diff --git a/docs/automated-account-deletion.md b/docs/automated-account-deletion.md
new file mode 100644
index 0000000..b7c2cb7
--- /dev/null
+++ b/docs/automated-account-deletion.md
@@ -0,0 +1,14 @@
+# Automated account deletion
+
+Per GDPR legislation, accounts should be automatically deleted after a period of inactivity. We discern between two different types of accounts:
+
+1. Without verified email: should be deleted after 30 days without being activated
+2. With verified email: should be deleted after 2 years of inactivity
+
+Some services hold on to a session for a very long time. We'll have to query their APIs to see if the account is still in use:
+
+* Matrix via the admin api: https://matrix-org.github.io/synapse/v1.48/admin_api/user_admin_api.html#query-current-sessions-for-a-user
+* Mastodon via the admin api: https://docs.joinmastodon.org/methods/admin/accounts/#200-ok
+* Nextcloud only gives the last login, not the last active time like a sync via `nextcloud-occ user:lastseen`
+* Keycloak 
+* We can ignore Forgejo, since the sessions there are valid for a maximum of one year, regardless of how they got created
diff --git a/flake.lock b/flake.lock
index c7304f3..536e3eb 100644
--- a/flake.lock
+++ b/flake.lock
@@ -52,6 +52,25 @@
     "devshell": {
       "inputs": {
         "flake-utils": "flake-utils",
+        "nixpkgs": "nixpkgs"
+      },
+      "locked": {
+        "lastModified": 1713532798,
+        "narHash": "sha256-wtBhsdMJA3Wa32Wtm1eeo84GejtI43pMrFrmwLXrsEc=",
+        "owner": "numtide",
+        "repo": "devshell",
+        "rev": "12e914740a25ea1891ec619bb53cf5e6ca922e40",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "devshell",
+        "type": "github"
+      }
+    },
+    "devshell_2": {
+      "inputs": {
+        "flake-utils": "flake-utils_2",
         "nixpkgs": [
           "keycloak-theme-pub-solar",
           "nixpkgs"
@@ -122,6 +141,24 @@
         "type": "github"
       }
     },
+    "flake-parts_2": {
+      "inputs": {
+        "nixpkgs-lib": "nixpkgs-lib_2"
+      },
+      "locked": {
+        "lastModified": 1712014858,
+        "narHash": "sha256-sB4SWl2lX95bExY2gMFG5HIzvva5AVMJd4Igm+GpZNw=",
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "rev": "9126214d0a59633752a136528f5f3b9aa8565b7d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "type": "github"
+      }
+    },
     "flake-utils": {
       "inputs": {
         "systems": "systems_3"
@@ -144,6 +181,24 @@
       "inputs": {
         "systems": "systems_4"
       },
+      "locked": {
+        "lastModified": 1701680307,
+        "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "4022d587cbbfd70fe950c1e2083a02621806a725",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "flake-utils_3": {
+      "inputs": {
+        "systems": "systems_5"
+      },
       "locked": {
         "lastModified": 1705309234,
         "narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=",
@@ -158,7 +213,7 @@
         "type": "github"
       }
     },
-    "flake-utils_3": {
+    "flake-utils_4": {
       "locked": {
         "lastModified": 1653893745,
         "narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=",
@@ -194,10 +249,33 @@
         "type": "github"
       }
     },
-    "keycloak-theme-pub-solar": {
+    "keycloak-event-listener": {
       "inputs": {
         "devshell": "devshell",
-        "flake-utils": "flake-utils_2",
+        "flake-parts": "flake-parts_2",
+        "nixpkgs": [
+          "unstable"
+        ]
+      },
+      "locked": {
+        "lastModified": 1714263025,
+        "narHash": "sha256-Uesrz49RwbG7sHgiHkkb5o364BN9WbuwroWxVXdcfvo=",
+        "ref": "main",
+        "rev": "fb569f474698b5711c208fd5b4b5880d64863587",
+        "revCount": 2,
+        "type": "git",
+        "url": "https://git.pub.solar/pub-solar/keycloak-event-listener"
+      },
+      "original": {
+        "ref": "main",
+        "type": "git",
+        "url": "https://git.pub.solar/pub-solar/keycloak-event-listener"
+      }
+    },
+    "keycloak-theme-pub-solar": {
+      "inputs": {
+        "devshell": "devshell_2",
+        "flake-utils": "flake-utils_3",
         "nixpkgs": [
           "nixpkgs"
         ]
@@ -255,16 +333,16 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1713995372,
-        "narHash": "sha256-fFE3M0vCoiSwCX02z8VF58jXFRj9enYUSTqjyHAjrds=",
-        "owner": "nixos",
+        "lastModified": 1704161960,
+        "narHash": "sha256-QGua89Pmq+FBAro8NriTuoO/wNaUtugt29/qqA8zeeM=",
+        "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "dd37924974b9202f8226ed5d74a252a9785aedf8",
+        "rev": "63143ac2c9186be6d9da6035fa22620018c85932",
         "type": "github"
       },
       "original": {
-        "owner": "nixos",
-        "ref": "nixos-23.11",
+        "owner": "NixOS",
+        "ref": "nixpkgs-unstable",
         "repo": "nixpkgs",
         "type": "github"
       }
@@ -303,6 +381,40 @@
         "type": "github"
       }
     },
+    "nixpkgs-lib_2": {
+      "locked": {
+        "dir": "lib",
+        "lastModified": 1711703276,
+        "narHash": "sha256-iMUFArF0WCatKK6RzfUJknjem0H9m4KgorO/p3Dopkk=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "d8fe5e6c92d0d190646fb9f1056741a229980089",
+        "type": "github"
+      },
+      "original": {
+        "dir": "lib",
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_2": {
+      "locked": {
+        "lastModified": 1713995372,
+        "narHash": "sha256-fFE3M0vCoiSwCX02z8VF58jXFRj9enYUSTqjyHAjrds=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "dd37924974b9202f8226ed5d74a252a9785aedf8",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "nixos-23.11",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
     "root": {
       "inputs": {
         "agenix": "agenix",
@@ -310,10 +422,11 @@
         "element-themes": "element-themes",
         "flake-parts": "flake-parts",
         "home-manager": "home-manager",
+        "keycloak-event-listener": "keycloak-event-listener",
         "keycloak-theme-pub-solar": "keycloak-theme-pub-solar",
         "nix-darwin": "nix-darwin",
         "nixos-flake": "nixos-flake",
-        "nixpkgs": "nixpkgs",
+        "nixpkgs": "nixpkgs_2",
         "nixpkgs-2205": "nixpkgs-2205",
         "triton-vmtools": "triton-vmtools",
         "unstable": "unstable"
@@ -379,9 +492,24 @@
         "type": "github"
       }
     },
+    "systems_5": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
     "triton-vmtools": {
       "inputs": {
-        "flake-utils": "flake-utils_3",
+        "flake-utils": "flake-utils_4",
         "nixpkgs": [
           "nixpkgs"
         ]
diff --git a/flake.nix b/flake.nix
index 32e9c60..712fe99 100644
--- a/flake.nix
+++ b/flake.nix
@@ -26,6 +26,9 @@
     keycloak-theme-pub-solar.url = "git+https://git.pub.solar/pub-solar/keycloak-theme?ref=main";
     keycloak-theme-pub-solar.inputs.nixpkgs.follows = "nixpkgs";
 
+    keycloak-event-listener.url = "git+https://git.pub.solar/pub-solar/keycloak-event-listener?ref=main";
+    keycloak-event-listener.inputs.nixpkgs.follows = "unstable";
+
     triton-vmtools.url = "git+https://git.pub.solar/pub-solar/infra-vintage?ref=main&dir=vmtools";
     triton-vmtools.inputs.nixpkgs.follows = "nixpkgs";
 
diff --git a/hosts/nachtigall/apps/keycloak.nix b/hosts/nachtigall/apps/keycloak.nix
index 81b46ec..413041f 100644
--- a/hosts/nachtigall/apps/keycloak.nix
+++ b/hosts/nachtigall/apps/keycloak.nix
@@ -44,6 +44,9 @@
     themes = {
       "pub.solar" = flake.inputs.keycloak-theme-pub-solar.legacyPackages.${pkgs.system}.keycloak-theme-pub-solar;
     };
+		plugins = [
+			flake.inputs.keycloak-event-listener.packages.${pkgs.system}.keycloak-event-listener
+		];
   };
 
   services.restic.backups.keycloak-droppie = {