diff --git a/keycloak/hooks/post_deploy b/keycloak/hooks/post_deploy
new file mode 100755
index 0000000..fa3546b
--- /dev/null
+++ b/keycloak/hooks/post_deploy
@@ -0,0 +1,37 @@
+#!/bin/bash
+
+## Init is run on host
+## For now it is run every time the script is launched, but
+## it should be launched only once after build.
+
+## Accessible variables are:
+## - SERVICE_NAME        Name of current service
+## - DOCKER_BASE_IMAGE   Base image from which this service might be built if any
+## - SERVICE_DATASTORE           Location on host of the DATASTORE of this service
+## - SERVICE_CONFIGSTORE         Location on host of the CONFIGSTORE of this service
+
+PASSWORD_SET_CONTROL="$SERVICE_CONFIGSTORE/.password-set-control"
+
+set -e
+
+if [ -e "$PASSWORD_SET_CONTROL" ]; then
+    exit 0
+fi
+
+containers=($(get_running_containers_for_service "$SERVICE_NAME"))
+if [ "${#containers[@]}" == 0 ]; then
+    err "no containers found for service ${DARKYELLOW}$SERVICE_NAME${NORMAL}"
+    exit 1
+fi
+
+## It is not possible at first glance to reset password, so we decided
+## to set to admin/admin. This means it is important to change the
+## admin password as soon as possible.
+
+## XXXvlab: taking the first container
+container_id="${containers[0]}"
+docker exec "$container_id" \
+       /opt/jboss/keycloak/bin/add-user-keycloak.sh \
+       -u "admin" -p "admin"
+docker restart "$container_id"
+mkdir -p "${PASSWORD_SET_CONTROL%/*}" && touch "$PASSWORD_SET_CONTROL"