diff --git a/argocd/manifests/forgejo-runner/configmap.yaml b/argocd/manifests/forgejo-runner/configmap.yaml
new file mode 100644
index 0000000..1728edb
--- /dev/null
+++ b/argocd/manifests/forgejo-runner/configmap.yaml
@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: forgejo-runner-config
+  namespace: forgejo-runner
+data:
+  config.yaml: |
+    log:
+      level: info
+    runner:
+      file: /data/.runner
+      capacity: 1
+      timeout: 3h
+    container:
+      # Use Kubernetes to run job pods
+      backend: kubernetes
+      kubernetes:
+        namespace: forgejo-runner
+        # Job pods use these resource limits
+        resources:
+          requests:
+            cpu: "100m"
+            memory: "256Mi"
+          limits:
+            cpu: "1000m"
+            memory: "1Gi"
diff --git a/argocd/manifests/forgejo-runner/deployment.yaml b/argocd/manifests/forgejo-runner/deployment.yaml
index aaca92a..4c02da8 100644
--- a/argocd/manifests/forgejo-runner/deployment.yaml
+++ b/argocd/manifests/forgejo-runner/deployment.yaml
@@ -41,13 +41,13 @@ spec:
                   --labels "ubuntu-latest:docker://node:20-bookworm,ubuntu-22.04:docker://ubuntu:22.04" \
                   --no-interactive
               fi
-              # Start the runner daemon
-              forgejo-runner daemon
+              # Start the runner daemon with config
+              forgejo-runner daemon --config /config/config.yaml
           volumeMounts:
             - name: runner-data
               mountPath: /data
-            - name: docker-sock
-              mountPath: /var/run/docker.sock
+            - name: runner-config
+              mountPath: /config
           resources:
             requests:
               memory: "256Mi"
@@ -58,7 +58,6 @@ spec:
       volumes:
         - name: runner-data
           emptyDir: {}
-        - name: docker-sock
-          hostPath:
-            path: /var/run/docker.sock
-            type: Socket
+        - name: runner-config
+          configMap:
+            name: forgejo-runner-config
diff --git a/argocd/manifests/forgejo-runner/kustomization.yaml b/argocd/manifests/forgejo-runner/kustomization.yaml
index 558b9ff..eb3839e 100644
--- a/argocd/manifests/forgejo-runner/kustomization.yaml
+++ b/argocd/manifests/forgejo-runner/kustomization.yaml
@@ -4,4 +4,6 @@ namespace: forgejo-runner
 resources:
   - namespace.yaml
   - serviceaccount.yaml
+  - rbac.yaml
+  - configmap.yaml
   - deployment.yaml
diff --git a/argocd/manifests/forgejo-runner/rbac.yaml b/argocd/manifests/forgejo-runner/rbac.yaml
new file mode 100644
index 0000000..9f25bca
--- /dev/null
+++ b/argocd/manifests/forgejo-runner/rbac.yaml
@@ -0,0 +1,27 @@
+# RBAC for Forgejo runner to create job pods
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: forgejo-runner
+  namespace: forgejo-runner
+rules:
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["get", "list", "create", "delete", "watch"]
+  - apiGroups: [""]
+    resources: ["pods/log"]
+    verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: forgejo-runner
+  namespace: forgejo-runner
+subjects:
+  - kind: ServiceAccount
+    name: forgejo-runner
+    namespace: forgejo-runner
+roleRef:
+  kind: Role
+  name: forgejo-runner
+  apiGroup: rbac.authorization.k8s.io