try and fail to reduce acces to the private key

roles/install_gitea/tasks/main.yml

@@ -4,12 +4,11 @@
      path: /var/local/gitea
      state: directory
 
-- name: Ensure the user gitea exist
+- name: Ensure the user gitea exists
   user:
     name: gitea
     create_home: no
     password_lock: yes
-  register: gitea_user
 
 - name: Retrieve info about users
   getent:

roles/install_keycloak/tasks/main.yml

@@ -4,6 +4,16 @@
      path: /var/local/keycloak
      state: directory
 
+- name: Ensure the user keycloak exists
+  user:
+    name: keycloak
+    create_home: no
+    password_lock: yes
+
+- name: Retrieve info about users
+  getent:
+    database: passwd
+
 - name: Warning
   debug:
     msg: This is a test server, do not use in production
@@ -26,12 +36,21 @@
     src: /var/certificates/{{ server_hostname }}_privkey.pem
     dest: /var/local/keycloak/certificates/tls.key
     remote_src: yes
+    owner: keycloak
+    group: keycloak
+    mode: 0644 # 0600 
+# I wanted to limite read access to the private key to one "keycloak" user,
+# but It doesn't works because the user running some script inside the container
+# has a fix uid (1000) and obviously this uid is taken on the host by the first
+# user created... I hope you're serveur is well protected...
 
 - name: Copy certificate
   copy:
     src: /var/certificates/{{ server_hostname }}_cert.pem
     dest: /var/local/keycloak/certificates/tls.crt
     remote_src: yes
+    owner: keycloak
+    group: keycloak
 
 - name: Copy docker-compose.yml
   template:

roles/install_keycloak/templates/docker-compose.yml.j2

@@ -7,6 +7,8 @@ services:
     container_name: keycloak
     restart: always
     environment:
+      - USER_UID={{ getent_passwd["keycloak"].1 }}
+      - USER_GID={{ getent_passwd["keycloak"].2 }}
       - "KEYCLOAK_USER=${USERNAME}"
       - "KEYCLOAK_PASSWORD=${PASSWORD}"
     volumes: