bugfix (3d viewer): fixed a typo that prevented the script from working (#227)

Reviewed-on: https://gitea.com/gitea/docs/pulls/227
Reviewed-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: recoolcz <recoolcz@noreply.gitea.com>
Co-committed-by: recoolcz <recoolcz@noreply.gitea.com>

.editorconfig

@@ -0,0 +1,13 @@
+root = true
+
+[*]
+indent_style = space
+indent_size = 2
+tab_width = 2
+end_of_line = lf
+charset = utf-8
+trim_trailing_whitespace = true
+insert_final_newline = true
+
+[Makefile]
+indent_style = tab

.gitattributes

@@ -0,0 +1 @@
+* text=auto eol=lf

.gitea/workflows/build-and-publish.yaml

@@ -0,0 +1,48 @@
+name: Build and Publish Docs site
+run-name: docusaurus build docs site
+
+on:
+  push:
+    branches:
+      - main
+
+jobs:
+  build-docs:
+    runs-on: ubuntu-22.04
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 20
+          cache: npm
+      - name: install necessary tools
+        run: |
+          apt update -y && apt install -y rsync python3 python3-pip python-is-python3
+          pip install awscli
+      - name: prepare awesome list
+        run: |
+          make prepare-awesome-latest prepare-awesome\#23 prepare-awesome\#22 prepare-awesome\#21 prepare-awesome\#20 prepare-awesome\#19
+      - name: Cache ~/.npm for npm ci
+        uses: actions/cache@v4
+        with:
+          path: ~/.npm
+          key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
+          restore-keys: ${{ runner.os }}-node
+
+      - name: Install dependencies
+        run: npm ci
+
+      #- uses: tats-u/docuactions-cache@v1
+      - name: build site
+        run: |
+          make build
+      - name: aws credential configure
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-access-key-id: ${{ secrets.AWS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY}}
+          aws-region: ${{ secrets.AWS_REGION}}
+      - name: Copy files to the production website with the AWS CLI
+        run: |
+          aws s3 sync build/ s3://docs-gitea-com
+          aws cloudfront create-invalidation --distribution-id ${{ secrets.AWS_DISTRIBUTION}} --paths '/*'

.gitea/workflows/test.yaml

@@ -0,0 +1,31 @@
+name: checks
+
+on:
+  - pull_request
+
+jobs:
+  build-docs:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 20
+          cache: npm
+      - name: prepare awesome list
+        run: |
+          make prepare-awesome-latest prepare-awesome\#23 prepare-awesome\#22 prepare-awesome\#21 prepare-awesome\#20 prepare-awesome\#19
+      - name: Cache ~/.npm for npm ci
+        uses: actions/cache@v4
+        with:
+          path: ~/.npm
+          key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
+          restore-keys: ${{ runner.os }}-node
+
+      - name: Install dependencies
+        run: npm ci
+
+      #- uses: tats-u/docuactions-cache@v1
+      - name: build site
+        run: |
+          make build

.gitea/workflows/update_swagger.yaml

@@ -0,0 +1,36 @@
+name: update swagger files
+
+on:
+  schedule:
+    - cron:  '0 */12 * * *' # every 12 hours on the hour
+  workflow_dispatch:
+
+jobs:
+  update-swagger:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - run: |
+          wget https://raw.githubusercontent.com/go-gitea/gitea/refs/heads/main/templates/swagger/v1_json.tmpl
+          sed -i "$@" 's\"version": "{{AppVer | JSEscape}}"\"version": "dev"\' v1_json.tmpl
+          sed -i "$@" 's\"basePath": "{{AppSubUrl | JSEscape}}/api/v1"\"basePath": "https://gitea.com/api/v1"\' v1_json.tmpl
+          mv v1_json.tmpl static/swagger-latest.json
+
+          for ver in '1.24.0-rc0' '1.23.8' '1.22.6' '1.21.11' '1.20.6' '1.19.4'; do
+            wget https://raw.githubusercontent.com/go-gitea/gitea/refs/tags/v${ver}/templates/swagger/v1_json.tmpl
+            sed -i "$@" "s|\"version\": \"{{AppVer \| JSEscape}}\"|\"version\": \"${ver}\"|" v1_json.tmpl
+            sed -i "$@" 's\"basePath": "{{AppSubUrl | JSEscape}}/api/v1"\"basePath": "https://gitea.com/api/v1"\' v1_json.tmpl
+            # for version < 1.21.11
+            sed -i "$@" "s|\"version\": \"{{AppVer \| JSEscape \| Safe}}\"|\"version\": \"${ver}\"|" v1_json.tmpl
+            sed -i "$@" 's\"basePath": "{{AppSubUrl | JSEscape | Safe}}/api/v1"\"basePath": "https://gitea.com/api/v1"\' v1_json.tmpl
+            minor=$(echo "$ver" | cut -d '.' -f 2)
+            mv v1_json.tmpl static/swagger-$minor.json
+          done
+
+          if ! [[ $(git diff --shortstat) ]]; then exit 0; fi
+          git config --global user.name "Gitea Bot"
+          git config --global user.email "teabot@gitea.io"
+          git remote set-url origin https://x-access-token:${{ secrets.DEPLOY_TOKEN }}@gitea.com/gitea/docs.git
+          git add --all
+          git commit -m "[skip ci] Updated swagger files"
+          git push

.gitignore

@@ -0,0 +1,23 @@
+# Dependencies
+/node_modules
+
+# Production
+/build
+
+# Generated files
+.docusaurus
+.cache-loader
+
+# Misc
+.DS_Store
+.env.local
+.env.development.local
+.env.test.local
+.env.production.local
+
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*
+
+.tmp/
+awesome.md

.npmrc

@@ -0,0 +1,5 @@
+audit=false
+fund=false
+update-notifier=false
+package-lock=true
+lockfile-version=3

LICENSE

@@ -0,0 +1,202 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

Makefile

@@ -0,0 +1,54 @@
+export NODE_OPTIONS := "--max-old-space-size=8192"
+
+GITEA_AWESOME_REMOTE := https://gitea.com/gitea/awesome-gitea.git
+GITEA_AWESOME_BRANCH := main
+
+.PHONY: all
+all: build
+
+.PHONY: create_dir
+create_dir:
+	mkdir -p .tmp awesome
+
+.PHONY: clone_awesome
+clone_awesome: create_dir
+	git clone --branch=$(GITEA_AWESOME_BRANCH) $(GITEA_AWESOME_REMOTE) .tmp/upstream-awesome || true
+
+.PHONY: prepare-awesome-latest
+prepare-awesome-latest: clone_awesome
+	cp .tmp/upstream-awesome/README.md docs/awesome.md
+
+.PHONY: prepare-awesome\#%
+prepare-awesome\#%:
+	cp .tmp/upstream-awesome/README.md  versioned_docs/version-1.$*/awesome.md
+
+.PHONY: install
+install:
+	npm install
+
+.PHONY: prepare-docs
+prepare-docs: install prepare-awesome-latest prepare-awesome\#19 prepare-awesome\#20 prepare-awesome\#21 prepare-awesome\#22 prepare-awesome\#23 prepare-awesome\#24
+
+.PHONY: build
+build:
+	npm run build
+
+.PHONY: serve
+serve: prepare-docs
+	npm run start
+
+.PHONY: serve-zh
+serve-zh: prepare-docs
+	npm run start -- --locale zh-cn
+
+.PHONY: clean
+clean:
+	rm -rf .tmp
+	rm -rf static/_*
+	rm -rf static/swagger-latest.json
+	rm -rf static/swagger-19.json
+	rm -rf static/swagger-20.json
+	rm -rf static/swagger-21.json
+	rm -rf static/swagger-22.json
+	rm -rf static/swagger-23.json
+	rm -rf static/swagger-24.json

README.md

@@ -0,0 +1,23 @@
+# Gitea Docs ![badge](https://gitea.com/gitea/docs/actions/workflows/build-and-publish.yaml/badge.svg)
+
+## How to build
+
+```shell
+make clean
+make prepare-docs
+make build
+```
+
+## Development
+
+```shell
+make clean
+make prepare-docs
+make serve
+```
+
+## Test en version
+
+```shell
+npm run start
+```

administration/mail-templates.zh-cn.md

@@ -1,261 +0,0 @@
----
-date: "2023-05-23T09:00:00+08:00"
-title: "邮件模板"
-slug: "mail-templates"
-sidebar_position: 45
-toc: false
-draft: false
-aliases:
-  - /zh-cn/mail-templates
-menu:
-  sidebar:
-    parent: "administration"
-    name: "邮件模板"
-    sidebar_position: 45
-    identifier: "mail-templates"
----
-
-# 邮件模板
-
-为了定制特定操作的电子邮件主题和内容，可以使用模板来自定义 Gitea。这些功能的模板位于 [`custom` 目录](administration/customizing-gitea.md) 下。
-如果没有自定义的替代方案，Gitea 将使用内部模板作为默认模板。
-
-自定义模板在 Gitea 启动时加载。对它们的更改在 Gitea 重新启动之前不会被识别。
-
-## 支持模板的邮件通知
-
-目前，以下通知事件使用模板：
-
-| 操作名称   | 用途                                                                                    |
-| ----------- | ------------------------------------------------------------------------------------------------------------ |
-| `new`       | 创建了新的工单或合并请求。                                                                    |
-| `comment`   | 在现有工单或合并请求中创建了新的评论。                                                          |
-| `close`     | 关闭了工单或合并请求。                                                                         |
-| `reopen`    | 重新打开了工单或合并请求。                                                                       |
-| `review`    | 在合并请求中进行审查的首要评论。                                                               |
-| `approve`   | 对合并请求进行批准的首要评论。                                                                 |
-| `reject`    | 对合并请求提出更改请求的审查的首要评论。                                                       |
-| `code`      | 关于合并请求的代码的单个评论。                                                                 |
-| `assigned`  | 用户被分配到工单或合并请求。                                                                    |
-| `default`   | 未包括在上述类别中的任何操作，或者当对应类别的模板不存在时使用的模板。                              |
-
-特定消息类型的模板路径为：
-
-```sh
-custom/templates/mail/{操作类型}/{操作名称}.tmpl
-```
-
-其中 `{操作类型}` 是 `issue` 或 `pull`（针对合并请求），`{操作名称}` 是上述列出的操作名称之一。
-
-例如，有关合并请求中的评论的电子邮件的特定模板是：
-
-```sh
-custom/templates/mail/pull/comment.tmpl
-```
-
-然而，并不需要为每个操作类型/名称组合创建模板。
-使用回退系统来选择适当的模板。在此列表中，将使用 _第一个存在的_ 模板：
-
-- 所需**操作类型**和**操作名称**的特定模板。
-- 操作类型为 `issue` 和所需**操作名称**的模板。
-- 所需**操作类型**和操作名称为 `default` 的模板。
-- 操作类型为` issue` 和操作名称为 `default` 的模板。
-
-唯一必需的模板是操作类型为 `issue` 操作名称为 `default` 的模板，除非用户在 `custom` 目录中覆盖了它。
-
-## 模板语法
-
-邮件模板是 UTF-8 编码的文本文件，需要遵循以下格式之一：
-
-```
-用于主题行的文本和宏
-------------
-用于邮件正文的文本和宏
-```
-
-或者
-
-```
-用于邮件正文的文本和宏
-```
-
-指定 _主题_ 部分是可选的（因此也是虚线分隔符）。在使用时，_主题_ 和 _邮件正文_ 模板之间的分隔符需要至少三个虚线；分隔符行中不允许使用其他字符。
-
-_主题_ 和 _邮件正文_ 由 [Golang的模板引擎](https://go.dev/pkg/text/template/) 解析，并提供了为每个通知组装的 _元数据上下文_。上下文包含以下元素：
-
-| 名称                 | 类型               | 可用性            | 用途                                                                                                                                                                                                                                             |
-| -------------------- | ------------------ | ----------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `.FallbackSubject`   | string             | 始终可用        | 默认主题行。参见下文。                                                                                                                                                                                                                            |
-| `.Subject`           | string             | 仅在正文中可用  | 解析后的 _主题_。                                                                                                                                                                                                                                 |
-| `.Body`              | string             | 始终可用        | 工单、合并请求或评论的消息，从 Markdown 解析为 HTML 并进行了清理。请勿与 _邮件正文_ 混淆。                                                                                                                                                                 |
-| `.Link`              | string             | 始终可用        | 源工单、合并请求或评论的地址。                                                                                                                                                                                                                    |
-| `.Issue`             | models.Issue       | 始终可用        | 产生通知的工单（或合并请求）。要获取特定于合并请求的数据（例如 `HasMerged`），可以使用 `.Issue.PullRequest`，但需要注意，如果工单 _不是_ 合并请求，则该字段将为 `nil`。                                                                       |
-| `.Comment`           | models.Comment     | 如果适用        | 如果通知是针对添加到工单或合并请求的评论，则其中包含有关评论的信息。                                                                                                                                                                             |
-| `.IsPull`            | bool               | 始终可用        | 如果邮件通知与合并请求关联（即 `.Issue.PullRequest` 不为 `nil` ），则为 `true`。                                                                                                                                                                       |
-| `.Repo`              | string         | 始终可用        | 仓库的名称，包括所有者名称（例如 `mike/stuff`）                                                                                                                                                                                                    |
-| `.User`              | models.User        | 始终可用        | 事件来源仓库的所有者。要获取用户名（例如 `mike`），可以使用 `.User.Name`。                                                                                                                                                                           |
-| `.Doer`              | models.User        | 始终可用        | 执行触发通知事件的操作的用户。要获取用户名（例如 `rhonda`），可以使用 `.Doer.Name`。                                                                                                                                                                |
-| `.IsMention`         | bool               | 始终可用        | 如果此通知仅是因为在评论中提到了用户而生成的，并且收件人未订阅源，则为 `true`。如果收件人已订阅工单或仓库，则为 `false`。                                                                                                                            |
-| `.SubjectPrefix`     | string             | 始终可用        | 如果通知是关于除工单或合并请求创建之外的其他内容，则为 `Re：`；否则为空字符串。                                                                                                                                                                      |
-| `.ActionType`        | string             | 始终可用        | `"issue"` 或 `"pull"`。它将与实际的 _操作类型_ 对应，与选择的模板无关。                                                                                                                                                                                 |
-| `.ActionName`        | string             | 始终可用        | 它将是上述操作类型之一（`new` ，`comment` 等），并与选择的模板对应。                                                                                                                                                                                 |
-| `.ReviewComments`    | []models.Comment   | 始终可用        | 审查中的代码评论列表。评论文本将在 `.RenderedContent` 中，引用的代码将在 `.Patch` 中。                                                                                                                                                                |
-
-所有名称区分大小写。
-
-### 模板中的主题部分
-
-用于邮件主题的模板引擎是 Golang 的 [`text/template`](https://go.dev/pkg/text/template/)。
-有关语法的详细信息，请参阅链接的文档。
-
-主题构建的步骤如下：
-
-- 根据通知类型和可用的模板选择一个模板。
-- 解析并解析模板（例如，将 `{{.Issue.Index}}` 转换为工单或合并请求的编号）。
-- 将所有空格字符（例如 `TAB`，`LF` 等）转换为普通空格。
-- 删除所有前导、尾随和多余的空格。
-- 将字符串截断为前 256 个字母（字符）。
-
-如果最终结果为空字符串，**或者**没有可用的主题模板（即所选模板不包含主题部分），将使用Gitea的**内部默认值**。
-
-内部默认（回退）主题相当于：
-
-```
-{{.SubjectPrefix}}[{{.Repo}}] {{.Issue.Title}} (#{{.Issue.Index}})
-```
-
-例如：`Re: [mike/stuff] New color palette (#38)`
-
-即使存在有效的主题模板，Gitea的默认主题也可以在模板的元数据中作为 `.FallbackSubject` 找到。
-
-### 模板中的邮件正文部分
-
-用于邮件正文的模板引擎是 Golang 的 [`html/template`](https://go.dev/pkg/html/template/)。
-有关语法的详细信息，请参阅链接的文档。
-
-邮件正文在邮件主题之后进行解析，因此还有一个额外的 _元数据_ 字段，即在考虑所有情况之后实际呈现的主题。
-
-期望的结果是 HTML（包括结构元素，如`<html>`，`<body>`等）。可以通过 `<style>` 块、`class` 和 `style` 属性进行样式设置。但是，`html/template` 会进行一些 [自动转义](https://go.dev/pkg/html/template/#hdr-Contexts)，需要考虑这一点。
-
-不支持附件（例如图像或外部样式表）。但是，也可以引用其他模板，例如以集中方式提供 `<style>` 元素的内容。外部模板必须放置在 `custom/mail` 下，并相对于该目录引用。例如，可以使用 `{{template styles/base}}` 包含 `custom/mail/styles/base.tmpl`。
-
-邮件以 `Content-Type: multipart/alternative` 发送，因此正文以 HTML 和文本格式发送。通过剥离 HTML 标记来获取文本版本。
-
-## 故障排除
-
-邮件的呈现方式直接取决于邮件应用程序的功能。许多邮件客户端甚至不支持 HTML，因此显示生成邮件中包含的文本版本。
-
-如果模板无法呈现，则只有在发送邮件时才会注意到。
-如果主题模板失败，将使用默认主题，如果从 _邮件正文_ 中成功呈现了任何内容，则将使用该内容，忽略其他内容。
-
-如果遇到问题，请检查 [Gitea的日志](administration/logging-config.md) 以获取错误消息。
-
-## 示例
-
-`custom/templates/mail/issue/default.tmpl`:
-
-```html
-[{{.Repo}}] @{{.Doer.Name}}
-{{if eq .ActionName "new"}}
-    创建了
-{{else if eq .ActionName "comment"}}
-    评论了
-{{else if eq .ActionName "close"}}
-    关闭了
-{{else if eq .ActionName "reopen"}}
-    重新打开了
-{{else}}
-    更新了
-{{end}}
-{{if eq .ActionType "issue"}}
-    工单
-{{else}}
-    合并请求
-{{end}}
-#{{.Issue.Index}}: {{.Issue.Title}}
-------------
-<!DOCTYPE html>
-<html>
-<head>
-    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
-    <title>{{.Subject}}</title>
-</head>
-
-<body>
-    {{if .IsMention}}
-    <p>
-        您收到此邮件是因为 @{{.Doer.Name}} 提到了您。
-    </p>
-    {{end}}
-    <p>
-        <p>
-        <a href="{{AppUrl}}/{{.Doer.LowerName}}">@{{.Doer.Name}}</a>
-        {{if not (eq .Doer.FullName "")}}
-            ({{.Doer.FullName}})
-        {{end}}
-        {{if eq .ActionName "new"}}
-            创建了
-        {{else if eq .ActionName "close"}}
-            关闭了
-        {{else if eq .ActionName "reopen"}}
-            重新打开了
-        {{else}}
-            更新了
-        {{end}}
-        <a href="{{.Link}}">{{.Repo}}#{{.Issue.Index}}</a>。
-        </p>
-        {{if not (eq .Body "")}}
-            <h3>消息内容：</h3>
-            <hr>
-            {{.Body}}
-        {{end}}
-    </p>
-    <hr>
-    <p>
-        <a href="{{.Link}}">在 Gitea 上查看</a>。
-    </p>
-</body>
-</html>
-```
-
-该模板将生成以下内容：
-
-### 主题
-
-> [mike/stuff] @rhonda 在合并请求 #38 上进行了评论：New color palette
-
-### 邮件正文
-
-> [@rhonda](#)（Rhonda Myers）更新了 [mike/stuff#38](#)。
->
-> #### 消息内容
->
-> \_********************************\_********************************
->
-> Mike, I think we should tone down the blues a little.
->
-> \_********************************\_********************************
->
-> [在 Gitea 上查看](#)。
-
-## 高级用法
-
-模板系统包含一些函数，可用于进一步处理和格式化消息。以下是其中一些函数的列表：
-
-| 函数名              | 参数        | 可用于       | 用法                             |
-|------------------| ----------- | ------------ | ------------------------------ |
-| `AppUrl`         | -           | 任何地方     | Gitea 的 URL                    |
-| `AppName`        | -           | 任何地方     | 从 `app.ini` 中设置，通常为 "Gitea"    |
-| `AppDomain`      | -           | 任何地方     | Gitea 的主机名                     |
-| `EllipsisString` | string, int | 任何地方     | 将字符串截断为指定长度；根据需要添加省略号          |
-| `SanitizeHTML`   | string      | 仅正文部分   | 通过删除其中的危险 HTML 标签对文本进行清理       |
-| `SafeHTML`       | string      | 仅正文部分   | 将输入作为 HTML 处理；可用于输出原始的 HTML 内容 |
-
-这些都是 _函数_，而不是元数据，因此必须按以下方式使用：
-
-```html
-像这样使用：         {{SanitizeHTML "Escape<my>text"}}
-或者这样使用：       {{"Escape<my>text" | SanitizeHTML}}
-或者这样使用：       {{AppUrl}}
-但不要像这样使用：   {{.AppUrl}}
-```

babel.config.js

@@ -0,0 +1,3 @@
+module.exports = {
+  presets: [require.resolve('@docusaurus/core/lib/babel/preset')],
+};

check_outdated.sh

@@ -0,0 +1,37 @@
+#!/bin/bash
+
+# This script takes `locale` as a param and checks if a specific locale version of document is up to date with English version
+# If latest commit timestamp of English version is greater than the specific locale version,
+# The specific locale version document will be marked as outdated
+
+set -xe
+
+SED_INPLACE() {
+  if sed --version 2>/dev/null | grep -q GNU; then
+    sed -i "$@"
+  else
+    sed -i '' "$@"
+  fi
+}
+
+locale="$1"
+cur_path=`pwd`
+cd .tmp/upstream-docs
+
+for file in `find ./docs/content -name "*.${locale}.md"`; do
+    file_en="${file/.${locale}/.en-us}"
+    if [ ! -f "$file_en" ]; then
+        continue
+    fi
+    latest_commit_time_en=$(git log -1 --format=%ct "$file_en")
+    latest_commit_time_locale=$(git log -1 --format=%ct "$file")
+    if [ -z "$latest_commit_time_locale" ]; then
+        continue
+    fi
+    if [[ "$latest_commit_time_en" -gt "$latest_commit_time_locale" ]]; then
+        echo "file: $file, lastest commit timestamp: $latest_commit_time_en (en ver), $latest_commit_time_locale ($locale ver)"
+        SED_INPLACE '1s/---/---\nisOutdated: true/' $file
+    fi
+done
+
+cd "$cur_path"

contributing/guidelines-refactoring.zh-cn.md

@@ -1,49 +0,0 @@
----
-date: "2023-05-25T00:00:00+00:00"
-title: "重构指南"
-slug: "guidelines-refactoring"
-sidebar_position: 20
-toc: false
-draft: false
-aliases:
-  - /zh-cn/guidelines-refactoring
-menu:
-  sidebar:
-    parent: "contributing"
-    name: "重构指南"
-    sidebar_position: 20
-    identifier: "guidelines-refactoring"
----
-
-# 重构指南
-
-## 背景
-
-自2014年2月12日编写了第一行代码以来，Gitea已经发展成为一个庞大的项目。
-因此，代码库变得越来越大。代码库越大，维护就越困难。
-存在许多过时的机制，许多框架混合在一起，一些遗留代码可能会导致错误并阻碍新功能的开发。
-为了使代码库更易于维护，使Gitea变得更好，开发人员应牢记使用现代机制来重构旧代码。
-
-本文档是关于重构代码库的指南集合。
-
-## 重构建议
-
-* 设计更多关于未来的内容，而不仅仅解决当前问题。
-* 减少模糊性，减少冲突，提高可维护性。
-* 描述重构，例如：
-  * 为什么需要重构。
-  * 如何解决旧问题。
-  * 重构的优点/缺点是什么。
-* 只做必要的更改，尽量保留旧逻辑。
-* 引入一些中间步骤，使重构更容易审查，完整的重构计划可以在几个PR中完成。
-* 如果存在分歧，应该请TOC（技术监督委员会）参与决策。
-* 添加必要的测试以确保重构的正确性。
-* 非错误重构优先在里程碑的开始时进行，这样可以更容易地在发布之前发现问题。
-
-## 审查和合并建议
-
-* 重构的PR不应该长时间保持打开状态（通常为7天），应尽快进行审查。
-* 重构的PR应尽快合并，不应被其他PR阻塞。
-* 如果TOC没有异议，重构的PR可以在7天后由一名核心成员（非作者）批准后合并。
-* 如果最终结果良好，容忍一些不完美/临时的步骤。
-* 如果重构是必要的，容忍一些回归错误，并尽快修复错误。

contributing/localization.de-de.md

@@ -1,64 +0,0 @@
----
-date: "2021-01-22T00:00:00+02:00"
-title: "Übersetzungs Richtlinien"
-slug: "localization"
-sidebar_position: 70
-toc: false
-draft: false
-menu:
-  sidebar:
-    parent: "contributing"
-    name: "Übersetzungsrichtlinien"
-    sidebar_position: 70
-    identifier: "localization"
----
-
-## Allgemeines
-
-Anrede: Wenig förmlich:
-
-* "Du"-Form
-* Keine "Amtsdeusch"-Umschreibungen, einfach so als ob man den Nutzer direkt persönlich ansprechen würde
-
-Genauer definiert:
-
-* "falsch" anstatt "nicht korrekt/inkorrekt"
-* Benutzerkonto oder Konto? Oder Account?
-* "Wende dich an ..." anstatt "kontaktiere ..."
-* In der selben Zeit übersetzen (sonst wird aus "is" "war")
-* Richtige Anführungszeichen verwenden. Also `"` statt `''` oder `'` oder \` oder `´`
-  * `„` für beginnende Anführungszeichen, `“` für schließende Anführungszeichen
-
-Es gelten Artikel und Worttrennungen aus dem Duden.
-
-## Formulierungen in Modals und Buttons
-
-Es sollten die gleichen Formulierungen auf Buttons und Modals verwendet werden.
-
-Beispiel: Wenn der Button mit `löschen` beschriftet ist, sollte im Modal die Frage lauten `Willst du das wirklich löschen?` und nicht `Willst du das wirklich entfernen?`. Gleiches gilt für Success/Errormeldungen nach der Aktion.
-
-## Trennungen
-
-* Pull-Request
-* Time-Tracker
-* E-Mail-Adresse (siehe Duden)
-
-## Artikeldefinitionen für Anglizismen
-
-* _Der_ Commit (m.)
-* _Der_ Branch (m.), plural: die Branches
-* _Das_ Issue (n.)
-* _Der_ Fork (m.)
-* _Das_ Repository (n.), plural: die Repositories
-* _Der_ Pull-Request (m.)
-* _Der_ Token (m.), plural: die Token
-* _Das_ Review (n.)
-* _Der_ Key (m.)
-* _Der_ Committer (m.), plural: die Committer
-
-## Weiterführende Links
-
-Diese beiden Links sind sehr empfehlenswert:
-
-* http://docs.translatehouse.org/projects/localization-guide/en/latest/guide/translation_guidelines_german.html
-* https://docs.qgis.org/2.18/en/docs/documentation_guidelines/do_translations.html

contributing/translation.zh-cn.md

@@ -1,17 +0,0 @@
----
-date: "2023-05-25T00:00:00+02:00"
-title: "翻译指南"
-sidebar_position: 70
-toc: true
-draft: false
-menu:
-  sidebar:
-    parent: "contributing"
-    name: "翻译指南"
-    sidebar_position: 70
-    identifier: "translation-guidelines"
----
-
-本页面用于提供一套通用规则，以确保翻译的一致性。
-
-* [German](/de-de/übersetzungs-richtlinien/)

development/migrations.zh-cn.md

@@ -1,40 +0,0 @@
----
-date: "2023-05-25T17:29:00+08:00"
-title: "迁移界面"
-slug: "migrations-interfaces"
-sidebar_position: 55
-toc: false
-draft: false
-aliases:
-  - /zh-cn/migrations-interfaces
-menu:
-  sidebar:
-    parent: "development"
-    name: "迁移界面"
-    sidebar_position: 55
-    identifier: "migrations-interfaces"
----
-
-# 迁移功能
-
-完整迁移功能在Gitea 1.9.0版本中引入。它定义了两个接口，用于支持从其他Git托管平台迁移存储库数据到Gitea，或者在将来将Gitea数据迁移到其他Git托管平台。
-
-目前已实现了从GitHub、GitLab和其他Gitea实例的迁移。
-
-首先，Gitea在包[modules/migration](https://github.com/go-gitea/gitea/tree/main/modules/migration)中定义了一些标准对象。它们是`Repository`、`Milestone`、`Release`、`ReleaseAsset`、`Label`、`Issue`、`Comment`、`PullRequest`、`Reaction`、`Review`、`ReviewComment`。
-
-## 下载器接口
-
-要从新的Git托管平台迁移，需要进行两个步骤的更新。
-
-- 您应该实现一个`Downloader`，用于获取存储库信息。
-- 您应该实现一个`DownloaderFactory`，用于检测URL是否匹配，并创建上述的`Downloader`。
-  - 您需要在`init()`中通过`RegisterDownloaderFactory`注册`DownloaderFactory`。
-
-您可以在[downloader.go](https://github.com/go-gitea/gitea/blob/main/modules/migration/downloader.go)中找到这些接口。
-
-## 上传器接口
-
-目前，只实现了`GiteaLocalUploader`，因此我们只能通过此Uploader将下载的数据保存到本地的Gitea实例。目前不支持其他上传器。
-
-您可以在[uploader.go](https://github.com/go-gitea/gitea/blob/main/modules/migration/uploader.go)中找到这些接口。

development/oauth2-provider.zh-cn.md

@@ -1,137 +0,0 @@
----
-date: "2019-04-19:44:00+01:00"
-title: "OAuth2 提供者"
-slug: "oauth2-provider"
-sidebar_position: 41
-toc: false
-draft: false
-aliases:
-  - /zh-cn/oauth2-provider
-menu:
-  sidebar:
-    parent: "development"
-    name: "OAuth2 提供者"
-    sidebar_position: 41
-    identifier: "oauth2-provider"
----
-
-# OAuth2 提供者
-
-Gitea 支持作为 OAuth2 提供者，允许第三方应用程序在用户同意的情况下访问其资源。此功能自 1.8.0 版起可用。
-
-## 端点
-
-| 端点                     | URL                                 |
-| ------------------------ | ----------------------------------- |
-| OpenID Connect Discovery | `/.well-known/openid-configuration` |
-| Authorization Endpoint   | `/login/oauth/authorize`            |
-| Access Token Endpoint    | `/login/oauth/access_token`         |
-| OpenID Connect UserInfo  | `/login/oauth/userinfo`             |
-| JSON Web Key Set         | `/login/oauth/keys`                 |
-
-## 支持的 OAuth2 授权
-
-目前 Gitea 仅支持 [**Authorization Code Grant**](https://tools.ietf.org/html/rfc6749#section-1.3.1) 标准，并额外支持以下扩展：
-
-- [Proof Key for Code Exchange (PKCE)](https://tools.ietf.org/html/rfc7636)
-- [OpenID Connect (OIDC)](https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth)
-
-要将 Authorization Code Grant 作为第三方应用程序，您需要通过在设置中添加一个新的 "应用程序" (`/user/settings/applications`)。
-
-## 范围
-
-Gitea 支持以下令牌范围:
-
-| 名称 | 介绍 |
-| ---- | ----------- |
-| **(no scope)** | 授予对公共用户配置文件和公共存储库的只读访问权限 |
-| **repo** | 完全控制所有存储库 |
-|     **repo:status** | 授予对所有存储库中提交状态的读/写访问权限 |
-|     **public_repo** | 仅授予对公共存储库的读/写访问权限 |
-| **admin:repo_hook** | 授予对所有存储库的 Hooks 访问权限，该权限已包含在 `repo` 范围中 |
-|     **write:repo_hook** | 授予对存储库 Hooks 的读/写访问权限 |
-|     **read:repo_hook** | 授予对存储库 Hooks 的只读访问权限 |
-| **admin:org** | 授予对组织设置的完全访问权限 |
-|     **write:org** | 授予对组织设置的读/写访问权限 |
-|     **read:org** | 授予对组织设置的只读访问权限 |
-| **admin:public_key** | 授予公钥管理的完全访问权限 |
-|     **write:public_key** | 授予对公钥的读/写访问权限 |
-|     **read:public_key** | 授予对公钥的只读访问权限 |
-| **admin:org_hook** | 授予对组织级别 Hooks 的完全访问权限 |
-| **admin:user_hook** | 授予对用户级别 Hooks 的完全访问权限 |
-| **notification** | 授予对通知的完全访问权限 |
-| **user** | 授予对用户个人资料信息的完全访问权限 |
-|     **read:user** | 授予对用户个人资料的读取权限 |
-|     **user:email** | 授予对用户电子邮件地址的读取权限 |
-|     **user:follow** | 授予访问权限以关注/取消关注用户 |
-| **delete_repo** | 授予删除存储库的权限 |
-| **package** | 授予对托管包的完全访问权限 |
-|     **write:package** | 授予对包的读/写访问权限 |
-|     **read:package** | 授予对包的读取权限 |
-|     **delete:package** | 授予对包的删除权限 |
-| **admin:gpg_key** | 授予 GPG 密钥管理的完全访问权限 |
-|     **write:gpg_key** | 授予对 GPG 密钥的读/写访问权限 |
-|     **read:gpg_key** | 授予对 GPG 密钥的只读访问权限 |
-| **admin:application** | 授予应用程序管理的完全访问权限 |
-|     **write:application** | 授予应用程序管理的读/写访问权限 |
-|     **read:application** | 授予应用程序管理的读取权限 |
-| **sudo** | 允许以站点管理员身份执行操作 |
-
-## 客户端类型
-
-Gitea 支持私密和公共客户端类型，[参见 RFC 6749](https://datatracker.ietf.org/doc/html/rfc6749#section-2.1).
-
-对于公共客户端, 允许在本地回环地址的重定向 URI 中使用任意端口，例如 `http://127.0.0.1/`。根据 [RFC 8252 的建议](https://datatracker.ietf.org/doc/html/rfc8252#section-8.3)，请避免使用 `localhost`。
-
-## 示例
-
-**注意：** 该示例中尚未使用 PKCE。
-
-1. 将用户重定向到授权端点，以获得他们的访问资源授权:
-
-   ```curl
-   https://[YOUR-GITEA-URL]/login/oauth/authorize?client_id=CLIENT_ID&redirect_uri=REDIRECT_URI& response_type=code&state=STATE
-   ```
-
-   在设置中注册应用程序以获得 `CLIENT_ID`。`STATE` 是一个随机字符串，它将在获得用户授权后发送回您的应用程序。`state` 参数是可选的，但您应该使用它来防止 CSRF 攻击。
-
-   ![Authorization Page](/authorize.png)
-
-   用户将会被询问是否授权给您的应用程序。如果他们同意了授权，用户将会被重定向到 `REDIRECT_URL`，例如：
-
-   ```curl
-   https://[REDIRECT_URI]?code=RETURNED_CODE&state=STATE
-   ```
-
-2. 使用重定向提供的 `code`，您可以请求一个新的应用程序和 Refresh Token。Access Token Endpoint 接受 `application/json` 或 `application/x-www-form-urlencoded` 类型的 POST 请求，例如：
-
-   ```curl
-   POST https://[YOUR-GITEA-URL]/login/oauth/access_token
-   ```
-
-   ```json
-   {
-     "client_id": "YOUR_CLIENT_ID",
-     "client_secret": "YOUR_CLIENT_SECRET",
-     "code": "RETURNED_CODE",
-     "grant_type": "authorization_code",
-     "redirect_uri": "REDIRECT_URI"
-   }
-   ```
-
-   返回：
-
-   ```json
-   {
-     "access_token": "eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJnbnQiOjIsInR0IjowLCJleHAiOjE1NTUxNzk5MTIsImlhdCI6MTU1NTE3NjMxMn0.0-iFsAwBtxuckA0sNZ6QpBQmywVPz129u75vOM7wPJecw5wqGyBkmstfJHAjEOqrAf_V5Z-1QYeCh_Cz4RiKug",
-     "token_type": "bearer",
-     "expires_in": 3600,
-     "refresh_token": "eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJnbnQiOjIsInR0IjoxLCJjbnQiOjEsImV4cCI6MTU1NzgwNDMxMiwiaWF0IjoxNTU1MTc2MzEyfQ.S_HZQBy4q9r5SEzNGNIoFClT43HPNDbUdHH-GYNYYdkRfft6XptJBkUQscZsGxOW975Yk6RbgtGvq1nkEcklOw"
-   }
-   ```
-
-   `CLIENT_SECRET` 是生成给应用程序的唯一密钥。请注意，该密钥只会在您使用 Gitea 创建/注册应用程序后出现一次。如果您丢失了密钥，您必须在应用程序设置中重新生成密钥。
-
-   `access_token` 请求中的 `REDIRECT_URI` 必须与 `authorize` 请求中的 `REDIRECT_URI` 相符。
-
-3. 使用 `access_token` 来构造 [API 请求](development/api-usage.md#oauth2-provider) 以读写用户的资源。

docs/administration.md

@@ -3,8 +3,7 @@ date: "2016-12-01T16:00:00+02:00"
 title: "Administration"
 slug: "administration"
 sidebar_position: 30
-toc: false
-draft: false
+
 menu:
   sidebar:
     name: "Administration"

docs/administration/adding-legal-pages.md

@@ -0,0 +1,33 @@
+---
+date: "2019-12-28"
+slug: adding-legal-pages
+sidebar_position: 110
+aliases:
+  - /en-us/adding-legal-pages
+---
+
+# Adding Legal Pages
+
+Some jurisdictions (such as EU), requires certain legal pages (e.g. Privacy Policy) to be added to website. Follow these steps to add them to your Gitea instance.
+
+## Getting Pages
+
+Gitea source code ships with sample pages, available in `contrib/legal` directory. Copy them to `custom/public/assets/`. For example, to add Privacy Policy:
+
+```bash
+wget -O /path/to/custom/public/assets/privacy.html https://raw.githubusercontent.com/go-gitea/gitea/main/contrib/legal/privacy.html.sample
+```
+
+Now you need to edit the page to meet your requirements. In particular you must change the email addresses, web addresses and references to "Your Gitea Instance" to match your situation.
+
+You absolutely must not place a general ToS or privacy statement that implies that the Gitea project is responsible for your server.
+
+## Make it Visible
+
+Create or append to `/path/to/custom/templates/custom/extra_links_footer.tmpl`:
+
+```go
+<a class="item" href="{{AppSubUrl}}/assets/privacy.html">Privacy Policy</a>
+```
+
+Restart Gitea to see the changes.

docs/administration/authentication.md

@@ -1,18 +1,9 @@
 ---
 date: "2016-12-01T16:00:00+02:00"
-title: "Authentication"
 slug: "authentication"
 sidebar_position: 10
-toc: false
-draft: false
 aliases:
   - /en-us/authentication
-menu:
-  sidebar:
-    parent: "usage"
-    name: "Authentication"
-    sidebar_position: 10
-    identifier: "authentication"
 ---
 
 # Authentication
@@ -236,7 +227,7 @@ configure this, set the fields below:
 
   - Restrict what domains can log in if using a public SMTP host or SMTP host
     with multiple domains.
-  - Example: `gitea.io,mydomain.com,mydomain2.com`
+  - Example: `gitea.com,mydomain.com,mydomain2.com`
 
 - Force SMTPS
 
@@ -348,4 +339,13 @@ If set `ENABLE_REVERSE_PROXY_FULL_NAME=true`, a user full name expected in `X-WE
 
 You can also limit the reverse proxy's IP address range with `REVERSE_PROXY_TRUSTED_PROXIES` which default value is `127.0.0.0/8,::1/128`. By `REVERSE_PROXY_LIMIT`, you can limit trusted proxies level.
 
-Notice: Reverse Proxy Auth doesn't support the API. You still need an access token or basic auth to make API requests.
+You can enable the this authentication method for the API with
+
+```ini
+[service]
+ENABLE_REVERSE_PROXY_AUTHENTICATION_API = true
+```
+
+:::note
+When this method is enabled for the API, the reverse proxy is responsible for handling CSRF protection.
+:::

docs/administration/backup-and-restore.md

@@ -0,0 +1,176 @@
+---
+date: "2017-01-01T16:00:00+02:00"
+slug: "backup-and-restore"
+sidebar_position: 11
+aliases:
+  - /en-us/backup-and-restore
+---
+
+# Backup and Restore
+
+Gitea currently has a `dump` command that will save the installation to a ZIP file. This
+file can be unpacked and used to restore an instance.
+
+## Backup Consistency
+
+To ensure the consistency of the Gitea instance, it must be shutdown during backup.
+
+Gitea consists of a database, files and git repositories, all of which change when it is used. For instance, when a migration is in progress, a transaction is created in the database while the git repository is being copied over. If the backup happens in the middle of the migration, the git repository may be incomplete although the database claims otherwise because it was dumped afterwards. The only way to avoid such race conditions is by stopping the Gitea instance during the backups.
+
+## Backup Command (`dump`)
+
+Switch to the user running Gitea: `su git`. Run `./gitea dump -c /path/to/app.ini` in the Gitea installation
+directory. There should be some output similar to the following:
+
+```log
+2016/12/27 22:32:09 Creating tmp work dir: /tmp/gitea-dump-417443001
+2016/12/27 22:32:09 Dumping local repositories.../home/git/gitea-repositories
+2016/12/27 22:32:22 Dumping database...
+2016/12/27 22:32:22 Packing dump files...
+2016/12/27 22:32:34 Removing tmp work dir: /tmp/gitea-dump-417443001
+2016/12/27 22:32:34 Finish dumping in file gitea-dump-1482906742.zip
+```
+
+Inside the `gitea-dump-1482906742.zip` file, will be the following:
+
+- `app.ini` - Optional copy of configuration file if originally stored outside the default `custom/` directory
+- `custom/` - All config or customization files in `custom/`.
+- `data/` - Data directory (APP_DATA_PATH), except sessions if you are using file session. This directory includes `attachments`, `avatars`, `lfs`, `indexers`, SQLite file if you are using SQLite.
+- `repos/` - Complete copy of the repository directory.
+- `gitea-db.sql` - SQL dump of database
+- `log/` - Various logs. They are not needed for a recovery or migration.
+
+Intermediate backup files are created in a temporary directory specified either with the
+`--tempdir` command-line parameter or the `TMPDIR` environment variable.
+
+## Backup the database
+
+The SQL dump created by `gitea dump` uses XORM and Gitea admins may prefer to use the native the MySQL and PostgreSQL dump tools instead. There are still open issues when using XORM for dumping the database that may cause problems when attempting to restore it.
+
+```sh
+# mysql
+mysqldump -u$USER -p$PASS --database $DATABASE > gitea-db.sql
+# postgres
+pg_dump -U $USER $DATABASE > gitea-db.sql
+```
+
+### Using Docker (`dump`)
+
+There are a few caveats for using the `dump` command with Docker.
+
+The command has to be executed with the `RUN_USER = <OS_USERNAME>` specified in `gitea/conf/app.ini`; and, for the zipping of the backup folder to occur without permission error the command `docker exec` must be executed inside of the `--tempdir`.
+
+Example:
+
+```bash
+docker exec -u <OS_USERNAME> -it -w <--tempdir> $(docker ps -qf 'name=^<NAME_OF_DOCKER_CONTAINER>$') bash -c '/usr/local/bin/gitea dump -c </path/to/app.ini>'
+```
+
+\*Note: `--tempdir` refers to the temporary directory of the docker environment used by Gitea; if you have not specified a custom `--tempdir`, then Gitea uses `/tmp` or the `TMPDIR` environment variable of the docker container. For `--tempdir` adjust your `docker exec` command options accordingly.
+
+The result should be a file, stored in the `--tempdir` specified, along the lines of: `gitea-dump-1482906742.zip`
+
+## Restore Command (`restore`)
+
+There is currently no support for a recovery command. It is a manual process that mostly
+involves moving files to their correct locations and restoring a database dump.
+
+Example:
+
+```sh
+unzip gitea-dump-1610949662.zip
+cd gitea-dump-1610949662
+mv app.ini /etc/gitea/conf/app.ini
+mv data/* /var/lib/gitea/data/
+mv log/* /var/lib/gitea/log/
+mv repos/* /var/lib/gitea/data/gitea-repositories/
+chown -R gitea:gitea /etc/gitea/conf/app.ini /var/lib/gitea
+
+# mysql
+mysql --default-character-set=utf8mb4 -u$USER -p$PASS $DATABASE <gitea-db.sql
+# sqlite3
+sqlite3 $DATABASE_PATH <gitea-db.sql
+# postgres
+psql -U $USER -d $DATABASE < gitea-db.sql
+
+service gitea restart
+```
+
+Repository Git Hooks should be regenerated if installation method is changed (eg. binary -> Docker), or if Gitea is installed to a different directory than the previous installation.
+
+With Gitea running, and from the directory Gitea's binary is located, execute: `./gitea admin regenerate hooks`
+
+This ensures that application and configuration file paths in repository Git Hooks are consistent and applicable to the current installation. If these paths are not updated, repository `push` actions will fail.
+
+If you still have issues, consider running `./gitea doctor check` to inspect possible errors (or run with `--fix`).
+
+### Using Docker (`restore`)
+
+There is also no support for a recovery command in a Docker-based gitea instance. The restore process contains the same steps as described in the previous section but with different paths.
+
+Example:
+
+```sh
+# open bash session in container
+docker exec --user git -it 2a83b293548e bash
+# unzip your backup file within the container
+unzip gitea-dump-1610949662.zip
+cd gitea-dump-1610949662
+# restore the gitea data
+mv data/* /data/gitea
+# restore the repositories itself
+mv repos/* /data/git/gitea-repositories/
+# adjust file permissions
+chown -R git:git /data
+# Regenerate Git Hooks
+/usr/local/bin/gitea -c '/data/gitea/conf/app.ini' admin regenerate hooks
+```
+
+The default user in the gitea container is `git` (1000:1000). Please replace `2a83b293548e` with your gitea container id or name.
+
+### Using Docker-rootless (`restore`)
+
+The restore workflow in Docker-rootless containers differs only in the directories to be used:
+
+```sh
+# open bash session in container
+docker exec --user git -it 2a83b293548e bash
+# unzip your backup file within the container
+unzip gitea-dump-1610949662.zip
+cd gitea-dump-1610949662
+# restore the app.ini
+mv data/conf/app.ini /etc/gitea/app.ini
+# restore the gitea data
+mv data/* /var/lib/gitea
+# restore the repositories itself
+mv repos/* /var/lib/gitea/git/gitea-repositories
+# adjust file permissions
+chown -R git:git /etc/gitea/app.ini /var/lib/gitea
+# Regenerate Git Hooks
+/usr/local/bin/gitea -c '/etc/gitea/app.ini' admin regenerate hooks
+```
+
+### Using `gitea dump` to convert database types
+
+The `gitea dump` command can produce a SQL file that can be read by another database type, which is useful to convert the database to another in case you did not choose the correct one during the first installation.
+
+Note that this conversion process is not well-tested, which is why it is recommended to choose the final database type during the first installation without attempting to change it afterwards.
+
+Stop the Gitea server, then make sure you have a full backup of your original database.
+
+Before attempting the conversion, ensure that the original database is clean. Run `gitea doctor check --all --fix` and `gitea doctor recreate-table` to address common issues.
+
+Use the `--database` flag to get a Gitea dump with the SQL file in the target format, in this example PostgreSQL: `gitea dump --database postgres`, then extract the file `gitea-db.sql` from the generated ZIP file.
+
+Create the PostgreSQL Gitea user and Gitea database. Then, import the SQL file as the Gitea user into the Gitea database, using commands such as:
+
+```sh
+sudo -u postgres psql -d gitea
+gitea=# SET synchronous_commit TO off
+gitea=# SET on_error_stop TO on
+gitea=# \i gitea-db.sql
+```
+
+Disabling `synchronous_commit` makes PostgreSQL less resilient to crashes, but makes the import a lot faster. Since we already have a backup of the original database and we can check that the import completes successfully, it should be a good trade-off.
+
+After the import is completed, set up Gitea to use PostgreSQL and start the Gitea server again. Good luck!

docs/administration/cmd-embedded.md

@@ -1,30 +1,23 @@
 ---
 date: "2020-01-25T21:00:00-03:00"
-title: "Embedded data extraction tool"
 slug: "cmd-embedded"
 sidebar_position: 20
-toc: false
-draft: false
 aliases:
   - /en-us/cmd-embedded
-menu:
-  sidebar:
-    parent: "administration"
-    name: "Embedded data extraction tool"
-    sidebar_position: 20
-    identifier: "cmd-embedded"
 ---
 
 # Embedded data extraction tool
 
 Gitea's executable contains all the resources required to run: templates, images, style-sheets
 and translations. Any of them can be overridden by placing a replacement in a matching path
-inside the `custom` directory (see [Customizing Gitea](administration/customizing-gitea.md)).
+inside the `custom` directory (see [Customizing Gitea](../administration/customizing-gitea.md)).
 
 To obtain a copy of the embedded resources ready for editing, the `embedded` command from the CLI
 can be used from the OS shell interface.
 
-**NOTE:** The embedded data extraction tool is included in Gitea versions 1.12 and above.
+:::note
+The embedded data extraction tool is included in Gitea versions 1.12 and above.
+:::
 
 ## Listing resources
 
@@ -83,7 +76,7 @@ The default is the current directory.
 The `--custom` flag tells Gitea to extract the files directly into the `custom` directory.
 For this to work, the command needs to know the location of the `app.ini` configuration
 file (`--config`) and, depending of the configuration, be ran from the directory where
-Gitea normally starts. See [Customizing Gitea](administration/customizing-gitea.md) for details.
+Gitea normally starts. See [Customizing Gitea](../administration/customizing-gitea.md) for details.
 
 The `--overwrite` flag allows any existing files in the destination directory to be overwritten.
 

docs/administration/command-line.md

@@ -0,0 +1,564 @@
+---
+date: "2017-01-01T16:00:00+02:00"
+slug: "command-line"
+sidebar_position: 1
+aliases:
+  - /en-us/command-line
+---
+
+# Gitea Command Line
+
+## Usage
+
+`gitea [global options] command [command or global options] [arguments...]`
+
+## Global options
+
+All global options can be placed at the command level.
+
+- `--help`, `-h`: Show help text and exit. Optional.
+- `--version`, `-v`: Show version and exit. Optional. (example: `Gitea version 1.1.0+218-g7b907ed built with: bindata, sqlite`).
+- `--work-path path`, `-w path`: Gitea's work path. Optional. (default: the binary's path or `$GITEA_WORK_DIR`)
+- `--custom-path path`, `-C path`: Gitea's custom folder path. Optional. (default: `WorkPath`/custom or `$GITEA_CUSTOM`).
+- `--config path`, `-c path`: Gitea configuration file path. Optional. (default: `CustomPath`/conf/app.ini).
+
+NB: The defaults custom-path, config and work-path can also be
+changed at build time (if preferred).
+
+## Commands
+
+### web
+
+Starts the server:
+
+- Options:
+  - `--port number`, `-p number`: Port number. Optional. (default: 3000). Overrides configuration file.
+  - `--install-port number`: Port number to run the install page on. Optional. (default: 3000). Overrides configuration file.
+  - `--pid path`, `-P path`: Pidfile path. Optional.
+  - `--quiet`, `-q`: Only emit Fatal logs on the console for logs emitted before logging set up.
+  - `--verbose`: Emit tracing logs on the console for logs emitted before logging is set-up.
+- Examples:
+  - `gitea web`
+  - `gitea web --port 80`
+  - `gitea web --config /etc/gitea.ini --pid /some/custom/gitea.pid`
+- Notes:
+  - Gitea should not be run as root. To bind to a port below 1024, you can use setcap on
+    Linux: `sudo setcap 'cap_net_bind_service=+ep' /path/to/gitea`. This will need to be
+    redone every time you update Gitea.
+
+### admin
+
+Admin operations:
+
+- Commands:
+  - `user`:
+    - `list`:
+      - Options:
+        - `--admin`: List only admin users. Optional.
+      - Description: lists all users that exist
+      - Examples:
+        - `gitea admin user list`
+    - `delete`:
+      - Options:
+        - `--email`: Email of the user to be deleted.
+        - `--username`: Username of user to be deleted.
+        - `--id`: ID of user to be deleted.
+        - One of `--id`, `--username` or `--email` is required. If more than one is provided then all have to match.
+      - Examples:
+        - `gitea admin user delete --id 1`
+    - `create`:
+      - Options:
+        - `--name value`: Username. Required. As of Gitea 1.9.0, use the `--username` flag instead.
+        - `--username value`: Username. Required. New in Gitea 1.9.0.
+        - `--password value`: Password. Required.
+        - `--email value`: Email. Required.
+        - `--admin`: If provided, this makes the user an admin. Optional.
+        - `--access-token`: If provided, an access token will be created for the user. Optional. (default: false).
+        - `--must-change-password`: The created user will be required to set a new password after the initial login, default: true. It could be disabled by `--must-change-password=false`.
+        - `--random-password`: If provided, a randomly generated password will be used as the password of the created
+          user. The value of `--password` will be discarded. Optional.
+        - `--random-password-length`: If provided, it will be used to configure the length of the randomly generated
+          password. Optional. (default: 12)
+      - Examples:
+        - `gitea admin user create --username myname --password asecurepassword --email me@example.com`
+    - `change-password`:
+      - Options:
+        - `--username value`, `-u value`: Username. Required.
+        - `--password value`, `-p value`: New password. Required.
+        - `--must-change-password`: The user is required to set a new password after the login, default: true. It could be disabled by `--must-change-password=false`.
+      - Examples:
+        - `gitea admin user change-password --username myname --password asecurepassword`
+    - `must-change-password`:
+      - Args:
+        - `[username...]`: Users that must change their passwords
+      - Options:
+        - `--all`, `-A`: Force a password change for all users
+        - `--exclude username`, `-e username`: Exclude the given user. Can be set multiple times.
+        - `--unset`: Revoke forced password change for the given users
+    - `generate-access-token`:
+      - Options:
+        - `--username value`, `-u value`: Username. Required.
+        - `--token-name value`, `-t value`: Token name. Required.
+        - `--scopes value`: Comma-separated list of scopes. Scopes follow the format `[read|write]:<block>` or `all` where `<block>` is one of the available visual groups you can see when opening the API page showing the available routes (for example `repo`).
+      - Examples:
+        - `gitea admin user generate-access-token --username myname --token-name mytoken`
+        - `gitea admin user generate-access-token --help`
+  - `regenerate`
+    - Options:
+      - `hooks`: Regenerate Git Hooks for all repositories
+      - `keys`: Regenerate authorized_keys file
+    - Examples:
+      - `gitea admin regenerate hooks`
+      - `gitea admin regenerate keys`
+  - `auth`:
+    - `list`:
+      - Description: lists all external authentication sources that exist
+      - Examples:
+        - `gitea admin auth list`
+    - `delete`:
+      - Options:
+        - `--id`: ID of source to be deleted. Required.
+      - Examples:
+        - `gitea admin auth delete --id 1`
+    - `add-oauth`:
+      - Options:
+        - `--name`: Application Name.
+        - `--provider`: OAuth2 Provider.
+        - `--key`: Client ID (Key).
+        - `--secret`: Client Secret.
+        - `--auto-discover-url`: OpenID Connect Auto Discovery URL (only required when using OpenID Connect as provider).
+        - `--use-custom-urls`: Use custom URLs for GitLab/GitHub OAuth endpoints.
+        - `--custom-tenant-id`: Use custom Tenant ID for OAuth endpoints.
+        - `--custom-auth-url`: Use a custom Authorization URL (option for GitLab/GitHub).
+        - `--custom-token-url`: Use a custom Token URL (option for GitLab/GitHub).
+        - `--custom-profile-url`: Use a custom Profile URL (option for GitLab/GitHub).
+        - `--custom-email-url`: Use a custom Email URL (option for GitHub).
+        - `--icon-url`: Custom icon URL for OAuth2 login source.
+        - `--skip-local-2fa`: Allow source to override local 2FA. (Optional)
+        - `--scopes`: Additional scopes to request for this OAuth2 source. (Optional)
+        - `--required-claim-name`: Claim name that has to be set to allow users to login with this source. (Optional)
+        - `--required-claim-value`: Claim value that has to be set to allow users to login with this source. (Optional)
+        - `--group-claim-name`: Claim name providing group names for this source. (Optional)
+        - `--admin-group`: Group Claim value for administrator users. (Optional)
+        - `--restricted-group`: Group Claim value for restricted users. (Optional)
+        - `--group-team-map`: JSON mapping between groups and org teams. (Optional)
+        - `--group-team-map-removal`: Activate automatic team membership removal depending on groups. (Optional)
+      - Examples:
+        - `gitea admin auth add-oauth --name external-github --provider github --key OBTAIN_FROM_SOURCE --secret OBTAIN_FROM_SOURCE`
+    - `update-oauth`:
+      - Options:
+        - `--id`: ID of source to be updated. Required.
+        - `--name`: Application Name.
+        - `--provider`: OAuth2 Provider.
+        - `--key`: Client ID (Key).
+        - `--secret`: Client Secret.
+        - `--auto-discover-url`: OpenID Connect Auto Discovery URL (only required when using OpenID Connect as provider).
+        - `--use-custom-urls`: Use custom URLs for GitLab/GitHub OAuth endpoints.
+        - `--custom-tenant-id`: Use custom Tenant ID for OAuth endpoints.
+        - `--custom-auth-url`: Use a custom Authorization URL (option for GitLab/GitHub).
+        - `--custom-token-url`: Use a custom Token URL (option for GitLab/GitHub).
+        - `--custom-profile-url`: Use a custom Profile URL (option for GitLab/GitHub).
+        - `--custom-email-url`: Use a custom Email URL (option for GitHub).
+        - `--icon-url`: Custom icon URL for OAuth2 login source.
+        - `--skip-local-2fa`: Allow source to override local 2FA. (Optional)
+        - `--scopes`: Additional scopes to request for this OAuth2 source.
+        - `--required-claim-name`: Claim name that has to be set to allow users to login with this source. (Optional)
+        - `--required-claim-value`: Claim value that has to be set to allow users to login with this source. (Optional)
+        - `--group-claim-name`: Claim name providing group names for this source. (Optional)
+        - `--admin-group`: Group Claim value for administrator users. (Optional)
+        - `--restricted-group`: Group Claim value for restricted users. (Optional)
+      - Examples:
+        - `gitea admin auth update-oauth --id 1 --name external-github-updated`
+    - `add-smtp`:
+      - Options:
+        - `--name`: Application Name. Required.
+        - `--auth-type`: SMTP Authentication Type (PLAIN/LOGIN/CRAM-MD5). Default to PLAIN.
+        - `--host`: SMTP host. Required.
+        - `--port`: SMTP port. Required.
+        - `--force-smtps`: SMTPS is always used on port 465. Set this to force SMTPS on other ports.
+        - `--skip-verify`: Skip TLS verify.
+        - `--helo-hostname`: Hostname sent with HELO. Leave blank to send current hostname.
+        - `--disable-helo`: Disable SMTP helo.
+        - `--allowed-domains`: Leave empty to allow all domains. Separate multiple domains with a comma (',').
+        - `--skip-local-2fa`: Skip 2FA to log on.
+        - `--active`: This Authentication Source is Activated.
+        Remarks:
+        `--force-smtps`, `--skip-verify`, `--disable-helo`, `--skip-loca-2fs` and `--active` options can be used in form:
+        - `--option`, `--option=true` to enable
+        - `--option=false` to disable
+        If those options are not specified value would not be changed in `update-smtp` or would use default `false` value in `add-smtp`
+      - Examples:
+        - `gitea admin auth add-smtp --name ldap --host smtp.mydomain.org --port 587 --skip-verify --active`
+    - `update-smtp`:
+      - Options:
+        - `--id`: ID of source to be updated. Required.
+        - other options are shared with `add-smtp`
+      - Examples:
+        - `gitea admin auth update-smtp --id 1 --host smtp.mydomain.org --port 587 --skip-verify=false`
+        - `gitea admin auth update-smtp --id 1 --active=false`
+    - `add-ldap`: Add new LDAP (via Bind DN) authentication source
+      - Options:
+        - `--name value`: Authentication name. Required.
+        - `--not-active`: Deactivate the authentication source.
+        - `--security-protocol value`: Security protocol name. Required.
+        - `--skip-tls-verify`: Disable TLS verification.
+        - `--host value`: The address where the LDAP server can be reached. Required.
+        - `--port value`: The port to use when connecting to the LDAP server. Required.
+        - `--user-search-base value`: The LDAP base at which user accounts will be searched for. Required.
+        - `--user-filter value`: An LDAP filter declaring how to find the user record that is attempting to authenticate. Required.
+        - `--admin-filter value`: An LDAP filter specifying if a user should be given administrator privileges.
+        - `--restricted-filter value`: An LDAP filter specifying if a user should be given restricted status.
+        - `--username-attribute value`: The attribute of the user’s LDAP record containing the user name.
+        - `--firstname-attribute value`: The attribute of the user’s LDAP record containing the user’s first name.
+        - `--surname-attribute value`: The attribute of the user’s LDAP record containing the user’s surname.
+        - `--email-attribute value`: The attribute of the user’s LDAP record containing the user’s email address. Required.
+        - `--public-ssh-key-attribute value`: The attribute of the user’s LDAP record containing the user’s public ssh key.
+        - `--avatar-attribute value`: The attribute of the user’s LDAP record containing the user’s avatar.
+        - `--bind-dn value`: The DN to bind to the LDAP server with when searching for the user.
+        - `--bind-password value`: The password for the Bind DN, if any.
+        - `--attributes-in-bind`: Fetch attributes in bind DN context.
+        - `--synchronize-users`: Enable user synchronization.
+        - `--page-size value`: Search page size.
+      - Examples:
+        - `gitea admin auth add-ldap --name ldap --security-protocol unencrypted --host mydomain.org --port 389 --user-search-base "ou=Users,dc=mydomain,dc=org" --user-filter "(&(objectClass=posixAccount)(|(uid=%[1]s)(mail=%[1]s)))" --email-attribute mail`
+    - `update-ldap`: Update existing LDAP (via Bind DN) authentication source
+      - Options:
+        - `--id value`: ID of authentication source. Required.
+        - `--name value`: Authentication name.
+        - `--not-active`: Deactivate the authentication source.
+        - `--security-protocol value`: Security protocol name.
+        - `--skip-tls-verify`: Disable TLS verification.
+        - `--host value`: The address where the LDAP server can be reached.
+        - `--port value`: The port to use when connecting to the LDAP server.
+        - `--user-search-base value`: The LDAP base at which user accounts will be searched for.
+        - `--user-filter value`: An LDAP filter declaring how to find the user record that is attempting to authenticate.
+        - `--admin-filter value`: An LDAP filter specifying if a user should be given administrator privileges.
+        - `--restricted-filter value`: An LDAP filter specifying if a user should be given restricted status.
+        - `--username-attribute value`: The attribute of the user’s LDAP record containing the user name.
+        - `--firstname-attribute value`: The attribute of the user’s LDAP record containing the user’s first name.
+        - `--surname-attribute value`: The attribute of the user’s LDAP record containing the user’s surname.
+        - `--email-attribute value`: The attribute of the user’s LDAP record containing the user’s email address.
+        - `--public-ssh-key-attribute value`: The attribute of the user’s LDAP record containing the user’s public ssh key.
+        - `--avatar-attribute value`: The attribute of the user’s LDAP record containing the user’s avatar.
+        - `--bind-dn value`: The DN to bind to the LDAP server with when searching for the user.
+        - `--bind-password value`: The password for the Bind DN, if any.
+        - `--attributes-in-bind`: Fetch attributes in bind DN context.
+        - `--synchronize-users`: Enable user synchronization.
+        - `--page-size value`: Search page size.
+      - Examples:
+        - `gitea admin auth update-ldap --id 1 --name "my ldap auth source"`
+        - `gitea admin auth update-ldap --id 1 --username-attribute uid --firstname-attribute givenName --surname-attribute sn`
+    - `add-ldap-simple`: Add new LDAP (simple auth) authentication source
+      - Options:
+        - `--name value`: Authentication name. Required.
+        - `--not-active`: Deactivate the authentication source.
+        - `--security-protocol value`: Security protocol name. Required.
+        - `--skip-tls-verify`: Disable TLS verification.
+        - `--host value`: The address where the LDAP server can be reached. Required.
+        - `--port value`: The port to use when connecting to the LDAP server. Required.
+        - `--user-search-base value`: The LDAP base at which user accounts will be searched for.
+        - `--user-filter value`: An LDAP filter declaring how to find the user record that is attempting to authenticate. Required.
+        - `--admin-filter value`: An LDAP filter specifying if a user should be given administrator privileges.
+        - `--restricted-filter value`: An LDAP filter specifying if a user should be given restricted status.
+        - `--username-attribute value`: The attribute of the user’s LDAP record containing the user name.
+        - `--firstname-attribute value`: The attribute of the user’s LDAP record containing the user’s first name.
+        - `--surname-attribute value`: The attribute of the user’s LDAP record containing the user’s surname.
+        - `--email-attribute value`: The attribute of the user’s LDAP record containing the user’s email address. Required.
+        - `--public-ssh-key-attribute value`: The attribute of the user’s LDAP record containing the user’s public ssh key.
+        - `--avatar-attribute value`: The attribute of the user’s LDAP record containing the user’s avatar.
+        - `--user-dn value`: The user’s DN. Required.
+      - Examples:
+        - `gitea admin auth add-ldap-simple --name ldap --security-protocol unencrypted --host mydomain.org --port 389 --user-dn "cn=%s,ou=Users,dc=mydomain,dc=org" --user-filter "(&(objectClass=posixAccount)(cn=%s))" --email-attribute mail`
+    - `update-ldap-simple`: Update existing LDAP (simple auth) authentication source
+      - Options:
+        - `--id value`: ID of authentication source. Required.
+        - `--name value`: Authentication name.
+        - `--not-active`: Deactivate the authentication source.
+        - `--security-protocol value`: Security protocol name.
+        - `--skip-tls-verify`: Disable TLS verification.
+        - `--host value`: The address where the LDAP server can be reached.
+        - `--port value`: The port to use when connecting to the LDAP server.
+        - `--user-search-base value`: The LDAP base at which user accounts will be searched for.
+        - `--user-filter value`: An LDAP filter declaring how to find the user record that is attempting to authenticate.
+        - `--admin-filter value`: An LDAP filter specifying if a user should be given administrator privileges.
+        - `--restricted-filter value`: An LDAP filter specifying if a user should be given restricted status.
+        - `--username-attribute value`: The attribute of the user’s LDAP record containing the user name.
+        - `--firstname-attribute value`: The attribute of the user’s LDAP record containing the user’s first name.
+        - `--surname-attribute value`: The attribute of the user’s LDAP record containing the user’s surname.
+        - `--email-attribute value`: The attribute of the user’s LDAP record containing the user’s email address.
+        - `--public-ssh-key-attribute value`: The attribute of the user’s LDAP record containing the user’s public ssh key.
+        - `--avatar-attribute value`: The attribute of the user’s LDAP record containing the user’s avatar.
+        - `--user-dn value`: The user’s DN.
+      - Examples:
+        - `gitea admin auth update-ldap-simple --id 1 --name "my ldap auth source"`
+        - `gitea admin auth update-ldap-simple --id 1 --username-attribute uid --firstname-attribute givenName --surname-attribute sn`
+
+### cert
+
+Generates a self-signed SSL certificate. Outputs to `cert.pem` and `key.pem` in the current
+directory and will overwrite any existing files.
+
+- Options:
+  - `--host value`: Comma separated hostnames and ips which this certificate is valid for.
+    Wildcards are supported. Required.
+  - `--ecdsa-curve value`: ECDSA curve to use to generate a key. Optional. Valid options
+    are P224, P256, P384, P521.
+  - `--rsa-bits value`: Size of RSA key to generate. Optional. Ignored if --ecdsa-curve is
+    set. (default: 3072).
+  - `--start-date value`: Creation date. Optional. (format: `Jan 1 15:04:05 2011`).
+  - `--duration value`: Duration which the certificate is valid for. Optional. (default: 8760h0m0s)
+  - `--ca`: If provided, this cert generates it's own certificate authority. Optional.
+- Examples:
+  - `gitea cert --host git.example.com,example.com,www.example.com --ca`
+
+### dump
+
+Dumps all files and databases into a zip file. Outputs into a file like `gitea-dump-1482906742.zip`
+in the current directory.
+
+- Options:
+  - `--file name`, `-f name`: Name of the dump file with will be created. Optional. (default: gitea-dump-[timestamp].zip).
+  - `--tempdir path`, `-t path`: Path to the temporary directory used. Optional. (default: /tmp).
+  - `--skip-repository`, `-R`: Skip the repository dumping. Optional.
+  - `--skip-custom-dir`: Skip dumping of the custom dir. Optional.
+  - `--skip-lfs-data`: Skip dumping of LFS data. Optional.
+  - `--skip-attachment-data`: Skip dumping of attachment data. Optional.
+  - `--skip-package-data`: Skip dumping of package data. Optional.
+  - `--skip-log`: Skip dumping of log data. Optional.
+  - `--skip-index`: Skip dumping of Bleve indexer data. Optional. Applies only for bleve.
+  - `--database`, `-d`: Specify the database SQL syntax. Optional (supported arguments: sqlite3, mysql, mssql, postgres).
+  - `--verbose`, `-V`: If provided, shows additional details. Optional.
+  - `--type`: Set the dump output format. Optional. (formats: zip, tar, tar.sz, tar.gz, tar.xz, tar.bz2, tar.br, tar.lz4, tar.zst default: zip).
+- Examples:
+  - `gitea dump`
+  - `gitea dump --verbose`
+
+### generate
+
+Generates random values and tokens for usage in configuration file. Useful for generating values
+for automatic deployments.
+
+- Commands:
+  - `secret`:
+    - Options:
+      - `INTERNAL_TOKEN`: Token used for an internal API call authentication.
+      - `JWT_SECRET`: LFS & OAUTH2 JWT authentication secret (LFS_JWT_SECRET is aliased to this option for backwards compatibility).
+      - `SECRET_KEY`: Global secret key.
+    - Examples:
+      - `gitea generate secret INTERNAL_TOKEN`
+      - `gitea generate secret JWT_SECRET`
+      - `gitea generate secret SECRET_KEY`
+
+### keys
+
+Provides an SSHD AuthorizedKeysCommand. Needs to be configured in the sshd config file:
+
+```ini
+# The value of -e and the AuthorizedKeysCommandUser should match the
+# username running Gitea
+AuthorizedKeysCommandUser git
+AuthorizedKeysCommand /path/to/gitea keys -e git -u %u -t %t -k %k
+```
+
+The command will return the appropriate authorized_keys line for the
+provided key. You should also set the value
+`SSH_CREATE_AUTHORIZED_KEYS_FILE=false` in the `[server]` section of
+`app.ini`.
+
+:::note
+opensshd requires the Gitea program to be owned by root and not
+writable by group or others. The program must be specified by an absolute
+path.
+Gitea must be running for this command to succeed.
+:::
+
+### migrate
+
+Migrates the database. This command can be used to run other commands before starting the server for the first time.
+This command is idempotent.
+
+### doctor check
+
+Diagnose and potentially fix problems with the current Gitea instance.
+Several checks are run by default, but additional ones can be run:
+
+- `gitea doctor check --list` - will list all the available checks
+- `gitea doctor check --all` - will run all available checks
+- `gitea doctor check --default` - will run the default checks
+- `gitea doctor check --run [check(s),]...` - will run the named checks
+
+Some problems can be automatically fixed by passing the `--fix` option.
+Extra logging can be set with `--log-file=...`.
+
+#### doctor recreate-table
+
+Sometimes when there are migrations the old columns and default values may be left
+unchanged in the database schema. This may lead to warning such as:
+
+```log
+2020/08/02 11:32:29 ...rm/session_schema.go:360:Sync() [W] Table user Column keep_activity_private db default is , struct default is 0
+```
+
+You can cause Gitea to recreate these tables and copy the old data into the new table
+with the defaults set appropriately by using:
+
+```bash
+gitea doctor recreate-table user
+```
+
+You can ask Gitea to recreate multiple tables using:
+
+```bash
+gitea doctor recreate-table table1 table2 ...
+```
+
+And if you would like Gitea to recreate all tables simply call:
+
+```bash
+gitea doctor recreate-table
+```
+
+It is highly recommended to back-up your database before running these commands.
+
+### doctor convert
+
+Converts a MySQL database from utf8 to utf8mb4 or a MSSQL database from varchar to nvarchar.
+
+### manager
+
+Manage running server operations:
+
+- Commands:
+  - `shutdown`: Gracefully shutdown the running process
+  - `restart`: Gracefully restart the running process - (not implemented for windows servers)
+  - `flush-queues`: Flush queues in the running process
+    - Options:
+      - `--timeout value`: Timeout for the flushing process (default: 1m0s)
+      - `--non-blocking`: Set to true to not wait for flush to complete before returning
+  - `logging`: Adjust logging commands
+    - Commands:
+      - `pause`: Pause logging
+        - Notes:
+          - The logging level will be raised to INFO temporarily if it is below this level.
+          - Gitea will buffer logs up to a certain point and will drop them after that point.
+      - `resume`: Resume logging
+      - `release-and-reopen`: Cause Gitea to release and re-open files and connections used for logging (Equivalent to sending SIGUSR1 to Gitea.)
+      - `remove name`: Remove the named logger
+        - Options:
+          - `--group group`, `-g group`: Set the group to remove the sublogger from. (defaults to `default`)
+      - `add`: Add a logger
+        - Commands:
+          - `console`: Add a console logger
+            - Options:
+              - `--group value`, `-g value`: Group to add logger to - will default to "default"
+              - `--name value`, `-n value`: Name of the new logger - will default to mode
+              - `--level value`, `-l value`: Logging level for the new logger
+              - `--stacktrace-level value`, `-L value`: Stacktrace logging level
+              - `--flags value`, `-F value`: Flags for the logger
+              - `--expression value`, `-e value`: Matching expression for the logger
+              - `--prefix value`, `-p value`: Prefix for the logger
+              - `--color`: Use color in the logs
+              - `--stderr`: Output console logs to stderr - only relevant for console
+          - `file`: Add a file logger
+            - Options:
+              - `--group value`, `-g value`: Group to add logger to - will default to "default"
+              - `--name value`, `-n value`: Name of the new logger - will default to mode
+              - `--level value`, `-l value`: Logging level for the new logger
+              - `--stacktrace-level value`, `-L value`: Stacktrace logging level
+              - `--flags value`, `-F value`: Flags for the logger
+              - `--expression value`, `-e value`: Matching expression for the logger
+              - `--prefix value`, `-p value`: Prefix for the logger
+              - `--color`: Use color in the logs
+              - `--filename value`, `-f value`: Filename for the logger -
+              - `--rotate`, `-r`: Rotate logs
+              - `--max-size value`, `-s value`: Maximum size in bytes before rotation
+              - `--daily`, `-d`: Rotate logs daily
+              - `--max-days value`, `-D value`: Maximum number of daily logs to keep
+              - `--compress`, `-z`: Compress rotated logs
+              - `--compression-level value`, `-Z value`: Compression level to use
+          - `conn`: Add a network connection logger
+            - Options:
+              - `--group value`, `-g value`: Group to add logger to - will default to "default"
+              - `--name value`, `-n value`: Name of the new logger - will default to mode
+              - `--level value`, `-l value`: Logging level for the new logger
+              - `--stacktrace-level value`, `-L value`: Stacktrace logging level
+              - `--flags value`, `-F value`: Flags for the logger
+              - `--expression value`, `-e value`: Matching expression for the logger
+              - `--prefix value`, `-p value`: Prefix for the logger
+              - `--color`: Use color in the logs
+              - `--reconnect-on-message`, `-R`: Reconnect to host for every message
+              - `--reconnect`, `-r`: Reconnect to host when connection is dropped
+              - `--protocol value`, `-P value`: Set protocol to use: tcp, unix, or udp (defaults to tcp)
+              - `--address value`, `-a value`: Host address and port to connect to (defaults to :7020)
+          - `smtp`: Add an SMTP logger
+            - Options:
+              - `--group value`, `-g value`: Group to add logger to - will default to "default"
+              - `--name value`, `-n value`: Name of the new logger - will default to mode
+              - `--level value`, `-l value`: Logging level for the new logger
+              - `--stacktrace-level value`, `-L value`: Stacktrace logging level
+              - `--flags value`, `-F value`: Flags for the logger
+              - `--expression value`, `-e value`: Matching expression for the logger
+              - `--prefix value`, `-p value`: Prefix for the logger
+              - `--color`: Use color in the logs
+              - `--username value`, `-u value`: Mail server username
+              - `--password value`, `-P value`: Mail server password
+              - `--host value`, `-H value`: Mail server host (defaults to: 127.0.0.1:25)
+              - `--send-to value`, `-s value`: Email address(es) to send to
+              - `--subject value`, `-S value`: Subject header of sent emails
+  - `processes`: Display Gitea processes and goroutine information
+    - Options:
+      - `--flat`: Show processes as flat table rather than as tree
+      - `--no-system`: Do not show system processes
+      - `--stacktraces`: Show stacktraces for goroutines associated with processes
+      - `--json`: Output as json
+      - `--cancel PID`: Send cancel to process with PID. (Only for non-system processes.)
+
+### dump-repo
+
+Dump-repo dumps repository data from Git/GitHub/Gitea/GitLab:
+
+- Options:
+  - `--git_service service` : Git service, it could be `git`, `github`, `gitea`, `gitlab`, If clone_addr could be recognized, this could be ignored.
+  - `--repo_dir dir`, `-r dir`: Repository dir path to store the data
+  - `--clone_addr addr`: The URL will be clone, currently could be a git/github/gitea/gitlab http/https URL. i.e. https://github.com/lunny/tango.git
+  - `--auth_username lunny`: The username to visit the clone_addr
+  - `--auth_password <password>`: The password to visit the clone_addr
+  - `--auth_token <token>`: The personal token to visit the clone_addr
+  - `--owner_name lunny`: The data will be stored on a directory with owner name if not empty
+  - `--repo_name tango`: The data will be stored on a directory with repository name if not empty
+  - `--units <units>`: Which items will be migrated, one or more units should be separated as comma. wiki, issues, labels, releases, release_assets, milestones, pull_requests, comments are allowed. Empty means all units.
+
+### restore-repo
+
+Restore-repo restore repository data from disk dir:
+
+- Options:
+  - `--repo_dir dir`, `-r dir`: Repository dir path to restore from
+  - `--owner_name lunny`: Restore destination owner name
+  - `--repo_name tango`: Restore destination repository name
+  - `--units <units>`: Which items will be restored, one or more units should be separated as comma. wiki, issues, labels, releases, release_assets, milestones, pull_requests, comments are allowed. Empty means all units.
+
+### actions generate-runner-token
+
+Generate a new token for a runner to use to register with the server
+
+- Options:
+  - `--scope {owner}[/{repo}]`, `-s {owner}[/{repo}]`: To limit the scope of the runner, no scope means the runner can be used for all repos, but you can also limit it to a specific repo or owner
+
+To register a global runner:
+
+```bash
+gitea actions generate-runner-token
+```
+
+To register a runner for a specific organization, in this case `org`:
+
+```bash
+gitea actions generate-runner-token -s org
+```
+
+To register a runner for a specific repo, in this case `username/test-repo`:
+
+```bash
+gitea actions generate-runner-token -s username/test-repo
+```

docs/administration/customizing-gitea.md

@@ -0,0 +1,444 @@
+---
+date: "2017-04-15T14:56:00+02:00"
+slug: "customizing-gitea"
+sidebar_position: 100
+aliases:
+  - /en-us/customizing-gitea
+---
+
+# Customizing Gitea
+
+Customizing Gitea is typically done using the `CustomPath` folder - by default this is
+the `custom` folder from the working directory (WorkPath), but may be different if your [installation](../installation/installation.md) has
+set this differently. This is the central place to override configuration settings,
+templates, etc. You can check the `CustomPath` using `gitea help`. You can also find
+the path on the _Configuration_ tab in the _Site Administration_ page. You can override
+the `CustomPath` by setting either the `GITEA_CUSTOM` environment variable or by
+using the `--custom-path` option on the `gitea` binary. (The option will override the
+environment variable.)
+
+If Gitea is deployed from binary, all default paths will be relative to the Gitea
+binary. If installed from a distribution, these paths will likely be modified to
+the Linux Filesystem Standard. Gitea will attempt to create required folders, including
+`custom/`. Distributions may provide a symlink for `custom` using `/etc/gitea/`.
+
+Application settings can be found in file `CustomConf` which is by default,
+`$GITEA_CUSTOM/conf/app.ini` but may be different if your [installation](../installation/installation.md) has set this differently.
+Again `gitea help` will allow you review this variable and you can override it using the
+`--config` option on the `gitea` binary.
+
+- [Quick Cheat Sheet](../administration/config-cheat-sheet.md)
+- [Complete List](https://github.com/go-gitea/gitea/blob/main/custom/conf/app.example.ini)
+
+If the `CustomPath` folder can't be found despite checking `gitea help`, check the `GITEA_CUSTOM`
+environment variable; this can be used to override the default path to something else.
+`GITEA_CUSTOM` might, for example, be set by an init script. You can check whether the value
+is set under the "Configuration" tab on the site administration page.
+
+- [List of Environment Variables](../administration/environment-variables.md)
+
+:::note
+Gitea must perform a full restart to see configuration changes.
+:::
+
+## Serving custom public files
+
+To make Gitea serve custom public files (like pages and images), use the folder
+`$GITEA_CUSTOM/public/` as the webroot. Symbolic links will be followed.
+At the moment, only the following files are served:
+
+- `public/robots.txt`
+- files in the `public/.well-known/` folder
+- files in the `public/assets/` folder
+
+For example, a file `image.png` stored in `$GITEA_CUSTOM/public/assets/`, can be accessed with
+the url `http://gitea.domain.tld/assets/image.png`.
+
+## Changing the logo
+
+To build a custom logo and/or favicon clone the Gitea source repository, replace `assets/logo.svg` and/or `assets/favicon.svg` and run
+`make generate-images`. `assets/favicon.svg` is used for the favicon only. This will update below output files which you can then place in `$GITEA_CUSTOM/public/assets/img` on your server:
+
+- `public/assets/img/logo.svg` - Used for site icon, app icon
+- `public/assets/img/logo.png` - Used for Open Graph
+- `public/assets/img/avatar_default.png` - Used as the default avatar image
+- `public/assets/img/apple-touch-icon.png` - Used on iOS devices for bookmarks
+- `public/assets/img/favicon.svg` - Used for favicon
+- `public/assets/img/favicon.png` - Used as fallback for browsers that don't support SVG favicons
+
+In case the source image is not in vector format, you can attempt to convert a raster image using tools like [this](https://www.aconvert.com/image/png-to-svg/).
+
+## Customizing Gitea pages and resources
+
+Gitea's executable contains all the resources required to run: templates, images, style-sheets
+and translations. Any of them can be overridden by placing a replacement in a matching path
+inside the `custom` directory. For example, to replace the default `.gitignore` provided
+for C++ repositories, we want to replace `options/gitignore/C++`. To do this, a replacement
+must be placed in `$GITEA_CUSTOM/options/gitignore/C++` (see about the location of the `CustomPath`
+directory at the top of this document).
+
+Every single page of Gitea can be changed. Dynamic content is generated using [go templates](https://pkg.go.dev/html/template),
+which can be modified by placing replacements below the `$GITEA_CUSTOM/templates` directory.
+
+To obtain any embedded file (including templates), the [`gitea embedded` tool](../administration/cmd-embedded.md) can be used. Alternatively, they can be found in the [`templates`](https://github.com/go-gitea/gitea/tree/main/templates) directory of Gitea source (Note: the example link is from the `main` branch. Make sure to use templates compatible with the release you are using).
+
+Be aware that any statement contained inside `{{` and `}}` are Gitea's template syntax and
+shouldn't be touched without fully understanding these components.
+
+### Customizing startpage / homepage
+
+Copy [`home.tmpl`](https://github.com/go-gitea/gitea/blob/main/templates/home.tmpl) for your version of Gitea from `templates` to `$GITEA_CUSTOM/templates`.
+Edit as you wish.
+Dont forget to restart your Gitea to apply the changes.
+
+### Adding links and tabs
+
+If all you want is to add extra links to the top navigation bar or footer, or extra tabs to the repository view, you can put them in `extra_links.tmpl` (links added to the navbar), `extra_links_footer.tmpl` (links added to the left side of footer), and `extra_tabs.tmpl` inside your `$GITEA_CUSTOM/templates/custom/` directory.
+
+For instance, let's say you are in Germany and must add the famously legally-required "Impressum"/about page, listing who is responsible for the site's content:
+just place it under your "$GITEA_CUSTOM/public/assets/" directory (for instance `$GITEA_CUSTOM/public/assets/impressum.html`) and put a link to it in either `$GITEA_CUSTOM/templates/custom/extra_links.tmpl` or `$GITEA_CUSTOM/templates/custom/extra_links_footer.tmpl`.
+
+To match the current style, the link should have the class name "item", and you can use `{{AppSubUrl}}` to get the base URL:
+`<a class="item" href="{{AppSubUrl}}/assets/impressum.html">Impressum</a>`
+
+For more information, see [Adding Legal Pages](../administration/adding-legal-pages.md).
+
+You can add new tabs in the same way, putting them in `extra_tabs.tmpl`.
+The exact HTML needed to match the style of other tabs is in the file
+`templates/repo/header.tmpl`
+([source in GitHub](https://github.com/go-gitea/gitea/blob/main/templates/repo/header.tmpl))
+
+### Other additions to the page
+
+Apart from `extra_links.tmpl` and `extra_tabs.tmpl`, there are other useful templates you can put in your `$GITEA_CUSTOM/templates/custom/` directory:
+
+- `header.tmpl`, just before the end of the `<head>` tag where you can add custom CSS files for instance.
+- `body_outer_pre.tmpl`, right after the start of `<body>`.
+- `body_inner_pre.tmpl`, before the top navigation bar, but already inside the main container `<div class="full height">`.
+- `body_inner_post.tmpl`, before the end of the main container.
+- `body_outer_post.tmpl`, before the bottom `<footer>` element.
+- `footer.tmpl`, right before the end of the `<body>` tag, a good place for additional JavaScript.
+
+### Using Gitea variables
+
+It's possible to use various Gitea variables in your custom templates.
+
+First, _temporarily_ enable development mode: in your `app.ini` change from `RUN_MODE = prod` to `RUN_MODE = dev`. Then add `{{ $ | DumpVar }}` to any of your templates, restart Gitea and refresh that page; that will dump all available variables.
+
+Find the data that you need, and use the corresponding variable; for example, if you need the name of the repository then you'd use `{{.Repository.Name}}`.
+
+If you need to transform that data somehow, and aren't familiar with Go, an easy workaround is to add the data to the DOM and add a small JavaScript script block to manipulate the data.
+
+### Example: PlantUML
+
+You can add [PlantUML](https://plantuml.com/) support to Gitea's markdown by using a PlantUML server.
+The data is encoded and sent to the PlantUML server which generates the picture. There is an online
+demo server at http://www.plantuml.com/plantuml, but if you (or your users) have sensitive data you
+can set up your own [PlantUML server](https://plantuml.com/server) instead. To set up PlantUML rendering,
+copy JavaScript files from https://gitea.com/davidsvantesson/plantuml-code-highlight and put them in your
+`$GITEA_CUSTOM/public/assets/` folder. Then add the following to `custom/footer.tmpl`:
+
+```html
+<script>
+  $(async () => {
+    if (!$('.language-plantuml').length) return;
+    await Promise.all([
+      $.getScript('https://your-gitea-server.com/assets/deflate.js'),
+      $.getScript('https://your-gitea-server.com/assets/encode.js'),
+      $.getScript('https://your-gitea-server.com/assets/plantuml_codeblock_parse.js'),
+    ]);
+    // Replace call with address to your plantuml server
+    parsePlantumlCodeBlocks("https://www.plantuml.com/plantuml");
+  });
+</script>
+```
+
+You can then add blocks like the following to your markdown:
+
+```plantuml
+Alice -> Bob: Authentication Request
+Bob --> Alice: Authentication Response
+
+Alice -> Bob: Another authentication Request
+Alice <-- Bob: Another authentication Response
+```
+
+The script will detect tags with `class="language-plantuml"`, but you can change this by providing a second argument to `parsePlantumlCodeBlocks`.
+
+### Example: CAD Files Preview using Online 3D Viewer
+
+You can implement CAD file preview inside your Gitea instance. This implemenation uses [`Online 3D Viewer`](https://github.com/kovacsv/Online3DViewer).
+
+Supports following 3D file formats:
+'3dm', '3ds', '3mf', 'amf', 'bim', 'brep', 'dae', 'fbx', 'fcstd', 'glb',
+'gltf', 'ifc', 'igs', 'iges', 'stp', 'step', 'stl', 'obj', 'off', 'ply', 'wrl'
+(Only v2 for .gltf files)
+
+#### Part 1: Add template
+
+In $GITEA_CUSTOM we need to add our template.
+This template needs to be saved in "$GITEA_CUSTOM/templates/custom/".
+Here create file "footer.tmpl" and add following text into it:
+
+```html
+<script>
+    document.addEventListener('DOMContentLoaded', () => {
+      // Supported 3D file types
+      const fileTypes = ['3dm', '3ds', '3mf', 'amf', 'bim', 'brep', 'dae', 'fbx', 'fcstd', 'glb', 'gltf', 'ifc', 'igs', 'iges', 'stp', 'step', 'stl', 'obj', 'off', 'ply', 'wrl'];
+  
+      // Select matching link
+      const links = Array.from(document.querySelectorAll('a.ui.mini.basic.button'));
+      const link3D = links.find(link => {
+        const href = link.href.toLowerCase();
+        return href.includes('/raw/') && fileTypes.some(ext => href.endsWith(`.${ext}`));
+      });
+  
+      if (link3D) {
+        const script = document.createElement('script');
+        script.onload = () => {
+          const fileUrl = link3D.getAttribute('href');
+  
+          // Prepare the container for the viewer
+          const fileView = document.querySelector('.file-view');
+          if (fileView) {
+            fileView.setAttribute('id', 'view-3d');
+            fileView.style.padding = '0';
+            fileView.style.margin = '0';
+            fileView.style.height = '400px';
+            fileView.style.width = '100%';
+            fileView.innerHTML = '';
+          }
+  
+          // Initialize viewer
+          const parentDiv = document.getElementById('view-3d');
+          if (parentDiv) {
+            const viewer = new OV.EmbeddedViewer(parentDiv, {
+              backgroundColor: new OV.RGBAColor(59, 68, 76, 0), // Transparent
+              defaultColor: new OV.RGBColor(200, 200, 200),
+              edgeSettings: new OV.EdgeSettings(false, new OV.RGBColor(0, 0, 0), 1),
+              environmentSettings: new OV.EnvironmentSettings([
+                '/assets/o3dv/envmaps/fishermans_bastion/negx.jpg',
+                '/assets/o3dv/envmaps/fishermans_bastion/posx.jpg',
+                '/assets/o3dv/envmaps/fishermans_bastion/posy.jpg',
+                '/assets/o3dv/envmaps/fishermans_bastion/negy.jpg',
+                '/assets/o3dv/envmaps/fishermans_bastion/posz.jpg',
+                '/assets/o3dv/envmaps/fishermans_bastion/negz.jpg'
+              ], false)
+            });
+  
+            // Load the model
+            viewer.LoadModelFromUrlList([fileUrl]);
+          }
+        };
+  
+        script.src = '/assets/o3dv/o3dv.min.js';
+        document.head.appendChild(script);
+      }
+    });
+</script>
+```
+
+#### Part 2: Add public files
+
+Now we need to download latest version of O3DV. Go to "$GITEA_CUSTOM/public/assets/".
+Create folder using (and cd into it):
+
+```
+mkdir o3dv
+cd o3dv
+```
+
+Copy latest release zip link from [`GitHub`](https://github.com/kovacsv/Online3DViewer/releases) (v0.15.0 as of now).
+Here use e.g. wget to download the file:
+
+```
+wget https://github.com/kovacsv/Online3DViewer/releases/download/0.15.0/o3dv.zip
+```
+
+Use e.g. unzip to unzip the archive:
+```
+unzip o3dv.zip
+```
+
+#### Part 3: Folder permissions
+
+Now the last thing. Change permissions on the "footer.tmpl":
+```
+chown git:git $GITEA_CUSTOM/templates/custom/footer.tmpl
+chmod 770 $GITEA_CUSTOM/templates/custom/footer.tmpl
+```
+
+And on the public folder:
+```
+chown -R git:git $GITEA_CUSTOM/public
+```
+
+Now we have everything ready! Restart your gitea instance to apply these changes and test it in your browser.
+
+You should end-up with a folder structure similar to this:
+
+```
+$GITEA_CUSTOM/templates
+-- custom
+    `-- footer.tmpl
+
+$GITEA_CUSTOM/public/assets/
+-- o3dv
+   |-- o3dv_0.15.0.zip
+   |-- o3dv.license.md
+   |-- o3dv.min.js
+   |-- envmaps
+    \...
+```
+
+## Customizing Gitea mails
+
+The `$GITEA_CUSTOM/templates/mail` folder allows changing the body of every mail of Gitea.
+Templates to override can be found in the
+[`templates/mail`](https://github.com/go-gitea/gitea/tree/main/templates/mail)
+directory of Gitea source.
+Override by making a copy of the file under `$GITEA_CUSTOM/templates/mail` using a
+full path structure matching source.
+
+Any statement contained inside `{{` and `}}` are Gitea's template
+syntax and shouldn't be touched without fully understanding these components.
+
+## Adding Analytics to Gitea
+
+Google Analytics, Matomo (previously Piwik), and other analytics services can be added to Gitea. To add the tracking code, refer to the `Other additions to the page` section of this document, and add the JavaScript to the `$GITEA_CUSTOM/templates/custom/header.tmpl` file.
+
+## Customizing gitignores, labels, licenses, locales, and readmes
+
+Place custom files in corresponding sub-folder under `custom/options`.
+
+:::note
+The files should not have a file extension, e.g. `Labels` rather than `Labels.txt`
+:::
+
+### gitignores
+
+To add custom .gitignore, add a file with existing [.gitignore rules](https://git-scm.com/docs/gitignore) in it to `$GITEA_CUSTOM/options/gitignore`
+
+## Customizing the git configuration
+
+Starting with Gitea 1.20, you can customize the git configuration via the `git.config` section.
+
+### Enabling signed git pushes
+
+To enable signed git pushes, set these two options:
+
+```ini
+[git.config]
+receive.advertisePushOptions = true
+receive.certNonceSeed = <randomstring>
+```
+
+`certNonceSeed` should be set to a random string and be kept secret.
+
+### Labels
+
+Starting with Gitea 1.19, you can add a file that follows the [YAML label format](https://github.com/go-gitea/gitea/blob/main/options/label/Advanced.yaml) to `$GITEA_CUSTOM/options/label`:
+
+```yaml
+labels:
+  - name: "foo/bar"  # name of the label that will appear in the dropdown
+    exclusive: true # whether to use the exclusive namespace for scoped labels. scoped delimiter is /
+    color: aabbcc # hex colour coding
+    description: Some label # long description of label intent
+ ```
+
+The [legacy file format](https://github.com/go-gitea/gitea/blob/main/options/label/Default) can still be used following the format below, however we strongly recommend using the newer YAML format instead.
+
+`#hex-color label name ; label description`
+
+For more information, see the [labels documentation](usage/labels.md).
+
+### Licenses
+
+To add a custom license, add a file with the license text to `$GITEA_CUSTOM/options/license`
+
+### Locales
+
+Locales are managed via our [Crowdin](https://crowdin.com/project/gitea).
+You can override a locale by placing an altered locale file in `$GITEA_CUSTOM/options/locale`.
+Gitea's default locale files can be found in the [`options/locale`](https://github.com/go-gitea/gitea/tree/main/options/locale) source folder and these should be used as examples for your changes.
+
+To add a completely new locale, as well as placing the file in the above location, you will need to add the new lang and name to the `[i18n]` section in your `app.ini`. Keep in mind that Gitea will use those settings as **overrides**, so if you want to keep the other languages as well you will need to copy/paste the default values and add your own to them.
+
+```ini title="app.ini"
+[i18n]
+LANGS = en-US,foo-BAR
+NAMES = English,FooBar
+```
+
+The first locale will be used as the default if user browser's language doesn't match any locale in the list.
+
+Locales may change between versions, so keeping track of your customized locales is highly encouraged.
+
+### Readmes
+
+To add a custom Readme, add a markdown formatted file (without an `.md` extension) to `$GITEA_CUSTOM/options/readme`
+
+:::note
+Readme templates support **variable expansion**.
+currently there are `{Name}` (name of repository), `{Description}`, `{CloneURL.SSH}`, `{CloneURL.HTTPS}` and `{OwnerName}`
+:::
+
+### Reactions
+
+To change reaction emoji's you can set allowed reactions at app.ini
+
+```ini title="app.ini"
+[ui]
+REACTIONS = +1, -1, laugh, confused, heart, hooray, eyes
+```
+
+A full list of supported emoji's is at [emoji list](https://gitea.com/gitea/gitea.com/issues/8)
+
+## Customizing the look of Gitea
+
+The built-in themes are `gitea-light`, `gitea-dark`, and `gitea-auto` (which automatically adapts to OS settings).
+
+The default theme can be changed via `DEFAULT_THEME` in the [ui](../administration/config-cheat-sheet.md#ui-ui) section of `app.ini`.
+
+Gitea also has support for user themes, which means every user can select which theme should be used.
+The list of themes a user can choose from can be configured with the `THEMES` value in the [ui](../administration/config-cheat-sheet.md#ui-ui) section of `app.ini`.
+
+To make a custom theme available to all users:
+
+1. Add a CSS file to `$GITEA_CUSTOM/public/assets/css/theme-<theme-name>.css`.
+  The value of `$GITEA_CUSTOM` of your instance can be queried by calling `gitea help` and looking up the value of "CustomPath".
+2. Add `<theme-name>` to the comma-separated list of setting `THEMES` in `app.ini`, or leave `THEMES` empty to allow all themes.
+
+A custom theme file named `theme-my-theme.css` will be displayed as `my-theme` on the user's theme selection page.
+It could add theme meta information into the custom theme CSS file to provide more information about the theme.
+If a custom theme is a dark theme, please set the global css variable `--is-dark-theme: true` in the `:root` block.
+This allows Gitea to adjust the Monaco code editor's theme accordingly.
+An "auto" theme could be implemented by using "theme-gitea-auto.css" as a reference.
+
+```css
+gitea-theme-meta-info {
+  --theme-display-name: "My Awesome Theme"; /* this theme will be display as "My Awesome Theme" on the UI */
+}
+:root {
+  --is-dark-theme: true; /* if it is a dark theme */
+  --color-primary: #112233;
+  /* more custom theme variables ... */
+}
+```
+
+Community themes are listed in [gitea/awesome-gitea#themes](https://gitea.com/gitea/awesome-gitea#themes).
+
+The default theme sources can be found [here](https://github.com/go-gitea/gitea/blob/main/web_src/css/themes).
+
+## Customizing fonts
+
+Fonts can be customized using CSS variables:
+
+```css
+:root {
+  --fonts-proportional: /* custom proportional fonts */ !important;
+  --fonts-monospace: /* custom monospace fonts */ !important;
+  --fonts-emoji: /* custom emoji fonts */ !important;
+}
+```

docs/administration/email-setup.md

@@ -0,0 +1,116 @@
+---
+date: "2019-10-15T10:10:00+05:00"
+slug: "email-setup"
+sidebar_position: 12
+aliases:
+  - /en-us/email-setup
+---
+
+# Email setup
+
+Gitea has mailer functionality for sending transactional emails (such as registration confirmation). It can be configured to either use Sendmail (or compatible MTAs like Postfix and msmtp) or directly use SMTP server.
+
+## Using Sendmail
+
+Use `sendmail` command as mailer.
+
+:::note
+For use in the official Gitea Docker image, please configure with the SMTP version (see the following section).
+:::
+
+:::note
+For Internet-facing sites consult documentation of your MTA for instructions to send emails over TLS. Also set up SPF, DMARC, and DKIM DNS records to make emails sent be accepted as legitimate by various email providers.
+:::
+
+```ini title="app.ini"
+[mailer]
+ENABLED       = true
+FROM          = gitea@mydomain.com
+PROTOCOL      = sendmail
+SENDMAIL_PATH = /usr/sbin/sendmail
+SENDMAIL_ARGS = "--" ; most "sendmail" programs take options, "--" will prevent an email address being interpreted as an option.
+```
+
+## Using SMTP
+
+Directly use SMTP server as relay. This option is useful if you don't want to set up MTA on your instance but you have an account at email provider.
+
+```ini title="app.ini"
+[mailer]
+ENABLED        = true
+FROM           = gitea@mydomain.com
+PROTOCOL       = smtps
+SMTP_ADDR      = mail.mydomain.com
+SMTP_PORT      = 587
+USER           = gitea@mydomain.com
+PASSWD         = `password`
+```
+
+Restart Gitea for the configuration changes to take effect.
+
+To send a test email to validate the settings, go to Gitea > Site Administration > Configuration > Summary -> Mailer Configuration.
+
+For the full list of options check the [Config Cheat Sheet](../administration/config-cheat-sheet.md)
+
+:::note
+Authentication is only supported when the SMTP server communication is encrypted with TLS or `HOST=localhost`. TLS encryption can be through:
+:::
+
+- STARTTLS (also known as Opportunistic TLS) via port 587. Initial connection is done over cleartext, but then be upgraded over TLS if the server supports it.
+- SMTPS connection (SMTP over TLS) via the default port 465. Connection to the server use TLS from the beginning.
+- Forced SMTPS connection with `PROTOCOL=smtps`. (These are both known as Implicit TLS.)
+This is due to protections imposed by the Go internal libraries against STRIPTLS attacks.
+
+Note that Implicit TLS is recommended by [RFC8314](https://tools.ietf.org/html/rfc8314#section-3) since 2018.
+
+### Gmail
+
+The following configuration should work with GMail's SMTP server:
+
+```ini title="app.ini"
+[mailer]
+ENABLED        = true
+HOST           = smtp.gmail.com:465 ; Remove this line for Gitea >= 1.18.0
+SMTP_ADDR      = smtp.gmail.com
+SMTP_PORT      = 465
+FROM           = example.user@gmail.com
+USER           = example.user
+PASSWD         = `***`
+PROTOCOL       = smtps
+```
+
+Note that you'll need to create and use an [App password](https://support.google.com/accounts/answer/185833?hl=en) by enabling 2FA on your Google
+account. You won't be able to use your Google account password directly.
+
+### ProtonMail
+
+This feature is currently only available for select Proton for Business customers and those with Visionary and Family plans with custom domain addresses. See [ProtonMail's SMTP documentation](https://proton.me/support/smtp-submission) for more information. This limitation can be circumvented by using the ProtonMail Bridge application.
+
+Note that emails sent using SMTP are not [end-to-end encrypted](https://proton.me/support/proton-mail-encryption-explained). However, they’re still stored with zero-access encryption like any other emails in your Proton Mail inbox.
+
+The following configuration should work with ProtonMail's SMTP server:
+
+1. In your browser (or desktop application), sign in to your Proton Mail account and select **Settings → All settings → Proton Mail → IMAP/SMTP → SMTP tokens**.
+2. Click **Generate token**.
+3. Enter the following details to create a new SMTP token:
+    - **Token name**: Select a name for your token. This is for your reference only and does not affect the token's functionality.
+    - **Email address**: Select one of your active custom domain addresses to pair with your token. Copy this email address and use it for the `FROM` and `USER` configuration in `app.ini`.
+4. Click **Generate**.
+5. Enter your Proton Mail Account password.
+
+Your SMTP username and SMTP token (password) will be generated. You can now enter them as the `USER` and `PASSWD` in your `app.ini` configuration.
+
+```ini title="app.ini"
+[mailer]
+ENABLED        = true
+FROM           = example.user@customdomain.tld
+PROTOCOL       = smtp+starttls
+SMTP_ADDR      = smtp.protonmail.ch
+SMTP_PORT      = 587
+USER           = example.user@customdomain.tld
+PASSWD         = `TOKEN`
+```
+
+After closing the popup, you will not be able to see this SMTP token (password) again for security reasons. You can always generate more tokens if you need to rotate passwords.
+
+Note: Your Proton Mail login or mailbox passwords will not work with SMTP

docs/administration/environment-variables.md

@@ -1,18 +1,9 @@
 ---
 date: "2017-04-08T11:34:00+02:00"
-title: "Environment variables"
 slug: "environment-variables"
 sidebar_position: 10
-toc: false
-draft: false
 aliases:
   - /en-us/environment-variables
-menu:
-  sidebar:
-    parent: "administration"
-    name: "Environment variables"
-    sidebar_position: 10
-    identifier: "environment-variables"
 ---
 
 # Environment variables

docs/administration/external-renderers.md

@@ -0,0 +1,183 @@
+---
+date: "2018-11-23:00:00+02:00"
+slug: "external-renderers"
+sidebar_position: 60
+aliases:
+  - /en-us/external-renderers
+---
+
+# External renderers
+
+Gitea supports custom file renderings (i.e., Jupyter notebooks, asciidoc, etc.) through external binaries,
+it is just a matter of:
+
+- installing external binaries
+- add some configuration to your `app.ini` file
+- restart your Gitea instance
+
+This supports rendering of whole files. If you want to render code blocks in markdown you would need to do something with javascript. See some examples on the [Customizing Gitea](../administration/customizing-gitea.md) page.
+
+## Installing external binaries
+
+In order to get file rendering through external binaries, their associated packages must be installed.
+If you're using a Docker image, your `Dockerfile` should contain something along this lines:
+
+```docker
+FROM docker.gitea.com/gitea:@dockerVersion@
+[...]
+
+COPY custom/app.ini /data/gitea/conf/app.ini
+[...]
+
+RUN apk --no-cache add asciidoctor freetype freetype-dev gcc g++ libpng libffi-dev pandoc python3-dev py3-pyzmq pipx
+# install any other package you need for your external renderers
+
+RUN pipx install jupyter docutils --include-deps --global
+# add above any other python package you may need to install
+```
+
+## `app.ini` file configuration
+
+add one `[markup.XXXXX]` section per external renderer on your custom `app.ini`:
+
+```ini
+[markup.asciidoc]
+ENABLED = true
+FILE_EXTENSIONS = .adoc,.asciidoc
+RENDER_COMMAND = "asciidoctor -s -a showtitle --out-file=- -"
+; Input is not a standard input but a file
+IS_INPUT_FILE = false
+
+[markup.jupyter]
+ENABLED = true
+FILE_EXTENSIONS = .ipynb
+RENDER_COMMAND = "jupyter nbconvert --stdin --stdout --to html --template basic"
+IS_INPUT_FILE = false
+
+[markup.restructuredtext]
+ENABLED = true
+FILE_EXTENSIONS = .rst
+RENDER_COMMAND = "timeout 30s pandoc +RTS -M512M -RTS -f rst"
+IS_INPUT_FILE = false
+```
+
+If your external markup relies on additional classes and attributes on the generated HTML elements, you might need to enable custom sanitizer policies. Gitea uses the [`bluemonday`](https://godoc.org/github.com/microcosm-cc/bluemonday) package as our HTML sanitizer. The example below could be used to support server-side [KaTeX](https://katex.org/) rendering output from [`pandoc`](https://pandoc.org/).
+
+```ini
+[markup.sanitizer.TeX]
+; Pandoc renders TeX segments as <span>s with the "math" class, optionally
+; with "inline" or "display" classes depending on context.
+; - note this is different from the built-in math support in our markdown parser which uses <code>
+ELEMENT = span
+ALLOW_ATTR = class
+REGEXP = ^\s*((math(\s+|$)|inline(\s+|$)|display(\s+|$)))+
+
+[markup.markdown]
+ENABLED         = true
+FILE_EXTENSIONS = .md,.markdown
+RENDER_COMMAND  = pandoc -f markdown -t html --katex
+```
+
+You must define `ELEMENT` and `ALLOW_ATTR` in each section.
+
+To define multiple entries, add a unique alphanumeric suffix (e.g., `[markup.sanitizer.1]` and `[markup.sanitizer.something]`).
+
+To apply a sanitisation rules only for a specify external renderer they must use the renderer name, e.g. `[markup.sanitizer.asciidoc.rule-1]`, `[markup.sanitizer.<renderer>.rule-1]`.
+
+**Note**: If the rule is defined above the renderer ini section or the name does not match a renderer it is applied to every renderer.
+
+Once your configuration changes have been made, restart Gitea to have changes take effect.
+
+**Note**: Prior to Gitea 1.12 there was a single `markup.sanitiser` section with keys that were redefined for multiple rules, however,
+there were significant problems with this method of configuration necessitating configuration through multiple sections.
+
+### Example: HTML
+
+Render HTML files directly:
+
+```ini
+[markup.html]
+ENABLED         = true
+FILE_EXTENSIONS = .html,.htm
+RENDER_COMMAND  = cat
+; Input is not a standard input but a file
+IS_INPUT_FILE   = true
+
+[markup.sanitizer.html.1]
+ELEMENT = div
+ALLOW_ATTR = class
+
+[markup.sanitizer.html.2]
+ELEMENT = a
+ALLOW_ATTR = class
+```
+
+### Example: Office DOCX
+
+Display Office DOCX files with [`pandoc`](https://pandoc.org/):
+
+```ini
+[markup.docx]
+ENABLED = true
+FILE_EXTENSIONS = .docx
+RENDER_COMMAND = "pandoc --from docx --to html --self-contained --template /path/to/basic.html"
+
+[markup.sanitizer.docx.img]
+ALLOW_DATA_URI_IMAGES = true
+```
+
+The template file has the following content:
+
+```
+$body$
+```
+
+### Example: Jupyter Notebook
+
+Display Jupyter Notebook files with [`nbconvert`](https://github.com/jupyter/nbconvert):
+
+```ini
+[markup.jupyter]
+ENABLED = true
+FILE_EXTENSIONS = .ipynb
+RENDER_COMMAND = "jupyter-nbconvert --stdin --stdout --to html --template basic"
+
+[markup.sanitizer.jupyter.img]
+ALLOW_DATA_URI_IMAGES = true
+```
+
+## Customizing CSS
+
+The external renderer is specified in the .ini in the format `[markup.XXXXX]` and the HTML supplied by your external renderer will be wrapped in a `<div>` with classes `markup` and `XXXXX`. The `markup` class provides out of the box styling (as does `markdown` if `XXXXX` is `markdown`). Otherwise you can use these classes to specifically target the contents of your rendered HTML.
+
+And so you could write some CSS:
+
+```css
+.markup.XXXXX html {
+  font-size: 100%;
+  overflow-y: scroll;
+  -webkit-text-size-adjust: 100%;
+  -ms-text-size-adjust: 100%;
+}
+
+.markup.XXXXX body {
+  color: #444;
+  font-family: Georgia, Palatino, 'Palatino Linotype', Times, 'Times New Roman', serif;
+  font-size: 12px;
+  line-height: 1.7;
+  padding: 1em;
+  margin: auto;
+  max-width: 42em;
+  background: #fefefe;
+}
+
+.markup.XXXXX p {
+  color: orangered;
+}
+```
+
+Add your stylesheet to your custom directory e.g `custom/public/assets/css/my-style-XXXXX.css` and import it using a custom header file `custom/templates/custom/header.tmpl`:
+
+```html
+<link rel="stylesheet" href="{{AppSubUrl}}/assets/css/my-style-XXXXX.css" />
+```

docs/administration/fail2ban-setup.md

@@ -0,0 +1,118 @@
+---
+date: "2018-05-11T11:00:00+02:00"
+slug: "fail2ban-setup"
+sidebar_position: 16
+aliases:
+  - /en-us/fail2ban-setup
+---
+
+# Fail2ban Setup
+
+**Remember that fail2ban is powerful and can cause lots of issues if you do it incorrectly, so make
+sure to test this before relying on it so you don't lock yourself out.**
+
+Gitea returns an HTTP 200 for bad logins in the web logs, but if you have logging options on in
+`app.ini`, then you should be able to go off of `log/gitea.log`, which gives you something like this
+on a bad authentication from the web or CLI using SSH or HTTP respectively:
+
+```log
+2018/04/26 18:15:54 [I] Failed authentication attempt for user from xxx.xxx.xxx.xxx
+```
+
+```log
+2020/10/15 16:05:09 modules/ssh/ssh.go:143:publicKeyHandler() [W] Failed authentication attempt from xxx.xxx.xxx.xxx
+```
+
+(DEPRECATED: This may be a false positive as the user may still go on to correctly authenticate.)
+
+```log
+2020/10/15 16:05:09 modules/ssh/ssh.go:155:publicKeyHandler() [W] Failed authentication attempt from xxx.xxx.xxx.xxx
+```
+
+(DEPRECATED: This may be a false positive as the user may still go on to correctly authenticate.)
+
+```log
+2020/10/15 16:05:09 modules/ssh/ssh.go:198:publicKeyHandler() [W] Failed authentication attempt from xxx.xxx.xxx.xxx
+```
+
+(DEPRECATED: This may be a false positive as the user may still go on to correctly authenticate.)
+
+```log
+2020/10/15 16:05:09 modules/ssh/ssh.go:213:publicKeyHandler() [W] Failed authentication attempt from xxx.xxx.xxx.xxx
+```
+
+(DEPRECATED: This may be a false positive as the user may still go on to correctly authenticate.)
+
+```log
+2020/10/15 16:05:09 modules/ssh/ssh.go:227:publicKeyHandler() [W] Failed authentication attempt from xxx.xxx.xxx.xxx
+```
+
+(DEPRECATED: This may be a false positive as the user may still go on to correctly authenticate.)
+
+```log
+2020/10/15 16:05:09 modules/ssh/ssh.go:249:sshConnectionFailed() [W] Failed authentication attempt from xxx.xxx.xxx.xxx
+```
+
+(From 1.15 this new message will available and doesn't have any of the false positive results that above messages from publicKeyHandler do. This will only be logged if the user has completely failed authentication.)
+
+```log
+2020/10/15 16:08:44 ...s/context/context.go:204:HandleText() [E] invalid credentials from xxx.xxx.xxx.xxx
+```
+
+Add our filter in `/etc/fail2ban/filter.d/gitea.local`:
+
+```ini
+# gitea.local
+[Definition]
+failregex =  .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>
+ignoreregex =
+```
+
+Add our jail in `/etc/fail2ban/jail.d/gitea.local`:
+
+```ini
+[gitea]
+enabled = true
+filter = gitea
+logpath = /var/lib/gitea/log/gitea.log
+maxretry = 10
+findtime = 3600
+bantime = 900
+action = iptables-allports
+```
+
+If you're using Docker, you'll also need to add an additional jail to handle the **FORWARD**
+chain in **iptables**. Configure it in `/etc/fail2ban/jail.d/gitea-docker.local`:
+
+```ini
+[gitea-docker]
+enabled = true
+filter = gitea
+logpath = /var/lib/gitea/log/gitea.log
+maxretry = 10
+findtime = 3600
+bantime = 900
+action = iptables-allports[chain="FORWARD"]
+```
+
+Then simply run `service fail2ban restart` to apply your changes. You can check to see if
+fail2ban has accepted your configuration using `service fail2ban status`.
+
+Make sure and read up on fail2ban and configure it to your needs, this bans someone
+for **15 minutes** (from all ports) when they fail authentication 10 times in an hour.
+
+If you run Gitea behind a reverse proxy with Nginx (for example with Docker), you need to add
+this to your Nginx configuration so that IPs don't show up as 127.0.0.1:
+
+```
+proxy_set_header X-Real-IP $remote_addr;
+```
+
+The security options in `app.ini` need to be adjusted to allow the interpretation of the headers
+as well as the list of IP addresses and networks that describe trusted proxy servers
+(See the [configuration cheat sheet](../administration/config-cheat-sheet.md#security-security) for more information).
+
+```
+REVERSE_PROXY_LIMIT = 1
+REVERSE_PROXY_TRUSTED_PROXIES = 127.0.0.1/8 ; 172.17.0.0/16 for the docker default network
+```

docs/administration/git-lfs-support.md

@@ -0,0 +1,43 @@
+---
+date: "2019-10-06T08:00:00+05:00"
+slug: "git-lfs-setup"
+sidebar_position: 12
+aliases:
+  - /en-us/git-lfs-setup
+---
+
+# Git LFS setup
+
+To use Gitea's built-in LFS support, you must update the `app.ini` file:
+
+```ini
+[server]
+; Enables git-lfs support. true or false, default is false.
+LFS_START_SERVER = true
+
+[lfs]
+; Where your lfs files reside, default is data/lfs.
+PATH = /home/gitea/data/lfs
+```
+
+:::note
+LFS server support needs at least Git v2.1.2 installed on the server
+:::
+
+# Git LFS Pure SSH protocol
+
+The LFS Pure SSH protocol supports making LFS connections purely over SSH
+(without having to expose an HTTP endpoint for the Gitea server).
+Support for it can be enabled with the config option `server.LFS_ALLOW_PURE_SSH`:
+
+```ini
+[server]
+LFS_ALLOW_PURE_SSH = true
+```
+
+:::note
+The option is currently set to default false due to an open bug in the `git-lfs`
+client that causes SSH transfers to hang: https://github.com/git-lfs/git-lfs/pull/5816
+This can be worked around on all the client machines by setting the git config:
+`git config --global lfs.ssh.automultiplex false`
+:::

docs/administration/https-support.md

@@ -0,0 +1,93 @@
+---
+date: "2018-06-02T11:00:00+02:00"
+slug: "https-setup"
+sidebar_position: 12
+aliases:
+  - /en-us/https-setup
+---
+
+# HTTPS Setup
+
+## Using the built-in server
+
+Before you enable HTTPS, make sure that you have valid SSL/TLS certificates.
+You could use self-generated certificates for evaluation and testing. Please run `gitea cert --host [HOST]` to generate a self signed certificate.
+
+If you are using Apache or nginx on the server, it's recommended to check the [reverse proxy guide](./reverse-proxies.md).
+
+To use Gitea's built-in HTTPS support, you must change your `app.ini` file:
+
+```ini
+[server]
+PROTOCOL  = https
+ROOT_URL  = https://git.example.com:3000/
+HTTP_PORT = 3000
+CERT_FILE = cert.pem
+KEY_FILE  = key.pem
+```
+
+Note that if your certificate is signed by a third party certificate authority (i.e. not self-signed), then cert.pem should contain the certificate chain. The server certificate must be the first entry in cert.pem, followed by the intermediaries in order (if any). The root certificate does not have to be included because the connecting client must already have it in order to establish the trust relationship.
+To learn more about the config values, please checkout the [Config Cheat Sheet](./config-cheat-sheet.md#server-server).
+
+For the `CERT_FILE` or `KEY_FILE` field, the file path is relative to the `GITEA_CUSTOM` environment variable when it is a relative path. It can be an absolute path as well.
+
+### Setting up HTTP redirection
+
+The Gitea server is only able to listen to one port; to redirect HTTP requests to the HTTPS port, you will need to enable the HTTP redirection service:
+
+```ini
+[server]
+REDIRECT_OTHER_PORT = true
+; Port the redirection service should listen on
+PORT_TO_REDIRECT = 3080
+```
+
+If you are using Docker, make sure that this port is configured in your `docker-compose.yml` file.
+
+## Using ACME (Default: Let's Encrypt)
+
+[ACME](https://tools.ietf.org/html/rfc8555) is a Certificate Authority standard protocol that allows you to automatically request and renew SSL/TLS certificates. [Let's Encrypt](https://letsencrypt.org/) is a free publicly trusted Certificate Authority server using this standard. Only `HTTP-01` and `TLS-ALPN-01` challenges are implemented. In order for ACME challenges to pass and verify your domain ownership, external traffic to the gitea domain on port `80` (`HTTP-01`) or port `443` (`TLS-ALPN-01`) has to be served by the gitea instance. Setting up [HTTP redirection](#setting-up-http-redirection) and port-forwards might be needed for external traffic to route correctly. Normal traffic to port `80` will otherwise be automatically redirected to HTTPS. **You must consent** to the ACME provider's terms of service (default Let's Encrypt's [terms of service](https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf)).
+
+Minimum setup using the default Let's Encrypt:
+
+```ini
+[server]
+PROTOCOL=https
+DOMAIN=git.example.com
+ENABLE_ACME=true
+ACME_ACCEPTTOS=true
+ACME_DIRECTORY=https
+;; Email can be omitted here and provided manually at first run, after which it is cached
+ACME_EMAIL=email@example.com
+```
+
+Minimum setup using a [smallstep CA](https://github.com/smallstep/certificates), refer to [their tutorial](https://smallstep.com/docs/tutorials/acme-challenge) for more information.
+
+```ini
+[server]
+PROTOCOL=https
+DOMAIN=git.example.com
+ENABLE_ACME=true
+ACME_ACCEPTTOS=true
+ACME_URL=https://ca.example.com/acme/acme/directory
+;; Can be omitted if using the system's trust is preferred
+;ACME_CA_ROOT=/path/to/root_ca.crt
+ACME_DIRECTORY=https
+ACME_EMAIL=email@example.com
+```
+
+To learn more about the config values, please checkout the [Config Cheat Sheet](./config-cheat-sheet.md#server-server).
+
+## Using a reverse proxy
+
+Setup up your reverse proxy as shown in the [reverse proxy guide](../administration/reverse-proxies.md).
+
+After that, enable HTTPS by following one of these guides:
+
+- [nginx](https://nginx.org/en/docs/http/configuring_https_servers.html)
+- [apache2/httpd](https://httpd.apache.org/docs/2.4/ssl/ssl_howto.html)
+- [caddy](https://caddyserver.com/docs/tls)
+
+:::note
+Enabling HTTPS only at the proxy level is referred as [TLS Termination Proxy](https://en.wikipedia.org/wiki/TLS_termination_proxy). The proxy server accepts incoming TLS connections, decrypts the contents, and passes the now unencrypted contents to Gitea. This is normally fine as long as both the proxy and Gitea instances are either on the same machine, or on different machines within private network (with the proxy is exposed to outside network). If your Gitea instance is separated from your proxy over a public network, or if you want full end-to-end encryption, you can also [enable HTTPS support directly in Gitea using built-in server](#using-the-built-in-server) and forward the connections over HTTPS instead.
+:::

docs/administration/logging-config.md

@@ -0,0 +1,284 @@
+---
+date: "2019-04-02T17:06:00+01:00"
+slug: "logging-config"
+sidebar_position: 40
+aliases:
+  - /en-us/logging-configuration
+---
+
+# Logging Configuration
+
+The logging configuration of Gitea mainly consists of 3 types of components:
+
+- The `[log]` section for general configuration
+- `[log.<mode-name>]` sections for the configuration of different log writers to output logs, aka: "writer mode", the mode name is also used as "writer name".
+- The `[log]` section can also contain sub-logger configurations following the key schema `logger.<logger-name>.<CONFIG-KEY>`
+
+There is a fully functional log output by default, so it is not necessary to define one.
+
+## Collecting Logs for Help
+
+To collect logs for help and issue report, see [Support Options](help/support.md).
+
+## The `[log]` section
+
+Configuration of logging facilities in Gitea happen in the `[log]` section and its subsections.
+
+In the top level `[log]` section the following configurations can be placed:
+
+- `ROOT_PATH`: (Default: **%(GITEA_WORK_DIR)/log**): Base path for log files
+- `MODE`: (Default: **console**) List of log outputs to use for the Default logger.
+- `LEVEL`: (Default: **Info**) Least severe log events to persist, case-insensitive. Possible values are: `Trace`, `Debug`, `Info`, `Warn`, `Error`, `Fatal`.
+- `STACKTRACE_LEVEL`: (Default: **None**) For this and more severe events the stacktrace will be printed upon getting logged.
+
+And it can contain the following sub-loggers:
+
+- `logger.router.MODE`: (Default: **,**): List of log outputs to use for the Router logger.
+- `logger.access.MODE`: (Default: **_empty_**)  List of log outputs to use for the Access logger. By default, the access logger is disabled.
+- `logger.xorm.MODE`: (Default: **,**) List of log outputs to use for the XORM logger.
+
+Setting a comma (`,`) to sub-logger's mode means making it use the default global `MODE`.
+
+## Quick samples
+
+### Default (empty) Configuration
+
+The empty configuration is equivalent to default:
+
+```ini
+[log]
+ROOT_PATH = %(GITEA_WORK_DIR)/log
+MODE = console
+LEVEL = Info
+STACKTRACE_LEVEL = None
+logger.router.MODE = ,
+logger.xorm.MODE = ,
+logger.access.MODE =
+
+; this is the config options of "console" mode (used by MODE=console above)
+[log.console]
+MODE = console
+FLAGS = stdflags
+PREFIX =
+COLORIZE = true
+```
+
+This is equivalent to sending all logs to the console, with default Golang log being sent to the console log too.
+
+This is only a sample, and it is the default, do not need to write it into your configuration file.
+
+### Disable Router logs and record some access logs to file
+
+The Router logger is disabled, the access logs (>=Warn) goes into `access.log`:
+
+```ini
+[log]
+logger.router.MODE =
+logger.access.MODE = access-file
+
+[log.access-file]
+MODE = file
+LEVEL = Warn
+FILE_NAME = access.log
+```
+
+### Set different log levels for different modes
+
+Default logs (>=Warn) goes into `gitea.log`, while Error logs goes into `file-error.log`:
+
+```ini
+[log]
+LEVEL = Warn
+MODE = file, file-error
+
+; by default, the "file" mode will record logs to %(log.ROOT_PATH)/gitea.log, so we don't need to set it
+; [log.file]
+; by default, the MODE (actually it's the output writer of this logger) is taken from the section name, so we don't need to set it either
+; MODE = file
+
+[log.file-error]
+MODE = file
+LEVEL = Error
+FILE_NAME = file-error.log
+```
+
+## Log outputs (mode and writer)
+
+Gitea provides the following log output writers:
+
+- `console` - Log to `stdout` (or `stderr` if it is set in the config)
+- `file` - Log to a file
+- `conn` - Log to a socket (network or unix)
+
+### Common configuration
+
+Certain configuration is common to all modes of log output:
+
+- `MODE` is the mode of the log output writer. It will default to the mode name in the ini section. Thus `[log.console]` will default to `MODE = console`.
+- `LEVEL` is the lowest level that this output will log.
+- `STACKTRACE_LEVEL` is the lowest level that this output will print a stacktrace.
+- `COLORIZE` will default to `true` for `console` as described, otherwise it will default to `false`.
+
+#### `EXPRESSION`
+
+`EXPRESSION` represents a regular expression that log events must match to be logged by the output writer.
+Either the log message, (with colors removed), must match or the `longfilename:linenumber:functionname` must match.
+NB: the whole message or string doesn't need to completely match.
+
+Please note this expression will be run in the writer's goroutine but not the logging event goroutine.
+
+#### `FLAGS`
+
+`FLAGS` represents the preceding logging context information that is
+printed before each message. It is a comma-separated string set. The order of values does not matter.
+
+It defaults to `stdflags` (= `date,time,medfile,shortfuncname,levelinitial`)
+
+Possible values are:
+
+- `none` or `,` - No flags.
+- `date` - the date in the local time zone: `2009/01/23`.
+- `time` - the time in the local time zone: `01:23:23`.
+- `microseconds` - microsecond resolution: `01:23:23.123123`. Assumes  time.
+- `longfile` - full file name and line number: `/a/b/c/d.go:23`.
+- `shortfile` - final file name element and line number: `d.go:23`.
+- `funcname` - function name of the caller: `runtime.Caller()`.
+- `shortfuncname` - last part of the function name. Overrides `funcname`.
+- `utc` - if date or time is set, use UTC rather than the local time zone.
+- `levelinitial` - initial character of the provided level in brackets eg. `[I]` for info.
+- `level` - level in brackets `[INFO]`.
+- `gopid` - the Goroutine-PID of the context.
+- `medfile` - last 20 characters of the filename - equivalent to `shortfile,longfile`.
+- `stdflags` - equivalent to `date,time,medfile,shortfuncname,levelinitial`.
+
+### Console mode
+
+In this mode the logger will forward log messages to the stdout and
+stderr streams attached to the Gitea process.
+
+For loggers in console mode, `COLORIZE` will default to `true` if not
+on windows, or the Windows terminal can be set into ANSI mode or is a
+cygwin or Msys pipe.
+
+Settings:
+
+- `STDERR`: **false**: Whether the logger should print to `stderr` instead of `stdout`.
+
+### File mode
+
+In this mode the logger will save log messages to a file.
+
+Settings:
+
+- `FILE_NAME`: The file to write the log events to, relative to `ROOT_PATH`, Default to `%(ROOT_PATH)/gitea.log`. Exception: access log will default to `%(ROOT_PATH)/access.log`.
+- `MAX_SIZE_SHIFT`: **28**: Maximum size shift of a single file. 28 represents 256Mb. For details see below.
+- `LOG_ROTATE` **true**: Whether to rotate the log files. TODO: if false, will it delete instead on daily rotate, or do nothing?.
+- `DAILY_ROTATE`: **true**: Whether to rotate logs daily.
+- `MAX_DAYS`: **7**: Delete rotated log files after this number of days.
+- `COMPRESS`: **true**: Whether to compress old log files by default with gzip.
+- `COMPRESSION_LEVEL`: **-1**: Compression level. For details see below.
+
+`MAX_SIZE_SHIFT` defines the maximum size of a file by left shifting 1 the given number of times (`1 << x`).
+The exact behavior at the time of v1.17.3 can be seen [here](https://github.com/go-gitea/gitea/blob/v1.17.3/modules/setting/log.go#L185).
+
+The useful values of `COMPRESSION_LEVEL` are from 1 (best speed) to 9 (best compression). [DefaultCompression](https://pkg.go.dev/compress/gzip#pkg-constants) (-1) and [HuffmanOnly](https://pkg.go.dev/compress/flate#HuffmanOnly) (-2) can also be chosen.
+Beware that better compression might come with higher resource usage.
+
+### Conn mode
+
+In this mode the logger will send log messages over a network socket.
+
+Settings:
+
+- `ADDR`: **:7020**: Sets the address to connect to.
+- `PROTOCOL`: **tcp**: Set the protocol, either "tcp", "unix" or "udp".
+- `RECONNECT`: **false**: Try to reconnect when connection is lost.
+- `RECONNECT_ON_MSG`: **false**: Reconnect host for every single message.
+
+### The "Router" logger
+
+The Router logger logs the following message types when Gitea's route handlers work:
+
+- `started` messages will be logged at TRACE level
+- `polling`/`completed` routers will be logged at INFO. Exception: "/assets" static resource requests are also logged at TRACE.
+- `slow` routers will be logged at WARN
+- `failed` routers will be logged at WARN
+
+### The "XORM" logger
+
+To make XORM outputs SQL logs, the `LOG_SQL` in `[database]` section should also be set to `true`.
+
+### The "Access" logger
+
+The Access logger is a new logger since Gitea 1.9. It provides a NCSA
+Common Log compliant log format. It's highly configurable but caution
+should be taken when changing its template. The main benefit of this
+logger is that Gitea can now log accesses in a standard log format so
+standard tools may be used.
+
+You can enable this logger using `logger.access.MODE = ...`.
+
+If desired the format of the Access logger can be changed by changing
+the value of the `ACCESS_LOG_TEMPLATE`.
+
+Please note, the access logger will log at `INFO` level, setting the
+`LEVEL` of this logger to `WARN` or above will result in no access logs.
+
+#### The ACCESS_LOG_TEMPLATE
+
+This value represents a go template. Its default value is
+
+```tmpl
+{{.Ctx.RemoteHost}} - {{.Identity}} {{.Start.Format "[02/Jan/2006:15:04:05 -0700]" }} "{{.Ctx.Req.Method}} {{.Ctx.Req.URL.RequestURI}} {{.Ctx.Req.Proto}}" {{.ResponseWriter.Status}} {{.ResponseWriter.Size}} "{{.Ctx.Req.Referer}}" "{{.Ctx.Req.UserAgent}}"`
+```
+
+The template is passed following options:
+
+- `Ctx` is the `context.Context`
+- `Identity` is the `SignedUserName` or `"-"` if the user is not logged in
+- `Start` is the start time of the request
+- `ResponseWriter` is the `http.ResponseWriter`
+
+Caution must be taken when changing this template as it runs outside of
+the standard panic recovery trap. The template should also be as simple
+as it runs for every request.
+
+## Releasing-and-Reopening, Pausing and Resuming logging
+
+If you are running on Unix you may wish to release-and-reopen logs in order to use `logrotate` or other tools.
+It is possible force Gitea to release and reopen it's logging files and connections by sending `SIGUSR1` to the
+running process, or running `gitea manager logging release-and-reopen`.
+
+Alternatively, you may wish to pause and resume logging - this can be accomplished through the use of the
+`gitea manager logging pause` and `gitea manager logging resume` commands. Please note that whilst logging
+is paused log events below INFO level will not be stored and only a limited number of events will be stored.
+Logging may block, albeit temporarily, slowing Gitea considerably whilst paused - therefore it is
+recommended that pausing only done for a very short period of time.
+
+## Adding and removing logging whilst Gitea is running
+
+It is possible to add and remove logging whilst Gitea is running using the `gitea manager logging add` and `remove` subcommands.
+This functionality can only adjust running log systems and cannot be used to start the access or router loggers if they
+were not already initialized. If you wish to start these systems you are advised to adjust the app.ini and (gracefully) restart
+the Gitea service.
+
+The main intention of these commands is to easily add a temporary logger to investigate problems on running systems where a restart
+may cause the issue to disappear.
+
+## Using `logrotate` instead of built-in log rotation
+
+Gitea includes built-in log rotation, which should be enough for most deployments. However, if you instead want to use the `logrotate` utility:
+
+- Disable built-in log rotation by setting `LOG_ROTATE` to `false` in your `app.ini`.
+- Install `logrotate`.
+- Configure `logrotate` to match your deployment requirements, see `man 8 logrotate` for configuration syntax details.
+  In the `postrotate/endscript` block send Gitea a `USR1` signal via `kill -USR1` or `kill -10` to the `gitea` process itself,
+  or run `gitea manager logging release-and-reopen` (with the appropriate environment).
+  Ensure that your configurations apply to all files emitted by Gitea loggers as described in the above sections.
+- Always do `logrotate /etc/logrotate.conf --debug` to test your configurations.
+- If you are using docker and are running from outside the container you can use
+  `docker exec -u $OS_USER $CONTAINER_NAME sh -c 'gitea manager logging release-and-reopen'`
+  or `docker exec $CONTAINER_NAME sh -c '/bin/s6-svc -1 /etc/s6/gitea/'` or send `USR1` directly to the Gitea process itself.
+
+The next `logrotate` jobs will include your configurations, so no restart is needed.
+You can also immediately reload `logrotate` with `logrotate /etc/logrotate.conf --force`.

docs/administration/mail-templates.md

@@ -1,24 +1,15 @@
 ---
 date: "2019-10-23T17:00:00-03:00"
-title: "Mail templates"
 slug: "mail-templates"
 sidebar_position: 45
-toc: false
-draft: false
 aliases:
   - /en-us/mail-templates
-menu:
-  sidebar:
-    parent: "administration"
-    name: "Mail templates"
-    sidebar_position: 45
-    identifier: "mail-templates"
 ---
 
 # Mail templates
 
 To craft the e-mail subject and contents for certain operations, Gitea can be customized by using templates. The templates
-for these functions are located under the [`custom` directory](administration/customizing-gitea.md).
+for these functions are located under the [`custom` directory](../administration/customizing-gitea.md).
 Gitea has an internal template that serves as default in case there's no custom alternative.
 
 Custom templates are loaded when Gitea starts. Changes made to them are not recognized until Gitea is restarted again.
@@ -165,7 +156,7 @@ If the template fails to render, it will be noticed only at the moment the mail
 A default subject is used if the subject template fails, and whatever was rendered successfully
 from the _mail body_ is used, disregarding the rest.
 
-Please check [Gitea's logs](administration/logging-config.md) for error messages in case of trouble.
+Please check [Gitea's logs](../administration/logging-config.md) for error messages in case of trouble.
 
 ## Example
 

docs/administration/repo-indexer.md

@@ -1,18 +1,9 @@
 ---
 date: "2019-09-06T01:35:00-03:00"
-title: "Repository indexer"
 slug: "repo-indexer"
 sidebar_position: 45
-toc: false
-draft: false
 aliases:
   - /en-us/repo-indexer
-menu:
-  sidebar:
-    parent: "administration"
-    name: "Repository indexer"
-    sidebar_position: 45
-    identifier: "repo-indexer"
 ---
 
 # Repository indexer
@@ -25,7 +16,7 @@ Better code search support could be achieved by setting up the repository indexe
 
 ## Setting up the repository indexer
 
-Gitea can search through the files of the repositories by enabling this function in your [`app.ini`](administration/config-cheat-sheet.md):
+Gitea can search through the files of the repositories by enabling this function in your [`app.ini`](../administration/config-cheat-sheet.md):
 
 ```ini
 [indexer]

docs/administration/reverse-proxies.md

@@ -0,0 +1,389 @@
+---
+date: "2018-05-22T11:00:00+00:00"
+slug: "reverse-proxies"
+sidebar_position: 16
+aliases:
+  - /en-us/reverse-proxies
+---
+
+# Reverse Proxies
+
+## General configuration
+
+1. Set `[server] ROOT_URL = https://git.example.com/` in your `app.ini` file.
+2. Make the reverse-proxy pass `https://git.example.com/foo` to `http://gitea:3000/foo`.
+3. Make sure the reverse-proxy does not decode the URI. The request `https://git.example.com/a%2Fb` should be passed as `http://gitea:3000/a%2Fb`.
+4. Make sure `Host` and `X-Fowarded-Proto` headers are correctly passed to Gitea to make Gitea see the real URL being visited.
+
+### Use a sub-path
+
+Usually it's **not recommended** to put Gitea in a sub-path, it's not widely used and may have some issues in rare cases.
+
+To make Gitea work with a sub-path (eg: `https://common.example.com/gitea/`),
+there are some extra requirements besides the general configuration above:
+
+1. Use `[server] ROOT_URL = https://common.example.com/gitea/` in your `app.ini` file.
+2. Make the reverse-proxy pass `https://common.example.com/gitea/foo` to `http://gitea:3000/foo`.
+3. The container registry requires a fixed sub-path `/v2` at the root level which must be configured:
+   - Make the reverse-proxy pass `https://common.example.com/v2` to `http://gitea:3000/v2`.
+   - Make sure the URI and headers are also correctly passed (see the general configuration above).
+
+## Nginx
+
+If you want Nginx to serve your Gitea instance, add the following `server` section to the `http` section of `nginx.conf`.
+
+Make sure `client_max_body_size` is large enough, otherwise there would be "413 Request Entity Too Large" error when uploading large files.
+
+```nginx
+server {
+    ...
+    location / {
+        client_max_body_size 512M;
+        proxy_pass http://localhost:3000;
+        proxy_set_header Connection $http_connection;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+}
+```
+
+## Nginx with a sub-path
+
+In case you already have a site, and you want Gitea to share the domain name,
+you can setup Nginx to serve Gitea under a sub-path by adding the following `server` section
+into the `http` section of `nginx.conf`:
+
+```nginx
+server {
+    ...
+    location ~ ^/(gitea|v2)($|/) {
+        client_max_body_size 512M;
+
+        # make nginx use unescaped URI, keep "%2F" as-is, remove the "/gitea" sub-path prefix, pass "/v2" as-is.
+        rewrite ^ $request_uri;
+        rewrite ^/(gitea($|/))?(.*) /$3 break;
+        proxy_pass http://127.0.0.1:3000$uri;
+
+        # other common HTTP headers, see the "Nginx" config section above
+        proxy_set_header Connection $http_connection;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+}
+```
+
+Then you **MUST** set something like `[server] ROOT_URL = http://git.example.com/gitea/` correctly in your configuration.
+
+## Nginx and serve static resources directly
+
+We can tune the performance in splitting requests into categories static and dynamic.
+
+CSS files, JavaScript files, images and web fonts are static content.
+The front page, a repository view or issue list is dynamic content.
+
+Nginx can serve static resources directly and proxy only the dynamic requests to Gitea.
+Nginx is optimized for serving static content, while the proxying of large responses might be the opposite of that
+(see [https://serverfault.com/q/587386](https://serverfault.com/q/587386)).
+
+Download a snapshot of the Gitea source repository to `/path/to/gitea/`.
+After this, run `make frontend` in the repository directory to generate the static resources. We are only interested in the `public/` directory for this task, so you can delete the rest.
+(You will need to have [Node with npm](https://nodejs.org/en/download/) and `make` installed to generate the static resources)
+
+Depending on the scale of your user base, you might want to split the traffic to two distinct servers,
+or use a cdn for the static files.
+
+### Single node and single domain
+
+Set `[server] STATIC_URL_PREFIX = /_/static` in your configuration.
+
+```nginx
+server {
+    listen 80;
+    server_name git.example.com;
+
+    location /_/static/assets/ {
+        alias /path/to/gitea/public/;
+    }
+
+    location / {
+        proxy_pass http://localhost:3000;
+    }
+}
+```
+
+### Two nodes and two domains
+
+Set `[server] STATIC_URL_PREFIX = http://cdn.example.com/gitea` in your configuration.
+
+```nginx
+# application server running Gitea
+server {
+    listen 80;
+    server_name git.example.com;
+
+    location / {
+        proxy_pass http://localhost:3000;
+    }
+}
+```
+
+```nginx
+# static content delivery server
+server {
+    listen 80;
+    server_name cdn.example.com;
+
+    location /gitea/ {
+        alias /path/to/gitea/public/;
+    }
+
+    location / {
+        return 404;
+    }
+}
+```
+
+## Apache HTTPD
+
+If you want Apache HTTPD to serve your Gitea instance, you can add the following to your Apache HTTPD configuration (usually located at `/etc/apache2/httpd.conf` in Ubuntu):
+
+```apacheconf
+<VirtualHost *:80>
+    ...
+    ProxyPreserveHost On
+    ProxyRequests off
+    AllowEncodedSlashes NoDecode
+    ProxyPass / http://localhost:3000/ nocanon
+    RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
+</VirtualHost>
+```
+
+:::note
+The following Apache HTTPD mods must be enabled: `proxy`, `proxy_http`.
+:::
+
+If you wish to use Let's Encrypt with webroot validation, add the line `ProxyPass /.well-known !` before `ProxyPass` to disable proxying these requests to Gitea.
+
+## Apache HTTPD with a sub-path
+
+In case you already have a site, and you want Gitea to share the domain name, you can setup Apache HTTPD to serve Gitea under a sub-path by adding the following to you Apache HTTPD configuration (usually located at `/etc/apache2/httpd.conf` in Ubuntu):
+
+```apacheconf
+<VirtualHost *:80>
+    ...
+    <Proxy *>
+         Order allow,deny
+         Allow from all
+    </Proxy>
+    AllowEncodedSlashes NoDecode
+    # Note: no trailing slash after either /git or port
+    ProxyPass /git http://localhost:3000 nocanon
+    ProxyPreserveHost On
+    RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
+</VirtualHost>
+```
+
+Then you **MUST** set something like `[server] ROOT_URL = http://git.example.com/git/` correctly in your configuration.
+
+:::note
+The following Apache HTTPD mods must be enabled: `proxy`, `proxy_http`.
+:::
+
+## Caddy
+
+If you want Caddy to serve your Gitea instance, you can add the following server block to your Caddyfile:
+
+```
+git.example.com {
+    reverse_proxy localhost:3000
+}
+```
+
+## Caddy with a sub-path
+
+In case you already have a site, and you want Gitea to share the domain name, you can setup Caddy to serve Gitea under a sub-path by adding the following to your server block in your Caddyfile:
+
+```
+git.example.com {
+    route /git/* {
+        uri strip_prefix /git
+        reverse_proxy localhost:3000
+    }
+}
+```
+
+Then set `[server] ROOT_URL = http://git.example.com/git/` in your configuration.
+
+## IIS
+
+If you wish to run Gitea with IIS. You will need to setup IIS with URL Rewrite as reverse proxy.
+
+1. Setup an empty website in IIS, named let's say, `Gitea Proxy`.
+2. Follow the first two steps in [Microsoft's Technical Community Guide to Setup IIS with URL Rewrite](https://techcommunity.microsoft.com/t5/iis-support-blog/setup-iis-with-url-rewrite-as-a-reverse-proxy-for-real-world/ba-p/846222#M343). That is:
+
+- Install Application Request Routing (ARR for short) either by using the Microsoft Web Platform Installer 5.1 (WebPI) or downloading the extension from [IIS.net](https://www.iis.net/downloads/microsoft/application-request-routing)
+- Once the module is installed in IIS, you will see a new Icon in the IIS Administration Console called URL Rewrite.
+- Open the IIS Manager Console and click on the `Gitea Proxy` Website from the tree view on the left. Select and double click the URL Rewrite Icon from the middle pane to load the URL Rewrite interface.
+- Choose the `Add Rule` action from the right pane of the management console and select the `Reverse Proxy Rule` from the `Inbound and Outbound Rules` category.
+- In the Inbound Rules section, set the server name to be the host that Gitea is running on with its port. e.g. if you are running Gitea on the localhost with port 3000, the following should work: `127.0.0.1:3000`
+- Enable SSL Offloading
+- In the Outbound Rules, ensure `Rewrite the domain names of the links in HTTP response` is set and set the `From:` field as above and the `To:` to your external hostname, say: `git.example.com`
+- Now edit the `web.config` for your website to match the following: (changing `127.0.0.1:3000` and `git.example.com` as appropriate)
+
+```xml
+<?xml version="1.0" encoding="UTF-8"?>
+<configuration>
+    <system.web>
+        <httpRuntime requestPathInvalidCharacters="" />
+    </system.web>
+    <system.webServer>
+        <security>
+          <requestFiltering>
+            <hiddenSegments>
+              <clear />
+            </hiddenSegments>
+            <denyUrlSequences>
+              <clear />
+            </denyUrlSequences>
+            <fileExtensions allowUnlisted="true">
+              <clear />
+            </fileExtensions>
+          </requestFiltering>
+        </security>
+        <rewrite>
+            <rules useOriginalURLEncoding="false">
+                <rule name="ReverseProxyInboundRule1" stopProcessing="true">
+                    <match url="(.*)" />
+                    <action type="Rewrite" url="http://127.0.0.1:3000{UNENCODED_URL}" />
+                    <serverVariables>
+                        <set name="HTTP_X_ORIGINAL_ACCEPT_ENCODING" value="HTTP_ACCEPT_ENCODING" />
+                        <set name="HTTP_ACCEPT_ENCODING" value="" />
+                    </serverVariables>
+                </rule>
+            </rules>
+            <outboundRules>
+                <rule name="ReverseProxyOutboundRule1" preCondition="ResponseIsHtml1">
+                    <!-- set the pattern correctly here - if you only want to accept http or https -->
+                    <!-- change the pattern and the action value as appropriate -->
+                    <match filterByTags="A, Form, Img" pattern="^http(s)?://127.0.0.1:3000/(.*)" />
+                    <action type="Rewrite" value="http{R:1}://git.example.com/{R:2}" />
+                </rule>
+                <rule name="RestoreAcceptEncoding" preCondition="NeedsRestoringAcceptEncoding">
+                    <match serverVariable="HTTP_ACCEPT_ENCODING" pattern="^(.*)" />
+                    <action type="Rewrite" value="{HTTP_X_ORIGINAL_ACCEPT_ENCODING}" />
+                </rule>
+                <preConditions>
+                    <preCondition name="ResponseIsHtml1">
+                        <add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/html" />
+                    </preCondition>
+                    <preCondition name="NeedsRestoringAcceptEncoding">
+                        <add input="{HTTP_X_ORIGINAL_ACCEPT_ENCODING}" pattern=".+" />
+                    </preCondition>
+                </preConditions>
+            </outboundRules>
+        </rewrite>
+        <urlCompression doDynamicCompression="true" />
+        <handlers>
+          <clear />
+          <add name="StaticFile" path="*" verb="*" modules="StaticFileModule,DefaultDocumentModule,DirectoryListingModule" resourceType="Either" requireAccess="Read" />
+        </handlers>
+        <!-- Map all extensions to the same MIME type, so all files can be
+               downloaded. -->
+        <staticContent>
+          <clear />
+          <mimeMap fileExtension="*" mimeType="application/octet-stream" />
+        </staticContent>
+    </system.webServer>
+</configuration>
+```
+
+## HAProxy
+
+If you want HAProxy to serve your Gitea instance, you can add the following to your HAProxy configuration
+
+add an acl in the frontend section to redirect calls to gitea.example.com to the correct backend
+
+```
+frontend http-in
+    ...
+    acl acl_gitea hdr(host) -i gitea.example.com
+    use_backend gitea if acl_gitea
+    ...
+```
+
+add the previously defined backend section
+
+```
+backend gitea
+    server localhost:3000 check
+```
+
+If you redirect the http content to https, the configuration work the same way, just remember that the connection between HAProxy and Gitea will be done via http so you do not have to enable https in Gitea's configuration.
+
+## HAProxy with a sub-path
+
+In case you already have a site, and you want Gitea to share the domain name, you can setup HAProxy to serve Gitea under a sub-path by adding the following to you HAProxy configuration:
+
+```
+frontend http-in
+    ...
+    acl acl_gitea path_beg /gitea
+    use_backend gitea if acl_gitea
+    ...
+```
+
+With that configuration http://example.com/gitea/ will redirect to your Gitea instance.
+
+then for the backend section
+
+```
+backend gitea
+    http-request replace-path /gitea\/?(.*) \/\1
+    server localhost:3000 check
+```
+
+The added http-request will automatically add a trailing slash if needed and internally remove /gitea from the path to allow it to work correctly with Gitea by setting properly http://example.com/gitea as the root.
+
+Then you **MUST** set something like `[server] ROOT_URL = http://example.com/gitea/` correctly in your configuration.
+
+## Traefik
+
+If you want traefik to serve your Gitea instance, you can add the following label section to your `docker-compose.yaml` (Assuming the provider is docker).
+
+```yaml
+gitea:
+  image: docker.io/gitea/gitea
+  ...
+  labels:
+    - "traefik.enable=true"
+    - "traefik.http.routers.gitea.rule=Host(`example.com`)"
+    - "traefik.http.services.gitea-websecure.loadbalancer.server.port=3000"
+```
+
+This config assumes that you are handling HTTPS on the traefik side and using HTTP between Gitea and traefik.
+
+## Traefik with a sub-path
+
+In case you already have a site, and you want Gitea to share the domain name, you can setup Traefik to serve Gitea under a sub-path by adding the following to your `docker-compose.yaml` (Assuming the provider is docker) :
+
+```yaml
+gitea:
+  image: docker.io/gitea/gitea
+  ...
+  labels:
+    - "traefik.enable=true"
+    - "traefik.http.routers.gitea.rule=Host(`example.com`) && PathPrefix(`/gitea`)"
+    - "traefik.http.services.gitea-websecure.loadbalancer.server.port=3000"
+    - "traefik.http.middlewares.gitea-stripprefix.stripprefix.prefixes=/gitea"
+    - "traefik.http.routers.gitea.middlewares=gitea-stripprefix"
+```
+
+This config assumes that you are handling HTTPS on the traefik side and using HTTP between Gitea and traefik.
+
+Then you **MUST** set something like `[server] ROOT_URL = http://example.com/gitea/` correctly in your configuration.

docs/administration/search-engines-indexation.md

@@ -1,21 +1,12 @@
 ---
 date: "2019-12-31T13:55:00+05:00"
-title: "Search Engines Indexation"
 slug: "search-engines-indexation"
 sidebar_position: 60
-toc: false
-draft: false
 aliases:
   - /en-us/search-engines-indexation
-menu:
-  sidebar:
-    parent: "administration"
-    name: "Search Engines Indexation"
-    sidebar_position: 60
-    identifier: "search-engines-indexation"
 ---
 
-# Search engines indexation of your Gitea installation
+# Search Engines Indexation
 
 By default your Gitea installation will be indexed by search engines.
 If you don't want your repository to be visible for search engines read further.
@@ -23,7 +14,7 @@ If you don't want your repository to be visible for search engines read further.
 ## Block search engines indexation using robots.txt
 
 To make Gitea serve a custom `robots.txt` (default: empty 404) for top level installations,
-create a file with path `public/robots.txt` in the [`custom` folder or `CustomPath`](administration/customizing-gitea.md)
+create a file with path `public/robots.txt` in the [`custom` folder or `CustomPath`](../administration/customizing-gitea.md)
 
 Examples on how to configure the `robots.txt` can be found at [https://moz.com/learn/seo/robotstxt](https://moz.com/learn/seo/robotstxt).
 

docs/administration/signing.md

@@ -0,0 +1,170 @@
+---
+date: "2019-08-17T10:20:00+01:00"
+slug: "signing"
+sidebar_position: 50
+aliases:
+  - /en-us/signing
+---
+
+# GPG Commit Signatures
+
+Gitea will verify GPG commit signatures in the provided tree by
+checking if the commits are signed by a key within the Gitea database,
+or if the commit matches the default key for Git.
+
+Keys are not checked to determine if they have expired or revoked.
+Keys are also not checked with keyservers.
+
+A commit will be marked with a grey unlocked icon if no key can be
+found to verify it. If a commit is marked with a red unlocked icon,
+it is reported to be signed with a key with an id.
+
+:::note
+The signer of a commit does not have to be an author or
+committer of a commit.
+:::
+
+## Automatic Signing
+
+There are a number of places where Gitea will generate commits itself:
+
+- Repository Initialisation
+- Wiki Changes
+- CRUD actions using the editor or the API
+- Merges from Pull Requests
+
+Depending on configuration and server trust you may want Gitea to
+sign these commits.
+
+## Installing and generating a GPG key for Gitea
+
+It is up to a server administrator to determine how best to install
+a signing key. Gitea generates all its commits using the server `git`
+command at present - and therefore the server `gpg` will be used for
+signing (if configured.) Administrators should review best-practices
+for GPG - in particular it is probably advisable to only install a
+signing secret subkey without the master signing and certifying secret
+key.
+
+## General Configuration
+
+Gitea's configuration for signing can be found with the
+`[repository.signing]` section of `app.ini`:
+
+```ini
+...
+[repository.signing]
+SIGNING_KEY = default
+SIGNING_NAME =
+SIGNING_EMAIL =
+INITIAL_COMMIT = always
+CRUD_ACTIONS = pubkey, twofa, parentsigned
+WIKI = never
+MERGES = pubkey, twofa, basesigned, commitssigned
+
+...
+```
+
+### `SIGNING_KEY`
+
+The first option to discuss is the `SIGNING_KEY`. There are three main
+options:
+
+- `none` - this prevents Gitea from signing any commits
+- `default` - Gitea will default to the key configured within `git config`
+- `KEYID` - Gitea will sign commits with the gpg key with the ID
+  `KEYID`. In this case you should provide a `SIGNING_NAME` and
+  `SIGNING_EMAIL` to be displayed for this key.
+
+The `default` option will interrogate `git config` for
+`commit.gpgsign` option - if this is set, then it will use the results
+of the `user.signingkey`, `user.name` and `user.email` as appropriate.
+
+By adjusting Git's `config` file within Gitea's
+repositories, `SIGNING_KEY=default` could be used to provide different
+signing keys on a per-repository basis. However, this is clearly not an
+ideal UI and therefore subject to change.
+
+:::warning
+**Since 1.17**, Gitea runs git in its own home directory `[git].HOME_PATH` (default to `%(APP_DATA_PATH)/home`)
+and uses its own config `{[git].HOME_PATH}/.gitconfig`.
+
+If you have your own customized git config for Gitea, you should set these configs in system git config (aka `/etc/gitconfig`)
+or the Gitea internal git config `{[git].HOME_PATH}/.gitconfig`.
+
+Related home files for git command (like `.gnupg`) should also be put in Gitea's git home directory `[git].HOME_PATH`.
+
+If you like to keep the `.gnupg` directory outside of `{[git].HOME_PATH}/`, consider setting the `$GNUPGHOME` environment variable to your preferred location, otherwise Gitea will use the gpg keys only under `{[git].HOME_PATH}/.gnupg`.
+:::
+
+### `INITIAL_COMMIT`
+
+This option determines whether Gitea should sign the initial commit
+when creating a repository. The possible values are:
+
+- `never`: Never sign
+- `pubkey`: Only sign if the user has a public key
+- `twofa`: Only sign if the user logs in with two factor authentication
+- `always`: Always sign
+
+Options other than `never` and `always` can be combined as a comma
+separated list. The commit will be signed if all selected options are true.
+
+### `WIKI`
+
+This options determines if Gitea should sign commits to the Wiki.
+The possible values are:
+
+- `never`: Never sign
+- `pubkey`: Only sign if the user has a public key
+- `twofa`: Only sign if the user logs in with two-factor authentication
+- `parentsigned`: Only sign if the parent commit is signed.
+- `always`: Always sign
+
+Options other than `never` and `always` can be combined as a comma
+separated list. The commit will be signed if all selected options are true.
+
+### `CRUD_ACTIONS`
+
+This option determines if Gitea should sign commits from the web
+editor or API CRUD actions. The possible values are:
+
+- `never`: Never sign
+- `pubkey`: Only sign if the user has a public key
+- `twofa`: Only sign if the user logs in with two-factor authentication
+- `parentsigned`: Only sign if the parent commit is signed.
+- `always`: Always sign
+
+Options other than `never` and `always` can be combined as a comma
+separated list. The change will be signed if all selected options are true.
+
+### `MERGES`
+
+This option determines if Gitea should sign merge commits from PRs.
+The possible options are:
+
+- `never`: Never sign
+- `pubkey`: Only sign if the user has a public key
+- `twofa`: Only sign if the user logs in with two-factor authentication
+- `basesigned`: Only sign if the parent commit in the base repo is signed.
+- `headsigned`: Only sign if the head commit in the head branch is signed.
+- `commitssigned`: Only sign if all the commits in the head branch to the merge point are signed.
+- `approved`: Only sign approved merges to a protected branch.
+- `always`: Always sign
+
+Options other than `never` and `always` can be combined as a comma
+separated list. The merge will be signed if all selected options are true.
+
+## Obtaining the Public Key of the Signing Key
+
+The public key used to sign Gitea's commits can be obtained from the API at:
+
+```sh
+/api/v1/signing-key.gpg
+```
+
+In cases where there is a repository specific key this can be obtained from:
+
+```sh
+/api/v1/repos/:username/:reponame/signing-key.gpg
+```

docs/contributing.md

@@ -3,8 +3,7 @@ date: "2021-01-22T00:00:00+02:00"
 title: "Contributing"
 slug: "contributing"
 sidebar_position: 35
-toc: false
-draft: false
+
 menu:
   sidebar:
     name: "Contributing"

docs/contributing/guidelines-backend.md

@@ -0,0 +1,115 @@
+---
+date: "2021-11-01T23:41:00+08:00"
+slug: "guidelines-backend"
+sidebar_position: 20
+aliases:
+  - /en-us/guidelines-backend
+---
+
+# Guidelines for Backend Development
+
+## Background
+
+Gitea uses Golang as the backend programming language. It uses many third-party packages and also write some itself.
+For example, Gitea uses [Chi](https://github.com/go-chi/chi) as basic web framework. [Xorm](https://xorm.io) is an ORM framework that is used to interact with the database.
+So it's very important to manage these packages. Please take the below guidelines before you start to write backend code.
+
+## Package Design Guideline
+
+### Packages List
+
+To maintain understandable code and avoid circular dependencies it is important to have a good code structure. The Gitea backend is divided into the following parts:
+
+- `build`: Scripts to help build Gitea.
+- `cmd`: All Gitea actual sub commands includes web, doctor, serv, hooks, admin and etc. `web` will start the web service. `serv` and `hooks` will be invoked by Git or OpenSSH. Other sub commands could help to maintain Gitea.
+- `tests`: Common test utility functions
+  - `tests/integration`: Integration tests, to test back-end regressions
+  - `tests/e2e`: E2e tests, to test front-end and back-end compatibility and visual regressions.
+- `models`: Contains the data structures used by xorm to construct database tables. It also contains functions to query and update the database. Dependencies to other Gitea code should be avoided. You can make exceptions in cases such as logging.
+  - `models/db`: Basic database operations. All other `models/xxx` packages should depend on this package. The `GetEngine` function should only be invoked from `models/`.
+  - `models/fixtures`: Sample data used in unit tests and integration tests. One `yml` file means one table which will be loaded into database when beginning the tests.
+  - `models/migrations`: Stores database migrations between versions. PRs that change a database structure **MUST** also have a migration step.
+- `modules`: Different modules to handle specific functionality in Gitea. Work in Progress: Some of them should be moved to `services`, in particular those that depend on models because they rely on the database.
+  - `modules/setting`: Store all system configurations read from ini files and has been referenced by everywhere. But they should be used as function parameters when possible.
+  - `modules/git`: Package to interactive with `Git` command line or Gogit package.
+- `public`: Compiled frontend files (javascript, images, css, etc.)
+- `routers`: Handling of server requests. As it uses other Gitea packages to serve the request, other packages (models, modules or services) must not depend on routers.
+  - `routers/api` Contains routers for `/api/v1` aims to handle RESTful API requests.
+  - `routers/install` Could only respond when system is in INSTALL mode (INSTALL_LOCK=false).
+  - `routers/private` will only be invoked by internal sub commands, especially `serv` and `hooks`.
+  - `routers/web` will handle HTTP requests from web browsers or Git SMART HTTP protocols.
+- `services`: Support functions for common routing operations or command executions. Uses `models` and `modules` to handle the requests.
+- `templates`: Golang templates for generating the html output.
+
+### Package Dependencies
+
+Since Golang doesn't support import cycles, we have to decide the package dependencies carefully. There are some levels between those packages. Below is the ideal package dependencies direction.
+
+`cmd` -> `routers` -> `services` -> `models` -> `modules`
+
+From left to right, left packages could depend on right packages, but right packages MUST not depend on left packages. The sub packages on the same level could depend on according this level's rules.
+
+:::warning
+Why do we need database transactions outside of `models`? And how?
+Some actions should allow for rollback when database record insertion/update/deletion failed.
+So services must be allowed to create a database transaction. Here is some example,
+
+```go
+// services/repository/repository.go
+func CreateXXXX() error {
+    return db.WithTx(func(ctx context.Context) error {
+        // do something, if err is returned, it will rollback automatically
+        if err := issues.UpdateIssue(ctx, repoID); err != nil {
+            // ...
+            return err
+        }
+        // ...
+        return nil
+    })
+}
+```
+
+You should **not** use `db.GetEngine(ctx)` in `services` directly, but just write a function under `models/`.
+If the function will be used in the transaction, just let `context.Context` as the function's first parameter.
+
+```go
+// models/issues/issue.go
+func UpdateIssue(ctx context.Context, repoID int64) error {
+    e := db.GetEngine(ctx)
+
+    // ...
+}
+```
+:::
+
+### Package Name
+
+For the top level package, use a plural as package name, i.e. `services`, `models`, for sub packages, use singular,
+i.e. `services/user`, `models/repository`.
+
+### Import Alias
+
+Since there are some packages which use the same package name, it is possible that you find packages like `modules/user`, `models/user`, and `services/user`. When these packages are imported in one Go file, it's difficult to know which package we are using and if it's a variable name or an import name. So, we always recommend to use import aliases. To differ from package variables which are commonly in camelCase, just use **snake_case** for import aliases.
+i.e. `import user_service "code.gitea.io/gitea/services/user"`
+
+### Implementing `io.Closer`
+
+If a type implements `io.Closer`, calling `Close` multiple times must not fail or `panic` but return an error or `nil`.
+
+### Important Gotchas
+
+- Never write `x.Update(exemplar)` without an explicit `WHERE` clause:
+  - This will cause all rows in the table to be updated with the non-zero values of the exemplar - including IDs.
+  - You should usually write `x.ID(id).Update(exemplar)`.
+- If during a migration you are inserting into a table using `x.Insert(exemplar)` where the ID is preset:
+  - You will need to ``SET IDENTITY_INSERT `table` ON`` for the MSSQL variant (the migration will fail otherwise)
+  - However, you will also need to update the id sequence for postgres - the migration will silently pass here but later insertions will fail:
+    ``SELECT setval('table_name_id_seq', COALESCE((SELECT MAX(id)+1 FROM `table_name`), 1), false)``
+
+### Future Tasks
+
+Currently, we are creating some refactors to do the following things:
+
+- Correct that codes which doesn't follow the rules.
+- There are too many files in `models`, so we are moving some of them into a sub package `models/xxx`.
+- Some `modules` sub packages should be moved to `services` because they depend on `models`.

docs/contributing/guidelines-frontend.md

@@ -0,0 +1,156 @@
+---
+date: "2021-10-13T16:00:00+02:00"
+slug: "guidelines-frontend"
+sidebar_position: 30
+aliases:
+  - /en-us/guidelines-frontend
+---
+
+# Guidelines for Frontend Development
+
+## Background
+
+Gitea uses [Fomantic-UI](https://fomantic-ui.com/introduction/getting-started.html) (based on [jQuery](https://api.jquery.com)) and [Vue3](https://vuejs.org/) for its frontend.
+
+The HTML pages are rendered by [Go HTML Template](https://pkg.go.dev/html/template).
+
+The source files can be found in the following directories:
+
+* **CSS styles:** `web_src/css/`
+* **JavaScript files:** `web_src/js/`
+* **Vue components:** `web_src/js/components/`
+* **Go HTML templates:** `templates/`
+
+## General Guidelines
+
+We recommend [Google HTML/CSS Style Guide](https://google.github.io/styleguide/htmlcssguide.html) and [Google JavaScript Style Guide](https://google.github.io/styleguide/jsguide.html)
+
+### Gitea specific guidelines
+
+1. Every feature (Fomantic-UI/jQuery module) should be put in separate files/directories.
+2. HTML ids and classes should use kebab-case, it's preferred to contain 2-3 feature related keywords.
+3. HTML ids and classes used in JavaScript should be unique for the whole project, and should contain 2-3 feature related keywords. We recommend to use the `js-` prefix for classes that are only used in JavaScript.
+4. CSS styling for classes provided by frameworks should not be overwritten. Always use new class names with 2-3 feature related keywords to overwrite framework styles. Gitea's helper CSS classes in `helpers.less` could be helpful.
+5. The backend can pass complex data to the frontend by using `ctx.PageData["myModuleData"] = map[]{}`, but do not expose whole models to the frontend to avoid leaking sensitive data.
+6. Simple pages and SEO-related pages use Go HTML Template render to generate static Fomantic-UI HTML output. Complex pages can use Vue3.
+7. Clarify variable types, prefer `elem.disabled = true` instead of `elem.setAttribute('disabled', 'anything')`, prefer `$el.prop('checked', var === 'yes')` instead of `$el.prop('checked', var)`.
+8. Use semantic elements, prefer `<button class="ui button">` instead of `<div class="ui button">`.
+9. Avoid unnecessary `!important` in CSS, add comments to explain why it's necessary if it can't be avoided.
+10. Avoid mixing different events in one event listener, prefer to use individual event listeners for every event.
+11. Custom event names are recommended to use `ce-` prefix.
+12. Prefer using Tailwind CSS which is available via `tw-` prefix, e.g. `tw-relative`. Gitea's helper CSS classes use `gt-` prefix (`gt-ellipsis`), while Gitea's own private framework-level CSS classes use `g-` prefix (`g-modal-confirm`).
+13. Avoid inline scripts & styles as much as possible, it's recommended to put JS code into JS files and use CSS classes. If inline scripts & styles are unavoidable, explain the reason why it can't be avoided.
+
+### Accessibility / ARIA
+
+In history, Gitea heavily uses Fomantic UI which is not an accessibility-friendly framework.
+Gitea uses some patches to make Fomantic UI more accessible (see `aria.md` and related JS files),
+but there are still many problems which need a lot of work and time to fix.
+
+### Framework Usage
+
+Mixing different frameworks together is discouraged, it makes the code difficult to be maintained.
+A JavaScript module should follow one major framework and follow the framework's best practice.
+
+Recommended implementations:
+
+* Vue + Vanilla JS
+* Fomantic-UI (jQuery)
+* htmx (partial page reloads for otherwise static components)
+* Vanilla JS
+
+Discouraged implementations:
+
+* Vue + Fomantic-UI (jQuery)
+* jQuery + Vanilla JS
+* htmx + any other framework which requires heavy JS code, or unnecessary features like htmx scripting (`hx-on`)
+
+To make UI consistent, Vue components can use Fomantic-UI CSS classes.
+We use htmx for simple interactions. You can see an example for simple interactions where htmx should be used in this [PR](https://github.com/go-gitea/gitea/pull/28908). Do not use htmx if you require more advanced reactivity, use another framework (Vue/Vanilla JS).
+Although mixing different frameworks is discouraged,
+it should also work if the mixing is necessary and the code is well-designed and maintainable.
+
+### Typescript
+
+Gitea is in the process of migrating to type-safe Typescript. Here are some specific guidelines regarding Typescript in the codebase:
+
+#### Use type aliases instead of interfaces
+
+Prefer to use type aliases because they can represent any type and are generally more flexible to use than interfaces.
+
+#### Use separate type imports
+
+We use `verbatimModuleSyntax` so type and non-type imports from the same file must be split into two `import type` statements. This enables the typescript compiler to completely eliminate the type import statements during compilation.
+
+#### Use `@ts-expect-error` instead of `@ts-ignore`
+
+Both annotations should be avoided, but if you have to use them, use `@ts-expect-error` because it will not leave ineffective statements after the issue is fixed.
+
+### `async` Functions
+
+Only mark a function as `async` if and only if there are `await` calls
+or `Promise` returns inside the function.
+
+It's not recommended to use `async` event listeners, which may lead to problems.
+The reason is that the code after await is executed outside the event dispatch.
+Reference: https://github.com/github/eslint-plugin-github/blob/main/docs/rules/async-preventdefault.md
+
+If an event listener must be `async`, the `e.preventDefault()` should be before any `await`,
+it's recommended to put it at the beginning of the function.
+
+If we want to call an `async` function in a non-async context,
+it's recommended to use `const _promise = asyncFoo()` to tell readers
+that this is done by purpose, we want to call the async function and ignore the Promise.
+Some lint rules and IDEs also have warnings if the returned Promise is not handled.
+
+### Fetching data
+
+To fetch data, use the wrapper functions `GET`, `POST` etc. from `modules/fetch.js`. They
+accept a `data` option for the content, will automatically set CSRF token and return a
+Promise for a [Response](https://developer.mozilla.org/en-US/docs/Web/API/Response).
+
+### HTML Attributes and `dataset`
+
+The usage of `dataset` is forbidden, its camel-casing behaviour makes it hard to grep for attributes.
+However, there are still some special cases, so the current guideline is:
+
+* For legacy code:
+  * `$.data()` should be refactored to `$.attr()`.
+  * `$.data()` can be used to bind some non-string data to elements in rare cases, but it is highly discouraged.
+
+* For new code:
+  * `node.dataset` should not be used, use `node.getAttribute` instead.
+  * never bind any user data to a DOM node, use a suitable design pattern to describe the relation between node and data.
+
+### Show/Hide Elements
+
+* Vue components are recommended to use `v-if` and `v-show` to show/hide elements.
+* Go template code should use `.tw-hidden` and `showElem()/hideElem()/toggleElem()`, see more details in `.tw-hidden`'s comment.
+
+### Styles and Attributes in Go HTML Template
+
+It's recommended to use:
+
+```html
+<div class="gt-name1 gt-name2 {{if .IsFoo}}gt-foo{{end}}" {{if .IsFoo}}data-foo{{end}}></div>
+```
+
+instead of:
+
+```html
+<div class="gt-name1 gt-name2{{if .IsFoo}} gt-foo{{end}}"{{if .IsFoo}} data-foo{{end}}></div>
+```
+
+to make the code more readable.
+
+### Legacy Code
+
+A lot of legacy code already existed before this document's written. It's recommended to refactor legacy code to follow the guidelines.
+
+### Vue3 and JSX
+
+Gitea is using Vue3 now. We decided not to introduce JSX to keep the HTML and the JavaScript code separated.
+
+### UI Examples
+
+Gitea uses some self-made UI elements and customizes others to integrate them better into the general UI approach. When running Gitea in development mode (`RUN_MODE=dev`), a page with some standardized UI examples is available under `http(s)://your-gitea-url:port/devtest`.

docs/contributing/guidelines-refactoring.md

@@ -1,18 +1,9 @@
 ---
 date: "2023-02-14T00:00:00+00:00"
-title: "Guidelines for Refactoring"
 slug: "guidelines-refactoring"
 sidebar_position: 40
-toc: false
-draft: false
 aliases:
   - /en-us/guidelines-refactoring
-menu:
-  sidebar:
-    parent: "contributing"
-    name: "Guidelines for Refactoring"
-    sidebar_position: 40
-    identifier: "guidelines-refactoring"
 ---
 
 # Guidelines for Refactoring

docs/contributing/localization.md

@@ -1,18 +1,9 @@
 ---
 date: "2016-12-01T16:00:00+02:00"
-title: "Localization"
 slug: "localization"
 sidebar_position: 70
-toc: false
-draft: false
 aliases:
   - /en-us/localization
-menu:
-  sidebar:
-    parent: "contributing"
-    name: "Localization"
-    sidebar_position: 70
-    identifier: "localization"
 ---
 
 # Localization

docs/development.md

@@ -3,8 +3,7 @@ date: "2016-12-01T16:00:00+02:00"
 title: "Development"
 slug: "development"
 sidebar_position: 40
-toc: false
-draft: false
+
 menu:
   sidebar:
     name: "Development"

docs/development/api-usage.md

@@ -0,0 +1,124 @@
+---
+date: "2018-06-24:00:00+02:00"
+slug: "api-usage"
+sidebar_position: 40
+aliases:
+  - /en-us/api-usage
+---
+
+# API Usage
+
+## Enabling/configuring API access
+
+By default, `ENABLE_SWAGGER` is true, and `MAX_RESPONSE_ITEMS` is set to 50. See [Config Cheat Sheet](../administration/config-cheat-sheet.md) for more information.
+
+## Authentication
+
+Gitea supports these methods of API authentication:
+
+- HTTP basic authentication
+- `token=...` parameter in URL query string
+- `access_token=...` parameter in URL query string
+- `Authorization: token ...` header in HTTP headers
+
+All of these methods accept the same API key token type. You can
+better understand this by looking at the code -- as of this writing,
+Gitea parses queries and headers to find the token in
+[modules/auth/auth.go](https://github.com/go-gitea/gitea/blob/6efdcaed86565c91a3dc77631372a9cc45a58e89/modules/auth/auth.go#L47).
+
+## Generating and listing API tokens
+
+A new token can be generated with a `POST` request to
+`/users/:name/tokens`.
+
+Note that `/users/:name/tokens` is a special endpoint and requires you
+to authenticate using `BasicAuth` and a password, as follows:
+
+```sh
+$ curl -H "Content-Type: application/json" -d '{"name":test_token","scopes":["read:activitypub","read:issue", "write:misc", "read:notification", "read:organization", "read:package", "read:repository", "read:user"]}'
+-u 'username:password' "https://gitea.your.host/api/v1/users/{username}/tokens"
+{"id":1,"name":"test_token","sha1":"9fcb1158165773dd010fca5f0cf7174316c3e37d","token_last_eight":"16c3e37d"}
+```
+
+The ``sha1`` (the token) is only returned once and is not stored in
+plain-text.  It will not be displayed when listing tokens with a `GET`
+request; e.g.
+
+```sh
+$ curl --url https://yourusername:password@gitea.your.host/api/v1/users/<username>/tokens
+[{"name":"test","sha1":"","token_last_eight:"........":},{"name":"dev","sha1":"","token_last_eight":"........"}]
+```
+
+To use the API with basic authentication with two factor authentication
+enabled, you'll need to send an additional header that contains the one
+time password (6 digitrotating token).
+An example of the header is `X-Gitea-OTP: 123456` where `123456`
+is where you'd place the code from your authenticator.
+Here is how the request would look like in curl:
+
+```sh
+$ curl -H "X-Gitea-OTP: 123456" --url https://yourusername:yourpassword@gitea.your.host/api/v1/users/yourusername/tokens
+```
+
+You can also create an API key token via your Gitea installation's web
+interface: `Settings | Applications | Generate New Token`.
+
+## OAuth2 Provider
+
+Access tokens obtained from Gitea's [OAuth2 provider](development/oauth2-provider.md) are accepted by these methods:
+
+- `Authorization bearer ...` header in HTTP headers
+- `token=...` parameter in URL query string
+- `access_token=...` parameter in URL query string
+
+### More on the `Authorization:` header
+
+For historical reasons, Gitea needs the word `token` included before
+the API key token in an authorization header, like this:
+
+```sh
+Authorization: token 65eaa9c8ef52460d22a93307fe0aee76289dc675
+```
+
+In a `curl` command, for instance, this would look like:
+
+```sh
+curl "http://localhost:4000/api/v1/repos/test1/test1/issues" \
+    -H "accept: application/json" \
+    -H "Authorization: token 65eaa9c8ef52460d22a93307fe0aee76289dc675" \
+    -H "Content-Type: application/json" -d "{ \"body\": \"testing\", \"title\": \"test 20\"}" -i
+```
+
+As mentioned above, the token used is the same one you would use in
+the `token=` string in a GET request.
+
+## Pagination
+
+The API supports pagination. The `page` and `limit` parameters are used to specify the page number and the number of items per page. As well, the `Link` header is returned with the next, previous, and last page links if there are more than one pages. The `x-total-count` is also returned to indicate the total number of items.
+
+```sh
+curl -v "http://localhost/api/v1/repos/search?limit=1"
+...
+< link: <http://localhost/api/v1/repos/search?limit=1&page=2>; rel="next",<http://localhost/api/v1/repos/search?limit=1&page=5252>; rel="last"
+...
+< x-total-count: 5252
+```
+
+## API Guide
+
+API Reference guide is auto-generated by swagger and available on:
+`https://gitea.your.host/api/swagger`
+or on the
+[Gitea instance](https://gitea.com/api/swagger)
+
+The OpenAPI document is at:
+`https://gitea.your.host/swagger.v1.json`
+
+## Sudo
+
+The API allows admin users to sudo API requests as another user. Simply add either a `sudo=` parameter or `Sudo:` request header with the username of the user to sudo.
+
+## SDKs
+
+- [Official go-sdk](https://gitea.com/gitea/go-sdk)
+- [more](https://gitea.com/gitea/awesome-gitea#user-content-sdk)

docs/development/hacking-on-gitea.md

@@ -1,18 +1,9 @@
 ---
 date: "2016-12-01T16:00:00+02:00"
-title: "Hacking on Gitea"
 slug: "hacking-on-gitea"
 sidebar_position: 10
-toc: false
-draft: false
 aliases:
   - /en-us/hacking-on-gitea
-menu:
-  sidebar:
-    parent: "development"
-    name: "Hacking on Gitea"
-    sidebar_position: 10
-    identifier: "hacking-on-gitea"
 ---
 
 # Hacking on Gitea
@@ -32,17 +23,21 @@ Next, [install Node.js with npm](https://nodejs.org/en/download/) which is
 required to build the JavaScript and CSS files. The minimum supported Node.js
 version is @minNodeVersion@ and the latest LTS version is recommended.
 
-**Note**: When executing make tasks that require external tools, like
+:::note
+When executing make tasks that require external tools, like
 `make watch-backend`, Gitea will automatically download and build these as
 necessary. To be able to use these you must have the `"$GOPATH"/bin` directory
 on the executable path. If you don't add the go bin directory to the
 executable path you will have to manage this yourself.
+:::
 
-**Note 2**: Go version @minGoVersion@ or higher is required.
+:::note
+Go version @minGoVersion@ or higher is required.
 Gitea uses `gofmt` to format source code. However, the results of
 `gofmt` can differ by the version of `go`. Therefore it is
 recommended to install the version of Go that our continuous integration is
 running. As of last update, the Go version should be @goVersion@.
+:::
 
 To lint the template files, ensure [Python](https://www.python.org/) and
 [Poetry](https://python-poetry.org/) are installed.
@@ -82,7 +77,9 @@ One of these three distributions of Make will run on Windows:
   - To compile Gitea with CGO_ENABLED (eg: SQLite3), you might need to use [tdm-gcc](https://jmeubank.github.io/tdm-gcc/) instead of MSYS2 gcc, because MSYS2 gcc headers lack some Windows-only CRT functions like `_beginthread`.
 - [Chocolatey package](https://chocolatey.org/packages/make). Run `choco install make`
 
-**Note**: If you are attempting to build using make with Windows Command Prompt, you may run into issues. The above prompts (Git bash, or MinGW) are recommended, however if you only have command prompt (or potentially PowerShell) you can set environment variables using the [set](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/set_1) command, e.g. `set TAGS=bindata`.
+:::note
+If you are attempting to build using make with Windows Command Prompt, you may run into issues. The above prompts (Git bash, or MinGW) are recommended, however if you only have command prompt (or potentially PowerShell) you can set environment variables using the [set](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/set_1) command, e.g. `set TAGS=bindata`.
+:::
 
 ## Downloading and cloning the Gitea source code
 
@@ -256,15 +253,16 @@ server will check that this has been done using:
 make swagger-check
 ```
 
-**Note**: Please note you should use the Swagger 2.0 documentation, not the
-OpenAPI 3 documentation.
+:::note
+Please note you should use the Swagger 2.0 documentation, not the OpenAPI 3 documentation.
+:::
 
 ### Creating new configuration options
 
 When creating new configuration options, it is not enough to add them to the
 `modules/setting` files. You should add information to `custom/conf/app.ini`
 and to the
-[configuration cheat sheet](administration/config-cheat-sheet.md)
+[configuration cheat sheet](../administration/config-cheat-sheet.md)
 found in `docs/content/doc/administer/config-cheat-sheet.en-us.md`
 
 ### Changing the logo

docs/development/integrations.md

@@ -1,18 +1,9 @@
 ---
 date: "2019-04-15T17:29:00+08:00"
-title: "Integrations"
 slug: "integrations"
 sidebar_position: 65
-toc: false
-draft: false
 aliases:
   - /en-us/integrations
-menu:
-  sidebar:
-    parent: "development"
-    name: "Integrations"
-    sidebar_position: 65
-    identifier: "integrations"
 ---
 
 # Integrations

docs/development/migrations.md

@@ -1,21 +1,12 @@
 ---
 date: "2019-04-15T17:29:00+08:00"
-title: "Migrations Interfaces"
 slug: "migrations-interfaces"
 sidebar_position: 55
-toc: false
-draft: false
 aliases:
   - /en-us/migrations-interfaces
-menu:
-  sidebar:
-    parent: "development"
-    name: "Migrations Interfaces"
-    sidebar_position: 55
-    identifier: "migrations-interfaces"
 ---
 
-# Migration Features
+# Migration Interfaces
 
 Complete migrations were introduced in Gitea 1.9.0. It defines two interfaces to support migrating
 repository data from other Git host platforms to Gitea or, in the future, migrating Gitea data to other Git host platforms.

docs/development/oauth2-provider.md

@@ -0,0 +1,271 @@
+---
+date: "2023-06-01T08:40:00+08:00"
+slug: "oauth2-provider"
+sidebar_position: 41
+aliases:
+  - /en-us/oauth2-provider
+---
+
+# OAuth2 Provider
+
+Gitea supports acting as an OAuth2 Provider, allowing third-party applications to access its resources with user consent.
+
+When acting as the OAuth2 Provider, Gitea verifies every authorization request against the related OAuth2 Application. This application can be set up by an individual user, an organization admin, or a Gitea instance admin.
+
+Regardless of who configured the application, the first authorization attempt opens a new page in the user's web browser, prompting them to authorize the application.
+
+## Configuration
+
+An OAuth2 Application in Gitea requires the following configuration made in two steps:
+
+### Gitea Step 1
+- Name (`/admin/applications/`)
+- Redirect URL (`/admin/applications/`)
+
+![](/development/gitea_oauth2_step1.png)
+
+### Gitea Step 2
+- Client ID (`/admin/applications/oauth2/_id_`)
+- Client Secret (`/admin/applications/oauth2/_id_`)
+- Confidential client status (`/admin/applications/oauth2/_id_`)
+
+![](/development/gitea_oauth2_step2.png)
+
+### Third Party Step 3
+
+The third-party (Relaying Parties) application's request must include:
+
+- Credentials (Client ID and Client Secret)
+- Desired scope and claims (expected to be provided by Gitea)
+
+An example of MinIO:
+
+![](/development/minio_oauth2.png)
+
+
+### Gitea's User Approval Step 3
+
+For example, logging in with a Gitea account on MinIO...
+![](/development/minio_login.png)
+
+...will display the approval popup after a successful login:
+![](/development/gitea_approval.png)
+
+By default, if the third party sets the scopes to `openid`, `email`, `profile`, and `groups`, and the user approves, the application gains full access to all of the user's public and private resources (repositories, issues, user information, etc.).
+
+> **NOTE:** At present, an admin who sets up the OAuth2 Application in Gitea must rely on the scopes sent by the third party and an approval decision by the informed user if restrictive access is expected. There is no way for the admin to set restrictive access via scopes during the application setup process.
+
+
+## Granular Scopes
+
+As of version v1.23, Gitea supports granular scopes, allowing third parties to request more limited access. These scopes, previously available only for [Personal Access Tokens](#scopes), enable users to restrict access to specific URL routes.
+
+Scopes are grouped by high-level API routes and further refined as follows:
+
+- `read`: `GET` routes
+- `write`: `POST`, `PUT`, `PATCH`, and `DELETE` routes (in addition to `GET`)
+
+For example, a third party can request minimal access, allowing Gitea to act as a simple OpenID Connect (OIDC) Provider. If the third party adds only `public-only` to 'openid', no other or any combination of the scopes `email`, `userinfo`, or `groups`, Gitea will act as a basic Single Sign-On provider. This configuration provides only verification that the user can log in with the correct credentials, supplying only basic information such as username, email, and a list of public memberships in organizations and teams.
+
+When any of the granular scopes known from Personal Access Tokens is introduced, Gitea will not allow full access (as it does by default). Instead, it will build granular access following read or write permissions to resources such as Repositories, Issues, ActivityPub, Admin functions, Organizations, Users, Packages, or miscellaneous features.
+
+> **NOTE:** If third party adds any scope other than the OIDC ones: `openid`, `email`, `profile`, and `groups` or the ones found already in Personal Access Token the scope will fallback to full access as it was the case before v1.23
+
+The approval page displayed to the user shows the list of scopes requested by the third party. Once approved, this decision is remembered. If the third party changes its requested scopes in future requests, the entire flow will fail, requiring re-authorization.
+
+## Endpoints
+
+| Endpoint                 | URL                                 |
+| ------------------------ | ----------------------------------- |
+| OpenID Connect Discovery | `/.well-known/openid-configuration` |
+| Authorization Endpoint   | `/login/oauth/authorize`            |
+| Access Token Endpoint    | `/login/oauth/access_token`         |
+| Token Introspection Endpoint | `/login/oauth/introspect`           |
+| OpenID Connect UserInfo  | `/login/oauth/userinfo`             |
+| JSON Web Key Set         | `/login/oauth/keys`                 |
+
+## Supported OAuth2 Grants
+
+At the moment Gitea only supports the [**Authorization Code Grant**](https://tools.ietf.org/html/rfc6749#section-1.3.1) standard with additional support of the following extensions:
+
+- [Proof Key for Code Exchange (PKCE)](https://tools.ietf.org/html/rfc7636)
+- [OpenID Connect (OIDC)](https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth)
+
+To use the Authorization Code Grant as a third party application it is required to register a new application via the "Settings" (`/user/settings/applications`) section of the settings. To test or debug you can use the web-tool https://oauthdebugger.com/.
+
+## Scopes
+
+Gitea supports scoped access tokens, which allow users the ability to restrict tokens to operate only on selected url routes. Scopes are grouped by high-level API routes, and further refined to the following:
+
+- `read`: `GET` routes
+- `write`: `POST`, `PUT`, `PATCH`, and `DELETE` routes (in addition to `GET`)
+
+Gitea token scopes are as follows:
+
+| Name | Description                                                                                                                                          |
+| ---- |------------------------------------------------------------------------------------------------------------------------------------------------------|
+| **(no scope)** | Not supported. A scope is required even for public repositories.                                                                                     |
+| **activitypub** | `activitypub` API routes: ActivityPub related operations.                                                                                            |
+|     **read:activitypub** | Grants read access for ActivityPub operations.                                                                                                       |
+|     **write:activitypub** | Grants read/write/delete access for ActivityPub operations.                                                                                          |
+| **admin** | `/admin/*` API routes: Site-wide administrative operations (hidden for non-admin accounts).                                                          |
+|     **read:admin** | Grants read access for admin operations, such as getting cron jobs or registered user emails.                                                        |
+|     **write:admin** | Grants read/write/delete access for admin operations, such as running cron jobs or updating user accounts.                                           |
+| **issue** | `issues/*`, `labels/*`, `milestones/*` API routes: Issue-related operations.                                                                         |
+|     **read:issue** | Grants read access for issues operations, such as getting issue comments, issue attachments, and milestones.                                         |
+|     **write:issue** | Grants read/write/delete access for issues operations, such as posting or editing an issue comment or attachment, and updating milestones.           |
+| **misc** | Reserved for future usage.                                                                                                                           |
+|     **read:misc** | Reserved for future usage.                                                                                                                           |
+|     **write:misc** | Reserved for future usage.                                                                                                                           |
+| **notification** | `notification/*` API routes: user notification operations.                                                                                           |
+|     **read:notification** | Grants read access to user notifications, such as which notifications users are subscribed to and read new notifications.                            |
+|     **write:notification** | Grants read/write/delete access to user notifications, such as marking notifications as read.                                                        |
+| **organization** | `orgs/*` and `teams/*` API routes: Organization and team management operations.                                                                      |
+|     **read:organization** | Grants read access to org and team status, such as listing all orgs a user has visibility to, teams, and team members.                               |
+|     **write:organization** | Grants read/write/delete access to org and team status, such as creating and updating teams and updating org settings.                               |
+| **package** | `/packages/*` API routes: Packages operations                                                                                                        |
+|     **read:package** | Grants read access to package operations, such as reading and downloading available packages.                                                        |
+|     **write:package** | Grants read/write/delete access to package operations. Currently the same as `read:package`.                                                         |
+| **repository** | `/repos/*` API routes except `/repos/issues/*`: Repository file, pull-request, and release operations.                                               |
+|     **read:repository** | Grants read access to repository operations, such as getting repository files, releases, collaborators.                                              |
+|     **write:repository** | Grants read/write/delete access to repository operations, such as getting updating repository files, creating pull requests, updating collaborators. |
+| **user** | `/user/*` and `/users/*` API routes: User-related operations.                                                                                        |
+|     **read:user** | Grants read access to user operations, such as getting user repo subscriptions and user settings.                                                    |
+|     **write:user** | Grants read/write/delete access to user operations, such as updating user repo subscriptions, followed users, and user settings.                     |
+
+## Pre-configured Applications
+
+Gitea creates OAuth applications for the following services by default on startup, as we assume that these are universally useful.
+
+|Application|Description|Client ID|
+|-----------|-----------|---------|
+|[git-credential-oauth](https://github.com/hickford/git-credential-oauth)|Git credential helper|`a4792ccc-144e-407e-86c9-5e7d8d9c3269`|
+|[Git Credential Manager](https://github.com/git-ecosystem/git-credential-manager)|Git credential helper|`e90ee53c-94e2-48ac-9358-a874fb9e0662`|
+|[tea](https://gitea.com/gitea/tea)|tea|`d57cb8c4-630c-4168-8324-ec79935e18d4`|
+
+To prevent unexpected behavior, they are being displayed as locked in the UI and their creation can instead be controlled by the `DEFAULT_APPLICATIONS` parameter in `app.ini`.
+
+## Client types
+
+Gitea supports both confidential and public client types, [as defined by RFC 6749](https://datatracker.ietf.org/doc/html/rfc6749#section-2.1).
+
+For public clients, a redirect URI of a loopback IP address such as `http://127.0.0.1/` allows any port. Avoid using `localhost`, [as recommended by RFC 8252](https://datatracker.ietf.org/doc/html/rfc8252#section-8.3).
+
+## Examples
+
+### Confidential client
+
+:::note
+This example does not use PKCE.
+:::
+
+1. Redirect the user to the authorization endpoint in order to get their consent for accessing the resources:
+
+   ```curl
+   https://[YOUR-GITEA-URL]/login/oauth/authorize?client_id=CLIENT_ID&redirect_uri=REDIRECT_URI&response_type=code&state=STATE
+   ```
+
+   The `CLIENT_ID` can be obtained by registering an application in the settings. The `STATE` is a random string that will be sent back to your application after the user authorizes. The `state` parameter is optional, but should be used to prevent CSRF attacks.
+
+   ![Authorization Page](/authorize.png)
+
+   The user will now be asked to authorize your application. If they authorize it, the user will be redirected to the `REDIRECT_URL`, for example:
+
+   ```curl
+   https://[REDIRECT_URI]?code=RETURNED_CODE&state=STATE
+   ```
+
+2. Using the provided `code` from the redirect, you can request a new application and refresh token. The access token endpoint accepts POST requests with `application/json` and `application/x-www-form-urlencoded` body, for example:
+
+   ```curl
+   POST https://[YOUR-GITEA-URL]/login/oauth/access_token
+   ```
+
+   ```json
+   {
+     "client_id": "YOUR_CLIENT_ID",
+     "client_secret": "YOUR_CLIENT_SECRET",
+     "code": "RETURNED_CODE",
+     "grant_type": "authorization_code",
+     "redirect_uri": "REDIRECT_URI"
+   }
+   ```
+
+   Response:
+
+   ```json
+   {
+     "access_token": "eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJnbnQiOjIsInR0IjowLCJleHAiOjE1NTUxNzk5MTIsImlhdCI6MTU1NTE3NjMxMn0.0-iFsAwBtxuckA0sNZ6QpBQmywVPz129u75vOM7wPJecw5wqGyBkmstfJHAjEOqrAf_V5Z-1QYeCh_Cz4RiKug",
+     "token_type": "bearer",
+     "expires_in": 3600,
+     "refresh_token": "eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJnbnQiOjIsInR0IjoxLCJjbnQiOjEsImV4cCI6MTU1NzgwNDMxMiwiaWF0IjoxNTU1MTc2MzEyfQ.S_HZQBy4q9r5SEzNGNIoFClT43HPNDbUdHH-GYNYYdkRfft6XptJBkUQscZsGxOW975Yk6RbgtGvq1nkEcklOw"
+   }
+   ```
+
+   The `CLIENT_SECRET` is the unique secret code generated for this application. Please note that the secret will only be visible after you created/registered the application with Gitea and cannot be recovered. If you lose the secret, you must regenerate the secret via the application's settings.
+
+   The `REDIRECT_URI` in the `access_token` request must match the `REDIRECT_URI` in the `authorize` request.
+
+3. Use the `access_token` to make [API requests](development/api-usage.md#oauth2-provider) to access the user's resources.
+
+### Public client (PKCE)
+
+PKCE (Proof Key for Code Exchange) is an extension to the OAuth flow which allows for a secure credential exchange without the requirement to provide a client secret.
+
+**Note**: Please ensure you have registered your OAuth application as a public client.
+
+To achieve this, you have to provide a `code_verifier` for every authorization request. A `code_verifier` has to be a random string with a minimum length of 43 characters and a maximum length of 128 characters. It can contain alphanumeric characters as well as the characters `-`, `.`, `_`  and `~`.
+
+Using this `code_verifier` string, a new one called `code_challenge` is created by using one of two methods:
+
+- If you have the required functionality on your client, set `code_challenge` to be a URL-safe base64-encoded string of the SHA256 hash of `code_verifier`. In that case, your `code_challenge_method` becomes `S256`.
+- If you are unable to do so, you can provide your `code_verifier` as a plain string to `code_challenge`. Then you have to set your `code_challenge_method` as `plain`.
+
+After you have generated this values, you can continue with your request.
+
+1. Redirect the user to the authorization endpoint in order to get their consent for accessing the resources:
+
+   ```curl
+   https://[YOUR-GITEA-URL]/login/oauth/authorize?client_id=CLIENT_ID&redirect_uri=REDIRECT_URI&response_type=code&code_challenge_method=CODE_CHALLENGE_METHOD&code_challenge=CODE_CHALLENGE&state=STATE
+   ```
+
+   The `CLIENT_ID` can be obtained by registering an application in the settings. The `STATE` is a random string that will be sent back to your application after the user authorizes. The `state` parameter is optional, but should be used to prevent CSRF attacks.
+
+   ![Authorization Page](/authorize.png)
+
+   The user will now be asked to authorize your application. If they authorize it, the user will be redirected to the `REDIRECT_URL`, for example:
+
+   ```curl
+   https://[REDIRECT_URI]?code=RETURNED_CODE&state=STATE
+   ```
+
+2. Using the provided `code` from the redirect, you can request a new application and refresh token. The access token endpoint accepts POST requests with `application/json` and `application/x-www-form-urlencoded` body, for example:
+
+   ```curl
+   POST https://[YOUR-GITEA-URL]/login/oauth/access_token
+   ```
+
+   ```json
+   {
+     "client_id": "YOUR_CLIENT_ID",
+     "code": "RETURNED_CODE",
+     "grant_type": "authorization_code",
+     "redirect_uri": "REDIRECT_URI",
+     "code_verifier": "CODE_VERIFIER",
+   }
+   ```
+
+   Response:
+
+   ```json
+   {
+     "access_token": "eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJnbnQiOjIsInR0IjowLCJleHAiOjE1NTUxNzk5MTIsImlhdCI6MTU1NTE3NjMxMn0.0-iFsAwBtxuckA0sNZ6QpBQmywVPz129u75vOM7wPJecw5wqGyBkmstfJHAjEOqrAf_V5Z-1QYeCh_Cz4RiKug",
+     "token_type": "bearer",
+     "expires_in": 3600,
+     "refresh_token": "eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJnbnQiOjIsInR0IjoxLCJjbnQiOjEsImV4cCI6MTU1NzgwNDMxMiwiaWF0IjoxNTU1MTc2MzEyfQ.S_HZQBy4q9r5SEzNGNIoFClT43HPNDbUdHH-GYNYYdkRfft6XptJBkUQscZsGxOW975Yk6RbgtGvq1nkEcklOw"
+   }
+   ```
+
+   The `REDIRECT_URI` in the `access_token` request must match the `REDIRECT_URI` in the `authorize` request.
+
+3. Use the `access_token` to make [API requests](development/api-usage.md#oauth2-provider) to access the user's resources.

docs/help.md

@@ -3,8 +3,7 @@ date: "2017-01-20T15:00:00+08:00"
 title: "Help"
 slug: "help"
 sidebar_position: 5
-toc: false
-draft: false
+
 menu:
   sidebar:
     name: "Help"

docs/help/faq.md

@@ -0,0 +1,352 @@
+---
+date: "2019-04-05T16:00:00+02:00"
+slug: "faq"
+sidebar_position: 5
+aliases:
+  - /en-us/faq
+---
+
+# FAQ
+
+This page contains some common questions and answers.
+
+For more help resources, check all [Support Options](help/support.md).
+
+## Difference between 1.x and 1.x.x downloads, how can I get latest stable release with bug fixes?
+
+Version 1.20.x will be used for this example.
+
+On our [downloads page](https://dl.gitea.com/gitea/) you will see a 1.20 directory, as well as directories for 1.20.0, 1.20.1.
+
+The 1.20 directory is the nightly build, which is built on each merged commit to the [`release/v1.20`](https://github.com/go-gitea/gitea/tree/release/v1.20) branch.
+
+The 1.20.0 directory is a release build that was created when the [`v1.20.0`](https://github.com/go-gitea/gitea/releases/tag/v1.20.0) tag was created.
+
+The nightly builds (1.x) downloads will change as commits are merged to their respective branch, they contain the latest changes/fixes before a tag release is built.
+
+If a bug fix is targeted on 1.20.1 but 1.20.1 is not released yet, you can get the "1.20-nightly" build to get the bug fix.
+
+## How to find the config file "app.ini"
+
+It depends on how you installed Gitea. If you didn't set a path for custom path or config file manually,
+then the config file (app.ini) should exists in the "custom/conf" directory of your Gitea's working path.
+Some package vendors might use "/etc/gitea" to store the config file, while some others don't.
+
+You could manually find the config file (app.ini) by checking Gitea's startup logs
+or reading the Gitea Web's Site Administrator -> Confugiraton Summary.
+
+If you are using some isolated enviroments like container (docker),
+the path you see usually is not what it is in the host's filesystem.
+In this case you need to check the container's filesystem volume mapping
+and figure out the real path of the config file on the host.
+
+## Where does Gitea store what file
+
+- _`AppWorkPath`_
+  - The `WORK_PATH` option in `app.ini`
+  - Else the `--work-path` flag
+  - Else Environment variable `GITEA_WORK_DIR`
+  - Else a built-in value set at build time
+  - Else the directory that contains the Gitea binary
+- `AppDataPath` (default for database, indexers, etc.)
+  - `APP_DATA_PATH` from `app.ini`
+  - Else _`AppWorkPath`_`/data`
+- _`CustomPath`_ (custom templates)
+  - The `--custom-path` flag
+  - Else Environment variable `GITEA_CUSTOM`
+  - Else a built-in value set at build time
+  - Else _`AppWorkPath`_`/custom`
+- HomeDir
+  - Unix: Environment variable `HOME`
+  - Windows: Environment variable `USERPROFILE`, else environment variables `HOMEDRIVE`+`HOMEPATH`
+- RepoRootPath
+  - `ROOT` in the \[repository] section of `app.ini` if absolute
+  - Else _`AppWorkPath`_`/ROOT` if `ROOT` in the \[repository] section of `app.ini` if relative
+  - Default `%(APP_DATA_PATH)/gitea-repositories`
+- INI (config file)
+  - `--config` flag
+  - A possible built-in value set a build time
+  - Else _`CustomPath`_`/conf/app.ini`
+- SQLite Database
+  - `PATH` in `database` section of `app.ini`
+  - Else `%(APP_DATA_PATH)/gitea.db`
+
+## Not seeing a clone URL or the clone URL being incorrect
+
+There are a few places that could make this show incorrectly.
+
+1. If using a reverse proxy, make sure you have followed the correction directions in the [reverse proxy guide](../administration/reverse-proxies.md)
+2. Make sure you have correctly set `ROOT_URL` in the `server` section of your `app.ini`
+
+If certain clone options aren't showing up (HTTP/S or SSH), the following options can be checked in your `app.ini`
+
+- `DISABLE_HTTP_GIT`: if set to true, there will be no HTTP/HTTPS link
+- `DISABLE_SSH`: if set to true, there will be no SSH link
+- `SSH_EXPOSE_ANONYMOUS`: if set to false, SSH links will be hidden for anonymous users
+
+## File upload fails with: 413 Request Entity Too Large
+
+This error occurs when the reverse proxy limits the file upload size.
+
+See the [reverse proxy guide](../administration/reverse-proxies.md) for a solution with nginx.
+
+## Custom Templates not loading or working incorrectly
+
+Gitea's custom templates must be added to the correct location or Gitea will not find and use them.
+
+The correct path for the template(s) will be relative to the `CustomPath`
+
+1. To find `CustomPath`, look for Custom File Root Path in Site Administration -> Configuration
+2. If you are still unable to find a path, the default can be [calculated above](#where-does-gitea-store-what-file)
+3. Once you have figured out the correct custom path, you can refer to the [customizing Gitea](../administration/customizing-gitea.md) page to add your template to the correct location.
+
+## Does Gitea have a "GitHub/GitLab pages" feature?
+
+Gitea doesn't provide a built-in Pages server. You need a dedicated domain to serve static pages to avoid CSRF security risks.
+
+For simple usage, you can use a reverse proxy to rewrite & serve static contents from Gitea's raw file URLs.
+
+And there are already available third-party services, like a standalone [pages server](https://codeberg.org/Codeberg/pages-server) or a [caddy plugin](https://github.com/42wim/caddy-gitea), that can provide the required functionality.
+
+## Active user vs login prohibited user
+
+In Gitea, an "active" user refers to a user that has activated their account via email.
+
+A "login prohibited" user is a user that is not allowed to log in to Gitea anymore
+
+
+## What is Swagger?
+
+[Swagger](https://swagger.io/) is what Gitea uses for its API documentation.
+
+All Gitea instances have the built-in API and there is no way to disable it completely.
+You can, however, disable showing its documentation by setting `ENABLE_SWAGGER` to `false` in the `api` section of your `app.ini`.
+For more information, refer to Gitea's [API docs](development/api-usage.md).
+
+You can see the latest API (for example) on https://gitea.com/api/swagger
+
+You can also see an example of the `swagger.json` file at https://gitea.com/swagger.v1.json
+
+## Adjusting your server for public/private use
+
+### Preventing spammers
+
+There are multiple things you can combine to prevent spammers.
+
+1. By whitelisting or blocklisting certain email domains
+2. By only whitelisting certain domains with OpenID (see below)
+3. Setting `ENABLE_CAPTCHA` to `true` in your `app.ini` and properly configuring `RECAPTCHA_SECRET` and `RECAPTCHA_SITEKEY`
+4. Settings `DISABLE_REGISTRATION` to `true` and creating new users via the [CLI](../administration/command-line.md), [API](development/api-usage.md), or Gitea's Admin UI
+
+### Only allow/block certain email domains
+
+You can configure `EMAIL_DOMAIN_WHITELIST` or `EMAIL_DOMAIN_BLOCKLIST` in your app.ini under `[service]`
+
+### Only allow/block certain OpenID providers
+
+You can configure `WHITELISTED_URIS` or `BLACKLISTED_URIS` under `[openid]` in your `app.ini`
+
+:::note
+Whitelisted takes precedence, so if it is non-blank then blacklisted is ignored.
+:::
+
+### Issue only users
+
+The current way to achieve this is to create/modify a user with a max repo creation limit of 0.
+
+### Restricted users
+
+Restricted users are limited to a subset of the content based on their organization/team memberships and collaborations, ignoring the public flag on organizations/repos etc.\_\_
+
+Example use case: A company runs a Gitea instance that requires login. Most repos are public (accessible/browsable by all co-workers).
+
+At some point, a customer or third party needs access to a specific repo and only that repo. Making such a customer account restricted and granting any needed access using team membership(s) and/or collaboration(s) is a simple way to achieve that without the need to make everything private.
+
+### Enable Fail2ban
+
+Use [Fail2Ban](../administration/fail2ban-setup.md) to monitor and stop automated login attempts or other malicious behavior based on log patterns
+
+## SSHD vs built-in SSH
+
+SSHD is the built-in SSH server on most Unix systems.
+
+Gitea also provides its own SSH server, for usage when SSHD is not available.
+
+## Translation is incorrect/how to add more translations
+
+Our translations are currently crowd-sourced on our [Crowdin project](https://crowdin.com/project/gitea)
+
+Whether you want to change a translation or add a new one, it will need to be there as all translations are overwritten in our CI via the Crowdin integration.
+
+## Push Hook / Webhook / Actions aren't running
+
+If you can push but can't see push activities on the home dashboard, or the push doesn't trigger webhook and Actions workflows, it's likely that the git hooks are not working.
+
+There are a few possibilities:
+
+1. The git hooks are out of sync. Run the following actions on the site admin panel:
+- "Sync missed branches from git data to databases"
+- "Sync tags from git data to database"
+- "Resynchronize pre-receive, update and post-receive hooks of all repositories"
+2. The git repositories (and hooks) are stored on some filesystems (ex: mounted by NAS) which don't support script execution, make sure the filesystem supports `chmod a+x any-script`. Also make sure that the filesystem of the repositories is not mounted with the `noexec` option.
+3. If you are using docker, make sure Docker Server (not the client) >= 20.10.6
+
+## SSH issues
+
+If you cannot reach repositories over `ssh`, but `https` works fine, consider looking into the following.
+
+First, make sure you can access Gitea via SSH.
+
+`ssh git@myremote.example`
+
+If the connection is successful, you should receive an error message like the following:
+
+```
+Hi there, You've successfully authenticated, but Gitea does not provide shell access.
+If this is unexpected, please log in with password and setup Gitea under another user.
+```
+
+If you do not get the above message but still connect, it means your SSH key is **not** being managed by Gitea. This means hooks won't run, among other potential problems.
+
+If you cannot connect at all, your SSH key may not be configured correctly locally.
+This is specific to SSH and not Gitea, so will not be covered here.
+
+### SSH Common Errors
+
+```
+Permission denied (publickey).
+fatal: Could not read from remote repository.
+```
+
+This error signifies that the server rejected a log in attempt, check the
+following things:
+
+- On the client:
+  - Ensure the public and private ssh keys are added to the correct Gitea user.
+  - Make sure there are no issues in the remote url. In particular, ensure the name of the
+    Git user (before the `@`) is spelled correctly.
+  - Ensure public and private ssh keys are correct on client machine.
+- On the server:
+  - Make sure the repository exists and is correctly named.
+  - Check the permissions of the `.ssh` directory in the system user's home directory.
+  - Verify that the correct public keys are added to `.ssh/authorized_keys`.
+
+    Try to run `Rewrite '.ssh/authorized_keys' file (for Gitea SSH keys)` on the
+    Gitea admin panel.
+  - Read Gitea logs.
+  - Read /var/log/auth (or similar).
+  - Check permissions of repositories.
+
+The following is an example of a missing public SSH key where authentication
+succeeded, but some other setting is preventing SSH from reaching the correct
+repository.
+
+```
+fatal: Could not read from remote repository.
+
+Please make sure you have the correct access rights
+and the repository exists.
+```
+
+In this case, look into the following settings:
+
+- On the server:
+  - Make sure that the `git` system user has a usable shell set
+    - Verify this with `getent passwd git | cut -d: -f7`
+    - `usermod` or `chsh` can be used to modify this.
+  - Ensure that the `gitea serv` command in `.ssh/authorized_keys` uses the
+    correct configuration file.
+
+## Missing releases after migrating repository with tags
+
+To migrate an repository _with_ all tags, you need to do two things:
+
+- Push tags to the repository:
+
+```
+ git push --tags
+```
+
+- (Re-)sync tags of all repositories within Gitea:
+
+```
+gitea admin repo-sync-releases
+```
+
+## How can I create users before starting Gitea
+
+Gitea provides a sub-command `gitea migrate` to initialize the database, after which you can use the [admin CLI commands](../administration/command-line.md#admin) to add users like normal.
+
+## How can I enable password reset
+
+There is no setting for password resets. It is enabled when a [mail service](../administration/email-setup.md) is configured, and disabled otherwise.
+
+## How can a user's password be changed
+
+- As an **admin**, you can change any user's password (and optionally force them to change it on next login)...
+  - By navigating to your `Site Administration -> User Accounts` page and editing a user.
+  - By using the [admin CLI commands](../administration/command-line.md#admin).
+
+    Keep in mind most commands will also need a [global flag](../administration/command-line.md#global-options) to point the CLI at the correct configuration.
+- As a **user** you can change it...
+  - In your account `Settings -> Account` page (this method **requires** you to know your current password).
+  - By using the `Forgot Password` link.
+
+    If the `Forgot Password/Account Recovery` page is disabled, please contact your administrator to configure a [mail service](../administration/email-setup.md).
+
+## Warnings about struct defaults during database startup
+
+Sometimes when there are migrations the old columns and default values may be left
+unchanged in the database schema. This may lead to warning such as:
+
+```
+2020/08/02 11:32:29 ...rm/session_schema.go:360:Sync() [W] Table user Column keep_activity_private db default is , struct default is 0
+```
+
+These can safely be ignored, but you are able to stop these warnings by getting Gitea to recreate these tables using:
+
+```
+gitea doctor recreate-table user
+```
+
+This will cause Gitea to recreate the user table and copy the old data into the new table
+with the defaults set appropriately.
+
+You can ask Gitea to recreate multiple tables using:
+
+```
+gitea doctor recreate-table table1 table2 ...
+```
+
+And if you would like Gitea to recreate all tables simply call:
+
+```
+gitea doctor recreate-table
+```
+
+It is highly recommended to back-up your database before running these commands.
+
+## How to adopt repositories from disk
+
+- Add your (bare) repositories to the correct spot for your configuration (`repository.ROOT`), ensuring they are in the correct layout `<REPO_ROOT>/[user]/[repo].git`.
+  - **Note:** the directory names must be lowercase.
+  - You can also check `<ROOT_URL>/-/admin/config` for the repository root path.
+- Ensure that the user/org exists that you want to adopt repositories for.
+- As an admin, go to `<ROOT_URL>/-/admin/repos/unadopted` and search.
+  - Users can also be given similar permissions via config [`ALLOW_ADOPTION_OF_UNADOPTED_REPOSITORIES`](../administration/config-cheat-sheet.md#repository-repository).
+- If the above steps are done correctly, you should be able to select repositories to adopt.
+  - If no repositories are found, enable [debug logging](../administration/config-cheat-sheet.md#repository-repository) to check for any specific errors.
+
+## Gitea can't start on NFS
+
+In most cases, it's caused by broken NFS lock system. You can try to stop Gitea process and
+run `flock -n /data-nfs/gitea/queues/LOCK echo 'lock acquired'` to see whether the lock can be acquired immediately.
+If the lock can't be acquired, NFS might report some errors like `lockd: cannot monitor node-3, statd: server rpc.statd not responding, timed out` in its server logs.
+
+Then the NFS lock could be reset by:
+
+```bash
+# /etc/init.d/nfs stop
+# rm -rf /var/lib/nfs/sm/*
+# /etc/init.d/nfs start
+```

docs/help/support.md

@@ -0,0 +1,71 @@
+---
+date: "2018-05-21T15:00:00+00:00"
+slug: "support"
+sidebar_position: 20
+aliases:
+  - /en-us/seek-help
+---
+
+# Support Options
+
+- [Paid Commercial Support](https://about.gitea.com/)
+- [Discord](https://discord.gg/Gitea)
+- [Forum](https://forum.gitea.com/)
+- [Matrix](https://matrix.to/#/#gitea-space:matrix.org)
+  - NOTE: Most of the Matrix channels are bridged with their counterpart in Discord and may experience some degree of flakiness with the bridge process.
+- Chinese Support
+  - [Discourse Chinese Category](https://forum.gitea.com/c/5-category/5)
+  - QQ Group 328432459
+
+# Bug Report
+
+If you found a bug, please [create an issue on GitHub](https://github.com/go-gitea/gitea/issues).
+
+:::note
+When asking for support, it may be a good idea to have the following available so that the person helping has all the info they need:
+:::
+
+1. Your `app.ini` (with any sensitive data scrubbed as necessary).
+2. Any error messages you are seeing.
+3. The Gitea logs, and all other related logs for the situation.
+   - It's more useful to collect `trace` / `debug` level logs (see the next section).
+   - When using systemd, use `journalctl --lines 1000 --unit gitea` to collect logs.
+   - When using docker, use `docker logs --tail 1000 <gitea-container>` to collect logs.
+4. Reproducible steps so that others could reproduce and understand the problem more quickly and easily.
+   - [demo.gitea.com](https://demo.gitea.com) could be used to reproduce the problem.
+5. If you encounter slow/hanging/deadlock problems, please report the stacktrace when the problem occurs.
+   Go to the "Site Admin" -> "Monitoring" -> "Stacktrace" -> "Download diagnosis report".
+
+# Advanced Bug Report Tips
+
+## More Config Options for Logs
+
+By default, the logs are outputted to console with `info` level.
+If you need to set log level and/or collect logs from files,
+you could just copy the following config into your `app.ini` (remove all other `[log]` sections),
+then you will find the `*.log` files in Gitea's log directory (default: `%(GITEA_WORK_DIR)/log`).
+
+```ini
+; To show all SQL logs, you can also set LOG_SQL=true in the [database] section
+[log]
+LEVEL=debug
+MODE=console,file
+```
+
+## Collecting Stacktrace by Command Line
+
+Gitea could use Golang's pprof handler and toolchain to collect stacktrace and other runtime information.
+
+If the web UI stops working, you could try to collect the stacktrace by command line:
+
+1. Set `app.ini`:
+
+    ```
+    [server]
+    ENABLE_PPROF = true
+    ```
+
+2. Restart Gitea
+
+3. Try to trigger the bug, when the requests get stuck for a while,
+   use `curl` or browser to visit: `http://127.0.0.1:6060/debug/pprof/goroutine?debug=1` to get the stacktrace.

docs/index.md

@@ -0,0 +1,110 @@
+---
+date: "2016-11-08T16:00:00+02:00"
+slug: /
+sidebar_position: 10
+
+---
+
+# What is Gitea?
+
+Gitea is a painless, self-hosted, all-in-one software development service. It includes Git hosting, code review, team collaboration, package registry, and CI/CD. It is similar to GitHub, Bitbucket and GitLab.
+
+Gitea was originally forked from [Gogs](https://gogs.io) and almost all the code has been changed. See the [Gitea Announcement](https://blog.gitea.com/welcome-to-gitea/) blog post to read about the justification for a fork.
+
+:::warning
+
+Gitea does not sent or cherry-picked commits from upstream, so there is no guarantee it will work if you upgrade from Gogs to Gitea. The recommended method is to migrate repositories from Gogs to Gitea.
+
+:::
+
+## Purpose
+
+The goal of this project is to provide the easiest, fastest, and most painless way of setting
+up a self-hosted Git service.
+
+With Go, this can be done platform-independently across
+**all platforms** which Go supports, including Linux, macOS, and Windows,
+on x86, amd64, ARM and PowerPC architectures.
+You can try it out using [the online demo](https://demo.gitea.com).
+
+## Features
+
+- **Code Hosting**
+
+  Gitea supports creating and managing repositories, browsing commit history and code files, reviewing and merging code submissions, managing collaborators, handling branches, and more. It also supports many common Git features such as tags, Cherry-pick, hooks, integrated collaboration tools, and more.
+
+- **Lightweight and Fast**
+
+  One of Gitea's design goals is to be lightweight and fast in response. Unlike some large code hosting platforms, it remains lean, performs well in terms of speed, and is suitable for resource-limited server environments. Due to its lightweight design, Gitea has relatively low resource consumption and performs well in resource-constrained environments.
+
+- **Easy Deployment and Maintenance**
+
+  It can be easily deployed on various servers without complex configurations or dependencies. This makes it convenient for individual developers or small teams to set up and manage their own Git services.
+
+- **Security**
+
+  Gitea places a strong emphasis on security, offering features such as user permission management, access control lists, and more to ensure the security of code and data.
+
+- **Code Review**
+
+  Code review supports both the Pull Request workflow and AGit workflow. Reviewers can browse code online and provide review comments or feedback. Submitters can receive review comments and respond or modify code online. Code reviews can help individuals and organizations enhance code quality.
+
+- **CI/CD**
+
+  Gitea Actions supports CI/CD functionality, compatible with GitHub Actions. Users can write workflows in familiar YAML format and reuse a variety of existing Actions plugins. Actions plugins support downloading from any Git website.
+
+- **Project Management**
+
+  Gitea tracks project requirements, features, and bugs through columns and issues. Issues support features like branches, tags, milestones, assignments, time tracking, due dates, dependencies, and more.
+
+- **Artifact Repository**
+
+  Gitea supports over 20 different types of public or private software package management, including Cargo, Chef, Composer, Conan, Conda, Container, Helm, Maven, npm, NuGet, Pub, PyPI, RubyGems, Vagrant, and more.
+
+- **Open Source Community Support**
+
+  Gitea is an open-source project based on the MIT license. It has an active open-source community that continuously develops and improves the platform. The project also actively welcomes community contributions, ensuring updates and innovation.
+
+- **Multilingual Support**
+
+  Gitea provides interfaces in multiple languages, catering to users globally and promoting internationalization and localization.
+
+For more detailed information, please refer to: https://docs.gitea.com/installation/comparison#general-features
+
+## System Requirements
+
+- A Raspberry Pi 3 is powerful enough to run Gitea for small workloads.
+- 2 CPU cores and 1GB RAM is typically sufficient for small teams/projects.
+- Gitea should be run with a dedicated non-root system account on UNIX-type systems.
+  - Note: Gitea manages the `~/.ssh/authorized_keys` file. Running Gitea as a regular user could break that user's ability to log in.
+- [Git](https://git-scm.com/) version 2.0.0 or later is required.
+  - [Git Large File Storage](https://git-lfs.github.com/) will be available if enabled and if your Git version is >= 2.1.2
+  - Git commit-graph rendering will be enabled automatically if your Git version is >= 2.18
+
+## Browser Support
+
+- Last 2 versions of Chrome, Firefox, Safari and Edge
+- Firefox ESR
+
+## Components
+
+- Web server framework: [Chi](http://github.com/go-chi/chi)
+- ORM: [XORM](https://xorm.io)
+- UI frameworks:
+  - [jQuery](https://jquery.com)
+  - [Fomantic UI](https://fomantic-ui.com)
+  - [Vue3](https://vuejs.org)
+  - and various components (see package.json)
+- Editors:
+  - [CodeMirror](https://codemirror.net)
+  - [EasyMDE](https://github.com/Ionaru/easy-markdown-editor)
+  - [Monaco Editor](https://microsoft.github.io/monaco-editor)
+- Database drivers:
+  - [github.com/go-sql-driver/mysql](https://github.com/go-sql-driver/mysql)
+  - [github.com/lib/pq](https://github.com/lib/pq)
+  - [github.com/mattn/go-sqlite3](https://github.com/mattn/go-sqlite3)
+  - [github.com/denisenkom/go-mssqldb](https://github.com/denisenkom/go-mssqldb)
+
+## Integrated support
+
+ Please visit [Awesome Gitea](https://gitea.com/gitea/awesome-gitea/) to get more third-party integrated support

docs/installation.md

@@ -3,8 +3,7 @@ date: "2016-12-01T16:00:00+02:00"
 title: "Installation"
 slug: "installation"
 sidebar_position: 10
-toc: false
-draft: false
+
 menu:
   sidebar:
     name: "Installation"

docs/installation/comparison.md

@@ -0,0 +1,145 @@
+---
+date: "2018-05-07T13:00:00+02:00"
+slug: "comparison"
+sidebar_position: 5
+aliases:
+  - /en-us/comparison
+---
+
+# Compared to other Git hosting
+
+To help decide if Gitea is suited for your needs, here is how it compares to other Git self hosted options.
+
+Be warned that we don't regularly check for feature changes in other products, so this list may be outdated. If you find anything that needs to be updated in the table below, please [open an issue](https://github.com/go-gitea/gitea/issues/new/choose).
+
+_Symbols used in table:_
+
+- _✓ - supported_
+
+- _⁄ - supported with limited functionality_
+
+- _✘ - unsupported_
+
+- _⚙️ - supported through third-party software_
+
+## General Features
+
+| Feature                                          | Gitea                                               | GitHub EE | GitLab CE | GitLab EE | BitBucket | RhodeCode CE | RhodeCode EE |
+| ------------------------------------------------ | --------------------------------------------------- | --------- | --------- | --------- | --------- | ------------ | ------------ |
+| Open source and free                             | ✓                                                   | ✘         | ✓         | ✘         | ✘         | ✓            | ✓            |
+| Low RAM/ CPU usage                               | ✓                                                   | ✘         | ✘         | ✘         | ✘         | ✘            | ✘            |
+| Multiple database support                        | ✓                                                   | ✘         | ⁄         | ⁄         | ✓         | ✓            | ✓            |
+| Multiple OS support                              | ✓                                                   | ✘         | ✘         | ✘         | ✘         | ✓            | ✓            |
+| Easy upgrades                                    | ✓                                                   | ✘         | ✓         | ✓         | ✘         | ✓            | ✓            |
+| Telemetry                                        | **✘**                                               | ✓         | ✓         | ✓         | ✓         | ✘            | ✘            |
+| Third-party render tool support                  | ✓                                                   | ✘         | ✘         | ✘         | ✓         | ✘            | ✘            |
+| WebAuthn (2FA)                                   | ✓                                                   | ✓         | ✓         | ✓         | ✓         | ✘            | ✓            |
+| Extensive API                                    | ✓                                                   | ✓         | ✓         | ✓         | ✓         | ✓            | ✓            |
+| Built-in Package/Container Registry              | ✓                                                   | ✓         | ✓         | ✓         | ✘         | ✘            | ✘            |
+| Sync commits to an external repo (push mirror)   | ✓                                                   | ✘         | ✓         | ✓         | ✘         | ✓            | ✓            |
+| Sync commits from an external repo (pull mirror) | ✓                                                   | ✘         | ✓         | ✓         | ✘         | ✓            | ✓            |
+| Light and Dark Theme                             | ✓                                                   | ✓         | ✓         | ✓         | ✘         | ✘            | ✘            |
+| Custom Theme Support                             | ✓                                                   | ✘         | ✘         | ✘         | ✓         | ✓            | ✓            |
+| Markdown support                                 | ✓                                                   | ✓         | ✓         | ✓         | ✓         | ✓            | ✓            |
+| CSV support                                      | ✓                                                   | ✓         | ✘         | ✘         | ✓         | ✘            | ✘            |
+| 'GitHub / GitLab pages'                          | [⚙️][gitea-pages-server], [⚙️][gitea-caddy-plugin]    | ✓         | ✓         | ✓         | ✘         | ✘            | ✘            |
+| Gists / Snippets                                 | [⚙️][opengist]                                       | ✓         | ✓         | ✓         | ✓         | ✓            | ✓            |
+| Repo-specific wiki (as a repo itself)            | ✓                                                   | ✓         | ✓         | ✓         | /         | ✘            | ✘            |
+| Deploy Tokens                                    | ✓                                                   | ✓         | ✓         | ✓         | ✓         | ✓            | ✓            |
+| Repository Tokens with write rights              | ✓                                                   | ✓         | ✓         | ✓         | ✓         | ✓            | ✓            |
+| RSS Feeds                                        | ✓                                                   | ✓         | ✘         | ✘         | ✘         | ✓            | ✓            |
+| Built-in CI/CD                                   | ✓                                                   | ✓         | ✓         | ✓         | ✘         | ✘            | ✘            |
+| Subgroups: groups within groups                  | [✘](https://github.com/go-gitea/gitea/issues/1872)  | ✘         | ✓         | ✓         | ✘         | ✓            | ✓            |
+| Interaction with other instances                 | [/](https://github.com/go-gitea/gitea/issues/18240) | ✘         | ✘         | ✘         | ✘         | ✘            | ✘            |
+| Mermaid diagrams in Markdown                     | ✓                                                   | ✓         | ✓         | ✓         | ✘         | ✘            | ✘            |
+| Math syntax in Markdown                          | ✓                                                   | ✓         | ✓         | ✓         | ✘         | ✓            | ✓            |
+
+## Code management
+
+| Feature                                     | Gitea                                               | GitHub EE | GitLab CE | GitLab EE | BitBucket | RhodeCode CE | RhodeCode EE |
+| ------------------------------------------- | --------------------------------------------------- | --------- | --------- | --------- | --------- | ------------ | ------------ |
+| Repository topics                           | ✓                                                   | ✓         | ✓         | ✓         | ✘         | ✘            | ✘            |
+| Repository code search                      | ✓                                                   | ✓         | ✓         | ✓         | ✓         | ✓            | ✓            |
+| Global code search                          | ✓                                                   | ✓         | ✘         | ✓         | ✓         | ✓            | ✓            |
+| Git LFS 2.0                                 | ✓                                                   | ✓         | ✓         | ✓         | ✓         | ✓            | ✓            |
+| Group Milestones                            | [✘](https://github.com/go-gitea/gitea/issues/14622) | ✘         | ✓         | ✓         | ✘         | ✘            | ✘            |
+| Granular user roles (Code, Issues, Wiki, …) | ✓                                                   | ✘         | ✓         | ✓         | ✘         | ✘            | ✘            |
+| Verified Committer                          | ⁄                                                   | ?         | ✓         | ✓         | ✓         | ✘            | ✘            |
+| GPG Signed Commits                          | ✓                                                   | ✓         | ✓         | ✓         | ✓         | ✓            | ✓            |
+| SSH Signed Commits                          | ✓                                                   | ✓         | ✓         | ✓         | ?         | ✘            | ✘            |
+| Reject unsigned commits                     | ✓                                                   | ✓         | ✓         | ✓         | ✓         | ✓            | ✓            |
+| Migrating repos from other services         | ✓                                                   | ✓         | ✓         | ✓         | ✓         | ✓            | ✓            |
+| Repository Activity page                    | ✓                                                   | ✓         | ✓         | ✓         | ✓         | ✓            | ✓            |
+| Branch manager                              | ✓                                                   | ✓         | ✓         | ✓         | ✓         | ✓            | ✓            |
+| Create new branches                         | ✓                                                   | ✓         | ✓         | ✓         | ✘         | ✘            | ✘            |
+| Web code editor                             | ✓                                                   | ✓         | ✓         | ✓         | ✓         | ✓            | ✓            |
+| Commit graph                                | ✓                                                   | ✓         | ✓         | ✓         | ✓         | ✓            | ✓            |
+| Template Repositories                       | ✓                                                   | ✓         | ✘         | ✓         | ✓         | ✘            | ✘            |
+| Git Blame                                   | ✓                                                   | ✓         | ✓         | ✓         | ✓         | ✓            | ✓            |
+| Visual comparison of image changes          | ✓                                                   | ✓         | ?         | ?         | ?         | ✘            | ✘            |
+
+- Gitea has builtin repository-level code search
+- Better code search support could be achieved by [using a repository indexer](../administration/repo-indexer.md)
+
+## Issue Tracker
+
+| Feature                       | Gitea                                               | GitHub EE | GitLab CE | GitLab EE | BitBucket | RhodeCode CE | RhodeCode EE |
+| ----------------------------- | --------------------------------------------------- | --------- | --------- | --------- | --------- | ------------ | ------------ |
+| Issue tracker                 | ✓                                                   | ✓         | ✓         | ✓         | /         | ✘            | ✘            |
+| Issue templates               | ✓                                                   | ✓         | ✓         | ✓         | ✘         | ✘            | ✘            |
+| Labels                        | ✓                                                   | ✓         | ✓         | ✓         | ✘         | ✘            | ✘            |
+| Time tracking                 | ✓                                                   | ✓         | ✓         | ✓         | ✘         | ✘            | ✘            |
+| Multiple assignees for issues | ✓                                                   | ✓         | ✘         | ✓         | ✘         | ✘            | ✘            |
+| Related issues                | ✘                                                   | ⁄         | ✓         | ✓         | ✘         | ✘            | ✘            |
+| Confidential issues           | [✘](https://github.com/go-gitea/gitea/issues/3217)  | ✘         | ✓         | ✓         | ✘         | ✘            | ✘            |
+| Comment reactions             | ✓                                                   | ✓         | ✓         | ✓         | ✘         | ✘            | ✘            |
+| Lock Discussion               | ✓                                                   | ✓         | ✓         | ✓         | ✘         | ✘            | ✘            |
+| Batch issue handling          | ✓                                                   | ✓         | ✓         | ✓         | ✘         | ✘            | ✘            |
+| Projects                      | [/](https://github.com/go-gitea/gitea/issues/14710) | ✘         | ✓         | ✓         | ✘         | ✘            | ✘            |
+| Create branch from issue      | [✘](https://github.com/go-gitea/gitea/issues/20226) | ✘         | ✓         | ✓         | ✘         | ✘            | ✘            |
+| Convert comment to new issue  | ✓                                                   | ✓         | ✓         | ✓         | ✘         | ✘            | ✘            |
+| Issue search                  | ✓                                                   | ✓         | ✓         | ✓         | ✓         | ✘            | ✘            |
+| Global issue search           | [/](https://github.com/go-gitea/gitea/issues/2434)  | ✓         | ✓         | ✓         | ✓         | ✘            | ✘            |
+| Issue dependency              | ✓                                                   | ✘         | ✘         | ✘         | ✘         | ✘            | ✘            |
+| Create issue via email        | [✘](https://github.com/go-gitea/gitea/issues/6226)  | ✘         | ✓         | ✓         | ✓         | ✘            | ✘            |
+| Service Desk                  | [✘](https://github.com/go-gitea/gitea/issues/6219)  | ✘         | ✓         | ✓         | ✘         | ✘            | ✘            |
+
+## Pull/Merge requests
+
+| Feature                                         | Gitea                                              | GitHub EE | GitLab CE | GitLab EE | BitBucket | RhodeCode CE | RhodeCode EE |
+| ----------------------------------------------- | -------------------------------------------------- | --------- | --------- | --------- | --------- | ------------ | ------------ |
+| Pull/Merge requests                             | ✓                                                  | ✓         | ✓         | ✓         | ✓         | ✓            | ✓            |
+| Squash merging                                  | ✓                                                  | ✓         | ✓         | ✓         | ✓         | ✓            | ✓            |
+| Rebase merging                                  | ✓                                                  | ✓         | ✓         | ✓         | ✓         | ✓            | ✓            |
+| Pull/Merge request inline comments              | ✓                                                  | ✓         | ✓         | ✓         | ✓         | ✓            | ✓            |
+| Pull/Merge request approval                     | ✓                                                  | ✓         | ✓         | ✓         | ✓         | ✓            | ✓            |
+| Pull/Merge require approval                     | ✓                                                  | ✓         | ✘         | ✓         | ✓         | ✓            | ✓            |
+| Pull/Merge multiple reviewers                   | ✓                                                  | ✓         | ✘         | ✓         | ✓         | ✓            | ✓            |
+| Merge conflict resolution                       | [✘](https://github.com/go-gitea/gitea/issues/9014) | ✓         | ✓         | ✓         | ✓         | ✘            | ✘            |
+| Restrict push and merge access to certain users | ✓                                                  | ✓         | ✓         | ✓         | ✓         | ✓            | ✓            |
+| Revert specific commits                         | ✓                                                  | ✓         | ✓         | ✓         | ✓         | ✘            | ✘            |
+| Pull/Merge requests templates                   | ✓                                                  | ✓         | ✓         | ✓         | ✘         | ✘            | ✘            |
+| Cherry-picking changes                          | ✓                                                  | ✘         | ✓         | ✓         | ✘         | ✘            | ✓            |
+| Download Patch                                  | ✓                                                  | ✓         | ✓         | ✓         | /         | ✓            | ✓            |
+| Merge queues                                    | ✓                                                  | ✓         | ✘         | ✓         | ✘         | ✘            | ✘            |
+
+## 3rd-party integrations
+
+| Feature                                        | Gitea                                              | GitHub EE | GitLab CE | GitLab EE | BitBucket | RhodeCode CE | RhodeCode EE |
+| ---------------------------------------------- | -------------------------------------------------- | --------- | --------- | --------- | --------- | ------------ | ------------ |
+| Webhooks                                       | ✓                                                  | ✓         | ✓         | ✓         | ✓         | ✓            | ✓            |
+| Git Hooks                                      | ✓                                                  | ✓         | ✓         | ✓         | ✓         | ✓            | ✓            |
+| AD / LDAP integration                          | ✓                                                  | ✓         | ✓         | ✓         | ✓         | ✓            | ✓            |
+| Multiple LDAP / AD server support              | ✓                                                  | ✘         | ✘         | ✓         | ✓         | ✓            | ✓            |
+| LDAP user synchronization                      | ✓                                                  | ✓         | ✓         | ✓         | ✓         | ✘            | ✓            |
+| SAML 2.0 service provider                      | [✘](https://github.com/go-gitea/gitea/issues/5512) | ✓         | ✓         | ✓         | ✓         | ✘            | ✓            |
+| OpenID Connect support                         | ✓                                                  | ✓         | ✓         | ✓         | ?         | ✘            | ✓            |
+| OAuth 2.0 integration (external authorization) | ✓                                                  | ⁄         | ✓         | ✓         | ?         | ✘            | ✓            |
+| Act as OAuth 2.0 provider                      | ✓                                                  | ✓         | ✓         | ✓         | ✓         | ✘            | ✘            |
+| Two factor authentication (2FA)                | ✓                                                  | ✓         | ✓         | ✓         | ✓         | ✘            | ✓            |
+| Integration with the most common services      | ✓                                                  | ⁄         | ✓         | ✓         | ⁄         | ✓            | ✓            |
+| Incorporate external CI/CD                     | ✓                                                  | ✓         | ✓         | ✓         | ✓         | ✓            | ✓            |
+
+[gitea-caddy-plugin]: https://github.com/42wim/caddy-gitea
+[gitea-pages-server]: https://codeberg.org/Codeberg/pages-server
+[opengist]: https://github.com/thomiceli/opengist

docs/installation/database-preparation.md

@@ -0,0 +1,311 @@
+---
+date: "2020-01-16"
+slug: "database-prep"
+sidebar_position: 10
+aliases:
+  - /en-us/database-prep
+---
+
+# Database Preparation
+
+You need a database to use Gitea. Gitea supports PostgreSQL (>= 12), MySQL (>= 8.0), MariaDB (>= 10.4), SQLite (builtin), and MSSQL (>= 2012 SP4). This page will guide into preparing database. Only PostgreSQL and MySQL will be covered here since those database engines are widely-used in production. If you plan to use SQLite, you can ignore this chapter.
+
+:::warning
+Converting one database type to another is not a well-tested process and you may experience issues. It is better to choose the final database type at the type of the first installation. Be aware that SQLite does not scale; if you expect your instance to grow at a later time, you should choose another database type.
+:::
+
+If you use an unsupported database version, please [get in touch](/help/support) with us for information on our Extended Support Contracts. We can provide testing and support for older databases and integrate those fixes into the Gitea codebase.
+
+Database instance can be on same machine as Gitea (local database setup), or on different machine (remote database).
+
+:::note
+All steps below requires that the database engine of your choice is installed on your system. For remote database setup, install the server application on database instance and client program on your Gitea server. The client program is used to test connection to the database from Gitea server, while Gitea itself use database driver provided by Go to accomplish the same thing. In addition, make sure you use same engine version for both server and client for some engine features to work. For security reason, protect `root` (MySQL) or `postgres` (PostgreSQL) database superuser with secure password. The steps assumes that you run Linux for both database and Gitea servers.
+:::
+
+## MySQL/MariaDB
+
+1. For remote database setup, you will need to make MySQL listen to your IP address. Configure the `bind-address` option in `/etc/mysql/my.cnf` on database instance by adding the following lines:
+
+    ```ini
+    [mysqld]
+    bind-address = 203.0.113.3
+    ```
+
+2. On database instance, login to database console as root:
+
+    ```sh
+    mysql -u root -p
+    ```
+
+    Enter the password as prompted.
+
+3. Create database user which will be used by Gitea, authenticated by password. This example uses `'gitea'` as password. Please use a secure password for your instance.
+
+    For local database:
+
+    ```sql
+    SET old_passwords=0;
+    CREATE USER 'gitea'@'%' IDENTIFIED BY 'gitea';
+    ```
+
+    For remote database:
+
+    ```sql
+    SET old_passwords=0;
+    CREATE USER 'gitea'@'192.0.2.10' IDENTIFIED BY 'gitea';
+    ```
+
+    where `192.0.2.10` is the IP address of your Gitea instance.
+
+    Replace username and password above as appropriate.
+
+4. Create database with UTF-8 charset and case-sensitive collation.
+
+    `utf8mb4_bin` is a common collation for both MySQL/MariaDB.
+    When Gitea starts, it will try to find a better collation (`utf8mb4_0900_as_cs` or `uca1400_as_cs`) and alter the database if it is possible.
+    If you would like to use other collation, you can set `[database].CHARSET_COLLATION` in the `app.ini` file.
+
+    ```sql
+    CREATE DATABASE giteadb CHARACTER SET 'utf8mb4' COLLATE 'utf8mb4_bin';
+    ```
+
+    Replace database name as appropriate.
+
+5. Grant all privileges on the database to database user created above.
+
+    For local database:
+
+    ```sql
+    GRANT ALL PRIVILEGES ON giteadb.* TO 'gitea';
+    FLUSH PRIVILEGES;
+    ```
+
+    For remote database:
+
+    ```sql
+    GRANT ALL PRIVILEGES ON giteadb.* TO 'gitea'@'192.0.2.10';
+    FLUSH PRIVILEGES;
+    ```
+
+6. Quit from database console by `exit`.
+
+7. On your Gitea server, test connection to the database:
+
+    ```
+    mysql -u gitea -h 203.0.113.3 -p giteadb
+    ```
+
+    where `gitea` is database username, `giteadb` is database name, and `203.0.113.3` is IP address of database instance. Omit `-h` option for local database.
+
+    You should be connected to the database.
+
+## PostgreSQL
+
+1. For remote database setup, configure PostgreSQL on database instance to listen to your IP address by editing `listen_addresses` on `postgresql.conf` to:
+
+    ```ini
+    listen_addresses = 'localhost, 203.0.113.3'
+    ```
+
+2. PostgreSQL uses `md5` challenge-response encryption scheme for password authentication by default. Nowadays this scheme is not considered secure anymore. Use SCRAM-SHA-256 scheme instead by editing the `postgresql.conf` configuration file on the database server to:
+
+    ```ini
+    password_encryption = scram-sha-256
+    ```
+
+    Restart PostgreSQL to apply the setting.
+
+3. On the database server, login to the database console as superuser:
+
+    ```
+    su -c "psql" - postgres
+    ```
+
+4. Create database user (role in PostgreSQL terms) with login privilege and password. Please use a secure, strong password instead of `'gitea'` below:
+
+    ```sql
+    CREATE ROLE gitea WITH LOGIN PASSWORD 'gitea';
+    ```
+
+    Replace username and password as appropriate.
+
+5. Create database with UTF-8 charset and owned by the database user created earlier. Any `libc` collations can be specified with `LC_COLLATE` and `LC_CTYPE` parameter, depending on expected content:
+
+    ```sql
+    CREATE DATABASE giteadb WITH OWNER gitea TEMPLATE template0 ENCODING UTF8 LC_COLLATE 'en_US.UTF-8' LC_CTYPE 'en_US.UTF-8';
+    ```
+
+    Replace database name as appropriate.
+
+6. Allow the database user to access the database created above by adding the following authentication rule to `pg_hba.conf`.
+
+    For local database:
+
+    ```ini
+    local    giteadb    gitea    scram-sha-256
+    ```
+
+    For remote database:
+
+    ```ini
+    host    giteadb    gitea    192.0.2.10/32    scram-sha-256
+    ```
+
+    Replace database name, user, and IP address of Gitea instance with your own.
+
+    :::note
+    Rules on `pg_hba.conf` are evaluated sequentially, that is the first matching rule will be used for authentication. Your PostgreSQL installation may come with generic authentication rules that match all users and databases. You may need to place the rules presented here above such generic rules if it is the case.
+    :::
+
+    Restart PostgreSQL to apply new authentication rules.
+
+7. On your Gitea server, test connection to the database.
+
+    For local database:
+
+    ```bash
+    psql -U gitea -d giteadb
+    ```
+
+    For remote database:
+
+    ```bash
+    psql "postgres://gitea@203.0.113.3/giteadb"
+    ```
+
+    where `gitea` is database user, `giteadb` is database name, and `203.0.113.3` is IP address of your database instance.
+
+    You should be prompted to enter password for the database user, and connected to the database.
+
+## Database Connection over TLS
+
+If the communication between Gitea and your database instance is performed through a private network, or if Gitea and the database are running on the same server, this section can be omitted since the security between Gitea and the database instance is not critically exposed. If instead the database instance is on a public network, use TLS to encrypt the connection to the database, as it is possible for third-parties to intercept the traffic data.
+
+### Prerequisites
+
+- You need two valid TLS certificates, one for the database instance (database server) and one for the Gitea instance (database client). Both certificates must be signed by a trusted CA.
+- The database certificate must contain `TLS Web Server Authentication` in the `X509v3 Extended Key Usage` extension attribute, while the client certificate needs `TLS Web Client Authentication` in the corresponding attribute.
+- On the database server certificate, one of `Subject Alternative Name` or `Common Name` entries must be the fully-qualified domain name (FQDN) of the database instance (e.g. `db.example.com`). On the database client certificate, one of the entries mentioned above must contain the database username that Gitea will be using to connect.
+- You need domain name mappings of both Gitea and database servers to their respective IP addresses. Either set up DNS records for them or add local mappings to `/etc/hosts` (`%WINDIR%\System32\drivers\etc\hosts` in Windows) on each system. This allows the database connections to be performed by domain name instead of IP address. See documentation of your system for details.
+
+### PostgreSQL TLS
+
+The PostgreSQL driver used by Gitea supports two-way TLS. In two-way TLS, both database client and server authenticate each other by sending their respective certificates to their respective opposite for validation. In other words, the server verifies client certificate, and the client verifies server certificate.
+
+1. On the server with the database instance, place the following credentials:
+
+    - `/path/to/postgresql.crt`: Database instance certificate
+    - `/path/to/postgresql.key`: Database instance private key
+    - `/path/to/root.crt`: CA certificate chain to validate client certificates
+
+2. Add following options to `postgresql.conf`:
+
+    ```ini
+    ssl = on
+    ssl_ca_file = '/path/to/root.crt'
+    ssl_cert_file = '/path/to/postgresql.crt'
+    ssl_key_file = '/path/to/postgresql.key'
+    ssl_min_protocol_version = 'TLSv1.2'
+    ```
+
+3. Adjust credentials ownership and permission, as required by PostgreSQL:
+
+    ```
+    chown postgres:postgres /path/to/root.crt /path/to/postgresql.crt /path/to/postgresql.key
+    chmod 0600 /path/to/root.crt /path/to/postgresql.crt /path/to/postgresql.key
+    ```
+
+4. Edit `pg_hba.conf` rule to only allow Gitea database user to connect over SSL, and to require client certificate verification.
+
+    For PostgreSQL 12:
+
+    ```ini
+    hostssl    giteadb    gitea    192.0.2.10/32    scram-sha-256    clientcert=verify-full
+    ```
+
+    For PostgreSQL 11 and earlier:
+
+    ```ini
+    hostssl    giteadb    gitea    192.0.2.10/32    scram-sha-256    clientcert=1
+    ```
+
+    Replace database name, user, and IP address of Gitea instance as appropriate.
+
+5. Restart PostgreSQL to apply configurations above.
+
+6. On the server running the Gitea instance, place the following credentials under the home directory of the user who runs Gitea (e.g. `git`):
+
+    - `~/.postgresql/postgresql.crt`: Database client certificate
+    - `~/.postgresql/postgresql.key`: Database client private key
+    - `~/.postgresql/root.crt`: CA certificate chain to validate server certificate
+
+    :::note
+    Those file names above are hardcoded in PostgreSQL and it is not possible to change them.
+    :::
+
+7. Adjust credentials, ownership and permission as required:
+
+    ```
+    chown git:git ~/.postgresql/postgresql.crt ~/.postgresql/postgresql.key ~/.postgresql/root.crt
+    chown 0600 ~/.postgresql/postgresql.crt ~/.postgresql/postgresql.key ~/.postgresql/root.crt
+    ```
+
+8. Test the connection to the database:
+
+    ```
+    psql "postgres://gitea@example.db/giteadb?sslmode=verify-full"
+    ```
+
+    You should be prompted to enter password for the database user, and then be connected to the database.
+
+### MySQL/MariaDB TLS
+
+While the MySQL driver used by Gitea also supports two-way TLS, Gitea currently supports only one-way TLS. See issue #10828 for details.
+
+In one-way TLS, the database client verifies the certificate sent from server during the connection handshake, and the server assumes that the connected client is legitimate, since client certificate verification doesn't take place.
+
+1. On the database instance, place the following credentials:
+
+    - `/path/to/mysql.crt`: Database instance certificate
+    - `/path/to/mysql.key`: Database instance key
+    - `/path/to/ca.crt`: CA certificate chain. This file isn't used on one-way TLS, but is used to validate client certificates on two-way TLS.
+
+2. Add following options to `my.cnf`:
+
+    ```ini
+    [mysqld]
+    ssl-ca = /path/to/ca.crt
+    ssl-cert = /path/to/mysql.crt
+    ssl-key = /path/to/mysql.key
+    tls-version = TLSv1.2,TLSv1.3
+    ```
+
+3. Adjust credentials ownership and permission:
+
+    ```
+    chown mysql:mysql /path/to/ca.crt /path/to/mysql.crt /path/to/mysql.key
+    chmod 0600 /path/to/ca.crt /path/to/mysql.crt /path/to/mysql.key
+    ```
+
+4. Restart MySQL to apply the setting.
+
+5. The database user for Gitea may have been created earlier, but it would authenticate only against the IP addresses of the server running Gitea. To authenticate against its domain name, recreate the user, and this time also set it to require TLS for connecting to the database:
+
+    ```sql
+    DROP USER 'gitea'@'192.0.2.10';
+    CREATE USER 'gitea'@'example.gitea' IDENTIFIED BY 'gitea' REQUIRE SSL;
+    GRANT ALL PRIVILEGES ON giteadb.* TO 'gitea'@'example.gitea';
+    FLUSH PRIVILEGES;
+    ```
+
+    Replace database user name, password, and Gitea instance domain as appropriate.
+
+6. Make sure that the CA certificate chain required to validate the database server certificate is on the system certificate store of both the database and Gitea servers. Consult your system documentation for instructions on adding a CA certificate to the certificate store.
+
+7. On the server running Gitea, test connection to the database:
+
+    ```
+    mysql -u gitea -h example.db -p --ssl
+    ```
+
+    You should be connected to the database.

docs/installation/from-binary.md

@@ -0,0 +1,240 @@
+---
+date: "2017-06-19T12:00:00+02:00"
+slug: "install-from-binary"
+sidebar_position: 15
+aliases:
+  - /en-us/install-from-binary
+---
+
+# Installation from binary
+
+All downloads come with SQLite, MySQL and PostgreSQL support, and are built with
+embedded assets. This can be different from Gogs.
+
+## Download
+
+You can find the file matching your platform from the [downloads page](https://dl.gitea.com/gitea/) after navigating to the version you want to download.
+
+### Choosing the right file
+
+**For Linux**, you will likely want `linux-amd64`. It's for 64-bit Intel/AMD platforms, but there are other platforms available, including `arm64` (e.g. Raspberry PI 4), `386` (i.e. 32-bit), `arm-5`, and `arm-6`.
+
+**For Windows**, you will likely want `windows-4.0-amd64`. It's for all modern versions of Windows, but there is also a `386` platform available designed for older, 32-bit versions of Windows.
+
+:::info
+There is also a `gogit-windows` file available that was created to help with some [performance problems](https://github.com/go-gitea/gitea/pull/15482) reported by some Windows users on older systems/versions. You should consider using this file if you're experiencing performance issues, and let us know if it improves performance.
+:::
+
+**For macOS**, you should choose `darwin-arm64` if your hardware uses Apple Silicon, or `darwin-amd64` for Intel.
+
+**For FreeBSD**, you should choose `freebsd12-amd64` for 64-bit Intel/AMD platforms.
+
+### Downloading with wget
+
+Copy the commands below and replace the URL within the one you wish to download.
+
+```shell
+wget -O gitea https://dl.gitea.com/gitea/@version@/gitea-@version@-linux-amd64
+chmod +x gitea
+```
+
+Note that the above command will download Gitea @version@ for 64-bit Linux.
+
+## Verify GPG signature
+
+Gitea signs all binaries with a [GPG key](https://keys.openpgp.org/search?q=teabot%40gitea.io) to prevent against unwanted modification of binaries.
+To validate the binary, download the signature file which ends in `.asc` for the binary you downloaded and use the GPG command line tool.
+
+```sh
+gpg --keyserver keys.openpgp.org --recv 7C9E68152594688862D62AF62D9AE806EC1592E2
+gpg --verify gitea-@version@-linux-amd64.asc gitea-@version@-linux-amd64
+```
+
+Look for the text `Good signature from "Teabot <teabot@gitea.io>"` to assert a good binary,
+despite warnings like `This key is not certified with a trusted signature!`.
+
+## Recommended server configuration
+
+:::note
+Many of the following directories can be configured using [Environment Variables](../administration/environment-variables.md) as well!
+Of note, configuring `GITEA_WORK_DIR` will tell Gitea where to base its working directory, as well as ease installation.
+:::
+
+### Prepare environment
+
+Check that Git is installed on the server. If it is not, install it first. Gitea requires Git version >= 2.0.
+
+```sh
+git --version
+```
+
+Create a user to run Gitea (e.g. `git`)
+
+```sh
+# On Ubuntu/Debian:
+adduser \
+   --system \
+   --shell /bin/bash \
+   --gecos 'Git Version Control' \
+   --group \
+   --disabled-password \
+   --home /home/git \
+   git
+
+# On Fedora/RHEL/CentOS:
+groupadd --system git
+adduser \
+   --system \
+   --shell /bin/bash \
+   --comment 'Git Version Control' \
+   --gid git \
+   --home-dir /home/git \
+   --create-home \
+   git
+```
+
+### Create required directory structure
+
+```sh
+mkdir -p /var/lib/gitea/{custom,data,log}
+chown -R git:git /var/lib/gitea/
+chmod -R 750 /var/lib/gitea/
+mkdir /etc/gitea
+chown root:git /etc/gitea
+chmod 770 /etc/gitea
+```
+
+:::note
+> `/etc/gitea` is temporarily set with write permissions for user `git` so that the web installer can write the configuration file. After the installation is finished, it is recommended to set permissions to read-only using:
+:::
+
+>
+> ```sh
+> chmod 750 /etc/gitea
+> chmod 640 /etc/gitea/app.ini
+> ```
+
+If you don't want the web installer to be able to write to the config file, it is possible to make the config file read-only for the Gitea user (owner/group `root:git`, mode `0640`) however you will need to edit your config file manually to:
+
+* Set `INSTALL_LOCK= true`,
+* Ensure all database configuration details are set correctly
+* Ensure that the `SECRET_KEY` and `INTERNAL_TOKEN` values are set. (You may want to use the `gitea generate secret` to generate these secret keys.)
+* Ensure that any other secret keys you need are set.
+
+See the [command line documentation](../administration/command-line.md) for information on using `gitea generate secret`.
+
+### Configure Gitea's working directory
+
+:::note
+If you plan on running Gitea as a Linux service, you can skip this step, as the service file allows you to set `WorkingDirectory`. Otherwise, consider setting this environment variable (semi-)permanently so that Gitea consistently uses the correct working directory.
+:::
+
+```sh
+export GITEA_WORK_DIR=/var/lib/gitea/
+```
+
+### Copy the Gitea binary to a global location
+
+```sh
+cp gitea /usr/local/bin/gitea
+```
+
+### Adding bash/zsh autocompletion (from 1.19)
+
+A script to enable bash-completion can be found at [`contrib/autocompletion/bash_autocomplete`](https://raw.githubusercontent.com/go-gitea/gitea/main/contrib/autocompletion/bash_autocomplete). This can be copied to `/usr/share/bash-completion/completions/gitea`
+or sourced within your `.bashrc`.
+
+Similarly a script for zsh-completion can be found at [`contrib/autocompletion/zsh_autocomplete`](https://raw.githubusercontent.com/go-gitea/gitea/main/contrib/autocompletion/zsh_autocomplete). This can be copied to `/usr/share/zsh/_gitea` or sourced within your
+`.zshrc`.
+
+YMMV and these scripts may need further improvement.
+
+## Running Gitea
+
+After you complete the above steps, you can run Gitea two ways:
+
+### 1. Creating a service file to start Gitea automatically (recommended)
+
+See how to create [Linux service](installation/run-as-service-in-ubuntu.md)
+
+### 2. Running from command-line/terminal
+
+```sh
+GITEA_WORK_DIR=/var/lib/gitea/ /usr/local/bin/gitea web -c /etc/gitea/app.ini
+```
+
+## Updating to a new version
+
+You can update to a new version of Gitea by stopping Gitea, replacing the binary at `/usr/local/bin/gitea` and restarting the instance.
+The binary file name should not be changed during the update to avoid problems in existing repositories.
+
+It is recommended that you make a [backup](../administration/backup-and-restore.md) before updating your installation.
+
+If you have carried out the installation steps as described above, the binary should
+have the generic name `gitea`. Do not change this, i.e. to include the version number.
+
+### 1. Restarting Gitea with systemd (recommended)
+
+As we explained before, we recommend to use systemd as the service manager. In this case, `systemctl restart gitea` should be fine.
+
+### 2. Restarting Gitea without systemd
+
+To restart your Gitea instance, we recommend to use SIGHUP signal. If you know your Gitea PID, use `kill -1 $GITEA_PID`, otherwise you can use `killall -1 gitea`.
+
+To gracefully stop the Gitea instance, a simple `kill $GITEA_PID` or `killall gitea` is enough.
+
+:::note
+We don't recommend to use the SIGKILL signal (`-9`); you may be forcefully stopping some of Gitea's internal tasks, and it will not gracefully stop (tasks in queues, indexers, etc.)
+:::
+
+See below for troubleshooting instructions to repair broken repositories after
+an update of your Gitea version.
+
+## Troubleshooting
+
+### Old glibc versions
+
+Older Linux distributions (such as Debian 7 and CentOS 6) may not be able to load the
+Gitea binary, usually producing an error such as `./gitea: /lib/x86_64-linux-gnu/libc.so.6:
+version 'GLIBC\_2.14' not found (required by ./gitea)`. This is due to the integrated
+SQLite support in the binaries provided by dl.gitea.com. In this situation, it is usually
+possible to [install from source](installation/from-source.md), without including
+SQLite support.
+
+### Running Gitea on another port
+
+For errors like `702 runWeb()] [E] Failed to start server: listen tcp 0.0.0.0:3000:
+bind: address already in use`, Gitea needs to be started on another free port. This
+is possible using `./gitea web -p $PORT`. It's possible another instance of Gitea
+is already running.
+
+### Running Gitea on Raspbian
+
+As of v1.8, there is a problem with the arm7 version of Gitea, and it doesn't run on Raspberry Pis and similar devices.
+
+It is recommended to switch to the arm6 version, which has been tested and shown to work on Raspberry Pis and similar devices.
+
+<!---
+please remove after fixing the arm7 bug
+--->
+### Git error after updating to a new version of Gitea
+
+If during the update, the binary file name has been changed to a new version of Gitea,
+Git Hooks in existing repositories will not work any more. In that case, a Git
+error will be displayed when pushing to the repository.
+
+```
+remote: ./hooks/pre-receive.d/gitea: line 2: [...]: No such file or directory
+```
+
+The `[...]` part of the error message will contain the path to your previous Gitea
+binary.
+
+To solve this, go to the admin options and run the task `Resynchronize pre-receive,
+update and post-receive hooks of all repositories` to update all hooks to contain
+the new binary path. Please note that this overwrites all Git Hooks, including ones
+with customizations made.
+
+If you aren't using the Gitea built-in SSH server, you will also need to re-write
+the authorized key file by running the `Update the '.ssh/authorized_keys' file with
+Gitea SSH keys.` task in the admin options.

docs/installation/from-package.md

@@ -1,18 +1,9 @@
 ---
 date: "2016-12-01T16:00:00+02:00"
-title: "Installation from package"
 slug: "install-from-package"
 sidebar_position: 20
-toc: false
-draft: false
 aliases:
   - /en-us/install-from-package
-menu:
-  sidebar:
-    parent: "installation"
-    name: "From package"
-    sidebar_position: 20
-    identifier: "install-from-package"
 ---
 
 # Installation from Package

docs/installation/from-source.md

@@ -1,18 +1,9 @@
 ---
 date: "2016-12-01T16:00:00+02:00"
-title: "Installation from source"
 slug: "install-from-source"
 sidebar_position: 30
-toc: false
-draft: false
 aliases:
   - /en-us/install-from-source
-menu:
-  sidebar:
-    parent: "installation"
-    name: "From source"
-    sidebar_position: 30
-    identifier: "install-from-source"
 ---
 
 # Installation from source
@@ -27,9 +18,11 @@ Next, [install Node.js with npm](https://nodejs.org/en/download/) which is
 required to build the JavaScript and CSS files. The minimum supported Node.js
 version is @minNodeVersion@ and the latest LTS version is recommended.
 
-**Note**: Go version @minGoVersion@ or higher is required. However, it is recommended to
+:::note
+Go version @minGoVersion@ or higher is required. However, it is recommended to
 obtain the same version as our continuous integration, see the advice given in
 [Hacking on Gitea](development/hacking-on-gitea.md)
+:::
 
 ## Download
 
@@ -52,7 +45,7 @@ To work with tagged releases, the following commands can be used:
 
 ```bash
 git branch -a
-git checkout v@version@
+git checkout @sourceBranch@
 ```
 
 To validate a Pull Request, first enable the new branch (`xyz` is the PR id;
@@ -62,14 +55,14 @@ for example `2663` for [#2663](https://github.com/go-gitea/gitea/pull/2663)):
 git fetch origin pull/xyz/head:pr-xyz
 ```
 
-To build Gitea from source at a specific tagged release (like v@version@), list the
+To build Gitea from source at a specific tagged release (like @sourceVersion@), list the
 available tags and check out the specific tag.
 
 List available tags with the following.
 
 ```bash
 git tag -l
-git checkout v@version@  # or git checkout pr-xyz
+git checkout @sourceVersion@  # or git checkout pr-xyz
 ```
 
 ## Build

docs/installation/on-cloud-provider.md

@@ -0,0 +1,43 @@
+---
+date: "2016-12-01T16:00:00+02:00"
+slug: "install-on-cloud-provider"
+sidebar_position: 90
+aliases:
+  - /en-us/install-on-cloud-provider
+---
+
+# Installation on Cloud Provider
+
+## Cloudron
+
+Gitea is available as a 1-click install on [Cloudron](https://cloudron.io).
+Cloudron makes it easy to run apps like Gitea on your server and keep them up-to-date and secure.
+
+[![Install](/cloudron.svg)](https://cloudron.io/button.html?app=io.gitea.cloudronapp)
+
+The Gitea package is maintained [here](https://git.cloudron.io/cloudron/gitea-app).
+
+There is a [demo instance](https://my.demo.cloudron.io) (username: cloudron password: cloudron) where
+you can experiment with running Gitea.
+
+## Linode
+
+[Linode](https://www.linode.com/) has Gitea as an app in their marketplace.
+
+To deploy Gitea to Linode, have a look at the [Linode Marketplace](https://www.linode.com/marketplace/apps/linode/gitea/).
+
+## alwaysdata
+
+[alwaysdata](https://www.alwaysdata.com/) has Gitea as an app in their marketplace.
+
+To deploy Gitea to alwaysdata, have a look at the [alwaysdata Marketplace](https://www.alwaysdata.com/en/marketplace/gitea/).
+
+## Exoscale
+
+[Exoscale](https://www.exoscale.com/) provides Gitea managed by [Glasskube](https://glasskube.eu/) in their marketplace.
+
+Exoscale is a European cloud service provider.
+
+The package is maintained and update via the open source [Glasskube Kubernetes Operator](https://github.com/glasskube/operator).
+
+To deploy Gitea to Exoscale, have a look at the [Exoscale Marketplace](https://www.exoscale.com/marketplace/listing/glasskube-gitea/).

docs/installation/on-kubernetes.md

@@ -1,21 +1,12 @@
 ---
 date: "2020-03-19T19:27:00+02:00"
-title: "Install on Kubernetes"
 slug: "install-on-kubernetes"
 sidebar_position: 80
-toc: false
-draft: false
 aliases:
   - /en-us/install-on-kubernetes
-menu:
-  sidebar:
-    parent: "installation"
-    name: "Kubernetes"
-    sidebar_position: 80
-    identifier: "install-on-kubernetes"
 ---
 
-# Installation with Helm (on Kubernetes)
+# Install on Kubernetes
 
 Gitea provides a Helm Chart to allow for installation on kubernetes.
 
@@ -46,7 +37,7 @@ Gitea comes with a health check endpoint `/api/healthz`, you can configure it in
 
 a successful health check response will respond with http code `200`, here's example:
 
-```
+```json
 HTTP/1.1 200 OK
 
 {

docs/installation/run-as-service-in-ubuntu.md

@@ -1,18 +1,9 @@
 ---
 date: "2017-07-21T12:00:00+02:00"
-title: "Run as a Linux service"
 slug: "linux-service"
 sidebar_position: 40
-toc: false
-draft: false
 aliases:
   - /en-us/linux-service
-menu:
-  sidebar:
-    parent: "installation"
-    name: "Linux service"
-    sidebar_position: 40
-    identifier: "linux-service"
 ---
 
 # Run as a Linux service

docs/installation/upgrade-from-gitea.md

@@ -1,18 +1,9 @@
 ---
 date: "2021-09-02T16:00:00+08:00"
-title: "Upgrade from an old Gitea"
 slug: "upgrade-from-gitea"
 sidebar_position: 100
-toc: false
-draft: false
 aliases:
   - /en-us/upgrade-from-gitea
-menu:
-  sidebar:
-    parent: "installation"
-    name: "Upgrade From Old Gitea"
-    sidebar_position: 100
-    identifier: "upgrade-from-gitea"
 ---
 
 # Upgrade from an old Gitea

docs/installation/windows-service.md

@@ -1,26 +1,18 @@
 ---
 date: "2016-12-21T15:00:00-02:00"
-title: "Register as a Windows service"
 slug: "windows-service"
 sidebar_position: 50
-toc: false
-draft: false
 aliases:
   - /en-us/windows-service
-menu:
-  sidebar:
-    parent: "installation"
-    name: "Windows Service"
-    sidebar_position: 50
-    identifier: "windows-service"
 ---
+
 # Register as a Windows service
 
 ## Prerequisites
 
 The following changes are made in C:\gitea\custom\conf\app.ini:
 
-```
+```ini title="app.ini"
 RUN_USER = COMPUTERNAME$
 ```
 
@@ -32,7 +24,7 @@ COMPUTERNAME is whatever the response is from `echo %COMPUTERNAME%` on the comma
 
 If you use SQLite3, change the `PATH` to include the full path:
 
-```
+```ini title="app.ini"
 [database]
 PATH     = c:/gitea/data/gitea.db
 ```
@@ -42,7 +34,7 @@ PATH     = c:/gitea/data/gitea.db
 To register Gitea as a Windows service, open a command prompt (cmd) as an Administrator,
 then run the following command:
 
-```
+```sh
 sc.exe create gitea start= auto binPath= "\"C:\gitea\gitea.exe\" web --config \"C:\gitea\custom\conf\app.ini\""
 ```
 
@@ -57,7 +49,7 @@ that was configured).
 It was observed that on loaded systems during boot Gitea service may fail to start with timeout records in Windows Event Log.
 In that case change startup type to `Automatic-Delayed`. This can be done during service creation, or by running config command
 
-```
+```sh
 sc.exe config gitea start= delayed-auto
 ```
 
@@ -65,7 +57,7 @@ sc.exe config gitea start= delayed-auto
 
 To add a startup dependency to the Gitea Windows service (eg Mysql, Mariadb), as an Administrator, then run the following command:
 
-```
+```sh
 sc.exe config gitea depend= mariadb
 ```
 
@@ -75,6 +67,6 @@ This will ensure that when the Windows machine restarts, the automatic starting
 
 To unregister Gitea as a Windows service, open a command prompt (cmd) as an Administrator and run:
 
-```
+```sh
 sc.exe delete gitea
 ```

docs/installation/with-docker-rootless.md

@@ -1,21 +1,12 @@
 ---
 date: "2020-02-09T20:00:00+02:00"
-title: "Installation with Docker (rootless)"
 slug: "install-with-docker-rootless"
 sidebar_position: 60
-toc: false
-draft: false
 aliases:
   - /en-us/install-with-docker-rootless
-menu:
-  sidebar:
-    parent: "installation"
-    name: "With Docker Rootless"
-    sidebar_position: 60
-    identifier: "install-with-docker-rootless"
 ---
 
-# Installation with Docker
+# Installation with Docker (rootless)
 
 Gitea provides automatically updated Docker images within its Docker Hub organization. It is
 possible to always use the latest stable tag or to use another service that handles updating
@@ -29,7 +20,7 @@ the official [install instructions](https://docs.docker.com/compose/install/).
 
 ## Basics
 
-The most simple setup just creates a volume and a network and starts the `gitea/gitea:latest-rootless`
+The most simple setup just creates a volume and a network and starts the `docker.gitea.com/gitea:latest-rootless`
 image as a service. Since there is no database available, one can be initialized using SQLite3.
 
 Create a directory for `data` and `config`:
@@ -47,7 +38,7 @@ version: "2"
 
 services:
   server:
-    image: gitea/gitea:@version@-rootless
+    image: docker.gitea.com/gitea:@dockerVersion@-rootless
     restart: always
     volumes:
       - ./data:/var/lib/gitea
@@ -67,7 +58,7 @@ sudo chown 1000:1000 config/ data/
 
 > If you don't give the volume correct permissions, the container may not start.
 
-For a stable release you could use `:latest-rootless`, `:1-rootless` or specify a certain release like `:@version@-rootless`, but if you'd like to use the latest development version then `:nightly-rootless` would be an appropriate tag. If you'd like to run the latest commit from a release branch you can use the `:1.x-nightly-rootless` tag, where x is the minor version of Gitea. (e.g. `:1.16-nightly-rootless`)
+For a stable release you could use `:latest-rootless`, `:1-rootless` or specify a certain release like `:@dockerVersion@-rootless`, but if you'd like to use the latest development version then `:nightly-rootless` would be an appropriate tag. If you'd like to run the latest commit from a release branch you can use the `:1.x-nightly-rootless` tag, where x is the minor version of Gitea. (e.g. `:1.16-nightly-rootless`)
 
 ## Custom port
 
@@ -80,7 +71,7 @@ version: "2"
 
 services:
   server:
-    image: gitea/gitea:@version@-rootless
+    image: docker.gitea.com/gitea:@dockerVersion@-rootless
     restart: always
     volumes:
       - ./data:/var/lib/gitea
@@ -104,7 +95,7 @@ version: "2"
 
 services:
   server:
-    image: gitea/gitea:@version@-rootless
+    image: docker.gitea.com/gitea:@dockerVersion@-rootless
 +    environment:
 +      - GITEA__database__DB_TYPE=mysql
 +      - GITEA__database__HOST=db:3306
@@ -124,7 +115,7 @@ services:
 +      - db
 +
 +  db:
-+    image: mysql:8
++    image: docker.io/library/mysql:8
 +    restart: always
 +    environment:
 +      - MYSQL_ROOT_PASSWORD=gitea
@@ -145,7 +136,7 @@ version: "2"
 
 services:
   server:
-    image: gitea/gitea:@version@-rootless
+    image: docker.gitea.com/gitea:@dockerVersion@-rootless
     environment:
 +      - GITEA__database__DB_TYPE=postgres
 +      - GITEA__database__HOST=db:5432
@@ -165,7 +156,7 @@ services:
 +      - db
 +
 +  db:
-+    image: postgres:14
++    image: docker.io/library/postgres:14
 +    restart: always
 +    environment:
 +      - POSTGRES_USER=gitea
@@ -193,7 +184,7 @@ version: "2"
 +
 services:
   server:
-    image: gitea/gitea:@version@-rootless
+    image: docker.gitea.com/gitea:@dockerVersion@-rootless
     restart: always
     volumes:
 -      - ./data:/var/lib/gitea
@@ -220,7 +211,7 @@ version: "2"
 
 services:
   server:
-    image: gitea/gitea:@version@-rootless
+    image: docker.gitea.com/gitea:@dockerVersion@-rootless
     restart: always
 +    user: 1001
     volumes:
@@ -233,7 +224,13 @@ services:
       - "2222:2222"
 ```
 
-## Start
+## Startup
+
+:::note
+From July 2023 Compose V1 stopped receiving updates. It's also no longer available in new releases of Docker Desktop.
+
+Compose V2 is included with all currently supported versions of Docker Desktop. Please use V2 to do below operations.
+:::
 
 To start this setup based on `docker-compose`, execute `docker-compose up -d`,
 to launch Gitea in the background. Using `docker-compose ps` will show if Gitea
@@ -242,8 +239,10 @@ started properly. Logs can be viewed with `docker-compose logs`.
 To shut down the setup, execute `docker-compose down`. This will stop
 and kill the containers. The volumes will still exist.
 
-Notice: if using a non-3000 port on http, change app.ini to match
+:::note
+If using a non-3000 port on http, change app.ini to match
 `LOCAL_ROOT_URL = http://localhost:3000/`.
+:::
 
 ## Install
 
@@ -252,21 +251,23 @@ favorite browser to finalize the installation. Visit http://server-ip:3000 and f
 installation wizard. If the database was started with the `docker-compose` setup as
 documented above, please note that `db` must be used as the database hostname.
 
-# Customization
+## Customization
 
-Customization files described [here](administration/customizing-gitea.md) should
+Customization files described [here](../administration/customizing-gitea.md) should
 be placed in `/var/lib/gitea/custom` directory. If using host volumes, it's quite easy to access these
 files; for named volumes, this is done through another container or by direct access at
 `/var/lib/docker/volumes/gitea_gitea/_/var_lib_gitea`. The configuration file will be saved at
 `/etc/gitea/app.ini` after the installation.
 
-# Upgrading
+## Upgrading
 
+:::warning
 :exclamation::exclamation: **Make sure you have volumed data to somewhere outside Docker container** :exclamation::exclamation:
+:::
 
 To upgrade your installation to the latest release:
 
-```
+```bash
 # Edit `docker-compose.yml` to update the version, if you have one specified
 # Pull new images
 docker-compose pull
@@ -274,7 +275,7 @@ docker-compose pull
 docker-compose up -d
 ```
 
-# Upgrading from standard image
+## Upgrading from standard image
 
 - Backup your setup
 - Change volume mountpoint from /data to /var/lib/gitea
@@ -282,7 +283,7 @@ docker-compose up -d
 - Rename folder (inside volume) gitea to custom
 - Edit app.ini if needed
   - Set START_SSH_SERVER = true
-- Use image gitea/gitea:@version@-rootless
+- Use image docker.gitea.com/gitea:@dockerVersion@-rootless
 
 ## Managing Deployments With Environment Variables
 
@@ -313,7 +314,7 @@ services:
       - GITEA__mailer__PASSWD="""${GITEA__mailer__PASSWD:?GITEA__mailer__PASSWD not set}"""
 ```
 
-To set required TOKEN and SECRET values, consider using Gitea's built-in [generate utility functions](administration/command-line.md#generate).
+To set required TOKEN and SECRET values, consider using Gitea's built-in [generate utility functions](../administration/command-line.md#generate).
 
 # SSH Container Passthrough
 
@@ -342,7 +343,7 @@ Once the wrapper is in place, you can make it the shell for the `git` user:
 sudo usermod -s /usr/local/bin/gitea-shell git
 ```
 
-Now that all the SSH commands are forwarded to the container, you need to set up the SSH authentication on the host. This is done by leveraging the [SSH AuthorizedKeysCommand](administration/command-line.md#keys) to match the keys against those accepted by Gitea. Add the following block to `/etc/ssh/sshd_config`, on the host:
+Now that all the SSH commands are forwarded to the container, you need to set up the SSH authentication on the host. This is done by leveraging the [SSH AuthorizedKeysCommand](../administration/command-line.md#keys) to match the keys against those accepted by Gitea. Add the following block to `/etc/ssh/sshd_config`, on the host:
 
 ```bash
 Match User git

docs/installation/with-docker.md

@@ -0,0 +1,650 @@
+---
+date: "2020-03-19T19:27:00+02:00"
+slug: "install-with-docker"
+sidebar_position: 70
+aliases:
+  - /en-us/install-with-docker
+---
+
+# Installation with Docker
+
+Gitea provides automatically updated Docker images within its Docker Hub organization. It is
+possible to always use the latest stable tag or to use another service that handles updating
+Docker images.
+
+This reference setup guides users through the setup based on `docker-compose`, but the installation
+of `docker-compose` is out of scope of this documentation. To install `docker-compose` itself, follow
+the official [install instructions](https://docs.docker.com/compose/install/).
+
+## Basics
+
+The most simple setup just creates a volume and a network and starts the `docker.gitea.com/gitea:latest`
+image as a service. Since there is no database available, one can be initialized using SQLite3.
+Create a directory like `gitea` and paste the following content into a file named `docker-compose.yml`.
+Note that the volume should be owned by the user/group with the UID/GID specified in the config file.
+If you don't give the volume correct permissions, the container may not start.
+For a stable release you can use `:latest`, `:1` or specify a certain release like `:@dockerVersion@`, but if you'd like to use the latest development version of Gitea then you could use the `:nightly` tag. If you'd like to run the latest commit from a release branch you can use the `:1.x-nightly` tag, where x is the minor version of Gitea. (e.g. `:1.16-nightly`)
+
+```yaml
+version: "3"
+
+networks:
+  gitea:
+    external: false
+
+services:
+  server:
+    image: docker.gitea.com/gitea:@dockerVersion@
+    container_name: gitea
+    environment:
+      - USER_UID=1000
+      - USER_GID=1000
+    restart: always
+    networks:
+      - gitea
+    volumes:
+      - ./gitea:/data
+      - /etc/timezone:/etc/timezone:ro
+      - /etc/localtime:/etc/localtime:ro
+    ports:
+      - "3000:3000"
+      - "222:22"
+```
+
+## Ports
+
+To bind the integrated OpenSSH daemon and the webserver on a different port, adjust
+the port section. It's common to just change the host port and keep the ports within
+the container like they are.
+
+```diff
+version: "3"
+
+networks:
+  gitea:
+    external: false
+
+services:
+  server:
+    image: docker.gitea.com/gitea:@dockerVersion@
+    container_name: gitea
+    environment:
+      - USER_UID=1000
+      - USER_GID=1000
+    restart: always
+    networks:
+      - gitea
+    volumes:
+      - ./gitea:/data
+      - /etc/timezone:/etc/timezone:ro
+      - /etc/localtime:/etc/localtime:ro
+    ports:
+-     - "3000:3000"
+-     - "222:22"
++     - "8080:3000"
++     - "2221:22"
+```
+
+## Databases
+
+### MySQL database
+
+To start Gitea in combination with a MySQL database, apply these changes to the
+`docker-compose.yml` file created above.
+
+```diff
+version: "3"
+
+networks:
+  gitea:
+    external: false
+
+services:
+  server:
+    image: docker.gitea.com/gitea:@dockerVersion@
+    container_name: gitea
+    environment:
+      - USER_UID=1000
+      - USER_GID=1000
++      - GITEA__database__DB_TYPE=mysql
++      - GITEA__database__HOST=db:3306
++      - GITEA__database__NAME=gitea
++      - GITEA__database__USER=gitea
++      - GITEA__database__PASSWD=gitea
+    restart: always
+    networks:
+      - gitea
+    volumes:
+      - ./gitea:/data
+      - /etc/timezone:/etc/timezone:ro
+      - /etc/localtime:/etc/localtime:ro
+    ports:
+      - "3000:3000"
+      - "222:22"
++    depends_on:
++      - db
++
++  db:
++    image: docker.io/library/mysql:8
++    restart: always
++    environment:
++      - MYSQL_ROOT_PASSWORD=gitea
++      - MYSQL_USER=gitea
++      - MYSQL_PASSWORD=gitea
++      - MYSQL_DATABASE=gitea
++    networks:
++      - gitea
++    volumes:
++      - ./mysql:/var/lib/mysql
+```
+
+### PostgreSQL database
+
+To start Gitea in combination with a PostgreSQL database, apply these changes to
+the `docker-compose.yml` file created above.
+
+```diff
+version: "3"
+
+networks:
+  gitea:
+    external: false
+
+services:
+  server:
+    image: docker.gitea.com/gitea:@dockerVersion@
+    container_name: gitea
+    environment:
+      - USER_UID=1000
+      - USER_GID=1000
++      - GITEA__database__DB_TYPE=postgres
++      - GITEA__database__HOST=db:5432
++      - GITEA__database__NAME=gitea
++      - GITEA__database__USER=gitea
++      - GITEA__database__PASSWD=gitea
+    restart: always
+    networks:
+      - gitea
+    volumes:
+      - ./gitea:/data
+      - /etc/timezone:/etc/timezone:ro
+      - /etc/localtime:/etc/localtime:ro
+    ports:
+      - "3000:3000"
+      - "222:22"
++    depends_on:
++      - db
++
++  db:
++    image: docker.io/library/postgres:14
++    restart: always
++    environment:
++      - POSTGRES_USER=gitea
++      - POSTGRES_PASSWORD=gitea
++      - POSTGRES_DB=gitea
++    networks:
++      - gitea
++    volumes:
++      - ./postgres:/var/lib/postgresql/data
+```
+
+## Named volumes
+
+To use named volumes instead of host volumes, define and use the named volume
+within the `docker-compose.yml` configuration. This change will automatically
+create the required volume. You don't need to worry about permissions with
+named volumes; Docker will deal with that automatically.
+
+```diff
+version: "3"
+
+networks:
+  gitea:
+    external: false
+
++volumes:
++  gitea:
++    driver: local
++
+services:
+  server:
+    image: docker.gitea.com/gitea:@dockerVersion@
+    container_name: gitea
+    restart: always
+    networks:
+      - gitea
+    volumes:
+-      - ./gitea:/data
++      - gitea:/data
+      - /etc/timezone:/etc/timezone:ro
+      - /etc/localtime:/etc/localtime:ro
+    ports:
+      - "3000:3000"
+      - "222:22"
+```
+
+MySQL or PostgreSQL containers will need to be created separately.
+
+## Startup
+
+:::note
+From July 2023 Compose V1 stopped receiving updates. It's also no longer available in new releases of Docker Desktop.
+
+Compose V2 is included with all currently supported versions of Docker Desktop. Please use V2 to do below operations.
+:::
+
+To start this setup based on `docker-compose`, execute `docker-compose up -d`,
+to launch Gitea in the background. Using `docker-compose ps` will show if Gitea
+started properly. Logs can be viewed with `docker-compose logs`.
+
+To shut down the setup, execute `docker-compose down`. This will stop
+and kill the containers. The volumes will still exist.
+
+:::note
+If using a non-3000 port on http, change app.ini to match
+`LOCAL_ROOT_URL = http://localhost:3000/`.
+:::
+
+## Installation
+
+After starting the Docker setup via `docker-compose`, Gitea should be available using a
+favorite browser to finalize the installation. Visit http://server-ip:3000 and follow the
+installation wizard. If the database was started with the `docker-compose` setup as
+documented above, please note that `db` must be used as the database hostname.
+
+## Configure the user inside Gitea using environment variables
+
+- `USER`: **git**: The username of the user that runs Gitea within the container.
+- `USER_UID`: **1000**: The UID (Unix user ID) of the user that runs Gitea within the container. Match this to the UID of the owner of the `/data` volume if using host volumes (this is not necessary with named volumes).
+- `USER_GID`: **1000**: The GID (Unix group ID) of the user that runs Gitea within the container. Match this to the GID of the owner of the `/data` volume if using host volumes (this is not necessary with named volumes).
+
+## Customization
+
+Customization files described [here](../administration/customizing-gitea.md) should
+be placed in `/data/gitea` directory. If using host volumes, it's quite easy to access these
+files; for named volumes, this is done through another container or by direct access at
+`/var/lib/docker/volumes/gitea_gitea/_data`. The configuration file will be saved at
+`/data/gitea/conf/app.ini` after the installation.
+
+Example: Analogous to the non-docker-installation customization linked above, you can create a `/public` folder within `/data/gitea` and place your custom `robots.txt` there which will then be served normally.
+
+## Upgrading
+
+:::warning
+Make sure you have volumed data to somewhere outside Docker container
+:::
+
+To upgrade your installation to the latest release:
+
+```bash
+# Edit `docker-compose.yml` to update the version, if you have one specified
+# Pull new images
+docker-compose pull
+# Start a new container, automatically removes old one
+docker-compose up -d
+```
+
+## Managing Deployments With Environment Variables
+
+In addition to the environment variables above, any settings in `app.ini` can be set
+or overridden with an environment variable of the form: `GITEA__SECTION_NAME__KEY_NAME`.
+These settings are applied each time the docker container starts, and won't be passed into Gitea's sub-processes.
+Full information [here](https://github.com/go-gitea/gitea/tree/master/contrib/environment-to-ini).
+
+These environment variables can be passed to the docker container in `docker-compose.yml`.
+The following example will enable an smtp mail server if the required env variables
+`GITEA__mailer__FROM`, `GITEA__mailer__HOST`, `GITEA__mailer__PASSWD` are set on the host
+or in a `.env` file in the same directory as `docker-compose.yml`.
+
+The settings can be also set or overridden with the content of a file by defining an environment variable of the form:
+`GITEA__section_name__KEY_NAME__FILE` that points to a file.
+
+```yaml
+...
+services:
+  server:
+    environment:
+      - GITEA__mailer__ENABLED=true
+      - GITEA__mailer__FROM=${GITEA__mailer__FROM:?GITEA__mailer__FROM not set}
+      - GITEA__mailer__PROTOCOL=smtps
+      - GITEA__mailer__SMTP_ADDR=${GITEA__mailer__SMTP_ADDR:?GITEA__mailer__SMTP_ADDR not set}
+      - GITEA__mailer__SMTP_PORT=${GITEA__mailer__SMTP_PORT:?GITEA__mailer__SMTP_PORT not set}
+      - GITEA__mailer__USER=${GITEA__mailer__USER:-apikey}
+      - GITEA__mailer__PASSWD="""${GITEA__mailer__PASSWD:?GITEA__mailer__PASSWD not set}"""
+```
+
+Gitea will generate new secrets/tokens for every new installation automatically and write them into the app.ini. If you want to set the secrets/tokens manually, you can use the following docker commands to use of Gitea's built-in [generate utility functions](../administration/command-line.md#generate). Do not lose/change your SECRET_KEY after the installation, otherwise the encrypted data can not be decrypted anymore.
+
+The following commands will output a new `SECRET_KEY` and `INTERNAL_TOKEN` to `stdout`, which you can then place in your environment variables.
+
+```bash
+docker run -it --rm docker.gitea.com/gitea:1 gitea generate secret SECRET_KEY
+docker run -it --rm docker.gitea.com/gitea:1 gitea generate secret INTERNAL_TOKEN
+```
+
+```yaml
+...
+services:
+  server:
+    environment:
+      - GITEA__security__SECRET_KEY=[value returned by generate secret SECRET_KEY]
+      - GITEA__security__INTERNAL_TOKEN=[value returned by generate secret INTERNAL_TOKEN]
+```
+
+## SSH Container Passthrough
+
+Since SSH is running inside the container, SSH needs to be passed through from the host to the container if SSH support is desired. One option would be to run the container SSH on a non-standard port (or moving the host port to a non-standard port). Another option which might be more straightforward is for Gitea users to ssh to a Gitea user on the host which will then relay those connections to the docker. Alternatively, if the host machine has more than one IP address, the host can listen on one and Gitea on another.
+
+### Understanding SSH access to Gitea (without passthrough)
+
+To understand what needs to happen, you first need to understand what happens without passthrough. So we will try to explain this:
+
+1. The client adds their SSH public key to Gitea using the webpage.
+2. Gitea will add an entry for this key to the `.ssh/authorized_keys` file of its running user, `git`.
+3. This entry has the public key, but also has a `command=` option. It is this command that Gitea uses to match this key to the client user and manages authentication.
+4. The client then makes an SSH request to the SSH server using the `git` user, e.g. `git clone git@domain:user/repo.git`.
+5. The client will attempt to authenticate with the server, passing one or more public keys one at a time to the server.
+6. For each key the client provides, the SSH server will first check its configuration for an `AuthorizedKeysCommand` to see if the public key matches, and then the `git` user's `authorized_keys` file.
+7. The first entry that matches will be selected, and assuming this is a Gitea entry, the `command=` will now be executed.
+8. The SSH server creates a user session for the `git` user, and using the shell for the `git` user runs the `command=`
+9. This runs `gitea serv` which takes over control of the rest of the SSH session and manages gitea authentication & authorization of the git commands.
+
+Now, for the SSH passthrough to work, we need the host SSH to match the public keys and then run the `gitea serv` on the docker. There are multiple ways of doing this. However, all of these require some information about the docker being passed to the host.
+
+### SSHing Shim (with authorized_keys)
+
+In this option, the idea is that the host simply uses the `authorized_keys` that gitea creates but at step 9 the `gitea` command that the host runs is a shim that actually runs ssh to go into the docker and then run the real docker `gitea` itself.
+
+- To make the forwarding work, the SSH port of the container (22) needs to be mapped to the host port 2222 in `docker-compose.yml` . Since this port does not need to be exposed to the outside world, it can be mapped to the `localhost` of the host machine:
+
+  ```yaml
+  ports:
+    # [...]
+    - "127.0.0.1:2222:22"
+  ```
+
+- Next on the host create the `git` user which shares the same `UID`/ `GID` as the container values `USER_UID`/ `USER_GID`. These values can be set as environment variables in the `docker-compose.yml`:
+
+  ```yaml
+  environment:
+    - USER_UID=1000
+    - USER_GID=1000
+  ```
+
+- Mount `/home/git/.ssh` of the host into the container. This ensures that the `authorized_keys` file is shared between the host `git` user and the container `git` user otherwise the SSH authentication cannot work inside the container.
+
+  ```yaml
+  volumes:
+    - /home/git/.ssh/:/data/git/.ssh
+  ```
+
+- Now a SSH key pair needs to be created on the host. This key pair will be used to authenticate the `git` user on the host to the container. As an administrative user on the host run: (by administrative user we mean a user that can sudo to root)
+
+  ```bash
+  sudo -u git ssh-keygen -t rsa -b 4096 -C "Gitea Host Key"
+  ```
+
+- Please note depending on the local version of ssh you may want to consider using `-t ecdsa` here.
+
+- `/home/git/.ssh/authorized_keys` on the host now needs to be modified. It needs to act in the same way as `authorized_keys` within the Gitea container. Therefore add the public key of the key you created above ("Gitea Host Key") to `~/git/.ssh/authorized_keys`. As an administrative user on the host run:
+
+  ```bash
+  sudo -u git cat /home/git/.ssh/id_rsa.pub | sudo -u git tee -a /home/git/.ssh/authorized_keys
+  sudo -u git chmod 600 /home/git/.ssh/authorized_keys
+  ```
+
+  Important: The pubkey from the `git` user needs to be added "as is" while all other pubkeys added via the Gitea web interface will be prefixed with `command="/usr [...]`.
+
+  `/home/git/.ssh/authorized_keys` should then look somewhat like
+
+  ```bash
+  # SSH pubkey from git user
+  ssh-rsa <Gitea Host Key>
+
+  # other keys from users
+  command="/usr/local/bin/gitea --config=/data/gitea/conf/app.ini serv key-1",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty <user pubkey>
+  ```
+
+- The next step is to create the fake host `gitea` command that will forward commands from the host to the container. The name of this file depends on your version of Gitea:
+
+  - For Gitea v1.16.0+. As an administrative user on the host run:
+
+    ```bash
+    cat <<"EOF" | sudo tee /usr/local/bin/gitea
+    #!/bin/sh
+    ssh -p 2222 -o StrictHostKeyChecking=no git@127.0.0.1 "SSH_ORIGINAL_COMMAND=\"$SSH_ORIGINAL_COMMAND\" $0 $@"
+    EOF
+    sudo chmod +x /usr/local/bin/gitea
+    ```
+
+Here is a detailed explanation what is happening when a SSH request is made:
+
+1. The client adds their SSH public key to Gitea using the webpage.
+2. Gitea in the container will add an entry for this key to the `.ssh/authorized_keys` file of its running user, `git`.
+    - However, because `/home/git/.ssh/` on the host is mounted as `/data/git/.ssh` this means that the key has been added to the host `git` user's `authorized_keys` file too.
+3. This entry has the public key, but also has a `command=` option.
+    - This command matches the location of the Gitea binary on the container, but also the location of the shim on the host.
+4. The client then makes an SSH request to the host SSH server using the `git` user, e.g. `git clone git@domain:user/repo.git`.
+5. The client will attempt to authenticate with the server, passing one or more public keys in turn to the host.
+6. For each key the client provides, the host SSH server will first check its configuration for an `AuthorizedKeysCommand` to see if the public key matches, and then the host `git` user's `authorized_keys` file.
+    - Because `/home/git/.ssh/` on the host is mounted as `/data/git/.ssh` this means that the key they added to the Gitea web will be found
+7. The first entry that matches will be selected, and assuming this is a Gitea entry, the `command=` will now be executed.
+8. The host SSH server creates a user session for the `git` user, and using the shell for the host `git` user runs the `command=`
+9. This means that the host runs the host `/usr/local/bin/gitea` shim that opens an SSH from the host to container passing the rest of the command arguments directly to `/usr/local/bin/gitea` on the container.
+10. Meaning that the container `gitea serv` is run, taking over control of the rest of the SSH session and managing gitea authentication & authorization of the git commands.
+
+**Notes**
+
+SSH container passthrough using `authorized_keys` will work only if
+
+- `opensshd` is used in the container
+- if `AuthorizedKeysCommand` is _not used_ in combination with `SSH_CREATE_AUTHORIZED_KEYS_FILE=false` to disable authorized files key generation
+- `LOCAL_ROOT_URL` is not changed (depending on the changes)
+
+If you try to run `gitea` on the host, you will attempt to ssh to the container and thence run the `gitea` command there.
+
+Never add the `Gitea Host Key` as a SSH key to a user on the Gitea interface.
+
+### SSHing Shell (with authorized_keys)
+
+In this option, the idea is that the host simply uses the `authorized_keys` that gitea creates but at step 8 above we change the shell that the host runs to ssh directly into the docker and then run the shell there. This means that the `gitea` that is then run is the real docker `gitea`.
+
+- In this case we setup as per SSHing Shim except instead of creating `/usr/local/bin/gitea`
+we create a new shell for the git user. As an administrative user on the host run:
+
+  ```bash
+  cat <<"EOF" | sudo tee /home/git/ssh-shell
+  #!/bin/sh
+  shift
+  ssh -p 2222 -o StrictHostKeyChecking=no git@127.0.0.1 "SSH_ORIGINAL_COMMAND=\"$SSH_ORIGINAL_COMMAND\" $@"
+  EOF
+  sudo chmod +x /home/git/ssh-shell
+  sudo usermod -s /home/git/ssh-shell git
+  ```
+
+  Be careful here - if you try to login as the git user in future you will ssh directly to the docker.
+
+Here is a detailed explanation what is happening when a SSH request is made:
+
+1. The client adds their SSH public key to Gitea using the webpage.
+2. Gitea in the container will add an entry for this key to the `.ssh/authorized_keys` file of its running user, `git`.
+    - However, because `/home/git/.ssh/` on the host is mounted as `/data/git/.ssh` this means that the key has been added to the host `git` user's `authorized_keys` file too.
+3. This entry has the public key, but also has a `command=` option.
+    - This command matches the location of the Gitea binary on the container.
+4. The client then makes an SSH request to the host SSH server using the `git` user, e.g. `git clone git@domain:user/repo.git`.
+5. The client will attempt to authenticate with the server, passing one or more public keys in turn to the host.
+6. For each key the client provides, the host SSH server will first check its configuration for an `AuthorizedKeysCommand` to see if the public key matches, and then the host `git` user's `authorized_keys` file.
+    - Because `/home/git/.ssh/` on the host is mounted as `/data/git/.ssh` this means that the key they added to the Gitea web will be found
+7. The first entry that matches will be selected, and assuming this is a Gitea entry, the `command=` will now be executed.
+8. The host SSH server creates a user session for the `git` user, and using the shell for the host `git` user runs the `command=`
+9. The shell of the host `git` user is now our `ssh-shell` which opens an SSH connection from the host to container, (which opens a shell on the container for the container `git`).
+10. The container shell now runs the `command=` option meaning that the container `gitea serv` is run, taking over control of the rest of the SSH session and managing gitea authentication & authorization of the git commands.
+
+**Notes**
+
+SSH container passthrough using `authorized_keys` will work only if
+
+- `opensshd` is used in the container
+- if `AuthorizedKeysCommand` is _not used_ in combination with `SSH_CREATE_AUTHORIZED_KEYS_FILE=false` to disable authorized files key generation
+- `LOCAL_ROOT_URL` is not changed (depending on the changes)
+
+If you try to login as the `git` user on the host in future you will ssh directly to the docker.
+
+Never add the `Gitea Host Key` as a SSH key to a user on the Gitea interface.
+
+### Docker Shell (with authorized_keys)
+
+Similar to the above ssh shell technique we can use a shell which simply uses `docker exec`. As an administrative user on the host run:
+
+```bash
+cat <<"EOF" | sudo tee /home/git/docker-shell
+#!/bin/sh
+/usr/bin/docker exec -i -u git --env SSH_ORIGINAL_COMMAND="$SSH_ORIGINAL_COMMAND" gitea sh "$@"
+EOF
+sudo chmod +x /home/git/docker-shell
+sudo usermod -s /home/git/docker-shell git
+```
+
+Here is a detailed explanation what is happening when a SSH request is made:
+
+1. The client adds their SSH public key to Gitea using the webpage.
+2. Gitea in the container will add an entry for this key to the `.ssh/authorized_keys` file of its running user, `git`.
+    - However, because `/home/git/.ssh/` on the host is mounted as `/data/git/.ssh` this means that the key has been added to the host `git` user's `authorized_keys` file too.
+3. This entry has the public key, but also has a `command=` option.
+    - This command matches the location of the Gitea binary on the container.
+4. The client then makes an SSH request to the host SSH server using the `git` user, e.g. `git clone git@domain:user/repo.git`.
+5. The client will attempt to authenticate with the server, passing one or more public keys in turn to the host.
+6. For each key the client provides, the host SSH server will first check its configuration for an `AuthorizedKeysCommand` to see if the public key matches, and then the host `git` user's `authorized_keys` file.
+    - Because `/home/git/.ssh/` on the host is mounted as `/data/git/.ssh` this means that the key they added to the Gitea web will be found
+7. The first entry that matches will be selected, and assuming this is a Gitea entry, the `command=` will now be executed.
+8. The host SSH server creates a user session for the `git` user, and using the shell for the host `git` user runs the `command=`
+9. The shell of the host `git` user is now our `docker-shell` which uses `docker exec` to open a shell for the `git` user on the container.
+10. The container shell now runs the `command=` option meaning that the container `gitea serv` is run, taking over control of the rest of the SSH session and managing gitea authentication & authorization of the git commands.
+
+Note that `gitea` in the docker command above is the name of the container. If you named yours differently, don't forget to change that. The host `git` user also has to have
+permission to run `docker exec`.
+
+**Notes**
+
+Docker shell passthrough using `authorized_keys` will work only if
+
+- `opensshd` is used in the container
+- if `AuthorizedKeysCommand` is _not used_ in combination with `SSH_CREATE_AUTHORIZED_KEYS_FILE=false` to disable authorized files key generation
+- `LOCAL_ROOT_URL` is not changed (depending on the changes)
+
+If you try to login as the `git` user on the host in future you will `docker exec` directly to the docker.
+
+A Docker execing shim could be created similarly to above.
+
+### Docker Shell with AuthorizedKeysCommand
+
+The AuthorizedKeysCommand route provides another option that does not require many changes to the compose file or the `authorized_keys` - but does require changes to the host `/etc/sshd_config`.
+
+In this option, the idea is that the host SSH uses an `AuthorizedKeysCommand` instead of relying on sharing the `authorized_keys` file that gitea creates. We continue to use a special shell at step 8 above to exec into the docker and then run the shell there. This means that the `gitea` that is then run is the real docker `gitea`.
+
+- On the host create a `git` user with permission to run `docker exec`.
+- We will again assume that the Gitea container is called `gitea`.
+- Modify the `git` user's shell to forward commands to the `sh` executable inside the container using `docker exec`.  As an administrative user on the host run:
+
+  ```bash
+  cat <<"EOF" | sudo tee /home/git/docker-shell
+  #!/bin/sh
+  /usr/bin/docker exec -i -u git --env SSH_ORIGINAL_COMMAND="$SSH_ORIGINAL_COMMAND" gitea sh "$@"
+  EOF
+  sudo chmod +x /home/git/docker-shell
+  sudo usermod -s /home/git/docker-shell git
+  ```
+
+Now all attempts to login as the `git` user on the host will be forwarded to the docker - including the `SSH_ORIGINAL_COMMAND`. We now need to set-up SSH authentication on the host.
+
+We will do this by leveraging the [SSH AuthorizedKeysCommand](../administration/command-line.md#keys) to match the keys against those accepted by Gitea.
+
+Add the following block to `/etc/ssh/sshd_config`, on the host:
+
+```bash
+Match User git
+  AuthorizedKeysCommandUser git
+  AuthorizedKeysCommand /usr/bin/docker exec -i -u git gitea /usr/local/bin/gitea keys -c /data/gitea/conf/app.ini -e git -u %u -t %t -k %k
+```
+
+(From 1.16.0 you will not need to set the `-c /data/gitea/conf/app.ini` option.)
+
+Finally restart the SSH server. As an administrative user on the host run:
+
+```bash
+sudo systemctl restart sshd
+```
+
+Here is a detailed explanation what is happening when a SSH request is made:
+
+1. The client adds their SSH public key to Gitea using the webpage.
+2. Gitea in the container will add an entry for this key to its database.
+3. The client then makes an SSH request to the host SSH server using the `git` user, e.g. `git clone git@domain:user/repo.git`.
+4. The client will attempt to authenticate with the server, passing one or more public keys in turn to the host.
+5. For each key the client provides, the host SSH server will checks its configuration for an `AuthorizedKeysCommand`.
+6. The host runs the above `AuthorizedKeysCommand`, which execs in to the docker and then runs the `gitea keys` command.
+7. Gitea on the docker will look in it's database to see if the public key matches and will return an entry like that of an `authorized_keys` command.
+8. This entry has the public key, but also has a `command=` option which matches the location of the Gitea binary on the container.
+9. The host SSH server creates a user session for the `git` user, and using the shell for the host `git` user runs the `command=`.
+10. The shell of the host `git` user is now our `docker-shell` which uses `docker exec` to open a shell for the `git` user on the container.
+11. The container shell now runs the `command=` option meaning that the container `gitea serv` is run, taking over control of the rest of the SSH session and managing gitea authentication & authorization of the git commands.
+
+**Notes**
+
+Docker shell passthrough using `AuthorizedKeysCommand` will work only if
+
+- The host `git` user is allowed to run the `docker exec` command.
+
+If you try to login as the `git` user on the host in future you will `docker exec` directly to the docker.
+
+A Docker execing shim could be created similarly to above.
+
+### SSH Shell with AuthorizedKeysCommand
+
+Create a key for the host `git` user as above, add it to the docker `/data/git/.ssh/authorized_keys` then finally create and set the `ssh-shell` as above.
+
+Add the following block to `/etc/ssh/sshd_config`, on the host:
+
+```bash
+Match User git
+  AuthorizedKeysCommandUser git
+  AuthorizedKeysCommand /usr/bin/ssh -p 2222 -o StrictHostKeyChecking=no git@127.0.0.1 /usr/local/bin/gitea keys -c /data/gitea/conf/app.ini -e git -u %u -t %t -k %k
+```
+
+(From 1.16.0 you will not need to set the `-c /data/gitea/conf/app.ini` option.)
+
+Finally restart the SSH server. As an administrative user on the host run:
+
+```bash
+sudo systemctl restart sshd
+```
+
+Here is a detailed explanation what is happening when a SSH request is made:
+
+1. The client adds their SSH public key to Gitea using the webpage.
+2. Gitea in the container will add an entry for this key to its database.
+3. The client then makes an SSH request to the host SSH server using the `git` user, e.g. `git clone git@domain:user/repo.git`.
+4. The client will attempt to authenticate with the server, passing one or more public keys in turn to the host.
+5. For each key the client provides, the host SSH server will checks its configuration for an `AuthorizedKeysCommand`.
+6. The host runs the above `AuthorizedKeysCommand`, which will SSH in to the docker and then run the `gitea keys` command.
+7. Gitea on the docker will look in it's database to see if the public key matches and will return an entry like that of an `authorized_keys` command.
+8. This entry has the public key, but also has a `command=` option which matches the location of the Gitea binary on the container.
+9. The host SSH server creates a user session for the `git` user, and using the shell for the host `git` user runs the `command=`.
+10. The shell of the host `git` user is now our `git-shell` which uses SSH to open a shell for the `git` user on the container.
+11. The container shell now runs the `command=` option meaning that the container `gitea serv` is run, taking over control of the rest of the SSH session and managing gitea authentication & authorization of the git commands.
+
+**Notes**
+
+SSH container passthrough using `AuthorizedKeysCommand` will work only if
+
+- `opensshd` is running on the container
+
+If you try to login as the `git` user on the host in future you will `ssh` directly to the docker.
+
+Never add the `Gitea Host Key` as a SSH key to a user on the Gitea interface.
+
+SSHing shims could be created similarly to above.
+
+### SSH with multiple IP addresses
+This assumes that the host machine has more than one reachable IP address: `192.168.1.1` (host) `192.168.1.2` (gitea)
+On the host machine, configure SSHD in `/etc/ssh/sshd_config` to listen on one IP address `ListenAddress 192.168.1.1`. In the compose file the SSH port forwarding then needs to be changed to `"192.168.1.2:22:22"`. The port forwarding needs to be adjusted similarily for all other forwarded ports to avoid problems with DNS.

docs/usage.md

@@ -3,8 +3,7 @@ date: "2016-12-27T16:00:00+02:00"
 title: "Usage"
 slug: "usage"
 sidebar_position: 35
-toc: false
-draft: false
+
 menu:
   sidebar:
     name: "Usage"

docs/usage/actions/act-runner.md

@@ -0,0 +1,376 @@
+---
+date: "2023-04-27T15:00:00+08:00"
+slug: "act-runner"
+sidebar_position: 20
+---
+
+# Act Runner
+
+This page will introduce the [act runner](https://gitea.com/gitea/act_runner) in detail, which is the runner of Gitea Actions.
+
+## Requirements
+
+Currently the runner supports run in two modes. One is running in docker container, another is running in host. It is recommended to run jobs in a [docker](https://docker.com) container, if you chose this mode, you need to [install docker](https://docs.docker.com/engine/install/) first and make sure that the docker daemon is running.
+
+Other OCI container engines which are compatible with Docker's API should also work, but are untested.
+
+However, if you are sure that you want to run jobs directly on the host only, then docker is not required.
+
+There are multiple ways to install the act runner.
+
+## Installation with binary
+
+### Download the binary
+
+You can download the binary from the [release page](https://gitea.com/gitea/act_runner/releases).
+However, if you want to use the latest nightly build, you can download it from the [download page](https://dl.gitea.com/act_runner/).
+
+When you download the binary, please make sure that you have downloaded the correct one for your platform.
+You can check it by running the following command if you are in a Unix-Style OS.
+
+```bash
+chmod +x act_runner
+./act_runner --version
+```
+
+If you see the version information, it means that you have downloaded the correct binary.
+
+### Obtain a registration token
+
+You can register a runner in different levels, it can be:
+
+- Instance level: The runner will run jobs for all repositories in the instance.
+- Organization level: The runner will run jobs for all repositories in the organization.
+- Repository level: The runner will run jobs for the repository it belongs to.
+
+Note that the repository may still use instance-level or organization-level runners even if it has its own repository-level runners. A future release may provide an option to allow more control over this.
+
+
+Before register the runner and run it, you need a registration token. The level of the runner determines where to obtain the registration token.
+
+- Instance level: The admin settings page, like `<your_gitea.com>/-/admin/actions/runners`.
+- Organization level: The organization settings page, like `<your_gitea.com>/<org>/settings/actions/runners`.
+- Repository level: The repository settings page, like `<your_gitea.com>/<owner>/<repo>/settings/actions/runners`.
+
+If you cannot see the settings page, please make sure that you have the right permissions and that Actions have been enabled.
+
+The format of the registration token is a random string `D0gvfu2iHfUjNqCYVljVyRV14fISpJxxxxxxxxxx`.
+
+A registration token can also be obtained from the gitea [command-line interface](../../administration/command-line.md#actions-generate-runner-token):
+
+```
+gitea --config /etc/gitea/app.ini actions generate-runner-token
+```
+
+You can also use `GITEA_RUNNER_REGISTRATION_TOKEN`/`GITEA_RUNNER_REGISTRATION_TOKEN_FILE` environment variable to set a global runner registration token when Gitea starts, for example:
+
+```
+openssl rand -hex 24 > /some-dir/runner-token
+export GITEA_RUNNER_REGISTRATION_TOKEN_FILE=/some-dir/runner-token
+./gitea --config ...
+```
+
+The token from environment is valid until you reset the token (re-create a new one) via web UI or API.
+
+Tokens are valid for registering multiple runners, until they are revoked and replaced by a new token using the token reset link in the web interface.
+
+### Configuration
+
+Configuration is done via a configuration file. It is optional, and the default configuration will be used when no configuration file is specified. You can generate a configuration file by running the following command:
+
+```bash
+./act_runner generate-config
+```
+
+The default configuration is safe to use without any modification, so you can just use it directly.
+
+```bash
+./act_runner generate-config > config.yaml
+./act_runner --config config.yaml [command]
+```
+
+### Register the runner
+
+Registration is required before running the act runner, because the runner needs to know where to get jobs from. And it is also important to Gitea instance to identify the runner.
+
+If this has been installed using the binary package, the act runner can be registered by running the following command.
+
+```bash
+./act_runner register
+```
+
+Alternatively, you can use the `--config` option to specify the configuration file mentioned in the previous section.
+
+```bash
+./act_runner --config config.yaml register
+```
+
+You will be asked to input the registration information step by step. Includes:
+
+- The Gitea instance URL, like `https://gitea.com/` or `http://192.168.8.8:3000/`.
+- The registration token.
+- The runner name, which is optional. If you leave it blank, the hostname will be used.
+- The runner labels, which is optional. If you leave it blank, the default labels will be used.
+
+You may be confused about the runner labels, which will be explained later.
+
+If you want to register the runner in a non-interactive way, you can use arguments to do it.
+
+```bash
+./act_runner register --no-interactive --instance <instance_url> --token <registration_token> --name <runner_name> --labels <runner_labels>
+```
+
+When you have registered the runner, you can find a new file named `.runner` in the current directory.
+This file stores the registration information.
+Please do not edit it manually.
+If this file is missing or corrupted, you can simply remove it and register again.
+
+If you want to store the registration information in another place, you can specify it in the configuration file,
+and don't forget to specify the `--config` option.
+
+### Start the runner in command line
+
+After you have registered the runner, you can run it by running the following command:
+
+```shell
+./act_runner daemon
+```
+
+or
+
+```bash
+./act_runner daemon --config config.yaml
+```
+
+The runner will fetch jobs from the Gitea instance and run them automatically.
+
+### Start the runner with Systemd
+
+It is also possible to run act-runner as a [systemd](https://en.wikipedia.org/wiki/Systemd) service. Create an unprivileged `act_runner` user on your system, and the following file in `/etc/systemd/system/act_runner.service`. The paths in `ExecStart` and `WorkingDirectory` may need to be adjusted depending on where you installed the `act_runner` binary, its configuration file, and the home directory of the `act_runner` user.
+
+```ini
+[Unit]
+Description=Gitea Actions runner
+Documentation=https://gitea.com/gitea/act_runner
+After=docker.service
+
+[Service]
+ExecStart=/usr/local/bin/act_runner daemon --config /etc/act_runner/config.yaml
+ExecReload=/bin/kill -s HUP $MAINPID
+WorkingDirectory=/var/lib/act_runner
+TimeoutSec=0
+RestartSec=10
+Restart=always
+User=act_runner
+
+[Install]
+WantedBy=multi-user.target
+```
+
+Then:
+
+```bash
+# load the new systemd unit file
+sudo systemctl daemon-reload
+# start the service and enable it at boot
+sudo systemctl enable act_runner --now
+```
+
+If using Docker, the `act_runner` user should also be added to the `docker` group before starting the service. Keep in mind that this effectively gives `act_runner` root access to the system [[1]](https://docs.docker.com/engine/security/#docker-daemon-attack-surface).
+
+### Start the runner with LaunchDaemon(macOS)
+
+Mac uses `launchd` in place of systemd for registering daemon processes. By default daemons run as the root user, so if desired an unprivileged `_act_runner` user can be created via the `dscl` tool. The following file should then be created at the directory `/Library/LaunchDaemon/com.gitea.act_runner.plist`. The paths for `WorkingDirectory`, `ProgramArguments`, `StandardOutPath`, `StandardErrPath`, and the `HOME` environment variable may need to be updated to reflect your installation. Also note that any executables outside of the example `PATH` shown will need to be explicitly included and will not be inherited from existing configurations.
+
+```xml
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+    <key>Label</key>
+    <string>com.gitea.act_runner</string>
+    <key>ProgramArguments</key>
+    <array>
+        <string>/usr/local/bin/act_runner</string>
+        <string>daemon</string>
+        <string>--config</string>
+        <string>/etc/act_runner/config.yaml</string>
+    </array>
+    <key>RunAtLoad</key>
+    <true/>
+    <key>KeepAlive</key>
+    <true/>
+    <key>WorkingDirectory</key>
+    <string>/var/lib/act_runner</string>
+    <key>StandardOutPath</key>
+    <string>/var/lib/act_runner/act_runner.log</string>
+    <key>StandardErrorPath</key>
+    <string>/var/lib/act_runner/act_runner.err</string>
+    <key>EnvironmentVariables</key>
+    <dict>
+        <key>PATH</key>
+        <string>/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin</string>
+        <key>HOME</key>
+        <string>/var/lib/act_runner</string>
+    </dict>
+    <key>UserName</key>
+    <string>_act_runner</string>
+</dict>
+</plist>
+```
+
+Then:
+
+```bash
+sudo launchctl load /Library/LaunchDaemon/com.gitea.act_runner.plist
+```
+
+You can also set up a Linux service or Windows service to let the runner run automatically.
+
+## Install with the docker image
+
+### Pull the image
+
+You can use the docker image from the [docker hub](https://hub.docker.com/r/gitea/act_runner/tags).
+Just like the binary, you can use the latest nightly build by using the `nightly` tag, while the `latest` tag is the latest stable release.
+
+```bash
+docker pull docker.io/gitea/act_runner:latest # for the latest stable release
+```
+
+If you want to test newly features, you could also use nightly image
+```bash
+docker pull docker.io/gitea/act_runner:nightly # for the latest nightly build
+```
+
+### Configuration
+
+Configuration is optional, but you could also generate config file with docker:
+
+```bash
+docker run --entrypoint="" --rm -it docker.io/gitea/act_runner:latest act_runner generate-config > config.yaml
+```
+
+When you are using the docker image, you can specify the configuration file by using the `CONFIG_FILE` environment variable. Make sure that the file is mounted into the container as a volume:
+
+```bash
+docker run -v $PWD/config.yaml:/config.yaml -e CONFIG_FILE=/config.yaml ...
+```
+
+You may notice the commands above are both incomplete, because it is not the time to run the act runner yet.
+Before running the act runner, we need to register it to your Gitea instance first.
+
+### Start the runner with docker
+
+If you are using the docker image, behaviour will be slightly different. Registration and running are combined into one step in this case, so you need to specify the registration information when running the act runner.
+
+A quick start with docker run like below. You need to get `<registration_token>` from the above step, and give
+a special unique name for `<runner_name>`
+
+```bash
+docker run \
+    -e GITEA_INSTANCE_URL=<instance_url> \
+    -e GITEA_RUNNER_REGISTRATION_TOKEN=<registration_token> \
+    -e GITEA_RUNNER_NAME=<runner_name> \
+    --name my_runner \
+    -d docker.io/gitea/act_runner:nightly
+```
+
+There are more parameters so that you can configure it.
+
+```bash
+docker run \
+    -v $PWD/config.yaml:/config.yaml \
+    -v $PWD/data:/data \
+    -v /var/run/docker.sock:/var/run/docker.sock \
+    -e CONFIG_FILE=/config.yaml \
+    -e GITEA_INSTANCE_URL=<instance_url> \
+    -e GITEA_RUNNER_REGISTRATION_TOKEN=<registration_token> \
+    -e GITEA_RUNNER_NAME=<runner_name> \
+    -e GITEA_RUNNER_LABELS=<runner_labels> \
+    --name my_runner \
+    -d docker.io/gitea/act_runner:nightly
+```
+
+You may notice that we have mounted the `/var/run/docker.sock` into the container.
+It is because the act runner will run jobs in docker containers, so it needs to communicate with the docker daemon.
+As mentioned, you can remove it if you want to run jobs in the host directly.
+To be clear, the "host" actually means the container which is running the act runner now, instead of the host machine.
+
+### Start the runner using docker compose
+
+You could also set up the runner using the following `docker-compose.yml`:
+
+```yml
+version: "3.8"
+services:
+  runner:
+    image: docker.io/gitea/act_runner:nightly
+    environment:
+      CONFIG_FILE: /config.yaml
+      GITEA_INSTANCE_URL: "${INSTANCE_URL}"
+      GITEA_RUNNER_REGISTRATION_TOKEN: "${REGISTRATION_TOKEN}"
+      GITEA_RUNNER_NAME: "${RUNNER_NAME}"
+      GITEA_RUNNER_LABELS: "${RUNNER_LABELS}"
+    volumes:
+      - ./config.yaml:/config.yaml
+      - ./data:/data
+      - /var/run/docker.sock:/var/run/docker.sock
+```
+
+When using docker, there is no requirement to enter the container and manually run `./act_runner daemon` command as shown below. Once the container has been started successfully, it will show up as an active runner in your Gitea instance.
+
+## Advanced Configurations
+
+### Configuring cache when starting a Runner using docker image
+
+If you do not intend to use `actions/cache` in workflow, you can ignore this section.
+
+If you use `actions/cache` without any additional configuration, it will return the following error:
+> Failed to restore: getCacheEntry failed: connect ETIMEDOUT IP:PORT
+
+The error occurs because the runner container and job container are on different networks, so the job container cannot access the runner container.
+
+Therefore, it is essential to configure the cache action to ensure its proper functioning. Follow these steps:
+
+- 1.Obtain the LAN IP address of the host machine where the runner container is running.
+- 2.Find an available port number on the host machine where the runner container is running.
+- 3.Configure the following settings in the configuration file:
+
+```yaml
+cache:
+  enabled: true
+  dir: ""
+  # Use the LAN IP obtained in step 1
+  host: "192.168.8.17"
+  # Use the port number obtained in step 2
+  port: 8088
+```
+
+- 4.When starting the container, map the cache port to the host machine:
+
+```bash
+docker run \
+  --name gitea-docker-runner \
+  -p 8088:8088 \
+  -d docker.io/gitea/act_runner:nightly
+```
+
+### Labels
+
+The labels of a runner are used to determine which jobs the runner can run, and how to run them.
+
+The default labels are `ubuntu-latest:docker://node:16-bullseye,ubuntu-22.04:docker://node:16-bullseye,ubuntu-20.04:docker://node:16-bullseye,ubuntu-18.04:docker://node:16-buster`.
+It is a comma-separated list, and each item is a label.
+
+Let's take `ubuntu-22.04:docker://node:16-bullseye` as an example.
+It means that the runner can run jobs with `runs-on: ubuntu-22.04`, and the job will be run in a docker container with the image `node:16-bullseye`.
+
+If the default image is insufficient for your needs, and you have enough disk space to use a better and bigger one, you can change it to `ubuntu-22.04:docker://<the image you like>`.
+You can find more useful images on [act images](https://github.com/nektos/act/blob/master/IMAGES.md).
+
+If you want to run jobs in the host directly, you can change it to `ubuntu-22.04:host` or just `ubuntu-22.04`, the `:host` is optional.
+However, we suggest you to use a special name like `linux_amd64:host` or `windows:host` to avoid misusing it.
+
+Starting with Gitea 1.21, you can change labels by modifying `runners.labels` in the runner configuration file (if you don't have a configuration file, please refer to [configuration tutorials](#configuration)).
+The runner will use these new labels as soon as you restart it, i.e., by calling `./act_runner daemon --config config.yaml`.

docs/usage/actions/badge.md

@@ -1,18 +1,7 @@
 ---
 date: "2023-02-25T00:00:00+00:00"
-title: "Badge"
 slug: "badge"
-sidebar_position: 11
-toc: false
-draft: false
-aliases:
-  - /en-us/badge
-menu:
-  sidebar:
-    parent: "usage"
-    name: "Badge"
-    sidebar_position: 11
-    identifier: "Badge"
+sidebar_position: 110
 ---
 
 # Badge
@@ -27,7 +16,7 @@ It is designed to be compatible with [GitHub Actions workflow badge](https://doc
 You can use the following URL to get the badge:
 
 ```
-https://your-gitea-instance.com/{owner}/{repo}/actions/workflows/{workflow_file}?branch={branch}&event={event}
+https://your-gitea-instance.com/{owner}/{repo}/actions/workflows/{workflow_file}/badge.svg?branch={branch}&event={event}&style={style}
 ```
 
 - `{owner}`: The owner of the repository.
@@ -35,3 +24,4 @@ https://your-gitea-instance.com/{owner}/{repo}/actions/workflows/{workflow_file}
 - `{workflow_file}`: The name of the workflow file.
 - `{branch}`: Optional. The branch of the workflow. Default to your repository's default branch.
 - `{event}`: Optional. The event of the workflow. Default to none.
+- `{style}`: Optional. Style of the badge, either `flat` or `flat-square`. Default to `flat`.

docs/usage/actions/comparison.md

@@ -0,0 +1,127 @@
+---
+date: "2023-04-27T15:00:00+08:00"
+slug: "comparison"
+sidebar_position: 120
+---
+
+# Compared to GitHub Actions
+
+Even though Gitea Actions is designed to be compatible with GitHub Actions, there are some differences between them.
+
+## Additional features
+
+### Absolute action URLs
+
+Gitea Actions supports defining actions via absolute URL, which means that you can use actions from any git repository.
+Like `uses: https://github.com/actions/checkout@v4` or `uses: http://your_gitea.com/owner/repo@branch`.
+
+### Actions written in Go
+
+Gitea Actions supports writing actions in Go.
+See [Creating Go Actions](https://blog.gitea.com/creating-go-actions/).
+
+### Support the non-standard syntax @yearly, @monthly, @weekly, @daily, @hourly on schedule
+
+Github Actions doesn't support that. https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#schedule
+
+## Unsupported workflows syntax
+
+### `concurrency`
+
+It's used to run a single job at a time.
+See [Using concurrency](https://docs.github.com/en/actions/using-jobs/using-concurrency).
+
+It's ignored by Gitea Actions now.
+
+### `run-name`
+
+The name for workflow runs generated from the workflow.
+See [Workflow syntax for GitHub Actions](https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#run-name).
+
+It's ignored by Gitea Actions now.
+
+### `permissions` and `jobs.<job_id>.permissions`
+
+See [Workflow syntax for GitHub Actions](https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions).
+
+It's ignored by Gitea Actions now.
+
+### `jobs.<job_id>.timeout-minutes`
+
+See [Workflow syntax for GitHub Actions](https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idtimeout-minutes).
+
+It's ignored by Gitea Actions now.
+
+### `jobs.<job_id>.continue-on-error`
+
+See [Workflow syntax for GitHub Actions](https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idcontinue-on-error).
+
+It's ignored by Gitea Actions now.
+
+### `jobs.<job_id>.environment`
+
+See [Workflow syntax for GitHub Actions](https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idenvironment).
+
+It's ignored by Gitea Actions now.
+
+### Complex `runs-on`
+
+See [Workflow syntax for GitHub Actions](https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idruns-on).
+
+Gitea Actions only supports `runs-on: xyz` or `runs-on: [xyz]` now.
+
+## Missing features
+
+### Package repository authorization
+
+The `GITEA_TOKEN` for a job running within a repository should be able to publish to the associated package repository (i.e. to upload OCI images). See the "packages" scope for the "default access" in [Automatic token authentication](https://docs.github.com/en/actions/security-for-github-actions/security-guides/automatic-token-authentication#permissions-for-the-github_token).
+
+This is not implemented in Gitea Actions now. A workaround for Gitea Actions is to use a Personal Access Token (PAT). See this [github issue and comment](https://github.com/go-gitea/gitea/issues/23642#issuecomment-2119876692) for tracking this feature.
+
+### Problem Matchers
+
+Problem Matchers are a way to scan the output of actions for a specified regex pattern and surface that information prominently in the UI.
+See [Problem matchers](https://github.com/actions/toolkit/blob/main/docs/problem-matchers.md).
+
+It's ignored by Gitea Actions now.
+
+### Create an error annotation
+
+See [Creating an annotation for an error](https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#example-creating-an-annotation-for-an-error)
+
+It's ignored by Gitea Actions now.
+
+### Expressions
+
+For [expressions](https://docs.github.com/en/actions/learn-github-actions/expressions), only [`always()`](https://docs.github.com/en/actions/learn-github-actions/expressions#always) is supported.
+
+## Missing UI features
+
+### Pre and Post steps
+
+Pre and Post steps don't have their own section in the job log user interface.
+
+### Services steps
+
+Services steps don't have their own section in the job log user interface.
+
+## Different behavior
+
+### Downloading actions
+
+Previously (Pre 1.21.0), `[actions].DEFAULT_ACTIONS_URL` defaulted to `https://gitea.com`.
+We have since restricted this option to only allow two values (`github` and `self`).
+When set to `github`, the new default, Gitea will download non-fully-qualified actions from `https://github.com`.
+For example, if you use `uses: actions/checkout@v4`, it will download the checkout repository from `https://github.com/actions/checkout.git`.
+
+If you want to download an action from another git hoster, you can use an absolute URL, e.g. `uses: https://gitea.com/actions/checkout@v4`.
+
+If your Gitea instance is in an intranet or a restricted area, you can set the URL to `self` to only download actions from your own instance by default.
+Of course, you can still use absolute URLs in workflows.
+
+More details about the `[actions].DEFAULT_ACTIONS_URL` configuration can be found in the [Configuration Cheat Sheet](../../administration/config-cheat-sheet.md#actions-actions)。
+
+### Context availability
+
+Context availability is not checked, so you can use the env context on more places.
+See [Context availability](https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability).

docs/usage/actions/design.md

@@ -1,16 +1,7 @@
 ---
 date: "2023-04-27T15:00:00+08:00"
-title: "Design of Gitea Actions"
 slug: "design"
-sidebar_position: 40
-draft: false
-toc: false
-menu:
-  sidebar:
-    parent: "actions"
-    name: "Design"
-    sidebar_position: 40
-    identifier: "actions-design"
+sidebar_position: 140
 ---
 
 # Design of Gitea Actions

docs/usage/actions/faq.md

@@ -0,0 +1,168 @@
+---
+date: "2023-04-27T15:00:00+08:00"
+slug: "faq"
+sidebar_position: 200
+---
+
+# Frequently Asked Questions
+
+This page contains some common questions and answers about Gitea Actions.
+
+## Is it possible to disable Actions for new repositories by default for my own instance?
+
+Yes, when you enable Actions for the instance, you can choose to enable the `actions` unit for all new repositories by default.
+
+```ini
+[repository]
+; remove repo.actions will not enable actions for newly created repositories.
+DEFAULT_REPO_UNITS = ...,repo.actions
+```
+
+## Should we use `${{ github.xyz }}` or `${{ gitea.xyz }}`  in workflow files?
+
+You can use `github.xyz` and Gitea will work fine.
+As mentioned, Gitea Actions is designed to be compatible with GitHub Actions.
+However, we recommend using `gitea.xyz` in case Gitea adds something that GitHub does not have to avoid different kinds of secrets in your workflow file (and because you are using this workflow on Gitea, not GitHub).
+Still, this is completely optional since both options have the same effect at the moment.
+
+## Where will the runner download scripts when using actions such as `actions/checkout@v4`?
+
+There are tens of thousands of [actions scripts](https://github.com/marketplace?type=actions) in GitHub, and when you write `uses: actions/checkout@v4`, it downloads the scripts from [github.com/actions/checkout](http://github.com/actions/checkout) by default.
+But what if you want to use actions from other places such as gitea.com instead of GitHub?
+
+The good news is that you can specify the URL prefix to use actions from anywhere.
+This is an extra syntax in Gitea Actions.
+For example:
+
+- `uses: https://gitea.com/xxx/xxx@xxx`
+- `uses: https://github.com/xxx/xxx@xxx`
+- `uses: http://your_gitea_instance.com/xxx@xxx`
+
+Be careful, the `https://` or `http://` prefix is necessary!
+
+This is one of the differences from GitHub Actions which supports actions scripts only from GitHub.
+But it should allow users much more flexibility in how they run Actions.
+
+Alternatively, if you want your runners to download actions from your own Gitea instance by default, you can configure it by setting `[actions].DEFAULT_ACTIONS_URL`.
+See [Configuration Cheat Sheet](../../administration/config-cheat-sheet.md#actions-actions).
+
+## How to limit the permission of the runners?
+
+Runners have no more permissions than simply connecting to your Gitea instance.
+When any runner receives a job to run, it will temporarily gain limited permission to the repository associated with the job.
+If you want to give more permissions to the runner, allowing it to access more private repositories or external systems, you can pass [secrets](usage/actions/secrets.md) to it.
+
+Refined permission control to Actions is a complicated job.
+In the future, we will add more options to Gitea to make it more configurable, such as allowing more write access to repositories or read access to all repositories in the same organization.
+
+## Which operating systems are supported by act runner?
+
+We released official binaries for Linux, macOS, and Windows.
+While other operating systems are theoretically supported if it is supported by golang and docker(docker mode enabled).
+
+One thing to note is that if you choose to run jobs directly on the host instead of in job containers, the environmental differences between operating systems may cause unexpected failures.
+
+For example, bash is not available on Windows in most cases, while act tries to use bash to run scripts by default.
+Therefore, you need to specify `powershell` as the default shell in your workflow file, see [defaults.run](https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#defaultsrun).
+
+
+```yaml
+defaults:
+  run:
+    shell: powershell
+```
+
+## How to avoid being hacked?
+
+There are two types of possible attacks: unknown runner stealing the code or secrets from your repository, or malicious scripts controlling your runner.
+
+Avoiding the former means not allowing people you don't know to register runners for your repository, organization, or instance.
+
+The latter is a bit more complicated.
+If you're using a private Gitea instance for your company, you may not need to worry about security since you trust your colleagues and can hold them accountable.
+
+For public instances, things are a little different.
+Here's how we do it on [gitea.com](http://gitea.com/):
+
+- We only register runners for the "gitea" organization, so our runners will not execute jobs from other repositories.
+- Our runners always run jobs with isolated containers. While it is possible to do this directly on the host, we choose not to for more security.
+- To run actions for fork pull requests, approval is required. See [#22803](https://github.com/go-gitea/gitea/pull/22803).
+- If someone registers their own runner for their repository or organization on [gitea.com](http://gitea.com/), we have no objections and will just not use it in our org. However, they should take care to ensure that the runner is not used by other users they do not know.
+
+## Why choose GitHub Actions? Why not something compatible with GitLab CI/CD?
+
+[@lunny](https://gitea.com/lunny) has explained this in the [issue to implement actions](https://github.com/go-gitea/gitea/issues/13539).
+Furthermore, Actions is not only a CI/CD system but also an automation tool.
+
+There have also been numerous [marketplace actions](https://github.com/marketplace?type=actions) implemented in the open-source world.
+It is exciting to be able to reuse them.
+
+## What if it runs on multiple labels, such as `runs-on: [label_a, label_b]`?
+
+This is valid syntax.
+It means that it should run on runners that have both the `label_a` **and** `label_b` labels, see [Workflow syntax for GitHub Actions](https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idruns-on).
+Unfortunately, act runner does not work this way until v0.2.11.
+As mentioned, we map labels to environments:
+
+- `ubuntu` → `ubuntu:22.04`
+- `centos` → `centos:8`
+
+But we need to map label groups to environments instead, like so:
+
+- `[ubuntu]` → `ubuntu:22.04`
+- `[with-gpu]` → `linux:with-gpu`
+- `[ubuntu, with-gpu]` → `ubuntu:22.04_with-gpu`
+
+We also need to re-design how tasks are assigned to runners.
+A runner with `ubuntu`, `centos`, or `with-gpu` does not necessarily indicate that it can accept jobs with `[centos, with-gpu]`.
+Therefore, the runner should inform the Gitea instance that it can only accept jobs with `[ubuntu]`, `[centos]`, `[with-gpu]`, and `[ubuntu, with-gpu]`.
+This is not a technical problem, it was just overlooked in the early design.
+See [runtime.go#L65](https://gitea.com/gitea/act_runner/src/commit/90b8cc6a7a48f45cc28b5ef9660ebf4061fcb336/runtime/runtime.go#L65).
+
+Currently, the act runner attempts to match everyone in the labels and uses the first match it finds.
+
+## What is the difference between agent labels and custom labels for a runner?
+
+![labels](/images/usage/actions/labels.png)
+
+Agent labels are reported to the Gitea instance by the runner during registration.
+Custom labels, on the other hand, are added manually by a Gitea administrator or owners of the organization or repository (depending on the level of the runner).
+
+However, the design here needs improvement, as it currently has some rough edges.
+You can add a custom label such as `centos` to a registered runner, which means the runner will receive jobs with `runs-on: centos`.
+However, the runner may not know which environment to use for this label, resulting in it using a default image or leading to a logical dead end.
+This default may not match user expectations.
+See [runtime.go#L71](https://gitea.com/gitea/act_runner/src/commit/90b8cc6a7a48f45cc28b5ef9660ebf4061fcb336/runtime/runtime.go#L71).
+
+In the meantime, we suggest that you re-register your runner if you want to change its labels.
+
+## Will there be more implementations for Gitea Actions runner?
+
+Although we would like to provide more options, our limited manpower means that act runner will be the only officially supported runner at the moment.
+
+However, both Gitea and act runner are completely open source under MIT License, so anyone can modify the code to satisfy their requirements.
+
+In case you fork act runner to create your own version: Please contribute the changes back if you can and if you think your changes will help others as well.
+
+## What workflow trigger events does Gitea support?
+
+All events listed in this table are supported events and are compatible with GitHub.
+For events supported only by GitHub, see GitHub's [documentation](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows).
+
+| trigger event               | activity types                                                                                                           |
+|-----------------------------|--------------------------------------------------------------------------------------------------------------------------|
+| create                      | not applicable                                                                                                           |
+| delete                      | not applicable                                                                                                           |
+| fork                        | not applicable                                                                                                           |
+| gollum                      | not applicable                                                                                                           |
+| push                        | not applicable                                                                                                           |
+| issues                      | `opened`, `edited`, `closed`, `reopened`, `assigned`, `unassigned`, `milestoned`, `demilestoned`, `labeled`, `unlabeled` |
+| issue_comment               | `created`, `edited`, `deleted`                                                                                           |
+| pull_request                | `opened`, `edited`, `closed`, `reopened`, `assigned`, `unassigned`, `synchronize`, `labeled`, `unlabeled`                |
+| pull_request_review         | `submitted`, `edited`                                                                                                    |
+| pull_request_review_comment | `created`, `edited`                                                                                                      |
+| release                     | `published`, `edited`                                                                                                    |
+| registry_package            | `published`                                                                                                              |
+
+> For `pull_request` events, in [GitHub Actions](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request), the `ref` is `refs/pull/:prNumber/merge`, which is a reference to the merge commit preview. However, Gitea has no such reference.
+> Therefore, the `ref` in Gitea Actions is `refs/pull/:prNumber/head`, which points to the head of pull request rather than the preview of the merge commit.

docs/usage/actions/overview.md

@@ -0,0 +1,38 @@
+---
+date: "2023-04-27T15:00:00+08:00"
+slug: "overview"
+sidebar_position: 1
+---
+
+# Overview
+
+Starting with Gitea **1.19**, Gitea Actions are available as a built-in CI/CD solution.
+
+## Name
+
+It is similar and mostly compatible to [GitHub Actions](https://github.com/features/actions), and its name is inspired by it too.
+To avoid confusion, we have clarified the spelling here:
+
+- "Gitea Actions" (with an "s", both words capitalized) is the name of the Gitea feature.
+- "GitHub Actions" is the name of the GitHub feature.
+- "Actions" could refer to either of the above, depending on the context. So it refers to "Gitea Actions" in this document.
+- "action" or "actions" refer to some scripts/plugins to be used, like "actions/checkout@v4" or "actions/cache@v3".
+
+## Runners
+
+Just like other CI/CD solutions, Gitea doesn't run the jobs itself, but delegates the jobs to runners.
+The runner of Gitea Actions is called [act runner](https://gitea.com/gitea/act_runner), it is a standalone program and also written in Go.
+An important part of the application comes from a [fork](https://gitea.com/gitea/act) of [nektos/act](http://github.com/nektos/act).
+
+Because the runner is deployed independently, there could be potential security issues.
+To avoid them, please follow two simple rules:
+
+- Don't use a runner you don't trust for your repository, organization or instance.
+- Don't provide a runner to a repository, organization or instance you don't trust.
+
+For Gitea instances used internally, such as instances used by enterprises or individuals, neither of these two rules is a problem, they are naturally so.
+However, for public Gitea instances, such as [gitea.com](https://gitea.com), these two rules should be kept in mind when adding or using runners.
+
+## Status
+
+Gitea Actions is stable enough for production usage and we use Gitea Actions in all the repositories in https://gitea.com/gitea.

docs/usage/actions/quickstart.md

@@ -0,0 +1,138 @@
+---
+date: "2023-04-27T15:00:00+08:00"
+slug: "quickstart"
+sidebar_position: 10
+---
+
+# Quick Start
+
+This page will guide you through the process of using Gitea Actions.
+
+## Set up Gitea
+
+First of all, you need a Gitea instance.
+You can follow the [documentation](installation/from-package.md) to set up a new instance or upgrade your existing one.
+It doesn't matter how you install or run Gitea, as long as its version is 1.19.0 or higher.
+
+Since 1.21.0, Actions are enabled by default. If you are using versions before 1.21.0, you need to add the following to the configuration file to enable it:
+
+```ini
+[actions]
+ENABLED=true
+```
+
+If you want to learn more or encounter any problems while configuring it, please refer to the [Configuration Cheat Sheet](../../administration/config-cheat-sheet.md#actions-actions).
+
+### Set up runner
+
+Gitea Actions requires [act runner](https://gitea.com/gitea/act_runner) to run the jobs.
+In order to avoid consuming too many resources and affecting the Gitea instance, it is recommended to start runners on separate machines from the Gitea instance.
+
+You can use the [pre-built binaries](http://dl.gitea.com/act_runner) or the [docker images](https://hub.docker.com/r/gitea/act_runner/tags) to set up the runner.
+
+Before proceeding any further, we suggest running it as a command line with pre-built binaries to ensure that it works with your environment, especially if you are running a runner on your localhost.
+And it could be easier to debug if something goes wrong.
+
+The runner can run the jobs in isolated Docker containers, so you need to make sure that the Docker has been installed and Docker daemon is running.
+While it is not strictly necessary, because the runner can also run the jobs directly on the host, it depends on how you configure it.
+However, it is recommended to use Docker to run the jobs, because it is more secure and easier to manage.
+
+Before running a runner, you should first register it to your Gitea instance using the following command:
+
+```bash
+./act_runner register --no-interactive --instance <instance> --token <token>
+```
+
+There are two arguments required, `instance` and `token`.
+
+`instance` refers to the address of your Gitea instance, like `http://192.168.8.8:3000` or `https://gitea.com`.
+The runner and job containers (which are started by the runner to execute jobs) will connect to this address.
+This means that it could be different from the `ROOT_URL` of your Gitea instance, which is configured for web access.
+It is always a bad idea to use a loopback address such as `127.0.0.1` or `localhost`.
+If you are unsure which address to use, the LAN address is usually the right choice.
+
+`token` is used for authentication and identification, such as `P2U1U0oB4XaRCi8azcngmPCLbRpUGapalhmddh23`.
+Each token can be used to create multiple runners, until it is replaced with a new token using the reset link.
+You can obtain different levels of 'tokens' from the following places to create the corresponding level of 'runners':
+
+- Instance level: The admin settings page, like `<your_gitea.com>/-/admin/actions/runners`.
+- Organization level: The organization settings page, like `<your_gitea.com>/<org>/settings/actions/runners`.
+- Repository level: The repository settings page, like `<your_gitea.com>/<owner>/<repo>/settings/actions/runners`.
+
+![register runner](/images/usage/actions/register-runner.png)
+
+After registering, a new file named `.runner` will appear in the current directory.
+This file stores the registration information.
+Please do not edit it manually.
+If this file is missing or corrupted, you can simply remove it and register again.
+
+Finally, it's time to start the runner:
+
+```bash
+./act_runner daemon
+```
+
+And you can see the new runner in the management page:
+
+![view runner](/images/usage/actions/view-runner.png)
+
+You can find more information by visiting [Act runner](usage/actions/act-runner.md).
+
+### Use Actions
+
+Even if Actions is enabled for the Gitea instance, repositories still disable Actions by default.
+
+To enable it, go to the settings page of your repository like `your_gitea.com/<owner>/repo/settings` and enable `Enable Repository Actions`.
+
+![enable actions](/images/usage/actions/enable-actions.png)
+
+The next steps may be rather complicated.
+You will need to study [the workflow syntax](https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions) for Actions and write the workflow files you want.
+
+However, we can just start from a simple demo:
+
+```yaml
+name: Gitea Actions Demo
+run-name: ${{ gitea.actor }} is testing out Gitea Actions 🚀
+on: [push]
+
+jobs:
+  Explore-Gitea-Actions:
+    runs-on: ubuntu-latest
+    steps:
+      - run: echo "🎉 The job was automatically triggered by a ${{ gitea.event_name }} event."
+      - run: echo "🐧 This job is now running on a ${{ runner.os }} server hosted by Gitea!"
+      - run: echo "🔎 The name of your branch is ${{ gitea.ref }} and your repository is ${{ gitea.repository }}."
+      - name: Check out repository code
+        uses: actions/checkout@v4
+      - run: echo "💡 The ${{ gitea.repository }} repository has been cloned to the runner."
+      - run: echo "🖥️ The workflow is now ready to test your code on the runner."
+      - name: List files in the repository
+        run: |
+          ls ${{ gitea.workspace }}
+      - run: echo "🍏 This job's status is ${{ job.status }}."
+```
+
+:::warning
+
+Certain actions may not function correctly within SHA256 repositories or when Gitea runs on subpath. This includes [actions/checkout](https://github.com/actions/checkout/issues/1843).
+
+:::
+
+You can upload it as a file with the extension `.yaml` in the directory `.gitea/workflows/` of the repository, for example `.gitea/workflows/demo.yaml`.
+You might notice that this is fairly similar from the [Quickstart for GitHub Actions](https://docs.github.com/en/actions/quickstart).
+That is because  Gitea Actions is designed to be compatible with GitHub Actions wherever possible.
+
+Be careful, the demo file contains some emojis.
+Please make sure your database supports them, especially when using MySQL.
+If the charset is not `utf8mb4`, errors will occur, such as `Error 1366 (HY000): Incorrect string value: '\\xF0\\x9F\\x8E\\x89 T...' for column 'name' at row 1`.
+See [Database Preparation](../../installation/database-preparation.md#mysqlmariadb) for more information.
+
+Alternatively, you can remove all emojis from the demo file and try again.
+
+The line `on: [push]` indicates that the workflow will be triggered when you push commits to this repository.
+However, when you upload the YAML file, it also pushes a commit, so you should see a new task in the Actions tab.
+
+![view job](/images/usage/actions/view-job.png)
+
+Great job! You have successfully started working with Actions.

docs/usage/actions/secrets.md

@@ -0,0 +1,35 @@
+---
+date: "2024-07-10T09:23:00+02:00"
+slug: "secrets"
+sidebar_position: 50
+---
+
+# Secrets
+
+Secrets allow you to store sensitive information in your user, organization or repository.
+Secrets are available on Gitea 1.19+ and are only visible in 1.20+ when ACTIONS are enabled.
+
+# Naming your secrets
+
+The following rules apply to secret names:
+
+- Secret names can only contain alphanumeric characters (`[a-z]`, `[A-Z]`, `[0-9]`) or underscores (`_`). Spaces are not allowed.
+
+- Secret names must not start with the `GITHUB_` and `GITEA_` prefix.
+
+- Secret names must not start with a number.
+
+- Secret names are not case-sensitive.
+
+- Secret names must be unique at the level they are created at.
+
+For example, a secret created at the repository level must have a unique name in that repository, and a secret created at the organization level must have a unique name at that level.
+
+### Using secrets
+
+After creating configuration variables, they will be automatically filled in the `secrets` context.
+They can be accessed through expressions like `${{ secrets.SECRET_NAME }}` in the workflow.
+
+### Precedence
+
+If a secret with the same name exists at multiple levels, the secret at the lowest level takes precedence. For example, if an organization-level secret has the same name as a repository-level secret, then the repository-level secret takes precedence.

docs/usage/actions/variables.md

@@ -0,0 +1,32 @@
+---
+date: "2024-04-10T22:21:00+08:00"
+slug: "actions-variables"
+sidebar_position: 25
+---
+
+# Variables
+
+You can create configuration variables on the user, organization and repository level.
+The level of the variable depends on where you created it. When creating a variable, the
+key will be converted to uppercase. You need use uppercase on the yaml file.
+
+## Naming conventions
+
+The following rules apply to variable names:
+
+- Variable names can only contain alphanumeric characters (`[a-z]`, `[A-Z]`, `[0-9]`) or underscores (`_`). Spaces are not allowed.
+- Variable names must not start with the `GITHUB_` and `GITEA_` prefix.
+- Variable names must not start with a number.
+- Variable names are case-insensitive.
+- Variable names must be unique at the level they are created at.
+- Variable names must not start with `CI`.
+
+## Using variable
+
+After creating configuration variables, they will be automatically filled in the `vars` context.
+They can be accessed through expressions like `${{ vars.VARIABLE_NAME }}` in the workflow.
+
+## Precedence
+
+If a variable with the same name exists at multiple levels, the variable at the lowest level takes precedence:
+A repository variable will always be chosen over an organization/user variable.

docs/usage/agit.md

@@ -0,0 +1,48 @@
+---
+date: "	2022-09-01T20:50:42+0000"
+slug: "agit"
+sidebar_position: 12
+aliases:
+  - /en-us/agit-setup
+  - /agit-setup
+---
+
+# AGit
+
+In Gitea `1.13`, support for [AGit](https://git-repo.info/en/2020/03/agit-flow-and-git-repo/) was added. AGit enables users to create pull requests directly, even without write permissions of the repository, eliminating the need to fork it. This helps reduce the number of duplicated repositories and minimizes unnecessary disk usage.
+
+:::note
+Git version 2.29 or higher is required on the server side for this to work.
+:::
+
+## Creating PRs with AGit
+
+AGit allows to create PRs while pushing code to the remote repo.
+This can be done by pushing to the branch followed by a specific refspec (a location identifier known to git).
+The following example illustrates this:
+
+```shell
+git push origin HEAD:refs/for/main
+```
+
+The command has the following structure:
+
+- `HEAD`: The target branch
+- `origin`: The target repository (not a fork!)
+- `HEAD`: The local branch containing the changes you are proposing
+- `refs/<for|draft|for-review>/<branch>`: The target PR type and configuration
+  - `for`: Create a normal PR with `<branch>` as the target branch
+  - `draft`/`for-review`: Currently ignored silently
+  - `<branch>/`: The branch you want your changes to be merged into
+- `-o <topic|title|description>`: Options for the PR
+  - `topic`: The topic of this change. It will become the name of the branch holding the changes waiting for review.  This is REQUIRED to trigger a pull request.
+  - `title`: The PR title (optional but recommended), only used for topics not already having an associated PR.
+  - `description`: The PR description (optional but recommended), only used for topics not already having an associated PR.
+  - `force-push=true`: Specifies whether to force-update the target branch.
+    - Note: omitting the value and using just `-o force-push` will also work.
+
+Here's another advanced example for creating a new PR targeting `main` with `topic`, `title`, and `description`:
+
+```shell
+git push origin HEAD:refs/for/main -o topic="topic_of_my_PR" -o title="Title of the PR" -o description="# The PR Description\nThis can be **any** markdown content.\n- [x] Ok"
+```

docs/usage/blame.md

@@ -1,18 +1,9 @@
 ---
 date: "2023-08-14T00:00:00+00:00"
-title: "Blame File View"
 slug: "blame"
 sidebar_position: 13
-toc: false
-draft: false
 aliases:
   - /en-us/blame
-menu:
-  sidebar:
-    parent: "usage"
-    name: "Blame"
-    sidebar_position: 13
-    identifier: "blame"
 ---
 
 # Blame File View

docs/usage/blocking-users.md

@@ -1,18 +1,9 @@
 ---
 date: "2024-01-31T00:00:00+00:00"
-title: "Blocking a user"
 slug: "blocking-user"
 sidebar_position: 25
-toc: false
-draft: false
 aliases:
   - /en-us/webhooks
-menu:
-  sidebar:
-    parent: "usage"
-    name: "Blocking a user"
-    sidebar_position: 30
-    identifier: "blocking-user"
 ---
 
 # Blocking a user

docs/usage/clone-filter.md

@@ -1,18 +1,9 @@
 ---
 date: "2021-02-02"
-title: "Clone filters (partial clone)"
 slug: "clone-filters"
 sidebar_position: 25
-draft: false
-toc: false
 aliases:
   - /en-us/clone-filters
-menu:
-  sidebar:
-    parent: "usage"
-    name: "Clone filters"
-    sidebar_position: 25
-    identifier: "clone-filters"
 ---
 
 # Clone filters (partial clone)

docs/usage/code-owners.md

@@ -1,18 +1,9 @@
 ---
 date: "2023-05-24T16:00:00+00:00"
-title: "Code Owners"
 slug: "code-owners"
 sidebar_position: 30
-toc: false
-draft: false
 aliases:
   - /en-us/code-owners
-menu:
-  sidebar:
-    parent: "usage"
-    name: "Code Owners"
-    sidebar_position: 30
-    identifier: "code-owners"
 ---
 
 # Code Owners
@@ -32,7 +23,7 @@ Regexp can start with `!` for negative rules - match all files except specified.
 
 Example file:
 
-```
+```bash
 .*\\.go @user1 @user2 # This is comment
 
 # Comment too

docs/usage/incoming-email.md

@@ -1,18 +1,9 @@
 ---
 date: "2022-12-01T00:00:00+00:00"
-title: "Incoming Email"
 slug: "incoming-email"
 sidebar_position: 13
-draft: false
-toc: false
 aliases:
   - /en-us/incoming-email
-menu:
-  sidebar:
-    parent: "usage"
-    name: "Incoming Email"
-    sidebar_position: 13
-    identifier: "incoming-email"
 ---
 
 # Incoming Email

docs/usage/issue-pull-request-templates.md

@@ -0,0 +1,328 @@
+---
+date: "2018-05-10T16:00:00+02:00"
+slug: "issue-pull-request-templates"
+sidebar_position: 15
+aliases:
+  - /en-us/issue-pull-request-templates
+---
+
+# Issue and Pull Request Templates
+
+Some projects have a standard list of questions that users need to answer
+when creating an issue or pull request. Gitea supports adding templates to the
+**default branch of the repository** so that they can autopopulate the form when users are
+creating issues and pull requests. This will cut down on the initial back and forth
+of getting some clarifying details.
+It is currently not possible to provide generic issue/pull-request templates globally.
+
+Additionally, the New Issue page URL can be suffixed with `?title=Issue+Title&body=Issue+Text` and the form will be populated with those strings. Those strings will be used instead of the template if there is one.
+
+## File names
+
+Possible file names for issue templates:
+
+- `ISSUE_TEMPLATE.md`
+- `ISSUE_TEMPLATE.yaml`
+- `ISSUE_TEMPLATE.yml`
+- `issue_template.md`
+- `issue_template.yaml`
+- `issue_template.yml`
+- `.gitea/ISSUE_TEMPLATE.md`
+- `.gitea/ISSUE_TEMPLATE.yaml`
+- `.gitea/ISSUE_TEMPLATE.yml`
+- `.gitea/issue_template.md`
+- `.gitea/issue_template.yaml`
+- `.gitea/issue_template.yml`
+- `.github/ISSUE_TEMPLATE.md`
+- `.github/ISSUE_TEMPLATE.yaml`
+- `.github/ISSUE_TEMPLATE.yml`
+- `.github/issue_template.md`
+- `.github/issue_template.yaml`
+- `.github/issue_template.yml`
+
+Possible file names for issue config:
+
+- `.gitea/ISSUE_TEMPLATE/config.yaml`
+- `.gitea/ISSUE_TEMPLATE/config.yml`
+- `.gitea/issue_template/config.yaml`
+- `.gitea/issue_template/config.yml`
+- `.github/ISSUE_TEMPLATE/config.yaml`
+- `.github/ISSUE_TEMPLATE/config.yml`
+- `.github/issue_template/config.yaml`
+- `.github/issue_template/config.yml`
+
+Possible file names for PR templates:
+
+- `PULL_REQUEST_TEMPLATE.md`
+- `PULL_REQUEST_TEMPLATE.yaml`
+- `PULL_REQUEST_TEMPLATE.yml`
+- `pull_request_template.md`
+- `pull_request_template.yaml`
+- `pull_request_template.yml`
+- `.gitea/PULL_REQUEST_TEMPLATE.md`
+- `.gitea/PULL_REQUEST_TEMPLATE.yaml`
+- `.gitea/PULL_REQUEST_TEMPLATE.yml`
+- `.gitea/pull_request_template.md`
+- `.gitea/pull_request_template.yaml`
+- `.gitea/pull_request_template.yml`
+- `.github/PULL_REQUEST_TEMPLATE.md`
+- `.github/PULL_REQUEST_TEMPLATE.yaml`
+- `.github/PULL_REQUEST_TEMPLATE.yml`
+- `.github/pull_request_template.md`
+- `.github/pull_request_template.yaml`
+- `.github/pull_request_template.yml`
+
+## Directory names
+
+Alternatively, users can create multiple issue templates inside a special directory and allow users to choose one that more specifically
+addresses their problem.
+
+Possible directory names for issue templates:
+
+- `ISSUE_TEMPLATE`
+- `issue_template`
+- `.gitea/ISSUE_TEMPLATE`
+- `.gitea/issue_template`
+- `.github/ISSUE_TEMPLATE`
+- `.github/issue_template`
+- `.gitlab/ISSUE_TEMPLATE`
+- `.gitlab/issue_template`
+
+Inside the directory can be multiple markdown (`.md`) or yaml (`.yaml`/`.yml`) issue templates of the form.
+
+## Syntax for markdown template
+
+```md
+---
+
+name: "Template Name"
+about: "This template is for testing!"
+title: "[TEST] "
+ref: "main"
+assignees: ["user1"]
+labels:
+
+- bug
+- "help needed"
+
+---
+
+This is the template!
+```
+
+In the above example, when a user is presented with the list of issues they can submit, this would show as `Template Name` with the description
+`This template is for testing!`. When submitting an issue with the above example, the issue title would be pre-populated with
+`[TEST] ` while the issue body would be pre-populated with `This is the template!`. 
+The issue would be assigned to `user1`.
+The issue would also be assigned two labels,
+`bug` and `help needed`, and the issue will have a reference to `main`.
+
+## Syntax for yaml template
+
+This example YAML configuration file defines an issue form using several inputs to report a bug.
+
+```yaml
+name: Bug Report
+about: File a bug report
+title: "[Bug]: "
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for taking the time to fill out this bug report!
+  # some markdown that will only be visible once the issue has been created
+  - type: markdown
+    attributes:
+      value: |
+        This issue was created by an issue **template** :)
+    visible: [content]
+  - type: input
+    id: contact
+    attributes:
+      label: Contact Details
+      description: How can we get in touch with you if we need more info?
+      placeholder: ex. email@example.com
+    validations:
+      required: false
+  - type: textarea
+    id: what-happened
+    attributes:
+      label: What happened?
+      description: Also tell us, what did you expect to happen?
+      placeholder: Tell us what you see!
+      value: "A bug happened!"
+    validations:
+      required: true
+  - type: dropdown
+    id: version
+    attributes:
+      label: Version
+      description: What version of our software are you running?
+      options:
+        - 1.0.2 (Default)
+        - 1.0.3 (Edge)
+    validations:
+      required: true
+  - type: dropdown
+    id: browsers
+    attributes:
+      label: What browsers are you seeing the problem on?
+      multiple: true
+      options:
+        - Firefox
+        - Chrome
+        - Safari
+        - Microsoft Edge
+  - type: textarea
+    id: logs
+    attributes:
+      label: Relevant log output
+      description: Please copy and paste any relevant log output. This will be automatically formatted into code, so no need for backticks.
+      render: shell
+  - type: checkboxes
+    id: terms
+    attributes:
+      label: Code of Conduct
+      hide_label: true
+      description: By submitting this issue, you agree to follow our [Code of Conduct](https://example.com)
+      options:
+        - label: I agree to follow this project's Code of Conduct
+          required: true
+        - label: I have also read the CONTRIBUTION.MD
+          required: true
+          visible: [form]
+        - label: This is a TODO only visible after issue creation
+          visible: [content]
+```
+
+### Markdown
+
+You can use a `markdown` element to display Markdown in your form that provides extra context to the user, but is not submitted by default.
+
+Attributes:
+
+| Key   | Description                                                  | Required | Type   | Default | Valid values |
+|-------|--------------------------------------------------------------|----------|--------|---------|--------------|
+| value | The text that is rendered. Markdown formatting is supported. | Required | String | -       | -            |
+
+visible: Default is **[form]**
+
+### Textarea
+
+You can use a `textarea` element to add a multi-line text field to your form. Contributors can also attach files in `textarea` fields.
+
+Attributes:
+
+| Key         | Description                                                                                                                                                                   | Required | Type    | Default      | Valid values              |
+|-------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------|---------|--------------|---------------------------|
+| label       | A brief description of the expected user input, which is also displayed in the form.                                                                                          | Required | String  | -            | -                         |
+| hide_label  | If true, the label normally used as a headline is not visible.                                                                                                                | Optional | Boolean | false        | -                         |
+| description | A description of the text area to provide context or guidance, which is displayed in the form.                                                                                | Optional | String  | Empty String | -                         |
+| placeholder | A semi-opaque placeholder that renders in the text area when empty.                                                                                                           | Optional | String  | Empty String | -                         |
+| value       | Text that is pre-filled in the text area.                                                                                                                                     | Optional | String  | -            | -                         |
+| render      | If a value is provided, submitted text will be formatted into a codeblock. When this key is provided, the text area will not expand for file attachments or Markdown editing. | Optional | String  | -            | Languages known to Gitea. |
+
+Validations:
+
+| Key      | Description                                          | Required | Type    | Default | Valid values |
+|----------|------------------------------------------------------|----------|---------|---------|--------------|
+| required | Prevents form submission until element is completed. | Optional | Boolean | false   | -            |
+
+visible: Default is **[form, content]**
+
+### Input
+
+You can use an `input` element to add a single-line text field to your form.
+
+Attributes:
+
+| Key         | Description                                                                                | Required | Type    | Default      | Valid values |
+|-------------|--------------------------------------------------------------------------------------------|----------|---------|--------------|--------------|
+| label       | A brief description of the expected user input, which is also displayed in the form.       | Required | String  | -            | -            |
+| hide_label  | If true, the label normally used as a headline is not visible.                             | Optional | Boolean | false        | -            |
+| description | A description of the field to provide context or guidance, which is displayed in the form. | Optional | String  | Empty String | -            |
+| placeholder | A semi-transparent placeholder that renders in the field when empty.                       | Optional | String  | Empty String | -            |
+| value       | Text that is pre-filled in the field.                                                      | Optional | String  | -            | -            |
+
+Validations:
+
+| Key       | Description                                                                                      | Required | Type    | Default | Valid values                                                             |
+|-----------|--------------------------------------------------------------------------------------------------|----------|---------|---------|--------------------------------------------------------------------------|
+| required  | Prevents form submission until element is completed.                                             | Optional | Boolean | false   | -                                                                        |
+| is_number | Prevents form submission until element is filled with a number.                                  | Optional | Boolean | false   | -                                                                        |
+| regex     | Prevents form submission until element is filled with a value that match the regular expression. | Optional | String  | -       | a [regular expression](https://en.wikipedia.org/wiki/Regular_expression) |
+
+visible: Default is **[form, content]**
+
+### Dropdown
+
+You can use a `dropdown` element to add a dropdown menu in your form.
+
+Attributes:
+
+| Key         | Description                                                                                         | Required | Type         | Default      | Valid values |
+|-------------|-----------------------------------------------------------------------------------------------------|----------|--------------|--------------|--------------|
+| label       | A brief description of the expected user input, which is displayed in the form.                     | Required | String       | -            | -            |
+| hide_label  | If true, the label normally used as a headline is not visible.                                      | Optional | Boolean | false        | -            |
+| description | A description of the dropdown to provide extra context or guidance, which is displayed in the form. | Optional | String       | Empty String | -            |
+| multiple    | Determines if the user can select more than one option.                                             | Optional | Boolean      | false        | -            |
+| list        | If true, display as a list. If false, print items on one line with commas.                          | Optional | Boolean      | false        | -            |
+| options     | An array of options the user can choose from. Cannot be empty and all choices must be distinct.     | Required | String array | -            | -            |
+
+Validations:
+
+| Key      | Description                                          | Required | Type    | Default | Valid values |
+|----------|------------------------------------------------------|----------|---------|---------|--------------|
+| required | Prevents form submission until element is completed. | Optional | Boolean | false   | -            |
+
+visible: Default is **[form, content]**
+
+### Checkboxes
+
+You can use the `checkboxes` element to add a set of checkboxes to your form.
+
+Attributes:
+
+| Key         | Description                                                                                           | Required | Type    | Default      | Valid values |
+|-------------|-------------------------------------------------------------------------------------------------------|----------|---------|--------------|--------------|
+| label       | A brief description of the expected user input, which is displayed in the form.                       | Required | String  | -            | -            |
+| hide_label  | If true, the label normally used as a headline is not visible.                                        | Optional | Boolean | false        | -            |
+| description | A description of the set of checkboxes, which is displayed in the form. Supports Markdown formatting. | Optional | String  | Empty String | -            |
+| options     | An array of checkboxes that the user can select. For syntax, see below.                               | Required | Array   | -            | -            |
+
+For each value in the options array, you can set the following keys.
+
+| Key          | Description                                                                                                                              | Required | Type         | Default | Options |
+|--------------|------------------------------------------------------------------------------------------------------------------------------------------|----------|--------------|---------|---------|
+| label        | The identifier for the option, which is displayed in the form. Markdown is supported for bold or italic text formatting, and hyperlinks. | Required | String       | -       | -       |
+| required     | Prevents form submission until element is completed.                                                                                     | Optional | Boolean      | false   | -       |
+| visible      | Whether a specific checkbox appears in the form only, in the created issue only, or both. Valid options are "form" and "content".        | Optional | String array | false   | -       |
+
+visible: Default is **[form, content]**
+
+## Syntax for issue config
+
+This is a example for a issue config file
+
+```yaml
+blank_issues_enabled: true
+contact_links:
+  - name: Gitea
+    url: https://gitea.com
+    about: Visit the Gitea Website
+```
+
+### Possible Options
+
+| Key                  | Description                                           | Type               | Default     |
+|----------------------|-------------------------------------------------------|--------------------|-------------|
+| blank_issues_enabled | If set to false, the User is forced to use a Template | Boolean            | true        |
+| contact_links        | Custom Links to show in the Choose Box                | Contact Link Array | Empty Array |
+
+### Contact Link
+
+| Key   | Description                      | Type   | Required |
+|-------|----------------------------------|--------|----------|
+| name  | the name of your link            | String | true     |
+| url   | The URL of your Link             | String | true     |
+| about | A short description of your Link | String | true     |

docs/usage/labels.md

@@ -0,0 +1,33 @@
+---
+date: "2023-03-04T19:00:00+00:00"
+slug: "labels"
+sidebar_position: 13
+aliases:
+  - /en-us/labels
+---
+
+# Labels
+
+You can use labels to classify issues and pull requests and to improve your overview over them.
+
+## Creating Labels
+
+For repositories, labels can be created by going to `Issues` and clicking on `Labels`.
+
+For organizations, you can define organization-wide labels that are shared with all organization repositories, including both already-existing repositories as well as newly created ones. Organization-wide labels can be created in the organization `Settings`.
+
+Labels have a mandatory name, a mandatory color, an optional description, and must either be exclusive or not (see `Scoped Labels` below).
+
+When you create a repository, you can ensure certain labels exist by using the `Issue Labels` option. This option lists a number of available label sets that are [configured globally on your instance](../administration/customizing-gitea.md#labels). Its contained labels will all be created as well while creating the repository.
+
+## Scoped Labels
+
+Scoped labels are used to ensure at most a single label with the same scope is assigned to an issue or pull request. For example, if labels `kind/bug` and `kind/enhancement` have the Exclusive option set, an issue can only be classified as a bug or an enhancement.
+
+A scoped label must contain `/` in its name (not at either end of the name). The scope of a label is determined based on the **last** `/`, so for example the scope of label `scope/subscope/item` is `scope/subscope`.
+
+## Filtering by Label
+
+Issue and pull request lists can be filtered by label. Selecting multiple labels shows issues and pull requests that have all selected labels assigned.
+
+By holding alt to click the label, issues and pull requests with the chosen label are excluded from the list.

docs/usage/linked-references.md

@@ -0,0 +1,194 @@
+---
+date: "2019-11-21T17:00:00-03:00"
+slug: "automatically-linked-references"
+sidebar_position: 15
+aliases:
+  - /en-us/automatically-linked-references
+---
+
+# Automatically Linked References
+
+When an issue, pull request or comment is posted, the text description is parsed
+in search for references. These references will be shown as links in the Issue View
+and, in some cases, produce certain _actions_.
+
+Likewise, commit messages are parsed when they are listed, and _actions_
+can be triggered when they are pushed to the main branch.
+
+To prevent the creation of unintended references, there are certain rules
+for them to be recognized. For example, they should not be included inside code
+text. They should also be reasonably cleared from their surrounding text
+(for example, using spaces).
+
+## User, Team and Organization Mentions
+
+When a text in the form `@username` is found and `username` matches the name
+of an existing user, a _mention_ reference is created. This will be shown
+by changing the text into a link to said user's profile, and possibly create
+a notification for the mentioned user depending on whether they have
+the necessary permission to access the contents.
+
+Example:
+
+> [@John](#), can you give this a look?
+
+This is also valid for teams and organizations:
+
+> [@Documenters](#), we need to plan for this.
+> [@CoolCompanyInc](#), this issue concerns us all!
+
+Teams will receive mail notifications when appropriate, but whole organizations won't.
+
+Commit messages do not produce user notifications.
+
+## Commits
+
+Commits can be referenced using their SHA1 hash, or a portion of it of
+at least seven characters. They will be shown as a link to the corresponding
+commit.
+
+Example:
+
+> This bug was introduced in [e59ff077](#)
+
+## Issues and Pull Requests
+
+A reference to another issue or pull request can be created using the simple
+notation `#1234`, where _1234_ is the number of an issue or pull request
+in the same repository. These references will be shown as links to the
+referenced content.
+
+The effect of creating this type of reference is that a _notice_ will be
+created in the referenced document, provided the creator of the reference
+has reading permissions on it.
+
+Example:
+
+> This seems related to [#1234](#)
+
+Issues and pull requests in other repositories can be referred to as well
+using the form `owner/repository#1234`:
+
+> This seems related to [mike/compiler#1234](#)
+
+Alternatively, the `!1234` notation can be used as well. Even when in Gitea
+a pull request is a form of issue, the `#1234` form will always link to
+an issue; if the linked entry happens to be a pull request instead, Gitea
+will redirect as appropriate. With the `!1234` notation, a pull request
+link will be created, which will be redirected to an issue if required.
+However, this distinction could be important if an external tracker is
+used, where links to issues and pull requests are not interchangeable.
+
+## Actionable References in Pull Requests and Commit Messages
+
+Sometimes a commit or pull request may fix or bring back a problem documented
+in a particular issue. Gitea supports closing and reopening the referenced
+issues by preceding the reference with a particular _keyword_. Common keywords
+include "closes", "fixes", "reopens", etc. This list can be
+[customized](../administration/config-cheat-sheet.md) by the
+site administrator.
+
+Example:
+
+> This PR _closes_ [#1234](#)
+
+If the actionable reference is accepted, this will create a notice on the
+referenced issue announcing that it will be closed when the referencing PR
+is merged.
+
+For an actionable reference to be accepted, _at least one_ of the following
+conditions must be met:
+
+- The commenter has permissions to close or reopen the issue at the moment
+  of creating the reference.
+- The reference is inside a commit message.
+- The reference is posted as part of the pull request description.
+
+In the last case, the issue will be closed or reopened only if the merger
+of the pull request has permissions to do so.
+
+Additionally, only pull requests and commit messages can create an action,
+and only issues can be closed or reopened this way.
+
+The default _keywords_ are:
+
+- **Closing**: close, closes, closed, fix, fixes, fixed, resolve, resolves, resolved
+- **Reopening**: reopen, reopens, reopened
+
+## Time tracking in Pull Requests and Commit Messages
+
+When commit or merging of pull request results in automatic closing of issue
+it is possible to also add spent time resolving this issue through commit message.
+
+To specify spent time on resolving issue you need to specify time in format
+`@<number><time-unit>` after issue number. In one commit message you can specify
+multiple fixed issues and spent time for each of them.
+
+Supported time units (`<time-unit>`):
+
+- `m` - minutes
+- `h` - hours
+- `d` - days (equals to 8 hours)
+- `w` - weeks (equals to 5 days)
+- `mo` - months (equals to 4 weeks)
+
+Numbers to specify time (`<number>`) can be also decimal numbers, ex. `@1.5h` would
+result in one and half hours. Multiple time units can be combined, ex. `@1h10m` would
+mean 1 hour and 10 minutes.
+
+Example of commit message:
+
+> Fixed #123 spent @1h, refs #102, fixes #124 @1.5h
+
+This would result in 1 hour added to issue #123 and 1 and half hours added to issue #124.
+
+## External Trackers
+
+Gitea supports the use of external issue trackers, and references to issues
+hosted externally can be created in pull requests. However, if the external
+tracker uses numbers to identify issues, they will be indistinguishable from
+the pull requests hosted in Gitea. To address this, Gitea allows the use of
+the `!` marker to identify pull requests. For example:
+
+> This is issue [#1234](#), and links to the external tracker.
+> This is pull request [!1234](#), and links to a pull request in Gitea.
+
+The `!` and `#` can be used interchangeably for issues and pull request _except_
+for this case, where a distinction is required. If the repository uses external
+tracker, commit message for squash merge will use `!` as reference by default.
+
+## Issues and Pull Requests References Summary
+
+This table illustrates the different kinds of cross-reference for issues and pull requests.
+In the examples, `User1/Repo1` refers to the repository where the reference is used, while
+`UserZ/RepoZ` indicates a different repository.
+
+| Reference in User1/Repo1    | Repo1 issues are external | RepoZ issues are external | Should render                                           |
+| --------------------------- | :-----------------------: | :-----------------------: | ------------------------------------------------------- |
+| `#1234`                     |            no             |            -              | A link to issue/pull 1234 in `User1/Repo1`              |
+| `!1234`                     |            no             |            -              | A link to issue/pull 1234 in `User1/Repo1`              |
+| `#1234`                     |            yes            |            -              | A link to _external issue_ 1234 for `User1/Repo1`       |
+| `!1234`                     |            yes            |            -              | A link to _PR_ 1234 for `User1/Repo1`                   |
+| `User1/Repo1#1234`          |            no             |            -              | A link to issue/pull 1234 in `User1/Repo1`              |
+| `User1/Repo1!1234`          |            no             |            -              | A link to issue/pull 1234 in `User1/Repo1`              |
+| `User1/Repo1#1234`          |            yes            |            -              | A link to _external issue_ 1234 for `User1/Repo1`       |
+| `User1/Repo1!1234`          |            yes            |            -              | A link to _PR_ 1234 for `User1/Repo1`                   |
+| `UserZ/RepoZ#1234`          |            -              |            no             | A link to issue/pull 1234 in `UserZ/RepoZ`              |
+| `UserZ/RepoZ!1234`          |            -              |            no             | A link to issue/pull 1234 in `UserZ/RepoZ`              |
+| `UserZ/RepoZ#1234`          |            -              |            yes            | A link to _external issue_ 1234 for `UserZ/RepoZ`       |
+| `UserZ/RepoZ!1234`          |            -              |            yes            | A link to _PR_ 1234 for `UserZ/RepoZ`                   |
+| **Alphanumeric issue IDs:** |             -             |             -             | -                                                       |
+| `AAA-1234`                  |            yes            |            -              | A link to _external issue_ `AAA-1234` for `User1/Repo1` |
+| `!1234`                     |            yes            |            -              | A link to _PR_ 1234 for `User1/Repo1`                   |
+| `User1/Repo1!1234`          |            yes            |            -              | A link to _PR_ 1234 for `User1/Repo1`                   |
+| _Not supported_             |            -              |            yes            | A link to _external issue_ `AAA-1234` for `UserZ/RepoZ` |
+| `UserZ/RepoZ!1234`          |            -              |            yes            | A link to _PR_ 1234 in `UserZ/RepoZ`                    |
+
+_The last section is for repositories with external issue trackers that use alphanumeric format._
+
+_**-**: not applicable._
+
+:::note
+Automatic references between repositories with different types of issues (external vs. internal) are not fully supported
+and may render invalid links.
+:::

docs/usage/markdown.md

@@ -0,0 +1,102 @@
+---
+date: "2025-04-05T00:00:00+08:00"
+slug: "markdown"
+---
+
+# Markdown
+
+Gitea uses MarkDown structured text in many places, you can recognise it by the `.md` file extension.
+Markdown is plain text format for writing structured documents, allowing one to write
+"plain" text files that nonetheless have _"fancy"_ **formatting**, while still keeping the plain-text version readable.
+
+Unfortunately, due to historical implementation differences, many subtle dialects exist.
+To avoid adding to the confusion, Gitea tries to follow "[GitHub Flavoured Markdown (GFM)](https://help.github.com/articles/github-flavored-markdown/)" as close as possible.
+"GFM" is an extension on top of the rigorously-specified [CommonMark](https://commonmark.org/) standard.
+CommonMark flavours are used by most major web platforms (e.g. Reddit, Stack Overflow, Discourse)
+and git forges (GitHub, GitLab and our very own Gitea), thus you shouldn't run into any surprises with Gitea.
+
+For a quick introduction to the syntax and features of GitHub Flavoured Markdown, see the GitHub documentation:
+- [Basic formatting](https://docs.github.com/en/get-started/writing-on-github/getting-started-with-writing-and-formatting-on-github/basic-writing-and-formatting-syntax)
+- [Advanced formatting](https://docs.github.com/en/get-started/writing-on-github/working-with-advanced-formatting)
+
+For a deeper history about CommonMark, its spec, and its reason for existence, see [CommonMark.org](https://commonmark.org/).
+
+## Rendering options
+
+Some Gitea's markdown rendering behaviors can be fine-tuned by global config options, see the `[markdown]` config section in the `app.example.ini`
+
+
+## Link path resolving
+
+When rendering links for `<a href>`, `<img src>` and `<video src>`, Gitea resolves the link paths in the rendering context.
+
+- If the link is an absolute path with scheme, the link is kept as-is.
+- If the link is an URL path, it is resolved with the base path of current rendering context.
+  - In a comment-like context (issues, pull-requests, commit message), the base path is current repository's home link: `/owner-name/repo-name`.
+  - In a repository file context (markdown files in the repository), the base path is current git ref path.
+
+### Special link tokens
+
+To make users easier to resolve a link to the Gitea instance's root path, Gitea has a special `/:root` path syntax.
+This will always resolve to Gitea's ROOT_URL.
+
+Gitea also supports GitHub's `?raw=1` query parameter.
+A request to `/owner-name/repo-name/src/branch/main/file?raw=1` will be redirected to
+`/owner-name/repo-name/raw/branch/main/file`. This makes it possible to target raw contents from relative links
+(normally, the `src/` section of the path is provided automatically by Gitea and cannot be overriden).
+
+### Link handling examples
+
+For example, when rendering a markdown file in `/owner-name/repo-name/src/branch/main/dir`:
+  1) Absolute with scheme: Link `https://example.org` will be rendered as-is.
+  2) Relative from current file: Link `sub/file`is resolved to `/owner-name/repo-name/src/branch/main/dir/sub/file`
+  3) Relative from repo root: Link `/sub/file` (note leading slash) is resolved to `/owner-name/repo-name/src/branch/main/sub/file`
+  4) Raw media: If the link is used as `src` of an image or video, then it is resolved to `/owner-name/repo-name/raw/...`
+  5) Raw relative: `sub/file?raw=1` will resolve to `/owner-name/repo-name/src/branch/main/dir/sub/file?raw=1`,
+    which will redirect to `/owner-name/repo-name/raw/branch/main/dir/sub/file`.
+  6) explicit root: Link `/:root/any-path` is always resolved to `$ROOT_URL/any-path` without any further processing.
+
+
+## Issue and pull-request reference
+
+Using issue/pull-request numbers in a list:
+
+```
+* #123
+* #456
+```
+
+It will be rendered with issue titles to:
+
+```
+* the issue title (#123)
+* the other issue title (#456)
+```
+
+## Math expressions
+
+Gitea supports GitHub-like math expression formatting.
+
+### Inline expression
+
+  - ``` $\alpha$ ```: quoted by single-dollar `$`
+  - ``` $$\alpha$$ ```: quoted by double-dollar `$$`
+  - ``` $`\alpha`$ ```: quoted by dollar with backquotes, the backquotes could repeat like normal code blocks.
+
+### Block expression
+
+Using `$$`:
+
+````
+$$
+\alpha
+$$
+````
+
+Using code-block with language:
+
+````
+```math
+\alpha
+```
+````

docs/usage/merge-message-templates.md

@@ -0,0 +1,46 @@
+---
+date: "2022-08-31T17:35:40+08:00"
+slug: "merge-message-templates"
+sidebar_position: 15
+aliases:
+  - /en-us/merge-message-templates
+---
+
+# Merge Message templates
+
+## File names
+
+Possible file names for PR default merge message templates:
+
+- `.gitea/default_merge_message/MERGE_TEMPLATE.md`
+- `.gitea/default_merge_message/REBASE_TEMPLATE.md`
+- `.gitea/default_merge_message/REBASE-MERGE_TEMPLATE.md`
+- `.gitea/default_merge_message/SQUASH_TEMPLATE.md`
+- `.gitea/default_merge_message/MANUALLY-MERGED_TEMPLATE.md`
+- `.gitea/default_merge_message/REBASE-UPDATE-ONLY_TEMPLATE.md`
+
+## Variables
+
+You can use the following variables enclosed in `${}` inside these templates which follow [os.Expand](https://pkg.go.dev/os#Expand) syntax:
+
+- BaseRepoOwnerName: Base repository owner name of this pull request
+- BaseRepoName: Base repository name of this pull request
+- BaseBranch: Base repository target branch name of this pull request
+- HeadRepoOwnerName: Head repository owner name of this pull request
+- HeadRepoName: Head repository name of this pull request
+- HeadBranch: Head repository branch name of this pull request
+- PullRequestTitle: Pull request's title
+- PullRequestDescription: Pull request's description
+- PullRequestPosterName: Pull request's poster name
+- PullRequestIndex: Pull request's index number
+- PullRequestReference: Pull request's reference char with index number. i.e. #1, !2
+- ClosingIssues: return a string contains all issues which will be closed by this pull request i.e. `close #1, close #2`
+- ReviewedOn: Which pull request this commit belongs to. For example `Reviewed-on: https://gitea.com/foo/bar/pulls/1`
+- ReviewedBy: Who approved the pull request before the merge. For example `Reviewed-by: Jane Doe <jane.doe@example.com>`
+
+## Rebase
+
+When rebasing without a merge commit, `REBASE_TEMPLATE.md` modifies the message of the last commit. The following additional variables are available in this template:
+
+- CommitTitle: Commit's title
+- CommitBody: Commits's body text

docs/usage/migration.md

@@ -0,0 +1,53 @@
+---
+date: "2024-09-11T09:30:00+08:00"
+slug: "migration"
+sidebar_position: 45
+---
+
+# Migration
+
+You can migrate repositories from other Git services to your Gitea instance.
+
+## How to migrate from Gogs/GitHub/GitLab to Gitea
+
+To migrate from Gogs to Gitea:
+
+- [Gogs version 0.11.46.0418](https://github.com/go-gitea/gitea/issues/4286)
+
+To migrate from GitHub to Gitea, you can use Gitea's built-in migration form.
+
+In order to migrate items such as issues, pull requests, etc. you will need to input at least your username.
+
+[Example (requires login)](https://demo.gitea.com/repo/migrate)
+
+To migrate from GitLab to Gitea, you can use this non-affiliated tool:
+
+https://github.com/loganinak/MigrateGitlabToGogs
+
+## How to migrate from AWS CodeCommit to Gitea
+
+- To use the AWS CodeCommit API, Gitea requires an access key ID and a secret access key. For security reasons, we recommend creating a new user with the minimum necessary permissions and generating an access key ID and secret access key for the migration. The minimum permissions required for this user are as follows:
+  ```
+  {
+    "Version": "2012-10-17",
+    "Statement": [
+      {
+        "Effect": "Allow",
+        "Action": [
+          "codecommit:GetRepository",
+          "codecommit:GitPull",
+          "codecommit:ListPullRequests",
+          "codecommit:GetPullRequest",
+          "codecommit:GetCommentsForPullRequest"
+        ],
+        "Resource": [
+          "arn:aws:codecommit:<region>:<account>:<Repo-to-Migrate>
+      }
+    ]
+  }
+  ```
+  - If you do not need to migrate pull requests, you can remove the `ListPullRequests`, `GetPullRequest`, and `GetCommentsForPullRequest` actions.
+
+  - For instructions on how to create an IAM user and assign permissions, you can refer to this [AWS documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html).
+
+- To clone this repository, Gitea requires HTTPS Git credentials. You can create HTTPS Git credentials according to this [AWS documentation](https://docs.aws.amazon.com/codecommit/latest/userguide/setting-up-gc.html).

docs/usage/multi-factor-authentication.md

@@ -1,16 +1,7 @@
 ---
 date: "2023-08-22T14:21:00+08:00"
-title: "Multi-factor Authentication (MFA)"
 slug: "multi-factor-authentication"
 weight: 15
-toc: false
-draft: false
-menu:
-  sidebar:
-    parent: "usage"
-    name: "Multi-factor Authentication (MFA)"
-    weight: 15
-    identifier: "multi-factor-authentication"
 ---
 
 # Multi-factor Authentication (MFA)
@@ -28,8 +19,10 @@ This interface does not support MFA, and trying to use a password normally will
 If SSH is not an option for Git operations, an access token can be generated within the "Applications" tab of the user settings page.
 This access token can be used as if it were a password in order to allow the Git CLI to function over HTTP.
 
-> **Warning** - By its very nature, an access token sidesteps the security benefits of MFA.
-> It must be kept secure and should only be used as a last resort.
+:::warning
+By its very nature, an access token sidesteps the security benefits of MFA.
+It must be kept secure and should only be used as a last resort.
+:::
 
 The Gitea API supports providing the relevant TOTP password in the `X-Gitea-OTP` header, as described in [API Usage](development/api-usage.md).
 This should be used instead of an access token where possible.

docs/usage/packages/alpine.md

@@ -1,15 +1,7 @@
 ---
 date: "2023-03-25T00:00:00+00:00"
-title: "Alpine Package Registry"
 slug: "alpine"
-draft: false
-toc: false
-menu:
-  sidebar:
-    parent: "packages"
-    name: "Alpine"
-    sidebar_position: 4
-    identifier: "alpine"
+sidebar_position: 4
 ---
 
 # Alpine Package Registry

docs/usage/packages/arch.md

@@ -0,0 +1,132 @@
+---
+date: "2023-05-15T00:00:00+00:00"
+slug: "arch"
+sidebar_position: 5
+---
+
+# Arch package registry
+
+Publish [Arch](https://archlinux.org/packages/) packages for your user or organization. The registry can act as a fully working [Arch linux mirror](https://wiki.archlinux.org/title/mirrors) connected directly in `/etc/pacman.conf`.
+
+## Requirements
+
+To work with the Arch registry, you need to use a HTTP client like `curl` to upload and a package manager like `pacman` to consume packages.
+
+The following examples use `pacman`.
+
+## Configuring the package registry
+
+Before you can use the package registry, you need to download the package verification key and add the registry to the pacman config.
+
+Download the package verification key.
+```sh
+wget https://gitea.example.com/api/packages/{owner}/arch/repository.key
+```
+
+Display the id the key (the long line with hex characters).
+```sh
+gpg --show-keys repository.key
+```
+
+Add the key to pacman and sign it (use the key id from the previous step).
+```sh
+pacman-key --add repository.key
+pacman-key --lsign-key {key id}
+```
+
+Now add the registry configuration to `/etc/pacman.conf`.
+```conf
+[{owner}.gitea.example.com]
+SigLevel = Required
+Server = https://gitea.example.com/api/packages/{owner}/arch/{repository}/{architecture}
+```
+
+| Placeholder    | Description |
+| -------------- | ----------- |
+| `owner`        | The owner of the packages. |
+| `repository`   | The repository to use. |
+| `architecture` | The architecture to use. |
+
+Consult the owners package overview to see what `repository` and `architecture` is available.
+
+If the registry is private, provide credentials in the url. You can use a password or a [personal access token](development/api-usage.md#authentication):
+
+```
+Server = https://{username}:{your_password_or_token}@gitea.example.com/api/packages/{owner}/arch/{repository}/{architecture}
+```
+
+## Publish a package
+
+To publish an Arch package, perform a HTTP `PUT` operation with the package content in the request body.
+
+```
+PUT https://gitea.example.com/api/packages/{owner}/arch/{repository}
+```
+
+| Parameter    | Description |
+| ------------ | ----------- |
+| `owner`      | The owner of the package. |
+| `repository` | The repository can be used to group packages or just `core` or similar. |
+
+Example request using HTTP Basic authentication:
+
+```shell
+curl --user your_username:your_password_or_token \
+     --upload-file path/to/file.pkg.tar.zst \
+     https://gitea.example.com/api/packages/testuser/arch/core
+```
+
+If you are using 2FA or OAuth use a [personal access token](development/api-usage.md#authentication) instead of the password.
+
+You cannot publish a file with the same name twice to a package. You must delete the existing package file first.
+
+The server responds with the following HTTP Status codes.
+
+| HTTP Status Code  | Meaning |
+| ----------------- | ------- |
+| `201 Created`     | The package has been published. |
+| `400 Bad Request` | Something of the package is invalid. The error message contains more information. |
+| `409 Conflict`    | A package file with the same combination of parameters exist already in the package. |
+
+## Install packages
+
+To install a package run the pacman sync command:
+
+```sh
+pacman -Sy {package_name}
+```
+
+| Parameter      | Description |
+| -------------- | ----------- |
+| `package_name` | The package name. |
+
+## Delete a package
+
+To delete an Arch package perform a HTTP `DELETE` operation. This will delete the package version too if there is no file left.
+
+```
+DELETE https://gitea.example.com/api/packages/{owner}/arch/{repository}/{package_name}/{package_version}/{architecture}
+```
+
+| Parameter         | Description |
+| ----------------- | ----------- |
+| `owner`           | The owner of the package. |
+| `repository`      | The repository to use. |
+| `architecture`    | The package architecture. |
+| `package_name`    | The package name. |
+| `package_version` | The package version. |
+
+
+Example request using HTTP Basic authentication:
+
+```shell
+curl --user your_username:your_token_or_password -X DELETE \
+     https://gitea.example.com/api/packages/testuser/arch/core/test-package/1.0.0/x86-64
+```
+
+The server responds with the following HTTP Status codes.
+
+| HTTP Status Code  | Meaning |
+| ----------------- | ------- |
+| `204 No Content`  | Success |
+| `404 Not Found`   | The package or file was not found. |

docs/usage/packages/cargo.md

@@ -1,16 +1,7 @@
 ---
 date: "2022-11-20T00:00:00+00:00"
-title: "Cargo Package Registry"
 slug: "cargo"
 sidebar_position: 5
-draft: false
-toc: false
-menu:
-  sidebar:
-    parent: "packages"
-    name: "Cargo"
-    sidebar_position: 5
-    identifier: "cargo"
 ---
 
 # Cargo Package Registry

docs/usage/packages/chef.md

@@ -0,0 +1,84 @@
+---
+date: "2023-01-20T00:00:00+00:00"
+slug: "chef"
+sidebar_position: 10
+---
+
+# Chef Package Registry
+
+Publish [Chef](https://chef.io/) cookbooks for your user or organization.
+
+## Requirements
+
+To work with the Chef package registry, you have to use [`knife`](https://docs.chef.io/workstation/knife/).
+
+## Authentication
+
+The Chef package registry does not use an username:password authentication but signed requests with a private:public key pair.
+Visit the package owner settings page to create the necessary key pair.
+Only the public key is stored inside Gitea. if you loose access to the private key you must re-generate the key pair.
+[Configure `knife`](https://docs.chef.io/workstation/knife_setup/) to use the downloaded private key with your Gitea username as `client_name`.
+
+## Configure the package registry
+
+To [configure `knife`](https://docs.chef.io/workstation/knife_setup/) to use the Gitea package registry add the url to the `~/.chef/config.rb` file.
+
+```
+knife[:supermarket_site] = 'https://gitea.example.com/api/packages/{owner}/chef'
+```
+
+| Parameter | Description |
+| --------- | ----------- |
+| `owner`   | The owner of the package. |
+
+## Publish a package
+
+To publish a Chef package execute the following command:
+
+```shell
+knife supermarket share {package_name}
+```
+
+| Parameter      | Description |
+| -------------- | ----------- |
+| `package_name` | The package name. |
+
+You cannot publish a package if a package of the same name and version already exists. You must delete the existing package first.
+
+## Install a package
+
+To install a package from the package registry, execute the following command:
+
+```shell
+knife supermarket install {package_name}
+```
+
+Optional you can specify the package version:
+
+```shell
+knife supermarket install {package_name} {package_version}
+```
+
+| Parameter         | Description |
+| ----------------- | ----------- |
+| `package_name`    | The package name. |
+| `package_version` | The package version. |
+
+## Delete a package
+
+If you want to remove a package from the registry, execute the following command:
+
+```shell
+knife supermarket unshare {package_name}
+```
+
+Optional you can specify the package version:
+
+```shell
+knife supermarket unshare {package_name}/versions/{package_version}
+```
+
+| Parameter         | Description |
+| ----------------- | ----------- |
+| `package_name`    | The package name. |
+| `package_version` | The package version. |