diff --git a/.sops.yaml b/.sops.yaml index 539c83b..8cd66ef 100755 --- a/.sops.yaml +++ b/.sops.yaml @@ -1,18 +1,25 @@ keys: - - &birne age1jyxk2z69pm8hpz5zlf5lh05vrws2sprum3ucx2xjpq8efctcfdaq0jhs3w + - &bennofs B8E1727497FC48AA14158BDF947F769D7B95EC2B + - &felix F8634A1CFF7D61608503A70B24363525EA0E8A99 - &revol-xut 91EBE87016391323642A6803B966009D57E69CC6 + - &durian age18g49g3hv0lvck9k767qevnyuzzwc7fnzcvun4e453vruv5zmufjscwep3q + # private key stored in repo, used for test VM - &test age1925katzy5gws3f9hnvnlwspu6trxf488arwt6ayw3urg2mgumqhszxnmqh creation_rules: - - path_regex: secrets/birne\.yaml$ + - path_regex: secrets/durian\.yaml$ key_groups: - pgp: + - *bennofs - *revol-xut + - *felix age: - - *birne - - path_regex: secrets/birne\.test\.yaml$ + - *durian + - path_regex: secrets\.test\.yaml$ key_groups: - pgp: + - *bennofs - *revol-xut + - *felix age: - *test diff --git a/flake.nix b/flake.nix index f352a84..0244f23 100755 --- a/flake.nix +++ b/flake.nix @@ -9,11 +9,11 @@ outputs = { self, nixpkgs, sops-nix, fsr-infoscreen, ... }@inputs: let in { - packages."aarch64-linux".sanddorn = self.nixosConfigurations.sanddorn.config.system.build.sdImage; - packages."x86_64-linux".sanddorn = self.nixosConfigurations.sanddorn.config.system.build.sdImage; + #packages."aarch64-linux".sanddorn = self.nixosConfigurations.sanddorn.config.system.build.sdImage; + #packages."x86_64-linux".sanddorn = self.nixosConfigurations.sanddorn.config.system.build.sdImage; nixosConfigurations = { - birne = nixpkgs.lib.nixosSystem { + /*birne = nixpkgs.lib.nixosSystem { system = "x86_64-linux"; modules = [ ./hosts/birne/configuration.nix @@ -51,6 +51,7 @@ } ]; }; + */ durian = nixpkgs.lib.nixosSystem { system = "x86_64-linux"; modules = [ diff --git a/modules/keycloak.nix b/modules/keycloak.nix new file mode 100644 index 0000000..03e4e1a --- /dev/null +++ b/modules/keycloak.nix 
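Review bot: The new test rule `path_regex: secrets\.test\.yaml$` drops the directory prefix that the removed `secrets/birne\.test\.yaml$` had, so it matches any path ending in `secrets.test.yaml` and no longer matches a `secrets/<host>.test.yaml` file. Because the comment added on the `&test` recipient says its private key is stored in the repo, anything encrypted under this rule is effectively public, and the pattern should be as narrow as the one file it is meant for, e.g. `path_regex: ^secrets/durian\.test\.yaml$` (the intended path is inferred from the removed line and should be confirmed). The recipient comment should also spell out the consequence for the next maintainer: `# private key stored in repo, used for test VM: anything encrypted to this recipient is public, never put real secrets in a file matching the test rule`.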
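Review bot: The `birne` configuration and the two `sanddorn` package outputs are disabled by commenting them out (`/*birne = …` opened here and closed by the `*/` added in the next hunk) rather than deleted, and the roughly forty lines between the two hunks are outside the diff, so it cannot be checked here whether they contain a `*/` that would end the block comment early. Since git history already preserves the old host, deleting the block and the `packages.*.sanddorn` lines is cleaner and avoids `./hosts/birne` looking like a live host. If the removal is meant to be temporary, a one-line comment above the `/*` saying so, e.g. `# birne is decommissioned; config kept until migration to durian is complete`, would tell the reader why dead code is being kept.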
@@ -0,0 +1,34 @@
+{pkgs, conifg, lib}: {
+
+ sops.secrets.postgres_keycloak.owner = config.systemd.services.keycloak.serviceConfig.User;
+
+ services = {
+ keycloak = {
+ enable = true;
+
+ settings = {
+ hostname = "keycloak.durian.tassilo-tanneberger.de";
+ };
+
+ database = {
+ username = "keycloak";
+ type = "postgresql";
+ passwordFile = ;
+ name = "keycloak";
+ host = "localhost";
+ };
+ };
+ postgresql = {
+ enable = true;
+ ensureUsers = [
+ {
+ name = "keycloak";
+ ensurePermissions = {
+ "DATABASE keycloak" = "ALL PRIVILEGES";
+ };
+ }
+ ];
+ ensureDatabases = [ "keycloak" ];
+ };
+ };
+}
diff --git a/secrets/durian.yaml b/secrets/durian.yaml
new file mode 100644
index 0000000..be24dc6
--- /dev/null
+++ b/secrets/durian.yaml
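Review bot: The module will not evaluate as written: the argument set spells `conifg` while the body reads `config` (unbound on the `sops.secrets.postgres_keycloak.owner` line), and `passwordFile = ;` has no value, which is a syntax error. Fix the header to `{ pkgs, config, lib, ... }: {` (the `...` is needed because NixOS passes additional arguments to modules) and point the database at the decrypted secret with `passwordFile = config.sops.secrets.postgres_keycloak.path;`. Setting the secret's `owner` from `config.systemd.services.keycloak.serviceConfig.User` only works if that user exists when sops-nix installs secrets during activation; if the nixpkgs keycloak unit runs with `DynamicUser`, the chown fails, so confirm against the module and otherwise use a statically created user or a group-readable `mode`. The `postgresql.ensureUsers`/`ensureDatabases` block also appears to duplicate what the keycloak module sets up itself when `database.createLocally` is left at its default, so verify which side is meant to own the role and its password.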
@@ -0,0 +1,72 @@ +postgres_keycloak: ENC[AES256_GCM,data:Vi0NLjpYDvFGIYYL/VPdgOqAS51KXQynBFlBjK64elU=,iv:JY65V7b8zWSX4aNEK5pD7iyxnqIr8jexcG3pIBNbmvg=,tag:auDyPClH1VbWbFoWWK5E9w==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age18g49g3hv0lvck9k767qevnyuzzwc7fnzcvun4e453vruv5zmufjscwep3q + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBSFRzSkp2VWFEaVJJNVR0 + eXVWV2V5cGxxeHYvZWN3QktQUUdmc1J6a2tZCjVMUS9QWC9RejNVN21hNG40TnVm + c2xZZEJjODVjSGFVaVVwOVpQb1VtdnMKLS0tIHpuelNDRW5DRGdhNTFISDFYQ0Fs + bzNnbFZnZnZiY0xsbVlvUStBblBMWGcK7HSz9iFQiH0BJ3etF09opJreBoBtiBZ0 + L74EBGuEV4+dNWqY3QwAASmDYJJ8ocQMuAgctjsgstKBKUeOrkhDRg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2022-08-16T13:03:32Z" + mac: ENC[AES256_GCM,data:2exwH5VVfOOZ4SCwOcwFhg8Pwtmm936Cfn6A91YfyWu7tTkFq3vzFj0P3mG7RI0CyCTg1ptHt9j2zGKzy+mSO8Cb5ohPAJE/cuVkI998+D84uPkjLHHOq1wJRZxza9RHFiENPK0AOx3jSlAeFZqmIQPExX3gVRyJManU32OVu4o=,iv:xUXek6g9ayI5E7Exxq9EapesSfkD+AM3LWSVHPv2rLM=,tag:MpfvDuNse4UvOmcXASga0A==,type:str] + pgp: + - created_at: "2022-08-16T13:01:34Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hF4DntlvaG5T7wcSAQdAEzag/uoOQ96pEYOCJWCACCc0cBwukhtoBnuVh9QruRMw + WqRCcL5rAyspKhNZLR/DZHVI+hvtuLfQ5e1gIo8nVGja5SNAYzipbOtk1PQ8izmb + 0l4BD8y26ciJfKLKp/aj50pSpIOuzJc1gdp6AeYie3exOQE3uSa3TQdH7LombzCe + fbCDg7/3lF44uGOOS6zOt8Mve5in1K4hASZvPlJbL4gdyX5rXwtBBe8sI18lKI5c + =E6ms + -----END PGP MESSAGE----- + fp: B8E1727497FC48AA14158BDF947F769D7B95EC2B + - created_at: "2022-08-16T13:01:34Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQIMA/YLzOYaRIJJARAA12cCgMfAvv9p/g7AGdHIDRNZ3SGrIc56D+JMMC7gwobX + bpCPwW0RMUGkU32bX9S3k/Yz6ZO10xa5mnG3zz0y2QpF9lNAK5mzgH02eQ/BHYSX + e9L5mXgyT73L3dfOBHZ+GEn6RvHdEgPc0hISwXt93MP36nR5ycCZHS10uZ4U7nc4 + RkLJ//OIiwHo6jJguUFHeUyTXwIt+soLDLFz6LHdoNHZFoHw/MJatSD55dBMxn9W + rrW9gwaF+cz3/NdfIE1EC8zZ7tq8FaHfPQCnMSobjiy+s0UnYWE9Z0GZhFPk0DH5 + uj1DZEi2WMxgPzeOXBZVN48WtcLXEs97VHIu367Y0fr3ORmX7J8ve3Uq9A2rupW6 + 
1vImLdmrnpFr2WDOBoXJ6LjFGgl/NWaz9eim10cQ9fCrFcSppFSIFvt/PHNH5QFo + JAIhba/NbQAl7GbQ93nph3UO6mpy4X+mDXvTQWgmz7pkhgzauX0Sx49OQ+LCYU8q + j2EKMnej4IMzrhkRUKtmgJROTIDXxAzwrFVW3Ai/dggDHCxXEXWCswHu+/z+HQWq + uwR/Ec9ex7TNoYckW1W2+S1taDq0FEZFjzKNe7qnQfP/tTtdGIv+PKjm0XFzHnsz + zG4O4D5uXtvjTVSXY+xLhtrzb0BKbDNWDAM8OYWnb+iecohH+cNI1srK5iOdlC/S + XgHY34k4nvxISZ0FSSI6YJiuRPBJgtF8dR3AFSlW2isZU9JpXy2MNCDJG0JLgd3o + JHGAUUDGxYFQb1sDRnTzftH4mhR82QofFt6fBHhqU/syzl+Ivkb5qcS1RYCCBiw= + =3CbS + -----END PGP MESSAGE----- + fp: 91EBE87016391323642A6803B966009D57E69CC6 + - created_at: "2022-08-16T13:01:34Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQIMA8uqUsBLHj6XARAAiaL3S9KgG5un21PoAC12o5lCFAe6vYfZNJw3JHadUblJ + gWkSreWQ4L3XXux7MrsCADhzwxzC76v8oaDz8EpFvubENSYUw2TFoL+Xo7OFKpg2 + oem4mjEu4m/DNzPlWa1PYNpW/bIfgMwXjQ+TQ/PvYS5spFvfiQevsxKZYocDQpyP + a5u+vJDyhlr5QDXdnfBJyUsgwPRl3bj/zegYQEzEb19o/tux2JUKEgFFzh9ZQdkU + fL4A4qp5CYtG8Rly9Sv1pX5JpNDDoi1wM7VMcsDtQqNA1aWGrqcXhMQeZLNYXugA + pAcvuIMq3Z+ER4xYSoosw7YTaXhC7HZU3/g3y5WVYPiQR7xhQt3M+u7ZU1Uhqz5P + u7XSKzygicJchFiH5WXQfIE3uQU5M6h651dOckFuagIzLwU7Mrqsi9M+hVSc6zIa + 9g/23M8TCMgGWx7lNsaZqsRLDOYTr2wXaXczajxe3zLFJSDMU+NmXAJ8iYmrXAlJ + ZNqyqpBS/1Az8BgabFuORvwvPdJMovCTXOoUvZdupyPbqArI1/yUSg21lL+R7L+p + gwmh5qU0W1VhMNTD8sL5VrwlIpOedPBva28XpdGSyeL7IQsmWbmMrIrYnzl6i6UN + lYG76j3mVcwWXWsD8cCiVHXGV6cINrwTBAXqfl1xpJM3WDu2iFUzJK6yFy5sYRDS + XgHmYBVuuyQsBkUBIDyiTx2g/t9lXNBHL+uGQZneVr9cilBPUZtqv1w+KXlZTdz2 + 7KXfK7KXF5rYyibw7qB0ODQYkYpGQkFEY2cMqlO9RbRkeQMrwgXV4kO2SlW2dPE= + =nLwG + -----END PGP MESSAGE----- + fp: F8634A1CFF7D61608503A70B24363525EA0E8A99 + unencrypted_suffix: _unencrypted + version: 3.7.3