# systemd unit template for a Keycloak server started through kc.sh.
# The {{ ... }} placeholders are filled in by the templating step before the
# unit is installed. Values are substituted unescaped, so a value containing
# a double quote, a backslash or "%" would be reinterpreted by systemd
# (quoting / specifier expansion) -- TODO confirm inputs are constrained.

[Unit]
Description=Keycloak server
# Start only once the network is reported as online.
After=network-online.target
Wants=network-online.target systemd-networkd-wait-online.service

[Service]
# Run as a dedicated unprivileged account rather than root.
User=keycloak
Group=keycloak
ExecStart=/opt/keycloak/current/bin/kc.sh start
WorkingDirectory=/opt/keycloak/current
# ProtectSystem=strict (below) leaves the file system read-only for this
# service; these are the only paths reopened for writing.
ReadWritePaths=/opt/keycloak/current/conf /opt/keycloak/current/data /opt/keycloak/current/lib/quarkus
# 143 = 128 + SIGTERM; presumably the JVM's exit status on a normal stop, so
# it is treated as a clean exit instead of a failure.
SuccessExitStatus=0 143
# Seconds; generous limits for slow start-up and shutdown.
TimeoutStartSec=600
TimeoutStopSec=600
Environment="KC_HTTP_HOST={{ keycloak_http_host}}"
Environment="KC_HOSTNAME={{ inventory_hostname }}"
Environment="KC_DB=postgres"
Environment="KC_DB_USERNAME={{ keycloak_postgresql_username }}"
# NOTE(review): secrets set with Environment= are not protected. systemd
# exposes unit environment to unprivileged local clients (for example via
# "systemctl show"), and the rendered unit file is typically world-readable.
# Prefer EnvironmentFile= pointing at a root-owned file with mode 0600, or
# LoadCredential=, and keep the password out of this template.
Environment="KC_DB_PASSWORD={{ keycloak_postgresql_password }}"
Environment="KC_DB_URL_DATABASE={{ keycloak_postgresql_database }}"
Environment="KC_DB_URL_HOST=localhost"
# NOTE(review): edge proxy mode means TLS is terminated by a reverse proxy and
# Keycloak relies on the headers it forwards. KC_HTTP_HOST should therefore be
# an address only that proxy can reach (e.g. loopback) -- confirm the value
# supplied for keycloak_http_host.
Environment="KC_PROXY=edge"
Environment="KC_HTTP_RELATIVE_PATH=auth"

# Hardening options
# Empty assignments: no capabilities in the bounding set and none ambient.
CapabilityBoundingSet=
AmbientCapabilities=
# The service and its children cannot gain privileges through setuid/setgid
# binaries or file capabilities.
NoNewPrivileges=true
# /home, /root and /run/user are inaccessible to the service.
ProtectHome=true
# Whole file system hierarchy is read-only except /dev, /proc and /sys;
# see ReadWritePaths= above for the exceptions.
ProtectSystem=strict
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
# Private /tmp and /var/tmp, and a minimal private /dev.
PrivateTmp=true
PrivateDevices=true
LockPersonality=true
# NOTE(review): "systemd-analyze security <unit>" lists sandboxing settings
# not applied here (e.g. RestrictAddressFamilies=, RestrictNamespaces=,
# SystemCallFilter=). MemoryDenyWriteExecute= is likely incompatible with the
# JVM's JIT compiler -- verify before enabling.

[Install]
WantedBy=multi-user.target