gitea: update configuration from upstream example file

nodiscc · nodiscc · commit b7b9a76fdffd · 2024-01-12T19:51:48.000+01:00
- fixes /bin/sh: 1: Syntax error: ( unexpected on 'register the runner on the gitea instance' task- ref. go-gitea/gitea#28758
diff --git a/roles/gitea/templates/etc_gitea_app.ini b/roles/gitea/templates/etc_gitea_app.ini
@@ -4,7 +4,7 @@
 ;; Do not copy the whole file as-is, as it contains some invalid sections for illustrative purposes.
 ;; If you don't know what a setting is you should not set it.
 ;;
-;; see https://docs.gitea.io/en-us/config-cheat-sheet/ for additional documentation.
+;; see https://docs.gitea.com/administration/config-cheat-sheet for additional documentation.
 
 
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
@@ -463,6 +463,11 @@ PASSWORD_COMPLEXITY = {{ gitea_password_complexity }}
 ;; Cache successful token hashes. API tokens are stored in the DB as pbkdf2 hashes however, this means that there is a potentially significant hashing load when there are multiple API operations.
 ;; This cache will store the successfully hashed tokens in a LRU cache as a balance between performance and security.
 ;SUCCESSFUL_TOKENS_CACHE_SIZE = 20
+;;
+;; Reject API tokens sent in URL query string (Accept Header-based API tokens only). This avoids security vulnerabilities
+;; stemming from cached/logged plain-text API tokens.
+;; In future releases, this will become the default behavior
+;DISABLE_QUERY_AUTH_TOKEN = false
 
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
@@ -516,6 +521,11 @@ JWT_SECRET = {{ gitea_oauth2_jwt_secret }}
 ;;
 ;; Maximum length of oauth2 token/cookie stored on server
 ;MAX_TOKEN_LENGTH = 32767
+;;
+;; Pre-register OAuth2 applications for some universally useful services
+;; * https://github.com/hickford/git-credential-oauth
+;; * https://github.com/git-ecosystem/git-credential-manager
+;DEFAULT_APPLICATIONS = git-credential-oauth, git-credential-manager
 
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
@@ -570,7 +580,7 @@ logger.router.MODE=
 ;REQUEST_ID_HEADERS =
 ;;
 ;; Sets the template used to create the access log.
-;ACCESS_LOG_TEMPLATE = {% raw %}{{.Ctx.RemoteAddr}} - {{.Identity}} {{.Start.Format "[02/Jan/2006:15:04:05 -0700]" }} "{{.Ctx.Req.Method}} {{.Ctx.Req.URL.RequestURI}} {{.Ctx.Req.Proto}}" {{.ResponseWriter.Status}} {{.ResponseWriter.Size}} "{{.Ctx.Req.Referer}}\" \"{{.Ctx.Req.UserAgent}}"{% endraw %}
+;ACCESS_LOG_TEMPLATE = {% raw %}{{.Ctx.RemoteHost}} - {{.Identity}} {{.Start.Format "[02/Jan/2006:15:04:05 -0700]" }} "{{.Ctx.Req.Method}} {{.Ctx.Req.URL.RequestURI}} {{.Ctx.Req.Proto}}" {{.ResponseWriter.Status}} {{.ResponseWriter.Size}} "{{.Ctx.Req.Referer}}\" \"{{.Ctx.Req.UserAgent}}"{% endraw %}
 
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;
@@ -726,6 +736,8 @@ ENABLE_NOTIFY_MAIL = true
 ;;
 ;; More detail: https://github.com/gogits/gogs/issues/165
 ;ENABLE_REVERSE_PROXY_AUTHENTICATION = false
+; Enable this to allow reverse proxy authentication for API requests, the reverse proxy is responsible for ensuring that no CSRF is possible.
+;ENABLE_REVERSE_PROXY_AUTHENTICATION_API = false
 ;ENABLE_REVERSE_PROXY_AUTO_REGISTRATION = false
 ;ENABLE_REVERSE_PROXY_EMAIL = false
 ;ENABLE_REVERSE_PROXY_FULL_NAME = false
@@ -799,6 +811,15 @@ DEFAULT_ALLOW_CREATE_ORGANIZATION = {{ gitea_default_allow_create_organization }
 ;; Dependencies can be added from any repository where the user is granted access or only from the current repository depending on this setting.
 ;ALLOW_CROSS_REPOSITORY_DEPENDENCIES = true
 ;;
+;; Default map service. No external API support has been included. A service has to allow
+;; searching using URL parameters, the location will be appended to the URL as escaped query parameter.
+;; Disabled by default, some example values are:
+;; - OpenStreetMap: https://www.openstreetmap.org/search?query=
+;; - Google Maps: https://www.google.com/maps/place/
+;; - MapQuest: https://www.mapquest.com/search/
+;; - Bing Maps: https://www.bing.com/maps?where1=
+; USER_LOCATION_MAP_URL =
+;;
 ;; Enable heatmap on users profiles.
 ;ENABLE_USER_HEATMAP = true
 ;;
@@ -970,8 +991,8 @@ MAX_CREATION_LIMIT = {{ gitea_user_repo_limit }}
 ;; Comma-separated list of allowed file extensions (`.zip`), mime types (`text/plain`) or wildcard type (`image/*`, `audio/*`, `video/*`). Empty value or `*/*` allows all types.
 ;ALLOWED_TYPES =
 ;;
-;; Max size of each file in megabytes. Defaults to 3MB
-;FILE_MAX_SIZE = 3
+;; Max size of each file in megabytes. Defaults to 50MB
+;FILE_MAX_SIZE = 50 
 ;;
 ;; Max number of files per upload. Defaults to 5
 ;MAX_FILES = 5
@@ -1107,15 +1128,9 @@ MAX_CREATION_LIMIT = {{ gitea_user_repo_limit }}
 ;; enable cors headers (disabled by default)
 ;ENABLED = false
 ;;
-;; scheme of allowed requests
-;SCHEME = http
-;;
-;; list of requesting domains that are allowed
+;; list of requesting origins that are allowed, eg: "https://*.example.com"
 ;ALLOW_DOMAIN = *
 ;;
-;; allow subdomains of headers listed above to request
-;ALLOW_SUBDOMAIN = false
-;;
 ;; list of methods allowed to request
 ;METHODS = GET,HEAD,POST,PUT,PATCH,DELETE,OPTIONS
 ;;
@@ -1161,6 +1176,9 @@ ISSUE_PAGING_NUM = {{ gitea_issue_paging_num }}
 ;; Max size of files to be displayed (default is 8MiB)
 ;MAX_DISPLAY_FILE_SIZE = 8388608
 ;;
+;; Detect ambiguous unicode characters in file contents and show warnings on the UI
+;AMBIGUOUS_UNICODE_DETECTION = true
+;;
 ;; Whether the email of the user should be shown in the Explore Users page
 SHOW_USER_EMAIL = {{ gitea_show_user_email }}
 ;;
@@ -1172,9 +1190,12 @@ SHOW_USER_EMAIL = {{ gitea_show_user_email }}
 ;;
 ;; All available reactions users can choose on issues/prs and comments.
 ;; Values can be emoji alias (:smile:) or a unicode emoji.
-;; For custom reactions, add a tightly cropped square image to public/img/emoji/reaction_name.png
+;; For custom reactions, add a tightly cropped square image to public/assets/img/emoji/reaction_name.png
 ;REACTIONS = +1, -1, laugh, hooray, confused, heart, rocket, eyes
 ;;
+;; Change the number of users that are displayed in reactions tooltip (triggered by mouse hover).
+;REACTION_MAX_USER_NUM = 10
+;;
 ;; Additional Emojis not defined in the utf8 standard
 ;; By default we support gitea (:gitea:), to add more copy them to public/img/emoji/emoji_name.png and add it to this config.
 ;; Dont mistake it for Reactions.
@@ -1297,7 +1318,7 @@ SHOW_USER_EMAIL = {{ gitea_show_user_email }}
 ;; Define allowed algorithms and their minimum key length (use -1 to disable a type)
 ;ED25519 = 256
 ;ECDSA = 256
-;RSA = 2047 ; we allow 2047 here because an otherwise valid 2048 bit RSA key can be reported as having 2047 bit length
+;RSA = 3071 ; we allow 3071 here because an otherwise valid 3072 bit RSA key can be reported as having 3071 bit length
 ;DSA = -1 ; set to 1024 to switch on
 
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
@@ -1315,10 +1336,10 @@ SHOW_USER_EMAIL = {{ gitea_show_user_email }}
 ;; Issue indexer storage path, available when ISSUE_INDEXER_TYPE is bleve
 ;ISSUE_INDEXER_PATH = indexers/issues.bleve ; Relative paths will be made absolute against _`AppWorkPath`_.
 ;;
-;; Issue indexer connection string, available when ISSUE_INDEXER_TYPE is elasticsearch or meilisearch
-;ISSUE_INDEXER_CONN_STR = http://elastic:changeme@localhost:9200
+;; Issue indexer connection string, available when ISSUE_INDEXER_TYPE is elasticsearch (e.g. http://elastic:password@localhost:9200) or meilisearch (e.g. http://:apikey@localhost:7700)
+;ISSUE_INDEXER_CONN_STR =
 ;;
-;; Issue indexer name, available when ISSUE_INDEXER_TYPE is elasticsearch
+;; Issue indexer name, available when ISSUE_INDEXER_TYPE is elasticsearch or meilisearch.
 ;ISSUE_INDEXER_NAME = gitea_issues
 ;;
 ;; Timeout the indexer if it takes longer than this to start.
@@ -1380,7 +1401,7 @@ REPO_INDEXER_EXCLUDE = {{ gitea_repo_indexer_exclude|join(', ') }}
 ;DATADIR = queues/ ; Relative paths will be made absolute against `%(APP_DATA_PATH)s`.
 ;;
 ;; Default queue length before a channel queue will block
-;LENGTH = 100
+;LENGTH = 100000
 ;;
 ;; Batch size to send for batched queues
 ;BATCH_LENGTH = 20
@@ -1396,8 +1417,8 @@ REPO_INDEXER_EXCLUDE = {{ gitea_repo_indexer_exclude|join(', ') }}
 ;; Provides the suffix of the default redis/disk unique queue set name - specific queues can be overridden within in their [queue.name] sections.
 ;SET_NAME = "_unique"
 ;;
-;; Dynamically scale the worker pool to at this many workers
-;MAX_WORKERS = 10
+;; Maximum number of worker go-routines for the queue. Default value is "CpuNum/2" clipped to between 1 and 10.
+;MAX_WORKERS = ; (dynamic)
 
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
@@ -1712,8 +1733,8 @@ PASSWD = {{ gitea_mail_password }}
 ;; Session cookie name
 ;COOKIE_NAME = i_like_gitea
 ;;
-;; If you use session in https only, default is false
-;COOKIE_SECURE = false
+;; If you use session in https only: true or false. If not set, it defaults to `true` if the ROOT_URL is an HTTPS URL.
+;COOKIE_SECURE =
 ;;
 ;; Session GC time interval in seconds, default is 86400 (1 day)
 ;GC_INTERVAL_TIME = 86400
@@ -1778,8 +1799,8 @@ DISABLE_GRAVATAR = {{ gitea_disable_gravatar }}
 ;; Comma-separated list of allowed file extensions (`.zip`), mime types (`text/plain`) or wildcard type (`image/*`, `audio/*`, `video/*`). Empty value or `*/*` allows all types.
 ;ALLOWED_TYPES = .csv,.docx,.fodg,.fodp,.fods,.fodt,.gif,.gz,.jpeg,.jpg,.log,.md,.mov,.mp4,.odf,.odg,.odp,.ods,.odt,.patch,.pdf,.png,.pptx,.svg,.tgz,.txt,.webm,.xls,.xlsx,.zip
 ;;
-;; Max size of each file. Defaults to 4MB
-;MAX_SIZE = 4
+;; Max size of each file. Defaults to 2048MB
+;MAX_SIZE = 2048
 ;;
 ;; Max number of files per upload. Defaults to 5
 ;MAX_FILES = 5
@@ -1792,8 +1813,9 @@ DISABLE_GRAVATAR = {{ gitea_disable_gravatar }}
 ;; Currently, only `minio` is supported.
 ;SERVE_DIRECT = false
 ;;
-;; Path for attachments. Defaults to `data/attachments` only available when STORAGE_TYPE is `local`
-;PATH = data/attachments
+;; Path for attachments. Defaults to `attachments`. Only available when STORAGE_TYPE is `local`
+;; Relative paths will be resolved to `${AppDataPath}/${attachment.PATH}`
+;PATH = attachments
 ;;
 ;; Minio endpoint to connect only available when STORAGE_TYPE is `minio`
 ;MINIO_ENDPOINT = localhost:9000
@@ -2532,6 +2554,14 @@ ENABLED = true
 ;;
 ;; Default platform to get action plugins, `github` for `https://github.com`, `self` for the current Gitea instance.
 ;DEFAULT_ACTIONS_URL = github
+;; Default artifact retention time in days. Artifacts could have their own retention periods by setting the `retention-days` option in `actions/upload-artifact` step.
+;ARTIFACT_RETENTION_DAYS = 90
+;; Timeout to stop the task which have running status, but haven't been updated for a long time
+;ZOMBIE_TASK_TIMEOUT = 10m
+;; Timeout to stop the tasks which have running status and continuous updates, but don't end for a long time
+;ENDLESS_TASK_TIMEOUT = 3h
+;; Timeout to cancel the jobs which have waiting status, but haven't been picked by a runner for a long time
+;ABANDONED_JOB_TIMEOUT = 24h
 
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
