diff --git a/all-packages.nix b/all-packages.nix
index ccd35d5..3bece31 100644
--- a/all-packages.nix
+++ b/all-packages.nix
@@ -29,6 +29,8 @@ let
 
     mkKeycloakCliService = callPackage ./keycloak-cli-config/unit.nix {inherit utils;};
 
+    keycloak = callPackage ./keycloak {inherit utils customPkgs;};
+
     ttrss = callPackage ./ttrss {inherit utils customPkgs;};
     vaultwarden = callPackage ./vaultwarden {inherit utils customPkgs;};
   };
diff --git a/keycloak/default.nix b/keycloak/default.nix
new file mode 100644
index 0000000..d043b9b
--- /dev/null
+++ b/keycloak/default.nix
@@ -0,0 +1,35 @@
+{ customPkgs
+, pkgs
+, utils
+}:
+{ serviceName ? "Keycloak"
+, subdomain ? "keycloak"
+
+, database ?
+  {
+    name = subdomain;
+    username = "keycloak";
+    # TODO: use passwordFile
+    password = "keycloak";
+  }
+}:
+rec {
+  inherit subdomain;
+  inherit database;
+
+  db = customPkgs.mkPostgresDB {
+    name = "KeycloakPostgresDB";
+    database = database.name;
+    username = database.username;
+    # TODO: use passwordFile
+    password = database.password;
+  };
+
+  services = {
+    ${db.name} = db;
+  };
+
+  distribute = on: {
+    ${db.name} = on;
+  };
+}