diff --git a/main.tf b/main.tf
index bc3ec61..05bf958 100644
--- a/main.tf
+++ b/main.tf
@@ -37,3 +37,7 @@ module "home-assistant" {
 module "forgejo" {
   source = "./modules/forgejo"
 }
+
+module "keycloak" {
+  source = "./modules/keycloak"
+}
diff --git a/modules/keycloak/jobspec.nomad.hcl b/modules/keycloak/jobspec.nomad.hcl
new file mode 100644
index 0000000..267834c
--- /dev/null
+++ b/modules/keycloak/jobspec.nomad.hcl
@@ -0,0 +1,121 @@
+job "keycloak" {
+
+  group "keycloak" {
+
+    network {
+      mode = "bridge"
+      port "http" {
+        to = 8080
+      }
+      port "envoy_metrics" {
+        to = 9102
+      }
+    }
+
+    service {
+      provider = "consul"
+      port = "8080"
+
+      meta {
+        envoy_metrics_port = "${NOMAD_HOST_PORT_envoy_metrics}"
+      }
+
+      connect {
+        sidecar_service {
+          proxy {
+            config {
+              protocol = "http"
+            }
+            expose {
+              path {
+                path = "/metrics"
+                protocol = "http"
+                local_path_port = 9102
+                listener_port = "envoy_metrics"
+              }
+            }
+            transparent_proxy {}
+          }
+        }
+      }
+    }
+
+    task "keycloak" {
+      driver = "docker"
+
+      config {
+        image = "quay.io/keycloak/keycloak:26.1.2"
+
+        args = ["start"]
+      }
+
+      env = {
+        KC_DB = "postgres"
+        KC_DB_USERNAME = "keycloak"
+        KC_DB_URL_HOST = "martinibar.lan"
+        KC_DB_URL_PORT = "5433"
+        KC_DB_URL_PROPERTIES = "?sslmode=disable"
+        KC_DB_URL_DATABASE = "keycloak"
+        KC_HTTP_ENABLED = "true"
+        KC_PROXY_HEADERS = "xforwarded"
+        KC_HTTP_HOST = "127.0.0.1"
+        KC_HOSTNAME = "keycloak.brmartin.co.uk"
+      }
+
+      resources {
+        cpu = 500
+        memory = 512
+      }
+
+      template {
+        data = <<-EOF
+          {{ with nomadVar "nomad/jobs/keycloak/keycloak/keycloak" }}
+          KC_DB_PASSWORD={{.keycloak_db_password}}
+          {{ end }}
+        EOF
+
+        destination = "secrets/file.env"
+        env = true
+      }
+    }
+
+    meta = {
+      "service.name" = "keycloak"
+    }
+  }
+
+  group "keycloak-ingress-group" {
+
+    network {
+      mode = "bridge"
+      port "inbound" {
+        to = 8080
+      }
+    }
+
+    service {
+      port = "inbound"
+      tags = [
+        "traefik.enable=true",
+
+        "traefik.http.routers.keycloak.rule=Host(`keycloak.brmartin.co.uk`)",
+        "traefik.http.routers.keycloak.entrypoints=websecure",
+      ]
+
+      connect {
+        gateway {
+          ingress {
+            listener {
+              port = 8080
+              protocol = "http"
+              service {
+                name = "keycloak-keycloak"
+                hosts = ["*"]
+              }
+            }
+          }
+        }
+      }
+    }
+  }
+}
diff --git a/modules/keycloak/main.tf b/modules/keycloak/main.tf
new file mode 100644
index 0000000..5c6f841
--- /dev/null
+++ b/modules/keycloak/main.tf
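Review bot: The database connection in the `env` block of task "keycloak" is configured with `KC_DB_URL_PROPERTIES = "?sslmode=disable"`, so the session to `martinibar.lan:5433` carrying the password injected from the Nomad variable and all realm data runs without TLS; unless that Postgres endpoint is itself a Connect service (it does not appear to be, given the hostname and port), this traffic leaves the mesh's mTLS and the sslmode setting is the only protection it has, so it should be `KC_DB_URL_PROPERTIES = "?sslmode=require"` (or `verify-full` once the server certificate can be checked). `KC_PROXY_HEADERS = "xforwarded"` makes Keycloak trust X-Forwarded-* from whatever reaches port 8080, which is acceptable here only because `KC_HTTP_HOST = "127.0.0.1"` keeps the listener reachable through the sidecar alone; a comment on that line saying so, e.g. `# forwarded headers are trusted only because the listener is loopback-bound behind the sidecar`, would stop a later change to `0.0.0.0` from silently widening it. Separately, the `port "http"` allocation in the first `network` block appears unused, since the service declares `port = "8080"` directly and the loopback bind means the mapped host port would not reach the process; dropping it would avoid advertising a port that serves nothing. The `{{ with nomadVar ... }}` template produces an empty `secrets/file.env` when the variable is absent, so a missing password surfaces only as a DB authentication failure at startup; a short comment noting that is worth adding for whoever debugs it.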
@@ -0,0 +1,3 @@
+resource "nomad_job" "keycloak" {
+  jobspec = file("${path.module}/jobspec.nomad.hcl")
+}