reorder security variables and add have I been pwned var

README.md

@@ -136,7 +136,14 @@ Here is a deeper insight into the variables of this gitea role. For the exact fu
 | `gitea_repo_indexer_max_file_size` | `1048576` | Maximum size in bytes of files to be indexed. |
 | `gitea_indexer_extra_config` | `''` | you can use this variable to pass additional config parameters in the `[indexer]` section of the config. |
 
-
+### Security ([security](https://docs.gitea.io/en-us/config-cheat-sheet/#security-security))
+| variable name | default value | description |
+| ------------- | ------------- | ----------- |
+| `gitea_secret_key` | `''` | Global secret key. Will be autogenerated if not defined. Should be unique. |
+| `gitea_internal_token` | `''` | Internal API token. Will be autogenerated if not defined. Should be unique. |
+| `gitea_disable_git_hooks` | `true` | Set to false to enable users with git hook privilege to create custom git hooks. Can be dangerous. |
+| `gitea_password_check_pwn` | `false` | Check [HaveIBeenPwned](https://haveibeenpwned.com/Passwords) to see if a password has been exposed. |
+| `gitea_security_extra_config` | `''` | you can use this variable to pass additional config parameters in the `[security]` section of the config. |
 
 
 
@@ -159,9 +166,6 @@ Here is a deeper insight into the variables of this gitea role. For the exact fu
 ### Security
 | variable name | default value | description |
 | ------------- | ------------- | ----------- |
-| `gitea_secret_key` | `''` | Global secret key. Will be autogenerated if not defined. Should be unique. |
-| `gitea_internal_token` | `''` | Internal API token. Will be autogenerated if not defined. Should be unique. |
-| `gitea_disable_git_hooks` | `true` | Set to false to enable users with git hook privilege to create custom git hooks. Can be dangerous. |
 | `gitea_oauth2_jwt_secret` | `''` | Oauth2 JWT secret. Can be generated with ``gitea generate secret JWT_SECRET``. Will be autogenerated if not defined. |
 
 

defaults/main.yml

@@ -70,6 +70,14 @@ gitea_repo_exclude_vendored: true
 gitea_repo_indexer_max_file_size: '1048576'
 gitea_indexer_extra_config: ''
 
+# Security (security)
+# -> https://docs.gitea.io/en-us/config-cheat-sheet/#security-security
+gitea_secret_key: ''
+gitea_internal_token: ''
+gitea_disable_git_hooks: true
+gitea_password_check_pwn: false
+gitea_security_extra_config: ''
+
 # look and feel
 gitea_disable_gravatar: true
 gitea_disable_registration: false
@@ -82,9 +90,6 @@ gitea_enable_notify_mail: false
 gitea_auto_watch_new_repos: true
 
 # security
-gitea_secret_key: ''
-gitea_internal_token: ''
-gitea_disable_git_hooks: true
 gitea_lfs_jwt_secret: ''
 gitea_oauth2_jwt_secret: ''
 

templates/gitea.ini.j2

@@ -86,19 +86,17 @@ MAX_FILE_SIZE                 = {{ gitea_repo_indexer_max_file_size }}
 {{ gitea_indexer_extra_config }}
 ;
 ;
-;
+; -> https://docs.gitea.io/en-us/config-cheat-sheet/#security-security
-
-
 [security]
-; Whether the installer is disabled
 INSTALL_LOCK        = true
-; !!CHANGE THIS TO KEEP YOUR USER DATA SAFE!!
 SECRET_KEY          = {{ gitea_secret_key }}
 INTERNAL_TOKEN      = {{ gitea_internal_token }}
-; How long to remember that an user is logged in before requiring relogin (in days)
-LOGIN_REMEMBER_DAYS = 7
 DISABLE_GIT_HOOKS   = {{ gitea_disable_git_hooks | ternary('true', 'false') }}
-
+PASSWORD_CHECK_PWN  = {{ gitea_password_check_pwn | ternary('true', 'false') }}
+{{ gitea_security_extra_config }}
+;
+;
+;
 [service]
 ; Disallow registration, only allow admins to create accounts.
 DISABLE_REGISTRATION    = {{ gitea_disable_registration }}