diff --git a/CLAUDE.md b/CLAUDE.md
index 67687db..82ed044 100644
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -102,6 +102,11 @@ kubectl --context=minikube-indri logs -n <namespace> <pod>  # View logs
 
 Note: The user has fish abbreviations `ki` for `kubectl --context=minikube-indri` and `k9i` for `k9s --context=minikube-indri`, but these only work in interactive shells.
 
+**ArgoCD login (when token expires):**
+```fish
+argocd login argocd.tail8d86e.ts.net --username admin --password "$(op --vault vg6xf6vvfmoh5hqjjhlhbeoaie item get srogeebssulhtb6tnqd7ls6qey --fields password --reveal)"
+```
+
 ### Indri Services (via Ansible)
 
 Some services remain on indri outside of Kubernetes:
diff --git a/argocd/manifests/forgejo-runner/configmap.yaml b/argocd/manifests/forgejo-runner/configmap.yaml
index 1728edb..584efe0 100644
--- a/argocd/manifests/forgejo-runner/configmap.yaml
+++ b/argocd/manifests/forgejo-runner/configmap.yaml
@@ -11,16 +11,3 @@ data:
       file: /data/.runner
       capacity: 1
       timeout: 3h
-    container:
-      # Use Kubernetes to run job pods
-      backend: kubernetes
-      kubernetes:
-        namespace: forgejo-runner
-        # Job pods use these resource limits
-        resources:
-          requests:
-            cpu: "100m"
-            memory: "256Mi"
-          limits:
-            cpu: "1000m"
-            memory: "1Gi"
diff --git a/argocd/manifests/forgejo-runner/deployment.yaml b/argocd/manifests/forgejo-runner/deployment.yaml
index 4c02da8..d0939de 100644
--- a/argocd/manifests/forgejo-runner/deployment.yaml
+++ b/argocd/manifests/forgejo-runner/deployment.yaml
@@ -38,7 +38,7 @@ spec:
                   --instance "$FORGEJO_INSTANCE_URL" \
                   --token "$RUNNER_TOKEN" \
                   --name "$RUNNER_NAME" \
-                  --labels "ubuntu-latest:docker://node:20-bookworm,ubuntu-22.04:docker://ubuntu:22.04" \
+                  --labels "ubuntu-latest:host,ubuntu-22.04:host" \
                   --no-interactive
               fi
               # Start the runner daemon with config
diff --git a/argocd/manifests/forgejo-runner/kustomization.yaml b/argocd/manifests/forgejo-runner/kustomization.yaml
index eb3839e..332c49c 100644
--- a/argocd/manifests/forgejo-runner/kustomization.yaml
+++ b/argocd/manifests/forgejo-runner/kustomization.yaml
@@ -4,6 +4,5 @@ namespace: forgejo-runner
 resources:
   - namespace.yaml
   - serviceaccount.yaml
-  - rbac.yaml
   - configmap.yaml
   - deployment.yaml
diff --git a/argocd/manifests/forgejo-runner/rbac.yaml b/argocd/manifests/forgejo-runner/rbac.yaml
deleted file mode 100644
index 9f25bca..0000000
--- a/argocd/manifests/forgejo-runner/rbac.yaml
+++ /dev/null
@@ -1,27 +0,0 @@
-# RBAC for Forgejo runner to create job pods
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: forgejo-runner
-  namespace: forgejo-runner
-rules:
-  - apiGroups: [""]
-    resources: ["pods"]
-    verbs: ["get", "list", "create", "delete", "watch"]
-  - apiGroups: [""]
-    resources: ["pods/log"]
-    verbs: ["get", "list", "watch"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: forgejo-runner
-  namespace: forgejo-runner
-subjects:
-  - kind: ServiceAccount
-    name: forgejo-runner
-    namespace: forgejo-runner
-roleRef:
-  kind: Role
-  name: forgejo-runner
-  apiGroup: rbac.authorization.k8s.io