diff --git a/modules/nixos/nginx/vouch.nix b/modules/nixos/nginx/vouch.nix
index e20dfba8..70be6ff9 100644
--- a/modules/nixos/nginx/vouch.nix
+++ b/modules/nixos/nginx/vouch.nix
@@ -21,7 +21,7 @@
 };
 authUrl = mkOption {
 type = str;
- default = "https://id.${networking.domain}";
+ default = "https://sso.${networking.domain}/realms/${networking.domain}";
 };
 url = mkOption {
 type = str;
diff --git a/nixos/access/vouch.nix b/nixos/access/vouch.nix
index 59059d55..35e9c3a3 100644
--- a/nixos/access/vouch.nix
+++ b/nixos/access/vouch.nix
@@ -40,7 +40,7 @@ in {
 then "localhost"
 else listen;
 in
- mkOptionDefault "http://${host}:${toString cfg.port}";
+ mkOptionDefault "http://${host}:${toString cfg.settings.vouch.port}";
 };
 virtualHosts = let
 locations = {
@@ -68,7 +68,7 @@ in {
 };
 localLocations = kanidmDomain: {
 "/".extraConfig = ''
- proxy_redirect $scheme://${nginx.access.kanidm.domain or "id.${networking.domain}"}/ $scheme://${kanidmDomain}/;
+ proxy_redirect $scheme://sso.${networking.domain}/ $scheme://${kanidmDomain}/;
 '';
 };
 in {
@@ -76,7 +76,6 @@ in {
 local.enable = true;
 locations = mkMerge [
 locations
- (localLocations nginx.access.kanidm.localDomain or "id.local.${networking.domain}")
 ];
 useACMEHost = mkDefault access.useACMEHost;
 forceSSL = true;
@@ -85,7 +84,6 @@ in {
 local.enable = true;
 locations = mkMerge [
 locations
- (localLocations nginx.access.kanidm.tailDomain or "id.tail.${networking.domain}")
 ];
 useACMEHost = mkDefault access.useACMEHost;
 addSSL = mkIf (access.useACMEHost != null) (mkDefault true);
diff --git a/nixos/keycloak.nix b/nixos/keycloak.nix
index 66ad494a..013c3f8f 100644
--- a/nixos/keycloak.nix
+++ b/nixos/keycloak.nix
@@ -1,5 +1,5 @@
 {config, lib, ...}: let
- inherit (lib.modules) mkForce;
+ inherit (lib.modules) mkForce;
 in {
 sops.secrets = let
 commonSecret = {
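Review bot: The new `authUrl` default encodes two assumptions the option does not state — that Keycloak is served at `sso.<domain>` and that the realm carries the same name as `networking.domain` — so a reader cannot tell whether a differently named realm is supported. A short comment above the default would make that explicit, e.g. `# Keycloak realm URL; the realm is assumed to be named after networking.domain`. If the option has a `description`, it is outside this hunk and the same wording belongs there.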
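Review bot: After this commit `localLocations` appears to have no callers — the two `(localLocations …)` entries are removed from the `mkMerge` lists in the next two hunks of this file — so the rewritten `proxy_redirect` is dead code as far as this file shows. Either drop the helper together with its `kanidmDomain` parameter, or keep it with a comment naming its remaining use; as written the name and parameter still describe the kanidm setup while the rewrite source is now `sso.${networking.domain}`. If it is referenced from another file, a one-line comment such as `# still used by <caller>` would resolve the confusion.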
@@ -9,14 +9,14 @@ in {
 in {
 keycloak_db_password = commonSecret;
 };
-users.users.keycloak = {
+ users.users.keycloak = {
 isSystemUser = true;
 group = "keycloak";
-};
+ };
-networking.firewall.allowedTCPPorts = [ 80 ];
-users.groups.keycloak = {};
-systemd.services.keycloak.serviceConfig.DynamicUser = mkForce false;
+ networking.firewall.interfaces.local.allowedTCPPorts = [ 80 ];
+ users.groups.keycloak = {};
+ systemd.services.keycloak.serviceConfig.DynamicUser = mkForce false;
 services.keycloak = {
 enable = true;
@@ -29,8 +29,8 @@ systemd.services.keycloak.serviceConfig.DynamicUser = mkForce false;
 };
 settings = {
- hostname = "sso.gensokyo.zone";
- proxy = "edge";
+ hostname = "sso.${config.networking.domain}";
+ proxy = "edge";
 };
 };
 }
diff --git a/nixos/vouch.nix b/nixos/vouch.nix
index 61fa7ddf..80f04228 100644
--- a/nixos/vouch.nix
+++ b/nixos/vouch.nix
@@ -3,17 +3,30 @@
 config,
 ...
 }: let
- inherit (lib) mkDefault;
+ inherit (lib.modules) mkIf mkMerge mkDefault;
 cfg = config.services.vouch-proxy;
 sopsFile = mkDefault ./secrets/vouch.yaml;
+ enableKeycloak = true;
 in {
 services.vouch-proxy = {
 enable = mkDefault true;
 domain = mkDefault "login.${config.networking.domain}";
- settings = {
- vouch.listen = mkDefault "0.0.0.0";
- vouch.cookie.secure = mkDefault false;
- };
+ authUrl = mkIf enableKeycloak (
+ mkDefault "https://sso.${config.networking.domain}/realms/${config.networking.domain}"
+ );
+ settings = mkMerge [
+ {
+ vouch.listen = mkDefault "0.0.0.0";
+ vouch.cookie.secure = mkDefault false;
+ }
+ (mkIf enableKeycloak {
+ oauth = {
+ auth_url = mkDefault "${cfg.authUrl}/protocol/openid-connect/auth";
+ token_url = mkDefault "${cfg.authUrl}/protocol/openid-connect/token";
+ user_info_url = mkDefault "${cfg.authUrl}/protocol/openid-connect/userinfo";
+ };
+ })
+ ];
 enableSettingsSecrets = mkDefault true;
 extraSettings = {
 oauth.client_secret._secret = config.sops.secrets.vouch-client-secret.path;
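Review bot: `networking.firewall.interfaces.local.allowedTCPPorts` on the new line requires a network interface literally named `local`; elsewhere in this change `local` reads as a network name (`hostnameForNetwork.local` in systems/hakurei/nixos.nix), so it is worth confirming the interface name really matches, because a wrong name here silently opens nothing instead of failing evaluation. Scoping the plain-HTTP port to one interface is the right direction given `proxy = "edge"` in the following hunk; a comment would record the intent, e.g. `# Keycloak speaks plain HTTP; expose port 80 only to the nginx edge proxy on the local network`. The substantive change is easy to miss among the reindented lines; a separate whitespace-only commit would have kept it visible.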
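Review bot: `proxy = "edge"` makes Keycloak accept `X-Forwarded-*` headers from any client that reaches port 80, so the trust boundary is exactly the set of hosts that can reach the interface opened in the previous hunk; that deserves a comment next to the setting, e.g. `# trusts forwarded headers from anything on port 80 — keep the firewall scope above in sync`. Recent Keycloak releases (24 and later, as far as I recall) deprecate the `proxy` option in favour of `proxy-headers`, so if the packaged Keycloak is that new the equivalent is `proxy-headers = "xforwarded";` together with `http-enabled = true;`; verify against the nixpkgs version before changing it.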
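Review bot: `enableKeycloak = true` is a hard-coded `let` binding, so the Keycloak branch (`authUrl` and the three `oauth.*_url` entries) cannot be switched off per host without editing this file; promoting it to an option, or at least a comment stating when it should be false, would help. The derived endpoint paths look right for Keycloak's OIDC provider, but Vouch typically also needs `oauth.provider = "oidc"` and a `scopes` list containing `openid` for a Keycloak backend; neither is in this hunk, so if they are not set elsewhere (e.g. in `extraSettings`, whose body continues past the hunk) the login flow would fail at token exchange. `vouch.cookie.secure = mkDefault false` is carried over unchanged and is pre-existing, but since the `login.` vhost has `forceSSL` in nixos/access/vouch.nix it may be worth revisiting in a follow-up.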
diff --git a/systems/hakurei/nixos.nix b/systems/hakurei/nixos.nix
index 4b70f1c2..6f6e9854 100644
--- a/systems/hakurei/nixos.nix
+++ b/systems/hakurei/nixos.nix
@@ -6,6 +6,7 @@
 ...
 }: let
 inherit (lib.modules) mkIf mkMerge;
+ keycloak = access.nixosFor "keycloak";
 mediabox = access.nixosFor "mediabox";
 tei = access.nixosFor "tei";
 inherit (mediabox.services) plex;
@@ -158,6 +159,9 @@ in {
 ])
 ];
 };
+ "sso.${config.networking.domain}" = {
+ inherit (nginx) group;
+ };
 };
 services.nginx = let
@@ -196,6 +200,11 @@ in {
 url = "http://${mediabox.lib.access.hostnameForNetwork.local}:${toString mediabox.services.invidious.port}";
 };
 virtualHosts = {
+ "sso.${config.networking.domain}" = {
+ useACMEHost = "sso.${config.networking.domain}";
+ locations."/".proxyPass = "http://${keycloak.lib.access.hostnameForNetwork.local}:80";
+ forceSSL = true;
+ };
 ${access.kanidm.domain} = {
 useACMEHost = access.kanidm.domain;
 };
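Review bot: The new `sso.` vhost proxies every path to Keycloak, including the admin console under `/admin/` and the metrics/health endpoints if those are enabled, and the hunk shows no restriction on them; Keycloak's reverse-proxy guidance is to expose only the `/realms/` and `/resources/` paths (plus `/js/` on newer versions) publicly. Consider limiting the admin path at the edge, e.g. `locations."/admin/".extraConfig = "allow <ADMIN_NETWORK_PLACEHOLDER>; deny all;";`, unless that is already done in a module this hunk does not show. Also, `proxy = "edge"` on the Keycloak side only produces correct redirect and issuer URLs if this proxy forwards `Host` and `X-Forwarded-Proto`; that holds when `services.nginx.recommendedProxySettings` is on, which is not visible here, so confirm it is set for this host.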