diff --git a/apps/code-server/deploy.tf b/apps/code-server/deploy.tf index a64474f..2ffbe44 100644 --- a/apps/code-server/deploy.tf +++ b/apps/code-server/deploy.tf @@ -38,8 +38,15 @@ resource "kubectl_manifest" "deploy" { privileged: true procMount: unmasked env: - - name: USER + - name: DOCKER_PASSWORD + valueFrom: + secretKeyRef: + key: password + name: "${var.component}-${var.instance}" + - name: DOCKER_USER value: coder + - name: IS_CONSOLE + value: "${var.no-editor?"shellinabox":"code-server"}" - name: TZ value: "${var.timezone}" - name: ENTRYPOINTD diff --git a/apps/code-server/forward.tf b/apps/code-server/forward.tf index 39a0d80..6b677b2 100644 --- a/apps/code-server/forward.tf +++ b/apps/code-server/forward.tf @@ -14,7 +14,6 @@ locals { access-token-validity = "hours=10" // ;minutes=10 } - data "authentik_flow" "default-authorization-flow" { depends_on = [authentik_group.prj_users] slug = "default-provider-authorization-implicit-consent" diff --git a/apps/code-server/index.yaml b/apps/code-server/index.yaml index cd9fbc2..5ebfb53 100644 --- a/apps/code-server/index.yaml +++ b/apps/code-server/index.yaml 
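Review bot: `DOCKER_PASSWORD` is injected as an environment variable into a container that the context lines show running with `privileged: true` and `procMount: unmasked`, so every process in the pod can read it, including any terminal opened in code-server or the shellinabox console selected by `IS_CONSOLE`. If the entrypoint only needs the value once at start-up (its use is not visible in this hunk), mount the Secret as a file through a `secret` volume, or unset the variable before the user-facing process starts. The deployment also relies on the Secret `${var.component}-${var.instance}` that the StringSecret in secret.tf produces. Unless it is already declared outside the hunk, `depends_on = [kubectl_manifest.gitea_secret]` on this resource would make that ordering explicit. The enclosing `kubectl_manifest` resource starts and ends outside the hunk.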
@@ -6,78 +6,6 @@ metadata:
 name: code-server
 description: null
 options:
- sub-domain:
- default: code
- examples:
- - code
- type: string
- timezone:
- default: Europe/Paris
- examples:
- - Europe/Paris
- type: string
- storage:
- default:
- accessMode: ReadWriteOnce
- size: 20Gi
- type: Filesystem
- examples:
- - accessMode: ReadWriteOnce
- size: 20Gi
- type: Filesystem
- properties:
- accessMode:
- default: ReadWriteOnce
- enum:
- - ReadWriteOnce
- - ReadOnlyMany
- - ReadWriteMany
- type: string
- size:
- default: 20Gi
- type: string
- type:
- default: Filesystem
- enum:
- - Filesystem
- - block
- type: string
- type: object
- ingress-class:
- default: traefik
- examples:
- - traefik
- type: string
- admin:
- default:
- cluster: false
- namespace: false
- examples:
- - cluster: false
- namespace: false
- properties:
- cluster:
- default: false
- type: boolean
- namespace:
- default: false
- type: boolean
- type: object
- domain:
- default: your-company
- examples:
- - your-company
- type: string
- issuer:
- default: letsencrypt-prod
- examples:
- - letsencrypt-prod
- type: string
- domain-name:
- default: your_company.com
- examples:
- - your_company.com
- type: string
 images:
 default:
 codeserver:
@@ -117,6 +45,83 @@ options:
 type: number
 type: object
 type: object
+ domain-name:
+ default: your_company.com
+ examples:
+ - your_company.com
+ type: string
+ no-editor:
+ default: false
+ examples:
+ - false
+ type: boolean
+ admin:
+ default:
+ cluster: false
+ namespace: false
+ examples:
+ - cluster: false
+ namespace: false
+ properties:
+ cluster:
+ default: false
+ type: boolean
+ namespace:
+ default: false
+ type: boolean
+ type: object
+ storage:
+ default:
+ accessMode: ReadWriteOnce
+ size: 20Gi
+ type: Filesystem
+ examples:
+ - accessMode: ReadWriteOnce
+ size: 20Gi
+ type: Filesystem
+ properties:
+ accessMode:
+ default: ReadWriteOnce
+ enum:
+ - ReadWriteOnce
+ - ReadOnlyMany
+ - ReadWriteMany
+ type: string
+ size:
+ default: 20Gi
+ type: string
+ type:
+ default: Filesystem
+ enum:
+ - Filesystem
+ - block
+ type: string
+ type: object
+ sub-domain:
+ default: code
+ examples:
+ - code
+ type: string
+ ingress-class:
+ default: traefik
+ examples:
+ - traefik
+ type: string
+ timezone:
+ default: Europe/Paris
+ examples:
+ - Europe/Paris
+ type: string
+ issuer:
+ default: letsencrypt-prod
+ examples:
+ - letsencrypt-prod
+ type: string
+ domain:
+ default: your-company
+ examples:
+ - your-company
+ type: string
 dependencies:
 - dist: null
 category: share
diff --git a/apps/code-server/secret.tf b/apps/code-server/secret.tf
new file mode 100644
index 0000000..ed556ca
--- /dev/null
+++ b/apps/code-server/secret.tf
@@ -0,0 +1,19 @@
+
+resource "kubectl_manifest" "gitea_secret" {
+ ignore_fields = ["metadata.annotations"]
+ yaml_body = <<-EOF
+ apiVersion: "secretgenerator.mittwald.de/v1alpha1"
+ kind: "StringSecret"
+ metadata:
+ name: "${var.component}-${var.instance}"
+ namespace: "${var.namespace}"
+ labels: ${jsonencode(local.common-labels)}
+ spec:
+ forceRegenerate: false
+ data:
+ username: "coder"
+ fields:
+ - fieldName: "password"
+ length: "16"
+ EOF
+}
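Review bot: The new resource in secret.tf is labelled `gitea_secret` although it sits under apps/code-server and generates the password that the code-server deployment reads, which looks like a copy-paste leftover. A label such as `code_server_secret` (constructed example) would be easier to find in state and to reference from `depends_on`. The `username: "coder"` field duplicates the hard-coded `DOCKER_USER` value `coder` in deploy.tf, so the two can drift; reading the user with a `secretKeyRef` on `key: username` would keep a single source of truth. I would also add a short comment above the resource noting that the password is generated in-cluster from the StringSecret, so that `yaml_body` carries no credential, and stating what `forceRegenerate: false` implies for rotation.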