3 files changed, 1410 insertions, 0 deletions
diff --git a/images/forgejo/Dockerfile b/images/forgejo/Dockerfile
new file mode 100644
index 0000000..614954c
--- /dev/null
+++ b/images/forgejo/Dockerfile
@@ -0,0 +1,13 @@
+# TODO: Add proper metadata.
+
+FROM debian:bookworm-slim
+
+COPY app.ini /etc/forgejo/app.ini
+COPY secrets/internal_token /etc/forgejo/internal_token
+COPY secrets/lfs_jwt_secret /etc/forgejo/lfs_jwt_secret
+COPY secrets/oauth2_jwt_secret /etc/forgejo/oauth2_jwt_secret
+COPY secrets/secret_key /etc/forgejo/secret_key
+COPY setup.sh /tmp/setup.sh
+RUN ./tmp/setup.sh
+USER git
+CMD ["/usr/local/bin/forgejo", "-w", "/var/lib/forgejo", "-c", "/etc/forgejo/app.ini"]
diff --git a/images/forgejo/app.ini b/images/forgejo/app.ini
new file mode 100644
index 0000000..da8f5d6
--- /dev/null
+++ b/images/forgejo/app.ini
@@ -0,0 +1,1348 @@
+; This file lists the default values used by Gitea
+; ; Copy required sections to your own app.ini (default is custom/conf/app.ini)
+; ; and modify as needed.
+; ; Do not copy the whole file as-is, as it contains some invalid sections for illustrative purposes.
+; ; If you don't know what a setting is you should not set it.
+; ;
+; ; see https://docs.gitea.com/administration/config-cheat-sheet for additional documentatin.
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; ; Default Configuration (non-`app.ini` configuration)
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; ;
+; ; These values are environment-dependent but form the basis of a lot of values. They will be
+; ; reported as part of the default configuration when running `gitea help` or on start-up. The order they are emitted there is slightly different but we will list them here in the order they are set-up.
+; ;
+; ; - _`AppPath`_: This is the absolute path of the running gitea binary.
+; ; - _`AppWorkPath`_: This refers to "working path" of the `gitea` binary. It is determined by using the first set thing in the following hierarchy:
+; ;   - The "WORK_PATH" option in "app.ini" file
+; ;   - The `--work-path` flag passed to the binary
+; ;   - The environment variable `$GITEA_WORK_DIR`
+; ;   - A built-in value set at build time (see building from source)
+; ;   - Otherwise it defaults to the directory of the _`AppPath`_
+; ;   - If any of the above are relative paths then they are made absolute against the directory of the _`AppPath`_
+; ; - _`CustomPath`_: This is the base directory for custom templates and other options. It is determined by using the first set thing in the following hierarchy:
+; ;   - The `--custom-path` flag passed to the binary
+; ;   - The environment variable `$GITEA_CUSTOM`
+; ;   - A built-in value set at build time (see building from source)
+; ;   - Otherwise it defaults to _`AppWorkPath`_`/custom`
+; ;   - If any of the above are relative paths then they are made absolute against the directory of the _`AppWorkPath`_
+; ; - _`CustomConf`_: This is the path to the `app.ini` file.
+; ;   - The `--config` flag passed to the binary
+; ;   - A built-in value set at build time (see building from source)
+; ;   - Otherwise it defaults to _`CustomPath`_`/conf/app.ini`
+; ;   - If any of the above are relative paths then they are made absolute against the directory of the _`CustomPath`_
+; ;
+; ; In addition there is _`StaticRootPath`_ which can be set as a built-in at build time, but will otherwise default to _`AppWorkPath`_
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; ; General Settings
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; ;
+; ; App name that shows in every page title
+APP_NAME = git.shione.net
+; ;
+; ; RUN_USER will automatically detect the current user - but you can set it here change it if you run locally
+; git
+RUN_USER = git
+WORK_PATH = /var/lib/forgejo
+RUN_MODE = prod
+
+; ;
+; ; Application run mode, affects performance and debugging: "dev" or "prod", default is "prod"
+; ; Mode "dev" makes Gitea easier to develop and debug, values other than "dev" are treated as "prod" which is for production use.
+; ; RUN_MODE = prod
+; ;
+; ; The working directory, see the comment of AppWorkPath above
+; WORK_PATH =
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+[server]
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; ;
+; ; The protocol the server listens on. One of 'http', 'https', 'http+unix', 'fcgi' or 'fcgi+unix'. Defaults to 'http'
+; ; Note: Value must be lowercase.
+; PROTOCOL = http
+; ;
+; ; Expect PROXY protocol headers on connections
+; USE_PROXY_PROTOCOL = false
+; ;
+; ; Use PROXY protocol in TLS Bridging mode
+; PROXY_PROTOCOL_TLS_BRIDGING = false
+; ;
+; Timeout to wait for PROXY protocol header (set to 0 to have no timeout)
+; PROXY_PROTOCOL_HEADER_TIMEOUT=5s
+; ;
+; Accept PROXY protocol headers with UNKNOWN type
+; PROXY_PROTOCOL_ACCEPT_UNKNOWN=false
+; ;
+; ; Set the domain for the server
+; DOMAIN = localhost
+; ;
+; ; Overwrite the automatically generated public URL. Necessary for proxies and docker.
+; ROOT_URL = %(PROTOCOL)s://%(DOMAIN)s:%(HTTP_PORT)s/
+; ;
+; ; when STATIC_URL_PREFIX is empty it will follow ROOT_URL
+; STATIC_URL_PREFIX =
+; ;
+; ; The address to listen on. Either a IPv4/IPv6 address or the path to a unix socket.
+; ; If PROTOCOL is set to `http+unix` or `fcgi+unix`, this should be the name of the Unix socket file to use.
+; ; Relative paths will be made absolute against the _`AppWorkPath`_.
+; HTTP_ADDR = 0.0.0.0
+; ;
+; ; The port to listen on. Leave empty when using a unix socket.
+; HTTP_PORT = 3000
+; ;
+; ; If REDIRECT_OTHER_PORT is true, and PROTOCOL is set to https an http server
+; ; will be started on PORT_TO_REDIRECT and it will redirect plain, non-secure http requests to the main
+; ; ROOT_URL.  Defaults are false for REDIRECT_OTHER_PORT and 80 for
+; ; PORT_TO_REDIRECT.
+; REDIRECT_OTHER_PORT = false
+; PORT_TO_REDIRECT = 80
+; ;
+; ; expect PROXY protocol header on connections to https redirector.
+; REDIRECTOR_USE_PROXY_PROTOCOL = %(USE_PROXY_PROTOCOL)s
+; ; Minimum and maximum supported TLS versions
+; SSL_MIN_VERSION=TLSv1.2
+; SSL_MAX_VERSION=
+; ;
+; ; SSL Curve Preferences
+; SSL_CURVE_PREFERENCES=X25519,P256
+; ;
+; ; SSL Cipher Suites
+; SSL_CIPHER_SUITES=; Will default to "ecdhe_ecdsa_with_aes_256_gcm_sha384,ecdhe_rsa_with_aes_256_gcm_sha384,ecdhe_ecdsa_with_aes_128_gcm_sha256,ecdhe_rsa_with_aes_128_gcm_sha256,ecdhe_ecdsa_with_chacha20_poly1305,ecdhe_rsa_with_chacha20_poly1305" if aes is supported by hardware, otherwise chacha will be first.
+; ;
+; ; Timeout for any write to the connection. (Set to -1 to disable all timeouts.)
+; PER_WRITE_TIMEOUT = 30s
+; ;
+; ; Timeout per Kb written to connections.
+; PER_WRITE_PER_KB_TIMEOUT = 30s
+; ;
+; ; Permission for unix socket
+; UNIX_SOCKET_PERMISSION = 666
+; ;
+; ; Local (DMZ) URL for Gitea workers (such as SSH update) accessing web service. In
+; ; most cases you do not need to change the default value. Alter it only if
+; ; your SSH server node is not the same as HTTP node. For different protocol, the default
+; ; values are different. If `PROTOCOL` is `http+unix`, the default value is `http://unix/`.
+; ; If `PROTOCOL` is `fcgi` or `fcgi+unix`, the default value is `%(PROTOCOL)s://%(HTTP_ADDR)s:%(HTTP_PORT)s/`.
+; ; If listen on `0.0.0.0`, the default value is `%(PROTOCOL)s://localhost:%(HTTP_PORT)s/`, Otherwise the default
+; ; value is `%(PROTOCOL)s://%(HTTP_ADDR)s:%(HTTP_PORT)s/`.
+; LOCAL_ROOT_URL = %(PROTOCOL)s://%(HTTP_ADDR)s:%(HTTP_PORT)s/
+; ;
+; ; When making local connections pass the PROXY protocol header.
+; LOCAL_USE_PROXY_PROTOCOL = %(USE_PROXY_PROTOCOL)s
+; ;
+; ; Disable SSH feature when not available
+; DISABLE_SSH = false
+; ;
+; ; Whether to use the builtin SSH server or not.
+; START_SSH_SERVER = false
+; ;
+; ; Expect PROXY protocol header on connections to the built-in SSH server
+; SSH_SERVER_USE_PROXY_PROTOCOL = false
+; ;
+; ; Username to use for the builtin SSH server. If blank, then it is the value of RUN_USER.
+; BUILTIN_SSH_SERVER_USER = %(RUN_USER)s
+; ;
+; ; Domain name to be exposed in clone URL
+; SSH_DOMAIN = %(DOMAIN)s
+; ;
+; ; SSH username displayed in clone URLs.
+; SSH_USER = %(BUILTIN_SSH_SERVER_USER)s
+; ;
+; ; The network interface the builtin SSH server should listen on
+; SSH_LISTEN_HOST =
+; ;
+; ; Port number to be exposed in clone URL
+; SSH_PORT = 22
+; ;
+; ; The port number the builtin SSH server should listen on
+; SSH_LISTEN_PORT = %(SSH_PORT)s
+; ;
+; ; Root path of SSH directory, default is '~/.ssh', but you have to use '/home/git/.ssh'.
+; SSH_ROOT_PATH =
+; ;
+; ; Gitea will create a authorized_keys file by default when it is not using the internal ssh server
+; ; If you intend to use the AuthorizedKeysCommand functionality then you should turn this off.
+; SSH_CREATE_AUTHORIZED_KEYS_FILE = true
+; ;
+; ; Gitea will create a authorized_principals file by default when it is not using the internal ssh server
+; ; If you intend to use the AuthorizedPrincipalsCommand functionality then you should turn this off.
+; SSH_CREATE_AUTHORIZED_PRINCIPALS_FILE = true
+; ;
+; ; For the built-in SSH server, choose the ciphers to support for SSH connections,
+; ; for system SSH this setting has no effect
+; SSH_SERVER_CIPHERS = chacha20-poly1305@openssh.com, aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, aes256-gcm@openssh.com
+; ;
+; ; For the built-in SSH server, choose the key exchange algorithms to support for SSH connections,
+; ; for system SSH this setting has no effect
+; SSH_SERVER_KEY_EXCHANGES = curve25519-sha256, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group14-sha256, diffie-hellman-group14-sha1
+; ;
+; ; For the built-in SSH server, choose the MACs to support for SSH connections,
+; ; for system SSH this setting has no effect
+; SSH_SERVER_MACS = hmac-sha2-256-etm@openssh.com, hmac-sha2-256, hmac-sha1
+; ;
+; ; For the built-in SSH server, choose the keypair to offer as the host key
+; ; The private key should be at SSH_SERVER_HOST_KEY and the public SSH_SERVER_HOST_KEY.pub
+; ; relative paths are made absolute relative to the %(APP_DATA_PATH)s
+; SSH_SERVER_HOST_KEYS=ssh/gitea.rsa, ssh/gogs.rsa
+; ;
+; ; Directory to create temporary files in when testing public keys using ssh-keygen,
+; ; default is the system temporary directory.
+; SSH_KEY_TEST_PATH =
+; ;
+; ; Use `ssh-keygen` to parse public SSH keys. The value is passed to the shell. By default, Gitea does the parsing itself.
+; SSH_KEYGEN_PATH =
+; ;
+; ; Enable SSH Authorized Key Backup when rewriting all keys, default is false
+; SSH_AUTHORIZED_KEYS_BACKUP = false
+; ;
+; ; Determines which principals to allow
+; ; - empty: if SSH_TRUSTED_USER_CA_KEYS is empty this will default to off, otherwise will default to email, username.
+; ; - off: Do not allow authorized principals
+; ; - email: the principal must match the user's email
+; ; - username: the principal must match the user's username
+; ; - anything: there will be no checking on the content of the principal
+; SSH_AUTHORIZED_PRINCIPALS_ALLOW = email, username
+; ;
+; ; Enable SSH Authorized Principals Backup when rewriting all keys, default is true
+; SSH_AUTHORIZED_PRINCIPALS_BACKUP = true
+; ;
+; ; Specifies the public keys of certificate authorities that are trusted to sign user certificates for authentication.
+; ; Multiple keys should be comma separated.
+; ; E.g."ssh-<algorithm> <key>". or "ssh-<algorithm> <key1>, ssh-<algorithm> <key2>".
+; ; For more information see "TrustedUserCAKeys" in the sshd config manpages.
+; SSH_TRUSTED_USER_CA_KEYS =
+; ; Absolute path of the `TrustedUserCaKeys` file gitea will manage.
+; ; Default this `RUN_USER`/.ssh/gitea-trusted-user-ca-keys.pem
+; ; If you're running your own ssh server and you want to use the gitea managed file you'll also need to modify your
+; ; sshd_config to point to this file. The official docker image will automatically work without further configuration.
+; SSH_TRUSTED_USER_CA_KEYS_FILENAME =
+; ;
+; ; Enable exposure of SSH clone URL to anonymous visitors, default is false
+; SSH_EXPOSE_ANONYMOUS = false
+; ;
+; ; Timeout for any write to ssh connections. (Set to -1 to disable all timeouts.)
+; ; Will default to the PER_WRITE_TIMEOUT.
+; SSH_PER_WRITE_TIMEOUT = 30s
+; ;
+; ; Timeout per Kb written to ssh connections.
+; ; Will default to the PER_WRITE_PER_KB_TIMEOUT.
+; SSH_PER_WRITE_PER_KB_TIMEOUT = 30s
+; ;
+; ; Indicate whether to check minimum key size with corresponding type
+; MINIMUM_KEY_SIZE_CHECK = false
+; ;
+; ; Disable CDN even in "prod" mode
+; OFFLINE_MODE = true
+; ;
+; ; TLS Settings: Either ACME or manual
+; ; (Other common TLS configuration are found before)
+; ENABLE_ACME = false
+; ;
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; ;
+; ; ACME automatic TLS settings
+; ;
+; ; ACME directory URL (e.g. LetsEncrypt's staging/testing URL: https://acme-staging-v02.api.letsencrypt.org/directory)
+; ; Leave empty to default to LetsEncrypt's (production) URL
+; ACME_URL =
+; ;
+; ; Explicitly accept the ACME's TOS. The specific TOS cannot be retrieved at the moment.
+; ACME_ACCEPTTOS = false
+; ;
+; ; If the ACME CA is not in your system's CA trust chain, it can be manually added here
+; ACME_CA_ROOT =
+; ;
+; ; Email used for the ACME registration service
+; ; Can be left blank to initialize at first run and use the cached value
+; ACME_EMAIL =
+; ;
+; ; ACME live directory (not to be confused with ACME directory URL: ACME_URL)
+; ; (Refer to caddy's ACME manager https://github.com/caddyserver/certmagic)
+; ACME_DIRECTORY = https
+; ;
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; ;
+; ;  Manual TLS settings: (Only applicable if ENABLE_ACME=false)
+; ;
+; ; Generate steps:
+; ; $ ./gitea cert -ca=true -duration=8760h0m0s -host=myhost.example.com
+; ;
+; ; Or from a .pfx file exported from the Windows certificate store (do
+; ; not forget to export the private key):
+; ; $ openssl pkcs12 -in cert.pfx -out cert.pem -nokeys
+; ; $ openssl pkcs12 -in cert.pfx -out key.pem -nocerts -nodes
+; ; Paths are relative to CUSTOM_PATH
+; CERT_FILE = https/cert.pem
+; KEY_FILE = https/key.pem
+; ;
+; ; Root directory containing templates and static files.
+; ; default is the path where Gitea is executed
+; STATIC_ROOT_PATH = ; Will default to the built-in value _`StaticRootPath`_
+; ;
+; ; Default path for App data
+; APP_DATA_PATH = data ; relative paths will be made absolute with _`AppWorkPath`_
+; ;
+; ; Enable gzip compression for runtime-generated content, static resources excluded
+; ENABLE_GZIP = false
+; ;
+; ; Application profiling (memory and cpu)
+; ; For "web" command it listens on localhost:6060
+; ; For "serve" command it dumps to disk at PPROF_DATA_PATH as (cpuprofile|memprofile)_<username>_<temporary id>
+; ENABLE_PPROF = false
+; ;
+; ; PPROF_DATA_PATH, use an absolute path when you start gitea as service
+; PPROF_DATA_PATH = data/tmp/pprof ; Path is relative to _`AppWorkPath`_
+; ;
+; ; Landing page, can be "home", "explore", "organizations", "login", or any URL such as "/org/repo" or even "https://anotherwebsite.com"
+; ; The "login" choice is not a security measure but just a UI flow change, use REQUIRE_SIGNIN_VIEW to force users to log in.
+LANDING_PAGE = explore
+SSH_DOMAIN = localhost
+DOMAIN = localhost
+HTTP_PORT = 3000
+ROOT_URL = http://localhost:3000/
+APP_DATA_PATH = /var/lib/forgejo/data
+DISABLE_SSH = false
+SSH_PORT = 22
+LFS_START_SERVER = true
+LFS_JWT_SECRET_URI = file:/etc/forgejo/lfs_jwt_secret
+OFFLINE_MODE = true
+
+; ;
+; ; Enables git-lfs support. true or false, default is false.
+; LFS_START_SERVER = false
+; ;
+; ;
+; ; LFS authentication secret, change this yourself
+; LFS_JWT_SECRET =
+; ;
+; ; Alternative location to specify LFS authentication secret. You cannot specify both this and LFS_JWT_SECRET, and must pick one
+; LFS_JWT_SECRET_URI = file:/etc/gitea/lfs_jwt_secret
+; ;
+; ; LFS authentication validity period (in time.Duration), pushes taking longer than this may fail.
+; LFS_HTTP_AUTH_EXPIRY = 24h
+; ;
+; ; Maximum allowed LFS file size in bytes (Set to 0 for no limit).
+; LFS_MAX_FILE_SIZE = 0
+; ;
+; ; Maximum number of locks returned per page
+; LFS_LOCKS_PAGING_NUM = 50
+; ;
+; ; Allow graceful restarts using SIGHUP to fork
+; ALLOW_GRACEFUL_RESTARTS = true
+; ;
+; ; After a restart the parent will finish ongoing requests before
+; ; shutting down. Force shutdown if this process takes longer than this delay.
+; ; set to a negative value to disable
+; GRACEFUL_HAMMER_TIME = 60s
+; ;
+; ; Allows the setting of a startup timeout and waithint for Windows as SVC service
+; ; 0 disables this.
+; STARTUP_TIMEOUT = 0
+; ;
+; ; Static resources, includes resources on custom/, public/ and all uploaded avatars web browser cache time. Note that this cache is disabled when RUN_MODE is "dev". Default is 6h
+; STATIC_CACHE_TIME = 6h
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+[database]
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; ;
+; ; Database to use. Either "mysql", "postgres", "mssql" or "sqlite3".
+; ;
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; ;
+; ; MySQL Configuration
+; ;
+; DB_TYPE = mysql
+; HOST = 127.0.0.1:3306 ; can use socket e.g. /var/run/mysqld/mysqld.sock
+; NAME = gitea
+; USER = root
+; PASSWD = ;Use PASSWD = `your password` for quoting if you use special characters in the password.
+; SSL_MODE = false ; either "false" (default), "true", or "skip-verify"
+; CHARSET_COLLATION = ; Empty as default, Gitea will try to find a case-sensitive collation. Don't change it unless you clearly know what you need.
+; ;
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; ;
+; ; Postgres Configuration
+; ;
+; DB_TYPE = postgres
+; HOST = postgres:5432 ; can use socket e.g. /var/run/postgresql/
+; NAME = gitea
+; USER = gitea
+; PASSWD = POSTGRES_PASSWD
+; SCHEMA =
+; SSL_MODE=disable ;either "disable" (default), "require", or "verify-full"
+; ;
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; ;
+; ; SQLite Configuration
+; ;
+DB_TYPE = sqlite3
+; PATH= ; defaults to data/forgejo.db
+PATH = /var/lib/forgejo/forgejo.db
+HOST = 
+NAME = 
+USER = 
+PASSWD = 
+SCHEMA = 
+SSL_MODE = disable
+LOG_SQL = false
+
+; SQLITE_TIMEOUT = ; Query timeout defaults to: 500
+; SQLITE_JOURNAL_MODE = ; defaults to sqlite database default (often DELETE), can be used to enable WAL mode. https://www.sqlite.org/pragma.html#pragma_journal_mode
+; ;
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; ;
+; ; MSSQL Configuration
+; ;
+; DB_TYPE = mssql
+; HOST = 172.17.0.2:1433
+; NAME = gitea
+; USER = SA
+; PASSWD = MwantsaSecurePassword1
+; CHARSET_COLLATION = ; Empty as default, Gitea will try to find a case-sensitive collation. Don't change it unless you clearly know what you need.
+; ;
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; ;
+; ; Other settings
+; ;
+; ; For iterate buffer, default is 50
+; ITERATE_BUFFER_SIZE = 50
+; ;
+; ; Show the database generated SQL
+; LOG_SQL = false
+; ;
+; ; Maximum number of DB Connect retries
+; DB_RETRIES = 10
+; ;
+; ; Backoff time per DB retry (time.Duration)
+; DB_RETRY_BACKOFF = 3s
+; ;
+; ; Max idle database connections on connection pool, default is 2
+; MAX_IDLE_CONNS = 2
+; ;
+; ; Database connection max life time, default is 0 or 3s mysql (See #6804 & #7071 for reasoning)
+; CONN_MAX_LIFETIME = 3s
+; ;
+; ; Database maximum number of open connections, default is 100 which is the lowest default from Postgres (MariaDB + MySQL default to 151). Ensure you only increase the value if you configured your database server accordingly.
+; MAX_OPEN_CONNS = 100
+; ;
+; ; Whether execute database models migrations automatically
+; AUTO_MIGRATION = true
+; ;
+; ; Threshold value (in seconds) beyond which query execution time is logged as a warning in the xorm logger
+; ;
+; SLOW_QUERY_TRESHOLD = 5s
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+[security]
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; ;
+; ; Whether the installer is disabled (set to true to disable the installer)
+INSTALL_LOCK = true
+; ;
+; ; Global secret key that will be used
+; ; This key is VERY IMPORTANT. If you lose it, the data encrypted by it (like 2FA secret) can't be decrypted anymore.
+; SECRET_KEY = 
+; ;
+; ; Alternative location to specify secret key, instead of this file; you cannot specify both this and SECRET_KEY, and must pick one
+; ; This key is VERY IMPORTANT. If you lose it, the data encrypted by it (like 2FA secret) can't be decrypted anymore.
+SECRET_KEY_URI = file:/etc/forgejo/secret_key
+; ;
+; ; Secret used to validate communication within Gitea binary.
+;INTERNAL_TOKEN = 
+PASSWORD_HASH_ALGO = pbkdf2_hi
+
+; ;
+; ; Alternative location to specify internal token, instead of this file; you cannot specify both this and INTERNAL_TOKEN, and must pick one
+INTERNAL_TOKEN_URI = file:/etc/forgejo/internal_token
+; ;
+; ; How long to remember that a user is logged in before requiring relogin (in days)
+; LOGIN_REMEMBER_DAYS = 31
+; ;
+; ; Name of the cookie used to store the current username.
+; COOKIE_USERNAME = gitea_awesome
+; ;
+; ; Name of cookie used to store authentication information.
+; COOKIE_REMEMBER_NAME = gitea_incredible
+; ;
+; ; Reverse proxy authentication header name of user name, email, and full name
+; REVERSE_PROXY_AUTHENTICATION_USER = X-WEBAUTH-USER
+; REVERSE_PROXY_AUTHENTICATION_EMAIL = X-WEBAUTH-EMAIL
+; REVERSE_PROXY_AUTHENTICATION_FULL_NAME = X-WEBAUTH-FULLNAME
+; ;
+; ; Interpret X-Forwarded-For header or the X-Real-IP header and set this as the remote IP for the request
+; REVERSE_PROXY_LIMIT = 1
+; ;
+; ; List of IP addresses and networks separated by comma of trusted proxy servers. Use `*` to trust all.
+; REVERSE_PROXY_TRUSTED_PROXIES = 127.0.0.0/8,::1/128
+; ;
+; ; The minimum password length for new Users
+; MIN_PASSWORD_LENGTH = 8
+; ;
+; ; Set to true to allow users to import local server paths
+; IMPORT_LOCAL_PATHS = false
+; ;
+; ; Set to false to allow users with git hook privileges to create custom git hooks.
+; ; Custom git hooks can be used to perform arbitrary code execution on the host operating system.
+; ; This enables the users to access and modify this config file and the Gitea database and interrupt the Gitea service.
+; ; By modifying the Gitea database, users can gain Gitea administrator privileges.
+; ; It also enables them to access other resources available to the user on the operating system that is running the Gitea instance and perform arbitrary actions in the name of the Gitea OS user.
+; ; WARNING: This maybe harmful to you website or your operating system.
+; ; WARNING: Setting this to true does not change existing hooks in git repos; adjust it before if necessary.
+; DISABLE_GIT_HOOKS = true
+; ;
+; ; Set to true to disable webhooks feature.
+; DISABLE_WEBHOOKS = false
+; ;
+; ; Set to false to allow pushes to gitea repositories despite having an incomplete environment - NOT RECOMMENDED
+; ONLY_ALLOW_PUSH_IF_GITEA_ENVIRONMENT_SET = true
+; ;
+; ;Comma separated list of character classes required to pass minimum complexity.
+; ;If left empty or no valid values are specified, the default is off (no checking)
+; ;Classes include "lower,upper,digit,spec"
+; PASSWORD_COMPLEXITY = off
+; ;
+; ; Password Hash algorithm, either "argon2", "pbkdf2"/"pbkdf2_v2", "pbkdf2_hi", "scrypt" or "bcrypt"
+; PASSWORD_HASH_ALGO = pbkdf2_hi
+; ;
+; ; Set false to allow JavaScript to read CSRF cookie
+; CSRF_COOKIE_HTTP_ONLY = true
+; ;
+; ; Validate against https://haveibeenpwned.com/Passwords to see if a password has been exposed
+; PASSWORD_CHECK_PWN = false
+; ;
+; ; Cache successful token hashes. API tokens are stored in the DB as pbkdf2 hashes however, this means that there is a potentially significant hashing load when there are multiple API operations.
+; ; This cache will store the successfully hashed tokens in a LRU cache as a balance between performance and security.
+; SUCCESSFUL_TOKENS_CACHE_SIZE = 20
+; ;
+; ; Reject API tokens sent in URL query string (Accept Header-based API tokens only). This avoids security vulnerabilities
+; ; stemming from cached/logged plain-text API tokens.
+; ; In future releases, this will become the default behavior
+; DISABLE_QUERY_AUTH_TOKEN = false
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+[camo]
+
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; ;
+; ; At the moment we only support images
+; ;
+; ; if the camo is enabled
+; ENABLED = false
+; ; url to a camo image proxy, it **is required** if camo is enabled.
+; SERVER_URL =
+; ; HMAC to encode urls with, it **is required** if camo is enabled.
+; HMAC_KEY =
+; ; Set to true to use camo for https too lese only non https urls are proxyed
+; ALLWAYS = false
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+[oauth2]
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; ;
+; ; Enables OAuth2 provider
+ENABLED = true
+;JWT_SECRET = 
+
+; ;
+; ; Algorithm used to sign OAuth2 tokens. Valid values: HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, EdDSA
+; JWT_SIGNING_ALGORITHM = RS256
+; ;
+; ; Private key file path used to sign OAuth2 tokens. The path is relative to APP_DATA_PATH.
+; ; This setting is only needed if JWT_SIGNING_ALGORITHM is set to RS256, RS384, RS512, ES256, ES384 or ES512.
+; ; The file must contain a RSA or ECDSA private key in the PKCS8 format. If no key exists a 4096 bit key will be created for you.
+; JWT_SIGNING_PRIVATE_KEY_FILE = jwt/private.pem
+; ;
+; ; OAuth2 authentication secret for access and refresh tokens, change this yourself to a unique string. CLI generate option is helpful in this case. https://docs.gitea.io/en-us/command-line/#generate
+; ; This setting is only needed if JWT_SIGNING_ALGORITHM is set to HS256, HS384 or HS512.
+; JWT_SECRET =
+; ;
+; ; Alternative location to specify OAuth2 authentication secret. You cannot specify both this and JWT_SECRET, and must pick one
+JWT_SECRET_URI = file:/etc/forgejo/oauth2_jwt_secret
+; ;
+; ; Lifetime of an OAuth2 access token in seconds
+; ACCESS_TOKEN_EXPIRATION_TIME = 3600
+; ;
+; ; Lifetime of an OAuth2 refresh token in hours
+; REFRESH_TOKEN_EXPIRATION_TIME = 730
+; ;
+; ; Check if refresh token got already used
+; INVALIDATE_REFRESH_TOKENS = false
+; ;
+; ; Maximum length of oauth2 token/cookie stored on server
+; MAX_TOKEN_LENGTH = 32767
+; ;
+; ; Pre-register OAuth2 applications for some universally useful services
+; ; * https://github.com/hickford/git-credential-oauth
+; ; * https://github.com/git-ecosystem/git-credential-manager
+; ; * https://gitea.com/gitea/tea
+; DEFAULT_APPLICATIONS = git-credential-oauth, git-credential-manager, tea
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+[log]
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; ; Root path for the log files - defaults to %(GITEA_WORK_DIR)/log
+; ROOT_PATH =
+; ;
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; ; Main Logger
+; ;
+; ; Either "console", "file" or "conn", default is "console"
+; ; Use comma to separate multiple modes, e.g. "console, file"
+MODE = console
+; ;
+; ; Either "Trace", "Debug", "Info", "Warn", "Error" or "None", default is "Info"
+LEVEL = info
+ROOT_PATH = /var/lib/forgejo/log
+
+; ;
+; ; Print Stacktrace with logs (rarely helpful, do not set) Either "Trace", "Debug", "Info", "Warn", "Error", default is "None"
+; STACKTRACE_LEVEL = None
+; ;
+; ; Buffer length of the channel, keep it as it is if you don't know what it is.
+; BUFFER_LEN = 10000
+; ;
+; ; Sub logger modes, a single comma means use default MODE above, empty means disable it
+; logger.access.MODE=
+; logger.router.MODE=,
+; logger.xorm.MODE=,
+; ;
+; ; Collect SSH logs (Creates log from ssh git request)
+; ;
+; ENABLE_SSH_LOG = false
+; ;
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; ;
+; ; Access Logger (Creates log in NCSA common log format)
+; ;
+; ; Print request id which parsed from request headers in access log, when access log is enabled.
+; ; * E.g:
+; ; * In request Header:         X-Request-ID: test-id-123
+; ; * Configuration in app.ini:  REQUEST_ID_HEADERS = X-Request-ID
+; ; * Print in log:              127.0.0.1:58384 - - [14/Feb/2023:16:33:51 +0800] "test-id-123"
+; ;
+; ; If you configure more than one in the .ini file, it will match in the order of configuration,
+; ; and the first match will be finally printed in the log.
+; ; * E.g:
+; ; * In request Header:         X-Trace-ID: trace-id-1q2w3e4r
+; ; * Configuration in app.ini:  REQUEST_ID_HEADERS = X-Request-ID, X-Trace-ID, X-Req-ID
+; ; * Print in log:              127.0.0.1:58384 - - [14/Feb/2023:16:33:51 +0800] "trace-id-1q2w3e4r"
+; ;
+; REQUEST_ID_HEADERS =
+; ;
+; ; Sets the template used to create the access log.
+; ACCESS_LOG_TEMPLATE = {{.Ctx.RemoteHost}} - {{.Identity}} {{.Start.Format "[02/Jan/2006:15:04:05 -0700]" }} "{{.Ctx.Req.Method}} {{.Ctx.Req.URL.RequestURI}} {{.Ctx.Req.Proto}}" {{.ResponseWriter.Status}} {{.ResponseWriter.Size}} "{{.Ctx.Req.Referer}}" "{{.Ctx.Req.UserAgent}}"
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; ;
+; ; Log modes (aka log writers)
+; ;
+; [log.%(WriterMode)]
+; MODE=console/file/conn/...
+; LEVEL=
+; FLAGS = stdflags
+; EXPRESSION =
+; PREFIX =
+; COLORIZE = false
+; ;
+; [log.console]
+; STDERR = false
+; ;
+; [log.file]
+; ; Set the file_name for the logger. If this is a relative path this will be relative to ROOT_PATH
+; FILE_NAME =
+; ; This enables automated log rotate(switch of following options), default is true
+; LOG_ROTATE = true
+; ; Max size shift of a single file, default is 28 means 1 << 28, 256MB
+; MAX_SIZE_SHIFT = 28
+; ; Segment log daily, default is true
+; DAILY_ROTATE = true
+; ; delete the log file after n days, default is 7
+; MAX_DAYS = 7
+; ; compress logs with gzip
+; COMPRESS = true
+; ; compression level see godoc for compress/gzip
+; COMPRESSION_LEVEL = -1
+; ;
+; [log.conn]
+; ; Reconnect host for every single message, default is false
+; RECONNECT_ON_MSG = false
+; ; Try to reconnect when connection is lost, default is false
+; RECONNECT = false
+; ; Either "tcp", "unix" or "udp", default is "tcp"
+; PROTOCOL = tcp
+; ; Host address
+; ADDR =
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+[git]
+
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; ;
+; ; The path of git executable. If empty, Gitea searches through the PATH environment.
+; PATH =
+; ;
+; ; The HOME directory for Git
+; HOME_PATH = %(APP_DATA_PATH)s/home
+; ;
+; ; Disables highlight of added and removed changes
+; DISABLE_DIFF_HIGHLIGHT = false
+; ;
+; ; Max number of lines allowed in a single file in diff view
+; MAX_GIT_DIFF_LINES = 1000
+; ;
+; ; Max number of allowed characters in a line in diff view
+; MAX_GIT_DIFF_LINE_CHARACTERS = 5000
+; ;
+; ; Max number of files shown in diff view
+; MAX_GIT_DIFF_FILES = 100
+; ;
+; ; Set the default commits range size
+; COMMITS_RANGE_SIZE = 50
+; ;
+; ; Set the default branches range size
+; BRANCHES_RANGE_SIZE = 20
+; ;
+; ; Arguments for command 'git gc', e.g. "--aggressive --auto"
+; ; see more on http://git-scm.com/docs/git-gc/
+; GC_ARGS =
+; ;
+; ; If use git wire protocol version 2 when git version >= 2.18, default is true, set to false when you always want git wire protocol version 1
+; ; To enable this for Git over SSH when using a OpenSSH server, add `AcceptEnv GIT_PROTOCOL` to your sshd_config file.
+; ENABLE_AUTO_GIT_WIRE_PROTOCOL = true
+; ;
+; ; Respond to pushes to a non-default branch with a URL for creating a Pull Request (if the repository has them enabled)
+; PULL_REQUEST_PUSH_MESSAGE = true
+; ;
+; ; (Go-Git only) Don't cache objects greater than this in memory. (Set to 0 to disable.)
+; LARGE_OBJECT_THRESHOLD = 1048576
+; ; Set to true to forcibly set core.protectNTFS=false
+; DISABLE_CORE_PROTECT_NTFS=false
+; ; Disable the usage of using partial clones for git.
+; DISABLE_PARTIAL_CLONE = false
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; ; Git Operation timeout in seconds
+; [git.timeout]
+; DEFAULT = 360
+; MIGRATE = 600
+; MIRROR = 300
+; CLONE = 300
+; PULL = 300
+; GC = 60
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; ; Git config options
+; ; This section only does "set" config, a removed config key from this section won't be removed from git config automatically. The format is `some.configKey = value`.
+; [git.config]
+; diff.algorithm = histogram
+; core.logAllRefUpdates = true
+; gc.reflogExpire = 90
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+[service]
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; ;
+; ; Time limit to confirm account/email registration
+; ACTIVE_CODE_LIVE_MINUTES = 180
+; ;
+; ; Time limit to perform the reset of a forgotten password
+; RESET_PASSWD_CODE_LIVE_MINUTES = 180
+; ;
+; ; Whether a new user needs to confirm their email when registering.
+; REGISTER_EMAIL_CONFIRM = false
+; ;
+; ; Whether a new user needs to be confirmed manually after registration. (Requires `REGISTER_EMAIL_CONFIRM` to be disabled.)
+; REGISTER_MANUAL_CONFIRM = false
+; ;
+; ; List of domain names that are allowed to be used to register on a Gitea instance, wildcard is supported
+; ; eg: gitea.io,example.com,*.mydomain.com
+; EMAIL_DOMAIN_ALLOWLIST =
+; ;
+; ; Comma-separated list of domain names that are not allowed to be used to register on a Gitea instance, wildcard is supported
+; EMAIL_DOMAIN_BLOCKLIST =
+; ;
+; ; Disallow registration, only allow admins to create accounts.
+; DISABLE_REGISTRATION = false
+; ;
+; ; Allow registration only using gitea itself, it works only when DISABLE_REGISTRATION is false
+; ALLOW_ONLY_INTERNAL_REGISTRATION = false
+; ;
+; ; Allow registration only using third-party services, it works only when DISABLE_REGISTRATION is false
+; ALLOW_ONLY_EXTERNAL_REGISTRATION = false
+; ;
+; ; User must sign in to view anything.
+; REQUIRE_SIGNIN_VIEW = false
+; ;
+; ; Mail notification
+; ENABLE_NOTIFY_MAIL = false
+; ;
+; ; This setting enables gitea to be signed in with HTTP BASIC Authentication using the user's password
+; ; If you set this to false you will not be able to access the tokens endpoints on the API with your password
+; ; Please note that setting this to false will not disable OAuth Basic or Basic authentication using a token
+; ENABLE_BASIC_AUTHENTICATION = true
+; ;
+; ; More detail: https://github.com/gogits/gogs/issues/165
+; ENABLE_REVERSE_PROXY_AUTHENTICATION = false
+; Enable this to allow reverse proxy authentication for API requests, the reverse proxy is responsible for ensuring that no CSRF is possible.
+; ENABLE_REVERSE_PROXY_AUTHENTICATION_API = false
+; ENABLE_REVERSE_PROXY_AUTO_REGISTRATION = false
+; ENABLE_REVERSE_PROXY_EMAIL = false
+; ENABLE_REVERSE_PROXY_FULL_NAME = false
+; ;
+; ; Enable captcha validation for registration
+; ENABLE_CAPTCHA = false
+; ;
+; ; Enable this to require captcha validation for login
+; REQUIRE_CAPTCHA_FOR_LOGIN = false
+; ;
+; ; Type of captcha you want to use. Options: image, recaptcha, hcaptcha, mcaptcha, cfturnstile.
+; CAPTCHA_TYPE = image
+; ;
+; ; Change this to use recaptcha.net or other recaptcha service
+; RECAPTCHA_URL = https://www.google.com/recaptcha/
+; ; Enable recaptcha to use Google's recaptcha service
+; ; Go to https://www.google.com/recaptcha/admin to sign up for a key
+; RECAPTCHA_SECRET =
+; RECAPTCHA_SITEKEY =
+; ;
+; ; For hCaptcha, create an account at https://accounts.hcaptcha.com/login to get your keys
+; HCAPTCHA_SECRET =
+; HCAPTCHA_SITEKEY =
+; ;
+; ; Change this to use demo.mcaptcha.org or your self-hosted mcaptcha.org instance.
+; MCAPTCHA_URL = https://demo.mcaptcha.org
+; ;
+; ; Go to your configured mCaptcha instance and register a sitekey
+; ; and use your account's secret.
+; MCAPTCHA_SECRET =
+; MCAPTCHA_SITEKEY =
+; ;
+; ; Go to https://dash.cloudflare.com/?to=/:account/turnstile to sign up for a key
+; CF_TURNSTILE_SITEKEY =
+; CF_TURNSTILE_SECRET =
+; ;
+; ; Default value for KeepEmailPrivate
+; ; Each new user will get the value of this setting copied into their profile
+; DEFAULT_KEEP_EMAIL_PRIVATE = false
+; ;
+; ; Default value for AllowCreateOrganization
+; ; Every new user will have rights set to create organizations depending on this setting
+; DEFAULT_ALLOW_CREATE_ORGANIZATION = true
+; ; Default value for IsRestricted
+; ; Every new user will have restricted permissions depending on this setting
+; DEFAULT_USER_IS_RESTRICTED = false
+; ;
+; ; Users will be able to use dots when choosing their username. Disabling this is
+; ; helpful if your usersare having issues with e.g. RSS feeds or advanced third-party
+; ; extensions that use strange regex patterns.
+; ALLOW_DOTS_IN_USERNAMES = true
+; ;
+; ; Either "public", "limited" or "private", default is "public"
+; ; Limited is for users visible only to signed users
+; ; Private is for users visible only to members of their organizations
+; ; Public is for users visible for everyone
+; DEFAULT_USER_VISIBILITY = public
+; ;
+; ; Set which visibility modes a user can have
+; ALLOWED_USER_VISIBILITY_MODES = public,limited,private
+; ;
+; ; Either "public", "limited" or "private", default is "public"
+; ; Limited is for organizations visible only to signed users
+; ; Private is for organizations visible only to members of the organization
+; ; Public is for organizations visible to everyone
+; DEFAULT_ORG_VISIBILITY = public
+; ;
+; ; Default value for DefaultOrgMemberVisible
+; ; True will make the membership of the users visible when added to the organisation
+; DEFAULT_ORG_MEMBER_VISIBLE = false
+; ;
+; ; Default value for EnableDependencies
+; ; Repositories will use dependencies by default depending on this setting
+; DEFAULT_ENABLE_DEPENDENCIES = true
+; ;
+; ; Dependencies can be added from any repository where the user is granted access or only from the current repository depending on this setting.
+; ALLOW_CROSS_REPOSITORY_DEPENDENCIES = true
+; ;
+; ; Default map service. No external API support has been included. A service has to allow
+; ; searching using URL parameters, the location will be appended to the URL as escaped query parameter.
+; ; Some example values are:
+; ; - OpenStreetMap: https://www.openstreetmap.org/search?query=
+; ; - Google Maps: https://www.google.com/maps/place/
+; ; - MapQuest: https://www.mapquest.com/search/
+; ; - Bing Maps: https://www.bing.com/maps?where1=
+; USER_LOCATION_MAP_URL = https://www.openstreetmap.org/search?query=
+; ;
+; ; Enable heatmap on users profiles.
+; ENABLE_USER_HEATMAP = true
+; ;
+; ; Enable Timetracking
+; ENABLE_TIMETRACKING = true
+; ;
+; ; Default value for EnableTimetracking
+; ; Repositories will use timetracking by default depending on this setting
+; DEFAULT_ENABLE_TIMETRACKING = true
+; ;
+; ; Default value for AllowOnlyContributorsToTrackTime
+; ; Only users with write permissions can track time if this is true
+; DEFAULT_ALLOW_ONLY_CONTRIBUTORS_TO_TRACK_TIME = true
+; ;
+; ; Value for the domain part of the user's email address in the git log if user
+; ; has set KeepEmailPrivate to true. The user's email will be replaced with a
+; ; concatenation of the user name in lower case, "@" and NO_REPLY_ADDRESS. Default
+; ; value is "noreply." + DOMAIN, where DOMAIN resolves to the value from server.DOMAIN
+; ; Note: do not use the <DOMAIN> notation below
+; NO_REPLY_ADDRESS = ; noreply.<DOMAIN>
+; ;
+; ; Show Registration button
+; SHOW_REGISTRATION_BUTTON = true
+; ;
+; ; Show milestones dashboard page - a view of all the user's milestones
+; SHOW_MILESTONES_DASHBOARD_PAGE = true
+; ;
+; ; Default value for AutoWatchNewRepos
+; ; When adding a repo to a team or creating a new repo all team members will watch the
+; ; repo automatically if enabled
+; AUTO_WATCH_NEW_REPOS = true
+; ;
+; ; Default value for AutoWatchOnChanges
+; ; Make the user watch a repository When they commit for the first time
+; AUTO_WATCH_ON_CHANGES = false
+; ;
+; ; Minimum amount of time a user must exist before comments are kept when the user is deleted.
+; USER_DELETE_WITH_COMMENTS_MAX_TIME = 0
+; ; Valid site url schemes for user profiles
+; VALID_SITE_URL_SCHEMES=http,https
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; ; Other Settings
+; ;
+; ; Uncomment the [section.header] if you wish to
+; ; set the below settings.
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; [badges]
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; ; Enable repository badges (via shields.io or a similar generator)
+; ENABLED = true
+; ; Template for the badge generator.
+; GENERATOR_URL_TEMPLATE = https://img.shields.io/badge/{{.label}}-{{.text}}-{{.color}}
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; [repository]
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; ; Root path for storing all repository data. By default, it is set to %(APP_DATA_PATH)s/gitea-repositories.
+; ; A relative path is interpreted as _`AppWorkPath`_/%(ROOT)s
+; ROOT =
+; ;
+; ; The script type this server supports. Usually this is `bash`, but some users report that only `sh` is available.
+; SCRIPT_TYPE = bash
+; ;
+; ; DETECTED_CHARSETS_ORDER tie-break order for detected charsets.
+; ; If the charsets have equal confidence, tie-breaking will be done by order in this list
+; ; with charsets earlier in the list chosen in preference to those later.
+; ; Adding "defaults" will place the unused charsets at that position.
+; DETECTED_CHARSETS_ORDER = UTF-8, UTF-16BE, UTF-16LE, UTF-32BE, UTF-32LE, ISO-8859, windows-1252, ISO-8859, windows-1250, ISO-8859, ISO-8859, ISO-8859, windows-1253, ISO-8859, windows-1255, ISO-8859, windows-1251, windows-1256, KOI8-R, ISO-8859, windows-1254, Shift_JIS, GB18030, EUC-JP, EUC-KR, Big5, ISO-2022, ISO-2022, ISO-2022, IBM424_rtl, IBM424_ltr, IBM420_rtl, IBM420_ltr
+; ;
+; ; Default ANSI charset to override non-UTF-8 charsets to
+; ANSI_CHARSET =
+; ;
+; ; Force every new repository to be private
+; FORCE_PRIVATE = false
+; ;
+; ; Default privacy setting when creating a new repository, allowed values: last, private, public. Default is last which means the last setting used.
+; DEFAULT_PRIVATE = last
+; ;
+; ; Default private when using push-to-create
+; DEFAULT_PUSH_CREATE_PRIVATE = true
+; ;
+; ; Global limit of repositories per user, applied at creation time. -1 means no limit
+; MAX_CREATION_LIMIT = -1
+; ;
+; ; Preferred Licenses to place at the top of the List
+; ; The name here must match the filename in options/license or custom/options/license
+; PREFERRED_LICENSES = Apache License 2.0,MIT License
+; ;
+; ; Disable the ability to interact with repositories using the HTTP protocol
+; DISABLE_HTTP_GIT = false
+; ;
+; ; Value for Access-Control-Allow-Origin header, default is not to present
+; ; WARNING: This may be harmful to your website if you do not give it a right value.
+; ACCESS_CONTROL_ALLOW_ORIGIN =
+; ;
+; ; Force ssh:// clone url instead of scp-style uri when default SSH port is used
+; USE_COMPAT_SSH_URI = false
+; ;
+; ; Value for the "go get" request returns the repository url as https or ssh, default is https
+; GO_GET_CLONE_URL_PROTOCOL = https
+; ;
+; ; Close issues as long as a commit on any branch marks it as fixed
+; DEFAULT_CLOSE_ISSUES_VIA_COMMITS_IN_ANY_BRANCH = false
+; ;
+; ; Allow users to push local repositories to Gitea and have them automatically created for a user or an org
+; ENABLE_PUSH_CREATE_USER = false
+; ENABLE_PUSH_CREATE_ORG = false
+; ;
+; ; Comma separated list of globally disabled repo units. Allowed values: repo.issues, repo.ext_issues, repo.pulls, repo.wiki, repo.ext_wiki, repo.projects, repo.packages, repo.actions.
+; DISABLED_REPO_UNITS =
+; ;
+; ; Comma separated list of default new repo units. Allowed values: repo.code, repo.releases, repo.issues, repo.pulls, repo.wiki, repo.projects, repo.packages, repo.actions.
+; ; Note: Code and Releases can currently not be deactivated. If you specify default repo units you should still list them for future compatibility.
+; ; External wiki and issue tracker can't be enabled by default as it requires additional settings.
+; ; Disabled repo units will not be added to new repositories regardless if it is in the default list.
+; DEFAULT_REPO_UNITS = repo.code,repo.releases,repo.issues,repo.pulls,repo.wiki,repo.projects,repo.packages,repo.actions
+; ;
+; ; Comma separated list of default forked repo units.
+; ; The set of allowed values and rules are the same as DEFAULT_REPO_UNITS.
+; DEFAULT_FORK_REPO_UNITS = repo.code,repo.pulls
+; ;
+; ; Prefix archive files by placing them in a directory named after the repository
+; PREFIX_ARCHIVE_FILES = true
+; ;
+; ; Disable migrating feature.
+; DISABLE_MIGRATIONS = false
+; ;
+; ; Disable stars feature.
+; DISABLE_STARS = false
+; ;
+; ; Disable repository forking.
+; DISABLE_FORKS = false
+; ;
+; ; The default branch name of new repositories
+; DEFAULT_BRANCH = main
+; ;
+; ; Allow adoption of unadopted repositories
+; ALLOW_ADOPTION_OF_UNADOPTED_REPOSITORIES = false
+; ;
+; ; Allow deletion of unadopted repositories
+; ALLOW_DELETION_OF_UNADOPTED_REPOSITORIES = false
+; ; Don't allow download source archive files from UI
+; DISABLE_DOWNLOAD_SOURCE_ARCHIVES = false
+; ; Allow fork repositories without maximum number limit
+; ALLOW_FORK_WITHOUT_MAXIMUM_LIMIT = true
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; [repository.editor]
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; ;
+; ; List of file extensions for which lines should be wrapped in the Monaco editor
+; ; Separate extensions with a comma. To line wrap files without an extension, just put a comma
+; LINE_WRAP_EXTENSIONS = .txt,.md,.markdown,.mdown,.mkd,.livemd,
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; [repository.local]
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; ;
+; ; Path for local repository copy. Defaults to `tmp/local-repo` (content gets deleted on gitea restart)
+; LOCAL_COPY_PATH = tmp/local-repo
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; [repository.upload]
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; ;
+; ; Whether repository file uploads are enabled. Defaults to `true`
+; ENABLED = true
+; ;
+; ; Path for uploads. Defaults to `data/tmp/uploads` (content gets deleted on gitea restart)
+; TEMP_PATH = data/tmp/uploads
+; ;
+; ; Comma-separated list of allowed file extensions (`.zip`), mime types (`text/plain`) or wildcard type (`image/*`, `audio/*`, `video/*`). Empty value or `*/*` allows all types.
+; ALLOWED_TYPES =
+; ;
+; ; Max size of each file in megabytes. Defaults to 50MB
+; FILE_MAX_SIZE = 50
+; ;
+; ; Max number of files per upload. Defaults to 5
+; MAX_FILES = 5
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; [repository.pull-request]
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; ;
+; ; List of prefixes used in Pull Request title to mark them as Work In Progress (matched in a case-insensitive manner)
+; WORK_IN_PROGRESS_PREFIXES = WIP:,[WIP]
+; ;
+; ; List of keywords used in Pull Request comments to automatically close a related issue
+; CLOSE_KEYWORDS = close,closes,closed,fix,fixes,fixed,resolve,resolves,resolved
+; ;
+; ; List of keywords used in Pull Request comments to automatically reopen a related issue
+; REOPEN_KEYWORDS = reopen,reopens,reopened
+; ;
+; ; Set default merge style for repository creating, valid options: merge, rebase, rebase-merge, squash, fast-forward-only
+; DEFAULT_MERGE_STYLE = merge
+; ;
+; ; In the default merge message for squash commits include at most this many commits
+; DEFAULT_MERGE_MESSAGE_COMMITS_LIMIT = 50
+; ;
+; ; In the default merge message for squash commits limit the size of the commit messages to this
+; DEFAULT_MERGE_MESSAGE_SIZE = 5120
+; ;
+; ; In the default merge message for squash commits walk all commits to include all authors in the Co-authored-by otherwise just use those in the limited list
+; DEFAULT_MERGE_MESSAGE_ALL_AUTHORS = false
+; ;
+; ; In default merge messages limit the number of approvers listed as Reviewed-by: to this many
+; DEFAULT_MERGE_MESSAGE_MAX_APPROVERS = 10
+; ;
+; ; In default merge messages only include approvers who are official
+; DEFAULT_MERGE_MESSAGE_OFFICIAL_APPROVERS_ONLY = true
+; ;
+; ; Add co-authored-by and co-committed-by trailers if committer does not match author
+; ADD_CO_COMMITTER_TRAILERS = true
+; ;
+; ; In addition to testing patches using the three-way merge method, re-test conflicting patches with git apply
+; TEST_CONFLICTING_PATCHES_WITH_GIT_APPLY = false
+; ;
+; ; Retarget child pull requests to the parent pull request branch target on merge of parent pull request. It only works on merged PRs where the head and base branch target the same repo.
+; RETARGET_CHILDREN_ON_MERGE = true
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; [repository.issue]
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; ; List of reasons why a Pull Request or Issue can be locked
+; LOCK_REASONS = Too heated,Off-topic,Resolved,Spam
+; ; Maximum number of pinned Issues per repo
+; ; Set to 0 to disable pinning Issues
+; MAX_PINNED = 3
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; [repository.release]
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; ; Comma-separated list of allowed file extensions (`.zip`), mime types (`text/plain`) or wildcard type (`image/*`, `audio/*`, `video/*`). Empty value or `*/*` allows all types.
+; ALLOWED_TYPES =
+; DEFAULT_PAGING_NUM = 10
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; [repository.signing]
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; ;
+; ; GPG key to use to sign commits, Defaults to the default - that is the value of git config --get user.signingkey
+; ; run in the context of the RUN_USER
+; ; Switch to none to stop signing completely
+; SIGNING_KEY = default
+; ;
+; ; If a SIGNING_KEY ID is provided and is not set to default, use the provided Name and Email address as the signer.
+; ; These should match a publicized name and email address for the key. (When SIGNING_KEY is default these are set to
+; ; the results of git config --get user.name and git config --get user.email respectively and can only be overridden
+; ; by setting the SIGNING_KEY ID to the correct ID.)
+; SIGNING_NAME =
+; SIGNING_EMAIL =
+; ;
+; ; Sets the default trust model for repositories. Options are: collaborator, committer, collaboratorcommitter
+; DEFAULT_TRUST_MODEL = collaborator
+; ;
+; ; Determines when gitea should sign the initial commit when creating a repository
+; ; Either:
+; ; - never
+; ; - pubkey: only sign if the user has a pubkey
+; ; - twofa: only sign if the user has logged in with twofa
+; ; - always
+; ; options other than none and always can be combined as comma separated list
+; INITIAL_COMMIT = always
+; ;
+; ; Determines when to sign for CRUD actions
+; ; - as above
+; ; - parentsigned: requires that the parent commit is signed.
+; CRUD_ACTIONS = pubkey, twofa, parentsigned
+; ; Determines when to sign Wiki commits
+; ; - as above
+; WIKI = never
+; ;
+; ; Determines when to sign on merges
+; ; - basesigned: require that the parent of commit on the base repo is signed.
+; ; - commitssigned: require that all the commits in the head branch are signed.
+; ; - approved: only sign when merging an approved pr to a protected branch
+; MERGES = pubkey, twofa, basesigned, commitssigned
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; [repository.mimetype_mapping]
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; ;
+; ; Custom MIME type mapping for downloadable files
+; .apk=application/vnd.android.package-archive
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; [project]
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; ; Default templates for project boards
+; PROJECT_BOARD_BASIC_KANBAN_TYPE = To Do, In Progress, Done
+; PROJECT_BOARD_BUG_TRIAGE_TYPE = Needs Triage, High Priority, Low Priority, Closed
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; [cors]
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; ;
+; ; More information about CORS can be found here: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#The_HTTP_response_headers
+; ; enable cors headers (disabled by default)
+; ENABLED = false
+; ;
+; ; list of requesting origins that are allowed, eg: "https://*.example.com"
+; ALLOW_DOMAIN = *
+; ;
+; ; list of methods allowed to request
+; METHODS = GET,HEAD,POST,PUT,PATCH,DELETE,OPTIONS
+; ;
+; ; max time to cache response
+; MAX_AGE = 10m
+; ;
+; ; allow request with credentials
+; ALLOW_CREDENTIALS = false
+; ;
+; ; headers to permit
+; HEADERS = Content-Type,User-Agent
+; ;
+; ; set X-FRAME-OPTIONS header
+; X_FRAME_OPTIONS = SAMEORIGIN
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; [ui]
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; ;
+; ; Number of repositories that are displayed on one explore page
+; EXPLORE_PAGING_NUM = 20
+; ;
+; ; Number of issues that are displayed on one page
+; ISSUE_PAGING_NUM = 20
+; ;
+; ; Number of maximum commits displayed in one activity feed
+; FEED_MAX_COMMIT_NUM = 5
+; ;
+; ; Number of items that are displayed in home feed
+; FEED_PAGING_NUM = 20
+; ;
+; ; Number of items that are displayed in a single subsitemap
+; SITEMAP_PAGING_NUM = 20
+; ;
+; ; Number of maximum commits displayed in commit graph.
+; GRAPH_MAX_COMMIT_NUM = 100
+; ;
+; ; Number of line of codes shown for a code comment
+; CODE_COMMENT_LINES = 4
+; ;
+; ; Max size of files to be displayed (default is 8MiB)
+; MAX_DISPLAY_FILE_SIZE = 8388608
+; ;
+; ; Detect ambiguous unicode characters in file contents and show warnings on the UI
+; AMBIGUOUS_UNICODE_DETECTION = true
+; ;
+; ; Whether the email of the user should be shown in the Explore Users page
+; SHOW_USER_EMAIL = true
+; ;
+; ; Set the default theme for the Gitea install
+; DEFAULT_THEME = gitea-auto
+; ;
+; ; All available themes. Allow users select personalized themes regardless of the value of `DEFAULT_THEME`.
+; THEMES = gitea-auto,gitea-light,gitea-dark
+; ;
+; ; All available reactions users can choose on issues/prs and comments.
+; ; Values can be emoji alias (:smile:) or a unicode emoji.
+; ; For custom reactions, add a tightly cropped square image to public/assets/img/emoji/reaction_name.png
+; REACTIONS = +1, -1, laugh, hooray, confused, heart, rocket, eyes
+; ;
+; ; Change the number of users that are displayed in reactions tooltip (triggered by mouse hover).
+; REACTION_MAX_USER_NUM = 10
+; ;
+; ; Additional Emojis not defined in the utf8 standard
+; ; By default we support gitea (:gitea:), to add more copy them to public/assets/img/emoji/emoji_name.png and add it to this config.
+; ; Dont mistake it for Reactions.
+; CUSTOM_EMOJIS = gitea, codeberg, gitlab, git, github, gogs
+; ;
+; ; Whether the full name of the users should be shown where possible. If the full name isn't set, the username will be used.
+; DEFAULT_SHOW_FULL_NAME = false
+; ;
+; ; Whether to search within description at repository search on explore page.
+; SEARCH_REPO_DESCRIPTION = true
+; ;
+; ; Whether to only show relevant repos on the explore page when no keyword is specified and default sorting is used.
+; ; A repo is considered irrelevant if it's a fork or if it has no metadata (no description, no icon, no topic).
+; ONLY_SHOW_RELEVANT_REPOS = false
+; ;
+; ; Change the sort type of the explore pages.
+; ; Default is "recentupdate", but you also have "alphabetically", "reverselastlogin", "newest", "oldest".
+; EXPLORE_PAGING_DEFAULT_SORT = recentupdate
+; ;
+; ; The tense all timestamps should be rendered in. Possible values are `absolute` time (i.e. 1970-01-01, 11:59) and `mixed`.
+; ; `mixed` means most timestamps are rendered in relative time (i.e. 2 days ago).
+; PREFERRED_TIMESTAMP_TENSE = mixed
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; [ui.admin]
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; ;
+; ; Number of users that are displayed on one page
+; USER_PAGING_NUM = 50
+; ;
+; ; Number of repos that are displayed on one page
+; REPO_PAGING_NUM = 50
+; ;
+; ; Number of notices that are displayed on one page
+; NOTICE_PAGING_NUM = 25
+; ;
+; ; Number of organizations that are displayed on one page
+; ORG_PAGING_NUM = 50
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; [ui.user]
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; ; Number of repos that are displayed on one page
+; REPO_PAGING_NUM = 15
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; [ui.meta]
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+AUTHOR = renken
+DESCRIPTION = unfinished projects, unfinished thoughts
+REGISTER_EMAIL_CONFIRM = false
+ENABLE_NOTIFY_MAIL = false
+DISABLE_REGISTRATION = true
+ALLOW_ONLY_EXTERNAL_REGISTRATION = false
+ENABLE_CAPTCHA = false
+REQUIRE_SIGNIN_VIEW = false
+DEFAULT_KEEP_EMAIL_PRIVATE = false
+DEFAULT_ALLOW_CREATE_ORGANIZATION = true
+DEFAULT_ENABLE_TIMETRACKING = true
+NO_REPLY_ADDRESS = noreply.localhost
+
+[repository]
+ROOT = /var/lib/forgejo/data/forgejo-repositories
+
+[lfs]
+PATH = /var/lib/forgejo/data/lfs
+
+[mailer]
+ENABLED = false
+
+[openid]
+ENABLE_OPENID_SIGNIN = true
+ENABLE_OPENID_SIGNUP = false
+
+[cron.update_checker]
+ENABLED = true
+
+[session]
+PROVIDER = file
+
+[repository.pull-request]
+DEFAULT_MERGE_STYLE = merge
+
+[repository.signing]
+DEFAULT_TRUST_MODEL = committer
diff --git a/images/forgejo/setup.sh b/images/forgejo/setup.sh
new file mode 100755
index 0000000..af46ac5
--- /dev/null
+++ b/images/forgejo/setup.sh
@@ -0,0 +1,49 @@
+#!/bin/sh
+
+set -eux
+
+# Secure forgejo files before anything.
+adduser \
+  --system \
+  --shell /bin/bash \
+  --gecos 'Git Version Control' \
+  --group \
+  --disabled-password \
+  --home /home/git git
+
+mkdir -p /var/lib/forgejo
+chown git:git /var/lib/forgejo 
+chmod 750 /var/lib/forgejo
+
+mkdir -p /etc/forgejo
+chown -R root:git /etc/forgejo
+
+for file in app.ini lfs_jwt_secret secret_key internal_token oauth2_jwt_secret; do
+  chmod 0640 /etc/forgejo/"$file"
+done
+
+apt-get update -y
+
+apt-get upgrade -y
+
+apt-get --no-install-recommends install -y \
+  ca-certificates \
+  dirmngr \
+  gpg \
+  gpg-agent \
+  curl \
+  git \
+  git-lfs \
+  systemd
+
+version=7.0.3
+curl -LO \
+  "https://codeberg.org/forgejo/forgejo/releases/download/v$version/forgejo-$version-linux-amd64"
+gpg --keyserver keys.openpgp.org --recv EB114F5E6C0DC2BCDD183550A4B61A2DC5923710
+curl -LO \
+  "https://codeberg.org/forgejo/forgejo/releases/download/v$version/forgejo-$version-linux-amd64.asc"
+gpg --verify forgejo-$version-linux-amd64.asc forgejo-$version-linux-amd64
+
+
+chmod +x "forgejo-$version-linux-amd64"
+mv "forgejo-$version-linux-amd64" /usr/local/bin/forgejo