diff --git a/.forgejo/workflows/example-docker-compose.yml b/.forgejo/workflows/example-docker-compose.yml
index f1089ec..4e2f547 100644
--- a/.forgejo/workflows/example-docker-compose.yml
+++ b/.forgejo/workflows/example-docker-compose.yml
@@ -67,4 +67,4 @@ jobs:
         if: always()
         run: |
           cd examples/docker-compose
-          docker compose -f compose-forgejo-and-runner.yml -f compose-demo-workflow.yml logs
\ No newline at end of file
+          docker compose -f compose-forgejo-and-runner.yml -f compose-demo-workflow.yml logs
diff --git a/Dockerfile b/Dockerfile
index ed94063..af507da 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -38,6 +38,8 @@ LABEL maintainer="contact@forgejo.org" \
 
 ENV HOME=/data
 
+USER 1000:1000
+
 COPY --chmod=555 entrypoint.sh /entrypoint.sh
 
 WORKDIR /data
diff --git a/entrypoint.sh b/entrypoint.sh
index bb72004..64ec4f7 100755
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -2,28 +2,13 @@
 
 set -e
 
+# Technically not nessecary but it cleans up the logs from having token/secret values
 run_command() {
   local cmd="$1"
-
   # Replace any --token <value> or --secret <value> with [REDACTED]
   local safe_cmd=$(echo "$cmd" | sed -E 's/--(token|secret) [^ ]+/--\1 [REDACTED]/g')
-
   decho "Running command: $safe_cmd"
-
-  if [[ "$ISROOT" == true ]]; then
-    decho "Running as forgejo-runner"
-    su -c "$cmd" forgejo-runner
-  else
-    decho "Running as $(whoami)"
-    eval "$cmd"
-  fi
-}
-
-makeUser() {
-  adduser -u ${RUNNER_USER} -h /data -s /bin/bash -D forgejo-runner
-}
-makeGroup() {
-  addgroup -g ${RUNNER_USER} forgejo-runner
+  eval "$cmd"
 }
 
 decho() {
@@ -32,49 +17,10 @@ decho() {
   fi
 }
 
-# Initial setup
-cd /data
-
-decho "RUNNER_USER: ${RUNNER_USER}"
-RUNNER_USER="${RUNNER_USER:-1000}"
 # Check if the script is running as root
 if [[ $(id -u) -eq 0 ]]; then
   ISROOT=true
-  decho "Running as root"
-fi
-
-if [[ "$ISROOT" == true ]]; then
-  # Check if the forgejo-runner user exists, if not, create it
-  if ! id -u forgejo-runner >/dev/null 2>&1; then
-    decho "Creating user forgejo-runner with UID ${RUNNER_USER}"
-    makeUser
-  else
-      CURRENT_UID=$(id -u forgejo-runner)
-      if [[ "${CURRENT_UID}" -ne "${RUNNER_USER}" ]]; then
-        decho "Changing UID of forgejo-runner from ${CURRENT_UID} to ${RUNNER_USER}"
-        deluser forgejo-runner
-        makeUser
-      fi
-  fi
-
-  # Check if the forgejo-runner group exists, if not, create it
-  if ! getent group forgejo-runner >/dev/null 2>&1; then
-    decho "Creating group forgejo-runner with GID ${RUNNER_USER}"
-    makeGroup
-  else
-    CURRENT_GID=$(getent group forgejo-runner | cut -d: -f3)
-    if [[ "${CURRENT_GID}" -ne "${RUNNER_USER}" ]]; then
-      decho "Changing GID of forgejo-runner from ${CURRENT_GID} to ${RUNNER_USER}"
-      delgroup forgejo-runner
-      makeGroup
-    fi
-  fi
-
-  # Ensure /data is owned by the runner user
-  # yes this can slow things down but is 100% nessecary for the runner to function
-  # when running as a root user, because for some reason the runner create files as
-  # root and then cant access them
-  chown -R forgejo-runner:forgejo-runner /data
+  decho "[WARNING] Running as root user"
 fi
 
 # Handle and alter the config file
@@ -85,9 +31,9 @@ fi
 CONFIG_ARG="--config ${CONFIG_FILE}"
 decho "CONFIG: ${CONFIG_ARG}"
 
-DOCKER_HOST=${DOCKER_HOST:-docker}
+DOCKER_HOST=${DOCKER_HOST:-"tcp://docker:2367"}
 DOCKER_CERT_PATH=${DOCKER_CERT_PATH:-"/certs/client"}
-DOCKER_TLS_VERIFY=${DOCKER_TLS_VERIFY:-0}
+DOCKER_TLS_VERIFY=${DOCKER_TLS_VERIFY:-1}
 decho "DOCKER_HOST: ${DOCKER_HOST}"
 decho "DOCKER_CERT_PATH: ${DOCKER_CERT_PATH}"
 decho "DOCKER_TLS_VERIFY: ${DOCKER_TLS_VERIFY}"
@@ -102,18 +48,7 @@ if [[ ! -f "${CONFIG_FILE}" ]]; then
   # Apply default values for docker
   sed -i "/^  labels:/c\  labels: [\"docker:docker://code.forgejo.org/oci/node:20-bookworm\", \"ubuntu-22.04:docker://catthehacker/ubuntu:act-22.04\"]" ${CONFIG_FILE}
   sed -i "/^  network:/c\  network: host" ${CONFIG_FILE}
-  sed -i "/^  privileged:/c\  privileged: true" ${CONFIG_FILE}
 
-
-  if [[ "${DOCKER_TLS_VERIFY}" -ne 1 ]]; then
-    decho "Docker TLS diabled"
-    sed -i "/^  docker_host:/c\  docker_host: ${DOCKER_HOST}" ${CONFIG_FILE}
-  else
-    decho "Docker TLS enabled"
-    sed -i "/^  docker_host:/c\  docker_host: ${DOCKER_HOST}" ${CONFIG_FILE}
-    sed -i "/^  valid_volumes:/c\  valid_volumes:\n    - ${DOCKER_CERT_PATH}" ${CONFIG_FILE}
-    sed -i "/^  options:/c\  options: -v ${DOCKER_CERT_PATH}:${DOCKER_CERT_PATH}" ${CONFIG_FILE}
-  fi
 fi
 
 ENV_FILE=${ENV_FILE:-"/data/.env"}
@@ -135,9 +70,7 @@ fi
 decho "EXTRA_ARGS: ${EXTRA_ARGS}"
 
 # Set the runner file
-if [[ -z "${RUNNER_FILE}" ]]; then
-  RUNNER_FILE="runner.json" # use json so editors know how to highlight
-fi
+RUNNER_FILE=${RUNNER_FILE:-"runner.json"} # use json so editors know how to highlight
 decho "RUNNER_FILE: ${RUNNER_FILE}"
 sed -i "/^  file:/c\  file: ${RUNNER_FILE}" ${CONFIG_FILE}
 
@@ -157,22 +90,22 @@ if [[ ! -s "${RUNNER_FILE}" ]]; then
   # the context of a single docker-compose, something similar could be done via healthchecks, but
   # this is more flexible.
   while [[ $success -eq 0 ]] && [[ $try -lt ${MAX_REG_ATTEMPTS:-10} ]]; do
-  if [[ ! -z "${FORGEJO_SECRET}" ]]; then
-    run_command "forgejo-runner create-runner-file --connect \
+    if [[ ! -z "${FORGEJO_SECRET}" ]]; then
+      run_command "forgejo-runner create-runner-file --connect \
     --instance \"${FORGEJO_URL:-http://forgejo:3000}\" \
     --name \"${RUNNER_NAME:-$(hostname)}\" \
     --secret \"${FORGEJO_SECRET}\" \
     ${CONFIG_ARG}\
     ${EXTRA_ARGS} 2>&1 | tee /tmp/reg.log"
-  else
-    run_command "forgejo-runner register \
+    else
+      run_command "forgejo-runner register \
     --instance \"${FORGEJO_URL:-http://forgejo:3000}\" \
     --name \"${RUNNER_NAME:-$(hostname)}\" \
     --token \"${RUNNER_TOKEN}\" \
     --no-interactive \
     ${CONFIG_ARG}\
     ${EXTRA_ARGS} 2>&1 | tee /tmp/reg.log"
-  fi
+    fi
     cat /tmp/reg.log | grep -E 'connection successful|registered successfully' >/dev/null
     if [[ $? -eq 0 ]]; then
       echo "SUCCESS"
diff --git a/examples/docker-compose/.gitignore b/examples/docker-compose/.gitignore
index 294fcad..94bf3ec 100644
--- a/examples/docker-compose/.gitignore
+++ b/examples/docker-compose/.gitignore
@@ -1,2 +1 @@
-forgejo/
-forgejo-runner/
+srv
diff --git a/examples/docker-compose/compose-forgejo-and-runner.yml b/examples/docker-compose/compose-forgejo-and-runner.yml
index a2d1fa5..6431893 100644
--- a/examples/docker-compose/compose-forgejo-and-runner.yml
+++ b/examples/docker-compose/compose-forgejo-and-runner.yml
@@ -13,7 +13,8 @@
 #
 # Replace ${RUNNER_TOKEN} with the token obtained from the Forgejo web interface.
 #
-
+# Replace ROOT_PASSWORD with a secure password.
+#
 networks:
   forgejo:
 
@@ -24,12 +25,13 @@ services:
   docker-in-docker:
     image: code.forgejo.org/oci/docker:dind
     hostname: docker # Must set hostname for both internal DNS and TLS to work as certs are only valid for docker and localhost
+    restart: unless-stopped
     privileged: true
     networks:
       - forgejo
     environment:
       DOCKER_TLS_CERTDIR: "/certs" # set to "" to disable the use of TLS, also manually update existing runner configs to use port 2375
-      DOCKER_HOST: "docker"        # remove aswell to disable TLS
+      DOCKER_HOST: "docker" # remove aswell to disable TLS
     volumes:
       - docker_certs:/certs
 
@@ -42,25 +44,27 @@ services:
       - /srv/forgejo-data:/data
     ports:
       - 8080:3000
+    environment:
+      FORGEJO__security__INSTALL_LOCK: "true" # remove in production
     command: >-
       bash -c '
       /bin/s6-svscan /etc/s6 &
       sleep 10 ;
-      su -c "forgejo admin user create --admin --username root --password examplepassword --email root@example.com" git ;
+      su -c "forgejo admin user create --admin --username root --password ROOT_PASSWORD --email root@example.com" git ;
       su -c "forgejo forgejo-cli actions register --secret {SHARED_SECRET}" git ;
       sleep infinity
       '
 
   # all values that have defaults listed are optional
-  # only FORGEJO_SECRET or RUNNER_TOKEN is required
-  # FORGEJO_URL is required if forgejo is in this compose file or docker network
+  # only FORGEJO_SECRET or RUNNER_TOKEN is required, the secret will be prioritized
+  # FORGEJO_URL is required if forgejo is not in this compose file or docker network
   runner-daemon:
     ## TODO: Update image to the the release
     ## made from this PR: https://code.forgejo.org/forgejo/runner/pulls/283
 
     # image: code.forgejo.org/forgejo/runner:3.4.1
     build: ../../
-    # user: "1000" # set to run rootless, overrides RUNNER_USER and disables automatic file ownership
+    user: "1000" # defaults to 1000,
     restart: unless-stopped # needed for fixing file ownership on restart
     volumes:
       - /srv/runner-data:/data
@@ -75,7 +79,7 @@ services:
 
       DOCKER_HOST: "tcp://docker:2376" # defaults to tcp://docker:2376
       DOCKER_CERT_PATH: "/certs/client" # defaults to /certs/client
-      DOCKER_TLS_VERIFY: "1" # defaults to 0, set to 1 to enable TLS
+      DOCKER_TLS_VERIFY: "1" # defaults to 1
 
       FORGEJO_URL: ${FORGEJO_URL} # defaults to http://forgejo:3000
       FORGEJO_SECRET: "{SHARED_SECRET}" # shared secret, must match Forgejo's, overrides RUNNER_TOKEN
@@ -83,7 +87,6 @@ services:
       RUNNER_FILE: .runner # defaults to /data/runner.json
       RUNNER_NAME: runner-daemon # defaults to forgejo-runner, used for registration
       RUNNER_TOKEN: ${RUNNER_TOKEN} # token obtained from Forgejo web interface
-      RUNNER_USER: 1000 # defaults to 1000, allows for automatic file ownership
 
       DEBUG: "true" # defaults to false, set to true to enable debug logging
       SKIP_WAIT: "false" # defaults to false, set to true to skip the 10 second wait to allow for forgejo and docker-in-docker to start