# systemd unit template (Jinja2 placeholders are filled in at deploy time).
# Runs the Keycloak server as the unprivileged keycloak user inside a
# read-only, capability-less sandbox, with its settings passed as environment
# variables.
[Unit]
Description=Keycloak server
# Start only after the network is reported online.
# NOTE(review): Wants= also pulls in systemd-networkd-wait-online.service;
# presumably the target hosts are managed by systemd-networkd - confirm.
# NOTE(review): no ordering against the PostgreSQL unit is declared although
# KC_DB_URL_HOST below is localhost - confirm the database is up first at boot.
After=network-online.target
Wants=network-online.target systemd-networkd-wait-online.service

[Service]
User=keycloak
Group=keycloak
ExecStart=/opt/keycloak/keycloak-{{ keycloak_version }}/bin/kc.sh start
WorkingDirectory=/opt/keycloak/keycloak-{{ keycloak_version }}
# The only write exceptions to ProtectSystem=strict (set further down).
# NOTE(review): lib/quarkus holds the server's built artifacts; keeping it
# writable lets the running service modify code it loads on the next start.
# Presumably required because "kc.sh start" is run without a prior build step;
# building at deploy time would allow dropping this entry - confirm.
ReadWritePaths=/opt/keycloak/keycloak-{{ keycloak_version }}/conf
ReadWritePaths=/opt/keycloak/keycloak-{{ keycloak_version }}/data
ReadWritePaths=/opt/keycloak/keycloak-{{ keycloak_version }}/lib/quarkus
# 143 = 128 + 15 (SIGTERM): the status a JVM exits with when systemd stops it,
# counted here as a clean stop rather than a failure.
SuccessExitStatus=0 143
# seconds
TimeoutStartSec=600
TimeoutStopSec=600
# NOTE(review): KC_DB_PASSWORD and KEYCLOAK_ADMIN_PASSWORD are rendered into
# this unit in clear text. Unit files are commonly world-readable and systemd
# exposes Environment= values to unprivileged local users (systemctl show), so
# both secrets should be treated as readable by every account on the host.
# Prefer EnvironmentFile= pointing at a root-owned, mode 0600 file, or
# LoadCredential=.
# NOTE(review): systemd expands percent specifiers and interprets quotes and
# backslashes in these values; a rendered value containing a percent sign, a
# double quote or a backslash is altered or makes the line unparsable. Escape
# at render time (a literal percent sign is written twice).
Environment="KC_HTTP_HOST={{ keycloak_http_host }}"
Environment="KC_HOSTNAME=https://{{ inventory_hostname }}"
Environment="KC_DB=postgres"
Environment="KC_DB_USERNAME={{ keycloak_postgresql_username }}"
Environment="KC_DB_PASSWORD={{ keycloak_postgresql_password }}"
Environment="KC_DB_URL_DATABASE={{ keycloak_postgresql_database }}"
Environment="KC_DB_URL_HOST=localhost"
#Environment="KC_HTTP_RELATIVE_PATH=auth"
# Plain-HTTP listener; the public name above is https, so TLS is presumably
# terminated by a reverse proxy on this host. The Forwarded header is honoured
# only from the addresses in KC_PROXY_TRUSTED_ADDRESSES (loopback, set below).
# NOTE(review): this is safe only if keycloak_http_host renders to a loopback
# address; otherwise the cleartext listener is reachable from the network -
# confirm the variable's value.
Environment="KC_HTTP_ENABLED=true"
Environment="KC_PROXY_HEADERS=forwarded"
# Credentials for the initial admin account.
# NOTE(review): the initial password remains in this unit after the first
# start; rotate it in Keycloak afterwards. Newer Keycloak releases name these
# variables KC_BOOTSTRAP_ADMIN_USERNAME / KC_BOOTSTRAP_ADMIN_PASSWORD - check
# against keycloak_version.
Environment="KEYCLOAK_ADMIN={{ keycloak_initial_admin_name }}"
Environment="KEYCLOAK_ADMIN_PASSWORD={{ keycloak_initial_admin_password }}"
Environment="KC_PROXY_TRUSTED_ADDRESSES=127.0.0.0/8"

# Hardening options
# The two empty assignments clear the capability bounding set and the ambient
# set, so the service runs without any Linux capability.
CapabilityBoundingSet=
AmbientCapabilities=
NoNewPrivileges=true
ProtectHome=true
# Mounts the file system read-only for the service; the ReadWritePaths= entries
# above are the only writable locations besides the private /tmp.
ProtectSystem=strict
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
PrivateTmp=true
PrivateDevices=true
LockPersonality=true
# NOTE(review): further sandboxing (e.g. RestrictSUIDSGID=, ProtectKernelLogs=,
# RestrictNamespaces=, SystemCallFilter=) is not set; evaluate each against the
# JVM before enabling. "systemd-analyze security <unit>" lists what remains open.

[Install]
WantedBy=multi-user.target