diff --git a/TODO.md b/TODO.md
new file mode 100644
index 0000000..53b93d4
--- /dev/null
+++ b/TODO.md
@@ -0,0 +1,39 @@
+# Keycloak SSO Rollout (Server)
+
+## Compatible services to cover (assume up-to-date versions)
+- Gitea (OAuth2/OIDC)
+- Nextcloud (Social Login app)
+- Paperless-ngx (OIDC)
+- Mealie (OIDC v1+)
+- Jellyfin (OIDC plugin)
+- Kavita (OIDC-capable builds)
+- Readeck (OIDC-capable builds)
+- Audiobookshelf (OIDC-capable builds)
+- Matrix Synapse – intentionally excluded (see below) but natively OIDC if needed
+
+## Explicit exclusions (no SSO for now)
+- Syncplay
+- Matrix/Synapse
+- Arr stack (sonarr, radarr, lidarr, prowlarr, bazarr)
+- qbittorrent
+- sabnzbd
+- metube
+- multi-scrobbler
+- microbin
+- ryot
+- maloja
+- plex
+- atticd
+
+## Phased rollout plan
+1) Base identity
+ - Add Keycloak deployment/module and realm/client defaults.
+2) Gateway/proxy auth
+ - Add oauth2-proxy (Keycloak provider) + nginx auth_request for non-OIDC apps (e.g., homepage-dashboard, stash).
+3) Native OIDC wiring
+ - Configure native OIDC services (Gitea, Nextcloud, Paperless, Mealie, Jellyfin/Kavita/Readeck/Audiobookshelf) with Keycloak clients.
+4) Per-service rollout
+ - Enable per app in priority order; document client IDs/secrets and callback URLs.
+5) Verification
+ - Smoke-test login flows and cache any needed public keys/metadata.
+
diff --git a/modules/servers/keycloak.nix b/modules/servers/keycloak.nix
new file mode 100644
index 0000000..33cfe85
--- /dev/null
+++ b/modules/servers/keycloak.nix
@@ -0,0 +1,44 @@
+{
+ lib,
+ config,
+ inputs,
+ ...
+}:
+let
+ setup = import ../factories/mkserver.nix { inherit lib config; };
+ cfg = config.my.servers.keycloak;
+in
+{
+ options.my.servers.keycloak = setup.mkOptions "keycloak" "auth" 8090;
+ config = lib.mkIf (cfg.enable && config.my.secureHost) {
+ sops.secrets."keycloak/admin_password" = {
+ sopsFile = ../../secrets/secrets.yaml;
+ owner = "keycloak";
+ group = "keycloak";
+ };
+ services.keycloak = {
+ inherit (cfg) enable;
+ database = {
+ type = "postgresql";
+ host = config.my.postgresSocket;
+ username = "keycloak";
+ database = "keycloak";
+ };
+ initialAdmin = {
+ user = "admin";
+ passwordFile = config.sops.secrets."keycloak/admin_password".path;
+ };
+ settings = {
+ hostname = cfg.host;
+ "hostname-strict" = true;
+ "hostname-strict-https" = false;
+ "http-enabled" = true;
+ "http-port" = cfg.port;
+ "proxy" = "edge";
+ "frontend-url" = cfg.url;
+ };
+ };
+ services.nginx.virtualHosts.${cfg.host} =
+ lib.mkIf (cfg.enableProxy && config.my.enableProxy) (inputs.self.lib.proxyReverseFix cfg);
+ };
+}
\ No newline at end of file
diff --git a/modules/servers/postgres.nix b/modules/servers/postgres.nix
index 4978528..188ea56 100644
--- a/modules/servers/postgres.nix
+++ b/modules/servers/postgres.nix
@@ -40,6 +40,7 @@ let
 "sonarqube"
 "gitea"
 "atticd"
+"keycloak"
 ];
 in
 {
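Review bot: `"http-enabled" = true` together with `"proxy" = "edge"` makes Keycloak honour `X-Forwarded-*` headers on the plain-HTTP listener, but the `settings` block sets no `http-host`, so unless the host firewall already blocks port 8090 the listener is reachable on every interface and a client that bypasses nginx can present forged scheme/host headers; since the nginx vhost presumably proxies locally, add `"http-host" = "127.0.0.1";` next to `"http-port" = cfg.port;`. The `proxy`, `hostname-strict-https` and `frontend-url` keys are from the older hostname option set, while TODO.md says to assume up-to-date versions and current Keycloak releases replace `proxy` with `"proxy-headers" = "xforwarded";` and no longer accept `hostname-strict-https`, so check which of these keys the packaged Keycloak still recognises rather than letting them be silently ignored or rejected at startup. The sops secret is declared with `owner = "keycloak"`; if the NixOS keycloak unit runs with a dynamic user, that account will not exist when sops-nix installs the secret, so verify the unit's user settings.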