diff --git a/config/portunus_seeds.json b/config/portunus_seeds.json
new file mode 100644
index 0000000..58900aa
--- /dev/null
+++ b/config/portunus_seeds.json
@@ -0,0 +1,34 @@
+{
+ "groups": [
+ {
+ "name": "admins",
+ "long-name": "Portunus Admins",
+ "members": [],
+ "permissions": {
+ "portunus": { "is-admin": true },
+ "ldap": { "can-read": true }
+ }
+ },
+ {
+ "name": "ifsr",
+ "long-name": "Mitglieder des ifsr",
+ "members": [],
+ "permissions": {
+ "portunus": { "is-admin": false },
+ "ldap": { "can-read": false }
+ }
+ },
+ {
+ "name": "strukturer",
+ "long-name": "Strukturer des ifsr",
+ "members": [],
+ "permissions": {
+ "portunus": { "is-admin": false },
+ "ldap": { "can-read": false }
+ }
+ }
+ ],
+ "users": [
+ {}
+ ]
+}
diff --git a/modules/ldap.nix b/modules/ldap.nix
index 697bca1..edbdc14 100644
--- a/modules/ldap.nix
+++ b/modules/ldap.nix
@@ -50,15 +50,7 @@ in
 tls = true;
 };
- # TODO: wohin seed file?
- seedPath = "";
-
- # falls wir das brauchen
- # dex = {
- # enable = true;
- # ...
- # };
- # searchUserName = "xxx";
+ seedPath = "../config/portunus_seeds.json";
 };
 users.ldap = {
@@ -68,7 +60,6 @@ in
 # useTLS = true; # nicht nötig weil ldaps domain festgelegt. würde sonst starttls auf port 389 versuchen
 };
- # TODO: acme/letsencrypt oder andere lösung?
 services.nginx = {
 enable = true;
 virtualHosts."${config.services.portunus.domain}" = {
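Review bot: The `"users"` array contains a single empty object `{}` with no fields at all, which a seed loader will presumably either reject at startup or silently turn into no user; combined with the empty `"members"` list on the `admins` group, the file as committed grants `is-admin` to nobody. If this is meant as a skeleton to be filled in later, `"users": []` is the valid empty form and avoids a malformed record; otherwise the entry needs the real login name and the `admins` group needs that name in `"members"`. Since JSON admits no comments, the intended next step (who gets seeded as admin, and where user secrets come from) belongs in the commit description.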
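Review bot: `seedPath = "../config/portunus_seeds.json";` is a plain string, so Nix neither copies the file into the store nor resolves it against `modules/ldap.nix`; the service would receive a relative path resolved against its runtime working directory and most likely fail to find the seed, and if the option is typed as a path it may already be rejected at evaluation time as a non-absolute string. A path literal, `seedPath = ../config/portunus_seeds.json;`, is resolved relative to this module and imported into the store. Bear in mind that a store path is world-readable on the host, so the seed file must never carry plaintext passwords or other credentials; if user seeds with secrets are needed later, point `seedPath` at a file deployed outside the store with restricted permissions. The enclosing attribute set (presumably `services.portunus`) starts before this hunk.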