diff --git a/flake.lock b/flake.lock
index 314bbc2..32226ed 100644
--- a/flake.lock
+++ b/flake.lock
@@ -387,11 +387,11 @@
 "nixpkgs": "nixpkgs_5"
 },
 "locked": {
- "lastModified": 1762099877,
- "narHash": "sha256-aRDSsfVrwyvPxAlZQAH0bYTMRtDnE6dZZ7U8rakTuxo=",
+ "lastModified": 1762101890,
+ "narHash": "sha256-k7/cK8/6dA4V0qxXflpUgtsRg0gsdyUlPJlC5s3gsYA=",
 "ref": "refs/heads/master",
- "rev": "9e38f0a51ad341ad6a1367897d6f143730994839",
- "revCount": 143,
+ "rev": "a394862e50d0a26e25a247457ad6d739af18a105",
+ "revCount": 145,
 "type": "git",
 "url": "ssh://git@github.com/TheWanderingCrow/nix-secrets"
 },
diff --git a/hosts/nixos/HandlerOne/default.nix b/hosts/nixos/HandlerOne/default.nix
index 4e02cd6..d1eadf4 100644
--- a/hosts/nixos/HandlerOne/default.nix
+++ b/hosts/nixos/HandlerOne/default.nix
@@ -9,7 +9,8 @@
 lib,
 pkgs,
 ...
-}: {
+}:
+{
 imports = lib.flatten [
 # Hardware
 ./hardware-configuration.nix
@@ -53,6 +54,7 @@
 "modules/services/fail2ban"
 "modules/services/ntfy-sh"
 "modules/services/mesh/client.nix"
+ "modules/services/auth-provider"
 "modules/services/ollama/proxy.nix" # Just host the proxy path back to Parzival
 "modules/services/netbox"
 "modules/services/matrix"
@@ -71,7 +73,10 @@
 networkmanager.enable = true;
 enableIPv6 = false;
 firewall = {
- allowedTCPPorts = [80 443];
+ allowedTCPPorts = [
+ 80
+ 443
+ ];
 };
 };
diff --git a/modules/services/auth-provider/default.nix b/modules/services/auth-provider/default.nix
index a23c8f7..4a9648b 100644
--- a/modules/services/auth-provider/default.nix
+++ b/modules/services/auth-provider/default.nix
@@ -1,17 +1,49 @@
-{config, ...}: {
+{ inputs, config, ... }:
+let
+ sopsFolder = builtins.toString inputs.nix-secrets + "/sops";
+in
+{
 services.caddy = {
 enable = true;
 virtualHosts."auth.wanderingcrow.net".extraConfig = ''
 reverse_proxy http://localhost:5555
 '';
 };
+
+ sops.secrets = {
+ "authentik/secret-key" = {
+ sopsFile = "${sopsFolder}/services.yaml";
+ };
+ "authentik/smtp/host" = {
+ sopsFile = "${sopsFolder}/services.yaml";
+ };
+ "authentik/smtp/port" = {
+ sopsFile = "${sopsFolder}/services.yaml";
+ };
+ "authentik/smtp/user" = {
+ sopsFile = "${sopsFolder}/services.yaml";
+ };
+ "authentik/smtp/pass" = {
+ sopsFile = "${sopsFolder}/services.yaml";
+ };
+ };
+
+ sops.templates.authentik-env.content = ''
- AUTHENTIK_SECRET_KEY=qwerasvvbkuhjbn235987@!$
+ AUTHENTIK_SECRET_KEY=${config.sops.placeholder."authentik/secret-key"}
 AUTHENTIK_LISTEN__HTTP=127.0.0.1:5555
 AUTHENTIK_LISTEN__HTTPS=127.0.0.1:5443
+ AUTHENTIK_EMAIL__HOST=${config.sops.placeholder."authentik/smtp/host"}
+ AUTHENTIK_EMAIL__PORT=${config.sops.placeholder."authentik/smtp/port"}
+ AUTHENTIK_EMAIL__USERNAME=${config.sops.placeholder."authentik/smtp/user"}
+ AUTHENTIK_EMAIL__PASSWORD=${config.sops.placeholder."authentik/smtp/pass"}
+ AUTHENTIK_EMAIL__FROM=${config.sops.placeholder."authentik/smtp/user"}
 '';
 services.authentik = {
 enable = true;
 environmentFile = config.sops.templates.authentik-env.path;
+ settings.email = {
+ use_tls = true;
+ use_ssl = true;
+ };
 };
 }
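Review bot: The new `settings.email` block sets both `use_tls = true` and `use_ssl = true`, but these select different transports (`use_tls` is STARTTLS, `use_ssl` is implicit TLS) and the Django SMTP backend that authentik uses treats them as mutually exclusive, so as far as I can tell outgoing mail will fail with a configuration error rather than fall back to one of them; keep only the mode that matches the port stored under `authentik/smtp/port`, e.g. `use_tls = true;` for 587 or `use_ssl = true;` for 465. The removed `AUTHENTIK_SECRET_KEY=qwerasvvbkuhjbn235987@!$` line was committed in plaintext and remains in git history, so moving the key into sops only helps if the value in `services.yaml` is a freshly generated key (e.g. `openssl rand -base64 60`) rather than the same string; rotating it invalidates existing authentik sessions, which is the expected cost. It is also worth a comment above `sops.templates.authentik-env.content` recording that the `AUTHENTIK_EMAIL__*` environment variables and `services.authentik.settings.email` are two sources for the same settings and, per authentik's precedence rules, the env file wins — e.g. `# Env vars override settings.*; keep the TLS mode here in sync with the SMTP port in sops`.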