diff --git a/README.md b/README.md
index 55f7cc74..c393db7f 100644
--- a/README.md
+++ b/README.md
@@ -113,10 +113,12 @@ See [here][] for additional information on profiles.
 | [filehost][] | I sling things in here via SSH/SCP. |
 | [fusionpbx][] | FusionPBX. Fancy PBX. |
 | [gitea][] | Self-hosted git with mail support. |
+| [glauth][] | LDAP server. |
 | [jellyfin][] | HTPC/NAS stuff. |
 | [katsplash][] | A splash screen for some hosts. |
 | [kattv-ingest][] | Takes data from kattv, slings to RTMP. |
 | [kattv][] | Takes data from a webcam, slings to kattv-ingest. |
+| [keycloak][] | Fancy identity stuffs. |
 | [knot][] | Knot DNS, authoritative DNS server. |
 | [logrotate][] | Rotates logs! |
 | [mail][] | [nixos-mailserver][]. |
@@ -255,10 +257,12 @@ Please use `nix-shell` or [direnv/direnv][]. The shell is not compatible with [n
 [filehost]: config/services/filehost/default.nix
 [fusionpbx]: config/services/fusionpbx/default.nix
 [gitea]: config/services/gitea/default.nix
+ [glauth]: config/services/glauth
 [jellyfin]: config/services/jellyfin/default.nix
 [katsplash]: config/services/katsplash/default.nix
 [kattv-ingest]: config/services/kattv-ingest/default.nix
 [kattv]: config/services/kattv/default.nix
+ [keycloak]: config/services/keycloak
 [knot]: config/services/knot/default.nix
 [logrotate]: config/services/logrotate/default.nix
 [mail]: config/services/mail/default.nix
diff --git a/config/modules/nixos/glauth.nix b/config/modules/nixos/glauth.nix
index e3156a6f..13afade4 100644
--- a/config/modules/nixos/glauth.nix
+++ b/config/modules/nixos/glauth.nix
@@ -154,6 +154,7 @@ in
 shopt -s inherit_errexit
 umask u=rwx,g=,o=
 mkdir -p /run/glauth/secrets
+ chown -R glauth:glauth /run/glauth/
 install -T -m 0400 -o glauth -g glauth '${dbcfg.passwordFile}' /run/glauth/secrets/db_password
 '';
 startPre = ''
diff --git a/config/services/glauth/default.nix b/config/services/glauth/default.nix
index 803a979e..d15d75b1 100644
--- a/config/services/glauth/default.nix
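Review bot: `chown -R glauth:glauth /run/glauth/` gives the service account ownership of the whole runtime tree, including the `secrets` directory that the privileged `install -T` on the next line then writes `db_password` into, so the pre-start is placing a secret inside a directory the less-privileged daemon controls between starts. The recursion is also wider than the apparent need: `install` already sets `-o glauth -g glauth` on the file, and the only thing `umask u=rwx,g=,o=` took away is traversal of the root-owned directories. Consider replacing `mkdir -p` plus `chown -R` with `install -d -m 0750 -o root -g glauth /run/glauth /run/glauth/secrets` (or a systemd `RuntimeDirectory`), and if the daemon must write somewhere under `/run/glauth` for a socket or pid file (not visible here) chown only that path. The `''` script containing this line starts before the hunk.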
+++ b/config/services/glauth/default.nix
@@ -1,6 +1,10 @@
 { config, tf, lib, ... }: with lib; {
 network.firewall.public.tcp.ports = singleton 3984;
+ network.extraCerts.domain-auth = "auth.${config.network.dns.domain}";
+ users.groups.domain-auth.members = [ "nginx" "glauth" ];
+ security.acme.certs.domain-auth.group = "domain-auth";
+
 services.glauth = {
 enable = true;
 configFile = config.secrets.files.glauth-config-file.path;
@@ -19,8 +23,8 @@
 ldaps = {
 enabled = true;
 listen = "0.0.0.0:3894";
- cert = "/var/lib/acme/auth.kittywit.ch/fullchain.pem";
- key = "/var/lib/acme/auth.kittywit.ch/key.pem";
+ cert = "/var/lib/acme/domain-auth/fullchain.pem";
+ key = "/var/lib/acme/domain-auth/key.pem";
 };
 backend = {
 baseDN = "dc=kittywitch,dc=com";
diff --git a/config/services/keycloak/default.nix b/config/services/keycloak/default.nix
index d1e59f3b..30396aad 100644
--- a/config/services/keycloak/default.nix
+++ b/config/services/keycloak/default.nix
@@ -29,7 +29,7 @@
 };
 services.nginx.virtualHosts."auth.${config.network.dns.domain}" = {
- enableACME = true;
+ useACMEHost = "domain-auth";
 forceSSL = true;
 locations = { "/".proxyPass = "http://127.0.0.1:8089"; }; };
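Review bot: `security.acme.certs.domain-auth` is declared with only `group`, so nothing reloads glauth after a renewal and the LDAPS listener on 3894 keeps serving the certificate it loaded at start until the unit is restarted; add `security.acme.certs.domain-auth.reloadServices = [ "glauth.service" ];` next to the `group` line, unless `network.extraCerts` (a project option whose effect is not visible in this diff) already wires that up. Sharing one key between nginx and glauth via the `domain-auth` group is a reasonable trade for a single hostname but deserves a comment, e.g. `# nginx (keycloak vhost) and glauth both read this key`. While the file is open: the firewall rule above opens TCP 3984 but `ldaps.listen` in the second hunk binds 3894, which may be intentional but reads like a transposition.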
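Review bot: the two new paths hard-code `/var/lib/acme/domain-auth`, duplicating the certificate name that the first hunk of this file declares; if the cert is ever renamed the listener silently points at a stale or missing file. The ACME module exposes the directory, so `cert = "${config.security.acme.certs.domain-auth.directory}/fullchain.pem";` and `key = "${config.security.acme.certs.domain-auth.directory}/key.pem";` keep the two in sync and fail at evaluation time rather than at runtime. The `services.glauth` attribute set this `ldaps` block belongs to starts before the hunk.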
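Review bot: `useACMEHost = "domain-auth"` makes this vhost depend on a certificate and on nginx's membership in the `domain-auth` group that are both declared in `config/services/glauth/default.nix` rather than here, so a host importing keycloak without glauth has no `domain-auth` certificate and no group granting nginx the key, and nothing in this file points at that dependency. Either move the `domain-auth` cert and group definitions into a module both services import, or add `# cert "domain-auth" and nginx's group membership are defined in config/services/glauth/default.nix` above this line.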