Configuration Cheat Sheet | Forgejo – Beyond coding. We forge. Configuration Cheat Sheet Default Configuration (non-app.ini configuration) Overall (DEFAULT) Repository (repository) Repository - Editor (repository.editor) Repository - Pull Request (repository.pull-request) Repository - Issue (repository.issue) Repository - Upload (repository.upload) Repository - Release (repository.release) Repository - Signing (repository.signing) Repository - Local (repository.local) Repository - MIME type mapping (repository.mimetype_mapping) Badges (badges) CORS (cors) UI (ui) UI - Admin (ui.admin) UI - User (ui.user) UI - Metadata (ui.meta) UI - Notification (ui.notification) UI - SVG Images (ui.svg) UI - CSV Files (ui.csv) Markdown (markdown) Server (server) Database (database) Indexer (indexer) Queue (queue and queue.*) Admin (admin) Security (security) Camo (camo) OpenID (openid) OAuth2 Client (oauth2_client) Service (service) Service - Explore (service.explore) SSH Minimum Key Sizes (ssh.minimum_key_sizes) Webhook (webhook) Mailer (mailer) Incoming Email (email.incoming) Cache (cache) Cache - LastCommitCache settings (cache.last_commit) Session (session) Picture (picture) Project (project) Issue and pull request attachments (attachment) LFS client (lfs_client) Log (log) Access Log (log) Log subsections (log.) Console log mode (log.console, or MODE=console) File log mode (log.file, or MODE=file) Conn log mode (log.conn, or MODE=conn) Cron (cron) Basic cron tasks - enabled by default Cron - Cleanup old repository archives (cron.archive_cleanup) Cron - Update Mirrors (cron.update_mirrors) Cron - Repository Health Check (cron.repo_health_check) Cron - Repository Statistics Check (cron.check_repo_stats) Cron - Cleanup hook_task Table (cron.cleanup_hook_task_table) Cron - Cleanup expired packages (cron.cleanup_packages) Cron - Update Migration Poster ID (cron.update_migration_poster_id) Cron - Sync External Users (cron.sync_external_users) Cron - Cleanup Expired Actions Assets (cron.cleanup_actions) Cron - Check for new Forgejo versions (cron.update_checker) Cron - Clean up deleted branches (cron.deleted_branches_cleanup) Extended cron tasks (not enabled by default) Cron - Garbage collect all repositories (cron.git_gc_repos) Cron - Update the ‘.ssh/authorized_keys’ file with Forgejo SSH keys (cron.resync_all_sshkeys) Cron - Resynchronize pre-receive, update and post-receive hooks of all repositories (cron.resync_all_hooks) Cron - Reinitialize all missing Git repositories for which records exist (cron.reinit_missing_repos) Cron - Delete all repositories missing their Git files (cron.delete_missing_repos) Cron - Delete generated repository avatars (cron.delete_generated_repository_avatars) Cron - Delete all old activities from database (cron.delete_old_actions) Cron - Cleanup Offline Runners (cron.cleanup_offline_runners) Cron - Delete all old system notices from database (cron.delete_old_system_notices) Cron - Garbage collect LFS pointers in repositories (cron.gc_lfs) Cron - Delete inactive account (cron.delete_inactive_accounts) Cron - Remove resolved reports (cron.remove_resolved_reports) Git (git) Git - Timeout settings (git.timeout) Git - Config options (git.config) Metrics (metrics) API (api) OAuth2 (oauth2) i18n (i18n) Markup (markup) Highlight Mappings (highlight.mapping) Time (time) Migrations (migrations) Federation (federation) Packages (packages) Mirror (mirror) LFS (lfs) Repository Avatars (repo-avatar) Avatars (avatar) Actions logs (storage.actions_log) Actions Artifacts (storage.artifacts) Storage (storage) Quota (quota) Default Quota (quota.default) Quota subjects (list) Proxy (proxy) Actions (actions) Moderation (moderation) Other (other) Configuration Cheat Sheet This is a cheat sheet for the Forgejo configuration file. It contains most of the settings that can be configured as well as their default values. Any changes to the Forgejo configuration file should be made in custom/conf/app.ini or any corresponding location. When installing from a distribution, this will typically be found at /etc/forgejo/app.ini The defaults provided here are best-effort (not built automatically). They are accurately recorded in app.example.ini (s/main/). Any string in the format %(X)s is a feature powered by ini , for reading values recursively. In the default values below, a value in the form $XYZ refers to an environment variable. See environment-to-ini for information on how environment variables are translated to app.ini variables. Values in the form XxYyZz refer to values listed as part of the default configuration. These notation forms will not work in your own app.ini file and are only listed here as documentation. Values containing or must be quoted using or """ Note: A full restart is required for Forgejo configuration changes to take effect. Default Configuration (non- app.ini configuration) These values are environment-dependent but form the basis of many values. They will be reported as part of the default configuration when running forgejo help or on start-up. The order they are emitted there is slightly different, but we will list them here in the order they are set up. AppPath : This is the absolute path of the running forgejo binary. AppWorkPath : This refers to the “working path” of the forgejo binary. It is determined by using the first defined value in the following hierarchy: The --work-path flag passed to the binary The environment variable $FORGEJO_WORK_DIR A built-in value set at build time (see building from source) Otherwise, it defaults to the directory of the AppPath If any of the above are relative paths, then they are made absolute against the directory of the AppPath CustomPath : This is the base directory for custom templates and other options. It is determined by using the first defined value in the following hierarchy: The --custom-path flag passed to the binary The environment variable $FORGEJO_CUSTOM A built-in value set at build time (see building from source) Otherwise, it defaults to AppWorkPath /custom If any of the above are relative paths, then they are made absolute against the directory of the AppWorkPath CustomConf : This is the path to the app.ini file. The --config flag passed to the binary A built-in value set at build time (see building from source) Otherwise, it defaults to CustomPath /conf/app.ini If any of the above are relative paths, then they are made absolute against the directory of the CustomPath In addition, there is StaticRootPath , which can be set as a built-in at build time, but will otherwise default to AppWorkPath Overall ( DEFAULT APP_NAME Forgejo: Beyond coding. We forge. : Application name, used in the page title. APP_SLOGAN : Application slogan, used in the page title. APP_DISPLAY_NAME_FORMAT {APP_NAME}: {APP_SLOGAN} : Defines how the application full name should be presented. It is only used if APP_SLOGAN is set. RUN_USER current OS username $USER $USERNAME e.g. git : The user Forgejo will run as. This should be a dedicated system (non-user) account. Setting this incorrectly will cause Forgejo to not start. RUN_MODE prod : Application run mode, affects performance and debugging: dev or prod , default is prod . Mode dev makes Forgejo easier to develop and debug; values other than dev are treated as prod , which is for production use. WORK_PATH the-work-path : The working directory, see the comment of AppWorkPath above. Repository ( repository ROOT %(APP_DATA_PATH)s/gitea-repositories : Root path for storing all repository data. A relative path is interpreted as AppWorkPath /%(ROOT)s SCRIPT_TYPE bash : The script type this server supports. Usually this is bash but some users report that only sh is available. DETECTED_CHARSETS_ORDER UTF-8, UTF-16BE, UTF-16LE, UTF-32BE, UTF-32LE, ISO-8859, windows-1252, ISO-8859, windows-1250, ISO-8859, ISO-8859, ISO-8859, windows-1253, ISO-8859, windows-1255, ISO-8859, windows-1251, windows-1256, KOI8-R, ISO-8859, windows-1254, Shift_JIS, GB18030, EUC-JP, EUC-KR, Big5, ISO-2022, ISO-2022, ISO-2022, IBM424_rtl, IBM424_ltr, IBM420_rtl, IBM420_ltr : Tie-break order of detected charsets - if the detected charsets have equal confidence, charsets earlier in the list will be chosen in preference to those later. Adding defaults will place the unnamed charsets at that point. ANSI_CHARSET : Default ANSI charset to override non-UTF-8 charsets to. FORCE_PRIVATE false : Force every new repository to be private. DEFAULT_PRIVATE last : Default privacy setting when creating a new repository. [last, private, public] DEFAULT_PUSH_CREATE_PRIVATE true : Default privacy setting when creating a new repository with push-to-create. MAX_CREATION_LIMIT -1 : Global maximum creation limit of repositories for each user and organization; -1 means no limit. If regular users can create organizations (see DISABLE_REGULAR_ORG_CREATION ) then they can bypass this by creating new organizations. The global limit can be overridden by an administrator on each user and repository through their respective configuration UIs. PREFERRED_LICENSES Apache-2.0, MIT” : Preferred Licenses to place at the top of the list. Name must match the file name in options/license or custom/options/license. DISABLE_HTTP_GIT false : Disable the ability to interact with repositories over the HTTP protocol. USE_COMPAT_SSH_URI true : Always use ssh:// clone URL instead of scp-style URI. GO_GET_CLONE_URL_PROTOCOL https : Value for the “go get” request returns the repository URL as https or ssh. Default is https. ACCESS_CONTROL_ALLOW_ORIGIN : Value for Access-Control-Allow-Origin header; by default, the header is not present. WARNING : This may be harmful to your website if you do not give it the correct value. DEFAULT_CLOSE_ISSUES_VIA_COMMITS_IN_ANY_BRANCH false : Close an issue if a commit on a non-default branch marks it as closed. ENABLE_PUSH_CREATE_USER false : Allow users to push local repositories to Forgejo and have them automatically created for a user. ENABLE_PUSH_CREATE_ORG false : Allow users to push local repositories to Forgejo and have them automatically created for an org. DISABLED_REPO_UNITS empty : Comma-separated list of globally disabled repo units. Allowed values: [repo.issues, repo.ext_issues, repo.pulls, repo.wiki, repo.ext_wiki, repo.projects, repo.packages, repo.actions] DEFAULT_REPO_UNITS repo.code,repo.releases,repo.issues,repo.pulls,repo.wiki,repo.projects,repo.packages,repo.actions : Comma-separated list of default new repo units. Allowed values: [repo.code, repo.releases, repo.issues, repo.pulls, repo.wiki, repo.projects, repo.packages, repo.actions]. Note: Code and Releases can currently not be deactivated. If you specify default repo units, you should still list them for future compatibility. External wiki and issue tracker can’t be enabled by default as it requires additional settings. Disabled repo units will not be added to new repositories regardless of whether they are in the default list. DEFAULT_FORK_REPO_UNITS repo.code,repo.pulls : Comma-separated list of default forked repo units. The set of allowed values and rules is the same as DEFAULT_REPO_UNITS DEFAULT_MIRROR_REPO_UNITS repo.code,repo.releases,repo.issues,repo.wiki,repo.projects,repo.packages : Comma-separated list of default units that migrated mirror repositories will have. The set of allowed values and rules is the same as DEFAULT_REPO_UNITS PREFIX_ARCHIVE_FILES true : Prefix archive files by placing them in a directory named after the repository. DISABLE_MIGRATIONS false : Disable migrating feature. DISABLE_STARS false : Disable stars feature. DISABLE_FORKS false : Disable repository forking. DEFAULT_BRANCH main : Default branch name for all new repositories. ALLOW_ADOPTION_OF_UNADOPTED_REPOSITORIES false : Allow non-admin users to adopt unadopted repositories. ALLOW_DELETION_OF_UNADOPTED_REPOSITORIES false : Allow non-admin users to delete unadopted repositories. DISABLE_DOWNLOAD_SOURCE_ARCHIVES false : Prevents the downloading of source archive files from the UI. ALLOW_FORK_WITHOUT_MAXIMUM_LIMIT true : Allows forking repositories even if the user has reached their repository limit. Repository - Editor ( repository.editor LINE_WRAP_EXTENSIONS .txt,.md,.markdown,.mdown,.mkd,.livemd, : List of file extensions for which lines should be wrapped in the CodeMirror editor. Separate extensions with a comma. To line wrap files without an extension, just put a comma. PREVIEWABLE_FILE_MODES markdown : Valid file modes that have a preview API associated with them, such as api/v1/markdown . Separate the values by commas. The preview tab in edit mode won’t be displayed if the file extension doesn’t match. Repository - Pull Request ( repository.pull-request WORK_IN_PROGRESS_PREFIXES WIP:,[WIP] : List of prefixes used in Pull Request titles to mark them as Work In Progress. These are matched in a case-insensitive manner. CLOSE_KEYWORDS close closes closed fix fixes fixed resolve resolves resolved : List of keywords used in pull request comments to automatically close a related issue. REOPEN_KEYWORDS reopen reopens reopened : List of keywords used in Pull Request comments to automatically reopen a related issue. DEFAULT_MERGE_STYLE merge : Set default merge style for repository creation; valid options: merge rebase rebase-merge squash fast-forward-only DEFAULT_MERGE_MESSAGE_COMMITS_LIMIT 50 : In the default merge message for squash commits, include at most this many commits. Set to -1 to include all commits. DEFAULT_MERGE_MESSAGE_SIZE 5120 : In the default merge message for squash commits, limit the size of the commit messages. Set to -1 to have no limit. Only used if POPULATE_SQUASH_COMMENT_WITH_COMMIT_MESSAGES is true DEFAULT_MERGE_MESSAGE_ALL_AUTHORS false : In the default merge message for squash commits, walk all commits to include all authors in the Co-authored-by trailers; otherwise, just use those in the limited list. DEFAULT_MERGE_MESSAGE_MAX_APPROVERS 10 : In default merge messages, limit the number of approvers listed as Reviewed-by: . Set to -1 to include all. DEFAULT_MERGE_MESSAGE_OFFICIAL_APPROVERS_ONLY true : In default merge messages, only include approvers who are officially allowed to review. DEFAULT_UPDATE_STYLE merge : Set default PR branch update style for repository creation; valid options: merge rebase POPULATE_SQUASH_COMMENT_WITH_COMMIT_MESSAGES false : In default squash-merge messages, include the commit message of all commits comprising the pull request. RETARGET_CHILDREN_ON_MERGE true : Retarget child pull requests to the parent pull request branch target on merge of the parent pull request. It only works on merged PRs where the head and base branch target the same repo. Repository - Issue ( repository.issue LOCK_REASONS Too heated,Off-topic,Resolved,Spam : A list of reasons why a Pull Request or Issue can be locked. MAX_PINNED : Maximum number of pinned Issues per Repo. Set to 0 to disable pinning Issues. Repository - Upload ( repository.upload ENABLED true : Whether repository file uploads are enabled. TEMP_PATH data/tmp/uploads : Path for uploads (content gets deleted on Forgejo restart). ALLOWED_TYPES : Comma-separated list of allowed file extensions ( .zip ), MIME types ( text/plain ), or wildcard types ( image/* audio/* video/* ). Empty value or */* allows all types. FILE_MAX_SIZE 50 : Maximum size of each file in megabytes. MAX_FILES : Maximum number of files per upload. Repository - Release ( repository.release ALLOWED_TYPES : Comma-separated list of allowed file extensions ( .zip ), MIME types ( text/plain ), or wildcard types ( image/* audio/* video/* ). Empty value or */* allows all types. DEFAULT_PAGING_NUM 10 : The default paging number for the releases user interface. For settings related to file attachments on releases, see the attachment section. Repository - Signing ( repository.signing FORMAT openpgp : [openpgp, ssh]: Signing format that Forgejo should use, openpgp uses GPG and ssh uses OpenSSH. SIGNING_KEY default : [none, KEYID, default, path/to/ssh/key]: Key to sign with. If FORMAT is set to ssh this should be set to an absolute path to an public OpenSSH key. SIGNING_NAME SIGNING_EMAIL : if a KEYID is provided as the SIGNING_KEY , use these as the Name and Email address of the signer. These should match publicized name and email address for the key. INITIAL_COMMIT always : [never, pubkey, twofa, always]: Sign initial commit. never : Never sign. pubkey : Only sign if the user has a public key. twofa : Only sign if the user is logged in with 2FA. always : Always sign. Options other than never and always can be combined as a comma-separated list. DEFAULT_TRUST_MODEL collaborator : [collaborator, committer, collaboratorcommitter]: The default trust model used for verifying commits. collaborator : Trust signatures signed by keys of collaborators. committer : Trust signatures that match committers (This matches GitHub and will force Forgejo-signed commits to have Forgejo as the committer). collaboratorcommitter : Trust signatures signed by keys of collaborators which match the committer. WIKI never : [never, pubkey, twofa, always, parentsigned]: Sign commits to the wiki. CRUD_ACTIONS pubkey, twofa, parentsigned : [never, pubkey, twofa, parentsigned, always]: Sign CRUD actions. Options as above, with the addition of: parentsigned : Only sign if the parent commit is signed. MERGES pubkey, twofa, basesigned, commitssigned : [never, pubkey, twofa, approved, basesigned, commitssigned, always]: Sign merges. approved : Only sign approved merges to a protected branch. basesigned : Only sign if the parent commit in the base repo is signed. headsigned : Only sign if the head commit in the head branch is signed. commitssigned : Only sign if all the commits in the head branch to the merge point are signed. Repository - Local ( repository.local LOCAL_COPY_PATH tmp/local-repo : Path for temporary local repository copies. Defaults to tmp/local-repo (content gets deleted on Forgejo restart). Repository - MIME type mapping ( repository.mimetype_mapping Configuration to set the expected MIME type based on file extensions of downloadable files. Configuration consists of key-value pairs and file extensions starting with a leading The following configuration sets the Content-Type: application/vnd.android.package-archive header when downloading files with the .apk file extension. apk =application/vnd.android.package-archive Badges ( badges ENABLED true : Enable repository badges (via a generator like shields.io ). GENERATOR_URL_TEMPLATE : The URL template used for the badge generator service. CORS ( cors ENABLED false : Enable CORS headers (disabled by default). ALLOW_DOMAIN : List of requesting origins that are allowed, e.g. “https://*.example.com”. METHODS GET,HEAD,POST,PUT,PATCH,DELETE,OPTIONS : List of methods allowed to request. MAX_AGE 10m : Maximum time to cache the response. ALLOW_CREDENTIALS false : Allow requests with credentials. HEADERS Content-Type,User-Agent : Additional headers that are permitted in requests. X_FRAME_OPTIONS SAMEORIGIN : Set the X-Frame-Options header value. UI ( ui EXPLORE_PAGING_NUM 20 : Number of repositories shown on one explore page. ISSUE_PAGING_NUM 20 : Number of issues shown on one page (for all pages that list issues, milestones, projects). MEMBERS_PAGING_NUM 20 : Number of members shown in organization members list. FEED_MAX_COMMIT_NUM : Maximum number of commits shown in one activity feed. FEED_PAGING_NUM 20 : Number of items displayed in the home feed. SITEMAP_PAGING_NUM 20 : Number of items displayed in a single subsitemap. GRAPH_MAX_COMMIT_NUM 100 : Maximum number of commits shown in the commit graph. CODE_COMMENT_LINES : Number of lines of code shown for a code comment. DEFAULT_THEME forgejo-auto : [forgejo-auto, forgejo-light, forgejo-dark, auto, gitea, arc-green]: Set the default theme for the Forgejo installation. SHOW_USER_EMAIL true : Whether the user’s email should be shown on the Explore Users page. THEMES forgejo-auto, forgejo-light, forgejo-dark, gitea-auto, gitea-light, gitea-dark, forgejo-auto-deuteranopia-protanopia, forgejo-light-deuteranopia-protanopia, forgejo-dark-deuteranopia-protanopia, forgejo-auto-tritanopia, forgejo-light-tritanopia, forgejo-dark-tritanopia : All available themes. Allows users to select personalized themes regardless of the value of DEFAULT_THEME MAX_DISPLAY_FILE_SIZE 8388608 : Maximum size of files to be displayed (default is 8MiB). REACTIONS : All available reactions users can choose on issues/PRs and comments. Values can be emoji aliases (😄) or Unicode emojis. For custom reactions, add a tightly cropped square image to public/assets/img/emoji/reaction_name.png. REACTION_MAX_USER_NUM 10 : Change the number of users displayed in the reactions tooltip (triggered by mouse hover). CUSTOM_EMOJIS forgejo, gitea, codeberg, gitlab, git, github, gogs : Additional Emojis not defined in the UTF-8 standard. By default, we support Forgejo (:forgejo:); to add more, copy them to public/assets/img/emoji/emoji_name.png and add them to this config. DEFAULT_SHOW_FULL_NAME false : Whether the full name of users should be shown where possible. If the full name isn’t set, the username will be used. SEARCH_REPO_DESCRIPTION true : Whether to search within descriptions during repository searches on the explore page. ONLY_SHOW_RELEVANT_REPOS false : Whether to only show relevant repos on the explore page when no keyword is specified, and the default sorting is used. repository is considered irrelevant if it’s a fork or if it has no metadata (no description, no icon, no topic). AMBIGUOUS_UNICODE_DETECTION true : Detect ambiguous Unicode characters in files and show warnings. SKIP_ESCAPE_CONTEXTS : [diff, file-view, wiki]: Comma-separated list of escape contexts where ambiguous Unicode detection should not be run. wiki is for content on the wiki pages, file-view is for (rendered) file content, and diff is for the diff of a commit and pull request. UI - Admin ( ui.admin USER_PAGING_NUM 50 : Number of users shown on one page. REPO_PAGING_NUM 50 : Number of repos shown on one page. NOTICE_PAGING_NUM 25 : Number of notices shown on one page. ORG_PAGING_NUM 50 : Number of organizations shown on one page. UI - User ( ui.user REPO_PAGING_NUM 15 : Number of repos shown on one page. UI - Metadata ( ui.meta AUTHOR Forgejo - Beyond coding. We forge. : Author meta tag for the homepage. DESCRIPTION Forgejo is a self-hosted lightweight software forge. Easy to install and low maintenance, it just does the job. : Description meta tag for the homepage. KEYWORDS git,forge,forgejo : Keywords meta tag for the homepage. UI - Notification ( ui.notification MIN_TIMEOUT 10s : These options control how often the notification endpoint is polled to update the notification count. On page load, the notification count will be checked after MIN_TIMEOUT . The timeout will increase to MAX_TIMEOUT by TIMEOUT_STEP if the notification count is unchanged. Set MIN_TIMEOUT to -1 to turn off polling. MAX_TIMEOUT 60s TIMEOUT_STEP 10s EVENT_SOURCE_UPDATE_TIME 10s : This setting determines how often the database is queried to update notification counts. If the browser client supports EventSource and SharedWorker , a SharedWorker will be used in preference to polling the notification endpoint. Set to -1 to disable EventSource UI - SVG Images ( ui.svg ENABLE_RENDER true : Whether to render SVG files as images. If SVG rendering is disabled, SVG files are displayed as text and cannot be embedded in Markdown files as images. UI - CSV Files ( ui.csv MAX_FILE_SIZE 524288 (512kb): Maximum allowed file size in bytes to render CSV files as tables. (Set to 0 for no limit). Markdown ( markdown ENABLE_HARD_LINE_BREAK_IN_COMMENTS true : Render soft line breaks as hard line breaks in comments, which means a single newline character between paragraphs will cause a line break, and adding trailing whitespace to paragraphs is not necessary to force a line break. ENABLE_HARD_LINE_BREAK_IN_DOCUMENTS false : Render soft line breaks as hard line breaks in documents, which means a single newline character between paragraphs will cause a line break, and adding trailing whitespace to paragraphs is not necessary to force a line break. CUSTOM_URL_SCHEMES : Use a comma-separated list (ftp,git,svn) to indicate additional URL hyperlinks to be rendered in Markdown. URLs beginning with http and https are always displayed. If this entry is empty, all URL schemes are allowed. FILE_EXTENSIONS .md,.markdown,.mdown,.mkd,.livemd : List of file extensions that should be rendered/edited as Markdown. Separate the extensions with a comma. To render files without any extension as markdown, just put a comma. ENABLE_MATH true : Enables detection of \(...\) \[...\] $...$ and $$...$$ blocks as math blocks. Server ( server APP_DATA_PATH AppWorkPath /data : This is the default root path for storing data. PROTOCOL http : [http, https, fcgi, http+unix, fcgi+unix] Note: Value must be lowercase. USE_PROXY_PROTOCOL false : Expect PROXY protocol headers on connections. PROXY_PROTOCOL_TLS_BRIDGING false : When the protocol is https, expect PROXY protocol headers after TLS negotiation. PROXY_PROTOCOL_HEADER_TIMEOUT 5s : Timeout to wait for PROXY protocol header after a connection from the proxy has been opened (set to 0 to have no timeout). PROXY_PROTOCOL_ACCEPT_UNKNOWN false : Accept PROXY protocol headers with Unknown protocol type. DOMAIN localhost : Domain name of this server. ROOT_URL %(PROTOCOL)s://%(DOMAIN)s:%(HTTP_PORT)s/ Overwrite the automatically generated public URL. This is useful if the internal and external URLs don’t match (e.g. in Docker). STATIC_URL_PREFIX Overwrite this option to request static resources from a different URL. This includes CSS files, images, JS files, and web fonts. Avatar images are dynamic resources and are still served by Forgejo. The option can be just a different path, as in /static , or another domain, as in Requests are then made as %(ROOT_URL)s/static/assets/css/index.css or respectively. The static files are located in the public/ directory of the Forgejo source repository. You can proxy the STATIC_URL_PREFIX requests to the Forgejo server to serve the static assets, or copy the manually built Forgejo assets from $FORGEJO_BUILD/public to the assets location, e.g. /var/www/assets . Make sure $STATIC_URL_PREFIX/assets/css/index.css points to /var/www/assets/css/index.css HTTP_ADDR 0.0.0.0 : HTTP listen address. If PROTOCOL is set to fcgi , Forgejo will listen for FastCGI requests on the TCP socket defined by the HTTP_ADDR and HTTP_PORT configuration settings. If PROTOCOL is set to http+unix or fcgi+unix , this should be either: An absolute path to the socket file. A relative path, in which case it will be made absolute against the AppWorkPath An abstract domain socket name starting with HTTP_PORT 3000 : HTTP listen port. If PROTOCOL is set to fcgi , Forgejo will listen for FastCGI requests on the TCP socket defined by the HTTP_ADDR and HTTP_PORT configuration settings. UNIX_SOCKET_PERMISSION 666 : Permissions for the Unix socket. LOCAL_ROOT_URL %(PROTOCOL)s://%(HTTP_ADDR)s:%(HTTP_PORT)s/ : Local (DMZ) URL for Forgejo workers (such as SSH update) accessing the web service. In most cases, you do not need to change the default value. Alter it only if your SSH server node is not the same as the HTTP node. For different protocols, the default values are different. If PROTOCOL is http+unix , the default value is If PROTOCOL is fcgi or fcgi+unix , the default value is %(PROTOCOL)s://%(HTTP_ADDR)s:%(HTTP_PORT)s/ If listening on 0.0.0.0 , the default value is %(PROTOCOL)s://localhost:%(HTTP_PORT)s/ ; otherwise, the default value is %(PROTOCOL)s://%(HTTP_ADDR)s:%(HTTP_PORT)s/ LOCAL_USE_PROXY_PROTOCOL %(USE_PROXY_PROTOCOL)s : When making local connections, pass the PROXY protocol header. This should be set to false if the local connection will go through the proxy. PER_WRITE_TIMEOUT 30s : Timeout for any write to the connection. (Set to -1 to disable all timeouts.) PER_WRITE_PER_KB_TIMEOUT 10s : Timeout per KB written to connections. DISABLE_SSH false : Disable SSH feature when it’s not available. START_SSH_SERVER false : When enabled, use the built-in SSH server. SSH_SERVER_USE_PROXY_PROTOCOL false : Expect PROXY protocol header on connections to the built-in SSH Server. BUILTIN_SSH_SERVER_USER %(RUN_USER)s : Username to use for the built-in SSH Server. SSH_USER %(BUILTIN_SSH_SERVER_USER)s : SSH username displayed in clone URLs. This is only for people who configure the SSH server themselves; in most cases, you want to leave this blank and modify BUILTIN_SSH_SERVER_USER SSH_DOMAIN %(DOMAIN)s : Domain name of this server, used for displayed clone URL. SSH_PORT 22 : SSH port displayed in the clone URL. SSH_LISTEN_HOST 0.0.0.0 : Listen address for the built-in SSH server. SSH_LISTEN_PORT %(SSH_PORT)s : Port for the built-in SSH server. SSH_ROOT_PATH ~/.ssh : Root path of the SSH directory. SSH_CREATE_AUTHORIZED_KEYS_FILE true : Forgejo will create an authorized_keys file by default when it is not using the internal SSH server. If you intend to use the AuthorizedKeysCommand functionality, then you should turn this off. SSH_AUTHORIZED_KEYS_BACKUP false : Enable SSH Authorized Key Backup when rewriting all keys; default is false. SSH_TRUSTED_USER_CA_KEYS : Specifies the public keys of certificate authorities that are trusted to sign user certificates for authentication. Multiple keys should be comma-separated. E.g. ssh- or ssh-, ssh- . For more information, see TrustedUserCAKeys in the sshd config man pages. When empty, no file will be created and SSH_AUTHORIZED_PRINCIPALS_ALLOW will default to off SSH_TRUSTED_USER_CA_KEYS_FILENAME RUN_USER /.ssh/gitea-trusted-user-ca-keys.pem : Absolute path of the TrustedUserCaKeys file Forgejo will manage. If you’re running your own SSH server and you want to use the Forgejo-managed file, you’ll also need to modify your sshd_config to point to this file. The official docker image will automatically work without further configuration. SSH_AUTHORIZED_PRINCIPALS_ALLOW off or username, email : [off, username, email, anything]: Specify the principals values that users are allowed to use as principal. When set to anything , no checks are done on the principal string. When set to off , authorized principals are not allowed to be set. SSH_CREATE_AUTHORIZED_PRINCIPALS_FILE false/true : Forgejo will create an authorized_principals file by default when it is not using the internal SSH server and SSH_AUTHORIZED_PRINCIPALS_ALLOW is not off SSH_AUTHORIZED_PRINCIPALS_BACKUP false/true : Enable SSH Authorized Principals Backup when rewriting all keys; default is true if SSH_AUTHORIZED_PRINCIPALS_ALLOW is not off SSH_AUTHORIZED_KEYS_COMMAND_TEMPLATE {{.AppPath}} --config={{.CustomConf}} serv key-{{.Key.ID}} : Set the template for the command to be passed for authorized keys. Possible keys are: AppPath AppWorkPath CustomConf CustomPath Key - where Key is a models/asymkey.PublicKey and the others are strings which are shell-quoted. SSH_SERVER_CIPHERS chacha20-poly1305@openssh.com , aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com aes256-gcm@openssh.com : For the built-in SSH server, choose the ciphers to support for SSH connections; for system SSH, this setting has no effect. SSH_SERVER_KEY_EXCHANGES curve25519-sha256, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group14-sha256, diffie-hellman-group14-sha1 : For the built-in SSH server, choose the key exchange algorithms to support for SSH connections; for system SSH, this setting has no effect. SSH_SERVER_MACS hmac-sha2-256-etm@openssh.com , hmac-sha2-256, hmac-sha1 : For the built-in SSH server, choose the MACs to support for SSH connections; for system SSH, this setting has no effect. SSH_SERVER_HOST_KEYS ssh/gitea.rsa, ssh/gogs.rsa : For the built-in SSH server, choose the keypairs to offer as the host key. The private key should be at SSH_SERVER_HOST_KEY and the public key at SSH_SERVER_HOST_KEY.pub . Relative paths are made absolute relative to the APP_DATA_PATH . If no key exists, a 4096-bit RSA key will be created for you. SSH_KEY_TEST_PATH /tmp : Directory to create temporary files in when testing public keys using ssh-keygen ; default is the system temporary directory. SSH_KEYGEN_PATH : Use ssh-keygen to parse public SSH keys. The value is passed to the shell. By default, Forgejo does the parsing itself. SSH_EXPOSE_ANONYMOUS false : Enable exposure of SSH clone URL to anonymous visitors; default is false. SSH_PER_WRITE_TIMEOUT 30s : Timeout for any write to the SSH connections. (Set to -1 to disable all timeouts.) SSH_PER_WRITE_PER_KB_TIMEOUT 10s : Timeout per KB written to SSH connections. MINIMUM_KEY_SIZE_CHECK true : Indicate whether to check minimum key size with corresponding type. OFFLINE_MODE true : Disables use of CDNs for static files and Gravatar for profile pictures. CERT_FILE https/cert.pem : Cert file path used for HTTPS. When chaining, the server certificate must come first, then intermediate CA certificates (if any). This is ignored if ENABLE_ACME=true . Paths are relative to CustomPath KEY_FILE https/key.pem : Key file path used for HTTPS. This is ignored if ENABLE_ACME=true . Paths are relative to CustomPath STATIC_ROOT_PATH StaticRootPath : Upper level of template and static files path. APP_DATA_PATH data /data/gitea on docker): Default path for application data. Relative paths will be made absolute against AppWorkPath STATIC_CACHE_TIME 6h : Web browser cache time for static resources on custom/ public/ and all uploaded avatars. Note that this cache is disabled when RUN_MODE is “dev”. ENABLE_GZIP false : Enable gzip compression for runtime-generated content; static resources excluded. ENABLE_PPROF false : Application profiling (memory and CPU). For the “web” command, it listens on localhost:6060 PPROF_DATA_PATH AppWorkPath /data/tmp/pprof PPROF_DATA_PATH , use an absolute path when you start Forgejo as a service. LANDING_PAGE : Landing page for unauthenticated users [home, explore, organizations, login, custom ]. Where custom would instead be any URL such as “/org/repo” or even LFS_START_SERVER false : Enables Git LFS support. LFS_CONTENT_PATH %(APP_DATA_PATH)s/lfs : Default LFS content path. (if it is on local storage.) DEPRECATED use settings in [lfs] LFS_JWT_SECRET : LFS authentication secret; change this to a unique base64-encoded 32-byte value. A new value can be generated with forgejo generate secret LFS_JWT_SECRET LFS_JWT_SECRET_URI : Instead of defining LFS_JWT_SECRET in the configuration, this option can be used to give Forgejo a path to a file that contains the secret (example value: file:/etc/forgejo/lfs_jwt_secret ). LFS_HTTP_AUTH_EXPIRY 24h : LFS authentication validity period in time.Duration ; pushes taking longer than this may fail. LFS_MAX_FILE_SIZE : Maximum allowed LFS file size in bytes (Set to 0 for no limit). LFS_LOCKS_PAGING_NUM 50 : Maximum number of LFS Locks returned per page. LFS_MAX_BATCH_SIZE 0: When clients make LFS batch requests, reject them if there are more pointers than this number. ‘0’ means ‘unlimited’. REDIRECT_OTHER_PORT false : If true and PROTOCOL is https, allows redirecting http requests on PORT_TO_REDIRECT to the https port Forgejo listens on. REDIRECTOR_USE_PROXY_PROTOCOL %(USE_PROXY_PROTOCOL)s : Expect PROXY protocol header on connections to the https redirector. PORT_TO_REDIRECT 80 : Port for the http redirection service to listen on. Used when REDIRECT_OTHER_PORT is true. SSL_MIN_VERSION TLSv1.2 : Set the minimum version of SSL/TLS support. SSL_MAX_VERSION : Set the maximum version of SSL/TLS support. SSL_CURVE_PREFERENCES X25519,P256 : Set the preferred curves. SSL_CIPHER_SUITES ecdhe_ecdsa_with_aes_256_gcm_sha384,ecdhe_rsa_with_aes_256_gcm_sha384,ecdhe_ecdsa_with_aes_128_gcm_sha256,ecdhe_rsa_with_aes_128_gcm_sha256,ecdhe_ecdsa_with_chacha20_poly1305,ecdhe_rsa_with_chacha20_poly1305 : Set the preferred cipher suites. If there is no hardware support for AES suites, by default the ChaCha suites will be preferred over the AES suites. Supported suites as of Go 1.18 are: TLS 1.0 - 1.2 cipher suites “rsa_with_rc4_128_sha” “rsa_with_3des_ede_cbc_sha” “rsa_with_aes_128_cbc_sha” “rsa_with_aes_256_cbc_sha” “rsa_with_aes_128_cbc_sha256” “rsa_with_aes_128_gcm_sha256” “rsa_with_aes_256_gcm_sha384” “ecdhe_ecdsa_with_rc4_128_sha” “ecdhe_ecdsa_with_aes_128_cbc_sha” “ecdhe_ecdsa_with_aes_256_cbc_sha” “ecdhe_rsa_with_rc4_128_sha” “ecdhe_rsa_with_3des_ede_cbc_sha” “ecdhe_rsa_with_aes_128_cbc_sha” “ecdhe_rsa_with_aes_256_cbc_sha” “ecdhe_ecdsa_with_aes_128_cbc_sha256” “ecdhe_rsa_with_aes_128_cbc_sha256” “ecdhe_rsa_with_aes_128_gcm_sha256” “ecdhe_ecdsa_with_aes_128_gcm_sha256” “ecdhe_rsa_with_aes_256_gcm_sha384” “ecdhe_ecdsa_with_aes_256_gcm_sha384” “ecdhe_rsa_with_chacha20_poly1305_sha256” “ecdhe_ecdsa_with_chacha20_poly1305_sha256” TLS 1.3 cipher suites “aes_128_gcm_sha256” “aes_256_gcm_sha384” “chacha20_poly1305_sha256” Aliased names “ecdhe_rsa_with_chacha20_poly1305” is an alias for “ecdhe_rsa_with_chacha20_poly1305_sha256” “ecdhe_ecdsa_with_chacha20_poly1305” is an alias for “ecdhe_ecdsa_with_chacha20_poly1305_sha256” ENABLE_ACME false : Flag to enable automatic certificate management via an ACME capable Certificate Authority (CA) server (default: Let’s Encrypt). If enabled, CERT_FILE and KEY_FILE are ignored, and the CA must resolve DOMAIN to this Forgejo server. Ensure that DNS records are set and either port 80 or port 443 are accessible by the CA server (the public internet by default), and redirected to the appropriate ports PORT_TO_REDIRECT or HTTP_PORT respectively. ACME_URL : The CA’s ACME directory URL; e.g. for a self-hosted smallstep CA server , it can look like . If left empty, it defaults to using Let’s Encrypt’s production CA (check ACME_ACCEPTTOS as well). ACME_ACCEPTTOS false : This is an explicit check that you accept the terms of service of the ACME provider. The default is Let’s Encrypt ACME_DIRECTORY https : Directory that the certificate manager will use to cache information such as certs and private keys. ACME_EMAIL : Email used for the ACME registration. Usually, it is to notify about problems with issued certificates. ACME_CA_ROOT : The CA’s root certificate. If left empty, it defaults to using the system’s trust chain. ALLOW_GRACEFUL_RESTARTS true : Perform a graceful restart on SIGHUP. GRACEFUL_HAMMER_TIME 60s : After a restart, the parent process will stop accepting new connections and will allow requests to finish before stopping. Shutdown will be forced if it takes longer than this time. STARTUP_TIMEOUT : Shuts down the server if startup takes longer than the provided time. Please note startup is determined by the opening of the listeners - HTTP/HTTPS/SSH. Indexers may take longer to start up and can have their own timeouts. Database ( database DB_TYPE : The database type to use [mysql, postgres, sqlite3]. HOST 127.0.0.1:3306 : Database host address and port or absolute path for a Unix socket [mysql, postgres] (e.g. /var/run/mysqld/mysqld.sock). HOST_PRIMARY : Database host address and port for the primary database node. Only applies for high availability setups which use a primary/secondary architecture. If defined, alongside with HOST_REPLICA HOST will be ignored. HOST_REPLICA : Database host address(es) and port(s) for the replica database node(s). Only applies for high availability setups which use a primary/secondary architecture. Must be coupled with HOST_PRIMARY . Multiple connection strings should be supplied as comma-separated values. LOAD_BALANCE_POLICY Random : XORM Load Balancing Policy for EngineGroup connections. Only applies if HOST_PRIMARY and HOST_REPLICAS are provided. Other possible values are: RoundRobin WeightRandom WeightRoundRobin , and LeastConn Note that "WeightRandom" and "WeightRoundRobin" also require setting LOAD_BALANCE_WEIGHTS LOAD_BALANCE_WEIGHTS : XORM Load Balancing Weights for EngineGroup connections. Only applies if HOST_PRIMARY and HOST_REPLICAS are provided and LOAD_BALANCE_POLICY is set to "WeightRandom" or WeightRoundRobin NAME forgejo : Database name. USER root : Database username. PASSWD : Database user password. Use `your password` or """your password""" for quoting if you use special characters in the password. PASSWD_URI : Instead of defining PASSWD in the configuration, this option can be used to give Forgejo a path to a file that contains the secret (example value: file:/etc/forgejo/db_passwd ). CHARSET_COLLATION empty : (MySQL only) Forgejo expects to use a case-sensitive collation for the database. Leave it empty to use the default collation. SCHEMA : For PostgreSQL only, schema to use if different from “public”. The schema must exist beforehand, the user must have creation privileges on it, and the user search path must be set to look into the schema first (e.g. ALTER USER user SET SEARCH_PATH = schema_name,"$user",public; ). SSL_MODE disable : SSL/TLS encryption mode for connecting to the database. This option is only applied for PostgreSQL and MySQL/MariaDB. Valid values for MySQL/MariaDB: true : Enable TLS with verification of the database server certificate against its root certificate. When selecting this option, make sure that the root certificate required to validate the database server certificate (e.g., the CA certificate) is on the system certificate store of both the database and Forgejo servers. See your system documentation for instructions on how to add a CA certificate to the certificate store. false : Disable TLS. disable : Alias for false , for compatibility with PostgreSQL. skip-verify : Enable TLS without database server certificate verification. Use this option if you have a self-signed or invalid certificate on the database server. prefer : Enable TLS with fallback to a non-TLS connection. Valid values for PostgreSQL: disable : Disable TLS. require : Enable TLS without any verifications. verify-ca : Enable TLS with verification of the database server certificate against its root certificate. verify-full : Enable TLS and verify the database server name matches the given certificate in either the Common Name or Subject Alternative Name fields. SQLITE_TIMEOUT 60000 : Query timeout for SQLite3 only. SQLITE_JOURNAL_MODE WAL : Change the SQLite journal mode. Forgejo configures SQLite to use WAL which improves concurrency by allowing concurrent reads during writes while mitigating database locks. WAL creates additional files besides forgejo.db; forgejo.db-shm and forgejo.db-wal. This setting can be overridden if required and defaults to WAL. See the SQLite3 docs for supported values ( DELETE WAL TRUNCATE PERSIST MEMORY OFF ). ITERATE_BUFFER_SIZE 50 : Internal buffer size for iterating. PATH data/forgejo.db : For SQLite3 only, the database file path. LOG_SQL false : Log the executed SQL. DB_RETRIES 10 : How many ORM init / DB connect attempts are allowed. DB_RETRY_BACKOFF 3s time.Duration to wait before trying another ORM init / DB connect attempt, if failure occurred. MAX_OPEN_CONNS 100 : Database maximum open connections. Default is 100, which is the lowest default from PostgreSQL (MariaDB + MySQL default to 151). Setting this value higher than your database server can handle will lead to issues. If you require high concurrency, try to increase this value for both Forgejo and your database server. MAX_IDLE_CONNS : Maximum idle database connections on the connection pool; default is 2 - this will be capped to MAX_OPEN_CONNS CONN_MAX_LIFETIME 0 or 3s : Sets the maximum amount of time a DB connection may be reused - default is 0, meaning there is no limit (except on MySQL/MariaDB where it is 3s - see #6804 & #7071). CONN_MAX_IDLETIME : Sets the maximum amount of time a DB connection may be idle - default is 0, meaning there is no limit. AUTO_MIGRATION true : Whether to execute database models migrations automatically. SLOW_QUERY_THRESHOLD 5s : Sets the threshold for SQL queries before they are logged as slow queries in the log. Please see #8540 & #8273 for further discussion of the appropriate values for MAX_OPEN_CONNS MAX_IDLE_CONNS CONN_MAX_LIFETIME and their relation to port exhaustion. Indexer ( indexer ISSUE_INDEXER_TYPE bleve : Issue indexer type, currently supported: bleve db elasticsearch , or meilisearch ISSUE_INDEXER_CONN_STR : ****: Issue indexer connection string, available when ISSUE_INDEXER_TYPE is elasticsearch (e.g. ) or meilisearch (e.g. http://:apikey@localhost:7700). ISSUE_INDEXER_NAME gitea_issues : Issue indexer name, available when ISSUE_INDEXER_TYPE is elasticsearch or meilisearch ISSUE_INDEXER_PATH indexers/issues.bleve : Index file used for issue search; available when ISSUE_INDEXER_TYPE is bleve . Relative paths will be made absolute against AppWorkPath REPO_INDEXER_ENABLED false : Enables code search (uses a lot of disk space, about 6 times more than the repository size). If disabled, code search will be limited within a single repository. REPO_INDEXER_REPO_TYPES sources,forks,mirrors,templates : Repo indexer units. The items to index could be sources forks mirrors templates , or any combination of them separated by a comma. If empty, then it defaults to sources only. To disable fully, please see REPO_INDEXER_ENABLED REPO_INDEXER_TYPE bleve : Code search engine type, could be bleve or elasticsearch REPO_INDEXER_PATH indexers/repos.bleve : Index file used for code search. REPO_INDEXER_CONN_STR : ****: Code indexer connection string, available when REPO_INDEXER_TYPE is elasticsearch . i.e., REPO_INDEXER_NAME gitea_codes : Code indexer name, available when REPO_INDEXER_TYPE is elasticsearch REPO_INDEXER_FUZZY_ENABLED false : Enables fuzzy search as an option for code search. REPO_INDEXER_INCLUDE empty : A comma-separated list of glob patterns (see ) to include in the index. Use **.txt to match any files with the .txt extension. An empty list means include all files. REPO_INDEXER_EXCLUDE empty : A comma-separated list of glob patterns (see ) to exclude from the index. Files that match this list will not be indexed, even if they match in REPO_INDEXER_INCLUDE REPO_INDEXER_EXCLUDE_VENDORED true : Exclude vendored files from the index. MAX_FILE_SIZE 1048576 : Maximum size in bytes of files to be indexed. STARTUP_TIMEOUT 30s : If the indexer takes longer than this timeout to start - fail. (This timeout will be added to the hammer time above for child processes - as bleve will not start until the previous parent is shut down.) Set to -1 to never timeout. Queue ( queue and queue.* Configuration at [queue] will set defaults for queues, with overrides for individual queues at [queue.*] . (However, see below.) TYPE level : General queue type, currently supported: level (uses a LevelDB internally), channel redis dummy . Invalid types are treated as level DATADIR queues/common : Base DataDir for storing level queues. DATADIR for individual queues can be set in queue.name sections. Relative paths will be made absolute against %(APP_DATA_PATH)s LENGTH 100000 : Maximal queue size before channel queues block. BATCH_LENGTH 20 : Batch data before passing to the handler. CONN_STR redis://127.0.0.1:6379/0 : Connection string for the Redis queue type. For redis-cluster , use redis+cluster://127.0.0.1:6379/0 . Options can be set using query params. Similarly, LevelDB options can also be set using: leveldb://relative/path?option=value or leveldb:///absolute/path?option=value , and will override DATADIR QUEUE_NAME _queue : The suffix for the default Redis and disk queue name. Individual queues will default to name QUEUE_NAME but can be overridden in the specific queue.name section. SET_NAME _unique : The suffix that will be added to the default Redis and disk queue set name for unique queues. Individual queues will default to name QUEUE_NAME SET_NAME but can be overridden in the specific queue.name section. MAX_WORKERS (dynamic) : Maximum number of worker go-routines for the queue. Default value is “CpuNum/2” clipped to between 1 and 10. Forgejo creates the following non-unique queues: code_indexer issue_indexer notification-service task mail push_update And the following unique queues: repo_stats_update repo-archive mirror pr_patch_checker Admin ( admin DEFAULT_EMAIL_NOTIFICATIONS enabled : Default configuration for email notifications for users (user configurable). Options: enabled, onmention, disabled. DISABLE_REGULAR_ORG_CREATION false : Disallow regular (non-admin) users from creating organizations. USER_DISABLED_FEATURES empty : Disabled features for users, could be deletion manage_ssh_keys manage_gpg_keys manage_password ; more features may be added in the future. deletion : User cannot delete their own account. manage_ssh_keys : User cannot configure SSH keys. manage_gpg_keys : User cannot configure GPG keys. manage_password : User cannot configure their password. EXTERNAL_USER_DISABLE_FEATURES empty : Comma-separated list of disabled features ONLY if the user has an external login type (e.g., LDAP, Oauth, etc.), could be deletion manage_ssh_keys manage_gpg_keys manage_password . This setting is independent from USER_DISABLED_FEATURES and supplements the behavior of USER_DISABLED_FEATURES deletion : User cannot delete their own account. manage_ssh_keys : User cannot configure SSH keys. manage_gpg_keys : User cannot configure GPG keys. manage_password : User cannot configure their password. SEND_NOTIFICATION_EMAIL_ON_NEW_USER false : Enable email notifications to instance admins on new user sign-up. It requires ENABLE_NOTIFY_MAIL to be true. Security ( security INSTALL_LOCK false : Controls access to the installation page. When set to “true”, the installation page is not accessible. SECRET_KEY : Global secret key. This key is VERY IMPORTANT; if you lose it, data encrypted by it (like 2FA secrets) can no longer be decrypted. A new value can be generated with forgejo generate secret SECRET_KEY SECRET_KEY_URI : Instead of defining SECRET_KEY , this option can be used to use the key stored in a file (example value: file:/etc/forgejo/secret_key ). It shouldn’t be lost, like SECRET_KEY LOGIN_REMEMBER_DAYS 31 : Cookie lifetime, in days. GLOBAL_TWO_FACTOR_REQUIREMENT none : Which users are required to enable 2FA. One of “none”, “all”, “admin”. none : No user is required to enable 2FA all : All users are required to enable 2FA admin : Every admin is required to enable 2FA COOKIE_REMEMBER_NAME persistent : Name of the cookie used to store authentication information. Must not be the same as [session].COOKIE_NAME REVERSE_PROXY_AUTHENTICATION_USER X-WEBAUTH-USER : Header name for reverse proxy authentication. REVERSE_PROXY_AUTHENTICATION_EMAIL X-WEBAUTH-EMAIL : Header name for reverse proxy authentication provided email. REVERSE_PROXY_AUTHENTICATION_FULL_NAME X-WEBAUTH-FULLNAME : Header name for reverse proxy authentication provided full name. REVERSE_PROXY_LIMIT : Interpret the X-Forwarded-For header or the X-Real-IP header and set this as the remote IP for the request. Number of trusted proxy count. Set to zero to not use these headers. REVERSE_PROXY_TRUSTED_PROXIES 127.0.0.0/8,::1/128 : List of IP addresses and networks separated by commas of trusted proxy servers. Use to trust all. DISABLE_GIT_HOOKS true : Set to false to enable users with Git Hook privilege to create custom Git Hooks. WARNING: Custom Git Hooks can be used to perform arbitrary code execution on the host operating system. This enables users to access and modify this config file and the Forgejo database and interrupt the Forgejo service. By modifying the Forgejo database, users can gain Forgejo administrator privileges. It also enables them to access other resources available to the user on the operating system that is running the Forgejo instance and perform arbitrary actions in the name of the Forgejo OS user. This may be harmful to your website or your operating system. Setting this to true does not change existing hooks in git repos; adjust them beforehand if necessary. DISABLE_WEBHOOKS false : Set to true to disable the webhooks feature. ONLY_ALLOW_PUSH_IF_GITEA_ENVIRONMENT_SET true : Set to false to allow local users to push to Forgejo repositories without setting up the Forgejo environment. This is not recommended, and if you want local users to push to Forgejo repositories, you should set the environment appropriately. IMPORT_LOCAL_PATHS false : Set to false to prevent all users (including admin) from importing local paths on the server. INTERNAL_TOKEN : Secret used to validate communication within the Forgejo binary. A new value can be generated with forgejo generate secret INTERNAL_TOKEN INTERNAL_TOKEN_URI : Instead of defining INTERNAL_TOKEN in the configuration, this option can be used to give Forgejo a path to a file that contains the internal token (example value: file:/etc/forgejo/internal_token ). PASSWORD_HASH_ALGO pbkdf2 : The hash algorithm to use [argon2, pbkdf2, pbkdf2_v1, pbkdf2_hi, scrypt, bcrypt]; argon2 and scrypt require significant amounts of memory. Note: The default parameters for pbkdf2 hashing have changed - the previous settings are available as pbkdf2_v1 but are not recommended. The hash functions may be tuned by using after the algorithm: argon2$