diff --git a/.gitignore b/.gitignore
index 8ccc75b..c249811 100644
--- a/.gitignore
+++ b/.gitignore
@@ -36,3 +36,4 @@ report.[0-9]_.[0-9]_.[0-9]_.[0-9]_.json
 /data/
 
 /cloudflare.yaml
+/secret.*.yaml
diff --git a/charts/apps/charts/gitea/templates/_runner-deployment.yaml b/charts/apps/charts/gitea/templates/_runner-deployment.yaml
new file mode 100644
index 0000000..9973799
--- /dev/null
+++ b/charts/apps/charts/gitea/templates/_runner-deployment.yaml
@@ -0,0 +1,36 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: '{{ .Release.Name }}-runner'
+  labels:
+    app: '{{ .Release.Name }}-runner'
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: '{{ .Release.Name }}-runner'
+  template:
+    metadata:
+      labels:
+        app: '{{ .Release.Name }}-runner'
+    spec:
+      containers:
+        - name: '{{ .Release.Name }}-runner'
+          image: docker.io/gitea/act_runner:latest-dind-rootless
+          env:
+            - name: GITEA_INSTANCE_URL
+              value: '{{ .Release.Name }}'
+            - name: GITEA_RUNNER_NAME
+            - name: GITEA_RUNNER_REGISTRATION_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: '{{ .Release.Name }}-runner'
+                  key: registration_token
+            - name: DOCKER_HOST
+              value: tcp://localhost:2376
+            - name: DOCKER_CERT_PATH
+              value: /certs/client
+            - name: DOCKER_TLS_VERIFY
+              value: '1'
+          securityContext:
+            privileged: true
diff --git a/charts/apps/charts/gitea/templates/deployment.yaml b/charts/apps/charts/gitea/templates/deployment.yaml
index bf65af1..5225374 100644
--- a/charts/apps/charts/gitea/templates/deployment.yaml
+++ b/charts/apps/charts/gitea/templates/deployment.yaml
@@ -22,6 +22,9 @@ spec:
             - name: http
               containerPort: 3000
               protocol: TCP
+            - name: ssh
+              containerPort: 22
+              protocol: TCP
           livenessProbe:
             tcpSocket:
               port: http
@@ -40,8 +43,8 @@ spec:
               value: '1000'
             - name: GITEA__service__REQUIRE_EXTERNAL_REGISTRATION_PASSWORD
               value: 'true'
-            - name: GITEA__service__ENABLE_BASIC_AUTHENTICATION
-              value: 'true'
+            #- name: GITEA__service__ENABLE_BASIC_AUTHENTICATION
+            #  value: 'true'
             - name: GITEA__service__ENABLE_PASSWORD_SIGNIN_FORM
               value: 'false'
             - name: GITEA__service__DEFAULT_KEEP_EMAIL_PRIVATE
diff --git a/charts/apps/charts/gitea/templates/service.yaml b/charts/apps/charts/gitea/templates/service.yaml
index f1ca183..61eac02 100644
--- a/charts/apps/charts/gitea/templates/service.yaml
+++ b/charts/apps/charts/gitea/templates/service.yaml
@@ -13,3 +13,20 @@ spec:
       name: http
   selector:
     app: '{{ .Release.Name }}'
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: '{{ .Release.Name }}-ssh'
+  labels:
+    app: '{{ .Release.Name }}'
+spec:
+  type: LoadBalancer
+  ports:
+    - port: 2202
+      targetPort: 22
+      protocol: TCP
+      name: ssh
+  selector:
+    app: '{{ .Release.Name }}'