diff --git a/files/server-snippet b/files/server-snippet
new file mode 100644
index 0000000..1e365c4
--- /dev/null
+++ b/files/server-snippet
@@ -0,0 +1,93 @@
+deny 102.165.0.11;
+deny 102.165.0.112;
+deny 102.165.0.183;
+deny 102.165.0.186;
+deny 102.165.0.187;
+deny 102.165.0.210;
+deny 102.165.0.222;
+deny 102.165.0.46;
+deny 102.165.0.52;
+deny 102.165.0.61;
+deny 102.165.1.101;
+deny 102.165.1.152;
+deny 102.165.1.211;
+deny 102.165.1.241;
+deny 102.165.1.245;
+deny 102.165.1.250;
+deny 102.165.1.34;
+deny 102.165.1.43;
+deny 102.165.1.97;
+deny 102.165.1.99;
+deny 102.165.5.111;
+deny 102.165.5.113;
+deny 102.165.5.149;
+deny 102.165.5.203;
+deny 102.165.5.36;
+deny 102.165.5.90;
+deny 185.176.207.186;
+deny 185.176.207.32;
+deny 185.176.207.8;
+deny 185.176.207.90;
+deny 185.176.207.98;
+deny 185.213.245.121;
+deny 185.213.245.150;
+deny 185.213.245.160;
+deny 185.213.245.59;
+deny 185.213.246.15;
+deny 185.213.246.178;
+deny 185.213.246.186;
+deny 185.213.246.57;
+deny 185.213.247.103;
+deny 185.213.247.250;
+deny 185.213.247.40;
+deny 185.213.247.43;
+deny 193.58.104.14;
+deny 193.58.104.19;
+deny 193.58.104.215;
+deny 193.58.104.224;
+deny 193.58.104.242;
+deny 193.58.104.93;
+deny 194.53.140.121;
+deny 194.53.140.123;
+deny 194.53.140.154;
+deny 194.53.140.189;
+deny 194.53.140.72;
+deny 2.57.23.109;
+deny 2.57.23.206;
+deny 2.57.23.215;
+deny 2.57.23.97;
+deny 45.133.170.106;
+deny 45.133.170.185;
+deny 45.133.170.202;
+deny 45.133.170.203;
+deny 45.133.170.210;
+deny 45.133.170.237;
+deny 45.133.170.240;
+deny 45.133.170.250;
+deny 45.133.170.60;
+deny 45.133.170.63;
+deny 45.8.255.105;
+deny 45.8.255.122;
+deny 45.8.255.141;
+deny 45.8.255.207;
+deny 45.8.255.254;
+deny 45.8.255.44;
+deny 45.8.255.47;
+deny 45.89.241.135;
+deny 45.89.241.203;
+deny 45.89.241.225;
+deny 45.89.241.232;
+deny 5.181.131.117;
+deny 5.181.131.226;
+deny 5.181.131.240;
+deny 5.181.131.41;
+deny 5.181.131.78;
+deny 5.45.36.170;
+deny 5.45.37.136;
+deny 5.45.37.155;
+deny 86.105.185.182;
+deny 86.105.185.187;
+deny 86.105.185.47;
+deny 86.105.185.48;
+deny 86.105.185.64;
+allow all;
diff --git a/tasks/.gitea.yaml.swp b/tasks/.gitea.yaml.swp
deleted file mode 100644
index d757d4e..0000000
Binary files a/tasks/.gitea.yaml.swp and /dev/null differ
diff --git a/tasks/.main.yml.swp b/tasks/.main.yml.swp
deleted file mode 100644
index f2fdf23..0000000
Binary files a/tasks/.main.yml.swp and /dev/null differ
diff --git a/tasks/gitea.yaml b/tasks/gitea.yaml
index 31d7495..aa48d7c 100644
--- a/tasks/gitea.yaml
+++ b/tasks/gitea.yaml
@@ -18,7 +18,7 @@
     create_namespace: true
     values:
       image:
-        pullPolicy: IfNotPresent
+        pullPolicy: Always
       service:
         ssh:
           type: LoadBalancer
@@ -27,6 +27,9 @@
         className: nginx
         annotations:
           cert-manager.io/cluster-issuer: ca-issuer
+          nginx.ingress.kubernetes.io/enable-cors: "true"
+          nginx.ingress.kubernetes.io/cors-allow-headers: "X-Forwarded-For"
+          nginx.ingress.kubernetes.io/server-snippet: "{{ lookup('file', 'server-snippet') }}"
         hosts:
           - host: gitea.eom.dev
             paths:
@@ -66,6 +69,9 @@
             DEFAULT_ALLOW_CREATE_ORGANIZATION: false
             ALLOW_ONLY_EXTERNAL_REGISTRATION: false
             ENABLE_NOTIFY_MAIL: true
+            EMAIL_DOMAIN_BLOCKLIST: "spammer.com,mailinator.com,tempmail.com,10minutemail.com,guerrillamail.com,dispostable.com,fakemail.com,maildrop.cc,trashmail.com,yopmail.com,techstrategylab.com,timminsgoldminetour.com,claxyn.org,sise.claxyn.org,blyxen.com,seti.blyxen.com,tute.blyxen.com,tula.blyxen.com,sise.blyxen.org,ivolix.com,seti.lyvix.org,tute.lyvix.org,seti.ivolix.org,semo.ivolix.com,elyquin.org,simu.elyquin.org,semo.claxyn.com,sise.oxilv.com,simu.glinxy.org,simu.hivoltz.org,semo.elyquin.com,prisite.online,sise.dravix.org,dravix.org,semo.glinxy.com,glinxy.com,dark-webmarket.com,seti.juxal.org,juxal.org,9e5d.getir.space,getir.space,topcompanygroup.com,6d43.getir.space,9e2d.mikrowellen-tests.com,verifiedlinklist.com,xylzen.com,tapi.xylzen.com,ylixo.com,tapi.ylixo.com,tute.ylixo.com"
+            ENABLE_CAPTCHA: true
+            REGISTER_EMAIL_CONFIRM: true
           oauth2_client:
             ENABLE_AUTO_REGISTRATION: true
             UPDATE_AVATAR: true
@@ -90,7 +96,7 @@
       postgresql:
         enabled: true
         image:
-          tag: 16.4.0-debian-12-r9
+          pullPolicy: Always
         global:
           postgresql:
             auth:
diff --git a/tasks/main.yml b/tasks/main.yml
index 07803e6..7f085fd 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -5,4 +5,3 @@
   include_tasks: "{{ item }}"
   loop:
     - gitea.yaml
-    - actions.yaml
diff --git a/tasks/mcp.yaml b/tasks/mcp.yaml
index 9d740d3..6ff3dc4 100644
--- a/tasks/mcp.yaml
+++ b/tasks/mcp.yaml
@@ -23,7 +23,7 @@
                   - name: GITEA_HOST
                     value: https://gitea.eom.dev
                   - name: GITEA_INSECURE
-                    value: false
+                    value: "false"
                   - name: GITEA_ACCESS_TOKEN
                     value: "{{ localai_gitea_access_token }}"
                   - name: MCP_MODE