diff --git a/nixos/mirai/services/default.nix b/nixos/mirai/services/default.nix
index 07e83caf..323c64e7 100644
--- a/nixos/mirai/services/default.nix
+++ b/nixos/mirai/services/default.nix
@@ -14,6 +14,7 @@
 ./flaresolverr.nix
 ./searxng.nix
 ./immich.nix
+ ./ldap.nix
 # ./home-assistant.nix
 # ./jellyfin.nix
diff --git a/nixos/mirai/services/ldap.nix b/nixos/mirai/services/ldap.nix
index c486d8a4..1bcf9cdc 100644
--- a/nixos/mirai/services/ldap.nix
+++ b/nixos/mirai/services/ldap.nix
@@ -9,10 +9,10 @@
 ldap_user_dn = "admin";
 ldap_base_dn = "dc=darksailor,dc=dev";
 ldap_user_email = "admin@darksailor.dev";
- http_host = "0.0.0.0";
+ http_host = "127.0.0.1";
 http_port = 5090;
 ldap_port = 389;
- ldap_host = "0.0.0.0";
+ ldap_host = "::";
 environment = {
 LLDAP_JWT_SECRET_FILE = config.sops.secrets."lldap/jwt".path;
 LLDAP_KEY_SEED_FILE = config.sops.secrets."lldap/seed".path;
diff --git a/nixos/mirai/services/lldap.nix b/nixos/mirai/services/lldap.nix
new file mode 100644
index 00000000..0c91b25e
--- /dev/null
+++ b/nixos/mirai/services/lldap.nix
@@ -0,0 +1,24 @@
+{config, ...}: {
+ sops = {
+ secrets = let
+ user = config.systemd.services.lldap.serviceConfig.User;
+ in {
+ "ldap/aaa".owner = user;
+ };
+ };
+ services = {
+ lldap = {
+ enable = true;
+ settings = {
+ http_host = "/var/run/lldb/lldb.sock";
+ ldap_user_dn = "admin";
+ ldap_base_dn = "dc=darksailor,dc=dev";
+ };
+ };
+ caddy = {
+ virtualHosts."ldap.darksailor.dev".extraConfig = ''
+ reverse_proxy unix//var/run/lldb/lldb.sock
+ '';
+ };
+ };
+}
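Review bot: The import added in nixos/mirai/services/default.nix is `./ldap.nix`, but the file this commit creates is `lldap.nix`, and nothing visible in the diff imports it, so its Caddy virtual host and sops declaration would never be evaluated. If both files were imported, the two `services.lldap.settings` definitions would likely conflict, since they give different values for `http_host`. Keep one definition of the service, and if the new file is a work in progress, say so next to the import list, e.g. `# ./lldap.nix  # WIP socket-based variant, not imported`. The import list itself starts and ends outside the hunk.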
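Review bot: In nixos/mirai/services/ldap.nix, `ldap_host = "::"` keeps plaintext LDAP on port 389 listening on every interface, while the same hunk moves the web UI to loopback. Bind passwords cross that port unencrypted unless LDAPS or a tunnel sits in front of it, and the diff does not show whether the firewall exposes 389. If only services on this host bind to it, `ldap_host = "::1";` would match the `http_host` change; otherwise limit the port to the internal interface in the firewall configuration. Whether `::` still accepts IPv4 clients depends on the socket's dual-stack behaviour, so IPv4-only consumers should be checked after the switch from `0.0.0.0`. The settings block starts and ends outside the hunk.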
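Review bot: In the new nixos/mirai/services/lldap.nix, `http_host = "/var/run/lldb/lldb.sock";` puts a socket path where ldap.nix passes an IP address, and the directory is spelled `lldb` rather than `lldap`. The diff gives no sign that lldap accepts a Unix socket path for this setting, so confirm that before relying on the Caddy `reverse_proxy unix//…` line. The declared secret `"ldap/aaa"` is never referenced, and the `LLDAP_JWT_SECRET_FILE` / `LLDAP_KEY_SEED_FILE` wiring from ldap.nix is absent, so this definition would start without the sops-managed JWT secret and key seed. If TCP is kept, `http_host = "127.0.0.1";` with an explicit `http_port` and a matching `reverse_proxy 127.0.0.1:<port>` gives loopback-only exposure. The `ldap.darksailor.dev` virtual host then serves the admin login, so decide whether it needs an access restriction in Caddy.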