diff --git a/paris-container.nix b/paris-container.nix
index f7c7f0e..c052e6f 100644
--- a/paris-container.nix
+++ b/paris-container.nix
@@ -19,6 +19,7 @@ in {
 image = mkOption {
 type = str;
 description = "Authentik LDAP outpost Docker image.";
+ default = "ghcr.io/goauthentik/ldap:latest";
 };
 domain = mkOption {
@@ -33,9 +34,10 @@ in {
 default = "authentik.${toplevel.config.fudo.mail.primary-domain}";
 };
- outpost-token = mkOption {
+ outpost-token-file = mkOption {
 type = str;
- description = "Token with which to authenticate to the Authentik host.";
+ description =
+ "File containing token with which to authenticate to the Authentik host.";
 };
 bind-dn = mkOption {
@@ -117,7 +119,7 @@ in {
 source-file = pkgs.writeText "paris-ldap-proxy.env" (concatStringsSep "\n" [
 "AUTHENTIK_HOST=${cfg.ldap.authentik-host}"
- "AUTHENTIK_TOKEN=${cfg.ldap.outpost-token}"
+ "AUTHENTIK_TOKEN=${readFile cfg.ldap.outpost-token-file}"
 "AUTHENTIK_INSECURE=false"
 ]);
 target-file = "/run/paris/ldap.env";
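Review bot: The new `default` on the `image` option is the mutable `:latest` tag, so the LDAP outpost that handles directory binds can change underneath an otherwise unchanged configuration whenever the image is re-pulled. I would either leave the option without a default so each deployment has to choose an image, or pin it, e.g. `default = "ghcr.io/goauthentik/ldap:<pinned-version>";` (placeholder; a digest is stronger than a tag). A floating tag can also drift away from the version of the server at `authentik-host`, which is worth stating in the option's `description`.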
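Review bot: In the third hunk, `readFile cfg.ldap.outpost-token-file` is evaluated inside `pkgs.writeText`, so the token is read at evaluation time and written in clear text to a `paris-ldap-proxy.env` path in the Nix store, which is normally world-readable on the build host. The rename to `outpost-token-file` in the second hunk suggests the secret stays out of the store, but this line gives it the same exposure as the old inline `outpost-token`. If the aim is to keep the token out of the store, the env file should be assembled at activation or service start from the token file and written to `/run/paris/ldap.env` with restrictive permissions, rather than built as a derivation. If store exposure on the build host is accepted, say so in the option description, e.g. `"File containing the outpost token; read at evaluation time and embedded in the generated env file."`. The attribute set around `source-file` starts and ends outside the hunk, so how that file is protected afterwards is not visible here.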