diff --git a/hosts/architect/keycloak.nix b/hosts/architect/keycloak.nix
new file mode 100644
index 0000000..563c683
--- /dev/null
+++ b/hosts/architect/keycloak.nix
@@ -0,0 +1,48 @@
+{ pkgs, config, ... }:
+
+let
+  network = import ./network.nix;
+  domain = "auth.giugl.io";
+in {
+  services = {
+    keycloak = {
+      enable = true;
+      initialAdminPassword = "giulio";
+      database.passwordFile = "/secrets/keycloak/database.key";
+      settings = {
+        hostname = domain;
+        proxy = "edge";
+        http-port = 6654;
+        https-port = 6655;
+        hostname-strict-backchannel = true;
+      };
+    };
+
+    postgresql = {
+      ensureDatabases =
+        [ "${toString config.services.keycloak.database.name}" ];
+      ensureUsers = [{
+        name = "${toString config.services.keycloak.database.username}";
+        ensurePermissions = {
+          "DATABASE ${toString config.services.keycloak.database.name}" =
+            "ALL PRIVILEGES";
+        };
+      }];
+    };
+
+    nginx.virtualHosts.${domain} = {
+      forceSSL = true;
+      enableACME = true;
+      locations."/" = {
+        proxyPass = "http://localhost:${
+          toString config.services.keycloak.settings.http-port
+        }";
+      };
+    };
+  };
+
+  networking.extraHosts = ''
+    ${network.architect-lan} ${domain}
+    ${network.architect-wg} ${domain}
+  '';
+}
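Review bot: `initialAdminPassword = "giulio"` commits a short, literal admin credential that is copied into the world-readable Nix store, whereas the database password is correctly kept out of the repo via `database.passwordFile`. Treat it as bootstrap-only and change it at first login, or, if the module version in use offers a file-based variant, provision it from the same `/secrets/keycloak/` path; at minimum a generated, non-dictionary value is warranted. Separately, `proxy = "edge"` makes Keycloak trust X-Forwarded-* headers from any client that reaches `http-port` 6654, and nothing here binds that listener to loopback; confirm it is firewalled or set Keycloak's `http-host` to `127.0.0.1` so only the nginx proxy on `localhost` can reach it. The nginx location also relies on forwarded headers being set (e.g. `services.nginx.recommendedProxySettings = true`, unless already enabled elsewhere) for edge mode to see the original scheme and client address.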