nult/roles/gitea/defaults/main.yml
Mark a9554f3e5d Initial commit: nult - Ansible deployment toolkit
Merged from veridion-gitea and veridion-act-runner-gitea repos.

nult (Null-T) - instant teleportation from Strugatsky's Noon Universe.
Like Null-T, this toolkit instantly deploys infrastructure.

Roles:
- gitea: Gitea server with PostgreSQL (Docker Compose)
- act_runner: Gitea Actions runner

Playbooks:
- gitea.yml: Deploy Gitea server
- act-runner.yml: Deploy Act Runner
- site.yml: Deploy all services

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-15 15:34:07 +01:00


---
# =============================================================================
# Gitea Role Defaults
# =============================================================================
#
# Default values for Gitea role variables.
# These have the LOWEST precedence and can be overridden by:
# - group_vars/all/vars.yml
# - inventory host_vars
# - command line --extra-vars
#
# Secrets (database password, ACME contact address) are deliberately NOT
# defined here; see the commented-out placeholders further down and supply
# them through an Ansible Vault mapping so they never land in this file.
#
# Reference: https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_variables.html#variable-precedence-where-should-i-put-a-variable
# Reference: https://docs.gitea.com/administration/config-cheat-sheet
# =============================================================================

# -----------------------------------------------------------------------------
# Version Configuration
# -----------------------------------------------------------------------------
# Using major.minor pinning for automatic security patch updates.
# Trade-off: a floating tag means the image actually deployed can change
# without any change to this file, so a deployment is not reproducible from
# the inventory alone. Pin an image digest if reproducibility matters more
# than automatic patching.
# Both values are quoted on purpose: an unquoted 1.25 would parse as a float.
# Reference: https://hub.docker.com/r/gitea/gitea
# Reference: https://hub.docker.com/_/postgres
gitea_version: "1.25"
gitea_postgres_version: "17-alpine"

# -----------------------------------------------------------------------------
# Container Configuration
# -----------------------------------------------------------------------------
# Service names for docker compose commands
gitea_service_name: "server"
gitea_db_service_name: "db"
# Container names for docker exec commands (may differ from service names)
# NOTE(review): "gitea-db-1" looks like Compose's default
# <project>-<service>-<index> naming, so it depends on the compose project
# being named "gitea" — confirm against the compose template.
gitea_container_name: "gitea"
gitea_db_container_name: "gitea-db-1"
# User/Group IDs for container processes
# These should match existing volume ownership; a mismatch usually surfaces as
# permission errors on the data volume rather than a clear startup failure.
gitea_user_uid: 1002
gitea_user_gid: 1004

# -----------------------------------------------------------------------------
# Database Configuration
# -----------------------------------------------------------------------------
gitea_db_type: "postgres"
# host:port of the database as seen from the Gitea container, i.e. the compose
# service name on the compose network. Quoted because an unquoted "db:5432"
# would be mis-parsed by YAML.
gitea_db_host: "db:5432"
gitea_db_name: "gitea"
gitea_db_user: "gitea"
# gitea_db_password: MUST be set via vault mapping in group_vars/all/vars.yml
# (no default on purpose — a default password here would be committed to VCS)

# -----------------------------------------------------------------------------
# Network Configuration
# -----------------------------------------------------------------------------
# Port Gitea listens on inside the container. With gitea_enable_acme (below)
# Gitea terminates TLS on this port itself, so the host-side mapping of
# external 443 should land here. ACME HTTP-01 validation additionally expects
# port 80 to be reachable — presumably handled in the compose template; verify.
gitea_http_port: 3000
# SSH port configuration
# gitea_ssh_port: presumably the port advertised in SSH clone URLs
# gitea_ssh_listen_port: presumably the port the built-in SSH server binds to
# gitea_ssh_external_port: presumably the host-side published port
# TODO(review): confirm that clone URLs advertising port 22 still work when
# the host publishes the container's SSH on 2222.
gitea_ssh_port: 22
gitea_ssh_listen_port: 22
gitea_ssh_external_port: 2222

# -----------------------------------------------------------------------------
# Security Hardening - Password & Authentication
# -----------------------------------------------------------------------------
# Reference: https://docs.gitea.com/administration/config-cheat-sheet#security-security
# Reference: https://onappsec.com/gitea-configuration-hardening/
# Password hashing algorithm
# Options: argon2, pbkdf2, pbkdf2_v1, pbkdf2_hi, scrypt, bcrypt
# argon2 is the strongest and recommended choice (memory-hard, so it raises
# the cost of offline cracking if the database is ever exfiltrated)
gitea_password_hash_algo: "argon2"
# Password complexity requirements
# Options: off, lower, upper, digit, spec (comma-separated)
# Note: NIST SP 800-63B advises against mandatory composition rules; this is
# a deliberately conservative choice layered on the length and pwn checks.
gitea_password_complexity: "lower,upper,digit,spec"
# Minimum password length (NIST SP 800-63B recommends 8+)
gitea_min_password_length: 12
# Check passwords against HaveIBeenPwned database
# Operational caveat: this needs outbound HTTPS from the container to the
# HIBP API; on an egress-restricted host, setting or changing a password
# will fail. gitea_offline_mode below does not appear to cover this check
# — verify before relying on it.
gitea_password_check_pwn: true
# Two-factor authentication is enabled by default in Gitea 1.25+
# No configuration needed - users can enable 2FA in their account settings
# (i.e. it is available for opt-in; nothing in these defaults makes it
# mandatory)

# -----------------------------------------------------------------------------
# Security Hardening - API & Features
# -----------------------------------------------------------------------------
# Disable Git hooks (prevents arbitrary code execution via hooks)
# Server-side hooks run as the Gitea process, so anyone allowed to edit them
# effectively gets code execution on the host; keep this on unless there is
# a concrete need.
gitea_disable_git_hooks: true
# Reject API tokens passed in URL query strings (header-based only)
# Prevents token leakage in server logs and browser history
gitea_disable_query_auth_token: true
# Webhook allowed destination hosts
# Options: loopback, private, external, *, or CIDR list
# "external" blocks webhooks to loopback and private ranges, which limits
# SSRF from a repository admin against services on the internal network.
# Any internal webhook consumer has to be allow-listed explicitly.
gitea_webhook_allowed_hosts: "external"

# -----------------------------------------------------------------------------
# Security Hardening - Session & Cookies
# -----------------------------------------------------------------------------
# Force HTTPS for session cookies
# Requires the instance to actually be served over HTTPS (see ACME below);
# over plain HTTP the browser drops the cookie and logins will not persist.
gitea_cookie_secure: true
# SameSite cookie policy (strict prevents CSRF)
# Options: lax, strict, none
# NOTE(review): strict can break sign-in flows that return from an external
# identity provider (OAuth2/OIDC), because the redirect arrives without the
# session cookie; switch to lax if such a provider is configured.
gitea_same_site: "strict"

# -----------------------------------------------------------------------------
# Security Hardening - TLS
# -----------------------------------------------------------------------------
# Minimum TLS version (disable older vulnerable protocols)
gitea_ssl_min_version: "TLSv1.2"
# ACME/Let's Encrypt automatic certificate provisioning
gitea_enable_acme: true
# Accepting the CA's terms of service is a deliberate, recorded choice
gitea_acme_accept_tos: true
# Directory the ACME client uses to cache certificates and keys (presumably
# relative to Gitea's data directory — verify); it holds private key material
gitea_acme_directory: "https"
# gitea_acme_email: SHOULD be set via vault mapping in group_vars/all/vars.yml
# (the CA uses it for expiry and revocation notices)

# -----------------------------------------------------------------------------
# Service Configuration
# -----------------------------------------------------------------------------
# Disable public registration (admin-only account creation)
gitea_disable_registration: true
# Require sign-in to view any content
# false: anonymous visitors can browse public repositories and profiles;
# set true for a fully private instance.
gitea_require_signin_view: false
# LFS (Large File Storage) support
gitea_lfs_enabled: true
# Offline mode (don't fetch external resources like Gravatar)
gitea_offline_mode: true

# -----------------------------------------------------------------------------
# Backup Configuration
# -----------------------------------------------------------------------------
# Backup directory (relative to gitea_install_dir)
# gitea_install_dir is not defined in these defaults; it has to come from
# group_vars or the play.
# NOTE(review): backups presumably contain the database dump and app.ini
# (credentials, tokens, secret keys), so the directory needs restrictive
# permissions — check that the backup tasks set them.
gitea_backup_dir: "backups"
# Number of backup sets to retain
gitea_backup_retention: 5