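---
# =============================================================================
# Gitea Role Defaults
# =============================================================================
#
# Default values for Gitea role variables.
# These have the LOWEST precedence and can be overridden by:
#   - group_vars/all/vars.yml
#   - inventory host_vars
#   - command line --extra-vars
#
# Secrets (database password, ACME contact e-mail) are deliberately NOT given
# a default here: a value in role defaults would be committed to VCS and
# silently used on every host that forgets to override it.
#
# Reference: https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_variables.html#variable-precedence-where-should-i-put-a-variable
# Reference: https://docs.gitea.com/administration/config-cheat-sheet
# =============================================================================

# -----------------------------------------------------------------------------
# Version Configuration
# -----------------------------------------------------------------------------
# Major.minor tags float, so patch releases are picked up on the next pull.
# Trade-off: a floating tag is mutable, so a given deploy is not reproducible
# and the image is trusted on tag name alone. Pin an image digest
# (name@sha256:...) where reproducible or verifiable deployments matter more
# than automatic patching.
# Versions are quoted so YAML does not read "1.25" as a float.
# Reference: https://hub.docker.com/r/gitea/gitea
# Reference: https://hub.docker.com/_/postgres
gitea_version: "1.25"
gitea_postgres_version: "17-alpine"

# -----------------------------------------------------------------------------
# Container Configuration
# -----------------------------------------------------------------------------
# Service names for docker compose commands
gitea_service_name: "server"
gitea_db_service_name: "db"

# Container names for docker exec commands (may differ from service names)
gitea_container_name: "gitea"
gitea_db_container_name: "gitea-db-1"

# User/Group IDs for container processes.
# These should match existing volume ownership; a mismatch either breaks
# startup (unwritable data dir) or tempts a chown/chmod that widens access.
# Non-root on purpose: the service must not run as UID 0 in the container.
gitea_user_uid: 1002
gitea_user_gid: 1004

# -----------------------------------------------------------------------------
# Database Configuration
# -----------------------------------------------------------------------------
gitea_db_type: "postgres"
# Host:port as reached from inside the compose network; the database is not
# expected to be published on the host.
gitea_db_host: "db:5432"
gitea_db_name: "gitea"
gitea_db_user: "gitea"
# gitea_db_password: MUST be set via vault mapping in group_vars/all/vars.yml
#   (intentionally no default; see header)

# -----------------------------------------------------------------------------
# Network Configuration
# -----------------------------------------------------------------------------
# HTTP port inside container (external 443 maps to this via ACME)
gitea_http_port: 3000

# SSH port configuration.
# Per the config cheat sheet, SSH_PORT is the port shown in clone URLs and
# SSH_LISTEN_PORT is the port the built-in server binds inside the container;
# gitea_ssh_external_port is the host-side port published for the container.
# NOTE(review): the advertised port (22) and the published host port (2222)
# differ, so generated clone URLs only work if clients actually reach the
# container on 22 (e.g. a host-level forward). Confirm against the compose
# port mapping and set gitea_ssh_port to the client-facing port if not.
gitea_ssh_port: 22
gitea_ssh_listen_port: 22
gitea_ssh_external_port: 2222

# -----------------------------------------------------------------------------
# Security Hardening - Password & Authentication
# -----------------------------------------------------------------------------
# Reference: https://docs.gitea.com/administration/config-cheat-sheet#security-security
# Reference: https://onappsec.com/gitea-configuration-hardening/

# Password hashing algorithm
# Options: argon2, pbkdf2, pbkdf2_v1, pbkdf2_hi, scrypt, bcrypt
# argon2 is memory-hard and the strongest option listed; it costs more memory
# per verification than pbkdf2, which matters on small hosts but is the point.
gitea_password_hash_algo: "argon2"

# Password complexity requirements
# Options: off, lower, upper, digit, spec (comma-separated)
# NOTE: NIST SP 800-63B (sec. 5.1.1.2) advises verifiers NOT to impose
# composition rules like these; it favors a length minimum plus a
# breached-password check, both of which are enforced below. Kept for
# deployments whose policy requires character classes; set to "off" to
# follow the NIST guidance instead.
gitea_password_complexity: "lower,upper,digit,spec"

# Minimum password length.
# NIST SP 800-63B requires at least 8 characters (Rev. 4 raises the
# single-factor minimum to 15); 12 is a deliberate middle ground.
gitea_min_password_length: 12

# Check passwords against the Have I Been Pwned breached-password corpus.
# This needs outbound HTTPS from the Gitea container to the HIBP API at
# signup/password change; confirm egress rules allow it. It is independent
# of gitea_offline_mode below, which does not disable this check.
gitea_password_check_pwn: true

# Two-factor authentication is available to every user by default in Gitea
# 1.25+ (enrolled under account settings); nothing to configure here.
# That makes 2FA optional, not mandatory. If enforcement is required, check
# the [security] section of the config cheat sheet for this version rather
# than assuming the default covers it.

# -----------------------------------------------------------------------------
# Security Hardening - API & Features
# -----------------------------------------------------------------------------
# Disable Git hooks: server-side hooks run as the Gitea process, so anyone
# allowed to edit them has arbitrary code execution on the host.
gitea_disable_git_hooks: true

# Reject API tokens passed in URL query strings (header-based only).
# Prevents token leakage into server/proxy logs, Referer headers and
# browser history.
gitea_disable_query_auth_token: true

# Webhook allowed destination hosts (SSRF guard for outbound webhook calls)
# Options: loopback, private, external, *, or CIDR list
# "external" excludes loopback and private (RFC 1918) targets, so a webhook
# cannot be pointed at the database container or other internal services.
# Widen only with explicit hostnames/CIDRs, never "*".
gitea_webhook_allowed_hosts: "external"

# -----------------------------------------------------------------------------
# Security Hardening - Session & Cookies
# -----------------------------------------------------------------------------
# Mark session cookies Secure so browsers only send them over HTTPS
gitea_cookie_secure: true

# SameSite cookie policy (strict blocks cross-site cookie sends: CSRF defense)
# Options: lax, strict, none
# NOTE(review): strict also withholds the cookie on top-level navigations
# arriving from another site, which can break OAuth2/OIDC login round-trips.
# Confirm if external sign-in is enabled; lax is the usual fallback.
gitea_same_site: "strict"

# -----------------------------------------------------------------------------
# Security Hardening - TLS
# -----------------------------------------------------------------------------
# Minimum TLS version; TLS 1.0 and 1.1 are deprecated (RFC 8996)
gitea_ssl_min_version: "TLSv1.2"

# ACME/Let's Encrypt automatic certificate provisioning.
# Challenge validation requires the host to be reachable from the internet;
# confirm the compose port mapping publishes what the challenge type needs.
gitea_enable_acme: true
# Accepting the CA's terms of service is required by the ACME protocol; this
# is a policy decision made here on the operator's behalf.
gitea_acme_accept_tos: true
# Directory (relative to the Gitea data dir) where the ACME client caches
# certificates and their private keys; protect and back it up like the data
# volume.
gitea_acme_directory: "https"
# gitea_acme_email: SHOULD be set via vault mapping in group_vars/all/vars.yml
#   (the CA sends expiry/revocation notices to this address)

# -----------------------------------------------------------------------------
# Service Configuration
# -----------------------------------------------------------------------------
# Disable public registration (admin-only account creation)
gitea_disable_registration: true

# Require sign-in to view any content.
# false keeps public repositories and profiles readable anonymously even
# though registration is closed; set true for a fully private instance.
gitea_require_signin_view: false

# LFS (Large File Storage) support
gitea_lfs_enabled: true

# Offline mode (don't fetch external resources like Gravatar)
gitea_offline_mode: true

# -----------------------------------------------------------------------------
# Backup Configuration
# -----------------------------------------------------------------------------
# Backup directory (relative to gitea_install_dir, which is not defaulted in
# this file and is expected to come from a higher-precedence source).
# Backup sets presumably carry the same sensitive data as the live instance;
# restrict access to this directory accordingly.
gitea_backup_dir: "backups"

# Number of backup sets to retain; older sets are rotated out
gitea_backup_retention: 5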