diff --git a/keycloak/.env.example b/keycloak/.env.example
new file mode 100644
index 0000000..7842a30
--- /dev/null
+++ b/keycloak/.env.example
@@ -0,0 +1,8 @@
+TAILSCALE_OAUTH_KEY=
+TAILSCALE_TAGS=
+POSTGRES_DB=
+POSTGRES_USER=
+POSTGRES_PASS=
+KEYCLOAK_ADMIN=
+KEYCLOAK_ADMIN_PASSWORD=
+KC_HOSTNAME=
\ No newline at end of file
diff --git a/keycloak/docker-compose.yml b/keycloak/docker-compose.yml
new file mode 100644
index 0000000..fdc955c
--- /dev/null
+++ b/keycloak/docker-compose.yml
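Review bot: The template gives no hint of what each value is or where it comes from, and the real `.env` derived from it will hold the Keycloak admin password and the database credentials. A one-line comment per variable would help, e.g. `# Tailscale OAuth client secret, passed to the container as TS_AUTHKEY` above TAILSCALE_OAUTH_KEY and `# comma-separated tags handed to --advertise-tags, e.g. tag:sso` above TAILSCALE_TAGS. Since only the example is added here, it is worth confirming that `.env` itself is git-ignored; that cannot be seen from this diff.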
@@ -0,0 +1,65 @@
+---
+services:
+ ts-keycloak:
+ image: tailscale/tailscale:latest
+ container_name: ts-keycloak
+ hostname: sso
+ environment:
+ - TS_AUTHKEY=${TAILSCALE_OAUTH_KEY}
+ - TS_EXTRA_ARGS=--advertise-tags=${TAILSCALE_TAGS}
+ - TS_SERVE_CONFIG=/config/keycloak.json
+ - TS_STATE_DIR=/var/lib/tailscale
+ volumes:
+ - ts-keycloak-state:/var/lib/tailscale
+ - ${PWD}/ts-keycloak/config:/config
+ - /dev/net/tun:/dev/net/tun
+ cap_add:
+ - net_admin
+ - sys_module
+ restart: unless-stopped
+
+ postgres:
+ image: postgres:15
+ restart: unless-stopped
+ ports:
+ - 5432:5432
+ environment:
+ POSTGRES_DB: ${POSTGRES_DB}
+ POSTGRES_USER: ${POSTGRES_USER}
+ POSTGRES_PASSWORD: ${POSTGRES_PASS}
+ volumes:
+ - postgres-data:/var/lib/postgresql/data
+ - ./postgres/initscripts:/docker-entrypoint-initdb.d
+ healthcheck:
+ test: ["CMD-SHELL", "pg_isready -U $POSTGRES_USER -d $POSTGRES_DB"]
+ interval: 10s
+ timeout: 5s
+ retries: 5
+
+ keycloak:
+ depends_on:
+ postgres:
+ condition: service_healthy
+ container_name: keycloak
+ environment:
+ KC_DB: postgres
+ KC_DB_URL_HOST: postgres
+ KC_DB_URL_PORT: 5432
+ KC_DB_SCHEMA: ${POSTGRES_DB}
+ KC_DB_USERNAME: ${POSTGRES_USER}
+ KC_DB_PASSWORD: ${POSTGRES_PASS}
+ KEYCLOAK_ADMIN: ${KEYCLOAK_ADMIN}
+ KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD}
+ KC_HOSTNAME: ${KC_HOSTNAME}
+ KC_HTTP_ENABLED: true
+ KC_PROXY_HEADERS: xforwarded
+ KC_HOSTNAME_STRICT: false
+ image: quay.io/keycloak/keycloak:latest
+ restart: unless-stopped
+ command: start
+
+volumes:
+ ts-keycloak-state:
+ driver: local
+ postgres-data:
+ driver: local
\ No newline at end of file
diff --git a/keycloak/postgres/initscripts/create-keycloack-schema.sql b/keycloak/postgres/initscripts/create-keycloack-schema.sql
new file mode 100644
index 0000000..131316d
--- /dev/null
+++ b/keycloak/postgres/initscripts/create-keycloack-schema.sql
@@ -0,0 +1 @@
+CREATE SCHEMA IF NOT EXISTS keycloak;
\ No newline at end of file
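Review bot: The `ports: - 5432:5432` mapping under `postgres` publishes the Keycloak database on every host interface, while its only consumer, the `keycloak` service, reaches it over the compose network by the service name (`KC_DB_URL_HOST: postgres`); drop the `ports:` block, or at the very least bind it locally with `- "127.0.0.1:5432:5432"`. Both `tailscale/tailscale:latest` and `quay.io/keycloak/keycloak:latest` are unpinned, so `restart: unless-stopped` plus a routine pull can move the SSO server to a new major release without anyone choosing to; pin a version tag or digest. `sys_module` lets the tailscale container load kernel modules on the host, and with `/dev/net/tun` already bind-mounted it is probably not needed — try keeping `net_admin` alone. `KC_HOSTNAME_STRICT: false` is also looser than necessary once `KC_HOSTNAME` is set, since it lets Keycloak derive issuer and redirect URLs from whatever Host header a request carries; leave it at its default.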
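Review bot: The init script creates a schema named `keycloak`, but docker-compose.yml in the same commit sets `KC_DB_SCHEMA: ${POSTGRES_DB}`, so the schema created here is only the one Keycloak uses when the database happens to be named `keycloak` as well; with any other `POSTGRES_DB` value Keycloak is pointed at a schema this script never creates, which presumably fails at first start. Either hard-code `KC_DB_SCHEMA: keycloak` in the compose file to match this script, or have the script create the schema from the same variable. The file name `create-keycloack-schema.sql` also misspells Keycloak; worth renaming while it is new.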
diff --git a/keycloak/ts-keycloak/config/keycloak.json b/keycloak/ts-keycloak/config/keycloak.json
new file mode 100644
index 0000000..84809fc
--- /dev/null
+++ b/keycloak/ts-keycloak/config/keycloak.json
@@ -0,0 +1,20 @@
+{
+ "TCP": {
+ "443": {
+ "HTTPS": true
+ }
+ },
+ "Web": {
+ "${TS_CERT_DOMAIN}:443": {
+ "Handlers": {
+ "/": {
+ "Proxy": "http://keycloak:8080"
+ }
+ }
+ }
+ },
+ "AllowFunnel": {
+ "${TS_CERT_DOMAIN}:443": true
+ }
+ }
+
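Review bot: `"AllowFunnel": { "${TS_CERT_DOMAIN}:443": true }` exposes Keycloak to the public internet through Tailscale Funnel rather than only to the tailnet, and the single `"/"` handler forwards every path to `http://keycloak:8080`, presumably including the admin console. If tailnet-only access is the intent, delete the `AllowFunnel` block and keep just the `Web` serve entry; if public exposure is intended, say so in a README next to the compose file (this JSON cannot carry comments) and restrict the admin paths, for example by serving them from a separate non-Funnel entry. Either way the decision is invisible from the file today, which is exactly the kind of thing that gets copied into the next deployment unexamined.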