commit ac89f6af47e0b2fdae9a835f942860aea34bb77c Author: xeovalyte Date: Thu Jan 9 22:43:51 2025 +0100 Initial configuration diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..c3cb00e --- /dev/null +++ b/.gitignore @@ -0,0 +1,2 @@ +secrets/ +.env diff --git a/README.md b/README.md new file mode 100644 index 0000000..cc5eca3 --- /dev/null +++ b/README.md @@ -0,0 +1,44 @@ +# Configuration steps + +## 1. Install [NixOS](https://nixos.org/) + +Follow the steps from the [NixOS Manual Installation](https://nixos.org/manual/nixos/stable/#sec-installation-manual) + +> At the edit configuration.nix step you must: +> +> - Add a user to the configuration file and set a password +> - Enable openssh + +## 2. Configuring flake + +1. Clone this repository +2. Copy hardware configuration to host
+ `cp /etc/nixos/hardware-configuration.nix ~/nix/hosts//hardware-configuration.nix` +3. Rebuild system + `sudo nixos-rebuild switch --flake .#` +4. Rebuild home-manager + `home-manager switch --flake .#@` +5. Reboot + +## 3. Configuring docker containers + +1. Create proxy network
+ `docker network create proxy` + +2. Configure [Adguard](./adguard/README.md) +3. Configure [Caddy](./caddy/README.md) +4. Configure [Authelia](./authelia/README.md) +5. Configure the rest of the services + +# Services + +| Name | Use | Domain | Auth | +| ------- | -------------- | ----------------------------- | ------ | +| Adguard | DNS | https://adguard.timo.bmrs.nl/ | local | +| Caddy | Reverse proxy | - | - | +| Forgejo | Git | https://git.timo.bmrs.nl/ | Openid | +| Ldap | User directory | https://ldap.timo.bmrs.nl/ | - | + +# Services to try out + +- [Beszel](https://github.com/henrygd/beszel) diff --git a/adguard/README.md b/adguard/README.md new file mode 100644 index 0000000..24a0cbc --- /dev/null +++ b/adguard/README.md @@ -0,0 +1,7 @@ +# Adguard Home + +1. Temporaraly edit ports in docker-compose file to setup +2. Configuration screen
+ 1. Change listen interface to port 3000 +3. Add DNS rewrite for *.timo.bmrs.nl +4. Delete temporaraly port edit in docker-compose diff --git a/adguard/docker-compose.yml b/adguard/docker-compose.yml new file mode 100644 index 0000000..4ef6b7b --- /dev/null +++ b/adguard/docker-compose.yml @@ -0,0 +1,21 @@ +services: + adguardhome: + image: adguard/adguardhome:latest + container_name: adguardhome + restart: unless-stopped + ports: + - 53:53/tcp + - 53:53/udp + # - 80:3000 # Only use during setup + volumes: + - work:/opt/adguardhome/work + - conf:/opt/adguardhome/conf + +volumes: + work: + conf: + +networks: + default: + name: proxy + external: true diff --git a/authelia/.gitignore b/authelia/.gitignore new file mode 100644 index 0000000..81bbbae --- /dev/null +++ b/authelia/.gitignore @@ -0,0 +1 @@ +keys/ diff --git a/authelia/README.md b/authelia/README.md new file mode 100644 index 0000000..89b03a9 --- /dev/null +++ b/authelia/README.md @@ -0,0 +1,13 @@ +# Authelia + +1. Edit environment variables. + 1. For HMAC_SECRET, JWT_SECRET, ADMIN_PASSWORD, SESSION_SECRET, STORAGE_ENCRYPTION_KEY, LLDAP_KEY_SEED use an random alphanumeric string of at least 64 characters + 2. For CLIENT_SECRET, CLIEND_ID: [Generate client identifier](https://www.authelia.com/integration/openid-connect/frequently-asked-questions/#how-do-i-generate-a-client-identifier-or-client-secret) + 1. Use single quotes for the client secret + +2. Generate PAM file using and save it to the /config/keys directory: [Generating keypair](https://www.authelia.com/reference/guides/generating-secure-values/#generating-an-rsa-keypair) + 1. Save the random password + +3. Configure LLDAP + 1. Create a user in LLDAP with the group: lldap_password_manager + 2. Create groups: forgejo diff --git a/authelia/config/configuration.yml b/authelia/config/configuration.yml new file mode 100644 index 0000000..7fa7c5d --- /dev/null +++ b/authelia/config/configuration.yml @@ -0,0 +1,1320 @@ +# yamllint disable rule:comments-indentation +--- +############################################################################### +## Authelia Configuration ## +############################################################################### + +## +## Notes: +## +## - the default location of this file is assumed to be configuration.yml unless otherwise noted +## - when using docker the container expects this by default to be at /config/configuration.yml +## - the default location where this file is loaded from can be overridden with the X_AUTHELIA_CONFIG environment var +## - the comments in this configuration file are helpful but users should consult the official documentation on the +## website at https://www.authelia.com/ or https://www.authelia.com/configuration/prologue/introduction/ +## - this configuration file template is not automatically updated +## + +## Certificates directory specifies where Authelia will load trusted certificates (public portion) from in addition to +## the system certificates store. +## They should be in base64 format, and have one of the following extensions: *.cer, *.crt, *.pem. +# certificates_directory: '/config/certificates/' + +## The theme to display: light, dark, grey, auto. +theme: 'dark' + +## Set the default 2FA method for new users and for when a user has a preferred method configured that has been +## disabled. This setting must be a method that is enabled. +## Options are totp, webauthn, mobile_push. +default_2fa_method: 'totp' + +## +## Server Configuration +## +server: + ## The address for the Main server to listen on in the address common syntax. + ## Formats: + ## - [://][:][/] + ## - [://][hostname]:[/] + ## Square brackets indicate optional portions of the format. Scheme must be 'tcp', 'tcp4', 'tcp6', or 'unix'. + ## The default scheme is 'unix' if the address is an absolute path otherwise it's 'tcp'. The default port is '9091'. + ## If the path is specified this configures the router to handle both the `/` path and the configured path. + # address: 'tcp://:9091/' + + ## Set the path on disk to Authelia assets. + ## Useful to allow overriding of specific static assets. + # asset_path: '/config/assets/' + + ## Disables writing the health check vars to /app/.healthcheck.env which makes healthcheck.sh return exit code 0. + ## This is disabled by default if either /app/.healthcheck.env or /app/healthcheck.sh do not exist. + # disable_healthcheck: false + + ## Authelia by default doesn't accept TLS communication on the server port. This section overrides this behaviour. + # tls: + ## The path to the DER base64/PEM format private key. + # key: '' + + ## The path to the DER base64/PEM format public certificate. + # certificate: '' + + ## The list of certificates for client authentication. + # client_certificates: [] + + ## Server headers configuration/customization. + # headers: + + ## The CSP Template. Read the docs. + # csp_template: '' + + ## Server Buffers configuration. + # buffers: + + ## Buffers usually should be configured to be the same value. + ## Explanation at https://www.authelia.com/c/server#buffer-sizes + ## Read buffer size adjusts the server's max incoming request size in bytes. + ## Write buffer size does the same for outgoing responses. + + ## Read buffer. + # read: 4096 + + ## Write buffer. + # write: 4096 + + ## Server Timeouts configuration. + # timeouts: + + ## Read timeout in the duration common syntax. + # read: '6 seconds' + + ## Write timeout in the duration common syntax. + # write: '6 seconds' + + ## Idle timeout in the duration common syntax. + # idle: '30 seconds' + + ## Server Endpoints configuration. + ## This section is considered advanced and it SHOULD NOT be configured unless you've read the relevant documentation. + endpoints: + ## Enables the pprof endpoint. + # enable_pprof: false + + ## Enables the expvars endpoint. + # enable_expvars: false + + ## Configure the authz endpoints. + authz: + forward-auth: + implementation: 'ForwardAuth' + # authn_strategies: [] + # ext-authz: + # implementation: 'ExtAuthz' + # authn_strategies: [] + # auth-request: + # implementation: 'AuthRequest' + # authn_strategies: [] + # legacy: + # implementation: 'Legacy' + # authn_strategies: [] + +## +## Log Configuration +## +# log: + ## Level of verbosity for logs: info, debug, trace. + # level: 'debug' + + ## Format the logs are written as: json, text. + # format: 'json' + + ## File path where the logs will be written. If not set logs are written to stdout. + # file_path: '/config/authelia.log' + + ## Whether to also log to stdout when a log_file_path is defined. + # keep_stdout: false + +## +## Telemetry Configuration +## +# telemetry: + + ## + ## Metrics Configuration + ## + # metrics: + ## Enable Metrics. + # enabled: false + + ## The address for the Metrics server to listen on in the address common syntax. + ## Formats: + ## - [://][:][/] + ## - [://][hostname]:[/] + ## Square brackets indicate optional portions of the format. Scheme must be 'tcp', 'tcp4', 'tcp6', or 'unix'. + ## The default scheme is 'unix' if the address is an absolute path otherwise it's 'tcp'. The default port is '9959'. + ## If the path is not specified it defaults to `/metrics`. + # address: 'tcp://:9959/metrics' + + ## Metrics Server Buffers configuration. + # buffers: + + ## Read buffer. + # read: 4096 + + ## Write buffer. + # write: 4096 + + ## Metrics Server Timeouts configuration. + # timeouts: + + ## Read timeout in the duration common syntax. + # read: '6 seconds' + + ## Write timeout in the duration common syntax. + # write: '6 seconds' + + ## Idle timeout in the duration common syntax. + # idle: '30 seconds' + +## +## TOTP Configuration +## +## Parameters used for TOTP generation. +# totp: + ## Disable TOTP. + # disable: false + + ## The issuer name displayed in the Authenticator application of your choice. + # issuer: 'authelia.com' + + ## The TOTP algorithm to use. + ## It is CRITICAL you read the documentation before changing this option: + ## https://www.authelia.com/c/totp#algorithm + # algorithm: 'SHA1' + + ## The number of digits a user has to input. Must either be 6 or 8. + ## Changing this option only affects newly generated TOTP configurations. + ## It is CRITICAL you read the documentation before changing this option: + ## https://www.authelia.com/c/totp#digits + # digits: 6 + + ## The period in seconds a Time-based One-Time Password is valid for. + ## Changing this option only affects newly generated TOTP configurations. + # period: 30 + + ## The skew controls number of Time-based One-Time Passwords either side of the current one that are valid. + ## Warning: before changing skew read the docs link below. + # skew: 1 + ## See: https://www.authelia.com/c/totp#input-validation to read + ## the documentation. + + ## The size of the generated shared secrets. Default is 32 and is sufficient in most use cases, minimum is 20. + # secret_size: 32 + + ## The allowed algorithms for a user to pick from. + # allowed_algorithms: + # - 'SHA1' + + ## The allowed digits for a user to pick from. + # allowed_digits: + # - 6 + + ## The allowed periods for a user to pick from. + # allowed_periods: + # - 30 + + ## Disable the reuse security policy which prevents replays of one-time password code values. + # disable_reuse_security_policy: false + +## +## WebAuthn Configuration +## +## Parameters used for WebAuthn. +# webauthn: + ## Disable WebAuthn. + # disable: false + + ## The interaction timeout for WebAuthn dialogues in the duration common syntax. + # timeout: '60 seconds' + + ## The display name the browser should show the user for when using WebAuthn to login/register. + # display_name: 'Authelia' + + ## Conveyance preference controls if we collect the attestation statement including the AAGUID from the device. + ## Options are none, indirect, direct. + # attestation_conveyance_preference: 'indirect' + + ## User verification controls if the user must make a gesture or action to confirm they are present. + ## Options are required, preferred, discouraged. + # user_verification: 'preferred' + +## +## Duo Push API Configuration +## +## Parameters used to contact the Duo API. Those are generated when you protect an application of type +## "Partner Auth API" in the management panel. +# duo_api: + # disable: false + # hostname: 'api-123456789.example.com' + # integration_key: 'ABCDEF' + ## Secret can also be set using a secret: https://www.authelia.com/c/secrets + # secret_key: '1234567890abcdefghifjkl' + # enable_self_enrollment: false + +## +## Identity Validation Configuration +## +## This configuration tunes the identity validation flows. +identity_validation: + + ## Reset Password flow. Adjusts how the reset password flow operates. + reset_password: + ## Maximum allowed time before the JWT is generated and when the user uses it in the duration common syntax. + jwt_lifespan: '5 minutes' + + ## The algorithm used for the Reset Password JWT. + jwt_algorithm: 'HS256' + + ## The secret key used to sign and verify the JWT. + jwt_secret: '{{ env "JWT_SECRET" }}' + + ## Elevated Session flows. Adjusts the flow which require elevated sessions for example managing credentials, adding, + ## removing, etc. + # elevated_session: + ## Maximum allowed lifetime after the One-Time Code is generated that it is considered valid. + # code_lifespan: '5 minutes' + + ## Maximum allowed lifetime after the user uses the One-Time Code and the user must perform the validation again in + ## the duration common syntax. + # elevation_lifespan: '10 minutes' + + ## Number of characters the one-time password contains. + # characters: 8 + + ## In addition to the One-Time Code requires the user performs a second factor authentication. + # require_second_factor: false + + ## Skips the elevation requirement and entry of the One-Time Code if the user has performed second factor + ## authentication. + # skip_second_factor: false + +## +## NTP Configuration +## +## This is used to validate the servers time is accurate enough to validate TOTP. +# ntp: + ## The address of the NTP server to connect to in the address common syntax. + ## Format: [://][:]. + ## Square brackets indicate optional portions of the format. Scheme must be 'udp', 'udp4', or 'udp6'. + ## The default scheme is 'udp'. The default port is '123'. + # address: 'udp://time.cloudflare.com:123' + + ## NTP version. + # version: 4 + + ## Maximum allowed time offset between the host and the NTP server in the duration common syntax. + # max_desync: '3 seconds' + + ## Disables the NTP check on startup entirely. This means Authelia will not contact a remote service at all if you + ## set this to true, and can operate in a truly offline mode. + # disable_startup_check: false + + ## The default of false will prevent startup only if we can contact the NTP server and the time is out of sync with + ## the NTP server more than the configured max_desync. If you set this to true, an error will be logged but startup + ## will continue regardless of results. + # disable_failure: false + +## +## Authentication Backend Provider Configuration +## +## Used for verifying user passwords and retrieve information such as email address and groups users belong to. +## +## The available providers are: `file`, `ldap`. You must use only one of these providers. +authentication_backend: + + ## Password Reset Options. + password_reset: + ## Disable both the HTML element and the API for reset password functionality. + disable: false + + ## External reset password url that redirects the user to an external reset portal. This disables the internal reset + ## functionality. + # custom_url: '' + + ## The amount of time to wait before we refresh data from the authentication backend in the duration common syntax. + ## To disable this feature set it to 'disable', this will slightly reduce security because for Authelia, users will + ## always belong to groups they belonged to at the time of login even if they have been removed from them in LDAP. + ## To force update on every request you can set this to '0' or 'always', this will increase processor demand. + ## See the below documentation for more information. + ## Refresh Interval docs: https://www.authelia.com/c/1fa#refresh-interval + # refresh_interval: '5 minutes' + + ## + ## LDAP (Authentication Provider) + ## + ## This is the recommended Authentication Provider in production + ## because it allows Authelia to offload the stateful operations + ## onto the LDAP service. + ldap: + ## The address of the directory server to connect to in the address common syntax. + ## Format: [://][:]. + ## Square brackets indicate optional portions of the format. Scheme must be 'ldap', 'ldaps', or 'ldapi`. + ## The default scheme is 'ldapi' if the address is an absolute path otherwise it's 'ldaps'. + ## The default port is '636', unless the scheme is 'ldap' in which case it's '389'. + address: 'ldap://lldap:3890' + + ## The LDAP implementation, this affects elements like the attribute utilised for resetting a password. + ## Acceptable options are as follows: + ## - 'activedirectory' - for Microsoft Active Directory. + ## - 'freeipa' - for FreeIPA. + ## - 'lldap' - for lldap. + ## - 'custom' - for custom specifications of attributes and filters. + ## This currently defaults to 'custom' to maintain existing behaviour. + ## + ## Depending on the option here certain other values in this section have a default value, notably all of the + ## attribute mappings have a default value that this config overrides, you can read more about these default values + ## at https://www.authelia.com/c/ldap#defaults + implementation: 'custom' + + ## The dial timeout for LDAP in the duration common syntax. + timeout: '5 seconds' + + ## Use StartTLS with the LDAP connection. + start_tls: false + + # tls: + ## The server subject name to check the servers certificate against during the validation process. + ## This option is not required if the certificate has a SAN which matches the address options hostname. + # server_name: 'ldap.example.com' + + ## Skip verifying the server certificate entirely. In preference to setting this we strongly recommend you add the + ## certificate or the certificate of the authority signing the certificate to the certificates directory which is + ## defined by the `certificates_directory` option at the top of the configuration. + ## It's important to note the public key should be added to the directory, not the private key. + ## This option is strongly discouraged but may be useful in some self-signed situations where validation is not + ## important to the administrator. + # skip_verify: false + + ## Minimum TLS version for the connection. + # minimum_version: 'TLS1.2' + + ## Maximum TLS version for the connection. + # maximum_version: 'TLS1.3' + + ## The certificate chain used with the private_key if the server requests TLS Client Authentication + ## i.e. Mutual TLS. + # certificate_chain: | + # -----BEGIN CERTIFICATE----- + # ... + # -----END CERTIFICATE----- + # -----BEGIN CERTIFICATE----- + # ... + # -----END CERTIFICATE----- + + ## The private key used with the certificate_chain if the server requests TLS Client Authentication + ## i.e. Mutual TLS. + # private_key: | + # -----BEGIN RSA PRIVATE KEY----- + # ... + # -----END RSA PRIVATE KEY----- + + ## The distinguished name of the container searched for objects in the directory information tree. + ## See also: additional_users_dn, additional_groups_dn. + base_dn: 'dc=bmrs,dc=nl' + + ## The additional_users_dn is prefixed to base_dn and delimited by a comma when searching for users. + ## i.e. with this set to OU=Users and base_dn set to DC=a,DC=com; OU=Users,DC=a,DC=com is searched for users. + additional_users_dn: 'OU=people' + + ## The users filter used in search queries to find the user profile based on input filled in login form. + ## Various placeholders are available in the user filter which you can read about in the documentation which can + ## be found at: https://www.authelia.com/c/ldap#users-filter-replacements + ## + ## Recommended settings are as follows: + ## - Microsoft Active Directory: (&({username_attribute}={input})(objectCategory=person)(objectClass=user)) + ## - OpenLDAP: + ## - (&({username_attribute}={input})(objectClass=person)) + ## - (&({username_attribute}={input})(objectClass=inetOrgPerson)) + ## + ## To allow sign in both with username and email, one can use a filter like + ## (&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person)) + users_filter: '(&({username_attribute}={input})(objectClass=person))' + + ## The additional_groups_dn is prefixed to base_dn and delimited by a comma when searching for groups. + ## i.e. with this set to OU=Groups and base_dn set to DC=a,DC=com; OU=Groups,DC=a,DC=com is searched for groups. + additional_groups_dn: 'OU=groups' + + ## The groups filter used in search queries to find the groups based on relevant authenticated user. + ## Various placeholders are available in the groups filter which you can read about in the documentation which can + ## be found at: https://www.authelia.com/c/ldap#groups-filter-replacements + ## + ## If your groups use the `groupOfUniqueNames` structure use this instead: + ## (&(uniqueMember={dn})(objectClass=groupOfUniqueNames)) + groups_filter: '(member={dn})' + + ## The group search mode to use. Options are 'filter' or 'memberof'. It's essential to read the docs if you wish to + ## use 'memberof'. Also 'filter' is the best choice for most use cases. + # group_search_mode: 'filter' + + ## Follow referrals returned by the server. + ## This is especially useful for environments where read-only servers exist. Only implemented for write operations. + # permit_referrals: false + + ## The username and password of the admin user. + user: 'UID=admin,OU=people,DC=bmrs,DC=nl' + ## Password can also be set using a secret: https://www.authelia.com/c/secrets + # password + + ## The attributes for users and objects from the directory server. + attributes: + + ## The distinguished name attribute if your directory server supports it. Users should read the docs before + ## configuring. Only used for the 'memberof' group search mode. + distinguished_name: 'distinguishedName' + + ## The attribute holding the username of the user. This attribute is used to populate the username in the session + ## information. For your information, Microsoft Active Directory usually uses 'sAMAccountName' and OpenLDAP + ## usually uses 'uid'. Beware that this attribute holds the unique identifiers for the users binding the user and + ## the configuration stored in database; therefore only single value attributes are allowed and the value must + ## never be changed once attributed to a user otherwise it would break the configuration for that user. + ## Technically non-unique attributes like 'mail' can also be used but we don't recommend using them, we instead + ## advise to use a filter to perform alternative lookups and the attributes mentioned above + ## (sAMAccountName and uid) to follow https://datatracker.ietf.org/doc/html/rfc2307. + username: 'uid' + + ## The attribute holding the display name of the user. This will be used to greet an authenticated user. + # display_name: 'displayName' + + ## The attribute holding the mail address of the user. If multiple email addresses are defined for a user, only + ## the first one returned by the directory server is used. + mail: 'mail' + + ## The attribute which provides distinguished names of groups an object is a member of. + ## Only used for the 'memberof' group search mode. + member_of: 'memberOf' + + ## The attribute holding the name of the group. + group_name: 'cn' + + ## + ## File (Authentication Provider) + ## + ## With this backend, the users database is stored in a file which is updated when users reset their passwords. + ## Therefore, this backend is meant to be used in a dev environment and not in production since it prevents Authelia + ## to be scaled to more than one instance. The options under 'password' have sane defaults, and as it has security + ## implications it is highly recommended you leave the default values. Before considering changing these settings + ## please read the docs page below: + ## https://www.authelia.com/r/passwords#tuning + ## + ## Important: Kubernetes (or HA) users must read https://www.authelia.com/t/statelessness + ## + # file: + # path: '/config/users_database.yml' + # watch: false + # search: + # email: false + # case_insensitive: false + # password: + # algorithm: 'argon2' + # argon2: + # variant: 'argon2id' + # iterations: 3 + # memory: 65536 + # parallelism: 4 + # key_length: 32 + # salt_length: 16 + # scrypt: + # iterations: 16 + # block_size: 8 + # parallelism: 1 + # key_length: 32 + # salt_length: 16 + # pbkdf2: + # variant: 'sha512' + # iterations: 310000 + # salt_length: 16 + # sha2crypt: + # variant: 'sha512' + # iterations: 50000 + # salt_length: 16 + # bcrypt: + # variant: 'standard' + # cost: 12 + +## +## Password Policy Configuration. +## +# password_policy: + + ## The standard policy allows you to tune individual settings manually. + # standard: + # enabled: false + + ## Require a minimum length for passwords. + # min_length: 8 + + ## Require a maximum length for passwords. + # max_length: 0 + + ## Require uppercase characters. + # require_uppercase: true + + ## Require lowercase characters. + # require_lowercase: true + + ## Require numeric characters. + # require_number: true + + ## Require special characters. + # require_special: true + + ## zxcvbn is a well known and used password strength algorithm. It does not have tunable settings. + # zxcvbn: + # enabled: false + + ## Configures the minimum score allowed. + # min_score: 3 + +## +## Privacy Policy Configuration +## +## Parameters used for displaying the privacy policy link and drawer. +# privacy_policy: + + ## Enables the display of the privacy policy using the policy_url. + # enabled: false + + ## Enables the display of the privacy policy drawer which requires users accept the privacy policy + ## on a per-browser basis. + # require_user_acceptance: false + + ## The URL of the privacy policy document. Must be an absolute URL and must have the 'https://' scheme. + ## If the privacy policy enabled option is true, this MUST be provided. + # policy_url: '' + +## +## Access Control Configuration +## +## Access control is a list of rules defining the authorizations applied for one resource to users or group of users. +## +## If 'access_control' is not defined, ACL rules are disabled and the 'deny' rule is applied, i.e., access is denied +## to everyone. Otherwise restrictions follow the rules defined. +## +## Note: One can use the wildcard * to match any subdomain. +## It must stand at the beginning of the pattern. (example: *.example.com) +## +## Note: You must put patterns containing wildcards between simple quotes for the YAML to be syntactically correct. +## +## Definition: A 'rule' is an object with the following keys: 'domain', 'subject', 'policy' and 'resources'. +## +## - 'domain' defines which domain or set of domains the rule applies to. +## +## - 'subject' defines the subject to apply authorizations to. This parameter is optional and matching any user if not +## provided. If provided, the parameter represents either a user or a group. It should be of the form +## 'user:' or 'group:'. +## +## - 'policy' is the policy to apply to resources. It must be either 'bypass', 'one_factor', 'two_factor' or 'deny'. +## +## - 'resources' is a list of regular expressions that matches a set of resources to apply the policy to. This parameter +## is optional and matches any resource if not provided. +## +## Note: the order of the rules is important. The first policy matching (domain, resource, subject) applies. +access_control: + ## Default policy can either be 'bypass', 'one_factor', 'two_factor' or 'deny'. It is the policy applied to any + ## resource if there is no policy to be applied to the user. + default_policy: 'deny' + + # networks: + # - name: 'internal' + # networks: + # - '10.10.0.0/16' + # - '192.168.2.0/24' + # - name: 'VPN' + # networks: '10.9.0.0/16' + + rules: + ## Rules applied to everyone + - domain: 'auth.timo.bmrs.nl' + policy: 'bypass' + + - domain: 'adguard.timo.bmrs.nl' + policy: 'two_factor' + subject: 'group:adguard' + + - domain: 'bitwarden.timo.bmrs.nl' + policy: 'two_factor' + + - domain: 'cloud.timo.bmrs.nl' + policy: 'bypass' + + - domain: 'dozzle.timo.bmrs.nl' + policy: 'one_factor' + + - domain: 'homeassistant.timo.bmrs.nl' + policy: 'bypass' + + - domain: 'office.timo.bmrs.nl' + policy: 'bypass' + + - domain: 'paperless.timo.bmrs.nl' + policy: 'bypass' + + - domain: 'git.timo.bmrs.nl' + policy: 'bypass' + + - domain: 'home.timo.bmrs.nl' + policy: 'one_factor' + + - domain: 'immich.timo.bmrs.nl' + policy: 'bypass' + + - domain: 'ldap.timo.bmrs.nl' + policy: 'bypass' + + - domain: 'search.timo.bmrs.nl' + policy: 'bypass' + + - domain: 'uptime.timo.bmrs.nl' + policy: 'bypass' + + + ## Domain Regex examples. Generally we recommend just using a standard domain. + # - domain_regex: '^(?P\w+)\.example\.com$' + # policy: 'one_factor' + # - domain_regex: '^(?P\w+)\.example\.com$' + # policy: 'one_factor' + # - domain_regex: + # - '^appgroup-.*\.example\.com$' + # - '^appgroup2-.*\.example\.com$' + # policy: 'one_factor' + # - domain_regex: '^.*\.example\.com$' + # policy: 'two_factor' + + # - domain: 'secure.example.com' + # policy: 'one_factor' + ## Network based rule, if not provided any network matches. + # networks: + # - 'internal' + # - 'VPN' + # - '192.168.1.0/24' + # - '10.0.0.1' + + # - domain: + # - 'secure.example.com' + # - 'private.example.com' + # policy: 'two_factor' + + # - domain: 'singlefactor.example.com' + # policy: 'one_factor' + + ## Rules applied to 'admins' group + # - domain: 'mx2.mail.example.com' + # subject: 'group:admins' + # policy: 'deny' + + # - domain: '*.example.com' + # subject: + # - 'group:admins' + # - 'group:moderators' + # policy: 'two_factor' + + ## Rules applied to 'dev' group + # - domain: 'dev.example.com' + # resources: + # - '^/groups/dev/.*$' + # subject: 'group:dev' + # policy: 'two_factor' + + ## Rules applied to user 'john' + # - domain: 'dev.example.com' + # resources: + # - '^/users/john/.*$' + # subject: 'user:john' + # policy: 'two_factor' + + ## Rules applied to user 'harry' + # - domain: 'dev.example.com' + # resources: + # - '^/users/harry/.*$' + # subject: 'user:harry' + # policy: 'two_factor' + + ## Rules applied to user 'bob' + # - domain: '*.mail.example.com' + # subject: 'user:bob' + # policy: 'two_factor' + # - domain: 'dev.example.com' + # resources: + # - '^/users/bob/.*$' + # subject: 'user:bob' + # policy: 'two_factor' + +## +## Session Provider Configuration +## +## The session cookies identify the user once logged in. +## The available providers are: `memory`, `redis`. Memory is the provider unless redis is defined. +session: + ## The secret to encrypt the session data. This is only used with Redis / Redis Sentinel. + ## Secret can also be set using a secret: https://www.authelia.com/c/secrets + secret: '{{ env "SESSION_SECRET" }}' + + ## Cookies configures the list of allowed cookie domains for sessions to be created on. + ## Undefined values will default to the values below. + cookies: + - + ## The name of the session cookie. + name: 'authelia_session' + + ## The domain to protect. + ## Note: the Authelia portal must also be in that domain. + domain: 'timo.bmrs.nl' + + ## Required. The fully qualified URI of the portal to redirect users to on proxies that support redirections. + ## Rules: + ## - MUST use the secure scheme 'https://' + ## - The above 'domain' option MUST either: + ## - Match the host portion of this URI. + ## - Match the suffix of the host portion when prefixed with '.'. + authelia_url: 'https://auth.timo.bmrs.nl' + + ## Optional. The fully qualified URI used as the redirection location if the portal is accessed directly. Not + ## configuring this option disables the automatic redirection behaviour. + ## + ## Note: this parameter is optional. If not provided, user won't be redirected upon successful authentication + ## unless they were redirected to Authelia by the proxy. + ## + ## Rules: + ## - MUST use the secure scheme 'https://' + ## - MUST not match the 'authelia_url' option. + ## - The above 'domain' option MUST either: + ## - Match the host portion of this URI. + ## - Match the suffix of the host portion when prefixed with '.'. + default_redirection_url: 'https://www.timo.bmrs.nl' + + ## Sets the Cookie SameSite value. Possible options are none, lax, or strict. + ## Please read https://www.authelia.com/c/session#same_site + # same_site: 'lax' + + ## The value for inactivity, expiration, and remember_me are in seconds or the duration common syntax. + ## All three of these values affect the cookie/session validity period. Longer periods are considered less secure + ## because a stolen cookie will last longer giving attackers more time to spy or attack. + + ## The inactivity time before the session is reset. If expiration is set to 1h, and this is set to 5m, if the user + ## does not select the remember me option their session will get destroyed after 1h, or after 5m since the last + ## time Authelia detected user activity. + # inactivity: '5 minutes' + + ## The time before the session cookie expires and the session is destroyed if remember me IS NOT selected by the + ## user. + # expiration: '1 hour' + + ## The time before the cookie expires and the session is destroyed if remember me IS selected by the user. Setting + ## this value to -1 disables remember me for this session cookie domain. If allowed and the user uses the remember + ## me checkbox this overrides the expiration option and disables the inactivity option. + # remember_me: '1 month' + + ## Cookie Session Domain default 'name' value. + # name: 'authelia_session' + + ## Cookie Session Domain default 'same_site' value. + # same_site: 'lax' + + ## Cookie Session Domain default 'inactivity' value. + # inactivity: '5m' + + ## Cookie Session Domain default 'expiration' value. + # expiration: '1h' + + ## Cookie Session Domain default 'remember_me' value. + # remember_me: '1M' + + ## + ## Redis Provider + ## + ## Important: Kubernetes (or HA) users must read https://www.authelia.com/t/statelessness + ## + # redis: + # host: '127.0.0.1' + # port: 6379 + ## Use a unix socket instead + # host: '/var/run/redis/redis.sock' + + ## Username used for redis authentication. This is optional and a new feature in redis 6.0. + # username: 'authelia' + + ## Password can also be set using a secret: https://www.authelia.com/c/secrets + # password: 'authelia' + + ## This is the Redis DB Index https://redis.io/commands/select (sometimes referred to as database number, DB, etc). + # database_index: 0 + + ## The maximum number of concurrent active connections to Redis. + # maximum_active_connections: 8 + + ## The target number of idle connections to have open ready for work. Useful when opening connections is slow. + # minimum_idle_connections: 0 + + ## The Redis TLS configuration. If defined will require a TLS connection to the Redis instance(s). + # tls: + ## The server subject name to check the servers certificate against during the validation process. + ## This option is not required if the certificate has a SAN which matches the host option. + # server_name: 'myredis.example.com' + + ## Skip verifying the server certificate entirely. In preference to setting this we strongly recommend you add the + ## certificate or the certificate of the authority signing the certificate to the certificates directory which is + ## defined by the `certificates_directory` option at the top of the configuration. + ## It's important to note the public key should be added to the directory, not the private key. + ## This option is strongly discouraged but may be useful in some self-signed situations where validation is not + ## important to the administrator. + # skip_verify: false + + ## Minimum TLS version for the connection. + # minimum_version: 'TLS1.2' + + ## Maximum TLS version for the connection. + # maximum_version: 'TLS1.3' + + ## The certificate chain used with the private_key if the server requests TLS Client Authentication + ## i.e. Mutual TLS. + # certificate_chain: | + # -----BEGIN CERTIFICATE----- + # ... + # -----END CERTIFICATE----- + # -----BEGIN CERTIFICATE----- + # ... + # -----END CERTIFICATE----- + + ## The private key used with the certificate_chain if the server requests TLS Client Authentication + ## i.e. Mutual TLS. + # private_key: | + # -----BEGIN RSA PRIVATE KEY----- + # ... + # -----END RSA PRIVATE KEY----- + + ## The Redis HA configuration options. + ## This provides specific options to Redis Sentinel, sentinel_name must be defined (Master Name). + # high_availability: + ## Sentinel Name / Master Name. + # sentinel_name: 'mysentinel' + + ## Specific username for Redis Sentinel. The node username and password is configured above. + # sentinel_username: 'sentinel_specific_user' + + ## Specific password for Redis Sentinel. The node username and password is configured above. + # sentinel_password: 'sentinel_specific_pass' + + ## The additional nodes to pre-seed the redis provider with (for sentinel). + ## If the host in the above section is defined, it will be combined with this list to connect to sentinel. + ## For high availability to be used you must have either defined; the host above or at least one node below. + # nodes: + # - host: 'sentinel-node1' + # port: 6379 + # - host: 'sentinel-node2' + # port: 6379 + + ## Choose the host with the lowest latency. + # route_by_latency: false + + ## Choose the host randomly. + # route_randomly: false + +## +## Regulation Configuration +## +## This mechanism prevents attackers from brute forcing the first factor. It bans the user if too many attempts are made +## in a short period of time. +# regulation: + ## The number of failed login attempts before user is banned. Set it to 0 to disable regulation. + # max_retries: 3 + + ## The time range during which the user can attempt login before being banned in the duration common syntax. The user + ## is banned if the authentication failed 'max_retries' times in a 'find_time' seconds window. + # find_time: '2 minutes' + + ## The length of time before a banned user can login again in the duration common syntax. + # ban_time: '5 minutes' + +## +## Storage Provider Configuration +## +## The available providers are: `local`, `mysql`, `postgres`. You must use one and only one of these providers. +storage: + ## The encryption key that is used to encrypt sensitive information in the database. Must be a string with a minimum + ## length of 20. Please see the docs if you configure this with an undesirable key and need to change it, you MUST use + ## the CLI to change this in the database if you want to change it from a previously configured value. + encryption_key: '{{ env "STORAGE_ENCRYPTION_KEY" }}' + + ## + ## Local (Storage Provider) + ## + ## This stores the data in a SQLite3 Database. + ## This is only recommended for lightweight non-stateful installations. + ## + ## Important: Kubernetes (or HA) users must read https://www.authelia.com/t/statelessness + ## + local: + ## Path to the SQLite3 Database. + path: '/config/db.sqlite3' + + ## + ## MySQL / MariaDB (Storage Provider) + ## + # mysql: + ## The address of the MySQL server to connect to in the address common syntax. + ## Format: [://][:]. + ## Square brackets indicate optional portions of the format. Scheme must be 'tcp', 'tcp4', 'tcp6', or 'unix`. + ## The default scheme is 'unix' if the address is an absolute path otherwise it's 'tcp'. The default port is '3306'. + # address: 'tcp://127.0.0.1:3306' + + ## The database name to use. + # database: 'authelia' + + ## The username used for SQL authentication. + # username: 'authelia' + + ## The password used for SQL authentication. + ## Can also be set using a secret: https://www.authelia.com/c/secrets + # password: 'mypassword' + + ## The connection timeout in the duration common syntax. + # timeout: '5 seconds' + + ## MySQL TLS settings. Configuring this requires TLS. + # tls: + ## The server subject name to check the servers certificate against during the validation process. + ## This option is not required if the certificate has a SAN which matches the address options hostname. + # server_name: 'mysql.example.com' + + ## Skip verifying the server certificate entirely. In preference to setting this we strongly recommend you add the + ## certificate or the certificate of the authority signing the certificate to the certificates directory which is + ## defined by the `certificates_directory` option at the top of the configuration. + ## It's important to note the public key should be added to the directory, not the private key. + ## This option is strongly discouraged but may be useful in some self-signed situations where validation is not + ## important to the administrator. + # skip_verify: false + + ## Minimum TLS version for the connection. + # minimum_version: 'TLS1.2' + + ## Maximum TLS version for the connection. + # maximum_version: 'TLS1.3' + + ## The certificate chain used with the private_key if the server requests TLS Client Authentication + ## i.e. Mutual TLS. + # certificate_chain: | + # -----BEGIN CERTIFICATE----- + # ... + # -----END CERTIFICATE----- + # -----BEGIN CERTIFICATE----- + # ... + # -----END CERTIFICATE----- + + ## The private key used with the certificate_chain if the server requests TLS Client Authentication + ## i.e. Mutual TLS. + # private_key: | + # -----BEGIN RSA PRIVATE KEY----- + # ... + # -----END RSA PRIVATE KEY----- + + ## + ## PostgreSQL (Storage Provider) + ## + # postgres: + ## The address of the PostgreSQL server to connect to in the address common syntax. + ## Format: [://][:]. + ## Square brackets indicate optional portions of the format. Scheme must be 'tcp', 'tcp4', 'tcp6', or 'unix`. + ## The default scheme is 'unix' if the address is an absolute path otherwise it's 'tcp'. The default port is '5432'. + # address: 'tcp://127.0.0.1:5432' + + ## The database name to use. + # database: 'authelia' + + ## The schema name to use. + # schema: 'public' + + ## The username used for SQL authentication. + # username: 'authelia' + + ## The password used for SQL authentication. + ## Can also be set using a secret: https://www.authelia.com/c/secrets + # password: 'mypassword' + + ## The connection timeout in the duration common syntax. + # timeout: '5 seconds' + + ## PostgreSQL TLS settings. Configuring this requires TLS. + # tls: + ## The server subject name to check the servers certificate against during the validation process. + ## This option is not required if the certificate has a SAN which matches the address options hostname. + # server_name: 'postgres.example.com' + + ## Skip verifying the server certificate entirely. In preference to setting this we strongly recommend you add the + ## certificate or the certificate of the authority signing the certificate to the certificates directory which is + ## defined by the `certificates_directory` option at the top of the configuration. + ## It's important to note the public key should be added to the directory, not the private key. + ## This option is strongly discouraged but may be useful in some self-signed situations where validation is not + ## important to the administrator. + # skip_verify: false + + ## Minimum TLS version for the connection. + # minimum_version: 'TLS1.2' + + ## Maximum TLS version for the connection. + # maximum_version: 'TLS1.3' + + ## The certificate chain used with the private_key if the server requests TLS Client Authentication + ## i.e. Mutual TLS. + # certificate_chain: | + # -----BEGIN CERTIFICATE----- + # ... + # -----END CERTIFICATE----- + # -----BEGIN CERTIFICATE----- + # ... + # -----END CERTIFICATE----- + + ## The private key used with the certificate_chain if the server requests TLS Client Authentication + ## i.e. Mutual TLS. + # private_key: | + # -----BEGIN RSA PRIVATE KEY----- + # ... + # -----END RSA PRIVATE KEY----- + +## +## Notification Provider +## +## Notifications are sent to users when they require a password reset, a WebAuthn registration or a TOTP registration. +## The available providers are: filesystem, smtp. You must use only one of these providers. +notifier: + ## You can disable the notifier startup check by setting this to true. + # disable_startup_check: false + + ## + ## File System (Notification Provider) + ## + ## Important: Kubernetes (or HA) users must read https://www.authelia.com/t/statelessness + ## + filesystem: + filename: '/config/notification.txt' + + ## + ## SMTP (Notification Provider) + ## + ## Use a SMTP server for sending notifications. Authelia uses the PLAIN or LOGIN methods to authenticate. + ## [Security] By default Authelia will: + ## - force all SMTP connections over TLS including unauthenticated connections + ## - use the disable_require_tls boolean value to disable this requirement + ## (only works for unauthenticated connections) + ## - validate the SMTP server x509 certificate during the TLS handshake against the hosts trusted certificates + ## (configure in tls section) + # smtp: + ## The address of the SMTP server to connect to in the address common syntax. + # address: 'smtp://127.0.0.1:25' + + ## The connection timeout in the duration common syntax. + # timeout: '5 seconds' + + ## The username used for SMTP authentication. + # username: 'test' + + ## The password used for SMTP authentication. + ## Can also be set using a secret: https://www.authelia.com/c/secrets + # password: 'password' + + ## The sender is used to is used for the MAIL FROM command and the FROM header. + ## If this is not defined and the username is an email, we use the username as this value. This can either be just + ## an email address or the RFC5322 'Name ' format. + # sender: 'Authelia ' + + ## HELO/EHLO Identifier. Some SMTP Servers may reject the default of localhost. + # identifier: 'localhost' + + ## Subject configuration of the emails sent. {title} is replaced by the text from the notifier. + # subject: '[Authelia] {title}' + + ## This address is used during the startup check to verify the email configuration is correct. + ## It's not important what it is except if your email server only allows local delivery. + # startup_check_address: 'test@authelia.com' + + ## By default we require some form of TLS. This disables this check though is not advised. + # disable_require_tls: false + + ## Disables sending HTML formatted emails. + # disable_html_emails: false + + # tls: + ## The server subject name to check the servers certificate against during the validation process. + ## This option is not required if the certificate has a SAN which matches the address options hostname. + # server_name: 'smtp.example.com' + + ## Skip verifying the server certificate entirely. In preference to setting this we strongly recommend you add the + ## certificate or the certificate of the authority signing the certificate to the certificates directory which is + ## defined by the `certificates_directory` option at the top of the configuration. + ## It's important to note the public key should be added to the directory, not the private key. + ## This option is strongly discouraged but may be useful in some self-signed situations where validation is not + ## important to the administrator. + # skip_verify: false + + ## Minimum TLS version for the connection. + # minimum_version: 'TLS1.2' + + ## Maximum TLS version for the connection. + # maximum_version: 'TLS1.3' + + ## The certificate chain used with the private_key if the server requests TLS Client Authentication + ## i.e. Mutual TLS. + # certificate_chain: | + # -----BEGIN CERTIFICATE----- + # ... + # -----END CERTIFICATE----- + # -----BEGIN CERTIFICATE----- + # ... + # -----END CERTIFICATE----- + + ## The private key used with the certificate_chain if the server requests TLS Client Authentication + ## i.e. Mutual TLS. + # private_key: | + # -----BEGIN RSA PRIVATE KEY----- + # ... + # -----END RSA PRIVATE KEY----- + +## +## Identity Providers +## +identity_providers: + + ## + ## OpenID Connect (Identity Provider) + ## + ## It's recommended you read the documentation before configuration of this section: + ## https://www.authelia.com/c/oidc + oidc: + ## The hmac_secret is used to sign OAuth2 tokens (authorization code, access tokens and refresh tokens). + ## HMAC Secret can also be set using a secret: https://www.authelia.com/c/secrets + hmac_secret: $HMAC_SECRET + + ## The JWK's issuer option configures multiple JSON Web Keys. It's required that at least one of the JWK's + ## configured has the RS256 algorithm. For RSA keys (RS or PS) the minimum is a 2048 bit key. + jwks: + - + ## Key ID embedded into the JWT header for key matching. Must be an alphanumeric string with 7 or less characters. + ## This value is automatically generated if not provided. It's recommended to not configure this. + # key_id: 'exmple' + + ## The key algorithm used with this key. + algorithm: 'RS256' + + ## The key use expected with this key. Currently only 'sig' is supported. + use: 'sig' + + ## Required Private Key in PEM DER form. + key: | + {{- fileContent "/keys/private.pem" | nindent 10 }} + ## Optional matching certificate chain in PEM DER form that matches the key. All certificates within the chain + ## must be valid and current, and from top to bottom each certificate must be signed by the subsequent one. + # certificate_chain: | + # -----BEGIN CERTIFICATE----- + # ... + # -----END CERTIFICATE----- + # -----BEGIN CERTIFICATE----- + # ... + # -----END CERTIFICATE----- + + ## Enables additional debug messages. + enable_client_debug_messages: false + + ## SECURITY NOTICE: It's not recommended changing this option and values below 8 are strongly discouraged. + minimum_parameter_entropy: 8 + + ## SECURITY NOTICE: It's not recommended changing this option, and highly discouraged to have it set to 'never' + ## for security reasons. + enforce_pkce: 'public_clients_only' + + ## SECURITY NOTICE: It's not recommended changing this option. We encourage you to read the documentation and fully + ## understanding it before enabling this option. + enable_jwt_access_token_stateless_introspection: false + + ## The signing algorithm used for signing the discovery and metadata responses. An issuer JWK with a matching + ## algorithm must be available when configured. Most clients completely ignore this and it has a performance cost. + # discovery_signed_response_alg: 'none' + + ## The signing key id used for signing the discovery and metadata responses. An issuer JWK with a matching key id + ## must be available when configured. Most clients completely ignore this and it has a performance cost. + # discovery_signed_response_key_id: '' + + ## Authorization Policies which can be utilized by clients. The 'policy_name' is an arbitrary value that you pick + ## which is utilized as the value for the 'authorization_policy' on the client. + authorization_policies: + forgejo: + default_policy: 'deny' + rules: + - policy: 'two_factor' + subject: 'group:forgejo' + + paperless: + default_policy: 'deny' + rules: + - policy: 'two_factor' + subject: 'group:paperless' + + ## The lifespans configure the expiration for these token types in the duration common syntax. In addition to this + ## syntax the lifespans can be customized per-client. + lifespans: + ## Configures the default/fallback lifespan for given token types. This behaviour applies to all clients and all + ## grant types but you can override this behaviour using the custom lifespans. + access_token: '1 hour' + authorize_code: '1 minute' + id_token: '1 hour' + refresh_token: '90 minutes' + + ## Cross-Origin Resource Sharing (CORS) settings. + cors: + ## List of endpoints in addition to the metadata endpoints to permit cross-origin requests on. + endpoints: + - 'authorization' + - 'pushed-authorization-request' + - 'token' + - 'revocation' + - 'introspection' + - 'userinfo' + + ## List of allowed origins. + ## Any origin with https is permitted unless this option is configured or the + ## allowed_origins_from_client_redirect_uris option is enabled. + allowed_origins: + - 'https://timo.bmrs.nl' + + ## Automatically adds the origin portion of all redirect URI's on all clients to the list of allowed_origins, + ## provided they have the scheme http or https and do not have the hostname of localhost. + allowed_origins_from_client_redirect_uris: false + + ## Clients is a list of known clients and their configuration. + clients: + - client_id: '{{ env "CLIENT_ID_FORGEJO" }}' + client_name: 'Forgejo' + client_secret: '{{ env "CLIENT_SECRET_FORGEJO" }}' + public: false + redirect_uris: + - 'https://git.timo.bmrs.nl/user/oauth2/Authelia/callback' + scopes: + - 'openid' + - 'email' + - 'profile' + authorization_policy: 'forgejo' + token_endpoint_auth_method: 'client_secret_basic' + userinfo_signed_response_alg: 'none' + + - client_id: '{{ env "CLIENT_ID_PAPERLESS" }}' + client_name: 'Forgejo' + client_secret: '{{ env "CLIENT_SECRET_PAPERLESS" }}' + public: false + redirect_uris: + - 'https://paperless.timo.bmrs.nl/accounts/oidc/authelia/login/callback/' + scopes: + - 'openid' + - 'email' + - 'profile' + - 'groups' + authorization_policy: 'paperless' + token_endpoint_auth_method: 'client_secret_basic' + userinfo_signed_response_alg: 'none' + +... diff --git a/authelia/docker-compose.yml b/authelia/docker-compose.yml new file mode 100644 index 0000000..df70540 --- /dev/null +++ b/authelia/docker-compose.yml @@ -0,0 +1,44 @@ +services: + authelia: + image: authelia/authelia:latest + container_name: authelia + restart: unless-stopped + depends_on: + - lldap + volumes: + - ./config/configuration.yml:/config/configuration.yml + - ./config/keys:/keys + - data_authelia:/config + environment: + X_AUTHELIA_CONFIG_FILTERS: template + JWT_SECRET: ${AUTHELIA_JWT_SECRET} + SESSION_SECRET: ${AUTHELIA_SESSION_SECRET} + STORAGE_ENCRYPTION_KEY: ${AUTHELIA_STORAGE_ENCRYPTION_KEY} + AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD: ${LLDAP_ADMIN_PASSWORD} + HMAC_SECRET: ${AUTHELIA_HMAC_SECRET} + CLIENT_SECRET_FORGEJO: ${AUTHELIA_CLIENT_SECRET_FORGEJO} + CLIENT_ID_FORGEJO: ${AUTHELIA_CLIENT_ID_FORGEJO} + CLIENT_SECRET_PAPERLESS: ${AUTHELIA_CLIENT_SECRET_PAPERLESS} + CLIENT_ID_PAPERLESS: ${AUTHELIA_CLIENT_ID_PAPERLESS} + + lldap: + image: lldap/lldap:latest + container_name: lldap + restart: unless-stopped + volumes: + - data_lldap:/data + environment: + LLDAP_JWT_SECRET: ${LLDAP_JWT_SECRET} + LLDAP_KEY_SEED: ${LLDAP_KEY_SEED} + LLDAP_LDAP_BASE_DN: dc=bmrs,dc=nl + LLDAP_LDAP_USER_PASS: ${LLDAP_ADMIN_PASSWORD} + +volumes: + data_lldap: + data_authelia: + +networks: + default: + name: proxy + external: true + diff --git a/caddy/Dockerfile b/caddy/Dockerfile new file mode 100644 index 0000000..64a4dc3 --- /dev/null +++ b/caddy/Dockerfile @@ -0,0 +1,8 @@ +FROM caddy:2.8-builder AS builder + +RUN xcaddy build \ + --with github.com/caddy-dns/cloudflare + +FROM caddy:2.8 + +COPY --from=builder /usr/bin/caddy /usr/bin/caddy diff --git a/caddy/README.md b/caddy/README.md new file mode 100644 index 0000000..b69ae0f --- /dev/null +++ b/caddy/README.md @@ -0,0 +1,4 @@ +# Caddy reverse proxy + +1. Obtain cloudflare tokens: [Caddy Cloudflare](https://github.com/caddy-dns/cloudflare) +2. Set environment variables diff --git a/caddy/caddyfiles/Caddyfile b/caddy/caddyfiles/Caddyfile new file mode 100644 index 0000000..d343b35 --- /dev/null +++ b/caddy/caddyfiles/Caddyfile @@ -0,0 +1,21 @@ +localhost { + respond "Hello world!" +} + + +*.timo.bmrs.nl timo.bmrs.nl { + tls { + dns cloudflare { + zone_token {env.CF_ZONE_TOKEN} + api_token {env.CF_API_TOKEN} + } + resolvers 1.1.1.1 + } + + forward_auth authelia:9091 { + uri /api/authz/forward-auth + copy_headers Remote-User Remote-Groups Remote-Email Remote-Name + } + + import routes/* +} diff --git a/caddy/caddyfiles/routes/adguard b/caddy/caddyfiles/routes/adguard new file mode 100644 index 0000000..b52ed3a --- /dev/null +++ b/caddy/caddyfiles/routes/adguard @@ -0,0 +1,4 @@ +@adguard host adguard.timo.bmrs.nl +handle @adguard { + reverse_proxy adguardhome:3000 +} diff --git a/caddy/caddyfiles/routes/authelia b/caddy/caddyfiles/routes/authelia new file mode 100644 index 0000000..3110a0d --- /dev/null +++ b/caddy/caddyfiles/routes/authelia @@ -0,0 +1,9 @@ +@ldap host ldap.timo.bmrs.nl +handle @ldap { + reverse_proxy lldap:17170 +} + +@authelia host auth.timo.bmrs.nl +handle @authelia { + reverse_proxy authelia:9091 +} diff --git a/caddy/caddyfiles/routes/dozzle b/caddy/caddyfiles/routes/dozzle new file mode 100644 index 0000000..62e8cf4 --- /dev/null +++ b/caddy/caddyfiles/routes/dozzle @@ -0,0 +1,9 @@ +@dozzle host dozzle.timo.bmrs.nl +handle @dozzle { + forward_auth authelia:9091 { + uri /api/authz/forward-auth + copy_headers Remote-User Remote-Groups Remote-Name Remote-Email + } + + reverse_proxy dozzle:8080 +} diff --git a/caddy/caddyfiles/routes/forgejo b/caddy/caddyfiles/routes/forgejo new file mode 100644 index 0000000..b22bb15 --- /dev/null +++ b/caddy/caddyfiles/routes/forgejo @@ -0,0 +1,4 @@ +@forgejo host git.timo.bmrs.nl +handle @forgejo { + reverse_proxy forgejo:3000 +} diff --git a/caddy/caddyfiles/routes/homeassistant b/caddy/caddyfiles/routes/homeassistant new file mode 100644 index 0000000..85ed28b --- /dev/null +++ b/caddy/caddyfiles/routes/homeassistant @@ -0,0 +1,4 @@ +@homeassistant host homeassistant.timo.bmrs.nl +handle @homeassistant { + reverse_proxy homeassistant:8123 +} diff --git a/caddy/caddyfiles/routes/homepage b/caddy/caddyfiles/routes/homepage new file mode 100644 index 0000000..1a08251 --- /dev/null +++ b/caddy/caddyfiles/routes/homepage @@ -0,0 +1,4 @@ +@homepage host home.timo.bmrs.nl +handle @homepage { + reverse_proxy homepage:3000 +} diff --git a/caddy/caddyfiles/routes/immich b/caddy/caddyfiles/routes/immich new file mode 100644 index 0000000..1917d19 --- /dev/null +++ b/caddy/caddyfiles/routes/immich @@ -0,0 +1,4 @@ +@immich host immich.timo.bmrs.nl +handle @immich { + reverse_proxy immich:2283 +} diff --git a/caddy/caddyfiles/routes/nextcloud b/caddy/caddyfiles/routes/nextcloud new file mode 100644 index 0000000..54e6317 --- /dev/null +++ b/caddy/caddyfiles/routes/nextcloud @@ -0,0 +1,12 @@ +@nextcloud host cloud.timo.bmrs.nl +handle @nextcloud { + redir /.well-known/carddav /remote.php/dav/ 301 + redir /.well-known/caldav /remote.php/dav/ 301 + + reverse_proxy nextcloud:80 +} + +@office host office.timo.bmrs.nl +handle @office { + reverse_proxy nextcloud-office:9980 +} diff --git a/caddy/caddyfiles/routes/paperless-ngx b/caddy/caddyfiles/routes/paperless-ngx new file mode 100644 index 0000000..578af1e --- /dev/null +++ b/caddy/caddyfiles/routes/paperless-ngx @@ -0,0 +1,4 @@ +@paperless-ngx host paperless.timo.bmrs.nl +handle @paperless-ngx { + reverse_proxy paperless-ngx:8000 +} diff --git a/caddy/caddyfiles/routes/searxng b/caddy/caddyfiles/routes/searxng new file mode 100644 index 0000000..fa6c22b --- /dev/null +++ b/caddy/caddyfiles/routes/searxng @@ -0,0 +1,4 @@ +@searxng host search.timo.bmrs.nl +handle @searxng { + reverse_proxy searxng:8080 +} diff --git a/caddy/caddyfiles/routes/uptime-kuma b/caddy/caddyfiles/routes/uptime-kuma new file mode 100644 index 0000000..9b7b7da --- /dev/null +++ b/caddy/caddyfiles/routes/uptime-kuma @@ -0,0 +1,4 @@ +@uptime-kuma host uptime.timo.bmrs.nl +handle @uptime-kuma { + reverse_proxy uptime-kuma:3001 +} diff --git a/caddy/caddyfiles/routes/vaultwarden b/caddy/caddyfiles/routes/vaultwarden new file mode 100644 index 0000000..5b7983e --- /dev/null +++ b/caddy/caddyfiles/routes/vaultwarden @@ -0,0 +1,4 @@ +@vaultwarden host bitwarden.timo.bmrs.nl +handle @vaultwarden { + reverse_proxy vaultwarden:80 +} diff --git a/caddy/docker-compose.yml b/caddy/docker-compose.yml new file mode 100644 index 0000000..43a8ca9 --- /dev/null +++ b/caddy/docker-compose.yml @@ -0,0 +1,33 @@ +services: + caddy: + build: . + container_name: caddy + restart: unless-stopped + cap_add: + - NET_ADMIN + ports: + - 80:80 + - 443:443 + - 443:443/udp + volumes: + - data:/data + - config:/config + - ./caddyfiles:/etc/caddy/ + environment: + CF_ZONE_TOKEN: ${CF_ZONE_TOKEN} + CF_API_TOKEN: ${CF_API_TOKEN} + networks: + proxy: + aliases: + - auth.timo.bmrs.nl + - cloud.timo.bmrs.nl + - office.timo.bmrs.nl + +volumes: + data: + config: + +networks: + proxy: + name: proxy + external: true diff --git a/dozzle/docker-compose.yml b/dozzle/docker-compose.yml new file mode 100644 index 0000000..5a201b8 --- /dev/null +++ b/dozzle/docker-compose.yml @@ -0,0 +1,15 @@ +services: + dozzle: + image: amir20/dozzle:latest + container_name: dozzle + restart: unless-stopped + volumes: + - /run/user/1000/docker.sock:/var/run/docker.sock:ro + environment: + DOZZLE_ENABLE_ACTIONS: true + DOZZLE_AUTH_PROVIDER: forward-proxy + +networks: + default: + external: true + name: proxy diff --git a/forgejo/config/app.ini b/forgejo/config/app.ini new file mode 100644 index 0000000..1622aa2 --- /dev/null +++ b/forgejo/config/app.ini @@ -0,0 +1,2755 @@ +; This file lists the default values used by Forgejo +;; Copy required sections to your own app.ini (default is custom/conf/app.ini) +;; and modify as needed. +;; Do not copy the whole file as-is, as it contains some invalid sections for illustrative purposes. +;; If you don't know what a setting is you should not set it. +;; +;; see https://forgejo.org/docs/next/admin/config-cheat-sheet for additional documentation. + + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; Default Configuration (non-`app.ini` configuration) +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; +;; These values are environment-dependent but form the basis of a lot of values. They will be +;; reported as part of the default configuration when running `gitea help` or on start-up. The order they are emitted there is slightly different but we will list them here in the order they are set-up. +;; +;; - _`AppPath`_: This is the absolute path of the running gitea binary. +;; - _`AppWorkPath`_: This refers to "working path" of the `gitea` binary. It is determined by using the first set thing in the following hierarchy: +;; - The "WORK_PATH" option in "app.ini" file +;; - The `--work-path` flag passed to the binary +;; - The environment variable `$GITEA_WORK_DIR` +;; - A built-in value set at build time (see building from source) +;; - Otherwise it defaults to the directory of the _`AppPath`_ +;; - If any of the above are relative paths then they are made absolute against the directory of the _`AppPath`_ +;; - _`CustomPath`_: This is the base directory for custom templates and other options. It is determined by using the first set thing in the following hierarchy: +;; - The `--custom-path` flag passed to the binary +;; - The environment variable `$GITEA_CUSTOM` +;; - A built-in value set at build time (see building from source) +;; - Otherwise it defaults to _`AppWorkPath`_`/custom` +;; - If any of the above are relative paths then they are made absolute against the directory of the _`AppWorkPath`_ +;; - _`CustomConf`_: This is the path to the `app.ini` file. +;; - The `--config` flag passed to the binary +;; - A built-in value set at build time (see building from source) +;; - Otherwise it defaults to _`CustomPath`_`/conf/app.ini` +;; - If any of the above are relative paths then they are made absolute against the directory of the _`CustomPath`_ +;; +;; In addition there is _`StaticRootPath`_ which can be set as a built-in at build time, but will otherwise default to _`AppWorkPath`_ + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; General Settings +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; +;; App name that shows in every page title +APP_NAME = ; Forgejo: Beyond coding. We Forge. +;; +;; APP_SLOGAN shows a slogan near the App name in every page title. +;APP_SLOGAN = +;; +;; APP_DISPLAY_NAME_FORMAT defines how the AppDisplayName should be presented +;; It is used only if APP_SLOGAN is set. +;APP_DISPLAY_NAME_FORMAT = {APP_NAME}: {APP_SLOGAN} +;; +;; RUN_USER will automatically detect the current user - but you can set it here change it if you run locally +RUN_USER = ; git +;; +;; Application run mode, affects performance and debugging: "dev" or "prod", default is "prod" +;; Mode "dev" makes Gitea easier to develop and debug, values other than "dev" are treated as "prod" which is for production use. +;RUN_MODE = prod +;; +;; The working directory, see the comment of AppWorkPath above +;WORK_PATH = + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +[server] +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; +;; The protocol the server listens on. One of 'http', 'https', 'http+unix', 'fcgi' or 'fcgi+unix'. Defaults to 'http' +;; Note: Value must be lowercase. +;PROTOCOL = http +;; +;; Expect PROXY protocol headers on connections +;USE_PROXY_PROTOCOL = false +;; +;; Use PROXY protocol in TLS Bridging mode +;PROXY_PROTOCOL_TLS_BRIDGING = false +;; +; Timeout to wait for PROXY protocol header (set to 0 to have no timeout) +;PROXY_PROTOCOL_HEADER_TIMEOUT=5s +;; +; Accept PROXY protocol headers with UNKNOWN type +;PROXY_PROTOCOL_ACCEPT_UNKNOWN=false +;; +;; Set the domain for the server +;DOMAIN = localhost +;; +;; Overwrite the automatically generated public URL. Necessary for proxies and docker. +;ROOT_URL = %(PROTOCOL)s://%(DOMAIN)s:%(HTTP_PORT)s/ +;; +;; when STATIC_URL_PREFIX is empty it will follow ROOT_URL +;STATIC_URL_PREFIX = +;; +;; The address to listen on. Either a IPv4/IPv6 address or the path to a unix socket. +;; If PROTOCOL is set to `http+unix` or `fcgi+unix`, this should be the name of the Unix socket file to use. +;; Relative paths will be made absolute against the _`AppWorkPath`_. +;HTTP_ADDR = 0.0.0.0 +;; +;; The port to listen on. Leave empty when using a unix socket. +;HTTP_PORT = 3000 +;; +;; If REDIRECT_OTHER_PORT is true, and PROTOCOL is set to https an http server +;; will be started on PORT_TO_REDIRECT and it will redirect plain, non-secure http requests to the main +;; ROOT_URL. Defaults are false for REDIRECT_OTHER_PORT and 80 for +;; PORT_TO_REDIRECT. +;REDIRECT_OTHER_PORT = false +;PORT_TO_REDIRECT = 80 +;; +;; expect PROXY protocol header on connections to https redirector. +;REDIRECTOR_USE_PROXY_PROTOCOL = %(USE_PROXY_PROTOCOL)s +;; Minimum and maximum supported TLS versions +;SSL_MIN_VERSION=TLSv1.2 +;SSL_MAX_VERSION= +;; +;; SSL Curve Preferences +;SSL_CURVE_PREFERENCES=X25519,P256 +;; +;; SSL Cipher Suites +;SSL_CIPHER_SUITES=; Will default to "ecdhe_ecdsa_with_aes_256_gcm_sha384,ecdhe_rsa_with_aes_256_gcm_sha384,ecdhe_ecdsa_with_aes_128_gcm_sha256,ecdhe_rsa_with_aes_128_gcm_sha256,ecdhe_ecdsa_with_chacha20_poly1305,ecdhe_rsa_with_chacha20_poly1305" if aes is supported by hardware, otherwise chacha will be first. +;; +;; Timeout for any write to the connection. (Set to -1 to disable all timeouts.) +;PER_WRITE_TIMEOUT = 30s +;; +;; Timeout per Kb written to connections. +;PER_WRITE_PER_KB_TIMEOUT = 30s +;; +;; Permission for unix socket +;UNIX_SOCKET_PERMISSION = 666 +;; +;; Local (DMZ) URL for Gitea workers (such as SSH update) accessing web service. In +;; most cases you do not need to change the default value. Alter it only if +;; your SSH server node is not the same as HTTP node. For different protocol, the default +;; values are different. If `PROTOCOL` is `http+unix`, the default value is `http://unix/`. +;; If `PROTOCOL` is `fcgi` or `fcgi+unix`, the default value is `%(PROTOCOL)s://%(HTTP_ADDR)s:%(HTTP_PORT)s/`. +;; If listen on `0.0.0.0`, the default value is `%(PROTOCOL)s://localhost:%(HTTP_PORT)s/`, Otherwise the default +;; value is `%(PROTOCOL)s://%(HTTP_ADDR)s:%(HTTP_PORT)s/`. +;LOCAL_ROOT_URL = %(PROTOCOL)s://%(HTTP_ADDR)s:%(HTTP_PORT)s/ +;; +;; When making local connections pass the PROXY protocol header. +;LOCAL_USE_PROXY_PROTOCOL = %(USE_PROXY_PROTOCOL)s +;; +;; Disable SSH feature when not available +;DISABLE_SSH = false +;; +;; Whether to use the builtin SSH server or not. +;START_SSH_SERVER = false +;; +;; Expect PROXY protocol header on connections to the built-in SSH server +;SSH_SERVER_USE_PROXY_PROTOCOL = false +;; +;; Username to use for the builtin SSH server. If blank, then it is the value of RUN_USER. +;BUILTIN_SSH_SERVER_USER = %(RUN_USER)s +;; +;; Domain name to be exposed in clone URL +;SSH_DOMAIN = %(DOMAIN)s +;; +;; SSH username displayed in clone URLs. +;SSH_USER = %(BUILTIN_SSH_SERVER_USER)s +;; +;; The network interface the builtin SSH server should listen on +;SSH_LISTEN_HOST = +;; +;; Port number to be exposed in clone URL +;SSH_PORT = 22 +;; +;; The port number the builtin SSH server should listen on +;SSH_LISTEN_PORT = %(SSH_PORT)s +;; +;; Root path of SSH directory, default is '~/.ssh', but you have to use '/home/git/.ssh'. +;SSH_ROOT_PATH = +;; +;; Gitea will create a authorized_keys file by default when it is not using the internal ssh server +;; If you intend to use the AuthorizedKeysCommand functionality then you should turn this off. +;SSH_CREATE_AUTHORIZED_KEYS_FILE = true +;; +;; Gitea will create a authorized_principals file by default when it is not using the internal ssh server +;; If you intend to use the AuthorizedPrincipalsCommand functionality then you should turn this off. +;SSH_CREATE_AUTHORIZED_PRINCIPALS_FILE = true +;; +;; For the built-in SSH server, choose the ciphers to support for SSH connections, +;; for system SSH this setting has no effect +;SSH_SERVER_CIPHERS = chacha20-poly1305@openssh.com, aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, aes256-gcm@openssh.com +;; +;; For the built-in SSH server, choose the key exchange algorithms to support for SSH connections, +;; for system SSH this setting has no effect +;SSH_SERVER_KEY_EXCHANGES = curve25519-sha256, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group14-sha256, diffie-hellman-group14-sha1 +;; +;; For the built-in SSH server, choose the MACs to support for SSH connections, +;; for system SSH this setting has no effect +;SSH_SERVER_MACS = hmac-sha2-256-etm@openssh.com, hmac-sha2-256, hmac-sha1 +;; +;; For the built-in SSH server, choose the keypair to offer as the host key +;; The private key should be at SSH_SERVER_HOST_KEY and the public SSH_SERVER_HOST_KEY.pub +;; relative paths are made absolute relative to the %(APP_DATA_PATH)s +;SSH_SERVER_HOST_KEYS=ssh/gitea.rsa, ssh/gogs.rsa +;; +;; Directory to create temporary files in when testing public keys using ssh-keygen, +;; default is the system temporary directory. +;SSH_KEY_TEST_PATH = +;; +;; Use `ssh-keygen` to parse public SSH keys. The value is passed to the shell. By default, Gitea does the parsing itself. +;SSH_KEYGEN_PATH = +;; +;; Enable SSH Authorized Key Backup when rewriting all keys, default is false +;SSH_AUTHORIZED_KEYS_BACKUP = false +;; +;; Determines which principals to allow +;; - empty: if SSH_TRUSTED_USER_CA_KEYS is empty this will default to off, otherwise will default to email, username. +;; - off: Do not allow authorized principals +;; - email: the principal must match the user's email +;; - username: the principal must match the user's username +;; - anything: there will be no checking on the content of the principal +;SSH_AUTHORIZED_PRINCIPALS_ALLOW = email, username +;; +;; Enable SSH Authorized Principals Backup when rewriting all keys, default is true +;SSH_AUTHORIZED_PRINCIPALS_BACKUP = true +;; +;; Specifies the public keys of certificate authorities that are trusted to sign user certificates for authentication. +;; Multiple keys should be comma separated. +;; E.g."ssh- ". or "ssh- , ssh- ". +;; For more information see "TrustedUserCAKeys" in the sshd config manpages. +;SSH_TRUSTED_USER_CA_KEYS = +;; Absolute path of the `TrustedUserCaKeys` file gitea will manage. +;; Default this `RUN_USER`/.ssh/gitea-trusted-user-ca-keys.pem +;; If you're running your own ssh server and you want to use the gitea managed file you'll also need to modify your +;; sshd_config to point to this file. The official docker image will automatically work without further configuration. +;SSH_TRUSTED_USER_CA_KEYS_FILENAME = +;; +;; Enable exposure of SSH clone URL to anonymous visitors, default is false +;SSH_EXPOSE_ANONYMOUS = false +;; +;; Command template for authorized keys entries +;SSH_AUTHORIZED_KEYS_COMMAND_TEMPLATE = {{.AppPath}} --config={{.CustomConf}} serv key-{{.Key.ID}} +;; +;; Timeout for any write to ssh connections. (Set to -1 to disable all timeouts.) +;; Will default to the PER_WRITE_TIMEOUT. +;SSH_PER_WRITE_TIMEOUT = 30s +;; +;; Timeout per Kb written to ssh connections. +;; Will default to the PER_WRITE_PER_KB_TIMEOUT. +;SSH_PER_WRITE_PER_KB_TIMEOUT = 30s +;; +;; Indicate whether to check minimum key size with corresponding type +;MINIMUM_KEY_SIZE_CHECK = false +;; +;; Disable CDN even in "prod" mode +;OFFLINE_MODE = true +;; +;; TLS Settings: Either ACME or manual +;; (Other common TLS configuration are found before) +;ENABLE_ACME = false +;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; +;; ACME automatic TLS settings +;; +;; ACME directory URL (e.g. LetsEncrypt's staging/testing URL: https://acme-staging-v02.api.letsencrypt.org/directory) +;; Leave empty to default to LetsEncrypt's (production) URL +;ACME_URL = +;; +;; Explicitly accept the ACME's TOS. The specific TOS cannot be retrieved at the moment. +;ACME_ACCEPTTOS = false +;; +;; If the ACME CA is not in your system's CA trust chain, it can be manually added here +;ACME_CA_ROOT = +;; +;; Email used for the ACME registration service +;; Can be left blank to initialize at first run and use the cached value +;ACME_EMAIL = +;; +;; ACME live directory (not to be confused with ACME directory URL: ACME_URL) +;; (Refer to caddy's ACME manager https://github.com/caddyserver/certmagic) +;ACME_DIRECTORY = https +;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; +;; Manual TLS settings: (Only applicable if ENABLE_ACME=false) +;; +;; Generate steps: +;; $ ./gitea cert -ca=true -duration=8760h0m0s -host=myhost.example.com +;; +;; Or from a .pfx file exported from the Windows certificate store (do +;; not forget to export the private key): +;; $ openssl pkcs12 -in cert.pfx -out cert.pem -nokeys +;; $ openssl pkcs12 -in cert.pfx -out key.pem -nocerts -nodes +;; Paths are relative to CUSTOM_PATH +;CERT_FILE = https/cert.pem +;KEY_FILE = https/key.pem +;; +;; Root directory containing templates and static files. +;; default is the path where Gitea is executed +;STATIC_ROOT_PATH = ; Will default to the built-in value _`StaticRootPath`_ +;; +;; Default path for App data +;APP_DATA_PATH = data ; relative paths will be made absolute with _`AppWorkPath`_ +;; +;; Enable gzip compression for runtime-generated content, static resources excluded +;ENABLE_GZIP = false +;; +;; Application profiling (memory and cpu) +;; For "web" command it listens on localhost:6060 +;; For "serve" command it dumps to disk at PPROF_DATA_PATH as (cpuprofile|memprofile)__ +;ENABLE_PPROF = false +;; +;; PPROF_DATA_PATH, use an absolute path when you start gitea as service +;PPROF_DATA_PATH = data/tmp/pprof ; Path is relative to _`AppWorkPath`_ +;; +;; Landing page, can be "home", "explore", "organizations", "login", or any URL such as "/org/repo" or even "https://anotherwebsite.com" +;; The "login" choice is not a security measure but just a UI flow change, use REQUIRE_SIGNIN_VIEW to force users to log in. +;LANDING_PAGE = home +;; +;; Enables git-lfs support. true or false, default is false. +;LFS_START_SERVER = false +;; +;; +;; LFS authentication secret, change this yourself +;LFS_JWT_SECRET = +;; +;; Alternative location to specify LFS authentication secret. You cannot specify both this and LFS_JWT_SECRET, and must pick one +;LFS_JWT_SECRET_URI = file:/etc/gitea/lfs_jwt_secret +;; +;; LFS authentication validity period (in time.Duration), pushes taking longer than this may fail. +;LFS_HTTP_AUTH_EXPIRY = 24h +;; +;; Maximum allowed LFS file size in bytes (Set to 0 for no limit). +;LFS_MAX_FILE_SIZE = 0 +;; +;; Maximum number of locks returned per page +;LFS_LOCKS_PAGING_NUM = 50 +;; +;; Allow graceful restarts using SIGHUP to fork +;ALLOW_GRACEFUL_RESTARTS = true +;; +;; After a restart the parent will finish ongoing requests before +;; shutting down. Force shutdown if this process takes longer than this delay. +;; set to a negative value to disable +;GRACEFUL_HAMMER_TIME = 60s +;; +;; Allows the setting of a startup timeout and waithint for Windows as SVC service +;; 0 disables this. +;STARTUP_TIMEOUT = 0 +;; +;; Static resources, includes resources on custom/, public/ and all uploaded avatars web browser cache time. Note that this cache is disabled when RUN_MODE is "dev". Default is 6h +;STATIC_CACHE_TIME = 6h + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +[database] +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; +;; Database to use. Either "mysql", "postgres", "mssql" or "sqlite3". +;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; +;; MySQL Configuration +;; +;DB_TYPE = mysql +;HOST = 127.0.0.1:3306 ; can use socket e.g. /var/run/mysqld/mysqld.sock +;NAME = gitea +;USER = root +;PASSWD = ;Use PASSWD = `your password` for quoting if you use special characters in the password. +;SSL_MODE = false ; either "false" (default), "true", or "skip-verify" +;CHARSET_COLLATION = ; Empty as default, Gitea will try to find a case-sensitive collation. Don't change it unless you clearly know what you need. +;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; +;; Postgres Configuration +;; +;DB_TYPE = postgres +;HOST = 127.0.0.1:5432 ; can use socket e.g. /var/run/postgresql/ +;NAME = gitea +;USER = root +;PASSWD = +;SCHEMA = +;SSL_MODE=disable ;either "disable" (default), "require", or "verify-full" +;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; +;; SQLite Configuration +;; +;DB_TYPE = sqlite3 +;PATH= ; defaults to data/forgejo.db +;SQLITE_TIMEOUT = ; Query timeout defaults to: 500 +;SQLITE_JOURNAL_MODE = ; defaults to sqlite database default (often DELETE), can be used to enable WAL mode. https://www.sqlite.org/pragma.html#pragma_journal_mode +;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; +;; MSSQL Configuration +;; +;DB_TYPE = mssql +;HOST = 172.17.0.2:1433 +;NAME = gitea +;USER = SA +;PASSWD = MwantsaSecurePassword1 +;CHARSET_COLLATION = ; Empty as default, Gitea will try to find a case-sensitive collation. Don't change it unless you clearly know what you need. +;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; +;; Other settings +;; +;; For iterate buffer, default is 50 +;ITERATE_BUFFER_SIZE = 50 +;; +;; Show the database generated SQL +;LOG_SQL = false +;; +;; Maximum number of DB Connect retries +;DB_RETRIES = 10 +;; +;; Backoff time per DB retry (time.Duration) +;DB_RETRY_BACKOFF = 3s +;; +;; Max idle database connections on connection pool, default is 2 +;MAX_IDLE_CONNS = 2 +;; +;; Database connection max life time, default is 0 or 3s mysql (See #6804 & #7071 for reasoning) +;CONN_MAX_LIFETIME = 3s +;; +;; Database connection max idle time, 0 prevents closing due to idle time. +;CONN_MAX_IDLETIME = 0 +;; +;; Database maximum number of open connections, default is 100 which is the lowest default from Postgres (MariaDB + MySQL default to 151). Ensure you only increase the value if you configured your database server accordingly. +;MAX_OPEN_CONNS = 100 +;; +;; Whether execute database models migrations automatically +;AUTO_MIGRATION = true +;; +;; Threshold value (in seconds) beyond which query execution time is logged as a warning in the xorm logger +;; +;SLOW_QUERY_TRESHOLD = 5s + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +[security] +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; +;; Whether the installer is disabled (set to true to disable the installer) +INSTALL_LOCK = false +;; +;; Global secret key that will be used +;; This key is VERY IMPORTANT. If you lose it, the data encrypted by it (like 2FA secret) can't be decrypted anymore. +SECRET_KEY = +;; +;; Alternative location to specify secret key, instead of this file; you cannot specify both this and SECRET_KEY, and must pick one +;; This key is VERY IMPORTANT. If you lose it, the data encrypted by it (like 2FA secret) can't be decrypted anymore. +;SECRET_KEY_URI = file:/etc/gitea/secret_key +;; +;; Secret used to validate communication within Gitea binary. +INTERNAL_TOKEN = +;; +;; Alternative location to specify internal token, instead of this file; you cannot specify both this and INTERNAL_TOKEN, and must pick one +;INTERNAL_TOKEN_URI = file:/etc/gitea/internal_token +;; +;; How long to remember that a user is logged in before requiring relogin (in days) +;LOGIN_REMEMBER_DAYS = 31 +;; +;; Name of cookie used to store authentication information. +;COOKIE_REMEMBER_NAME = gitea_incredible +;; +;; Reverse proxy authentication header name of user name, email, and full name +;REVERSE_PROXY_AUTHENTICATION_USER = X-WEBAUTH-USER +;REVERSE_PROXY_AUTHENTICATION_EMAIL = X-WEBAUTH-EMAIL +;REVERSE_PROXY_AUTHENTICATION_FULL_NAME = X-WEBAUTH-FULLNAME +;; +;; Interpret X-Forwarded-For header or the X-Real-IP header and set this as the remote IP for the request +;REVERSE_PROXY_LIMIT = 1 +;; +;; List of IP addresses and networks separated by comma of trusted proxy servers. Use `*` to trust all. +;REVERSE_PROXY_TRUSTED_PROXIES = 127.0.0.0/8,::1/128 +;; +;; The minimum password length for new Users +;MIN_PASSWORD_LENGTH = 8 +;; +;; Set to true to allow users to import local server paths +;IMPORT_LOCAL_PATHS = false +;; +;; Set to false to allow users with git hook privileges to create custom git hooks. +;; Custom git hooks can be used to perform arbitrary code execution on the host operating system. +;; This enables the users to access and modify this config file and the Gitea database and interrupt the Gitea service. +;; By modifying the Gitea database, users can gain Gitea administrator privileges. +;; It also enables them to access other resources available to the user on the operating system that is running the Gitea instance and perform arbitrary actions in the name of the Gitea OS user. +;; WARNING: This maybe harmful to you website or your operating system. +;; WARNING: Setting this to true does not change existing hooks in git repos; adjust it before if necessary. +;DISABLE_GIT_HOOKS = true +;; +;; Set to true to disable webhooks feature. +;DISABLE_WEBHOOKS = false +;; +;; Set to false to allow pushes to gitea repositories despite having an incomplete environment - NOT RECOMMENDED +;ONLY_ALLOW_PUSH_IF_GITEA_ENVIRONMENT_SET = true +;; +;;Comma separated list of character classes required to pass minimum complexity. +;;If left empty or no valid values are specified, the default is off (no checking) +;;Classes include "lower,upper,digit,spec" +;PASSWORD_COMPLEXITY = off +;; +;; Password Hash algorithm, either "argon2", "pbkdf2"/"pbkdf2_v2", "pbkdf2_hi", "scrypt" or "bcrypt" +;PASSWORD_HASH_ALGO = pbkdf2_hi +;; +;; Set false to allow JavaScript to read CSRF cookie +;CSRF_COOKIE_HTTP_ONLY = true +;; +;; Validate against https://haveibeenpwned.com/Passwords to see if a password has been exposed +;PASSWORD_CHECK_PWN = false +;; +;; Cache successful token hashes. API tokens are stored in the DB as pbkdf2 hashes however, this means that there is a potentially significant hashing load when there are multiple API operations. +;; This cache will store the successfully hashed tokens in a LRU cache as a balance between performance and security. +;SUCCESSFUL_TOKENS_CACHE_SIZE = 20 +;; +;; Reject API tokens sent in URL query string (Accept Header-based API tokens only). This avoids security vulnerabilities +;; stemming from cached/logged plain-text API tokens. +;; In future releases, this will become the default behavior +;DISABLE_QUERY_AUTH_TOKEN = false + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +[camo] +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; +;; At the moment we only support images +;; +;; if the camo is enabled +;ENABLED = false +;; url to a camo image proxy, it **is required** if camo is enabled. +;SERVER_URL = +;; HMAC to encode urls with, it **is required** if camo is enabled. +;HMAC_KEY = +;; Set to true to use camo for https too lese only non https urls are proxyed +;; ALLWAYS is deprecated and will be removed in the future +;ALWAYS = false + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +[oauth2] +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; +;; Enables OAuth2 provider +ENABLED = true +;; +;; Algorithm used to sign OAuth2 tokens. Valid values: HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, EdDSA +;JWT_SIGNING_ALGORITHM = RS256 +;; +;; Private key file path used to sign OAuth2 tokens. The path is relative to APP_DATA_PATH. +;; This setting is only needed if JWT_SIGNING_ALGORITHM is set to RS256, RS384, RS512, ES256, ES384 or ES512. +;; The file must contain a RSA or ECDSA private key in the PKCS8 format. If no key exists a 4096 bit key will be created for you. +;JWT_SIGNING_PRIVATE_KEY_FILE = jwt/private.pem +;; +;; OAuth2 authentication secret for access and refresh tokens, change this yourself to a unique string. CLI generate option is helpful in this case. https://docs.gitea.io/en-us/command-line/#generate +;; This setting is only needed if JWT_SIGNING_ALGORITHM is set to HS256, HS384 or HS512. +;JWT_SECRET = +;; +;; Alternative location to specify OAuth2 authentication secret. You cannot specify both this and JWT_SECRET, and must pick one +;JWT_SECRET_URI = file:/etc/gitea/oauth2_jwt_secret +;; +;; Lifetime of an OAuth2 access token in seconds +;ACCESS_TOKEN_EXPIRATION_TIME = 3600 +;; +;; Lifetime of an OAuth2 refresh token in hours +;REFRESH_TOKEN_EXPIRATION_TIME = 730 +;; +;; Check if refresh token got already used +;INVALIDATE_REFRESH_TOKENS = false +;; +;; Maximum length of oauth2 token/cookie stored on server +;MAX_TOKEN_LENGTH = 32767 +;; +;; Pre-register OAuth2 applications for some universally useful services +;; * https://github.com/hickford/git-credential-oauth +;; * https://github.com/git-ecosystem/git-credential-manager +;; * https://gitea.com/gitea/tea +;DEFAULT_APPLICATIONS = git-credential-oauth, git-credential-manager, tea + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +[log] +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; Root path for the log files - defaults to %(GITEA_WORK_DIR)/log +;ROOT_PATH = +;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; Main Logger +;; +;; Either "console", "file" or "conn", default is "console" +;; Use comma to separate multiple modes, e.g. "console, file" +MODE = console +;; +;; Either "Trace", "Debug", "Info", "Warn", "Error" or "None", default is "Info" +LEVEL = Info +;; +;; Print Stacktrace with logs (rarely helpful, do not set) Either "Trace", "Debug", "Info", "Warn", "Error", default is "None" +;STACKTRACE_LEVEL = None +;; +;; Buffer length of the channel, keep it as it is if you don't know what it is. +;BUFFER_LEN = 10000 +;; +;; Sub logger modes, a single comma means use default MODE above, empty means disable it +;logger.access.MODE= +;logger.router.MODE=, +;logger.xorm.MODE=, +;; +;; Collect SSH logs (Creates log from ssh git request) +;; +;ENABLE_SSH_LOG = false +;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; +;; Access Logger (Creates log in NCSA common log format) +;; +;; Print request id which parsed from request headers in access log, when access log is enabled. +;; * E.g: +;; * In request Header: X-Request-ID: test-id-123 +;; * Configuration in app.ini: REQUEST_ID_HEADERS = X-Request-ID +;; * Print in log: 127.0.0.1:58384 - - [14/Feb/2023:16:33:51 +0800] "test-id-123" +;; +;; If you configure more than one in the .ini file, it will match in the order of configuration, +;; and the first match will be finally printed in the log. +;; * E.g: +;; * In request Header: X-Trace-ID: trace-id-1q2w3e4r +;; * Configuration in app.ini: REQUEST_ID_HEADERS = X-Request-ID, X-Trace-ID, X-Req-ID +;; * Print in log: 127.0.0.1:58384 - - [14/Feb/2023:16:33:51 +0800] "trace-id-1q2w3e4r" +;; +;REQUEST_ID_HEADERS = +;; +;; Sets the template used to create the access log. +;ACCESS_LOG_TEMPLATE = {{.Ctx.RemoteHost}} - {{.Identity}} {{.Start.Format "[02/Jan/2006:15:04:05 -0700]" }} "{{.Ctx.Req.Method}} {{.Ctx.Req.URL.RequestURI}} {{.Ctx.Req.Proto}}" {{.ResponseWriter.Status}} {{.ResponseWriter.Size}} "{{.Ctx.Req.Referer}}" "{{.Ctx.Req.UserAgent}}" + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; +;; Log modes (aka log writers) +;; +;[log.%(WriterMode)] +;MODE=console/file/conn/... +;LEVEL= +;FLAGS = stdflags or journald +;EXPRESSION = +;PREFIX = +;COLORIZE = false +;; +;[log.console] +;STDERR = false +;; +;[log.file] +;; Set the file_name for the logger. If this is a relative path this will be relative to ROOT_PATH +;FILE_NAME = +;; This enables automated log rotate(switch of following options), default is true +;LOG_ROTATE = true +;; Max size shift of a single file, default is 28 means 1 << 28, 256MB +;MAX_SIZE_SHIFT = 28 +;; Segment log daily, default is true +;DAILY_ROTATE = true +;; delete the log file after n days, default is 7 +;MAX_DAYS = 7 +;; compress logs with gzip +;COMPRESS = true +;; compression level see godoc for compress/gzip +;COMPRESSION_LEVEL = -1 +;; +;[log.conn] +;; Reconnect host for every single message, default is false +;RECONNECT_ON_MSG = false +;; Try to reconnect when connection is lost, default is false +;RECONNECT = false +;; Either "tcp", "unix" or "udp", default is "tcp" +;PROTOCOL = tcp +;; Host address +;ADDR = + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +[git] +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; +;; The path of git executable. If empty, Gitea searches through the PATH environment. +;PATH = +;; +;; The HOME directory for Git +;HOME_PATH = %(APP_DATA_PATH)s/home +;; +;; Disables highlight of added and removed changes +;DISABLE_DIFF_HIGHLIGHT = false +;; +;; Max number of lines allowed in a single file in diff view +;MAX_GIT_DIFF_LINES = 1000 +;; +;; Max number of allowed characters in a line in diff view +;MAX_GIT_DIFF_LINE_CHARACTERS = 5000 +;; +;; Max number of files shown in diff view +;MAX_GIT_DIFF_FILES = 100 +;; +;; Set the default commits range size +;COMMITS_RANGE_SIZE = 50 +;; +;; Set the default branches range size +;BRANCHES_RANGE_SIZE = 20 +;; +;; Print out verbose infos on push to stdout +;VERBOSE_PUSH = true +;; +;; Delay before verbose push infos are printed to stdout +;VERBOSE_PUSH_DELAY = 5s +;; +;; Arguments for command 'git gc', e.g. "--aggressive --auto" +;; see more on http://git-scm.com/docs/git-gc/ +;GC_ARGS = +;; +;; If use git wire protocol version 2 when git version >= 2.18, default is true, set to false when you always want git wire protocol version 1 +;; To enable this for Git over SSH when using a OpenSSH server, add `AcceptEnv GIT_PROTOCOL` to your sshd_config file. +;ENABLE_AUTO_GIT_WIRE_PROTOCOL = true +;; +;; Respond to pushes to a non-default branch with a URL for creating a Pull Request (if the repository has them enabled) +;PULL_REQUEST_PUSH_MESSAGE = true +;; +;; (Go-Git only) Don't cache objects greater than this in memory. (Set to 0 to disable.) +;LARGE_OBJECT_THRESHOLD = 1048576 +;; Set to true to forcibly set core.protectNTFS=false +;DISABLE_CORE_PROTECT_NTFS=false +;; Disable the usage of using partial clones for git. +;DISABLE_PARTIAL_CLONE = false + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; Git Operation timeout in seconds +;[git.timeout] +;DEFAULT = 360 +;MIGRATE = 600 +;MIRROR = 300 +;CLONE = 300 +;PULL = 300 +;GC = 60 +;GREP = 2 + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; Git config options +;; This section only does "set" config, a removed config key from this section won't be removed from git config automatically. The format is `some.configKey = value`. +;[git.config] +;diff.algorithm = histogram +;core.logAllRefUpdates = true +;gc.reflogExpire = 90 + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +[service] +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; +;; Time limit to confirm account/email registration +;ACTIVE_CODE_LIVE_MINUTES = 180 +;; +;; Time limit to perform the reset of a forgotten password +;RESET_PASSWD_CODE_LIVE_MINUTES = 180 +;; +;; Whether a new user needs to confirm their email when registering. +;REGISTER_EMAIL_CONFIRM = false +;; +;; Whether a new user needs to be confirmed manually after registration. (Requires `REGISTER_EMAIL_CONFIRM` to be disabled.) +;REGISTER_MANUAL_CONFIRM = false +;; +;; List of domain names that are allowed to be used to register on a Gitea instance, wildcard is supported +;; eg: gitea.io,example.com,*.mydomain.com +;EMAIL_DOMAIN_ALLOWLIST = +;; +;; Comma-separated list of domain names that are not allowed to be used to register on a Gitea instance, wildcard is supported +;EMAIL_DOMAIN_BLOCKLIST = +;; +;; Disallow registration, only allow admins to create accounts. +DISABLE_REGISTRATION = false +;; +;; Allow registration only using gitea itself, it works only when DISABLE_REGISTRATION is false +;ALLOW_ONLY_INTERNAL_REGISTRATION = false +;; +;; Allow registration only using third-party services, it works only when DISABLE_REGISTRATION is false +ALLOW_ONLY_EXTERNAL_REGISTRATION = false +;; +;; User must sign in to view anything. +;REQUIRE_SIGNIN_VIEW = false +;; +;; Mail notification +;ENABLE_NOTIFY_MAIL = false +;; +;; This setting enables gitea to be signed in with HTTP BASIC Authentication using the user's password +;; If you set this to false you will not be able to access the tokens endpoints on the API with your password +;; Please note that setting this to false will not disable OAuth Basic or Basic authentication using a token +;ENABLE_BASIC_AUTHENTICATION = true +;; +;; More detail: https://github.com/gogits/gogs/issues/165 +;ENABLE_REVERSE_PROXY_AUTHENTICATION = false +; Enable this to allow reverse proxy authentication for API requests, the reverse proxy is responsible for ensuring that no CSRF is possible. +;ENABLE_REVERSE_PROXY_AUTHENTICATION_API = false +;ENABLE_REVERSE_PROXY_AUTO_REGISTRATION = false +;ENABLE_REVERSE_PROXY_EMAIL = false +;ENABLE_REVERSE_PROXY_FULL_NAME = false +;; +;; Enable captcha validation for registration +;ENABLE_CAPTCHA = false +;; +;; Enable this to require captcha validation for login +;REQUIRE_CAPTCHA_FOR_LOGIN = false +;; +;; Requires captcha for external registrations +;REQUIRE_EXTERNAL_REGISTRATION_CAPTCHA = false +;; Requires a password for external registrations +;REQUIRE_EXTERNAL_REGISTRATION_PASSWORD = false +;; +;; Type of captcha you want to use. Options: image, recaptcha, hcaptcha, mcaptcha, cfturnstile. +;CAPTCHA_TYPE = image +;; +;; Change this to use recaptcha.net or other recaptcha service +;RECAPTCHA_URL = https://www.google.com/recaptcha/ +;; Enable recaptcha to use Google's recaptcha service +;; Go to https://www.google.com/recaptcha/admin to sign up for a key +;RECAPTCHA_SECRET = +;RECAPTCHA_SITEKEY = +;; +;; For hCaptcha, create an account at https://accounts.hcaptcha.com/login to get your keys +;HCAPTCHA_SECRET = +;HCAPTCHA_SITEKEY = +;; +;; Change this to use demo.mcaptcha.org or your self-hosted mcaptcha.org instance. +;MCAPTCHA_URL = https://demo.mcaptcha.org +;; +;; Go to your configured mCaptcha instance and register a sitekey +;; and use your account's secret. +;MCAPTCHA_SECRET = +;MCAPTCHA_SITEKEY = +;; +;; Go to https://dash.cloudflare.com/?to=/:account/turnstile to sign up for a key +;CF_TURNSTILE_SITEKEY = +;CF_TURNSTILE_SECRET = +;; +;; Default value for KeepEmailPrivate +;; Each new user will get the value of this setting copied into their profile +;DEFAULT_KEEP_EMAIL_PRIVATE = false +;; +;; Default value for AllowCreateOrganization +;; Every new user will have rights set to create organizations depending on this setting +;DEFAULT_ALLOW_CREATE_ORGANIZATION = true +;; Default value for IsRestricted +;; Every new user will have restricted permissions depending on this setting +;DEFAULT_USER_IS_RESTRICTED = false +;; +;; Users will be able to use dots when choosing their username. Disabling this is +;; helpful if your usersare having issues with e.g. RSS feeds or advanced third-party +;; extensions that use strange regex patterns. +; ALLOW_DOTS_IN_USERNAMES = true +;; +;; Either "public", "limited" or "private", default is "public" +;; Limited is for users visible only to signed users +;; Private is for users visible only to members of their organizations +;; Public is for users visible for everyone +;DEFAULT_USER_VISIBILITY = public +;; +;; Set which visibility modes a user can have +;ALLOWED_USER_VISIBILITY_MODES = public,limited,private +;; +;; Either "public", "limited" or "private", default is "public" +;; Limited is for organizations visible only to signed users +;; Private is for organizations visible only to members of the organization +;; Public is for organizations visible to everyone +;DEFAULT_ORG_VISIBILITY = public +;; +;; Default value for DefaultOrgMemberVisible +;; True will make the membership of the users visible when added to the organisation +;DEFAULT_ORG_MEMBER_VISIBLE = false +;; +;; Default value for EnableDependencies +;; Repositories will use dependencies by default depending on this setting +;DEFAULT_ENABLE_DEPENDENCIES = true +;; +;; Dependencies can be added from any repository where the user is granted access or only from the current repository depending on this setting. +;ALLOW_CROSS_REPOSITORY_DEPENDENCIES = true +;; +;; Default map service. No external API support has been included. A service has to allow +;; searching using URL parameters, the location will be appended to the URL as escaped query parameter. +;; Some example values are: +;; - OpenStreetMap: https://www.openstreetmap.org/search?query= +;; - Google Maps: https://www.google.com/maps/place/ +;; - MapQuest: https://www.mapquest.com/search/ +;; - Bing Maps: https://www.bing.com/maps?where1= +; USER_LOCATION_MAP_URL = https://www.openstreetmap.org/search?query= +;; +;; Enable heatmap on users profiles. +;ENABLE_USER_HEATMAP = true +;; +;; Enable Timetracking +;ENABLE_TIMETRACKING = true +;; +;; Default value for EnableTimetracking +;; Repositories will use timetracking by default depending on this setting +;DEFAULT_ENABLE_TIMETRACKING = true +;; +;; Default value for AllowOnlyContributorsToTrackTime +;; Only users with write permissions can track time if this is true +;DEFAULT_ALLOW_ONLY_CONTRIBUTORS_TO_TRACK_TIME = true +;; +;; Value for the domain part of the user's email address in the git log if user +;; has set KeepEmailPrivate to true. The user's email will be replaced with a +;; concatenation of the user name in lower case, "@" and NO_REPLY_ADDRESS. Default +;; value is "noreply." + DOMAIN, where DOMAIN resolves to the value from server.DOMAIN +;; Note: do not use the notation below +;NO_REPLY_ADDRESS = ; noreply. +;; +;; Show Registration button +SHOW_REGISTRATION_BUTTON = false +;; +;; Show milestones dashboard page - a view of all the user's milestones +;SHOW_MILESTONES_DASHBOARD_PAGE = true +;; +;; Default value for AutoWatchNewRepos +;; When adding a repo to a team or creating a new repo all team members will watch the +;; repo automatically if enabled +;AUTO_WATCH_NEW_REPOS = true +;; +;; Default value for AutoWatchOnChanges +;; Make the user watch a repository When they commit for the first time +;AUTO_WATCH_ON_CHANGES = false +;; +;; Minimum amount of time a user must exist before comments are kept when the user is deleted. +;USER_DELETE_WITH_COMMENTS_MAX_TIME = 0 +;; Valid site url schemes for user profiles +;VALID_SITE_URL_SCHEMES=http,https + + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; Other Settings +;; +;; Uncomment the [section.header] if you wish to +;; set the below settings. +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;[badges] +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; Enable repository badges (via shields.io or a similar generator) +;ENABLED = true +;; Template for the badge generator. +;GENERATOR_URL_TEMPLATE = https://img.shields.io/badge/{{.label}}-{{.text}}-{{.color}} + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;[repository] +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; Root path for storing all repository data. By default, it is set to %(APP_DATA_PATH)s/gitea-repositories. +;; A relative path is interpreted as _`AppWorkPath`_/%(ROOT)s +;ROOT = +;; +;; The script type this server supports. Usually this is `bash`, but some users report that only `sh` is available. +;SCRIPT_TYPE = bash +;; +;; DETECTED_CHARSETS_ORDER tie-break order for detected charsets. +;; If the charsets have equal confidence, tie-breaking will be done by order in this list +;; with charsets earlier in the list chosen in preference to those later. +;; Adding "defaults" will place the unused charsets at that position. +;DETECTED_CHARSETS_ORDER = UTF-8, UTF-16BE, UTF-16LE, UTF-32BE, UTF-32LE, ISO-8859, windows-1252, ISO-8859, windows-1250, ISO-8859, ISO-8859, ISO-8859, windows-1253, ISO-8859, windows-1255, ISO-8859, windows-1251, windows-1256, KOI8-R, ISO-8859, windows-1254, Shift_JIS, GB18030, EUC-JP, EUC-KR, Big5, ISO-2022, ISO-2022, ISO-2022, IBM424_rtl, IBM424_ltr, IBM420_rtl, IBM420_ltr +;; +;; Default ANSI charset to override non-UTF-8 charsets to +;ANSI_CHARSET = +;; +;; Force every new repository to be private +;FORCE_PRIVATE = false +;; +;; Default privacy setting when creating a new repository, allowed values: last, private, public. Default is last which means the last setting used. +;DEFAULT_PRIVATE = last +;; +;; Default private when using push-to-create +;DEFAULT_PUSH_CREATE_PRIVATE = true +;; +;; Global limit of repositories per user, applied at creation time. -1 means no limit +;MAX_CREATION_LIMIT = -1 +;; +;; Preferred Licenses to place at the top of the List +;; The name here must match the filename in options/license or custom/options/license +;PREFERRED_LICENSES = Apache-2.0,MIT +;; +;; Disable the ability to interact with repositories using the HTTP protocol +;DISABLE_HTTP_GIT = false +;; +;; Value for Access-Control-Allow-Origin header, default is not to present +;; WARNING: This may be harmful to your website if you do not give it a right value. +;ACCESS_CONTROL_ALLOW_ORIGIN = +;; +;; Force ssh:// clone url instead of scp-style uri when default SSH port is used +;USE_COMPAT_SSH_URI = true +;; +;; Value for the "go get" request returns the repository url as https or ssh, default is https +;GO_GET_CLONE_URL_PROTOCOL = https +;; +;; Close issues as long as a commit on any branch marks it as fixed +;DEFAULT_CLOSE_ISSUES_VIA_COMMITS_IN_ANY_BRANCH = false +;; +;; Allow users to push local repositories to Gitea and have them automatically created for a user or an org +;ENABLE_PUSH_CREATE_USER = false +;ENABLE_PUSH_CREATE_ORG = false +;; +;; Comma separated list of globally disabled repo units. Allowed values: repo.issues, repo.ext_issues, repo.pulls, repo.wiki, repo.ext_wiki, repo.projects, repo.packages, repo.actions. +;DISABLED_REPO_UNITS = +;; +;; Comma separated list of default new repo units. Allowed values: repo.code, repo.releases, repo.issues, repo.pulls, repo.wiki, repo.projects, repo.packages, repo.actions. +;; Note: Code and Releases can currently not be deactivated. If you specify default repo units you should still list them for future compatibility. +;; External wiki and issue tracker can't be enabled by default as it requires additional settings. +;; Disabled repo units will not be added to new repositories regardless if it is in the default list. +;DEFAULT_REPO_UNITS = repo.code,repo.releases,repo.issues,repo.pulls,repo.wiki,repo.projects,repo.packages,repo.actions +;; +;; Comma separated list of default forked repo units. +;; The set of allowed values and rules are the same as DEFAULT_REPO_UNITS. +;DEFAULT_FORK_REPO_UNITS = repo.code,repo.pulls +;; +;; Prefix archive files by placing them in a directory named after the repository +;PREFIX_ARCHIVE_FILES = true +;; +;; Disable migrating feature. +;DISABLE_MIGRATIONS = false +;; +;; Disable stars feature. +;DISABLE_STARS = false +;; +;; Disable repository forking. +;DISABLE_FORKS = false +;; +;; The default branch name of new repositories +;DEFAULT_BRANCH = main +;; +;; Allow adoption of unadopted repositories +;ALLOW_ADOPTION_OF_UNADOPTED_REPOSITORIES = false +;; +;; Allow deletion of unadopted repositories +;ALLOW_DELETION_OF_UNADOPTED_REPOSITORIES = false + +;; Don't allow download source archive files from UI +;DISABLE_DOWNLOAD_SOURCE_ARCHIVES = false + +;; Allow fork repositories without maximum number limit +;ALLOW_FORK_WITHOUT_MAXIMUM_LIMIT = true + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;[repository.editor] +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; +;; List of file extensions for which lines should be wrapped in the Monaco editor +;; Separate extensions with a comma. To line wrap files without an extension, just put a comma +;LINE_WRAP_EXTENSIONS = .txt,.md,.markdown,.mdown,.mkd,.livemd, + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;[repository.local] +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; +;; Path for local repository copy. Defaults to `tmp/local-repo` (content gets deleted on gitea restart) +;LOCAL_COPY_PATH = tmp/local-repo + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;[repository.upload] +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; +;; Whether repository file uploads are enabled. Defaults to `true` +;ENABLED = true +;; +;; Path for uploads. Defaults to `data/tmp/uploads` (content gets deleted on gitea restart) +;TEMP_PATH = data/tmp/uploads +;; +;; Comma-separated list of allowed file extensions (`.zip`), mime types (`text/plain`) or wildcard type (`image/*`, `audio/*`, `video/*`). Empty value or `*/*` allows all types. +;ALLOWED_TYPES = +;; +;; Max size of each file in megabytes. Defaults to 50MB +;FILE_MAX_SIZE = 50 +;; +;; Max number of files per upload. Defaults to 5 +;MAX_FILES = 5 + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;[repository.pull-request] +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; +;; List of prefixes used in Pull Request title to mark them as Work In Progress (matched in a case-insensitive manner) +;WORK_IN_PROGRESS_PREFIXES = WIP:,[WIP] +;; +;; List of keywords used in Pull Request comments to automatically close a related issue +;CLOSE_KEYWORDS = close,closes,closed,fix,fixes,fixed,resolve,resolves,resolved +;; +;; List of keywords used in Pull Request comments to automatically reopen a related issue +;REOPEN_KEYWORDS = reopen,reopens,reopened +;; +;; Set default merge style for repository creating, valid options: merge, rebase, rebase-merge, squash, fast-forward-only +;DEFAULT_MERGE_STYLE = merge +;; +;; In the default merge message for squash commits include at most this many commits +;DEFAULT_MERGE_MESSAGE_COMMITS_LIMIT = 50 +;; +;; In the default merge message for squash commits limit the size of the commit messages to this +;DEFAULT_MERGE_MESSAGE_SIZE = 5120 +;; +;; In the default merge message for squash commits walk all commits to include all authors in the Co-authored-by otherwise just use those in the limited list +;DEFAULT_MERGE_MESSAGE_ALL_AUTHORS = false +;; +;; In default merge messages limit the number of approvers listed as Reviewed-by: to this many +;DEFAULT_MERGE_MESSAGE_MAX_APPROVERS = 10 +;; +;; In default merge messages only include approvers who are official +;DEFAULT_MERGE_MESSAGE_OFFICIAL_APPROVERS_ONLY = true +;; +;; If an squash commit's comment should be populated with the commit messages of the squashed commits +;POPULATE_SQUASH_COMMENT_WITH_COMMIT_MESSAGES = false +;; +;; Add co-authored-by and co-committed-by trailers if committer does not match author +;ADD_CO_COMMITTER_TRAILERS = true +;; +;; In addition to testing patches using the three-way merge method, re-test conflicting patches with git apply +;TEST_CONFLICTING_PATCHES_WITH_GIT_APPLY = false +;; +;; Retarget child pull requests to the parent pull request branch target on merge of parent pull request. It only works on merged PRs where the head and base branch target the same repo. +;RETARGET_CHILDREN_ON_MERGE = true + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;[repository.issue] +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; List of reasons why a Pull Request or Issue can be locked +;LOCK_REASONS = Too heated,Off-topic,Spam,Resolved +;; Maximum number of pinned Issues per repo +;; Set to 0 to disable pinning Issues +;MAX_PINNED = 3 + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;[repository.release] +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; Comma-separated list of allowed file extensions (`.zip`), mime types (`text/plain`) or wildcard type (`image/*`, `audio/*`, `video/*`). Empty value or `*/*` allows all types. +;ALLOWED_TYPES = +;DEFAULT_PAGING_NUM = 10 + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;[repository.signing] +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; +;; GPG key to use to sign commits, Defaults to the default - that is the value of git config --get user.signingkey +;; run in the context of the RUN_USER +;; Switch to none to stop signing completely +;SIGNING_KEY = default +;; +;; If a SIGNING_KEY ID is provided and is not set to default, use the provided Name and Email address as the signer. +;; These should match a publicized name and email address for the key. (When SIGNING_KEY is default these are set to +;; the results of git config --get user.name and git config --get user.email respectively and can only be overridden +;; by setting the SIGNING_KEY ID to the correct ID.) +;SIGNING_NAME = +;SIGNING_EMAIL = +;; +;; Sets the default trust model for repositories. Options are: collaborator, committer, collaboratorcommitter +;DEFAULT_TRUST_MODEL = collaborator +;; +;; Determines when gitea should sign the initial commit when creating a repository +;; Either: +;; - never +;; - pubkey: only sign if the user has a pubkey +;; - twofa: only sign if the user has logged in with twofa +;; - always +;; options other than none and always can be combined as comma separated list +;INITIAL_COMMIT = always +;; +;; Determines when to sign for CRUD actions +;; - as above +;; - parentsigned: requires that the parent commit is signed. +;CRUD_ACTIONS = pubkey, twofa, parentsigned +;; Determines when to sign Wiki commits +;; - as above +;WIKI = never +;; +;; Determines when to sign on merges +;; - basesigned: require that the parent of commit on the base repo is signed. +;; - commitssigned: require that all the commits in the head branch are signed. +;; - approved: only sign when merging an approved pr to a protected branch +;MERGES = pubkey, twofa, basesigned, commitssigned + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;[repository.mimetype_mapping] +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; +;; Custom MIME type mapping for downloadable files +;.apk=application/vnd.android.package-archive + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;[project] +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; Default templates for project boards +;PROJECT_BOARD_BASIC_KANBAN_TYPE = To Do, In Progress, Done +;PROJECT_BOARD_BUG_TRIAGE_TYPE = Needs Triage, High Priority, Low Priority, Closed + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;[cors] +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; +;; More information about CORS can be found here: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#The_HTTP_response_headers +;; enable cors headers (disabled by default) +;ENABLED = false +;; +;; list of requesting origins that are allowed, eg: "https://*.example.com" +;ALLOW_DOMAIN = * +;; +;; list of methods allowed to request +;METHODS = GET,HEAD,POST,PUT,PATCH,DELETE,OPTIONS +;; +;; max time to cache response +;MAX_AGE = 10m +;; +;; allow request with credentials +;ALLOW_CREDENTIALS = false +;; +;; headers to permit +;HEADERS = Content-Type,User-Agent +;; +;; set X-FRAME-OPTIONS header +;X_FRAME_OPTIONS = SAMEORIGIN + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;[ui] +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; +;; Number of repositories that are displayed on one explore page +;EXPLORE_PAGING_NUM = 20 +;; +;; Number of issues that are displayed on one page +;ISSUE_PAGING_NUM = 20 +;; +;; Number of repositories that are displayed on one page when searching. +;REPO_SEARCH_PAGING_NUM = 20 +;; +;; Number of members that are displayed on one page +;MEMBERS_PAGING_NUM = 20 +;; +;; Number of maximum commits displayed in one activity feed +;FEED_MAX_COMMIT_NUM = 5 +;; +;; Number of items that are displayed in home feed +;FEED_PAGING_NUM = 20 +;; +;; Number of items that are displayed in a single subsitemap +;SITEMAP_PAGING_NUM = 20 +;; +;; Number of packages that are displayed on one page +;PACKAGES_PAGING_NUM = 20 +;; +;; Number of maximum commits displayed in commit graph. +;GRAPH_MAX_COMMIT_NUM = 100 +;; +;; Number of line of codes shown for a code comment +;CODE_COMMENT_LINES = 4 +;; +;; Max size of files to be displayed (default is 8MiB) +;MAX_DISPLAY_FILE_SIZE = 8388608 +;; +;; Detect ambiguous unicode characters in file contents and show warnings on the UI +;AMBIGUOUS_UNICODE_DETECTION = true +;; +;; Whether the email of the user should be shown in the Explore Users page +;SHOW_USER_EMAIL = true +;; +;; Set the default theme for the Gitea install +;DEFAULT_THEME = forgejo-auto +;; +;; All available themes. Allow users select personalized themes regardless of the value of `DEFAULT_THEME`. +;; By default available: +;; - forgejo-auto, forgejo-light, forgejo-dark +;; - gitea-auto, gitea-light, gitea-dark +;; - forgejo-auto-deuteranopia-protanopia, forgejo-light-deuteranopia-protanopia, forgejo-dark-deuteranopia-protanopia +;; - forgejo-auto-tritanopia, forgejo-light-tritanopia, forgejo-dark-tritanopia +;THEMES = gitea-auto,gitea-light,gitea-dark +;; +;; All available reactions users can choose on issues/prs and comments. +;; Values can be emoji alias (:smile:) or a unicode emoji. +;; For custom reactions, add a tightly cropped square image to public/assets/img/emoji/reaction_name.png +;REACTIONS = +1, -1, laugh, hooray, confused, heart, rocket, eyes +;; +;; Change the number of users that are displayed in reactions tooltip (triggered by mouse hover). +;REACTION_MAX_USER_NUM = 10 +;; +;; Additional Emojis not defined in the utf8 standard +;; By default we support gitea (:gitea:), to add more copy them to public/assets/img/emoji/emoji_name.png and add it to this config. +;; Dont mistake it for Reactions. +;CUSTOM_EMOJIS = gitea, codeberg, gitlab, git, github, gogs, forgejo +;; +;; Whether the full name of the users should be shown where possible. If the full name isn't set, the username will be used. +;DEFAULT_SHOW_FULL_NAME = false +;; +;; Whether to search within description at repository search on explore page. +;SEARCH_REPO_DESCRIPTION = true +;; +;; Whether to only show relevant repos on the explore page when no keyword is specified and default sorting is used. +;; A repo is considered irrelevant if it's a fork or if it has no metadata (no description, no icon, no topic). +;ONLY_SHOW_RELEVANT_REPOS = false +;; +;; Change the sort type of the explore pages. +;; Default is "recentupdate", but you also have "alphabetically", "reverselastlogin", "newest", "oldest". +;EXPLORE_PAGING_DEFAULT_SORT = recentupdate +;; +;; The tense all timestamps should be rendered in. Possible values are `absolute` time (i.e. 1970-01-01, 11:59) and `mixed`. +;; `mixed` means most timestamps are rendered in relative time (i.e. 2 days ago). +;PREFERRED_TIMESTAMP_TENSE = mixed + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;[ui.admin] +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; +;; Number of users that are displayed on one page +;USER_PAGING_NUM = 50 +;; +;; Number of repos that are displayed on one page +;REPO_PAGING_NUM = 50 +;; +;; Number of notices that are displayed on one page +;NOTICE_PAGING_NUM = 25 +;; +;; Number of organizations that are displayed on one page +;ORG_PAGING_NUM = 50 + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;[ui.user] +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; Number of repos that are displayed on one page +;REPO_PAGING_NUM = 15 + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;[ui.meta] +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;AUTHOR = Forgejo – Beyond coding. We forge. +;DESCRIPTION = Forgejo is a self-hosted lightweight software forge. Easy to install and low maintenance, it just does the job. +;KEYWORDS = git,forge,forgejo + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;[ui.notification] +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; +;; Control how often the notification endpoint is polled to update the notification +;; The timeout will increase to MAX_TIMEOUT in TIMEOUT_STEPs if the notification count is unchanged +;; Set MIN_TIMEOUT to -1 to turn off +;MIN_TIMEOUT = 10s +;MAX_TIMEOUT = 60s +;TIMEOUT_STEP = 10s +;; +;; This setting determines how often the db is queried to get the latest notification counts. +;; If the browser client supports EventSource and SharedWorker, a SharedWorker will be used in preference to polling notification. Set to -1 to disable the EventSource +;EVENT_SOURCE_UPDATE_TIME = 10s + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;[ui.svg] +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; +;; Whether to render SVG files as images. If SVG rendering is disabled, SVG files are displayed as text and cannot be embedded in markdown files as images. +;ENABLE_RENDER = true + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;[ui.csv] +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; +;; Maximum allowed file size in bytes to render CSV files as table. (Set to 0 for no limit). +;MAX_FILE_SIZE = 524288 +;; +;; Maximum allowed rows to render CSV files. (Set to 0 for no limit) +;MAX_ROWS = 2500 + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;[markdown] +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; +;; Render soft line breaks as hard line breaks, which means a single newline character between +;; paragraphs will cause a line break and adding trailing whitespace to paragraphs is not +;; necessary to force a line break. +;; Render soft line breaks as hard line breaks for comments +;ENABLE_HARD_LINE_BREAK_IN_COMMENTS = true +;; +;; Render soft line breaks as hard line breaks for markdown documents +;ENABLE_HARD_LINE_BREAK_IN_DOCUMENTS = false +;; +;; Comma separated list of custom URL-Schemes that are allowed as links when rendering Markdown +;; for example git,magnet,ftp (more at https://en.wikipedia.org/wiki/List_of_URI_schemes) +;; URLs starting with http and https are always displayed, whatever is put in this entry. +;; If this entry is empty, all URL schemes are allowed. +;CUSTOM_URL_SCHEMES = +;; +;; List of file extensions that should be rendered/edited as Markdown +;; Separate the extensions with a comma. To render files without any extension as markdown, just put a comma +;FILE_EXTENSIONS = .md,.markdown,.mdown,.mkd,.livemd +;; +;; Enables math inline and block detection +;ENABLE_MATH = true + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;[ssh.minimum_key_sizes] +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; +;; Define allowed algorithms and their minimum key length (use -1 to disable a type) +;ED25519 = 256 +;ECDSA = 256 +;RSA = 3071 ; we allow 3071 here because an otherwise valid 3072 bit RSA key can be reported as having 3071 bit length +;DSA = -1 ; set to 1024 to switch on + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;[indexer] +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; +;; Issue Indexer settings +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; +;; Issue indexer type, currently support: bleve, db, elasticsearch or meilisearch default is bleve +;ISSUE_INDEXER_TYPE = bleve +;; +;; Issue indexer storage path, available when ISSUE_INDEXER_TYPE is bleve +;ISSUE_INDEXER_PATH = indexers/issues.bleve ; Relative paths will be made absolute against _`AppWorkPath`_. +;; +;; Issue indexer connection string, available when ISSUE_INDEXER_TYPE is elasticsearch (e.g. http://elastic:password@localhost:9200) or meilisearch (e.g. http://:apikey@localhost:7700) +;ISSUE_INDEXER_CONN_STR = +;; +;; Issue indexer name, available when ISSUE_INDEXER_TYPE is elasticsearch or meilisearch. +;ISSUE_INDEXER_NAME = gitea_issues +;; +;; Timeout the indexer if it takes longer than this to start. +;; Set to -1 to disable timeout. +;STARTUP_TIMEOUT = 30s +;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; Repository Indexer settings +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; +;; repo indexer by default disabled, since it uses a lot of disk space +;REPO_INDEXER_ENABLED = false +;; +;; repo indexer units, the items to index, could be `sources`, `forks`, `mirrors`, `templates` or any combination of them separated by a comma. +;; If empty then it defaults to `sources` only, as if you'd like to disable fully please see REPO_INDEXER_ENABLED. +;REPO_INDEXER_REPO_TYPES = sources,forks,mirrors,templates +;; +;; Code search engine type, could be `bleve` or `elasticsearch`. +;REPO_INDEXER_TYPE = bleve +;; +;; Index file used for code search. available when `REPO_INDEXER_TYPE` is bleve +;REPO_INDEXER_PATH = indexers/repos.bleve +;; +;; Code indexer connection string, available when `REPO_INDEXER_TYPE` is elasticsearch. i.e. http://elastic:changeme@localhost:9200 +;REPO_INDEXER_CONN_STR = +;; +;; Code indexer name, available when `REPO_INDEXER_TYPE` is elasticsearch +;REPO_INDEXER_NAME = gitea_codes +;; +;; A comma separated list of glob patterns (see https://github.com/gobwas/glob) to include +;; in the index; default is empty +;REPO_INDEXER_INCLUDE = +;; +;; A comma separated list of glob patterns to exclude from the index; ; default is empty +;REPO_INDEXER_EXCLUDE = +;; +;; If vendored files should be excluded. +;; See https://github.com/go-enry/go-enry for more details which files are considered to be vendored. +;REPO_INDEXER_EXCLUDE_VENDORED = true +;; +;; The maximum filesize to include for indexing +;MAX_FILE_SIZE = 1048576 + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;[queue] +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; +;; Specific queues can be individually configured with [queue.name]. [queue] provides defaults +;; ([queue.issue_indexer] is special due to the old configuration described above) +;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; +;; General queue queue type, currently support: persistable-channel, channel, level, redis, dummy +;; default to persistable-channel +;TYPE = persistable-channel +;; +;; data-dir for storing persistable queues and level queues, individual queues will default to `queues/common` meaning the queue is shared. +;DATADIR = queues/ ; Relative paths will be made absolute against `%(APP_DATA_PATH)s`. +;; +;; Default queue length before a channel queue will block +;LENGTH = 100000 +;; +;; Batch size to send for batched queues +;BATCH_LENGTH = 20 +;; +;; Connection string for redis queues this will store the redis (or Redis cluster) connection string. +;; When `TYPE` is `persistable-channel`, this provides a directory for the underlying leveldb +;; or additional options of the form `leveldb://path/to/db?option=value&....`, and will override `DATADIR`. +;CONN_STR = "redis://127.0.0.1:6379/0" +;; +;; Provides the suffix of the default redis/disk queue name - specific queues can be overridden within in their [queue.name] sections. +;QUEUE_NAME = "_queue" +;; +;; Provides the suffix of the default redis/disk unique queue set name - specific queues can be overridden within in their [queue.name] sections. +;SET_NAME = "_unique" +;; +;; Maximum number of worker go-routines for the queue. Default value is "CpuNum/2" clipped to between 1 and 10. +;MAX_WORKERS = ; (dynamic) + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;[admin] +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; +;; Disallow regular (non-admin) users from creating organizations. +;DISABLE_REGULAR_ORG_CREATION = false +;; +;; Default configuration for email notifications for users (user configurable). Options: enabled, onmention, disabled +;DEFAULT_EMAIL_NOTIFICATIONS = enabled +;; Send an email to all admins when a new user signs up to inform the admins about this act. Options: true, false +;SEND_NOTIFICATION_EMAIL_ON_NEW_USER = false +;; Disabled features for users, could be "deletion", "manage_ssh_keys","manage_gpg_keys" more features can be disabled in future +;; - deletion: a user cannot delete their own account +;; - manage_ssh_keys: a user cannot configure ssh keys +;; - manage_gpg_keys: a user cannot configure gpg keys +;USER_DISABLED_FEATURES = +;; Comma separated list of disabled features ONLY if the user has an external login type (eg. LDAP, Oauth, etc.), could be `deletion`, `manage_ssh_keys`, `manage_gpg_keys`. This setting is independent from `USER_DISABLED_FEATURES` and supplements its behavior. +;; - deletion: a user cannot delete their own account +;; - manage_ssh_keys: a user cannot configure ssh keys +;; - manage_gpg_keys: a user cannot configure gpg keys +;;EXTERNAL_USER_DISABLE_FEATURES = + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +[openid] +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; +;; OpenID is an open, standard and decentralized authentication protocol. +;; Your identity is the address of a webpage you provide, which describes +;; how to prove you are in control of that page. +;; +;; For more info: https://en.wikipedia.org/wiki/OpenID +;; +;; Current implementation supports OpenID-2.0 +;; +;; Tested to work providers at the time of writing: +;; - Any GNUSocial node (your.hostname.tld/username) +;; - Any SimpleID provider (http://simpleid.koinic.net) +;; - http://openid.org.cn/ +;; - openid.stackexchange.com +;; - login.launchpad.net +;; - .livejournal.com +;; +;; Whether to allow signin in via OpenID +ENABLE_OPENID_SIGNIN = true +;; +;; Whether to allow registering via OpenID +;; Do not include to rely on rhw DISABLE_REGISTRATION setting +ENABLE_OPENID_SIGNUP = true +;; +;; Allowed URI patterns (POSIX regexp). +;; Space separated. +;; Only these would be allowed if non-blank. +;; Example value: trusted.domain.org trusted.domain.net +WHITELISTED_URIS = auth.timo.bmrs.nl +;; +;; Forbidden URI patterns (POSIX regexp). +;; Space separated. +;; Only used if WHITELISTED_URIS is blank. +;; Example value: loadaverage.org/badguy stackexchange.com/.*spammer +;BLACKLISTED_URIS = + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;[oauth2_client] +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; +;; Whether a new auto registered oauth2 user needs to confirm their email. +;; Do not include to use the REGISTER_EMAIL_CONFIRM setting from the `[service]` section. +;REGISTER_EMAIL_CONFIRM = +;; +;; Scopes for the openid connect oauth2 provider (separated by space, the openid scope is implicitly added). +;; Typical values are profile and email. +;; For more information about the possible values see https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims +;OPENID_CONNECT_SCOPES = +;; +;; Automatically create user accounts for new oauth2 users. +;ENABLE_AUTO_REGISTRATION = false +;; +;; The source of the username for new oauth2 accounts: +;; userid = use the userid / sub attribute +;; nickname = use the nickname attribute +;; email = use the username part of the email attribute +;; Note: `nickname` and `email` options will normalize input strings using the following criteria: +;; - diacritics are removed +;; - the characters in the set `['´\x60]` are removed +;; - the characters in the set `[\s~+]` are replaced with `-` +;USERNAME = nickname +;; +;; Update avatar if available from oauth2 provider. +;; Update will be performed on each login. +;UPDATE_AVATAR = false +;; +;; How to handle if an account / email already exists: +;; disabled = show an error +;; login = show an account linking login +;; auto = link directly with the account +;ACCOUNT_LINKING = login + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;[webhook] +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; +;; Hook task queue length, increase if webhook shooting starts hanging +;QUEUE_LENGTH = 1000 +;; +;; Deliver timeout in seconds +;DELIVER_TIMEOUT = 5 +;; +;; Webhook can only call allowed hosts for security reasons. Comma separated list, eg: external, 192.168.1.0/24, *.mydomain.com +;; Built-in: loopback (for localhost), private (for LAN/intranet), external (for public hosts on internet), * (for all hosts) +;; CIDR list: 1.2.3.0/8, 2001:db8::/32 +;; Wildcard hosts: *.mydomain.com, 192.168.100.* +;; Since 1.15.7. Default to * for 1.15.x, external for 1.16 and later +;ALLOWED_HOST_LIST = external +;; +;; Allow insecure certification +;SKIP_TLS_VERIFY = false +;; +;; Number of history information in each page +;PAGING_NUM = 10 +;; +;; Proxy server URL, support http://, https//, socks://, blank will follow environment http_proxy/https_proxy +;PROXY_URL = +;; +;; Comma separated list of host names requiring proxy. Glob patterns (*) are accepted; use ** to match all hosts. +;PROXY_HOSTS = + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;[mailer] +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; +;; NOTICE: this section is for Gitea 1.18 and later. If you are using Gitea 1.17 or older, +;; please refer to +;; https://github.com/go-gitea/gitea/blob/release/v1.17/custom/conf/app.example.ini +;; https://github.com/go-gitea/gitea/blob/release/v1.17/docs/content/doc/advanced/config-cheat-sheet.en-us.md +;; +;ENABLED = false +;; +;; Buffer length of channel, keep it as it is if you don't know what it is. +;SEND_BUFFER_LEN = 100 +;; +;; Prefix displayed before subject in mail +;SUBJECT_PREFIX = +;; +;; Mail server protocol. One of "smtp", "smtps", "smtp+starttls", "smtp+unix", "sendmail", "dummy". +;; - sendmail: use the operating system's `sendmail` command instead of SMTP. This is common on Linux systems. +;; - dummy: send email messages to the log as a testing phase. +;; If your provider does not explicitly say which protocol it uses but does provide a port, +;; you can set SMTP_PORT instead and this will be inferred. +;; (Before 1.18, see the notice, this was controlled via MAILER_TYPE and IS_TLS_ENABLED.) +;PROTOCOL = +;; +;; Mail server address, e.g. smtp.gmail.com. +;; For smtp+unix, this should be a path to a unix socket instead. +;; (Before 1.18, see the notice, this was combined with SMTP_PORT as HOST.) +;SMTP_ADDR = +;; +;; Mail server port. Common ports are: +;; 25: insecure SMTP +;; 465: SMTP Secure +;; 587: StartTLS +;; If no protocol is specified, it will be inferred by this setting. +;; (Before 1.18, this was combined with SMTP_ADDR as HOST.) +;SMTP_PORT = +;; +;; Enable HELO operation. Defaults to true. +;ENABLE_HELO = true +;; +;; Custom hostname for HELO operation. +;; If no value is provided, one is retrieved from system. +;HELO_HOSTNAME = +;; +;; If set to `true`, completely ignores server certificate validation errors. +;; This option is unsafe. Consider adding the certificate to the system trust store instead. +;FORCE_TRUST_SERVER_CERT = false +;; +;; Use client certificate in connection. +;USE_CLIENT_CERT = false +;CLIENT_CERT_FILE = custom/mailer/cert.pem +;CLIENT_KEY_FILE = custom/mailer/key.pem +;; +;; Mail from address, RFC 5322. This can be just an email address, or the `"Name" ` format +;FROM = +;; +;; Sometimes it is helpful to use a different address on the envelope. Set this to use ENVELOPE_FROM as the from on the envelope. Set to `<>` to send an empty address. +;ENVELOPE_FROM = +;; +;; If gitea sends mails on behave of users, it will just use the name also displayed in the WebUI. If you want e.g. `Mister X (by CodeIt) `, +;; set it to `{{ .DisplayName }} (by {{ .AppName }})`. Available Variables: `.DisplayName`, `.AppName` and `.Domain`. +;FROM_DISPLAY_NAME_FORMAT = {{ .DisplayName }} +;; +;; Mailer user name and password, if required by provider. +;USER = +;; +;; Use PASSWD = `your password` for quoting if you use special characters in the password. +;PASSWD = +;; +;; Send mails only in plain text, without HTML alternative +;SEND_AS_PLAIN_TEXT = false +;; +;; Specify an alternative sendmail binary +;SENDMAIL_PATH = sendmail +;; +;; Specify any extra sendmail arguments +;; WARNING: if your sendmail program interprets options you should set this to "--" or terminate these args with "--" +;SENDMAIL_ARGS = +;; +;; Timeout for Sendmail +;SENDMAIL_TIMEOUT = 5m +;; +;; convert \r\n to \n for Sendmail +;SENDMAIL_CONVERT_CRLF = true + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;[mailer.override_header] +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; This is empty by default, use it only if you know what you need it for. +;Reply-To = test@example.com, test2@example.com +;Content-Type = text/html; charset=utf-8 +;In-Reply-To = + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;[email.incoming] +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; +;; Enable handling of incoming emails. +;ENABLED = false +;; +;; The email address including the %{token} placeholder that will be replaced per user/action. +;; Example: incoming+%{token}@example.com +;; The placeholder must appear in the user part of the address (before the @). +;REPLY_TO_ADDRESS = +;; +;; IMAP server host +;HOST = +;; +;; IMAP server port +;PORT = +;; +;; Username of the receiving account +;USERNAME = +;; +;; Password of the receiving account +;PASSWORD = +;; +;; Whether the IMAP server uses TLS. +;USE_TLS = false +;; +;; If set to true, completely ignores server certificate validation errors. This option is unsafe. +;SKIP_TLS_VERIFY = true +;; +;; The mailbox name where incoming mail will end up. +;MAILBOX = INBOX +;; +;; Whether handled messages should be deleted from the mailbox. +;DELETE_HANDLED_MESSAGE = true +;; +;; Maximum size of a message to handle. Bigger messages are ignored. Set to 0 to allow every size. +;MAXIMUM_MESSAGE_SIZE = 10485760 + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;[cache] +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; +;; Either "memory", "redis", "memcache", or "twoqueue". default is "memory" +;ADAPTER = memory +;; +;; For "memory" only, GC interval in seconds, default is 60 +;INTERVAL = 60 +;; +;; For "redis" and "memcache", connection host address +;; redis: `redis://127.0.0.1:6379/0?pool_size=100&idle_timeout=180s` (or `redis+cluster://127.0.0.1:6379/0?pool_size=100&idle_timeout=180s` for a Redis cluster) +;; memcache: `127.0.0.1:11211` +;; twoqueue: `{"size":50000,"recent_ratio":0.25,"ghost_ratio":0.5}` or `50000` +;HOST = +;; +;; Time to keep items in cache if not used, default is 16 hours. +;; Setting it to -1 disables caching +;ITEM_TTL = 16h + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; Last commit cache +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;[cache.last_commit] +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; +;; Time to keep items in cache if not used, default is 8760 hours. +;; Setting it to -1 disables caching +;ITEM_TTL = 8760h +;; +;; Only enable the cache when repository's commits count great than +;COMMITS_COUNT = 1000 + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;[session] +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; +;; Either "memory", "file", "redis", "db", "mysql", "couchbase", "memcache" or "postgres" +;; Default is "memory". "db" will reuse the configuration in [database] +;PROVIDER = memory +;; +;; Provider config options +;; memory: doesn't have any config yet +;; file: session file path, e.g. `data/sessions` +;; redis: `redis://127.0.0.1:6379/0?pool_size=100&idle_timeout=180s` (or `redis+cluster://127.0.0.1:6379/0?pool_size=100&idle_timeout=180s` for a Redis cluster) +;; mysql: go-sql-driver/mysql dsn config string, e.g. `root:password@/session_table` +;PROVIDER_CONFIG = data/sessions ; Relative paths will be made absolute against _`AppWorkPath`_. +;; +;; Session cookie name +;COOKIE_NAME = i_like_gitea +;; +;; If you use session in https only: true or false. If not set, it defaults to `true` if the ROOT_URL is an HTTPS URL. +;COOKIE_SECURE = +;; +;; Session GC time interval in seconds, default is 86400 (1 day) +;GC_INTERVAL_TIME = 86400 +;; +;; Session life time in seconds, default is 86400 (1 day) +;SESSION_LIFE_TIME = 86400 +;; +;; Cookie domain name. Default is empty +;DOMAIN = +;; +;; SameSite settings. Either "none", "lax", or "strict" +;SAME_SITE=lax + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;[picture] +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; +;; How Gitea deals with missing repository avatars +;; none = no avatar will be displayed; random = random avatar will be displayed; image = default image will be used +;REPOSITORY_AVATAR_FALLBACK = none +;REPOSITORY_AVATAR_FALLBACK_IMAGE = /img/repo_default.png +;; +;; Max Width and Height of uploaded avatars. +;; This is to limit the amount of RAM used when resizing the image. +;AVATAR_MAX_WIDTH = 4096 +;AVATAR_MAX_HEIGHT = 4096 +;; +;; The multiplication factor for rendered avatar images. +;; Larger values result in finer rendering on HiDPI devices. +;AVATAR_RENDERED_SIZE_FACTOR = 2 +;; +;; Maximum allowed file size for uploaded avatars. +;; This is to limit the amount of RAM used when resizing the image. +;AVATAR_MAX_FILE_SIZE = 1048576 +;; +;; If the uploaded file is not larger than this byte size, the image will be used as is, without resizing/converting. +;AVATAR_MAX_ORIGIN_SIZE = 262144 +;; +;; Chinese users can choose "duoshuo" +;; or a custom avatar source, like: http://cn.gravatar.com/avatar/ +;GRAVATAR_SOURCE = gravatar +;; +;; This value will always be true in offline mode. +;DISABLE_GRAVATAR = false +;; +;; Federated avatar lookup uses DNS to discover avatar associated +;; with emails, see https://www.libravatar.org +;; This value will always be false in offline mode or when Gravatar is disabled. +;ENABLE_FEDERATED_AVATAR = false + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;[attachment] +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; +;; Whether issue and pull request attachments are enabled. Defaults to `true` +;ENABLED = true +;; +;; Comma-separated list of allowed file extensions (`.zip`), mime types (`text/plain`) or wildcard type (`image/*`, `audio/*`, `video/*`). Empty value or `*/*` allows all types. +;ALLOWED_TYPES = .cpuprofile,.csv,.dmp,.docx,.fodg,.fodp,.fods,.fodt,.gif,.gz,.jpeg,.jpg,.json,.jsonc,.log,.md,.mov,.mp4,.odf,.odg,.odp,.ods,.odt,.patch,.pdf,.png,.pptx,.svg,.tgz,.txt,.webm,.xls,.xlsx,.zip +;; +;; Max size of each file. Defaults to 2048MB +;MAX_SIZE = 2048 +;; +;; Max number of files per upload. Defaults to 5 +;MAX_FILES = 5 +;; +;; Storage type for attachments, `local` for local disk or `minio` for s3 compatible +;; object storage service, default is `local`. +;STORAGE_TYPE = local +;; +;; Allows the storage driver to redirect to authenticated URLs to serve files directly +;; Currently, only `minio` is supported. +;SERVE_DIRECT = false +;; +;; Path for attachments. Defaults to `attachments`. Only available when STORAGE_TYPE is `local` +;; Relative paths will be resolved to `${AppDataPath}/${attachment.PATH}` +;PATH = attachments +;; +;; Minio endpoint to connect only available when STORAGE_TYPE is `minio` +;MINIO_ENDPOINT = localhost:9000 +;; +;; Minio accessKeyID to connect only available when STORAGE_TYPE is `minio`. +;; If not provided and STORAGE_TYPE is `minio`, will search for credentials in known +;; environment variables (MINIO_ACCESS_KEY_ID, AWS_ACCESS_KEY_ID), credentials files +;; (~/.mc/config.json, ~/.aws/credentials), and EC2 instance metadata. +;MINIO_ACCESS_KEY_ID = +;; +;; Minio secretAccessKey to connect only available when STORAGE_TYPE is `minio` +;MINIO_SECRET_ACCESS_KEY = +;; +;; Minio bucket to store the attachments only available when STORAGE_TYPE is `minio` +;MINIO_BUCKET = gitea +;; +;; Url lookup for the minio bucket only available when STORAGE_TYPE is `minio` +;; Available values: auto, dns, path +;; If empty, it behaves the same as "auto" was set +;MINIO_BUCKET_LOOKUP = +;; +;; Minio location to create bucket only available when STORAGE_TYPE is `minio` +;MINIO_LOCATION = us-east-1 +;; +;; Minio base path on the bucket only available when STORAGE_TYPE is `minio` +;MINIO_BASE_PATH = attachments/ +;; +;; Minio enabled ssl only available when STORAGE_TYPE is `minio` +;MINIO_USE_SSL = false +;; +;; Minio skip SSL verification available when STORAGE_TYPE is `minio` +;MINIO_INSECURE_SKIP_VERIFY = false +;; +;; Minio checksum algorithm: default (for MinIO or AWS S3) or md5 (for Cloudflare or Backblaze) +;MINIO_CHECKSUM_ALGORITHM = default + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;[time] +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; +;; Location the UI time display i.e. Asia/Shanghai +;; Empty means server's location setting +;DEFAULT_UI_LOCATION = + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;[cron] +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; +;; Common settings +;; +;; Setting this to true will enable all cron tasks periodically with default settings. +;ENABLED = false +;; Setting this to true will run all enabled cron tasks when Gitea starts. +;RUN_AT_START = false +;; +;; Note: ``SCHEDULE`` accept formats +;; - Full crontab specs, e.g. "* * * * * ?" +;; - Descriptors, e.g. "@midnight", "@every 1h30m" +;; See more: https://pkg.go.dev/github.com/gogs/cron@v0.0.0-20171120032916-9f6c956d3e14 + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; Basic cron tasks - enabled by default +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; Clean up old repository archives +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;[cron.archive_cleanup] +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; Whether to enable the job +;ENABLED = true +;; Whether to always run at least once at start up time (if ENABLED) +;RUN_AT_START = true +;; Whether to emit notice on successful execution too +;NOTICE_ON_SUCCESS = false +;; Time interval for job to run +;SCHEDULE = @midnight +;; Archives created more than OLDER_THAN ago are subject to deletion +;OLDER_THAN = 24h + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; Update mirrors +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;[cron.update_mirrors] +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;SCHEDULE = @every 10m +;; Enable running Update mirrors task periodically. +;ENABLED = true +;; Run Update mirrors task when Gitea starts. +;RUN_AT_START = false +;; Notice if not success +;NOTICE_ON_SUCCESS = false +;; Limit the number of mirrors added to the queue to this number +;; (negative values mean no limit, 0 will result in no result in no mirrors being queued effectively disabling pull mirror updating.) +;PULL_LIMIT=50 +;; Limit the number of mirrors added to the queue to this number +;; (negative values mean no limit, 0 will result in no mirrors being queued effectively disabling push mirror updating) +;PUSH_LIMIT=50 + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; Repository health check +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;[cron.repo_health_check] +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;SCHEDULE = @midnight +;; Enable running Repository health check task periodically. +;ENABLED = true +;; Run Repository health check task when Gitea starts. +;RUN_AT_START = false +;; Notice if not success +;NOTICE_ON_SUCCESS = false +;TIMEOUT = 60s +;; Arguments for command 'git fsck', e.g. "--unreachable --tags" +;; see more on http://git-scm.com/docs/git-fsck +;ARGS = + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; Check repository statistics +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;[cron.check_repo_stats] +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; Enable running check repository statistics task periodically. +;ENABLED = true +;; Run check repository statistics task when Gitea starts. +;RUN_AT_START = true +;; Notice if not success +;NOTICE_ON_SUCCESS = false +;SCHEDULE = @midnight + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;[cron.update_migration_poster_id] +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +; Update migrated repositories' issues and comments' posterid, it will always attempt synchronization when the instance starts. +;ENABLED = true +;; Update migrated repositories' issues and comments' posterid when starting server (default true) +;RUN_AT_START = true +;; Notice if not success +;NOTICE_ON_SUCCESS = false +;; Interval as a duration between each synchronization. (default every 24h) +;SCHEDULE = @midnight + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; Synchronize external user data (only LDAP user synchronization is supported) +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;[cron.sync_external_users] +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;ENABLED = true +;; Synchronize external user data when starting server (default false) +;RUN_AT_START = false +;; Notice if not success +;NOTICE_ON_SUCCESS = false +;; Interval as a duration between each synchronization (default every 24h) +;SCHEDULE = @midnight +;; Create new users, update existing user data and disable users that are not in external source anymore (default) +;; or only create new users if UPDATE_EXISTING is set to false +;UPDATE_EXISTING = true + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; Cleanup expired actions assets +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;[cron.cleanup_actions] +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;ENABLED = true +;RUN_AT_START = true +;SCHEDULE = @midnight + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; Clean-up deleted branches +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;[cron.deleted_branches_cleanup] +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;ENABLED = true +;; Clean-up deleted branches when starting server (default true) +;RUN_AT_START = true +;; Notice if not success +;NOTICE_ON_SUCCESS = false +;; Interval as a duration between each synchronization (default every 24h) +;SCHEDULE = @midnight +;; deleted branches than OLDER_THAN ago are subject to deletion +;OLDER_THAN = 24h + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; Cleanup hook_task table +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;[cron.cleanup_hook_task_table] +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; Whether to enable the job +;ENABLED = true +;; Whether to always run at start up time (if ENABLED) +;RUN_AT_START = false +;; Time interval for job to run +;SCHEDULE = @midnight +;; OlderThan or PerWebhook. How the records are removed, either by age (i.e. how long ago hook_task record was delivered) or by the number to keep per webhook (i.e. keep most recent x deliveries per webhook). +;CLEANUP_TYPE = OlderThan +;; If CLEANUP_TYPE is set to OlderThan, then any delivered hook_task records older than this expression will be deleted. +;OLDER_THAN = 168h +;; If CLEANUP_TYPE is set to PerWebhook, this is number of hook_task records to keep for a webhook (i.e. keep the most recent x deliveries). +;NUMBER_TO_KEEP = 10 + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; Cleanup expired packages +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;[cron.cleanup_packages] +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; Whether to enable the job +;ENABLED = true +;; Whether to always run at least once at start up time (if ENABLED) +;RUN_AT_START = true +;; Whether to emit notice on successful execution too +;NOTICE_ON_SUCCESS = false +;; Time interval for job to run +;SCHEDULE = @midnight +;; Unreferenced blobs created more than OLDER_THAN ago are subject to deletion +;OLDER_THAN = 24h + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +; Extended cron task - not enabled by default +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; Delete all unactivated accounts +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;[cron.delete_inactive_accounts] +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;ENABLED = false +;RUN_AT_START = false +;NOTICE_ON_SUCCESS = false +;SCHEDULE = @annually +;OLDER_THAN = 168h + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; Delete all repository archives +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;[cron.delete_repo_archives] +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;ENABLED = false +;RUN_AT_START = false +;NOTICE_ON_SUCCESS = false +;SCHEDULE = @annually; + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; Garbage collect all repositories +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;[cron.git_gc_repos] +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;ENABLED = false +;RUN_AT_START = false +;NOTICE_ON_SUCCESS = false +;SCHEDULE = @every 72h +;TIMEOUT = 60s +;; Arguments for command 'git gc' +;; The default value is same with [git] -> GC_ARGS +;ARGS = + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; Update the '.ssh/authorized_keys' file with Gitea SSH keys +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;[cron.resync_all_sshkeys] +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;ENABLED = false +;RUN_AT_START = false +;NOTICE_ON_SUCCESS = false +;SCHEDULE = @every 72h + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; Resynchronize pre-receive, update and post-receive hooks of all repositories. +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;[cron.resync_all_hooks] +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;ENABLED = false +;RUN_AT_START = false +;NOTICE_ON_SUCCESS = false +;SCHEDULE = @every 72h + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; Reinitialize all missing Git repositories for which records exist +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;[cron.reinit_missing_repos] +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;ENABLED = false +;RUN_AT_START = false +;NOTICE_ON_SUCCESS = false +;SCHEDULE = @every 72h + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; Delete all repositories missing their Git files +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;[cron.delete_missing_repos] +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;ENABLED = false +;RUN_AT_START = false +;NOTICE_ON_SUCCESS = false +;SCHEDULE = @every 72h + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; Delete generated repository avatars +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;[cron.delete_generated_repository_avatars] +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;ENABLED = false +;RUN_AT_START = false +;NOTICE_ON_SUCCESS = false +;SCHEDULE = @every 72h + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; Delete all old actions from database +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;[cron.delete_old_actions] +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;ENABLED = false +;RUN_AT_START = false +;NOTICE_ON_SUCCESS = false +;SCHEDULE = @every 168h +;OLDER_THAN = 8760h + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; Check for new Gitea versions +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;[cron.update_checker] +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;ENABLED = true +;RUN_AT_START = false +;ENABLE_SUCCESS_NOTICE = false +;SCHEDULE = @every 168h +;HTTP_ENDPOINT = https://dl.gitea.com/gitea/version.json +;DOMAIN_ENDPOINT = release.forgejo.org + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; Delete all old system notices from database +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;[cron.delete_old_system_notices] +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;ENABLED = false +;RUN_AT_START = false +;NO_SUCCESS_NOTICE = false +;SCHEDULE = @every 168h +;OLDER_THAN = 8760h + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; Garbage collect LFS pointers in repositories +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;[cron.gc_lfs] +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;ENABLED = false +;; Garbage collect LFS pointers in repositories (default false) +;RUN_AT_START = false +;; Interval as a duration between each gc run (default every 24h) +;SCHEDULE = @every 24h +;; Only attempt to garbage collect LFSMetaObjects older than this (default 7 days) +;OLDER_THAN = 168h +;; Only attempt to garbage collect LFSMetaObjects that have not been attempted to be garbage collected for this long (default 3 days) +;LAST_UPDATED_MORE_THAN_AGO = 72h +; Minimum number of stale LFSMetaObjects to check per repo. Set to `0` to always check all. +;NUMBER_TO_CHECK_PER_REPO = 100 +;Check at least this proportion of LFSMetaObjects per repo. (This may cause all stale LFSMetaObjects to be checked.) +;PROPORTION_TO_CHECK_PER_REPO = 0.6 + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;[mirror] +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; Enables the mirror functionality. Set to **false** to disable all mirrors. Pre-existing mirrors remain valid but won't be updated; may be converted to regular repo. +;ENABLED = true +;; Disable the creation of **new** pull mirrors. Pre-existing mirrors remain valid. Will be ignored if `mirror.ENABLED` is `false`. +;DISABLE_NEW_PULL = false +;; Disable the creation of **new** push mirrors. Pre-existing mirrors remain valid. Will be ignored if `mirror.ENABLED` is `false`. +;DISABLE_NEW_PUSH = false +;; Default interval as a duration between each check +;DEFAULT_INTERVAL = 8h +;; Min interval as a duration must be > 1m +;MIN_INTERVAL = 10m + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;[api] +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; Enables the API documentation endpoints (/api/swagger, /api/v1/swagger, …). True or false. +;ENABLE_SWAGGER = true +;; Max number of items in a page +;MAX_RESPONSE_ITEMS = 50 +;; Default paging number of api +;DEFAULT_PAGING_NUM = 30 +;; Default and maximum number of items per page for git trees api +;DEFAULT_GIT_TREES_PER_PAGE = 1000 +;; Default max size of a blob returned by the blobs API (default is 10MiB) +;DEFAULT_MAX_BLOB_SIZE = 10485760 + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;[i18n] +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; The first locale will be used as the default if user browser's language doesn't match any locale in the list. +;LANGS = en-US,zh-CN,zh-HK,zh-TW,de-DE,fr-FR,nl-NL,lv-LV,ru-RU,uk-UA,ja-JP,es-ES,pt-BR,pt-PT,pl-PL,bg-BG,it-IT,fi-FI,tr-TR,cs-CZ,sv-SE,ko-KR,el-GR,fa-IR,hu-HU,id-ID,ml-IN +;NAMES = English,简体中文,繁體中文(香港),繁體中文(台灣),Deutsch,Français,Nederlands,Latviešu,Русский,Українська,日本語,Español,Português do Brasil,Português de Portugal,Polski,Български,Italiano,Suomi,Türkçe,Čeština,Српски,Svenska,한국어,Ελληνικά,فارسی,Magyar nyelv,Bahasa Indonesia,മലയാളം + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;[highlight.mapping] +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; Extension mapping to highlight class +;; e.g. .toml=ini + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;[other] +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; Show version information about Gitea and Go in the footer +;SHOW_FOOTER_VERSION = true +;; Show template execution time in the footer +;SHOW_FOOTER_TEMPLATE_LOAD_TIME = true +;; Show the "powered by" text in the footer +;SHOW_FOOTER_POWERED_BY = true +;; Generate sitemap. Defaults to `true`. +;ENABLE_SITEMAP = true +;; Enable/Disable RSS/Atom feed +;ENABLE_FEED = true + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;[markup] +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; Set the maximum number of characters in a mermaid source. (Set to -1 to disable limits) +;MERMAID_MAX_SOURCE_CHARACTERS = 5000 +;; Set the maximum number of lines allowed for a filepreview. (Set to -1 to disable limits; set to 0 to disable the feature) +;FILEPREVIEW_MAX_LINES = 50 + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;[markup.sanitizer.1] +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; The following keys can appear once to define a sanitation policy rule. +;; This section can appear multiple times by adding a unique alphanumeric suffix to define multiple rules. +;; e.g., [markup.sanitizer.1] -> [markup.sanitizer.2] -> [markup.sanitizer.TeX] +;ELEMENT = span +;ALLOW_ATTR = class +;REGEXP = ^(info|warning|error)$ +;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; Other markup formats e.g. asciidoc +;; +;; uncomment and enable the below section. +;; (You can add other markup formats by copying the section and adjusting +;; the section name suffix "asciidoc" to something else.) +;[markup.asciidoc] +;ENABLED = false +;; List of file extensions that should be rendered by an external command +;FILE_EXTENSIONS = .adoc,.asciidoc +;; External command to render all matching extensions +;RENDER_COMMAND = "asciidoc --out-file=- -" +;; Don't pass the file on STDIN, pass the filename as argument instead. +;IS_INPUT_FILE = false +;; How the content will be rendered. +;; * sanitized: Sanitize the content and render it inside current page, default to only allow a few HTML tags and attributes. Customized sanitizer rules can be defined in [markup.sanitizer.*] . +;; * no-sanitizer: Disable the sanitizer and render the content inside current page. It's **insecure** and may lead to XSS attack if the content contains malicious code. +;; * iframe: Render the content in a separate standalone page and embed it into current page by iframe. The iframe is in sandbox mode with same-origin disabled, and the JS code are safely isolated from parent page. +;RENDER_CONTENT_MODE=sanitized + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;[metrics] +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; Enables metrics endpoint. True or false; default is false. +;ENABLED = false +;; If you want to add authorization, specify a token here +;TOKEN = +;; Enable issue by label metrics; default is false +;ENABLED_ISSUE_BY_LABEL = false +;; Enable issue by repository metrics; default is false +;ENABLED_ISSUE_BY_REPOSITORY = false + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;[migrations] +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; +;; Max attempts per http/https request on migrations. +;MAX_ATTEMPTS = 3 +;; +;; Backoff time per http/https request retry (seconds) +;RETRY_BACKOFF = 3 +;; +;; Allowed domains for migrating, default is blank. Blank means everything will be allowed. +;; Multiple domains could be separated by commas. +;; Wildcard is supported: "github.com, *.github.com" +;ALLOWED_DOMAINS = +;; +;; Blocklist for migrating, default is blank. Multiple domains could be separated by commas. +;; When ALLOWED_DOMAINS is not blank, this option has a higher priority to deny domains. +;; Wildcard is supported. +;BLOCKED_DOMAINS = +;; +;; Allow private addresses defined by RFC 1918, RFC 1122, RFC 4632 and RFC 4291 (false by default) +;; If a domain is allowed by ALLOWED_DOMAINS, this option will be ignored. +;ALLOW_LOCALNETWORKS = false +;; +;; If set to true, completely ignores server certificate validation errors. This option is unsafe. +;SKIP_TLS_VERIFY = false + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;[F3] +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; +;; Enable/Disable Friendly Forge Format (F3) +;ENABLED = false + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;[federation] +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; +;; Enable/Disable federation capabilities +;ENABLED = false +;; +;; Enable/Disable user statistics for nodeinfo if federation is enabled +;SHARE_USER_STATISTICS = true +;; +;; Maximum federation request and response size (MB) +;MAX_SIZE = 4 +;; +;; WARNING: Changing the settings below can break federation. +;; +;; HTTP signature algorithms +;ALGORITHMS = rsa-sha256, rsa-sha512, ed25519 +;; +;; HTTP signature digest algorithm +;DIGEST_ALGORITHM = SHA-256 +;; +;; GET headers for federation requests +;GET_HEADERS = (request-target), Date +;; +;; POST headers for federation requests +;POST_HEADERS = (request-target), Date, Digest + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;[packages] +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; +;; Enable/Disable package registry capabilities +;ENABLED = true +;; +;STORAGE_TYPE = local +;; override the minio base path if storage type is minio +;MINIO_BASE_PATH = packages/ +;; +;; Path for chunked uploads. Defaults to APP_DATA_PATH + `tmp/package-upload` +;CHUNKED_UPLOAD_PATH = tmp/package-upload +;; +;; Maximum count of package versions a single owner can have (`-1` means no limits) +;LIMIT_TOTAL_OWNER_COUNT = -1 +;; Maximum size of packages a single owner can use (`-1` means no limits, format `1000`, `1 MB`, `1 GiB`) +;LIMIT_TOTAL_OWNER_SIZE = -1 +;; Maximum size of an Alpine upload (`-1` means no limits, format `1000`, `1 MB`, `1 GiB`) +;LIMIT_SIZE_ALPINE = -1 +;; Maximum size of a Cargo upload (`-1` means no limits, format `1000`, `1 MB`, `1 GiB`) +;LIMIT_SIZE_CARGO = -1 +;; Maximum size of a Chef upload (`-1` means no limits, format `1000`, `1 MB`, `1 GiB`) +;LIMIT_SIZE_CHEF = -1 +;; Maximum size of a Composer upload (`-1` means no limits, format `1000`, `1 MB`, `1 GiB`) +;LIMIT_SIZE_COMPOSER = -1 +;; Maximum size of a Conan upload (`-1` means no limits, format `1000`, `1 MB`, `1 GiB`) +;LIMIT_SIZE_CONAN = -1 +;; Maximum size of a Conda upload (`-1` means no limits, format `1000`, `1 MB`, `1 GiB`) +;LIMIT_SIZE_CONDA = -1 +;; Maximum size of a Container upload (`-1` means no limits, format `1000`, `1 MB`, `1 GiB`) +;LIMIT_SIZE_CONTAINER = -1 +;; Maximum size of a CRAN upload (`-1` means no limits, format `1000`, `1 MB`, `1 GiB`) +;LIMIT_SIZE_CRAN = -1 +;; Maximum size of a Debian upload (`-1` means no limits, format `1000`, `1 MB`, `1 GiB`) +;LIMIT_SIZE_DEBIAN = -1 +;; Maximum size of a Generic upload (`-1` means no limits, format `1000`, `1 MB`, `1 GiB`) +;LIMIT_SIZE_GENERIC = -1 +;; Maximum size of a Go upload (`-1` means no limits, format `1000`, `1 MB`, `1 GiB`) +;LIMIT_SIZE_GO = -1 +;; Maximum size of a Helm upload (`-1` means no limits, format `1000`, `1 MB`, `1 GiB`) +;LIMIT_SIZE_HELM = -1 +;; Maximum size of a Maven upload (`-1` means no limits, format `1000`, `1 MB`, `1 GiB`) +;LIMIT_SIZE_MAVEN = -1 +;; Maximum size of a npm upload (`-1` means no limits, format `1000`, `1 MB`, `1 GiB`) +;LIMIT_SIZE_NPM = -1 +;; Maximum size of a NuGet upload (`-1` means no limits, format `1000`, `1 MB`, `1 GiB`) +;LIMIT_SIZE_NUGET = -1 +;; Maximum size of a Pub upload (`-1` means no limits, format `1000`, `1 MB`, `1 GiB`) +;LIMIT_SIZE_PUB = -1 +;; Maximum size of a PyPI upload (`-1` means no limits, format `1000`, `1 MB`, `1 GiB`) +;LIMIT_SIZE_PYPI = -1 +;; Maximum size of a RPM upload (`-1` means no limits, format `1000`, `1 MB`, `1 GiB`) +;LIMIT_SIZE_RPM = -1 +;; Maximum size of a RubyGems upload (`-1` means no limits, format `1000`, `1 MB`, `1 GiB`) +;LIMIT_SIZE_RUBYGEMS = -1 +;; Maximum size of a Swift upload (`-1` means no limits, format `1000`, `1 MB`, `1 GiB`) +;LIMIT_SIZE_SWIFT = -1 +;; Maximum size of a Vagrant upload (`-1` means no limits, format `1000`, `1 MB`, `1 GiB`) +;LIMIT_SIZE_VAGRANT = -1 +;; Enable RPM re-signing by default. (It will overwrite the old signature ,using v4 format, not compatible with CentOS 6 or older) +;DEFAULT_RPM_SIGN_ENABLED = false + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; default storage for attachments, lfs and avatars +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;[storage] +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; storage type +;STORAGE_TYPE = local + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; repo-archive storage will override storage +;; +;[repo-archive] +;STORAGE_TYPE = local +;; +;; Where your lfs files reside, default is data/lfs. +;PATH = data/repo-archive +;; +;; override the minio base path if storage type is minio +;MINIO_BASE_PATH = repo-archive/ + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; settings for repository archives, will override storage setting +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;[storage.repo-archive] +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; storage type +;STORAGE_TYPE = local + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; lfs storage will override storage +;; +;[lfs] +;STORAGE_TYPE = local +;; +;; Where your lfs files reside, default is data/lfs. +;PATH = data/lfs +;; +;; override the minio base path if storage type is minio +;MINIO_BASE_PATH = lfs/ + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; settings for packages, will override storage setting +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;[storage.packages] +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; storage type +;STORAGE_TYPE = local + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; customize storage +;[storage.my_minio] +;STORAGE_TYPE = minio +;; +;; Minio endpoint to connect only available when STORAGE_TYPE is `minio` +;MINIO_ENDPOINT = localhost:9000 +;; +;; Minio accessKeyID to connect only available when STORAGE_TYPE is `minio`. +;; If not provided and STORAGE_TYPE is `minio`, will search for credentials in known +;; environment variables (MINIO_ACCESS_KEY_ID, AWS_ACCESS_KEY_ID), credentials files +;; (~/.mc/config.json, ~/.aws/credentials), and EC2 instance metadata. +;MINIO_ACCESS_KEY_ID = +;; +;; Minio secretAccessKey to connect only available when STORAGE_TYPE is `minio` +;MINIO_SECRET_ACCESS_KEY = +;; +;; Minio bucket to store the attachments only available when STORAGE_TYPE is `minio` +;MINIO_BUCKET = gitea +;; +;; Url lookup for the minio bucket only available when STORAGE_TYPE is `minio` +;; Available values: auto, dns, path +;; If empty, it behaves the same as "auto" was set +;MINIO_BUCKET_LOOKUP = +;; +;; Minio location to create bucket only available when STORAGE_TYPE is `minio` +;MINIO_LOCATION = us-east-1 +;; +;; Minio enabled ssl only available when STORAGE_TYPE is `minio` +;MINIO_USE_SSL = false +;; +;; Minio skip SSL verification available when STORAGE_TYPE is `minio` +;MINIO_INSECURE_SKIP_VERIFY = false + +;[proxy] +;; Enable the proxy, all requests to external via HTTP will be affected +;PROXY_ENABLED = false +;; Proxy server URL, support http://, https//, socks://, blank will follow environment http_proxy/https_proxy/no_proxy +;PROXY_URL = +;; Comma separated list of host names requiring proxy. Glob patterns (*) are accepted; use ** to match all hosts. +;PROXY_HOSTS = + +; [actions] +;; Enable/Disable actions capabilities +;ENABLED = true +;; Default address to get action plugins, e.g. the default value means downloading from "https://code.forgejo.org/actions/checkout" for "uses: actions/checkout@v3" +;DEFAULT_ACTIONS_URL = https://code.forgejo.org +;; Logs retention time in days. Old logs will be deleted after this period. +;LOG_RETENTION_DAYS = 365 +;; Log compression type, `none` for no compression, `zstd` for zstd compression. +;; Other compression types like `gzip` are NOT supported, since seekable stream is required for log view. +;; It's always recommended to use compression when using local disk as log storage if CPU or memory is not a bottleneck. +;; And for object storage services like S3, which is billed for requests, it would cause extra 2 times of get requests for each log view. +;; But it will save storage space and network bandwidth, so it's still recommended to use compression. +;LOG_COMPRESSION = zstd +;; Default artifact retention time in days. Artifacts could have their own retention periods by setting the `retention-days` option in `actions/upload-artifact` step. +;ARTIFACT_RETENTION_DAYS = 90 +;; Timeout to stop the task which have running status, but haven't been updated for a long time +;ZOMBIE_TASK_TIMEOUT = 10m +;; Timeout to stop the tasks which have running status and continuous updates, but don't end for a long time +;ENDLESS_TASK_TIMEOUT = 3h +;; Timeout to cancel the jobs which have waiting status, but haven't been picked by a runner for a long time +;ABANDONED_JOB_TIMEOUT = 24h +;; Strings committers can place inside a commit message or PR title to skip executing the corresponding actions workflow +;SKIP_WORKFLOW_STRINGS = [skip ci],[ci skip],[no ci],[skip actions],[actions skip] +;; Limit on inputs for manual / workflow_dispatch triggers, default is 10 +;LIMIT_DISPATCH_INPUTS = 10 + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; settings for action logs, will override storage setting +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;[storage.actions_log] +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; storage type +;STORAGE_TYPE = local + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; settings for action artifacts, will override storage setting +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;[storage.actions_artifacts] +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;; storage type +;STORAGE_TYPE = local + diff --git a/forgejo/docker-compose.yml b/forgejo/docker-compose.yml new file mode 100644 index 0000000..1838b55 --- /dev/null +++ b/forgejo/docker-compose.yml @@ -0,0 +1,40 @@ +services: + forgejo: + image: codeberg.org/forgejo/forgejo:9 + container_name: forgejo + restart: unless-stopped + depends_on: + - db + ports: + - 222:22 + volumes: + - data:/data + - ./config/app.ini:/etc/forgejo/app.ini + - /etc/timezone:/etc/timezone:ro + - /etc/localtime:/etc/localtime:ro + environment: + FORGEJO__database__DB_TYPE: postgres + FORGEJO__database__HOST: "forgejo-db" + FORGEJO__database__NAME: forgejo + FORGEJO__database__USER: forgejo + FORGEJO__database__PASSWD: ${DB_PASSWORD} + + db: + image: postgres:14 + container_name: forgejo-db + restart: unless-stopped + volumes: + - data_db:/var/lib/postgresql/data + environment: + POSTGRES_USER: forgejo + POSTGRES_PASSWORD: ${DB_PASSWORD} + POSTGES_DB: forgejo + +volumes: + data: + data_db: + +networks: + default: + name: proxy + external: true diff --git a/homeassistant/config/configuration.yaml b/homeassistant/config/configuration.yaml new file mode 100644 index 0000000..71e0937 --- /dev/null +++ b/homeassistant/config/configuration.yaml @@ -0,0 +1,15 @@ +# Loads default set of integrations. Do not remove. +default_config: + +# Load frontend themes from the themes folder +frontend: + themes: !include_dir_merge_named themes + +automation: !include automations.yaml +script: !include scripts.yaml +scene: !include scenes.yaml + +http: + use_x_forwarded_for: true + trusted_proxies: + - 172.18.0.0/24 diff --git a/homeassistant/docker-compose.yml b/homeassistant/docker-compose.yml new file mode 100644 index 0000000..6b247f1 --- /dev/null +++ b/homeassistant/docker-compose.yml @@ -0,0 +1,17 @@ +services: + homeassistant: + image: ghcr.io/home-assistant/home-assistant:stable + container_name: homeassistant + restart: unless-stopped + volumes: + - config:/config + - ./config/configuration.yaml:/config/configuration.yaml + - /etc/localtime:/etc/localtime:ro + +volumes: + config: + +networks: + default: + name: proxy + external: true diff --git a/homepage/config/.gitignore b/homepage/config/.gitignore new file mode 100644 index 0000000..333c1e9 --- /dev/null +++ b/homepage/config/.gitignore @@ -0,0 +1 @@ +logs/ diff --git a/homepage/config/bookmarks.yaml b/homepage/config/bookmarks.yaml new file mode 100644 index 0000000..f737f52 --- /dev/null +++ b/homepage/config/bookmarks.yaml @@ -0,0 +1,3 @@ +--- +# For configuration options and examples, please see: +# https://gethomepage.dev/configs/bookmarks diff --git a/homepage/config/custom.css b/homepage/config/custom.css new file mode 100644 index 0000000..e69de29 diff --git a/homepage/config/custom.js b/homepage/config/custom.js new file mode 100644 index 0000000..e69de29 diff --git a/homepage/config/docker.yaml b/homepage/config/docker.yaml new file mode 100644 index 0000000..ca5e598 --- /dev/null +++ b/homepage/config/docker.yaml @@ -0,0 +1,10 @@ +--- +# For configuration options and examples, please see: +# https://gethomepage.dev/configs/docker/ + +# my-docker: +# host: 127.0.0.1 +# port: 2375 + +docker: + socket: /var/run/docker.sock diff --git a/homepage/config/kubernetes.yaml b/homepage/config/kubernetes.yaml new file mode 100644 index 0000000..aca6e82 --- /dev/null +++ b/homepage/config/kubernetes.yaml @@ -0,0 +1,2 @@ +--- +# sample kubernetes config diff --git a/homepage/config/services.yaml b/homepage/config/services.yaml new file mode 100644 index 0000000..36bd6a2 --- /dev/null +++ b/homepage/config/services.yaml @@ -0,0 +1,56 @@ +--- +# For configuration options and examples, please see: +# https://gethomepage.dev/configs/services + +- Primary Services: + - Adguard: + href: https://adguard.timo.bmrs.nl/ + description: DNS + icon: adguard-home + server: docker + container: adguardhome + widget: + type: adguard + url: http://adguardhome:3000 + username: xeovalyte + password: {{HOMEPAGE_VAR_ADGUARD_PASSWORD}} + + - Forgejo: + href: https://git.timo.bmrs.nl/ + description: Git + icon: forgejo + server: docker + container: forgejo + + - Uptime Kuma: + href: https://uptime.timo.bmrs.nl/ + description: Uptime monitoring + icon: uptime-kuma + server: docker + container: uptime-kuma + + - Vaultwarden: + href: https://bitwarden.timo.bmrs.nl/ + description: Password manager + icon: bitwarden + server: docker + container: vaultwarden + +- Backend Services: + - Authelia: + description: SSO + icon: authelia + server: docker + container: authelia + + - Caddy: + description: Reverse proxy + icon: caddy + server: docker + container: caddy + + - LLDAP: + description: Active directory + href: https://ldap.timo.bmrs.nl/ + server: docker + container: lldap diff --git a/homepage/config/settings.yaml b/homepage/config/settings.yaml new file mode 100644 index 0000000..84efa90 --- /dev/null +++ b/homepage/config/settings.yaml @@ -0,0 +1,21 @@ +--- +# For configuration options and examples, please see: +# https://gethomepage.dev/configs/settings + +providers: + openweathermap: openweathermapapikey + weatherapi: weatherapiapikey + +title: Xeovalyte's Dashboard +color: slate + +headerStyle: boxedWidgets + +layout: + Primary Services: + style: row + columns: 3 + + Backend Services: + style: row + columns: 4 diff --git a/homepage/config/widgets.yaml b/homepage/config/widgets.yaml new file mode 100644 index 0000000..23c8d61 --- /dev/null +++ b/homepage/config/widgets.yaml @@ -0,0 +1,12 @@ +--- +# For configuration options and examples, please see: +# https://gethomepage.dev/configs/service-widgets + +- resources: + cpu: true + memory: true + disk: / + +- search: + provider: duckduckgo + target: _blank diff --git a/homepage/docker-compose.yml b/homepage/docker-compose.yml new file mode 100644 index 0000000..759fb6c --- /dev/null +++ b/homepage/docker-compose.yml @@ -0,0 +1,19 @@ +services: + homepage: + image: ghcr.io/gethomepage/homepage:latest + container_name: homepage + restart: unless-stopped + volumes: + - ./config:/app/config + - logs:/app/config/logs + - /run/user/1000/docker.sock:/var/run/docker.sock + environment: + HOMEPAGE_VAR_ADGUARD_PASSWORD: $ADGUARD_PASSWORD + +volumes: + logs: + +networks: + default: + name: proxy + external: true diff --git a/immich/docker-compose.yml b/immich/docker-compose.yml new file mode 100644 index 0000000..41a0af1 --- /dev/null +++ b/immich/docker-compose.yml @@ -0,0 +1,78 @@ +services: + immich: + image: ghcr.io/immich-app/immich-server:release + container_name: immich + restart: unless-stopped + volumes: + - data:/usr/src/app/upload + - /etc/localtime:/etc/localtime:ro + environment: + DB_HOSTNAME: "immich-db" + env_file: + - .env + depends_on: + - redis + - db + + immich-machine-learning: + image: ghcr.io/immich-app/immich-machine-learning:release + container_name: immich-machine-learning + restart: unless-stopped + volumes: + - cache:/cache + env_file: + - .env + + redis: + image: docker.io/redis:6.2-alpine@sha256:2ba50e1ac3a0ea17b736ce9db2b0a9f6f8b85d4c27d5f5accc6a416d8f42c6d5 + container_name: immich-redis + restart: unless-stopped + healthcheck: + test: redis-cli ping || exit 1 + volumes: + - data_redis:/data + + db: + image: docker.io/tensorchord/pgvecto-rs:pg14-v0.2.0@sha256:90724186f0a3517cf6914295b5ab410db9ce23190a2d9d0b9dd6463e3fa298f0 + container_name: immich-db + restart: unless-stopped + volumes: + # Do not edit the next line. If you want to change the database storage location on your system, edit the value of DB_DATA_LOCATION in the .env file + - data_db:/var/lib/postgresql/data + healthcheck: + test: pg_isready --dbname='${DB_DATABASE_NAME}' --username='${DB_USERNAME}' || exit 1; Chksum="$$(psql --dbname='${DB_DATABASE_NAME}' --username='${DB_USERNAME}' --tuples-only --no-align --command='SELECT COALESCE(SUM(checksum_failures), 0) FROM pg_stat_database')"; echo "checksum failure count is $$Chksum"; [ "$$Chksum" = '0' ] || exit 1 + interval: 5m + start_interval: 30s + start_period: 5m + command: + [ + 'postgres', + '-c', + 'shared_preload_libraries=vectors.so', + '-c', + 'search_path="$$user", public, vectors', + '-c', + 'logging_collector=on', + '-c', + 'max_wal_size=2GB', + '-c', + 'shared_buffers=512MB', + '-c', + 'wal_compression=on', + ] + environment: + POSTGRES_PASSWORD: ${DB_PASSWORD} + POSTGRES_USER: ${DB_USERNAME} + POSTGRES_DB: ${DB_DATABASE_NAME} + POSTGRES_INITDB_ARGS: '--data-checksums' + +volumes: + data: + data_db: + data_redis: + cache: + +networks: + default: + name: proxy + external: true diff --git a/nextcloud/README.md b/nextcloud/README.md new file mode 100644 index 0000000..5895975 --- /dev/null +++ b/nextcloud/README.md @@ -0,0 +1,4 @@ +# Nextcloud + +1. Configure environment variables +2. Update office configuration diff --git a/nextcloud/docker-compose.yml b/nextcloud/docker-compose.yml new file mode 100644 index 0000000..c770010 --- /dev/null +++ b/nextcloud/docker-compose.yml @@ -0,0 +1,54 @@ +services: + nextcloud: + image: nextcloud:apache + container_name: nextcloud + restart: unless-stopped + volumes: + - data:/var/www/html + environment: + POSTGRES_HOST: nextcloud-db + POSTGRES_PASSWORD: ${POSTGRES_PASSWORD} + POSTGRES_DB: nextcloud + POSTGRES_USER: nextcloud + REDIS_HOST: nextcloud-redis + TRUSTED_PROXIES: "172.23.0.0/24" + depends_on: + - db + - redis + + db: + image: postgres:16 + container_name: nextcloud-db + restart: unless-stopped + volumes: + - data_db:/var/lib/postgresql/data + environment: + POSTGRES_PASSWORD: ${POSTGRES_PASSWORD} + POSTGRES_DB: nextcloud + POSTGRES_USER: nextcloud + + redis: + image: redis:alpine + container_name: nextcloud-redis + restart: unless-stopped + volumes: + - data_redis:/data + + office: + image: collabora/code + container_name: nextcloud-office + restart: unless-stopped + environment: + DOMAIN: "cloud.timo.bmrs.nl" + extra_params: "--o:ssl.enable=false --o:ssl.termination=true" + + +volumes: + data: + data_db: + data_redis: + +networks: + default: + name: proxy + external: true diff --git a/paperless-ngx/README.md b/paperless-ngx/README.md new file mode 100644 index 0000000..ee4f7ec --- /dev/null +++ b/paperless-ngx/README.md @@ -0,0 +1,3 @@ +# Paperless NGX +- Create super user: `docker compose exec paperless-ngx python3 manage.py createsuperuser` +- Follow [Paperless wiki](https://www.authelia.com/integration/openid-connect/paperless/) for configuring oauth diff --git a/paperless-ngx/docker-compose.yml b/paperless-ngx/docker-compose.yml new file mode 100644 index 0000000..571e87c --- /dev/null +++ b/paperless-ngx/docker-compose.yml @@ -0,0 +1,50 @@ +services: + paperless-ngx: + image: ghcr.io/paperless-ngx/paperless-ngx:latest + container_name: paperless-ngx + restart: unless-stopped + depends_on: + - broker + - db + volumes: + - data:/usr/src/paperless/data + - media:/usr/src/paperless/media + environment: + PAPERLESS_REDIS: redis://paperless-ngx-broker:6379 + PAPERLESS_DBHOST: paperless-ngx-db + PAPERLESS_DBPASS: ${POSTGRES_PASSWORD} + PAPERLESS_URL: https://paperless.timo.bmrs.nl + + PAPERLESS_DISABLE_REGULAR_LOGIN: true + PAPERLESS_APPS: allauth.socialaccount.providers.openid_connect + PAPERLESS_SOCIALACCOUNT_PROVIDERS: ${PAPERLESS_SOCIALACCOUNT_PROVIDERS} + + broker: + image: docker.io/library/redis:7 + container_name: paperless-ngx-broker + restart: unless-stopped + volumes: + - data_redis:/data + + db: + image: docker.io/library/postgres:16 + container_name: paperless-ngx-db + restart: unless-stopped + volumes: + - data_db:/var/lib/postgresql/data + environment: + POSTGRES_DB: paperless + POSTGRES_USER: paperless + POSTGRES_PASSWORD: ${POSTGRES_PASSWORD} + + +volumes: + data: + data_db: + data_redis: + media: + +networks: + default: + name: proxy + external: true diff --git a/searxng/config/settings.yml b/searxng/config/settings.yml new file mode 100644 index 0000000..9c7004c --- /dev/null +++ b/searxng/config/settings.yml @@ -0,0 +1,2493 @@ +general: + # Debug mode, only for development. Is overwritten by ${SEARXNG_DEBUG} + debug: false + # displayed name + instance_name: "searxng" + # For example: https://example.com/privacy + privacypolicy_url: false + # use true to use your own donation page written in searx/info/en/donate.md + # use false to disable the donation link + donation_url: false + # mailto:contact@example.com + contact_url: false + # record stats + enable_metrics: true + +brand: + new_issue_url: https://github.com/searxng/searxng/issues/new + docs_url: https://docs.searxng.org/ + public_instances: https://searx.space + wiki_url: https://github.com/searxng/searxng/wiki + issue_url: https://github.com/searxng/searxng/issues + # custom: + # maintainer: "Jon Doe" + # # Custom entries in the footer: [title]: [link] + # links: + # Uptime: https://uptime.searxng.org/history/darmarit-org + # About: "https://searxng.org" + +search: + # Filter results. 0: None, 1: Moderate, 2: Strict + safe_search: 0 + # Existing autocomplete backends: "dbpedia", "duckduckgo", "google", "yandex", "mwmbl", + # "seznam", "startpage", "stract", "swisscows", "qwant", "wikipedia" - leave blank to turn it off + # by default. + autocomplete: "duckduckgo" + # minimun characters to type before autocompleter starts + autocomplete_min: 4 + # backend for the favicon near URL in search results. + # Available resolvers: "allesedv", "duckduckgo", "google", "yandex" - leave blank to turn it off by default. + favicon_resolver: "" + # Default search language - leave blank to detect from browser information or + # use codes from 'languages.py' + default_lang: "auto" + # max_page: 0 # if engine supports paging, 0 means unlimited numbers of pages + # Available languages + languages: + - en-US + - nl-NL + # ban time in seconds after engine errors + ban_time_on_fail: 5 + # max ban time in seconds after engine errors + max_ban_time_on_fail: 120 + suspended_times: + # Engine suspension time after error (in seconds; set to 0 to disable) + # For error "Access denied" and "HTTP error [402, 403]" + SearxEngineAccessDenied: 86400 + # For error "CAPTCHA" + SearxEngineCaptcha: 86400 + # For error "Too many request" and "HTTP error 429" + SearxEngineTooManyRequests: 3600 + # Cloudflare CAPTCHA + cf_SearxEngineCaptcha: 1296000 + cf_SearxEngineAccessDenied: 86400 + # ReCAPTCHA + recaptcha_SearxEngineCaptcha: 604800 + + # remove format to deny access, use lower case. + # formats: [html, csv, json, rss] + formats: + - html + +server: + # Is overwritten by ${SEARXNG_PORT} and ${SEARXNG_BIND_ADDRESS} + port: 8888 + bind_address: "127.0.0.1" + # public URL of the instance, to ensure correct inbound links. Is overwritten + # by ${SEARXNG_URL}. + base_url: https://search.timo.bmrs.nl/ # "http://example.com/location" + # rate limit the number of request on the instance, block some bots. + # Is overwritten by ${SEARXNG_LIMITER} + limiter: false + # enable features designed only for public instances. + # Is overwritten by ${SEARXNG_PUBLIC_INSTANCE} + public_instance: false + + # If your instance owns a /etc/searxng/settings.yml file, then set the following + # values there. + + secret_key: "" # Is overwritten by ${SEARXNG_SECRET} + # Proxy image results through SearXNG. Is overwritten by ${SEARXNG_IMAGE_PROXY} + image_proxy: false + # 1.0 and 1.1 are supported + http_protocol_version: "1.0" + # POST queries are more secure as they don't show up in history but may cause + # problems when using Firefox containers + method: "POST" + default_http_headers: + X-Content-Type-Options: nosniff + X-Download-Options: noopen + X-Robots-Tag: noindex, nofollow + Referrer-Policy: no-referrer + +redis: + # URL to connect redis database. Is overwritten by ${SEARXNG_REDIS_URL}. + # https://docs.searxng.org/admin/settings/settings_redis.html#settings-redis + url: false + +ui: + # Custom static path - leave it blank if you didn't change + static_path: "" + # Is overwritten by ${SEARXNG_STATIC_USE_HASH}. + static_use_hash: false + # Custom templates path - leave it blank if you didn't change + templates_path: "" + # query_in_title: When true, the result page's titles contains the query + # it decreases the privacy, since the browser can records the page titles. + query_in_title: false + # infinite_scroll: When true, automatically loads the next page when scrolling to bottom of the current page. + infinite_scroll: false + # ui theme + default_theme: simple + # center the results ? + center_alignment: false + # URL prefix of the internet archive, don't forget trailing slash (if needed). + # cache_url: "https://webcache.googleusercontent.com/search?q=cache:" + # Default interface locale - leave blank to detect from browser information or + # use codes from the 'locales' config section + default_locale: "" + # Open result links in a new tab by default + # results_on_new_tab: false + theme_args: + # style of simple theme: auto, light, dark + simple_style: auto + # Perform search immediately if a category selected. + # Disable to select multiple categories at once and start the search manually. + search_on_category_select: true + # Hotkeys: default or vim + hotkeys: default + +# Lock arbitrary settings on the preferences page. To find the ID of the user +# setting you want to lock, check the ID of the form on the page "preferences". +# +# preferences: +# lock: +# - language +# - autocomplete +# - method +# - query_in_title + +# searx supports result proxification using an external service: +# https://github.com/asciimoo/morty uncomment below section if you have running +# morty proxy the key is base64 encoded (keep the !!binary notation) +# Note: since commit af77ec3, morty accepts a base64 encoded key. +# +# result_proxy: +# url: http://127.0.0.1:3000/ +# # the key is a base64 encoded string, the YAML !!binary prefix is optional +# key: !!binary "your_morty_proxy_key" +# # [true|false] enable the "proxy" button next to each result +# proxify_results: true + +# communication with search engines +# +outgoing: + # default timeout in seconds, can be override by engine + request_timeout: 3.0 + # the maximum timeout in seconds + # max_request_timeout: 10.0 + # suffix of searx_useragent, could contain information like an email address + # to the administrator + useragent_suffix: "" + # The maximum number of concurrent connections that may be established. + pool_connections: 100 + # Allow the connection pool to maintain keep-alive connections below this + # point. + pool_maxsize: 20 + # See https://www.python-httpx.org/http2/ + enable_http2: true + # uncomment below section if you want to use a custom server certificate + # see https://www.python-httpx.org/advanced/#changing-the-verification-defaults + # and https://www.python-httpx.org/compatibility/#ssl-configuration + # verify: ~/.mitmproxy/mitmproxy-ca-cert.cer + # + # uncomment below section if you want to use a proxyq see: SOCKS proxies + # https://2.python-requests.org/en/latest/user/advanced/#proxies + # are also supported: see + # https://2.python-requests.org/en/latest/user/advanced/#socks + # + # proxies: + # all://: + # - http://proxy1:8080 + # - http://proxy2:8080 + # + # using_tor_proxy: true + # + # Extra seconds to add in order to account for the time taken by the proxy + # + # extra_proxy_timeout: 10 + # + # uncomment below section only if you have more than one network interface + # which can be the source of outgoing search requests + # + # source_ips: + # - 1.1.1.1 + # - 1.1.1.2 + # - fe80::/126 + +# External plugin configuration, for more details see +# https://docs.searxng.org/dev/plugins.html +# +# plugins: +# - plugin1 +# - plugin2 +# - ... + +# Comment or un-comment plugin to activate / deactivate by default. +# +# enabled_plugins: +# # these plugins are enabled if nothing is configured .. +# - 'Basic Calculator' +# - 'Hash plugin' +# - 'Self Information' +# - 'Tracker URL remover' +# - 'Ahmia blacklist' # activation depends on outgoing.using_tor_proxy +# # these plugins are disabled if nothing is configured .. +# - 'Hostnames plugin' # see 'hostnames' configuration below +# - 'Open Access DOI rewrite' +# - 'Tor check plugin' +# # Read the docs before activate: auto-detection of the language could be +# # detrimental to users expectations / users can activate the plugin in the +# # preferences if they want. +# - 'Autodetect search language' + +# Configuration of the "Hostnames plugin": +# +# hostnames: +# replace: +# '(.*\.)?youtube\.com$': 'invidious.example.com' +# '(.*\.)?youtu\.be$': 'invidious.example.com' +# '(.*\.)?reddit\.com$': 'teddit.example.com' +# '(.*\.)?redd\.it$': 'teddit.example.com' +# '(www\.)?twitter\.com$': 'nitter.example.com' +# remove: +# - '(.*\.)?facebook.com$' +# low_priority: +# - '(.*\.)?google(\..*)?$' +# high_priority: +# - '(.*\.)?wikipedia.org$' +# +# Alternatively you can use external files for configuring the "Hostnames plugin": +# +# hostnames: +# replace: 'rewrite-hosts.yml' +# +# Content of 'rewrite-hosts.yml' (place the file in the same directory as 'settings.yml'): +# '(.*\.)?youtube\.com$': 'invidious.example.com' +# '(.*\.)?youtu\.be$': 'invidious.example.com' +# + +checker: + # disable checker when in debug mode + off_when_debug: true + + # use "scheduling: false" to disable scheduling + # scheduling: interval or int + + # to activate the scheduler: + # * uncomment "scheduling" section + # * add "cache2 = name=searxngcache,items=2000,blocks=2000,blocksize=4096,bitmap=1" + # to your uwsgi.ini + + # scheduling: + # start_after: [300, 1800] # delay to start the first run of the checker + # every: [86400, 90000] # how often the checker runs + + # additional tests: only for the YAML anchors (see the engines section) + # + additional_tests: + rosebud: &test_rosebud + matrix: + query: rosebud + lang: en + result_container: + - not_empty + - ['one_title_contains', 'citizen kane'] + test: + - unique_results + + android: &test_android + matrix: + query: ['android'] + lang: ['en', 'de', 'fr', 'zh-CN'] + result_container: + - not_empty + - ['one_title_contains', 'google'] + test: + - unique_results + + # tests: only for the YAML anchors (see the engines section) + tests: + infobox: &tests_infobox + infobox: + matrix: + query: ["linux", "new york", "bbc"] + result_container: + - has_infobox + +categories_as_tabs: + general: + images: + videos: + news: + map: + music: + it: + science: + files: + social media: + +engines: + - name: 9gag + engine: 9gag + shortcut: 9g + disabled: true + + - name: alpine linux packages + engine: alpinelinux + disabled: true + shortcut: alp + + - name: annas archive + engine: annas_archive + disabled: true + shortcut: aa + + # - name: annas articles + # engine: annas_archive + # shortcut: aaa + # # https://docs.searxng.org/dev/engines/online/annas_archive.html + # aa_content: 'magazine' # book_fiction, book_unknown, book_nonfiction, book_comic + # aa_ext: 'pdf' # pdf, epub, .. + # aa_sort: oldest' # newest, oldest, largest, smallest + + - name: apk mirror + engine: apkmirror + timeout: 4.0 + shortcut: apkm + disabled: true + + - name: apple app store + engine: apple_app_store + shortcut: aps + disabled: true + + # Requires Tor + - name: ahmia + engine: ahmia + categories: onions + enable_http: true + shortcut: ah + + - name: anaconda + engine: xpath + paging: true + first_page_num: 0 + search_url: https://anaconda.org/search?q={query}&page={pageno} + results_xpath: //tbody/tr + url_xpath: ./td/h5/a[last()]/@href + title_xpath: ./td/h5 + content_xpath: ./td[h5]/text() + categories: it + timeout: 6.0 + shortcut: conda + disabled: true + + - name: arch linux wiki + engine: archlinux + shortcut: al + + - name: artic + engine: artic + shortcut: arc + timeout: 4.0 + + - name: arxiv + engine: arxiv + shortcut: arx + timeout: 4.0 + + - name: ask + engine: ask + shortcut: ask + disabled: true + + # tmp suspended: dh key too small + # - name: base + # engine: base + # shortcut: bs + + - name: bandcamp + engine: bandcamp + shortcut: bc + categories: music + + - name: wikipedia + engine: wikipedia + shortcut: wp + # add "list" to the array to get results in the results list + display_type: ["infobox"] + base_url: 'https://{language}.wikipedia.org/' + categories: [general] + + - name: bilibili + engine: bilibili + shortcut: bil + disabled: true + + - name: bing + engine: bing + shortcut: bi + disabled: true + + - name: bing images + engine: bing_images + shortcut: bii + + - name: bing news + engine: bing_news + shortcut: bin + + - name: bing videos + engine: bing_videos + shortcut: biv + + - name: bitbucket + engine: xpath + paging: true + search_url: https://bitbucket.org/repo/all/{pageno}?name={query} + url_xpath: //article[@class="repo-summary"]//a[@class="repo-link"]/@href + title_xpath: //article[@class="repo-summary"]//a[@class="repo-link"] + content_xpath: //article[@class="repo-summary"]/p + categories: [it, repos] + timeout: 4.0 + disabled: true + shortcut: bb + about: + website: https://bitbucket.org/ + wikidata_id: Q2493781 + official_api_documentation: https://developer.atlassian.com/bitbucket + use_official_api: false + require_api_key: false + results: HTML + + - name: bpb + engine: bpb + shortcut: bpb + disabled: true + + - name: btdigg + engine: btdigg + shortcut: bt + disabled: true + + - name: openverse + engine: openverse + categories: images + shortcut: opv + + - name: media.ccc.de + engine: ccc_media + shortcut: c3tv + # We don't set language: de here because media.ccc.de is not just + # for a German audience. It contains many English videos and many + # German videos have English subtitles. + disabled: true + + - name: chefkoch + engine: chefkoch + shortcut: chef + # to show premium or plus results too: + # skip_premium: false + + - name: cloudflareai + engine: cloudflareai + shortcut: cfai + # get api token and accont id from https://developers.cloudflare.com/workers-ai/get-started/rest-api/ + cf_account_id: 'your_cf_accout_id' + cf_ai_api: 'your_cf_api' + # create your ai gateway by https://developers.cloudflare.com/ai-gateway/get-started/creating-gateway/ + cf_ai_gateway: 'your_cf_ai_gateway_name' + # find the model name from https://developers.cloudflare.com/workers-ai/models/#text-generation + cf_ai_model: 'ai_model_name' + # custom your preferences + # cf_ai_model_display_name: 'Cloudflare AI' + # cf_ai_model_assistant: 'prompts_for_assistant_role' + # cf_ai_model_system: 'prompts_for_system_role' + timeout: 30 + disabled: true + + # - name: core.ac.uk + # engine: core + # categories: science + # shortcut: cor + # # get your API key from: https://core.ac.uk/api-keys/register/ + # api_key: 'unset' + + - name: cppreference + engine: cppreference + shortcut: cpp + paging: false + disabled: true + + - name: crossref + engine: crossref + shortcut: cr + timeout: 30 + disabled: true + + - name: crowdview + engine: json_engine + shortcut: cv + categories: general + paging: false + search_url: https://crowdview-next-js.onrender.com/api/search-v3?query={query} + results_query: results + url_query: link + title_query: title + content_query: snippet + disabled: true + about: + website: https://crowdview.ai/ + + - name: yep + engine: yep + shortcut: yep + categories: general + search_type: web + timeout: 5 + disabled: true + + - name: yep images + engine: yep + shortcut: yepi + categories: images + search_type: images + disabled: true + + - name: yep news + engine: yep + shortcut: yepn + categories: news + search_type: news + disabled: true + + - name: curlie + engine: xpath + shortcut: cl + categories: general + disabled: true + paging: true + lang_all: '' + search_url: https://curlie.org/search?q={query}&lang={lang}&start={pageno}&stime=92452189 + page_size: 20 + results_xpath: //div[@id="site-list-content"]/div[@class="site-item"] + url_xpath: ./div[@class="title-and-desc"]/a/@href + title_xpath: ./div[@class="title-and-desc"]/a/div + content_xpath: ./div[@class="title-and-desc"]/div[@class="site-descr"] + about: + website: https://curlie.org/ + wikidata_id: Q60715723 + use_official_api: false + require_api_key: false + results: HTML + + - name: currency + engine: currency_convert + categories: general + shortcut: cc + + - name: deezer + engine: deezer + shortcut: dz + disabled: true + + - name: destatis + engine: destatis + shortcut: destat + disabled: true + + - name: deviantart + engine: deviantart + shortcut: da + timeout: 3.0 + + - name: ddg definitions + engine: duckduckgo_definitions + shortcut: ddd + weight: 2 + disabled: true + tests: *tests_infobox + + # cloudflare protected + # - name: digbt + # engine: digbt + # shortcut: dbt + # timeout: 6.0 + # disabled: true + + - name: docker hub + engine: docker_hub + shortcut: dh + categories: [it, packages] + + - name: encyclosearch + engine: json_engine + shortcut: es + categories: general + paging: true + search_url: https://encyclosearch.org/encyclosphere/search?q={query}&page={pageno}&resultsPerPage=15 + results_query: Results + url_query: SourceURL + title_query: Title + content_query: Description + disabled: true + about: + website: https://encyclosearch.org + official_api_documentation: https://encyclosearch.org/docs/#/rest-api + use_official_api: true + require_api_key: false + results: JSON + + - name: erowid + engine: xpath + paging: true + first_page_num: 0 + page_size: 30 + search_url: https://www.erowid.org/search.php?q={query}&s={pageno} + url_xpath: //dl[@class="results-list"]/dt[@class="result-title"]/a/@href + title_xpath: //dl[@class="results-list"]/dt[@class="result-title"]/a/text() + content_xpath: //dl[@class="results-list"]/dd[@class="result-details"] + categories: [] + shortcut: ew + disabled: true + about: + website: https://www.erowid.org/ + wikidata_id: Q1430691 + official_api_documentation: + use_official_api: false + require_api_key: false + results: HTML + + # - name: elasticsearch + # shortcut: es + # engine: elasticsearch + # base_url: http://localhost:9200 + # username: elastic + # password: changeme + # index: my-index + # # available options: match, simple_query_string, term, terms, custom + # query_type: match + # # if query_type is set to custom, provide your query here + # #custom_query_json: {"query":{"match_all": {}}} + # #show_metadata: false + # disabled: true + + - name: wikidata + engine: wikidata + shortcut: wd + timeout: 3.0 + weight: 2 + # add "list" to the array to get results in the results list + display_type: ["infobox"] + tests: *tests_infobox + categories: [general] + + - name: duckduckgo + engine: duckduckgo + shortcut: ddg + + - name: duckduckgo images + engine: duckduckgo_extra + categories: [images, web] + ddg_category: images + shortcut: ddi + disabled: true + + - name: duckduckgo videos + engine: duckduckgo_extra + categories: [videos, web] + ddg_category: videos + shortcut: ddv + disabled: true + + - name: duckduckgo news + engine: duckduckgo_extra + categories: [news, web] + ddg_category: news + shortcut: ddn + disabled: true + + - name: duckduckgo weather + engine: duckduckgo_weather + shortcut: ddw + disabled: true + + - name: apple maps + engine: apple_maps + shortcut: apm + disabled: true + timeout: 5.0 + + - name: emojipedia + engine: emojipedia + timeout: 4.0 + shortcut: em + disabled: true + + - name: tineye + engine: tineye + shortcut: tin + timeout: 9.0 + disabled: true + + - name: etymonline + engine: xpath + paging: true + search_url: https://etymonline.com/search?page={pageno}&q={query} + url_xpath: //a[contains(@class, "word__name--")]/@href + title_xpath: //a[contains(@class, "word__name--")] + content_xpath: //section[contains(@class, "word__defination")] + first_page_num: 1 + shortcut: et + categories: [dictionaries] + about: + website: https://www.etymonline.com/ + wikidata_id: Q1188617 + official_api_documentation: + use_official_api: false + require_api_key: false + results: HTML + + # - name: ebay + # engine: ebay + # shortcut: eb + # base_url: 'https://www.ebay.com' + # disabled: true + # timeout: 5 + + - name: 1x + engine: www1x + shortcut: 1x + timeout: 3.0 + disabled: true + + - name: fdroid + engine: fdroid + shortcut: fd + disabled: true + + - name: findthatmeme + engine: findthatmeme + shortcut: ftm + disabled: true + + - name: flickr + categories: images + shortcut: fl + # You can use the engine using the official stable API, but you need an API + # key, see: https://www.flickr.com/services/apps/create/ + # engine: flickr + # api_key: 'apikey' # required! + # Or you can use the html non-stable engine, activated by default + engine: flickr_noapi + + - name: free software directory + engine: mediawiki + shortcut: fsd + categories: [it, software wikis] + base_url: https://directory.fsf.org/ + search_type: title + timeout: 5.0 + disabled: true + about: + website: https://directory.fsf.org/ + wikidata_id: Q2470288 + + # - name: freesound + # engine: freesound + # shortcut: fnd + # disabled: true + # timeout: 15.0 + # API key required, see: https://freesound.org/docs/api/overview.html + # api_key: MyAPIkey + + - name: frinkiac + engine: frinkiac + shortcut: frk + disabled: true + + - name: fyyd + engine: fyyd + shortcut: fy + timeout: 8.0 + disabled: true + + - name: geizhals + engine: geizhals + shortcut: geiz + disabled: true + + - name: genius + engine: genius + shortcut: gen + + - name: gentoo + engine: mediawiki + shortcut: ge + categories: ["it", "software wikis"] + base_url: "https://wiki.gentoo.org/" + api_path: "api.php" + search_type: text + timeout: 10 + + - name: gitlab + engine: gitlab + base_url: https://gitlab.com + shortcut: gl + disabled: true + about: + website: https://gitlab.com/ + wikidata_id: Q16639197 + + # - name: gnome + # engine: gitlab + # base_url: https://gitlab.gnome.org + # shortcut: gn + # about: + # website: https://gitlab.gnome.org + # wikidata_id: Q44316 + + - name: github + engine: github + shortcut: gh + + - name: codeberg + # https://docs.searxng.org/dev/engines/online/gitea.html + engine: gitea + base_url: https://codeberg.org + shortcut: cb + disabled: true + + - name: gitea.com + engine: gitea + base_url: https://gitea.com + shortcut: gitea + disabled: true + + - name: goodreads + engine: goodreads + shortcut: good + timeout: 4.0 + disabled: true + + - name: google + engine: google + shortcut: go + # additional_tests: + # android: *test_android + + - name: google images + engine: google_images + shortcut: goi + # additional_tests: + # android: *test_android + # dali: + # matrix: + # query: ['Dali Christ'] + # lang: ['en', 'de', 'fr', 'zh-CN'] + # result_container: + # - ['one_title_contains', 'Salvador'] + + - name: google news + engine: google_news + shortcut: gon + # additional_tests: + # android: *test_android + + - name: google videos + engine: google_videos + shortcut: gov + # additional_tests: + # android: *test_android + + - name: google scholar + engine: google_scholar + shortcut: gos + + - name: google play apps + engine: google_play + categories: [files, apps] + shortcut: gpa + play_categ: apps + disabled: true + + - name: google play movies + engine: google_play + categories: videos + shortcut: gpm + play_categ: movies + disabled: true + + - name: material icons + engine: material_icons + categories: images + shortcut: mi + disabled: true + + - name: habrahabr + engine: xpath + paging: true + search_url: https://habr.com/en/search/page{pageno}/?q={query} + results_xpath: //article[contains(@class, "tm-articles-list__item")] + url_xpath: .//a[@class="tm-title__link"]/@href + title_xpath: .//a[@class="tm-title__link"] + content_xpath: .//div[contains(@class, "article-formatted-body")] + categories: it + timeout: 4.0 + disabled: true + shortcut: habr + about: + website: https://habr.com/ + wikidata_id: Q4494434 + official_api_documentation: https://habr.com/en/docs/help/api/ + use_official_api: false + require_api_key: false + results: HTML + + - name: hackernews + engine: hackernews + shortcut: hn + disabled: true + + - name: hex + engine: hex + shortcut: hex + disabled: true + # Valid values: name inserted_at updated_at total_downloads recent_downloads + sort_criteria: "recent_downloads" + page_size: 10 + + - name: crates.io + engine: crates + shortcut: crates + disabled: true + timeout: 6.0 + + - name: hoogle + engine: xpath + search_url: https://hoogle.haskell.org/?hoogle={query} + results_xpath: '//div[@class="result"]' + title_xpath: './/div[@class="ans"]//a' + url_xpath: './/div[@class="ans"]//a/@href' + content_xpath: './/div[@class="from"]' + page_size: 20 + categories: [it, packages] + shortcut: ho + about: + website: https://hoogle.haskell.org/ + wikidata_id: Q34010 + official_api_documentation: https://hackage.haskell.org/api + use_official_api: false + require_api_key: false + results: JSON + + - name: imdb + engine: imdb + shortcut: imdb + timeout: 6.0 + disabled: true + + - name: imgur + engine: imgur + shortcut: img + disabled: true + + - name: ina + engine: ina + shortcut: in + timeout: 6.0 + disabled: true + + - name: invidious + engine: invidious + # Instanes will be selected randomly, see https://api.invidious.io/ for + # instances that are stable (good uptime) and close to you. + base_url: + - https://invidious.io.lol + - https://invidious.fdn.fr + - https://yt.artemislena.eu + - https://invidious.tiekoetter.com + - https://invidious.flokinet.to + - https://vid.puffyan.us + - https://invidious.privacydev.net + - https://inv.tux.pizza + shortcut: iv + timeout: 3.0 + disabled: true + + - name: jisho + engine: jisho + shortcut: js + timeout: 3.0 + disabled: true + + - name: kickass + engine: kickass + base_url: + - https://kickasstorrents.to + - https://kickasstorrents.cr + - https://kickasstorrent.cr + - https://kickass.sx + - https://kat.am + shortcut: kc + timeout: 4.0 + + - name: lemmy communities + engine: lemmy + lemmy_type: Communities + shortcut: leco + + - name: lemmy users + engine: lemmy + network: lemmy communities + lemmy_type: Users + shortcut: leus + + - name: lemmy posts + engine: lemmy + network: lemmy communities + lemmy_type: Posts + shortcut: lepo + + - name: lemmy comments + engine: lemmy + network: lemmy communities + lemmy_type: Comments + shortcut: lecom + + - name: library genesis + engine: xpath + # search_url: https://libgen.is/search.php?req={query} + search_url: https://libgen.rs/search.php?req={query} + url_xpath: //a[contains(@href,"book/index.php?md5")]/@href + title_xpath: //a[contains(@href,"book/")]/text()[1] + content_xpath: //td/a[1][contains(@href,"=author")]/text() + categories: files + timeout: 7.0 + disabled: true + shortcut: lg + about: + website: https://libgen.fun/ + wikidata_id: Q22017206 + official_api_documentation: + use_official_api: false + require_api_key: false + results: HTML + + - name: z-library + engine: zlibrary + shortcut: zlib + categories: files + timeout: 7.0 + + - name: library of congress + engine: loc + shortcut: loc + categories: images + + - name: libretranslate + engine: libretranslate + # https://github.com/LibreTranslate/LibreTranslate?tab=readme-ov-file#mirrors + base_url: + - https://translate.terraprint.co + - https://trans.zillyhuhn.com + # api_key: abc123 + shortcut: lt + disabled: true + + - name: lingva + engine: lingva + shortcut: lv + # set lingva instance in url, by default it will use the official instance + # url: https://lingva.thedaviddelta.com + + - name: lobste.rs + engine: xpath + search_url: https://lobste.rs/search?q={query}&what=stories&order=relevance + results_xpath: //li[contains(@class, "story")] + url_xpath: .//a[@class="u-url"]/@href + title_xpath: .//a[@class="u-url"] + content_xpath: .//a[@class="domain"] + categories: it + shortcut: lo + timeout: 5.0 + disabled: true + about: + website: https://lobste.rs/ + wikidata_id: Q60762874 + official_api_documentation: + use_official_api: false + require_api_key: false + results: HTML + + - name: mastodon users + engine: mastodon + mastodon_type: accounts + base_url: https://mastodon.social + shortcut: mau + + - name: mastodon hashtags + engine: mastodon + mastodon_type: hashtags + base_url: https://mastodon.social + shortcut: mah + + # - name: matrixrooms + # engine: mrs + # # https://docs.searxng.org/dev/engines/online/mrs.html + # # base_url: https://mrs-api-host + # shortcut: mtrx + # disabled: true + + - name: mdn + shortcut: mdn + engine: json_engine + categories: [it] + paging: true + search_url: https://developer.mozilla.org/api/v1/search?q={query}&page={pageno} + results_query: documents + url_query: mdn_url + url_prefix: https://developer.mozilla.org + title_query: title + content_query: summary + about: + website: https://developer.mozilla.org + wikidata_id: Q3273508 + official_api_documentation: null + use_official_api: false + require_api_key: false + results: JSON + + - name: metacpan + engine: metacpan + shortcut: cpan + disabled: true + number_of_results: 20 + + # - name: meilisearch + # engine: meilisearch + # shortcut: mes + # enable_http: true + # base_url: http://localhost:7700 + # index: my-index + + - name: mixcloud + engine: mixcloud + shortcut: mc + + # MongoDB engine + # Required dependency: pymongo + # - name: mymongo + # engine: mongodb + # shortcut: md + # exact_match_only: false + # host: '127.0.0.1' + # port: 27017 + # enable_http: true + # results_per_page: 20 + # database: 'business' + # collection: 'reviews' # name of the db collection + # key: 'name' # key in the collection to search for + + - name: mozhi + engine: mozhi + base_url: + - https://mozhi.aryak.me + - https://translate.bus-hit.me + - https://nyc1.mz.ggtyler.dev + # mozhi_engine: google - see https://mozhi.aryak.me for supported engines + timeout: 4.0 + shortcut: mz + disabled: true + + - name: mwmbl + engine: mwmbl + # api_url: https://api.mwmbl.org + shortcut: mwm + disabled: true + + - name: npm + engine: npm + shortcut: npm + timeout: 5.0 + disabled: true + + - name: nyaa + engine: nyaa + shortcut: nt + disabled: true + + - name: mankier + engine: json_engine + search_url: https://www.mankier.com/api/v2/mans/?q={query} + results_query: results + url_query: url + title_query: name + content_query: description + categories: it + shortcut: man + about: + website: https://www.mankier.com/ + official_api_documentation: https://www.mankier.com/api + use_official_api: true + require_api_key: false + results: JSON + + # read https://docs.searxng.org/dev/engines/online/mullvad_leta.html + # - name: mullvadleta + # engine: mullvad_leta + # leta_engine: google # choose one of the following: google, brave + # use_cache: true # Only 100 non-cache searches per day, suggested only for private instances + # search_url: https://leta.mullvad.net + # categories: [general, web] + # shortcut: ml + + - name: odysee + engine: odysee + shortcut: od + disabled: true + + - name: openairedatasets + engine: json_engine + paging: true + search_url: https://api.openaire.eu/search/datasets?format=json&page={pageno}&size=10&title={query} + results_query: response/results/result + url_query: metadata/oaf:entity/oaf:result/children/instance/webresource/url/$ + title_query: metadata/oaf:entity/oaf:result/title/$ + content_query: metadata/oaf:entity/oaf:result/description/$ + content_html_to_text: true + categories: "science" + shortcut: oad + timeout: 5.0 + about: + website: https://www.openaire.eu/ + wikidata_id: Q25106053 + official_api_documentation: https://api.openaire.eu/ + use_official_api: false + require_api_key: false + results: JSON + + - name: openairepublications + engine: json_engine + paging: true + search_url: https://api.openaire.eu/search/publications?format=json&page={pageno}&size=10&title={query} + results_query: response/results/result + url_query: metadata/oaf:entity/oaf:result/children/instance/webresource/url/$ + title_query: metadata/oaf:entity/oaf:result/title/$ + content_query: metadata/oaf:entity/oaf:result/description/$ + content_html_to_text: true + categories: science + shortcut: oap + timeout: 5.0 + about: + website: https://www.openaire.eu/ + wikidata_id: Q25106053 + official_api_documentation: https://api.openaire.eu/ + use_official_api: false + require_api_key: false + results: JSON + + - name: openlibrary + engine: openlibrary + shortcut: ol + timeout: 5 + disabled: true + + - name: openmeteo + engine: open_meteo + shortcut: om + disabled: true + + # - name: opensemanticsearch + # engine: opensemantic + # shortcut: oss + # base_url: 'http://localhost:8983/solr/opensemanticsearch/' + + - name: openstreetmap + engine: openstreetmap + shortcut: osm + + - name: openrepos + engine: xpath + paging: true + search_url: https://openrepos.net/search/node/{query}?page={pageno} + url_xpath: //li[@class="search-result"]//h3[@class="title"]/a/@href + title_xpath: //li[@class="search-result"]//h3[@class="title"]/a + content_xpath: //li[@class="search-result"]//div[@class="search-snippet-info"]//p[@class="search-snippet"] + categories: files + timeout: 4.0 + disabled: true + shortcut: or + about: + website: https://openrepos.net/ + wikidata_id: + official_api_documentation: + use_official_api: false + require_api_key: false + results: HTML + + - name: packagist + engine: json_engine + paging: true + search_url: https://packagist.org/search.json?q={query}&page={pageno} + results_query: results + url_query: url + title_query: name + content_query: description + categories: [it, packages] + disabled: true + timeout: 5.0 + shortcut: pack + about: + website: https://packagist.org + wikidata_id: Q108311377 + official_api_documentation: https://packagist.org/apidoc + use_official_api: true + require_api_key: false + results: JSON + + - name: pdbe + engine: pdbe + shortcut: pdb + # Hide obsolete PDB entries. Default is not to hide obsolete structures + # hide_obsolete: false + + - name: photon + engine: photon + shortcut: ph + + - name: pinterest + engine: pinterest + shortcut: pin + + - name: piped + engine: piped + shortcut: ppd + categories: videos + piped_filter: videos + timeout: 3.0 + + # URL to use as link and for embeds + frontend_url: https://srv.piped.video + # Instance will be selected randomly, for more see https://piped-instances.kavin.rocks/ + backend_url: + - https://pipedapi.kavin.rocks + - https://pipedapi-libre.kavin.rocks + - https://pipedapi.adminforge.de + + - name: piped.music + engine: piped + network: piped + shortcut: ppdm + categories: music + piped_filter: music_songs + timeout: 3.0 + + - name: piratebay + engine: piratebay + shortcut: tpb + # You may need to change this URL to a proxy if piratebay is blocked in your + # country + url: https://thepiratebay.org/ + timeout: 3.0 + + - name: pixiv + shortcut: pv + engine: pixiv + disabled: true + inactive: true + pixiv_image_proxies: + - https://pximg.example.org + # A proxy is required to load the images. Hosting an image proxy server + # for Pixiv: + # --> https://pixivfe.pages.dev/hosting-image-proxy-server/ + # Proxies from public instances. Ask the public instances owners if they + # agree to receive traffic from SearXNG! + # --> https://codeberg.org/VnPower/PixivFE#instances + # --> https://github.com/searxng/searxng/pull/3192#issuecomment-1941095047 + # image proxy of https://pixiv.cat + # - https://i.pixiv.cat + # image proxy of https://www.pixiv.pics + # - https://pximg.cocomi.eu.org + # image proxy of https://pixivfe.exozy.me + # - https://pximg.exozy.me + # image proxy of https://pixivfe.ducks.party + # - https://pixiv.ducks.party + # image proxy of https://pixiv.perennialte.ch + # - https://pximg.perennialte.ch + + - name: podcastindex + engine: podcastindex + shortcut: podcast + + # Required dependency: psychopg2 + # - name: postgresql + # engine: postgresql + # database: postgres + # username: postgres + # password: postgres + # limit: 10 + # query_str: 'SELECT * from my_table WHERE my_column = %(query)s' + # shortcut : psql + + - name: presearch + engine: presearch + search_type: search + categories: [general, web] + shortcut: ps + timeout: 4.0 + disabled: true + + - name: presearch images + engine: presearch + network: presearch + search_type: images + categories: [images, web] + timeout: 4.0 + shortcut: psimg + disabled: true + + - name: presearch videos + engine: presearch + network: presearch + search_type: videos + categories: [general, web] + timeout: 4.0 + shortcut: psvid + disabled: true + + - name: presearch news + engine: presearch + network: presearch + search_type: news + categories: [news, web] + timeout: 4.0 + shortcut: psnews + disabled: true + + - name: pub.dev + engine: xpath + shortcut: pd + search_url: https://pub.dev/packages?q={query}&page={pageno} + paging: true + results_xpath: //div[contains(@class,"packages-item")] + url_xpath: ./div/h3/a/@href + title_xpath: ./div/h3/a + content_xpath: ./div/div/div[contains(@class,"packages-description")]/span + categories: [packages, it] + timeout: 3.0 + disabled: true + first_page_num: 1 + about: + website: https://pub.dev/ + official_api_documentation: https://pub.dev/help/api + use_official_api: false + require_api_key: false + results: HTML + + - name: pubmed + engine: pubmed + shortcut: pub + timeout: 3.0 + + - name: pypi + shortcut: pypi + engine: pypi + + - name: qwant + qwant_categ: web + engine: qwant + shortcut: qw + categories: [general, web] + additional_tests: + rosebud: *test_rosebud + + - name: qwant news + qwant_categ: news + engine: qwant + shortcut: qwn + categories: news + network: qwant + + - name: qwant images + qwant_categ: images + engine: qwant + shortcut: qwi + categories: [images, web] + network: qwant + + - name: qwant videos + qwant_categ: videos + engine: qwant + shortcut: qwv + categories: [videos, web] + network: qwant + + # - name: library + # engine: recoll + # shortcut: lib + # base_url: 'https://recoll.example.org/' + # search_dir: '' + # mount_prefix: /export + # dl_prefix: 'https://download.example.org' + # timeout: 30.0 + # categories: files + # disabled: true + + # - name: recoll library reference + # engine: recoll + # base_url: 'https://recoll.example.org/' + # search_dir: reference + # mount_prefix: /export + # dl_prefix: 'https://download.example.org' + # shortcut: libr + # timeout: 30.0 + # categories: files + # disabled: true + + - name: radio browser + engine: radio_browser + shortcut: rb + + - name: reddit + engine: reddit + shortcut: re + page_size: 25 + disabled: true + + - name: right dao + engine: xpath + paging: true + page_size: 12 + search_url: https://rightdao.com/search?q={query}&start={pageno} + results_xpath: //div[contains(@class, "description")] + url_xpath: ../div[contains(@class, "title")]/a/@href + title_xpath: ../div[contains(@class, "title")] + content_xpath: . + categories: general + shortcut: rd + disabled: true + about: + website: https://rightdao.com/ + use_official_api: false + require_api_key: false + results: HTML + + - name: rottentomatoes + engine: rottentomatoes + shortcut: rt + disabled: true + + # Required dependency: redis + # - name: myredis + # shortcut : rds + # engine: redis_server + # exact_match_only: false + # host: '127.0.0.1' + # port: 6379 + # enable_http: true + # password: '' + # db: 0 + + # tmp suspended: bad certificate + # - name: scanr structures + # shortcut: scs + # engine: scanr_structures + # disabled: true + + - name: searchmysite + engine: xpath + shortcut: sms + categories: general + paging: true + search_url: https://searchmysite.net/search/?q={query}&page={pageno} + results_xpath: //div[contains(@class,'search-result')] + url_xpath: .//a[contains(@class,'result-link')]/@href + title_xpath: .//span[contains(@class,'result-title-txt')]/text() + content_xpath: ./p[@id='result-hightlight'] + disabled: true + about: + website: https://searchmysite.net + + - name: sepiasearch + engine: sepiasearch + shortcut: sep + + - name: soundcloud + engine: soundcloud + shortcut: sc + + - name: stackoverflow + engine: stackexchange + shortcut: st + api_site: 'stackoverflow' + categories: [it, q&a] + + - name: askubuntu + engine: stackexchange + shortcut: ubuntu + api_site: 'askubuntu' + categories: [it, q&a] + + - name: internetarchivescholar + engine: internet_archive_scholar + shortcut: ias + timeout: 15.0 + + - name: superuser + engine: stackexchange + shortcut: su + api_site: 'superuser' + categories: [it, q&a] + + - name: discuss.python + engine: discourse + shortcut: dpy + base_url: 'https://discuss.python.org' + categories: [it, q&a] + disabled: true + + - name: caddy.community + engine: discourse + shortcut: caddy + base_url: 'https://caddy.community' + categories: [it, q&a] + disabled: true + + - name: pi-hole.community + engine: discourse + shortcut: pi + categories: [it, q&a] + base_url: 'https://discourse.pi-hole.net' + disabled: true + + - name: searchcode code + engine: searchcode_code + shortcut: scc + disabled: true + + # - name: searx + # engine: searx_engine + # shortcut: se + # instance_urls : + # - http://127.0.0.1:8888/ + # - ... + # disabled: true + + - name: semantic scholar + engine: semantic_scholar + disabled: true + shortcut: se + + # Spotify needs API credentials + # - name: spotify + # engine: spotify + # shortcut: stf + # api_client_id: ******* + # api_client_secret: ******* + + # - name: solr + # engine: solr + # shortcut: slr + # base_url: http://localhost:8983 + # collection: collection_name + # sort: '' # sorting: asc or desc + # field_list: '' # comma separated list of field names to display on the UI + # default_fields: '' # default field to query + # query_fields: '' # query fields + # enable_http: true + + # - name: springer nature + # engine: springer + # # get your API key from: https://dev.springernature.com/signup + # # working API key, for test & debug: "a69685087d07eca9f13db62f65b8f601" + # api_key: 'unset' + # shortcut: springer + # timeout: 15.0 + + - name: startpage + engine: startpage + shortcut: sp + timeout: 6.0 + disabled: true + additional_tests: + rosebud: *test_rosebud + + - name: tokyotoshokan + engine: tokyotoshokan + shortcut: tt + timeout: 6.0 + disabled: true + + - name: solidtorrents + engine: solidtorrents + shortcut: solid + timeout: 4.0 + base_url: + - https://solidtorrents.to + - https://bitsearch.to + + # For this demo of the sqlite engine download: + # https://liste.mediathekview.de/filmliste-v2.db.bz2 + # and unpack into searx/data/filmliste-v2.db + # Query to test: "!demo concert" + # + # - name: demo + # engine: sqlite + # shortcut: demo + # categories: general + # result_template: default.html + # database: searx/data/filmliste-v2.db + # query_str: >- + # SELECT title || ' (' || time(duration, 'unixepoch') || ')' AS title, + # COALESCE( NULLIF(url_video_hd,''), NULLIF(url_video_sd,''), url_video) AS url, + # description AS content + # FROM film + # WHERE title LIKE :wildcard OR description LIKE :wildcard + # ORDER BY duration DESC + + - name: tagesschau + engine: tagesschau + # when set to false, display URLs from Tagesschau, and not the actual source + # (e.g. NDR, WDR, SWR, HR, ...) + use_source_url: true + shortcut: ts + disabled: true + + - name: tmdb + engine: xpath + paging: true + categories: movies + search_url: https://www.themoviedb.org/search?page={pageno}&query={query} + results_xpath: //div[contains(@class,"movie") or contains(@class,"tv")]//div[contains(@class,"card")] + url_xpath: .//div[contains(@class,"poster")]/a/@href + thumbnail_xpath: .//img/@src + title_xpath: .//div[contains(@class,"title")]//h2 + content_xpath: .//div[contains(@class,"overview")] + shortcut: tm + disabled: true + + # Requires Tor + - name: torch + engine: xpath + paging: true + search_url: + http://xmh57jrknzkhv6y3ls3ubitzfqnkrwxhopf5aygthi7d6rplyvk3noyd.onion/cgi-bin/omega/omega?P={query}&DEFAULTOP=and + results_xpath: //table//tr + url_xpath: ./td[2]/a + title_xpath: ./td[2]/b + content_xpath: ./td[2]/small + categories: onions + enable_http: true + shortcut: tch + + # torznab engine lets you query any torznab compatible indexer. Using this + # engine in combination with Jackett opens the possibility to query a lot of + # public and private indexers directly from SearXNG. More details at: + # https://docs.searxng.org/dev/engines/online/torznab.html + # + # - name: Torznab EZTV + # engine: torznab + # shortcut: eztv + # base_url: http://localhost:9117/api/v2.0/indexers/eztv/results/torznab + # enable_http: true # if using localhost + # api_key: xxxxxxxxxxxxxxx + # show_magnet_links: true + # show_torrent_files: false + # # https://github.com/Jackett/Jackett/wiki/Jackett-Categories + # torznab_categories: # optional + # - 2000 + # - 5000 + + # tmp suspended - too slow, too many errors + # - name: urbandictionary + # engine : xpath + # search_url : https://www.urbandictionary.com/define.php?term={query} + # url_xpath : //*[@class="word"]/@href + # title_xpath : //*[@class="def-header"] + # content_xpath: //*[@class="meaning"] + # shortcut: ud + + - name: unsplash + engine: unsplash + shortcut: us + + - name: yandex + engine: yandex + categories: general + search_type: web + shortcut: yd + disabled: true + inactive: true + + - name: yandex images + engine: yandex + categories: images + search_type: images + shortcut: ydi + disabled: true + inactive: true + + - name: yandex music + engine: yandex_music + shortcut: ydm + disabled: true + # https://yandex.com/support/music/access.html + inactive: true + + - name: yahoo + engine: yahoo + shortcut: yh + disabled: true + + - name: yahoo news + engine: yahoo_news + shortcut: yhn + + - name: youtube + shortcut: yt + # You can use the engine using the official stable API, but you need an API + # key See: https://console.developers.google.com/project + # + # engine: youtube_api + # api_key: 'apikey' # required! + # + # Or you can use the html non-stable engine, activated by default + engine: youtube_noapi + + - name: dailymotion + engine: dailymotion + shortcut: dm + + - name: vimeo + engine: vimeo + shortcut: vm + + - name: wiby + engine: json_engine + paging: true + search_url: https://wiby.me/json/?q={query}&p={pageno} + url_query: URL + title_query: Title + content_query: Snippet + categories: [general, web] + shortcut: wib + disabled: true + about: + website: https://wiby.me/ + + - name: wikibooks + engine: mediawiki + weight: 0.5 + shortcut: wb + categories: [general, wikimedia] + base_url: "https://{language}.wikibooks.org/" + search_type: text + disabled: true + about: + website: https://www.wikibooks.org/ + wikidata_id: Q367 + + - name: wikinews + engine: mediawiki + shortcut: wn + categories: [news, wikimedia] + base_url: "https://{language}.wikinews.org/" + search_type: text + srsort: create_timestamp_desc + about: + website: https://www.wikinews.org/ + wikidata_id: Q964 + + - name: wikiquote + engine: mediawiki + weight: 0.5 + shortcut: wq + categories: [general, wikimedia] + base_url: "https://{language}.wikiquote.org/" + search_type: text + disabled: true + additional_tests: + rosebud: *test_rosebud + about: + website: https://www.wikiquote.org/ + wikidata_id: Q369 + + - name: wikisource + engine: mediawiki + weight: 0.5 + shortcut: ws + categories: [general, wikimedia] + base_url: "https://{language}.wikisource.org/" + search_type: text + disabled: true + about: + website: https://www.wikisource.org/ + wikidata_id: Q263 + + - name: wikispecies + engine: mediawiki + shortcut: wsp + categories: [general, science, wikimedia] + base_url: "https://species.wikimedia.org/" + search_type: text + disabled: true + about: + website: https://species.wikimedia.org/ + wikidata_id: Q13679 + tests: + wikispecies: + matrix: + query: "Campbell, L.I. et al. 2011: MicroRNAs" + lang: en + result_container: + - not_empty + - ['one_title_contains', 'Tardigrada'] + test: + - unique_results + + - name: wiktionary + engine: mediawiki + shortcut: wt + categories: [dictionaries, wikimedia] + base_url: "https://{language}.wiktionary.org/" + search_type: text + about: + website: https://www.wiktionary.org/ + wikidata_id: Q151 + + - name: wikiversity + engine: mediawiki + weight: 0.5 + shortcut: wv + categories: [general, wikimedia] + base_url: "https://{language}.wikiversity.org/" + search_type: text + disabled: true + about: + website: https://www.wikiversity.org/ + wikidata_id: Q370 + + - name: wikivoyage + engine: mediawiki + weight: 0.5 + shortcut: wy + categories: [general, wikimedia] + base_url: "https://{language}.wikivoyage.org/" + search_type: text + disabled: true + about: + website: https://www.wikivoyage.org/ + wikidata_id: Q373 + + - name: wikicommons.images + engine: wikicommons + shortcut: wc + categories: images + search_type: images + number_of_results: 10 + + - name: wikicommons.videos + engine: wikicommons + shortcut: wcv + categories: videos + search_type: videos + number_of_results: 10 + + - name: wikicommons.audio + engine: wikicommons + shortcut: wca + categories: music + search_type: audio + number_of_results: 10 + + - name: wikicommons.files + engine: wikicommons + shortcut: wcf + categories: files + search_type: files + number_of_results: 10 + + - name: wolframalpha + shortcut: wa + # You can use the engine using the official stable API, but you need an API + # key. See: https://products.wolframalpha.com/api/ + # + # engine: wolframalpha_api + # api_key: '' + # + # Or you can use the html non-stable engine, activated by default + engine: wolframalpha_noapi + timeout: 6.0 + categories: general + disabled: true + + - name: dictzone + engine: dictzone + shortcut: dc + + - name: mymemory translated + engine: translated + shortcut: tl + timeout: 5.0 + # You can use without an API key, but you are limited to 1000 words/day + # See: https://mymemory.translated.net/doc/usagelimits.php + # api_key: '' + + # Required dependency: mysql-connector-python + # - name: mysql + # engine: mysql_server + # database: mydatabase + # username: user + # password: pass + # limit: 10 + # query_str: 'SELECT * from mytable WHERE fieldname=%(query)s' + # shortcut: mysql + + # Required dependency: mariadb + # - name: mariadb + # engine: mariadb_server + # database: mydatabase + # username: user + # password: pass + # limit: 10 + # query_str: 'SELECT * from mytable WHERE fieldname=%(query)s' + # shortcut: mdb + + - name: 1337x + engine: 1337x + shortcut: 1337x + disabled: true + + - name: duden + engine: duden + shortcut: du + disabled: true + + - name: seznam + shortcut: szn + engine: seznam + disabled: true + + # - name: deepl + # engine: deepl + # shortcut: dpl + # # You can use the engine using the official stable API, but you need an API key + # # See: https://www.deepl.com/pro-api?cta=header-pro-api + # api_key: '' # required! + # timeout: 5.0 + # disabled: true + + - name: mojeek + shortcut: mjk + engine: mojeek + categories: [general, web] + disabled: true + + - name: mojeek images + shortcut: mjkimg + engine: mojeek + categories: [images, web] + search_type: images + paging: false + disabled: true + + - name: mojeek news + shortcut: mjknews + engine: mojeek + categories: [news, web] + search_type: news + paging: false + disabled: true + + - name: moviepilot + engine: moviepilot + shortcut: mp + disabled: true + + - name: naver + shortcut: nvr + categories: [general, web] + engine: xpath + paging: true + search_url: https://search.naver.com/search.naver?where=webkr&sm=osp_hty&ie=UTF-8&query={query}&start={pageno} + url_xpath: //a[@class="link_tit"]/@href + title_xpath: //a[@class="link_tit"] + content_xpath: //div[@class="total_dsc_wrap"]/a + first_page_num: 1 + page_size: 10 + disabled: true + about: + website: https://www.naver.com/ + wikidata_id: Q485639 + official_api_documentation: https://developers.naver.com/docs/nmt/examples/ + use_official_api: false + require_api_key: false + results: HTML + language: ko + + - name: rubygems + shortcut: rbg + engine: xpath + paging: true + search_url: https://rubygems.org/search?page={pageno}&query={query} + results_xpath: /html/body/main/div/a[@class="gems__gem"] + url_xpath: ./@href + title_xpath: ./span/h2 + content_xpath: ./span/p + suggestion_xpath: /html/body/main/div/div[@class="search__suggestions"]/p/a + first_page_num: 1 + categories: [it, packages] + disabled: true + about: + website: https://rubygems.org/ + wikidata_id: Q1853420 + official_api_documentation: https://guides.rubygems.org/rubygems-org-api/ + use_official_api: false + require_api_key: false + results: HTML + + - name: peertube + engine: peertube + shortcut: ptb + paging: true + # alternatives see: https://instances.joinpeertube.org/instances + # base_url: https://tube.4aem.com + categories: videos + disabled: true + timeout: 6.0 + + - name: mediathekviewweb + engine: mediathekviewweb + shortcut: mvw + disabled: true + + - name: yacy + # https://docs.searxng.org/dev/engines/online/yacy.html + engine: yacy + categories: general + search_type: text + base_url: + - https://yacy.searchlab.eu + # see https://github.com/searxng/searxng/pull/3631#issuecomment-2240903027 + # - https://search.kyun.li + # - https://yacy.securecomcorp.eu + # - https://yacy.myserv.ca + # - https://yacy.nsupdate.info + # - https://yacy.electroncash.de + shortcut: ya + disabled: true + # if you aren't using HTTPS for your local yacy instance disable https + # enable_http: false + search_mode: 'global' + # timeout can be reduced in 'local' search mode + timeout: 5.0 + + - name: yacy images + engine: yacy + network: yacy + categories: images + search_type: image + shortcut: yai + disabled: true + # timeout can be reduced in 'local' search mode + timeout: 5.0 + + - name: rumble + engine: rumble + shortcut: ru + base_url: https://rumble.com/ + paging: true + categories: videos + disabled: true + + - name: livespace + engine: livespace + shortcut: ls + categories: videos + disabled: true + timeout: 5.0 + + - name: wordnik + engine: wordnik + shortcut: def + base_url: https://www.wordnik.com/ + categories: [dictionaries] + timeout: 5.0 + + - name: woxikon.de synonyme + engine: xpath + shortcut: woxi + categories: [dictionaries] + timeout: 5.0 + disabled: true + search_url: https://synonyme.woxikon.de/synonyme/{query}.php + url_xpath: //div[@class="upper-synonyms"]/a/@href + content_xpath: //div[@class="synonyms-list-group"] + title_xpath: //div[@class="upper-synonyms"]/a + no_result_for_http_status: [404] + about: + website: https://www.woxikon.de/ + wikidata_id: # No Wikidata ID + use_official_api: false + require_api_key: false + results: HTML + language: de + + - name: seekr news + engine: seekr + shortcut: senews + categories: news + seekr_category: news + disabled: true + + - name: seekr images + engine: seekr + network: seekr news + shortcut: seimg + categories: images + seekr_category: images + disabled: true + + - name: seekr videos + engine: seekr + network: seekr news + shortcut: sevid + categories: videos + seekr_category: videos + disabled: true + + - name: sjp.pwn + engine: sjp + shortcut: sjp + base_url: https://sjp.pwn.pl/ + timeout: 5.0 + disabled: true + + - name: stract + engine: stract + shortcut: str + disabled: true + + - name: svgrepo + engine: svgrepo + shortcut: svg + timeout: 10.0 + disabled: true + + - name: tootfinder + engine: tootfinder + shortcut: toot + + - name: voidlinux + engine: voidlinux + shortcut: void + disabled: true + + - name: wallhaven + engine: wallhaven + # api_key: abcdefghijklmnopqrstuvwxyz + shortcut: wh + + # wikimini: online encyclopedia for children + # The fulltext and title parameter is necessary for Wikimini because + # sometimes it will not show the results and redirect instead + - name: wikimini + engine: xpath + shortcut: wkmn + search_url: https://fr.wikimini.org/w/index.php?search={query}&title=Sp%C3%A9cial%3ASearch&fulltext=Search + url_xpath: //li/div[@class="mw-search-result-heading"]/a/@href + title_xpath: //li//div[@class="mw-search-result-heading"]/a + content_xpath: //li/div[@class="searchresult"] + categories: general + disabled: true + about: + website: https://wikimini.org/ + wikidata_id: Q3568032 + use_official_api: false + require_api_key: false + results: HTML + language: fr + + - name: wttr.in + engine: wttr + shortcut: wttr + timeout: 9.0 + + - name: yummly + engine: yummly + shortcut: yum + disabled: true + + - name: brave + engine: brave + shortcut: br + time_range_support: true + paging: true + categories: [general, web] + brave_category: search + # brave_spellcheck: true + + - name: brave.images + engine: brave + network: brave + shortcut: brimg + categories: [images, web] + brave_category: images + + - name: brave.videos + engine: brave + network: brave + shortcut: brvid + categories: [videos, web] + brave_category: videos + + - name: brave.news + engine: brave + network: brave + shortcut: brnews + categories: news + brave_category: news + + # - name: brave.goggles + # engine: brave + # network: brave + # shortcut: brgog + # time_range_support: true + # paging: true + # categories: [general, web] + # brave_category: goggles + # Goggles: # required! This should be a URL ending in .goggle + + - name: lib.rs + shortcut: lrs + engine: lib_rs + disabled: true + + - name: sourcehut + shortcut: srht + engine: xpath + paging: true + search_url: https://sr.ht/projects?page={pageno}&search={query} + results_xpath: (//div[@class="event-list"])[1]/div[@class="event"] + url_xpath: ./h4/a[2]/@href + title_xpath: ./h4/a[2] + content_xpath: ./p + first_page_num: 1 + categories: [it, repos] + disabled: true + about: + website: https://sr.ht + wikidata_id: Q78514485 + official_api_documentation: https://man.sr.ht/ + use_official_api: false + require_api_key: false + results: HTML + + - name: goo + shortcut: goo + engine: xpath + paging: true + search_url: https://search.goo.ne.jp/web.jsp?MT={query}&FR={pageno}0 + url_xpath: //div[@class="result"]/p[@class='title fsL1']/a/@href + title_xpath: //div[@class="result"]/p[@class='title fsL1']/a + content_xpath: //p[contains(@class,'url fsM')]/following-sibling::p + first_page_num: 0 + categories: [general, web] + disabled: true + timeout: 4.0 + about: + website: https://search.goo.ne.jp + wikidata_id: Q249044 + use_official_api: false + require_api_key: false + results: HTML + language: ja + + - name: bt4g + engine: bt4g + shortcut: bt4g + + - name: pkg.go.dev + engine: pkg_go_dev + shortcut: pgo + disabled: true + +# Doku engine lets you access to any Doku wiki instance: +# A public one or a privete/corporate one. +# - name: ubuntuwiki +# engine: doku +# shortcut: uw +# base_url: 'https://doc.ubuntu-fr.org' + +# Be careful when enabling this engine if you are +# running a public instance. Do not expose any sensitive +# information. You can restrict access by configuring a list +# of access tokens under tokens. +# - name: git grep +# engine: command +# command: ['git', 'grep', '{{QUERY}}'] +# shortcut: gg +# tokens: [] +# disabled: true +# delimiter: +# chars: ':' +# keys: ['filepath', 'code'] + +# Be careful when enabling this engine if you are +# running a public instance. Do not expose any sensitive +# information. You can restrict access by configuring a list +# of access tokens under tokens. +# - name: locate +# engine: command +# command: ['locate', '{{QUERY}}'] +# shortcut: loc +# tokens: [] +# disabled: true +# delimiter: +# chars: ' ' +# keys: ['line'] + +# Be careful when enabling this engine if you are +# running a public instance. Do not expose any sensitive +# information. You can restrict access by configuring a list +# of access tokens under tokens. +# - name: find +# engine: command +# command: ['find', '.', '-name', '{{QUERY}}'] +# query_type: path +# shortcut: fnd +# tokens: [] +# disabled: true +# delimiter: +# chars: ' ' +# keys: ['line'] + +# Be careful when enabling this engine if you are +# running a public instance. Do not expose any sensitive +# information. You can restrict access by configuring a list +# of access tokens under tokens. +# - name: pattern search in files +# engine: command +# command: ['fgrep', '{{QUERY}}'] +# shortcut: fgr +# tokens: [] +# disabled: true +# delimiter: +# chars: ' ' +# keys: ['line'] + +# Be careful when enabling this engine if you are +# running a public instance. Do not expose any sensitive +# information. You can restrict access by configuring a list +# of access tokens under tokens. +# - name: regex search in files +# engine: command +# command: ['grep', '{{QUERY}}'] +# shortcut: gr +# tokens: [] +# disabled: true +# delimiter: +# chars: ' ' +# keys: ['line'] + +doi_resolvers: + oadoi.org: 'https://oadoi.org/' + doi.org: 'https://doi.org/' + doai.io: 'https://dissem.in/' + sci-hub.se: 'https://sci-hub.se/' + sci-hub.st: 'https://sci-hub.st/' + sci-hub.ru: 'https://sci-hub.ru/' + +default_doi_resolver: 'oadoi.org' diff --git a/searxng/config/uwsgi.ini b/searxng/config/uwsgi.ini new file mode 100644 index 0000000..9db3d76 --- /dev/null +++ b/searxng/config/uwsgi.ini @@ -0,0 +1,54 @@ +[uwsgi] +# Who will run the code +uid = searxng +gid = searxng + +# Number of workers (usually CPU count) +# default value: %k (= number of CPU core, see Dockerfile) +workers = %k + +# Number of threads per worker +# default value: 4 (see Dockerfile) +threads = 4 + +# The right granted on the created socket +chmod-socket = 666 + +# Plugin to use and interpreter config +single-interpreter = true +master = true +plugin = python3 +lazy-apps = true +enable-threads = 4 + +# Module to import +module = searx.webapp + +# Virtualenv and python path +pythonpath = /usr/local/searxng/ +chdir = /usr/local/searxng/searx/ + +# automatically set processes name to something meaningful +auto-procname = true + +# Disable request logging for privacy +disable-logging = true +log-5xx = true + +# Set the max size of a request (request-body excluded) +buffer-size = 8192 + +# No keep alive +# See https://github.com/searx/searx-docker/issues/24 +add-header = Connection: close + +# Follow SIGTERM convention +# See https://github.com/searxng/searxng/issues/3427 +die-on-term + +# uwsgi serves the static files +static-map = /static=/usr/local/searxng/searx/static +# expires set to one day +static-expires = /* 86400 +static-gzip-all = True +offload-threads = 4 diff --git a/searxng/docker-compose.yml b/searxng/docker-compose.yml new file mode 100644 index 0000000..9bef43b --- /dev/null +++ b/searxng/docker-compose.yml @@ -0,0 +1,15 @@ +services: + searxng: + image: searxng/searxng + container_name: searxng + restart: unless-stopped + volumes: + - ./config:/etc/searxng + environment: + BASE_URL: "https://search.timo.bmrs.nl/" + SEARXNG_SECRET: "PO8rO5ZW7K67sroemisMS8wpiq5pXEHecvXzGs4CdAgTQIQvAI09m65vFKGVVkZW" + +networks: + default: + external: true + name: proxy diff --git a/uptime-kuma/docker-compose.yml b/uptime-kuma/docker-compose.yml new file mode 100644 index 0000000..fbed424 --- /dev/null +++ b/uptime-kuma/docker-compose.yml @@ -0,0 +1,15 @@ +services: + uptime-kuma: + image: louislam/uptime-kuma:1 + container_name: uptime-kuma + restart: unless-stopped + volumes: + - data:/app/data + +volumes: + data: + +networks: + default: + name: proxy + external: true diff --git a/vaultwarden/docker-compose.yml b/vaultwarden/docker-compose.yml new file mode 100644 index 0000000..fe41fe9 --- /dev/null +++ b/vaultwarden/docker-compose.yml @@ -0,0 +1,17 @@ +services: + vaultwarden: + image: vaultwarden/server:latest + container_name: vaultwarden + restart: unless-stopped + volumes: + - data:/data + environment: + SIGNUPS_ALLOWED: "true" + +volumes: + data: + +networks: + default: + name: proxy + external: true