diff --git a/flake.lock b/flake.lock
index 262ee6d9..073cb907 100644
--- a/flake.lock
+++ b/flake.lock
@@ -127,11 +127,11 @@
 },
 "secrets": {
 "locked": {
- "lastModified": 1634253643,
- "narHash": "sha256-uX2zviwxBDWPnacMfLWpmsddJR5zLKfhqdxs04+UakM=",
+ "lastModified": 1634323852,
+ "narHash": "sha256-I1lEPlHhSPURU8InOR7zZ7xDXj40HG/TnP4fa5N7hKc=",
 "ref": "master",
- "rev": "3b337a981efaca600fc268d31a553522a578d7dd",
- "revCount": 103,
+ "rev": "909211887311b6319b68384749abe430b0d8d532",
+ "revCount": 104,
 "type": "git",
 "url": "ssh://gitea@gitea.c3d2.de/c3d2-admins/secrets.git"
 },
diff --git a/flake.nix b/flake.nix
index 0f4a8cae..c973f274 100644
--- a/flake.nix
+++ b/flake.nix
@@ -404,6 +404,11 @@
 keycloak = nixosSystem' {
 modules = [
 ./lib/lxc-container.nix
+ ({ ... }: {
+ nixpkgs.overlays = with secrets.overlays; [
+ keycloak
+ ];
+ })
 ./hosts/containers/keycloak
 ];
 system = "x86_64-linux";
diff --git a/hosts/containers/keycloak/default.nix b/hosts/containers/keycloak/default.nix
index 904f511e..3b290cc3 100644
--- a/hosts/containers/keycloak/default.nix
+++ b/hosts/containers/keycloak/default.nix
@@ -1,4 +1,7 @@
-{ hostRegistry, config, ... }:
+{ hostRegistry, config, pkgs, ... }:
+let
+ frontendDomain = "keycloak.c3d2.de";
+in
 {
 networking.hostName = "keycloak";
 networking.useNetworkd = true;
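Review bot: Applying `secrets.overlays.keycloak` through `nixpkgs.overlays` turns its contents into ordinary evaluation-time values under `pkgs`, so anything the host module interpolates from them is copied into the built system closure and therefore into the world-readable Nix store. The host module in this same commit reads `pkgs.keycloak-secrets.dbPassword` and `.initialAdminPassword`, so if the overlay presumably carries plaintext passwords, it would be safer for it to expose paths to files provisioned outside the store instead. A one-line comment on the anonymous module would also help the next reader, e.g. `# expose pkgs.keycloak-secrets from the private secrets flake to this container only`. The `keycloak = nixosSystem' {` attribute set continues past the end of the hunk.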
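Review bot: `frontendDomain` is introduced here, but the nginx virtual host added further down in this file still hard-codes `"keycloak.c3d2.de"`, so the vhost name can drift from `frontendUrl` and the `acme-${frontendDomain}.service` dependency, which do follow the binding. Use the binding there as well: `virtualHosts.${frontendDomain} = {`. A short comment on the binding would make the coupling explicit, e.g. `# public hostname; must match the ACME vhost and Keycloak's frontendUrl`. The attribute set opened by `{` here closes outside the hunk.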
@@ -7,4 +10,35 @@
 prefixLength = 26;
 }];
 networking.defaultGateway = "172.20.73.1";
+
+ # http https
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+ services.nginx = {
+ enable = true;
+ virtualHosts."keycloak.c3d2.de" = {
+ default = true;
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ # proxyPass = "http://localhost:8073";
+ # proxyWebsockets = true;
+ };
+ };
+ };
+
+ # noXlibs breaks cairo:
+ environment.noXlibs = false;
+ services.keycloak = let
+ inherit (pkgs.keycloak-secrets) dbPassword;
+ in {
+ enable = true;
+ inherit (pkgs.keycloak-secrets) initialAdminPassword;
+ frontendUrl = "https://${frontendDomain}/auth";
+ forceBackendUrlToFrontendUrl = true;
+ # sslCertificate = "/var/lib/acme/${frontendDomain}/fullchain.pem";
+ # sslCertificateKey = "/var/lib/acme/${frontendDomain}/key.pem";
+ database.passwordFile = builtins.toFile "db_password" dbPassword;
+ };
+ systemd.services.keycloak.requires = [ "acme-${frontendDomain}.service" ];
 }
diff --git a/secrets b/secrets
index 3b337a98..90921188 160000
--- a/secrets
+++ b/secrets
@@ -1 +1 @@
-Subproject commit 3b337a981efaca600fc268d31a553522a578d7dd
+Subproject commit 909211887311b6319b68384749abe430b0d8d532
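Review bot: `database.passwordFile = builtins.toFile "db_password" dbPassword` writes the plaintext database password into the Nix store, where every local user on the host (and anything that can read the container's store) can read it, which defeats the purpose of a `passwordFile` option; `initialAdminPassword` taken from `pkgs.keycloak-secrets` is likewise evaluated into the system closure. Point `database.passwordFile` at a file provisioned outside the store and readable only by the keycloak service, e.g. `database.passwordFile = "/run/keys/keycloak-db-password";`, and treat the admin bootstrap password the same way. Separately, `locations."/"` has `proxyPass` commented out, so the TLS vhost on 443 currently serves nothing and Keycloak is not reachable through it; unless `services.keycloak.httpPort` is set elsewhere (not visible here), the module's default HTTP listener may also collide with nginx on port 80, so either enable the proxy to the port Keycloak actually listens on or drop the vhost until it does. The enclosing attribute set opens outside this hunk.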