diff --git a/ansible.cfg b/ansible.cfg index 084b1ec..7c22aeb 100644 --- a/ansible.cfg +++ b/ansible.cfg @@ -1,2 +1,5 @@ [defaults] inventory = ./inventories/z9/hosts.yaml + +[passwordstore_lookup] +backend = pass diff --git a/inventories/z9/host_vars/keycloak.yaml b/inventories/z9/host_vars/keycloak.yaml index 9c0131f..117b263 100644 --- a/inventories/z9/host_vars/keycloak.yaml +++ b/inventories/z9/host_vars/keycloak.yaml @@ -1,4 +1,4 @@ -docker_compose__compose_file_content: "{{ lookup('ansible.builtin.file', 'configs/keycloak/compose.yaml') }}" +docker_compose__compose_file_content: "{{ lookup('ansible.builtin.template', 'configs/keycloak/compose.yaml.j2') }}" docker_compose__configuration_files: [ ] cert__acme_account_email: j+letsencrypt-ccchh@jsts.xyz diff --git a/playbooks/files/configs/keycloak/compose.yaml b/playbooks/templates/configs/keycloak/compose.yaml.j2 similarity index 83% rename from playbooks/files/configs/keycloak/compose.yaml rename to playbooks/templates/configs/keycloak/compose.yaml.j2 index 5a06002..5f68180 100644 --- a/playbooks/files/configs/keycloak/compose.yaml +++ b/playbooks/templates/configs/keycloak/compose.yaml.j2 @@ -46,11 +46,11 @@ services: - keycloak environment: KEYCLOAK_ADMIN: admin - # KEYCLOAK_ADMIN_PASSWORD: in secrets file + KEYCLOAK_ADMIN_PASSWORD: {{ lookup("community.general.passwordstore", "vm-secrets/keycloak/KEYCLOAK_ADMIN_PASSWORD", create=false, missing="error") }} KC_DB: postgres KC_DB_URL_HOST: db KC_DB_USERNAME: keycloak - # KC_DB_PASSWORD: in secrets file + KC_DB_PASSWORD: {{ lookup("community.general.passwordstore", "vm-secrets/keycloak/KC_DB_PASSWORD", create=false, missing="error") }} KC_HOSTNAME: id.ccchh.net KC_HOSTNAME_STRICT_BACKCHANNEL: true KC_HOSTNAME_ADMIN: keycloak-admin.ccchh.net 
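Review bot: After the switch to `ansible.builtin.template`, `docker_compose__compose_file_content` holds the rendered Keycloak admin and database passwords instead of a secret-free file. Whatever task writes this variable to the host can now expose them through `--diff` output, verbose logging or a world-readable compose file. The consuming role is not part of this diff, so it should be confirmed that the writing task sets `no_log: true` (or at least `diff: false`) and a restrictive mode such as `mode: "0600"`.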
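Review bot: The looked-up secrets are emitted as unquoted plain scalars on the `KEYCLOAK_ADMIN_PASSWORD` and `KC_DB_PASSWORD` lines, so the rendered YAML depends on which characters the password contains. A value containing ` #` or `: `, starting with an indicator such as `*`, `!` or `{`, or looking like a number or boolean is truncated, retyped or rejected by the parser, and Compose additionally interpolates any `$` in it. Escaping and quoting in the template avoids this, for example `KC_DB_PASSWORD: {{ lookup("community.general.passwordstore", "vm-secrets/keycloak/KC_DB_PASSWORD", create=false, missing="error") | replace("$", "$$") | to_json }}`. The same applies to `POSTGRES_PASSWORD` in the later hunk of this file. The `environment:` mapping starts and ends outside this hunk.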
@@ -69,7 +69,7 @@ services: - "./database:/var/lib/postgresql/data" environment: POSTGRES_USER: keycloak - # POSTGRES_PASSWORD: in secrets file + POSTGRES_PASSWORD: {{ lookup("community.general.passwordstore", "vm-secrets/keycloak/POSTGRES_PASSWORD", create=false, missing="error") }} POSTGRES_DB: keycloak env_file: - db_secrets.env # Must be managed by the admin manually. Not managed by Ansible.
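Review bot: The `env_file: - db_secrets.env` entry and its comment "Must be managed by the admin manually. Not managed by Ansible." are left unchanged, although `POSTGRES_PASSWORD` now comes from the password store. Compose gives `environment` precedence over `env_file`, so a password still kept in that file is silently ignored, and by default a missing file makes `docker compose up` fail. Either drop the entry or reword the comment to say what the file is still needed for, e.g. `# Optional extra settings only; POSTGRES_PASSWORD comes from the password store.` Note also that `KC_DB_PASSWORD` and `POSTGRES_PASSWORD` are read from two separate store entries that presumably must hold the same value, so a single shared entry would remove that drift risk. The service definition continues outside this hunk.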