diff --git a/hosts/server/toggles.nix b/hosts/server/toggles.nix
index 5ebea53..6698e8b 100644
--- a/hosts/server/toggles.nix
+++ b/hosts/server/toggles.nix
@@ -76,6 +76,7 @@ in
     "mealie"
     "metube"
     "atticd"
+    "keycloak"
   ]
   // enableList mkEnabledIp [
     "audiobookshelf"
diff --git a/modules/servers/keycloak.nix b/modules/servers/keycloak.nix
index 1a74a2f..70a4758 100644
--- a/modules/servers/keycloak.nix
+++ b/modules/servers/keycloak.nix
@@ -31,12 +31,14 @@ in
         name = "keycloak";
         passwordFile = config.sops.secrets."keycloak/db_password".path;
       };
-      settings.hostname = cfg.host;
-      "hostname-strict" = true;
-      "hostname-strict-https" = false;
-      "http-enabled" = true;
-      "http-port" = cfg.port;
-      "proxy" = "edge";
+      settings = {
+        hostname = cfg.host;
+        hostname-strict = true;
+        hostname-strict-https = false;
+        http-enabled = true;
+        http-port = cfg.port;
+        proxy = "edge";
+      };
     };
     systemd.services.keycloak.serviceConfig.EnvironmentFile = config.sops.secrets.keycloak.path;
     services.nginx.virtualHosts.${cfg.host} = lib.mkIf (cfg.enableProxy && config.my.enableProxy) (