diff --git a/gitea/application.yaml b/gitea/application.yaml
index 9e6aa85..144c5e5 100644
--- a/gitea/application.yaml
+++ b/gitea/application.yaml
@@ -71,9 +71,16 @@ spec:
 app.kubernetes.io/name: gitea
 spec:
 enableServiceLinks: false
+ securityContext:
+ fsGroup: 1000
+ runAsUser: 1000
+ runAsGroup: 1000
+ runAsNonRoot: true
 containers:
 - name: gitea
- image: gitea/gitea:1.20.2
+ image: gitea/gitea:1.20.2-rootless
+ securityContext:
+ readOnlyRootFilesystem: true
 env:
 - name: GITEA__ADMIN__DISABLE_REGULAR_ORG_CREATION
 value: "true"
@@ -85,8 +92,8 @@ spec:
 value: "/cert/tls.crt"
 - name: GITEA__SERVER__KEY_FILE
 value: "/cert/tls.key"
- - name: GITEA__SERVER__SSH_LISTEN_PORT
- value: "2222"
+ - name: GITEA__SERVER__SSH_PORT
+ value: "22"
 - name: GITEA__SERVER__PROTOCOL
 value: https
 - name: GITEA__SERVER__REDIRECT_OTHER_PORT
@@ -174,11 +181,19 @@ spec:
 - containerPort: 2222
 name: ssh
 volumeMounts:
+ - mountPath: /tmp
+ name: tmp
+ - mountPath: /etc/gitea
+ name: etc
 - mountPath: /cert
 name: cert
- - mountPath: /data
+ - mountPath: /var/lib/gitea
 name: data
 volumes:
+ - name: tmp
+ emptyDir: {}
+ - name: etc
+ emptyDir: {}
 - name: cert
 secret:
 secretName: git-tls
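Review bot: The container-level `securityContext` added under the `gitea` container sets only `readOnlyRootFilesystem: true`, so privilege escalation and the runtime's default capability set are still in place. I would add `allowPrivilegeEscalation: false` and `capabilities: {drop: ["ALL"]}` there, and `seccompProfile: {type: RuntimeDefault}` to the pod-level block. If any listener in this pod binds a port below 1024, check that before dropping capabilities. The image is also referenced by a mutable tag (`1.20.2-rootless`); pinning it by digest would tie the hardening to the image that was actually reviewed.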
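Review bot: Replacing `GITEA__SERVER__SSH_LISTEN_PORT` with `GITEA__SERVER__SSH_PORT` in the second hunk leaves the built-in SSH server's bind port unset, and in Gitea the listen port falls back to `SSH_PORT` unless it is configured separately. The pod still declares `containerPort: 2222` for `ssh` and now runs as UID 1000, so a listener that ends up on 22 would either fail to bind or miss the declared port; which one depends on what the rootless image's entrypoint writes into the config, and that is not visible here. Keeping the listen port explicit next to the new entry removes that dependency: `- name: GITEA__SERVER__SSH_LISTEN_PORT` with `value: "2222"`. A one-line comment saying `SSH_PORT` is only the port advertised in clone URLs would also help the next reader.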
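Review bot: Backing `/etc/gitea` with `emptyDir: {}` in the third hunk makes the generated configuration ephemeral, so anything Gitea writes there is lost on every pod restart. That presumably includes the `[security]` `SECRET_KEY` and `INTERNAL_TOKEN` and the JWT secrets, unless they are injected through `GITEA__` env entries outside this hunk. A rotated `SECRET_KEY` can make previously encrypted values unreadable, so those settings should come from a Secret, as the TLS material already does. Both new `emptyDir` volumes are also unbounded; a cap such as `emptyDir: {sizeLimit: 64Mi}` (illustrative value) keeps a runaway `/tmp` from filling the node's disk. The move of the `data` mount from `/data` to `/var/lib/gitea` also deserves a comment on whether the existing volume contents were migrated to the rootless layout.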