diff --git a/hosts/gitea/default.nix b/hosts/gitea/default.nix
index f7f2f7d7..d85f49bd 100644
--- a/hosts/gitea/default.nix
+++ b/hosts/gitea/default.nix
@@ -1,10 +1,12 @@
-{ config, pkgs, lib, ... }:
+{ config, pkgs, lib, libS, ... }:
 {
 c3d2.deployment.server = "server10";
 microvm.mem = 4 * 1024;
+ environment.systemPackages = with pkgs; [ postgresql unzip ]; # used to restore database dumps
+
 networking = {
 hostName = "gitea";
 firewall.allowedTCPPorts = [ 2222 ];
@@ -14,20 +16,23 @@
 gitea = rec {
 enable = true;
 appName = "Gitea: with a cup of Kolle Mate";
- domain = "gitea.c3d2.de";
- rootUrl = "https://${domain}/";
- database.type = "postgres";
-
- repositoryRoot = "/var/lib/gitea/repositories";
-
+ domain = "gitea.c3d2.de";
 lfs.enable = true;
+ repositoryRoot = "/var/lib/gitea/repositories";
+ rootUrl = "https://${domain}/";
 dump = {
 # Is a nice feature once we have a dedicated backup storage.
 # For now it is disabled, since it delays `nixos-rebuild switch`.
 enable = false;
- backupDir = "/var/lib/gitea/dump";
+ backupDir = "/var/backup/gitea/";
+ };
+
+ ldap = {
+ enable = true;
+ adminGroup = "gitea-admins";
+ bindPasswordFile = config.sops.secrets."gitea/ldapSearchUserPassword".path;
 };
 settings = {
@@ -124,6 +129,11 @@
 };
 };
+ sops = {
+ defaultSopsFile = ./secrets.yaml;
+ secrets."gitea/ldapSearchUserPassword" = libS.sops.permissionForUser "gitea";
+ };
+
 programs.msmtp = {
 enable = true;
 accounts.default = {
@@ -137,7 +147,5 @@
 };
 };
- environment.systemPackages = with pkgs; [ postgresql unzip ]; # used to restore database dumps
-
 system.stateVersion = "21.11";
 }
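Review bot: The new `ldap` block makes membership in the directory group `gitea-admins` equivalent to Gitea administrator, and nothing in the hunk records who may edit that group or why the bind credential is read from a file rather than a literal; a short comment on the block would help, e.g. `# Members of gitea-admins get Gitea admin; keep that group restricted in LDAP.` and `# Bind password comes from sops, so it never lands in the Nix store.`. `ldap` does not look like a stock `services.gitea` option, and the host, bind DN and search base are not visible here, so presumably a site module supplies them — worth confirming the module also sets TLS for the bind. The `dump` comment "once we have a dedicated backup storage" may now be stale given `backupDir` moves to `/var/backup/gitea/`, or the path is prepared for a backup store that does not exist yet; either way the comment should say which. The `gitea = rec {` attribute set continues past the end of the hunk.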
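Review bot: The secret `gitea/ldapSearchUserPassword` is consumed by gitea through `bindPasswordFile` in the earlier hunk, but nothing visible restarts the service when the secret changes, so a rotated bind password would not take effect until gitea is next restarted. Unless `libS.sops.permissionForUser` already sets it, consider `secrets."gitea/ldapSearchUserPassword" = libS.sops.permissionForUser "gitea" // { restartUnits = [ "gitea.service" ]; };`, which is how sops-nix is told to restart a consumer on rotation. Ownership being narrowed to the `gitea` user rather than root-readable-by-all is the right default for a credential that can bind to the directory.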