diff --git a/nixos/access/keycloak.nix b/nixos/access/keycloak.nix
index 6a900754..e1371a79 100644
--- a/nixos/access/keycloak.nix
+++ b/nixos/access/keycloak.nix
@@ -3,38 +3,21 @@
   lib,
   ...
 }: let
-  inherit (lib.options) mkOption;
   inherit (lib.modules) mkIf mkDefault;
   cfg = config.services.keycloak;
-  inherit (config) networking;
   inherit (config.services) nginx;
-  access = nginx.access.keycloak;
-  locations = {
-    "/" = {
-      proxyPass = mkDefault access.url;
-    };
-  };
 in {
-  options.services.nginx.access.keycloak = with lib.types; {
-    host = mkOption {
-      type = str;
-      default = "keycloak.local.${networking.domain}";
-    };
-    url = mkOption {
-      type = str;
-      default = "https://${access.host}";
-    };
-  };
   config.services.nginx = {
-    access.keycloak = mkIf cfg.enable {
-      host = mkDefault "localhost";
-      url = mkDefault (if cfg.sslCertificate != null then "https://${access.host}" else "http://${access.host}");
-    };
     virtualHosts = {
       keycloak = {
         name.shortServer = mkDefault "sso";
         ssl.force = mkDefault true;
-        inherit locations;
+        locations."/".proxyPass = let
+          url = mkDefault (if cfg.sslCertificate != null
+            then "https://localhost:${toString cfg.settings.https-port}"
+            else "http://localhost:${toString cfg.settings.http-port}"
+          );
+        in mkIf cfg.enable (mkDefault url);
       };
       keycloak'local = {
         name.shortServer = mkDefault "sso";
@@ -43,14 +26,7 @@ in {
         cert.copyFromVhost = "keycloak";
       };
       local.enable = true;
-      inherit locations;
-      extraConfig = mkIf false ''
-        set $vouch_local_url ${nginx.vouch.localUrl};
-        #if ($x_forwarded_host ~ "\.tail\.${networking.domain}$") {
-        # set $vouch_local_url $x_scheme://${nginx.vouch.tailDomain};
-        #}
-        proxy_redirect ${nginx.vouch.url}/ $vouch_local_url/;
-      '';
+      locations."/".proxyPass = mkDefault nginx.virtualHosts.keycloak.locations."/".proxyPass;
     };
   };
 };
diff --git a/nixos/keycloak.nix b/nixos/keycloak.nix
index 347512e4..4ef4ec07 100644
--- a/nixos/keycloak.nix
+++ b/nixos/keycloak.nix
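Review bot: The new `proxyPass` for the `keycloak` vhost wraps a `url` that is already `mkDefault`ed in a second `mkDefault`; as far as I can tell the module system strips only one override layer per definition, so the inner wrapper is at best redundant and at worst leaves a non-string definition for the option's type check, and `url = if cfg.sslCertificate != null then "https://localhost:${toString cfg.settings.https-port}" else "http://localhost:${toString cfg.settings.http-port}";` keeps the intent without it. The `https://localhost:…` branch also deserves a comment on what it does and does not give you: nginx does not verify upstream certificates unless `proxy_ssl_verify` is enabled, so this TLS hop is encrypted but not authenticated, which is fine on loopback but should not be copied as-is for a remote backend. I would add `# loopback-only upstream; nginx does not verify the upstream cert unless proxy_ssl_verify is set` above the `let`. The hunk at `@@ -43,14 +26,7 @@` then copies this value into `keycloak'local`, so fixing it here covers both.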
@@ -21,7 +21,7 @@ in {
       sopsFile = ./secrets/keycloak.yaml;
       owner = "keycloak";
     };
-  in {
+  in mkIf cfg.enable {
     keycloak_db_password = commonSecret;
   };
   users = mkIf cfg.enable {
@@ -33,10 +33,12 @@ in {
     };
   };
-  networking.firewall.interfaces.local.allowedTCPPorts = mkIf cfg.enable [
-    (if cfg.sslCertificate != null then 443 else 80)
+  networking.firewall.interfaces.int.allowedTCPPorts = mkIf cfg.enable [
+    (if cfg.sslCertificate != null then cfg.settings.https-port else cfg.settings.http-port)
   ];
 
-  systemd.services.keycloak.serviceConfig.DynamicUser = mkForce false;
+  systemd.services.keycloak = mkIf cfg.enable {
+    serviceConfig.DynamicUser = mkForce false;
+  };
 
   services.keycloak = {
     enable = true;
@@ -54,6 +56,8 @@ in {
       hostname-strict = mkDefault hostname-strict;
       hostname-strict-https = mkDefault hostname-strict;
       proxy-headers = mkDefault "xforwarded";
+      http-port = mkDefault 8080;
+      https-port = mkDefault 8443;
     };
 
     sslCertificate = mkDefault "${cert}/fullchain.pem";
diff --git a/systems/hakurei/nixos.nix b/systems/hakurei/nixos.nix
index 56b40ad5..8bdbe41d 100644
--- a/systems/hakurei/nixos.nix
+++ b/systems/hakurei/nixos.nix
@@ -230,6 +230,7 @@ in {
         # we're not the real sso record-holder, so don't respond globally..
         local.denyGlobal = true;
         ssl.cert.enable = true;
+        locations."/".proxyPass = "https://${getHostnameFor "keycloak" "lan"}:8443";
       };
       vouch = let
         inherit (keycloak.services) vouch-proxy;
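Review bot: Moving the firewall exception from interface `local` to `int` and opening Keycloak's own listener (`https-port`/`http-port`, 8443/8080 with the defaults added at `@@ -54,6 +56,8 @@`) makes the Keycloak process reachable by every host on that interface rather than only by the reverse proxy, and the `proxy-headers = mkDefault "xforwarded"` setting visible in the same file means Keycloak treats the `X-Forwarded-*` headers of any direct client as if they came from the proxy. Unless `int` carries only the nginx host, the rule should be narrowed to the proxy's source address (a rule in `networking.firewall.extraCommands` or the nftables equivalent) or, if the deployed Keycloak version supports it, paired with `proxy-trusted-addresses` naming the proxy; at minimum a comment above the `allowedTCPPorts` line should state which host is expected to reach this port and why the interface is `int`. The enclosing module body continues outside the hunk.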
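Review bot: The added `proxyPass` sends traffic to `https://…:8443` on another host, and nginx does not validate the upstream certificate unless `proxy_ssl_verify on` is set together with `proxy_ssl_trusted_certificate` (and `proxy_ssl_name` when the certificate's name differs from the address used), so this hop is encrypted but the upstream is not authenticated; either enable verification in this location's `extraConfig` or add a comment such as `# upstream TLS is unverified; relies on the LAN segment being trusted` so the assumption is explicit. The port `8443` is also hard-coded here while `nixos/keycloak.nix` now derives it from `cfg.settings.https-port`, and the `cfg.sslCertificate == null` case (plain `http://` on `http-port`) is not handled; if `keycloak.services` on the next lines is that host's evaluated config, `toString keycloak.services.keycloak.settings.https-port` would keep the two in step. The enclosing vhost definition starts before the hunk.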