diff --git a/flake.lock b/flake.lock
index 1c47c14f..09f5b99d 100644
--- a/flake.lock
+++ b/flake.lock
@@ -7,11 +7,11 @@
 ]
 },
 "locked": {
- "lastModified": 1719079655,
- "narHash": "sha256-FsiySRMULRlNPfP7s/FRj/V6GI+Y4Te4xvUAniaLXqQ=",
+ "lastModified": 1719854708,
+ "narHash": "sha256-EUjNXcLW6cN0UY89kkfncC/cVO0CY6qIUfKmlse/gLg=",
 "owner": "arcnmx",
 "repo": "nixexprs",
- "rev": "3b861e91acd3ea56d3eb26bf17f1d3e3acb5b304",
+ "rev": "5165118a5c43addcaace24579f0e62f5d1a792a7",
 "type": "github"
 },
 "original": {
@@ -160,11 +160,11 @@
 ]
 },
 "locked": {
- "lastModified": 1719677234,
- "narHash": "sha256-qO9WZsj/0E6zcK4Ht1y/iJ8XfwbBzq7xdqhBh44OP/M=",
+ "lastModified": 1719827439,
+ "narHash": "sha256-tneHOIv1lEavZ0vQ+rgz67LPNCgOZVByYki3OkSshFU=",
 "owner": "nix-community",
 "repo": "home-manager",
- "rev": "36317d4d38887f7629876b0e43c8d9593c5cc48d",
+ "rev": "59ce796b2563e19821361abbe2067c3bb4143a7d",
 "type": "github"
 },
 "original": {
@@ -190,11 +190,11 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1719506693,
- "narHash": "sha256-C8e9S7RzshSdHB7L+v9I51af1gDM5unhJ2xO1ywxNH8=",
+ "lastModified": 1719848872,
+ "narHash": "sha256-H3+EC5cYuq+gQW8y0lSrrDZfH71LB4DAf+TDFyvwCNA=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "b2852eb9365c6de48ffb0dc2c9562591f652242a",
+ "rev": "00d80d13810dbfea8ab4ed1009b09100cca86ba8",
 "type": "github"
 },
 "original": {
@@ -267,11 +267,11 @@
 "nixpkgs-stable": "nixpkgs-stable"
 },
 "locked": {
- "lastModified": 1719716556,
- "narHash": "sha256-KA9gy2Wkv76s4A8eLnOcdKVTygewbw3xsB8+awNMyqs=",
+ "lastModified": 1719873517,
+ "narHash": "sha256-D1dxZmXf6M2h5lNE1m6orojuUawVPjogbGRsqSBX+1g=",
 "owner": "Mic92",
 "repo": "sops-nix",
- "rev": "b5974d4331fb6c893e808977a2e1a6d34b3162d6",
+ "rev": "a11224af8d824935f363928074b4717ca2e280db",
 "type": "github"
 },
 "original": {
diff --git a/nixos/keycloak.nix b/nixos/keycloak.nix
index 1d59bc11..9b0d2077 100644
--- a/nixos/keycloak.nix
+++ b/nixos/keycloak.nix
@@ -1,27 +1,17 @@
 {
- systemConfig,
 access,
 config,
- gensokyo-zone,
 lib,
 ...
 }: let
 inherit (lib.modules) mkIf mkForce mkDefault;
- inherit (lib.lists) optional;
 cfg = config.services.keycloak;
 cert = access.mkSnakeOil {
 name = "keycloak-selfsigned";
 domain = hostname;
 };
 hostname = "sso.${config.networking.domain}";
- hostname-strict = false;
- inherit (gensokyo-zone.self.legacyPackages.${systemConfig.system}) patchedNixpkgs;
- keycloakModulePath = "services/web-apps/keycloak.nix";
 in {
- # upstream keycloak makes an incorrect assumption in its assertions, so we patch it
- disabledModules = optional (!hostname-strict) keycloakModulePath;
- imports = optional (!hostname-strict) (patchedNixpkgs + "/nixos/modules/${keycloakModulePath}");
-
 sops.secrets = let
 commonSecret = {
 sopsFile = ./secrets/keycloak.yaml;
@@ -61,9 +51,11 @@ in {
 useSSL = postgresql.ports.default.ssl;
 };
 
- settings = {
+ settings = let
+ hostname-strict = false;
+ in {
 hostname = mkDefault (
- if hostname-strict
+ if cfg.settings.hostname-strict
 then hostname
 else null
 );
diff --git a/outputs.nix b/outputs.nix
index 19918822..957b5536 100644
--- a/outputs.nix
+++ b/outputs.nix
@@ -32,7 +32,7 @@
 pkgs.__withSubBuilders;
 patchedNixpkgs = let
 patches = [
- ./packages/nixpkgs-keycloak-nullhostname.patch
+ # XXX: no pending nixpkgs patches atm
 ];
 patchedNixpkgs = pkgs.applyPatches {
 name = "nixpkgs";
diff --git a/packages/nixpkgs-keycloak-nullhostname.patch b/packages/nixpkgs-keycloak-nullhostname.patch
deleted file mode 100644
index f7c43a70..00000000
--- a/packages/nixpkgs-keycloak-nullhostname.patch
+++ /dev/null
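Review bot: The `hostname-strict = false` bound in the new `let` is not what the condition three lines below reads — it tests `cfg.settings.hostname-strict` — so the local only takes effect if it is also assigned into the attrset further down (the `settings` block continues past the end of the hunk); if it is, `if hostname-strict` says the same thing without a round-trip through the module fixpoint, and if it is not, the binding is dead and `hostname` is `null` only because of the option's upstream default. The security-relevant consequence of `hostname-strict = false` together with `hostname = null` is that, per Keycloak's hostname documentation (worth re-checking against the deployed version), the server derives its public base URL — issuer, discovery, redirect and e-mail links — from the request's `Host`/forwarded headers, so the proxy terminating `sso.${config.networking.domain}` must overwrite those headers with the canonical name rather than pass the client's through, or a host-header injection can poison the generated links. Since the commit also drops the comment that explained the old nixpkgs workaround, the reason for the relaxed setting should be stated above the `let`, e.g. `# hostname-strict=false: Keycloak resolves its public URL from request headers, so the reverse proxy must pin Host to the canonical name`.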
@@ -1,23 +0,0 @@
-diff --git a/nixos/modules/services/web-apps/keycloak.nix b/nixos/modules/services/web-apps/keycloak.nix
---- a/nixos/modules/services/web-apps/keycloak.nix
-+++ b/nixos/modules/services/web-apps/keycloak.nix
-@@ -328,7 +328,7 @@ in
- };
-
- hostname = mkOption {
-- type = str;
-+ type = nullOr str;
- example = "keycloak.example.com";
- description = ''
- The hostname part of the public URL used as base for
-@@ -477,6 +477,10 @@ in
- assertion = createLocalPostgreSQL -> config.services.postgresql.settings.standard_conforming_strings or true;
- message = "Setting up a local PostgreSQL db for Keycloak requires `standard_conforming_strings` turned on to work reliably";
- }
-+ {
-+ assertion = cfg.settings.hostname != null || ! cfg.settings.hostname-strict or true;
-+ message = "Setting the Keycloak hostname is required, see `services.keycloak.settings.hostname`";
-+ }
- {
- assertion = cfg.settings.hostname-url or null == null;
- message = ''