diff --git a/django-22-04/files/var/lib/cloud/scripts/per-instance/001_onboot b/django-22-04/files/var/lib/cloud/scripts/per-instance/001_onboot
index 61ecbaf6..f930f18b 100755
--- a/django-22-04/files/var/lib/cloud/scripts/per-instance/001_onboot
+++ b/django-22-04/files/var/lib/cloud/scripts/per-instance/001_onboot
@@ -60,7 +60,7 @@ done
 echo "${DJANGO_USER}:${DJANGO_USER_PASSWORD}" | chpasswd - # Set up postgres user and database
-if [ -f "/root/.digitalocean_dbaas_credentials" ] && [ "$(sed -n "s/^db_protocol=\"\([^:]*\):.*\"$/\1/p" /root/.digitalocean_dbaas_credentials)" = "postgresql" ]; then
+if [ -f "/root/.digitalocean_dbaas_credentials" ] && [ "$(sed -n "s/^db_protocol=\"\(.*\)\"$/\1/p" /root/.digitalocean_dbaas_credentials)" = "postgresql" ]; then
 # grab all the data from the dbaas credentials file
 DJANGO_POSTGRESS_HOST=$(sed -n "s/^db_host=\"\(.*\)\"$/\1/p" /root/.digitalocean_dbaas_credentials)
 DJANGO_POSTGRESS_PORT=$(sed -n "s/^db_port=\"\(.*\)\"$/\1/p" /root/.digitalocean_dbaas_credentials)
diff --git a/keycloak-22-04/files/etc/nginx/sites-available/keycloak b/keycloak-22-04/files/etc/nginx/sites-available/keycloak
new file mode 100644
index 00000000..208cb22d
--- /dev/null
+++ b/keycloak-22-04/files/etc/nginx/sites-available/keycloak
@@ -0,0 +1,33 @@
+server {
+ listen 80;
+ server_name _;
+
+ location ~ /.well-known {
+ allow all;
+ }
+
+ location / {
+ proxy_pass https://localhost:8443;
+ proxy_set_header Host $host:8443;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+}
+
+server {
+ listen 9001;
+ server_name _;
+
+ location ~ /.well-known {
+ allow all;
+ }
+
+ location / {
+ proxy_pass https://localhost:9000;
+ proxy_set_header Host $host:9000;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+}
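Review bot: The new pattern `s/^db_protocol=\"\(.*\)\"$/\1/p` only matches when the value is the bare protocol name, while the old one only matched the `protocol:...` form, so whichever format `/root/.digitalocean_dbaas_credentials` is written in, one of the two versions of this `if` silently compares `""` to `"postgresql"` and skips the managed-database branch with no message, presumably leaving the instance on a local database. A pattern that accepts both forms, `[ "$(sed -n "s/^db_protocol=\"\([^:\"]*\).*\"$/\1/p" /root/.digitalocean_dbaas_credentials)" = "postgresql" ]`, keeps the format change from being a silent regression, and an `else` branch that logs "credentials file present but db_protocol not recognised" to stderr would make any future mismatch visible. The identical one-line change appears in `lamp-18-04/scripts/011-lamp.sh`, `lamp-20-04/scripts/011-lamp.sh` and the three `wp_setup.sh` hunks for wordpress-18-04, wordpress-20-04 and wordpress-22-04, and the same regex applies to all of them. The body of this `if` continues past the hunk.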
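Review bot: The first `location /` forwards `X-Forwarded-Proto $scheme` from a `listen 80` server, so the backend at `https://localhost:8443` is told every client arrived over plain HTTP; if Keycloak is configured to trust these proxy headers it will presumably build redirect URIs and cookies for an http origin, and logins cross the network in cleartext until this listener terminates TLS (the template installs `python3-certbot-nginx` for exactly that). The upstream is reached with `proxy_pass https://...` and nginx leaves `proxy_ssl_verify` off by default, which is likely intended for the container's own keystore but deserves a line saying so, e.g. `# proxy_ssl_verify is left at its default (off): the 8443 cert is the local keystore, not a public CA — confirm`. The second server block publishes `localhost:9000` on port 9001 under `server_name _`; if 9000 is Keycloak's management interface (health/metrics), `listen 127.0.0.1:9001;` or an `allow`/`deny` list keeps it off the public interface.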
diff --git a/keycloak-22-04/files/etc/update-motd.d/99-one-click b/keycloak-22-04/files/etc/update-motd.d/99-one-click new file mode 100755 index 00000000..5e7ec02e --- /dev/null +++ b/keycloak-22-04/files/etc/update-motd.d/99-one-click @@ -0,0 +1,48 @@ +#!/bin/sh +# +# Configured as part of the DigitalOcean 1-Click Image build process + +# Read in the passwords.... +. /root/.digitalocean_passwords + +dbaas_text="" +if [ -f "/root/.digitalocean_dbaas_credentials" ]; then + . /root/.digitalocean_dbaas_credentials + dbaas_text="Keycloak is configured to use managed database. Use the following credentials to manage the database: + Database: keycloak + Host: ${db_host} + Port: ${db_port} + User: keycloak + Pass: ${KEYCLOAK_DATABASE_PASSWORD}" +else + dbaas_text="Keycloak is configured to use local Postgres as its database. Use the following credentials to manage the database: + Database: keycloak + User: keycloak + Pass: ${KEYCLOAK_DATABASE_PASSWORD}" +fi + +myip=$(hostname -I | awk '{print$1}') +cat < /root/.digitalocean_passwords <> /var/temp.log + +# Run keycloak image with network mode set to host, +# so Keycloak connects to the Postgres as localhost, not docker internal host +docker run -d --network=host \ + --name keycloak \ + -e KEYCLOAK_ADMIN=admin \ + -e KEYCLOAK_ADMIN_PASSWORD=${KEYCLOAK_ADMIN_PASSWD} \ + -e KC_DB=${DB_TYPE} \ + -e KC_DB_URL=jdbc:postgresql://${DB_HOST}:${DB_PORT}/keycloak \ + -e KC_DB_USERNAME=${DB_USER} \ + -e KC_DB_PASSWORD=${DB_PASS} \ + -e KC_HOSTNAME=${DROPLET_IP} \ + local-keycloak \ + start \ + --https-key-store-password=${KEYSTORE_PASSWORD} \ + --optimized >> /var/temp.log + + +# Allow ports used by keycloak for redirecting +ufw allow 8443 +ufw allow 9000 + +# Remove the ssh force logout command +sed -e '/Match User root/d' \ + -e '/.*ForceCommand.*droplet.*/d' \ + -i /etc/ssh/sshd_config + +systemctl restart ssh 
diff --git a/keycloak-22-04/scripts/01-keycloak.sh b/keycloak-22-04/scripts/01-keycloak.sh
new file mode 100644
index 00000000..d0449efd
--- /dev/null
+++ b/keycloak-22-04/scripts/01-keycloak.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+# non-interactive install
+export DEBIAN_FRONTEND=noninteractive
+
+sudo apt -y install postgresql docker.io docker-compose super
+systemctl start docker
+systemctl enable docker
+
+# Set up nginx
+ln -s /etc/nginx/sites-available/keycloak /etc/nginx/sites-enabled/keycloak
+unlink /etc/nginx/sites-enabled/default
+service nginx restart
diff --git a/keycloak-22-04/template.json b/keycloak-22-04/template.json
new file mode 100644
index 00000000..0295cdff
--- /dev/null
+++ b/keycloak-22-04/template.json
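Review bot: `sudo apt -y install postgresql docker.io docker-compose super` reinstalls packages the template's `apt_packages` provisioner has already installed, and the unversioned `postgresql` metapackage can resolve to a different major version than the `postgresql-16` pinned there once the pgdg repository is enabled, which would leave two clusters on the image; dropping this line, or pinning `postgresql-16` here as well, avoids that. The script has no `set -e`, so a failed `ln -s` or `unlink` still falls through to `service nginx restart` and the build reports success; `set -euo pipefail` after the shebang, `ln -sf /etc/nginx/sites-available/keycloak /etc/nginx/sites-enabled/keycloak`, and `nginx -t && systemctl restart nginx` make each step fail loudly and catch a broken site file before nginx is bounced. `sudo` is unnecessary in a provisioner that connects as `root` (`ssh_username` in the template) and is absent from the sibling `systemctl` lines, so it reads as a leftover.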
@@ -0,0 +1,81 @@
+{
+ "variables": {
+ "do_api_token": "{{env `DIGITALOCEAN_API_TOKEN`}}",
+ "image_name": "keycloak-22-04-snapshot-{{timestamp}}",
+ "apt_packages": "postgresql-16 docker.io docker-compose super nginx python3 python3-certbot python3-certbot-nginx",
+ "application_name": "Keycloak",
+ "application_version": "latest"
+ },
+ "sensitive-variables": [
+ "do_api_token"
+ ],
+ "builders": [
+ {
+ "type": "digitalocean",
+ "api_token": "{{user `do_api_token`}}",
+ "image": "ubuntu-22-04-x64",
+ "region": "nyc3",
+ "size": "s-1vcpu-1gb",
+ "ssh_username": "root",
+ "snapshot_name": "{{user `image_name`}}"
+ }
+ ],
+ "provisioners": [
+ {
+ "type": "shell",
+ "inline": [
+ "cloud-init status --wait"
+ ]
+ },
+ {
+ "type": "file",
+ "source": "common/files/var/",
+ "destination": "/var/"
+ },
+ {
+ "type": "file",
+ "source": "keycloak-22-04/files/etc/",
+ "destination": "/etc/"
+ },
+ {
+ "type": "file",
+ "source": "keycloak-22-04/files/var/",
+ "destination": "/var/"
+ },
+ {
+ "type": "shell",
+ "environment_vars": [
+ "DEBIAN_FRONTEND=noninteractive",
+ "LC_ALL=C",
+ "LANG=en_US.UTF-8",
+ "LC_CTYPE=en_US.UTF-8"
+ ],
+ "inline": [
+ "sh -c 'echo \"deb https://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main\" > /etc/apt/sources.list.d/pgdg.list'",
+ "wget --quiet -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | sudo apt-key add -",
+ "apt -qqy update",
+ "apt -qqy -o Dpkg::Options::='--force-confdef' -o Dpkg::Options::='--force-confold' full-upgrade",
+ "apt -qqy -o Dpkg::Options::='--force-confdef' -o Dpkg::Options::='--force-confold' install {{user `apt_packages`}}",
+ "apt-get -qqy clean"
+ ]
+ },
+ {
+ "type": "shell",
+ "environment_vars": [
+ "application_name={{user `application_name`}}",
+ "application_version={{user `application_version`}}",
+ "DEBIAN_FRONTEND=noninteractive",
+ "LC_ALL=C",
+ "LANG=en_US.UTF-8",
+ "LC_CTYPE=en_US.UTF-8"
+ ],
+ "scripts": [
+ "keycloak-22-04/scripts/01-keycloak.sh",
+ "common/scripts/018-force-ssh-logout.sh",
+ "common/scripts/014-ufw-nginx.sh",
+ "common/scripts/020-application-tag.sh",
+ "common/scripts/900-cleanup.sh"
+ ]
+ }
+ ]
+}
diff --git a/lamp-18-04/scripts/011-lamp.sh b/lamp-18-04/scripts/011-lamp.sh
index 49b65529..bc660ac5 100755
--- a/lamp-18-04/scripts/011-lamp.sh
+++ b/lamp-18-04/scripts/011-lamp.sh
@@ -6,7 +6,7 @@ chown -R www-data: /var/www
 chown -R www-data: /var/www/html
 # if applicable, configure lamp to use & wait for a mysql dbaas instance.
-if [ -f "/root/.digitalocean_dbaas_credentials" ] && [ "$(sed -n "s/^db_protocol=\"\([^:]*\):.*\"$/\1/p" /root/.digitalocean_dbaas_credentials)" = "mysql" ]; then
+if [ -f "/root/.digitalocean_dbaas_credentials" ] && [ "$(sed -n "s/^db_protocol=\"\(.*\)\"$/\1/p" /root/.digitalocean_dbaas_credentials)" = "mysql" ]; then
 # grab host & port to block until database connection is ready
 host=$(sed -n "s/^db_host=\"\(.*\)\"$/\1/p" /root/.digitalocean_dbaas_credentials)
 port=$(sed -n "s/^db_port=\"\(.*\)\"$/\1/p" /root/.digitalocean_dbaas_credentials)
diff --git a/lamp-20-04/scripts/011-lamp.sh b/lamp-20-04/scripts/011-lamp.sh
index 49b65529..bc660ac5 100755
--- a/lamp-20-04/scripts/011-lamp.sh
+++ b/lamp-20-04/scripts/011-lamp.sh
@@ -6,7 +6,7 @@ chown -R www-data: /var/www
 chown -R www-data: /var/www/html
 # if applicable, configure lamp to use & wait for a mysql dbaas instance.
-if [ -f "/root/.digitalocean_dbaas_credentials" ] && [ "$(sed -n "s/^db_protocol=\"\([^:]*\):.*\"$/\1/p" /root/.digitalocean_dbaas_credentials)" = "mysql" ]; then
+if [ -f "/root/.digitalocean_dbaas_credentials" ] && [ "$(sed -n "s/^db_protocol=\"\(.*\)\"$/\1/p" /root/.digitalocean_dbaas_credentials)" = "mysql" ]; then
 # grab host & port to block until database connection is ready
 host=$(sed -n "s/^db_host=\"\(.*\)\"$/\1/p" /root/.digitalocean_dbaas_credentials)
 port=$(sed -n "s/^db_port=\"\(.*\)\"$/\1/p" /root/.digitalocean_dbaas_credentials)
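Review bot: `wget --quiet -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | sudo apt-key add -` adds the PGDG key to the global APT trust store, where it can sign any repository on the image, and `apt-key` is deprecated on 22.04; writing it to a dedicated keyring and scoping it with `signed-by` confines its trust to the PGDG source: `"install -d -m 0755 /etc/apt/keyrings"`, `"wget --quiet -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | gpg --dearmor -o /etc/apt/keyrings/postgresql.gpg"`, and `deb [signed-by=/etc/apt/keyrings/postgresql.gpg] https://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main` in the `pgdg.list` line above it. `apt_packages` also installs `super`, a setuid-root helper for delegating commands to other users, and nothing in this commit configures or calls it; if no script on the image needs it, removing it takes one setuid binary off an identity-provider host. The `sudo` in the key line is redundant for an `ssh_username` of `root` and inconsistent with the surrounding `apt` commands.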
diff --git a/wordpress-18-04/files/opt/digitalocean/wp_setup.sh b/wordpress-18-04/files/opt/digitalocean/wp_setup.sh
index 2c91781c..b184e0af 100755
--- a/wordpress-18-04/files/opt/digitalocean/wp_setup.sh
+++ b/wordpress-18-04/files/opt/digitalocean/wp_setup.sh
@@ -15,7 +15,7 @@ fi
 chown -Rf www-data:www-data /var/www/html
 # if applicable, configure wordpress to use mysql dbaas
-if [ -f "/root/.digitalocean_dbaas_credentials" ] && [ "$(sed -n "s/^db_protocol=\"\([^:]*\):.*\"$/\1/p" /root/.digitalocean_dbaas_credentials)" = "mysql" ]; then
+if [ -f "/root/.digitalocean_dbaas_credentials" ] && [ "$(sed -n "s/^db_protocol=\"\(.*\)\"$/\1/p" /root/.digitalocean_dbaas_credentials)" = "mysql" ]; then
 # grab all the data from the password file
 username=$(sed -n "s/^db_username=\"\(.*\)\"$/\1/p" /root/.digitalocean_dbaas_credentials)
 password=$(sed -n "s/^db_password=\"\(.*\)\"$/\1/p" /root/.digitalocean_dbaas_credentials)
diff --git a/wordpress-20-04/files/root/wp_setup.sh b/wordpress-20-04/files/root/wp_setup.sh
index e4b5421c..e9d38fbb 100755
--- a/wordpress-20-04/files/root/wp_setup.sh
+++ b/wordpress-20-04/files/root/wp_setup.sh
@@ -15,7 +15,7 @@ fi
 chown -Rf www-data:www-data /var/www/html
 # if applicable, configure wordpress to use mysql dbaas
-if [ -f "/root/.digitalocean_dbaas_credentials" ] && [ "$(sed -n "s/^db_protocol=\"\([^:]*\):.*\"$/\1/p" /root/.digitalocean_dbaas_credentials)" = "mysql" ]; then
+if [ -f "/root/.digitalocean_dbaas_credentials" ] && [ "$(sed -n "s/^db_protocol=\"\(.*\)\"$/\1/p" /root/.digitalocean_dbaas_credentials)" = "mysql" ]; then
 # grab all the data from the password file
 username=$(sed -n "s/^db_username=\"\(.*\)\"$/\1/p" /root/.digitalocean_dbaas_credentials)
 password=$(sed -n "s/^db_password=\"\(.*\)\"$/\1/p" /root/.digitalocean_dbaas_credentials)
diff --git a/wordpress-22-04/files/root/wp_setup.sh b/wordpress-22-04/files/root/wp_setup.sh
index e4b5421c..e9d38fbb 100755
--- a/wordpress-22-04/files/root/wp_setup.sh
+++ b/wordpress-22-04/files/root/wp_setup.sh
@@ -15,7 +15,7 @@ fi
 chown -Rf www-data:www-data /var/www/html
 # if applicable, configure wordpress to use mysql dbaas
-if [ -f "/root/.digitalocean_dbaas_credentials" ] && [ "$(sed -n "s/^db_protocol=\"\([^:]*\):.*\"$/\1/p" /root/.digitalocean_dbaas_credentials)" = "mysql" ]; then
+if [ -f "/root/.digitalocean_dbaas_credentials" ] && [ "$(sed -n "s/^db_protocol=\"\(.*\)\"$/\1/p" /root/.digitalocean_dbaas_credentials)" = "mysql" ]; then
 # grab all the data from the password file
 username=$(sed -n "s/^db_username=\"\(.*\)\"$/\1/p" /root/.digitalocean_dbaas_credentials)
 password=$(sed -n "s/^db_password=\"\(.*\)\"$/\1/p" /root/.digitalocean_dbaas_credentials)
diff --git a/wordpress-22-04/template.json b/wordpress-22-04/template.json
index 020037f4..681a3dc5 100644
--- a/wordpress-22-04/template.json
+++ b/wordpress-22-04/template.json
@@ -56,6 +56,8 @@
 "LC_CTYPE=en_US.UTF-8"
 ],
 "inline": [
+ "gpg --keyserver keyserver.ubuntu.com --recv B7B3B788A8D3785C",
+ "gpg --export --armor B7B3B788A8D3785C | apt-key add -",
 "add-apt-repository -y ppa:ondrej/php",
 "wget -c https://dev.mysql.com/get/mysql-apt-config_0.8.22-1_all.deb",
 "dpkg -i mysql-apt-config_0.8.22-1_all.deb",
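Review bot: `gpg --keyserver keyserver.ubuntu.com --recv B7B3B788A8D3785C` accepts whatever the keyserver returns for that key ID without comparing the full fingerprint, and the `apt-key add -` on the next line then makes that key a trust anchor for every APT source on the image rather than only the MySQL repository; `apt-key` is also deprecated on 22.04. Fetching the key from the vendor's site over TLS (or checking its full fingerprint against the one MySQL publishes right after the `--recv`) and storing it under `/etc/apt/keyrings/` with a `signed-by=` entry in the MySQL source limits the damage if the keyserver ever serves the wrong key. The `wget -c https://dev.mysql.com/get/mysql-apt-config_0.8.22-1_all.deb` and `dpkg -i` lines that follow rely on TLS alone with no checksum or signature check of the package, so the repository key is the only other integrity control on this install path and is worth getting right. The enclosing `inline` array continues past the hunk.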