diff --git a/flake.lock b/flake.lock
index 65d7a41..37b6da6 100644
--- a/flake.lock
+++ b/flake.lock
@@ -216,11 +216,11 @@
 ]
 },
 "locked": {
- "lastModified": 1713789879,
- "narHash": "sha256-4Wt3Bg6uOnvwZcECBZaFEdzlWRlGLgd8DqLL4ugLdxg=",
+ "lastModified": 1714042918,
+ "narHash": "sha256-4AItZA3EQIiSNAxliuYEJumw/LaVfrMv84gYyrs0r3U=",
 "owner": "nix-community",
 "repo": "home-manager",
- "rev": "46833c3115e8858370880d892748f0927d8193c3",
+ "rev": "0c5704eceefcb7bb238a958f532a86e3b59d76db",
 "type": "github"
 },
 "original": {
@@ -317,11 +317,11 @@
 ]
 },
 "locked": {
- "lastModified": 1713668931,
- "narHash": "sha256-rVlwWQlgFGGK3aPVcKmtYqWgjYnPah5FOIsYAqrMN2w=",
+ "lastModified": 1713869268,
+ "narHash": "sha256-o3CMQeu/S8/4zU0pMtYg51rd1FWdJsI2Xohzng1Ysdg=",
 "owner": "nix-community",
 "repo": "nix-index-database",
- "rev": "07ece11b22217b8459df589f858e92212b74f1a1",
+ "rev": "dcb6ac44922858ce3a5b46f77a36d6030181460c",
 "type": "github"
 },
 "original": {
@@ -332,11 +332,11 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1713714899,
- "narHash": "sha256-+z/XjO3QJs5rLE5UOf015gdVauVRQd2vZtsFkaXBq2Y=",
+ "lastModified": 1713895582,
+ "narHash": "sha256-cfh1hi+6muQMbi9acOlju3V1gl8BEaZBXBR9jQfQi4U=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "6143fc5eeb9c4f00163267708e26191d1e918932",
+ "rev": "572af610f6151fd41c212f897c71f7056e3fb518",
 "type": "github"
 },
 "original": {
diff --git a/hosts/falkenstein/modules/networks/default.nix b/hosts/falkenstein/modules/networks/default.nix
index 33dc1d7..7cacf9b 100644
--- a/hosts/falkenstein/modules/networks/default.nix
+++ b/hosts/falkenstein/modules/networks/default.nix
@@ -87,8 +87,15 @@
 };
 networks."30-dorm" = {
 matchConfig.Name = "wg0";
+ addresses = [
+ {
+ addressConfig = {
+ Address = "192.168.43.4/24";
+ AddPrefixRoute = false;
+ };
+ }
+ ];
 networkConfig = {
- Address = "192.168.43.4/32";
 DNS = "192.168.43.1";
 Domains = [
 "~vpn.rfive.de"
diff --git a/hosts/nuc/default.nix b/hosts/nuc/default.nix
index 624fd75..3de6f87 100644
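Review bot: The new `addresses` entry widens the wg0 address from `/32` to `/24` while `AddPrefixRoute = false` suppresses the on-link route a /24 would otherwise install, so 192.168.43.0/24 still has to be reached through a route configured elsewhere (presumably the WireGuard peer settings, which are not in this hunk); why the prefix is widened only to disable its route is not stated. The same pattern appears in the thinkpad `30-wg0` hunk. Add a comment above `addresses`, e.g. `# /24 only to expose the VPN netmask; the route to 192.168.43.0/24 is left to the peer config, hence AddPrefixRoute = false` — adjusted to the real intent. If no such route exists, the `DNS = "192.168.43.1"` resolver below becomes unreachable; the `networks."30-dorm"` block continues past the end of the hunk.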
--- a/hosts/nuc/default.nix
+++ b/hosts/nuc/default.nix
@@ -7,6 +7,7 @@
 ./modules/networks
 ./modules/adguard
 ./modules/backup
+ ./modules/keycloak
 ./modules/cache
 ./modules/matrix
 ./modules/mautrix-telegram
diff --git a/hosts/nuc/modules/keycloak/default.nix b/hosts/nuc/modules/keycloak/default.nix
new file mode 100644
index 0000000..0ace24b
--- /dev/null
+++ b/hosts/nuc/modules/keycloak/default.nix
@@ -0,0 +1,43 @@
+{ config, ... }:
+let
+ domain = "auth.${config.networking.domain}";
+in
+{
+ age.secrets.keycloak = {
+ file = ../../../../secrets/nuc/keycloak/db.age;
+ };
+ services.keycloak = {
+ enable = true;
+ settings = {
+ http-port = 8084;
+ https-port = 19000;
+ hostname = domain;
+ # proxy-headers = "forwarded";
+ proxy = "edge";
+ };
+ database = {
+ # host = "/var/run/postgresql/.s.PGSQL.5432";
+ # useSSL = false;
+ # createLocally = false;
+ passwordFile = config.age.secrets.keycloak.path;
+ };
+ initialAdminPassword = "plschangeme";
+ };
+ # services.postgresql = {
+ # enable = true;
+ # ensureUsers = [
+ # {
+ # name = "keycloak";
+ # ensureDBOwnership = true;
+ # }
+ # ];
+ # ensureDatabases = [ "keycloak" ];
+ # };
+ services.nginx.virtualHosts."${domain}" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:${toString config.services.keycloak.settings.http-port}";
+ };
+ };
+}
diff --git a/hosts/thinkpad/modules/networks/default.nix b/hosts/thinkpad/modules/networks/default.nix
index adfaf20..61290b4 100644
--- a/hosts/thinkpad/modules/networks/default.nix
+++ b/hosts/thinkpad/modules/networks/default.nix
@@ -163,8 +163,15 @@
 networks."30-wg0" = {
 matchConfig.Name = "wg0";
 linkConfig.RequiredForOnline = false;
+ addresses = [
+ {
+ addressConfig = {
+ Address = "192.168.43.3/24";
+ AddPrefixRoute = false;
+ };
+ }
+ ];
 networkConfig = {
- Address = "192.168.43.3/32";
 DNS = "192.168.43.1";
 Domains = [
 "~vpn.rfive.de"
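Review bot: `initialAdminPassword = "plschangeme";` commits the admin-console bootstrap credential in plaintext in the same file that carefully keeps the DB password out of git via `age.secrets.keycloak`; it is consumed only on first start, but until it is rotated anyone who can read this repository can sign in as the Keycloak admin. Add a comment next to it stating that it is bootstrap-only and must be changed at first login, e.g. `# bootstrap-only and visible in git: rotate in the admin console right after first start`. Separately, `proxy = "edge"` makes Keycloak trust X-Forwarded-* headers from whatever reaches `http-port` 8084, and nothing in this hunk binds the listener to loopback, so unless the module's default listen address is already loopback, consider adding `http-host = "127.0.0.1";` under `settings`; the nginx `locations."/"` block also has to actually set those forwarded headers, which is not visible here (global `recommendedProxySettings` or explicit `proxy_set_header` lines).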
diff --git a/hosts/thinkpad/modules/networks/uni.nix b/hosts/thinkpad/modules/networks/uni.nix
index 7c86553..0b4855e 100644
--- a/hosts/thinkpad/modules/networks/uni.nix
+++ b/hosts/thinkpad/modules/networks/uni.nix
@@ -95,7 +95,7 @@
 systemd.services = {
 openfortivpn-agdsn = {
 description = "AG DSN Fortinet VPN";
- script = "${pkgs.openfortivpn}/bin/openfortivpn vpn.agdsn.de:443 --realm admin-vpn -u r5 -p $(cat $CREDENTIALS_DIRECTORY/password) --trusted-cert bbbe0df79764c5f1bd4b332e449e43a40e43eec57c983a1e75a1896e6eae4da5";
+ script = "${pkgs.openfortivpn}/bin/openfortivpn vpn.agdsn.de:443 --realm admin-vpn -u r5 -p $(cat $CREDENTIALS_DIRECTORY/password)";
 requires = [ "network-online.target" ];
 after = [ "network.target" "network-online.target" ];
 serviceConfig = {
diff --git a/hosts/thinkpad/modules/printing/default.nix b/hosts/thinkpad/modules/printing/default.nix
index 5285585..de2c4ad 100644
--- a/hosts/thinkpad/modules/printing/default.nix
+++ b/hosts/thinkpad/modules/printing/default.nix
@@ -1,13 +1,17 @@
 { pkgs, ... }:
 {
- environment.systemPackages = with pkgs; [ cups ];
- # services.printing = {
- # enable = true;
- # stateless = true;
- # browsedConf = ''
- # BrowsePoll cups.agdsn.network
- # LocalQueueNamingRemoteCUPS RemoteName
- # '';
- # drivers = with pkgs; [ cups-kyocera ];
- # };
+ # environment.systemPackages = with pkgs; [ cups ];
+ services.avahi = {
+ enable = true;
+ nssmdns4 = true;
+ };
+ services.printing = {
+ enable = true;
+ stateless = true;
+ browsedConf = ''
+ BrowsePoll cups.agdsn.network
+ LocalQueueNamingRemoteCUPS RemoteName
+ '';
+ drivers = with pkgs; [ cups-kyocera ];
+ };
 }
diff --git a/secrets.nix b/secrets.nix
index afcde6c..f73f67b 100644
--- a/secrets.nix
+++ b/secrets.nix
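Review bot: Dropping `--trusted-cert` moves gateway validation from the pinned digest to the system CA store, which openfortivpn enforces by refusing to connect when the gateway certificate is not trusted; that is only the right change if vpn.agdsn.de now presents a publicly trusted certificate, and the commit does not say so. Record the reason above the `script` line, e.g. `# gateway cert is CA-signed now, so no --trusted-cert pin is needed`. The new line also still hands the password to openfortivpn as a command-line argument via `-p $(cat ...)`, which leaves it readable in the process list by other local users for the lifetime of the connection; openfortivpn can read a `password =` line from a config file passed with `-c`, which would keep it out of argv. The `openfortivpn-agdsn` unit definition continues outside the hunk.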
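Review bot: The first added line keeps `environment.systemPackages = with pkgs; [ cups ];` as a commented-out leftover, while the same hunk removes a commented-out `services.printing` stanza; dead config should be deleted rather than parked in a comment, since git already preserves it. Beyond style, `services.avahi` with `nssmdns4 = true` makes `.local` name resolution on this laptop accept answers from whichever mDNS responders happen to be on the current network, so a one-line comment saying why mDNS resolution is needed here (presumably discovery of the `cups.agdsn.network` printers) would help the next reader judge whether it should be scoped further. Whether `services.avahi.openFirewall` or `publish` are set elsewhere is not visible in this hunk.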
@@ -20,6 +20,7 @@ in
 "secrets/nuc/matrix/sync.age".publicKeys = [ rouven nuc ];
 "secrets/nuc/mautrix-telegram/env.age".publicKeys = [ rouven nuc ];
 "secrets/nuc/vaultwarden.age".publicKeys = [ rouven nuc ];
+ "secrets/nuc/keycloak/db.age".publicKeys = [ rouven nuc ];
 "secrets/nuc/cache.age".publicKeys = [ rouven nuc ];
 "secrets/nuc/borg/passphrase.age".publicKeys = [ rouven nuc ];
 "secrets/nuc/borg/key.age".publicKeys = [ rouven nuc ];
diff --git a/secrets/nuc/keycloak/db.age b/secrets/nuc/keycloak/db.age
new file mode 100644
index 0000000..1093a5b
Binary files /dev/null and b/secrets/nuc/keycloak/db.age differ
diff --git a/shared/zsh.nix b/shared/zsh.nix
index 61b2d18..08e66c3 100644
--- a/shared/zsh.nix
+++ b/shared/zsh.nix
@@ -45,6 +45,8 @@
 export MCFLY_RESULTS=30
 export MCFLY_INTERFACE_VIEW=BOTTOM
 export MCFLY_PROMPT="❯"
+ # fix for networkctl
+ zstyle ':completion:*:complete:networkctl:*' list-grouped true
 source ${pkgs.agdsn-zsh-config}/etc/zsh/zshrc
 source ${pkgs.zsh-fzf-tab}/share/fzf-tab/fzf-tab.plugin.zsh
 unsetopt extendedglob