diff --git a/molecule/quarkus/converge.yml b/molecule/quarkus/converge.yml
index b7c15e1..cb3b9f8 100644
--- a/molecule/quarkus/converge.yml
+++ b/molecule/quarkus/converge.yml
@@ -23,6 +23,9 @@
     keycloak_quarkus_systemd_wait_for_delay: 2
     keycloak_quarkus_systemd_wait_for_log: true
     keycloak_quarkus_restart_health_check: false # would fail because of self-signed cert
+    keycloak_quarkus_additional_env_vars:
+      - key: KC_FEATURES_DISABLED
+        value: impersonation,kerberos
     keycloak_quarkus_providers:
       - id: http-client
         spi: connections
diff --git a/roles/keycloak_quarkus/tasks/rebuild_config.yml b/roles/keycloak_quarkus/tasks/rebuild_config.yml
index ac78504..1d43127 100644
--- a/roles/keycloak_quarkus/tasks/rebuild_config.yml
+++ b/roles/keycloak_quarkus/tasks/rebuild_config.yml
@@ -2,9 +2,6 @@
 # cf. https://www.keycloak.org/server/configuration#_optimize_the_keycloak_startup
 - name: "Rebuild {{ keycloak.service_name }} config"
   ansible.builtin.shell: | # noqa blocked_modules shell is necessary here
-    {{ keycloak.home }}/bin/kc.sh build
-  environment:
-    PATH: "{{ keycloak_quarkus_java_home | default(keycloak_quarkus_pkg_java_home, true) }}/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
-    JAVA_HOME: "{{ keycloak_quarkus_java_home | default(keycloak_quarkus_pkg_java_home, true) }}"
+    env -i bash -c "set -a ; source {{ keycloak_quarkus_sysconf_file }} ; {{ keycloak.home }}/bin/kc.sh build "
   become: true
   changed_when: true
diff --git a/roles/keycloak_quarkus/tasks/systemd.yml b/roles/keycloak_quarkus/tasks/systemd.yml
index 47f0570..e22b9fe 100644
--- a/roles/keycloak_quarkus/tasks/systemd.yml
+++ b/roles/keycloak_quarkus/tasks/systemd.yml
@@ -22,4 +22,5 @@
   become: true
   register: systemdunit
   notify:
+    - rebuild keycloak config
     - restart keycloak
diff --git a/roles/keycloak_quarkus/templates/keycloak-sysconfig.j2 b/roles/keycloak_quarkus/templates/keycloak-sysconfig.j2
index 244d9aa..c1b1c7b 100644
--- a/roles/keycloak_quarkus/templates/keycloak-sysconfig.j2
+++ b/roles/keycloak_quarkus/templates/keycloak-sysconfig.j2
@@ -7,7 +7,7 @@ KC_BOOTSTRAP_ADMIN_PASSWORD='{{ keycloak_quarkus_bootstrap_admin_password }}'
 {% endif %}
 PATH={{ keycloak_quarkus_java_home | default(keycloak_sys_pkg_java_home, true) }}/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
 JAVA_HOME={{ keycloak_quarkus_java_home | default(keycloak_sys_pkg_java_home, true) }}
-JAVA_OPTS={{ keycloak_quarkus_java_opts }}
+JAVA_OPTS='{{ keycloak_quarkus_java_opts }}'
 
 # Custom ENV variables
 {% for env in keycloak_quarkus_additional_env_vars %}