From ced73dde9883f7f2e38c44eea4468b38c94c1986 Mon Sep 17 00:00:00 2001
From: L3D
Date: Sun, 21 Mar 2021 22:45:27 +0100
Subject: [PATCH] reorder security variables and add have I been pwned var
---
 README.md | 12 ++++++++----
 defaults/main.yml | 11 ++++++++---
 templates/gitea.ini.j2 | 14 ++++++--------
 3 files changed, 22 insertions(+), 15 deletions(-)
diff --git a/README.md b/README.md
index 74784cd..efe3dba 100644
--- a/README.md
+++ b/README.md
@@ -136,7 +136,14 @@ Here is a deeper insight into the variables of this gitea role. For the exact fu
 | `gitea_repo_indexer_max_file_size` | `1048576` | Maximum size in bytes of files to be indexed. |
 | `gitea_indexer_extra_config` | `''` | you can use this variable to pass additional config parameters in the `[indexer]` section of the config. |
-
+### Security ([security](https://docs.gitea.io/en-us/config-cheat-sheet/#security-security))
+| variable name | default value | description |
+| ------------- | ------------- | ----------- |
+| `gitea_secret_key` | `''` | Global secret key. Will be autogenerated if not defined. Should be unique. |
+| `gitea_internal_token` | `''` | Internal API token. Will be autogenerated if not defined. Should be unique. |
+| `gitea_disable_git_hooks` | `true` | Set to false to enable users with git hook privilege to create custom git hooks. Can be dangerous. |
+| `gitea_password_check_pwn` | `false` | Check [HaveIBeenPwned](https://haveibeenpwned.com/Passwords) to see if a password has been exposed. |
+| `gitea_security_extra_config` | `''` | you can use this variable to pass additional config parameters in the `[security]` section of the config. |
@@ -159,9 +166,6 @@ Here is a deeper insight into the variables of this gitea role. For the exact fu
 ### Security
 | variable name | default value | description |
 | ------------- | ------------- | ----------- |
-| `gitea_secret_key` | `''` | Global secret key. Will be autogenerated if not defined. Should be unique. |
-| `gitea_internal_token` | `''` | Internal API token. Will be autogenerated if not defined. Should be unique. |
-| `gitea_disable_git_hooks` | `true` | Set to false to enable users with git hook privilege to create custom git hooks. Can be dangerous. |
 | `gitea_oauth2_jwt_secret` | `''` | Oauth2 JWT secret. Can be generated with ``gitea generate secret JWT_SECRET``. Will be autogenerated if not defined. |
diff --git a/defaults/main.yml b/defaults/main.yml
index 0eabc93..55012c2 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -70,6 +70,14 @@ gitea_repo_exclude_vendored: true
 gitea_repo_indexer_max_file_size: '1048576'
 gitea_indexer_extra_config: ''
+# Security (security)
+# -> https://docs.gitea.io/en-us/config-cheat-sheet/#security-security
+gitea_secret_key: ''
+gitea_internal_token: ''
+gitea_disable_git_hooks: true
+gitea_password_check_pwn: false
+gitea_security_extra_config: ''
+
 # look and feel
 gitea_disable_gravatar: true
 gitea_disable_registration: false
@@ -82,9 +90,6 @@ gitea_enable_notify_mail: false
 gitea_auto_watch_new_repos: true
 # security
-gitea_secret_key: ''
-gitea_internal_token: ''
-gitea_disable_git_hooks: true
 gitea_lfs_jwt_secret: ''
 gitea_oauth2_jwt_secret: ''
diff --git a/templates/gitea.ini.j2 b/templates/gitea.ini.j2
index c0603fa..a38f2ed 100644
--- a/templates/gitea.ini.j2
+++ b/templates/gitea.ini.j2
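Review bot: The new `# Security (security)` block in the first hunk of defaults/main.yml leaves `gitea_lfs_jwt_secret` and `gitea_oauth2_jwt_secret` behind in the old `# security` block of the second hunk, so the file now has two security sections that read as one, and README.md ends up with two `### Security` tables the same way. Either move the two JWT secrets up under the cheat-sheet link or retitle the remaining block so the split is deliberate, e.g. `# security: JWT secrets (kept separate from the [security] ini section)`. `gitea_password_check_pwn: false` would also benefit from a comment that enabling it makes Gitea query the external HaveIBeenPwned password API, so the host needs outbound HTTPS and password changes gain a network dependency: `# true -> Gitea checks passwords against the HaveIBeenPwned API (needs outbound HTTPS)`.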
@@ -86,19 +86,17 @@ MAX_FILE_SIZE = {{ gitea_repo_indexer_max_file_size }}
 {{ gitea_indexer_extra_config }}
 ;
 ;
-;
-
-
+; -> https://docs.gitea.io/en-us/config-cheat-sheet/#security-security
 [security]
-; Whether the installer is disabled
 INSTALL_LOCK = true
-; !!CHANGE THIS TO KEEP YOUR USER DATA SAFE!!
 SECRET_KEY = {{ gitea_secret_key }}
 INTERNAL_TOKEN = {{ gitea_internal_token }}
-; How long to remember that an user is logged in before requiring relogin (in days)
-LOGIN_REMEMBER_DAYS = 7
 DISABLE_GIT_HOOKS = {{ gitea_disable_git_hooks | ternary('true', 'false') }}
-
+PASSWORD_CHECK_PWN = {{ gitea_password_check_pwn | ternary('true', 'false') }}
+{{ gitea_security_extra_config }}
+;
+;
+;
 [service]
 ; Disallow registration, only allow admins to create accounts.
 DISABLE_REGISTRATION = {{ gitea_disable_registration }}
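Review bot: Dropping `; !!CHANGE THIS TO KEEP YOUR USER DATA SAFE!!` removes the only hint that `SECRET_KEY = {{ gitea_secret_key }}` renders as an empty value under the role's default `''`, while `INSTALL_LOCK = true` stays hardcoded two lines above it. Whether Gitea then generates a key on first start or falls back to a fixed built-in default appears to depend on the Gitea version, so the README's "Will be autogenerated if not defined" should be checked against the release the role targets; until then keep a comment on the line, e.g. `; leave empty only if the target Gitea version generates SECRET_KEY itself; otherwise set gitea_secret_key to a unique random value`. The hunk also removes `LOGIN_REMEMBER_DAYS = 7` with no variable replacing it; if that matches Gitea's built-in default it is harmless, but it is neither a reorder nor the HIBP addition the subject line describes and deserves a mention in the commit message. Rendering `{{ gitea_security_extra_config }}` verbatim is fine for an operator-controlled value, but a blank default produces an empty line inside `[security]`, which is harmless for ini parsing.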