[Unit]
Description=keycloak daemon
After=syslog.target
After=network.target

[Service]
Type=simple
ExecStart=/opt/keycloak-bin/bin/kc.sh start --optimized
Restart=always
RestartSec=5

# Optional security enhancements
NoNewPrivileges=yes
PrivateTmp=yes
ProtectSystem=strict
ProtectHome=yes
ReadWritePaths=/var/lib/keycloak
AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target