diff --git a/README.adoc b/README.adoc
index 1ea0011..2823f1c 100644
--- a/README.adoc
+++ b/README.adoc
@@ -14,6 +14,9 @@ homelab.
 * NGINX
 * Jellyfin
+* OpenLDAP
+* PostgreSQL
+* Keycloak
 === Testing
 To run locally, specify the inventory file with `-i hosts`.
diff --git a/playbook.yml b/playbook.yml
index f2ddd81..b2079c2 100644
--- a/playbook.yml
+++ b/playbook.yml
@@ -5,5 +5,8 @@
 - nginx
 - jellyfin
 - openldap
+ - postgres
+ - keycloak
 vars_files:
 - vault/certs/{{ base_domain }}.yml
+ - vault/passwords.yml
diff --git a/roles/keycloak/tasks/main.yml b/roles/keycloak/tasks/main.yml
new file mode 100644
index 0000000..066db09
--- /dev/null
+++ b/roles/keycloak/tasks/main.yml
@@ -0,0 +1,25 @@
+- name: run container
+ docker_container:
+ name: "keycloak"
+ image: "quay.io/keycloak/keycloak"
+ ports:
+ - "8080:8080"
+ networks:
+ - name: postgres
+ - name: nginx-internal
+ env:
+ "KEYCLOAK_USER": "{{ vault_keycloak_user }}"
+ "KEYCLOAK_PASSWORD": "{{ vault_keycloak_password }}"
+ "DB_VENDOR": POSTGRES
+ "DB_ADDR": postgres
+ "DB_DATABASE": keycloak
+ "DB_USER": keycloak
+ "DB_SCHEMA": public
+ "DB_PASSWORD": "{{ vault_postgres_keycloak_user_password }}"
+ "PROXY_ADDRESS_FORWARDING": "true"
+- name: copy nginx conf
+ template:
+ src: "keycloak.conf.j2"
+ dest: "{{ data_folder }}/nginx/conf.d/{{ role_name}}.{{ base_domain }}.conf"
+ mode: "755"
+ notify: reload nginx
\ No newline at end of file
diff --git a/roles/keycloak/templates/keycloak.conf.j2 b/roles/keycloak/templates/keycloak.conf.j2
new file mode 100644
index 0000000..e16765c
--- /dev/null
+++ b/roles/keycloak/templates/keycloak.conf.j2
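Review bot: The `ports: - "8080:8080"` entry in the `run container` task publishes Keycloak's plain-HTTP port on every host interface, which bypasses the TLS-terminating nginx vhost this same commit adds; nginx reaches the container by name over the `nginx-internal` network, so the publish can be dropped, or at least bound to loopback with `- "127.0.0.1:8080:8080"`. `image: "quay.io/keycloak/keycloak"` carries no tag, so each run may pull a different major release; the `KEYCLOAK_USER`/`DB_*` variables belong to the legacy WildFly-based image and, as far as I know, the later Quarkus-based releases expect a different variable set, so the tag should be pinned to the release these variables were tested against. `mode: "755"` on the rendered nginx config makes a data file executable for no reason; `mode: "0644"` is enough. The `{{ role_name}}` in `dest:` works but is inconsistently spaced against the rest of the file.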
@@ -0,0 +1,26 @@
+server {
+ listen 80;
+ return 301 https://$host$request_uri;
+}
+
+server {
+ listen 443 ssl http2;
+ server_name "keycloak.{{ base_domain }}";
+ set $keycloak keycloak;
+
+ # Security/XSS Mitigation Headers
+ add_header X-Frame-Options "SAMEORIGIN";
+ add_header X-XSS-Protection "1; mode=block";
+ add_header X-Content-Type-Options "nosniff";
+
+ location / {
+ proxy_pass http://$keycloak:8080;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-Protocol $scheme;
+ proxy_set_header X-Forwarded-Host $http_host;
+ proxy_buffering off;
+ }
+}
\ No newline at end of file
diff --git a/roles/openldap/tasks/main.yml b/roles/openldap/tasks/main.yml
index f5dd228..8b2dc3d 100644
--- a/roles/openldap/tasks/main.yml
+++ b/roles/openldap/tasks/main.yml
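Review bot: `proxy_pass http://$keycloak:8080;` uses a variable, which makes nginx resolve `keycloak` at request time through a `resolver` directive; unless one is already declared in the http context (outside this diff), requests will fail with a "no resolver defined" error. Either add `resolver 127.0.0.11 valid=30s;` beside `set $keycloak keycloak;` (Docker's embedded DNS) or drop the variable and write `proxy_pass http://keycloak:8080;`, accepting that the name is then resolved once at startup. Since port 80 is unconditionally redirected, the 443 block could also send `add_header Strict-Transport-Security "max-age=31536000" always;`; keep all `add_header` lines at server level as done here, because an `add_header` inside `location /` would replace the inherited ones. `listen 443 ssl http2;` has no `ssl_certificate` in this block, so it relies on the certificate being configured in the enclosing http context — a one-line comment saying so would help the next reader.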
@@ -6,44 +6,22 @@ loop: - "{{ data_folder }}/openldap" - "{{ data_folder }}/openldap/data" - - "{{ data_folder }}/openldap/slapd.d" - - "{{ data_folder }}/openldap/ldifs" -# - name: copy slapd.conf -# template: -# src: slapd.conf.j2 -# dest: "{{ data_folder }}/openldap/slapd.d/slapd.conf" -# mode: '0755' -- name: copy user ldif - template: - src: lukas.ldif.j2 - dest: "{{ data_folder }}/openldap/ldifs/lukas.ldif" - mode: '0755' - name: run container docker_container: name: "openldap" image: osixia/openldap - command: "--loglevel debug" - hostname: ldap.dev.local + hostname: openldap networks: - # - name: bridge - name: nginx-internal ports: - "389:389" - "636:636" volumes: - "{{ data_folder }}/openldap/data:/var/lib/ldap" - - "{{ data_folder }}/openldap/slapd.d:/etc/ldap/slapd.d" - - "{{ data_folder }}/openldap/ldifs:/container/service/slapd/assets/config/bootstrap/ldif/custom" env: LDAP_ORGANISATION: "Homelab" LDAP_DOMAIN: "kucharczyk.xyz" + LDAP_ADMIN_PASSWORD: "{{ vault_openldap_admin_password }}" LDAP_REMOVE_CONFIG_AFTER_SETUP: "false" - LDAP_ADMIN_PASSWORD: !vault | - $ANSIBLE_VAULT;1.1;AES256 - 35623735376134353839323136623133393035343162363366643632376262393539653736326431 - 6635373265313033653861393463633835333639346239650a303463323063373866316162616131 - 66356335346631386265363462353034393735366430636634643466376435313638303938363363 - 3838396139663964300a633931303135376566633363303336373937373138643564636263656233 - 6239 state: started restart: yes \ No newline at end of file diff --git a/roles/openldap/templates/lukas.ldif.j2 b/roles/openldap/templates/lukas.ldif.j2 deleted file mode 100644 index f0325cd..0000000 --- a/roles/openldap/templates/lukas.ldif.j2 +++ /dev/null 
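Review bot: Dropping the `{{ data_folder }}/openldap/slapd.d:/etc/ldap/slapd.d` mount while keeping the `/var/lib/ldap` mount means the cn=config database is no longer persisted on the host; after the container is recreated the image will find existing data without matching config, and whether the osixia image re-bootstraps cleanly from the `LDAP_*` env in that case should be verified before relying on it. The unchanged `"389:389"` publish exposes plaintext LDAP on every host interface even though Keycloak reaches it over `nginx-internal`; if nothing on the host needs it, remove the mapping or bind it with `- "127.0.0.1:389:389"`. The context line `restart: yes` at the end of the hunk forces a stop/start of the container on every playbook run rather than setting a restart policy; `restart_policy: unless-stopped` is likely what was intended. The removed `lukas.ldif.j2` and `slapd.conf.j2` templates carried `{SSHA}` password hashes that remain in git history, so those credentials should be treated as disclosed and rotated.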
@@ -1,14 +0,0 @@
-dn: uid=lukas,dc=kucharczyk,dc=xyz
-uid: lukas
-cn: lukas
-givenName: Lukas
-sn: Kucharczyk
-objectClass: top
-objectClass: posixAccount
-objectClass: inetOrgPerson
-loginShell: /bin/bash
-homeDirectory: /home/lukas
-uidNumber: 1000
-gidNumber: 1000
-userPassword: {SSHA}zsJllCeWKbz1we+L/gu/yt0hxeBdvJfT
-mail: lukas@kucharczyk.xyz
\ No newline at end of file
diff --git a/roles/openldap/templates/slapd.conf.j2 b/roles/openldap/templates/slapd.conf.j2
deleted file mode 100644
index 215ba5d..0000000
--- a/roles/openldap/templates/slapd.conf.j2
+++ /dev/null
@@ -1,16 +0,0 @@
-# default config from /etc/openldap/slapd.conf
-include /etc/openldap/schema/core.schema
-pidfile /run/openldap/slapd.pid
-argsfile /run/openldap/slapd.args
-
-# custom config
-allow bind_anon_dn
-access to attrs=userPassword by * auth
-access to * by * read
-loglevel 256
-
-database mdb
-suffix "dc=kucharczyk, dc=xyz"
-rootdn "cn=admin, dc=kucharczyk, dc=xyz"
-rootpw {SSHA}sgIeW4kyz3t0OyfZ1IZjzEDDb31JI3xK
-directory /var/lib/ldap
\ No newline at end of file
diff --git a/roles/postgres/tasks/main.yml b/roles/postgres/tasks/main.yml
new file mode 100644
index 0000000..00d9130
--- /dev/null
+++ b/roles/postgres/tasks/main.yml
@@ -0,0 +1,36 @@
+- name: install psycopg2
+ pip:
+ name: psycopg2-binary
+ state: present
+- name: ensure directories exist
+ file:
+ path: "{{ item }}"
+ state: directory
+ mode: "0755"
+ loop:
+ - "{{ data_folder }}/postgres/data"
+ - "{{ data_folder }}/postgres/init"
+- name: copy init sql files
+ template:
+ src: "{{ item }}"
+ dest: "{{ data_folder }}/postgres/init/{{ item | basename | regex_replace('.j2$', '') }}"
+ with_fileglob:
+ - "../templates/*.sql.j2"
+- name: create network
+ docker_network:
+ name: postgres
+ attachable: true
+ internal: true
+ state: present
+- name: run container
+ docker_container:
+ name: "postgres"
+ image: "postgres:13"
+ networks:
+ - name: postgres
+ volumes:
+ - "{{ data_folder }}/postgres/data:/var/lib/postgresql/data"
+ - "{{ data_folder }}/postgres/init:/docker-entrypoint-initdb.d"
+ env:
+ POSTGRES_PASSWORD: "{{ vault_postgres_password }}"
+ state: started
\ No newline at end of file
diff --git a/roles/postgres/templates/keycloak.sql.j2 b/roles/postgres/templates/keycloak.sql.j2
new file mode 100644
index 0000000..05bc40a
--- /dev/null
+++ b/roles/postgres/templates/keycloak.sql.j2
@@ -0,0 +1,3 @@
+CREATE USER keycloak WITH PASSWORD '{{ vault_postgres_keycloak_user_password }}';
+CREATE DATABASE keycloak;
+GRANT ALL PRIVILEGES ON DATABASE keycloak TO keycloak;
\ No newline at end of file
diff --git a/vault/passwords.yml b/vault/passwords.yml
new file mode 100644
index 0000000..f31064e
--- /dev/null
+++ b/vault/passwords.yml
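Review bot: The `copy init sql files` task renders a file that embeds `vault_postgres_keycloak_user_password` in clear text into `{{ data_folder }}/postgres/init/` without a `mode:`, so the secret lands on the host with whatever the remote umask allows, typically world-readable. Add `mode: "0600"` together with `owner:` set to the uid the container's postgres user runs as (999 in the official image by default, worth confirming), since the entrypoint reads the script as that user and a root-owned 0600 file would make the first start fail. Scripts in `/docker-entrypoint-initdb.d` run only when the data directory is initialised for the first time, so later changes to the vaulted password never reach an existing database; a comment stating that, or a `postgresql_user` task (the hunk already installs psycopg2 but nothing uses it), would make the contract explicit. The `run container` task also sets no `restart_policy`, so the database will not come back after a host reboot unless something else restarts it.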
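Review bot: `CREATE USER keycloak WITH PASSWORD '{{ vault_postgres_keycloak_user_password }}';` drops the vault value raw into a single-quoted SQL literal, so a password containing `'` breaks the statement or changes its meaning; render it as `'{{ vault_postgres_keycloak_user_password | replace("'", "''") }}'` or generate passwords that exclude the quote character. `GRANT ALL PRIVILEGES ON DATABASE keycloak TO keycloak;` does not cover objects inside the `public` schema; on the pinned `postgres:13` the default public-schema grants still let Keycloak create its tables, but on PostgreSQL 15 and later that default is gone, so an `ALTER DATABASE keycloak OWNER TO keycloak;` would keep the script working when the image tag moves.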
@@ -0,0 +1,17 @@
+$ANSIBLE_VAULT;1.1;AES256
+65653231333939666430306463383836633664623438373661666234343165633864353934663563
+3335396466623862353633363264373666353036623134360a356438636230613139633264373265
+36643231356335653261616238613266306165616363643763356234363537616138353831383064
+3436353361333263330a313361306236626164343261363432343762313361636338333165376238
+38666336356361613930316536323338653338353666666162666333636261373866653934626536
+31643931343338383039616261616130613763383737313037303163366263623066633031646630
+35373436646635613665343038363931396630653264633964646434346534393531333163643836
+62323634643537363365313662363766373436633262336339643734613732663832326133363434
+38643434326266373638366262386162666661383232383965613536663239336361623861613161
+32313439653132353434316563633638353164626236633766313864343036353562303163373335
+39653437623132623635363266353636613130666363353633366134663638346263643134383762
+37316631313437646232326237313436353732333065363666316364373336396135396238363562
+39633163316532616564366632303965316362653066613536316461643237373834316136383865
+64353238643638623832656463333563633838633931636166323335336662636362643466303566
+31333962656530326664636562343738393864613561333734333134386263356533373664666666
+66373538393037373761