diff --git a/.gitignore b/.gitignore
index e03d9cf..594fa7c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -4,3 +4,4 @@
 *.db
 *.sqlite
+/config.toml
diff --git a/config.toml.example b/config.toml.example
new file mode 100644
index 0000000..554359f
--- /dev/null
+++ b/config.toml.example
@@ -0,0 +1,4 @@
+padlock_secret = ""
+
+[database]
+connection_string = "sqlite://sqlite.db"
diff --git a/src/config.rs b/src/config.rs
new file mode 100644
index 0000000..03d7410
--- /dev/null
+++ b/src/config.rs
@@ -0,0 +1,29 @@
+use serde::Deserialize;
+
+use crate::secrets::PadlockGenerationSecret;
+
+#[derive(Debug, Clone, Deserialize)]
+pub struct Config {
+ database: DatabaseConfig,
+ #[serde(default)]
+ auth_backends: Vec,
+ #[serde(with = "hex::serde")]
+ padlock_secret: PadlockGenerationSecret,
+}
+
+#[derive(Debug, Clone, Deserialize)]
+pub struct DatabaseConfig {
+ connection_string: String,
+}
+
+#[derive(Debug, Clone, Deserialize)]
+#[serde(tag = "type")]
+pub enum AuthBackend {
+ #[serde(rename = "LDAP")]
+ Ldap(LdapBackendConfig),
+}
+
+#[derive(Debug, Clone, Deserialize)]
+pub struct LdapBackendConfig {
+ server_address: String,
+}
diff --git a/src/main.rs b/src/main.rs
index 88314bf..df0ba48 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -20,11 +20,15 @@
 #![forbid(unsafe_code)]
 mod auth;
+mod config;
 mod db;
 mod secrets;
 mod server;
+use std::path::Path;
+
 use color_eyre::Result;
+use config::Config;
 use tracing::{event, instrument, Level};
 use tracing_error::ErrorLayer;
 use tracing_subscriber::{layer::SubscriberExt, util::SubscriberInitExt, EnvFilter};
@@ -47,6 +51,15 @@ fn init() -> Result<()> {
 Ok(())
 }
+#[instrument]
+async fn load_config(path: &str) -> Result {
+ event!(Level::DEBUG, "Loading config");
+
+ let content = tokio::fs::read_to_string(path).await?;
+
+ Ok(toml::from_str(&content)?)
+}
+
 #[tokio::main]
 #[instrument]
 async fn main() -> Result<()> {
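Review bot: `DatabaseConfig` derives `Debug` over a plain `connection_string: String`, and `Config` derives `Debug` on top of it, so any `{:?}` of the config, or a future `#[instrument]` span that takes it as an argument, writes the full connection string to the logs. The example value is a credential-free SQLite path, but connection URLs for networked databases commonly embed a password. `PadlockGenerationSecret` already has a hand-written `Debug` impl in src/secrets.rs (its body is not shown in this diff); giving the connection string the same treatment, for example `connection_string: SecretString,` from the `secrecy` crate that file already imports (assuming its serde support is enabled), would keep it out of debug output.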
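Review bot: Both `?` operators in `load_config` pass the error up without naming the file, so a missing or malformed config reaches the operator as a bare I/O or parse error. With `color_eyre::eyre::WrapErr` in scope, `.wrap_err_with(|| format!("failed to read config file {path}"))` on the read, and a similar `wrap_err` on `toml::from_str`, would make startup failures diagnosable. Depending on the toml crate version, parse errors quote the offending source line, so a malformed `padlock_secret` line could put the secret text into the error report; worth confirming before that error is printed. `use std::path::Path;` from the import hunk above is not used by any line visible in this diff; either accept `impl AsRef<Path>` here or drop the import.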
@@ -54,6 +67,8 @@ async fn main() -> Result<()> {
 event!(Level::INFO, "Hello, world!");
+ let config = load_config("config.toml").await?;
+
 tokio::spawn(server::run()).await??;
 Ok(())
diff --git a/src/secrets.rs b/src/secrets.rs
index f65adcd..ec09860 100644
--- a/src/secrets.rs
+++ b/src/secrets.rs
@@ -1,5 +1,6 @@
-use std::fmt::Debug;
+use std::{convert::Infallible, fmt::Debug};
+use hex::FromHex;
 use secrecy::{ExposeSecret, SecretString, SecretVec};
 use serde::{Deserialize, Serialize};
@@ -50,6 +51,7 @@ impl From for ServerPadlock {
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct ServerHash(pub Vec);
+#[derive(Deserialize)]
 pub struct PadlockGenerationSecret(pub SecretVec);
 impl Debug for PadlockGenerationSecret {
 fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
@@ -63,3 +65,11 @@ impl Clone for PadlockGenerationSecret {
 PadlockGenerationSecret(self.0.expose_secret().clone().into())
 }
 }
+
+impl FromHex for PadlockGenerationSecret {
+ type Error = Infallible;
+
+ fn from_hex>(hex: T) -> Result {
+ Ok(Self(hex.as_ref().to_vec().into()))
+ }
+}
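Review bot: `load_config("config.toml")` resolves against the process working directory, so which file supplies `padlock_secret` and the auth backends depends on where the binary is launched from. A service started from an unexpected or shared directory would silently pick up whatever `config.toml` is there. Taking the path from a command-line argument or environment variable, with an absolute default, removes that dependency. The loaded `config` is not used in this hunk (`server::run()` is still called with no arguments), so the values have no effect yet and the binding will warn as unused. `main` begins and ends outside the hunk.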
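Review bot: The derived `Deserialize` on `PadlockGenerationSecret` looks unnecessary. The only field visible in this diff that holds the type, `padlock_secret` in src/config.rs, is annotated `#[serde(with = "hex::serde")]`, which goes through `FromHex` and does not need the type itself to implement `Deserialize`. Keeping the derive gives the secret a second, non-hex input format (a sequence of byte values) that nothing here uses; consider dropping `#[derive(Deserialize)]` unless a caller outside this diff relies on it. The `Debug` impl that follows is cut off at the end of the hunk.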
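Review bot: `from_hex` never decodes anything: `hex.as_ref().to_vec()` stores the ASCII characters of the config string as the secret, and `type Error = Infallible` means non-hex, odd-length or empty input is accepted. With `#[serde(with = "hex::serde")]` in src/config.rs the effective key is the hex text itself (four bits of entropy per stored byte), and the `padlock_secret = ""` shipped in config.toml.example loads as a zero-length secret without complaint. Decode through the crate's existing impl instead, `type Error = hex::FromHexError;` and `Vec::<u8>::from_hex(hex).map(|bytes| Self(bytes.into()))`, and reject an empty or too-short result before the secret is constructed. The `Infallible` import added at the top of the file would then be unused.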