diff --git a/.deploy-infra/deploy-prod.yaml b/.deploy-infra/deploy-prod.yaml
index b34eaec..90f56ad 100644
--- a/.deploy-infra/deploy-prod.yaml
+++ b/.deploy-infra/deploy-prod.yaml
@@ -189,6 +189,24 @@ services:
         parallelism: 1
         order: start-first
 
+  keycloak:
+    image: quay.io/keycloak/keycloak
+    ports:
+      - "3000:8443"
+    environment:
+      KC_DB: postgres
+      KC_DB_URL: jdbc:postgresql://0.0.0.0:5432/keycloak
+      KC_DB_USERNAME: postgres
+      KC_DB_PASSWORD: $DB_PASSWORD_PROD
+      KC_HOSTNAME: keycloak.sprinthub.ru
+    deploy:
+      mode: replicated
+      restart_policy:
+        condition: any
+      update_config:
+        parallelism: 1
+        order: start-first
+
 volumes:
   minio_data:
     driver: local
diff --git a/nginx/nginx-prod/nginx-prod.conf b/nginx/nginx-prod/nginx-prod.conf
index 27e5175..91852d0 100644
--- a/nginx/nginx-prod/nginx-prod.conf
+++ b/nginx/nginx-prod/nginx-prod.conf
@@ -164,6 +164,25 @@ http {
         }
     }
 
+    server {
+        listen 443 ssl http2;
+        listen [::]:443 ssl http2;
+        server_name keycloak.sprinthub.ru;
+
+        ssl_certificate /etc/nginx/fullchain.pem;
+        ssl_certificate_key /etc/nginx/privkey.pem;
+
+        add_header X-Frame-Options "SAMEORIGIN" always;
+        add_header X-XSS-Protection "1; mode=block" always;
+        add_header X-Content-Type-Options "nosniff" always;
+        add_header Referrer-Policy "no-refferer-when-downgrade" always;
+        add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
+
+        location / {
+            proxy_pass http://dev.sprinthub.ru:8443/;
+        }
+    }
+
     server {
         listen 443 ssl http2;
         listen [::]:443 ssl http2;
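Review bot: `KC_DB_URL: jdbc:postgresql://0.0.0.0:5432/keycloak` hands the JDBC client a wildcard bind address rather than a host to connect to; on the compose network it should name the database service (presumably `postgres`, as `KC_DB` suggests — confirm the service name). The same stanza authenticates as the `postgres` superuser, so a leaked `$DB_PASSWORD_PROD` exposes every database on that server; a dedicated `keycloak` role owning only its own database is the least-privilege choice. `image: quay.io/keycloak/keycloak` carries no tag, so every redeploy of the production identity provider pulls whatever `latest` resolves to — pin a release tag and ideally a digest. Because `KC_HOSTNAME` is set and the nginx hunk proxies to this service, Keycloak appears to sit behind a TLS-terminating proxy, which needs `KC_PROXY_HEADERS: xforwarded` (or `KC_PROXY: edge` on older releases) plus `KC_HTTP_ENABLED: "true"` to accept forwarded plain-HTTP traffic; meanwhile `"3000:8443"` publishes the HTTPS port on the host although no `KC_HTTPS_*` certificate variables are configured, so check which port actually listens and whether it needs publishing beside nginx at all.
```yaml
  keycloak:
    image: quay.io/keycloak/keycloak:<release>@sha256:<digest>  # pin; untagged = floating latest
    command: start  # production mode — confirm against the pinned release's entrypoint
    # ports: prefer reaching the service over the compose network from nginx;
    # if a host port is unavoidable, bind it to loopback only, e.g. "127.0.0.1:3000:8080"
    environment:
      KC_DB: postgres
      # connect by service name; 0.0.0.0 is a bind address, not a target — confirm the name
      KC_DB_URL: jdbc:postgresql://postgres:5432/keycloak
      KC_DB_USERNAME: keycloak  # dedicated role with rights on the keycloak database only
      KC_DB_PASSWORD: $DB_PASSWORD_PROD
      KC_HOSTNAME: keycloak.sprinthub.ru
      KC_HTTP_ENABLED: "true"        # nginx terminates TLS and forwards plain HTTP
      KC_PROXY_HEADERS: xforwarded   # trust X-Forwarded-* from the proxy (KC_PROXY=edge pre-24)
    # … unchanged: deploy …
```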
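Review bot: `proxy_pass http://dev.sprinthub.ru:8443/;` in the production vhost sends plain HTTP to a `dev` hostname on 8443, the port the compose hunk maps as Keycloak's HTTPS listener — the scheme and port disagree and the host looks carried over from a dev config, so point it at the keycloak service's plain-HTTP listener (or use `https://` with `proxy_ssl_verify on;` if 8443 really serves TLS). The location forwards no `Host`, `X-Forwarded-For` or `X-Forwarded-Proto`, which Keycloak relies on behind a proxy to build redirect and issuer URLs that match `KC_HOSTNAME`. `Referrer-Policy "no-refferer-when-downgrade"` is misspelled, so browsers discard it, and `Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'"` allows everything, so it documents the absence of a policy rather than enforcing one; Keycloak emits its own security headers by default, so the allow-all CSP is best dropped. `X-XSS-Protection` is deprecated, and a TLS-only vhost for an identity provider should send `Strict-Transport-Security`.
```nginx
    server {
        # … unchanged: listen, server_name, ssl_certificate, ssl_certificate_key …

        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header Referrer-Policy "no-referrer-when-downgrade" always;  # spelling fixed; strict-origin-when-cross-origin is stricter
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        # Keycloak sets its own Content-Security-Policy; an allow-all header adds nothing

        location / {
            # plain-HTTP listener of the keycloak service; TLS is terminated here — confirm name/port
            proxy_pass http://keycloak:8080;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-Host $host;
        }
    }
```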