diff --git a/flake.nix b/flake.nix index f609aaa7..501ba98f 100644 --- a/flake.nix +++ b/flake.nix @@ -657,15 +657,6 @@ ]; }; - # TODO: requires config cleanup for nixos-22.05 - # keycloak = nixosSystem' { - # modules = [ - # ./config/lxc-container.nix - # ./hosts/containers/keycloak - # { nixpkgs.overlays = with secrets.overlays; [ keycloak ]; } - # ]; - # }; - c3d2-web = nixosSystem' { modules = [ { _module.args = { inherit nixpkgs; }; } diff --git a/hosts/containers/keycloak/default.nix b/hosts/containers/keycloak/default.nix deleted file mode 100644 index c722ee2b..00000000 --- a/hosts/containers/keycloak/default.nix +++ /dev/null 
@@ -1,58 +0,0 @@
-{ zentralwerk, config, pkgs, ... }:
-let
- frontendDomain = "keycloak.c3d2.de";
-in
-{
- networking = {
- hostName = "keycloak";
- useDHCP = false;
- useNetworkd = true;
- interfaces.eth0 = {
- useDHCP = false;
- ipv4.addresses = [{
- address = config.c3d2.hosts."${config.networking.hostName}".ip4;
- prefixLength = zentralwerk.lib.config.site.net.serv.subnet4Len;
- }
- ];
- };
- defaultGateway = "172.20.73.1";
- nameservers = [ "172.20.73.8" "9.9.9.9" ];
- };
-
- # http https
- networking.firewall.allowedTCPPorts = [ 80 443 ];
-
- services.nginx = {
- enable = true;
- virtualHosts."keycloak.c3d2.de" = {
- default = true;
- forceSSL = true;
- enableACME = true;
- locations."/" = {
- proxyPass = "http://127.0.0.1:8080";
- # proxyWebsockets = true;
- };
- locations."/auth" = {
- proxyPass = "http://127.0.0.1:8080/auth";
- # proxyWebsockets = true;
- };
- };
- };
-
- # noXlibs breaks cairo:
- environment.noXlibs = false;
- services.keycloak = let
- inherit (pkgs.keycloak-secrets) dbPassword;
- in {
- enable = true;
- inherit (pkgs.keycloak-secrets) initialAdminPassword;
- frontendUrl = "https://${frontendDomain}/auth";
- forceBackendUrlToFrontendUrl = true;
- httpPort = "\${jboss.http.port:8080}";
- bindAddress = "\${jboss.bind.address:127.0.0.1}";
- # sslCertificate = "/var/lib/acme/${frontendDomain}/fullchain.pem";
- # sslCertificateKey = "/var/lib/acme/${frontendDomain}/key.pem";
- database.passwordFile = builtins.toFile "db_password" dbPassword;
- };
- systemd.services.keycloak.requires = [ "acme-${frontendDomain}.service" ];
-}