diff --git a/base.nix b/base.nix
index 4a622c8..856b01c 100644
--- a/base.nix
+++ b/base.nix
@@ -12,8 +12,13 @@ in {
 domainName = mkOption {
 type = types.str;
 example = "example.com";
- description = "Name of the machine, use for hostname";
+ description = "Domain of the machine, use for hostname";
 };
+ admin_email = mkOption {
+ type = types.str;
+ example = "example@example.com";
+ description = "Email of the admin, use for ACME and stuff";
+ }
 };
 config = {
 swapDevices = [
diff --git a/pp-keycloak.nix b/pp-keycloak.nix
new file mode 100644
index 0000000..7ed9ffd
--- /dev/null
+++ b/pp-keycloak.nix
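Review bot: The new `admin_email` binding is not terminated: the added `+ }` closes the `mkOption` call but is followed directly by the context line `};`, so the enclosing attribute set no longer parses (every binding in a Nix attrset needs a trailing semicolon). The line should read `+ };`, matching the `};` that already closes `domainName` above it. The enclosing `options` set starts before this hunk, so the unchanged bindings around it were not reviewed.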
@@ -0,0 +1,70 @@
+{ config, pkgs, lib, ... }:
+with lib;
+let
+ cfgBase = config.base;
+ cfg = config.services.ppKeycloak;
+in
+{
+ options.services.ppKeycloak = {
+ domain = mkOption {
+ type = types.str;
+ default = "auth.${cfgBase.domainName}";
+ example = "auth.example.com";
+ description = "The domain of the server";
+ };
+ initialAdminPassword = mkOption {
+ type = types.str;
+ description = "Change on first login, the initial password for the keycloak admin";
+ };
+ dbPasswordFile = mkOption {
+ type = types.str;
+ default = "/etc/kc_db_pwd";
+ description = "The file containing the database password. Be sure to secure it.";
+ };
+
+ };
+
+ config = {
+ enable = true;
+ settings = {
+ hostname = cfg.domain;
+ http-host = "127.0.0.1";
+ http-port = 8080;
+ https-port = 8443;
+ proxy = "edge"; # TODO: change to reencrypt or passthrough
+ hostname-strict-backchannel = true;
+ };
+ initialAdminPassword = cfg.initialAdminPassword;
+ database.passwordFile = cfg.dbPasswordFile;
+ database.createLocally = true;
+ # TODO: enable client cert lookup: https://www.keycloak.org/server/reverseproxy#_enabling_client_certificate_lookup
+
+ # NGINX
+ security.acme.acceptTerms = true;
+ security.acme.defaults.email = cfgBase.admin_email;
+
+ services.nginx = {
+ enable = true;
+ virtualHosts = {
+ "${cfg.domain}" = {
+ forceSSL = true;
+ enableACME = true;
+ # TODO: reduce attack surface https://www.keycloak.org/server/reverseproxy#_enabling_client_certificate_lookup
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:8080";
+ extraConfig = ''
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Forwarded-Server $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header Host $host;
+ proxy_pass_request_headers on;
+ '';
+ };
+ };
+ };
+ };
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+ };
+}
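Review bot: `enable`, `settings`, `initialAdminPassword` and `database.*` are assigned directly on `config` rather than under `services.keycloak`, so the module will fail evaluation with an undefined-option error for `config.enable` and friends, and Keycloak never gets the loopback bind, `proxy = "edge"` and `hostname-strict-backchannel` settings this hunk intends. Wrap that run of bindings as `services.keycloak = { enable = true; settings = { … }; initialAdminPassword = …; database = { … }; };` so it sits beside `services.nginx` in the same `config` set. Separately, `initialAdminPassword` is a plain `types.str`, and a value given to it is presumably rendered into the generated service configuration in the world-readable Nix store, so the option description should state that rather than only "Change on first login" — e.g. `description = "Initial password for the keycloak admin. Treat it as public (it is likely to end up in the Nix store) and change it on first login.";` — or take a file path the way `dbPasswordFile` does. The nginx side is already the right shape for edge termination: Keycloak only listens on `127.0.0.1:8080`, so the `X-Forwarded-*` headers it trusts can only come from the local proxy.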