diff --git a/.envrc b/.envrc new file mode 100644 index 0000000..3550a30 --- /dev/null +++ b/.envrc @@ -0,0 +1 @@ +use flake diff --git a/.gitignore b/.gitignore index 2093797..3df9a5f 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,3 @@ *.qcow2 /result +/.direnv diff --git a/flake.lock b/flake.lock index 93ba03d..274f880 100644 --- a/flake.lock +++ b/flake.lock @@ -1,5 +1,26 @@ { "nodes": { + "agenix": { + "inputs": { + "darwin": "darwin", + "home-manager": "home-manager", + "nixpkgs": "nixpkgs", + "systems": "systems" + }, + "locked": { + "lastModified": 1718371084, + "narHash": "sha256-abpBi61mg0g+lFFU0zY4C6oP6fBwPzbHPKBGw676xsA=", + "owner": "ryantm", + "repo": "agenix", + "rev": "3a56735779db467538fb2e577eda28a9daacaca6", + "type": "github" + }, + "original": { + "owner": "ryantm", + "repo": "agenix", + "type": "github" + } + }, "crane": { "inputs": { "flake-compat": "flake-compat", @@ -24,6 +45,28 @@ "type": "github" } }, + "darwin": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1700795494, + "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=", + "owner": "lnl7", + "repo": "nix-darwin", + "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d", + "type": "github" + }, + "original": { + "owner": "lnl7", + "ref": "master", + "repo": "nix-darwin", + "type": "github" + } + }, "flake-compat": { "flake": false, "locked": { @@ -88,7 +131,7 @@ }, "flake-utils_3": { "inputs": { - "systems": "systems" + "systems": "systems_2" }, "locked": { "lastModified": 1710146030, 
@@ -126,6 +169,27 @@ "type": "github" } }, + "home-manager": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1703113217, + "narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "home-manager", + "type": "github" + } + }, "home-manager-stable": { "inputs": { "nixpkgs": [ @@ -203,6 +267,22 @@ "type": "github" } }, + "nixpkgs": { + "locked": { + "lastModified": 1703013332, + "narHash": "sha256-+tFNwMvlXLbJZXiMHqYq77z/RfmpfpiI3yjL6o/Zo9M=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "54aac082a4d9bb5bbc5c4e899603abfb76a3f6d6", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, "nixpkgs-stable": { "locked": { "lastModified": 1719426051, @@ -237,6 +317,7 @@ }, "root": { "inputs": { + "agenix": "agenix", "fsh": "fsh", "home-manager-stable": "home-manager-stable", "home-manager-unstable": "home-manager-unstable", @@ -288,6 +369,21 @@ "type": "github" } }, + "systems_2": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, "vscode-extensions": { "inputs": { "flake-compat": "flake-compat_2", diff --git a/flake.nix b/flake.nix index 1119780..c31e135 100644 --- a/flake.nix +++ b/flake.nix 
@@ -32,9 +32,11 @@ url = "github:nix-community/nix-vscode-extensions"; inputs.nixpkgs.follows = "nixpkgs-unstable"; }; + + agenix.url = "github:ryantm/agenix"; }; - outputs = { self, nixpkgs-stable, nixpkgs-unstable, fsh, home-manager-stable, home-manager-unstable, nixos-generators, vscode-extensions, ... }: + outputs = { self, nixpkgs-stable, nixpkgs-unstable, fsh, home-manager-stable, home-manager-unstable, nixos-generators, vscode-extensions, agenix, ... }: let home-manager = home-manager-unstable; overlays = [ @@ -142,10 +144,12 @@ system = "x86_64-linux"; modules = [ overlays-module + agenix.nixosModules.default ./hosts/amy/configuration.nix ./roles/conduit.nix ./roles/coredns ./roles/iceshrimp.nix + ./roles/keycloak.nix ./roles/podman.nix ./roles/postgres.nix home-manager-stable.nixosModules.home-manager @@ -167,6 +171,7 @@ modules = [ overlays-module ./hosts/emira/configuration.nix + agenix.nixosModules.default ./common/generic-qemu.nix ]; }; @@ -181,5 +186,16 @@ format = "qcow"; }; }; + + devShells.x86_64-linux.default = let + pkgs = import nixpkgs-unstable { + system = "x86_64-linux"; + }; + in + pkgs.mkShell { + nativeBuildInputs = with pkgs; [ + agenix.packages.${system}.default + ]; + }; }; } diff --git a/roles/keycloak.nix b/roles/keycloak.nix new file mode 100644 index 0000000..c75ac73 --- /dev/null +++ b/roles/keycloak.nix 
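Review bot: The new `agenix.url = "github:ryantm/agenix";` input does not pin its nixpkgs to the flake's own, unlike the `vscode-extensions` input just above it which sets `inputs.nixpkgs.follows = "nixpkgs-unstable";`; the flake.lock hunk in this same commit shows the consequence, a second `nixpkgs` (plus `darwin`, `home-manager` and `systems_2`) locked at an older revision than the flake's existing inputs. Adding `agenix.inputs.nixpkgs.follows = "nixpkgs-unstable";` next to the url keeps one nixpkgs revision to audit and update. The `inputs` attrset this hunk edits starts before the hunk.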
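Review bot: In the new `devShells.x86_64-linux.default`, `agenix.packages.${system}.default` only resolves because `with pkgs;` brings `pkgs.system` into scope; nothing in the `let` binds `system`, so a reader has to know that `with` supplies it, and dropping `with pkgs;` later would silently turn it into an undefined-variable error. Since the shell is already fixed to `x86_64-linux` two lines up, `agenix.packages.x86_64-linux.default` (or binding `system` in the `let` and using `inherit system;` for the import) states the same thing without the implicit lookup. The `outputs` attrset this hunk edits starts before the hunk.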
@@ -0,0 +1,30 @@ +{ config, lib, pkgs, ... }: { + age.secrets.keycloakPostgres.file = ../secrets/keycloakPostgres.age; + + services.keycloak = { + enable = true; + themes = { + shorks = pkgs.fetchgit { + rev = "e6c1edaf61d39227b765b873aaef126691b51d2d"; + url = "https://git.ashhhleyyy.dev/shorks-gay/shorks-keycloak.git"; + hash = "sha256-M5PHrqN+OneWMklr4TDg2qeX0f1b8puNVduofsr24EA="; + }; + }; + plugins = [ + ((pkgs.fetchMavenArtifact { + groupId = "gay.shorks"; + artifactId = "icecloak"; + version = "1.0.0+kc.24"; + repos = ["https://maven.ashhhleyyy.dev/releases/"]; + hash = "sha256-xlyq1f12HFgVLe+RPJeo0pxIBculWgu4zODEzlRErB0="; + }).passthru.jar) + ]; + settings = { + hostname = "account.shorks.gay"; + http-port = 8008; + http-enabled = true; + proxy-headers = "xforwarded"; + }; + database.passwordFile = config.age.secrets.keycloakPostgres.path; + }; +} diff --git a/secrets/keycloakPostgres.age b/secrets/keycloakPostgres.age new file mode 100644 index 0000000..ddfc33f --- /dev/null +++ b/secrets/keycloakPostgres.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 CEw3Tw tZyGaQBbQuNTd6EcGRcDwwN/YYpWyFPP2iFz6u8Hw3w +gYYVVvLGCFV1Hi8gZUT8UyWQVQxZ+ODw51LtCtQG3ko +-> ssh-ed25519 8o9woQ XfrYBTG8Fq12k5ddCnJQmJ4mkstyHvtwaYUQx5KD3Ek +YR7jJFsbKMZfduY4Buwspr8kWM8WzDvJOiaf5zsdxPQ +--- LZWrS2TO7yGzg/joF81T+zJ8xo9gAtc2GqgYK54MElg +@}0޺fD]t{}-ªVtN!ߓW؄#d }4&ҋf~YӪK+-9tW \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix new file mode 100644 index 0000000..a973486 --- /dev/null +++ b/secrets/secrets.nix 
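Review bot: `settings` turns on plain HTTP (`http-enabled = true;`, `http-port = 8008;`) and tells Keycloak to trust `X-Forwarded-*` headers (`proxy-headers = "xforwarded";`), but nothing in this file restricts which interface that port listens on, so unless a firewall or another module already limits it, any client that can reach port 8008 directly can present forwarded headers of its own choosing to Keycloak. If the reverse proxy runs on the same host, `http-host = "127.0.0.1";` in `settings` confines the trusted-header listener to loopback; otherwise document where the port is filtered. The plugin is pinned to `version = "1.0.0+kc.24";`, which presumably encodes the Keycloak major it was built against, so a comment such as `# icecloak 1.0.0 targets Keycloak 24; re-check when pkgs.keycloak is bumped` next to the `plugins` list would save the next upgrade a surprise.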
@@ -0,0 +1,11 @@
+let
+ ash_fern = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKGLHqRBcN584SXXa7snrOs89Wy5Jjvsq+GlFXTTBYfp ash@ash-pc";
+ # ash_loona = "sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBEhKflJMcER95s4I+c8Q6zC45LK0ztpXOR2+QWKQVYHEcElxh45hrlUXwVP1nr+OT9AQPhhs+IjNEndRHoSiqxIAAAAEc3NoOg== ash@loona";
+ users = [ ash_fern ];
+
+ amy = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHsGEdyz3h9Xn6bmp3v8/SlinWpm7oHtljdScCYJ5iun root@amy";
+ systems = [ amy ];
+in
+{
+ "keycloakPostgres.age".publicKeys = users ++ systems;
+}
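Review bot: The commented-out `ash_loona` key is dead configuration in a file that defines who can decrypt the secrets, which is exactly where a reader should not have to guess whether a recipient is intentionally excluded or merely forgotten; either remove the line or add a comment stating why it is disabled, e.g. `# ash_loona: hardware-backed key, not enrolled as a recipient yet`. A short header comment saying this file is the agenix rules file and that the `.age` files must be re-encrypted whenever `users` or `systems` changes would also help, since the recipient list here must stay in sync with the stanzas in `secrets/keycloakPostgres.age` (that file carries two `ssh-ed25519` recipient stanzas, which appears to match `users ++ systems` as of this commit).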