diff --git a/hosts/nuc/default.nix b/hosts/nuc/default.nix
index 670f0ea..14f4e11 100644
--- a/hosts/nuc/default.nix
+++ b/hosts/nuc/default.nix
@@ -8,7 +8,8 @@
       ./modules/backup
       ./modules/cache
       # ./modules/grafana
-      ./modules/hydra
+      # ./modules/hydra
+      ./modules/keycloak
       # ./modules/prometheus
       ./modules/matrix
       ./modules/mautrix-telegram
@@ -69,8 +70,6 @@
   programs.mosh.enable = true;
 
 
-  # firmware updates
-  services.fwupd.enable = true;
   users.users.root.initialHashedPassword = "$y$j9T$hYM7FT2hn3O7OWBn9uz8e0$XquxONcPSke6YjdRGwOzGxC0/92hgP7PIB0y0K.Qdr/";
   users.users.root.openssh.authorizedKeys.keyFiles = [
     ../../keys/ssh/rouven-thinkpad
diff --git a/hosts/nuc/modules/keycloak/default.nix b/hosts/nuc/modules/keycloak/default.nix
new file mode 100644
index 0000000..0ace24b
--- /dev/null
+++ b/hosts/nuc/modules/keycloak/default.nix
@@ -0,0 +1,43 @@
+{ config, ... }:
+let
+  domain = "auth.${config.networking.domain}";
+in
+{
+  age.secrets.keycloak = {
+    file = ../../../../secrets/nuc/keycloak/db.age;
+  };
+  services.keycloak = {
+    enable = true;
+    settings = {
+      http-port = 8084;
+      https-port = 19000;
+      hostname = domain;
+      # proxy-headers = "forwarded";
+      proxy = "edge";
+    };
+    database = {
+      # host = "/var/run/postgresql/.s.PGSQL.5432";
+      # useSSL = false;
+      # createLocally = false;
+      passwordFile = config.age.secrets.keycloak.path;
+    };
+    initialAdminPassword = "plschangeme";
+  };
+  # services.postgresql = {
+  #   enable = true;
+  #   ensureUsers = [
+  #     {
+  #       name = "keycloak";
+  #       ensureDBOwnership = true;
+  #     }
+  #   ];
+  #   ensureDatabases = [ "keycloak" ];
+  # };
+  services.nginx.virtualHosts."${domain}" = {
+    enableACME = true;
+    forceSSL = true;
+    locations."/" = {
+      proxyPass = "http://127.0.0.1:${toString config.services.keycloak.settings.http-port}";
+    };
+  };
+}
diff --git a/secrets.nix b/secrets.nix
index afcde6c..f73f67b 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -20,6 +20,7 @@ in
   "secrets/nuc/matrix/sync.age".publicKeys = [ rouven nuc ];
   "secrets/nuc/mautrix-telegram/env.age".publicKeys = [ rouven nuc ];
   "secrets/nuc/vaultwarden.age".publicKeys = [ rouven nuc ];
+  "secrets/nuc/keycloak/db.age".publicKeys = [ rouven nuc ];
   "secrets/nuc/cache.age".publicKeys = [ rouven nuc ];
   "secrets/nuc/borg/passphrase.age".publicKeys = [ rouven nuc ];
   "secrets/nuc/borg/key.age".publicKeys = [ rouven nuc ];
diff --git a/secrets/nuc/keycloak/db.age b/secrets/nuc/keycloak/db.age
new file mode 100644
index 0000000..1093a5b
Binary files /dev/null and b/secrets/nuc/keycloak/db.age differ