diff --git a/cluster/services/sso/default.nix b/cluster/services/sso/default.nix
index 5171ff9..3fe4f52 100644
--- a/cluster/services/sso/default.nix
+++ b/cluster/services/sso/default.nix
@@ -1,4 +1,4 @@
-{ depot, ... }:
+{ config, depot, ... }:
 {
 services.sso = {
@@ -18,4 +18,12 @@
 login.target = ssoAddr;
 account.target = ssoAddr;
 };
+
+ patroni = config.lib.forService "sso" {
+ databases.keycloak = {};
+ users.keycloak.locksmith = {
+ nodes = config.services.sso.nodes.host;
+ format = "raw";
+ };
+ };
 }
diff --git a/cluster/services/sso/host.nix b/cluster/services/sso/host.nix
index 0b3bf25..31628b8 100644
--- a/cluster/services/sso/host.nix
+++ b/cluster/services/sso/host.nix
@@ -8,12 +8,10 @@ in
 {
 links.keycloak.protocol = "http";
- age.secrets.keycloak-dbpass = {
- file = ../../../secrets/keycloak-dbpass.age;
- owner = "root";
- group = "root";
- mode = "0400";
- };
+ services.locksmith.waitForSecrets.keycloak = [
+ "patroni-keycloak"
+ ];
+
 services.nginx.virtualHosts = {
 "${login}" = lib.recursiveUpdate (vhosts.proxy kc.url) {
 locations = {
@@ -36,7 +34,7 @@ in
 host = patroni.ipv4;
 inherit (patroni) port;
 useSSL = false;
- passwordFile = config.age.secrets.keycloak-dbpass.path;
+ passwordFile = "/run/locksmith/patroni-keycloak";
 };
 settings = {
 http-host = kc.ipv4;
diff --git a/secrets/keycloak-dbpass.age b/secrets/keycloak-dbpass.age
deleted file mode 100644
index 6d23747..0000000
Binary files a/secrets/keycloak-dbpass.age and /dev/null differ
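Review bot: The removed `age.secrets.keycloak-dbpass` block pinned the credential file to `owner = "root"`, `group = "root"`, `mode = "0400"`, while the replacement `services.locksmith.waitForSecrets.keycloak = [ "patroni-keycloak" ];` leaves ownership and permissions of the rendered file entirely to the locksmith module, which is not visible in this diff. If locksmith does not scope the file to the unit that reads it, set whatever owner/mode options it provides, or at least record the expectation next to the wait list, e.g. `# locksmith must render patroni-keycloak readable only by the keycloak unit; verify on the host`. Deleting `secrets/keycloak-dbpass.age` also does not invalidate the password it held, since the encrypted file remains recoverable from history, so the database role's old password should be rotated unless `users.keycloak.locksmith` in default.nix already regenerates it (I cannot tell from here). The `let` bindings referenced in this hunk (`kc`, `login`, `vhosts`, `lib`) are defined before it.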
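Review bot: The literal `passwordFile = "/run/locksmith/patroni-keycloak";` duplicates the secret name `"patroni-keycloak"` listed in `services.locksmith.waitForSecrets.keycloak` in the previous hunk, so renaming the secret in one place leaves the other pointing at a path that no longer exists, and the unit would then wait on one name and read another. Bind the name once in the file's `let` block, e.g. `dbSecret = "patroni-keycloak";`, then use `[ dbSecret ]` in the wait list and `passwordFile = "/run/locksmith/${dbSecret}";` here; if the locksmith module exposes a path attribute for a secret, that is preferable to hand-building the `/run/locksmith/` path. The `let` block and the enclosing attribute set (presumably the Keycloak database options, given `host`, `port`, `useSSL` and `passwordFile`) both start outside this hunk.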