diff --git a/hosts/plover/default.nix b/hosts/plover/default.nix
index e3264e13..0dcda1d6 100644
--- a/hosts/plover/default.nix
+++ b/hosts/plover/default.nix
@@ -5,6 +5,7 @@ let
   domain = config.networking.domain;
   passwordManagerDomain = "pass.${domain}";
   codeForgeDomain = "code.${domain}";
+  identityDomain = "identity.${domain}";
   dbDomain = "db.${domain}";
 
   # This should be set from service module from nixpkgs.
@@ -66,6 +67,7 @@ in
       "vaultwarden/env".owner = vaultwardenUserGroup;
       "borg/patterns/keys" = { };
       "borg/password" = { };
+      "keycloak/db/password" = { };
     }
   );
 
@@ -150,6 +152,15 @@ in
           proxyPass = "http://localhost:${toString config.services.gitea.httpPort}";
         };
       };
+
+      # Keycloak instance.
+      "${identityDomain}" = {
+        forceSSL = true;
+        enableACME = true;
+        locations."/" = {
+          proxyPass = "http://localhost:${toString config.services.keycloak.settings.https-port}";
+        };
+      };
     };
 
     streamConfig = ''
@@ -230,6 +241,30 @@ in
     ];
   };
 
+  # Hey, the hub for your application sign-in.
+  services.keycloak = {
+    enable = true;
+
+    # Pls change at first login.
+    initialAdminPassword = "wow what is this thing";
+
+    database = {
+      type = "postgresql";
+      createLocally = true;
+      passwordFile = config.sops.secrets."plover/keycloak/db/password".path;
+      caCert = "${config.security.acme.certs."${dbDomain}".directory}/chain.pem";
+    };
+
+    settings = {
+      hostname = identityDomain;
+      hostname-strict-backchannel = true;
+      proxy = "reencrypt";
+    };
+
+    sslCertificate = "${config.security.acme.certs."${identityDomain}".directory}/fullchain.pem";
+    sslCertificateKey = "${config.security.acme.certs."${identityDomain}".directory}/key.pem";
+  };
+
   # With a database comes a dumping.
   services.postgresqlBackup = {
     enable = true;
diff --git a/hosts/plover/secrets/secrets.yaml b/hosts/plover/secrets/secrets.yaml
index 1344b4c6..e3134d2c 100644
--- a/hosts/plover/secrets/secrets.yaml
+++ b/hosts/plover/secrets/secrets.yaml
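Review bot: The secret declared in the second hunk is `"keycloak/db/password"`, while the Keycloak block added in the last hunk reads `config.sops.secrets."plover/keycloak/db/password".path`; unless the enclosing expression (which starts before the hunk) prefixes every key with `plover/`, that attribute lookup fails at evaluation time, so the two names should be reconciled. The new entry also sets no `owner`, unlike `"vaultwarden/env"` two lines above, so the decrypted file will carry the sops-nix default ownership; that is only adequate if the keycloak service reads or copies the file before dropping privileges, which is worth confirming against the module rather than assuming. A comment on the new line, `# Consumed by services.keycloak.database.passwordFile; the attribute name must match the sops key path.`, would make the coupling between the two hunks visible.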
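Review bot: In the third hunk, `proxyPass` speaks plain `http://` to `config.services.keycloak.settings.https-port`, but the Keycloak block in the same commit sets `proxy = "reencrypt"` and hands Keycloak `sslCertificate`/`sslCertificateKey`, so the backend on that port serves TLS and the upstream connection will not work as written; the line should read `proxyPass = "https://localhost:${toString config.services.keycloak.settings.https-port}";`. Nothing in the commit sets `settings.https-port` explicitly, so if the module default applies, confirm it does not collide with the nginx listener this vhost binds to 443 via `forceSSL`. The `virtualHosts` attribute set this entry belongs to starts before the hunk.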
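Review bot: In the last hunk, `initialAdminPassword = "wow what is this thing";` is a literal string in the module, so it lives in the repository history and, once evaluated, in the Nix store and the generated service unit, both readable by every local user on the host; the comment `# Pls change at first login.` relies on a manual step that nothing enforces, while the nginx vhost added in the third hunk makes the admin console reachable on `${identityDomain}` before that step happens. A value only used to bootstrap the first admin user is still worth keeping out of the store: set it to a deploy-time placeholder that is rotated immediately, or note in the comment that the first deployment must run with the vhost disabled until the password has been changed. Replacing the comment with `# Bootstrap-only credential; it is world-readable in the store — rotate before the identity vhost is exposed.` records the constraint for the next maintainer.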
@@ -19,6 +19,9 @@ borg:
   password: ENC[AES256_GCM,data:Fxz36DGpjl5brWRPlzkqmhgwuDAw4BrqlHazjFkV,iv:qiII9yWbUfQggeO3KdPwNXAQBwVmx6YEa5YIID3AUIs=,tag:74IJEGAQ+PiHsw1RKb+iJg==,type:str]
   patterns:
     keys: ENC[AES256_GCM,data:rv1I75M+3Y4vR65aloXyPgD594n2U9zcOFg4853yeA/+jUpDUC+Is9SaKVo1AB90LgnPl5yhGNzQbM5q9INaq9SL,iv:xj/owX79CeWV2ztQ0DP5bQRBwLPZiCpHB/JAK5tCfH8=,tag:sgkrWI/PtxZjw70lQfD8Jg==,type:str]
+keycloak:
+  db:
+    password: ENC[AES256_GCM,data:oTqbholsgs6mcxNPTgq6Flk1yRlYHaHkiw3VtCcAAw==,iv:5f8nXJYylG4Px5YuFXFYbNpW4GzOK58TYxLTEuzfMuQ=,tag:/1ydKBAklDRIrqtKs2hOqw==,type:str]
 sops:
   kms: []
   gcp_kms: []
@@ -34,8 +37,8 @@ sops:
         ZCtNbnFqdzNkVlBtNjVCdE4yNHMrRjQKfFV4GaReO0UO81xsTB0EuN5ibVsafXJY
         miBgZAZWbJjSBcM4X+Fym/DlxHRoB1a6iFEFN9yg+Z9WI8PfjKnbsA==
         -----END AGE ENCRYPTED FILE-----
-  lastmodified: "2022-12-11T00:10:04Z"
-  mac: ENC[AES256_GCM,data:QWn93hgGSmsapwQjd0yLz/b572NcHs78UJ8hCUKbuJl1tsHslQ2/lwTuBJafN05ZtsVcFoscDYmJcrezHwfDMDy1/swH/7PXRPDkIsOkq3ibIJXLA+MpA/zAN9h4m93zDrEP8ee14ulQCIx4Z+0Sx6dfPdakln/augOLuPXI0wc=,iv:SkwDx//eKPeYnDXX+POS72BgIfp1JgDEtZAz8B9+++E=,tag:uZznBjp5sL85m2WZ1lGGIQ==,type:str]
+  lastmodified: "2022-12-12T09:57:34Z"
+  mac: ENC[AES256_GCM,data:O8RVX5ibpttPlVbZ8DDFMXbGIGU1p5R30uOn5bNVtYoVJvTCmMUKYgbsddM5IJH7dDm7JIAROYkI2p+V0F0GwdKL95hFxbKDIjNmHzeWNVGXhpp960sDP3QZ2UdrhZr+njlaVR1NLaT3w9xvZ49XYIDrRDHSythVceJdymkIGzg=,iv:E9jvkXXw/ctvbiGPEvho0kuMrYkOPKnaCfkObBIy8vQ=,tag:v85Rlx7+8xH4tN88y27OYw==,type:str]
   pgp: []
   unencrypted_suffix: _unencrypted
   version: 3.7.3