diff --git a/pp-keycloak.nix b/pp-keycloak.nix
index f7e8455..050d626 100644
--- a/pp-keycloak.nix
+++ b/pp-keycloak.nix
@@ -34,8 +34,8 @@ in
       proxy = "edge"; # TODO: change to reencrypt or passthrough
       hostname-strict-backchannel = true;
     };
-    initialAdminPassword = cfg.initialAdminPassword;
-    database.passwordFile = cfg.dbPasswordFile;
+    services.keycloak.initialAdminPassword = cfg.initialAdminPassword;
+    services.keycloak.database.passwordFile = cfg.dbPasswordFile;
     # Set the permittions for the db file
     system.activationScripts = {
       keycloakDbFilePermission.text =
@@ -44,7 +44,7 @@ in
         chown keycloak ${cfg.dbPasswordFile}
       '';
     };
-    database.createLocally = true;
+    services.keycloak.database.createLocally = true;
     # TODO: enable client cert lookup: https://www.keycloak.org/server/reverseproxy#_enabling_client_certificate_lookup
 
     # NGINX