summaryrefslogtreecommitdiffstats
path: root/docs/content/doc/administration
diff options
context:
space:
mode:
Diffstat (limited to 'docs/content/doc/administration')
-rw-r--r--docs/content/doc/administration/adding-legal-pages.en-us.md38
-rw-r--r--docs/content/doc/administration/backup-and-restore.en-us.md170
-rw-r--r--docs/content/doc/administration/backup-and-restore.zh-cn.md66
-rw-r--r--docs/content/doc/administration/backup-and-restore.zh-tw.md66
-rw-r--r--docs/content/doc/administration/cmd-embedded.en-us.md121
-rw-r--r--docs/content/doc/administration/command-line.en-us.md553
-rw-r--r--docs/content/doc/administration/config-cheat-sheet.en-us.md1395
-rw-r--r--docs/content/doc/administration/config-cheat-sheet.zh-cn.md487
-rw-r--r--docs/content/doc/administration/customizing-gitea.en-us.md372
-rw-r--r--docs/content/doc/administration/customizing-gitea.zh-cn.md88
-rw-r--r--docs/content/doc/administration/email-setup.en-us.md90
-rw-r--r--docs/content/doc/administration/environment-variables.en-us.md63
-rw-r--r--docs/content/doc/administration/environment-variables.zh-cn.md55
-rw-r--r--docs/content/doc/administration/external-renderers.en-us.md196
-rw-r--r--docs/content/doc/administration/fail2ban-setup.en-us.md125
-rw-r--r--docs/content/doc/administration/fail2ban-setup.zh-cn.md92
-rw-r--r--docs/content/doc/administration/git-lfs-support.en-us.md30
-rw-r--r--docs/content/doc/administration/https-support.en-us.md102
-rw-r--r--docs/content/doc/administration/logging-documentation.en-us.md522
-rw-r--r--docs/content/doc/administration/mail-templates.en-us.md280
-rw-r--r--docs/content/doc/administration/repo-indexer.en-us.md62
-rw-r--r--docs/content/doc/administration/reverse-proxies.en-us.md387
-rw-r--r--docs/content/doc/administration/reverse-proxies.zh-cn.md138
-rw-r--r--docs/content/doc/administration/search-engines-indexation.en-us.md38
-rw-r--r--docs/content/doc/administration/signing.en-us.md177
25 files changed, 5713 insertions, 0 deletions
diff --git a/docs/content/doc/administration/adding-legal-pages.en-us.md b/docs/content/doc/administration/adding-legal-pages.en-us.md
new file mode 100644
index 0000000000..9ba8c4fd81
--- /dev/null
+++ b/docs/content/doc/administration/adding-legal-pages.en-us.md
@@ -0,0 +1,38 @@
+---
+date: "2019-12-28"
+title: "Adding Legal Pages"
+slug: adding-legal-pages
+weight: 9
+toc: false
+draft: false
+menu:
+ sidebar:
+ parent: "administration"
+ name: "Adding Legal Pages"
+ identifier: "adding-legal-pages"
+ weight: 110
+---
+
+Some jurisdictions (such as EU), requires certain legal pages (e.g. Privacy Policy) to be added to website. Follow these steps to add them to your Gitea instance.
+
+## Getting Pages
+
+Gitea source code ships with sample pages, available in `contrib/legal` directory. Copy them to `custom/public/`. For example, to add Privacy Policy:
+
+```
+wget -O /path/to/custom/public/privacy.html https://raw.githubusercontent.com/go-gitea/gitea/main/contrib/legal/privacy.html.sample
+```
+
+Now you need to edit the page to meet your requirements. In particular you must change the email addresses, web addresses and references to "Your Gitea Instance" to match your situation.
+
+You absolutely must not place a general ToS or privacy statement that implies that the Gitea project is responsible for your server.
+
+## Make it Visible
+
+Create or append to `/path/to/custom/templates/custom/extra_links_footer.tmpl`:
+
+```go
+<a class="item" href="{{AppSubUrl}}/assets/privacy.html">Privacy Policy</a>
+```
+
+Restart Gitea to see the changes.
diff --git a/docs/content/doc/administration/backup-and-restore.en-us.md b/docs/content/doc/administration/backup-and-restore.en-us.md
new file mode 100644
index 0000000000..16e8654b74
--- /dev/null
+++ b/docs/content/doc/administration/backup-and-restore.en-us.md
@@ -0,0 +1,170 @@
+---
+date: "2017-01-01T16:00:00+02:00"
+title: "Usage: Backup and Restore"
+slug: "backup-and-restore"
+weight: 11
+toc: false
+draft: false
+menu:
+ sidebar:
+ parent: "administration"
+ name: "Backup and Restore"
+ weight: 11
+ identifier: "backup-and-restore"
+---
+
+# Backup and Restore
+
+Gitea currently has a `dump` command that will save the installation to a ZIP file. This
+file can be unpacked and used to restore an instance.
+
+**Table of Contents**
+
+{{< toc >}}
+
+## Backup Consistency
+
+To ensure the consistency of the Gitea instance, it must be shutdown during backup.
+
+Gitea consists of a database, files and git repositories, all of which change when it is used. For instance, when a migration is in progress, a transaction is created in the database while the git repository is being copied over. If the backup happens in the middle of the migration, the git repository may be incomplete although the database claims otherwise because it was dumped afterwards. The only way to avoid such race conditions is by stopping the Gitea instance during the backups.
+
+## Backup Command (`dump`)
+
+Switch to the user running Gitea: `su git`. Run `./gitea dump -c /path/to/app.ini` in the Gitea installation
+directory. There should be some output similar to the following:
+
+```none
+2016/12/27 22:32:09 Creating tmp work dir: /tmp/gitea-dump-417443001
+2016/12/27 22:32:09 Dumping local repositories.../home/git/gitea-repositories
+2016/12/27 22:32:22 Dumping database...
+2016/12/27 22:32:22 Packing dump files...
+2016/12/27 22:32:34 Removing tmp work dir: /tmp/gitea-dump-417443001
+2016/12/27 22:32:34 Finish dumping in file gitea-dump-1482906742.zip
+```
+
+Inside the `gitea-dump-1482906742.zip` file, will be the following:
+
+- `app.ini` - Optional copy of configuration file if originally stored outside of the default `custom/` directory
+- `custom` - All config or customization files in `custom/`.
+- `data` - Data directory in <GITEA_WORK_DIR>, except sessions if you are using file session. This directory includes `attachments`, `avatars`, `lfs`, `indexers`, SQLite file if you are using SQLite.
+- `gitea-db.sql` - SQL dump of database
+- `gitea-repo.zip` - Complete copy of the repository directory.
+- `log/` - Various logs. They are not needed for a recovery or migration.
+
+Intermediate backup files are created in a temporary directory specified either with the
+`--tempdir` command-line parameter or the `TMPDIR` environment variable.
+
+## Backup the database
+
+The SQL dump created by `gitea dump` uses XORM and Gitea admins may prefer to use the native the MySQL and PostgreSQL dump tools instead. There are still open issues when using XORM for dumping the database that may cause problems when attempting to restore it.
+
+```sh
+# mysql
+mysqldump -u$USER -p$PASS --database $DATABASE > gitea-db.sql
+# postgres
+pg_dump -U $USER $DATABASE > gitea-db.sql
+```
+
+### Using Docker (`dump`)
+
+There are a few caveats for using the `dump` command with Docker.
+
+The command has to be executed with the `RUN_USER = <OS_USERNAME>` specified in `gitea/conf/app.ini`; and, for the zipping of the backup folder to occur without permission error the command `docker exec` must be executed inside of the `--tempdir`.
+
+Example:
+
+```none
+docker exec -u <OS_USERNAME> -it -w <--tempdir> $(docker ps -qf 'name=^<NAME_OF_DOCKER_CONTAINER>$') bash -c '/usr/local/bin/gitea dump -c </path/to/app.ini>'
+```
+
+\*Note: `--tempdir` refers to the temporary directory of the docker environment used by Gitea; if you have not specified a custom `--tempdir`, then Gitea uses `/tmp` or the `TMPDIR` environment variable of the docker container. For `--tempdir` adjust your `docker exec` command options accordingly.
+
+The result should be a file, stored in the `--tempdir` specified, along the lines of: `gitea-dump-1482906742.zip`
+
+## Restore Command (`restore`)
+
+There is currently no support for a recovery command. It is a manual process that mostly
+involves moving files to their correct locations and restoring a database dump.
+
+Example:
+
+```sh
+unzip gitea-dump-1610949662.zip
+cd gitea-dump-1610949662
+mv data/conf/app.ini /etc/gitea/conf/app.ini
+mv data/* /var/lib/gitea/data/
+mv log/* /var/lib/gitea/log/
+mv repos/* /var/lib/gitea/repositories/
+chown -R gitea:gitea /etc/gitea/conf/app.ini /var/lib/gitea
+
+# mysql
+mysql --default-character-set=utf8mb4 -u$USER -p$PASS $DATABASE <gitea-db.sql
+# sqlite3
+sqlite3 $DATABASE_PATH <gitea-db.sql
+# postgres
+psql -U $USER -d $DATABASE < gitea-db.sql
+
+service gitea restart
+```
+
+Repository Git Hooks should be regenerated if installation method is changed (eg. binary -> Docker), or if Gitea is installed to a different directory than the previous installation.
+
+With Gitea running, and from the directory Gitea's binary is located, execute: `./gitea admin regenerate hooks`
+
+This ensures that application and configuration file paths in repository Git Hooks are consistent and applicable to the current installation. If these paths are not updated, repository `push` actions will fail.
+
+### Using Docker (`restore`)
+
+There is also no support for a recovery command in a Docker-based gitea instance. The restore process contains the same steps as described in the previous section but with different paths.
+
+Example:
+
+```sh
+# open bash session in container
+docker exec --user git -it 2a83b293548e bash
+# unzip your backup file within the container
+unzip gitea-dump-1610949662.zip
+cd gitea-dump-1610949662
+# restore the gitea data
+mv data/* /data/gitea
+# restore the repositories itself
+mv repos/* /data/git/repositories/
+# adjust file permissions
+chown -R git:git /data
+# Regenerate Git Hooks
+/usr/local/bin/gitea -c '/data/gitea/conf/app.ini' admin regenerate hooks
+```
+
+The default user in the gitea container is `git` (1000:1000). Please replace `2a83b293548e` with your gitea container id or name.
+
+These are the default paths used in the container:
+
+```text
+DEFAULT CONFIGURATION:
+ CustomPath: /data/gitea (GITEA_CUSTOM)
+ CustomConf: /data/gitea/conf/app.ini
+ AppPath: /usr/local/bin/gitea
+ AppWorkPath: /usr/local/bin
+```
+
+### Using Docker-rootless (`restore`)
+
+The restore workflow in Docker-rootless containers differs only in the directories to be used:
+
+```sh
+# open bash session in container
+docker exec --user git -it 2a83b293548e bash
+# unzip your backup file within the container
+unzip gitea-dump-1610949662.zip
+cd gitea-dump-1610949662
+# restore the app.ini
+mv data/conf/app.ini /etc/gitea/app.ini
+# restore the gitea data
+mv data/* /var/lib/gitea
+# restore the repositories itself
+mv repos/* /var/lib/gitea/git/repositories
+# adjust file permissions
+chown -R git:git /etc/gitea/app.ini /var/lib/gitea
+# Regenerate Git Hooks
+/usr/local/bin/gitea -c '/etc/gitea/app.ini' admin regenerate hooks
+```
diff --git a/docs/content/doc/administration/backup-and-restore.zh-cn.md b/docs/content/doc/administration/backup-and-restore.zh-cn.md
new file mode 100644
index 0000000000..602657f419
--- /dev/null
+++ b/docs/content/doc/administration/backup-and-restore.zh-cn.md
@@ -0,0 +1,66 @@
+---
+date: "2018-06-06T09:33:00+08:00"
+title: "使用:备份与恢复"
+slug: "backup-and-restore"
+weight: 11
+toc: false
+draft: false
+menu:
+ sidebar:
+ parent: "administration"
+ name: "备份与恢复"
+ weight: 11
+ identifier: "backup-and-restore"
+---
+
+# 备份与恢复
+
+Gitea 已经实现了 `dump` 命令可以用来备份所有需要的文件到一个zip压缩文件。该压缩文件可以被用来进行数据恢复。
+
+## 备份命令 (`dump`)
+
+先转到git用户的权限: `su git`. 再Gitea目录运行 `./gitea dump`。一般会显示类似如下的输出:
+
+```
+2016/12/27 22:32:09 Creating tmp work dir: /tmp/gitea-dump-417443001
+2016/12/27 22:32:09 Dumping local repositories.../home/git/gitea-repositories
+2016/12/27 22:32:22 Dumping database...
+2016/12/27 22:32:22 Packing dump files...
+2016/12/27 22:32:34 Removing tmp work dir: /tmp/gitea-dump-417443001
+2016/12/27 22:32:34 Finish dumping in file gitea-dump-1482906742.zip
+```
+
+最后生成的 `gitea-dump-1482906742.zip` 文件将会包含如下内容:
+
+* `custom` - 所有保存在 `custom/` 目录下的配置和自定义的文件。
+* `data` - 数据目录下的所有内容不包含使用文件session的文件。该目录包含 `attachments`, `avatars`, `lfs`, `indexers`, 如果使用sqlite 还会包含 sqlite 数据库文件。
+* `gitea-db.sql` - 数据库dump出来的 SQL。
+* `gitea-repo.zip` - Git仓库压缩文件。
+* `log/` - Logs文件,如果用作迁移不是必须的。
+
+中间备份文件将会在临时目录进行创建,如果您要重新指定临时目录,可以用 `--tempdir` 参数,或者用 `TMPDIR` 环境变量。
+
+## Restore Command (`restore`)
+
+当前还没有恢复命令,恢复需要人工进行。主要是把文件和数据库进行恢复。
+
+例如:
+
+```sh
+unzip gitea-dump-1610949662.zip
+cd gitea-dump-1610949662
+mv data/conf/app.ini /etc/gitea/conf/app.ini
+mv data/* /var/lib/gitea/data/
+mv log/* /var/lib/gitea/log/
+mv repos/* /var/lib/gitea/repositories/
+chown -R gitea:gitea /etc/gitea/conf/app.ini /var/lib/gitea
+
+# mysql
+mysql --default-character-set=utf8mb4 -u$USER -p$PASS $DATABASE <gitea-db.sql
+# sqlite3
+sqlite3 $DATABASE_PATH <gitea-db.sql
+# postgres
+psql -U $USER -d $DATABASE < gitea-db.sql
+
+service gitea restart
+```
diff --git a/docs/content/doc/administration/backup-and-restore.zh-tw.md b/docs/content/doc/administration/backup-and-restore.zh-tw.md
new file mode 100644
index 0000000000..cab95217a3
--- /dev/null
+++ b/docs/content/doc/administration/backup-and-restore.zh-tw.md
@@ -0,0 +1,66 @@
+---
+date: "2017-01-01T16:00:00+02:00"
+title: "用法: 備份與還原"
+slug: "backup-and-restore"
+weight: 11
+toc: false
+draft: false
+menu:
+ sidebar:
+ parent: "administration"
+ name: "備份與還原"
+ weight: 11
+ identifier: "backup-and-restore"
+---
+
+# 備份與還原
+
+Gitea 目前支援 `dump` 指令,用來將資料備份成 zip 檔案,後續會提供還原指令,讓你可以輕易的將備份資料及還原到另外一台機器。
+
+## 備份指令 (`dump`)
+
+首先,切換到執行 Gitea 的使用者: `su git` (請修改成您指定的使用者),並在安裝目錄內執行 `./gitea dump` 指令,你可以看到 console 畫面如下:
+
+```
+2016/12/27 22:32:09 Creating tmp work dir: /tmp/gitea-dump-417443001
+2016/12/27 22:32:09 Dumping local repositories.../home/git/gitea-repositories
+2016/12/27 22:32:22 Dumping database...
+2016/12/27 22:32:22 Packing dump files...
+2016/12/27 22:32:34 Removing tmp work dir: /tmp/gitea-dump-417443001
+2016/12/27 22:32:34 Finish dumping in file gitea-dump-1482906742.zip
+```
+
+備份出來的 `gitea-dump-1482906742.zip` 檔案,檔案內會包含底下內容:
+
+* `custom/conf/app.ini` - 伺服器設定檔。
+* `gitea-db.sql` - SQL 備份檔案。
+* `gitea-repo.zip` - 此 zip 檔案為全部的 repo 目錄。
+ 請參考 Config -> repository -> `ROOT` 所設定的路徑。
+* `log/` - 全部 logs 檔案,如果你要 migrate 到其他伺服器,此目錄不用保留。
+
+你可以透過設定 `--tempdir` 指令參數來指定備份檔案目錄,或者是設定 `TMPDIR` 環境變數來達到此功能。
+
+## 還原指令 (`restore`)
+
+持續更新中: 此文件尚未完成.
+
+例:
+
+```sh
+unzip gitea-dump-1610949662.zip
+cd gitea-dump-1610949662
+mv data/conf/app.ini /etc/gitea/conf/app.ini
+mv data/* /var/lib/gitea/data/
+mv log/* /var/lib/gitea/log/
+mv repos/* /var/lib/gitea/repositories/
+chown -R gitea:gitea /etc/gitea/conf/app.ini /var/lib/gitea
+
+# mysql
+mysql --default-character-set=utf8mb4 -u$USER -p$PASS $DATABASE <gitea-db.sql
+# sqlite3
+sqlite3 $DATABASE_PATH <gitea-db.sql
+# postgres
+psql -U $USER -d $DATABASE < gitea-db.sql
+
+service gitea restart
+```
diff --git a/docs/content/doc/administration/cmd-embedded.en-us.md b/docs/content/doc/administration/cmd-embedded.en-us.md
new file mode 100644
index 0000000000..cad0de9787
--- /dev/null
+++ b/docs/content/doc/administration/cmd-embedded.en-us.md
@@ -0,0 +1,121 @@
+---
+date: "2020-01-25T21:00:00-03:00"
+title: "Embedded data extraction tool"
+slug: "cmd-embedded"
+weight: 40
+toc: false
+draft: false
+menu:
+ sidebar:
+ parent: "administration"
+ name: "Embedded data extraction tool"
+ weight: 20
+ identifier: "cmd-embedded"
+---
+
+# Embedded data extraction tool
+
+**Table of Contents**
+
+{{< toc >}}
+
+Gitea's executable contains all the resources required to run: templates, images, style-sheets
+and translations. Any of them can be overridden by placing a replacement in a matching path
+inside the `custom` directory (see [Customizing Gitea]({{< relref "doc/administration/customizing-gitea.en-us.md" >}})).
+
+To obtain a copy of the embedded resources ready for editing, the `embedded` command from the CLI
+can be used from the OS shell interface.
+
+**NOTE:** The embedded data extraction tool is included in Gitea versions 1.12 and above.
+
+## Listing resources
+
+To list resources embedded in Gitea's executable, use the following syntax:
+
+```sh
+gitea embedded list [--include-vendored] [patterns...]
+```
+
+The `--include-vendored` flag makes the command include vendored files, which are
+normally excluded; that is, files from external libraries that are required for Gitea
+(e.g. [font-awesome](https://fontawesome.com/), [octicons](https://octicons.github.com/), etc).
+
+A list of file search patterns can be provided. Gitea uses [gobwas/glob](https://github.com/gobwas/glob)
+for its glob syntax. Here are some examples:
+
+- List all template files, in any virtual directory: `**.tmpl`
+- List all mail template files: `templates/mail/**.tmpl`
+- List all files inside `public/img`: `public/img/**`
+
+Don't forget to use quotes for the patterns, as spaces, `*` and other characters might have
+a special meaning for your command shell.
+
+If no pattern is provided, all files are listed.
+
+### Example
+
+Listing all embedded files with `openid` in their path:
+
+```sh
+$ gitea embedded list '**openid**'
+public/img/auth/openid_connect.svg
+public/img/openid-16x16.png
+templates/user/auth/finalize_openid.tmpl
+templates/user/auth/signin_openid.tmpl
+templates/user/auth/signup_openid_connect.tmpl
+templates/user/auth/signup_openid_navbar.tmpl
+templates/user/auth/signup_openid_register.tmpl
+templates/user/settings/security_openid.tmpl
+```
+
+## Extracting resources
+
+To extract resources embedded in Gitea's executable, use the following syntax:
+
+```sh
+gitea [--config {file}] embedded extract [--destination {dir}|--custom] [--overwrite|--rename] [--include-vendored] {patterns...}
+```
+
+The `--config` option tells Gitea the location of the `app.ini` configuration file if
+it's not in its default location. This option is only used with the `--custom` flag.
+
+The `--destination` option tells Gitea the directory where the files must be extracted to.
+The default is the current directory.
+
+The `--custom` flag tells Gitea to extract the files directly into the `custom` directory.
+For this to work, the command needs to know the location of the `app.ini` configuration
+file (`--config`) and, depending of the configuration, be ran from the directory where
+Gitea normally starts. See [Customizing Gitea]({{< relref "doc/administration/customizing-gitea.en-us.md" >}}) for details.
+
+The `--overwrite` flag allows any existing files in the destination directory to be overwritten.
+
+The `--rename` flag tells Gitea to rename any existing files in the destination directory
+as `filename.bak`. Previous `.bak` files are overwritten.
+
+At least one file search pattern must be provided; see `list` subcomand above for pattern
+syntax and examples.
+
+### Important notice
+
+Make sure to **only extract those files that require customization**. Files that
+are present in the `custom` directory are not upgraded by Gitea's upgrade process.
+When Gitea is upgraded to a new version (by replacing the executable), many of the
+embedded files will suffer changes. Gitea will honor and use any files found
+in the `custom` directory, even if they are old and incompatible.
+
+### Example
+
+Extracting mail templates to a temporary directory:
+
+```sh
+$ mkdir tempdir
+$ gitea embedded extract --destination tempdir 'templates/mail/**.tmpl'
+Extracting to tempdir:
+tempdir/templates/mail/auth/activate.tmpl
+tempdir/templates/mail/auth/activate_email.tmpl
+tempdir/templates/mail/auth/register_notify.tmpl
+tempdir/templates/mail/auth/reset_passwd.tmpl
+tempdir/templates/mail/issue/assigned.tmpl
+tempdir/templates/mail/issue/default.tmpl
+tempdir/templates/mail/notify/collaborator.tmpl
+```
diff --git a/docs/content/doc/administration/command-line.en-us.md b/docs/content/doc/administration/command-line.en-us.md
new file mode 100644
index 0000000000..3dfad62f3d
--- /dev/null
+++ b/docs/content/doc/administration/command-line.en-us.md
@@ -0,0 +1,553 @@
+---
+date: "2017-01-01T16:00:00+02:00"
+title: "Usage: Command Line"
+slug: "command-line"
+weight: 10
+toc: false
+draft: false
+menu:
+ sidebar:
+ parent: "administration"
+ name: "Command Line"
+ weight: 1
+ identifier: "command-line"
+---
+
+# Command Line
+
+**Table of Contents**
+
+{{< toc >}}
+
+## Usage
+
+`gitea [global options] command [command or global options] [arguments...]`
+
+## Global options
+
+All global options can be placed at the command level.
+
+- `--help`, `-h`: Show help text and exit. Optional.
+- `--version`, `-v`: Show version and exit. Optional. (example: `Gitea version 1.1.0+218-g7b907ed built with: bindata, sqlite`).
+- `--custom-path path`, `-C path`: Location of the Gitea custom folder. Optional. (default: `AppWorkPath`/custom or `$GITEA_CUSTOM`).
+- `--config path`, `-c path`: Gitea configuration file path. Optional. (default: `custom`/conf/app.ini).
+- `--work-path path`, `-w path`: Gitea `AppWorkPath`. Optional. (default: LOCATION_OF_GITEA_BINARY or `$GITEA_WORK_DIR`)
+
+NB: The defaults custom-path, config and work-path can also be
+changed at build time (if preferred).
+
+## Commands
+
+### web
+
+Starts the server:
+
+- Options:
+ - `--port number`, `-p number`: Port number. Optional. (default: 3000). Overrides configuration file.
+ - `--install-port number`: Port number to run the install page on. Optional. (default: 3000). Overrides configuration file.
+ - `--pid path`, `-P path`: Pidfile path. Optional.
+ - `--quiet`, `-q`: Only emit Fatal logs on the console for logs emitted before logging set up.
+ - `--verbose`: Emit tracing logs on the console for logs emitted before logging is set-up.
+- Examples:
+ - `gitea web`
+ - `gitea web --port 80`
+ - `gitea web --config /etc/gitea.ini --pid /some/custom/gitea.pid`
+- Notes:
+ - Gitea should not be run as root. To bind to a port below 1024, you can use setcap on
+ Linux: `sudo setcap 'cap_net_bind_service=+ep' /path/to/gitea`. This will need to be
+ redone every time you update Gitea.
+
+### admin
+
+Admin operations:
+
+- Commands:
+ - `user`:
+ - `list`:
+ - Options:
+ - `--admin`: List only admin users. Optional.
+ - Description: lists all users that exist
+ - Examples:
+ - `gitea admin user list`
+ - `delete`:
+ - Options:
+ - `--email`: Email of the user to be deleted.
+ - `--username`: Username of user to be deleted.
+ - `--id`: ID of user to be deleted.
+ - One of `--id`, `--username` or `--email` is required. If more than one is provided then all have to match.
+ - Examples:
+ - `gitea admin user delete --id 1`
+ - `create`:
+ - Options:
+ - `--name value`: Username. Required. As of Gitea 1.9.0, use the `--username` flag instead.
+ - `--username value`: Username. Required. New in Gitea 1.9.0.
+ - `--password value`: Password. Required.
+ - `--email value`: Email. Required.
+ - `--admin`: If provided, this makes the user an admin. Optional.
+ - `--access-token`: If provided, an access token will be created for the user. Optional. (default: false).
+ - `--must-change-password`: If provided, the created user will be required to choose a newer password after the
+ initial login. Optional. (default: true).
+ - `--random-password`: If provided, a randomly generated password will be used as the password of the created
+ user. The value of `--password` will be discarded. Optional.
+ - `--random-password-length`: If provided, it will be used to configure the length of the randomly generated
+ password. Optional. (default: 12)
+ - Examples:
+ - `gitea admin user create --username myname --password asecurepassword --email me@example.com`
+ - `change-password`:
+ - Options:
+ - `--username value`, `-u value`: Username. Required.
+ - `--password value`, `-p value`: New password. Required.
+ - Examples:
+ - `gitea admin user change-password --username myname --password asecurepassword`
+ - `must-change-password`:
+ - Args:
+ - `[username...]`: Users that must change their passwords
+ - Options:
+ - `--all`, `-A`: Force a password change for all users
+ - `--exclude username`, `-e username`: Exclude the given user. Can be set multiple times.
+ - `--unset`: Revoke forced password change for the given users
+ - `regenerate`
+ - Options:
+ - `hooks`: Regenerate Git Hooks for all repositories
+ - `keys`: Regenerate authorized_keys file
+ - Examples:
+ - `gitea admin regenerate hooks`
+ - `gitea admin regenerate keys`
+ - `auth`:
+ - `list`:
+ - Description: lists all external authentication sources that exist
+ - Examples:
+ - `gitea admin auth list`
+ - `delete`:
+ - Options:
+ - `--id`: ID of source to be deleted. Required.
+ - Examples:
+ - `gitea admin auth delete --id 1`
+ - `add-oauth`:
+ - Options:
+ - `--name`: Application Name.
+ - `--provider`: OAuth2 Provider.
+ - `--key`: Client ID (Key).
+ - `--secret`: Client Secret.
+ - `--auto-discover-url`: OpenID Connect Auto Discovery URL (only required when using OpenID Connect as provider).
+ - `--use-custom-urls`: Use custom URLs for GitLab/GitHub OAuth endpoints.
+ - `--custom-tenant-id`: Use custom Tenant ID for OAuth endpoints.
+ - `--custom-auth-url`: Use a custom Authorization URL (option for GitLab/GitHub).
+ - `--custom-token-url`: Use a custom Token URL (option for GitLab/GitHub).
+ - `--custom-profile-url`: Use a custom Profile URL (option for GitLab/GitHub).
+ - `--custom-email-url`: Use a custom Email URL (option for GitHub).
+ - `--icon-url`: Custom icon URL for OAuth2 login source.
+ - `--skip-local-2fa`: Allow source to override local 2FA. (Optional)
+ - `--scopes`: Additional scopes to request for this OAuth2 source. (Optional)
+ - `--required-claim-name`: Claim name that has to be set to allow users to login with this source. (Optional)
+ - `--required-claim-value`: Claim value that has to be set to allow users to login with this source. (Optional)
+ - `--group-claim-name`: Claim name providing group names for this source. (Optional)
+ - `--admin-group`: Group Claim value for administrator users. (Optional)
+ - `--restricted-group`: Group Claim value for restricted users. (Optional)
+ - `--group-team-map`: JSON mapping between groups and org teams. (Optional)
+ - `--group-team-map-removal`: Activate automatic team membership removal depending on groups. (Optional)
+ - Examples:
+ - `gitea admin auth add-oauth --name external-github --provider github --key OBTAIN_FROM_SOURCE --secret OBTAIN_FROM_SOURCE`
+ - `update-oauth`:
+ - Options:
+ - `--id`: ID of source to be updated. Required.
+ - `--name`: Application Name.
+ - `--provider`: OAuth2 Provider.
+ - `--key`: Client ID (Key).
+ - `--secret`: Client Secret.
+ - `--auto-discover-url`: OpenID Connect Auto Discovery URL (only required when using OpenID Connect as provider).
+ - `--use-custom-urls`: Use custom URLs for GitLab/GitHub OAuth endpoints.
+ - `--custom-tenant-id`: Use custom Tenant ID for OAuth endpoints.
+ - `--custom-auth-url`: Use a custom Authorization URL (option for GitLab/GitHub).
+ - `--custom-token-url`: Use a custom Token URL (option for GitLab/GitHub).
+ - `--custom-profile-url`: Use a custom Profile URL (option for GitLab/GitHub).
+ - `--custom-email-url`: Use a custom Email URL (option for GitHub).
+ - `--icon-url`: Custom icon URL for OAuth2 login source.
+ - `--skip-local-2fa`: Allow source to override local 2FA. (Optional)
+ - `--scopes`: Additional scopes to request for this OAuth2 source.
+ - `--required-claim-name`: Claim name that has to be set to allow users to login with this source. (Optional)
+ - `--required-claim-value`: Claim value that has to be set to allow users to login with this source. (Optional)
+ - `--group-claim-name`: Claim name providing group names for this source. (Optional)
+ - `--admin-group`: Group Claim value for administrator users. (Optional)
+ - `--restricted-group`: Group Claim value for restricted users. (Optional)
+ - Examples:
+ - `gitea admin auth update-oauth --id 1 --name external-github-updated`
+ - `add-smtp`:
+ - Options:
+ - `--name`: Application Name. Required.
+ - `--auth-type`: SMTP Authentication Type (PLAIN/LOGIN/CRAM-MD5). Default to PLAIN.
+ - `--host`: SMTP host. Required.
+ - `--port`: SMTP port. Required.
+ - `--force-smtps`: SMTPS is always used on port 465. Set this to force SMTPS on other ports.
+ - `--skip-verify`: Skip TLS verify.
+ - `--helo-hostname`: Hostname sent with HELO. Leave blank to send current hostname.
+ - `--disable-helo`: Disable SMTP helo.
+ - `--allowed-domains`: Leave empty to allow all domains. Separate multiple domains with a comma (',').
+ - `--skip-local-2fa`: Skip 2FA to log on.
+ - `--active`: This Authentication Source is Activated.
+ Remarks:
+ `--force-smtps`, `--skip-verify`, `--disable-helo`, `--skip-loca-2fs` and `--active` options can be used in form:
+ - `--option`, `--option=true` to enable
+ - `--option=false` to disable
+ If those options are not specified value would not be changed in `update-smtp` or would use default `false` value in `add-smtp`
+ - Examples:
+ - `gitea admin auth add-smtp --name ldap --host smtp.mydomain.org --port 587 --skip-verify --active`
+ - `update-smtp`:
+ - Options:
+ - `--id`: ID of source to be updated. Required.
+ - other options are shared with `add-smtp`
+ - Examples:
+ - `gitea admin auth update-smtp --id 1 --host smtp.mydomain.org --port 587 --skip-verify=false`
+ - `gitea admin auth update-smtp --id 1 --active=false`
+ - `add-ldap`: Add new LDAP (via Bind DN) authentication source
+ - Options:
+ - `--name value`: Authentication name. Required.
+ - `--not-active`: Deactivate the authentication source.
+ - `--security-protocol value`: Security protocol name. Required.
+ - `--skip-tls-verify`: Disable TLS verification.
+ - `--host value`: The address where the LDAP server can be reached. Required.
+ - `--port value`: The port to use when connecting to the LDAP server. Required.
+ - `--user-search-base value`: The LDAP base at which user accounts will be searched for. Required.
+ - `--user-filter value`: An LDAP filter declaring how to find the user record that is attempting to authenticate. Required.
+ - `--admin-filter value`: An LDAP filter specifying if a user should be given administrator privileges.
+ - `--restricted-filter value`: An LDAP filter specifying if a user should be given restricted status.
+ - `--username-attribute value`: The attribute of the user’s LDAP record containing the user name.
+ - `--firstname-attribute value`: The attribute of the user’s LDAP record containing the user’s first name.
+ - `--surname-attribute value`: The attribute of the user’s LDAP record containing the user’s surname.
+ - `--email-attribute value`: The attribute of the user’s LDAP record containing the user’s email address. Required.
+ - `--public-ssh-key-attribute value`: The attribute of the user’s LDAP record containing the user’s public ssh key.
+ - `--avatar-attribute value`: The attribute of the user’s LDAP record containing the user’s avatar.
+ - `--bind-dn value`: The DN to bind to the LDAP server with when searching for the user.
+ - `--bind-password value`: The password for the Bind DN, if any.
+ - `--attributes-in-bind`: Fetch attributes in bind DN context.
+ - `--synchronize-users`: Enable user synchronization.
+ - `--page-size value`: Search page size.
+ - Examples:
+ - `gitea admin auth add-ldap --name ldap --security-protocol unencrypted --host mydomain.org --port 389 --user-search-base "ou=Users,dc=mydomain,dc=org" --user-filter "(&(objectClass=posixAccount)(uid=%s))" --email-attribute mail`
+ - `update-ldap`: Update existing LDAP (via Bind DN) authentication source
+ - Options:
+ - `--id value`: ID of authentication source. Required.
+ - `--name value`: Authentication name.
+ - `--not-active`: Deactivate the authentication source.
+ - `--security-protocol value`: Security protocol name.
+ - `--skip-tls-verify`: Disable TLS verification.
+ - `--host value`: The address where the LDAP server can be reached.
+ - `--port value`: The port to use when connecting to the LDAP server.
+ - `--user-search-base value`: The LDAP base at which user accounts will be searched for.
+ - `--user-filter value`: An LDAP filter declaring how to find the user record that is attempting to authenticate.
+ - `--admin-filter value`: An LDAP filter specifying if a user should be given administrator privileges.
+ - `--restricted-filter value`: An LDAP filter specifying if a user should be given restricted status.
+ - `--username-attribute value`: The attribute of the user’s LDAP record containing the user name.
+ - `--firstname-attribute value`: The attribute of the user’s LDAP record containing the user’s first name.
+ - `--surname-attribute value`: The attribute of the user’s LDAP record containing the user’s surname.
+ - `--email-attribute value`: The attribute of the user’s LDAP record containing the user’s email address.
+ - `--public-ssh-key-attribute value`: The attribute of the user’s LDAP record containing the user’s public ssh key.
+ - `--avatar-attribute value`: The attribute of the user’s LDAP record containing the user’s avatar.
+ - `--bind-dn value`: The DN to bind to the LDAP server with when searching for the user.
+ - `--bind-password value`: The password for the Bind DN, if any.
+ - `--attributes-in-bind`: Fetch attributes in bind DN context.
+ - `--synchronize-users`: Enable user synchronization.
+ - `--page-size value`: Search page size.
+ - Examples:
+ - `gitea admin auth update-ldap --id 1 --name "my ldap auth source"`
+ - `gitea admin auth update-ldap --id 1 --username-attribute uid --firstname-attribute givenName --surname-attribute sn`
+ - `add-ldap-simple`: Add new LDAP (simple auth) authentication source
+ - Options:
+ - `--name value`: Authentication name. Required.
+ - `--not-active`: Deactivate the authentication source.
+ - `--security-protocol value`: Security protocol name. Required.
+ - `--skip-tls-verify`: Disable TLS verification.
+ - `--host value`: The address where the LDAP server can be reached. Required.
+ - `--port value`: The port to use when connecting to the LDAP server. Required.
+ - `--user-search-base value`: The LDAP base at which user accounts will be searched for.
+ - `--user-filter value`: An LDAP filter declaring how to find the user record that is attempting to authenticate. Required.
+ - `--admin-filter value`: An LDAP filter specifying if a user should be given administrator privileges.
+ - `--restricted-filter value`: An LDAP filter specifying if a user should be given restricted status.
+ - `--username-attribute value`: The attribute of the user’s LDAP record containing the user name.
+ - `--firstname-attribute value`: The attribute of the user’s LDAP record containing the user’s first name.
+ - `--surname-attribute value`: The attribute of the user’s LDAP record containing the user’s surname.
+ - `--email-attribute value`: The attribute of the user’s LDAP record containing the user’s email address. Required.
+ - `--public-ssh-key-attribute value`: The attribute of the user’s LDAP record containing the user’s public ssh key.
+ - `--avatar-attribute value`: The attribute of the user’s LDAP record containing the user’s avatar.
+ - `--user-dn value`: The user’s DN. Required.
+ - Examples:
+ - `gitea admin auth add-ldap-simple --name ldap --security-protocol unencrypted --host mydomain.org --port 389 --user-dn "cn=%s,ou=Users,dc=mydomain,dc=org" --user-filter "(&(objectClass=posixAccount)(cn=%s))" --email-attribute mail`
+ - `update-ldap-simple`: Update existing LDAP (simple auth) authentication source
+ - Options:
+ - `--id value`: ID of authentication source. Required.
+ - `--name value`: Authentication name.
+ - `--not-active`: Deactivate the authentication source.
+ - `--security-protocol value`: Security protocol name.
+ - `--skip-tls-verify`: Disable TLS verification.
+ - `--host value`: The address where the LDAP server can be reached.
+ - `--port value`: The port to use when connecting to the LDAP server.
+ - `--user-search-base value`: The LDAP base at which user accounts will be searched for.
+ - `--user-filter value`: An LDAP filter declaring how to find the user record that is attempting to authenticate.
+ - `--admin-filter value`: An LDAP filter specifying if a user should be given administrator privileges.
+ - `--restricted-filter value`: An LDAP filter specifying if a user should be given restricted status.
+ - `--username-attribute value`: The attribute of the user’s LDAP record containing the user name.
+ - `--firstname-attribute value`: The attribute of the user’s LDAP record containing the user’s first name.
+ - `--surname-attribute value`: The attribute of the user’s LDAP record containing the user’s surname.
+ - `--email-attribute value`: The attribute of the user’s LDAP record containing the user’s email address.
+ - `--public-ssh-key-attribute value`: The attribute of the user’s LDAP record containing the user’s public ssh key.
+ - `--avatar-attribute value`: The attribute of the user’s LDAP record containing the user’s avatar.
+ - `--user-dn value`: The user’s DN.
+ - Examples:
+ - `gitea admin auth update-ldap-simple --id 1 --name "my ldap auth source"`
+ - `gitea admin auth update-ldap-simple --id 1 --username-attribute uid --firstname-attribute givenName --surname-attribute sn`
+
+### cert
+
+Generates a self-signed SSL certificate. Outputs to `cert.pem` and `key.pem` in the current
+directory and will overwrite any existing files.
+
+- Options:
+ - `--host value`: Comma separated hostnames and ips which this certificate is valid for.
+ Wildcards are supported. Required.
+ - `--ecdsa-curve value`: ECDSA curve to use to generate a key. Optional. Valid options
+ are P224, P256, P384, P521.
+ - `--rsa-bits value`: Size of RSA key to generate. Optional. Ignored if --ecdsa-curve is
+ set. (default: 2048).
+ - `--start-date value`: Creation date. Optional. (format: `Jan 1 15:04:05 2011`).
+ - `--duration value`: Duration which the certificate is valid for. Optional. (default: 8760h0m0s)
+ - `--ca`: If provided, this cert generates it's own certificate authority. Optional.
+- Examples:
+ - `gitea cert --host git.example.com,example.com,www.example.com --ca`
+
+### dump
+
+Dumps all files and databases into a zip file. Outputs into a file like `gitea-dump-1482906742.zip`
+in the current directory.
+
+- Options:
+ - `--file name`, `-f name`: Name of the dump file with will be created. Optional. (default: gitea-dump-[timestamp].zip).
+ - `--tempdir path`, `-t path`: Path to the temporary directory used. Optional. (default: /tmp).
+ - `--skip-repository`, `-R`: Skip the repository dumping. Optional.
+ - `--skip-custom-dir`: Skip dumping of the custom dir. Optional.
+ - `--skip-lfs-data`: Skip dumping of LFS data. Optional.
+ - `--skip-attachment-data`: Skip dumping of attachment data. Optional.
+ - `--skip-package-data`: Skip dumping of package data. Optional.
+ - `--skip-log`: Skip dumping of log data. Optional.
+ - `--database`, `-d`: Specify the database SQL syntax. Optional.
+ - `--verbose`, `-V`: If provided, shows additional details. Optional.
+ - `--type`: Set the dump output format. Optional. (default: zip)
+- Examples:
+ - `gitea dump`
+ - `gitea dump --verbose`
+
+### generate
+
+Generates random values and tokens for usage in configuration file. Useful for generating values
+for automatic deployments.
+
+- Commands:
+ - `secret`:
+ - Options:
+ - `INTERNAL_TOKEN`: Token used for an internal API call authentication.
+ - `JWT_SECRET`: LFS & OAUTH2 JWT authentication secret (LFS_JWT_SECRET is aliased to this option for backwards compatibility).
+ - `SECRET_KEY`: Global secret key.
+ - Examples:
+ - `gitea generate secret INTERNAL_TOKEN`
+ - `gitea generate secret JWT_SECRET`
+ - `gitea generate secret SECRET_KEY`
+
+### keys
+
+Provides an SSHD AuthorizedKeysCommand. Needs to be configured in the sshd config file:
+
+```ini
+...
+# The value of -e and the AuthorizedKeysCommandUser should match the
+# username running Gitea
+AuthorizedKeysCommandUser git
+AuthorizedKeysCommand /path/to/gitea keys -e git -u %u -t %t -k %k
+```
+
+The command will return the appropriate authorized_keys line for the
+provided key. You should also set the value
+`SSH_CREATE_AUTHORIZED_KEYS_FILE=false` in the `[server]` section of
+`app.ini`.
+
+NB: opensshd requires the Gitea program to be owned by root and not
+writable by group or others. The program must be specified by an absolute
+path.
+NB: Gitea must be running for this command to succeed.
+
+### migrate
+
+Migrates the database. This command can be used to run other commands before starting the server for the first time.
+This command is idempotent.
+
+### convert
+
+Converts an existing MySQL database from utf8 to utf8mb4.
+
+### doctor
+
+Diagnose the problems of current Gitea instance according the given configuration.
+Currently there are a check list below:
+
+- Check if OpenSSH authorized_keys file id correct
+ When your Gitea instance support OpenSSH, your Gitea instance binary path will be written to `authorized_keys`
+ when there is any public key added or changed on your Gitea instance.
+ Sometimes if you moved or renamed your Gitea binary when upgrade and you haven't run `Update the '.ssh/authorized_keys' file with Gitea SSH keys. (Not needed for the built-in SSH server.)` on your Admin Panel. Then all pull/push via SSH will not be work.
+ This check will help you to check if it works well.
+
+For contributors, if you want to add more checks, you can write a new function like `func(ctx *cli.Context) ([]string, error)` and
+append it to `doctor.go`.
+
+```go
+var checklist = []check{
+ {
+ title: "Check if OpenSSH authorized_keys file id correct",
+ f: runDoctorLocationMoved,
+ },
+ // more checks please append here
+}
+```
+
+This function will receive a command line context and return a list of details about the problems or error.
+
+#### doctor recreate-table
+
+Sometimes when there are migrations the old columns and default values may be left
+unchanged in the database schema. This may lead to warning such as:
+
+```
+2020/08/02 11:32:29 ...rm/session_schema.go:360:Sync2() [W] Table user Column keep_activity_private db default is , struct default is 0
+```
+
+You can cause Gitea to recreate these tables and copy the old data into the new table
+with the defaults set appropriately by using:
+
+```
+gitea doctor recreate-table user
+```
+
+You can ask Gitea to recreate multiple tables using:
+
+```
+gitea doctor recreate-table table1 table2 ...
+```
+
+And if you would like Gitea to recreate all tables simply call:
+
+```
+gitea doctor recreate-table
+```
+
+It is highly recommended to back-up your database before running these commands.
+
+### manager
+
+Manage running server operations:
+
+- Commands:
+ - `shutdown`: Gracefully shutdown the running process
+ - `restart`: Gracefully restart the running process - (not implemented for windows servers)
+ - `flush-queues`: Flush queues in the running process
+ - Options:
+ - `--timeout value`: Timeout for the flushing process (default: 1m0s)
+ - `--non-blocking`: Set to true to not wait for flush to complete before returning
+ - `logging`: Adjust logging commands
+ - Commands:
+ - `pause`: Pause logging
+ - Notes:
+ - The logging level will be raised to INFO temporarily if it is below this level.
+ - Gitea will buffer logs up to a certain point and will drop them after that point.
+ - `resume`: Resume logging
+ - `release-and-reopen`: Cause Gitea to release and re-open files and connections used for logging (Equivalent to sending SIGUSR1 to Gitea.)
+ - `remove name`: Remove the named logger
+ - Options:
+ - `--group group`, `-g group`: Set the group to remove the sublogger from. (defaults to `default`)
+ - `add`: Add a logger
+ - Commands:
+ - `console`: Add a console logger
+ - Options:
+ - `--group value`, `-g value`: Group to add logger to - will default to "default"
+ - `--name value`, `-n value`: Name of the new logger - will default to mode
+ - `--level value`, `-l value`: Logging level for the new logger
+ - `--stacktrace-level value`, `-L value`: Stacktrace logging level
+ - `--flags value`, `-F value`: Flags for the logger
+ - `--expression value`, `-e value`: Matching expression for the logger
+ - `--prefix value`, `-p value`: Prefix for the logger
+ - `--color`: Use color in the logs
+ - `--stderr`: Output console logs to stderr - only relevant for console
+ - `file`: Add a file logger
+ - Options:
+ - `--group value`, `-g value`: Group to add logger to - will default to "default"
+ - `--name value`, `-n value`: Name of the new logger - will default to mode
+ - `--level value`, `-l value`: Logging level for the new logger
+ - `--stacktrace-level value`, `-L value`: Stacktrace logging level
+ - `--flags value`, `-F value`: Flags for the logger
+ - `--expression value`, `-e value`: Matching expression for the logger
+ - `--prefix value`, `-p value`: Prefix for the logger
+ - `--color`: Use color in the logs
+ - `--filename value`, `-f value`: Filename for the logger -
+ - `--rotate`, `-r`: Rotate logs
+ - `--max-size value`, `-s value`: Maximum size in bytes before rotation
+ - `--daily`, `-d`: Rotate logs daily
+ - `--max-days value`, `-D value`: Maximum number of daily logs to keep
+ - `--compress`, `-z`: Compress rotated logs
+ - `--compression-level value`, `-Z value`: Compression level to use
+ - `conn`: Add a network connection logger
+ - Options:
+ - `--group value`, `-g value`: Group to add logger to - will default to "default"
+ - `--name value`, `-n value`: Name of the new logger - will default to mode
+ - `--level value`, `-l value`: Logging level for the new logger
+ - `--stacktrace-level value`, `-L value`: Stacktrace logging level
+ - `--flags value`, `-F value`: Flags for the logger
+ - `--expression value`, `-e value`: Matching expression for the logger
+ - `--prefix value`, `-p value`: Prefix for the logger
+ - `--color`: Use color in the logs
+ - `--reconnect-on-message`, `-R`: Reconnect to host for every message
+ - `--reconnect`, `-r`: Reconnect to host when connection is dropped
+ - `--protocol value`, `-P value`: Set protocol to use: tcp, unix, or udp (defaults to tcp)
+ - `--address value`, `-a value`: Host address and port to connect to (defaults to :7020)
+ - `smtp`: Add an SMTP logger
+ - Options:
+ - `--group value`, `-g value`: Group to add logger to - will default to "default"
+ - `--name value`, `-n value`: Name of the new logger - will default to mode
+ - `--level value`, `-l value`: Logging level for the new logger
+ - `--stacktrace-level value`, `-L value`: Stacktrace logging level
+ - `--flags value`, `-F value`: Flags for the logger
+ - `--expression value`, `-e value`: Matching expression for the logger
+ - `--prefix value`, `-p value`: Prefix for the logger
+ - `--color`: Use color in the logs
+ - `--username value`, `-u value`: Mail server username
+ - `--password value`, `-P value`: Mail server password
+ - `--host value`, `-H value`: Mail server host (defaults to: 127.0.0.1:25)
+ - `--send-to value`, `-s value`: Email address(es) to send to
+ - `--subject value`, `-S value`: Subject header of sent emails
+ - `processes`: Display Gitea processes and goroutine information
+ - Options:
+ - `--flat`: Show processes as flat table rather than as tree
+ - `--no-system`: Do not show system processes
+ - `--stacktraces`: Show stacktraces for goroutines associated with processes
+ - `--json`: Output as json
+ - `--cancel PID`: Send cancel to process with PID. (Only for non-system processes.)
+
+### dump-repo
+
+Dump-repo dumps repository data from Git/GitHub/Gitea/GitLab:
+
+- Options:
+ - `--git_service service` : Git service, it could be `git`, `github`, `gitea`, `gitlab`, If clone_addr could be recognized, this could be ignored.
+ - `--repo_dir dir`, `-r dir`: Repository dir path to store the data
+ - `--clone_addr addr`: The URL will be clone, currently could be a git/github/gitea/gitlab http/https URL. i.e. https://github.com/lunny/tango.git
+ - `--auth_username lunny`: The username to visit the clone_addr
+ - `--auth_password <password>`: The password to visit the clone_addr
+ - `--auth_token <token>`: The personal token to visit the clone_addr
+ - `--owner_name lunny`: The data will be stored on a directory with owner name if not empty
+ - `--repo_name tango`: The data will be stored on a directory with repository name if not empty
+ - `--units <units>`: Which items will be migrated, one or more units should be separated as comma. wiki, issues, labels, releases, release_assets, milestones, pull_requests, comments are allowed. Empty means all units.
+
+### restore-repo
+
+Restore-repo restore repository data from disk dir:
+
+- Options:
+ - `--repo_dir dir`, `-r dir`: Repository dir path to restore from
+ - `--owner_name lunny`: Restore destination owner name
+ - `--repo_name tango`: Restore destination repository name
+ - `--units <units>`: Which items will be restored, one or more units should be separated as comma. wiki, issues, labels, releases, release_assets, milestones, pull_requests, comments are allowed. Empty means all units.
diff --git a/docs/content/doc/administration/config-cheat-sheet.en-us.md b/docs/content/doc/administration/config-cheat-sheet.en-us.md
new file mode 100644
index 0000000000..886aa11186
--- /dev/null
+++ b/docs/content/doc/administration/config-cheat-sheet.en-us.md
@@ -0,0 +1,1395 @@
+---
+date: "2016-12-26T16:00:00+02:00"
+title: "Config Cheat Sheet"
+slug: "config-cheat-sheet"
+weight: 20
+toc: false
+draft: false
+menu:
+ sidebar:
+ parent: "administration"
+ name: "Config Cheat Sheet"
+ weight: 30
+ identifier: "config-cheat-sheet"
+---
+
+# Configuration Cheat Sheet
+
+This is a cheat sheet for the Gitea configuration file. It contains most of the settings
+that can be configured as well as their default values.
+
+Any changes to the Gitea configuration file should be made in `custom/conf/app.ini`
+or any corresponding location. When installing from a distribution, this will
+typically be found at `/etc/gitea/conf/app.ini`.
+
+The defaults provided here are best-effort (not built automatically). They are
+accurately recorded in [app.example.ini](https://github.com/go-gitea/gitea/blob/main/custom/conf/app.example.ini)
+(s/main/\<tag|release\>). Any string in the format `%(X)s` is a feature powered
+by [ini](https://github.com/go-ini/ini/#recursive-values), for reading values recursively.
+
+In the default values below, a value in the form `$XYZ` refers to an environment variable. (However, see `environment-to-ini`.) Values in the form _`XxYyZz`_ refer to values listed as part of the default configuration. These notation forms will not work in your own `app.ini` file and are only listed here as documentation.
+
+Values containing `#` or `;` must be quoted using `` ` `` or `"""`.
+
+**Note:** A full restart is required for Gitea configuration changes to take effect.
+
+{{< toc >}}
+
+## Default Configuration (non-`app.ini` configuration)
+
+These values are environment-dependent but form the basis of a lot of values. They will be
+reported as part of the default configuration when running `gitea --help` or on start-up. The order they are emitted there is slightly different but we will list them here in the order they are set-up.
+
+- _`AppPath`_: This is the absolute path of the running gitea binary.
+- _`AppWorkPath`_: This refers to "working path" of the `gitea` binary. It is determined by using the first set thing in the following hierarchy:
+ - The `--work-path` flag passed to the binary
+ - The environment variable `$GITEA_WORK_DIR`
+ - A built-in value set at build time (see building from source)
+ - Otherwise it defaults to the directory of the _`AppPath`_
+ - If any of the above are relative paths then they are made absolute against
+the directory of the _`AppPath`_
+- _`CustomPath`_: This is the base directory for custom templates and other options.
+It is determined by using the first set thing in the following hierarchy:
+ - The `--custom-path` flag passed to the binary
+ - The environment variable `$GITEA_CUSTOM`
+ - A built-in value set at build time (see building from source)
+ - Otherwise it defaults to _`AppWorkPath`_`/custom`
+ - If any of the above are relative paths then they are made absolute against the
+the directory of the _`AppWorkPath`_
+- _`CustomConf`_: This is the path to the `app.ini` file.
+ - The `--config` flag passed to the binary
+ - A built-in value set at build time (see building from source)
+ - Otherwise it defaults to _`CustomPath`_`/conf/app.ini`
+ - If any of the above are relative paths then they are made absolute against the
+the directory of the _`CustomPath`_
+
+In addition there is _`StaticRootPath`_ which can be set as a built-in at build time, but will otherwise default to _`AppWorkPath`_
+
+## Overall (`DEFAULT`)
+
+- `APP_NAME`: **Gitea: Git with a cup of tea**: Application name, used in the page title.
+- `RUN_USER`: **_current OS username_/`$USER`/`$USERNAME` e.g. git**: The user Gitea will run as.
+ This should be a dedicated system (non-user) account. Setting this incorrectly will cause Gitea
+ to not start.
+- `RUN_MODE`: **prod**: Application run mode, affects performance and debugging. Either "dev", "prod" or "test".
+
+## Repository (`repository`)
+
+- `ROOT`: **%(APP_DATA_PATH)s/gitea-repositories**: Root path for storing all repository data.
+ A relative path is interpreted as **_`AppWorkPath`_/%(ROOT)s**.
+- `SCRIPT_TYPE`: **bash**: The script type this server supports. Usually this is `bash`,
+ but some users report that only `sh` is available.
+- `DETECTED_CHARSETS_ORDER`: **UTF-8, UTF-16BE, UTF-16LE, UTF-32BE, UTF-32LE, ISO-8859, windows-1252, ISO-8859, windows-1250, ISO-8859, ISO-8859, ISO-8859, windows-1253, ISO-8859, windows-1255, ISO-8859, windows-1251, windows-1256, KOI8-R, ISO-8859, windows-1254, Shift_JIS, GB18030, EUC-JP, EUC-KR, Big5, ISO-2022, ISO-2022, ISO-2022, IBM424_rtl, IBM424_ltr, IBM420_rtl, IBM420_ltr**: Tie-break order of detected charsets - if the detected charsets have equal confidence, charsets earlier in the list will be chosen in preference to those later. Adding `defaults` will place the unnamed charsets at that point.
+- `ANSI_CHARSET`: **\<empty\>**: Default ANSI charset to override non-UTF-8 charsets to.
+- `FORCE_PRIVATE`: **false**: Force every new repository to be private.
+- `DEFAULT_PRIVATE`: **last**: Default private when creating a new repository.
+ \[last, private, public\]
+- `DEFAULT_PUSH_CREATE_PRIVATE`: **true**: Default private when creating a new repository with push-to-create.
+- `MAX_CREATION_LIMIT`: **-1**: Global maximum creation limit of repositories per user,
+ `-1` means no limit.
+- `PULL_REQUEST_QUEUE_LENGTH`: **1000**: Length of pull request patch test queue, make it. **DEPRECATED** use `LENGTH` in `[queue.pr_patch_checker]`.
+ as large as possible. Use caution when editing this value.
+- `MIRROR_QUEUE_LENGTH`: **1000**: Patch test queue length, increase if pull request patch
+ testing starts hanging. **DEPRECATED** use `LENGTH` in `[queue.mirror]`.
+- `PREFERRED_LICENSES`: **Apache License 2.0,MIT License**: Preferred Licenses to place at
+ the top of the list. Name must match file name in options/license or custom/options/license.
+- `DISABLE_HTTP_GIT`: **false**: Disable the ability to interact with repositories over the
+ HTTP protocol.
+- `USE_COMPAT_SSH_URI`: **false**: Force ssh:// clone url instead of scp-style uri when
+ default SSH port is used.
+- `ACCESS_CONTROL_ALLOW_ORIGIN`: **\<empty\>**: Value for Access-Control-Allow-Origin header,
+ default is not to present. **WARNING**: This maybe harmful to you website if you do not
+ give it a right value.
+- `DEFAULT_CLOSE_ISSUES_VIA_COMMITS_IN_ANY_BRANCH`: **false**: Close an issue if a commit on a non default branch marks it as closed.
+- `ENABLE_PUSH_CREATE_USER`: **false**: Allow users to push local repositories to Gitea and have them automatically created for a user.
+- `ENABLE_PUSH_CREATE_ORG`: **false**: Allow users to push local repositories to Gitea and have them automatically created for an org.
+- `DISABLED_REPO_UNITS`: **_empty_**: Comma separated list of globally disabled repo units. Allowed values: \[repo.issues, repo.ext_issues, repo.pulls, repo.wiki, repo.ext_wiki, repo.projects\]
+- `DEFAULT_REPO_UNITS`: **repo.code,repo.releases,repo.issues,repo.pulls,repo.wiki,repo.projects,repo.packages**: Comma separated list of default new repo units. Allowed values: \[repo.code, repo.releases, repo.issues, repo.pulls, repo.wiki, repo.projects\]. Note: Code and Releases can currently not be deactivated. If you specify default repo units you should still list them for future compatibility. External wiki and issue tracker can't be enabled by default as it requires additional settings. Disabled repo units will not be added to new repositories regardless if it is in the default list.
+- `DEFAULT_FORK_REPO_UNITS`: **repo.code,repo.pulls**: Comma separated list of default forked repo units. The set of allowed values and rules is the same as `DEFAULT_REPO_UNITS`.
+- `PREFIX_ARCHIVE_FILES`: **true**: Prefix archive files by placing them in a directory named after the repository.
+- `DISABLE_MIGRATIONS`: **false**: Disable migrating feature.
+- `DISABLE_STARS`: **false**: Disable stars feature.
+- `DEFAULT_BRANCH`: **main**: Default branch name of all repositories.
+- `ALLOW_ADOPTION_OF_UNADOPTED_REPOSITORIES`: **false**: Allow non-admin users to adopt unadopted repositories
+- `ALLOW_DELETION_OF_UNADOPTED_REPOSITORIES`: **false**: Allow non-admin users to delete unadopted repositories
+- `DISABLE_DOWNLOAD_SOURCE_ARCHIVES`: **false**: Don't allow download source archive files from UI
+- `ALLOW_FORK_WITHOUT_MAXIMUM_LIMIT`: **true**: Allow fork repositories without maximum number limit
+
+### Repository - Editor (`repository.editor`)
+
+- `LINE_WRAP_EXTENSIONS`: **.txt,.md,.markdown,.mdown,.mkd,**: List of file extensions for which lines should be wrapped in the Monaco editor. Separate extensions with a comma. To line wrap files without an extension, just put a comma
+- `PREVIEWABLE_FILE_MODES`: **markdown**: Valid file modes that have a preview API associated with them, such as `api/v1/markdown`. Separate the values by commas. The preview tab in edit mode won't be displayed if the file extension doesn't match.
+
+### Repository - Pull Request (`repository.pull-request`)
+
+- `WORK_IN_PROGRESS_PREFIXES`: **WIP:,\[WIP\]**: List of prefixes used in Pull Request
+ title to mark them as Work In Progress. These are matched in a case-insensitive manner.
+- `CLOSE_KEYWORDS`: **close**, **closes**, **closed**, **fix**, **fixes**, **fixed**, **resolve**, **resolves**, **resolved**: List of
+ keywords used in Pull Request comments to automatically close a related issue
+- `REOPEN_KEYWORDS`: **reopen**, **reopens**, **reopened**: List of keywords used in Pull Request comments to automatically reopen
+ a related issue
+- `DEFAULT_MERGE_STYLE`: **merge**: Set default merge style for repository creating, valid options: `merge`, `rebase`, `rebase-merge`, `squash`
+- `DEFAULT_MERGE_MESSAGE_COMMITS_LIMIT`: **50**: In the default merge message for squash commits include at most this many commits. Set to `-1` to include all commits
+- `DEFAULT_MERGE_MESSAGE_SIZE`: **5120**: In the default merge message for squash commits limit the size of the commit messages. Set to `-1` to have no limit. Only used if `POPULATE_SQUASH_COMMENT_WITH_COMMIT_MESSAGES` is `true`.
+- `DEFAULT_MERGE_MESSAGE_ALL_AUTHORS`: **false**: In the default merge message for squash commits walk all commits to include all authors in the Co-authored-by otherwise just use those in the limited list
+- `DEFAULT_MERGE_MESSAGE_MAX_APPROVERS`: **10**: In default merge messages limit the number of approvers listed as `Reviewed-by:`. Set to `-1` to include all.
+- `DEFAULT_MERGE_MESSAGE_OFFICIAL_APPROVERS_ONLY`: **true**: In default merge messages only include approvers who are officially allowed to review.
+- `POPULATE_SQUASH_COMMENT_WITH_COMMIT_MESSAGES`: **false**: In default squash-merge messages include the commit message of all commits comprising the pull request.
+- `ADD_CO_COMMITTER_TRAILERS`: **true**: Add co-authored-by and co-committed-by trailers to merge commit messages if committer does not match author.
+- `TEST_CONFLICTING_PATCHES_WITH_GIT_APPLY`: **false**: PR patches are tested using a three-way merge method to discover if there are conflicts. If this setting is set to **true**, conflicting patches will be retested using `git apply` - This was the previous behaviour in 1.18 (and earlier) but is somewhat inefficient. Please report if you find that this setting is required.
+
+### Repository - Issue (`repository.issue`)
+
+- `LOCK_REASONS`: **Too heated,Off-topic,Resolved,Spam**: A list of reasons why a Pull Request or Issue can be locked
+
+### Repository - Upload (`repository.upload`)
+
+- `ENABLED`: **true**: Whether repository file uploads are enabled
+- `TEMP_PATH`: **data/tmp/uploads**: Path for uploads (content gets deleted on Gitea restart)
+- `ALLOWED_TYPES`: **\<empty\>**: Comma-separated list of allowed file extensions (`.zip`), mime types (`text/plain`) or wildcard type (`image/*`, `audio/*`, `video/*`). Empty value or `*/*` allows all types.
+- `FILE_MAX_SIZE`: **3**: Max size of each file in megabytes.
+- `MAX_FILES`: **5**: Max number of files per upload
+
+### Repository - Release (`repository.release`)
+
+- `ALLOWED_TYPES`: **\<empty\>**: Comma-separated list of allowed file extensions (`.zip`), mime types (`text/plain`) or wildcard type (`image/*`, `audio/*`, `video/*`). Empty value or `*/*` allows all types.
+- `DEFAULT_PAGING_NUM`: **10**: The default paging number of releases user interface
+- For settings related to file attachments on releases, see the `attachment` section.
+
+### Repository - Signing (`repository.signing`)
+
+- `SIGNING_KEY`: **default**: \[none, KEYID, default \]: Key to sign with.
+- `SIGNING_NAME` &amp; `SIGNING_EMAIL`: if a KEYID is provided as the `SIGNING_KEY`, use these as the Name and Email address of the signer. These should match publicized name and email address for the key.
+- `INITIAL_COMMIT`: **always**: \[never, pubkey, twofa, always\]: Sign initial commit.
+ - `never`: Never sign
+ - `pubkey`: Only sign if the user has a public key
+ - `twofa`: Only sign if the user is logged in with twofa
+ - `always`: Always sign
+ - Options other than `never` and `always` can be combined as a comma separated list.
+- `DEFAULT_TRUST_MODEL`: **collaborator**: \[collaborator, committer, collaboratorcommitter\]: The default trust model used for verifying commits.
+ - `collaborator`: Trust signatures signed by keys of collaborators.
+ - `committer`: Trust signatures that match committers (This matches GitHub and will force Gitea signed commits to have Gitea as the committer).
+ - `collaboratorcommitter`: Trust signatures signed by keys of collaborators which match the committer.
+- `WIKI`: **never**: \[never, pubkey, twofa, always, parentsigned\]: Sign commits to wiki.
+- `CRUD_ACTIONS`: **pubkey, twofa, parentsigned**: \[never, pubkey, twofa, parentsigned, always\]: Sign CRUD actions.
+ - Options as above, with the addition of:
+ - `parentsigned`: Only sign if the parent commit is signed.
+- `MERGES`: **pubkey, twofa, basesigned, commitssigned**: \[never, pubkey, twofa, approved, basesigned, commitssigned, always\]: Sign merges.
+ - `approved`: Only sign approved merges to a protected branch.
+ - `basesigned`: Only sign if the parent commit in the base repo is signed.
+ - `headsigned`: Only sign if the head commit in the head branch is signed.
+ - `commitssigned`: Only sign if all the commits in the head branch to the merge point are signed.
+
+## Repository - Local (`repository.local`)
+
+- `LOCAL_COPY_PATH`: **tmp/local-repo**: Path for temporary local repository copies. Defaults to `tmp/local-repo` (content gets deleted on Gitea restart)
+
+## Repository - MIME type mapping (`repository.mimetype_mapping`)
+
+Configuration for set the expected MIME type based on file extensions of downloadable files. Configuration presents in key-value pairs and file extensions starts with leading `.`.
+
+The following configuration set `Content-Type: application/vnd.android.package-archive` header when downloading files with `.apk` file extension.
+
+```ini
+.apk=application/vnd.android.package-archive
+```
+
+## CORS (`cors`)
+
+- `ENABLED`: **false**: enable cors headers (disabled by default)
+- `SCHEME`: **http**: scheme of allowed requests
+- `ALLOW_DOMAIN`: **\***: list of requesting domains that are allowed
+- `ALLOW_SUBDOMAIN`: **false**: allow subdomains of headers listed above to request
+- `METHODS`: **GET,HEAD,POST,PUT,PATCH,DELETE,OPTIONS**: list of methods allowed to request
+- `MAX_AGE`: **10m**: max time to cache response
+- `ALLOW_CREDENTIALS`: **false**: allow request with credentials
+- `HEADERS`: **Content-Type,User-Agent**: additional headers that are permitted in requests
+- `X_FRAME_OPTIONS`: **SAMEORIGIN**: Set the `X-Frame-Options` header value.
+
+## UI (`ui`)
+
+- `EXPLORE_PAGING_NUM`: **20**: Number of repositories that are shown in one explore page.
+- `ISSUE_PAGING_NUM`: **20**: Number of issues that are shown in one page (for all pages that list issues, milestones, projects).
+- `MEMBERS_PAGING_NUM`: **20**: Number of members that are shown in organization members.
+- `FEED_MAX_COMMIT_NUM`: **5**: Number of maximum commits shown in one activity feed.
+- `FEED_PAGING_NUM`: **20**: Number of items that are displayed in home feed.
+- `SITEMAP_PAGING_NUM`: **20**: Number of items that are displayed in a single subsitemap.
+- `GRAPH_MAX_COMMIT_NUM`: **100**: Number of maximum commits shown in the commit graph.
+- `CODE_COMMENT_LINES`: **4**: Number of line of codes shown for a code comment.
+- `DEFAULT_THEME`: **auto**: \[auto, gitea, arc-green\]: Set the default theme for the Gitea install.
+- `SHOW_USER_EMAIL`: **true**: Whether the email of the user should be shown in the Explore Users page.
+- `THEMES`: **auto,gitea,arc-green**: All available themes. Allow users select personalized themes.
+ regardless of the value of `DEFAULT_THEME`.
+- `THEME_COLOR_META_TAG`: **#6cc644**: Value of `theme-color` meta tag, used by Android >= 5.0. An invalid color like "none" or "disable" will have the default style. More info: https://developers.google.com/web/updates/2014/11/Support-for-theme-color-in-Chrome-39-for-Android
+- `MAX_DISPLAY_FILE_SIZE`: **8388608**: Max size of files to be displayed (default is 8MiB)
+- `REACTIONS`: All available reactions users can choose on issues/prs and comments
+ Values can be emoji alias (:smile:) or a unicode emoji.
+ For custom reactions, add a tightly cropped square image to public/img/emoji/reaction_name.png
+- `CUSTOM_EMOJIS`: **gitea, codeberg, gitlab, git, github, gogs**: Additional Emojis not defined in the utf8 standard.
+ By default we support Gitea (:gitea:), to add more copy them to public/img/emoji/emoji_name.png and
+ add it to this config.
+- `DEFAULT_SHOW_FULL_NAME`: **false**: Whether the full name of the users should be shown where possible. If the full name isn't set, the username will be used.
+- `SEARCH_REPO_DESCRIPTION`: **true**: Whether to search within description at repository search on explore page.
+- `USE_SERVICE_WORKER`: **false**: Whether to enable a Service Worker to cache frontend assets.
+
+### UI - Admin (`ui.admin`)
+
+- `USER_PAGING_NUM`: **50**: Number of users that are shown in one page.
+- `REPO_PAGING_NUM`: **50**: Number of repos that are shown in one page.
+- `NOTICE_PAGING_NUM`: **25**: Number of notices that are shown in one page.
+- `ORG_PAGING_NUM`: **50**: Number of organizations that are shown in one page.
+
+### UI - User (`ui.user`)
+
+- `REPO_PAGING_NUM`: **15**: Number of repos that are shown in one page.
+
+### UI - Metadata (`ui.meta`)
+
+- `AUTHOR`: **Gitea - Git with a cup of tea**: Author meta tag of the homepage.
+- `DESCRIPTION`: **Gitea (Git with a cup of tea) is a painless self-hosted Git service written in Go**: Description meta tag of the homepage.
+- `KEYWORDS`: **go,git,self-hosted,gitea**: Keywords meta tag of the homepage.
+
+### UI - Notification (`ui.notification`)
+
+- `MIN_TIMEOUT`: **10s**: These options control how often notification endpoint is polled to update the notification count. On page load the notification count will be checked after `MIN_TIMEOUT`. The timeout will increase to `MAX_TIMEOUT` by `TIMEOUT_STEP` if the notification count is unchanged. Set MIN_TIMEOUT to -1 to turn off.
+- `MAX_TIMEOUT`: **60s**.
+- `TIMEOUT_STEP`: **10s**.
+- `EVENT_SOURCE_UPDATE_TIME`: **10s**: This setting determines how often the database is queried to update notification counts. If the browser client supports `EventSource` and `SharedWorker`, a `SharedWorker` will be used in preference to polling notification endpoint. Set to **-1** to disable the `EventSource`.
+
+### UI - SVG Images (`ui.svg`)
+
+- `ENABLE_RENDER`: **true**: Whether to render SVG files as images. If SVG rendering is disabled, SVG files are displayed as text and cannot be embedded in markdown files as images.
+
+### UI - CSV Files (`ui.csv`)
+
+- `MAX_FILE_SIZE`: **524288** (512kb): Maximum allowed file size in bytes to render CSV files as table. (Set to 0 for no limit).
+
+## Markdown (`markdown`)
+
+- `ENABLE_HARD_LINE_BREAK_IN_COMMENTS`: **true**: Render soft line breaks as hard line breaks in comments, which
+ means a single newline character between paragraphs will cause a line break and adding
+ trailing whitespace to paragraphs is not necessary to force a line break.
+- `ENABLE_HARD_LINE_BREAK_IN_DOCUMENTS`: **false**: Render soft line breaks as hard line breaks in documents, which
+ means a single newline character between paragraphs will cause a line break and adding
+ trailing whitespace to paragraphs is not necessary to force a line break.
+- `CUSTOM_URL_SCHEMES`: Use a comma separated list (ftp,git,svn) to indicate additional
+ URL hyperlinks to be rendered in Markdown. URLs beginning in http and https are
+ always displayed
+- `ENABLE_MATH`: **true**: Enables detection of `\(...\)`, `\[...\]`, `$...$` and `$$...$$` blocks as math blocks.
+
+## Server (`server`)
+
+- `APP_DATA_PATH`: **_`AppWorkPath`_/data**: This is the default root path for storing data.
+- `PROTOCOL`: **http**: \[http, https, fcgi, http+unix, fcgi+unix\]
+- `USE_PROXY_PROTOCOL`: **false**: Expect PROXY protocol headers on connections
+- `PROXY_PROTOCOL_TLS_BRIDGING`: **false**: When protocol is https, expect PROXY protocol headers after TLS negotiation.
+- `PROXY_PROTOCOL_HEADER_TIMEOUT`: **5s**: Timeout to wait for PROXY protocol header (set to 0 to have no timeout)
+- `PROXY_PROTOCOL_ACCEPT_UNKNOWN`: **false**: Accept PROXY protocol headers with Unknown type.
+- `DOMAIN`: **localhost**: Domain name of this server.
+- `ROOT_URL`: **%(PROTOCOL)s://%(DOMAIN)s:%(HTTP\_PORT)s/**:
+ Overwrite the automatically generated public URL.
+ This is useful if the internal and the external URL don't match (e.g. in Docker).
+- `STATIC_URL_PREFIX`: **\<empty\>**:
+ Overwrite this option to request static resources from a different URL.
+ This includes CSS files, images, JS files and web fonts.
+ Avatar images are dynamic resources and still served by Gitea.
+ The option can be just a different path, as in `/static`, or another domain, as in `https://cdn.example.com`.
+ Requests are then made as `%(ROOT_URL)s/static/assets/css/index.css` or `https://cdn.example.com/assets/css/index.css` respectively.
+ The static files are located in the `public/` directory of the Gitea source repository.
+ You can proxy the STATIC_URL_PREFIX requests to Gitea server to serve the static
+ assets, or copy the manually built Gitea assets from `$GITEA_BUILD/public` to
+ the assets location, eg: `/var/www/assets`, make sure `$STATIC_URL_PREFIX/assets/css/index.css`
+ points to `/var/www/assets/css/index.css`.
+
+- `HTTP_ADDR`: **0.0.0.0**: HTTP listen address.
+ - If `PROTOCOL` is set to `fcgi`, Gitea will listen for FastCGI requests on TCP socket
+ defined by `HTTP_ADDR` and `HTTP_PORT` configuration settings.
+ - If `PROTOCOL` is set to `http+unix` or `fcgi+unix`, this should be the name of the Unix socket file to use. Relative paths will be made absolute against the _`AppWorkPath`_.
+- `HTTP_PORT`: **3000**: HTTP listen port.
+ - If `PROTOCOL` is set to `fcgi`, Gitea will listen for FastCGI requests on TCP socket
+ defined by `HTTP_ADDR` and `HTTP_PORT` configuration settings.
+- `UNIX_SOCKET_PERMISSION`: **666**: Permissions for the Unix socket.
+- `LOCAL_ROOT_URL`: **%(PROTOCOL)s://%(HTTP_ADDR)s:%(HTTP_PORT)s/**: Local
+ (DMZ) URL for Gitea workers (such as SSH update) accessing web service. In
+ most cases you do not need to change the default value. Alter it only if
+ your SSH server node is not the same as HTTP node. Do not set this variable
+ if `PROTOCOL` is set to `http+unix`.
+- `LOCAL_USE_PROXY_PROTOCOL`: **%(USE_PROXY_PROTOCOL)s**: When making local connections pass the PROXY protocol header.
+ This should be set to false if the local connection will go through the proxy.
+- `PER_WRITE_TIMEOUT`: **30s**: Timeout for any write to the connection. (Set to -1 to
+ disable all timeouts.)
+- `PER_WRITE_PER_KB_TIMEOUT`: **10s**: Timeout per Kb written to connections.
+
+- `DISABLE_SSH`: **false**: Disable SSH feature when it's not available.
+- `START_SSH_SERVER`: **false**: When enabled, use the built-in SSH server.
+- `SSH_SERVER_USE_PROXY_PROTOCOL`: **false**: Expect PROXY protocol header on connections to the built-in SSH Server.
+- `BUILTIN_SSH_SERVER_USER`: **%(RUN_USER)s**: Username to use for the built-in SSH Server.
+- `SSH_USER`: **%(BUILTIN_SSH_SERVER_USER)s**: SSH username displayed in clone URLs. This is only for people who configure the SSH server themselves; in most cases, you want to leave this blank and modify the `BUILTIN_SSH_SERVER_USER`.
+- `SSH_DOMAIN`: **%(DOMAIN)s**: Domain name of this server, used for displayed clone URL.
+- `SSH_PORT`: **22**: SSH port displayed in clone URL.
+- `SSH_LISTEN_HOST`: **0.0.0.0**: Listen address for the built-in SSH server.
+- `SSH_LISTEN_PORT`: **%(SSH\_PORT)s**: Port for the built-in SSH server.
+- `SSH_ROOT_PATH`: **~/.ssh**: Root path of SSH directory.
+- `SSH_CREATE_AUTHORIZED_KEYS_FILE`: **true**: Gitea will create a authorized_keys file by default when it is not using the internal ssh server. If you intend to use the AuthorizedKeysCommand functionality then you should turn this off.
+- `SSH_AUTHORIZED_KEYS_BACKUP`: **true**: Enable SSH Authorized Key Backup when rewriting all keys, default is true.
+- `SSH_TRUSTED_USER_CA_KEYS`: **\<empty\>**: Specifies the public keys of certificate authorities that are trusted to sign user certificates for authentication. Multiple keys should be comma separated. E.g.`ssh-<algorithm> <key>` or `ssh-<algorithm> <key1>, ssh-<algorithm> <key2>`. For more information see `TrustedUserCAKeys` in the sshd config man pages. When empty no file will be created and `SSH_AUTHORIZED_PRINCIPALS_ALLOW` will default to `off`.
+- `SSH_TRUSTED_USER_CA_KEYS_FILENAME`: **`RUN_USER`/.ssh/gitea-trusted-user-ca-keys.pem**: Absolute path of the `TrustedUserCaKeys` file Gitea will manage. If you're running your own ssh server and you want to use the Gitea managed file you'll also need to modify your sshd_config to point to this file. The official docker image will automatically work without further configuration.
+- `SSH_AUTHORIZED_PRINCIPALS_ALLOW`: **off** or **username, email**: \[off, username, email, anything\]: Specify the principals values that users are allowed to use as principal. When set to `anything` no checks are done on the principal string. When set to `off` authorized principal are not allowed to be set.
+- `SSH_CREATE_AUTHORIZED_PRINCIPALS_FILE`: **false/true**: Gitea will create a authorized_principals file by default when it is not using the internal ssh server and `SSH_AUTHORIZED_PRINCIPALS_ALLOW` is not `off`.
+- `SSH_AUTHORIZED_PRINCIPALS_BACKUP`: **false/true**: Enable SSH Authorized Principals Backup when rewriting all keys, default is true if `SSH_AUTHORIZED_PRINCIPALS_ALLOW` is not `off`.
+- `SSH_AUTHORIZED_KEYS_COMMAND_TEMPLATE`: **{{.AppPath}} --config={{.CustomConf}} serv key-{{.Key.ID}}**: Set the template for the command to passed on authorized keys. Possible keys are: AppPath, AppWorkPath, CustomConf, CustomPath, Key - where Key is a `models/asymkey.PublicKey` and the others are strings which are shellquoted.
+- `SSH_SERVER_CIPHERS`: **chacha20-poly1305@openssh.com, aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, aes256-gcm@openssh.com**: For the built-in SSH server, choose the ciphers to support for SSH connections, for system SSH this setting has no effect.
+- `SSH_SERVER_KEY_EXCHANGES`: **curve25519-sha256, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group14-sha256, diffie-hellman-group14-sha1**: For the built-in SSH server, choose the key exchange algorithms to support for SSH connections, for system SSH this setting has no effect.
+- `SSH_SERVER_MACS`: **hmac-sha2-256-etm@openssh.com, hmac-sha2-256, hmac-sha1**: For the built-in SSH server, choose the MACs to support for SSH connections, for system SSH this setting has no effect
+- `SSH_SERVER_HOST_KEYS`: **ssh/gitea.rsa, ssh/gogs.rsa**: For the built-in SSH server, choose the keypairs to offer as the host key. The private key should be at `SSH_SERVER_HOST_KEY` and the public `SSH_SERVER_HOST_KEY.pub`. Relative paths are made absolute relative to the `APP_DATA_PATH`. If no key exists a 4096 bit RSA key will be created for you.
+- `SSH_KEY_TEST_PATH`: **/tmp**: Directory to create temporary files in when testing public keys using ssh-keygen, default is the system temporary directory.
+- `SSH_KEYGEN_PATH`: **ssh-keygen**: Path to ssh-keygen, default is 'ssh-keygen' which means the shell is responsible for finding out which one to call.
+- `SSH_EXPOSE_ANONYMOUS`: **false**: Enable exposure of SSH clone URL to anonymous visitors, default is false.
+- `SSH_PER_WRITE_TIMEOUT`: **30s**: Timeout for any write to the SSH connections. (Set to
+ -1 to disable all timeouts.)
+- `SSH_PER_WRITE_PER_KB_TIMEOUT`: **10s**: Timeout per Kb written to SSH connections.
+- `MINIMUM_KEY_SIZE_CHECK`: **true**: Indicate whether to check minimum key size with corresponding type.
+
+- `OFFLINE_MODE`: **false**: Disables use of CDN for static files and Gravatar for profile pictures.
+- `CERT_FILE`: **https/cert.pem**: Cert file path used for HTTPS. When chaining, the server certificate must come first, then intermediate CA certificates (if any). This is ignored if `ENABLE_ACME=true`. Paths are relative to `CUSTOM_PATH`.
+- `KEY_FILE`: **https/key.pem**: Key file path used for HTTPS. This is ignored if `ENABLE_ACME=true`. Paths are relative to `CUSTOM_PATH`.
+- `STATIC_ROOT_PATH`: **_`StaticRootPath`_**: Upper level of template and static files path.
+- `APP_DATA_PATH`: **data** (**/data/gitea** on docker): Default path for application data. Relative paths will be made absolute against _`AppWorkPath`_.
+- `STATIC_CACHE_TIME`: **6h**: Web browser cache time for static resources on `custom/`, `public/` and all uploaded avatars. Note that this cache is disabled when `RUN_MODE` is "dev".
+- `ENABLE_GZIP`: **false**: Enable gzip compression for runtime-generated content, static resources excluded.
+- `ENABLE_PPROF`: **false**: Application profiling (memory and cpu). For "web" command it listens on `localhost:6060`. For "serv" command it dumps to disk at `PPROF_DATA_PATH` as `(cpuprofile|memprofile)_<username>_<temporary id>`
+- `PPROF_DATA_PATH`: **_`AppWorkPath`_/data/tmp/pprof**: `PPROF_DATA_PATH`, use an absolute path when you start Gitea as service
+- `LANDING_PAGE`: **home**: Landing page for unauthenticated users \[home, explore, organizations, login, **custom**\]. Where custom would instead be any URL such as "/org/repo" or even `https://anotherwebsite.com`
+- `LFS_START_SERVER`: **false**: Enables Git LFS support.
+- `LFS_CONTENT_PATH`: **%(APP_DATA_PATH)s/lfs**: Default LFS content path. (if it is on local storage.) **DEPRECATED** use settings in `[lfs]`.
+- `LFS_JWT_SECRET`: **\<empty\>**: LFS authentication secret, change this a unique string.
+- `LFS_HTTP_AUTH_EXPIRY`: **20m**: LFS authentication validity period in time.Duration, pushes taking longer than this may fail.
+- `LFS_MAX_FILE_SIZE`: **0**: Maximum allowed LFS file size in bytes (Set to 0 for no limit).
+- `LFS_LOCKS_PAGING_NUM`: **50**: Maximum number of LFS Locks returned per page.
+
+- `REDIRECT_OTHER_PORT`: **false**: If true and `PROTOCOL` is https, allows redirecting http requests on `PORT_TO_REDIRECT` to the https port Gitea listens on.
+- `REDIRECTOR_USE_PROXY_PROTOCOL`: **%(USE_PROXY_PROTOCOL)s**: expect PROXY protocol header on connections to https redirector.
+- `PORT_TO_REDIRECT`: **80**: Port for the http redirection service to listen on. Used when `REDIRECT_OTHER_PORT` is true.
+- `SSL_MIN_VERSION`: **TLSv1.2**: Set the minimum version of ssl support.
+- `SSL_MAX_VERSION`: **\<empty\>**: Set the maximum version of ssl support.
+- `SSL_CURVE_PREFERENCES`: **X25519,P256**: Set the preferred curves,
+- `SSL_CIPHER_SUITES`: **ecdhe_ecdsa_with_aes_256_gcm_sha384,ecdhe_rsa_with_aes_256_gcm_sha384,ecdhe_ecdsa_with_aes_128_gcm_sha256,ecdhe_rsa_with_aes_128_gcm_sha256,ecdhe_ecdsa_with_chacha20_poly1305,ecdhe_rsa_with_chacha20_poly1305**: Set the preferred cipher suites.
+ - If there is no hardware support for AES suites, by default the ChaCha suites will be preferred over the AES suites.
+ - supported suites as of Go 1.18 are:
+ - TLS 1.0 - 1.2 cipher suites
+ - "rsa_with_rc4_128_sha"
+ - "rsa_with_3des_ede_cbc_sha"
+ - "rsa_with_aes_128_cbc_sha"
+ - "rsa_with_aes_256_cbc_sha"
+ - "rsa_with_aes_128_cbc_sha256"
+ - "rsa_with_aes_128_gcm_sha256"
+ - "rsa_with_aes_256_gcm_sha384"
+ - "ecdhe_ecdsa_with_rc4_128_sha"
+ - "ecdhe_ecdsa_with_aes_128_cbc_sha"
+ - "ecdhe_ecdsa_with_aes_256_cbc_sha"
+ - "ecdhe_rsa_with_rc4_128_sha"
+ - "ecdhe_rsa_with_3des_ede_cbc_sha"
+ - "ecdhe_rsa_with_aes_128_cbc_sha"
+ - "ecdhe_rsa_with_aes_256_cbc_sha"
+ - "ecdhe_ecdsa_with_aes_128_cbc_sha256"
+ - "ecdhe_rsa_with_aes_128_cbc_sha256"
+ - "ecdhe_rsa_with_aes_128_gcm_sha256"
+ - "ecdhe_ecdsa_with_aes_128_gcm_sha256"
+ - "ecdhe_rsa_with_aes_256_gcm_sha384"
+ - "ecdhe_ecdsa_with_aes_256_gcm_sha384"
+ - "ecdhe_rsa_with_chacha20_poly1305_sha256"
+ - "ecdhe_ecdsa_with_chacha20_poly1305_sha256"
+ - TLS 1.3 cipher suites
+ - "aes_128_gcm_sha256"
+ - "aes_256_gcm_sha384"
+ - "chacha20_poly1305_sha256"
+ - Aliased names
+ - "ecdhe_rsa_with_chacha20_poly1305" is an alias for "ecdhe_rsa_with_chacha20_poly1305_sha256"
+ - "ecdhe_ecdsa_with_chacha20_poly1305" is alias for "ecdhe_ecdsa_with_chacha20_poly1305_sha256"
+- `ENABLE_ACME`: **false**: Flag to enable automatic certificate management via an ACME capable Certificate Authority (CA) server (default: Lets Encrypt). If enabled, `CERT_FILE` and `KEY_FILE` are ignored, and the CA must resolve `DOMAIN` to this gitea server. Ensure that DNS records are set and either port `80` or port `443` are accessible by the CA server (the public internet by default), and redirected to the appropriate ports `PORT_TO_REDIRECT` or `HTTP_PORT` respectively.
+- `ACME_URL`: **\<empty\>**: The CA's ACME directory URL, e.g. for a self-hosted [smallstep CA server](https://github.com/smallstep/certificates), it can look like `https://ca.example.com/acme/acme/directory`. If left empty, it defaults to using Let's Encerypt's production CA (check `LETSENCRYPT_ACCEPTTOS` as well).
+- `ACME_ACCEPTTOS`: **false**: This is an explicit check that you accept the terms of service of the ACME provider. The default is Lets Encrypt [terms of service](https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf).
+- `ACME_DIRECTORY`: **https**: Directory that the certificate manager will use to cache information such as certs and private keys.
+- `ACME_EMAIL`: **\<empty\>**: Email used for the ACME registration. Usually it is to notify about problems with issued certificates.
+- `ACME_CA_ROOT`: **\<empty\>**: The CA's root certificate. If left empty, it defaults to using the system's trust chain.
+- `ALLOW_GRACEFUL_RESTARTS`: **true**: Perform a graceful restart on SIGHUP
+- `GRACEFUL_HAMMER_TIME`: **60s**: After a restart the parent process will stop accepting new connections and will allow requests to finish before stopping. Shutdown will be forced if it takes longer than this time.
+- `STARTUP_TIMEOUT`: **0**: Shutsdown the server if startup takes longer than the provided time. On Windows setting this sends a waithint to the SVC host to tell the SVC host startup may take some time. Please note startup is determined by the opening of the listeners - HTTP/HTTPS/SSH. Indexers may take longer to startup and can have their own timeouts.
+
+## Database (`database`)
+
+- `DB_TYPE`: **mysql**: The database type in use \[mysql, postgres, mssql, sqlite3\].
+- `HOST`: **127.0.0.1:3306**: Database host address and port or absolute path for unix socket \[mysql, postgres\] (ex: /var/run/mysqld/mysqld.sock).
+- `NAME`: **gitea**: Database name.
+- `USER`: **root**: Database username.
+- `PASSWD`: **\<empty\>**: Database user password. Use \`your password\` or """your password""" for quoting if you use special characters in the password.
+- `SCHEMA`: **\<empty\>**: For PostgreSQL only, schema to use if different from "public". The schema must exist beforehand,
+ the user must have creation privileges on it, and the user search path must be set to the look into the schema first
+ (e.g. `ALTER USER user SET SEARCH_PATH = schema_name,"$user",public;`).
+- `SSL_MODE`: **disable**: SSL/TLS encryption mode for connecting to the database. This option is only applied for PostgreSQL and MySQL.
+ - Valid values for MySQL:
+ - `true`: Enable TLS with verification of the database server certificate against its root certificate. When selecting this option make sure that the root certificate required to validate the database server certificate (e.g. the CA certificate) is on the system certificate store of both the database and Gitea servers. See your system documentation for instructions on how to add a CA certificate to the certificate store.
+ - `false`: Disable TLS.
+ - `disable`: Alias for `false`, for compatibility with PostgreSQL.
+ - `skip-verify`: Enable TLS without database server certificate verification. Use this option if you have self-signed or invalid certificate on the database server.
+ - `prefer`: Enable TLS with fallback to non-TLS connection.
+ - Valid values for PostgreSQL:
+ - `disable`: Disable TLS.
+ - `require`: Enable TLS without any verifications.
+ - `verify-ca`: Enable TLS with verification of the database server certificate against its root certificate.
+ - `verify-full`: Enable TLS and verify the database server name matches the given certificate in either the `Common Name` or `Subject Alternative Name` fields.
+- `SQLITE_TIMEOUT`: **500**: Query timeout for SQLite3 only.
+- `SQLITE_JOURNAL_MODE`: **""**: Change journal mode for SQlite3. Can be used to enable [WAL mode](https://www.sqlite.org/wal.html) when high load causes write congestion. See [SQlite3 docs](https://www.sqlite.org/pragma.html#pragma_journal_mode) for possible values. Defaults to the default for the database file, often DELETE.
+- `ITERATE_BUFFER_SIZE`: **50**: Internal buffer size for iterating.
+- `CHARSET`: **utf8mb4**: For MySQL only, either "utf8" or "utf8mb4". NOTICE: for "utf8mb4" you must use MySQL InnoDB > 5.6. Gitea is unable to check this.
+- `PATH`: **data/gitea.db**: For SQLite3 only, the database file path.
+- `LOG_SQL`: **true**: Log the executed SQL.
+- `DB_RETRIES`: **10**: How many ORM init / DB connect attempts allowed.
+- `DB_RETRY_BACKOFF`: **3s**: time.Duration to wait before trying another ORM init / DB connect attempt, if failure occurred.
+- `MAX_OPEN_CONNS` **0**: Database maximum open connections - default is 0, meaning there is no limit.
+- `MAX_IDLE_CONNS` **2**: Max idle database connections on connection pool, default is 2 - this will be capped to `MAX_OPEN_CONNS`.
+- `CONN_MAX_LIFETIME` **0 or 3s**: Sets the maximum amount of time a DB connection may be reused - default is 0, meaning there is no limit (except on MySQL where it is 3s - see #6804 & #7071).
+- `AUTO_MIGRATION` **true**: Whether execute database models migrations automatically.
+
+Please see #8540 & #8273 for further discussion of the appropriate values for `MAX_OPEN_CONNS`, `MAX_IDLE_CONNS` & `CONN_MAX_LIFETIME` and their
+relation to port exhaustion.
+
+## Indexer (`indexer`)
+
+- `ISSUE_INDEXER_TYPE`: **bleve**: Issue indexer type, currently supported: `bleve`, `db` or `elasticsearch`.
+- `ISSUE_INDEXER_CONN_STR`: ****: Issue indexer connection string, available when ISSUE_INDEXER_TYPE is elasticsearch. i.e. http://elastic:changeme@localhost:9200
+- `ISSUE_INDEXER_NAME`: **gitea_issues**: Issue indexer name, available when ISSUE_INDEXER_TYPE is elasticsearch
+- `ISSUE_INDEXER_PATH`: **indexers/issues.bleve**: Index file used for issue search; available when ISSUE_INDEXER_TYPE is bleve and elasticsearch. Relative paths will be made absolute against _`AppWorkPath`_.
+- The next 4 configuration values are deprecated and should be set in `queue.issue_indexer` however are kept for backwards compatibility:
+- `ISSUE_INDEXER_QUEUE_TYPE`: **levelqueue**: Issue indexer queue, currently supports:`channel`, `levelqueue`, `redis`. **DEPRECATED** use settings in `[queue.issue_indexer]`.
+- `ISSUE_INDEXER_QUEUE_DIR`: **queues/common**: When `ISSUE_INDEXER_QUEUE_TYPE` is `levelqueue`, this will be the path where the queue will be saved. **DEPRECATED** use settings in `[queue.issue_indexer]`. Relative paths will be made absolute against `%(APP_DATA_PATH)s`.
+- `ISSUE_INDEXER_QUEUE_CONN_STR`: **addrs=127.0.0.1:6379 db=0**: When `ISSUE_INDEXER_QUEUE_TYPE` is `redis`, this will store the redis connection string. When `ISSUE_INDEXER_QUEUE_TYPE` is `levelqueue`, this is a directory or additional options of the form `leveldb://path/to/db?option=value&....`, and overrides `ISSUE_INDEXER_QUEUE_DIR`. **DEPRECATED** use settings in `[queue.issue_indexer]`.
+- `ISSUE_INDEXER_QUEUE_BATCH_NUMBER`: **20**: Batch queue number. **DEPRECATED** use settings in `[queue.issue_indexer]`.
+
+- `REPO_INDEXER_ENABLED`: **false**: Enables code search (uses a lot of disk space, about 6 times more than the repository size).
+- `REPO_INDEXER_TYPE`: **bleve**: Code search engine type, could be `bleve` or `elasticsearch`.
+- `REPO_INDEXER_PATH`: **indexers/repos.bleve**: Index file used for code search.
+- `REPO_INDEXER_CONN_STR`: ****: Code indexer connection string, available when `REPO_INDEXER_TYPE` is elasticsearch. i.e. http://elastic:changeme@localhost:9200
+- `REPO_INDEXER_NAME`: **gitea_codes**: Code indexer name, available when `REPO_INDEXER_TYPE` is elasticsearch
+
+- `REPO_INDEXER_INCLUDE`: **empty**: A comma separated list of glob patterns (see https://github.com/gobwas/glob) to **include** in the index. Use `**.txt` to match any files with .txt extension. An empty list means include all files.
+- `REPO_INDEXER_EXCLUDE`: **empty**: A comma separated list of glob patterns (see https://github.com/gobwas/glob) to **exclude** from the index. Files that match this list will not be indexed, even if they match in `REPO_INDEXER_INCLUDE`.
+- `REPO_INDEXER_EXCLUDE_VENDORED`: **true**: Exclude vendored files from index.
+- `UPDATE_BUFFER_LEN`: **20**: Buffer length of index request. **DEPRECATED** use settings in `[queue.issue_indexer]`.
+- `MAX_FILE_SIZE`: **1048576**: Maximum size in bytes of files to be indexed.
+- `STARTUP_TIMEOUT`: **30s**: If the indexer takes longer than this timeout to start - fail. (This timeout will be added to the hammer time above for child processes - as bleve will not start until the previous parent is shutdown.) Set to -1 to never timeout.
+
+## Queue (`queue` and `queue.*`)
+
+Configuration at `[queue]` will set defaults for queues with overrides for individual queues at `[queue.*]`. (However see below.)
+
+- `TYPE`: **persistable-channel**: General queue type, currently support: `persistable-channel` (uses a LevelDB internally), `channel`, `level`, `redis`, `dummy`
+- `DATADIR`: **queues/**: Base DataDir for storing persistent and level queues. `DATADIR` for individual queues can be set in `queue.name` sections but will default to `DATADIR/`**`common`**. (Previously each queue would default to `DATADIR/`**`name`**.) Relative paths will be made absolute against `%(APP_DATA_PATH)s`.
+- `LENGTH`: **20**: Maximal queue size before channel queues block
+- `BATCH_LENGTH`: **20**: Batch data before passing to the handler
+- `CONN_STR`: **redis://127.0.0.1:6379/0**: Connection string for the redis queue type. Options can be set using query params. Similarly LevelDB options can also be set using: **leveldb://relative/path?option=value** or **leveldb:///absolute/path?option=value**, and will override `DATADIR`
+- `QUEUE_NAME`: **_queue**: The suffix for default redis and disk queue name. Individual queues will default to **`name`**`QUEUE_NAME` but can be overridden in the specific `queue.name` section.
+- `SET_NAME`: **_unique**: The suffix that will be added to the default redis and disk queue `set` name for unique queues. Individual queues will default to
+ **`name`**`QUEUE_NAME`_`SET_NAME`_ but can be overridden in the specific `queue.name` section.
+- `WRAP_IF_NECESSARY`: **true**: Will wrap queues with a timeoutable queue if the selected queue is not ready to be created - (Only relevant for the level queue.)
+- `MAX_ATTEMPTS`: **10**: Maximum number of attempts to create the wrapped queue
+- `TIMEOUT`: **GRACEFUL_HAMMER_TIME + 30s**: Timeout the creation of the wrapped queue if it takes longer than this to create.
+- Queues by default come with a dynamically scaling worker pool. The following settings configure this:
+- `WORKERS`: **0**: Number of initial workers for the queue.
+- `MAX_WORKERS`: **10**: Maximum number of worker go-routines for the queue.
+- `BLOCK_TIMEOUT`: **1s**: If the queue blocks for this time, boost the number of workers - the `BLOCK_TIMEOUT` will then be doubled before boosting again whilst the boost is ongoing.
+- `BOOST_TIMEOUT`: **5m**: Boost workers will timeout after this long.
+- `BOOST_WORKERS`: **1**: This many workers will be added to the worker pool if there is a boost.
+
+Gitea creates the following non-unique queues:
+
+- `code_indexer`
+- `issue_indexer`
+- `notification-service`
+- `task`
+- `mail`
+- `push_update`
+
+And the following unique queues:
+
+- `repo_stats_update`
+- `repo-archive`
+- `mirror`
+- `pr_patch_checker`
+
+Certain queues have defaults that override the defaults set in `[queue]` (this occurs mostly to support older configuration):
+
+- `[queue.issue_indexer]`
+ - `TYPE` this will default to `[queue]` `TYPE` if it is set but if not it will appropriately convert `[indexer]` `ISSUE_INDEXER_QUEUE_TYPE` if that is set.
+ - `LENGTH` will default to `[indexer]` `UPDATE_BUFFER_LEN` if that is set.
+ - `BATCH_LENGTH` will default to `[indexer]` `ISSUE_INDEXER_QUEUE_BATCH_NUMBER` if that is set.
+ - `DATADIR` will default to `[indexer]` `ISSUE_INDEXER_QUEUE_DIR` if that is set.
+ - `CONN_STR` will default to `[indexer]` `ISSUE_INDEXER_QUEUE_CONN_STR` if that is set.
+- `[queue.mailer]`
+ - `LENGTH` will default to **100** or whatever `[mailer]` `SEND_BUFFER_LEN` is.
+- `[queue.pr_patch_checker]`
+ - `LENGTH` will default to **1000** or whatever `[repository]` `PULL_REQUEST_QUEUE_LENGTH` is.
+- `[queue.mirror]`
+ - `LENGTH` will default to **1000** or whatever `[repository]` `MIRROR_QUEUE_LENGTH` is.
+
+## Admin (`admin`)
+
+- `DEFAULT_EMAIL_NOTIFICATIONS`: **enabled**: Default configuration for email notifications for users (user configurable). Options: enabled, onmention, disabled
+- `DISABLE_REGULAR_ORG_CREATION`: **false**: Disallow regular (non-admin) users from creating organizations.
+
+## Security (`security`)
+
+- `INSTALL_LOCK`: **false**: Controls access to the installation page. When set to "true", the installation page is not accessible.
+- `SECRET_KEY`: **\<random at every install\>**: Global secret key. This key is VERY IMPORTANT, if you lost it, the data encrypted by it (like 2FA secret) can't be decrypted anymore.
+- `SECRET_KEY_URI`: **<empty>**: Instead of defining SECRET_KEY, this option can be used to use the key stored in a file (example value: `file:/etc/gitea/secret_key`). It shouldn't be lost like SECRET_KEY.
+- `LOGIN_REMEMBER_DAYS`: **7**: Cookie lifetime, in days.
+- `COOKIE_USERNAME`: **gitea\_awesome**: Name of the cookie used to store the current username.
+- `COOKIE_REMEMBER_NAME`: **gitea\_incredible**: Name of cookie used to store authentication
+ information.
+- `REVERSE_PROXY_AUTHENTICATION_USER`: **X-WEBAUTH-USER**: Header name for reverse proxy
+ authentication.
+- `REVERSE_PROXY_AUTHENTICATION_EMAIL`: **X-WEBAUTH-EMAIL**: Header name for reverse proxy
+ authentication provided email.
+- `REVERSE_PROXY_AUTHENTICATION_FULL_NAME`: **X-WEBAUTH-FULLNAME**: Header name for reverse proxy
+ authentication provided full name.
+- `REVERSE_PROXY_LIMIT`: **1**: Interpret X-Forwarded-For header or the X-Real-IP header and set this as the remote IP for the request.
+ Number of trusted proxy count. Set to zero to not use these headers.
+- `REVERSE_PROXY_TRUSTED_PROXIES`: **127.0.0.0/8,::1/128**: List of IP addresses and networks separated by comma of trusted proxy servers. Use `*` to trust all.
+- `DISABLE_GIT_HOOKS`: **true**: Set to `false` to enable users with Git Hook privilege to create custom Git Hooks.
+ WARNING: Custom Git Hooks can be used to perform arbitrary code execution on the host operating system.
+ This enables the users to access and modify this config file and the Gitea database and interrupt the Gitea service.
+ By modifying the Gitea database, users can gain Gitea administrator privileges.
+ It also enables them to access other resources available to the user on the operating system that is running the
+ Gitea instance and perform arbitrary actions in the name of the Gitea OS user.
+ This maybe harmful to you website or your operating system.
+ Setting this to true does not change existing hooks in git repos; adjust it before if necessary.
+- `DISABLE_WEBHOOKS`: **false**: Set to `true` to disable webhooks feature.
+- `ONLY_ALLOW_PUSH_IF_GITEA_ENVIRONMENT_SET`: **true**: Set to `false` to allow local users to push to gitea-repositories without setting up the Gitea environment. This is not recommended and if you want local users to push to Gitea repositories you should set the environment appropriately.
+- `IMPORT_LOCAL_PATHS`: **false**: Set to `false` to prevent all users (including admin) from importing local path on server.
+- `INTERNAL_TOKEN`: **\<random at every install if no uri set\>**: Secret used to validate communication within Gitea binary.
+- `INTERNAL_TOKEN_URI`: **<empty>**: Instead of defining INTERNAL_TOKEN in the configuration, this configuration option can be used to give Gitea a path to a file that contains the internal token (example value: `file:/etc/gitea/internal_token`)
+- `PASSWORD_HASH_ALGO`: **pbkdf2**: The hash algorithm to use \[argon2, pbkdf2, pbkdf2_v1, pbkdf2_hi, scrypt, bcrypt\], argon2 and scrypt will spend significant amounts of memory.
+ - Note: The default parameters for `pbkdf2` hashing have changed - the previous settings are available as `pbkdf2_v1` but are not recommended.
+ - The hash functions may be tuned by using `$` after the algorithm:
+ - `argon2$<time>$<memory>$<threads>$<key-length>`
+ - `bcrypt$<cost>`
+ - `pbkdf2$<iterations>$<key-length>`
+ - `scrypt$<n>$<r>$<p>$<key-length>`
+ - The defaults are:
+ - `argon2`: `argon2$2$65536$8$50`
+ - `bcrypt`: `bcrypt$10`
+ - `pbkdf2`: `pbkdf2$50000$50`
+ - `pbkdf2_v1`: `pbkdf2$10000$50`
+ - `pbkdf2_v2`: `pbkdf2$50000$50`
+ - `pbkdf2_hi`: `pbkdf2$320000$50`
+ - `scrypt`: `scrypt$65536$16$2$50`
+ - Adjusting the algorithm parameters using this functionality is done at your own risk.
+- `CSRF_COOKIE_HTTP_ONLY`: **true**: Set false to allow JavaScript to read CSRF cookie.
+- `MIN_PASSWORD_LENGTH`: **6**: Minimum password length for new users.
+- `PASSWORD_COMPLEXITY`: **off**: Comma separated list of character classes required to pass minimum complexity. If left empty or no valid values are specified, checking is disabled (off):
+ - lower - use one or more lower latin characters
+ - upper - use one or more upper latin characters
+ - digit - use one or more digits
+ - spec - use one or more special characters as ``!"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~``
+ - off - do not check password complexity
+- `PASSWORD_CHECK_PWN`: **false**: Check [HaveIBeenPwned](https://haveibeenpwned.com/Passwords) to see if a password has been exposed.
+- `SUCCESSFUL_TOKENS_CACHE_SIZE`: **20**: Cache successful token hashes. API tokens are stored in the DB as pbkdf2 hashes however, this means that there is a potentially significant hashing load when there are multiple API operations. This cache will store the successfully hashed tokens in a LRU cache as a balance between performance and security.
+
+## Camo (`camo`)
+
+- `ENABLED`: **false**: Enable media proxy, we support images only at the moment.
+- `SERVER_URL`: **<empty>**: URL of camo server, it **is required** if camo is enabled.
+- `HMAC_KEY`: **<empty>**: Provide the HMAC key for encoding URLs, it **is required** if camo is enabled.
+- `ALLWAYS`: **false**: Set to true to use camo for both HTTP and HTTPS content, otherwise only non-HTTPS URLs are proxied
+
+## OpenID (`openid`)
+
+- `ENABLE_OPENID_SIGNIN`: **false**: Allow authentication in via OpenID.
+- `ENABLE_OPENID_SIGNUP`: **! DISABLE\_REGISTRATION**: Allow registering via OpenID.
+- `WHITELISTED_URIS`: **\<empty\>**: If non-empty, list of POSIX regex patterns matching
+ OpenID URI's to permit.
+- `BLACKLISTED_URIS`: **\<empty\>**: If non-empty, list of POSIX regex patterns matching
+ OpenID URI's to block.
+
+## OAuth2 Client (`oauth2_client`)
+
+- `REGISTER_EMAIL_CONFIRM`: _[service]_ **REGISTER\_EMAIL\_CONFIRM**: Set this to enable or disable email confirmation of OAuth2 auto-registration. (Overwrites the REGISTER\_EMAIL\_CONFIRM setting of the `[service]` section)
+- `OPENID_CONNECT_SCOPES`: **\<empty\>**: List of additional openid connect scopes. (`openid` is implicitly added)
+- `ENABLE_AUTO_REGISTRATION`: **false**: Automatically create user accounts for new oauth2 users.
+- `USERNAME`: **nickname**: The source of the username for new oauth2 accounts:
+ - userid - use the userid / sub attribute
+ - nickname - use the nickname attribute
+ - email - use the username part of the email attribute
+- `UPDATE_AVATAR`: **false**: Update avatar if available from oauth2 provider. Update will be performed on each login.
+- `ACCOUNT_LINKING`: **login**: How to handle if an account / email already exists:
+ - disabled - show an error
+ - login - show an account linking login
+ - auto - automatically link with the account (Please be aware that this will grant access to an existing account just because the same username or email is provided. You must make sure that this does not cause issues with your authentication providers.)
+
+## Service (`service`)
+
+- `ACTIVE_CODE_LIVE_MINUTES`: **180**: Time limit (min) to confirm account/email registration.
+- `RESET_PASSWD_CODE_LIVE_MINUTES`: **180**: Time limit (min) to confirm forgot password reset
+ process.
+- `REGISTER_EMAIL_CONFIRM`: **false**: Enable this to ask for mail confirmation of registration.
+ Requires `Mailer` to be enabled.
+- `REGISTER_MANUAL_CONFIRM`: **false**: Enable this to manually confirm new registrations.
+ Requires `REGISTER_EMAIL_CONFIRM` to be disabled.
+- `DISABLE_REGISTRATION`: **false**: Disable registration, after which only admin can create
+ accounts for users.
+- `REQUIRE_EXTERNAL_REGISTRATION_PASSWORD`: **false**: Enable this to force externally created
+ accounts (via GitHub, OpenID Connect, etc) to create a password. Warning: enabling this will
+ decrease security, so you should only enable it if you know what you're doing.
+- `REQUIRE_SIGNIN_VIEW`: **false**: Enable this to force users to log in to view any page or to use API.
+- `ENABLE_NOTIFY_MAIL`: **false**: Enable this to send e-mail to watchers of a repository when
+ something happens, like creating issues. Requires `Mailer` to be enabled.
+- `ENABLE_BASIC_AUTHENTICATION`: **true**: Disable this to disallow authenticaton using HTTP
+ BASIC and the user's password. Please note if you disable this you will not be able to access the
+ tokens API endpoints using a password. Further, this only disables BASIC authentication using the
+ password - not tokens or OAuth Basic.
+- `ENABLE_REVERSE_PROXY_AUTHENTICATION`: **false**: Enable this to allow reverse proxy authentication.
+- `ENABLE_REVERSE_PROXY_AUTO_REGISTRATION`: **false**: Enable this to allow auto-registration
+ for reverse authentication.
+- `ENABLE_REVERSE_PROXY_EMAIL`: **false**: Enable this to allow to auto-registration with a
+ provided email rather than a generated email.
+- `ENABLE_REVERSE_PROXY_FULL_NAME`: **false**: Enable this to allow to auto-registration with a
+ provided full name for the user.
+- `ENABLE_CAPTCHA`: **false**: Enable this to use captcha validation for registration.
+- `REQUIRE_CAPTCHA_FOR_LOGIN`: **false**: Enable this to require captcha validation for login. You also must enable `ENABLE_CAPTCHA`.
+- `REQUIRE_EXTERNAL_REGISTRATION_CAPTCHA`: **false**: Enable this to force captcha validation
+ even for External Accounts (i.e. GitHub, OpenID Connect, etc). You also must enable `ENABLE_CAPTCHA`.
+- `CAPTCHA_TYPE`: **image**: \[image, recaptcha, hcaptcha, mcaptcha, cfturnstile\]
+- `RECAPTCHA_SECRET`: **""**: Go to https://www.google.com/recaptcha/admin to get a secret for recaptcha.
+- `RECAPTCHA_SITEKEY`: **""**: Go to https://www.google.com/recaptcha/admin to get a sitekey for recaptcha.
+- `RECAPTCHA_URL`: **https://www.google.com/recaptcha/**: Set the recaptcha url - allows the use of recaptcha net.
+- `HCAPTCHA_SECRET`: **""**: Sign up at https://www.hcaptcha.com/ to get a secret for hcaptcha.
+- `HCAPTCHA_SITEKEY`: **""**: Sign up at https://www.hcaptcha.com/ to get a sitekey for hcaptcha.
+- `MCAPTCHA_SECRET`: **""**: Go to your mCaptcha instance to get a secret for mCaptcha.
+- `MCAPTCHA_SITEKEY`: **""**: Go to your mCaptcha instance to get a sitekey for mCaptcha.
+- `MCAPTCHA_URL` **https://demo.mcaptcha.org/**: Set the mCaptcha URL.
+- `CF_TURNSTILE_SECRET` **""**: Go to https://dash.cloudflare.com/?to=/:account/turnstile to get a secret for cloudflare turnstile.
+- `CF_TURNSTILE_SITEKEY` **""**: Go to https://dash.cloudflare.com/?to=/:account/turnstile to get a sitekey for cloudflare turnstile.
+- `DEFAULT_KEEP_EMAIL_PRIVATE`: **false**: By default set users to keep their email address private.
+- `DEFAULT_ALLOW_CREATE_ORGANIZATION`: **true**: Allow new users to create organizations by default.
+- `DEFAULT_USER_IS_RESTRICTED`: **false**: Give new users restricted permissions by default
+- `DEFAULT_ENABLE_DEPENDENCIES`: **true**: Enable this to have dependencies enabled by default.
+- `ALLOW_CROSS_REPOSITORY_DEPENDENCIES` : **true** Enable this to allow dependencies on issues from any repository where the user is granted access.
+- `ENABLE_USER_HEATMAP`: **true**: Enable this to display the heatmap on users profiles.
+- `ENABLE_TIMETRACKING`: **true**: Enable Timetracking feature.
+- `DEFAULT_ENABLE_TIMETRACKING`: **true**: Allow repositories to use timetracking by default.
+- `DEFAULT_ALLOW_ONLY_CONTRIBUTORS_TO_TRACK_TIME`: **true**: Only allow users with write permissions to track time.
+- `EMAIL_DOMAIN_WHITELIST`: **\<empty\>**: If non-empty, list of domain names that can only be used to register
+ on this instance.
+- `EMAIL_DOMAIN_BLOCKLIST`: **\<empty\>**: If non-empty, list of domain names that cannot be used to register on this instance
+- `SHOW_REGISTRATION_BUTTON`: **! DISABLE\_REGISTRATION**: Show Registration Button
+- `SHOW_MILESTONES_DASHBOARD_PAGE`: **true** Enable this to show the milestones dashboard page - a view of all the user's milestones
+- `AUTO_WATCH_NEW_REPOS`: **true**: Enable this to let all organisation users watch new repos when they are created
+- `AUTO_WATCH_ON_CHANGES`: **false**: Enable this to make users watch a repository after their first commit to it
+- `DEFAULT_USER_VISIBILITY`: **public**: Set default visibility mode for users, either "public", "limited" or "private".
+- `ALLOWED_USER_VISIBILITY_MODES`: **public,limited,private**: Set which visibility modes a user can have
+- `DEFAULT_ORG_VISIBILITY`: **public**: Set default visibility mode for organisations, either "public", "limited" or "private".
+- `DEFAULT_ORG_MEMBER_VISIBLE`: **false** True will make the membership of the users visible when added to the organisation.
+- `ALLOW_ONLY_INTERNAL_REGISTRATION`: **false** Set to true to force registration only via Gitea.
+- `ALLOW_ONLY_EXTERNAL_REGISTRATION`: **false** Set to true to force registration only using third-party services.
+- `NO_REPLY_ADDRESS`: **noreply.DOMAIN** Value for the domain part of the user's email address in the Git log if user has set KeepEmailPrivate to true. DOMAIN resolves to the value in server.DOMAIN.
+ The user's email will be replaced with a concatenation of the user name in lower case, "@" and NO_REPLY_ADDRESS.
+- `USER_DELETE_WITH_COMMENTS_MAX_TIME`: **0** Minimum amount of time a user must exist before comments are kept when the user is deleted.
+- `VALID_SITE_URL_SCHEMES`: **http, https**: Valid site url schemes for user profiles
+
+### Service - Explore (`service.explore`)
+
+- `REQUIRE_SIGNIN_VIEW`: **false**: Only allow signed in users to view the explore pages.
+- `DISABLE_USERS_PAGE`: **false**: Disable the users explore page.
+
+## SSH Minimum Key Sizes (`ssh.minimum_key_sizes`)
+
+Define allowed algorithms and their minimum key length (use -1 to disable a type):
+
+- `ED25519`: **256**
+- `ECDSA`: **256**
+- `RSA`: **2047**: We set 2047 here because an otherwise valid 2048 RSA key can be reported as 2047 length.
+- `DSA`: **-1**: DSA is now disabled by default. Set to **1024** to re-enable but ensure you may need to reconfigure your SSHD provider
+
+## Webhook (`webhook`)
+
+- `QUEUE_LENGTH`: **1000**: Hook task queue length. Use caution when editing this value.
+- `DELIVER_TIMEOUT`: **5**: Delivery timeout (sec) for shooting webhooks.
+- `ALLOWED_HOST_LIST`: **external**: Webhook can only call allowed hosts for security reasons. Comma separated list.
+ - Built-in networks:
+ - `loopback`: 127.0.0.0/8 for IPv4 and ::1/128 for IPv6, localhost is included.
+ - `private`: RFC 1918 (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and RFC 4193 (FC00::/7). Also called LAN/Intranet.
+ - `external`: A valid non-private unicast IP, you can access all hosts on public internet.
+ - `*`: All hosts are allowed.
+ - CIDR list: `1.2.3.0/8` for IPv4 and `2001:db8::/32` for IPv6
+ - Wildcard hosts: `*.mydomain.com`, `192.168.100.*`
+- `SKIP_TLS_VERIFY`: **false**: Allow insecure certification.
+- `PAGING_NUM`: **10**: Number of webhook history events that are shown in one page.
+- `PROXY_URL`: **\<empty\>**: Proxy server URL, support http://, https//, socks://, blank will follow environment http_proxy/https_proxy. If not given, will use global proxy setting.
+- `PROXY_HOSTS`: **\<empty\>`**: Comma separated list of host names requiring proxy. Glob patterns (*) are accepted; use ** to match all hosts. If not given, will use global proxy setting.
+
+## Mailer (`mailer`)
+
+⚠️ This section is for Gitea 1.18 and later. If you are using Gitea 1.17 or older,
+please refer to
+[Gitea 1.17 app.ini example](https://github.com/go-gitea/gitea/blob/release/v1.17/custom/conf/app.example.ini)
+and
+[Gitea 1.17 configuration document](https://github.com/go-gitea/gitea/blob/release/v1.17/docs/content/doc/advanced/config-cheat-sheet.en-us.md)
+
+- `ENABLED`: **false**: Enable to use a mail service.
+- `PROTOCOL`: **\<empty\>**: Mail server protocol. One of "smtp", "smtps", "smtp+starttls", "smtp+unix", "sendmail", "dummy". _Before 1.18, this was inferred from a combination of `MAILER_TYPE` and `IS_TLS_ENABLED`._
+ - SMTP family, if your provider does not explicitly say which protocol it uses but does provide a port, you can set SMTP_PORT instead and this will be inferred.
+ - **sendmail** Use the operating system's `sendmail` command instead of SMTP. This is common on Linux systems.
+ - **dummy** Send email messages to the log as a testing phase.
+ - Note that enabling sendmail will ignore all other `mailer` settings except `ENABLED`, `FROM`, `SUBJECT_PREFIX` and `SENDMAIL_PATH`.
+ - Enabling dummy will ignore all settings except `ENABLED`, `SUBJECT_PREFIX` and `FROM`.
+- `SMTP_ADDR`: **\<empty\>**: Mail server address. e.g. smtp.gmail.com. For smtp+unix, this should be a path to a unix socket instead. _Before 1.18, this was combined with `SMTP_PORT` under the name `HOST`._
+- `SMTP_PORT`: **\<empty\>**: Mail server port. If no protocol is specified, it will be inferred by this setting. Common ports are listed below. _Before 1.18, this was combined with `SMTP_ADDR` under the name `HOST`._
+ - 25: insecure SMTP
+ - 465: SMTP Secure
+ - 587: StartTLS
+- `USE_CLIENT_CERT`: **false**: Use client certificate for TLS/SSL.
+- `CLIENT_CERT_FILE`: **custom/mailer/cert.pem**: Client certificate file.
+- `CLIENT_KEY_FILE`: **custom/mailer/key.pem**: Client key file.
+- `FORCE_TRUST_SERVER_CERT`: **false**: If set to `true`, completely ignores server certificate validation errors. This option is unsafe. Consider adding the certificate to the system trust store instead.
+- `USER`: **\<empty\>**: Username of mailing user (usually the sender's e-mail address).
+- `PASSWD`: **\<empty\>**: Password of mailing user. Use \`your password\` for quoting if you use special characters in the password.
+ - Please note: authentication is only supported when the SMTP server communication is encrypted with TLS (this can be via `STARTTLS`) or SMTP host is localhost. See [Email Setup]({{< relref "doc/administration/email-setup.en-us.md" >}}) for more information.
+- `ENABLE_HELO`: **true**: Enable HELO operation.
+- `HELO_HOSTNAME`: **(retrieved from system)**: HELO hostname.
+- `FROM`: **\<empty\>**: Mail from address, RFC 5322. This can be just an email address, or the "Name" \<email@example.com\> format.
+- `ENVELOPE_FROM`: **\<empty\>**: Address set as the From address on the SMTP mail envelope. Set to `<>` to send an empty address.
+- `SUBJECT_PREFIX`: **\<empty\>**: Prefix to be placed before e-mail subject lines.
+- `SENDMAIL_PATH`: **sendmail**: The location of sendmail on the operating system (can be command or full path).
+- `SENDMAIL_ARGS`: **\<empty\>**: Specify any extra sendmail arguments. (NOTE: you should be aware that email addresses can look like options - if your `sendmail` command takes options you must set the option terminator `--`)
+- `SENDMAIL_TIMEOUT`: **5m**: default timeout for sending email through sendmail
+- `SENDMAIL_CONVERT_CRLF`: **true**: Most versions of sendmail prefer LF line endings rather than CRLF line endings. Set this to false if your version of sendmail requires CRLF line endings.
+- `SEND_BUFFER_LEN`: **100**: Buffer length of mailing queue. **DEPRECATED** use `LENGTH` in `[queue.mailer]`
+- `SEND_AS_PLAIN_TEXT`: **false**: Send mails only in plain text, without HTML alternative.
+
+## Incoming Email (`email.incoming`)
+
+- `ENABLED`: **false**: Enable handling of incoming emails.
+- `REPLY_TO_ADDRESS`: **\<empty\>**: The email address including the `%{token}` placeholder that will be replaced per user/action. Example: `incoming+%{token}@example.com`. The placeholder must appear in the user part of the address (before the `@`).
+- `HOST`: **\<empty\>**: IMAP server host.
+- `PORT`: **\<empty\>**: IMAP server port.
+- `USERNAME`: **\<empty\>**: Username of the receiving account.
+- `PASSWORD`: **\<empty\>**: Password of the receiving account.
+- `USE_TLS`: **false**: Whether the IMAP server uses TLS.
+- `SKIP_TLS_VERIFY`: **false**: If set to `true`, completely ignores server certificate validation errors. This option is unsafe.
+- `MAILBOX`: **INBOX**: The mailbox name where incoming mail will end up.
+- `DELETE_HANDLED_MESSAGE`: **true**: Whether handled messages should be deleted from the mailbox.
+- `MAXIMUM_MESSAGE_SIZE`: **10485760**: Maximum size of a message to handle. Bigger messages are ignored. Set to 0 to allow every size.
+
+## Cache (`cache`)
+
+- `ENABLED`: **true**: Enable the cache.
+- `ADAPTER`: **memory**: Cache engine adapter, either `memory`, `redis`, `twoqueue` or `memcache`. (`twoqueue` represents a size limited LRU cache.)
+- `INTERVAL`: **60**: Garbage Collection interval (sec), for memory and twoqueue cache only.
+- `HOST`: **\<empty\>**: Connection string for `redis` and `memcache`. For `twoqueue` sets configuration for the queue.
+ - Redis: `redis://:macaron@127.0.0.1:6379/0?pool_size=100&idle_timeout=180s`
+ - Memcache: `127.0.0.1:9090;127.0.0.1:9091`
+ - TwoQueue LRU cache: `{"size":50000,"recent_ratio":0.25,"ghost_ratio":0.5}` or `50000` representing the maximum number of objects stored in the cache.
+- `ITEM_TTL`: **16h**: Time to keep items in cache if not used, Setting it to -1 disables caching.
+
+## Cache - LastCommitCache settings (`cache.last_commit`)
+
+- `ENABLED`: **true**: Enable the cache.
+- `ITEM_TTL`: **8760h**: Time to keep items in cache if not used, Setting it to -1 disables caching.
+- `COMMITS_COUNT`: **1000**: Only enable the cache when repository's commits count great than.
+
+## Session (`session`)
+
+- `PROVIDER`: **memory**: Session engine provider \[memory, file, redis, db, mysql, couchbase, memcache, postgres\]. Setting `db` will reuse the configuration in `[database]`
+- `PROVIDER_CONFIG`: **data/sessions**: For file, the root path; for db, empty (database config will be used); for others, the connection string. Relative paths will be made absolute against _`AppWorkPath`_.
+- `COOKIE_SECURE`: **false**: Enable this to force using HTTPS for all session access.
+- `COOKIE_NAME`: **i\_like\_gitea**: The name of the cookie used for the session ID.
+- `GC_INTERVAL_TIME`: **86400**: GC interval in seconds.
+- `SESSION_LIFE_TIME`: **86400**: Session life time in seconds, default is 86400 (1 day)
+- `DOMAIN`: **\<empty\>**: Sets the cookie Domain
+- `SAME_SITE`: **lax** \[strict, lax, none\]: Set the SameSite setting for the cookie.
+
+## Picture (`picture`)
+
+- `GRAVATAR_SOURCE`: **gravatar**: Can be `gravatar`, `duoshuo` or anything like
+ `http://cn.gravatar.com/avatar/`.
+- `DISABLE_GRAVATAR`: **false**: Enable this to use local avatars only. **DEPRECATED [v1.18+]** moved to database. Use admin panel to configure.
+- `ENABLE_FEDERATED_AVATAR`: **false**: Enable support for federated avatars (see
+ [http://www.libravatar.org](http://www.libravatar.org)). **DEPRECATED [v1.18+]** moved to database. Use admin panel to configure.
+
+- `AVATAR_STORAGE_TYPE`: **default**: Storage type defined in `[storage.xxx]`. Default is `default` which will read `[storage]` if no section `[storage]` will be a type `local`.
+- `AVATAR_UPLOAD_PATH`: **data/avatars**: Path to store user avatar image files.
+- `AVATAR_MAX_WIDTH`: **4096**: Maximum avatar image width in pixels.
+- `AVATAR_MAX_HEIGHT`: **3072**: Maximum avatar image height in pixels.
+- `AVATAR_MAX_FILE_SIZE`: **1048576** (1Mb): Maximum avatar image file size in bytes.
+- `AVATAR_RENDERED_SIZE_FACTOR`: **3**: The multiplication factor for rendered avatar images. Larger values result in finer rendering on HiDPI devices.
+
+- `REPOSITORY_AVATAR_STORAGE_TYPE`: **default**: Storage type defined in `[storage.xxx]`. Default is `default` which will read `[storage]` if no section `[storage]` will be a type `local`.
+- `REPOSITORY_AVATAR_UPLOAD_PATH`: **data/repo-avatars**: Path to store repository avatar image files.
+- `REPOSITORY_AVATAR_FALLBACK`: **none**: How Gitea deals with missing repository avatars
+ - none = no avatar will be displayed
+ - random = random avatar will be generated
+ - image = default image will be used (which is set in `REPOSITORY_AVATAR_FALLBACK_IMAGE`)
+- `REPOSITORY_AVATAR_FALLBACK_IMAGE`: **/img/repo_default.png**: Image used as default repository avatar (if `REPOSITORY_AVATAR_FALLBACK` is set to image and none was uploaded)
+
+## Project (`project`)
+
+Default templates for project boards:
+
+- `PROJECT_BOARD_BASIC_KANBAN_TYPE`: **To Do, In Progress, Done**
+- `PROJECT_BOARD_BUG_TRIAGE_TYPE`: **Needs Triage, High Priority, Low Priority, Closed**
+
+## Issue and pull request attachments (`attachment`)
+
+- `ENABLED`: **true**: Whether issue and pull request attachments are enabled.
+- `ALLOWED_TYPES`: **.csv,.docx,.fodg,.fodp,.fods,.fodt,.gif,.gz,.jpeg,.jpg,.log,.md,.mov,.mp4,.odf,.odg,.odp,.ods,.odt,.patch,.pdf,.png,.pptx,.svg,.tgz,.txt,.webm,.xls,.xlsx,.zip**: Comma-separated list of allowed file extensions (`.zip`), mime types (`text/plain`) or wildcard type (`image/*`, `audio/*`, `video/*`). Empty value or `*/*` allows all types.
+- `MAX_SIZE`: **4**: Maximum size (MB).
+- `MAX_FILES`: **5**: Maximum number of attachments that can be uploaded at once.
+- `STORAGE_TYPE`: **local**: Storage type for attachments, `local` for local disk or `minio` for s3 compatible object storage service, default is `local` or other name defined with `[storage.xxx]`
+- `SERVE_DIRECT`: **false**: Allows the storage driver to redirect to authenticated URLs to serve files directly. Currently, only Minio/S3 is supported via signed URLs, local does nothing.
+- `PATH`: **data/attachments**: Path to store attachments only available when STORAGE_TYPE is `local`
+- `MINIO_ENDPOINT`: **localhost:9000**: Minio endpoint to connect only available when STORAGE_TYPE is `minio`
+- `MINIO_ACCESS_KEY_ID`: Minio accessKeyID to connect only available when STORAGE_TYPE is `minio`
+- `MINIO_SECRET_ACCESS_KEY`: Minio secretAccessKey to connect only available when STORAGE_TYPE is `minio`
+- `MINIO_BUCKET`: **gitea**: Minio bucket to store the attachments only available when STORAGE_TYPE is `minio`
+- `MINIO_LOCATION`: **us-east-1**: Minio location to create bucket only available when STORAGE_TYPE is `minio`
+- `MINIO_BASE_PATH`: **attachments/**: Minio base path on the bucket only available when STORAGE_TYPE is `minio`
+- `MINIO_USE_SSL`: **false**: Minio enabled ssl only available when STORAGE_TYPE is `minio`
+- `MINIO_INSECURE_SKIP_VERIFY`: **false**: Minio skip SSL verification available when STORAGE_TYPE is `minio`
+
+## Log (`log`)
+
+- `ROOT_PATH`: **\<empty\>**: Root path for log files.
+- `MODE`: **console**: Logging mode. For multiple modes, use a comma to separate values. You can configure each mode in per mode log subsections `\[log.modename\]`. By default the file mode will log to `$ROOT_PATH/gitea.log`.
+- `LEVEL`: **Info**: General log level. \[Trace, Debug, Info, Warn, Error, Critical, Fatal, None\]
+- `STACKTRACE_LEVEL`: **None**: Default log level at which to log create stack traces. \[Trace, Debug, Info, Warn, Error, Critical, Fatal, None\]
+- `ENABLE_SSH_LOG`: **false**: save ssh log to log file
+- `ENABLE_XORM_LOG`: **true**: Set whether to perform XORM logging. Please note SQL statement logging can be disabled by setting `LOG_SQL` to false in the `[database]` section.
+
+### Router Log (`log`)
+
+- `DISABLE_ROUTER_LOG`: **false**: Mute printing of the router log.
+- `ROUTER`: **console**: The mode or name of the log the router should log to. (If you set this to `,` it will log to default Gitea logger.)
+ NB: You must have `DISABLE_ROUTER_LOG` set to `false` for this option to take effect. Configure each mode in per mode log subsections `\[log.modename.router\]`.
+
+### Access Log (`log`)
+
+- `ENABLE_ACCESS_LOG`: **false**: Creates an access.log in NCSA common log format, or as per the following template
+- `ACCESS`: **file**: Logging mode for the access logger, use a comma to separate values. Configure each mode in per mode log subsections `\[log.modename.access\]`. By default the file mode will log to `$ROOT_PATH/access.log`. (If you set this to `,` it will log to the default Gitea logger.)
+- `ACCESS_LOG_TEMPLATE`: **`{{.Ctx.RemoteAddr}} - {{.Identity}} {{.Start.Format "[02/Jan/2006:15:04:05 -0700]" }} "{{.Ctx.Req.Method}} {{.Ctx.Req.URL.RequestURI}} {{.Ctx.Req.Proto}}" {{.ResponseWriter.Status}} {{.ResponseWriter.Size}} "{{.Ctx.Req.Referer}}\" \"{{.Ctx.Req.UserAgent}}"`**: Sets the template used to create the access log.
+ - The following variables are available:
+ - `Ctx`: the `context.Context` of the request.
+ - `Identity`: the SignedUserName or `"-"` if not logged in.
+ - `Start`: the start time of the request.
+ - `ResponseWriter`: the responseWriter from the request.
+ - `RequestID`: the value matching REQUEST_ID_HEADERS(default: `-`, if not matched).
+ - You must be very careful to ensure that this template does not throw errors or panics as this template runs outside of the panic/recovery script.
+- `REQUEST_ID_HEADERS`: **\<empty\>**: You can configure multiple values that are splited by comma here. It will match in the order of configuration, and the first match will be finally printed in the access log.
+ - e.g.
+ - In the Request Header: X-Request-ID: **test-id-123**
+ - Configuration in app.ini: REQUEST_ID_HEADERS = X-Request-ID
+ - Print in log: 127.0.0.1:58384 - - [14/Feb/2023:16:33:51 +0800] "**test-id-123**" ...
+
+### Log subsections (`log.name`, `log.name.*`)
+
+- `LEVEL`: **log.LEVEL**: Sets the log-level of this sublogger. Defaults to the `LEVEL` set in the global `[log]` section.
+- `STACKTRACE_LEVEL`: **log.STACKTRACE_LEVEL**: Sets the log level at which to log stack traces.
+- `MODE`: **name**: Sets the mode of this sublogger - Defaults to the provided subsection name. This allows you to have two different file loggers at different levels.
+- `EXPRESSION`: **""**: A regular expression to match either the function name, file or message. Defaults to empty. Only log messages that match the expression will be saved in the logger.
+- `FLAGS`: **stdflags**: A comma separated string representing the log flags. Defaults to `stdflags` which represents the prefix: `2009/01/23 01:23:23 ...a/b/c/d.go:23:runtime.Caller() [I]: message`. `none` means don't prefix log lines. See `modules/log/flags.go` for more information.
+- `PREFIX`: **""**: An additional prefix for every log line in this logger. Defaults to empty.
+- `COLORIZE`: **false**: Whether to colorize the log lines
+
+### Console log mode (`log.console`, `log.console.*`, or `MODE=console`)
+
+- For the console logger `COLORIZE` will default to `true` if not on windows or the terminal is determined to be able to color.
+- `STDERR`: **false**: Use Stderr instead of Stdout.
+
+### File log mode (`log.file`, `log.file.*` or `MODE=file`)
+
+- `FILE_NAME`: Set the file name for this logger. Defaults as described above. If relative will be relative to the `ROOT_PATH`
+- `LOG_ROTATE`: **true**: Rotate the log files.
+- `MAX_SIZE_SHIFT`: **28**: Maximum size shift of a single file, 28 represents 256Mb.
+- `DAILY_ROTATE`: **true**: Rotate logs daily.
+- `MAX_DAYS`: **7**: Delete the log file after n days
+- `COMPRESS`: **true**: Compress old log files by default with gzip
+- `COMPRESSION_LEVEL`: **-1**: Compression level
+
+### Conn log mode (`log.conn`, `log.conn.*` or `MODE=conn`)
+
+- `RECONNECT_ON_MSG`: **false**: Reconnect host for every single message.
+- `RECONNECT`: **false**: Try to reconnect when connection is lost.
+- `PROTOCOL`: **tcp**: Set the protocol, either "tcp", "unix" or "udp".
+- `ADDR`: **:7020**: Sets the address to connect to.
+
+### SMTP log mode (`log.smtp`, `log.smtp.*` or `MODE=smtp`)
+
+- `USER`: User email address to send from.
+- `PASSWD`: Password for the smtp server.
+- `HOST`: **127.0.0.1:25**: The SMTP host to connect to.
+- `RECEIVERS`: Email addresses to send to.
+- `SUBJECT`: **Diagnostic message from Gitea**
+
+## Cron (`cron`)
+
+- `ENABLED`: **false**: Enable to run all cron tasks periodically with default settings.
+- `RUN_AT_START`: **false**: Run cron tasks at application start-up.
+- `NOTICE_ON_SUCCESS`: **false**: Set to true to switch on success notices.
+
+- `SCHEDULE` accept formats
+ - Full crontab specs, e.g. `* * * * * ?`
+ - Descriptors, e.g. `@midnight`, `@every 1h30m` ...
+ - See more: [cron documentation](https://pkg.go.dev/github.com/gogs/cron@v0.0.0-20171120032916-9f6c956d3e14)
+
+### Basic cron tasks - enabled by default
+
+#### Cron - Cleanup old repository archives (`cron.archive_cleanup`)
+
+- `ENABLED`: **true**: Enable service.
+- `RUN_AT_START`: **true**: Run tasks at start up time (if ENABLED).
+- `SCHEDULE`: **@midnight**: Cron syntax for scheduling repository archive cleanup, e.g. `@every 1h`.
+- `OLDER_THAN`: **24h**: Archives created more than `OLDER_THAN` ago are subject to deletion, e.g. `12h`.
+
+#### Cron - Update Mirrors (`cron.update_mirrors`)
+
+- `SCHEDULE`: **@every 10m**: Cron syntax for scheduling update mirrors, e.g. `@every 3h`.
+- `PULL_LIMIT`: **50**: Limit the number of mirrors added to the queue to this number (negative values mean no limit, 0 will result in no mirrors being queued effectively disabling pull mirror updating).
+- `PUSH_LIMIT`: **50**: Limit the number of mirrors added to the queue to this number (negative values mean no limit, 0 will result in no mirrors being queued effectively disabling push mirror updating).
+
+#### Cron - Repository Health Check (`cron.repo_health_check`)
+
+- `SCHEDULE`: **@midnight**: Cron syntax for scheduling repository health check.
+- `TIMEOUT`: **60s**: Time duration syntax for health check execution timeout.
+- `ARGS`: **\<empty\>**: Arguments for command `git fsck`, e.g. `--unreachable --tags`. See more on http://git-scm.com/docs/git-fsck
+
+#### Cron - Repository Statistics Check (`cron.check_repo_stats`)
+
+- `RUN_AT_START`: **true**: Run repository statistics check at start time.
+- `SCHEDULE`: **@midnight**: Cron syntax for scheduling repository statistics check.
+
+#### Cron - Cleanup hook_task Table (`cron.cleanup_hook_task_table`)
+
+- `ENABLED`: **true**: Enable cleanup hook_task job.
+- `RUN_AT_START`: **false**: Run cleanup hook_task at start time (if ENABLED).
+- `SCHEDULE`: **@midnight**: Cron syntax for cleaning hook_task table.
+- `CLEANUP_TYPE` **OlderThan** OlderThan or PerWebhook Method to cleanup hook_task, either by age (i.e. how long ago hook_task record was delivered) or by the number to keep per webhook (i.e. keep most recent x deliveries per webhook).
+- `OLDER_THAN`: **168h**: If CLEANUP_TYPE is set to OlderThan, then any delivered hook_task records older than this expression will be deleted.
+- `NUMBER_TO_KEEP`: **10**: If CLEANUP_TYPE is set to PerWebhook, this is number of hook_task records to keep for a webhook (i.e. keep the most recent x deliveries).
+
+#### Cron - Cleanup expired packages (`cron.cleanup_packages`)
+
+- `ENABLED`: **true**: Enable cleanup expired packages job.
+- `RUN_AT_START`: **true**: Run job at start time (if ENABLED).
+- `NOTICE_ON_SUCCESS`: **false**: Notify every time this job runs.
+- `SCHEDULE`: **@midnight**: Cron syntax for the job.
+- `OLDER_THAN`: **24h**: Unreferenced package data created more than OLDER_THAN ago is subject to deletion.
+
+#### Cron - Update Migration Poster ID (`cron.update_migration_poster_id`)
+
+- `SCHEDULE`: **@midnight** : Interval as a duration between each synchronization, it will always attempt synchronization when the instance starts.
+
+#### Cron - Sync External Users (`cron.sync_external_users`)
+
+- `SCHEDULE`: **@midnight** : Interval as a duration between each synchronization, it will always attempt synchronization when the instance starts.
+- `UPDATE_EXISTING`: **true**: Create new users, update existing user data and disable users that are not in external source anymore (default) or only create new users if UPDATE_EXISTING is set to false.
+
+### Extended cron tasks (not enabled by default)
+
+#### Cron - Garbage collect all repositories ('cron.git_gc_repos')
+
+- `ENABLED`: **false**: Enable service.
+- `RUN_AT_START`: **false**: Run tasks at start up time (if ENABLED).
+- `SCHEDULE`: **@every 72h**: Cron syntax for scheduling repository archive cleanup, e.g. `@every 1h`.
+- `TIMEOUT`: **60s**: Time duration syntax for garbage collection execution timeout.
+- `NOTICE_ON_SUCCESS`: **false**: Set to true to switch on success notices.
+- `ARGS`: **\<empty\>**: Arguments for command `git gc`, e.g. `--aggressive --auto`. The default value is same with [git] -> GC_ARGS
+
+#### Cron - Update the '.ssh/authorized_keys' file with Gitea SSH keys ('cron.resync_all_sshkeys')
+
+- `ENABLED`: **false**: Enable service.
+- `RUN_AT_START`: **false**: Run tasks at start up time (if ENABLED).
+- `NOTICE_ON_SUCCESS`: **false**: Set to true to switch on success notices.
+- `SCHEDULE`: **@every 72h**: Cron syntax for scheduling repository archive cleanup, e.g. `@every 1h`.
+
+#### Cron - Resynchronize pre-receive, update and post-receive hooks of all repositories ('cron.resync_all_hooks')
+
+- `ENABLED`: **false**: Enable service.
+- `RUN_AT_START`: **false**: Run tasks at start up time (if ENABLED).
+- `NOTICE_ON_SUCCESS`: **false**: Set to true to switch on success notices.
+- `SCHEDULE`: **@every 72h**: Cron syntax for scheduling repository archive cleanup, e.g. `@every 1h`.
+
+#### Cron - Reinitialize all missing Git repositories for which records exist ('cron.reinit_missing_repos')
+
+- `ENABLED`: **false**: Enable service.
+- `RUN_AT_START`: **false**: Run tasks at start up time (if ENABLED).
+- `NOTICE_ON_SUCCESS`: **false**: Set to true to switch on success notices.
+- `SCHEDULE`: **@every 72h**: Cron syntax for scheduling repository archive cleanup, e.g. `@every 1h`.
+
+#### Cron - Delete all repositories missing their Git files ('cron.delete_missing_repos')
+
+- `ENABLED`: **false**: Enable service.
+- `RUN_AT_START`: **false**: Run tasks at start up time (if ENABLED).
+- `NOTICE_ON_SUCCESS`: **false**: Set to true to switch on success notices.
+- `SCHEDULE`: **@every 72h**: Cron syntax for scheduling repository archive cleanup, e.g. `@every 1h`.
+
+#### Cron - Delete generated repository avatars ('cron.delete_generated_repository_avatars')
+
+- `ENABLED`: **false**: Enable service.
+- `RUN_AT_START`: **false**: Run tasks at start up time (if ENABLED).
+- `NOTICE_ON_SUCCESS`: **false**: Set to true to switch on success notices.
+- `SCHEDULE`: **@every 72h**: Cron syntax for scheduling repository archive cleanup, e.g. `@every 1h`.
+
+#### Cron - Delete all old actions from database ('cron.delete_old_actions')
+
+- `ENABLED`: **false**: Enable service.
+- `RUN_AT_START`: **false**: Run tasks at start up time (if ENABLED).
+- `NOTICE_ON_SUCCESS`: **false**: Set to true to switch on success notices.
+- `SCHEDULE`: **@every 168h**: Cron syntax to set how often to check.
+- `OLDER_THAN`: **@every 8760h**: any action older than this expression will be deleted from database, suggest using `8760h` (1 year) because that's the max length of heatmap.
+
+#### Cron - Check for new Gitea versions ('cron.update_checker')
+
+- `ENABLED`: **true**: Enable service.
+- `RUN_AT_START`: **false**: Run tasks at start up time (if ENABLED).
+- `ENABLE_SUCCESS_NOTICE`: **true**: Set to false to switch off success notices.
+- `SCHEDULE`: **@every 168h**: Cron syntax for scheduling a work, e.g. `@every 168h`.
+- `HTTP_ENDPOINT`: **https://dl.gitea.io/gitea/version.json**: the endpoint that Gitea will check for newer versions
+
+#### Cron - Delete all old system notices from database ('cron.delete_old_system_notices')
+
+- `ENABLED`: **false**: Enable service.
+- `RUN_AT_START`: **false**: Run tasks at start up time (if ENABLED).
+- `NO_SUCCESS_NOTICE`: **false**: Set to true to switch off success notices.
+- `SCHEDULE`: **@every 168h**: Cron syntax to set how often to check.
+- `OLDER_THAN`: **@every 8760h**: any system notice older than this expression will be deleted from database.
+
+#### Cron - Garbage collect LFS pointers in repositories ('cron.gc_lfs')
+
+- `ENABLED`: **false**: Enable service.
+- `RUN_AT_START`: **false**: Run tasks at start up time (if ENABLED).
+- `SCHEDULE`: **@every 24h**: Cron syntax to set how often to check.
+- `OLDER_THAN`: **168h**: Only attempt to garbage collect LFSMetaObjects older than this (default 7 days)
+- `LAST_UPDATED_MORE_THAN_AGO`: **72h**: Only attempt to garbage collect LFSMetaObjects that have not been attempted to be garbage collected for this long (default 3 days)
+- `NUMBER_TO_CHECK_PER_REPO`: **100**: Minimum number of stale LFSMetaObjects to check per repo. Set to `0` to always check all.
+- `PROPORTION_TO_CHECK_PER_REPO`: **0.6**: Check at least this proportion of LFSMetaObjects per repo. (This may cause all stale LFSMetaObjects to be checked.)
+
+## Git (`git`)
+
+- `PATH`: **""**: The path of Git executable. If empty, Gitea searches through the PATH environment.
+- `HOME_PATH`: **%(APP_DATA_PATH)s/home**: The HOME directory for Git.
+ This directory will be used to contain the `.gitconfig` and possible `.gnupg` directories that Gitea's git calls will use. If you can confirm Gitea is the only application running in this environment, you can set it to the normal home directory for Gitea user.
+- `DISABLE_DIFF_HIGHLIGHT`: **false**: Disables highlight of added and removed changes.
+- `MAX_GIT_DIFF_LINES`: **1000**: Max number of lines allowed of a single file in diff view.
+- `MAX_GIT_DIFF_LINE_CHARACTERS`: **5000**: Max character count per line highlighted in diff view.
+- `MAX_GIT_DIFF_FILES`: **100**: Max number of files shown in diff view.
+- `COMMITS_RANGE_SIZE`: **50**: Set the default commits range size
+- `BRANCHES_RANGE_SIZE`: **20**: Set the default branches range size
+- `GC_ARGS`: **\<empty\>**: Arguments for command `git gc`, e.g. `--aggressive --auto`. See more on http://git-scm.com/docs/git-gc/
+- `ENABLE_AUTO_GIT_WIRE_PROTOCOL`: **true**: If use Git wire protocol version 2 when Git version >= 2.18, default is true, set to false when you always want Git wire protocol version 1.
+ To enable this for Git over SSH when using a OpenSSH server, add `AcceptEnv GIT_PROTOCOL` to your sshd_config file.
+- `PULL_REQUEST_PUSH_MESSAGE`: **true**: Respond to pushes to a non-default branch with a URL for creating a Pull Request (if the repository has them enabled)
+- `VERBOSE_PUSH`: **true**: Print status information about pushes as they are being processed.
+- `VERBOSE_PUSH_DELAY`: **5s**: Only print verbose information if push takes longer than this delay.
+- `LARGE_OBJECT_THRESHOLD`: **1048576**: (Go-Git only), don't cache objects greater than this in memory. (Set to 0 to disable.)
+- `DISABLE_CORE_PROTECT_NTFS`: **false** Set to true to forcibly set `core.protectNTFS` to false.
+- `DISABLE_PARTIAL_CLONE`: **false** Disable the usage of using partial clones for git.
+
+## Git - Reflog settings (`git.reflog`)
+
+- `ENABLED`: **true** Set to true to enable Git to write changes to reflogs in each repo.
+- `EXPIRATION`: **90** Reflog entry lifetime, in days. Entries are removed opportunistically by Git.
+
+## Git - Timeout settings (`git.timeout`)
+
+- `DEFAULT`: **360**: Git operations default timeout seconds.
+- `MIGRATE`: **600**: Migrate external repositories timeout seconds.
+- `MIRROR`: **300**: Mirror external repositories timeout seconds.
+- `CLONE`: **300**: Git clone from internal repositories timeout seconds.
+- `PULL`: **300**: Git pull from internal repositories timeout seconds.
+- `GC`: **60**: Git repository GC timeout seconds.
+
+## Metrics (`metrics`)
+
+- `ENABLED`: **false**: Enables /metrics endpoint for prometheus.
+- `ENABLED_ISSUE_BY_LABEL`: **false**: Enable issue by label metrics with format `gitea_issues_by_label{label="bug"} 2`.
+- `ENABLED_ISSUE_BY_REPOSITORY`: **false**: Enable issue by repository metrics with format `gitea_issues_by_repository{repository="org/repo"} 5`.
+- `TOKEN`: **\<empty\>**: You need to specify the token, if you want to include in the authorization the metrics . The same token need to be used in prometheus parameters `bearer_token` or `bearer_token_file`.
+
+## API (`api`)
+
+- `ENABLE_SWAGGER`: **true**: Enables the API documentation endpoints (`/api/swagger`, `/api/v1/swagger`, …). True or false.
+- `MAX_RESPONSE_ITEMS`: **50**: Max number of items in a page.
+- `DEFAULT_PAGING_NUM`: **30**: Default paging number of API.
+- `DEFAULT_GIT_TREES_PER_PAGE`: **1000**: Default and maximum number of items per page for Git trees API.
+- `DEFAULT_MAX_BLOB_SIZE`: **10485760** (10MiB): Default max size of a blob that can be returned by the blobs API.
+
+## OAuth2 (`oauth2`)
+
+- `ENABLE`: **true**: Enables OAuth2 provider.
+- `ACCESS_TOKEN_EXPIRATION_TIME`: **3600**: Lifetime of an OAuth2 access token in seconds
+- `REFRESH_TOKEN_EXPIRATION_TIME`: **730**: Lifetime of an OAuth2 refresh token in hours
+- `INVALIDATE_REFRESH_TOKENS`: **false**: Check if refresh token has already been used
+- `JWT_SIGNING_ALGORITHM`: **RS256**: Algorithm used to sign OAuth2 tokens. Valid values: \[`HS256`, `HS384`, `HS512`, `RS256`, `RS384`, `RS512`, `ES256`, `ES384`, `ES512`\]
+- `JWT_SECRET`: **\<empty\>**: OAuth2 authentication secret for access and refresh tokens, change this to a unique string. This setting is only needed if `JWT_SIGNING_ALGORITHM` is set to `HS256`, `HS384` or `HS512`.
+- `JWT_SIGNING_PRIVATE_KEY_FILE`: **jwt/private.pem**: Private key file path used to sign OAuth2 tokens. The path is relative to `APP_DATA_PATH`. This setting is only needed if `JWT_SIGNING_ALGORITHM` is set to `RS256`, `RS384`, `RS512`, `ES256`, `ES384` or `ES512`. The file must contain a RSA or ECDSA private key in the PKCS8 format. If no key exists a 4096 bit key will be created for you.
+- `MAX_TOKEN_LENGTH`: **32767**: Maximum length of token/cookie to accept from OAuth2 provider
+
+## i18n (`i18n`)
+
+- `LANGS`: **en-US,zh-CN,zh-HK,zh-TW,de-DE,fr-FR,nl-NL,lv-LV,ru-RU,uk-UA,ja-JP,es-ES,pt-BR,pt-PT,pl-PL,bg-BG,it-IT,fi-FI,tr-TR,cs-CZ,sv-SE,ko-KR,el-GR,fa-IR,hu-HU,id-ID,ml-IN**:
+ List of locales shown in language selector. The first locale will be used as the default if user browser's language doesn't match any locale in the list.
+- `NAMES`: **English,简体中文,繁體中文(香港),繁體中文(台灣),Deutsch,Français,Nederlands,Latviešu,Русский,Українська,日本語,Español,Português do Brasil,Português de Portugal,Polski,Български,Italiano,Suomi,Türkçe,Čeština,Српски,Svenska,한국어,Ελληνικά,فارسی,Magyar nyelv,Bahasa Indonesia,മലയാളം**: Visible names corresponding to the locales
+
+## Markup (`markup`)
+
+- `MERMAID_MAX_SOURCE_CHARACTERS`: **5000**: Set the maximum size of a Mermaid source. (Set to -1 to disable)
+
+Gitea can support Markup using external tools. The example below will add a markup named `asciidoc`.
+
+```ini
+[markup.asciidoc]
+ENABLED = true
+NEED_POSTPROCESS = true
+FILE_EXTENSIONS = .adoc,.asciidoc
+RENDER_COMMAND = "asciidoc --out-file=- -"
+IS_INPUT_FILE = false
+```
+
+- ENABLED: **false** Enable markup support; set to **true** to enable this renderer.
+- NEED\_POSTPROCESS: **true** set to **true** to replace links / sha1 and etc.
+- FILE\_EXTENSIONS: **\<empty\>** List of file extensions that should be rendered by an external
+ command. Multiple extensions needs a comma as splitter.
+- RENDER\_COMMAND: External command to render all matching extensions.
+- IS\_INPUT\_FILE: **false** Input is not a standard input but a file param followed `RENDER_COMMAND`.
+- RENDER_CONTENT_MODE: **sanitized** How the content will be rendered.
+ - sanitized: Sanitize the content and render it inside current page, default to only allow a few HTML tags and attributes. Customized sanitizer rules can be defined in `[markup.sanitizer.*]`.
+ - no-sanitizer: Disable the sanitizer and render the content inside current page. It's **insecure** and may lead to XSS attack if the content contains malicious code.
+ - iframe: Render the content in a separate standalone page and embed it into current page by iframe. The iframe is in sandbox mode with same-origin disabled, and the JS code are safely isolated from parent page.
+
+Two special environment variables are passed to the render command:
+
+- `GITEA_PREFIX_SRC`, which contains the current URL prefix in the `src` path tree. To be used as prefix for links.
+- `GITEA_PREFIX_RAW`, which contains the current URL prefix in the `raw` path tree. To be used as prefix for image paths.
+
+If `RENDER_CONTENT_MODE` is `sanitized`, Gitea supports customizing the sanitization policy for rendered HTML. The example below will support KaTeX output from pandoc.
+
+```ini
+[markup.sanitizer.TeX]
+; Pandoc renders TeX segments as <span>s with the "math" class, optionally
+; with "inline" or "display" classes depending on context.
+ELEMENT = span
+ALLOW_ATTR = class
+REGEXP = ^\s*((math(\s+|$)|inline(\s+|$)|display(\s+|$)))+
+ALLOW_DATA_URI_IMAGES = true
+```
+
+- `ELEMENT`: The element this policy applies to. Must be non-empty.
+- `ALLOW_ATTR`: The attribute this policy allows. Must be non-empty.
+- `REGEXP`: A regex to match the contents of the attribute against. Must be present but may be empty for unconditional whitelisting of this attribute.
+- `ALLOW_DATA_URI_IMAGES`: **false** Allow data uri images (`<img src="data:image/png;base64,..."/>`).
+
+Multiple sanitisation rules can be defined by adding unique subsections, e.g. `[markup.sanitizer.TeX-2]`.
+To apply a sanitisation rules only for a specify external renderer they must use the renderer name, e.g. `[markup.sanitizer.asciidoc.rule-1]`.
+If the rule is defined above the renderer ini section or the name does not match a renderer it is applied to every renderer.
+
+## Highlight Mappings (`highlight.mapping`)
+
+- `file_extension e.g. .toml`: **language e.g. ini**. File extension to language mapping overrides.
+
+- Gitea will highlight files using the `linguist-language` or `gitlab-language` attribute from the `.gitattributes` file
+if available. If this is not set or the language is unavailable, the file extension will be looked up
+in this mapping or the filetype using heuristics.
+
+## Time (`time`)
+
+- `FORMAT`: Time format to display on UI. i.e. RFC1123 or 2006-01-02 15:04:05
+- `DEFAULT_UI_LOCATION`: Default location of time on the UI, so that we can display correct user's time on UI. i.e. Asia/Shanghai
+
+## Task (`task`)
+
+Task queue configuration has been moved to `queue.task`. However, the below configuration values are kept for backwards compatibility:
+
+- `QUEUE_TYPE`: **channel**: Task queue type, could be `channel` or `redis`.
+- `QUEUE_LENGTH`: **1000**: Task queue length, available only when `QUEUE_TYPE` is `channel`.
+- `QUEUE_CONN_STR`: **redis://127.0.0.1:6379/0**: Task queue connection string, available only when `QUEUE_TYPE` is `redis`. If redis needs a password, use `redis://123@127.0.0.1:6379/0`.
+
+## Migrations (`migrations`)
+
+- `MAX_ATTEMPTS`: **3**: Max attempts per http/https request on migrations.
+- `RETRY_BACKOFF`: **3**: Backoff time per http/https request retry (seconds)
+- `ALLOWED_DOMAINS`: **\<empty\>**: Domains allowlist for migrating repositories, default is blank. It means everything will be allowed. Multiple domains could be separated by commas. Wildcard is supported: `github.com, *.github.com`.
+- `BLOCKED_DOMAINS`: **\<empty\>**: Domains blocklist for migrating repositories, default is blank. Multiple domains could be separated by commas. When `ALLOWED_DOMAINS` is not blank, this option has a higher priority to deny domains. Wildcard is supported.
+- `ALLOW_LOCALNETWORKS`: **false**: Allow private addresses defined by RFC 1918, RFC 1122, RFC 4632 and RFC 4291. If a domain is allowed by `ALLOWED_DOMAINS`, this option will be ignored.
+- `SKIP_TLS_VERIFY`: **false**: Allow skip tls verify
+
+## Federation (`federation`)
+
+- `ENABLED`: **false**: Enable/Disable federation capabilities
+- `SHARE_USER_STATISTICS`: **true**: Enable/Disable user statistics for nodeinfo if federation is enabled
+- `MAX_SIZE`: **4**: Maximum federation request and response size (MB)
+
+ WARNING: Changing the settings below can break federation.
+
+- `ALGORITHMS`: **rsa-sha256, rsa-sha512, ed25519**: HTTP signature algorithms
+- `DIGEST_ALGORITHM`: **SHA-256**: HTTP signature digest algorithm
+- `GET_HEADERS`: **(request-target), Date**: GET headers for federation requests
+- `POST_HEADERS`: **(request-target), Date, Digest**: POST headers for federation requests
+
+## Packages (`packages`)
+
+- `ENABLED`: **true**: Enable/Disable package registry capabilities
+- `CHUNKED_UPLOAD_PATH`: **tmp/package-upload**: Path for chunked uploads. Defaults to `APP_DATA_PATH` + `tmp/package-upload`
+- `LIMIT_TOTAL_OWNER_COUNT`: **-1**: Maximum count of package versions a single owner can have (`-1` means no limits)
+- `LIMIT_TOTAL_OWNER_SIZE`: **-1**: Maximum size of packages a single owner can use (`-1` means no limits, format `1000`, `1 MB`, `1 GiB`)
+- `LIMIT_SIZE_CARGO`: **-1**: Maximum size of a Cargo upload (`-1` means no limits, format `1000`, `1 MB`, `1 GiB`)
+- `LIMIT_SIZE_CHEF`: **-1**: Maximum size of a Chef upload (`-1` means no limits, format `1000`, `1 MB`, `1 GiB`)
+- `LIMIT_SIZE_COMPOSER`: **-1**: Maximum size of a Composer upload (`-1` means no limits, format `1000`, `1 MB`, `1 GiB`)
+- `LIMIT_SIZE_CONAN`: **-1**: Maximum size of a Conan upload (`-1` means no limits, format `1000`, `1 MB`, `1 GiB`)
+- `LIMIT_SIZE_CONDA`: **-1**: Maximum size of a Conda upload (`-1` means no limits, format `1000`, `1 MB`, `1 GiB`)
+- `LIMIT_SIZE_CONTAINER`: **-1**: Maximum size of a Container upload (`-1` means no limits, format `1000`, `1 MB`, `1 GiB`)
+- `LIMIT_SIZE_GENERIC`: **-1**: Maximum size of a Generic upload (`-1` means no limits, format `1000`, `1 MB`, `1 GiB`)
+- `LIMIT_SIZE_HELM`: **-1**: Maximum size of a Helm upload (`-1` means no limits, format `1000`, `1 MB`, `1 GiB`)
+- `LIMIT_SIZE_MAVEN`: **-1**: Maximum size of a Maven upload (`-1` means no limits, format `1000`, `1 MB`, `1 GiB`)
+- `LIMIT_SIZE_NPM`: **-1**: Maximum size of a npm upload (`-1` means no limits, format `1000`, `1 MB`, `1 GiB`)
+- `LIMIT_SIZE_NUGET`: **-1**: Maximum size of a NuGet upload (`-1` means no limits, format `1000`, `1 MB`, `1 GiB`)
+- `LIMIT_SIZE_PUB`: **-1**: Maximum size of a Pub upload (`-1` means no limits, format `1000`, `1 MB`, `1 GiB`)
+- `LIMIT_SIZE_PYPI`: **-1**: Maximum size of a PyPI upload (`-1` means no limits, format `1000`, `1 MB`, `1 GiB`)
+- `LIMIT_SIZE_RUBYGEMS`: **-1**: Maximum size of a RubyGems upload (`-1` means no limits, format `1000`, `1 MB`, `1 GiB`)
+- `LIMIT_SIZE_SWIFT`: **-1**: Maximum size of a Swift upload (`-1` means no limits, format `1000`, `1 MB`, `1 GiB`)
+- `LIMIT_SIZE_VAGRANT`: **-1**: Maximum size of a Vagrant upload (`-1` means no limits, format `1000`, `1 MB`, `1 GiB`)
+
+## Mirror (`mirror`)
+
+- `ENABLED`: **true**: Enables the mirror functionality. Set to **false** to disable all mirrors. Pre-existing mirrors remain valid but won't be updated; may be converted to regular repo.
+- `DISABLE_NEW_PULL`: **false**: Disable the creation of **new** pull mirrors. Pre-existing mirrors remain valid. Will be ignored if `mirror.ENABLED` is `false`.
+- `DISABLE_NEW_PUSH`: **false**: Disable the creation of **new** push mirrors. Pre-existing mirrors remain valid. Will be ignored if `mirror.ENABLED` is `false`.
+- `DEFAULT_INTERVAL`: **8h**: Default interval between each check
+- `MIN_INTERVAL`: **10m**: Minimum interval for checking. (Must be >1m).
+
+## LFS (`lfs`)
+
+Storage configuration for lfs data. It will be derived from default `[storage]` or
+`[storage.xxx]` when set `STORAGE_TYPE` to `xxx`. When derived, the default of `PATH`
+is `data/lfs` and the default of `MINIO_BASE_PATH` is `lfs/`.
+
+- `STORAGE_TYPE`: **local**: Storage type for lfs, `local` for local disk or `minio` for s3 compatible object storage service or other name defined with `[storage.xxx]`
+- `SERVE_DIRECT`: **false**: Allows the storage driver to redirect to authenticated URLs to serve files directly. Currently, only Minio/S3 is supported via signed URLs, local does nothing.
+- `PATH`: **./data/lfs**: Where to store LFS files, only available when `STORAGE_TYPE` is `local`. If not set it fall back to deprecated LFS_CONTENT_PATH value in [server] section.
+- `MINIO_ENDPOINT`: **localhost:9000**: Minio endpoint to connect only available when `STORAGE_TYPE` is `minio`
+- `MINIO_ACCESS_KEY_ID`: Minio accessKeyID to connect only available when `STORAGE_TYPE` is `minio`
+- `MINIO_SECRET_ACCESS_KEY`: Minio secretAccessKey to connect only available when `STORAGE_TYPE is` `minio`
+- `MINIO_BUCKET`: **gitea**: Minio bucket to store the lfs only available when `STORAGE_TYPE` is `minio`
+- `MINIO_LOCATION`: **us-east-1**: Minio location to create bucket only available when `STORAGE_TYPE` is `minio`
+- `MINIO_BASE_PATH`: **lfs/**: Minio base path on the bucket only available when `STORAGE_TYPE` is `minio`
+- `MINIO_USE_SSL`: **false**: Minio enabled ssl only available when `STORAGE_TYPE` is `minio`
+- `MINIO_INSECURE_SKIP_VERIFY`: **false**: Minio skip SSL verification available when STORAGE_TYPE is `minio`
+
+## Storage (`storage`)
+
+Default storage configuration for attachments, lfs, avatars and etc.
+
+- `SERVE_DIRECT`: **false**: Allows the storage driver to redirect to authenticated URLs to serve files directly. Currently, only Minio/S3 is supported via signed URLs, local does nothing.
+- `MINIO_ENDPOINT`: **localhost:9000**: Minio endpoint to connect only available when `STORAGE_TYPE` is `minio`
+- `MINIO_ACCESS_KEY_ID`: Minio accessKeyID to connect only available when `STORAGE_TYPE` is `minio`
+- `MINIO_SECRET_ACCESS_KEY`: Minio secretAccessKey to connect only available when `STORAGE_TYPE is` `minio`
+- `MINIO_BUCKET`: **gitea**: Minio bucket to store the data only available when `STORAGE_TYPE` is `minio`
+- `MINIO_LOCATION`: **us-east-1**: Minio location to create bucket only available when `STORAGE_TYPE` is `minio`
+- `MINIO_USE_SSL`: **false**: Minio enabled ssl only available when `STORAGE_TYPE` is `minio`
+- `MINIO_INSECURE_SKIP_VERIFY`: **false**: Minio skip SSL verification available when STORAGE_TYPE is `minio`
+
+And you can also define a customize storage like below:
+
+```ini
+[storage.my_minio]
+STORAGE_TYPE = minio
+; Minio endpoint to connect only available when STORAGE_TYPE is `minio`
+MINIO_ENDPOINT = localhost:9000
+; Minio accessKeyID to connect only available when STORAGE_TYPE is `minio`
+MINIO_ACCESS_KEY_ID =
+; Minio secretAccessKey to connect only available when STORAGE_TYPE is `minio`
+MINIO_SECRET_ACCESS_KEY =
+; Minio bucket to store the attachments only available when STORAGE_TYPE is `minio`
+MINIO_BUCKET = gitea
+; Minio location to create bucket only available when STORAGE_TYPE is `minio`
+MINIO_LOCATION = us-east-1
+; Minio enabled ssl only available when STORAGE_TYPE is `minio`
+MINIO_USE_SSL = false
+; Minio skip SSL verification available when STORAGE_TYPE is `minio`
+MINIO_INSECURE_SKIP_VERIFY = false
+```
+
+And used by `[attachment]`, `[lfs]` and etc. as `STORAGE_TYPE`.
+
+## Repository Archive Storage (`storage.repo-archive`)
+
+Configuration for repository archive storage. It will inherit from default `[storage]` or
+`[storage.xxx]` when set `STORAGE_TYPE` to `xxx`. The default of `PATH`
+is `data/repo-archive` and the default of `MINIO_BASE_PATH` is `repo-archive/`.
+
+- `STORAGE_TYPE`: **local**: Storage type for repo archive, `local` for local disk or `minio` for s3 compatible object storage service or other name defined with `[storage.xxx]`
+- `SERVE_DIRECT`: **false**: Allows the storage driver to redirect to authenticated URLs to serve files directly. Currently, only Minio/S3 is supported via signed URLs, local does nothing.
+- `PATH`: **./data/repo-archive**: Where to store archive files, only available when `STORAGE_TYPE` is `local`.
+- `MINIO_ENDPOINT`: **localhost:9000**: Minio endpoint to connect only available when `STORAGE_TYPE` is `minio`
+- `MINIO_ACCESS_KEY_ID`: Minio accessKeyID to connect only available when `STORAGE_TYPE` is `minio`
+- `MINIO_SECRET_ACCESS_KEY`: Minio secretAccessKey to connect only available when `STORAGE_TYPE is` `minio`
+- `MINIO_BUCKET`: **gitea**: Minio bucket to store the lfs only available when `STORAGE_TYPE` is `minio`
+- `MINIO_LOCATION`: **us-east-1**: Minio location to create bucket only available when `STORAGE_TYPE` is `minio`
+- `MINIO_BASE_PATH`: **repo-archive/**: Minio base path on the bucket only available when `STORAGE_TYPE` is `minio`
+- `MINIO_USE_SSL`: **false**: Minio enabled ssl only available when `STORAGE_TYPE` is `minio`
+- `MINIO_INSECURE_SKIP_VERIFY`: **false**: Minio skip SSL verification available when STORAGE_TYPE is `minio`
+
+## Proxy (`proxy`)
+
+- `PROXY_ENABLED`: **false**: Enable the proxy if true, all requests to external via HTTP will be affected, if false, no proxy will be used even environment http_proxy/https_proxy
+- `PROXY_URL`: **\<empty\>**: Proxy server URL, support http://, https//, socks://, blank will follow environment http_proxy/https_proxy
+- `PROXY_HOSTS`: **\<empty\>**: Comma separated list of host names requiring proxy. Glob patterns (*) are accepted; use ** to match all hosts.
+
+i.e.
+
+```ini
+PROXY_ENABLED = true
+PROXY_URL = socks://127.0.0.1:1080
+PROXY_HOSTS = *.github.com
+```
+
+## Actions (`actions`)
+
+- `ENABLED`: **false**: Enable/Disable actions capabilities
+- `DEFAULT_ACTIONS_URL`: **https://gitea.com**: Default address to get action plugins, e.g. the default value means downloading from "<https://gitea.com/actions/checkout>" for "uses: actions/checkout@v3"
+
+`DEFAULT_ACTIONS_URL` indicates where should we find the relative path action plugin. i.e. when use an action in a workflow file like
+
+```yaml
+name: versions
+on:
+ push:
+ branches:
+ - main
+ - releases/*
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+```
+
+Now we need to know how to get actions/checkout, this configuration is the default git server to get it. That means we will get the repository via git clone ${DEFAULT_ACTIONS_URL}/actions/checkout and fetch tag v3.
+
+To help people who don't want to mirror these actions in their git instances, the default value is https://gitea.com
+To help people run actions totally in their network, they can change the value and copy all necessary action repositories into their git server.
+
+Of course we should support the form in future PRs like
+
+```yaml
+steps:
+ - uses: gitea.com/actions/checkout@v3
+```
+
+although Github don't support this form.
+
+## Other (`other`)
+
+- `SHOW_FOOTER_BRANDING`: **false**: Show Gitea branding in the footer.
+- `SHOW_FOOTER_VERSION`: **true**: Show Gitea and Go version information in the footer.
+- `SHOW_FOOTER_TEMPLATE_LOAD_TIME`: **true**: Show time of template execution in the footer.
+- `ENABLE_SITEMAP`: **true**: Generate sitemap.
+- `ENABLE_FEED`: **true**: Enable/Disable RSS/Atom feed.
diff --git a/docs/content/doc/administration/config-cheat-sheet.zh-cn.md b/docs/content/doc/administration/config-cheat-sheet.zh-cn.md
new file mode 100644
index 0000000000..9a32238c1a
--- /dev/null
+++ b/docs/content/doc/administration/config-cheat-sheet.zh-cn.md
@@ -0,0 +1,487 @@
+---
+date: "2016-12-26T16:00:00+02:00"
+title: "配置说明"
+slug: "config-cheat-sheet"
+weight: 20
+toc: false
+draft: false
+menu:
+ sidebar:
+ parent: "administration"
+ name: "配置说明"
+ weight: 30
+ identifier: "config-cheat-sheet"
+---
+
+# 配置说明
+
+这是针对Gitea配置文件的说明,你可以了解Gitea的强大配置。需要说明的是,你的所有改变请修改 `custom/conf/app.ini` 文件而不是源文件。
+所有默认值可以通过 [app.example.ini](https://github.com/go-gitea/gitea/blob/master/custom/conf/app.example.ini) 查看到。
+如果你发现 `%(X)s` 这样的内容,请查看 [ini](https://github.com/go-ini/ini/#recursive-values) 这里的说明。
+标注了 :exclamation: 的配置项表明除非你真的理解这个配置项的意义,否则最好使用默认值。
+
+## ⚠️时效性警告⚠️
+
+此文档的内容可能过于陈旧或者错误,请参考英文文档。
+
+{{< toc >}}
+
+## Overall (`DEFAULT`)
+
+- `APP_NAME`: 应用名称,改成你希望的名字。
+- `RUN_USER`: 运行Gitea的用户,推荐使用 `git`;如果在你自己的个人电脑使用改成你自己的用户名。如果设置不正确,Gitea可能崩溃。
+- `RUN_MODE`: 从性能考虑,如果在产品级的服务上改成 `prod`。如果您使用安装向导安装的那么会自动设置为 `prod`。
+
+## Repository (`repository`)
+
+- `ROOT`: 存放git工程的根目录。这里必须填绝对路径,默认值是 `~/<username>/gitea-repositories`。
+- `SCRIPT_TYPE`: 服务器支持的Shell类型,通常是 `bash`,但有些服务器也有可能是 `sh`。
+- `ANSI_CHARSET`: 默认字符编码。
+- `FORCE_PRIVATE`: 强制所有git工程必须私有。
+- `DEFAULT_PRIVATE`: 默认创建的git工程为私有。 可以是`last`, `private` 或 `public`。默认值是 `last`表示用户最后创建的Repo的选择。
+- `DEFAULT_PUSH_CREATE_PRIVATE`: **true**: 通过 ``push-to-create`` 方式创建的仓库是否默认为私有仓库.
+- `MAX_CREATION_LIMIT`: 全局最大每个用户创建的git工程数目, `-1` 表示没限制。
+- `PULL_REQUEST_QUEUE_LENGTH`: 小心:合并请求测试队列的长度,尽量放大。
+
+### Repository - Release (`repository.release`)
+
+- `ALLOWED_TYPES`: **\<empty\>**: 允许扩展名的列表,用逗号分隔 (`.zip`), mime 类型 (`text/plain`) 或者匹配符号 (`image/*`, `audio/*`, `video/*`). 空值或者 `*/*` 允许所有类型。
+- `DEFAULT_PAGING_NUM`: **10**: 默认的发布版本页面分页。
+
+## UI (`ui`)
+
+- `EXPLORE_PAGING_NUM`: 探索页面每页显示的仓库数量。
+- `ISSUE_PAGING_NUM`: 工单页面每页显示的工单数量。
+- `MEMBERS_PAGING_NUM`: **20**: 组织成员页面每页显示的成员数量。
+- `FEED_MAX_COMMIT_NUM`: 活动流页面显示的最大提交数量。
+
+### UI - Admin (`ui.admin`)
+
+- `USER_PAGING_NUM`: 用户管理页面每页显示的用户数量。
+- `REPO_PAGING_NUM`: 仓库管理页面每页显示的仓库数量。
+- `NOTICE_PAGING_NUM`: 系统提示页面每页显示的提示数量。
+- `ORG_PAGING_NUM`: 组织管理页面每页显示的组织数量。
+
+## Markdown (`markdown`)
+
+- `ENABLE_HARD_LINE_BREAK`: 是否启用硬换行扩展。
+
+## Server (`server`)
+
+- `PROTOCOL`: 可选 `http` 或 `https`。
+- `DOMAIN`: 服务器域名。
+- `ROOT_URL`: Gitea服务器的对外 URL。
+- `HTTP_ADDR`: HTTP 监听地址。
+- `HTTP_PORT`: HTTP 监听端口。
+- `DISABLE_SSH`: 是否禁用SSH。
+- `START_SSH_SERVER`: 是否启用内部SSH服务器。
+- `SSH_PORT`: SSH端口,默认为 `22`。
+- `OFFLINE_MODE`: 针对静态和头像文件禁用 CDN。
+- `DISABLE_ROUTER_LOG`: 关闭日志中的路由日志。
+- `CERT_FILE`: 启用HTTPS的证书文件。
+- `KEY_FILE`: 启用HTTPS的密钥文件。
+- `STATIC_ROOT_PATH`: 存放模板和静态文件的根目录,默认是 Gitea 的根目录。
+- `STATIC_CACHE_TIME`: **6h**: 静态资源文件,包括 `custom/`, `public/` 和所有上传的头像的浏览器缓存时间。
+- `ENABLE_GZIP`: 启用实时生成的数据启用 GZIP 压缩,不包括静态资源。
+- `LANDING_PAGE`: 未登录用户的默认页面,可选 `home` 或 `explore`。
+
+- `LFS_START_SERVER`: 是否启用 git-lfs 支持. 可以为 `true` 或 `false`, 默认是 `false`。
+- `LFS_JWT_SECRET`: LFS 认证密钥,改成自己的。
+- `LFS_CONTENT_PATH`: **已废弃**, 存放 lfs 命令上传的文件的地方,默认是 `data/lfs`。**废弃** 请使用 `[lfs]` 的设置。
+
+## Database (`database`)
+
+- `DB_TYPE`: 数据库类型,可选 `mysql`, `postgres`, `mssql` 或 `sqlite3`。
+- `HOST`: 数据库服务器地址和端口。
+- `NAME`: 数据库名称。
+- `USER`: 数据库用户名。
+- `PASSWD`: 数据库用户密码。
+- `SSL_MODE`: MySQL 或 PostgreSQL数据库是否启用SSL模式。
+- `CHARSET`: **utf8mb4**: 仅当数据库为 MySQL 时有效, 可以为 "utf8" 或 "utf8mb4"。注意:如果使用 "utf8mb4",你的 MySQL InnoDB 版本必须在 5.6 以上。
+- `PATH`: SQLite3 数据文件存放路径。
+- `LOG_SQL`: **true**: 显示生成的SQL,默认为真。
+- `MAX_IDLE_CONNS` **0**: 最大空闲数据库连接
+- `CONN_MAX_LIFETIME` **3s**: 数据库连接最大存活时间
+
+## Indexer (`indexer`)
+
+- `ISSUE_INDEXER_TYPE`: **bleve**: 工单索引类型,当前支持 `bleve`, `db` 和 `elasticsearch`,当为 `db` 时其它工单索引项可不用设置。
+- `ISSUE_INDEXER_CONN_STR`: ****: 工单索引连接字符串,仅当 ISSUE_INDEXER_TYPE 为 `elasticsearch` 时有效。例如: http://elastic:changeme@localhost:9200
+- `ISSUE_INDEXER_NAME`: **gitea_issues**: 工单索引名称,仅当 ISSUE_INDEXER_TYPE 为 `elasticsearch` 时有效。
+- `ISSUE_INDEXER_PATH`: **indexers/issues.bleve**: 工单索引文件存放路径,当索引类型为 `bleve` 时有效。
+- `ISSUE_INDEXER_QUEUE_TYPE`: **levelqueue**: 工单索引队列类型,当前支持 `channel`, `levelqueue` 或 `redis`。
+- `ISSUE_INDEXER_QUEUE_DIR`: **indexers/issues.queue**: 当 `ISSUE_INDEXER_QUEUE_TYPE` 为 `levelqueue` 时,保存索引队列的磁盘路径。
+- `ISSUE_INDEXER_QUEUE_CONN_STR`: **addrs=127.0.0.1:6379 db=0**: 当 `ISSUE_INDEXER_QUEUE_TYPE` 为 `redis` 时,保存Redis队列的连接字符串。
+- `ISSUE_INDEXER_QUEUE_BATCH_NUMBER`: **20**: 队列处理中批量提交数量。
+
+- `REPO_INDEXER_ENABLED`: **false**: 是否启用代码搜索(启用后会占用比较大的磁盘空间,如果是bleve可能需要占用约6倍存储空间)。
+- `REPO_INDEXER_TYPE`: **bleve**: 代码搜索引擎类型,可以为 `bleve` 或者 `elasticsearch`。
+- `REPO_INDEXER_PATH`: **indexers/repos.bleve**: 用于代码搜索的索引文件路径。
+- `REPO_INDEXER_CONN_STR`: ****: 代码搜索引擎连接字符串,当 `REPO_INDEXER_TYPE` 为 `elasticsearch` 时有效。例如: http://elastic:changeme@localhost:9200
+- `REPO_INDEXER_NAME`: **gitea_codes**: 代码搜索引擎的名字,当 `REPO_INDEXER_TYPE` 为 `elasticsearch` 时有效。
+
+- `UPDATE_BUFFER_LEN`: **20**: 代码索引请求的缓冲区长度。
+- `MAX_FILE_SIZE`: **1048576**: 进行解析的源代码文件的最大长度,小于该值时才会索引。
+
+## Security (`security`)
+
+- `INSTALL_LOCK`: 是否允许运行安装向导,(跟管理员账号有关,十分重要)。
+- `SECRET_KEY`: 全局服务器安全密钥 **最好改成你自己的** (当你运行安装向导的时候会被设置为一个随机值)。
+- `LOGIN_REMEMBER_DAYS`: Cookie 保存时间,单位天。
+- `COOKIE_USERNAME`: 保存用户名的 cookie 名称。
+- `COOKIE_REMEMBER_NAME`: 保存自动登录信息的 cookie 名称。
+- `REVERSE_PROXY_AUTHENTICATION_USER`: 反向代理认证的 HTTP 头名称。
+
+## Service (`service`)
+
+- `ACTIVE_CODE_LIVE_MINUTES`: 登录验证码失效时间,单位分钟。
+- `RESET_PASSWD_CODE_LIVE_MINUTES`: 重置密码失效时间,单位分钟。
+- `REGISTER_EMAIL_CONFIRM`: 启用注册邮件激活,前提是 `Mailer` 已经启用。
+- `REGISTER_MANUAL_CONFIRM`: **false**: 新注册用户必须由管理员手动激活,启用此选项需取消`REGISTER_EMAIL_CONFIRM`.
+- `DISABLE_REGISTRATION`: 禁用注册,启用后只能用管理员添加用户。
+- `SHOW_REGISTRATION_BUTTON`: 是否显示注册按钮。
+- `REQUIRE_SIGNIN_VIEW`: 是否所有页面都必须登录后才可访问。
+- `ENABLE_CACHE_AVATAR`: 是否缓存来自 Gravatar 的头像。
+- `ENABLE_NOTIFY_MAIL`: 是否发送工单创建等提醒邮件,需要 `Mailer` 被激活。
+- `ENABLE_REVERSE_PROXY_AUTHENTICATION`: 允许反向代理认证,更多细节见:https://github.com/gogits/gogs/issues/165
+- `ENABLE_REVERSE_PROXY_AUTO_REGISTRATION`: 允许通过反向认证做自动注册。
+- `ENABLE_CAPTCHA`: **false**: 注册时使用图片验证码。
+- `REQUIRE_CAPTCHA_FOR_LOGIN`: **false**: 登录时需要图片验证码。需要同时开启 `ENABLE_CAPTCHA`。
+- `CAPTCHA_TYPE`: **image**: \[image, recaptcha, hcaptcha, mcaptcha, cfturnstile\],人机验证类型,分别表示图片认证、 recaptcha 、 hcaptcha 、mcaptcha 、和 cloudlfare 的 turnstile。
+- `RECAPTCHA_SECRET`: **""**: recaptcha 服务的密钥,可在 https://www.google.com/recaptcha/admin 获取。
+- `RECAPTCHA_SITEKEY`: **""**: recaptcha 服务的网站密钥 ,可在 https://www.google.com/recaptcha/admin 获取。
+- `RECAPTCHA_URL`: **https://www.google.com/recaptcha/**: 设置 recaptcha 的 url 。
+- `HCAPTCHA_SECRET`: **""**: hcaptcha 服务的密钥,可在 https://www.hcaptcha.com/ 获取。
+- `HCAPTCHA_SITEKEY`: **""**: hcaptcha 服务的网站密钥,可在 https://www.hcaptcha.com/ 获取。
+- `MCAPTCHA_SECRET`: **""**: mCaptcha 服务的密钥。
+- `MCAPTCHA_SITEKEY`: **""**: mCaptcha 服务的网站密钥。
+- `MCAPTCHA_URL` **https://demo.mcaptcha.org/**: 设置 remCaptchacaptcha 的 url 。
+- `CF_TURNSTILE_SECRET` **""**: cloudlfare turnstile 服务的密钥,可在 https://dash.cloudflare.com/?to=/:account/turnstile 获取。
+- `CF_TURNSTILE_SITEKEY` **""**: cloudlfare turnstile 服务的网站密钥 ,可在 https://www.google.com/recaptcha/admin 获取。
+
+### Service - Expore (`service.explore`)
+
+- `REQUIRE_SIGNIN_VIEW`: **false**: 仅允许已登录的用户查看探索页面。
+- `DISABLE_USERS_PAGE`: **false**: 不显示用户探索页面。
+
+## Webhook (`webhook`)
+
+- `QUEUE_LENGTH`: 说明: Hook 任务队列长度。
+- `DELIVER_TIMEOUT`: 请求webhooks的超时时间,单位秒。
+- `SKIP_TLS_VERIFY`: 是否允许不安全的证书。
+- `PAGING_NUM`: 每页显示的Webhook 历史数量。
+- `PROXY_URL`: ****: 代理服务器网址,支持 http://, https//, socks://, 为空将使用环境变量中的 http_proxy/https_proxy 设置。
+- `PROXY_HOSTS`: ****: 逗号分隔的需要代理的域名或IP地址。支持 * 号匹配符,使用 ** 匹配所有域名和IP地址。
+
+## Mailer (`mailer`)
+
+- `ENABLED`: 是否启用邮件服务。
+- `DISABLE_HELO`: 禁用 HELO 命令。
+- `HELO_HOSTNAME`: 自定义主机名来回应 HELO 命令。
+- `HOST`: SMTP 主机地址和端口 (例如:smtp.gitea.io:587)。
+- `FROM`: 邮件发送地址,RFC 5322. 这里可以填一个邮件地址或者 "Name" \<email@example.com\> 格式。
+- `USER`: 用户名(通常就是邮件地址)。
+- `PASSWD`: 密码。
+- `SKIP_VERIFY`: 忽略证书验证。
+
+说明:实际上 Gitea 仅仅支持基于 STARTTLS 的 SMTP。
+
+## Cache (`cache`)
+
+- `ENABLED`: **true**: 是否启用。
+- `ADAPTER`: **memory**: 缓存引擎,可以为 `memory`, `redis` 或 `memcache`。
+- `INTERVAL`: **60**: 只对内存缓存有效,GC间隔,单位秒。
+- `HOST`: **\<empty\>**: 针对redis和memcache有效,主机地址和端口。
+ - Redis: `network=tcp,addr=127.0.0.1:6379,password=macaron,db=0,pool_size=100,idle_timeout=180`
+ - Memache: `127.0.0.1:9090;127.0.0.1:9091`
+- `ITEM_TTL`: **16h**: 缓存项目失效时间,设置为 -1 则禁用缓存。
+
+## Cache - LastCommitCache settings (`cache.last_commit`)
+
+- `ENABLED`: **true**: 是否启用。
+- `ITEM_TTL`: **8760h**: 缓存项目失效时间,设置为 -1 则禁用缓存。
+- `COMMITS_COUNT`: **1000**: 仅当仓库的提交数大于时才启用缓存。
+
+## Session (`session`)
+
+- `PROVIDER`: Session 内容存储方式,可选 `memory`, `file`, `redis` 或 `mysql`。
+- `PROVIDER_CONFIG`: 如果是文件,那么这里填根目录;其他的要填主机地址和端口。
+- `COOKIE_SECURE`: 强制使用 HTTPS 作为session访问。
+- `GC_INTERVAL_TIME`: Session失效时间。
+
+## Picture (`picture`)
+
+- `GRAVATAR_SOURCE`: 头像来源,可以是 `gravatar`, `duoshuo` 或者类似 `http://cn.gravatar.com/avatar/` 的来源
+- `DISABLE_GRAVATAR`: 开启则只使用内部头像。
+- `ENABLE_FEDERATED_AVATAR`: 启用头像联盟支持 (参见 http://www.libravatar.org)
+
+- `AVATAR_STORAGE_TYPE`: **local**: 头像存储类型,可以为 `local` 或 `minio`,分别支持本地文件系统和 minio 兼容的API。
+- `AVATAR_UPLOAD_PATH`: **data/avatars**: 存储头像的文件系统路径。
+- `AVATAR_MAX_WIDTH`: **4096**: 头像最大宽度,单位像素。
+- `AVATAR_MAX_HEIGHT`: **3072**: 头像最大高度,单位像素。
+- `AVATAR_MAX_FILE_SIZE`: **1048576** (1Mb): 头像最大大小。
+
+- `REPOSITORY_AVATAR_STORAGE_TYPE`: **local**: 仓库头像存储类型,可以为 `local` 或 `minio`,分别支持本地文件系统和 minio 兼容的API。
+- `REPOSITORY_AVATAR_UPLOAD_PATH`: **data/repo-avatars**: 存储仓库头像的路径。
+- `REPOSITORY_AVATAR_FALLBACK`: **none**: 当头像丢失时的处理方式
+ - none = 不显示头像
+ - random = 显示随机生成的头像
+ - image = 显示默认头像,通过 `REPOSITORY_AVATAR_FALLBACK_IMAGE` 设置
+- `REPOSITORY_AVATAR_FALLBACK_IMAGE`: **/img/repo_default.png**: 默认仓库头像
+
+## Attachment (`attachment`)
+
+- `ENABLED`: 是否允许用户上传附件。
+- `ALLOWED_TYPES`: 允许上传的附件类型。比如:`image/jpeg|image/png`,用 `*/*` 表示允许任何类型。
+- `MAX_SIZE`: 附件最大限制,单位 MB,比如: `4`。
+- `MAX_FILES`: 一次最多上传的附件数量,比如: `5`。
+- `STORAGE_TYPE`: **local**: 附件存储类型,`local` 将存储到本地文件夹, `minio` 将存储到 s3 兼容的对象存储服务中。
+- `PATH`: **data/attachments**: 附件存储路径,仅当 `STORAGE_TYPE` 为 `local` 时有效。
+- `MINIO_ENDPOINT`: **localhost:9000**: Minio 终端,仅当 `STORAGE_TYPE` 是 `minio` 时有效。
+- `MINIO_ACCESS_KEY_ID`: Minio accessKeyID ,仅当 `STORAGE_TYPE` 是 `minio` 时有效。
+- `MINIO_SECRET_ACCESS_KEY`: Minio secretAccessKey,仅当 `STORAGE_TYPE` 是 `minio` 时有效。
+- `MINIO_BUCKET`: **gitea**: Minio bucket to store the attachments,仅当 `STORAGE_TYPE` 是 `minio` 时有效。
+- `MINIO_LOCATION`: **us-east-1**: Minio location to create bucket,仅当 `STORAGE_TYPE` 是 `minio` 时有效。
+- `MINIO_BASE_PATH`: **attachments/**: Minio base path on the bucket,仅当 `STORAGE_TYPE` 是 `minio` 时有效。
+- `MINIO_USE_SSL`: **false**: Minio enabled ssl,仅当 `STORAGE_TYPE` 是 `minio` 时有效。
+
+关于 `ALLOWED_TYPES`, 在 (*)unix 系统中可以使用`file -I <filename>` 来快速获得对应的 `MIME type`。
+
+```shell
+$ file -I test00.tar.xz
+test00.tar.xz: application/x-xz; charset=binary
+
+$ file --mime test00.xlsx
+test00.xlsx: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet; charset=binary
+
+file -I test01.xls
+test01.xls: application/vnd.ms-excel; charset=binary
+```
+
+## Log (`log`)
+
+- `ROOT_PATH`: 日志文件根目录。
+- `MODE`: 日志记录模式,默认是为 `console`。如果要写到多个通道,用逗号分隔
+- `LEVEL`: 日志级别,默认为 `Trace`。
+- `DISABLE_ROUTER_LOG`: 关闭日志中的路由日志。
+- `ENABLE_ACCESS_LOG`: 是否开启 Access Log, 默认为 false。
+- `ACCESS_LOG_TEMPLATE`: `access.log` 输出内容的模板,默认模板:**`{{.Ctx.RemoteAddr}} - {{.Identity}} {{.Start.Format "[02/Jan/2006:15:04:05 -0700]" }} "{{.Ctx.Req.Method}} {{.Ctx.Req.URL.RequestURI}} {{.Ctx.Req.Proto}}" {{.ResponseWriter.Status}} {{.ResponseWriter.Size}} "{{.Ctx.Req.Referer}}\" \"{{.Ctx.Req.UserAgent}}"`**
+ 模板支持以下参数:
+ - `Ctx`: 请求上下文。
+ - `Identity`: 登录用户名,默认: “`-`”。
+ - `Start`: 请求开始时间。
+ - `ResponseWriter`:
+ - `RequestID`: 从请求头中解析得到的与 `REQUEST_ID_HEADERS` 匹配的值,默认: “`-`”。
+ - 一定要谨慎配置该模板,否则可能会引起panic.
+- `REQUEST_ID_HEADERS`: 从 Request Header 中匹配指定 Key,并将匹配到的值输出到 `access.log` 中(需要在 `ACCESS_LOG_TEMPLATE` 中指定输出位置)。如果在该参数中配置多个 Key, 请用逗号分割,程序将按照配置的顺序进行匹配。
+ - 示例:
+ - 请求头: X-Request-ID: **test-id-123**
+ - 配置文件: REQUEST_ID_HEADERS = X-Request-ID
+ - 日志输出: 127.0.0.1:58384 - - [14/Feb/2023:16:33:51 +0800] "**test-id-123**" ...
+
+## Cron (`cron`)
+
+- `ENABLED`: 是否在后台运行定期任务。
+- `RUN_AT_START`: 是否启动时自动运行。
+- `SCHEDULE` 所接受的格式
+ - 完整 crontab 控制, 例如 `* * * * * ?`
+ - 描述符, 例如 `@midnight`, `@every 1h30m` ...
+ - 更多细节参见 [cron api文档](https://pkg.go.dev/github.com/gogs/cron@v0.0.0-20171120032916-9f6c956d3e14)
+
+### Cron - Update Mirrors (`cron.update_mirrors`)
+
+- `SCHEDULE`: 自动同步镜像仓库的Cron语法,比如:`@every 1h`。
+
+### Cron - Repository Health Check (`cron.repo_health_check`)
+
+- `SCHEDULE`: 仓库健康监测的Cron语法,比如:`@midnight`。
+- `TIMEOUT`: 仓库健康监测的超时时间,比如:`60s`.
+- `ARGS`: 执行 `git fsck` 命令的参数,比如:`--unreachable --tags`。
+
+### Cron - Repository Statistics Check (`cron.check_repo_stats`)
+
+- `RUN_AT_START`: 是否启动时自动运行仓库统计。
+- `SCHEDULE`: 仓库统计时的Cron 语法,比如:`@midnight`.
+
+### Cron - Update Migration Poster ID (`cron.update_migration_poster_id`)
+
+- `SCHEDULE`: **@midnight** : 每次同步的间隔时间。此任务总是在启动时自动进行。
+
+## Git (`git`)
+
+- `MAX_GIT_DIFF_LINES`: 比较视图中,一个文件最多显示行数。
+- `MAX_GIT_DIFF_LINE_CHARACTERS`: 比较视图中一行最大字符数。
+- `MAX_GIT_DIFF_FILES`: 比较视图中的最大现实文件数目。
+- `GC_ARGS`: 执行 `git gc` 命令的参数, 比如: `--aggressive --auto`。
+
+## Git - 超时设置 (`git.timeout`)
+
+- `DEFAUlT`: **360**: Git操作默认超时时间,单位秒
+- `MIGRATE`: **600**: 迁移外部仓库时的超时时间,单位秒
+- `MIRROR`: **300**: 镜像外部仓库的超时时间,单位秒
+- `CLONE`: **300**: 内部仓库间克隆的超时时间,单位秒
+- `PULL`: **300**: 内部仓库间拉取的超时时间,单位秒
+- `GC`: **60**: git仓库GC的超时时间,单位秒
+- `ENABLE_AUTO_GIT_WIRE_PROTOCOL`: **true**: 是否根据 Git Wire Protocol协议支持情况自动切换版本,当 git 版本在 2.18 及以上时会自动切换到版本2。为 `false` 则不切换。
+
+## API (`api`)
+
+- `ENABLE_SWAGGER`: **true**: 是否启用swagger路由 /api/swagger, /api/v1/swagger etc. endpoints. True 或 false.
+- `MAX_RESPONSE_ITEMS`: **50**: 一个页面最大的项目数。
+- `DEFAULT_PAGING_NUM`: **30**: API中默认分页条数。
+- `DEFAULT_GIT_TREES_PER_PAGE`: **1000**: GIT TREES API每页的默认最大项数.
+- `DEFAULT_MAX_BLOB_SIZE`: **10485760**: BLOBS API默认最大大小.
+
+## Markup (`markup`)
+
+外部渲染工具支持,你可以用你熟悉的文档渲染工具. 比如一下将新增一个名字为 `asciidoc` 的渲染工具which is followed `markup.` ini section. And there are some config items below.
+
+```ini
+[markup.asciidoc]
+ENABLED = false
+NEED_POSTPROCESS = true
+FILE_EXTENSIONS = .adoc,.asciidoc
+RENDER_COMMAND = "asciidoc --out-file=- -"
+IS_INPUT_FILE = false
+```
+
+- ENABLED: 是否启用,默认为false。
+- NEED\_POSTPROCESS: **true** 设置为 true 则会替换渲染文件中的内部链接和Commit ID 等。
+- FILE_EXTENSIONS: 关联的文档的扩展名,多个扩展名用都好分隔。
+- RENDER_COMMAND: 工具的命令行命令及参数。
+- IS_INPUT_FILE: 输入方式是最后一个参数为文件路径还是从标准输入读取。
+- RENDER_CONTENT_MODE: **sanitized** 内容如何被渲染。
+ - sanitized: 对内容进行净化并渲染到当前页面中,仅有一部分 HTML 标签和属性是被允许的。
+ - no-sanitizer: 禁用净化器,把内容渲染到当前页面中。此模式是**不安全**的,如果内容中含有恶意代码,可能会导致 XSS 攻击。
+ - iframe: 把内容渲染在一个独立的页面中并使用 iframe 嵌入到当前页面中。使用的 iframe 工作在沙箱模式并禁用了同源请求,JS 代码被安全的从父页面中隔离出去。
+
+以下两个环境变量将会被传递给渲染命令:
+
+- `GITEA_PREFIX_SRC`:包含当前的`src`路径的URL前缀,可以被用于链接的前缀。
+- `GITEA_PREFIX_RAW`:包含当前的`raw`路径的URL前缀,可以被用于图片的前缀。
+
+如果 `RENDER_CONTENT_MODE` 为 `sanitized`,则 Gitea 支持自定义渲染 HTML 的净化策略。以下例子将用 pandoc 支持 KaTeX 输出。
+
+```ini
+[markup.sanitizer.TeX]
+; Pandoc renders TeX segments as <span>s with the "math" class, optionally
+; with "inline" or "display" classes depending on context.
+ELEMENT = span
+ALLOW_ATTR = class
+REGEXP = ^\s*((math(\s+|$)|inline(\s+|$)|display(\s+|$)))+
+ALLOW_DATA_URI_IMAGES = true
+```
+
+- `ELEMENT`: 将要被应用到该策略的 HTML 元素,不能为空。
+- `ALLOW_ATTR`: 将要被应用到该策略的属性,不能为空。
+- `REGEXP`: 正则表达式,用来匹配属性的内容。如果为空,则跟属性内容无关。
+- `ALLOW_DATA_URI_IMAGES`: **false** 允许 data uri 图片 (`<img src="data:image/png;base64,..."/>`)。
+
+多个净化规则可以被同时定义,只要section名称最后一位不重复即可。如: `[markup.sanitizer.TeX-2]`。
+为了针对一种渲染类型进行一个特殊的净化策略,必须使用形如 `[markup.sanitizer.asciidoc.rule-1]` 的方式来命名 section。
+如果此规则没有匹配到任何渲染类型,它将会被应用到所有的渲染类型。
+
+## Time (`time`)
+
+- `FORMAT`: 显示在界面上的时间格式。比如: RFC1123 或者 2006-01-02 15:04:05
+- `DEFAULT_UI_LOCATION`: 默认显示在界面上的时区,默认为本地时区。比如: Asia/Shanghai
+
+## Task (`task`)
+
+- `QUEUE_TYPE`: **channel**: 任务队列类型,可以为 `channel` 或 `redis`。
+- `QUEUE_LENGTH`: **1000**: 任务队列长度,当 `QUEUE_TYPE` 为 `channel` 时有效。
+- `QUEUE_CONN_STR`: **addrs=127.0.0.1:6379 db=0**: 任务队列连接字符串,当 `QUEUE_TYPE` 为 `redis` 时有效。如果redis有密码,则可以 `addrs=127.0.0.1:6379 password=123 db=0`。
+
+## Migrations (`migrations`)
+
+- `MAX_ATTEMPTS`: **3**: 在迁移过程中的 http/https 请求重试次数。
+- `RETRY_BACKOFF`: **3**: 等待下一次重试的时间,单位秒。
+- `ALLOWED_DOMAINS`: **\<empty\>**: 迁移仓库的域名白名单,默认为空,表示允许从任意域名迁移仓库,多个域名用逗号分隔。
+- `BLOCKED_DOMAINS`: **\<empty\>**: 迁移仓库的域名黑名单,默认为空,多个域名用逗号分隔。如果 `ALLOWED_DOMAINS` 不为空,此选项有更高的优先级拒绝这里的域名。
+- `ALLOW_LOCALNETWORKS`: **false**: Allow private addresses defined by RFC 1918
+- `SKIP_TLS_VERIFY`: **false**: 允许忽略 TLS 认证
+
+## LFS (`lfs`)
+
+LFS 的存储配置。 如果 `STORAGE_TYPE` 为空,则此配置将从 `[storage]` 继承。如果不为 `local` 或者 `minio` 而为 `xxx`, 则从 `[storage.xxx]` 继承。当继承时, `PATH` 默认为 `data/lfs`,`MINIO_BASE_PATH` 默认为 `lfs/`。
+
+- `STORAGE_TYPE`: **local**: LFS 的存储类型,`local` 将存储到磁盘,`minio` 将存储到 s3 兼容的对象服务。
+- `SERVE_DIRECT`: **false**: 允许直接重定向到存储系统。当前,仅 Minio/S3 是支持的。
+- `PATH`: 存放 lfs 命令上传的文件的地方,默认是 `data/lfs`。
+- `MINIO_ENDPOINT`: **localhost:9000**: Minio 地址,仅当 `LFS_STORAGE_TYPE` 为 `minio` 时有效。
+- `MINIO_ACCESS_KEY_ID`: Minio accessKeyID,仅当 `LFS_STORAGE_TYPE` 为 `minio` 时有效。
+- `MINIO_SECRET_ACCESS_KEY`: Minio secretAccessKey,仅当 `LFS_STORAGE_TYPE` 为 `minio` 时有效。
+- `MINIO_BUCKET`: **gitea**: Minio bucket,仅当 `LFS_STORAGE_TYPE` 为 `minio` 时有效。
+- `MINIO_LOCATION`: **us-east-1**: Minio location ,仅当 `LFS_STORAGE_TYPE` 为 `minio` 时有效。
+- `MINIO_BASE_PATH`: **lfs/**: Minio base path ,仅当 `LFS_STORAGE_TYPE` 为 `minio` 时有效。
+- `MINIO_USE_SSL`: **false**: Minio 是否启用 ssl ,仅当 `LFS_STORAGE_TYPE` 为 `minio` 时有效。
+
+## Storage (`storage`)
+
+Attachments, lfs, avatars and etc 的默认存储配置。
+
+- `STORAGE_TYPE`: **local**: 附件存储类型,`local` 将存储到本地文件夹, `minio` 将存储到 s3 兼容的对象存储服务中。
+- `SERVE_DIRECT`: **false**: 允许直接重定向到存储系统。当前,仅 Minio/S3 是支持的。
+- `MINIO_ENDPOINT`: **localhost:9000**: Minio 终端,仅当 `STORAGE_TYPE` 是 `minio` 时有效。
+- `MINIO_ACCESS_KEY_ID`: Minio accessKeyID ,仅当 `STORAGE_TYPE` 是 `minio` 时有效。
+- `MINIO_SECRET_ACCESS_KEY`: Minio secretAccessKey,仅当 `STORAGE_TYPE` 是 `minio` 时有效。
+- `MINIO_BUCKET`: **gitea**: Minio bucket to store the attachments,仅当 `STORAGE_TYPE` 是 `minio` 时有效。
+- `MINIO_LOCATION`: **us-east-1**: Minio location to create bucket,仅当 `STORAGE_TYPE` 是 `minio` 时有效。
+- `MINIO_USE_SSL`: **false**: Minio enabled ssl,仅当 `STORAGE_TYPE` 是 `minio` 时有效。
+
+你也可以自定义一个存储的名字如下:
+
+```ini
+[storage.my_minio]
+STORAGE_TYPE = minio
+; Minio endpoint to connect only available when STORAGE_TYPE is `minio`
+MINIO_ENDPOINT = localhost:9000
+; Minio accessKeyID to connect only available when STORAGE_TYPE is `minio`
+MINIO_ACCESS_KEY_ID =
+; Minio secretAccessKey to connect only available when STORAGE_TYPE is `minio`
+MINIO_SECRET_ACCESS_KEY =
+; Minio bucket to store the attachments only available when STORAGE_TYPE is `minio`
+MINIO_BUCKET = gitea
+; Minio location to create bucket only available when STORAGE_TYPE is `minio`
+MINIO_LOCATION = us-east-1
+; Minio enabled ssl only available when STORAGE_TYPE is `minio`
+MINIO_USE_SSL = false
+; Minio skip SSL verification available when STORAGE_TYPE is `minio`
+MINIO_INSECURE_SKIP_VERIFY = false
+```
+
+然后你在 `[attachment]`, `[lfs]` 等中可以把这个名字用作 `STORAGE_TYPE` 的值。
+
+## Repository Archive Storage (`storage.repo-archive`)
+
+Repository archive 的存储配置。 如果 `STORAGE_TYPE` 为空,则此配置将从 `[storage]` 继承。如果不为 `local` 或者 `minio` 而为 `xxx`, 则从 `[storage.xxx]` 继承。当继承时, `PATH` 默认为 `data/repo-archive`,`MINIO_BASE_PATH` 默认为 `repo-archive/`。
+
+- `STORAGE_TYPE`: **local**: Repository archive 的存储类型,`local` 将存储到磁盘,`minio` 将存储到 s3 兼容的对象服务。
+- `SERVE_DIRECT`: **false**: 允许直接重定向到存储系统。当前,仅 Minio/S3 是支持的。
+- `PATH`: 存放 Repository archive 上传的文件的地方,默认是 `data/repo-archive`。
+- `MINIO_ENDPOINT`: **localhost:9000**: Minio 地址,仅当 `STORAGE_TYPE` 为 `minio` 时有效。
+- `MINIO_ACCESS_KEY_ID`: Minio accessKeyID,仅当 `STORAGE_TYPE` 为 `minio` 时有效。
+- `MINIO_SECRET_ACCESS_KEY`: Minio secretAccessKey,仅当 `STORAGE_TYPE` 为 `minio` 时有效。
+- `MINIO_BUCKET`: **gitea**: Minio bucket,仅当 `STORAGE_TYPE` 为 `minio` 时有效。
+- `MINIO_LOCATION`: **us-east-1**: Minio location ,仅当 `STORAGE_TYPE` 为 `minio` 时有效。
+- `MINIO_BASE_PATH`: **repo-archive/**: Minio base path ,仅当 `STORAGE_TYPE` 为 `minio` 时有效。
+- `MINIO_USE_SSL`: **false**: Minio 是否启用 ssl ,仅当 `STORAGE_TYPE` 为 `minio` 时有效。
+
+## Proxy (`proxy`)
+
+- `PROXY_ENABLED`: **false**: 是否启用全局代理。如果为否,则不使用代理,环境变量中的代理也不使用
+- `PROXY_URL`: **\<empty\>**: 代理服务器地址,支持 http://, https//, socks://,为空则不启用代理而使用环境变量中的 http_proxy/https_proxy
+- `PROXY_HOSTS`: **\<empty\>**: 逗号分隔的多个需要代理的网址,支持 * 号匹配符号, ** 表示匹配所有网站
+
+i.e.
+
+```ini
+PROXY_ENABLED = true
+PROXY_URL = socks://127.0.0.1:1080
+PROXY_HOSTS = *.github.com
+```
+
+## Other (`other`)
+
+- `SHOW_FOOTER_BRANDING`: 为真则在页面底部显示Gitea的字样。
+- `SHOW_FOOTER_VERSION`: 为真则在页面底部显示Gitea的版本。
diff --git a/docs/content/doc/administration/customizing-gitea.en-us.md b/docs/content/doc/administration/customizing-gitea.en-us.md
new file mode 100644
index 0000000000..9a4c5639a3
--- /dev/null
+++ b/docs/content/doc/administration/customizing-gitea.en-us.md
@@ -0,0 +1,372 @@
+---
+date: "2017-04-15T14:56:00+02:00"
+title: "Customizing Gitea"
+slug: "customizing-gitea"
+weight: 9
+toc: false
+draft: false
+menu:
+ sidebar:
+ parent: "administration"
+ name: "Customizing Gitea"
+ identifier: "customizing-gitea"
+ weight: 100
+---
+
+# Customizing Gitea
+
+Customizing Gitea is typically done using the `CustomPath` folder - by default this is
+the `custom` folder from the running directory, but may be different if your build has
+set this differently. This is the central place to override configuration settings,
+templates, etc. You can check the `CustomPath` using `gitea help`. You can also find
+the path on the _Configuration_ tab in the _Site Administration_ page. You can override
+the `CustomPath` by setting either the `GITEA_CUSTOM` environment variable or by
+using the `--custom-path` option on the `gitea` binary. (The option will override the
+environment variable.)
+
+If Gitea is deployed from binary, all default paths will be relative to the Gitea
+binary. If installed from a distribution, these paths will likely be modified to
+the Linux Filesystem Standard. Gitea will attempt to create required folders, including
+`custom/`. Distributions may provide a symlink for `custom` using `/etc/gitea/`.
+
+Application settings can be found in file `CustomConf` which is by default,
+`$GITEA_CUSTOM/conf/app.ini` but may be different if your build has set this differently.
+Again `gitea help` will allow you review this variable and you can override it using the
+`--config` option on the `gitea` binary.
+
+- [Quick Cheat Sheet](https://docs.gitea.io/en-us/config-cheat-sheet/)
+- [Complete List](https://github.com/go-gitea/gitea/blob/main/custom/conf/app.example.ini)
+
+If the `CustomPath` folder can't be found despite checking `gitea help`, check the `GITEA_CUSTOM`
+environment variable; this can be used to override the default path to something else.
+`GITEA_CUSTOM` might, for example, be set by an init script. You can check whether the value
+is set under the "Configuration" tab on the site administration page.
+
+- [List of Environment Variables](https://docs.gitea.io/en-us/environment-variables/)
+
+**Note:** Gitea must perform a full restart to see configuration changes.
+
+**Table of Contents**
+
+{{< toc >}}
+
+## Serving custom public files
+
+To make Gitea serve custom public files (like pages and images), use the folder
+`$GITEA_CUSTOM/public/` as the webroot. Symbolic links will be followed.
+
+For example, a file `image.png` stored in `$GITEA_CUSTOM/public/`, can be accessed with
+the url `http://gitea.domain.tld/assets/image.png`.
+
+## Changing the logo
+
+To build a custom logo and/or favicon clone the Gitea source repository, replace `assets/logo.svg` and/or `assets/favicon.svg` and run
+`make generate-images`. `assets/favicon.svg` is used for the favicon only. This will update below output files which you can then place in `$GITEA_CUSTOM/public/img` on your server:
+
+- `public/img/logo.svg` - Used for site icon, app icon
+- `public/img/logo.png` - Used for Open Graph
+- `public/img/avatar_default.png` - Used as the default avatar image
+- `public/img/apple-touch-icon.png` - Used on iOS devices for bookmarks
+- `public/img/favicon.svg` - Used for favicon
+- `public/img/favicon.png` - Used as fallback for browsers that don't support SVG favicons
+
+In case the source image is not in vector format, you can attempt to convert a raster image using tools like [this](https://www.aconvert.com/image/png-to-svg/).
+
+## Customizing Gitea pages and resources
+
+Gitea's executable contains all the resources required to run: templates, images, style-sheets
+and translations. Any of them can be overridden by placing a replacement in a matching path
+inside the `custom` directory. For example, to replace the default `.gitignore` provided
+for C++ repositories, we want to replace `options/gitignore/C++`. To do this, a replacement
+must be placed in `$GITEA_CUSTOM/options/gitignore/C++` (see about the location of the `CustomPath`
+directory at the top of this document).
+
+Every single page of Gitea can be changed. Dynamic content is generated using [go templates](https://golang.org/pkg/html/template/),
+which can be modified by placing replacements below the `$GITEA_CUSTOM/templates` directory.
+
+To obtain any embedded file (including templates), the [`gitea embedded` tool]({{< relref "doc/administration/cmd-embedded.en-us.md" >}}) can be used. Alternatively, they can be found in the [`templates`](https://github.com/go-gitea/gitea/tree/main/templates) directory of Gitea source (Note: the example link is from the `main` branch. Make sure to use templates compatible with the release you are using).
+
+Be aware that any statement contained inside `{{` and `}}` are Gitea's template syntax and
+shouldn't be touched without fully understanding these components.
+
+### Customizing startpage / homepage
+
+Copy [`home.tmpl`](https://github.com/go-gitea/gitea/blob/main/templates/home.tmpl) for your version of Gitea from `templates` to `$GITEA_CUSTOM/templates`.
+Edit as you wish.
+Dont forget to restart your Gitea to apply the changes.
+
+### Adding links and tabs
+
+If all you want is to add extra links to the top navigation bar or footer, or extra tabs to the repository view, you can put them in `extra_links.tmpl` (links added to the navbar), `extra_links_footer.tmpl` (links added to the left side of footer), and `extra_tabs.tmpl` inside your `$GITEA_CUSTOM/templates/custom/` directory.
+
+For instance, let's say you are in Germany and must add the famously legally-required "Impressum"/about page, listing who is responsible for the site's content:
+just place it under your "$GITEA_CUSTOM/public/" directory (for instance `$GITEA_CUSTOM/public/impressum.html`) and put a link to it in either `$GITEA_CUSTOM/templates/custom/extra_links.tmpl` or `$GITEA_CUSTOM/templates/custom/extra_links_footer.tmpl`.
+
+To match the current style, the link should have the class name "item", and you can use `{{AppSubUrl}}` to get the base URL:
+`<a class="item" href="{{AppSubUrl}}/assets/impressum.html">Impressum</a>`
+
+For more information, see [Adding Legal Pages](https://docs.gitea.io/en-us/adding-legal-pages).
+
+You can add new tabs in the same way, putting them in `extra_tabs.tmpl`.
+The exact HTML needed to match the style of other tabs is in the file
+`templates/repo/header.tmpl`
+([source in GitHub](https://github.com/go-gitea/gitea/blob/main/templates/repo/header.tmpl))
+
+### Other additions to the page
+
+Apart from `extra_links.tmpl` and `extra_tabs.tmpl`, there are other useful templates you can put in your `$GITEA_CUSTOM/templates/custom/` directory:
+
+- `header.tmpl`, just before the end of the `<head>` tag where you can add custom CSS files for instance.
+- `body_outer_pre.tmpl`, right after the start of `<body>`.
+- `body_inner_pre.tmpl`, before the top navigation bar, but already inside the main container `<div class="full height">`.
+- `body_inner_post.tmpl`, before the end of the main container.
+- `body_outer_post.tmpl`, before the bottom `<footer>` element.
+- `footer.tmpl`, right before the end of the `<body>` tag, a good place for additional JavaScript.
+
+#### Example: PlantUML
+
+You can add [PlantUML](https://plantuml.com/) support to Gitea's markdown by using a PlantUML server.
+The data is encoded and sent to the PlantUML server which generates the picture. There is an online
+demo server at http://www.plantuml.com/plantuml, but if you (or your users) have sensitive data you
+can set up your own [PlantUML server](https://plantuml.com/server) instead. To set up PlantUML rendering,
+copy JavaScript files from https://gitea.com/davidsvantesson/plantuml-code-highlight and put them in your
+`$GITEA_CUSTOM/public` folder. Then add the following to `custom/footer.tmpl`:
+
+```html
+<script>
+ $(async () => {
+ if (!$('.language-plantuml').length) return;
+ await Promise.all([
+ $.getScript('https://your-gitea-server.com/assets/deflate.js'),
+ $.getScript('https://your-gitea-server.com/assets/encode.js'),
+ $.getScript('https://your-gitea-server.com/assets/plantuml_codeblock_parse.js'),
+ ]);
+ // Replace call with address to your plantuml server
+ parsePlantumlCodeBlocks("https://www.plantuml.com/plantuml");
+ });
+</script>
+```
+
+You can then add blocks like the following to your markdown:
+
+```plantuml
+Alice -> Bob: Authentication Request
+Bob --> Alice: Authentication Response
+
+Alice -> Bob: Another authentication Request
+Alice <-- Bob: Another authentication Response
+```
+
+The script will detect tags with `class="language-plantuml"`, but you can change this by providing a second argument to `parsePlantumlCodeBlocks`.
+
+#### Example: STL Preview
+
+You can display STL file directly in Gitea by adding:
+
+```html
+<script>
+ function lS(src) {
+ return new Promise(function (resolve, reject) {
+ let s = document.createElement("script");
+ s.src = src;
+ s.addEventListener("load", () => {
+ resolve();
+ });
+ document.body.appendChild(s);
+ });
+ }
+
+ if ($('.view-raw>a[href$=".stl" i]').length) {
+ $("body").append(
+ '<link href="/assets/Madeleine.js/src/css/Madeleine.css" rel="stylesheet">'
+ );
+ Promise.all([
+ lS("/assets/Madeleine.js/src/lib/stats.js"),
+ lS("/assets/Madeleine.js/src/lib/detector.js"),
+ lS("/assets/Madeleine.js/src/lib/three.min.js"),
+ lS("/assets/Madeleine.js/src/Madeleine.js"),
+ ]).then(function () {
+ $(".view-raw")
+ .attr("id", "view-raw")
+ .attr("style", "padding: 0;margin-bottom: -10px;");
+ new Madeleine({
+ target: "view-raw",
+ data: $('.view-raw>a[href$=".stl" i]').attr("href"),
+ path: "/assets/Madeleine.js/src",
+ });
+ $('.view-raw>a[href$=".stl"]').remove();
+ });
+ }
+</script>
+```
+
+to the file `templates/custom/footer.tmpl`
+
+You also need to download the content of the library [Madeleine.js](https://github.com/beige90/Madeleine.js) and place it under `$GITEA_CUSTOM/public/` folder.
+
+You should end-up with a folder structure similar to:
+
+```
+$GITEA_CUSTOM/templates
+-- custom
+ `-- footer.tmpl
+$GITEA_CUSTOM/public
+-- Madeleine.js
+ |-- LICENSE
+ |-- README.md
+ |-- css
+ | |-- pygment_trac.css
+ | `-- stylesheet.css
+ |-- examples
+ | |-- ajax.html
+ | |-- index.html
+ | `-- upload.html
+ |-- images
+ | |-- bg_hr.png
+ | |-- blacktocat.png
+ | |-- icon_download.png
+ | `-- sprite_download.png
+ |-- models
+ | |-- dino2.stl
+ | |-- ducati.stl
+ | |-- gallardo.stl
+ | |-- lamp.stl
+ | |-- octocat.stl
+ | |-- skull.stl
+ | `-- treefrog.stl
+ `-- src
+ |-- Madeleine.js
+ |-- css
+ | `-- Madeleine.css
+ |-- icons
+ | |-- logo.png
+ | |-- madeleine.eot
+ | |-- madeleine.svg
+ | |-- madeleine.ttf
+ | `-- madeleine.woff
+ `-- lib
+ |-- MadeleineConverter.js
+ |-- MadeleineLoader.js
+ |-- detector.js
+ |-- stats.js
+ `-- three.min.js
+```
+
+Then restart Gitea and open a STL file on your Gitea instance.
+
+## Customizing Gitea mails
+
+The `$GITEA_CUSTOM/templates/mail` folder allows changing the body of every mail of Gitea.
+Templates to override can be found in the
+[`templates/mail`](https://github.com/go-gitea/gitea/tree/main/templates/mail)
+directory of Gitea source.
+Override by making a copy of the file under `$GITEA_CUSTOM/templates/mail` using a
+full path structure matching source.
+
+Any statement contained inside `{{` and `}}` are Gitea's template
+syntax and shouldn't be touched without fully understanding these components.
+
+## Adding Analytics to Gitea
+
+Google Analytics, Matomo (previously Piwik), and other analytics services can be added to Gitea. To add the tracking code, refer to the `Other additions to the page` section of this document, and add the JavaScript to the `$GITEA_CUSTOM/templates/custom/header.tmpl` file.
+
+## Customizing gitignores, labels, licenses, locales, and readmes.
+
+Place custom files in corresponding sub-folder under `custom/options`.
+
+**NOTE:** The files should not have a file extension, e.g. `Labels` rather than `Labels.txt`
+
+### gitignores
+
+To add custom .gitignore, add a file with existing [.gitignore rules](https://git-scm.com/docs/gitignore) in it to `$GITEA_CUSTOM/options/gitignore`
+
+### Labels
+
+Starting with Gitea 1.19, you can add a file that follows the [YAML label format](https://github.com/go-gitea/gitea/blob/main/options/label/Advanced.yaml) to `$GITEA_CUSTOM/options/label`:
+
+```yaml
+labels:
+ - name: "foo/bar" # name of the label that will appear in the dropdown
+ exclusive: true # whether to use the exclusive namespace for scoped labels. scoped delimiter is /
+ color: aabbcc # hex colour coding
+ description: Some label # long description of label intent
+ ```
+
+The [legacy file format](https://github.com/go-gitea/gitea/blob/main/options/label/Default) can still be used following the format below, however we strongly recommend using the newer YAML format instead.
+
+`#hex-color label name ; label description`
+
+For more information, see the [labels documentation]({{< relref "doc/usage/labels.en-us.md" >}}).
+
+### Licenses
+
+To add a custom license, add a file with the license text to `$GITEA_CUSTOM/options/license`
+
+### Locales
+
+Locales are managed via our [Crowdin](https://crowdin.com/project/gitea).
+You can override a locale by placing an altered locale file in `$GITEA_CUSTOM/options/locale`.
+Gitea's default locale files can be found in the [`options/locale`](https://github.com/go-gitea/gitea/tree/main/options/locale) source folder and these should be used as examples for your changes.
+
+To add a completely new locale, as well as placing the file in the above location, you will need to add the new lang and name to the `[i18n]` section in your `app.ini`. Keep in mind that Gitea will use those settings as **overrides**, so if you want to keep the other languages as well you will need to copy/paste the default values and add your own to them.
+
+```
+[i18n]
+LANGS = en-US,foo-BAR
+NAMES = English,FooBar
+```
+
+The first locale will be used as the default if user browser's language doesn't match any locale in the list.
+
+Locales may change between versions, so keeping track of your customized locales is highly encouraged.
+
+### Readmes
+
+To add a custom Readme, add a markdown formatted file (without an `.md` extension) to `$GITEA_CUSTOM/options/readme`
+
+**NOTE:** readme templates support **variable expansion**.
+currently there are `{Name}` (name of repository), `{Description}`, `{CloneURL.SSH}`, `{CloneURL.HTTPS}` and `{OwnerName}`
+
+### Reactions
+
+To change reaction emoji's you can set allowed reactions at app.ini
+
+```
+[ui]
+REACTIONS = +1, -1, laugh, confused, heart, hooray, eyes
+```
+
+A full list of supported emoji's is at [emoji list](https://gitea.com/gitea/gitea.com/issues/8)
+
+## Customizing the look of Gitea
+
+The default built-in themes are `gitea` (light), `arc-green` (dark), and `auto` (chooses light or dark depending on operating system settings).
+The default theme can be changed via `DEFAULT_THEME` in the [ui](https://docs.gitea.io/en-us/config-cheat-sheet/#ui-ui) section of `app.ini`.
+
+Gitea also has support for user themes, which means every user can select which theme should be used.
+The list of themes a user can choose from can be configured with the `THEMES` value in the [ui](https://docs.gitea.io/en-us/config-cheat-sheet/#ui-ui) section of `app.ini`.
+
+To make a custom theme available to all users:
+
+1. Add a CSS file to `$GITEA_CUSTOM/public/css/theme-<theme-name>.css`.
+ The value of `$GITEA_CUSTOM` of your instance can be queried by calling `gitea help` and looking up the value of "CustomPath".
+2. Add `<theme-name>` to the comma-separated list of setting `THEMES` in `app.ini`
+
+Community themes are listed in [gitea/awesome-gitea#themes](https://gitea.com/gitea/awesome-gitea#themes).
+
+The `arc-green` theme source can be found [here](https://github.com/go-gitea/gitea/blob/main/web_src/css/themes/theme-arc-green.css).
+
+If your custom theme is considered a dark theme, set the global css variable `--is-dark-theme` to `true`.
+This allows Gitea to adjust the Monaco code editor's theme accordingly.
+
+## Customizing fonts
+
+Fonts can be customized using CSS variables:
+
+```css
+:root {
+ --fonts-proportional: /* custom proportional fonts */ !important;
+ --fonts-monospace: /* custom monospace fonts */ !important;
+ --fonts-emoji: /* custom emoji fonts */ !important;
+}
+```
diff --git a/docs/content/doc/administration/customizing-gitea.zh-cn.md b/docs/content/doc/administration/customizing-gitea.zh-cn.md
new file mode 100644
index 0000000000..200f958245
--- /dev/null
+++ b/docs/content/doc/administration/customizing-gitea.zh-cn.md
@@ -0,0 +1,88 @@
+---
+date: "2017-04-15T14:56:00+02:00"
+title: "自定义 Gitea 配置"
+slug: "customizing-gitea"
+weight: 9
+toc: false
+draft: false
+menu:
+ sidebar:
+ parent: "administration"
+ name: "自定义 Gitea 配置"
+ weight: 100
+ identifier: "customizing-gitea"
+---
+
+# 自定义 Gitea 配置
+
+Gitea 引用 `custom` 目录中的自定义配置文件来覆盖配置、模板等默认配置。
+
+如果从二进制部署 Gitea ,则所有默认路径都将相对于该 gitea 二进制文件;如果从发行版安装,则可能会将这些路径修改为Linux文件系统标准。Gitea
+将会自动创建包括 `custom/` 在内的必要应用目录,应用本身的配置存放在
+`custom/conf/app.ini` 当中。在发行版中可能会以 `/etc/gitea/` 的形式为 `custom` 设置一个符号链接,查看配置详情请移步:
+
+- [快速备忘单](https://docs.gitea.io/en-us/config-cheat-sheet/)
+- [完整配置清单](https://github.com/go-gitea/gitea/blob/master/custom/conf/app.example.ini)
+
+如果您在 binary 同目录下无法找到 `custom` 文件夹,请检查您的 `GITEA_CUSTOM`
+环境变量配置, 因为它可能被配置到了其他地方(可能被一些启动脚本设置指定了目录)。
+
+- [环境变量清单](https://docs.gitea.io/en-us/specific-variables/)
+
+**注:** 必须完全重启 Gitea 以使配置生效。
+
+## 使用自定义 /robots.txt
+
+将 [想要展示的内容](http://www.robotstxt.org/) 存放在 `custom` 目录中的
+`robots.txt` 文件来让 Gitea 使用自定义的`/robots.txt` (默认:空 404)。
+
+## 使用自定义的公共文件
+
+将自定义的公共文件(比如页面和图片)作为 webroot 放在 `custom/public/` 中来让 Gitea 提供这些自定义内容(符号链接将被追踪)。
+
+举例说明:`image.png` 存放在 `custom/public/`中,那么它可以通过链接 http://gitea.domain.tld/assets/image.png 访问。
+
+## 修改默认头像
+
+替换以下目录中的 png 图片: `custom/public/img/avatar\_default.png`
+
+## 自定义 Gitea 页面
+
+您可以改变 Gitea `custom/templates` 的每个单页面。您可以在 Gitea 源码的 `templates` 目录中找到用于覆盖的模板文件,应用将根据
+`custom/templates` 目录下的路径结构进行匹配和覆盖。
+
+包含在 `{{` 和 `}}` 中的任何语句都是 Gitea 的模板语法,如果您不完全理解这些组件,不建议您对它们进行修改。
+
+### 添加链接和页签
+
+如果您只是想添加额外的链接到顶部导航栏或额外的选项卡到存储库视图,您可以将它们放在您 `custom/templates/custom/` 目录下的 `extra_links.tmpl` 和 `extra_tabs.tmpl` 文件中。
+
+举例说明:假设您需要在网站放置一个静态的“关于”页面,您只需将该页面放在您的
+"custom/public/"目录下(比如 `custom/public/impressum.html`)并且将它与 `custom/templates/custom/extra_links.tmpl` 链接起来即可。
+
+这个链接应当使用一个名为“item”的 class 来匹配当前样式,您可以使用 `{{AppSubUrl}}` 来获取 base URL:
+`<a class="item" href="{{AppSubUrl}}/assets/impressum.html">Impressum</a>`
+
+同理,您可以将页签添加到 `extra_tabs.tmpl` 中,使用同样的方式来添加页签。它的具体样式需要与
+`templates/repo/header.tmpl` 中已有的其他选项卡的样式匹配
+([source in GitHub](https://github.com/go-gitea/gitea/blob/master/templates/repo/header.tmpl))
+
+### 页面的其他新增内容
+
+除了 `extra_links.tmpl` 和 `extra_tabs.tmpl`,您可以在您的 `custom/templates/custom/` 目录中存放一些其他有用的模板,例如:
+
+- `header.tmpl`,在 `<head>` 标记结束之前的模板,例如添加自定义CSS文件
+- `body_outer_pre.tmpl`,在 `<body>` 标记开始处的模板
+- `body_inner_pre.tmpl`,在顶部导航栏之前,但在主 container 内部的模板,例如添加一个 `<div class="full height">`
+- `body_inner_post.tmpl`,在主 container 结束处的模板
+- `body_outer_post.tmpl`,在底部 `<footer>` 元素之前.
+- `footer.tmpl`,在 `<body>` 标签结束处的模板,可以在这里填写一些附加的 Javascript 脚本。
+
+## 自定义 gitignores,labels, licenses, locales 以及 readmes
+
+将自定义文件放在 `custom/options` 下相应子的文件夹中即可
+
+## 更改 Gitea 外观
+
+Gitea 目前由两种内置主题,分别为默认 `gitea` 主题和深色主题 `arc-green`,您可以通过修改
+`app.ini` [ui](https://docs.gitea.io/en-us/config-cheat-sheet/#ui-ui) 部分的 `DEFAULT_THEME` 的值来变更至一个可用的 Gitea 外观。
diff --git a/docs/content/doc/administration/email-setup.en-us.md b/docs/content/doc/administration/email-setup.en-us.md
new file mode 100644
index 0000000000..27ecb0d2f2
--- /dev/null
+++ b/docs/content/doc/administration/email-setup.en-us.md
@@ -0,0 +1,90 @@
+---
+date: "2019-10-15T10:10:00+05:00"
+title: "Usage: Email setup"
+slug: "email-setup"
+weight: 12
+toc: false
+draft: false
+menu:
+ sidebar:
+ parent: "administration"
+ name: "Email setup"
+ weight: 12
+ identifier: "email-setup"
+---
+
+# Email setup
+
+**Table of Contents**
+
+{{< toc >}}
+
+Gitea has mailer functionality for sending transactional emails (such as registration confirmation). It can be configured to either use Sendmail (or compatible MTAs like Postfix and msmtp) or directly use SMTP server.
+
+## Using Sendmail
+
+Use `sendmail` command as mailer.
+
+Note: For use in the official Gitea Docker image, please configure with the SMTP version (see the following section).
+
+Note: For Internet-facing sites consult documentation of your MTA for instructions to send emails over TLS. Also set up SPF, DMARC, and DKIM DNS records to make emails sent be accepted as legitimate by various email providers.
+
+```ini
+[mailer]
+ENABLED = true
+FROM = gitea@mydomain.com
+MAILER_TYPE = sendmail
+SENDMAIL_PATH = /usr/sbin/sendmail
+SENDMAIL_ARGS = "--" ; most "sendmail" programs take options, "--" will prevent an email address being interpreted as an option.
+```
+
+## Using SMTP
+
+Directly use SMTP server as relay. This option is useful if you don't want to set up MTA on your instance but you have an account at email provider.
+
+```ini
+[mailer]
+ENABLED = true
+FROM = gitea@mydomain.com
+MAILER_TYPE = smtp
+SMTP_ADDR = mail.mydomain.com
+SMTP_PORT = 587
+IS_TLS_ENABLED = true
+USER = gitea@mydomain.com
+PASSWD = `password`
+```
+
+Restart Gitea for the configuration changes to take effect.
+
+To send a test email to validate the settings, go to Gitea > Site Administration > Configuration > SMTP Mailer Configuration.
+
+For the full list of options check the [Config Cheat Sheet]({{< relref "doc/administration/config-cheat-sheet.en-us.md" >}})
+
+Please note: authentication is only supported when the SMTP server communication is encrypted with TLS or `HOST=localhost`. TLS encryption can be through:
+
+- STARTTLS (also known as Opportunistic TLS) via port 587. Initial connection is done over cleartext, but then be upgraded over TLS if the server supports it.
+- SMTPS connection (SMTP over TLS) via the default port 465. Connection to the server use TLS from the beginning.
+- Forced SMTPS connection with `IS_TLS_ENABLED=true`. (These are both known as Implicit TLS.)
+This is due to protections imposed by the Go internal libraries against STRIPTLS attacks.
+
+Note that Implicit TLS is recommended by [RFC8314](https://tools.ietf.org/html/rfc8314#section-3) since 2018.
+
+### Gmail
+
+The following configuration should work with GMail's SMTP server:
+
+```ini
+[mailer]
+ENABLED = true
+HOST = smtp.gmail.com:465 ; Remove this line for Gitea >= 1.18.0
+SMTP_ADDR = smtp.gmail.com
+SMTP_PORT = 465
+FROM = example.user@gmail.com
+USER = example.user
+PASSWD = ***
+MAILER_TYPE = smtp
+IS_TLS_ENABLED = true
+```
+
+Note that you'll need to create and use an [App password](https://support.google.com/accounts/answer/185833?hl=en) by enabling 2FA on your Google
+account. You won't be able to use your Google account password directly.
diff --git a/docs/content/doc/administration/environment-variables.en-us.md b/docs/content/doc/administration/environment-variables.en-us.md
new file mode 100644
index 0000000000..17a0250164
--- /dev/null
+++ b/docs/content/doc/administration/environment-variables.en-us.md
@@ -0,0 +1,63 @@
+---
+date: "2017-04-08T11:34:00+02:00"
+title: "Environment variables"
+slug: "environment-variables"
+weight: 20
+toc: false
+draft: false
+menu:
+ sidebar:
+ parent: "administration"
+ name: "Environment variables"
+ weight: 10
+ identifier: "environment-variables"
+---
+
+# Environment variables
+
+**Table of Contents**
+
+{{< toc >}}
+
+This is an inventory of Gitea environment variables. They change Gitea behaviour.
+
+Initialize them before Gitea command to be effective, for example:
+
+```sh
+GITEA_CUSTOM=/home/gitea/custom ./gitea web
+```
+
+## From Go language
+
+As Gitea is written in Go, it uses some Go variables, such as:
+
+- `GOOS`
+- `GOARCH`
+- [`GOPATH`](https://golang.org/cmd/go/#hdr-GOPATH_environment_variable)
+
+For documentation about each of the variables available, refer to the
+[official Go documentation](https://golang.org/cmd/go/#hdr-Environment_variables).
+
+## Gitea files
+
+- `GITEA_WORK_DIR`: Absolute path of working directory.
+- `GITEA_CUSTOM`: Gitea uses `GITEA_WORK_DIR`/custom folder by default. Use this variable
+ to change _custom_ directory.
+- `GOGS_WORK_DIR`: Deprecated, use `GITEA_WORK_DIR`
+- `GOGS_CUSTOM`: Deprecated, use `GITEA_CUSTOM`
+
+## Operating system specifics
+
+- `USER`: System user that Gitea will run as. Used for some repository access strings.
+- `USERNAME`: if no `USER` found, Gitea will use `USERNAME`
+- `HOME`: User home directory path. The `USERPROFILE` environment variable is used in Windows.
+
+### Only on Windows
+
+- `USERPROFILE`: User home directory path. If empty, uses `HOMEDRIVE` + `HOMEPATH`
+- `HOMEDRIVE`: Main drive path used to access the home directory (C:)
+- `HOMEPATH`: Home relative path in the given home drive path
+
+## Miscellaneous
+
+- `SKIP_MINWINSVC`: If set to 1, do not run as a service on Windows.
diff --git a/docs/content/doc/administration/environment-variables.zh-cn.md b/docs/content/doc/administration/environment-variables.zh-cn.md
new file mode 100644
index 0000000000..c8a8fcba71
--- /dev/null
+++ b/docs/content/doc/administration/environment-variables.zh-cn.md
@@ -0,0 +1,55 @@
+---
+date: "2017-04-08T11:34:00+02:00"
+title: "环境变量清单"
+slug: "environment-variables"
+weight: 20
+toc: false
+draft: false
+menu:
+ sidebar:
+ parent: "administration"
+ name: "环境变量清单"
+ weight: 10
+ identifier: "environment-variables"
+---
+
+# 环境变量清单
+
+这里是用来控制 Gitea 行为表现的的环境变量清单,您需要在执行如下 Gitea 启动命令前设置它们来确保配置生效:
+
+```
+GITEA_CUSTOM=/home/gitea/custom ./gitea web
+```
+
+## Go 的配置
+
+因为 Gitea 使用 Go 语言编写,因此它使用了一些相关的 Go 的配置参数:
+
+* `GOOS`
+* `GOARCH`
+* [`GOPATH`](https://golang.org/cmd/go/#hdr-GOPATH_environment_variable)
+
+您可以在[官方文档](https://golang.org/cmd/go/#hdr-Environment_variables)中查阅这些配置参数的详细信息。
+
+## Gitea 的文件目录
+
+* `GITEA_WORK_DIR`:工作目录的绝对路径
+* `GITEA_CUSTOM`:默认情况下 Gitea 使用默认目录 `GITEA_WORK_DIR`/custom,您可以使用这个参数来配置 *custom* 目录
+* `GOGS_WORK_DIR`: 已废弃,请使用 `GITEA_WORK_DIR` 替代
+* `GOGS_CUSTOM`: 已废弃,请使用 `GITEA_CUSTOM` 替代
+
+## 操作系统配置
+
+* `USER`:Gitea 运行时使用的系统用户,它将作为一些 repository 的访问地址的一部分
+* `USERNAME`: 如果没有配置 `USER`, Gitea 将使用 `USERNAME`
+* `HOME`: 用户的 home 目录,在 Windows 中会使用 `USERPROFILE` 环境变量
+
+### 仅限于 Windows 的配置
+
+* `USERPROFILE`: 用户的主目录,如果未配置则会使用 `HOMEDRIVE` + `HOMEPATH`
+* `HOMEDRIVE`: 用于访问 home 目录的主驱动器路径(C盘)
+* `HOMEPATH`:在指定主驱动器下的 home 目录相对路径
+
+## Miscellaneous
+
+* `SKIP_MINWINSVC`:如果设置为 1,在 Windows 上不会以 service 的形式运行。
diff --git a/docs/content/doc/administration/external-renderers.en-us.md b/docs/content/doc/administration/external-renderers.en-us.md
new file mode 100644
index 0000000000..da2f493c71
--- /dev/null
+++ b/docs/content/doc/administration/external-renderers.en-us.md
@@ -0,0 +1,196 @@
+---
+date: "2018-11-23:00:00+02:00"
+title: "External renderers"
+slug: "external-renderers"
+weight: 40
+toc: false
+draft: false
+menu:
+ sidebar:
+ parent: "administration"
+ name: "External renderers"
+ weight: 60
+ identifier: "external-renderers"
+---
+
+# Custom files rendering configuration
+
+**Table of Contents**
+
+{{< toc >}}
+
+Gitea supports custom file renderings (i.e., Jupyter notebooks, asciidoc, etc.) through external binaries,
+it is just a matter of:
+
+- installing external binaries
+- add some configuration to your `app.ini` file
+- restart your Gitea instance
+
+This supports rendering of whole files. If you want to render code blocks in markdown you would need to do something with javascript. See some examples on the [Customizing Gitea](../customizing-gitea) page.
+
+## Installing external binaries
+
+In order to get file rendering through external binaries, their associated packages must be installed.
+If you're using a Docker image, your `Dockerfile` should contain something along this lines:
+
+```docker
+FROM gitea/gitea:{{< version >}}
+[...]
+
+COPY custom/app.ini /data/gitea/conf/app.ini
+[...]
+
+RUN apk --no-cache add asciidoctor freetype freetype-dev gcc g++ libpng libffi-dev py-pip python3-dev py3-pip py3-pyzmq
+# install any other package you need for your external renderers
+
+RUN pip3 install --upgrade pip
+RUN pip3 install -U setuptools
+RUN pip3 install jupyter docutils
+# add above any other python package you may need to install
+```
+
+## `app.ini` file configuration
+
+add one `[markup.XXXXX]` section per external renderer on your custom `app.ini`:
+
+```ini
+[markup.asciidoc]
+ENABLED = true
+FILE_EXTENSIONS = .adoc,.asciidoc
+RENDER_COMMAND = "asciidoctor -s -a showtitle --out-file=- -"
+; Input is not a standard input but a file
+IS_INPUT_FILE = false
+
+[markup.jupyter]
+ENABLED = true
+FILE_EXTENSIONS = .ipynb
+RENDER_COMMAND = "jupyter nbconvert --stdin --stdout --to html --template basic"
+IS_INPUT_FILE = false
+
+[markup.restructuredtext]
+ENABLED = true
+FILE_EXTENSIONS = .rst
+RENDER_COMMAND = "timeout 30s pandoc +RTS -M512M -RTS -f rst"
+IS_INPUT_FILE = false
+```
+
+If your external markup relies on additional classes and attributes on the generated HTML elements, you might need to enable custom sanitizer policies. Gitea uses the [`bluemonday`](https://godoc.org/github.com/microcosm-cc/bluemonday) package as our HTML sanitizer. The example below could be used to support server-side [KaTeX](https://katex.org/) rendering output from [`pandoc`](https://pandoc.org/).
+
+```ini
+[markup.sanitizer.TeX]
+; Pandoc renders TeX segments as <span>s with the "math" class, optionally
+; with "inline" or "display" classes depending on context.
+; - note this is different from the built-in math support in our markdown parser which uses <code>
+ELEMENT = span
+ALLOW_ATTR = class
+REGEXP = ^\s*((math(\s+|$)|inline(\s+|$)|display(\s+|$)))+
+
+[markup.markdown]
+ENABLED = true
+FILE_EXTENSIONS = .md,.markdown
+RENDER_COMMAND = pandoc -f markdown -t html --katex
+```
+
+You must define `ELEMENT` and `ALLOW_ATTR` in each section.
+
+To define multiple entries, add a unique alphanumeric suffix (e.g., `[markup.sanitizer.1]` and `[markup.sanitizer.something]`).
+
+To apply a sanitisation rules only for a specify external renderer they must use the renderer name, e.g. `[markup.sanitizer.asciidoc.rule-1]`, `[markup.sanitizer.<renderer>.rule-1]`.
+
+**Note**: If the rule is defined above the renderer ini section or the name does not match a renderer it is applied to every renderer.
+
+Once your configuration changes have been made, restart Gitea to have changes take effect.
+
+**Note**: Prior to Gitea 1.12 there was a single `markup.sanitiser` section with keys that were redefined for multiple rules, however,
+there were significant problems with this method of configuration necessitating configuration through multiple sections.
+
+### Example: HTML
+
+Render HTML files directly:
+
+```ini
+[markup.html]
+ENABLED = true
+FILE_EXTENSIONS = .html,.htm
+RENDER_COMMAND = cat
+; Input is not a standard input but a file
+IS_INPUT_FILE = true
+
+[markup.sanitizer.html.1]
+ELEMENT = div
+ALLOW_ATTR = class
+
+[markup.sanitizer.html.2]
+ELEMENT = a
+ALLOW_ATTR = class
+```
+
+### Example: Office DOCX
+
+Display Office DOCX files with [`pandoc`](https://pandoc.org/):
+
+```ini
+[markup.docx]
+ENABLED = true
+FILE_EXTENSIONS = .docx
+RENDER_COMMAND = "pandoc --from docx --to html --self-contained --template /path/to/basic.html"
+
+[markup.sanitizer.docx.img]
+ALLOW_DATA_URI_IMAGES = true
+```
+
+The template file has the following content:
+
+```
+$body$
+```
+
+### Example: Jupyter Notebook
+
+Display Jupyter Notebook files with [`nbconvert`](https://github.com/jupyter/nbconvert):
+
+```ini
+[markup.jupyter]
+ENABLED = true
+FILE_EXTENSIONS = .ipynb
+RENDER_COMMAND = "jupyter-nbconvert --stdin --stdout --to html --template basic"
+
+[markup.sanitizer.jupyter.img]
+ALLOW_DATA_URI_IMAGES = true
+```
+
+## Customizing CSS
+
+The external renderer is specified in the .ini in the format `[markup.XXXXX]` and the HTML supplied by your external renderer will be wrapped in a `<div>` with classes `markup` and `XXXXX`. The `markup` class provides out of the box styling (as does `markdown` if `XXXXX` is `markdown`). Otherwise you can use these classes to specifically target the contents of your rendered HTML.
+
+And so you could write some CSS:
+
+```css
+.markup.XXXXX html {
+ font-size: 100%;
+ overflow-y: scroll;
+ -webkit-text-size-adjust: 100%;
+ -ms-text-size-adjust: 100%;
+}
+
+.markup.XXXXX body {
+ color: #444;
+ font-family: Georgia, Palatino, 'Palatino Linotype', Times, 'Times New Roman', serif;
+ font-size: 12px;
+ line-height: 1.7;
+ padding: 1em;
+ margin: auto;
+ max-width: 42em;
+ background: #fefefe;
+}
+
+.markup.XXXXX p {
+ color: orangered;
+}
+```
+
+Add your stylesheet to your custom directory e.g `custom/public/css/my-style-XXXXX.css` and import it using a custom header file `custom/templates/custom/header.tmpl`:
+
+```html
+<link rel="stylesheet" href="{{AppSubUrl}}/assets/css/my-style-XXXXX.css" />
+```
diff --git a/docs/content/doc/administration/fail2ban-setup.en-us.md b/docs/content/doc/administration/fail2ban-setup.en-us.md
new file mode 100644
index 0000000000..746222420a
--- /dev/null
+++ b/docs/content/doc/administration/fail2ban-setup.en-us.md
@@ -0,0 +1,125 @@
+---
+date: "2018-05-11T11:00:00+02:00"
+title: "Usage: Setup fail2ban"
+slug: "fail2ban-setup"
+weight: 16
+toc: false
+draft: false
+menu:
+ sidebar:
+ parent: "administration"
+ name: "Fail2ban setup"
+ weight: 16
+ identifier: "fail2ban-setup"
+---
+
+# Fail2ban setup to block users after failed login attempts
+
+**Remember that fail2ban is powerful and can cause lots of issues if you do it incorrectly, so make
+sure to test this before relying on it so you don't lock yourself out.**
+
+Gitea returns an HTTP 200 for bad logins in the web logs, but if you have logging options on in
+`app.ini`, then you should be able to go off of `log/gitea.log`, which gives you something like this
+on a bad authentication from the web or CLI using SSH or HTTP respectively:
+
+```log
+2018/04/26 18:15:54 [I] Failed authentication attempt for user from xxx.xxx.xxx.xxx
+```
+
+```log
+2020/10/15 16:05:09 modules/ssh/ssh.go:143:publicKeyHandler() [W] Failed authentication attempt from xxx.xxx.xxx.xxx
+```
+
+(DEPRECATED: This may be a false positive as the user may still go on to correctly authenticate.)
+
+```log
+2020/10/15 16:05:09 modules/ssh/ssh.go:155:publicKeyHandler() [W] Failed authentication attempt from xxx.xxx.xxx.xxx
+```
+
+(DEPRECATED: This may be a false positive as the user may still go on to correctly authenticate.)
+
+```log
+2020/10/15 16:05:09 modules/ssh/ssh.go:198:publicKeyHandler() [W] Failed authentication attempt from xxx.xxx.xxx.xxx
+```
+
+(DEPRECATED: This may be a false positive as the user may still go on to correctly authenticate.)
+
+```log
+2020/10/15 16:05:09 modules/ssh/ssh.go:213:publicKeyHandler() [W] Failed authentication attempt from xxx.xxx.xxx.xxx
+```
+
+(DEPRECATED: This may be a false positive as the user may still go on to correctly authenticate.)
+
+```log
+2020/10/15 16:05:09 modules/ssh/ssh.go:227:publicKeyHandler() [W] Failed authentication attempt from xxx.xxx.xxx.xxx
+```
+
+(DEPRECATED: This may be a false positive as the user may still go on to correctly authenticate.)
+
+```log
+2020/10/15 16:05:09 modules/ssh/ssh.go:249:sshConnectionFailed() [W] Failed authentication attempt from xxx.xxx.xxx.xxx
+```
+
+(From 1.15 this new message will available and doesn't have any of the false positive results that above messages from publicKeyHandler do. This will only be logged if the user has completely failed authentication.)
+
+```log
+2020/10/15 16:08:44 ...s/context/context.go:204:HandleText() [E] invalid credentials from xxx.xxx.xxx.xxx
+```
+
+Add our filter in `/etc/fail2ban/filter.d/gitea.conf`:
+
+```ini
+# gitea.conf
+[Definition]
+failregex = .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>
+ignoreregex =
+```
+
+Add our jail in `/etc/fail2ban/jail.d/gitea.conf`:
+
+```ini
+[gitea]
+enabled = true
+filter = gitea
+logpath = /var/lib/gitea/log/gitea.log
+maxretry = 10
+findtime = 3600
+bantime = 900
+action = iptables-allports
+```
+
+If you're using Docker, you'll also need to add an additional jail to handle the **FORWARD**
+chain in **iptables**. Configure it in `/etc/fail2ban/jail.d/gitea-docker.conf`:
+
+```ini
+[gitea-docker]
+enabled = true
+filter = gitea
+logpath = /var/lib/gitea/log/gitea.log
+maxretry = 10
+findtime = 3600
+bantime = 900
+action = iptables-allports[chain="FORWARD"]
+```
+
+Then simply run `service fail2ban restart` to apply your changes. You can check to see if
+fail2ban has accepted your configuration using `service fail2ban status`.
+
+Make sure and read up on fail2ban and configure it to your needs, this bans someone
+for **15 minutes** (from all ports) when they fail authentication 10 times in an hour.
+
+If you run Gitea behind a reverse proxy with Nginx (for example with Docker), you need to add
+this to your Nginx configuration so that IPs don't show up as 127.0.0.1:
+
+```
+proxy_set_header X-Real-IP $remote_addr;
+```
+
+The security options in `app.ini` need to be adjusted to allow the interpretation of the headers
+as well as the list of IP addresses and networks that describe trusted proxy servers
+(See the [configuration cheat sheet](https://docs.gitea.io/en-us/config-cheat-sheet/#security-security) for more information).
+
+```
+REVERSE_PROXY_LIMIT = 1
+REVERSE_PROXY_TRUSTED_PROXIES = 127.0.0.1/8 ; 172.17.0.0/16 for the docker default network
+```
diff --git a/docs/content/doc/administration/fail2ban-setup.zh-cn.md b/docs/content/doc/administration/fail2ban-setup.zh-cn.md
new file mode 100644
index 0000000000..37a0838b24
--- /dev/null
+++ b/docs/content/doc/administration/fail2ban-setup.zh-cn.md
@@ -0,0 +1,92 @@
+---
+date: "2022-08-01T00:00:00+00:00"
+title: "使用: 设置 Fail2ban"
+slug: "fail2ban-setup"
+weight: 16
+toc: false
+draft: false
+menu:
+ sidebar:
+ parent: "administration"
+ name: "设置 Fail2ban"
+ weight: 16
+ identifier: "fail2ban-setup"
+---
+
+# 使用 Fail2ban 阻止攻击者的暴力登录
+
+**Fail2ban 检查客户端登录日志,将多次登录失败的客户端识别为攻击者并在一段时间内阻止其访问服务。如果你的实例是公开的,这一点尤其重要。请管理员仔细设置 fail2ban,错误的配置将导致防火墙阻止你访问自己的服务器。**
+
+Gitea 会在日志文件 `log/gitea.log` 中记录登录失败的 CLI、SSH 或 HTTP 客户端 IP 地址,而你需要将 Gitea 的日志输出模式从默认的 `console` 更改为 `file`。这表示将日志输出到文件,使得 fail2ban 可以定期扫描日志内容。
+
+当用户的身份验证失败时,日志中会记录此类信息:
+
+```log
+2018/04/26 18:15:54 [I] Failed authentication attempt for user from xxx.xxx.xxx.xxx
+```
+
+```log
+2020/10/15 16:08:44 [E] invalid credentials from xxx.xxx.xxx.xxx
+```
+
+## 设置 Fail2ban
+
+添加日志过滤器规则到配置文件 `/etc/fail2ban/filter.d/gitea.conf`:
+
+```ini
+[Definition]
+failregex = .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>
+ignoreregex =
+```
+
+添加监狱规则到配置文件 `/etc/fail2ban/jail.d/gitea.conf`:
+
+```ini
+[gitea]
+enabled = true
+filter = gitea
+logpath = /var/lib/gitea/log/gitea.log
+maxretry = 10
+findtime = 3600
+bantime = 900
+action = iptables-allports
+```
+
+如果你的 Gitea 实例运行在 Docker 容器中,并且直接将容器端口暴露到外部网络,
+你还需要添加 `chain="FORWARD"` 到监狱规则配置文件 `/etc/fail2ban/jail.d/gitea-docker.conf`
+以适应 Docker 的网络转发规则。但如果你在容器的宿主机上使用 Nginx 反向代理连接到 Gitea 则无需这样配置。
+
+```ini
+[gitea-docker]
+enabled = true
+filter = gitea
+logpath = /var/lib/gitea/log/gitea.log
+maxretry = 10
+findtime = 3600
+bantime = 900
+action = iptables-allports[chain="FORWARD"]
+```
+
+最后,运行 `systemctl restart fail2ban` 即可应用更改。现在,你可以使用 `systemctl status fail2ban` 检查 fail2ban 运行状态。
+
+上述规则规定客户端在 1 小时内,如果登录失败的次数达到 10 次,则通过 iptables 锁定该客户端 IP 地址 15 分钟。
+
+## 设置反向代理
+
+如果你使用 Nginx 反向代理到 Gitea 实例,你还需要设置 Nginx 的 HTTP 头部值 `X-Real-IP` 将真实的客户端 IP 地址传递给 Gitea。否则 Gitea 程序会将客户端地址错误解析为反向代理服务器的地址,例如回环地址 `127.0.0.1`。
+
+```
+proxy_set_header X-Real-IP $remote_addr;
+```
+
+额外注意,在 Gitea 的配置文件 `app.ini` 中存在下列默认值:
+
+```
+REVERSE_PROXY_LIMIT = 1
+REVERSE_PROXY_TRUSTED_PROXIES = 127.0.0.0/8,::1/128
+```
+
+`REVERSE_PROXY_LIMIT` 限制反向代理服务器的层数,设置为 `0` 表示不使用这些标头。
+`REVERSE_PROXY_TRUSTED_PROXIES` 表示受信任的反向代理服务器网络地址,
+经过该网络地址转发来的流量会经过解析 `X-Real-IP` 头部得到真实客户端地址。
+(参考 [configuration cheat sheet](https://docs.gitea.io/en-us/config-cheat-sheet/#security-security))
diff --git a/docs/content/doc/administration/git-lfs-support.en-us.md b/docs/content/doc/administration/git-lfs-support.en-us.md
new file mode 100644
index 0000000000..86cc3a5028
--- /dev/null
+++ b/docs/content/doc/administration/git-lfs-support.en-us.md
@@ -0,0 +1,30 @@
+---
+date: "2019-10-06T08:00:00+05:00"
+title: "Usage: Git LFS setup"
+slug: "git-lfs-setup"
+weight: 12
+toc: false
+draft: false
+menu:
+ sidebar:
+ parent: "administration"
+ name: "Git LFS setup"
+ weight: 12
+ identifier: "git-lfs-setup"
+---
+
+# Git Large File Storage setup
+
+To use Gitea's built-in LFS support, you must update the `app.ini` file:
+
+```ini
+[server]
+; Enables git-lfs support. true or false, default is false.
+LFS_START_SERVER = true
+
+[lfs]
+; Where your lfs files reside, default is data/lfs.
+PATH = /home/gitea/data/lfs
+```
+
+**Note**: LFS server support needs at least Git v2.1.2 installed on the server
diff --git a/docs/content/doc/administration/https-support.en-us.md b/docs/content/doc/administration/https-support.en-us.md
new file mode 100644
index 0000000000..fd7badc64a
--- /dev/null
+++ b/docs/content/doc/administration/https-support.en-us.md
@@ -0,0 +1,102 @@
+---
+date: "2018-06-02T11:00:00+02:00"
+title: "Usage: HTTPS setup"
+slug: "https-setup"
+weight: 12
+toc: false
+draft: false
+menu:
+ sidebar:
+ parent: "administration"
+ name: "HTTPS setup"
+ weight: 12
+ identifier: "https-setup"
+---
+
+# HTTPS setup to encrypt connections to Gitea
+
+**Table of Contents**
+
+{{< toc >}}
+
+## Using the built-in server
+
+Before you enable HTTPS, make sure that you have valid SSL/TLS certificates.
+You could use self-generated certificates for evaluation and testing. Please run `gitea cert --host [HOST]` to generate a self signed certificate.
+
+If you are using Apache or nginx on the server, it's recommended to check the [reverse proxy guide]({{< relref "doc/administration/reverse-proxies.en-us.md" >}}).
+
+To use Gitea's built-in HTTPS support, you must change your `app.ini` file:
+
+```ini
+[server]
+PROTOCOL = https
+ROOT_URL = https://git.example.com:3000/
+HTTP_PORT = 3000
+CERT_FILE = cert.pem
+KEY_FILE = key.pem
+```
+
+Note that if your certificate is signed by a third party certificate authority (i.e. not self-signed), then cert.pem should contain the certificate chain. The server certificate must be the first entry in cert.pem, followed by the intermediaries in order (if any). The root certificate does not have to be included because the connecting client must already have it in order to estalbish the trust relationship.
+To learn more about the config values, please checkout the [Config Cheat Sheet](../config-cheat-sheet#server-server).
+
+For the `CERT_FILE` or `KEY_FILE` field, the file path is relative to the `GITEA_CUSTOM` environment variable when it is a relative path. It can be an absolute path as well.
+
+### Setting up HTTP redirection
+
+The Gitea server is only able to listen to one port; to redirect HTTP requests to the HTTPS port, you will need to enable the HTTP redirection service:
+
+```ini
+[server]
+REDIRECT_OTHER_PORT = true
+; Port the redirection service should listen on
+PORT_TO_REDIRECT = 3080
+```
+
+If you are using Docker, make sure that this port is configured in your `docker-compose.yml` file.
+
+## Using ACME (Default: Let's Encrypt)
+
+[ACME](https://tools.ietf.org/html/rfc8555) is a Certificate Authority standard protocol that allows you to automatically request and renew SSL/TLS certificates. [Let's Encrypt](https://letsencrypt.org/) is a free publicly trusted Certificate Authority server using this standard. Only `HTTP-01` and `TLS-ALPN-01` challenges are implemented. In order for ACME challenges to pass and verify your domain ownership, external traffic to the gitea domain on port `80` (`HTTP-01`) or port `443` (`TLS-ALPN-01`) has to be served by the gitea instance. Setting up [HTTP redirection](#setting-up-http-redirection) and port-forwards might be needed for external traffic to route correctly. Normal traffic to port `80` will otherwise be automatically redirected to HTTPS. **You must consent** to the ACME provider's terms of service (default Let's Encrypt's [terms of service](https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf)).
+
+Minimum setup using the default Let's Encrypt:
+
+```ini
+[server]
+PROTOCOL=https
+DOMAIN=git.example.com
+ENABLE_ACME=true
+ACME_ACCEPTTOS=true
+ACME_DIRECTORY=https
+;; Email can be omitted here and provided manually at first run, after which it is cached
+ACME_EMAIL=email@example.com
+```
+
+Minimum setup using a [smallstep CA](https://github.com/smallstep/certificates), refer to [their tutorial](https://smallstep.com/docs/tutorials/acme-challenge) for more information.
+
+```ini
+[server]
+PROTOCOL=https
+DOMAIN=git.example.com
+ENABLE_ACME=true
+ACME_ACCEPTTOS=true
+ACME_URL=https://ca.example.com/acme/acme/directory
+;; Can be omitted if using the system's trust is preferred
+;ACME_CA_ROOT=/path/to/root_ca.crt
+ACME_DIRECTORY=https
+ACME_EMAIL=email@example.com
+```
+
+To learn more about the config values, please checkout the [Config Cheat Sheet](../config-cheat-sheet#server-server).
+
+## Using a reverse proxy
+
+Setup up your reverse proxy as shown in the [reverse proxy guide](../reverse-proxies).
+
+After that, enable HTTPS by following one of these guides:
+
+- [nginx](https://nginx.org/en/docs/http/configuring_https_servers.html)
+- [apache2/httpd](https://httpd.apache.org/docs/2.4/ssl/ssl_howto.html)
+- [caddy](https://caddyserver.com/docs/tls)
+
+Note: Enabling HTTPS only at the proxy level is referred as [TLS Termination Proxy](https://en.wikipedia.org/wiki/TLS_termination_proxy). The proxy server accepts incoming TLS connections, decrypts the contents, and passes the now unencrypted contents to Gitea. This is normally fine as long as both the proxy and Gitea instances are either on the same machine, or on different machines within private network (with the proxy is exposed to outside network). If your Gitea instance is separated from your proxy over a public network, or if you want full end-to-end encryption, you can also [enable HTTPS support directly in Gitea using built-in server](#using-the-built-in-server) and forward the connections over HTTPS instead.
diff --git a/docs/content/doc/administration/logging-documentation.en-us.md b/docs/content/doc/administration/logging-documentation.en-us.md
new file mode 100644
index 0000000000..8d49ff3f14
--- /dev/null
+++ b/docs/content/doc/administration/logging-documentation.en-us.md
@@ -0,0 +1,522 @@
+---
+date: "2019-04-02T17:06:00+01:00"
+title: "Advanced: Logging Configuration"
+slug: "logging-configuration"
+weight: 55
+toc: false
+draft: false
+menu:
+ sidebar:
+ parent: "administration"
+ name: "Logging Configuration"
+ weight: 40
+ identifier: "logging-configuration"
+---
+
+# Logging Configuration
+
+The logging configuration of Gitea mainly consists of 3 types of components:
+
+- The `[log]` section for general configuration
+- `[log.<sublogger>]` sections for the configuration of different log outputs
+- `[log.<sublogger>.<group>]` sections for output specific configuration of a log group
+
+As mentioned below, there is a fully functional log output by default, so it is not necessary to define one.
+
+**Table of Contents**
+
+{{< toc >}}
+
+## Collecting Logs for Help
+
+To collect logs for help and issue report, see [Support Options]({{< relref "doc/help/seek-help.en-us.md" >}}).
+
+## The `[log]` section
+
+Configuration of logging facilities in Gitea happen in the `[log]` section and it's subsections.
+
+In the top level `[log]` section the following configurations can be placed:
+
+- `ROOT_PATH`: (Default: **%(GITEA_WORK_DIR)/log**): Base path for log files
+- `MODE`: (Default: **console**) List of log outputs to use for the Default logger.
+- `ROUTER`: (Default: **console**): List of log outputs to use for the Router logger.
+- `ACCESS`: List of log outputs to use for the Access logger.
+- `XORM`: (Default: **,**) List of log outputs to use for the XORM logger.
+- `ENABLE_ACCESS_LOG`: (Default: **false**): whether the Access logger is allowed to emit logs
+- `ENABLE_XORM_LOG`: (Default: **true**): whether the XORM logger is allowed to emit logs
+
+For details on the loggers check the "Log Groups" section.
+Important: log outputs won't be used if you don't enable them for the desired loggers in the corresponding list value.
+
+Lists are specified as comma separated values. This format also works in subsection.
+
+This section may be used for defining default values for subsections.
+Examples:
+
+- `LEVEL`: (Default: **Info**) Least severe log events to persist. Case insensitive. The full list of levels as of v1.17.3 can be read [here](https://github.com/go-gitea/gitea/blob/v1.17.3/custom/conf/app.example.ini#L507).
+- `STACKTRACE_LEVEL`: (Default: **None**) For this and more severe events the stacktrace will be printed upon getting logged.
+
+Some values are not inherited by subsections. For details see the "Non-inherited default values" section.
+
+## Log outputs
+
+Log outputs are the targets to which log messages will be sent.
+The content and the format of the log messages to be saved can be configured in these.
+
+Log outputs are also called subloggers.
+
+Gitea provides 4 possible log outputs:
+
+- `console` - Log to `os.Stdout` or `os.Stderr`
+- `file` - Log to a file
+- `conn` - Log to a socket (network or unix)
+- `smtp` - Log via email
+
+By default, Gitea has a `console` output configured, which is used by the loggers as seen in the section "The log section" above.
+
+### Common configuration
+
+Certain configuration is common to all modes of log output:
+
+- `MODE` is the mode of the log output. It will default to the sublogger
+ name, thus `[log.console.router]` will default to `MODE = console`.
+ For mode specific confgurations read further.
+- `LEVEL` is the lowest level that this output will log. This value
+ is inherited from `[log]` and in the case of the non-default loggers
+ from `[log.sublogger]`.
+- `STACKTRACE_LEVEL` is the lowest level that this output will print
+ a stacktrace. This value is inherited.
+- `COLORIZE` will default to `true` for `console` as
+ described, otherwise it will default to `false`.
+
+### Non-inherited default values
+
+There are several values which are not inherited as described above but
+rather default to those specific to type of logger, these are:
+`EXPRESSION`, `FLAGS`, `PREFIX` and `FILE_NAME`.
+
+#### `EXPRESSION`
+
+`EXPRESSION` represents a regular expression that log events must match to be logged by the sublogger. Either the log message, (with colors removed), must match or the `longfilename:linenumber:functionname` must match. NB: the whole message or string doesn't need to completely match.
+
+Please note this expression will be run in the sublogger's goroutine
+not the logging event subroutine. Therefore it can be complicated.
+
+#### `FLAGS`
+
+`FLAGS` represents the preceding logging context information that is
+printed before each message. It is a comma-separated string set. The order of values does not matter.
+
+Possible values are:
+
+- `none` or `,` - No flags.
+- `date` - the date in the local time zone: `2009/01/23`.
+- `time` - the time in the local time zone: `01:23:23`.
+- `microseconds` - microsecond resolution: `01:23:23.123123`. Assumes
+ time.
+- `longfile` - full file name and line number: `/a/b/c/d.go:23`.
+- `shortfile` - final file name element and line number: `d.go:23`.
+- `funcname` - function name of the caller: `runtime.Caller()`.
+- `shortfuncname` - last part of the function name. Overrides
+ `funcname`.
+- `utc` - if date or time is set, use UTC rather than the local time
+ zone.
+- `levelinitial` - Initial character of the provided level in brackets eg. `[I]` for info.
+- `level` - Provided level in brackets `[INFO]`
+- `medfile` - Last 20 characters of the filename - equivalent to
+ `shortfile,longfile`.
+- `stdflags` - Equivalent to `date,time,medfile,shortfuncname,levelinitial`
+
+### Console mode
+
+In this mode the logger will forward log messages to the stdout and
+stderr streams attached to the Gitea process.
+
+For loggers in console mode, `COLORIZE` will default to `true` if not
+on windows, or the windows terminal can be set into ANSI mode or is a
+cygwin or Msys pipe.
+
+Settings:
+
+- `STDERR`: **false**: Whether the logger should print to `stderr` instead of `stdout`.
+
+### File mode
+
+In this mode the logger will save log messages to a file.
+
+Settings:
+
+- `FILE_NAME`: The file to write the log events to. For details see below.
+- `MAX_SIZE_SHIFT`: **28**: Maximum size shift of a single file. 28 represents 256Mb. For details see below.
+- `LOG_ROTATE` **true**: Whether to rotate the log files. TODO: if false, will it delete instead on daily rotate, or do nothing?.
+- `DAILY_ROTATE`: **true**: Whether to rotate logs daily.
+- `MAX_DAYS`: **7**: Delete rotated log files after this number of days.
+- `COMPRESS`: **true**: Whether to compress old log files by default with gzip.
+- `COMPRESSION_LEVEL`: **-1**: Compression level. For details see below.
+
+The default value of `FILE_NAME` depends on the respective logger facility.
+If unset, their own default will be used.
+If set it will be relative to the provided `ROOT_PATH` in the master `[log]` section.
+
+`MAX_SIZE_SHIFT` defines the maximum size of a file by left shifting 1 the given number of times (`1 << x`).
+The exact behavior at the time of v1.17.3 can be seen [here](https://github.com/go-gitea/gitea/blob/v1.17.3/modules/setting/log.go#L185).
+
+The useful values of `COMPRESSION_LEVEL` are from 1 to (and including) 9, where higher numbers mean better compression.
+Beware that better compression might come with higher resource usage.
+Must be preceded with a `-` sign.
+
+### Conn mode
+
+In this mode the logger will send log messages over a network socket.
+
+Settings:
+
+- `ADDR`: **:7020**: Sets the address to connect to.
+- `PROTOCOL`: **tcp**: Set the protocol, either "tcp", "unix" or "udp".
+- `RECONNECT`: **false**: Try to reconnect when connection is lost.
+- `RECONNECT_ON_MSG`: **false**: Reconnect host for every single message.
+
+### SMTP mode
+
+In this mode the logger will send log messages in email.
+
+It is not recommended to use this logger to send general logging
+messages. However, you could perhaps set this logger to work on `FATAL` messages only.
+
+Settings:
+
+- `HOST`: **127.0.0.1:25**: The SMTP host to connect to.
+- `USER`: User email address to send from.
+- `PASSWD`: Password for the smtp server.
+- `RECEIVERS`: Email addresses to send to.
+- `SUBJECT`: **Diagnostic message from Gitea**. The content of the email's subject field.
+
+## Log Groups
+
+The fundamental thing to be aware of in Gitea is that there are several
+log groups:
+
+- The "Default" logger
+- The Router logger
+- The Access logger
+- The XORM logger
+
+There is also the go log logger.
+
+### The go log logger
+
+Go provides its own extremely basic logger in the `log` package,
+however, this is not sufficient for our purposes as it does not provide
+a way of logging at multiple levels, nor does it provide a good way of
+controlling where these logs are logged except through setting of a
+writer.
+
+We have therefore redirected this logger to our Default logger, and we
+will log anything that is logged using the go logger at the INFO level.
+
+### The "Default" logger
+
+Calls to `log.Info`, `log.Debug`, `log.Error` etc. from the `code.gitea.io/gitea/modules/log` package will log to this logger.
+
+You can configure the outputs of this logger by setting the `MODE`
+value in the `[log]` section of the configuration.
+
+Each output sublogger is configured in a separate `[log.sublogger.default]`
+which inherits from the sublogger `[log.sublogger]` section and from the
+generic `[log]` section, but there are certain default values. These will
+not be inherited from the `[log]` section:
+
+- `FLAGS` is `stdflags` (Equal to
+ `date,time,medfile,shortfuncname,levelinitial`)
+- `FILE_NAME` will default to `%(ROOT_PATH)/gitea.log`
+- `EXPRESSION` will default to `""`
+- `PREFIX` will default to `""`
+
+The provider type of the sublogger can be set using the `MODE` value in
+its subsection, but will default to the name. This allows you to have
+multiple subloggers that will log to files.
+
+### The "Router" logger
+
+The Router logger has been substantially changed in v1.17. If you are using the router logger for fail2ban or other monitoring
+you will need to update this configuration.
+
+You can disable Router log by setting `DISABLE_ROUTER_LOG` or by setting all of its sublogger configurations to `none`.
+
+You can configure the outputs of this
+router log by setting the `ROUTER` value in the `[log]` section of the
+configuration. `ROUTER` will default to `console` if unset and will default to same level as main logger.
+
+The Router logger logs the following:
+
+- `started` messages will be logged at TRACE level
+- `polling`/`completed` routers will be logged at INFO
+- `slow` routers will be logged at WARN
+- `failed` routers will be logged at WARN
+
+The logging level for the router will default to that of the main configuration. Set `[log.<mode>.router]` `LEVEL` to change this.
+
+Each output sublogger for this logger is configured in
+`[log.sublogger.router]` sections. There are certain default values
+which will not be inherited from the `[log]` or relevant
+`[log.sublogger]` sections:
+
+- `FILE_NAME` will default to `%(ROOT_PATH)/router.log`
+- `FLAGS` defaults to `date,time`
+- `EXPRESSION` will default to `""`
+- `PREFIX` will default to `""`
+
+NB: You can redirect the router logger to send its events to the Gitea
+log using the value: `ROUTER = ,`
+
+### The "Access" logger
+
+The Access logger is a new logger for version 1.9. It provides a NCSA
+Common Log compliant log format. It's highly configurable but caution
+should be taken when changing its template. The main benefit of this
+logger is that Gitea can now log accesses in a standard log format so
+standard tools may be used.
+
+You can enable this logger using `ENABLE_ACCESS_LOG`. Its outputs are
+configured by setting the `ACCESS` value in the `[log]` section of the
+configuration. `ACCESS` defaults to `file` if unset.
+
+Each output sublogger for this logger is configured in
+`[log.sublogger.access]` sections. There are certain default values
+which will not be inherited from the `[log]` or relevant
+`[log.sublogger]` sections:
+
+- `FILE_NAME` will default to `%(ROOT_PATH)/access.log`
+- `FLAGS` defaults to `` or None
+- `EXPRESSION` will default to `""`
+- `PREFIX` will default to `""`
+
+If desired the format of the Access logger can be changed by changing
+the value of the `ACCESS_LOG_TEMPLATE`.
+
+Please note, the access logger will log at `INFO` level, setting the
+`LEVEL` of this logger to `WARN` or above will result in no access logs.
+
+NB: You can redirect the access logger to send its events to the Gitea
+log using the value: `ACCESS = ,`
+
+#### The ACCESS_LOG_TEMPLATE
+
+This value represent a go template. It's default value is:
+
+`{{.Ctx.RemoteAddr}} - {{.Identity}} {{.Start.Format "[02/Jan/2006:15:04:05 -0700]" }} "{{.Ctx.Req.Method}} {{.Ctx.Req.URL.RequestURI}} {{.Ctx.Req.Proto}}" {{.ResponseWriter.Status}} {{.ResponseWriter.Size}} "{{.Ctx.Req.Referer}}\" \"{{.Ctx.Req.UserAgent}}"`
+
+The template is passed following options:
+
+- `Ctx` is the `context.Context`
+- `Identity` is the `SignedUserName` or `"-"` if the user is not logged
+ in
+- `Start` is the start time of the request
+- `ResponseWriter` is the `http.ResponseWriter`
+
+Caution must be taken when changing this template as it runs outside of
+the standard panic recovery trap. The template should also be as simple
+as it runs for every request.
+
+### The "XORM" logger
+
+The XORM logger is a long-standing logger that exists to collect XORM
+log events. It is enabled by default but can be switched off by setting
+`ENABLE_XORM_LOG` to `false` in the `[log]` section. Its outputs are
+configured by setting the `XORM` value in the `[log]` section of the
+configuration. `XORM` defaults to `,` if unset, meaning it is redirected
+to the main Gitea log.
+
+XORM will log SQL events by default. This can be changed by setting
+the `LOG_SQL` value to `false` in the `[database]` section.
+
+Each output sublogger for this logger is configured in
+`[log.sublogger.xorm]` sections. There are certain default values
+which will not be inherited from the `[log]` or relevant
+`[log.sublogger]` sections:
+
+- `FILE_NAME` will default to `%(ROOT_PATH)/xorm.log`
+- `FLAGS` defaults to `date,time`
+- `EXPRESSION` will default to `""`
+- `PREFIX` will default to `""`
+
+## Debugging problems
+
+When submitting logs in Gitea issues it is often helpful to submit
+merged logs obtained by either by redirecting the console log to a file or
+copying and pasting it. To that end it is recommended to set your logging to:
+
+```ini
+[database]
+LOG_SQL = false ; SQL logs are rarely helpful unless we specifically ask for them
+
+...
+
+[log]
+MODE = console
+LEVEL = debug ; please set the level to debug when we are debugging a problem
+ROUTER = console
+COLORIZE = false ; this can be true if you can strip out the ansi coloring
+ENABLE_SSH_LOG = true ; shows logs related to git over SSH.
+```
+
+Sometimes it will be helpful get some specific `TRACE` level logging restricted
+to messages that match a specific `EXPRESSION`. Adjusting the `MODE` in the
+`[log]` section to `MODE = console,traceconsole` to add a new logger output
+`traceconsole` and then adding its corresponding section would be helpful:
+
+```ini
+[log.traceconsole] ; traceconsole here is just a name
+MODE = console ; this is the output that the traceconsole writes to
+LEVEL = trace
+EXPRESSION = ; putting a string here will restrict this logger to logging only those messages that match this expression
+```
+
+(It's worth noting that log messages that match the expression at or above debug
+level will get logged twice so don't worry about that.)
+
+`STACKTRACE_LEVEL` should generally be left unconfigured (and hence kept at
+`none`). There are only very specific occasions when it useful.
+
+## Empty Configuration
+
+The empty configuration is equivalent to:
+
+```ini
+[log]
+ROOT_PATH = %(GITEA_WORK_DIR)/log
+MODE = console
+LEVEL = Info
+STACKTRACE_LEVEL = None
+ENABLE_ACCESS_LOG = false
+ENABLE_XORM_LOG = true
+XORM = ,
+
+[log.console]
+MODE = console
+LEVEL = %(LEVEL)
+STACKTRACE_LEVEL = %(STACKTRACE_LEVEL)
+FLAGS = stdflags
+PREFIX =
+COLORIZE = true # Or false if your windows terminal cannot color
+```
+
+This is equivalent to sending all logs to the console, with default go log being sent to the console log too.
+
+## Releasing-and-Reopening, Pausing and Resuming logging
+
+If you are running on Unix you may wish to release-and-reopen logs in order to use `logrotate` or other tools.
+It is possible force Gitea to release and reopen it's logging files and connections by sending `SIGUSR1` to the
+running process, or running `gitea manager logging release-and-reopen`.
+
+Alternatively, you may wish to pause and resume logging - this can be accomplished through the use of the
+`gitea manager logging pause` and `gitea manager logging resume` commands. Please note that whilst logging
+is paused log events below INFO level will not be stored and only a limited number of events will be stored.
+Logging may block, albeit temporarily, slowing Gitea considerably whilst paused - therefore it is
+recommended that pausing only done for a very short period of time.
+
+## Adding and removing logging whilst Gitea is running
+
+It is possible to add and remove logging whilst Gitea is running using the `gitea manager logging add` and `remove` subcommands.
+This functionality can only adjust running log systems and cannot be used to start the access or router loggers if they
+were not already initialized. If you wish to start these systems you are advised to adjust the app.ini and (gracefully) restart
+the Gitea service.
+
+The main intention of these commands is to easily add a temporary logger to investigate problems on running systems where a restart
+may cause the issue to disappear.
+
+## Log colorization
+
+Logs to the console will be colorized by default when not running on
+Windows. Terminal sniffing will occur on Windows and if it is
+determined that we are running on a terminal capable of color we will
+colorize.
+
+Further, on \*nix it is becoming common to have file logs that are
+colored by default. Therefore file logs will be colorised by default
+when not running on Windows.
+
+You can switch on or off colorization by using the `COLORIZE` value.
+
+From a development point of view. If you write
+`log.Info("A %s string", "formatted")` the `formatted` part of the log
+message will be Bolded on colorized logs.
+
+You can change this by either rendering the formatted string yourself.
+Or you can wrap the value in a `log.ColoredValue` struct.
+
+The `log.ColoredValue` struct contains a pointer to value, a pointer to
+string of bytes which should represent a color and second set of reset
+bytes. Pointers were chosen to prevent copying of large numbers of
+values. There are several helper methods:
+
+- `log.NewColoredValue` takes a value and 0 or more color attributes
+ that represent the color. If 0 are provided it will default to a cached
+ bold. Note, it is recommended that color bytes constructed from
+ attributes should be cached if this is a commonly used log message.
+- `log.NewColoredValuePointer` takes a pointer to a value, and
+ 0 or more color attributes that represent the color.
+- `log.NewColoredValueBytes` takes a value and a pointer to an array
+ of bytes representing the color.
+
+These functions will not double wrap a `log.ColoredValue`. They will
+also set the `resetBytes` to the cached `resetBytes`.
+
+The `colorBytes` and `resetBytes` are not exported to prevent
+accidental overwriting of internal values.
+
+## ColorFormat & ColorFormatted
+
+Structs may implement the `log.ColorFormatted` interface by implementing the `ColorFormat(fmt.State)` function.
+
+If a `log.ColorFormatted` struct is logged with `%-v` format, its `ColorFormat` will be used instead of the usual `%v`. The full `fmt.State` will be passed to allow implementers to look at additional flags.
+
+In order to help implementers provide `ColorFormat` methods. There is a
+`log.ColorFprintf(...)` function in the log module that will wrap values in `log.ColoredValue` and recognise `%-v`.
+
+In general it is recommended not to make the results of this function too verbose to help increase its versatility. Usually this should simply be an `ID`:`Name`. If you wish to make a more verbose result, it is recommended to use `%-+v` as your marker.
+
+## Log Spoofing protection
+
+In order to protect the logs from being spoofed with cleverly
+constructed messages. Newlines are now prefixed with a tab and control
+characters except those used in an ANSI CSI are escaped with a
+preceding `\` and their octal value.
+
+## Creating a new named logger group
+
+Should a developer wish to create a new named logger, `NEWONE`. It is
+recommended to add an `ENABLE_NEWONE_LOG` value to the `[log]`
+section, and to add a new `NEWONE` value for the modes.
+
+A function like `func newNewOneLogService()` is recommended to manage
+construction of the named logger. e.g.
+
+```go
+func newNewoneLogService() {
+ EnableNewoneLog = Cfg.Section("log").Key("ENABLE_NEWONE_LOG").MustBool(false)
+ Cfg.Section("log").Key("NEWONE").MustString("file") // or console? or "," if you want to send this to default logger by default
+ if EnableNewoneLog {
+ options := newDefaultLogOptions()
+ options.filename = filepath.Join(LogRootPath, "newone.log")
+ options.flags = "stdflags"
+ options.bufferLength = Cfg.Section("log").Key("BUFFER_LEN").MustInt64(10000)
+ generateNamedLogger("newone", options)
+ }
+}
+```
+
+You should then add `newOneLogService` to `NewServices()` in
+`modules/setting/setting.go`
+
+## Using `logrotate` instead of built-in log rotation
+
+Gitea includes built-in log rotation, which should be enough for most deployments. However, if you instead want to use the `logrotate` utility:
+
+- Disable built-in log rotation by setting `LOG_ROTATE` to `false` in your `app.ini`.
+- Install `logrotate`.
+- Configure `logrotate` to match your deployment requirements, see `man 8 logrotate` for configuration syntax details. In the `postrotate/endscript` block send Gitea a `USR1` signal via `kill -USR1` or `kill -10` to the `gitea` process itself, or run `gitea manager logging release-and-reopen` (with the appropriate environment). Ensure that your configurations apply to all files emitted by Gitea loggers as described in the above sections.
+- Always do `logrotate /etc/logrotate.conf --debug` to test your configurations.
+- If you are using docker and are running from outside of the container you can use `docker exec -u $OS_USER $CONTAINER_NAME sh -c 'gitea manager logging release-and-reopen'` or `docker exec $CONTAINER_NAME sh -c '/bin/s6-svc -1 /etc/s6/gitea/'` or send `USR1` directly to the Gitea process itself.
+
+The next `logrotate` jobs will include your configurations, so no restart is needed. You can also immediately reload `logrotate` with `logrotate /etc/logrotate.conf --force`.
diff --git a/docs/content/doc/administration/mail-templates.en-us.md b/docs/content/doc/administration/mail-templates.en-us.md
new file mode 100644
index 0000000000..a4dc7453ee
--- /dev/null
+++ b/docs/content/doc/administration/mail-templates.en-us.md
@@ -0,0 +1,280 @@
+---
+date: "2019-10-23T17:00:00-03:00"
+title: "Mail templates"
+slug: "mail-templates"
+weight: 45
+toc: false
+draft: false
+menu:
+ sidebar:
+ parent: "administration"
+ name: "Mail templates"
+ weight: 45
+ identifier: "mail-templates"
+---
+
+# Mail templates
+
+**Table of Contents**
+
+{{< toc >}}
+
+To craft the e-mail subject and contents for certain operations, Gitea can be customized by using templates. The templates
+for these functions are located under the [`custom` directory](https://docs.gitea.io/en-us/customizing-gitea/).
+Gitea has an internal template that serves as default in case there's no custom alternative.
+
+Custom templates are loaded when Gitea starts. Changes made to them are not recognized until Gitea is restarted again.
+
+## Mail notifications supporting templates
+
+Currently, the following notification events make use of templates:
+
+| Action name | Usage |
+| ----------- | ------------------------------------------------------------------------------------------------------------ |
+| `new` | A new issue or pull request was created. |
+| `comment` | A new comment was created in an existing issue or pull request. |
+| `close` | An issue or pull request was closed. |
+| `reopen` | An issue or pull request was reopened. |
+| `review` | The head comment of a review in a pull request. |
+| `approve` | The head comment of a approving review for a pull request. |
+| `reject` | The head comment of a review requesting changes for a pull request. |
+| `code` | A single comment on the code of a pull request. |
+| `assigned` | Used was assigned to an issue or pull request. |
+| `default` | Any action not included in the above categories, or when the corresponding category template is not present. |
+
+The path for the template of a particular message type is:
+
+```sh
+custom/templates/mail/{action type}/{action name}.tmpl
+```
+
+Where `{action type}` is one of `issue` or `pull` (for pull requests), and `{action name}` is one of the names listed above.
+
+For example, the specific template for a mail regarding a comment in a pull request is:
+
+```sh
+custom/templates/mail/pull/comment.tmpl
+```
+
+However, creating templates for each and every action type/name combination is not required.
+A fallback system is used to choose the appropriate template for an event. The _first existing_
+template on this list is used:
+
+- The specific template for the desired **action type** and **action name**.
+- The template for action type `issue` and the desired **action name**.
+- The template for the desired **action type**, action name `default`.
+- The template for action type `issue`, action name `default`.
+
+The only mandatory template is action type `issue`, action name `default`, which is already embedded in Gitea
+unless it's overridden by the user in the `custom` directory.
+
+## Template syntax
+
+Mail templates are UTF-8 encoded text files that need to follow one of the following formats:
+
+```
+Text and macros for the subject line
+------------
+Text and macros for the mail body
+```
+
+or
+
+```
+Text and macros for the mail body
+```
+
+Specifying a _subject_ section is optional (and therefore also the dash line separator). When used, the separator between
+_subject_ and _mail body_ templates requires at least three dashes; no other characters are allowed in the separator line.
+
+_Subject_ and _mail body_ are parsed by [Golang's template engine](https://golang.org/pkg/text/template/) and
+are provided with a _metadata context_ assembled for each notification. The context contains the following elements:
+
+| Name | Type | Available | Usage |
+| ------------------ | ---------------- | ------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `.FallbackSubject` | string | Always | A default subject line. See Below. |
+| `.Subject` | string | Only in body | The _subject_, once resolved. |
+| `.Body` | string | Always | The message of the issue, pull request or comment, parsed from Markdown into HTML and sanitized. Do not confuse with the _mail body_. |
+| `.Link` | string | Always | The address of the originating issue, pull request or comment. |
+| `.Issue` | models.Issue | Always | The issue (or pull request) originating the notification. To get data specific to a pull request (e.g. `HasMerged`), `.Issue.PullRequest` can be used, but care should be taken as this field will be `nil` if the issue is _not_ a pull request. |
+| `.Comment` | models.Comment | If applicable | If the notification is from a comment added to an issue or pull request, this will contain the information about the comment. |
+| `.IsPull` | bool | Always | `true` if the mail notification is associated with a pull request (i.e. `.Issue.PullRequest` is not `nil`). |
+| `.Repo` | string | Always | Name of the repository, including owner name (e.g. `mike/stuff`) |
+| `.User` | models.User | Always | Owner of the repository from which the event originated. To get the user name (e.g. `mike`),`.User.Name` can be used. |
+| `.Doer` | models.User | Always | User that executed the action triggering the notification event. To get the user name (e.g. `rhonda`), `.Doer.Name` can be used. |
+| `.IsMention` | bool | Always | `true` if this notification was only generated because the user was mentioned in the comment, while not being subscribed to the source. It will be `false` if the recipient was subscribed to the issue or repository. |
+| `.SubjectPrefix` | string | Always | `Re: ` if the notification is about other than issue or pull request creation; otherwise an empty string. |
+| `.ActionType` | string | Always | `"issue"` or `"pull"`. Will correspond to the actual _action type_ independently of which template was selected. |
+| `.ActionName` | string | Always | It will be one of the action types described above (`new`, `comment`, etc.), and will correspond to the actual _action name_ independently of which template was selected. |
+| `.ReviewComments` | []models.Comment | Always | List of code comments in a review. The comment text will be in `.RenderedContent` and the referenced code will be in `.Patch`. |
+
+All names are case sensitive.
+
+### The _subject_ part of the template
+
+The template engine used for the mail _subject_ is golang's [`text/template`](https://golang.org/pkg/text/template/).
+Please refer to the linked documentation for details about its syntax.
+
+The _subject_ is built using the following steps:
+
+- A template is selected according to the type of notification and to what templates are present.
+- The template is parsed and resolved (e.g. `{{.Issue.Index}}` is converted to the number of the issue
+ or pull request).
+- All space-like characters (e.g. `TAB`, `LF`, etc.) are converted to normal spaces.
+- All leading, trailing and redundant spaces are removed.
+- The string is truncated to its first 256 runes (characters).
+
+If the end result is an empty string, **or** no subject template was available (i.e. the selected template
+did not include a subject part), Gitea's **internal default** will be used.
+
+The internal default (fallback) subject is the equivalent of:
+
+```sh
+{{.SubjectPrefix}}[{{.Repo}}] {{.Issue.Title}} (#{{.Issue.Index}})
+```
+
+For example: `Re: [mike/stuff] New color palette (#38)`
+
+Gitea's default subject can also be found in the template _metadata_ as `.FallbackSubject` from any of
+the two templates, even if a valid subject template is present.
+
+### The _mail body_ part of the template
+
+The template engine used for the _mail body_ is golang's [`html/template`](https://golang.org/pkg/html/template/).
+Please refer to the linked documentation for details about its syntax.
+
+The _mail body_ is parsed after the mail subject, so there is an additional _metadata_ field which is
+the actual rendered subject, after all considerations.
+
+The expected result is HTML (including structural elements like`<html>`, `<body>`, etc.). Styling
+through `<style>` blocks, `class` and `style` attributes is possible. However, `html/template`
+does some [automatic escaping](https://golang.org/pkg/html/template/#hdr-Contexts) that should be considered.
+
+Attachments (such as images or external style sheets) are not supported. However, other templates can
+be referenced too, for example to provide the contents of a `<style>` element in a centralized fashion.
+The external template must be placed under `custom/mail` and referenced relative to that directory.
+For example, `custom/mail/styles/base.tmpl` can be included using `{{template styles/base}}`.
+
+The mail is sent with `Content-Type: multipart/alternative`, so the body is sent in both HTML
+and text formats. The latter is obtained by stripping the HTML markup.
+
+## Troubleshooting
+
+How a mail is rendered is directly dependent on the capabilities of the mail application. Many mail
+clients don't even support HTML, so they show the text version included in the generated mail.
+
+If the template fails to render, it will be noticed only at the moment the mail is sent.
+A default subject is used if the subject template fails, and whatever was rendered successfully
+from the the _mail body_ is used, disregarding the rest.
+
+Please check [Gitea's logs](https://docs.gitea.io/en-us/logging-configuration/) for error messages in case of trouble.
+
+## Example
+
+`custom/templates/mail/issue/default.tmpl`:
+
+```html
+[{{.Repo}}] @{{.Doer.Name}}
+{{if eq .ActionName "new"}}
+ created
+{{else if eq .ActionName "comment"}}
+ commented on
+{{else if eq .ActionName "close"}}
+ closed
+{{else if eq .ActionName "reopen"}}
+ reopened
+{{else}}
+ updated
+{{end}}
+{{if eq .ActionType "issue"}}
+ issue
+{{else}}
+ pull request
+{{end}}
+#{{.Issue.Index}}: {{.Issue.Title}}
+------------
+<!DOCTYPE html>
+<html>
+<head>
+ <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+ <title>{{.Subject}}</title>
+</head>
+
+<body>
+ {{if .IsMention}}
+ <p>
+ You are receiving this because @{{.Doer.Name}} mentioned you.
+ </p>
+ {{end}}
+ <p>
+ <p>
+ <a href="{{AppUrl}}/{{.Doer.LowerName}}">@{{.Doer.Name}}</a>
+ {{if not (eq .Doer.FullName "")}}
+ ({{.Doer.FullName}})
+ {{end}}
+ {{if eq .ActionName "new"}}
+ created
+ {{else if eq .ActionName "close"}}
+ closed
+ {{else if eq .ActionName "reopen"}}
+ reopened
+ {{else}}
+ updated
+ {{end}}
+ <a href="{{.Link}}">{{.Repo}}#{{.Issue.Index}}</a>.
+ </p>
+ {{if not (eq .Body "")}}
+ <h3>Message content:</h3>
+ <hr>
+ {{.Body | Str2html}}
+ {{end}}
+ </p>
+ <hr>
+ <p>
+ <a href="{{.Link}}">View it on Gitea</a>.
+ </p>
+</body>
+</html>
+```
+
+This template produces something along these lines:
+
+### Subject
+
+> [mike/stuff] @rhonda commented on pull request #38: New color palette
+
+### Mail body
+
+> [@rhonda](#) (Rhonda Myers) updated [mike/stuff#38](#).
+>
+> #### Message content:
+>
+> \_********************************\_********************************
+>
+> Mike, I think we should tone down the blues a little.
+> \_********************************\_********************************
+>
+> [View it on Gitea](#).
+
+## Advanced
+
+The template system contains several functions that can be used to further process and format
+the messages. Here's a list of some of them:
+
+| Name | Parameters | Available | Usage |
+| ---------------- | ----------- | --------- | --------------------------------------------------------------------------- |
+| `AppUrl` | - | Any | Gitea's URL |
+| `AppName` | - | Any | Set from `app.ini`, usually "Gitea" |
+| `AppDomain` | - | Any | Gitea's host name |
+| `EllipsisString` | string, int | Any | Truncates a string to the specified length; adds ellipsis as needed |
+| `Str2html` | string | Body only | Sanitizes text by removing any HTML tags from it. |
+| `Safe` | string | Body only | Takes the input as HTML; can be used for `.ReviewComments.RenderedContent`. |
+
+These are _functions_, not metadata, so they have to be used:
+
+```html
+Like this: {{Str2html "Escape<my>text"}}
+Or this: {{"Escape<my>text" | Str2html}}
+Or this: {{AppUrl}}
+But not like this: {{.AppUrl}}
+```
diff --git a/docs/content/doc/administration/repo-indexer.en-us.md b/docs/content/doc/administration/repo-indexer.en-us.md
new file mode 100644
index 0000000000..11ce547a0d
--- /dev/null
+++ b/docs/content/doc/administration/repo-indexer.en-us.md
@@ -0,0 +1,62 @@
+---
+date: "2019-09-06T01:35:00-03:00"
+title: "Repository indexer"
+slug: "repo-indexer"
+weight: 45
+toc: false
+draft: false
+menu:
+ sidebar:
+ parent: "administration"
+ name: "Repository indexer"
+ weight: 45
+ identifier: "repo-indexer"
+---
+
+# Repository indexer
+
+**Table of Contents**
+
+{{< toc >}}
+
+## Setting up the repository indexer
+
+Gitea can search through the files of the repositories by enabling this function in your [`app.ini`](https://docs.gitea.io/en-us/config-cheat-sheet/):
+
+```ini
+[indexer]
+; ...
+REPO_INDEXER_ENABLED = true
+REPO_INDEXER_PATH = indexers/repos.bleve
+UPDATE_BUFFER_LEN = 20
+MAX_FILE_SIZE = 1048576
+REPO_INDEXER_INCLUDE =
+REPO_INDEXER_EXCLUDE = resources/bin/**
+```
+
+Please bear in mind that indexing the contents can consume a lot of system resources, especially when the index is created for the first time or globally updated (e.g. after upgrading Gitea).
+
+### Choosing the files for indexing by size
+
+The `MAX_FILE_SIZE` option will make the indexer skip all files larger than the specified value.
+
+### Choosing the files for indexing by path
+
+Gitea applies glob pattern matching from the [`gobwas/glob` library](https://github.com/gobwas/glob) to choose which files will be included in the index.
+
+Limiting the list of files prevents the indexes from becoming polluted with derived or irrelevant files (e.g. lss, sym, map, etc.), so the search results are more relevant. It can also help reduce the index size.
+
+`REPO_INDEXER_EXCLUDE_VENDORED` (default: true) excludes vendored files from index.
+
+`REPO_INDEXER_INCLUDE` (default: empty) is a comma separated list of glob patterns to **include** in the index. An empty list means "_include all files_".
+`REPO_INDEXER_EXCLUDE` (default: empty) is a comma separated list of glob patterns to **exclude** from the index. Files that match this list will not be indexed. `REPO_INDEXER_EXCLUDE` takes precedence over `REPO_INDEXER_INCLUDE`.
+
+Pattern matching works as follows:
+
+- To match all files with a `.txt` extension no matter what directory, use `**.txt`.
+- To match all files with a `.txt` extension _only at the root level of the repository_, use `*.txt`.
+- To match all files inside `resources/bin` and below, use `resources/bin/**`.
+- To match all files _immediately inside_ `resources/bin`, use `resources/bin/*`.
+- To match all files named `Makefile`, use `**Makefile`.
+- Matching a directory has no effect; the pattern `resources/bin` will not include/exclude files inside that directory; `resources/bin/**` will.
+- All files and patterns are normalized to lower case, so `**Makefile`, `**makefile` and `**MAKEFILE` are equivalent.
diff --git a/docs/content/doc/administration/reverse-proxies.en-us.md b/docs/content/doc/administration/reverse-proxies.en-us.md
new file mode 100644
index 0000000000..7b30ab78aa
--- /dev/null
+++ b/docs/content/doc/administration/reverse-proxies.en-us.md
@@ -0,0 +1,387 @@
+---
+date: "2018-05-22T11:00:00+00:00"
+title: "Usage: Reverse Proxies"
+slug: "reverse-proxies"
+weight: 17
+toc: false
+draft: false
+menu:
+ sidebar:
+ parent: "administration"
+ name: "Reverse Proxies"
+ weight: 16
+ identifier: "reverse-proxies"
+---
+
+# Reverse Proxies
+
+**Table of Contents**
+
+{{< toc >}}
+
+## Nginx
+
+If you want Nginx to serve your Gitea instance, add the following `server` section to the `http` section of `nginx.conf`:
+
+```apacheconf
+server {
+ listen 80;
+ server_name git.example.com;
+
+ location / {
+ proxy_pass http://localhost:3000;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+}
+```
+
+## Nginx with a sub-path
+
+In case you already have a site, and you want Gitea to share the domain name, you can setup Nginx to serve Gitea under a sub-path by adding the following `server` section inside the `http` section of `nginx.conf`:
+
+```apacheconf
+server {
+ listen 80;
+ server_name git.example.com;
+
+ # Note: Trailing slash
+ location /git/ {
+ # Note: Trailing slash
+ proxy_pass http://localhost:3000/;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+}
+```
+
+Then you **MUST** set something like `[server] ROOT_URL = http://git.example.com/git/` correctly in your configuration.
+
+## Nginx and serve static resources directly
+
+We can tune the performance in splitting requests into categories static and dynamic.
+
+CSS files, JavaScript files, images and web fonts are static content.
+The front page, a repository view or issue list is dynamic content.
+
+Nginx can serve static resources directly and proxy only the dynamic requests to Gitea.
+Nginx is optimized for serving static content, while the proxying of large responses might be the opposite of that
+(see [https://serverfault.com/q/587386](https://serverfault.com/q/587386)).
+
+Download a snapshot of the Gitea source repository to `/path/to/gitea/`.
+After this, run `make frontend` in the repository directory to generate the static resources. We are only interested in the `public/` directory for this task, so you can delete the rest.
+(You will need to have [Node with npm](https://nodejs.org/en/download/) and `make` installed to generate the static resources)
+
+Depending on the scale of your user base, you might want to split the traffic to two distinct servers,
+or use a cdn for the static files.
+
+### Single node and single domain
+
+Set `[server] STATIC_URL_PREFIX = /_/static` in your configuration.
+
+```apacheconf
+server {
+ listen 80;
+ server_name git.example.com;
+
+ location /_/static/assets/ {
+ alias /path/to/gitea/public/;
+ }
+
+ location / {
+ proxy_pass http://localhost:3000;
+ }
+}
+```
+
+### Two nodes and two domains
+
+Set `[server] STATIC_URL_PREFIX = http://cdn.example.com/gitea` in your configuration.
+
+```apacheconf
+# application server running Gitea
+server {
+ listen 80;
+ server_name git.example.com;
+
+ location / {
+ proxy_pass http://localhost:3000;
+ }
+}
+```
+
+```apacheconf
+# static content delivery server
+server {
+ listen 80;
+ server_name cdn.example.com;
+
+ location /gitea/ {
+ alias /path/to/gitea/public/;
+ }
+
+ location / {
+ return 404;
+ }
+}
+```
+
+## Resolving Error: 413 Request Entity Too Large
+
+This error indicates nginx is configured to restrict the file upload size.
+
+In your nginx config file containing your Gitea proxy directive, find the `location { ... }` block for Gitea and add the line
+`client_max_body_size 16M;` to set this limit to 16 megabytes or any other number of choice.
+If you use Git LFS, this will also limit the size of the largest file you will be able to push.
+
+## Apache HTTPD
+
+If you want Apache HTTPD to serve your Gitea instance, you can add the following to your Apache HTTPD configuration (usually located at `/etc/apache2/httpd.conf` in Ubuntu):
+
+```apacheconf
+<VirtualHost *:80>
+ ...
+ ProxyPreserveHost On
+ ProxyRequests off
+ AllowEncodedSlashes NoDecode
+ ProxyPass / http://localhost:3000/ nocanon
+</VirtualHost>
+```
+
+Note: The following Apache HTTPD mods must be enabled: `proxy`, `proxy_http`.
+
+If you wish to use Let's Encrypt with webroot validation, add the line `ProxyPass /.well-known !` before `ProxyPass` to disable proxying these requests to Gitea.
+
+## Apache HTTPD with a sub-path
+
+In case you already have a site, and you want Gitea to share the domain name, you can setup Apache HTTPD to serve Gitea under a sub-path by adding the following to you Apache HTTPD configuration (usually located at `/etc/apache2/httpd.conf` in Ubuntu):
+
+```apacheconf
+<VirtualHost *:80>
+ ...
+ <Proxy *>
+ Order allow,deny
+ Allow from all
+ </Proxy>
+ AllowEncodedSlashes NoDecode
+ # Note: no trailing slash after either /git or port
+ ProxyPass /git http://localhost:3000 nocanon
+</VirtualHost>
+```
+
+Then you **MUST** set something like `[server] ROOT_URL = http://git.example.com/git/` correctly in your configuration.
+
+Note: The following Apache HTTPD mods must be enabled: `proxy`, `proxy_http`.
+
+## Caddy
+
+If you want Caddy to serve your Gitea instance, you can add the following server block to your Caddyfile:
+
+```apacheconf
+git.example.com {
+ reverse_proxy localhost:3000
+}
+```
+
+If you still use Caddy v1, use:
+
+```apacheconf
+git.example.com {
+ proxy / localhost:3000
+}
+```
+
+## Caddy with a sub-path
+
+In case you already have a site, and you want Gitea to share the domain name, you can setup Caddy to serve Gitea under a sub-path by adding the following to your server block in your Caddyfile:
+
+```apacheconf
+git.example.com {
+ route /git/* {
+ uri strip_prefix /git
+ reverse_proxy localhost:3000
+ }
+}
+```
+
+Or, for Caddy v1:
+
+```apacheconf
+git.example.com {
+ proxy /git/ localhost:3000
+}
+```
+
+Then set `[server] ROOT_URL = http://git.example.com/git/` in your configuration.
+
+## IIS
+
+If you wish to run Gitea with IIS. You will need to setup IIS with URL Rewrite as reverse proxy.
+
+1. Setup an empty website in IIS, named let's say, `Gitea Proxy`.
+2. Follow the first two steps in [Microsoft's Technical Community Guide to Setup IIS with URL Rewrite](https://techcommunity.microsoft.com/t5/iis-support-blog/setup-iis-with-url-rewrite-as-a-reverse-proxy-for-real-world/ba-p/846222#M343). That is:
+
+- Install Application Request Routing (ARR for short) either by using the Microsoft Web Platform Installer 5.1 (WebPI) or downloading the extension from [IIS.net](https://www.iis.net/downloads/microsoft/application-request-routing)
+- Once the module is installed in IIS, you will see a new Icon in the IIS Administration Console called URL Rewrite.
+- Open the IIS Manager Console and click on the `Gitea Proxy` Website from the tree view on the left. Select and double click the URL Rewrite Icon from the middle pane to load the URL Rewrite interface.
+- Choose the `Add Rule` action from the right pane of the management console and select the `Reverse Proxy Rule` from the `Inbound and Outbound Rules` category.
+- In the Inbound Rules section, set the server name to be the host that Gitea is running on with its port. e.g. if you are running Gitea on the localhost with port 3000, the following should work: `127.0.0.1:3000`
+- Enable SSL Offloading
+- In the Outbound Rules, ensure `Rewrite the domain names of the links in HTTP response` is set and set the `From:` field as above and the `To:` to your external hostname, say: `git.example.com`
+- Now edit the `web.config` for your website to match the following: (changing `127.0.0.1:3000` and `git.example.com` as appropriate)
+
+```xml
+<?xml version="1.0" encoding="UTF-8"?>
+<configuration>
+ <system.web>
+ <httpRuntime requestPathInvalidCharacters="" />
+ </system.web>
+ <system.webServer>
+ <security>
+ <requestFiltering>
+ <hiddenSegments>
+ <clear />
+ </hiddenSegments>
+ <denyUrlSequences>
+ <clear />
+ </denyUrlSequences>
+ <fileExtensions allowUnlisted="true">
+ <clear />
+ </fileExtensions>
+ </requestFiltering>
+ </security>
+ <rewrite>
+ <rules useOriginalURLEncoding="false">
+ <rule name="ReverseProxyInboundRule1" stopProcessing="true">
+ <match url="(.*)" />
+ <action type="Rewrite" url="http://127.0.0.1:3000{UNENCODED_URL}" />
+ <serverVariables>
+ <set name="HTTP_X_ORIGINAL_ACCEPT_ENCODING" value="HTTP_ACCEPT_ENCODING" />
+ <set name="HTTP_ACCEPT_ENCODING" value="" />
+ </serverVariables>
+ </rule>
+ </rules>
+ <outboundRules>
+ <rule name="ReverseProxyOutboundRule1" preCondition="ResponseIsHtml1">
+ <!-- set the pattern correctly here - if you only want to accept http or https -->
+ <!-- change the pattern and the action value as appropriate -->
+ <match filterByTags="A, Form, Img" pattern="^http(s)?://127.0.0.1:3000/(.*)" />
+ <action type="Rewrite" value="http{R:1}://git.example.com/{R:2}" />
+ </rule>
+ <rule name="RestoreAcceptEncoding" preCondition="NeedsRestoringAcceptEncoding">
+ <match serverVariable="HTTP_ACCEPT_ENCODING" pattern="^(.*)" />
+ <action type="Rewrite" value="{HTTP_X_ORIGINAL_ACCEPT_ENCODING}" />
+ </rule>
+ <preConditions>
+ <preCondition name="ResponseIsHtml1">
+ <add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/html" />
+ </preCondition>
+ <preCondition name="NeedsRestoringAcceptEncoding">
+ <add input="{HTTP_X_ORIGINAL_ACCEPT_ENCODING}" pattern=".+" />
+ </preCondition>
+ </preConditions>
+ </outboundRules>
+ </rewrite>
+ <urlCompression doDynamicCompression="true" />
+ <handlers>
+ <clear />
+ <add name="StaticFile" path="*" verb="*" modules="StaticFileModule,DefaultDocumentModule,DirectoryListingModule" resourceType="Either" requireAccess="Read" />
+ </handlers>
+ <!-- Map all extensions to the same MIME type, so all files can be
+ downloaded. -->
+ <staticContent>
+ <clear />
+ <mimeMap fileExtension="*" mimeType="application/octet-stream" />
+ </staticContent>
+ </system.webServer>
+</configuration>
+```
+
+## HAProxy
+
+If you want HAProxy to serve your Gitea instance, you can add the following to your HAProxy configuration
+
+add an acl in the frontend section to redirect calls to gitea.example.com to the correct backend
+
+```
+frontend http-in
+ ...
+ acl acl_gitea hdr(host) -i gitea.example.com
+ use_backend gitea if acl_gitea
+ ...
+```
+
+add the previously defined backend section
+
+```
+backend gitea
+ server localhost:3000 check
+```
+
+If you redirect the http content to https, the configuration work the same way, just remember that the connection between HAProxy and Gitea will be done via http so you do not have to enable https in Gitea's configuration.
+
+## HAProxy with a sub-path
+
+In case you already have a site, and you want Gitea to share the domain name, you can setup HAProxy to serve Gitea under a sub-path by adding the following to you HAProxy configuration:
+
+```
+frontend http-in
+ ...
+ acl acl_gitea path_beg /gitea
+ use_backend gitea if acl_gitea
+ ...
+```
+
+With that configuration http://example.com/gitea/ will redirect to your Gitea instance.
+
+then for the backend section
+
+```
+backend gitea
+ http-request replace-path /gitea\/?(.*) \/\1
+ server localhost:3000 check
+```
+
+The added http-request will automatically add a trailing slash if needed and internally remove /gitea from the path to allow it to work correctly with Gitea by setting properly http://example.com/gitea as the root.
+
+Then you **MUST** set something like `[server] ROOT_URL = http://example.com/gitea/` correctly in your configuration.
+
+## Traefik
+
+If you want traefik to serve your Gitea instance, you can add the following label section to your `docker-compose.yaml` (Assuming the provider is docker).
+
+```yaml
+gitea:
+ image: gitea/gitea
+ ...
+ labels:
+ - "traefik.enable=true"
+ - "traefik.http.routers.gitea.rule=Host(`example.com`)"
+ - "traefik.http.services.gitea-websecure.loadbalancer.server.port=3000"
+```
+
+This config assumes that you are handling HTTPS on the traefik side and using HTTP between Gitea and traefik.
+
+## Traefik with a sub-path
+
+In case you already have a site, and you want Gitea to share the domain name, you can setup Traefik to serve Gitea under a sub-path by adding the following to your `docker-compose.yaml` (Assuming the provider is docker) :
+
+```yaml
+gitea:
+ image: gitea/gitea
+ ...
+ labels:
+ - "traefik.enable=true"
+ - "traefik.http.routers.gitea.rule=Host(`example.com`) && PathPrefix(`/gitea`)"
+ - "traefik.http.services.gitea-websecure.loadbalancer.server.port=3000"
+ - "traefik.http.middlewares.gitea-stripprefix.stripprefix.prefixes=/gitea"
+ - "traefik.http.routers.gitea.middlewares=gitea-stripprefix"
+```
+
+This config assumes that you are handling HTTPS on the traefik side and using HTTP between Gitea and traefik.
+
+Then you **MUST** set something like `[server] ROOT_URL = http://example.com/gitea/` correctly in your configuration.
diff --git a/docs/content/doc/administration/reverse-proxies.zh-cn.md b/docs/content/doc/administration/reverse-proxies.zh-cn.md
new file mode 100644
index 0000000000..1355d09e8a
--- /dev/null
+++ b/docs/content/doc/administration/reverse-proxies.zh-cn.md
@@ -0,0 +1,138 @@
+---
+date: "2018-05-22T11:00:00+00:00"
+title: "使用:反向代理"
+slug: "reverse-proxies"
+weight: 17
+toc: false
+draft: false
+menu:
+ sidebar:
+ parent: "administration"
+ name: "反向代理"
+ weight: 16
+ identifier: "reverse-proxies"
+---
+
+# 反向代理
+
+**目录**
+
+{{< toc >}}
+
+## 使用 Nginx 作为反向代理服务
+
+如果您想使用 Nginx 作为 Gitea 的反向代理服务,您可以参照以下 `nginx.conf` 配置中 `server` 的 `http` 部分:
+
+```
+server {
+ listen 80;
+ server_name git.example.com;
+
+ location / {
+ proxy_pass http://localhost:3000;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+}
+```
+
+## 使用 Nginx 作为反向代理服务并将 Gitea 路由至一个子路径
+
+如果您已经有一个域名并且想与 Gitea 共享该域名,您可以增加以下 `nginx.conf` 配置中 `server` 的 `http` 部分,为 Gitea 添加路由规则:
+
+```
+server {
+ listen 80;
+ server_name git.example.com;
+
+ # 注意: /git/ 最后需要有一个路径符号
+ location /git/ {
+ # 注意: 反向代理后端 URL 的最后需要有一个路径符号
+ proxy_pass http://localhost:3000/;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+}
+```
+
+然后您**必须**在 Gitea 的配置文件中正确的添加类似 `[server] ROOT_URL = http://git.example.com/git/` 的配置项。
+
+## 使用 Apache HTTPD 作为反向代理服务
+
+如果您想使用 Apache HTTPD 作为 Gitea 的反向代理服务,您可以为您的 Apache HTTPD 作如下配置(在 Ubuntu 中,配置文件通常在 `/etc/apache2/httpd.conf` 目录下):
+
+```
+<VirtualHost *:80>
+ ...
+ ProxyPreserveHost On
+ ProxyRequests off
+ AllowEncodedSlashes NoDecode
+ ProxyPass / http://localhost:3000/ nocanon
+</VirtualHost>
+```
+
+注:必须启用以下 Apache HTTPD 组件:`proxy`, `proxy_http`
+
+## 使用 Apache HTTPD 作为反向代理服务并将 Gitea 路由至一个子路径
+
+如果您已经有一个域名并且想与 Gitea 共享该域名,您可以增加以下配置为 Gitea 添加路由规则(在 Ubuntu 中,配置文件通常在 `/etc/apache2/httpd.conf` 目录下):
+
+```
+<VirtualHost *:80>
+ ...
+ <Proxy *>
+ Order allow,deny
+ Allow from all
+ </Proxy>
+ AllowEncodedSlashes NoDecode
+ # 注意: 路径和 URL 后面都不要写路径符号 '/'
+ ProxyPass /git http://localhost:3000 nocanon
+</VirtualHost>
+```
+
+然后您**必须**在 Gitea 的配置文件中正确的添加类似 `[server] ROOT_URL = http://git.example.com/git/` 的配置项。
+
+注:必须启用以下 Apache HTTPD 组件:`proxy`, `proxy_http`
+
+## 使用 Caddy 作为反向代理服务
+
+如果您想使用 Caddy 作为 Gitea 的反向代理服务,您可以在 `Caddyfile` 中添加如下配置:
+
+```
+git.example.com {
+ proxy / http://localhost:3000
+}
+```
+
+## 使用 Caddy 作为反向代理服务并将 Gitea 路由至一个子路径
+
+如果您已经有一个域名并且想与 Gitea 共享该域名,您可以在您的 `Caddyfile` 文件中增加以下配置,为 Gitea 添加路由规则:
+
+```
+git.example.com {
+ # 注意: 路径 /git/ 最后需要有路径符号
+ proxy /git/ http://localhost:3000
+}
+```
+
+然后您**必须**在 Gitea 的配置文件中正确的添加类似 `[server] ROOT_URL = http://git.example.com/git/` 的配置项。
+
+## 使用 Traefik 作为反向代理服务
+
+如果您想使用 traefik 作为 Gitea 的反向代理服务,您可以在 `docker-compose.yaml` 中添加 label 部分(假设使用 docker 作为 traefik 的 provider):
+
+```yaml
+gitea:
+ image: gitea/gitea
+ ...
+ labels:
+ - "traefik.enable=true"
+ - "traefik.http.routers.gitea.rule=Host(`example.com`)"
+ - "traefik.http.services.gitea-websecure.loadbalancer.server.port=3000"
+```
+
+这份配置假设您使用 traefik 来处理 HTTPS 服务,并在其和 Gitea 之间使用 HTTP 进行通信。
diff --git a/docs/content/doc/administration/search-engines-indexation.en-us.md b/docs/content/doc/administration/search-engines-indexation.en-us.md
new file mode 100644
index 0000000000..cabedb3a5d
--- /dev/null
+++ b/docs/content/doc/administration/search-engines-indexation.en-us.md
@@ -0,0 +1,38 @@
+---
+date: "2019-12-31T13:55:00+05:00"
+title: "Advanced: Search Engines Indexation"
+slug: "search-engines-indexation"
+weight: 30
+toc: false
+draft: false
+menu:
+ sidebar:
+ parent: "administration"
+ name: "Search Engines Indexation"
+ weight: 60
+ identifier: "search-engines-indexation"
+---
+
+# Search engines indexation of your Gitea installation
+
+By default your Gitea installation will be indexed by search engines.
+If you don't want your repository to be visible for search engines read further.
+
+## Block search engines indexation using robots.txt
+
+To make Gitea serve a custom `robots.txt` (default: empty 404) for top level installations,
+create a file called `robots.txt` in the [`custom` folder or `CustomPath`]({{< relref "doc/administration/customizing-gitea.en-us.md" >}})
+
+Examples on how to configure the `robots.txt` can be found at [https://moz.com/learn/seo/robotstxt](https://moz.com/learn/seo/robotstxt).
+
+```txt
+User-agent: *
+Disallow: /
+```
+
+If you installed Gitea in a subdirectory, you will need to create or edit the `robots.txt` in the top level directory.
+
+```txt
+User-agent: *
+Disallow: /gitea/
+```
diff --git a/docs/content/doc/administration/signing.en-us.md b/docs/content/doc/administration/signing.en-us.md
new file mode 100644
index 0000000000..8dd4ffdfb7
--- /dev/null
+++ b/docs/content/doc/administration/signing.en-us.md
@@ -0,0 +1,177 @@
+---
+date: "2019-08-17T10:20:00+01:00"
+title: "GPG Commit Signatures"
+slug: "signing"
+weight: 20
+toc: false
+draft: false
+menu:
+ sidebar:
+ parent: "administration"
+ name: "GPG Commit Signatures"
+ weight: 50
+ identifier: "signing"
+---
+
+# GPG Commit Signatures
+
+**Table of Contents**
+
+{{< toc >}}
+
+Gitea will verify GPG commit signatures in the provided tree by
+checking if the commits are signed by a key within the Gitea database,
+or if the commit matches the default key for Git.
+
+Keys are not checked to determine if they have expired or revoked.
+Keys are also not checked with keyservers.
+
+A commit will be marked with a grey unlocked icon if no key can be
+found to verify it. If a commit is marked with a red unlocked icon,
+it is reported to be signed with a key with an id.
+
+Please note: The signer of a commit does not have to be an author or
+committer of a commit.
+
+This functionality requires Git >= 1.7.9 but for full functionality
+this requires Git >= 2.0.0.
+
+## Automatic Signing
+
+There are a number of places where Gitea will generate commits itself:
+
+- Repository Initialisation
+- Wiki Changes
+- CRUD actions using the editor or the API
+- Merges from Pull Requests
+
+Depending on configuration and server trust you may want Gitea to
+sign these commits.
+
+## Installing and generating a GPG key for Gitea
+
+It is up to a server administrator to determine how best to install
+a signing key. Gitea generates all its commits using the server `git`
+command at present - and therefore the server `gpg` will be used for
+signing (if configured.) Administrators should review best-practices
+for GPG - in particular it is probably advisable to only install a
+signing secret subkey without the master signing and certifying secret
+key.
+
+## General Configuration
+
+Gitea's configuration for signing can be found with the
+`[repository.signing]` section of `app.ini`:
+
+```ini
+...
+[repository.signing]
+SIGNING_KEY = default
+SIGNING_NAME =
+SIGNING_EMAIL =
+INITIAL_COMMIT = always
+CRUD_ACTIONS = pubkey, twofa, parentsigned
+WIKI = never
+MERGES = pubkey, twofa, basesigned, commitssigned
+
+...
+```
+
+### `SIGNING_KEY`
+
+The first option to discuss is the `SIGNING_KEY`. There are three main
+options:
+
+- `none` - this prevents Gitea from signing any commits
+- `default` - Gitea will default to the key configured within `git config`
+- `KEYID` - Gitea will sign commits with the gpg key with the ID
+ `KEYID`. In this case you should provide a `SIGNING_NAME` and
+ `SIGNING_EMAIL` to be displayed for this key.
+
+The `default` option will interrogate `git config` for
+`commit.gpgsign` option - if this is set, then it will use the results
+of the `user.signingkey`, `user.name` and `user.email` as appropriate.
+
+Please note: by adjusting Git's `config` file within Gitea's
+repositories, `SIGNING_KEY=default` could be used to provide different
+signing keys on a per-repository basis. However, this is clearly not an
+ideal UI and therefore subject to change.
+
+**Since 1.17**, Gitea runs git in its own home directory `[git].HOME_PATH` (default to `%(APP_DATA_PATH)/home`)
+and uses its own config `{[git].HOME_PATH}/.gitconfig`.
+If you have your own customized git config for Gitea, you should set these configs in system git config (aka `/etc/gitconfig`)
+or the Gitea internal git config `{[git].HOME_PATH}/.gitconfig`.
+Related home files for git command (like `.gnupg`) should also be put in Gitea's git home directory `[git].HOME_PATH`.
+If you like to keep the `.gnupg` directory outside of `{[git].HOME_PATH}/`, consider setting the `$GNUPGHOME` environment variable to your preferred location.
+
+### `INITIAL_COMMIT`
+
+This option determines whether Gitea should sign the initial commit
+when creating a repository. The possible values are:
+
+- `never`: Never sign
+- `pubkey`: Only sign if the user has a public key
+- `twofa`: Only sign if the user logs in with two factor authentication
+- `always`: Always sign
+
+Options other than `never` and `always` can be combined as a comma
+separated list. The commit will be signed if all selected options are true.
+
+### `WIKI`
+
+This options determines if Gitea should sign commits to the Wiki.
+The possible values are:
+
+- `never`: Never sign
+- `pubkey`: Only sign if the user has a public key
+- `twofa`: Only sign if the user logs in with two-factor authentication
+- `parentsigned`: Only sign if the parent commit is signed.
+- `always`: Always sign
+
+Options other than `never` and `always` can be combined as a comma
+separated list. The commit will be signed if all selected options are true.
+
+### `CRUD_ACTIONS`
+
+This option determines if Gitea should sign commits from the web
+editor or API CRUD actions. The possible values are:
+
+- `never`: Never sign
+- `pubkey`: Only sign if the user has a public key
+- `twofa`: Only sign if the user logs in with two-factor authentication
+- `parentsigned`: Only sign if the parent commit is signed.
+- `always`: Always sign
+
+Options other than `never` and `always` can be combined as a comma
+separated list. The change will be signed if all selected options are true.
+
+### `MERGES`
+
+This option determines if Gitea should sign merge commits from PRs.
+The possible options are:
+
+- `never`: Never sign
+- `pubkey`: Only sign if the user has a public key
+- `twofa`: Only sign if the user logs in with two-factor authentication
+- `basesigned`: Only sign if the parent commit in the base repo is signed.
+- `headsigned`: Only sign if the head commit in the head branch is signed.
+- `commitssigned`: Only sign if all the commits in the head branch to the merge point are signed.
+- `approved`: Only sign approved merges to a protected branch.
+- `always`: Always sign
+
+Options other than `never` and `always` can be combined as a comma
+separated list. The merge will be signed if all selected options are true.
+
+## Obtaining the Public Key of the Signing Key
+
+The public key used to sign Gitea's commits can be obtained from the API at:
+
+```sh
+/api/v1/signing-key.gpg
+```
+
+In cases where there is a repository specific key this can be obtained from:
+
+```sh
+/api/v1/repos/:username/:reponame/signing-key.gpg
+```