diff --git a/profiles/indico.nix b/profiles/indico.nix
index dda3b6d..9189718 100644
--- a/profiles/indico.nix
+++ b/profiles/indico.nix
@@ -4,6 +4,7 @@
   pkgs,
   ...
 }:
+
 {
   imports = [
     ../modules/indico.nix
@@ -11,6 +12,26 @@
   networking.firewall.allowedTCPPorts = [ 80 443 ];
+  age.secrets = {
+    indico-ldap-bind-password = {
+      file = ../secrets/indico-ldap-bind-password.age;
+      owner = config.services.indico.user;
+      group = config.services.indico.group;
+    };
+
+    indico-mail-password = {
+      file = ../secrets/indico-mail-password.age;
+      owner = config.services.indico.user;
+      group = config.services.indico.group;
+    };
+
+    indico-secret-key = {
+      file = ../secrets/indico-secret-key.age;
+      owner = config.services.indico.user;
+      group = config.services.indico.group;
+    };
+  };
+
   services.indico = {
     enable = true;
     nginx.domain = "events.federez.net";
@@ -21,9 +42,20 @@
       smtp = {
         host = "dodecagon.federez.net";
         login = "indico";
-        password = "xxx";
+        passwordFile = config.age.secrets.indico-mail-password.path;
       };
     };
-    secretKey = "lQsViT9292sIkObP9ptQADGJ16bk58n7"; # FIXME: dev only
+    ldap = {
+      uri = "ldaps://ldap.federez.net";
+      bindDN = "cn=indico,ou=service-users,dc=federez,dc=net";
+      bindPasswordFile = config.age.secrets.indico-ldap-bind-password.path;
+      userBaseDN = "cn=Utilisateurs,dc=federez,dc=net";
+      userFilter = "(objectClass=inetOrgPerson)";
+      groupBaseDN = "ou=posix,ou=groups,dc=federez,dc=net";
+      groupFilter = "(objectClass=posixGroup)";
+      memberOf = "manualMemberOf";
+      gid = "cn";
+    };
+    secretKeyFile = config.age.secrets.indico-secret-key.path;
   };
 }
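Review bot: The three `age.secrets` entries in the second hunk differ only in their name and each repeats the same `file`/`owner`/`group` triple, so a small local helper would keep them in step if the Indico service user ever changes. `config` is referenced here while the argument list visible in the first hunk shows only `pkgs, ...`, so it presumably comes from the part of the function header outside this diff. The rewrite below is one way to express the same three secrets without the repetition.

```nix
  age.secrets =
    let
      # One agenix entry per Indico secret, all readable only by the service user.
      indicoSecret = name: {
        file = ../secrets + "/${name}.age";
        owner = config.services.indico.user;
        group = config.services.indico.group;
      };
    in
    {
      indico-ldap-bind-password = indicoSecret "indico-ldap-bind-password";
      indico-mail-password = indicoSecret "indico-mail-password";
      indico-secret-key = indicoSecret "indico-secret-key";
    };
```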
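Review bot: Removing `secretKey = "lQsViT9292sIkObP9ptQADGJ16bk58n7"` from the file in the third hunk does not remove it from the repository history, so the value now stored in indico-secret-key.age needs to be a freshly generated key rather than this one, and the same holds for any real value that ever stood in for `password = "xxx"`. The switch to `passwordFile`, `bindPasswordFile` and `secretKeyFile` is the right shape, assuming those options are defined by the module in ../modules/indico.nix, which is not part of this diff. A one-line comment next to `secretKeyFile`, e.g. `# key rotated when the plaintext value was removed from this file`, would spare the next reader from having to verify that the rotation happened.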