diff --git a/README.md b/README.md
index 6821ea1..f762307 100644
--- a/README.md
+++ b/README.md
@@ -7,8 +7,9 @@ Needs: https://github.com/AlexanderGabriel/ansible-role-acme.sh to get certs fro
 Hint: Use variables use_local_ca: yes and acme_sh_server: https://host:port/acme/acme/directory to use your own intranet step-ca or acme-compatible CA for local certs
 
 All vars:
-* keycloak_initial_admin_password initial admin user password
-* use_local_ca: yes or no
-* acme_sh_server: url to acme-compatible ca, if not provided, use letsencrypt
-* acme_sh_email: your email-address
-
+* keycloak_postgresql_database: keycloak
+* keycloak_postgresql_username: keycloak
+* keycloak_postgresql_password: keycloak
+* keycloak_initial_admin_name: keycloak
+* keycloak_initial_admin_password: keycloak
+* keycloak_http_host: 127.0.0.1
diff --git a/defaults/main.yml b/defaults/main.yml
new file mode 100644
index 0000000..3c50535
--- /dev/null
+++ b/defaults/main.yml
@@ -0,0 +1,7 @@
+---
+keycloak_postgresql_database: keycloak
+keycloak_postgresql_username: keycloak
+keycloak_postgresql_password: keycloak
+keycloak_initial_admin_name: keycloak
+keycloak_initial_admin_password: keycloak
+keycloak_http_host: 127.0.0.1
diff --git a/tasks/main.yml b/tasks/main.yml
index c5397c5..1a88710 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -7,6 +7,31 @@
       - apache2
     update_cache: yes
 
+##install database
+- name: include role for postgresql
+  include_role:
+    name: postgresql
+  vars:
+    postgresql_database: "{{ keycloak_postgresql_database }}"
+    postgresql_username: "{{ keycloak_postgresql_username }}"
+    postgresql_password: "{{ keycloak_postgresql_password }}"
+
+- name: include role for website
+  include_role:
+    name: website
+  vars:
+    domainname: "{{ inventory_hostname }}"
+    docroot: "/var/www/html"
+    optionalDirectives: |
+      ProxyPreserveHost On
+      SSLProxyEngine On
+      SSLProxyCheckPeerCN on
+      SSLProxyCheckPeerExpire on
+      RequestHeader set X-Forwarded-Proto "https"
+      RequestHeader set X-Forwarded-Port "443"
+      ProxyPass / http://127.0.0.1:8080/
+      ProxyPassReverse / http://127.0.0.1:8080/
+
 - name: create user for keycloak
   user:
     name: keycloak
@@ -18,23 +43,50 @@
 
 - name: check if keycloak-dir exists
   stat:
-    path: /opt/keycloak/keycloak-13.0.1
+    path: /opt/keycloak/keycloak-21.0.1
   register: keycloak_exists
 
-- name: Extract keycloak-13.0.1.tar.gz to /opt/keycloak
+- name: Extract keycloak-21.0.1.zip to /opt/keycloak
   unarchive:
-    src: keycloak-13.0.1.tar.gz
+    src: keycloak-21.0.1.zip
     dest: /opt/keycloak
     owner: keycloak
     group: keycloak
   when: not keycloak_exists.stat.exists or redeploy is defined
 
-- name: link /opt/keycloak/keycloak-13.0.1 to /opt/keycloak/current
+- name: link /opt/keycloak/keycloak-21.0.1 to /opt/keycloak/current
   file:
     state: link
-    src: /opt/keycloak/keycloak-13.0.1
+    src: /opt/keycloak/keycloak-21.0.1
     dest: /opt/keycloak/current
 
+##build once
+- name: check if /opt/keycloak/current/builtonce.txt exists
+  stat:
+    path: /opt/keycloak/current/builtonce.txt
+  register: builtonce_exists
+
+- name: build keycloak
+  command: sudo -u keycloak /opt/keycloak/current/bin/kc.sh build --db=postgres
+  when: not builtonce_exists.stat.exists
+
+- name: create file to track build
+  ansible.builtin.file:
+    path: /opt/keycloak/current/builtonce.txt
+    owner: keycloak
+    group: keycloak
+    mode: '0770'
+    state: touch
+  when: not builtonce_exists.stat.exists
+
+- name: set permissions correct
+  file:
+    dest: /opt/keycloak
+    owner: keycloak
+    group: keycloak
+    mode: "0770"
+    recurse: yes
+
 - name: generate /etc/systemd/system/keycloak.service
   template:
     src: keycloak.service.j2
@@ -45,27 +97,6 @@
   notify:
     - reload systemd
 
-- name: generate /opt/keycloak/current/standalone/configuration/standalone.xml
-  template:
-    src: standalone.xml.j2
-    dest: /opt/keycloak/current/standalone/configuration/standalone.xml
-  notify:
-    - restart keycloak
-
-- name: enable keycloak
-  systemd:
-    name: keycloak
-    enabled: yes
-    masked: no
-
-- name: set permissions correct
-  file:
-    dest: /opt/keycloak
-    owner: keycloak
-    group: keycloak
-    mode: "0770"
-    recurse: yes
-
 - name: Flush handlers
   meta: flush_handlers
 
@@ -80,143 +111,80 @@
 - name: Flush handlers
   meta: flush_handlers
 
+##add admin user once
 - name: check if /opt/keycloak/current/adminuseradded.txt exists
   stat:
-    path: /opt/keycloak/current/standalone/configuration/keycloak-add-user.json 
+    path: /opt/keycloak/current/adminuseradded.txt
   register: adminuseradded_exists
 
-- name: check if /opt/keycloak/current/standalone/configuration/keycloak-add-user.json exists
-  stat:
-    path: /opt/keycloak/current/standalone/configuration/keycloak-add-user.json 
+- name: stop keycloak
+  ansible.builtin.service:
+    name: keycloak
+    state: stopped
   when: not adminuseradded_exists.stat.exists
-  register: keycloak_add_user_exists
 
-- name: check if user exists
-  shell: "grep username /opt/keycloak/current/standalone/configuration/keycloak-add-user.json | grep admin"
-  register: userexists
-  when: not adminuseradded_exists.stat.exists and keycloak_add_user_exists.stat.exists
-
-- name: create initial admin user
-  command: sudo -u keycloak /opt/keycloak/current/bin/add-user-keycloak.sh -u admin -p {{ keycloak_initial_admin_password }} -r master
-  when: not keycloak_add_user_exists.stat.exists or userexists.stdout == ""
+- name: generate /etc/systemd/system/keycloak.service
+  template:
+    src: keycloak.service_init.j2
+    dest: /etc/systemd/system/keycloak.service
+    owner: root
+    group: root
+    mode: "0644"
+  when: not adminuseradded_exists.stat.exists
   notify:
-    restart keycloak
+    - reload systemd
 
-- name: create initial admin user
-  command: sudo -u keycloak touch /opt/keycloak/current/adminuseradded.txt
-  when: not keycloak_add_user_exists.stat.exists or userexists.stdout == ""
+- name: Flush handlers
+  meta: flush_handlers
+
+- name: start keycloak
+  ansible.builtin.service:
+    name: keycloak
+    state: started
+  when: not adminuseradded_exists.stat.exists
+
+- name: Sleep 60 seconds
+  ansible.builtin.wait_for:
+    timeout: 60
+  delegate_to: localhost
+  when: not adminuseradded_exists.stat.exists
+
+- name: stop keycloak
+  ansible.builtin.service:
+    name: keycloak
+    state: stopped
+  when: not adminuseradded_exists.stat.exists
+
+- name: generate /etc/systemd/system/keycloak.service
+  template:
+    src: keycloak.service.j2
+    dest: /etc/systemd/system/keycloak.service
+    owner: root
+    group: root
+    mode: "0644"
+  when: not adminuseradded_exists.stat.exists
   notify:
-    restart keycloak
+    - reload systemd
 
-- name: set permissions correct again
-  file:
-    dest: /opt/keycloak
+- name: Flush handlers
+  meta: flush_handlers
+
+- name: start keycloak
+  ansible.builtin.service:
+    name: keycloak
+    state: started
+  when: not adminuseradded_exists.stat.exists
+
+- name: create file to track user creation
+  ansible.builtin.file:
+    path: /opt/keycloak/current/adminuseradded.txt
     owner: keycloak
     group: keycloak
-    mode: "0770"
-    recurse: yes
-
-- name: enable apache module proxy
-  command: a2enmod proxy
-  args:
-    creates: /etc/apache2/mods-enabled/proxy.load
-  notify:
-    restart apache2
-
-- name: enable apache module proxy_html
-  command: a2enmod proxy_html
-  args:
-    creates: /etc/apache2/mods-enabled/proxy_html.load
-  notify:
-    restart apache2
-
-- name: enable apache module proxy_http
-  command: a2enmod proxy_http
-  args:
-    creates: /etc/apache2/mods-enabled/proxy_http.load
-  notify:
-    restart apache2
-
-- name: enable apache module proxy_http2
-  command: a2enmod proxy_http2
-  args:
-    creates: /etc/apache2/mods-enabled/proxy_http2.load
-  notify:
-    restart apache2
-
-- name: enable apache module ssl
-  command: a2enmod ssl
-  args:
-    creates: /etc/apache2/mods-enabled/ssl.load
-  notify:
-    restart apache2
-
-- name: enable apache module headers
-  command: a2enmod headers
-  args:
-    creates: /etc/apache2/mods-enabled/headers.load
-  notify:
-    restart apache2
-
-- name: enable apache module rewrite
-  command: a2enmod rewrite
-  args:
-    creates: /etc/apache2/mods-enabled/rewrite.load
-  notify:
-    restart apache2
-
-- name: install acme.sh
-  include_role:
-    name: acmesh
-
-- name: set amce server url
-  set_fact:
-    acmeshserver: "--server {{ acme_sh_server }} --insecure --force --days 1"
-  when: acme_sh_server is defined
-
-- name: set amce server url
-  set_fact:
-    acmeshserver: ""
-  when: not acme_sh_server is defined
-  
-- name: get certificates
-  command: /root/.acme.sh/acme.sh --issue --apache {{ acmeshserver }} -d {{ inventory_hostname }} --email {{ acme_sh_email }} --key-file /etc/ssl/private/{{ inventory_hostname }}.key --fullchain-file /etc/ssl/certs/{{ inventory_hostname }}.pem --reloadcmd "service apache2 reload"
-  args:
-    creates: /etc/ssl/private/{{ inventory_hostname }}.key
-
-- name: generate /etc/apache2/sites-available/{{ inventory_hostname }}.conf
-  template:
-    src: apache.conf.j2
-    dest: /etc/apache2/sites-available/{{ inventory_hostname }}.conf
-    owner: root
-    group: root
-    mode: "0644"
-  notify:
-    - reload apache2
-
-- name: generate /etc/apache2/sites-available/{{ inventory_hostname }}-ssl.conf
-  template:
-    src: apache-ssl.conf.j2
-    dest: /etc/apache2/sites-available/{{ inventory_hostname }}-ssl.conf
-    owner: root
-    group: root
-    mode: "0644"
-  notify:
-    - reload apache2
-
-- name: activate /etc/apache2/sites-available/{{ inventory_hostname }}.conf
-  file:
-    state: link
-    src: /etc/apache2/sites-available/{{ inventory_hostname }}.conf
-    dest: /etc/apache2/sites-enabled/{{ inventory_hostname }}.conf
-  notify:
-    - reload apache2
-
-- name: activate /etc/apache2/sites-available/{{ inventory_hostname }}-ssl.conf
-  file:
-    state: link
-    src: /etc/apache2/sites-available/{{ inventory_hostname }}-ssl.conf
-    dest: /etc/apache2/sites-enabled/{{ inventory_hostname }}-ssl.conf
-  notify:
-    - reload apache2
+    mode: '0770'
+    state: touch
+  when: not adminuseradded_exists.stat.exists
 
+- name: start keycloak
+  ansible.builtin.service:
+    name: keycloak
+    state: started
diff --git a/templates/apache-ssl.conf.j2 b/templates/apache-ssl.conf.j2
deleted file mode 100644
index 05382d3..0000000
--- a/templates/apache-ssl.conf.j2
+++ /dev/null
@@ -1,31 +0,0 @@
-<IfModule mod_ssl.c>
-        <VirtualHost _default_:443>
-                ServerName {{ inventory_hostname }}
-                ServerAdmin webmaster@{{ inventory_hostname }}
-
-                DocumentRoot /var/www/html
-
-                ErrorLog ${APACHE_LOG_DIR}/{{ inventory_hostname }}.error.log
-                CustomLog ${APACHE_LOG_DIR}/{{ inventory_hostname }}.access.log combined
-
-                SSLEngine on
-                SSLCertificateFile      /etc/ssl/certs/{{ inventory_hostname }}.pem
-                SSLCertificateKeyFile /etc/ssl/private/{{ inventory_hostname }}.key
-
-                <FilesMatch "\.(cgi|shtml|phtml|php)$">
-                                SSLOptions +StdEnvVars
-                </FilesMatch>
-                <Directory /usr/lib/cgi-bin>
-                                SSLOptions +StdEnvVars
-                </Directory>
-                ProxyPreserveHost On
-                SSLProxyEngine On
-                SSLProxyCheckPeerCN on
-                SSLProxyCheckPeerExpire on
-                RequestHeader set X-Forwarded-Proto "https"
-                RequestHeader set X-Forwarded-Port "443"
-                ProxyPass / http://127.0.0.1:8080/
-                ProxyPassReverse / http://127.0.0.1:8080/
-
-        </VirtualHost>
-</IfModule>
diff --git a/templates/apache.conf.j2 b/templates/apache.conf.j2
deleted file mode 100644
index c93f206..0000000
--- a/templates/apache.conf.j2
+++ /dev/null
@@ -1,14 +0,0 @@
-<VirtualHost *:80>
-        ServerName {{ inventory_hostname }}
-
-        ServerAdmin webmaster@{{ inventory_hostname }}
-        DocumentRoot /var/www/html
-
-        ErrorLog ${APACHE_LOG_DIR}/{{ inventory_hostname }}.error.log
-        CustomLog ${APACHE_LOG_DIR}/{{ inventory_hostname }}.access.log combined
-
-        #rewrite transparent to https, keep uri 
-        RewriteEngine On
-        RewriteCond %{HTTPS} off
-        RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
-</VirtualHost>
diff --git a/templates/keycloak.service.j2 b/templates/keycloak.service.j2
index b958045..8a12893 100644
--- a/templates/keycloak.service.j2
+++ b/templates/keycloak.service.j2
@@ -6,9 +6,16 @@ After=network.target
 Type=idle
 User=keycloak
 Group=keycloak
-ExecStart=/opt/keycloak/current/bin/standalone.sh
+ExecStart=/opt/keycloak/current/bin/kc.sh start
 TimeoutStartSec=600
 TimeoutStopSec=600
+Environment="KC_HTTP_HOST={{ keycloak_http_host}}"
+Environment="KC_HOSTNAME={{ inventory_hostname }}"
+Environment="KC_DB_USERNAME={{ keycloak_postgresql_username }}"
+Environment="KC_DB_PASSWORD={{ keycloak_postgresql_password }}"
+Environment="KC_DB_URL_DATABASE={{ keycloak_postgresql_database }}"
+Environment="KC_DB_URL_HOST={{ inventory_hostname }}"
+Environment="KC_PROXY=edge"
 
 [Install]
-WantedBy=multi-user.target
\ No newline at end of file
+WantedBy=multi-user.target
diff --git a/templates/keycloak.service_init.j2 b/templates/keycloak.service_init.j2
new file mode 100644
index 0000000..e64c3d1
--- /dev/null
+++ b/templates/keycloak.service_init.j2
@@ -0,0 +1,23 @@
+[Unit]
+Description=Keycloak
+After=network.target
+
+[Service]
+Type=idle
+User=keycloak
+Group=keycloak
+ExecStart=/opt/keycloak/current/bin/kc.sh start
+TimeoutStartSec=600
+TimeoutStopSec=600
+Environment="KC_HTTP_HOST={{ keycloak_http_host}}"
+Environment="KC_HOSTNAME={{ inventory_hostname }}"
+Environment="KC_DB_USERNAME={{ keycloak_postgresql_username }}"
+Environment="KC_DB_PASSWORD={{ keycloak_postgresql_password }}"
+Environment="KC_DB_URL_DATABASE={{ keycloak_postgresql_database }}"
+Environment="KC_DB_URL_HOST={{ inventory_hostname }}"
+Environment="KC_PROXY=edge"
+Environment="KEYCLOAK_ADMIN={{ keycloak_initial_admin_name }}"
+Environment="KEYCLOAK_ADMIN_PASSWORD={{ keycloak_initial_admin_password }}"
+
+[Install]
+WantedBy=multi-user.target
diff --git a/templates/standalone.xml.j2 b/templates/standalone.xml.j2
deleted file mode 100644
index c50fd33..0000000
--- a/templates/standalone.xml.j2
+++ /dev/null
@@ -1,613 +0,0 @@
-<?xml version='1.0' encoding='UTF-8'?>
-
-<server xmlns="urn:jboss:domain:16.0">
-    <extensions>
-        <extension module="org.jboss.as.clustering.infinispan"/>
-        <extension module="org.jboss.as.connector"/>
-        <extension module="org.jboss.as.deployment-scanner"/>
-        <extension module="org.jboss.as.ee"/>
-        <extension module="org.jboss.as.ejb3"/>
-        <extension module="org.jboss.as.jaxrs"/>
-        <extension module="org.jboss.as.jmx"/>
-        <extension module="org.jboss.as.jpa"/>
-        <extension module="org.jboss.as.logging"/>
-        <extension module="org.jboss.as.mail"/>
-        <extension module="org.jboss.as.naming"/>
-        <extension module="org.jboss.as.remoting"/>
-        <extension module="org.jboss.as.security"/>
-        <extension module="org.jboss.as.transactions"/>
-        <extension module="org.jboss.as.weld"/>
-        <extension module="org.keycloak.keycloak-server-subsystem"/>
-        <extension module="org.wildfly.extension.bean-validation"/>
-        <extension module="org.wildfly.extension.core-management"/>
-        <extension module="org.wildfly.extension.elytron"/>
-        <extension module="org.wildfly.extension.health"/>
-        <extension module="org.wildfly.extension.io"/>
-        <extension module="org.wildfly.extension.metrics"/>
-        <extension module="org.wildfly.extension.request-controller"/>
-        <extension module="org.wildfly.extension.security.manager"/>
-        <extension module="org.wildfly.extension.undertow"/>
-    </extensions>
-    <management>
-        <security-realms>
-            <security-realm name="ManagementRealm">
-                <authentication>
-                    <local default-user="$local" skip-group-loading="true"/>
-                    <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
-                </authentication>
-                <authorization map-groups-to-roles="false">
-                    <properties path="mgmt-groups.properties" relative-to="jboss.server.config.dir"/>
-                </authorization>
-            </security-realm>
-            <security-realm name="ApplicationRealm">
-                <server-identities>
-                    <ssl>
-                        <keystore path="application.keystore" relative-to="jboss.server.config.dir" keystore-password="password" alias="server" key-password="password" generate-self-signed-certificate-host="localhost"/>
-                    </ssl>
-                </server-identities>
-                <authentication>
-                    <local default-user="$local" allowed-users="*" skip-group-loading="true"/>
-                    <properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
-                </authentication>
-                <authorization>
-                    <properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
-                </authorization>
-            </security-realm>
-        </security-realms>
-        <audit-log>
-            <formatters>
-                <json-formatter name="json-formatter"/>
-            </formatters>
-            <handlers>
-                <file-handler name="file" formatter="json-formatter" path="audit-log.log" relative-to="jboss.server.data.dir"/>
-            </handlers>
-            <logger log-boot="true" log-read-only="false" enabled="false">
-                <handlers>
-                    <handler name="file"/>
-                </handlers>
-            </logger>
-        </audit-log>
-        <management-interfaces>
-            <http-interface security-realm="ManagementRealm">
-                <http-upgrade enabled="true"/>
-                <socket-binding http="management-http"/>
-            </http-interface>
-        </management-interfaces>
-        <access-control provider="simple">
-            <role-mapping>
-                <role name="SuperUser">
-                    <include>
-                        <user name="$local"/>
-                    </include>
-                </role>
-            </role-mapping>
-        </access-control>
-    </management>
-    <profile>
-        <subsystem xmlns="urn:jboss:domain:bean-validation:1.0"/>
-        <subsystem xmlns="urn:jboss:domain:core-management:1.0"/>
-        <subsystem xmlns="urn:jboss:domain:deployment-scanner:2.0">
-            <deployment-scanner path="deployments" relative-to="jboss.server.base.dir" scan-interval="5000" runtime-failure-causes-rollback="${jboss.deployment.scanner.rollback.on.failure:false}"/>
-        </subsystem>
-        <subsystem xmlns="urn:jboss:domain:ee:6.0">
-            <spec-descriptor-property-replacement>false</spec-descriptor-property-replacement>
-            <concurrent>
-                <context-services>
-                    <context-service name="default" jndi-name="java:jboss/ee/concurrency/context/default" use-transaction-setup-provider="true"/>
-                </context-services>
-                <managed-thread-factories>
-                    <managed-thread-factory name="default" jndi-name="java:jboss/ee/concurrency/factory/default" context-service="default"/>
-                </managed-thread-factories>
-                <managed-executor-services>
-                    <managed-executor-service name="default" jndi-name="java:jboss/ee/concurrency/executor/default" context-service="default" hung-task-termination-period="0" hung-task-threshold="60000" keepalive-time="5000"/>
-                </managed-executor-services>
-                <managed-scheduled-executor-services>
-                    <managed-scheduled-executor-service name="default" jndi-name="java:jboss/ee/concurrency/scheduler/default" context-service="default" hung-task-termination-period="0" hung-task-threshold="60000" keepalive-time="3000"/>
-                </managed-scheduled-executor-services>
-            </concurrent>
-            <default-bindings context-service="java:jboss/ee/concurrency/context/default" datasource="java:jboss/datasources/ExampleDS" managed-executor-service="java:jboss/ee/concurrency/executor/default" managed-scheduled-executor-service="java:jboss/ee/concurrency/scheduler/default" managed-thread-factory="java:jboss/ee/concurrency/factory/default"/>
-        </subsystem>
-        <subsystem xmlns="urn:jboss:domain:ejb3:9.0">
-            <session-bean>
-                <stateless>
-                    <bean-instance-pool-ref pool-name="slsb-strict-max-pool"/>
-                </stateless>
-                <stateful default-access-timeout="5000" cache-ref="simple" passivation-disabled-cache-ref="simple"/>
-                <singleton default-access-timeout="5000"/>
-            </session-bean>
-            <pools>
-                <bean-instance-pools>
-                    <strict-max-pool name="mdb-strict-max-pool" derive-size="from-cpu-count" instance-acquisition-timeout="5" instance-acquisition-timeout-unit="MINUTES"/>
-                    <strict-max-pool name="slsb-strict-max-pool" derive-size="from-worker-pools" instance-acquisition-timeout="5" instance-acquisition-timeout-unit="MINUTES"/>
-                </bean-instance-pools>
-            </pools>
-            <caches>
-                <cache name="simple"/>
-                <cache name="distributable" passivation-store-ref="infinispan" aliases="passivating clustered"/>
-            </caches>
-            <passivation-stores>
-                <passivation-store name="infinispan" cache-container="ejb" max-size="10000"/>
-            </passivation-stores>
-            <async thread-pool-name="default"/>
-            <timer-service thread-pool-name="default" default-data-store="default-file-store">
-                <data-stores>
-                    <file-data-store name="default-file-store" path="timer-service-data" relative-to="jboss.server.data.dir"/>
-                </data-stores>
-            </timer-service>
-            <remote cluster="ejb" connectors="http-remoting-connector" thread-pool-name="default">
-                <channel-creation-options>
-                    <option name="MAX_OUTBOUND_MESSAGES" value="1234" type="remoting"/>
-                </channel-creation-options>
-            </remote>
-            <thread-pools>
-                <thread-pool name="default">
-                    <max-threads count="10"/>
-                    <keepalive-time time="60" unit="seconds"/>
-                </thread-pool>
-            </thread-pools>
-            <default-security-domain value="other"/>
-            <default-missing-method-permissions-deny-access value="true"/>
-            <statistics enabled="${wildfly.ejb3.statistics-enabled:${wildfly.statistics-enabled:false}}"/>
-            <log-system-exceptions value="true"/>
-        </subsystem>
-        <subsystem xmlns="urn:wildfly:health:1.0" security-enabled="false"/>
-        <subsystem xmlns="urn:jboss:domain:io:3.0">
-            <worker name="default"/>
-            <buffer-pool name="default"/>
-        </subsystem>
-        <subsystem xmlns="urn:jboss:domain:jaxrs:2.0"/>
-        <subsystem xmlns="urn:jboss:domain:jca:5.0">
-            <archive-validation enabled="true" fail-on-error="true" fail-on-warn="false"/>
-            <bean-validation enabled="true"/>
-            <default-workmanager>
-                <short-running-threads>
-                    <core-threads count="50"/>
-                    <queue-length count="50"/>
-                    <max-threads count="50"/>
-                    <keepalive-time time="10" unit="seconds"/>
-                </short-running-threads>
-                <long-running-threads>
-                    <core-threads count="50"/>
-                    <queue-length count="50"/>
-                    <max-threads count="50"/>
-                    <keepalive-time time="10" unit="seconds"/>
-                </long-running-threads>
-            </default-workmanager>
-            <cached-connection-manager/>
-        </subsystem>
-        <subsystem xmlns="urn:jboss:domain:jmx:1.3">
-            <expose-resolved-model/>
-            <expose-expression-model/>
-            <remoting-connector/>
-        </subsystem>
-        <subsystem xmlns="urn:jboss:domain:jpa:1.1">
-            <jpa default-extended-persistence-inheritance="DEEP"/>
-        </subsystem>
-        <subsystem xmlns="urn:jboss:domain:infinispan:12.0">
-            <cache-container name="keycloak" modules="org.keycloak.keycloak-model-infinispan">
-                <local-cache name="realms">
-                    <heap-memory size="10000"/>
-                </local-cache>
-                <local-cache name="users">
-                    <heap-memory size="10000"/>
-                </local-cache>
-                <local-cache name="sessions"/>
-                <local-cache name="authenticationSessions"/>
-                <local-cache name="offlineSessions"/>
-                <local-cache name="clientSessions"/>
-                <local-cache name="offlineClientSessions"/>
-                <local-cache name="loginFailures"/>
-                <local-cache name="work"/>
-                <local-cache name="authorization">
-                    <heap-memory size="10000"/>
-                </local-cache>
-                <local-cache name="keys">
-                    <heap-memory size="1000"/>
-                    <expiration max-idle="3600000"/>
-                </local-cache>
-                <local-cache name="actionTokens">
-                    <heap-memory size="-1"/>
-                    <expiration max-idle="-1" interval="300000"/>
-                </local-cache>
-            </cache-container>
-            <cache-container name="server" default-cache="default" modules="org.wildfly.clustering.server">
-                <local-cache name="default">
-                    <transaction mode="BATCH"/>
-                </local-cache>
-            </cache-container>
-            <cache-container name="web" default-cache="passivation" modules="org.wildfly.clustering.web.infinispan">
-                <local-cache name="passivation">
-                    <locking isolation="REPEATABLE_READ"/>
-                    <transaction mode="BATCH"/>
-                    <file-store passivation="true" purge="false"/>
-                </local-cache>
-                <local-cache name="sso">
-                    <locking isolation="REPEATABLE_READ"/>
-                    <transaction mode="BATCH"/>
-                </local-cache>
-                <local-cache name="routing"/>
-            </cache-container>
-            <cache-container name="ejb" aliases="sfsb" default-cache="passivation" modules="org.wildfly.clustering.ejb.infinispan">
-                <local-cache name="passivation">
-                    <locking isolation="REPEATABLE_READ"/>
-                    <transaction mode="BATCH"/>
-                    <file-store passivation="true" purge="false"/>
-                </local-cache>
-            </cache-container>
-            <cache-container name="hibernate" modules="org.infinispan.hibernate-cache">
-                <local-cache name="entity">
-                    <heap-memory size="10000"/>
-                    <expiration max-idle="100000"/>
-                </local-cache>
-                <local-cache name="local-query">
-                    <heap-memory size="10000"/>
-                    <expiration max-idle="100000"/>
-                </local-cache>
-                <local-cache name="timestamps"/>
-            </cache-container>
-        </subsystem>
-        <subsystem xmlns="urn:jboss:domain:keycloak-server:1.1">
-            <web-context>auth</web-context>
-            <providers>
-                <provider>classpath:${jboss.home.dir}/providers/*</provider>
-            </providers>
-            <master-realm-name>master</master-realm-name>
-            <scheduled-task-interval>900</scheduled-task-interval>
-            <theme>
-                <staticMaxAge>2592000</staticMaxAge>
-                <cacheThemes>true</cacheThemes>
-                <cacheTemplates>true</cacheTemplates>
-                <dir>${jboss.home.dir}/themes</dir>
-            </theme>
-            <spi name="eventsStore">
-                <provider name="jpa" enabled="true">
-                    <properties>
-                        <property name="exclude-events" value="[&quot;REFRESH_TOKEN&quot;]"/>
-                    </properties>
-                </provider>
-            </spi>
-            <spi name="userCache">
-                <provider name="default" enabled="true"/>
-            </spi>
-            <spi name="userSessionPersister">
-                <default-provider>jpa</default-provider>
-            </spi>
-            <spi name="timer">
-                <default-provider>basic</default-provider>
-            </spi>
-            <spi name="connectionsHttpClient">
-                <provider name="default" enabled="true"/>
-            </spi>
-            <spi name="connectionsJpa">
-                <provider name="default" enabled="true">
-                    <properties>
-                        <property name="dataSource" value="java:jboss/datasources/KeycloakDS"/>
-                        <property name="initializeEmpty" value="true"/>
-                        <property name="migrationStrategy" value="update"/>
-                        <property name="migrationExport" value="${jboss.home.dir}/keycloak-database-update.sql"/>
-                    </properties>
-                </provider>
-            </spi>
-            <spi name="realmCache">
-                <provider name="default" enabled="true"/>
-            </spi>
-            <spi name="connectionsInfinispan">
-                <default-provider>default</default-provider>
-                <provider name="default" enabled="true">
-                    <properties>
-                        <property name="cacheContainer" value="java:jboss/infinispan/container/keycloak"/>
-                    </properties>
-                </provider>
-            </spi>
-            <spi name="jta-lookup">
-                <default-provider>${keycloak.jta.lookup.provider:jboss}</default-provider>
-                <provider name="jboss" enabled="true"/>
-            </spi>
-            <spi name="publicKeyStorage">
-                <provider name="infinispan" enabled="true">
-                    <properties>
-                        <property name="minTimeBetweenRequests" value="10"/>
-                    </properties>
-                </provider>
-            </spi>
-            <spi name="x509cert-lookup">
-                <default-provider>${keycloak.x509cert.lookup.provider:default}</default-provider>
-                <provider name="default" enabled="true"/>
-            </spi>
-            <spi name="hostname">
-                <default-provider>default</default-provider>
-                <provider name="default" enabled="true">
-                    <properties>
-                        <property name="frontendUrl" value="${keycloak.frontendUrl:}"/>
-                        <property name="forceBackendUrlToFrontendUrl" value="false"/>
-                    </properties>
-                </provider>
-            </spi>
-        </subsystem>
-        <subsystem xmlns="urn:jboss:domain:undertow:12.0" default-server="default-server" default-virtual-host="default-host" default-servlet-container="default" default-security-domain="other" statistics-enabled="${wildfly.undertow.statistics-enabled:${wildfly.statistics-enabled:false}}">
-            <buffer-cache name="default"/>
-            <server name="default-server">
-                <http-listener name="default" socket-binding="http" enable-http2="true" proxy-address-forwarding="true" redirect-socket="proxy-https"/>
-                <https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true"/>
-                <host name="default-host" alias="localhost">
-                    <location name="/" handler="welcome-content"/>
-                    <http-invoker security-realm="ApplicationRealm"/>
-                </host>
-            </server>
-            <servlet-container name="default">
-                <jsp-config/>
-                <websockets/>
-            </servlet-container>
-            <handlers>
-                <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
-            </handlers>
-        </subsystem>
-        <subsystem xmlns="urn:jboss:domain:logging:8.0">
-            <console-handler name="CONSOLE">
-                <level name="INFO"/>
-                <formatter>
-                    <named-formatter name="COLOR-PATTERN"/>
-                </formatter>
-            </console-handler>
-            <periodic-rotating-file-handler name="FILE" autoflush="true">
-                <formatter>
-                    <named-formatter name="PATTERN"/>
-                </formatter>
-                <file relative-to="jboss.server.log.dir" path="server.log"/>
-                <suffix value=".yyyy-MM-dd"/>
-                <append value="true"/>
-            </periodic-rotating-file-handler>
-            <logger category="com.arjuna">
-                <level name="WARN"/>
-            </logger>
-            <logger category="io.jaegertracing.Configuration">
-                <level name="WARN"/>
-            </logger>
-            <logger category="org.jboss.as.config">
-                <level name="DEBUG"/>
-            </logger>
-            <logger category="sun.rmi">
-                <level name="WARN"/>
-            </logger>
-            <root-logger>
-                <level name="INFO"/>
-                <handlers>
-                    <handler name="CONSOLE"/>
-                    <handler name="FILE"/>
-                </handlers>
-            </root-logger>
-            <formatter name="PATTERN">
-                <pattern-formatter pattern="%d{yyyy-MM-dd HH:mm:ss,SSS} %-5p [%c] (%t) %s%e%n"/>
-            </formatter>
-            <formatter name="COLOR-PATTERN">
-                <pattern-formatter pattern="%K{level}%d{HH:mm:ss,SSS} %-5p [%c] (%t) %s%e%n"/>
-            </formatter>
-        </subsystem>
-        <subsystem xmlns="urn:jboss:domain:mail:4.0">
-            <mail-session name="default" jndi-name="java:jboss/mail/Default">
-                <smtp-server outbound-socket-binding-ref="mail-smtp"/>
-            </mail-session>
-        </subsystem>
-        <subsystem xmlns="urn:wildfly:metrics:1.0" security-enabled="false" exposed-subsystems="*" prefix="${wildfly.metrics.prefix:wildfly}"/>
-        <subsystem xmlns="urn:jboss:domain:naming:2.0">
-            <remote-naming/>
-        </subsystem>
-        <subsystem xmlns="urn:jboss:domain:remoting:4.0">
-            <http-connector name="http-remoting-connector" connector-ref="default" security-realm="ApplicationRealm"/>
-        </subsystem>
-        <subsystem xmlns="urn:jboss:domain:request-controller:1.0"/>
-        <subsystem xmlns="urn:jboss:domain:security-manager:1.0">
-            <deployment-permissions>
-                <maximum-set>
-                    <permission class="java.security.AllPermission"/>
-                </maximum-set>
-            </deployment-permissions>
-        </subsystem>
-        <subsystem xmlns="urn:jboss:domain:security:2.0">
-            <security-domains>
-                <security-domain name="other" cache-type="default">
-                    <authentication>
-                        <login-module code="Remoting" flag="optional">
-                            <module-option name="password-stacking" value="useFirstPass"/>
-                        </login-module>
-                        <login-module code="RealmDirect" flag="required">
-                            <module-option name="password-stacking" value="useFirstPass"/>
-                        </login-module>
-                    </authentication>
-                </security-domain>
-                <security-domain name="jboss-web-policy" cache-type="default">
-                    <authorization>
-                        <policy-module code="Delegating" flag="required"/>
-                    </authorization>
-                </security-domain>
-                <security-domain name="jaspitest" cache-type="default">
-                    <authentication-jaspi>
-                        <login-module-stack name="dummy">
-                            <login-module code="Dummy" flag="optional"/>
-                        </login-module-stack>
-                        <auth-module code="Dummy"/>
-                    </authentication-jaspi>
-                </security-domain>
-                <security-domain name="jboss-ejb-policy" cache-type="default">
-                    <authorization>
-                        <policy-module code="Delegating" flag="required"/>
-                    </authorization>
-                </security-domain>
-            </security-domains>
-        </subsystem>
-        <subsystem xmlns="urn:jboss:domain:datasources:6.0">
-            <datasources>
-                <datasource jndi-name="java:jboss/datasources/ExampleDS" pool-name="ExampleDS" enabled="true" use-java-context="true" statistics-enabled="${wildfly.datasources.statistics-enabled:${wildfly.statistics-enabled:false}}">
-                    <connection-url>jdbc:h2:mem:test;DB_CLOSE_DELAY=-1;DB_CLOSE_ON_EXIT=FALSE</connection-url>
-                    <driver>h2</driver>
-                    <security>
-                        <user-name>sa</user-name>
-                        <password>sa</password>
-                    </security>
-                </datasource>
-                <datasource jndi-name="java:jboss/datasources/KeycloakDS" pool-name="KeycloakDS" enabled="true" use-java-context="true" statistics-enabled="${wildfly.datasources.statistics-enabled:${wildfly.statistics-enabled:false}}">
-                    <connection-url>jdbc:h2:${jboss.server.data.dir}/keycloak;AUTO_SERVER=TRUE</connection-url>
-                    <driver>h2</driver>
-                    <security>
-                        <user-name>sa</user-name>
-                        <password>sa</password>
-                    </security>
-                </datasource>
-                <drivers>
-                    <driver name="h2" module="com.h2database.h2">
-                        <xa-datasource-class>org.h2.jdbcx.JdbcDataSource</xa-datasource-class>
-                    </driver>
-                </drivers>
-            </datasources>
-        </subsystem>
-        <subsystem xmlns="urn:wildfly:elytron:13.0" final-providers="combined-providers" disallowed-providers="OracleUcrypto">
-            <providers>
-                <aggregate-providers name="combined-providers">
-                    <providers name="elytron"/>
-                    <providers name="openssl"/>
-                </aggregate-providers>
-                <provider-loader name="elytron" module="org.wildfly.security.elytron"/>
-                <provider-loader name="openssl" module="org.wildfly.openssl"/>
-            </providers>
-            <audit-logging>
-                <file-audit-log name="local-audit" path="audit.log" relative-to="jboss.server.log.dir" format="JSON"/>
-            </audit-logging>
-            <security-domains>
-                <security-domain name="ApplicationDomain" default-realm="ApplicationRealm" permission-mapper="default-permission-mapper">
-                    <realm name="ApplicationRealm" role-decoder="groups-to-roles"/>
-                    <realm name="local"/>
-                </security-domain>
-                <security-domain name="ManagementDomain" default-realm="ManagementRealm" permission-mapper="default-permission-mapper">
-                    <realm name="ManagementRealm" role-decoder="groups-to-roles"/>
-                    <realm name="local" role-mapper="super-user-mapper"/>
-                </security-domain>
-            </security-domains>
-            <security-realms>
-                <identity-realm name="local" identity="$local"/>
-                <properties-realm name="ApplicationRealm">
-                    <users-properties path="application-users.properties" relative-to="jboss.server.config.dir" digest-realm-name="ApplicationRealm"/>
-                    <groups-properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
-                </properties-realm>
-                <properties-realm name="ManagementRealm">
-                    <users-properties path="mgmt-users.properties" relative-to="jboss.server.config.dir" digest-realm-name="ManagementRealm"/>
-                    <groups-properties path="mgmt-groups.properties" relative-to="jboss.server.config.dir"/>
-                </properties-realm>
-            </security-realms>
-            <mappers>
-                <simple-permission-mapper name="default-permission-mapper" mapping-mode="first">
-                    <permission-mapping>
-                        <principal name="anonymous"/>
-                        <permission-set name="default-permissions"/>
-                    </permission-mapping>
-                    <permission-mapping match-all="true">
-                        <permission-set name="login-permission"/>
-                        <permission-set name="default-permissions"/>
-                    </permission-mapping>
-                </simple-permission-mapper>
-                <constant-realm-mapper name="local" realm-name="local"/>
-                <simple-role-decoder name="groups-to-roles" attribute="groups"/>
-                <constant-role-mapper name="super-user-mapper">
-                    <role name="SuperUser"/>
-                </constant-role-mapper>
-            </mappers>
-            <permission-sets>
-                <permission-set name="login-permission">
-                    <permission class-name="org.wildfly.security.auth.permission.LoginPermission"/>
-                </permission-set>
-                <permission-set name="default-permissions">
-                    <permission class-name="org.wildfly.extension.batch.jberet.deployment.BatchPermission" module="org.wildfly.extension.batch.jberet" target-name="*"/>
-                    <permission class-name="org.wildfly.transaction.client.RemoteTransactionPermission" module="org.wildfly.transaction.client"/>
-                    <permission class-name="org.jboss.ejb.client.RemoteEJBPermission" module="org.jboss.ejb-client"/>
-                </permission-set>
-            </permission-sets>
-            <http>
-                <http-authentication-factory name="management-http-authentication" security-domain="ManagementDomain" http-server-mechanism-factory="global">
-                    <mechanism-configuration>
-                        <mechanism mechanism-name="DIGEST">
-                            <mechanism-realm realm-name="ManagementRealm"/>
-                        </mechanism>
-                    </mechanism-configuration>
-                </http-authentication-factory>
-                <provider-http-server-mechanism-factory name="global"/>
-            </http>
-            <sasl>
-                <sasl-authentication-factory name="application-sasl-authentication" sasl-server-factory="configured" security-domain="ApplicationDomain">
-                    <mechanism-configuration>
-                        <mechanism mechanism-name="JBOSS-LOCAL-USER" realm-mapper="local"/>
-                        <mechanism mechanism-name="DIGEST-MD5">
-                            <mechanism-realm realm-name="ApplicationRealm"/>
-                        </mechanism>
-                    </mechanism-configuration>
-                </sasl-authentication-factory>
-                <sasl-authentication-factory name="management-sasl-authentication" sasl-server-factory="configured" security-domain="ManagementDomain">
-                    <mechanism-configuration>
-                        <mechanism mechanism-name="JBOSS-LOCAL-USER" realm-mapper="local"/>
-                        <mechanism mechanism-name="DIGEST-MD5">
-                            <mechanism-realm realm-name="ManagementRealm"/>
-                        </mechanism>
-                    </mechanism-configuration>
-                </sasl-authentication-factory>
-                <configurable-sasl-server-factory name="configured" sasl-server-factory="elytron">
-                    <properties>
-                        <property name="wildfly.sasl.local-user.default-user" value="$local"/>
-                    </properties>
-                </configurable-sasl-server-factory>
-                <mechanism-provider-filtering-sasl-server-factory name="elytron" sasl-server-factory="global">
-                    <filters>
-                        <filter provider-name="WildFlyElytron"/>
-                    </filters>
-                </mechanism-provider-filtering-sasl-server-factory>
-                <provider-sasl-server-factory name="global"/>
-            </sasl>
-            <tls>
-                <key-stores>
-                    <key-store name="applicationKS">
-                        <credential-reference clear-text="password"/>
-                        <implementation type="JKS"/>
-                        <file path="application.keystore" relative-to="jboss.server.config.dir"/>
-                    </key-store>
-                </key-stores>
-                <key-managers>
-                    <key-manager name="applicationKM" key-store="applicationKS" generate-self-signed-certificate-host="localhost">
-                        <credential-reference clear-text="password"/>
-                    </key-manager>
-                </key-managers>
-                <server-ssl-contexts>
-                    <server-ssl-context name="applicationSSC" key-manager="applicationKM"/>
-                </server-ssl-contexts>
-            </tls>
-        </subsystem>
-        <subsystem xmlns="urn:jboss:domain:transactions:6.0">
-            <core-environment node-identifier="${jboss.tx.node.id:1}">
-                <process-id>
-                    <uuid/>
-                </process-id>
-            </core-environment>
-            <recovery-environment socket-binding="txn-recovery-environment" status-socket-binding="txn-status-manager"/>
-            <coordinator-environment statistics-enabled="${wildfly.transactions.statistics-enabled:${wildfly.statistics-enabled:false}}"/>
-            <object-store path="tx-object-store" relative-to="jboss.server.data.dir"/>
-        </subsystem>
-        <subsystem xmlns="urn:jboss:domain:weld:4.0"/>
-    </profile>
-    <interfaces>
-        <interface name="management">
-            <inet-address value="${jboss.bind.address.management:127.0.0.1}"/>
-        </interface>
-        <interface name="public">
-            <inet-address value="${jboss.bind.address:127.0.0.1}"/>
-        </interface>
-    </interfaces>
-    <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
-        <socket-binding name="proxy-https" port="443"/>
-        <socket-binding name="ajp" port="${jboss.ajp.port:8009}"/>
-        <socket-binding name="http" port="${jboss.http.port:8080}"/>
-        <socket-binding name="https" port="${jboss.https.port:8443}"/>
-        <socket-binding name="management-http" interface="management" port="${jboss.management.http.port:9990}"/>
-        <socket-binding name="management-https" interface="management" port="${jboss.management.https.port:9993}"/>
-        <socket-binding name="txn-recovery-environment" port="4712"/>
-        <socket-binding name="txn-status-manager" port="4713"/>
-        <outbound-socket-binding name="mail-smtp">
-            <remote-destination host="${jboss.mail.server.host:localhost}" port="${jboss.mail.server.port:25}"/>
-        </outbound-socket-binding>
-    </socket-binding-group>
-</server>