diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 8353f25..e2766bc 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -21,7 +21,7 @@ repos:
 hooks:
 - id: reorder-python-imports
 - repo: https://github.com/astral-sh/ruff-pre-commit
- rev: v0.4.7
+ rev: v0.5.4
 hooks:
 - id: ruff
 args: [--fix, --exit-non-zero-on-fix]
diff --git a/inventory.py b/inventory.py
index 0dd7604..09a4eb0 100644
--- a/inventory.py
+++ b/inventory.py
@@ -15,7 +15,7 @@ servers = [
 "ssh_user": "root",
 "web_server": True,
 "services": [
- "nginx", "immich", "nodered",
+ "nginx", "immich", "nodered", "keycloak",
 ],
 },
 ),
diff --git a/services/keycloak/.env.template b/services/keycloak/.env.template
new file mode 100644
index 0000000..b374c80
--- /dev/null
+++ b/services/keycloak/.env.template
@@ -0,0 +1,22 @@
+HOST=auth.katuwoss.dev
+
+POSTGRES_USER={{ username['38493af8-18b7-409a-b3ba-84b1b2070873'] }}
+POSTGRES_PASSWORD={{ password['38493af8-18b7-409a-b3ba-84b1b2070873'] }}
+POSTGRES_DATABASE=keycloak
+
+KEYCLOAK_ADMIN={{ username['fc557059-7c93-4851-8eae-888a664e5594'] }}
+KEYCLOAK_ADMIN_PASSWORD={{ password['fc557059-7c93-4851-8eae-888a664e5594'] }}
+
+KC_HTTP_ENABLED=true
+KC_HOSTNAME=https://auth.katuwoss.dev
+KC_HOSTNAME_ADMIN=https://auth.katuwoss.dev
+KC_PROXY_HEADERS=xforwarded
+
+KC_DB=postgres
+KC_DB_URL_HOST=db
+KC_DB_URL_DATABASE=keycloak
+KC_DB_USERNAME={{ username['38493af8-18b7-409a-b3ba-84b1b2070873'] }}
+KC_DB_PASSWORD={{ password['38493af8-18b7-409a-b3ba-84b1b2070873'] }}
+
+# DEBUG
+KC_LOG_LEVEL=DEBUG
diff --git a/services/keycloak/docker-compose.yml b/services/keycloak/docker-compose.yml
new file mode 100644
index 0000000..992d788
--- /dev/null
+++ b/services/keycloak/docker-compose.yml
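Review bot: `KC_LOG_LEVEL=DEBUG` on the last line of services/keycloak/.env.template ships the identity provider with debug logging switched on, and the `# DEBUG` comment above it suggests the setting was meant to be temporary. Debug output from an authentication server is verbose and is likely to carry request and login-flow detail into the container logs, which are usually readable by more people and systems than the realm data itself. I would commit the template with `KC_LOG_LEVEL=INFO` and raise the level by hand only while troubleshooting. Separately, `KC_PROXY_HEADERS=xforwarded` makes Keycloak believe X-Forwarded-* headers, so a comment such as `# safe only while Traefik is the sole client that can reach port 8080` next to it would record the assumption the deployment depends on.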
@@ -0,0 +1,57 @@
+networks:
+ traefik-net:
+ name: traefik-net
+ external: true
+
+volumes:
+ keycloak-pg-data:
+ name: keycloak-pg-data
+ keycloak-pg-backup:
+ name: keycloak-pg-backup
+
+services:
+ backup:
+ image: prodrigestivill/postgres-backup-local:15
+ depends_on:
+ - db
+ volumes:
+ - keycloak-pg-backup:/backups
+ environment:
+ - POSTGRES_EXTRA_OPTS=-Z 6 -F c
+ - POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
+ - POSTGRES_USER=${POSTGRES_USER}
+ - POSTGRES_DB=${POSTGRES_DATABASE}
+ - POSTGRES_HOST=db
+
+ db:
+ image: postgres:15
+ volumes:
+ - keycloak-pg-data:/var/lib/postgresql/data
+ restart: unless-stopped
+ networks:
+ - default
+ environment:
+ - POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
+ - POSTGRES_USER=${POSTGRES_USER}
+ - POSTGRES_DB=${POSTGRES_DATABASE}
+
+ keycloak:
+ image: quay.io/keycloak/keycloak:25.0.2
+ depends_on:
+ - db
+ restart: unless-stopped
+ command:
+ - start
+ networks:
+ - traefik-net
+ - default
+ env_file:
+ - .env
+ deploy:
+ labels:
+ - traefik.enable=true
+ - traefik.docker.network=traefik-net
+ - traefik.http.routers.keycloak.rule=Host(`${HOST}`)
+ - traefik.http.routers.keycloak.entrypoints=websecure
+ - traefik.http.routers.keycloak.tls.certresolver=le
+ - traefik.http.services.keycloak.loadbalancer.server.port=8080
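Review bot: The only router rule in the keycloak service's labels matches on the host alone, so every path is forwarded to port 8080 and the admin console and admin REST API under /admin are reachable from wherever the websecure entrypoint is, guarded only by the bootstrap admin login taken from the env file. If the console is not meant to be public, the public router can be narrowed to ``traefik.http.routers.keycloak.rule=Host(`${HOST}`) && !PathPrefix(`/admin`)`` with /admin served by a second router that carries an IP allow-list middleware. The container also joins the shared external traefik-net while Keycloak is configured to trust forwarded headers, so any other service attached to that network can presumably reach 8080 directly; keeping that network's membership small belongs to the same hardening. `postgres:15` and `prodrigestivill/postgres-backup-local:15` are floating tags, and the backup image is handed the database password, so pinning both by digest would make what runs with that credential reviewable.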