diff --git a/molecule/debian/converge.yml b/molecule/debian/converge.yml index 0be6a85..17517b8 100644 --- a/molecule/debian/converge.yml +++ b/molecule/debian/converge.yml @@ -2,7 +2,6 @@ - name: Converge hosts: all vars: - keycloak_admin_password: "remembertochangeme" keycloak_quarkus_admin_pass: "remembertochangeme" keycloak_realm: TestRealm keycloak_quarkus_log: file @@ -38,3 +37,5 @@ - role: keycloak_quarkus - role: keycloak_realm keycloak_realm: TestRealm + keycloak_admin_password: "remembertochangeme" + keycloak_context: '' diff --git a/molecule/debian/verify.yml b/molecule/debian/verify.yml index 040558a..59bf483 100644 --- a/molecule/debian/verify.yml +++ b/molecule/debian/verify.yml @@ -16,18 +16,6 @@ - ansible_facts.services["keycloak.service"]["state"] == "running" - ansible_facts.services["keycloak.service"]["status"] == "enabled" - - name: Verify we are running on requested JAVA_HOME # noqa blocked_modules command-instead-of-module - ansible.builtin.shell: | - set -o pipefail - ps -ef | grep '/opt/openjdk' | grep -v grep - args: - executable: /bin/bash - changed_when: False - - - name: Set internal envvar - ansible.builtin.set_fact: - hera_home: "{{ lookup('env', 'HERA_HOME') }}" - - name: Verify openid config block: - name: Fetch openID config # noqa blocked_modules command-instead-of-module diff --git a/roles/keycloak/defaults/main.yml b/roles/keycloak/defaults/main.yml index 6658774..cfa9a3f 100644 --- a/roles/keycloak/defaults/main.yml +++ b/roles/keycloak/defaults/main.yml @@ -8,8 +8,6 @@ keycloak_installdir: "{{ keycloak_dest }}/keycloak-{{ keycloak_version }}" keycloak_offline_install: false ### Install location and service settings -keycloak_jvm_package: "{{ 'java-1.8.0-openjdk-headless' if ansible_facts.os_family == 'RedHat' else 'openjdk-8-jdk-headless' }}" - keycloak_java_home: keycloak_dest: /opt/keycloak keycloak_jboss_home: "{{ keycloak_installdir }}" 
diff --git a/roles/keycloak/tasks/main.yml b/roles/keycloak/tasks/main.yml index 284900b..a21f359 100644 --- a/roles/keycloak/tasks/main.yml +++ b/roles/keycloak/tasks/main.yml @@ -5,15 +5,8 @@ tags: - prereqs -- name: Debian specific tasks - ansible.builtin.include_tasks: debian.yml - when: ansible_facts.os_family == "Debian" - tags: - - unbound - -- name: RedHat specific tasks - ansible.builtin.include_tasks: redhat.yml - when: ansible_facts.os_family == "RedHat" +- name: Distro specific tasks + ansible.builtin.include_tasks: "{{ ansible_os_family | lower }}.yml" tags: - unbound diff --git a/roles/keycloak/tasks/prereqs.yml b/roles/keycloak/tasks/prereqs.yml index 565931b..c92bb1c 100644 --- a/roles/keycloak/tasks/prereqs.yml +++ b/roles/keycloak/tasks/prereqs.yml @@ -36,12 +36,20 @@ success_msg: "Configuring JDBC persistence using {{ keycloak_jdbc_engine }} database" when: keycloak_db_enabled +- name: Validate OS family + ansible.builtin.assert: + that: + - ansible_os_family in ["RedHat", "Debian"] + quiet: true + fail_msg: "Can only install on RedHat or Debian OS families; found {{ ansible_os_family }}" + success_msg: "Installing on {{ ansible_os_family }}" + +- name: Load OS specific variables + ansible.builtin.include_vars: "vars/{{ ansible_os_family | lower }}.yml" + tags: + - always + - name: Ensure required packages are installed ansible.builtin.include_tasks: fastpackages.yml vars: - packages_list: - - "{{ keycloak_jvm_package }}" - - unzip - - "{{ 'procps-ng' if ansible_facts.os_family == 'RedHat' else 'procps' }}" - - "{{ 'initscripts' if ansible_facts.os_family == 'RedHat' else 'apt' }}" - - "{{ 'tzdata-java' if ansible_facts.os_family == 'RedHat' else 'tzdata' }}" + packages_list: "{{ keycloak_prereq_package_list }}" diff --git a/roles/keycloak/tasks/systemd.yml b/roles/keycloak/tasks/systemd.yml index cf84c32..40fa6b8 100644 --- a/roles/keycloak/tasks/systemd.yml +++ b/roles/keycloak/tasks/systemd.yml 
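Review bot: The new `Distro specific tasks` include in roles/keycloak/tasks/main.yml builds its file name from a fact and has no `when` guard, so the assert added in prereqs.yml is the only thing constraining it. The prereqs include above appears to be tagged `prereqs` while this task is tagged `unbound`, so a tag-limited run may reach it without the OS check or the OS variables having been loaded. I would keep an explicit guard here, `when: ansible_facts.os_family in ['Debian', 'RedHat']`. The rest of the role reads `ansible_facts.os_family`, whereas `ansible_os_family` only exists while fact injection is enabled, so I would write `ansible.builtin.include_tasks: "{{ ansible_facts.os_family | lower }}.yml"`.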
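Review bot: Loading `keycloak_jvm_package` through `include_vars` in prereqs.yml raises its precedence above inventory, group_vars and play vars, although it was an overridable role default until this commit. An operator who pins a specific JDK package in inventory would silently get the role's value instead, and only extra vars, role parameters or `set_fact` can still override it. Consider giving the per-OS values an internal name in the vars files and keeping the public variable in defaults/main.yml so that it falls back to the internal one. Separately, `Validate OS family` has no `tags` while the `include_vars` task after it has `always`, so the two can run independently; adding `tags: [always]` to the assert keeps them together.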
@@ -26,29 +26,10 @@ become: true ansible.builtin.template: src: keycloak-sysconfig.j2 - dest: /etc/default/keycloak + dest: "{{ keycloak_sysconf_file }}" owner: root group: root mode: 0644 - vars: - keycloak_rpm_java_home: "{{ rpm_java_home }}" - when: - - ansible_facts.os_family == "Debian" - notify: - - restart keycloak - -- name: "Configure sysconfig file for {{ keycloak.service_name }} service" - become: true - ansible.builtin.template: - src: keycloak-sysconfig.j2 - dest: /etc/sysconfig/keycloak - owner: root - group: root - mode: 0644 - vars: - keycloak_rpm_java_home: "{{ rpm_java_home }}" - when: - - ansible_facts.os_family == "RedHat" notify: - restart keycloak diff --git a/roles/keycloak/templates/keycloak-sysconfig.j2 b/roles/keycloak/templates/keycloak-sysconfig.j2 index 4c38522..33889df 100644 --- a/roles/keycloak/templates/keycloak-sysconfig.j2 +++ b/roles/keycloak/templates/keycloak-sysconfig.j2 @@ -1,6 +1,6 @@ {{ ansible_managed | comment }} JAVA_OPTS='{{ keycloak_java_opts }}' -JAVA_HOME={{ keycloak_java_home | default(keycloak_rpm_java_home, true) }} +JAVA_HOME={{ keycloak_java_home | default(keycloak_pkg_java_home, true) }} JBOSS_HOME={{ keycloak.home }} KEYCLOAK_BIND_ADDRESS={{ keycloak_bind_address }} KEYCLOAK_HTTP_PORT={{ keycloak_http_port }} diff --git a/roles/keycloak/templates/keycloak.service.j2 b/roles/keycloak/templates/keycloak.service.j2 index eea3ba1..9a04e88 100644 --- a/roles/keycloak/templates/keycloak.service.j2 +++ b/roles/keycloak/templates/keycloak.service.j2 @@ -11,7 +11,7 @@ StartLimitBurst={{ keycloak_service_startlimitburst }} User={{ keycloak_service_user }} Group={{ keycloak_service_group }} {% endif -%} -EnvironmentFile=-/etc/sysconfig/keycloak +EnvironmentFile=-{{ keycloak_sysconf_file }} PIDFile={{ keycloak_service_pidfile }} ExecStart={{ keycloak.home }}/bin/standalone.sh $WILDFLY_OPTS WorkingDirectory={{ keycloak.home }} 
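Review bot: The sysconfig task kept in roles/keycloak/tasks/systemd.yml still has an unquoted `mode: 0644`, which relies on the YAML parser reading the value as octal. Since the task is being consolidated here, I would quote it as `mode: "0644"`. With the `when` conditions removed, the task also depends on `keycloak_sysconf_file` having been loaded by prereqs.yml, and a one-line comment above `dest:` saying where that variable comes from would help. The task's `name:` line is above the start of the hunk.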
diff --git a/roles/keycloak/vars/debian.yml b/roles/keycloak/vars/debian.yml new file mode 100644 index 0000000..ac3df14 --- /dev/null +++ b/roles/keycloak/vars/debian.yml @@ -0,0 +1,11 @@ +--- +keycloak_jvm_package: openjdk-11-jdk-headless +keycloak_prereq_package_list: + - "{{ keycloak_jvm_package }}" + - unzip + - procps + - apt + - tzdata +keycloak_configure_iptables: True +keycloak_sysconf_file: /etc/default/keycloak +keycloak_pkg_java_home: "/usr/lib/jvm/java-{{ keycloak_jvm_package | regex_search('(?!:openjdk-)[0-9.]+') }}-openjdk-{{ 'arm64' if ansible_architecture == 'aarch64' else 'amd64' }}" diff --git a/roles/keycloak/vars/redhat.yml b/roles/keycloak/vars/redhat.yml new file mode 100644 index 0000000..206251e --- /dev/null +++ b/roles/keycloak/vars/redhat.yml @@ -0,0 +1,11 @@ +--- +keycloak_jvm_package: java-1.8.0-openjdk-headless +keycloak_prereq_package_list: + - "{{ keycloak_jvm_package }}" + - unzip + - procps-ng + - initscripts + - tzdata-java +keycloak_configure_iptables: False +keycloak_sysconf_file: /etc/sysconfig/keycloak +keycloak_pkg_java_home: "/etc/alternatives/jre_{{ keycloak_jvm_package | regex_search('(?<=java-)[0-9.]+') }}"
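Review bot: In roles/keycloak/vars/debian.yml the pattern `(?!:openjdk-)[0-9.]+` is a negative lookahead for the literal text `:openjdk-`, which never occurs, so it constrains nothing. The result is only correct because the first run of digits in the package name happens to be the version. redhat.yml uses a lookbehind for the same job, so I would write `regex_search('(?<=openjdk-)[0-9.]+')` here. The architecture expression also maps everything other than `aarch64` to `amd64`, so on any other architecture `keycloak_pkg_java_home` would presumably point at a directory that does not exist. As a style point, `keycloak_configure_iptables: True` (and `False` in redhat.yml) should be lowercase `true`/`false`.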