diff --git a/roles/ihmgit_back/tasks/main.yml b/roles/ihmgit_back/tasks/main.yml
index 4e8f774..0de1380 100644
--- a/roles/ihmgit_back/tasks/main.yml
+++ b/roles/ihmgit_back/tasks/main.yml
@@ -48,6 +48,16 @@
   become: true
   become_user: postgres
 
+- name: make sure the Gitea user owns its work-directories
+  file:
+    path: '{{item}}'
+    state: directory
+    owner: git
+    recurse: true
+  with_items:
+    - /var/lib/gitea
+    - /var/log/gitea
+
 - name: configure Gitea
   ini_file:
     path: /etc/gitea/app.ini
@@ -80,6 +90,7 @@
     - {s: database, o: LOG_SQL, v: 'false'}
     - {s: indexer, o: REPO_INDEXER_ENABLED, v: 'true'}
     - {s: admin, o: DISABLE_REGULAR_ORG_CREATION, v: '{{gitea_disable_org_creation}}'}
+    - {s: security, o: INSTALL_LOCK, v: 'true'}
     - {s: security, o: SECRET_KEY, v: '{{gitea_security_secret}}'}
     - {s: security, o: REVERSE_PROXY_AUTHENTICATION_USER, v: Remote-User}
     - {s: service, o: REGISTER_EMAIL_CONFIRM, v: 'true'}
@@ -127,6 +138,8 @@
   copy:
     content: |
       [Service]
+      User=git
+      Environment=USER=git
       CapabilityBoundingSet=CAP_AUDIT_WRITE CAP_LEASE CAP_SYS_CHROOT
       PrivateDevices=true
       PrivateTmp=true
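Review bot: The new `file` task sets `owner: git` with `recurse: true` but neither `group` nor `mode`, so /var/lib/gitea (repository data) and /var/log/gitea keep whatever group and permission bits they were created with, which may leave them readable by other local users; I would add `group: git` and `mode: '0750'` next to `owner: git` (recursing the mode onto files would strip their execute bits, so a directory-only mode or a separate task is needed if `recurse` stays). The task also has no `become:` of its own while the preceding task visibly needed `become: true`/`become_user: postgres`; unless privilege escalation is set at play level (outside this hunk), the chown will fail for an unprivileged connection user. `with_items` still works, but `loop:` is the current Ansible idiom for the rest of the role to match.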
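Review bot: Adding `User=git` to the unit means the service now reads /etc/gitea/app.ini, which the hunk at line 80 populates with SECRET_KEY, as the git user, yet nothing in this diff gives that file an owner or mode; it should be `owner: git`, `group: git`, `mode: '0640'` (or root:git 0640) so the service can read it without the secret being world-readable — this may be handled elsewhere in the role, so please confirm. With the service no longer running as root, the existing `CapabilityBoundingSet=CAP_AUDIT_WRITE CAP_LEASE CAP_SYS_CHROOT` line grants nothing the process can use, and `NoNewPrivileges=true` would be a natural companion to the user switch. `Environment=USER=git` sets only USER; if Gitea or git needs HOME, add it explicitly rather than relying on the unit's default. The `content: |` block continues past the end of this hunk.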