWTaVzCguS4A0WVpEiOPmikTAekV0/6pyYJcYlnuIi9xQ55+ud1lE9Iq0u+S58MvcpdsRhh/SH+jbTFlc=,iv:HrC5aEwJZka9uYFhfS7MPnqlwHzI9CMpUipXbOlenDY=,tag:tNzURnfJ9+9+UJsn92YUXg==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.12.1