diff --git a/ansible/roles/gitea-actions/tasks/user.yml b/ansible/roles/gitea-actions/tasks/user.yml
index 0926744..cccce1f 100644
--- a/ansible/roles/gitea-actions/tasks/user.yml
+++ b/ansible/roles/gitea-actions/tasks/user.yml
@@ -32,3 +32,42 @@
 state: directory
 mode: "0755"
 tags: gitea-actions
+
+- name: create .ssh directory
+ become: true
+ ansible.builtin.file:
+ path: "{{ gitea_runner_home }}/.ssh"
+ state: directory
+ owner: "{{ gitea_runner_user }}"
+ group: "{{ gitea_runner_user }}"
+ mode: "0700"
+ tags: gitea-actions
+
+- name: generate SSH key for gitea-runner
+ become: true
+ become_user: "{{ gitea_runner_user }}"
+ ansible.builtin.command:
+ cmd: ssh-keygen -t ed25519 -f {{ gitea_runner_home }}/.ssh/id_ed25519 -N "" -C "gitea-runner@galactica"
+ creates: "{{ gitea_runner_home }}/.ssh/id_ed25519"
+ tags: gitea-actions
+
+- name: add Gitea SSH host keys to known_hosts
+ become: true
+ become_user: "{{ gitea_runner_user }}"
+ ansible.builtin.shell:
+ cmd: ssh-keyscan -p 2222 {{ item }} >> {{ gitea_runner_home }}/.ssh/known_hosts 2>/dev/null
+ args:
+ creates: "{{ gitea_runner_home }}/.ssh/known_hosts"
+ loop:
+ - git.skudak.com
+ - git.debyl.io
+ tags: gitea-actions
+
+- name: set known_hosts permissions
+ become: true
+ ansible.builtin.file:
+ path: "{{ gitea_runner_home }}/.ssh/known_hosts"
+ owner: "{{ gitea_runner_user }}"
+ group: "{{ gitea_runner_user }}"
+ mode: "0644"
+ tags: gitea-actions
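Review bot: In the `add Gitea SSH host keys to known_hosts` task, `creates:` is evaluated per loop item, so once the first iteration's redirect has created `known_hosts` the `git.debyl.io` scan is skipped. Because `>>` creates the file even when `ssh-keyscan` returns nothing (its errors go to `/dev/null`), a failed first run also leaves an empty file that is never refilled. The scan pins whatever key the network returns at provisioning time, with no comparison against a known fingerprint, so the runner's host-key check is only as trustworthy as that one connection. I would replace the shell task with `ansible.builtin.known_hosts`, fed from host keys kept in role variables and verified out of band, as sketched below; `gitea_ssh_host_keys` is a placeholder name for that list.

```yaml
# … unchanged: .ssh directory and ssh-keygen tasks …
- name: add Gitea SSH host keys to known_hosts
  become: true
  become_user: "{{ gitea_runner_user }}"
  ansible.builtin.known_hosts:
    path: "{{ gitea_runner_home }}/.ssh/known_hosts"
    # non-default port, so entries use the [host]:port form
    name: "[{{ item.host }}]:2222"
    key: "[{{ item.host }}]:2222 {{ item.key }}"
    state: present
  # placeholder variable: list of {host, key} pairs, keys verified out of band
  loop: "{{ gitea_ssh_host_keys }}"
  tags: gitea-actions
# … unchanged: known_hosts permissions task …
```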