diff --git a/share/organisation/check.rhai b/share/organisation/check.rhai
index 45642cb..382e17e 100644
--- a/share/organisation/check.rhai
+++ b/share/organisation/check.rhai
@@ -20,9 +20,11 @@ fn conditions() {
         let password = base64_decode(gitea.data.password);
         let headers = http_header_basic(username,password);
         let response = http_get_json(`http://gitea-http.${global::DOMAIN}-ci.svc:3000/api/v1/orgs/${org}/repos`, headers);
-        repos += response.json.map(|p| p.name);
-        repos.sort();
-        log_info(`Found ${repos.len} repos`);
+        if (response.code>=200&&response.code<300) {
+            repos += response.json.map(|p| p.name);
+            repos.sort();
+            log_info(`Found ${repos.len} repos`);
+        }
     }
     json_encode(#{
         repos: repos,
diff --git a/share/organisation/gitea-user.tf b/share/organisation/gitea-user.tf
index 482fc9d..2bbba1b 100644
--- a/share/organisation/gitea-user.tf
+++ b/share/organisation/gitea-user.tf
@@ -89,11 +89,17 @@ resource "random_password" "password" {
 
 resource "gitea_user" "user-ci" {
   count = local.needKnownHost?1:0
-  username             = "${var.instance}-ci"
-  login_name           = "${var.instance}-ci"
-  password             = local.ci-user-password
-  email                = "${var.instance}-ci@${var.domain_name}"
-  must_change_password = false
+  username                  = "${var.instance}-ci"
+  login_name                = "${var.instance}-ci"
+  password                  = local.ci-user-password
+  email                     = "${var.instance}-ci@${var.domain_name}"
+  active                    = true
+  admin                     = false
+  allow_create_organization = false
+  must_change_password      = false
+  force_password_change     = false
+  send_notification         = false
+  visibility                = "limited"
 }
 
 resource "gitea_public_key" "user-ci-keys" {