Changelog 1.15.5 (#17392 )

* SECURITY * Upgrade Bluemonday to v1.0.16 (#17372) (#17374) * Ensure correct SSH permissions check for private and restricted users (#17370) (#17373) * BUGFIXES * Prevent NPE in CSV diff rendering when column removed (#17018) (#17377) * Offer rsa-sha2-512 and rsa-sha2-256 algorithms in internal SSH (#17281) (#17376) * Don't panic if we fail to parse U2FRegistration data (#17304) (#17371) * Ensure popup text is aligned left (backport for 1.15) (#17343) * Ensure that git daemon export ok is created for mirrors (#17243) (#17306) * Disable core.protectNTFS (#17300) (#17302) * Use pointer for wrappedConn methods (#17295) (#17296) * AutoRegistration is supposed to be working with disabled registration (backport) (#17292) * Handle duplicate keys on GPG key ring (#17242) (#17284) * Fix SVG side by side comparison link (#17375) (#17391) Signed-off-by: Andrew Thornton <art27@cantab.net>
Fix SVG side by side comparison link (#17375 ) (#17391 )
2025-07-21 17:41:16 +02:00 · 2021-10-21 23:50:22 +02:00 · 2021-10-21 20:38:29 +01:00 · 2021-10-21 16:37:49 +08:00 · 2021-10-21 09:00:41 +01:00 · 2021-10-20 16:57:19 -04:00
7892 changed files with 1165158 additions and 359855 deletions
--- a/.air.conf
+++ b/.air.conf
@@ -0,0 +1,9 @@
+root = "."
+tmp_dir = ".air"
+
+[build]
+cmd = "make backend"
+bin = "gitea"
+include_ext = ["go", "tmpl"]
+exclude_dir = ["modules/git/tests", "services/gitdiff/testdata", "modules/avatar/testdata"]
+include_dir = ["cmd", "models", "modules", "options", "routers", "services", "templates"]
--- a/.changelog.yml
+++ b/.changelog.yml
@@ -14,24 +14,28 @@ groups:
    name: BREAKING
    labels:
      - kind/breaking
-  -
-    name: FEATURES
-    labels:
-      - kind/feature
  -
    name: SECURITY
    labels:
      - kind/security
  -
-    name: BUGFIXES
+    name: FEATURES
    labels:
-      - kind/bug
+      - kind/feature
+  -
+    name: API
+    labels:
+      - kind/api
  -
    name: ENHANCEMENTS
    labels:
      - kind/enhancement
      - kind/refactor
      - kind/ui
+  -
+    name: BUGFIXES
+    labels:
+      - kind/bug
  -
    name: TESTING
    labels:
--- a/.drone.yml
+++ b/.drone.yml
--- a/.editorconfig
+++ b/.editorconfig
@@ -1,25 +1,31 @@
 root = true

 [*]
-charset = utf-8
-insert_final_newline = true
-trim_trailing_whitespace = true
+indent_style = space
+indent_size = 2
+tab_width = 2
 end_of_line = lf
-
-[*.md]
-trim_trailing_whitespace = false
+charset = utf-8
+trim_trailing_whitespace = true
+insert_final_newline = true

 [*.{go,tmpl,html}]
 indent_style = tab
-indent_size = 4

-[*.{less,css}]
-indent_style = space
-indent_size = 4
+[templates/custom/*.tmpl]
+insert_final_newline = false

-[*.{js,json,yml}]
+[templates/swagger/v1_json.tmpl]
+indent_style = space
+
+[templates/user/auth/oidc_wellknown.tmpl]
 indent_style = space
-indent_size = 2

 [Makefile]
 indent_style = tab
+
+[*.svg]
+insert_final_newline = false
+
+[*.md]
+trim_trailing_whitespace = false
--- a/.eslintrc
+++ b/.eslintrc
@@ -1,19 +1,27 @@
 root: true
-
-extends:
-  - eslint-config-airbnb-base
-  - eslint:recommended
+reportUnusedDisableDirectives: true

 ignorePatterns:
  - /web_src/js/vendor
+  - /templates/base/head.tmpl
+  - /templates/repo/activity.tmpl
+  - /templates/repo/view_file.tmpl

 parserOptions:
-  ecmaVersion: 2020
+  sourceType: module
+  ecmaVersion: 2021
+
+plugins:
+  - eslint-plugin-unicorn
+  - eslint-plugin-import
+  - eslint-plugin-vue
+  - eslint-plugin-html
+
+extends:
+  - plugin:vue/recommended

 env:
-  browser: true
-  es6: true
-  jquery: true
+  es2021: true
  node: true

 globals:
@@ -22,51 +30,410 @@ globals:
  Dropzone: false
  SimpleMDE: false
  u2fApi: false
-  Tribute: false
+
+settings:
+  html/html-extensions: [".tmpl"]

 overrides:
-  - files: ["web_src/**/*.worker.js"]
+  - files: ["web_src/**/*.js", "web_src/**/*.vue", "templates/**/*.tmpl"]
+    env:
+      browser: true
+      jquery: true
+      node: false
+  - files: ["templates/**/*.tmpl"]
+    rules:
+      no-tabs: [0]
+      indent: [2, tab, {SwitchCase: 1}]
+  - files: ["web_src/**/*worker.js"]
    env:
      worker: true
    rules:
-      no-restricted-globals: [0]
+      no-restricted-globals: [2, addEventListener, blur, close, closed, confirm, defaultStatus, defaultstatus, error, event, external, find, focus, frameElement, frames, history, innerHeight, innerWidth, isFinite, isNaN, length, location, locationbar, menubar, moveBy, moveTo, name, onblur, onerror, onfocus, onload, onresize, onunload, open, opener, opera, outerHeight, outerWidth, pageXOffset, pageYOffset, parent, print, removeEventListener, resizeBy, resizeTo, screen, screenLeft, screenTop, screenX, screenY, scroll, scrollbars, scrollBy, scrollTo, scrollX, scrollY, status, statusbar, stop, toolbar, top]
+  - files: ["build/generate-images.js"]
+    rules:
+      import/no-unresolved: [0]
+      import/no-extraneous-dependencies: [0]
+  - files: ["*.test.js"]
+    env:
+      jest: true
+  - files: ["*.config.js"]
+    rules:
+      import/no-unused-modules: [0]

 rules:
+  accessor-pairs: [2]
+  array-bracket-newline: [0]
+  array-bracket-spacing: [2, never]
+  array-callback-return: [0]
+  array-element-newline: [0]
  arrow-body-style: [0]
  arrow-parens: [2, always]
+  arrow-spacing: [2, {before: true, after: true}]
+  block-scoped-var: [2]
+  brace-style: [2, 1tbs, {allowSingleLine: true}]
  camelcase: [0]
+  capitalized-comments: [0]
+  class-methods-use-this: [0]
  comma-dangle: [2, only-multiline]
+  comma-spacing: [2, {before: false, after: true}]
+  comma-style: [2, last]
+  complexity: [0]
+  computed-property-spacing: [2, never]
  consistent-return: [0]
+  consistent-this: [0]
+  constructor-super: [2]
+  curly: [0]
+  default-case-last: [2]
  default-case: [0]
+  default-param-last: [0]
+  dot-location: [2, property]
+  dot-notation: [0]
+  eol-last: [2]
+  eqeqeq: [2]
+  for-direction: [2]
+  func-call-spacing: [2, never]
+  func-name-matching: [2]
  func-names: [0]
+  func-style: [0]
+  function-call-argument-newline: [0]
+  function-paren-newline: [0]
+  generator-star-spacing: [0]
+  getter-return: [2]
+  grouped-accessor-pairs: [2]
+  guard-for-in: [0]
+  id-blacklist: [0]
+  id-length: [0]
+  id-match: [0]
+  implicit-arrow-linebreak: [0]
+  import/default: [0]
+  import/dynamic-import-chunkname: [0]
+  import/export: [2]
+  import/exports-last: [0]
  import/extensions: [2, always, {ignorePackages: true}]
+  import/first: [2]
+  import/group-exports: [0]
+  import/max-dependencies: [0]
+  import/named: [2]
+  import/namespace: [0]
+  import/newline-after-import: [0]
+  import/no-absolute-path: [0]
+  import/no-amd: [0]
+  import/no-anonymous-default-export: [0]
+  import/no-commonjs: [0]
+  import/no-cycle: [2, {ignoreExternal: true}]
+  import/no-default-export: [0]
+  import/no-deprecated: [0]
+  import/no-dynamic-require: [0]
+  import/no-extraneous-dependencies: [2]
+  import/no-internal-modules: [0]
+  import/no-mutable-exports: [2]
+  import/no-named-as-default-member: [0]
+  import/no-named-as-default: [2]
+  import/no-named-default: [0]
+  import/no-named-export: [0]
+  import/no-namespace: [0]
+  import/no-nodejs-modules: [0]
+  import/no-relative-parent-imports: [0]
+  import/no-restricted-paths: [0]
+  import/no-self-import: [2]
+  import/no-unassigned-import: [0]
+  import/no-unresolved: [2, {commonjs: true}]
+  import/no-unused-modules: [2, {unusedExports: true}]
+  import/no-useless-path-segments: [2, {commonjs: true}]
+  import/no-webpack-loader-syntax: [2]
+  import/order: [0]
  import/prefer-default-export: [0]
+  import/unambiguous: [0]
+  indent: [2, 2, {SwitchCase: 1}]
+  init-declarations: [0]
+  key-spacing: [2]
+  keyword-spacing: [2]
+  line-comment-position: [0]
+  linebreak-style: [2, unix]
+  lines-around-comment: [0]
+  lines-between-class-members: [0]
+  max-classes-per-file: [0]
+  max-depth: [0]
  max-len: [0]
+  max-lines-per-function: [0]
+  max-lines: [0]
+  max-nested-callbacks: [0]
+  max-params: [0]
+  max-statements-per-line: [0]
+  max-statements: [0]
  multiline-comment-style: [2, separate-lines]
+  multiline-ternary: [0]
+  new-cap: [0]
+  new-parens: [2]
  newline-per-chained-call: [0]
  no-alert: [0]
+  no-array-constructor: [2]
+  no-async-promise-executor: [2]
+  no-await-in-loop: [0]
+  no-bitwise: [0]
+  no-buffer-constructor: [0]
+  no-caller: [2]
+  no-case-declarations: [2]
+  no-class-assign: [2]
+  no-compare-neg-zero: [2]
  no-cond-assign: [2, except-parens]
+  no-confusing-arrow: [0]
  no-console: [1, {allow: [info, warn, error]}]
+  no-const-assign: [2]
+  no-constant-condition: [0]
+  no-constructor-return: [2]
  no-continue: [0]
+  no-control-regex: [0]
+  no-debugger: [1]
+  no-delete-var: [2]
+  no-div-regex: [0]
+  no-dupe-args: [2]
+  no-dupe-class-members: [2]
+  no-dupe-else-if: [2]
+  no-dupe-keys: [2]
+  no-duplicate-case: [2]
+  no-duplicate-imports: [2]
+  no-else-return: [2]
+  no-empty-character-class: [2]
+  no-empty-function: [0]
+  no-empty-pattern: [2]
+  no-empty: [2, {allowEmptyCatch: true}]
  no-eq-null: [2]
+  no-eval: [2]
+  no-ex-assign: [2]
+  no-extend-native: [2]
+  no-extra-bind: [2]
+  no-extra-boolean-cast: [2]
+  no-extra-label: [0]
+  no-extra-parens: [0]
+  no-extra-semi: [2]
+  no-fallthrough: [2]
+  no-floating-decimal: [0]
+  no-func-assign: [2]
+  no-global-assign: [2]
+  no-implicit-coercion: [0]
+  no-implicit-globals: [0]
+  no-implied-eval: [2]
+  no-import-assign: [2]
+  no-inline-comments: [0]
+  no-inner-declarations: [2]
+  no-invalid-regexp: [2]
+  no-invalid-this: [0]
+  no-irregular-whitespace: [2]
+  no-iterator: [2]
+  no-label-var: [2]
+  no-labels: [2]
+  no-lone-blocks: [2]
+  no-lonely-if: [0]
+  no-loop-func: [0]
+  no-loss-of-precision: [2]
+  no-magic-numbers: [0]
+  no-misleading-character-class: [2]
  no-mixed-operators: [0]
+  no-mixed-spaces-and-tabs: [2]
  no-multi-assign: [0]
+  no-multi-spaces: [2, {ignoreEOLComments: true, exceptions: {Property: true}}]
+  no-multi-str: [2]
+  no-negated-condition: [0]
+  no-nested-ternary: [0]
+  no-new-func: [2]
+  no-new-object: [2]
+  no-new-symbol: [2]
+  no-new-wrappers: [2]
  no-new: [0]
+  no-nonoctal-decimal-escape: [2]
+  no-obj-calls: [2]
+  no-octal-escape: [2]
+  no-octal: [2]
  no-param-reassign: [0]
  no-plusplus: [0]
-  no-restricted-syntax: [0]
+  no-promise-executor-return: [0]
+  no-proto: [2]
+  no-prototype-builtins: [2]
+  no-redeclare: [2]
+  no-regex-spaces: [2]
+  no-restricted-exports: [0]
+  no-restricted-globals: [2, addEventListener, blur, close, closed, confirm, defaultStatus, defaultstatus, error, event, external, find, focus, frameElement, frames, history, innerHeight, innerWidth, isFinite, isNaN, length, location, locationbar, menubar, moveBy, moveTo, name, onblur, onerror, onfocus, onload, onresize, onunload, open, opener, opera, outerHeight, outerWidth, pageXOffset, pageYOffset, parent, print, removeEventListener, resizeBy, resizeTo, screen, screenLeft, screenTop, screenX, screenY, scroll, scrollbars, scrollBy, scrollTo, scrollX, scrollY, self, status, statusbar, stop, toolbar, top]
+  no-restricted-imports: [0]
+  no-restricted-syntax: [2, WithStatement, ForInStatement, LabeledStatement]
+  no-return-assign: [0]
  no-return-await: [0]
+  no-script-url: [2]
+  no-self-assign: [2, {props: true}]
+  no-self-compare: [2]
+  no-sequences: [2]
+  no-setter-return: [2]
+  no-shadow-restricted-names: [2]
  no-shadow: [0]
-  no-unused-vars: [2, {args: all, argsIgnorePattern: ^_, varsIgnorePattern: ^_, ignoreRestSiblings: true}]
-  no-use-before-define: [0]
+  no-sparse-arrays: [2]
+  no-tabs: [2]
+  no-template-curly-in-string: [2]
+  no-ternary: [0]
+  no-this-before-super: [2]
+  no-throw-literal: [2]
+  no-trailing-spaces: [2]
+  no-undef-init: [2]
+  no-undef: [2, {typeof: true}]
+  no-undefined: [0]
+  no-underscore-dangle: [0]
+  no-unexpected-multiline: [2]
+  no-unmodified-loop-condition: [2]
+  no-unneeded-ternary: [0]
+  no-unreachable-loop: [2]
+  no-unreachable: [2]
+  no-unsafe-finally: [2]
+  no-unsafe-negation: [2]
+  no-unused-expressions: [2]
+  no-unused-labels: [2]
+  no-unused-vars: [2, {args: all, argsIgnorePattern: ^_, varsIgnorePattern: ^_, caughtErrorsIgnorePattern: ^_, ignoreRestSiblings: false}]
+  no-use-before-define: [2, nofunc]
+  no-useless-backreference: [0]
+  no-useless-call: [2]
+  no-useless-catch: [2]
+  no-useless-computed-key: [2]
+  no-useless-concat: [2]
+  no-useless-constructor: [2]
+  no-useless-escape: [2]
+  no-useless-rename: [2]
+  no-useless-return: [2]
  no-var: [2]
+  no-void: [2]
+  no-warning-comments: [0]
+  no-whitespace-before-property: [2]
+  no-with: [2]
+  nonblock-statement-body-position: [2]
  object-curly-newline: [0]
  object-curly-spacing: [2, never]
+  object-shorthand: [2, always]
  one-var-declaration-per-line: [0]
  one-var: [0]
+  operator-assignment: [2, always]
  operator-linebreak: [2, after]
+  padded-blocks: [2, never]
+  padding-line-between-statements: [0]
+  prefer-arrow-callback: [2, {allowNamedFunctions: true, allowUnboundThis: true}]
  prefer-const: [2, {destructuring: all}]
  prefer-destructuring: [0]
+  prefer-exponentiation-operator: [2]
+  prefer-named-capture-group: [0]
+  prefer-numeric-literals: [2]
+  prefer-object-spread: [0]
+  prefer-promise-reject-errors: [2, {allowEmptyReject: false}]
+  prefer-regex-literals: [2]
+  prefer-rest-params: [2]
+  prefer-spread: [2]
+  prefer-template: [2]
+  quote-props: [0]
  quotes: [2, single, {avoidEscape: true, allowTemplateLiterals: true}]
  radix: [2, as-needed]
+  require-atomic-updates: [0]
+  require-await: [0]
+  require-unicode-regexp: [0]
+  require-yield: [2]
+  rest-spread-spacing: [2, never]
+  semi-spacing: [2, {before: false, after: true}]
+  semi-style: [2, last]
  semi: [2, always, {omitLastInOneLineBlock: true}]
+  sort-imports: [0]
+  sort-keys: [0]
+  sort-vars: [0]
+  space-before-blocks: [2, always]
+  space-in-parens: [2, never]
+  space-infix-ops: [2]
+  space-unary-ops: [2]
+  spaced-comment: [2, always]
+  strict: [0]
+  switch-colon-spacing: [2]
+  symbol-description: [2]
+  template-curly-spacing: [2, never]
+  template-tag-spacing: [2, never]
+  unicode-bom: [2, never]
+  unicorn/better-regex: [0]
+  unicorn/catch-error-name: [0]
+  unicorn/consistent-destructuring: [2]
+  unicorn/consistent-function-scoping: [2]
+  unicorn/custom-error-definition: [0]
+  unicorn/empty-brace-spaces: [2]
+  unicorn/error-message: [0]
+  unicorn/escape-case: [0]
+  unicorn/expiring-todo-comments: [0]
+  unicorn/explicit-length-check: [0]
+  unicorn/filename-case: [0]
+  unicorn/import-index: [0]
+  unicorn/import-style: [0]
+  unicorn/new-for-builtins: [2]
+  unicorn/no-abusive-eslint-disable: [0]
+  unicorn/no-array-for-each: [0]
+  unicorn/no-array-instanceof: [0]
+  unicorn/no-array-push-push: [2]
+  unicorn/no-console-spaces: [0]
+  unicorn/no-document-cookie: [2]
+  unicorn/no-fn-reference-in-iterator: [0]
+  unicorn/no-for-loop: [0]
+  unicorn/no-hex-escape: [0]
+  unicorn/no-keyword-prefix: [0]
+  unicorn/no-lonely-if: [2]
+  unicorn/no-nested-ternary: [0]
+  unicorn/no-new-array: [0]
+  unicorn/no-new-buffer: [0]
+  unicorn/no-null: [0]
+  unicorn/no-object-as-default-parameter: [2]
+  unicorn/no-process-exit: [0]
+  unicorn/no-reduce: [2]
+  unicorn/no-static-only-class: [2]
+  unicorn/no-this-assignment: [2]
+  unicorn/no-unreadable-array-destructuring: [0]
+  unicorn/no-unsafe-regex: [0]
+  unicorn/no-unused-properties: [2]
+  unicorn/no-useless-undefined: [0]
+  unicorn/no-zero-fractions: [2]
+  unicorn/number-literal-case: [0]
+  unicorn/numeric-separators-style: [0]
+  unicorn/prefer-add-event-listener: [2]
+  unicorn/prefer-array-find: [2]
+  unicorn/prefer-array-flat-map: [2]
+  unicorn/prefer-array-flat: [2]
+  unicorn/prefer-array-index-of: [2]
+  unicorn/prefer-array-some: [2]
+  unicorn/prefer-dataset: [2]
+  unicorn/prefer-date-now: [2]
+  unicorn/prefer-default-parameters: [0]
+  unicorn/prefer-event-key: [2]
+  unicorn/prefer-includes: [2]
+  unicorn/prefer-math-trunc: [2]
+  unicorn/prefer-modern-dom-apis: [0]
+  unicorn/prefer-module: [2]
+  unicorn/prefer-negative-index: [2]
+  unicorn/prefer-node-append: [0]
+  unicorn/prefer-node-protocol: [0]
+  unicorn/prefer-node-remove: [0]
+  unicorn/prefer-number-properties: [0]
+  unicorn/prefer-optional-catch-binding: [2]
+  unicorn/prefer-query-selector: [0]
+  unicorn/prefer-reflect-apply: [0]
+  unicorn/prefer-regexp-test: [2]
+  unicorn/prefer-replace-all: [0]
+  unicorn/prefer-set-has: [0]
+  unicorn/prefer-spread: [0]
+  unicorn/prefer-starts-ends-with: [2]
+  unicorn/prefer-string-slice: [0]
+  unicorn/prefer-switch: [0]
+  unicorn/prefer-ternary: [0]
+  unicorn/prefer-text-content: [2]
+  unicorn/prefer-trim-start-end: [2]
+  unicorn/prefer-type-error: [0]
+  unicorn/prevent-abbreviations: [0]
+  unicorn/string-content: [0]
+  unicorn/throw-new-error: [2]
+  use-isnan: [2]
+  valid-typeof: [2, {requireStringLiterals: true}]
+  vars-on-top: [0]
+  vue/attributes-order: [0]
+  vue/component-definition-name-casing: [0]
+  vue/html-closing-bracket-spacing: [0]
+  vue/max-attributes-per-line: [0]
+  vue/one-component-per-file: [0]
+  wrap-iife: [2, inside]
+  wrap-regex: [0]
+  yield-star-spacing: [2, after]
+  yoda: [2, never]
--- a/.gitattributes
+++ b/.gitattributes
@@ -1,10 +1,6 @@
 * text=auto eol=lf
-/vendor/** -text -eol
-/public/vendor/** -text -eol
-
-conf/* linguist-vendored
-docker/* linguist-vendored
-options/* linguist-vendored
-public/* linguist-vendored
-build/* linguist-vendored
-templates/* linguist-vendored
+/vendor/** -text -eol linguist-vendored
+/public/vendor/** -text -eol linguist-vendored
+/templates/**/*.tmpl linguist-language=Handlebars
+/.eslintrc linguist-language=YAML
+/.stylelintrc linguist-language=YAML
--- a/.github/FUNDING.yml
+++ b/.github/FUNDING.yml
@@ -1 +1,2 @@
 open_collective: gitea
+custom: https://www.bountysource.com/teams/gitea
--- a/.github/issue_template.md
+++ b/.github/issue_template.md
@@ -2,16 +2,20 @@

 <!--
    1. Please speak English, this is the language all maintainers can speak and write.
-    2. Please ask questions or configuration/deploy problems on our Discord 
+    2. Please ask questions or configuration/deploy problems on our Discord
       server (https://discord.gg/gitea) or forum (https://discourse.gitea.io).
    3. Please take a moment to check that your issue doesn't already exist.
-    4. Please give all relevant information below for bug reports, because 
+    4. Make sure it's not mentioned in the FAQ (https://docs.gitea.io/en-us/faq)
+    5. Please give all relevant information below for bug reports, because
       incomplete details will be handled as an invalid report.
 -->

 - Gitea version (or commit ref):
 - Git version:
 - Operating system:
+  <!-- Please include information on whether you built gitea yourself, used one of our downloads or are using some other package -->
+  <!-- Please also tell us how you are running gitea, e.g. if it is being run from docker, a command-line, systemd etc. --->
+  <!-- If you are using a package or systemd tell us what distribution you are using -->
 - Database (use `[x]`):
  - [ ] PostgreSQL
  - [ ] MySQL
@@ -20,10 +24,15 @@
 - Can you reproduce the bug at https://try.gitea.io:
  - [ ] Yes (provide example URL)
  - [ ] No
-  - [ ] Not relevant
 - Log gist:
+<!-- It really is important to provide pertinent logs -->
+<!-- Please read https://docs.gitea.io/en-us/logging-configuration/#debugging-problems -->
+<!-- In addition, if your problem relates to git commands set `RUN_MODE=dev` at the top of app.ini -->

 ## Description
+<!-- If using a proxy or a CDN (e.g. CloudFlare) in front of gitea, please
+     disable the proxy/CDN fully and connect to gitea directly to confirm
+     the issue still persists without those services. -->

 ...

--- a/.github/lock.yml
+++ b/.github/lock.yml
@@ -0,0 +1,23 @@
+# Configuration for Lock Threads - https://github.com/dessant/lock-threads-app
+
+# Number of days of inactivity before a closed issue or pull request is locked
+daysUntilLock: 60
+
+# Skip issues and pull requests created before a given timestamp. Timestamp must
+# follow ISO 8601 (`YYYY-MM-DD`). `false` is disabled
+skipCreatedBefore: false
+
+# Issues and pull requests with these labels will be ignored.
+exemptLabels: []
+
+# Label to add before locking, such as `outdated`. `false` is disabled
+lockLabel: false
+
+# Comment to post before locking.
+lockComment: >
+  This thread has been automatically locked since there has not been
+  any recent activity after it was closed. Please open a new issue for
+  related bugs and link to relevant comments in this thread.
+
+# Assign `resolved` as the reason for locking. Set to `false` to disable
+setLockReason: true
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@@ -1,6 +1,6 @@
 Please check the following:

-1. Make sure you are targeting the `master` branch, pull requests on release branches are only allowed for bug fixes.
+1. Make sure you are targeting the `main` branch, pull requests on release branches are only allowed for bug fixes.
 2. Read contributing guidelines: https://github.com/go-gitea/gitea/blob/master/CONTRIBUTING.md
 3. Describe what your pull request does and which issue you're targeting (if any)

--- a/.gitignore
+++ b/.gitignore
@@ -32,6 +32,7 @@ _testmain.go

 *coverage.out
 coverage.all
+cpu.out

 /modules/options/bindata.go
 /modules/options/bindata.go.hash
@@ -53,7 +54,7 @@ coverage.all
 /custom/*
 !/custom/conf
 /custom/conf/*
-!/custom/conf/app.ini.sample
+!/custom/conf/app.example.ini
 /data
 /indexers
 /log
@@ -75,12 +76,27 @@ coverage.all
 /integrations/mssql.ini
 /node_modules
 /yarn.lock
+/yarn-error.log
+/npm-debug.log*
 /public/js
+/public/serviceworker.js
 /public/css
 /public/fonts
-/public/fomantic
-/public/img/svg
+/public/img/webpack
+/web_src/fomantic/node_modules
+/web_src/fomantic/build/*
+!/web_src/fomantic/build/semantic.js
+!/web_src/fomantic/build/semantic.css
+!/web_src/fomantic/build/themes
+/web_src/fomantic/build/themes/*
+!/web_src/fomantic/build/themes/default
+/web_src/fomantic/build/themes/default/assets/*
+!/web_src/fomantic/build/themes/default/assets/fonts
+/web_src/fomantic/build/themes/default/assets/fonts/*
+!/web_src/fomantic/build/themes/default/assets/fonts/icons.woff2
+!/web_src/fomantic/build/themes/default/assets/fonts/outline-icons.woff2
 /VERSION
+/.air

 # Snapcraft
 snap/.snapcraft/
@@ -94,3 +110,6 @@ prime/

 # Make evidence files
 /.make_evidence
+
+# Manpage
+/man
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -26,7 +26,7 @@ linters-settings:
  gocritic:
    disabled-checks:
      - ifElseChain
-      - singleCaseSwitch # Every time this occured in the code, there  was no other way.
+      - singleCaseSwitch # Every time this occurred in the code, there  was no other way.

 issues:
  exclude-rules:
@@ -70,9 +70,6 @@ issues:
    - path: modules/log/
      linters:
        - errcheck
-    - path: routers/routes/routes.go
-      linters:
-        - dupl
    - path: routers/api/v1/repo/issue_subscription.go
      linters:
        - dupl
@@ -98,3 +95,20 @@ issues:
    - path: models/update.go
      linters:
        - unused
+    - path: cmd/dump.go
+      linters:
+        - dupl
+    - path: services/webhook/webhook.go
+      linters:
+        - structcheck
+    - text: "commentFormatting: put a space between `//` and comment text"
+      linters:
+        - gocritic
+    - text: "exitAfterDefer:"
+      linters:
+        - gocritic
+    - path: modules/graceful/manager_windows.go
+      linters:
+        - staticcheck
+      text: "svc.IsAnInteractiveSession is deprecated: Use IsWindowsService instead."
+
--- a/.ignore
+++ b/.ignore
@@ -1,6 +1,5 @@
 /vendor
 /public/vendor/plugins
-/public/vendor/assets
 /modules/options/bindata.go
 /modules/public/bindata.go
 /modules/templates/bindata.go
--- a/.npmrc
+++ b/.npmrc
@@ -1,2 +1,5 @@
+audit=false
+fund=false
+update-notifier=false
 package-lock=true
 save-exact=true
--- a/.stylelintrc
+++ b/.stylelintrc
@@ -1,16 +1,15 @@
 extends: stylelint-config-standard

-ignoreFiles:
-  - web_src/less/vendor/**/*
-
 rules:
  at-rule-empty-line-before: null
  block-closing-brace-empty-line-before: null
  color-hex-length: null
  comment-empty-line-before: null
+  declaration-block-single-line-max-declarations: null
  declaration-empty-line-before: null
-  indentation: 4
+  indentation: 2
  no-descending-specificity: null
  number-leading-zero: never
  rule-empty-line-before: null
-  selector-pseudo-element-colon-notation: null
+  selector-pseudo-element-colon-notation: double
+  shorthand-property-no-redundant-values: true
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -3,12 +3,14 @@
 ## Table of Contents

 - [Contribution Guidelines](#contribution-guidelines)
+  - [Table of Contents](#table-of-contents)
  - [Introduction](#introduction)
  - [Bug reports](#bug-reports)
  - [Discuss your design](#discuss-your-design)
  - [Testing redux](#testing-redux)
  - [Vendoring](#vendoring)
  - [Translation](#translation)
+  - [Building Gitea](#building-gitea)
  - [Code review](#code-review)
  - [Styleguide](#styleguide)
  - [Design guideline](#design-guideline)
@@ -158,7 +160,7 @@ import (
 To maintain understandable code and avoid circular dependencies it is important to have a good structure of the code. The gitea code is divided into the following parts:

 - **integration:** Integrations tests
- **models:** Contains the data structures used by xorm to construct database tables. It also contains supporting functions to query and update the database. Dependecies to other code in Gitea should be avoided although some modules might be needed (for example for logging).
+- **models:** Contains the data structures used by xorm to construct database tables. It also contains supporting functions to query and update the database. Dependencies to other code in Gitea should be avoided although some modules might be needed (for example for logging).
 - **models/fixtures:** Sample model data used in integration tests.
 - **models/migrations:** Handling of database migrations between versions. PRs that changes a database structure shall also have a migration step.
 - **modules:** Different modules to handle specific functionality in Gitea.
@@ -181,16 +183,16 @@ The same applies to status responses. If you notice a problem, feel free to leav
 All expected results (errors, success, fail messages) should be documented
 ([example](https://github.com/go-gitea/gitea/blob/c620eb5b2d0d874da68ebd734d3864c5224f71f7/routers/api/v1/repo/issue.go#L319-L327)).

-All JSON input types must be defined as a struct in `models/structs/`
+All JSON input types must be defined as a struct in [modules/structs/](modules/structs/)
 ([example](https://github.com/go-gitea/gitea/blob/c620eb5b2d0d874da68ebd734d3864c5224f71f7/modules/structs/issue.go#L76-L91))
 and referenced in
 [routers/api/v1/swagger/options.go](https://github.com/go-gitea/gitea/blob/c620eb5b2d0d874da68ebd734d3864c5224f71f7/routers/api/v1/swagger/options.go).  
 They can then be used like the following:
 ([example](https://github.com/go-gitea/gitea/blob/c620eb5b2d0d874da68ebd734d3864c5224f71f7/routers/api/v1/repo/issue.go#L318)).

-All JSON responses must be defined as a struct in `models/structs/`
+All JSON responses must be defined as a struct in [modules/structs/](modules/structs/)
 ([example](https://github.com/go-gitea/gitea/blob/c620eb5b2d0d874da68ebd734d3864c5224f71f7/modules/structs/issue.go#L36-L68))
-and referenced in its category in `routers/api/v1/swagger/`
+and referenced in its category in [routers/api/v1/swagger/](routers/api/v1/swagger/)
 ([example](https://github.com/go-gitea/gitea/blob/c620eb5b2d0d874da68ebd734d3864c5224f71f7/routers/api/v1/swagger/issue.go#L11-L16))  
 They can be used like the following:
 ([example](https://github.com/go-gitea/gitea/blob/c620eb5b2d0d874da68ebd734d3864c5224f71f7/routers/api/v1/repo/issue.go#L277-L279))
@@ -199,7 +201,7 @@ In general, HTTP methods are chosen as follows:
 * **GET** endpoints return requested object and status **OK (200)**
 * **DELETE** endpoints return status **No Content (204)**
 * **POST** endpoints return status **Created (201)**, used to **create** new objects (e.g. a User)
- * **PUT** endpoints return status **No Content (204)**, used to **add/assign** existing Obejcts (e.g. User) to something (e.g. Org-Team)
+ * **PUT** endpoints return status **No Content (204)**, used to **add/assign** existing Objects (e.g. User) to something (e.g. Org-Team)
 * **PATCH** endpoints return changed object and status **OK (200)**, used to **edit/change** an existing object


@@ -226,18 +228,18 @@ We assume in good faith that the information you provide is legally binding.

 We adopted a release schedule to streamline the process of working
 on, finishing, and issuing releases. The overall goal is to make a
-minor release every two months, which breaks down into one month of
+minor release every three or four months, which breaks down into two or three months of
 general development followed by one month of testing and polishing
 known as the release freeze. All the feature pull requests should be
-merged in the first month of one release period. And, during the frozen
-period, a corresponding release branch is open for fixes backported from
-master. Release candidates are made during this period for user testing to
+merged before feature freeze. And, during the frozen period, a corresponding 
+release branch is open for fixes backported from main branch. Release candidates 
+are made during this period for user testing to
 obtain a final version that is maintained in this branch. A release is
 maintained by issuing patch releases to only correct critical problems
 such as crashes or security issues.

-Major release cycles are bimonthly. They always begin on the 25th and end on
-the 24th (i.e., the 25th of December to February 24th).
+Major release cycles are seasonal. They always begin on the 25th and end on
+the 24th (i.e., the 25th of December to March 24th).

 During a development cycle, we may also publish any necessary minor releases
 for the previous version. For example, if the latest, published release is
@@ -293,25 +295,30 @@ and lead the development of Gitea.
 To honor the past owners, here's the history of the owners and the time
 they served:

-* 2016-11-04 ~ 2017-12-31
-  * [Lunny Xiao](https://github.com/lunny) <xiaolunwen@gmail.com>
-  * [Thomas Boerger](https://github.com/tboerger) <thomas@webhippie.de>
-  * [Kim Carlbäcker](https://github.com/bkcsoft) <kim.carlbacker@gmail.com>
+* 2021-01-01 ~ 2021-12-31 - https://github.com/go-gitea/gitea/issues/13801
+  * [Lunny Xiao](https://gitea.com/lunny) <xiaolunwen@gmail.com>
+  * [Lauris Bukšis-Haberkorns](https://gitea.com/lafriks) <lauris@nix.lv>
+  * [Matti Ranta](https://gitea.com/techknowlogick) <techknowlogick@gitea.io>

-* 2018-01-01 ~ 2018-12-31
-  * [Lunny Xiao](https://github.com/lunny) <xiaolunwen@gmail.com>
-  * [Lauris Bukšis-Haberkorns](https://github.com/lafriks) <lauris@nix.lv>
-  * [Kim Carlbäcker](https://github.com/bkcsoft) <kim.carlbacker@gmail.com>
+* 2020-01-01 ~ 2020-12-31 - https://github.com/go-gitea/gitea/issues/9230
+  * [Lunny Xiao](https://gitea.com/lunny) <xiaolunwen@gmail.com>
+  * [Lauris Bukšis-Haberkorns](https://gitea.com/lafriks) <lauris@nix.lv>
+  * [Matti Ranta](https://gitea.com/techknowlogick) <techknowlogick@gitea.io>

-* 2019-01-01 ~ 2019-12-31
+* 2019-01-01 ~ 2019-12-31 - https://github.com/go-gitea/gitea/issues/5572
  * [Lunny Xiao](https://github.com/lunny) <xiaolunwen@gmail.com>
  * [Lauris Bukšis-Haberkorns](https://github.com/lafriks) <lauris@nix.lv>
  * [Matti Ranta](https://github.com/techknowlogick) <techknowlogick@gitea.io>

-* 2020-01-01 ~ 2020-12-31
-  * [Lunny Xiao](https://gitea.com/lunny) <xiaolunwen@gmail.com>
-  * [Lauris Bukšis-Haberkorns](https://gitea.com/lafriks) <lauris@nix.lv>
-  * [Matti Ranta](https://gitea.com/techknowlogick) <techknowlogick@gitea.io>
+* 2018-01-01 ~ 2018-12-31 - https://github.com/go-gitea/gitea/issues/3255
+  * [Lunny Xiao](https://github.com/lunny) <xiaolunwen@gmail.com>
+  * [Lauris Bukšis-Haberkorns](https://github.com/lafriks) <lauris@nix.lv>
+  * [Kim Carlbäcker](https://github.com/bkcsoft) <kim.carlbacker@gmail.com>
+
+* 2016-11-04 ~ 2017-12-31
+  * [Lunny Xiao](https://github.com/lunny) <xiaolunwen@gmail.com>
+  * [Thomas Boerger](https://github.com/tboerger) <thomas@webhippie.de>
+  * [Kim Carlbäcker](https://github.com/bkcsoft) <kim.carlbacker@gmail.com>

 ## Versions

--- a/14
+++ b/14
@@ -1,14 +1,15 @@

 ###################################
 #Build stage
-FROM golang:1.14-alpine3.11 AS build-env
+FROM golang:1.16-alpine3.13 AS build-env

 ARG GOPROXY
 ENV GOPROXY ${GOPROXY:-direct}

 ARG GITEA_VERSION
 ARG TAGS="sqlite sqlite_unlock_notify"
-ENV TAGS "bindata $TAGS"
+ENV TAGS "bindata timetzdata $TAGS"
+ARG CGO_EXTRA_CFLAGS

 #Build deps
 RUN apk --no-cache add build-base git nodejs npm
@@ -21,7 +22,10 @@ WORKDIR ${GOPATH}/src/code.gitea.io/gitea
 RUN if [ -n "${GITEA_VERSION}" ]; then git checkout "${GITEA_VERSION}"; fi \
 && make clean-all build

-FROM alpine:3.11
+# Begin env-to-ini build
+RUN go build contrib/environment-to-ini/environment-to-ini.go
+
+FROM alpine:3.13
 LABEL maintainer="maintainers@gitea.io"

 EXPOSE 22 3000
@@ -37,7 +41,6 @@ RUN apk --no-cache add \
    s6 \
    sqlite \
    su-exec \
-    tzdata \
    gnupg

 RUN addgroup \
@@ -50,7 +53,7 @@ RUN addgroup \
    -u 1000 \
    -G git \
    git && \
-  echo "git:$(dd if=/dev/urandom bs=24 count=1 status=none | base64)" | chpasswd
+  echo "git:*" | chpasswd -e

 ENV USER git
 ENV GITEA_CUSTOM /data/gitea
@@ -62,4 +65,5 @@ CMD ["/bin/s6-svscan", "/etc/s6"]

 COPY docker/root /
 COPY --from=build-env /go/src/code.gitea.io/gitea/gitea /app/gitea/gitea
+COPY --from=build-env /go/src/code.gitea.io/gitea/environment-to-ini /usr/local/bin/environment-to-ini
 RUN ln -s /app/gitea/gitea /usr/local/bin/gitea
--- a/Dockerfile.rootless
+++ b/Dockerfile.rootless
@@ -0,0 +1,74 @@
+
+###################################
+#Build stage
+FROM golang:1.16-alpine3.13 AS build-env
+
+ARG GOPROXY
+ENV GOPROXY ${GOPROXY:-direct}
+
+ARG GITEA_VERSION
+ARG TAGS="sqlite sqlite_unlock_notify"
+ENV TAGS "bindata timetzdata $TAGS"
+ARG CGO_EXTRA_CFLAGS 
+
+#Build deps
+RUN apk --no-cache add build-base git nodejs npm
+
+#Setup repo
+COPY . ${GOPATH}/src/code.gitea.io/gitea
+WORKDIR ${GOPATH}/src/code.gitea.io/gitea
+
+#Checkout version if set
+RUN if [ -n "${GITEA_VERSION}" ]; then git checkout "${GITEA_VERSION}"; fi \
+ && make clean-all build
+
+# Begin env-to-ini build
+RUN go build contrib/environment-to-ini/environment-to-ini.go
+
+FROM alpine:3.13
+LABEL maintainer="maintainers@gitea.io"
+
+EXPOSE 2222 3000
+
+RUN apk --no-cache add \
+    bash \
+    ca-certificates \
+    gettext \
+    git \
+    curl \
+    gnupg
+
+RUN addgroup \
+    -S -g 1000 \
+    git && \
+  adduser \
+    -S -H -D \
+    -h /var/lib/gitea/git \
+    -s /bin/bash \
+    -u 1000 \
+    -G git \
+    git
+
+RUN mkdir -p /var/lib/gitea /etc/gitea
+RUN chown git:git /var/lib/gitea /etc/gitea
+
+COPY docker/rootless /
+COPY --from=build-env --chown=root:root /go/src/code.gitea.io/gitea/gitea /usr/local/bin/gitea
+COPY --from=build-env --chown=root:root /go/src/code.gitea.io/gitea/environment-to-ini /usr/local/bin/environment-to-ini
+
+#git:git
+USER 1000:1000
+ENV GITEA_WORK_DIR /var/lib/gitea
+ENV GITEA_CUSTOM /var/lib/gitea/custom
+ENV GITEA_TEMP /tmp/gitea
+ENV TMPDIR /tmp/gitea
+
+#TODO add to docs the ability to define the ini to load (usefull to test and revert a config)
+ENV GITEA_APP_INI /etc/gitea/app.ini
+ENV HOME "/var/lib/gitea/git"
+VOLUME ["/var/lib/gitea", "/etc/gitea"]
+WORKDIR /var/lib/gitea
+
+ENTRYPOINT ["/usr/local/bin/docker-entrypoint.sh"]
+CMD []
+
--- a/8
+++ b/8
@@ -36,3 +36,11 @@ Mura Li <typeless@ctli.io> (@typeless)
 6543 <6543@obermui.de> (@6543)
 jaqra <jaqra@hotmail.com> (@jaqra)
 David Svantesson <davidsvantesson@gmail.com> (@davidsvantesson)
+a1012112796 <1012112796@qq.com> (@a1012112796)
+Karl Heinz Marbaise <kama@soebes.de> (@khmarbaise)
+Norwin Roosen <git@nroo.de> (@noerw)
+Kyle Dumont <kdumontnu@gmail.com> (@kdumontnu)
+Patrick Schratz <patrick.schratz@gmail.com> (@pat-s)
+Janis Estelmann <admin@oldschoolhack.me> (@KN4CK3R)
+Steven Kriegler <sk.bunsenbrenner@gmail.com> (@justusbunsi)
+Jimmy Praet <jimmy.praet@telenet.be> (@jpraet)
--- a/427
+++ b/427
@@ -1,4 +1,3 @@
-
 ifeq ($(USE_REPO_TEST_DIR),1)

 # This rule replaces the whole Makefile when we're trying to use /tmp repository temporary files
@@ -21,44 +20,53 @@ IMPORT := code.gitea.io/gitea
 export GO111MODULE=on

 GO ?= go
-SED_INPLACE := sed -i
 SHASUM ?= shasum -a 256
 HAS_GO = $(shell hash $(GO) > /dev/null 2>&1 && echo "GO" || echo "NOGO" )
 COMMA := ,

-XGO_VERSION := go-1.14.x
-MIN_GO_VERSION := 001012000
-MIN_NODE_VERSION := 010013000
+XGO_VERSION := go-1.16.x
+MIN_GO_VERSION := 001016000
+MIN_NODE_VERSION := 012017000
+
+DOCKER_IMAGE ?= gitea/gitea
+DOCKER_TAG ?= latest
+DOCKER_REF := $(DOCKER_IMAGE):$(DOCKER_TAG)

 ifeq ($(HAS_GO), GO)
 	GOPATH ?= $(shell $(GO) env GOPATH)
 	export PATH := $(GOPATH)/bin:$(PATH)
+
+	CGO_EXTRA_CFLAGS := -DSQLITE_MAX_VARIABLE_NUMBER=32766
+	CGO_CFLAGS ?= $(shell $(GO) env CGO_CFLAGS) $(CGO_EXTRA_CFLAGS)
 endif

-
 ifeq ($(OS), Windows_NT)
+	GOFLAGS := -v -buildmode=exe
+	EXECUTABLE ?= gitea.exe
+else ifeq ($(OS), Windows)
+	GOFLAGS := -v -buildmode=exe
 	EXECUTABLE ?= gitea.exe
 else
+	GOFLAGS := -v
 	EXECUTABLE ?= gitea
-	UNAME_S := $(shell uname -s)
-	ifeq ($(UNAME_S),Darwin)
-		SED_INPLACE := sed -i ''
-	endif
-	ifeq ($(UNAME_S),FreeBSD)
-		SED_INPLACE := sed -i ''
-	endif
+endif
+
+ifeq ($(shell sed --version 2>/dev/null | grep -q GNU && echo gnu),gnu)
+	SED_INPLACE := sed -i
+else
+	SED_INPLACE := sed -i ''
 endif

 GOFMT ?= gofmt -s

-GOFLAGS := -v
 EXTRA_GOFLAGS ?=

 MAKE_VERSION := $(shell $(MAKE) -v | head -n 1)
 MAKE_EVIDENCE_DIR := .make_evidence

-ifneq ($(RACE_ENABLED),)
-	GOTESTFLAGS ?= -race
+ifeq ($(RACE_ENABLED),true)
+	GOFLAGS += -race
+	GOTESTFLAGS += -race
 endif

 STORED_VERSION_FILE := VERSION
@@ -70,7 +78,7 @@ else
 	ifneq ($(DRONE_BRANCH),)
 		VERSION ?= $(subst release/v,,$(DRONE_BRANCH))
 	else
-		VERSION ?= master
+		VERSION ?= main
 	endif

 	STORED_VERSION=$(shell cat $(STORED_VERSION_FILE) 2>/dev/null)
@@ -83,21 +91,34 @@ endif

 LDFLAGS := $(LDFLAGS) -X "main.MakeVersion=$(MAKE_VERSION)" -X "main.Version=$(GITEA_VERSION)" -X "main.Tags=$(TAGS)"

-GO_PACKAGES ?= $(filter-out code.gitea.io/gitea/integrations/migration-test,$(filter-out code.gitea.io/gitea/integrations,$(shell $(GO) list -mod=vendor ./... | grep -v /vendor/)))
+LINUX_ARCHS ?= linux/amd64,linux/386,linux/arm-5,linux/arm-6,linux/arm64
+
+GO_PACKAGES ?= $(filter-out code.gitea.io/gitea/models/migrations code.gitea.io/gitea/integrations/migration-test code.gitea.io/gitea/integrations,$(shell $(GO) list -mod=vendor ./... | grep -v /vendor/))
+
+FOMANTIC_WORK_DIR := web_src/fomantic

 WEBPACK_SOURCES := $(shell find web_src/js web_src/less -type f)
 WEBPACK_CONFIGS := webpack.config.js
 WEBPACK_DEST := public/js/index.js public/css/index.css
-WEBPACK_DEST_DIRS := public/js public/css public/fonts
+WEBPACK_DEST_ENTRIES := public/js public/css public/fonts public/img/webpack public/serviceworker.js

 BINDATA_DEST := modules/public/bindata.go modules/options/bindata.go modules/templates/bindata.go
 BINDATA_HASH := $(addsuffix .hash,$(BINDATA_DEST))

+SVG_DEST_DIR := public/img/svg
+
+AIR_TMP_DIR := .air
+
 TAGS ?=
 TAGS_SPLIT := $(subst $(COMMA), ,$(TAGS))
 TAGS_EVIDENCE := $(MAKE_EVIDENCE_DIR)/tags

-GO_DIRS := cmd integrations models modules routers build services vendor
+TEST_TAGS ?= sqlite sqlite_unlock_notify
+
+TAR_EXCLUDES := .git data indexers queues log node_modules $(EXECUTABLE) $(FOMANTIC_WORK_DIR)/node_modules $(DIST) $(MAKE_EVIDENCE_DIR) $(AIR_TMP_DIR)
+
+GO_DIRS := cmd integrations models modules routers build services vendor tools
+
 GO_SOURCES := $(wildcard *.go)
 GO_SOURCES += $(shell find $(GO_DIRS) -type f -name "*.go" -not -path modules/options/bindata.go -not -path modules/public/bindata.go -not -path modules/templates/bindata.go)

@@ -107,15 +128,12 @@ endif

 GO_SOURCES_OWN := $(filter-out vendor/% %/bindata.go, $(GO_SOURCES))

-FOMANTIC_CONFIGS := semantic.json web_src/fomantic/theme.config.less web_src/fomantic/_site/globals/site.variables web_src/fomantic/css.js
-FOMANTIC_DEST := public/fomantic/semantic.min.js public/fomantic/semantic.min.css
-FOMANTIC_DEST_DIR := public/fomantic
-
-#To update swagger use: GO111MODULE=on go get -u github.com/go-swagger/go-swagger/cmd/swagger@v0.20.1
+#To update swagger use: GO111MODULE=on go get -u github.com/go-swagger/go-swagger/cmd/swagger
 SWAGGER := $(GO) run -mod=vendor github.com/go-swagger/go-swagger/cmd/swagger
 SWAGGER_SPEC := templates/swagger/v1_json.tmpl
-SWAGGER_SPEC_S_TMPL := s|"basePath": *"/api/v1"|"basePath": "{{AppSubUrl}}/api/v1"|g
-SWAGGER_SPEC_S_JSON := s|"basePath": *"{{AppSubUrl}}/api/v1"|"basePath": "/api/v1"|g
+SWAGGER_SPEC_S_TMPL := s|"basePath": *"/api/v1"|"basePath": "{{AppSubUrl \| JSEscape \| Safe}}/api/v1"|g
+SWAGGER_SPEC_S_JSON := s|"basePath": *"{{AppSubUrl \| JSEscape \| Safe}}/api/v1"|"basePath": "/api/v1"|g
+SWAGGER_EXCLUDE := code.gitea.io/sdk
 SWAGGER_NEWLINE_COMMAND := -e '$$a\'

 TEST_MYSQL_HOST ?= mysql:3306
@@ -139,40 +157,50 @@ TEST_MSSQL_PASSWORD ?= MwantsaSecurePassword1
 .PHONY: all
 all: build

-include docker/Makefile
-
 .PHONY: help
 help:
 	@echo "Make Routines:"
-	@echo " - \"\"                             equivalent to \"build\""
+	@echo " - \"\"                               equivalent to \"build\""
 	@echo " - build                            build everything"
 	@echo " - frontend                         build frontend files"
 	@echo " - backend                          build backend files"
+	@echo " - watch                            watch everything and continuously rebuild"
+	@echo " - watch-frontend                   watch frontend files and continuously rebuild"
+	@echo " - watch-backend                    watch backend files and continuously rebuild"
 	@echo " - clean                            delete backend and integration files"
 	@echo " - clean-all                        delete backend, frontend and integration files"
 	@echo " - lint                             lint everything"
 	@echo " - lint-frontend                    lint frontend files"
 	@echo " - lint-backend                     lint backend files"
-	@echo " - watch-frontend                   watch frontend files and continuously rebuild"
+	@echo " - checks                           run various consistency checks"
+	@echo " - checks-frontend                  check frontend files"
+	@echo " - checks-backend                   check backend files"
+	@echo " - test                             test everything"
+	@echo " - test-frontend                    test frontend files"
+	@echo " - test-backend                     test backend files"
 	@echo " - webpack                          build webpack files"
+	@echo " - svg                              build svg files"
 	@echo " - fomantic                         build fomantic files"
 	@echo " - generate                         run \"go generate\""
 	@echo " - fmt                              format the Go code"
+	@echo " - generate-license                 update license files"
+	@echo " - generate-gitignore               update gitignore files"
+	@echo " - generate-manpage                 generate manpage"
 	@echo " - generate-swagger                 generate the swagger spec from code comments"
 	@echo " - swagger-validate                 check if the swagger spec is valid"
 	@echo " - golangci-lint                    run golangci-lint linter"
 	@echo " - revive                           run revive linter"
 	@echo " - misspell                         check for misspellings"
 	@echo " - vet                              examines Go source code and reports suspicious constructs"
-	@echo " - test[\#TestSpecificName]    	   run unit test"
+	@echo " - test[\#TestSpecificName]    	    run unit test"
 	@echo " - test-sqlite[\#TestSpecificName]  run integration test for sqlite"
 	@echo " - pr#<index>                       build and start gitea from a PR with integration test data loaded"

 .PHONY: go-check
 go-check:
-	$(eval GO_VERSION := $(shell printf "%03d%03d%03d" $(shell go version | grep -Eo '[0-9]+\.[0-9.]+' | tr '.' ' ');))
+	$(eval GO_VERSION := $(shell printf "%03d%03d%03d" $(shell $(GO) version | grep -Eo '[0-9]+\.[0-9.]+' | tr '.' ' ');))
 	@if [ "$(GO_VERSION)" -lt "$(MIN_GO_VERSION)" ]; then \
-		echo "Gitea requires Go 1.12 or greater to build. You can get it at https://golang.org/dl/"; \
+		echo "Gitea requires Go 1.16 or greater to build. You can get it at https://golang.org/dl/"; \
 		exit 1; \
 	fi

@@ -186,15 +214,16 @@ git-check:
 .PHONY: node-check
 node-check:
 	$(eval NODE_VERSION := $(shell printf "%03d%03d%03d" $(shell node -v | cut -c2- | tr '.' ' ');))
+	$(eval MIN_NODE_VER_FMT := $(shell printf "%g.%g.%g" $(shell echo $(MIN_NODE_VERSION) | grep -o ...)))
 	$(eval NPM_MISSING := $(shell hash npm > /dev/null 2>&1 || echo 1))
 	@if [ "$(NODE_VERSION)" -lt "$(MIN_NODE_VERSION)" -o "$(NPM_MISSING)" = "1" ]; then \
-		echo "Gitea requires Node.js 10 or greater and npm to build. You can get it at https://nodejs.org/en/download/"; \
+		echo "Gitea requires Node.js $(MIN_NODE_VER_FMT) or greater and npm to build. You can get it at https://nodejs.org/en/download/"; \
 		exit 1; \
 	fi

 .PHONY: clean-all
 clean-all: clean
-	rm -rf $(WEBPACK_DEST_DIRS) $(FOMANTIC_DEST_DIR)
+	rm -rf $(WEBPACK_DEST_ENTRIES) node_modules

 .PHONY: clean
 clean:
@@ -203,19 +232,19 @@ clean:
 		integrations*.test \
 		integrations/gitea-integration-pgsql/ integrations/gitea-integration-mysql/ integrations/gitea-integration-mysql8/ integrations/gitea-integration-sqlite/ \
 		integrations/gitea-integration-mssql/ integrations/indexers-mysql/ integrations/indexers-mysql8/ integrations/indexers-pgsql integrations/indexers-sqlite \
-		integrations/indexers-mssql integrations/mysql.ini integrations/mysql8.ini integrations/pgsql.ini integrations/mssql.ini
+		integrations/indexers-mssql integrations/mysql.ini integrations/mysql8.ini integrations/pgsql.ini integrations/mssql.ini man/

 .PHONY: fmt
 fmt:
-	$(GOFMT) -w $(GO_SOURCES_OWN)
+	@echo "Running go fmt..."
+	@$(GOFMT) -w $(GO_SOURCES_OWN)

 .PHONY: vet
 vet:
-	# Default vet
-	$(GO) vet $(GO_PACKAGES)
-	# Custom vet
-	$(GO) build -mod=vendor gitea.com/jolheiser/gitea-vet
-	$(GO) vet -vettool=gitea-vet $(GO_PACKAGES)
+	@echo "Running go vet..."
+	@$(GO) vet $(GO_PACKAGES)
+	@GOOS= GOARCH= $(GO) build -mod=vendor code.gitea.io/gitea-vet
+	@$(GO) vet -vettool=gitea-vet $(GO_PACKAGES)

 .PHONY: $(TAGS_EVIDENCE)
 $(TAGS_EVIDENCE):
@@ -228,7 +257,7 @@ endif

 .PHONY: generate-swagger
 generate-swagger:
-	$(SWAGGER) generate spec -o './$(SWAGGER_SPEC)'
+	$(SWAGGER) generate spec -x "$(SWAGGER_EXCLUDE)" -o './$(SWAGGER_SPEC)'
 	$(SED_INPLACE) '$(SWAGGER_SPEC_S_TMPL)' './$(SWAGGER_SPEC)'
 	$(SED_INPLACE) $(SWAGGER_NEWLINE_COMMAND) './$(SWAGGER_SPEC)'

@@ -239,7 +268,7 @@ swagger-check: generate-swagger
 		echo "Please run 'make generate-swagger' and commit the result:"; \
 		echo "$${diff}"; \
 		exit 1; \
-	fi;
+	fi

 .PHONY: swagger-validate
 swagger-validate:
@@ -250,27 +279,33 @@ swagger-validate:
 .PHONY: errcheck
 errcheck:
 	@hash errcheck > /dev/null 2>&1; if [ $$? -ne 0 ]; then \
-		$(GO) get -u github.com/kisielk/errcheck; \
+		GO111MODULE=off $(GO) get -u github.com/kisielk/errcheck; \
 	fi
-	errcheck $(GO_PACKAGES)
+	@echo "Running errcheck..."
+	@errcheck $(GO_PACKAGES)

 .PHONY: revive
 revive:
-	GO111MODULE=on $(GO) run -mod=vendor build/lint.go -config .revive.toml -exclude=./vendor/... ./... || exit 1
+	@hash revive > /dev/null 2>&1; if [ $$? -ne 0 ]; then \
+		GO111MODULE=off $(GO) get -u github.com/mgechev/revive; \
+	fi
+	@revive -config .revive.toml -exclude=./vendor/... ./...

 .PHONY: misspell-check
 misspell-check:
 	@hash misspell > /dev/null 2>&1; if [ $$? -ne 0 ]; then \
-		$(GO) get -u github.com/client9/misspell/cmd/misspell; \
+		GO111MODULE=off $(GO) get -u github.com/client9/misspell/cmd/misspell; \
 	fi
-	misspell -error -i unknwon,destory $(GO_SOURCES_OWN)
+	@echo "Running misspell-check..."
+	@misspell -error -i unknwon $(GO_SOURCES_OWN)

 .PHONY: misspell
 misspell:
 	@hash misspell > /dev/null 2>&1; if [ $$? -ne 0 ]; then \
-		$(GO) get -u github.com/client9/misspell/cmd/misspell; \
+		GO111MODULE=off $(GO) get -u github.com/client9/misspell/cmd/misspell; \
 	fi
-	misspell -w -i unknwon $(GO_SOURCES_OWN)
+	@echo "Running go misspell..."
+	@misspell -w -i unknwon $(GO_SOURCES_OWN)

 .PHONY: fmt-check
 fmt-check:
@@ -280,42 +315,73 @@ fmt-check:
 		echo "Please run 'make fmt' and commit the result:"; \
 		echo "$${diff}"; \
 		exit 1; \
-	fi;
+	fi
+
+.PHONY: checks
+checks: checks-frontend checks-backend
+
+.PHONY: checks-frontend
+checks-frontend: svg-check
+
+.PHONY: checks-backend
+checks-backend: misspell-check test-vendor swagger-check swagger-validate

 .PHONY: lint
-lint: lint-backend lint-frontend
-
-.PHONY: lint-backend
-lint-backend: golangci-lint revive vet swagger-check swagger-validate test-vendor
+lint: lint-frontend lint-backend

 .PHONY: lint-frontend
 lint-frontend: node_modules
-	npx eslint web_src/js webpack.config.js
-	npx stylelint web_src/less
+	npx eslint --color --max-warnings=0 web_src/js build templates *.config.js
+	npx stylelint --color --max-warnings=0 web_src/less
+	npx editorconfig-checker templates
+
+.PHONY: lint-backend
+lint-backend: golangci-lint revive vet
+
+.PHONY: watch
+watch:
+	bash tools/watch.sh

 .PHONY: watch-frontend
-watch-frontend: node_modules
-	NODE_ENV=development npx webpack --hide-modules --display-entrypoints=false --watch --progress
+watch-frontend: node-check node_modules
+	rm -rf $(WEBPACK_DEST_ENTRIES)
+	NODE_ENV=development npx webpack --watch --progress
+
+.PHONY: watch-backend
+watch-backend: go-check
+	@hash air > /dev/null 2>&1; if [ $$? -ne 0 ]; then \
+		GO111MODULE=off $(GO) get -u github.com/cosmtrek/air; \
+	fi
+	air -c .air.conf

 .PHONY: test
-test:
-	$(GO) test $(GOTESTFLAGS) -mod=vendor -tags='sqlite sqlite_unlock_notify' $(GO_PACKAGES)
+test: test-frontend test-backend
+
+.PHONY: test-backend
+test-backend:
+	@echo "Running go test with -tags '$(TEST_TAGS)'..."
+	@$(GO) test $(GOTESTFLAGS) -mod=vendor -tags='$(TEST_TAGS)' $(GO_PACKAGES)
+
+.PHONY: test-frontend
+test-frontend: node_modules
+	@NODE_OPTIONS="--experimental-vm-modules --no-warnings" npx jest --color

 .PHONY: test-check
 test-check:
-	@echo "Checking if tests have changed the source tree...";
+	@echo "Running test-check...";
 	@diff=$$(git status -s); \
 	if [ -n "$$diff" ]; then \
-		echo "make test has changed files in the source tree:"; \
+		echo "make test-backend has changed files in the source tree:"; \
 		echo "$${diff}"; \
 		echo "You should change the tests to create these files in a temporary directory."; \
 		echo "Do not simply add these files to .gitignore"; \
 		exit 1; \
-	fi;
+	fi

 .PHONY: test\#%
 test\#%:
-	$(GO) test -mod=vendor -tags='sqlite sqlite_unlock_notify' -run $(subst .,/,$*) $(GO_PACKAGES)
+	@echo "Running go test with -tags '$(TEST_TAGS)'..."
+	@$(GO) test -mod=vendor $(GOTESTFLAGS) -tags='$(TEST_TAGS)' -run $(subst .,/,$*) $(GO_PACKAGES)

 .PHONY: coverage
 coverage:
@@ -323,7 +389,8 @@ coverage:

 .PHONY: unit-test-coverage
 unit-test-coverage:
-	$(GO) test $(GOTESTFLAGS) -mod=vendor -tags='sqlite sqlite_unlock_notify' -cover -coverprofile coverage.out $(GO_PACKAGES) && echo "\n==>\033[32m Ok\033[m\n" || exit 1
+	@echo "Running unit-test-coverage -tags '$(TEST_TAGS)'..."
+	@$(GO) test $(GOTESTFLAGS) -mod=vendor -tags='$(TEST_TAGS)' -cover -coverprofile coverage.out $(GO_PACKAGES) && echo "\n==>\033[32m Ok\033[m\n" || exit 1

 .PHONY: vendor
 vendor:
@@ -336,7 +403,7 @@ test-vendor: vendor
 		echo "Please run 'make vendor' and commit the result:"; \
 		echo "$${diff}"; \
 		exit 1; \
-	fi;
+	fi

 generate-ini-sqlite:
 	sed -e 's|{{REPO_TEST_DIR}}|${REPO_TEST_DIR}|g' \
@@ -344,15 +411,16 @@ generate-ini-sqlite:

 .PHONY: test-sqlite
 test-sqlite: integrations.sqlite.test generate-ini-sqlite
-	GITEA_ROOT=${CURDIR} GITEA_CONF=integrations/sqlite.ini ./integrations.sqlite.test
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=integrations/sqlite.ini ./integrations.sqlite.test

 .PHONY: test-sqlite\#%
 test-sqlite\#%: integrations.sqlite.test generate-ini-sqlite
-	GITEA_ROOT=${CURDIR} GITEA_CONF=integrations/sqlite.ini ./integrations.sqlite.test -test.run $(subst .,/,$*)
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=integrations/sqlite.ini ./integrations.sqlite.test -test.run $(subst .,/,$*)

 .PHONY: test-sqlite-migration
-test-sqlite-migration:  migrations.sqlite.test generate-ini-sqlite
-	GITEA_ROOT=${CURDIR} GITEA_CONF=integrations/sqlite.ini ./migrations.sqlite.test
+test-sqlite-migration:  migrations.sqlite.test migrations.individual.sqlite.test generate-ini-sqlite
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=integrations/sqlite.ini ./migrations.sqlite.test
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=integrations/sqlite.ini ./migrations.individual.sqlite.test

 generate-ini-mysql:
 	sed -e 's|{{TEST_MYSQL_HOST}}|${TEST_MYSQL_HOST}|g' \
@@ -364,15 +432,16 @@ generate-ini-mysql:

 .PHONY: test-mysql
 test-mysql: integrations.mysql.test generate-ini-mysql
-	GITEA_ROOT=${CURDIR} GITEA_CONF=integrations/mysql.ini ./integrations.mysql.test
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=integrations/mysql.ini ./integrations.mysql.test

 .PHONY: test-mysql\#%
 test-mysql\#%: integrations.mysql.test generate-ini-mysql
-	GITEA_ROOT=${CURDIR} GITEA_CONF=integrations/mysql.ini ./integrations.mysql.test -test.run $(subst .,/,$*)
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=integrations/mysql.ini ./integrations.mysql.test -test.run $(subst .,/,$*)

 .PHONY: test-mysql-migration
-test-mysql-migration: migrations.mysql.test generate-ini-mysql
-	GITEA_ROOT=${CURDIR} GITEA_CONF=integrations/mysql.ini ./migrations.mysql.test
+test-mysql-migration: migrations.mysql.test migrations.individual.mysql.test generate-ini-mysql
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=integrations/mysql.ini ./migrations.mysql.test
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=integrations/mysql.ini ./migrations.individual.mysql.test

 generate-ini-mysql8:
 	sed -e 's|{{TEST_MYSQL8_HOST}}|${TEST_MYSQL8_HOST}|g' \
@@ -384,15 +453,16 @@ generate-ini-mysql8:

 .PHONY: test-mysql8
 test-mysql8: integrations.mysql8.test generate-ini-mysql8
-	GITEA_ROOT=${CURDIR} GITEA_CONF=integrations/mysql8.ini ./integrations.mysql8.test
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=integrations/mysql8.ini ./integrations.mysql8.test

 .PHONY: test-mysql8\#%
 test-mysql8\#%: integrations.mysql8.test generate-ini-mysql8
-	GITEA_ROOT=${CURDIR} GITEA_CONF=integrations/mysql8.ini ./integrations.mysql8.test -test.run $(subst .,/,$*)
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=integrations/mysql8.ini ./integrations.mysql8.test -test.run $(subst .,/,$*)

 .PHONY: test-mysql8-migration
-test-mysql8-migration: migrations.mysql8.test generate-ini-mysql8
-	GITEA_ROOT=${CURDIR} GITEA_CONF=integrations/mysql8.ini ./migrations.mysql8.test
+test-mysql8-migration: migrations.mysql8.test migrations.individual.mysql8.test generate-ini-mysql8
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=integrations/mysql8.ini ./migrations.mysql8.test
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=integrations/mysql8.ini ./migrations.individual.mysql8.test

 generate-ini-pgsql:
 	sed -e 's|{{TEST_PGSQL_HOST}}|${TEST_PGSQL_HOST}|g' \
@@ -405,15 +475,16 @@ generate-ini-pgsql:

 .PHONY: test-pgsql
 test-pgsql: integrations.pgsql.test generate-ini-pgsql
-	GITEA_ROOT=${CURDIR} GITEA_CONF=integrations/pgsql.ini ./integrations.pgsql.test
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=integrations/pgsql.ini ./integrations.pgsql.test

 .PHONY: test-pgsql\#%
 test-pgsql\#%: integrations.pgsql.test generate-ini-pgsql
-	GITEA_ROOT=${CURDIR} GITEA_CONF=integrations/pgsql.ini ./integrations.pgsql.test -test.run $(subst .,/,$*)
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=integrations/pgsql.ini ./integrations.pgsql.test -test.run $(subst .,/,$*)

 .PHONY: test-pgsql-migration
-test-pgsql-migration: migrations.pgsql.test generate-ini-pgsql
-	GITEA_ROOT=${CURDIR} GITEA_CONF=integrations/pgsql.ini ./migrations.pgsql.test
+test-pgsql-migration: migrations.pgsql.test migrations.individual.pgsql.test generate-ini-pgsql
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=integrations/pgsql.ini ./migrations.pgsql.test
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=integrations/pgsql.ini ./migrations.individual.pgsql.test

 generate-ini-mssql:
 	sed -e 's|{{TEST_MSSQL_HOST}}|${TEST_MSSQL_HOST}|g' \
@@ -425,35 +496,36 @@ generate-ini-mssql:

 .PHONY: test-mssql
 test-mssql: integrations.mssql.test generate-ini-mssql
-	GITEA_ROOT=${CURDIR} GITEA_CONF=integrations/mssql.ini ./integrations.mssql.test
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=integrations/mssql.ini ./integrations.mssql.test

 .PHONY: test-mssql\#%
 test-mssql\#%: integrations.mssql.test generate-ini-mssql
-	GITEA_ROOT=${CURDIR} GITEA_CONF=integrations/mssql.ini ./integrations.mssql.test -test.run $(subst .,/,$*)
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=integrations/mssql.ini ./integrations.mssql.test -test.run $(subst .,/,$*)

 .PHONY: test-mssql-migration
-test-mssql-migration: migrations.mssql.test generate-ini-mssql
-	GITEA_ROOT=${CURDIR} GITEA_CONF=integrations/mssql.ini ./migrations.mssql.test
+test-mssql-migration: migrations.mssql.test migrations.individual.mssql.test generate-ini-mssql
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=integrations/mssql.ini ./migrations.mssql.test -test.failfast
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=integrations/mssql.ini ./migrations.individual.mssql.test -test.failfast

 .PHONY: bench-sqlite
 bench-sqlite: integrations.sqlite.test generate-ini-sqlite
-	GITEA_ROOT=${CURDIR} GITEA_CONF=integrations/sqlite.ini ./integrations.sqlite.test -test.cpuprofile=cpu.out -test.run DontRunTests -test.bench .
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=integrations/sqlite.ini ./integrations.sqlite.test -test.cpuprofile=cpu.out -test.run DontRunTests -test.bench .

 .PHONY: bench-mysql
 bench-mysql: integrations.mysql.test generate-ini-mysql
-	GITEA_ROOT=${CURDIR} GITEA_CONF=integrations/mysql.ini ./integrations.mysql.test -test.cpuprofile=cpu.out -test.run DontRunTests -test.bench .
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=integrations/mysql.ini ./integrations.mysql.test -test.cpuprofile=cpu.out -test.run DontRunTests -test.bench .

 .PHONY: bench-mssql
 bench-mssql: integrations.mssql.test generate-ini-mssql
-	GITEA_ROOT=${CURDIR} GITEA_CONF=integrations/mssql.ini ./integrations.mssql.test -test.cpuprofile=cpu.out -test.run DontRunTests -test.bench .
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=integrations/mssql.ini ./integrations.mssql.test -test.cpuprofile=cpu.out -test.run DontRunTests -test.bench .

 .PHONY: bench-pgsql
 bench-pgsql: integrations.pgsql.test generate-ini-pgsql
-	GITEA_ROOT=${CURDIR} GITEA_CONF=integrations/pgsql.ini ./integrations.pgsql.test -test.cpuprofile=cpu.out -test.run DontRunTests -test.bench .
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=integrations/pgsql.ini ./integrations.pgsql.test -test.cpuprofile=cpu.out -test.run DontRunTests -test.bench .

 .PHONY: integration-test-coverage
 integration-test-coverage: integrations.cover.test generate-ini-mysql
-	GITEA_ROOT=${CURDIR} GITEA_CONF=integrations/mysql.ini ./integrations.cover.test -test.coverprofile=integration.coverage.out
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=integrations/mysql.ini ./integrations.cover.test -test.coverprofile=integration.coverage.out

 integrations.mysql.test: git-check $(GO_SOURCES)
 	$(GO) test $(GOTESTFLAGS) -mod=vendor -c code.gitea.io/gitea/integrations -o integrations.mysql.test
@@ -468,7 +540,7 @@ integrations.mssql.test: git-check $(GO_SOURCES)
 	$(GO) test $(GOTESTFLAGS) -mod=vendor -c code.gitea.io/gitea/integrations -o integrations.mssql.test

 integrations.sqlite.test: git-check $(GO_SOURCES)
-	$(GO) test $(GOTESTFLAGS) -mod=vendor -c code.gitea.io/gitea/integrations -o integrations.sqlite.test -tags 'sqlite sqlite_unlock_notify'
+	$(GO) test $(GOTESTFLAGS) -mod=vendor -c code.gitea.io/gitea/integrations -o integrations.sqlite.test -tags '$(TEST_TAGS)'

 integrations.cover.test: git-check $(GO_SOURCES)
 	$(GO) test $(GOTESTFLAGS) -mod=vendor -c code.gitea.io/gitea/integrations -coverpkg $(shell echo $(GO_PACKAGES) | tr ' ' ',') -o integrations.cover.test
@@ -491,33 +563,54 @@ migrations.mssql.test: $(GO_SOURCES)

 .PHONY: migrations.sqlite.test
 migrations.sqlite.test: $(GO_SOURCES)
-	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/integrations/migration-test -o migrations.sqlite.test -tags 'sqlite sqlite_unlock_notify'
+	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/integrations/migration-test -o migrations.sqlite.test -tags '$(TEST_TAGS)'
+
+.PHONY: migrations.individual.mysql.test
+migrations.individual.mysql.test: $(GO_SOURCES)
+	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/models/migrations -o migrations.individual.mysql.test
+
+.PHONY: migrations.individual.mysql8.test
+migrations.individual.mysql8.test: $(GO_SOURCES)
+	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/models/migrations -o migrations.individual.mysql8.test
+
+.PHONY: migrations.individual.pgsql.test
+migrations.individual.pgsql.test: $(GO_SOURCES)
+	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/models/migrations -o migrations.individual.pgsql.test
+
+.PHONY: migrations.individual.mssql.test
+migrations.individual.mssql.test: $(GO_SOURCES)
+	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/models/migrations -o migrations.individual.mssql.test
+
+.PHONY: migrations.individual.sqlite.test
+migrations.individual.sqlite.test: $(GO_SOURCES)
+	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/models/migrations -o migrations.individual.sqlite.test -tags '$(TEST_TAGS)'

 .PHONY: check
 check: test

 .PHONY: install $(TAGS_PREREQ)
 install: $(wildcard *.go)
-	$(GO) install -v -tags '$(TAGS)' -ldflags '-s -w $(LDFLAGS)'
+	CGO_CFLAGS="$(CGO_CFLAGS)" $(GO) install -v -tags '$(TAGS)' -ldflags '-s -w $(LDFLAGS)'

 .PHONY: build
 build: frontend backend

 .PHONY: frontend
-frontend: node-check $(FOMANTIC_DEST) $(WEBPACK_DEST)
+frontend: $(WEBPACK_DEST)

 .PHONY: backend
 backend: go-check generate $(EXECUTABLE)

 .PHONY: generate
 generate: $(TAGS_PREREQ)
-	CC= GOOS= GOARCH= $(GO) generate -mod=vendor -tags '$(TAGS)' $(GO_PACKAGES)
+	@echo "Running go generate..."
+	@CC= GOOS= GOARCH= $(GO) generate -mod=vendor -tags '$(TAGS)' $(GO_PACKAGES)

 $(EXECUTABLE): $(GO_SOURCES) $(TAGS_PREREQ)
-	$(GO) build -mod=vendor $(GOFLAGS) $(EXTRA_GOFLAGS) -tags '$(TAGS)' -ldflags '-s -w $(LDFLAGS)' -o $@
+	CGO_CFLAGS="$(CGO_CFLAGS)" $(GO) build -mod=vendor $(GOFLAGS) $(EXTRA_GOFLAGS) -tags '$(TAGS)' -ldflags '-s -w $(LDFLAGS)' -o $@

 .PHONY: release
-release: frontend generate release-windows release-linux release-darwin release-copy release-compress release-sources release-check
+release: frontend generate release-windows release-linux release-darwin release-copy release-compress release-sources release-docs release-check

 $(DIST_DIRS):
 	mkdir -p $(DIST_DIRS)
@@ -525,9 +618,12 @@ $(DIST_DIRS):
 .PHONY: release-windows
 release-windows: | $(DIST_DIRS)
 	@hash xgo > /dev/null 2>&1; if [ $$? -ne 0 ]; then \
-		$(GO) get -u src.techknowlogick.com/xgo; \
+		$(GO) install src.techknowlogick.com/xgo@latest; \
 	fi
-	GO111MODULE=off xgo -go $(XGO_VERSION) -dest $(DIST)/binaries -tags 'netgo osusergo $(TAGS)' -ldflags '-linkmode external -extldflags "-static" $(LDFLAGS)' -targets 'windows/*' -out gitea-$(VERSION) .
+	CGO_CFLAGS="$(CGO_CFLAGS)" xgo -go $(XGO_VERSION) -buildmode exe -dest $(DIST)/binaries -tags 'netgo osusergo $(TAGS)' -ldflags '-linkmode external -extldflags "-static" $(LDFLAGS)' -targets 'windows/*' -out gitea-$(VERSION) .
+ifeq (,$(findstring gogit,$(TAGS)))
+	CGO_CFLAGS="$(CGO_CFLAGS)" xgo -go $(XGO_VERSION) -buildmode exe -dest $(DIST)/binaries -tags 'netgo osusergo gogit $(TAGS)' -ldflags '-linkmode external -extldflags "-static" $(LDFLAGS)' -targets 'windows/*' -out gitea-$(VERSION)-gogit .
+endif
 ifeq ($(CI),drone)
 	cp /build/* $(DIST)/binaries
 endif
@@ -535,9 +631,9 @@ endif
 .PHONY: release-linux
 release-linux: | $(DIST_DIRS)
 	@hash xgo > /dev/null 2>&1; if [ $$? -ne 0 ]; then \
-		$(GO) get -u src.techknowlogick.com/xgo; \
+		$(GO) install src.techknowlogick.com/xgo@latest; \
 	fi
-	GO111MODULE=off xgo -go $(XGO_VERSION) -dest $(DIST)/binaries -tags 'netgo osusergo $(TAGS)' -ldflags '-linkmode external -extldflags "-static" $(LDFLAGS)' -targets 'linux/amd64,linux/386,linux/arm-5,linux/arm-6,linux/arm64,linux/mips64le,linux/mips,linux/mipsle' -out gitea-$(VERSION) .
+	CGO_CFLAGS="$(CGO_CFLAGS)" xgo -go $(XGO_VERSION) -dest $(DIST)/binaries -tags 'netgo osusergo $(TAGS)' -ldflags '-linkmode external -extldflags "-static" $(LDFLAGS)' -targets '$(LINUX_ARCHS)' -out gitea-$(VERSION) .
 ifeq ($(CI),drone)
 	cp /build/* $(DIST)/binaries
 endif
@@ -545,9 +641,9 @@ endif
 .PHONY: release-darwin
 release-darwin: | $(DIST_DIRS)
 	@hash xgo > /dev/null 2>&1; if [ $$? -ne 0 ]; then \
-		$(GO) get -u src.techknowlogick.com/xgo; \
+		$(GO) install src.techknowlogick.com/xgo@latest; \
 	fi
-	GO111MODULE=off xgo -go $(XGO_VERSION) -dest $(DIST)/binaries -tags 'netgo osusergo $(TAGS)' -ldflags '$(LDFLAGS)' -targets 'darwin/*' -out gitea-$(VERSION) .
+	CGO_CFLAGS="$(CGO_CFLAGS)" xgo -go $(XGO_VERSION) -dest $(DIST)/binaries -tags 'netgo osusergo $(TAGS)' -ldflags '$(LDFLAGS)' -targets 'darwin-10.12/amd64,darwin-10.12/arm64' -out gitea-$(VERSION) .
 ifeq ($(CI),drone)
 	cp /build/* $(DIST)/binaries
 endif
@@ -568,11 +664,24 @@ release-compress: | $(DIST_DIRS)
 	cd $(DIST)/release/; for file in `find . -type f -name "*"`; do echo "compressing $${file}" && gxz -k -9 $${file}; done;

 .PHONY: release-sources
-release-sources: | $(DIST_DIRS) node_modules
+release-sources: | $(DIST_DIRS)
 	echo $(VERSION) > $(STORED_VERSION_FILE)
-	tar --exclude=./$(DIST) --exclude=./.git --exclude=./$(MAKE_EVIDENCE_DIR) --exclude=./node_modules/.cache -czf $(DIST)/release/gitea-src-$(VERSION).tar.gz .
+# bsdtar needs a ^ to prevent matching subdirectories
+	$(eval EXCL := --exclude=$(shell tar --help | grep -q bsdtar && echo "^")./)
+	tar $(addprefix $(EXCL),$(TAR_EXCLUDES)) -czf $(DIST)/release/gitea-src-$(VERSION).tar.gz .
 	rm -f $(STORED_VERSION_FILE)

+.PHONY: release-docs
+release-docs: | $(DIST_DIRS) docs
+	tar -czf $(DIST)/release/gitea-docs-$(VERSION).tar.gz -C ./docs/public .
+
+.PHONY: docs
+docs:
+	@hash hugo > /dev/null 2>&1; if [ $$? -ne 0 ]; then \
+		curl -sL https://github.com/gohugoio/hugo/releases/download/v0.74.3/hugo_0.74.3_Linux-64bit.tar.gz | tar zxf - -C /tmp && mv /tmp/hugo /usr/bin/hugo && chmod +x /usr/bin/hugo; \
+	fi
+	cd docs; make trans-copy clean build-offline;
+
 node_modules: package-lock.json
 	npm install --no-save
 	@touch node_modules
@@ -582,26 +691,41 @@ npm-update: node-check | node_modules
 	npx updates -cu
 	rm -rf node_modules package-lock.json
 	npm install --package-lock
+	@touch node_modules

 .PHONY: fomantic
-fomantic: $(FOMANTIC_DEST)
-
-$(FOMANTIC_DEST): $(FOMANTIC_CONFIGS) package-lock.json | node_modules
-	rm -rf $(FOMANTIC_DEST_DIR)
-	cp web_src/fomantic/theme.config.less node_modules/fomantic-ui/src/theme.config
-	cp -r web_src/fomantic/_site/* node_modules/fomantic-ui/src/_site/
-	cp web_src/fomantic/css.js node_modules/fomantic-ui/tasks/build/css.js
-	npx gulp -f node_modules/fomantic-ui/gulpfile.js build
-	@touch $(FOMANTIC_DEST)
+fomantic:
+	rm -rf $(FOMANTIC_WORK_DIR)/build
+	cd $(FOMANTIC_WORK_DIR) && npm install --no-save
+	cp -f $(FOMANTIC_WORK_DIR)/theme.config.less $(FOMANTIC_WORK_DIR)/node_modules/fomantic-ui/src/theme.config
+	cp -rf $(FOMANTIC_WORK_DIR)/_site $(FOMANTIC_WORK_DIR)/node_modules/fomantic-ui/src/
+	cp -f web_src/js/vendor/dropdown.js $(FOMANTIC_WORK_DIR)/node_modules/fomantic-ui/src/definitions/modules
+	cd $(FOMANTIC_WORK_DIR) && npx gulp -f node_modules/fomantic-ui/gulpfile.js build

 .PHONY: webpack
 webpack: $(WEBPACK_DEST)

-$(WEBPACK_DEST): $(WEBPACK_SOURCES) $(WEBPACK_CONFIGS) package-lock.json | node_modules
-	rm -rf $(WEBPACK_DEST_DIRS)
-	npx webpack --hide-modules --display-entrypoints=false
+$(WEBPACK_DEST): $(WEBPACK_SOURCES) $(WEBPACK_CONFIGS) package-lock.json
+	@$(MAKE) -s node-check node_modules
+	rm -rf $(WEBPACK_DEST_ENTRIES)
+	npx webpack
 	@touch $(WEBPACK_DEST)

+.PHONY: svg
+svg: node-check | node_modules
+	rm -rf $(SVG_DEST_DIR)
+	node build/generate-svg.js
+
+.PHONY: svg-check
+svg-check: svg
+	@git add $(SVG_DEST_DIR)
+	@diff=$$(git diff --cached $(SVG_DEST_DIR)); \
+	if [ -n "$$diff" ]; then \
+		echo "Please run 'make svg' and 'git add $(SVG_DEST_DIR)' and commit the result:"; \
+		echo "$${diff}"; \
+		exit 1; \
+	fi
+
 .PHONY: update-translations
 update-translations:
 	mkdir -p ./translations
@@ -612,36 +736,26 @@ update-translations:
 	mv ./translations/*.ini ./options/locale/
 	rmdir ./translations

-.PHONY: generate-images
-generate-images:
-	$(eval TMPDIR := $(shell mktemp -d 2>/dev/null || mktemp -d -t 'gitea-temp'))
-	mkdir -p $(TMPDIR)/images
-	inkscape -f $(PWD)/assets/logo.svg -w 880 -h 880 -e $(PWD)/public/img/gitea-lg.png
-	inkscape -f $(PWD)/assets/logo.svg -w 512 -h 512 -e $(PWD)/public/img/gitea-512.png
-	inkscape -f $(PWD)/assets/logo.svg -w 192 -h 192 -e $(PWD)/public/img/gitea-192.png
-	inkscape -f $(PWD)/assets/logo.svg -w 120 -h 120 -jC -i layer1 -e $(TMPDIR)/images/sm-1.png
-	inkscape -f $(PWD)/assets/logo.svg -w 120 -h 120 -jC -i layer2 -e $(TMPDIR)/images/sm-2.png
-	composite -compose atop $(TMPDIR)/images/sm-2.png $(TMPDIR)/images/sm-1.png $(PWD)/public/img/gitea-sm.png
-	inkscape -f $(PWD)/assets/logo.svg -w 200 -h 200 -e $(PWD)/public/img/avatar_default.png
-	inkscape -f $(PWD)/assets/logo.svg -w 180 -h 180 -e $(PWD)/public/img/favicon.png
-	inkscape -f $(PWD)/assets/logo.svg -w 128 -h 128 -e $(TMPDIR)/images/128-raw.png
-	inkscape -f $(PWD)/assets/logo.svg -w 64 -h 64 -e $(TMPDIR)/images/64-raw.png
-	inkscape -f $(PWD)/assets/logo.svg -w 32 -h 32 -jC -i layer1 -e $(TMPDIR)/images/32-1.png
-	inkscape -f $(PWD)/assets/logo.svg -w 32 -h 32 -jC -i layer2 -e $(TMPDIR)/images/32-2.png
-	composite -compose atop $(TMPDIR)/images/32-2.png $(TMPDIR)/images/32-1.png $(TMPDIR)/images/32-raw.png
-	inkscape -f $(PWD)/assets/logo.svg -w 16 -h 16 -jC -i layer1 -e $(TMPDIR)/images/16-raw.png
-	zopflipng -m -y $(TMPDIR)/images/128-raw.png $(TMPDIR)/images/128.png
-	zopflipng -m -y $(TMPDIR)/images/64-raw.png $(TMPDIR)/images/64.png
-	zopflipng -m -y $(TMPDIR)/images/32-raw.png $(TMPDIR)/images/32.png
-	zopflipng -m -y $(TMPDIR)/images/16-raw.png $(TMPDIR)/images/16.png
-	rm -f $(TMPDIR)/images/*-*.png
-	convert $(TMPDIR)/images/16.png $(TMPDIR)/images/32.png \
-					$(TMPDIR)/images/64.png $(TMPDIR)/images/128.png \
-					$(PWD)/public/img/favicon.ico
-	convert -flatten $(PWD)/public/img/favicon.png $(PWD)/public/img/apple-touch-icon.png
+.PHONY: generate-license
+generate-license:
+	GO111MODULE=on $(GO) run build/generate-licenses.go

-	rm -rf $(TMPDIR)/images
-	$(foreach file, $(shell find public/img -type f -name '*.png' ! -name 'loading.png'),zopflipng -m -y $(file) $(file);)
+.PHONY: generate-gitignore
+generate-gitignore:
+	GO111MODULE=on $(GO) run build/generate-gitignores.go
+
+.PHONY: generate-images
+generate-images: | node_modules
+	npm install --no-save --no-package-lock fabric@4 imagemin-zopfli@7
+	node build/generate-images.js $(TAGS)
+
+.PHONY: generate-manpage
+generate-manpage:
+	@[ -f gitea ] || make backend
+	@mkdir -p man/man1/ man/man5
+	@./gitea docs --man > man/man1/gitea.1
+	@gzip -9 man/man1/gitea.1 && echo man/man1/gitea.1.gz created
+	@#TODO A smal script witch format config-cheat-sheet.en-us.md nicely to suit as config man page

 .PHONY: pr\#%
 pr\#%: clean-all
@@ -651,9 +765,18 @@ pr\#%: clean-all
 golangci-lint:
 	@hash golangci-lint > /dev/null 2>&1; if [ $$? -ne 0 ]; then \
 		export BINARY="golangci-lint"; \
-		curl -sfL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | sh -s -- -b $(GOPATH)/bin v1.24.0; \
+		curl -sfL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | sh -s -- -b $(GOPATH)/bin v1.37.0; \
 	fi
-	golangci-lint run --timeout 5m
+	golangci-lint run --timeout 10m
+
+.PHONY: docker
+docker:
+	docker build --disable-content-trust=false -t $(DOCKER_REF) .
+# support also build args docker build --build-arg GITEA_VERSION=v1.2.3 --build-arg TAGS="bindata sqlite sqlite_unlock_notify"  .
+
+.PHONY: docker-build
+docker-build:
+	docker run -ti --rm -v "$(CURDIR):/srv/app/src/code.gitea.io/gitea" -w /srv/app/src/code.gitea.io/gitea -e TAGS="bindata $(TAGS)" LDFLAGS="$(LDFLAGS)" CGO_EXTRA_CFLAGS="$(CGO_EXTRA_CFLAGS)" webhippie/golang:edge make clean build

 # This endif closes the if at the top of the file
 endif
--- a/README.md
+++ b/README.md
@@ -1,18 +1,52 @@
-[简体中文](README_ZH.md)
+<p align="center">
+  <a href="https://gitea.io/">
+    <img alt="Gitea" src="https://raw.githubusercontent.com/go-gitea/gitea/main/public/img/gitea.svg" width="220"/>
+  </a>
+</p>
+<h1 align="center">Gitea - Git with a cup of tea</h1>

-<h1> <img src="https://raw.githubusercontent.com/go-gitea/gitea/master/public/img/gitea-192.png" alt="logo" width="30" height="30"> Gitea - Git with a cup of tea</h1>
+<p align="center">
+  <a href="https://drone.gitea.io/go-gitea/gitea" title="Build Status">
+    <img src="https://drone.gitea.io/api/badges/go-gitea/gitea/status.svg?ref=refs/heads/main">
+  </a>
+  <a href="https://discord.gg/Gitea" title="Join the Discord chat at https://discord.gg/Gitea">
+    <img src="https://img.shields.io/discord/322538954119184384.svg">
+  </a>
+  <a href="https://codecov.io/gh/go-gitea/gitea" title="Codecov">
+    <img src="https://codecov.io/gh/go-gitea/gitea/branch/main/graph/badge.svg">
+  </a>
+  <a href="https://godoc.org/code.gitea.io/gitea" title="Go Report Card">
+    <img src="https://goreportcard.com/badge/code.gitea.io/gitea">
+  </a>
+  <a href="https://godoc.org/code.gitea.io/gitea" title="GoDoc">
+    <img src="https://godoc.org/code.gitea.io/gitea?status.svg">
+  </a>
+  <a href="https://github.com/go-gitea/gitea/releases/latest" title="GitHub release">
+    <img src="https://img.shields.io/github/release/go-gitea/gitea.svg">
+  </a>
+  <a href="https://www.codetriage.com/go-gitea/gitea" title="Help Contribute to Open Source">
+    <img src="https://www.codetriage.com/go-gitea/gitea/badges/users.svg">
+  </a>
+  <a href="https://opencollective.com/gitea" title="Become a backer/sponsor of gitea">
+    <img src="https://opencollective.com/gitea/tiers/backers/badge.svg?label=backers&color=brightgreen">
+  </a>
+  <a href="https://opensource.org/licenses/MIT" title="License: MIT">
+    <img src="https://img.shields.io/badge/License-MIT-blue.svg">
+  </a>
+  <a href="https://crowdin.com/project/gitea" title="Crowdin">
+    <img src="https://badges.crowdin.net/gitea/localized.svg">
+  </a>
+  <a href="https://www.tickgit.com/browse?repo=github.com/go-gitea/gitea" title="TODOs">
+    <img src="https://badgen.net/https/api.tickgit.com/badgen/github.com/go-gitea/gitea">
+  </a>
+  <a href="https://www.bountysource.com/teams/gitea" title="Bountysource">
+    <img src="https://img.shields.io/bountysource/team/gitea/activity">
+  </a>
+</p>

-[![Build Status](https://drone.gitea.io/api/badges/go-gitea/gitea/status.svg)](https://drone.gitea.io/go-gitea/gitea)
-[![Join the Discord chat at https://discord.gg/Gitea](https://img.shields.io/discord/322538954119184384.svg)](https://discord.gg/Gitea)
-[![](https://images.microbadger.com/badges/image/gitea/gitea.svg)](https://microbadger.com/images/gitea/gitea "Get your own image badge on microbadger.com")
-[![codecov](https://codecov.io/gh/go-gitea/gitea/branch/master/graph/badge.svg)](https://codecov.io/gh/go-gitea/gitea)
-[![Go Report Card](https://goreportcard.com/badge/code.gitea.io/gitea)](https://goreportcard.com/report/code.gitea.io/gitea)
-[![GoDoc](https://godoc.org/code.gitea.io/gitea?status.svg)](https://godoc.org/code.gitea.io/gitea)
-[![GitHub release](https://img.shields.io/github/release/go-gitea/gitea.svg)](https://github.com/go-gitea/gitea/releases/latest)
-[![Help Contribute to Open Source](https://www.codetriage.com/go-gitea/gitea/badges/users.svg)](https://www.codetriage.com/go-gitea/gitea)
-[![Become a backer/sponsor of gitea](https://opencollective.com/gitea/tiers/backers/badge.svg?label=backers&color=brightgreen)](https://opencollective.com/gitea)
-[![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](https://opensource.org/licenses/MIT)
-[![Crowdin](https://badges.crowdin.net/gitea/localized.svg)](https://crowdin.com/project/gitea)
+<p align="center">
+  <a href="README_ZH.md">View the chinese version of this document</a>
+</p>

 ## Purpose

@@ -39,12 +73,12 @@ or if sqlite support is required:

 The `build` target is split into two sub-targets:

- `make backend` which requires [Go 1.12](https://golang.org/dl/) or greater.
- `make frontend` which requires [Node.js 10.13](https://nodejs.org/en/download/) or greater.
+- `make backend` which requires [Go 1.13](https://golang.org/dl/) or greater.
+- `make frontend` which requires [Node.js 12.17](https://nodejs.org/en/download/) or greater and Internet connectivity to download npm dependencies.

-If pre-built frontend files are present it is possible to only build the backend:
+When building from the official source tarballs which include pre-built frontend files, the `frontend` target will not be triggered, making it possible to build without Node.js and Internet connectivity.

-		TAGS="bindata" make backend
+Parallelism (`make -j <num>`) is not supported.

 More info: https://docs.gitea.io/en-us/install-from-source/

@@ -64,13 +98,24 @@ NOTES:
 1. **YOU MUST READ THE [CONTRIBUTORS GUIDE](CONTRIBUTING.md) BEFORE STARTING TO WORK ON A PULL REQUEST.**
 2. If you have found a vulnerability in the project, please write privately to **security@gitea.io**. Thanks!

+## Translating
+
+Translations are done through Crowdin. If you want to translate to a new language ask one of the managers in the Crowdin project to add a new language there. 
+
+You can also just create an issue for adding a language or ask on discord on the #translation channel. If you need context or find some translation issues, you can leave a comment on the string or ask on Discord. For general translation questions there is a section in the docs. Currently a bit empty but we hope fo fill it as questions pop up.
+
+https://docs.gitea.io/en-us/translation-guidelines/
+
+[![Crowdin](https://badges.crowdin.net/gitea/localized.svg)](https://crowdin.com/project/gitea)
+
 ## Further information

-For more information and instructions about how to install Gitea, please look
-at our [documentation](https://docs.gitea.io/en-us/). If you have questions
-that are not covered by the documentation, you can get in contact with us on
-our [Discord server](https://discord.gg/Gitea),
-or [forum](https://discourse.gitea.io/)!
+For more information and instructions about how to install Gitea, please look at our [documentation](https://docs.gitea.io/en-us/).
+If you have questions that are not covered by the documentation, you can get in contact with us on our [Discord server](https://discord.gg/Gitea) or create  a post in the [discourse forum](https://discourse.gitea.io/).
+
+We maintain a list of Gitea-related projects at [gitea/awesome-gitea](https://gitea.com/gitea/awesome-gitea).  
+The hugo-based documentation theme is hosted at [gitea/theme](https://gitea.com/gitea/theme).  
+The official Gitea CLI is developed at [gitea/tea](https://gitea.com/gitea/tea).

 ## Authors

@@ -112,7 +157,7 @@ We're [working on it](https://github.com/go-gitea/gitea/issues/1029).
 ## License

 This project is licensed under the MIT License.
-See the [LICENSE](https://github.com/go-gitea/gitea/blob/master/LICENSE) file
+See the [LICENSE](https://github.com/go-gitea/gitea/blob/main/LICENSE) file
 for the full license text.

 ## Screenshots
--- a/README_ZH.md
+++ b/README_ZH.md
@@ -1,18 +1,55 @@
-[English](README.md)
+<p align="center">
+  <a href="https://gitea.io/">
+    <img alt="Gitea" src="https://raw.githubusercontent.com/go-gitea/gitea/main/public/img/gitea.svg" width="220"/>
+  </a>
+</p>
+<h1 align="center">Gitea - Git with a cup of tea</h1>

-<h1> <img src="https://raw.githubusercontent.com/go-gitea/gitea/master/public/img/gitea-192.png" alt="logo" width="30" height="30"> Gitea - Git with a cup of tea</h1>
+<p align="center">
+  <a href="https://drone.gitea.io/go-gitea/gitea" title="Build Status">
+    <img src="https://drone.gitea.io/api/badges/go-gitea/gitea/status.svg?ref=refs/heads/main">
+  </a>
+  <a href="https://discord.gg/Gitea" title="Join the Discord chat at https://discord.gg/Gitea">
+    <img src="https://img.shields.io/discord/322538954119184384.svg">
+  </a>
+  <a href="https://microbadger.com/images/gitea/gitea" title="Get your own image badge on microbadger.com">
+    <img src="https://images.microbadger.com/badges/image/gitea/gitea.svg">
+  </a>
+  <a href="https://codecov.io/gh/go-gitea/gitea" title="Codecov">
+    <img src="https://codecov.io/gh/go-gitea/gitea/branch/main/graph/badge.svg">
+  </a>
+  <a href="https://godoc.org/code.gitea.io/gitea" title="Go Report Card">
+    <img src="https://goreportcard.com/badge/code.gitea.io/gitea">
+  </a>
+  <a href="https://godoc.org/code.gitea.io/gitea" title="GoDoc">
+    <img src="https://godoc.org/code.gitea.io/gitea?status.svg">
+  </a>
+  <a href="https://github.com/go-gitea/gitea/releases/latest" title="GitHub release">
+    <img src="https://img.shields.io/github/release/go-gitea/gitea.svg">
+  </a>
+  <a href="https://www.codetriage.com/go-gitea/gitea" title="Help Contribute to Open Source">
+    <img src="https://www.codetriage.com/go-gitea/gitea/badges/users.svg">
+  </a>
+  <a href="https://opencollective.com/gitea" title="Become a backer/sponsor of gitea">
+    <img src="https://opencollective.com/gitea/tiers/backers/badge.svg?label=backers&color=brightgreen">
+  </a>
+  <a href="https://opensource.org/licenses/MIT" title="License: MIT">
+    <img src="https://img.shields.io/badge/License-MIT-blue.svg">
+  </a>
+  <a href="https://crowdin.com/project/gitea" title="Crowdin">
+    <img src="https://badges.crowdin.net/gitea/localized.svg">
+  </a>
+  <a href="https://www.tickgit.com/browse?repo=github.com/go-gitea/gitea" title="TODOs">
+    <img src="https://badgen.net/https/api.tickgit.com/badgen/github.com/go-gitea/gitea">
+  </a>
+  <a href="https://img.shields.io/bountysource/team/gitea" title="Bountysource">
+    <img src="https://img.shields.io/bountysource/team/gitea/activity">
+  </a>
+</p>

-[![Build Status](https://drone.gitea.io/api/badges/go-gitea/gitea/status.svg)](https://drone.gitea.io/go-gitea/gitea)
-[![Join the Discord chat at https://discord.gg/Gitea](https://img.shields.io/discord/322538954119184384.svg)](https://discord.gg/Gitea)
-[![](https://images.microbadger.com/badges/image/gitea/gitea.svg)](https://microbadger.com/images/gitea/gitea "Get your own image badge on microbadger.com")
-[![codecov](https://codecov.io/gh/go-gitea/gitea/branch/master/graph/badge.svg)](https://codecov.io/gh/go-gitea/gitea)
-[![Go Report Card](https://goreportcard.com/badge/code.gitea.io/gitea)](https://goreportcard.com/report/code.gitea.io/gitea)
-[![GoDoc](https://godoc.org/code.gitea.io/gitea?status.svg)](https://godoc.org/code.gitea.io/gitea)
-[![GitHub release](https://img.shields.io/github/release/go-gitea/gitea.svg)](https://github.com/go-gitea/gitea/releases/latest)
-[![Help Contribute to Open Source](https://www.codetriage.com/go-gitea/gitea/badges/users.svg)](https://www.codetriage.com/go-gitea/gitea)
-[![Become a backer/sponsor of gitea](https://opencollective.com/gitea/tiers/backers/badge.svg?label=backers&color=brightgreen)](https://opencollective.com/gitea)
-[![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](https://opensource.org/licenses/MIT)
-[![Crowdin](https://badges.crowdin.net/gitea/localized.svg)](https://crowdin.com/project/gitea)
+<p align="center">
+  <a href="README.md">View the english version of this document</a>
+</p>

 ## 目标

@@ -34,6 +71,11 @@ Gitea 的首要目标是创建一个极易安装，运行非常快速，安装

 Fork -> Patch -> Push -> Pull Request

+## 翻译
+
+多语言翻译是基于Crowdin进行的.
+[![Crowdin](https://badges.crowdin.net/gitea/localized.svg)](https://crowdin.com/project/gitea)
+
 ## 作者

 * [Maintainers](https://github.com/orgs/go-gitea/people)
@@ -42,7 +84,7 @@ Fork -> Patch -> Push -> Pull Request

 ## 授权许可

-本项目采用 MIT 开源授权许可证，完整的授权说明已放置在 [LICENSE](https://github.com/go-gitea/gitea/blob/master/LICENSE) 文件中。
+本项目采用 MIT 开源授权许可证，完整的授权说明已放置在 [LICENSE](https://github.com/go-gitea/gitea/blob/main/LICENSE) 文件中。

 ## 截图

--- a/SECURITY.md
+++ b/SECURITY.md
@@ -0,0 +1,10 @@
+# Reporting security issues
+
+The Gitea maintainers take security seriously.  
+If you discover a security issue, please bring it to their attention right away!
+
+### Reporting a Vulnerability
+
+Please **DO NOT** file a public issue, instead send your report privately to `security@gitea.io`.
+
+Security reports are greatly appreciated and we will publicly thank you for it, although we keep your name confidential if you request it.
--- a/assets/emoji.json
+++ b/assets/emoji.json
--- a/assets/logo.svg
+++ b/assets/logo.svg
@@ -1,160 +1,31 @@
-<?xml version="1.0" encoding="UTF-8" standalone="no"?>
-<!-- Created with Inkscape (http://www.inkscape.org/) -->
-
-<svg
-   xmlns:dc="http://purl.org/dc/elements/1.1/"
-   xmlns:cc="http://creativecommons.org/ns#"
-   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
-   xmlns:svg="http://www.w3.org/2000/svg"
-   xmlns="http://www.w3.org/2000/svg"
-   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
-   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
-   width="512"
-   height="512"
-   viewBox="0 0 135.46667 135.46667"
-   version="1.1"
-   id="svg8"
-   sodipodi:docname="logo.svg"
-   inkscape:version="0.92.1 r15371"
-   inkscape:export-filename=""
-   inkscape:export-xdpi="48.000004"
-   inkscape:export-ydpi="48.000004">
-  <defs
-     id="defs2" />
-  <sodipodi:namedview
-     id="base"
-     pagecolor="#ffffff"
-     bordercolor="#666666"
-     borderopacity="1.0"
-     inkscape:pageopacity="0"
-     inkscape:pageshadow="2"
-     inkscape:zoom="0.70710678"
-     inkscape:cx="418.13805"
-     inkscape:cy="177.57445"
-     inkscape:document-units="mm"
-     inkscape:current-layer="layer2"
-     showgrid="false"
-     units="px"
-     width="256px"
-     showguides="false"
-     inkscape:window-width="1920"
-     inkscape:window-height="1137"
-     inkscape:window-x="1912"
-     inkscape:window-y="-8"
-     inkscape:window-maximized="1"
-     inkscape:pagecheckerboard="false"
-     inkscape:measure-start="283.373,243.952"
-     inkscape:measure-end="290.267,236.527">
-    <sodipodi:guide
-       position="0,0"
-       orientation="0,512"
-       id="guide3699"
-       inkscape:locked="false" />
-    <sodipodi:guide
-       position="135.46667,0"
-       orientation="-512,0"
-       id="guide3701"
-       inkscape:locked="false" />
-    <sodipodi:guide
-       position="135.46667,135.46667"
-       orientation="0,-512"
-       id="guide3703"
-       inkscape:locked="false" />
-    <sodipodi:guide
-       position="0,135.46667"
-       orientation="512,0"
-       id="guide3705"
-       inkscape:locked="false" />
-  </sodipodi:namedview>
-  <metadata
-     id="metadata5">
-    <rdf:RDF>
-      <cc:Work
-         rdf:about="">
-        <dc:format>image/svg+xml</dc:format>
-        <dc:type
-           rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
-        <dc:title></dc:title>
-      </cc:Work>
-    </rdf:RDF>
-  </metadata>
-  <g
-     inkscape:label="Layer 1"
-     inkscape:groupmode="layer"
-     id="layer1"
-     transform="translate(0,-161.53334)"
-     style="display:inline">
-    <path
-       style="fill:#609926;fill-opacity:1;stroke:#428f29;stroke-width:1;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;stroke-miterlimit:4;stroke-dasharray:none"
-       d="m 27.709937,195.15095 c -9.546573,-0.0272 -22.3392732,6.79805 -21.6317552,23.90397 1.105534,26.72889 25.4565952,29.20839 35.1916502,29.42301 1.068023,5.01357 12.521798,22.30563 21.001818,23.21667 h 37.15277 c 22.27763,-1.66785 38.9607,-75.75671 26.59321,-76.03825 -46.781583,2.47691 -49.995146,2.13838 -88.599758,0 -2.495053,-0.0266 -5.972321,-0.49474 -9.707935,-0.5054 z m 2.491319,9.45886 c 1.351378,13.69267 3.555849,21.70359 8.018216,33.94345 -11.382872,-1.50473 -21.069822,-5.22443 -22.851515,-19.10984 -0.950962,-7.4112 2.390428,-15.16769 14.833299,-14.83361 z"
-       id="path3722"
-       inkscape:connector-curvature="0"
-       sodipodi:nodetypes="sscccccsccsc" />
-  </g>
-  <g
-     inkscape:groupmode="layer"
-     id="layer2"
-     inkscape:label="Layer 2"
-     style="display:inline">
-    <rect
-       style="display:inline;fill:#ffffff;fill-opacity:1;stroke:none;stroke-width:0.24757317;stroke-opacity:1"
-       id="rect4599"
-       width="34.762054"
-       height="34.762054"
-       x="87.508659"
-       y="18.291576"
-       transform="rotate(25.914715)"
-       ry="5.4825778" />
-    <path
-       style="display:inline;fill:#ffffff;fill-opacity:1;stroke:none;stroke-width:0.26644793px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
-       d="m 79.804947,57.359056 3.241146,1.609954 V 35.255731 h -3.262698 z"
-       id="path4525"
-       inkscape:connector-curvature="0"
-       sodipodi:nodetypes="ccccc" />
-  </g>
-  <g
-     inkscape:groupmode="layer"
-     id="layer3"
-     inkscape:label="Layer 3"
-     style="display:inline">
-    <g
-       style="display:inline"
-       id="g4539">
-      <circle
-         transform="rotate(-19.796137)"
-         r="3.4745038"
-         cy="90.077766"
-         cx="49.064713"
-         id="path4606"
-         style="fill:#609926;fill-opacity:1;stroke:none;stroke-width:0.26458332;stroke-opacity:1" />
-      <circle
-         transform="rotate(-19.796137)"
-         r="3.4745038"
-         cy="102.1049"
-         cx="36.810425"
-         id="path4606-3"
-         style="fill:#609926;fill-opacity:1;stroke:none;stroke-width:0.26458332;stroke-opacity:1" />
-      <circle
-         transform="rotate(-19.796137)"
-         r="3.4745038"
-         cy="111.43928"
-         cx="46.484283"
-         id="path4606-1"
-         style="fill:#609926;fill-opacity:1;stroke:none;stroke-width:0.26458332;stroke-opacity:1" />
-      <rect
-         transform="rotate(26.024158)"
-         y="18.061695"
-         x="97.333458"
-         height="27.261492"
-         width="2.6726954"
-         id="rect4629-8"
-         style="fill:#609926;fill-opacity:1;stroke:none;stroke-width:0.27444693;stroke-opacity:1" />
-      <path
-         sodipodi:nodetypes="cc"
-         inkscape:connector-curvature="0"
-         id="path4514"
-         d="m 76.558096,68.116343 c 12.97589,6.395378 13.012989,4.101862 4.890858,20.907244"
-         style="fill:none;stroke:#609926;stroke-width:2.68000007;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" />
-    </g>
-  </g>
+<?xml version="1.0" encoding="utf-8"?>
+<svg version="1.1" id="main_outline" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px"
+	 y="0px" viewBox="0 0 640 640" style="enable-background:new 0 0 640 640;" xml:space="preserve">
+<g>
+	<path id="teabag" style="fill:#FFFFFF" d="M395.9,484.2l-126.9-61c-12.5-6-17.9-21.2-11.8-33.8l61-126.9c6-12.5,21.2-17.9,33.8-11.8
+		c17.2,8.3,27.1,13,27.1,13l-0.1-109.2l16.7-0.1l0.1,117.1c0,0,57.4,24.2,83.1,40.1c3.7,2.3,10.2,6.8,12.9,14.4
+		c2.1,6.1,2,13.1-1,19.3l-61,126.9C423.6,484.9,408.4,490.3,395.9,484.2z"/>
+	<g>
+		<g>
+			<path style="fill:#609926" d="M622.7,149.8c-4.1-4.1-9.6-4-9.6-4s-117.2,6.6-177.9,8c-13.3,0.3-26.5,0.6-39.6,0.7c0,39.1,0,78.2,0,117.2
+				c-5.5-2.6-11.1-5.3-16.6-7.9c0-36.4-0.1-109.2-0.1-109.2c-29,0.4-89.2-2.2-89.2-2.2s-141.4-7.1-156.8-8.5
+				c-9.8-0.6-22.5-2.1-39,1.5c-8.7,1.8-33.5,7.4-53.8,26.9C-4.9,212.4,6.6,276.2,8,285.8c1.7,11.7,6.9,44.2,31.7,72.5
+				c45.8,56.1,144.4,54.8,144.4,54.8s12.1,28.9,30.6,55.5c25,33.1,50.7,58.9,75.7,62c63,0,188.9-0.1,188.9-0.1s12,0.1,28.3-10.3
+				c14-8.5,26.5-23.4,26.5-23.4s12.9-13.8,30.9-45.3c5.5-9.7,10.1-19.1,14.1-28c0,0,55.2-117.1,55.2-231.1
+				C633.2,157.9,624.7,151.8,622.7,149.8z M125.6,353.9c-25.9-8.5-36.9-18.7-36.9-18.7S69.6,321.8,60,295.4
+				c-16.5-44.2-1.4-71.2-1.4-71.2s8.4-22.5,38.5-30c13.8-3.7,31-3.1,31-3.1s7.1,59.4,15.7,94.2c7.2,29.2,24.8,77.7,24.8,77.7
+				S142.5,359.9,125.6,353.9z M425.9,461.5c0,0-6.1,14.5-19.6,15.4c-5.8,0.4-10.3-1.2-10.3-1.2s-0.3-0.1-5.3-2.1l-112.9-55
+				c0,0-10.9-5.7-12.8-15.6c-2.2-8.1,2.7-18.1,2.7-18.1L322,273c0,0,4.8-9.7,12.2-13c0.6-0.3,2.3-1,4.5-1.5c8.1-2.1,18,2.8,18,2.8
+				l110.7,53.7c0,0,12.6,5.7,15.3,16.2c1.9,7.4-0.5,14-1.8,17.2C474.6,363.8,425.9,461.5,425.9,461.5z"/>
+			<path style="fill:#609926" d="M326.8,380.1c-8.2,0.1-15.4,5.8-17.3,13.8c-1.9,8,2,16.3,9.1,20c7.7,4,17.5,1.8,22.7-5.4
+				c5.1-7.1,4.3-16.9-1.8-23.1l24-49.1c1.5,0.1,3.7,0.2,6.2-0.5c4.1-0.9,7.1-3.6,7.1-3.6c4.2,1.8,8.6,3.8,13.2,6.1
+				c4.8,2.4,9.3,4.9,13.4,7.3c0.9,0.5,1.8,1.1,2.8,1.9c1.6,1.3,3.4,3.1,4.7,5.5c1.9,5.5-1.9,14.9-1.9,14.9
+				c-2.3,7.6-18.4,40.6-18.4,40.6c-8.1-0.2-15.3,5-17.7,12.5c-2.6,8.1,1.1,17.3,8.9,21.3c7.8,4,17.4,1.7,22.5-5.3
+				c5-6.8,4.6-16.3-1.1-22.6c1.9-3.7,3.7-7.4,5.6-11.3c5-10.4,13.5-30.4,13.5-30.4c0.9-1.7,5.7-10.3,2.7-21.3
+				c-2.5-11.4-12.6-16.7-12.6-16.7c-12.2-7.9-29.2-15.2-29.2-15.2s0-4.1-1.1-7.1c-1.1-3.1-2.8-5.1-3.9-6.3c4.7-9.7,9.4-19.3,14.1-29
+				c-4.1-2-8.1-4-12.2-6.1c-4.8,9.8-9.7,19.7-14.5,29.5c-6.7-0.1-12.9,3.5-16.1,9.4c-3.4,6.3-2.7,14.1,1.9,19.8
+				C343.2,346.5,335,363.3,326.8,380.1z"/>
+		</g>
+	</g>
+</g>
 </svg>
--- a/build.go
+++ b/build.go
@@ -10,14 +10,6 @@ package main
 // These libraries will not be included in a normal compilation.

 import (
-	// for lint
-	_ "github.com/BurntSushi/toml"
-	_ "github.com/mgechev/dots"
-	_ "github.com/mgechev/revive/formatter"
-	_ "github.com/mgechev/revive/lint"
-	_ "github.com/mgechev/revive/rule"
-	_ "github.com/mitchellh/go-homedir"
-
 	// for embed
 	_ "github.com/shurcooL/vfsgen"

@@ -25,7 +17,7 @@ import (
 	_ "golang.org/x/tools/cover"

 	// for vet
-	_ "gitea.com/jolheiser/gitea-vet"
+	_ "code.gitea.io/gitea-vet"

 	// for swagger
 	_ "github.com/go-swagger/go-swagger/cmd/swagger"
--- a/build/generate-emoji.go
+++ b/build/generate-emoji.go
@@ -8,7 +8,6 @@
 package main

 import (
-	"encoding/json"
 	"flag"
 	"fmt"
 	"go/format"
@@ -19,6 +18,9 @@ import (
 	"sort"
 	"strconv"
 	"strings"
+	"unicode/utf8"
+
+	jsoniter "github.com/json-iterator/go"
 )

 const (
@@ -39,6 +41,7 @@ type Emoji struct {
 	Description    string   `json:"description,omitempty"`
 	Aliases        []string `json:"aliases"`
 	UnicodeVersion string   `json:"unicode_version,omitempty"`
+	SkinTones      bool     `json:"skin_tones,omitempty"`
 }

 // Don't include some fields in JSON
@@ -47,6 +50,8 @@ func (e Emoji) MarshalJSON() ([]byte, error) {
 	x := emoji(e)
 	x.UnicodeVersion = ""
 	x.Description = ""
+	x.SkinTones = false
+	json := jsoniter.ConfigCompatibleWithStandardLibrary
 	return json.Marshal(x)
 }

@@ -75,6 +80,7 @@ var replacer = strings.NewReplacer(
 	", Description:", ", ",
 	", Aliases:", ", ",
 	", UnicodeVersion:", ", ",
+	", SkinTones:", ", ",
 )

 var emojiRE = regexp.MustCompile(`\{Emoji:"([^"]*)"`)
@@ -97,23 +103,26 @@ func generate() ([]byte, error) {

 	// unmarshal
 	var data Gemoji
+	json := jsoniter.ConfigCompatibleWithStandardLibrary
 	err = json.Unmarshal(body, &data)
 	if err != nil {
 		return nil, err
 	}

-	var re = regexp.MustCompile(`keycap|registered|copyright`)
-	tmp := data[:0]
+	var skinTones = make(map[string]string)

-	// filter out emoji that require greater than max unicode version
+	skinTones["\U0001f3fb"] = "Light Skin Tone"
+	skinTones["\U0001f3fc"] = "Medium-Light Skin Tone"
+	skinTones["\U0001f3fd"] = "Medium Skin Tone"
+	skinTones["\U0001f3fe"] = "Medium-Dark Skin Tone"
+	skinTones["\U0001f3ff"] = "Dark Skin Tone"
+
+	var tmp Gemoji
+
+	//filter out emoji that require greater than max unicode version
 	for i := range data {
 		val, _ := strconv.ParseFloat(data[i].UnicodeVersion, 64)
 		if int(val) <= maxUnicodeVersion {
-			// remove these keycaps for now they really complicate matching since
-			// they include normal letters in them
-			if re.MatchString(data[i].Description) {
-				continue
-			}
 			tmp = append(tmp, data[i])
 		}
 	}
@@ -123,7 +132,6 @@ func generate() ([]byte, error) {
 		return data[i].Aliases[0] < data[j].Aliases[0]
 	})

-	aliasPairs := make([]string, 0)
 	aliasMap := make(map[string]int, len(data))

 	for i, e := range data {
@@ -135,7 +143,6 @@ func generate() ([]byte, error) {
 				continue
 			}
 			aliasMap[a] = i
-			aliasPairs = append(aliasPairs, ":"+a+":", e.Emoji)
 		}
 	}

@@ -149,6 +156,43 @@ func generate() ([]byte, error) {
 		data[i].Aliases = append(data[i].Aliases, "laugh")
 	}

+	// write a JSON file to use with tribute (write before adding skin tones since we can't support them there yet)
+	file, _ := json.Marshal(data)
+	_ = ioutil.WriteFile("assets/emoji.json", file, 0644)
+
+	// Add skin tones to emoji that support it
+	var (
+		s              []string
+		newEmoji       string
+		newDescription string
+		newData        Emoji
+	)
+
+	for i := range data {
+		if data[i].SkinTones {
+			for k, v := range skinTones {
+				s = strings.Split(data[i].Emoji, "")
+
+				if utf8.RuneCountInString(data[i].Emoji) == 1 {
+					s = append(s, k)
+				} else {
+					// insert into slice after first element because all emoji that support skin tones
+					// have that modifier placed at this spot
+					s = append(s, "")
+					copy(s[2:], s[1:])
+					s[1] = k
+				}
+
+				newEmoji = strings.Join(s, "")
+				newDescription = data[i].Description + ": " + v
+				newAlias := data[i].Aliases[0] + "_" + strings.ReplaceAll(v, " ", "_")
+
+				newData = Emoji{newEmoji, newDescription, []string{newAlias}, "12.0", false}
+				data = append(data, newData)
+			}
+		}
+	}
+
 	// add header
 	str := replacer.Replace(fmt.Sprintf(hdr, gemojiURL, data))

@@ -162,10 +206,6 @@ func generate() ([]byte, error) {
 		return "{" + strconv.QuoteToASCII(s)
 	})

-	// write a JSON file to use with tribute
-	file, _ := json.Marshal(data)
-	_ = ioutil.WriteFile("assets/emoji.json", file, 0644)
-
 	// format
 	return format.Source([]byte(str))
 }
--- a/build/generate-gitignores.go
+++ b/build/generate-gitignores.go
@@ -15,16 +15,22 @@ import (
 	"path"
 	"path/filepath"
 	"strings"
+
+	"code.gitea.io/gitea/modules/util"
 )

 func main() {
 	var (
-		prefix      = "gitea-gitignore"
-		url         = "https://api.github.com/repos/github/gitignore/tarball"
-		destination = ""
+		prefix         = "gitea-gitignore"
+		url            = "https://api.github.com/repos/github/gitignore/tarball"
+		githubApiToken = ""
+		githubUsername = ""
+		destination    = ""
 	)

 	flag.StringVar(&destination, "dest", "options/gitignore/", "destination for the gitignores")
+	flag.StringVar(&githubUsername, "username", "", "github username")
+	flag.StringVar(&githubApiToken, "token", "", "github api token")
 	flag.Parse()

 	file, err := ioutil.TempFile(os.TempDir(), prefix)
@@ -33,14 +39,21 @@ func main() {
 		log.Fatalf("Failed to create temp file. %s", err)
 	}

-	defer os.Remove(file.Name())
-
-	resp, err := http.Get(url)
+	defer util.Remove(file.Name())

+	req, err := http.NewRequest("GET", url, nil)
 	if err != nil {
 		log.Fatalf("Failed to download archive. %s", err)
 	}

+	if len(githubApiToken) > 0 && len(githubUsername) > 0 {
+		req.SetBasicAuth(githubUsername, githubApiToken)
+	}
+
+	resp, err := http.DefaultClient.Do(req)
+	if err != nil {
+		log.Fatalf("Failed to download archive. %s", err)
+	}
 	defer resp.Body.Close()

 	if _, err := io.Copy(file, resp.Body); err != nil {
--- a/build/generate-images.js
+++ b/build/generate-images.js
@@ -0,0 +1,83 @@
+import imageminZopfli from 'imagemin-zopfli';
+import {optimize, extendDefaultPlugins} from 'svgo';
+import {fabric} from 'fabric';
+import fs from 'fs';
+import {resolve, dirname} from 'path';
+import {fileURLToPath} from 'url';
+
+const {readFile, writeFile} = fs.promises;
+const __dirname = dirname(fileURLToPath(import.meta.url));
+const logoFile = resolve(__dirname, '../assets/logo.svg');
+
+function exit(err) {
+  if (err) console.error(err);
+  process.exit(err ? 1 : 0);
+}
+
+function loadSvg(svg) {
+  return new Promise((resolve) => {
+    fabric.loadSVGFromString(svg, (objects, options) => {
+      resolve({objects, options});
+    });
+  });
+}
+
+async function generate(svg, outputFile, {size, bg}) {
+  if (outputFile.endsWith('.svg')) {
+    const {data} = optimize(svg, {
+      plugins: extendDefaultPlugins([
+        'removeDimensions',
+        {
+          name: 'addAttributesToSVGElement',
+          params: {attributes: [{width: size}, {height: size}]}
+        },
+      ]),
+    });
+    await writeFile(outputFile, data);
+    return;
+  }
+
+  const {objects, options} = await loadSvg(svg);
+  const canvas = new fabric.Canvas();
+  canvas.setDimensions({width: size, height: size});
+  const ctx = canvas.getContext('2d');
+  ctx.scale(options.width ? (size / options.width) : 1, options.height ? (size / options.height) : 1);
+
+  if (bg) {
+    canvas.add(new fabric.Rect({
+      left: 0,
+      top: 0,
+      height: size * (1 / (size / options.height)),
+      width: size * (1 / (size / options.width)),
+      fill: 'white',
+    }));
+  }
+
+  canvas.add(fabric.util.groupSVGElements(objects, options));
+  canvas.renderAll();
+
+  let png = Buffer.from([]);
+  for await (const chunk of canvas.createPNGStream()) {
+    png = Buffer.concat([png, chunk]);
+  }
+
+  png = await imageminZopfli({more: true})(png);
+  await writeFile(outputFile, png);
+}
+
+async function main() {
+  const gitea = process.argv.slice(2).includes('gitea');
+  const svg = await readFile(logoFile, 'utf8');
+
+  await Promise.all([
+    generate(svg, resolve(__dirname, '../public/img/logo.svg'), {size: 32}),
+    generate(svg, resolve(__dirname, '../public/img/logo.png'), {size: 512}),
+    generate(svg, resolve(__dirname, '../public/img/favicon.png'), {size: 180}),
+    generate(svg, resolve(__dirname, '../public/img/avatar_default.png'), {size: 200}),
+    generate(svg, resolve(__dirname, '../public/img/apple-touch-icon.png'), {size: 180, bg: true}),
+    gitea && generate(svg, resolve(__dirname, '../public/img/gitea.svg'), {size: 32}),
+  ]);
+}
+
+main().then(exit).catch(exit);
+
--- a/build/generate-licenses.go
+++ b/build/generate-licenses.go
@@ -15,16 +15,22 @@ import (
 	"path"
 	"path/filepath"
 	"strings"
+
+	"code.gitea.io/gitea/modules/util"
 )

 func main() {
 	var (
-		prefix      = "gitea-licenses"
-		url         = "https://api.github.com/repos/spdx/license-list-data/tarball"
-		destination = ""
+		prefix         = "gitea-licenses"
+		url            = "https://api.github.com/repos/spdx/license-list-data/tarball"
+		githubApiToken = ""
+		githubUsername = ""
+		destination    = ""
 	)

 	flag.StringVar(&destination, "dest", "options/license/", "destination for the licenses")
+	flag.StringVar(&githubUsername, "username", "", "github username")
+	flag.StringVar(&githubApiToken, "token", "", "github api token")
 	flag.Parse()

 	file, err := ioutil.TempFile(os.TempDir(), prefix)
@@ -33,10 +39,18 @@ func main() {
 		log.Fatalf("Failed to create temp file. %s", err)
 	}

-	defer os.Remove(file.Name())
+	defer util.Remove(file.Name())

-	resp, err := http.Get(url)
+	req, err := http.NewRequest("GET", url, nil)
+	if err != nil {
+		log.Fatalf("Failed to download archive. %s", err)
+	}

+	if len(githubApiToken) > 0 && len(githubUsername) > 0 {
+		req.SetBasicAuth(githubUsername, githubApiToken)
+	}
+
+	resp, err := http.DefaultClient.Do(req)
 	if err != nil {
 		log.Fatalf("Failed to download archive. %s", err)
 	}
--- a/build/generate-svg.js
+++ b/build/generate-svg.js
@@ -0,0 +1,63 @@
+import fastGlob from 'fast-glob';
+import {optimize, extendDefaultPlugins} from 'svgo';
+import {resolve, parse, dirname} from 'path';
+import fs from 'fs';
+import {fileURLToPath} from 'url';
+
+const {readFile, writeFile, mkdir} = fs.promises;
+const __dirname = dirname(fileURLToPath(import.meta.url));
+const glob = (pattern) => fastGlob.sync(pattern, {cwd: resolve(__dirname), absolute: true});
+const outputDir = resolve(__dirname, '../public/img/svg');
+
+function exit(err) {
+  if (err) console.error(err);
+  process.exit(err ? 1 : 0);
+}
+
+async function processFile(file, {prefix, fullName} = {}) {
+  let name;
+
+  if (fullName) {
+    name = fullName;
+  } else {
+    name = parse(file).name;
+    if (prefix) name = `${prefix}-${name}`;
+    if (prefix === 'octicon') name = name.replace(/-[0-9]+$/, ''); // chop of '-16' on octicons
+  }
+
+  const {data} = optimize(await readFile(file, 'utf8'), {
+    plugins: extendDefaultPlugins([
+      'removeXMLNS',
+      'removeDimensions',
+      {name: 'prefixIds', params: {prefix: () => name}},
+      {
+        name: 'addClassesToSVGElement',
+        params: {classNames: ['svg', name]},
+      },
+      {
+        name: 'addAttributesToSVGElement',
+        params: {attributes: [{'width': '16'}, {'height': '16'}, {'aria-hidden': 'true'}]},
+      },
+    ]),
+  });
+  await writeFile(resolve(outputDir, `${name}.svg`), data);
+}
+
+function processFiles(pattern, opts) {
+  return glob(pattern).map((file) => processFile(file, opts));
+}
+
+async function main() {
+  try {
+    await mkdir(outputDir);
+  } catch {}
+
+  await Promise.all([
+    ...processFiles('../node_modules/@primer/octicons/build/svg/*-16.svg', {prefix: 'octicon'}),
+    ...processFiles('../web_src/svg/*.svg'),
+    ...processFiles('../public/img/gitea.svg', {fullName: 'gitea-gitea'}),
+  ]);
+}
+
+main().then(exit).catch(exit);
+
--- a/build/lint.go
+++ b/build/lint.go
@@ -1,325 +0,0 @@
-// Copyright 2020 The Gitea Authors. All rights reserved.
-// Copyright (c) 2018 Minko Gechev. All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
-
-// +build ignore
-
-package main
-
-import (
-	"flag"
-	"fmt"
-	"io/ioutil"
-	"os"
-	"path/filepath"
-	"strings"
-
-	"github.com/BurntSushi/toml"
-	"github.com/mgechev/dots"
-	"github.com/mgechev/revive/formatter"
-	"github.com/mgechev/revive/lint"
-	"github.com/mgechev/revive/rule"
-	"github.com/mitchellh/go-homedir"
-)
-
-func fail(err string) {
-	fmt.Fprintln(os.Stderr, err)
-	os.Exit(1)
-}
-
-var defaultRules = []lint.Rule{
-	&rule.VarDeclarationsRule{},
-	&rule.PackageCommentsRule{},
-	&rule.DotImportsRule{},
-	&rule.BlankImportsRule{},
-	&rule.ExportedRule{},
-	&rule.VarNamingRule{},
-	&rule.IndentErrorFlowRule{},
-	&rule.IfReturnRule{},
-	&rule.RangeRule{},
-	&rule.ErrorfRule{},
-	&rule.ErrorNamingRule{},
-	&rule.ErrorStringsRule{},
-	&rule.ReceiverNamingRule{},
-	&rule.IncrementDecrementRule{},
-	&rule.ErrorReturnRule{},
-	&rule.UnexportedReturnRule{},
-	&rule.TimeNamingRule{},
-	&rule.ContextKeysType{},
-	&rule.ContextAsArgumentRule{},
-}
-
-var allRules = append([]lint.Rule{
-	&rule.ArgumentsLimitRule{},
-	&rule.CyclomaticRule{},
-	&rule.FileHeaderRule{},
-	&rule.EmptyBlockRule{},
-	&rule.SuperfluousElseRule{},
-	&rule.ConfusingNamingRule{},
-	&rule.GetReturnRule{},
-	&rule.ModifiesParamRule{},
-	&rule.ConfusingResultsRule{},
-	&rule.DeepExitRule{},
-	&rule.UnusedParamRule{},
-	&rule.UnreachableCodeRule{},
-	&rule.AddConstantRule{},
-	&rule.FlagParamRule{},
-	&rule.UnnecessaryStmtRule{},
-	&rule.StructTagRule{},
-	&rule.ModifiesValRecRule{},
-	&rule.ConstantLogicalExprRule{},
-	&rule.BoolLiteralRule{},
-	&rule.RedefinesBuiltinIDRule{},
-	&rule.ImportsBlacklistRule{},
-	&rule.FunctionResultsLimitRule{},
-	&rule.MaxPublicStructsRule{},
-	&rule.RangeValInClosureRule{},
-	&rule.RangeValAddress{},
-	&rule.WaitGroupByValueRule{},
-	&rule.AtomicRule{},
-	&rule.EmptyLinesRule{},
-	&rule.LineLengthLimitRule{},
-	&rule.CallToGCRule{},
-	&rule.DuplicatedImportsRule{},
-	&rule.ImportShadowingRule{},
-	&rule.BareReturnRule{},
-	&rule.UnusedReceiverRule{},
-	&rule.UnhandledErrorRule{},
-	&rule.CognitiveComplexityRule{},
-	&rule.StringOfIntRule{},
-}, defaultRules...)
-
-var allFormatters = []lint.Formatter{
-	&formatter.Stylish{},
-	&formatter.Friendly{},
-	&formatter.JSON{},
-	&formatter.NDJSON{},
-	&formatter.Default{},
-	&formatter.Unix{},
-	&formatter.Checkstyle{},
-	&formatter.Plain{},
-}
-
-func getFormatters() map[string]lint.Formatter {
-	result := map[string]lint.Formatter{}
-	for _, f := range allFormatters {
-		result[f.Name()] = f
-	}
-	return result
-}
-
-func getLintingRules(config *lint.Config) []lint.Rule {
-	rulesMap := map[string]lint.Rule{}
-	for _, r := range allRules {
-		rulesMap[r.Name()] = r
-	}
-
-	lintingRules := []lint.Rule{}
-	for name := range config.Rules {
-		rule, ok := rulesMap[name]
-		if !ok {
-			fail("cannot find rule: " + name)
-		}
-		lintingRules = append(lintingRules, rule)
-	}
-
-	return lintingRules
-}
-
-func parseConfig(path string) *lint.Config {
-	config := &lint.Config{}
-	file, err := ioutil.ReadFile(path)
-	if err != nil {
-		fail("cannot read the config file")
-	}
-	_, err = toml.Decode(string(file), config)
-	if err != nil {
-		fail("cannot parse the config file: " + err.Error())
-	}
-	return config
-}
-
-func normalizeConfig(config *lint.Config) {
-	if config.Confidence == 0 {
-		config.Confidence = 0.8
-	}
-	severity := config.Severity
-	if severity != "" {
-		for k, v := range config.Rules {
-			if v.Severity == "" {
-				v.Severity = severity
-			}
-			config.Rules[k] = v
-		}
-		for k, v := range config.Directives {
-			if v.Severity == "" {
-				v.Severity = severity
-			}
-			config.Directives[k] = v
-		}
-	}
-}
-
-func getConfig() *lint.Config {
-	config := defaultConfig()
-	if configPath != "" {
-		config = parseConfig(configPath)
-	}
-	normalizeConfig(config)
-	return config
-}
-
-func getFormatter() lint.Formatter {
-	formatters := getFormatters()
-	formatter := formatters["default"]
-	if formatterName != "" {
-		f, ok := formatters[formatterName]
-		if !ok {
-			fail("unknown formatter " + formatterName)
-		}
-		formatter = f
-	}
-	return formatter
-}
-
-func buildDefaultConfigPath() string {
-	var result string
-	if homeDir, err := homedir.Dir(); err == nil {
-		result = filepath.Join(homeDir, "revive.toml")
-		if _, err := os.Stat(result); err != nil {
-			result = ""
-		}
-	}
-
-	return result
-}
-
-func defaultConfig() *lint.Config {
-	defaultConfig := lint.Config{
-		Confidence: 0.0,
-		Severity:   lint.SeverityWarning,
-		Rules:      map[string]lint.RuleConfig{},
-	}
-	for _, r := range defaultRules {
-		defaultConfig.Rules[r.Name()] = lint.RuleConfig{}
-	}
-	return &defaultConfig
-}
-
-func normalizeSplit(strs []string) []string {
-	res := []string{}
-	for _, s := range strs {
-		t := strings.Trim(s, " \t")
-		if len(t) > 0 {
-			res = append(res, t)
-		}
-	}
-	return res
-}
-
-func getPackages() [][]string {
-	globs := normalizeSplit(flag.Args())
-	if len(globs) == 0 {
-		globs = append(globs, ".")
-	}
-
-	packages, err := dots.ResolvePackages(globs, normalizeSplit(excludePaths))
-	if err != nil {
-		fail(err.Error())
-	}
-
-	return packages
-}
-
-type arrayFlags []string
-
-func (i *arrayFlags) String() string {
-	return strings.Join([]string(*i), " ")
-}
-
-func (i *arrayFlags) Set(value string) error {
-	*i = append(*i, value)
-	return nil
-}
-
-var configPath string
-var excludePaths arrayFlags
-var formatterName string
-var help bool
-
-var originalUsage = flag.Usage
-
-func init() {
-	flag.Usage = func() {
-		originalUsage()
-	}
-	// command line help strings
-	const (
-		configUsage    = "path to the configuration TOML file, defaults to $HOME/revive.toml, if present (i.e. -config myconf.toml)"
-		excludeUsage   = "list of globs which specify files to be excluded (i.e. -exclude foo/...)"
-		formatterUsage = "formatter to be used for the output (i.e. -formatter stylish)"
-	)
-
-	defaultConfigPath := buildDefaultConfigPath()
-
-	flag.StringVar(&configPath, "config", defaultConfigPath, configUsage)
-	flag.Var(&excludePaths, "exclude", excludeUsage)
-	flag.StringVar(&formatterName, "formatter", "", formatterUsage)
-	flag.Parse()
-}
-
-func main() {
-	config := getConfig()
-	formatter := getFormatter()
-	packages := getPackages()
-
-	revive := lint.New(func(file string) ([]byte, error) {
-		return ioutil.ReadFile(file)
-	})
-
-	lintingRules := getLintingRules(config)
-
-	failures, err := revive.Lint(packages, lintingRules, *config)
-	if err != nil {
-		fail(err.Error())
-	}
-
-	formatChan := make(chan lint.Failure)
-	exitChan := make(chan bool)
-
-	var output string
-	go (func() {
-		output, err = formatter.Format(formatChan, *config)
-		if err != nil {
-			fail(err.Error())
-		}
-		exitChan <- true
-	})()
-
-	exitCode := 0
-	for f := range failures {
-		if f.Confidence < config.Confidence {
-			continue
-		}
-		if exitCode == 0 {
-			exitCode = config.WarningCode
-		}
-		if c, ok := config.Rules[f.RuleName]; ok && c.Severity == lint.SeverityError {
-			exitCode = config.ErrorCode
-		}
-		if c, ok := config.Directives[f.RuleName]; ok && c.Severity == lint.SeverityError {
-			exitCode = config.ErrorCode
-		}
-
-		formatChan <- f
-	}
-
-	close(formatChan)
-	<-exitChan
-	if output != "" {
-		fmt.Println(output)
-	}
-
-	os.Exit(exitCode)
-}
--- a/build/update-locales.sh
+++ b/build/update-locales.sh
@@ -10,10 +10,10 @@ sed -i -r -e '/^[a-zA-Z0-9_.-]+[ ]*=[ ]*".*"$/ {
 	}' ./options/locale/*.ini

 # Remove translation under 25% of en_us
-baselines=`wc -l "./options/locale_en-US.ini" | cut -d" " -f1`
+baselines=$(wc -l "./options/locale_en-US.ini" | cut -d" " -f1)
 baselines=$((baselines / 4))
 for filename in ./options/locale/*.ini; do
-  lines=`wc -l "$filename" | cut -d" " -f1`
+  lines=$(wc -l "$filename" | cut -d" " -f1)
  if [ $lines -lt $baselines ]; then
    echo "Removing $filename: $lines/$baselines"
    rm "$filename"
--- a/cmd/admin.go
+++ b/cmd/admin.go
@@ -6,9 +6,11 @@
 package cmd

 import (
+	"context"
 	"errors"
 	"fmt"
 	"os"
+	"strings"
 	"text/tabwriter"

 	"code.gitea.io/gitea/models"
@@ -19,6 +21,7 @@ import (
 	pwd "code.gitea.io/gitea/modules/password"
 	repo_module "code.gitea.io/gitea/modules/repository"
 	"code.gitea.io/gitea/modules/setting"
+	"code.gitea.io/gitea/modules/storage"

 	"github.com/urfave/cli"
 )
@@ -29,16 +32,39 @@ var (
 		Name:  "admin",
 		Usage: "Command line interface to perform common administrative operations",
 		Subcommands: []cli.Command{
-			subcmdCreateUser,
-			subcmdChangePassword,
+			subcmdUser,
 			subcmdRepoSyncReleases,
 			subcmdRegenerate,
 			subcmdAuth,
+			subcmdSendMail,
 		},
 	}

-	subcmdCreateUser = cli.Command{
-		Name:   "create-user",
+	subcmdUser = cli.Command{
+		Name:  "user",
+		Usage: "Modify users",
+		Subcommands: []cli.Command{
+			microcmdUserCreate,
+			microcmdUserList,
+			microcmdUserChangePassword,
+			microcmdUserDelete,
+		},
+	}
+
+	microcmdUserList = cli.Command{
+		Name:   "list",
+		Usage:  "List users",
+		Action: runListUsers,
+		Flags: []cli.Flag{
+			cli.BoolFlag{
+				Name:  "admin",
+				Usage: "List only admin users",
+			},
+		},
+	}
+
+	microcmdUserCreate = cli.Command{
+		Name:   "create",
 		Usage:  "Create a new user in database",
 		Action: runCreateUser,
 		Flags: []cli.Flag{
@@ -82,7 +108,7 @@ var (
 		},
 	}

-	subcmdChangePassword = cli.Command{
+	microcmdUserChangePassword = cli.Command{
 		Name:   "change-password",
 		Usage:  "Change a user's password",
 		Action: runChangePassword,
@@ -100,6 +126,26 @@ var (
 		},
 	}

+	microcmdUserDelete = cli.Command{
+		Name:  "delete",
+		Usage: "Delete specific user by id, name or email",
+		Flags: []cli.Flag{
+			cli.Int64Flag{
+				Name:  "id",
+				Usage: "ID of user of the user to delete",
+			},
+			cli.StringFlag{
+				Name:  "username,u",
+				Usage: "Username of the user to delete",
+			},
+			cli.StringFlag{
+				Name:  "email,e",
+				Usage: "Email of the user to delete",
+			},
+		},
+		Action: runDeleteUser,
+	}
+
 	subcmdRepoSyncReleases = cli.Command{
 		Name:   "repo-sync-releases",
 		Usage:  "Synchronize repository releases with tags",
@@ -237,6 +283,11 @@ var (
 			Value: "",
 			Usage: "Use a custom Email URL (option for GitHub)",
 		},
+		cli.StringFlag{
+			Name:  "icon-url",
+			Value: "",
+			Usage: "Custom icon URL for OAuth2 login source",
+		},
 	}

 	microcmdAuthUpdateOauth = cli.Command{
@@ -252,6 +303,28 @@ var (
 		Action: runAddOauth,
 		Flags:  oauthCLIFlags,
 	}
+
+	subcmdSendMail = cli.Command{
+		Name:   "sendmail",
+		Usage:  "Send a message to all users",
+		Action: runSendMail,
+		Flags: []cli.Flag{
+			cli.StringFlag{
+				Name:  "title",
+				Usage: `a title of a message`,
+				Value: "",
+			},
+			cli.StringFlag{
+				Name:  "content",
+				Usage: "a content of a message",
+				Value: "",
+			},
+			cli.BoolFlag{
+				Name:  "force,f",
+				Usage: "A flag to bypass a confirmation step",
+			},
+		},
+	}
 )

 func runChangePassword(c *cli.Context) error {
@@ -265,17 +338,23 @@ func runChangePassword(c *cli.Context) error {
 	if !pwd.IsComplexEnough(c.String("password")) {
 		return errors.New("Password does not meet complexity requirements")
 	}
+	pwned, err := pwd.IsPwned(context.Background(), c.String("password"))
+	if err != nil {
+		return err
+	}
+	if pwned {
+		return errors.New("The password you chose is on a list of stolen passwords previously exposed in public data breaches. Please try again with a different password.\nFor more details, see https://haveibeenpwned.com/Passwords")
+	}
 	uname := c.String("username")
 	user, err := models.GetUserByName(uname)
 	if err != nil {
 		return err
 	}
-	if user.Salt, err = models.GetUserSalt(); err != nil {
+	if err = user.SetPassword(c.String("password")); err != nil {
 		return err
 	}
-	user.HashPassword(c.String("password"))

-	if err := models.UpdateUserCols(user, "passwd", "salt"); err != nil {
+	if err = models.UpdateUserCols(user, "passwd", "passwd_hash_algo", "salt"); err != nil {
 		return err
 	}

@@ -369,7 +448,76 @@ func runCreateUser(c *cli.Context) error {
 	return nil
 }

-func runRepoSyncReleases(c *cli.Context) error {
+func runListUsers(c *cli.Context) error {
+	if err := initDB(); err != nil {
+		return err
+	}
+
+	users, err := models.GetAllUsers()
+
+	if err != nil {
+		return err
+	}
+
+	w := tabwriter.NewWriter(os.Stdout, 5, 0, 1, ' ', 0)
+
+	if c.IsSet("admin") {
+		fmt.Fprintf(w, "ID\tUsername\tEmail\tIsActive\n")
+		for _, u := range users {
+			if u.IsAdmin {
+				fmt.Fprintf(w, "%d\t%s\t%s\t%t\n", u.ID, u.Name, u.Email, u.IsActive)
+			}
+		}
+	} else {
+		fmt.Fprintf(w, "ID\tUsername\tEmail\tIsActive\tIsAdmin\n")
+		for _, u := range users {
+			fmt.Fprintf(w, "%d\t%s\t%s\t%t\t%t\n", u.ID, u.Name, u.Email, u.IsActive, u.IsAdmin)
+		}
+
+	}
+
+	w.Flush()
+	return nil
+
+}
+
+func runDeleteUser(c *cli.Context) error {
+	if !c.IsSet("id") && !c.IsSet("username") && !c.IsSet("email") {
+		return fmt.Errorf("You must provide the id, username or email of a user to delete")
+	}
+
+	if err := initDB(); err != nil {
+		return err
+	}
+
+	if err := storage.Init(); err != nil {
+		return err
+	}
+
+	var err error
+	var user *models.User
+	if c.IsSet("email") {
+		user, err = models.GetUserByEmail(c.String("email"))
+	} else if c.IsSet("username") {
+		user, err = models.GetUserByName(c.String("username"))
+	} else {
+		user, err = models.GetUserByID(c.Int64("id"))
+	}
+	if err != nil {
+		return err
+	}
+	if c.IsSet("username") && user.LowerName != strings.ToLower(strings.TrimSpace(c.String("username"))) {
+		return fmt.Errorf("The user %s who has email %s does not match the provided username %s", user.Name, c.String("email"), c.String("username"))
+	}
+
+	if c.IsSet("id") && user.ID != c.Int64("id") {
+		return fmt.Errorf("The user %s does not match the provided id %d", user.Name, c.Int64("id"))
+	}
+
+	return models.DeleteUser(user)
+}
+
+func runRepoSyncReleases(_ *cli.Context) error {
 	if err := initDB(); err != nil {
 		return err
 	}
@@ -435,14 +583,14 @@ func getReleaseCount(id int64) (int64, error) {
 	)
 }

-func runRegenerateHooks(c *cli.Context) error {
+func runRegenerateHooks(_ *cli.Context) error {
 	if err := initDB(); err != nil {
 		return err
 	}
 	return repo_module.SyncRepositoryHooks(graceful.GetManager().ShutdownContext())
 }

-func runRegenerateKeys(c *cli.Context) error {
+func runRegenerateKeys(_ *cli.Context) error {
 	if err := initDB(); err != nil {
 		return err
 	}
@@ -467,6 +615,7 @@ func parseOAuth2Config(c *cli.Context) *models.OAuth2Config {
 		ClientSecret:                  c.String("secret"),
 		OpenIDConnectAutoDiscoveryURL: c.String("auto-discover-url"),
 		CustomURLMapping:              customURLMapping,
+		IconURL:                       c.String("icon-url"),
 	}
 }

@@ -519,6 +668,10 @@ func runUpdateOauth(c *cli.Context) error {
 		oAuth2Config.OpenIDConnectAutoDiscoveryURL = c.String("auto-discover-url")
 	}

+	if c.IsSet("icon-url") {
+		oAuth2Config.IconURL = c.String("icon-url")
+	}
+
 	// update custom URL mapping
 	var customURLMapping = &oauth2.CustomURLMapping{}

--- a/cmd/cmd.go
+++ b/cmd/cmd.go
@@ -7,8 +7,13 @@
 package cmd

 import (
+	"context"
 	"errors"
 	"fmt"
+	"os"
+	"os/signal"
+	"strings"
+	"syscall"

 	"code.gitea.io/gitea/models"
 	"code.gitea.io/gitea/modules/setting"
@@ -32,6 +37,25 @@ func argsSet(c *cli.Context, args ...string) error {
 	return nil
 }

+// confirm waits for user input which confirms an action
+func confirm() (bool, error) {
+	var response string
+
+	_, err := fmt.Scanln(&response)
+	if err != nil {
+		return false, err
+	}
+
+	switch strings.ToLower(response) {
+	case "y", "yes":
+		return true, nil
+	case "n", "no":
+		return false, nil
+	default:
+		return false, errors.New(response + " isn't a correct confirmation string")
+	}
+}
+
 func initDB() error {
 	return initDBDisableConsole(false)
 }
@@ -46,3 +70,25 @@ func initDBDisableConsole(disableConsole bool) error {
 	}
 	return nil
 }
+
+func installSignals() (context.Context, context.CancelFunc) {
+	ctx, cancel := context.WithCancel(context.Background())
+	go func() {
+		// install notify
+		signalChannel := make(chan os.Signal, 1)
+
+		signal.Notify(
+			signalChannel,
+			syscall.SIGINT,
+			syscall.SIGTERM,
+		)
+		select {
+		case <-signalChannel:
+		case <-ctx.Done():
+		}
+		cancel()
+		signal.Reset()
+	}()
+
+	return ctx, cancel
+}
--- a/cmd/convert.go
+++ b/cmd/convert.go
@@ -27,10 +27,10 @@ func runConvert(ctx *cli.Context) error {
 		return err
 	}

-	log.Trace("AppPath: %s", setting.AppPath)
-	log.Trace("AppWorkPath: %s", setting.AppWorkPath)
-	log.Trace("Custom path: %s", setting.CustomPath)
-	log.Trace("Log path: %s", setting.LogRootPath)
+	log.Info("AppPath: %s", setting.AppPath)
+	log.Info("AppWorkPath: %s", setting.AppWorkPath)
+	log.Info("Custom path: %s", setting.CustomPath)
+	log.Info("Log path: %s", setting.LogRootPath)
 	setting.InitDBConfig()

 	if !setting.Database.UseMySQL {
--- a/cmd/docs.go
+++ b/cmd/docs.go
@@ -0,0 +1,61 @@
+// Copyright 2020 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package cmd
+
+import (
+	"fmt"
+	"os"
+	"strings"
+
+	"github.com/urfave/cli"
+)
+
+// CmdDocs represents the available docs sub-command.
+var CmdDocs = cli.Command{
+	Name:        "docs",
+	Usage:       "Output CLI documentation",
+	Description: "A command to output Gitea's CLI documentation, optionally to a file.",
+	Action:      runDocs,
+	Flags: []cli.Flag{
+		&cli.BoolFlag{
+			Name:  "man",
+			Usage: "Output man pages instead",
+		},
+		&cli.StringFlag{
+			Name:  "output, o",
+			Usage: "Path to output to instead of stdout (will overwrite if exists)",
+		},
+	},
+}
+
+func runDocs(ctx *cli.Context) error {
+	docs, err := ctx.App.ToMarkdown()
+	if ctx.Bool("man") {
+		docs, err = ctx.App.ToMan()
+	}
+	if err != nil {
+		return err
+	}
+
+	if !ctx.Bool("man") {
+		// Clean up markdown. The following bug was fixed in v2, but is present in v1.
+		// It affects markdown output (even though the issue is referring to man pages)
+		// https://github.com/urfave/cli/issues/1040
+		docs = docs[strings.Index(docs, "#"):]
+	}
+
+	out := os.Stdout
+	if ctx.String("output") != "" {
+		fi, err := os.Create(ctx.String("output"))
+		if err != nil {
+			return err
+		}
+		defer fi.Close()
+		out = fi
+	}
+
+	_, err = fmt.Fprintln(out, docs)
+	return err
+}
--- a/cmd/doctor.go
+++ b/cmd/doctor.go
@@ -5,26 +5,20 @@
 package cmd

 import (
-	"bufio"
-	"bytes"
 	"context"
 	"fmt"
-	"io/ioutil"
 	golog "log"
 	"os"
-	"os/exec"
-	"path/filepath"
 	"strings"
 	"text/tabwriter"

 	"code.gitea.io/gitea/models"
 	"code.gitea.io/gitea/models/migrations"
-	"code.gitea.io/gitea/modules/git"
+	"code.gitea.io/gitea/modules/doctor"
 	"code.gitea.io/gitea/modules/log"
-	"code.gitea.io/gitea/modules/options"
-	"code.gitea.io/gitea/modules/repository"
 	"code.gitea.io/gitea/modules/setting"
-	"xorm.io/builder"
+
+	"xorm.io/xorm"

 	"github.com/urfave/cli"
 )
@@ -60,65 +54,76 @@ var CmdDoctor = cli.Command{
 			Name:  "log-file",
 			Usage: `Name of the log file (default: "doctor.log"). Set to "-" to output to stdout, set to "" to disable`,
 		},
+		cli.BoolFlag{
+			Name:  "color, H",
+			Usage: "Use color for outputted information",
+		},
+	},
+	Subcommands: []cli.Command{
+		cmdRecreateTable,
 	},
 }

-type check struct {
-	title            string
-	name             string
-	isDefault        bool
-	f                func(ctx *cli.Context) ([]string, error)
-	abortIfFailed    bool
-	skipDatabaseInit bool
+var cmdRecreateTable = cli.Command{
+	Name:      "recreate-table",
+	Usage:     "Recreate tables from XORM definitions and copy the data.",
+	ArgsUsage: "[TABLE]... : (TABLEs to recreate - leave blank for all)",
+	Flags: []cli.Flag{
+		cli.BoolFlag{
+			Name:  "debug",
+			Usage: "Print SQL commands sent",
+		},
+	},
+	Description: `The database definitions Gitea uses change across versions, sometimes changing default values and leaving old unused columns.
+
+This command will cause Xorm to recreate tables, copying over the data and deleting the old table.
+
+You should back-up your database before doing this and ensure that your database is up-to-date first.`,
+	Action: runRecreateTable,
 }

-// checklist represents list for all checks
-var checklist = []check{
-	{
-		// NOTE: this check should be the first in the list
-		title:            "Check paths and basic configuration",
-		name:             "paths",
-		isDefault:        true,
-		f:                runDoctorPathInfo,
-		abortIfFailed:    true,
-		skipDatabaseInit: true,
-	},
-	{
-		title:         "Check Database Version",
-		name:          "check-db",
-		isDefault:     true,
-		f:             runDoctorCheckDBVersion,
-		abortIfFailed: true,
-	},
-	{
-		title:     "Check if OpenSSH authorized_keys file is up-to-date",
-		name:      "authorized_keys",
-		isDefault: true,
-		f:         runDoctorAuthorizedKeys,
-	},
-	{
-		title:     "Check if SCRIPT_TYPE is available",
-		name:      "script-type",
-		isDefault: false,
-		f:         runDoctorScriptType,
-	},
-	{
-		title:     "Check if hook files are up-to-date and executable",
-		name:      "hooks",
-		isDefault: false,
-		f:         runDoctorHooks,
-	},
-	{
-		title:     "Recalculate merge bases",
-		name:      "recalculate_merge_bases",
-		isDefault: false,
-		f:         runDoctorPRMergeBase,
-	},
-	// more checks please append here
+func runRecreateTable(ctx *cli.Context) error {
+	// Redirect the default golog to here
+	golog.SetFlags(0)
+	golog.SetPrefix("")
+	golog.SetOutput(log.NewLoggerAsWriter("INFO", log.GetLogger(log.DEFAULT)))
+
+	setting.NewContext()
+	setting.InitDBConfig()
+
+	setting.EnableXORMLog = ctx.Bool("debug")
+	setting.Database.LogSQL = ctx.Bool("debug")
+	setting.Cfg.Section("log").Key("XORM").SetValue(",")
+
+	setting.NewXORMLogService(!ctx.Bool("debug"))
+	if err := models.SetEngine(); err != nil {
+		fmt.Println(err)
+		fmt.Println("Check if you are using the right config file. You can use a --config directive to specify one.")
+		return nil
+	}
+
+	args := ctx.Args()
+	names := make([]string, 0, ctx.NArg())
+	for i := 0; i < ctx.NArg(); i++ {
+		names = append(names, args.Get(i))
+	}
+
+	beans, err := models.NamesToBean(names...)
+	if err != nil {
+		return err
+	}
+	recreateTables := migrations.RecreateTables(beans...)
+
+	return models.NewEngine(context.Background(), func(x *xorm.Engine) error {
+		if err := migrations.EnsureUpToDate(x); err != nil {
+			return err
+		}
+		return recreateTables(x)
+	})
+
 }

 func runDoctor(ctx *cli.Context) error {
-
 	// Silence the default loggers
 	log.DelNamedLogger("console")
 	log.DelNamedLogger(log.DEFAULT)
@@ -129,10 +134,15 @@ func runDoctor(ctx *cli.Context) error {
 		logFile = "doctor.log"
 	}

+	colorize := log.CanColorStdout
+	if ctx.IsSet("color") {
+		colorize = ctx.Bool("color")
+	}
+
 	if len(logFile) == 0 {
-		log.NewLogger(1000, "doctor", "console", `{"level":"NONE","stacktracelevel":"NONE","colorize":"%t"}`)
+		log.NewLogger(1000, "doctor", "console", fmt.Sprintf(`{"level":"NONE","stacktracelevel":"NONE","colorize":%t}`, colorize))
 	} else if logFile == "-" {
-		log.NewLogger(1000, "doctor", "console", `{"level":"trace","stacktracelevel":"NONE"}`)
+		log.NewLogger(1000, "doctor", "console", fmt.Sprintf(`{"level":"trace","stacktracelevel":"NONE","colorize":%t}`, colorize))
 	} else {
 		log.NewLogger(1000, "doctor", "file", fmt.Sprintf(`{"filename":%q,"level":"trace","stacktracelevel":"NONE"}`, logFile))
 	}
@@ -143,24 +153,24 @@ func runDoctor(ctx *cli.Context) error {
 	golog.SetOutput(log.NewLoggerAsWriter("INFO", log.GetLogger(log.DEFAULT)))

 	if ctx.IsSet("list") {
-		w := tabwriter.NewWriter(os.Stdout, 0, 8, 0, '\t', 0)
+		w := tabwriter.NewWriter(os.Stdout, 0, 8, 1, '\t', 0)
 		_, _ = w.Write([]byte("Default\tName\tTitle\n"))
-		for _, check := range checklist {
-			if check.isDefault {
+		for _, check := range doctor.Checks {
+			if check.IsDefault {
 				_, _ = w.Write([]byte{'*'})
 			}
 			_, _ = w.Write([]byte{'\t'})
-			_, _ = w.Write([]byte(check.name))
+			_, _ = w.Write([]byte(check.Name))
 			_, _ = w.Write([]byte{'\t'})
-			_, _ = w.Write([]byte(check.title))
+			_, _ = w.Write([]byte(check.Title))
 			_, _ = w.Write([]byte{'\n'})
 		}
 		return w.Flush()
 	}

-	var checks []check
+	var checks []*doctor.Check
 	if ctx.Bool("all") {
-		checks = checklist
+		checks = doctor.Checks
 	} else if ctx.IsSet("run") {
 		addDefault := ctx.Bool("default")
 		names := ctx.StringSlice("run")
@@ -168,330 +178,37 @@ func runDoctor(ctx *cli.Context) error {
 			names[i] = strings.ToLower(strings.TrimSpace(name))
 		}

-		for _, check := range checklist {
-			if addDefault && check.isDefault {
+		for _, check := range doctor.Checks {
+			if addDefault && check.IsDefault {
 				checks = append(checks, check)
 				continue
 			}
 			for _, name := range names {
-				if name == check.name {
+				if name == check.Name {
 					checks = append(checks, check)
 					break
 				}
 			}
 		}
 	} else {
-		for _, check := range checklist {
-			if check.isDefault {
+		for _, check := range doctor.Checks {
+			if check.IsDefault {
 				checks = append(checks, check)
 			}
 		}
 	}

-	dbIsInit := false
-
-	for i, check := range checks {
-		if !dbIsInit && !check.skipDatabaseInit {
-			// Only open database after the most basic configuration check
-			setting.EnableXORMLog = false
-			if err := initDBDisableConsole(true); err != nil {
-				fmt.Println(err)
-				fmt.Println("Check if you are using the right config file. You can use a --config directive to specify one.")
-				return nil
-			}
-			dbIsInit = true
-		}
-		fmt.Println("[", i+1, "]", check.title)
-		messages, err := check.f(ctx)
-		for _, message := range messages {
-			fmt.Println("-", message)
-		}
-		if err != nil {
-			fmt.Println("Error:", err)
-			if check.abortIfFailed {
-				return nil
-			}
-		} else {
-			fmt.Println("OK.")
-		}
-		fmt.Println()
-	}
-	return nil
-}
-
-func runDoctorPathInfo(ctx *cli.Context) ([]string, error) {
-
-	res := make([]string, 0, 10)
-
-	if fi, err := os.Stat(setting.CustomConf); err != nil || !fi.Mode().IsRegular() {
-		res = append(res, fmt.Sprintf("Failed to find configuration file at '%s'.", setting.CustomConf))
-		res = append(res, fmt.Sprintf("If you've never ran Gitea yet, this is normal and '%s' will be created for you on first run.", setting.CustomConf))
-		res = append(res, "Otherwise check that you are running this command from the correct path and/or provide a `--config` parameter.")
-		return res, fmt.Errorf("can't proceed without a configuration file")
-	}
-
-	setting.NewContext()
-
-	fail := false
-
-	check := func(name, path string, is_dir, required, is_write bool) {
-		res = append(res, fmt.Sprintf("%-25s  '%s'", name+":", path))
-		fi, err := os.Stat(path)
-		if err != nil {
-			if os.IsNotExist(err) && ctx.Bool("fix") && is_dir {
-				if err := os.MkdirAll(path, 0777); err != nil {
-					res = append(res, fmt.Sprintf("    ERROR: %v", err))
-					fail = true
-					return
-				}
-				fi, err = os.Stat(path)
-			}
-		}
-		if err != nil {
-			if required {
-				res = append(res, fmt.Sprintf("    ERROR: %v", err))
-				fail = true
-				return
-			}
-			res = append(res, fmt.Sprintf("    NOTICE: not accessible (%v)", err))
-			return
-		}
-
-		if is_dir && !fi.IsDir() {
-			res = append(res, "    ERROR: not a directory")
-			fail = true
-			return
-		} else if !is_dir && !fi.Mode().IsRegular() {
-			res = append(res, "    ERROR: not a regular file")
-			fail = true
-		} else if is_write {
-			if err := runDoctorWritableDir(path); err != nil {
-				res = append(res, fmt.Sprintf("    ERROR: not writable: %v", err))
-				fail = true
-			}
-		}
-	}
-
-	// Note print paths inside quotes to make any leading/trailing spaces evident
-	check("Configuration File Path", setting.CustomConf, false, true, false)
-	check("Repository Root Path", setting.RepoRootPath, true, true, true)
-	check("Data Root Path", setting.AppDataPath, true, true, true)
-	check("Custom File Root Path", setting.CustomPath, true, false, false)
-	check("Work directory", setting.AppWorkPath, true, true, false)
-	check("Log Root Path", setting.LogRootPath, true, true, true)
-
-	if options.IsDynamic() {
-		// Do not check/report on StaticRootPath if data is embedded in Gitea (-tags bindata)
-		check("Static File Root Path", setting.StaticRootPath, true, true, false)
-	}
-
-	if fail {
-		return res, fmt.Errorf("please check your configuration file and try again")
-	}
-
-	return res, nil
-}
-
-func runDoctorWritableDir(path string) error {
-	// There's no platform-independent way of checking if a directory is writable
-	// https://stackoverflow.com/questions/20026320/how-to-tell-if-folder-exists-and-is-writable
-
-	tmpFile, err := ioutil.TempFile(path, "doctors-order")
-	if err != nil {
+	// Now we can set up our own logger to return information about what the doctor is doing
+	if err := log.NewNamedLogger("doctorouter",
+		1000,
+		"console",
+		"console",
+		fmt.Sprintf(`{"level":"INFO","stacktracelevel":"NONE","colorize":%t,"flags":-1}`, colorize)); err != nil {
+		fmt.Println(err)
 		return err
 	}
-	if err := os.Remove(tmpFile.Name()); err != nil {
-		fmt.Printf("Warning: can't remove temporary file: '%s'\n", tmpFile.Name())
-	}
-	tmpFile.Close()
-	return nil
-}
-
-const tplCommentPrefix = `# gitea public key`
-
-func runDoctorAuthorizedKeys(ctx *cli.Context) ([]string, error) {
-	if setting.SSH.StartBuiltinServer || !setting.SSH.CreateAuthorizedKeysFile {
-		return nil, nil
-	}
-
-	fPath := filepath.Join(setting.SSH.RootPath, "authorized_keys")
-	f, err := os.Open(fPath)
-	if err != nil {
-		if ctx.Bool("fix") {
-			return []string{fmt.Sprintf("Error whilst opening authorized_keys: %v. Attempting regeneration", err)}, models.RewriteAllPublicKeys()
-		}
-		return nil, err
-	}
-	defer f.Close()
-
-	linesInAuthorizedKeys := map[string]bool{}
-
-	scanner := bufio.NewScanner(f)
-	for scanner.Scan() {
-		line := scanner.Text()
-		if strings.HasPrefix(line, tplCommentPrefix) {
-			continue
-		}
-		linesInAuthorizedKeys[line] = true
-	}
-	f.Close()
-
-	// now we regenerate and check if there are any lines missing
-	regenerated := &bytes.Buffer{}
-	if err := models.RegeneratePublicKeys(regenerated); err != nil {
-		return nil, err
-	}
-	scanner = bufio.NewScanner(regenerated)
-	for scanner.Scan() {
-		line := scanner.Text()
-		if strings.HasPrefix(line, tplCommentPrefix) {
-			continue
-		}
-		if ok := linesInAuthorizedKeys[line]; ok {
-			continue
-		}
-		if ctx.Bool("fix") {
-			return []string{"authorized_keys is out of date, attempting regeneration"}, models.RewriteAllPublicKeys()
-		}
-		return nil, fmt.Errorf(`authorized_keys is out of date and should be regenerated with "gitea admin regenerate keys" or "gitea doctor --run authorized_keys --fix"`)
-	}
-	return nil, nil
-}
-
-func runDoctorCheckDBVersion(ctx *cli.Context) ([]string, error) {
-	if err := models.NewEngine(context.Background(), migrations.EnsureUpToDate); err != nil {
-		if ctx.Bool("fix") {
-			return []string{fmt.Sprintf("WARN: Got Error %v during ensure up to date", err), "Attempting to migrate to the latest DB version to fix this."}, models.NewEngine(context.Background(), migrations.Migrate)
-		}
-		return nil, err
-	}
-	return nil, nil
-}
-
-func iterateRepositories(each func(*models.Repository) ([]string, error)) ([]string, error) {
-	results := []string{}
-	err := models.Iterate(
-		models.DefaultDBContext(),
-		new(models.Repository),
-		builder.Gt{"id": 0},
-		func(idx int, bean interface{}) error {
-			res, err := each(bean.(*models.Repository))
-			results = append(results, res...)
-			return err
-		},
-	)
-	return results, err
-}
-
-func iteratePRs(repo *models.Repository, each func(*models.Repository, *models.PullRequest) ([]string, error)) ([]string, error) {
-	results := []string{}
-	err := models.Iterate(
-		models.DefaultDBContext(),
-		new(models.PullRequest),
-		builder.Eq{"base_repo_id": repo.ID},
-		func(idx int, bean interface{}) error {
-			res, err := each(repo, bean.(*models.PullRequest))
-			results = append(results, res...)
-			return err
-		},
-	)
-	return results, err
-}
-
-func runDoctorHooks(ctx *cli.Context) ([]string, error) {
-	// Need to iterate across all of the repositories
-	return iterateRepositories(func(repo *models.Repository) ([]string, error) {
-		results, err := repository.CheckDelegateHooks(repo.RepoPath())
-		if err != nil {
-			return nil, err
-		}
-		if len(results) > 0 && ctx.Bool("fix") {
-			return []string{fmt.Sprintf("regenerated hooks for %s", repo.FullName())}, repository.CreateDelegateHooks(repo.RepoPath())
-		}
-
-		return results, nil
-	})
-}
-
-func runDoctorPRMergeBase(ctx *cli.Context) ([]string, error) {
-	numRepos := 0
-	numPRs := 0
-	numPRsUpdated := 0
-	results, err := iterateRepositories(func(repo *models.Repository) ([]string, error) {
-		numRepos++
-		return iteratePRs(repo, func(repo *models.Repository, pr *models.PullRequest) ([]string, error) {
-			numPRs++
-			results := []string{}
-			pr.BaseRepo = repo
-			repoPath := repo.RepoPath()
-
-			oldMergeBase := pr.MergeBase
-
-			if !pr.HasMerged {
-				var err error
-				pr.MergeBase, err = git.NewCommand("merge-base", "--", pr.BaseBranch, pr.GetGitRefName()).RunInDir(repoPath)
-				if err != nil {
-					var err2 error
-					pr.MergeBase, err2 = git.NewCommand("rev-parse", git.BranchPrefix+pr.BaseBranch).RunInDir(repoPath)
-					if err2 != nil {
-						results = append(results, fmt.Sprintf("WARN: Unable to get merge base for PR ID %d, #%d onto %s in %s/%s", pr.ID, pr.Index, pr.BaseBranch, pr.BaseRepo.OwnerName, pr.BaseRepo.Name))
-						log.Error("Unable to get merge base for PR ID %d, Index %d in %s/%s. Error: %v & %v", pr.ID, pr.Index, pr.BaseRepo.OwnerName, pr.BaseRepo.Name, err, err2)
-						return results, nil
-					}
-				}
-			} else {
-				parentsString, err := git.NewCommand("rev-list", "--parents", "-n", "1", pr.MergedCommitID).RunInDir(repoPath)
-				if err != nil {
-					results = append(results, fmt.Sprintf("WARN: Unable to get parents for merged PR ID %d, #%d onto %s in %s/%s", pr.ID, pr.Index, pr.BaseBranch, pr.BaseRepo.OwnerName, pr.BaseRepo.Name))
-					log.Error("Unable to get parents for merged PR ID %d, Index %d in %s/%s. Error: %v", pr.ID, pr.Index, pr.BaseRepo.OwnerName, pr.BaseRepo.Name, err)
-					return results, nil
-				}
-				parents := strings.Split(strings.TrimSpace(parentsString), " ")
-				if len(parents) < 2 {
-					return results, nil
-				}
-
-				args := append([]string{"merge-base", "--"}, parents[1:]...)
-				args = append(args, pr.GetGitRefName())
-
-				pr.MergeBase, err = git.NewCommand(args...).RunInDir(repoPath)
-				if err != nil {
-					results = append(results, fmt.Sprintf("WARN: Unable to get merge base for merged PR ID %d, #%d onto %s in %s/%s", pr.ID, pr.Index, pr.BaseBranch, pr.BaseRepo.OwnerName, pr.BaseRepo.Name))
-					log.Error("Unable to get merge base for merged PR ID %d, Index %d in %s/%s. Error: %v", pr.ID, pr.Index, pr.BaseRepo.OwnerName, pr.BaseRepo.Name, err)
-					return results, nil
-				}
-			}
-			pr.MergeBase = strings.TrimSpace(pr.MergeBase)
-			if pr.MergeBase != oldMergeBase {
-				if ctx.Bool("fix") {
-					if err := pr.UpdateCols("merge_base"); err != nil {
-						return results, err
-					}
-				} else {
-					results = append(results, fmt.Sprintf("#%d onto %s in %s/%s: MergeBase should be %s but is %s", pr.Index, pr.BaseBranch, pr.BaseRepo.OwnerName, pr.BaseRepo.Name, oldMergeBase, pr.MergeBase))
-				}
-				numPRsUpdated++
-			}
-			return results, nil
-		})
-	})
-
-	if ctx.Bool("fix") {
-		results = append(results, fmt.Sprintf("%d PR mergebases updated of %d PRs total in %d repos", numPRsUpdated, numPRs, numRepos))
-	} else {
-		if numPRsUpdated > 0 && err == nil {
-			return results, fmt.Errorf("%d PRs with incorrect mergebases of %d PRs total in %d repos", numPRsUpdated, numPRs, numRepos)
-		}
-		results = append(results, fmt.Sprintf("%d PRs with incorrect mergebases of %d PRs total in %d repos", numPRsUpdated, numPRs, numRepos))
-	}
-
-	return results, err
-}
-
-func runDoctorScriptType(ctx *cli.Context) ([]string, error) {
-	path, err := exec.LookPath(setting.ScriptType)
-	if err != nil {
-		return []string{fmt.Sprintf("ScriptType %s is not on the current PATH", setting.ScriptType)}, err
-	}
-	return []string{fmt.Sprintf("ScriptType %s is on the current PATH at %s", setting.ScriptType, path)}, nil
+
+	logger := log.GetLogger("doctorouter")
+	defer logger.Close()
+	return doctor.RunChecks(logger, ctx.Bool("fix"), checks)
 }
--- a/cmd/dump.go
+++ b/cmd/dump.go
@@ -11,17 +11,86 @@ import (
 	"os"
 	"path"
 	"path/filepath"
+	"strings"
 	"time"

 	"code.gitea.io/gitea/models"
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/setting"
+	"code.gitea.io/gitea/modules/storage"
+	"code.gitea.io/gitea/modules/util"

-	"github.com/unknwon/cae/zip"
-	"github.com/unknwon/com"
+	"gitea.com/go-chi/session"
+	jsoniter "github.com/json-iterator/go"
+	archiver "github.com/mholt/archiver/v3"
 	"github.com/urfave/cli"
 )

+func addFile(w archiver.Writer, filePath string, absPath string, verbose bool) error {
+	if verbose {
+		log.Info("Adding file %s\n", filePath)
+	}
+	file, err := os.Open(absPath)
+	if err != nil {
+		return err
+	}
+	defer file.Close()
+	fileInfo, err := file.Stat()
+	if err != nil {
+		return err
+	}
+
+	return w.Write(archiver.File{
+		FileInfo: archiver.FileInfo{
+			FileInfo:   fileInfo,
+			CustomName: filePath,
+		},
+		ReadCloser: file,
+	})
+}
+
+func isSubdir(upper string, lower string) (bool, error) {
+	if relPath, err := filepath.Rel(upper, lower); err != nil {
+		return false, err
+	} else if relPath == "." || !strings.HasPrefix(relPath, ".") {
+		return true, nil
+	}
+	return false, nil
+}
+
+type outputType struct {
+	Enum     []string
+	Default  string
+	selected string
+}
+
+func (o outputType) Join() string {
+	return strings.Join(o.Enum, ", ")
+}
+
+func (o *outputType) Set(value string) error {
+	for _, enum := range o.Enum {
+		if enum == value {
+			o.selected = value
+			return nil
+		}
+	}
+
+	return fmt.Errorf("allowed values are %s", o.Join())
+}
+
+func (o outputType) String() string {
+	if o.selected == "" {
+		return o.Default
+	}
+	return o.selected
+}
+
+var outputTypeEnum = &outputType{
+	Enum:    []string{"zip", "tar", "tar.gz", "tar.xz", "tar.bz2"},
+	Default: "zip",
+}
+
 // CmdDump represents the available dump sub-command.
 var CmdDump = cli.Command{
 	Name:  "dump",
@@ -33,7 +102,7 @@ It can be used for backup and capture Gitea server image to send to maintainer`,
 		cli.StringFlag{
 			Name:  "file, f",
 			Value: fmt.Sprintf("gitea-dump-%d.zip", time.Now().Unix()),
-			Usage: "Name of the dump file which will be created.",
+			Usage: "Name of the dump file which will be created. Supply '-' for stdout. See type for available types.",
 		},
 		cli.BoolFlag{
 			Name:  "verbose, V",
@@ -56,6 +125,23 @@ It can be used for backup and capture Gitea server image to send to maintainer`,
 			Name:  "skip-log, L",
 			Usage: "Skip the log dumping",
 		},
+		cli.BoolFlag{
+			Name:  "skip-custom-dir",
+			Usage: "Skip custom directory",
+		},
+		cli.BoolFlag{
+			Name:  "skip-lfs-data",
+			Usage: "Skip LFS data",
+		},
+		cli.BoolFlag{
+			Name:  "skip-attachment-data",
+			Usage: "Skip attachment data",
+		},
+		cli.GenericFlag{
+			Name:  "type",
+			Value: outputTypeEnum,
+			Usage: fmt.Sprintf("Dump output format: %s", outputTypeEnum.Join()),
+		},
 	},
 }

@@ -65,7 +151,27 @@ func fatal(format string, args ...interface{}) {
 }

 func runDump(ctx *cli.Context) error {
+	var file *os.File
+	fileName := ctx.String("file")
+	if fileName == "-" {
+		file = os.Stdout
+		err := log.DelLogger("console")
+		if err != nil {
+			fatal("Deleting default logger failed. Can not write to stdout: %v", err)
+		}
+	}
 	setting.NewContext()
+	// make sure we are logging to the console no matter what the configuration tells us do to
+	if _, err := setting.Cfg.Section("log").NewKey("MODE", "console"); err != nil {
+		fatal("Setting logging mode to console failed: %v", err)
+	}
+	if _, err := setting.Cfg.Section("log.console").NewKey("STDERR", "true"); err != nil {
+		fatal("Setting console logger to stderr failed: %v", err)
+	}
+	if !setting.InstallLock {
+		log.Error("Is '%s' really the right config path?\n", setting.CustomConf)
+		return fmt.Errorf("gitea is not initialized")
+	}
 	setting.NewServices() // cannot access session settings otherwise

 	err := models.SetEngine()
@@ -73,45 +179,84 @@ func runDump(ctx *cli.Context) error {
 		return err
 	}

-	tmpDir := ctx.String("tempdir")
-	if _, err := os.Stat(tmpDir); os.IsNotExist(err) {
-		fatal("Path does not exist: %s", tmpDir)
+	if err := storage.Init(); err != nil {
+		return err
 	}
-	tmpWorkDir, err := ioutil.TempDir(tmpDir, "gitea-dump-")
+
+	if file == nil {
+		file, err = os.Create(fileName)
+		if err != nil {
+			fatal("Unable to open %s: %v", fileName, err)
+		}
+	}
+	defer file.Close()
+
+	absFileName, err := filepath.Abs(fileName)
 	if err != nil {
-		fatal("Failed to create tmp work directory: %v", err)
-	}
-	log.Info("Creating tmp work dir: %s", tmpWorkDir)
-
-	// work-around #1103
-	if os.Getenv("TMPDIR") == "" {
-		os.Setenv("TMPDIR", tmpWorkDir)
+		return err
 	}

-	dbDump := path.Join(tmpWorkDir, "gitea-db.sql")
-
-	fileName := ctx.String("file")
-	log.Info("Packing dump files...")
-	z, err := zip.Create(fileName)
+	verbose := ctx.Bool("verbose")
+	outType := ctx.String("type")
+	var iface interface{}
+	if fileName == "-" {
+		iface, err = archiver.ByExtension(fmt.Sprintf(".%s", outType))
+	} else {
+		iface, err = archiver.ByExtension(fileName)
+	}
 	if err != nil {
-		fatal("Failed to create %s: %v", fileName, err)
+		fatal("Unable to get archiver for extension: %v", err)
 	}

-	zip.Verbose = ctx.Bool("verbose")
+	w, _ := iface.(archiver.Writer)
+	if err := w.Create(file); err != nil {
+		fatal("Creating archiver.Writer failed: %v", err)
+	}
+	defer w.Close()

 	if ctx.IsSet("skip-repository") && ctx.Bool("skip-repository") {
 		log.Info("Skip dumping local repositories")
 	} else {
-		log.Info("Dumping local repositories...%s", setting.RepoRootPath)
-		reposDump := path.Join(tmpWorkDir, "gitea-repo.zip")
-		if err := zip.PackTo(setting.RepoRootPath, reposDump, true); err != nil {
-			fatal("Failed to dump local repositories: %v", err)
+		log.Info("Dumping local repositories... %s", setting.RepoRootPath)
+		if err := addRecursiveExclude(w, "repos", setting.RepoRootPath, []string{absFileName}, verbose); err != nil {
+			fatal("Failed to include repositories: %v", err)
 		}
-		if err := z.AddFile("gitea-repo.zip", reposDump); err != nil {
-			fatal("Failed to include gitea-repo.zip: %v", err)
+
+		if ctx.IsSet("skip-lfs-data") && ctx.Bool("skip-lfs-data") {
+			log.Info("Skip dumping LFS data")
+		} else if err := storage.LFS.IterateObjects(func(objPath string, object storage.Object) error {
+			info, err := object.Stat()
+			if err != nil {
+				return err
+			}
+
+			return w.Write(archiver.File{
+				FileInfo: archiver.FileInfo{
+					FileInfo:   info,
+					CustomName: path.Join("data", "lfs", objPath),
+				},
+				ReadCloser: object,
+			})
+		}); err != nil {
+			fatal("Failed to dump LFS objects: %v", err)
 		}
 	}

+	tmpDir := ctx.String("tempdir")
+	if _, err := os.Stat(tmpDir); os.IsNotExist(err) {
+		fatal("Path does not exist: %s", tmpDir)
+	}
+
+	dbDump, err := ioutil.TempFile(tmpDir, "gitea-db.sql")
+	if err != nil {
+		fatal("Failed to create tmp file: %v", err)
+	}
+	defer func() {
+		if err := util.Remove(dbDump.Name()); err != nil {
+			log.Warn("Unable to remove temporary file: %s: Error: %v", dbDump.Name(), err)
+		}
+	}()
+
 	targetDBType := ctx.String("database")
 	if len(targetDBType) > 0 && targetDBType != setting.Database.Type {
 		log.Info("Dumping database %s => %s...", setting.Database.Type, targetDBType)
@@ -119,74 +264,132 @@ func runDump(ctx *cli.Context) error {
 		log.Info("Dumping database...")
 	}

-	if err := models.DumpDatabase(dbDump, targetDBType); err != nil {
+	if err := models.DumpDatabase(dbDump.Name(), targetDBType); err != nil {
 		fatal("Failed to dump database: %v", err)
 	}

-	if err := z.AddFile("gitea-db.sql", dbDump); err != nil {
+	if err := addFile(w, "gitea-db.sql", dbDump.Name(), verbose); err != nil {
 		fatal("Failed to include gitea-db.sql: %v", err)
 	}

 	if len(setting.CustomConf) > 0 {
 		log.Info("Adding custom configuration file from %s", setting.CustomConf)
-		if err := z.AddFile("app.ini", setting.CustomConf); err != nil {
+		if err := addFile(w, "app.ini", setting.CustomConf, verbose); err != nil {
 			fatal("Failed to include specified app.ini: %v", err)
 		}
 	}

-	customDir, err := os.Stat(setting.CustomPath)
-	if err == nil && customDir.IsDir() {
-		if err := z.AddDir("custom", setting.CustomPath); err != nil {
-			fatal("Failed to include custom: %v", err)
-		}
+	if ctx.IsSet("skip-custom-dir") && ctx.Bool("skip-custom-dir") {
+		log.Info("Skipping custom directory")
 	} else {
-		log.Info("Custom dir %s doesn't exist, skipped", setting.CustomPath)
+		customDir, err := os.Stat(setting.CustomPath)
+		if err == nil && customDir.IsDir() {
+			if is, _ := isSubdir(setting.AppDataPath, setting.CustomPath); !is {
+				if err := addRecursiveExclude(w, "custom", setting.CustomPath, []string{absFileName}, verbose); err != nil {
+					fatal("Failed to include custom: %v", err)
+				}
+			} else {
+				log.Info("Custom dir %s is inside data dir %s, skipped", setting.CustomPath, setting.AppDataPath)
+			}
+		} else {
+			log.Info("Custom dir %s doesn't exist, skipped", setting.CustomPath)
+		}
 	}

-	if com.IsExist(setting.AppDataPath) {
+	isExist, err := util.IsExist(setting.AppDataPath)
+	if err != nil {
+		log.Error("Unable to check if %s exists. Error: %v", setting.AppDataPath, err)
+	}
+	if isExist {
 		log.Info("Packing data directory...%s", setting.AppDataPath)

-		var sessionAbsPath string
-		if setting.SessionConfig.Provider == "file" {
-			sessionAbsPath = setting.SessionConfig.ProviderConfig
+		var excludes []string
+		if setting.Cfg.Section("session").Key("PROVIDER").Value() == "file" {
+			var opts session.Options
+			json := jsoniter.ConfigCompatibleWithStandardLibrary
+			if err = json.Unmarshal([]byte(setting.SessionConfig.ProviderConfig), &opts); err != nil {
+				return err
+			}
+			excludes = append(excludes, opts.ProviderConfig)
 		}
-		if err := zipAddDirectoryExclude(z, "data", setting.AppDataPath, sessionAbsPath); err != nil {
+
+		excludes = append(excludes, setting.RepoRootPath)
+		excludes = append(excludes, setting.LFS.Path)
+		excludes = append(excludes, setting.Attachment.Path)
+		excludes = append(excludes, setting.LogRootPath)
+		excludes = append(excludes, absFileName)
+		if err := addRecursiveExclude(w, "data", setting.AppDataPath, excludes, verbose); err != nil {
 			fatal("Failed to include data directory: %v", err)
 		}
 	}

+	if ctx.IsSet("skip-attachment-data") && ctx.Bool("skip-attachment-data") {
+		log.Info("Skip dumping attachment data")
+	} else if err := storage.Attachments.IterateObjects(func(objPath string, object storage.Object) error {
+		info, err := object.Stat()
+		if err != nil {
+			return err
+		}
+
+		return w.Write(archiver.File{
+			FileInfo: archiver.FileInfo{
+				FileInfo:   info,
+				CustomName: path.Join("data", "attachments", objPath),
+			},
+			ReadCloser: object,
+		})
+	}); err != nil {
+		fatal("Failed to dump attachments: %v", err)
+	}
+
 	// Doesn't check if LogRootPath exists before processing --skip-log intentionally,
 	// ensuring that it's clear the dump is skipped whether the directory's initialized
 	// yet or not.
 	if ctx.IsSet("skip-log") && ctx.Bool("skip-log") {
 		log.Info("Skip dumping log files")
-	} else if com.IsExist(setting.LogRootPath) {
-		if err := z.AddDir("log", setting.LogRootPath); err != nil {
-			fatal("Failed to include log: %v", err)
+	} else {
+		isExist, err := util.IsExist(setting.LogRootPath)
+		if err != nil {
+			log.Error("Unable to check if %s exists. Error: %v", setting.LogRootPath, err)
+		}
+		if isExist {
+			if err := addRecursiveExclude(w, "log", setting.LogRootPath, []string{absFileName}, verbose); err != nil {
+				fatal("Failed to include log: %v", err)
+			}
 		}
 	}

-	if err = z.Close(); err != nil {
-		_ = os.Remove(fileName)
-		fatal("Failed to save %s: %v", fileName, err)
+	if fileName != "-" {
+		if err = w.Close(); err != nil {
+			_ = util.Remove(fileName)
+			fatal("Failed to save %s: %v", fileName, err)
+		}
+
+		if err := os.Chmod(fileName, 0600); err != nil {
+			log.Info("Can't change file access permissions mask to 0600: %v", err)
+		}
 	}

-	if err := os.Chmod(fileName, 0600); err != nil {
-		log.Info("Can't change file access permissions mask to 0600: %v", err)
+	if fileName != "-" {
+		log.Info("Finish dumping in file %s", fileName)
+	} else {
+		log.Info("Finish dumping to stdout")
 	}

-	log.Info("Removing tmp work dir: %s", tmpWorkDir)
-
-	if err := os.RemoveAll(tmpWorkDir); err != nil {
-		fatal("Failed to remove %s: %v", tmpWorkDir, err)
-	}
-	log.Info("Finish dumping in file %s", fileName)
-
 	return nil
 }

-// zipAddDirectoryExclude zips absPath to specified zipPath inside z excluding excludeAbsPath
-func zipAddDirectoryExclude(zip *zip.ZipArchive, zipPath, absPath string, excludeAbsPath string) error {
+func contains(slice []string, s string) bool {
+	for _, v := range slice {
+		if v == s {
+			return true
+		}
+	}
+	return false
+}
+
+// addRecursiveExclude zips absPath to specified insidePath inside writer excluding excludeAbsPath
+func addRecursiveExclude(w archiver.Writer, insidePath, absPath string, excludeAbsPath []string, verbose bool) error {
 	absPath, err := filepath.Abs(absPath)
 	if err != nil {
 		return err
@@ -197,24 +400,24 @@ func zipAddDirectoryExclude(zip *zip.ZipArchive, zipPath, absPath string, exclud
 	}
 	defer dir.Close()

-	zip.AddEmptyDir(zipPath)
-
 	files, err := dir.Readdir(0)
 	if err != nil {
 		return err
 	}
 	for _, file := range files {
 		currentAbsPath := path.Join(absPath, file.Name())
-		currentZipPath := path.Join(zipPath, file.Name())
+		currentInsidePath := path.Join(insidePath, file.Name())
 		if file.IsDir() {
-			if currentAbsPath != excludeAbsPath {
-				if err = zipAddDirectoryExclude(zip, currentZipPath, currentAbsPath, excludeAbsPath); err != nil {
+			if !contains(excludeAbsPath, currentAbsPath) {
+				if err := addFile(w, currentInsidePath, currentAbsPath, false); err != nil {
+					return err
+				}
+				if err = addRecursiveExclude(w, currentInsidePath, currentAbsPath, excludeAbsPath, verbose); err != nil {
 					return err
 				}
 			}
-
 		} else {
-			if err = zip.AddFile(currentZipPath, currentAbsPath); err != nil {
+			if err = addFile(w, currentInsidePath, currentAbsPath, verbose); err != nil {
 				return err
 			}
 		}
--- a/cmd/dump_repo.go
+++ b/cmd/dump_repo.go
@@ -0,0 +1,162 @@
+// Copyright 2020 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package cmd
+
+import (
+	"context"
+	"errors"
+	"strings"
+
+	"code.gitea.io/gitea/modules/convert"
+	"code.gitea.io/gitea/modules/log"
+	"code.gitea.io/gitea/modules/migrations"
+	"code.gitea.io/gitea/modules/migrations/base"
+	"code.gitea.io/gitea/modules/setting"
+	"code.gitea.io/gitea/modules/structs"
+
+	"github.com/urfave/cli"
+)
+
+// CmdDumpRepository represents the available dump repository sub-command.
+var CmdDumpRepository = cli.Command{
+	Name:        "dump-repo",
+	Usage:       "Dump the repository from git/github/gitea/gitlab",
+	Description: "This is a command for dumping the repository data.",
+	Action:      runDumpRepository,
+	Flags: []cli.Flag{
+		cli.StringFlag{
+			Name:  "git_service",
+			Value: "",
+			Usage: "Git service, git, github, gitea, gitlab. If clone_addr could be recognized, this could be ignored.",
+		},
+		cli.StringFlag{
+			Name:  "repo_dir, r",
+			Value: "./data",
+			Usage: "Repository dir path to store the data",
+		},
+		cli.StringFlag{
+			Name:  "clone_addr",
+			Value: "",
+			Usage: "The URL will be clone, currently could be a git/github/gitea/gitlab http/https URL",
+		},
+		cli.StringFlag{
+			Name:  "auth_username",
+			Value: "",
+			Usage: "The username to visit the clone_addr",
+		},
+		cli.StringFlag{
+			Name:  "auth_password",
+			Value: "",
+			Usage: "The password to visit the clone_addr",
+		},
+		cli.StringFlag{
+			Name:  "auth_token",
+			Value: "",
+			Usage: "The personal token to visit the clone_addr",
+		},
+		cli.StringFlag{
+			Name:  "owner_name",
+			Value: "",
+			Usage: "The data will be stored on a directory with owner name if not empty",
+		},
+		cli.StringFlag{
+			Name:  "repo_name",
+			Value: "",
+			Usage: "The data will be stored on a directory with repository name if not empty",
+		},
+		cli.StringFlag{
+			Name:  "units",
+			Value: "",
+			Usage: `Which items will be migrated, one or more units should be separated as comma.
+wiki, issues, labels, releases, release_assets, milestones, pull_requests, comments are allowed. Empty means all units.`,
+		},
+	},
+}
+
+func runDumpRepository(ctx *cli.Context) error {
+	if err := initDB(); err != nil {
+		return err
+	}
+
+	log.Info("AppPath: %s", setting.AppPath)
+	log.Info("AppWorkPath: %s", setting.AppWorkPath)
+	log.Info("Custom path: %s", setting.CustomPath)
+	log.Info("Log path: %s", setting.LogRootPath)
+	setting.InitDBConfig()
+
+	var (
+		serviceType structs.GitServiceType
+		cloneAddr   = ctx.String("clone_addr")
+		serviceStr  = ctx.String("git_service")
+	)
+
+	if strings.HasPrefix(strings.ToLower(cloneAddr), "https://github.com/") {
+		serviceStr = "github"
+	} else if strings.HasPrefix(strings.ToLower(cloneAddr), "https://gitlab.com/") {
+		serviceStr = "gitlab"
+	} else if strings.HasPrefix(strings.ToLower(cloneAddr), "https://gitea.com/") {
+		serviceStr = "gitea"
+	}
+	if serviceStr == "" {
+		return errors.New("git_service missed or clone_addr cannot be recognized")
+	}
+	serviceType = convert.ToGitServiceType(serviceStr)
+
+	var opts = base.MigrateOptions{
+		GitServiceType: serviceType,
+		CloneAddr:      cloneAddr,
+		AuthUsername:   ctx.String("auth_username"),
+		AuthPassword:   ctx.String("auth_password"),
+		AuthToken:      ctx.String("auth_token"),
+		RepoName:       ctx.String("repo_name"),
+	}
+
+	if len(ctx.String("units")) == 0 {
+		opts.Wiki = true
+		opts.Issues = true
+		opts.Milestones = true
+		opts.Labels = true
+		opts.Releases = true
+		opts.Comments = true
+		opts.PullRequests = true
+		opts.ReleaseAssets = true
+	} else {
+		units := strings.Split(ctx.String("units"), ",")
+		for _, unit := range units {
+			switch strings.ToLower(unit) {
+			case "wiki":
+				opts.Wiki = true
+			case "issues":
+				opts.Issues = true
+			case "milestones":
+				opts.Milestones = true
+			case "labels":
+				opts.Labels = true
+			case "releases":
+				opts.Releases = true
+			case "release_assets":
+				opts.ReleaseAssets = true
+			case "comments":
+				opts.Comments = true
+			case "pull_requests":
+				opts.PullRequests = true
+			}
+		}
+	}
+
+	if err := migrations.DumpRepository(
+		context.Background(),
+		ctx.String("repo_dir"),
+		ctx.String("owner_name"),
+		opts,
+	); err != nil {
+		log.Fatal("Failed to dump repository: %v", err)
+		return err
+	}
+
+	log.Trace("Dump finished!!!")
+
+	return nil
+}
--- a/cmd/embedded.go
+++ b/cmd/embedded.go
@@ -19,6 +19,7 @@ import (
 	"code.gitea.io/gitea/modules/public"
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/templates"
+	"code.gitea.io/gitea/modules/util"

 	"github.com/gobwas/glob"
 	"github.com/urfave/cli"
@@ -271,7 +272,7 @@ func extractAsset(d string, a asset, overwrite, rename bool) error {
 	} else if !fi.Mode().IsRegular() {
 		return fmt.Errorf("%s already exists, but it's not a regular file", dest)
 	} else if rename {
-		if err := os.Rename(dest, dest+".bak"); err != nil {
+		if err := util.Rename(dest, dest+".bak"); err != nil {
 			return fmt.Errorf("Error creating backup for %s: %v", dest, err)
 		}
 		// Attempt to respect file permissions mask (even if user:group will be set anew)
--- a/cmd/generate.go
+++ b/cmd/generate.go
@@ -7,9 +7,11 @@ package cmd

 import (
 	"fmt"
+	"os"

 	"code.gitea.io/gitea/modules/generate"

+	"github.com/mattn/go-isatty"
 	"github.com/urfave/cli"
 )

@@ -59,17 +61,27 @@ func runGenerateInternalToken(c *cli.Context) error {
 		return err
 	}

-	fmt.Printf("%s\n", internalToken)
+	fmt.Printf("%s", internalToken)
+
+	if isatty.IsTerminal(os.Stdout.Fd()) {
+		fmt.Printf("\n")
+	}
+
 	return nil
 }

 func runGenerateLfsJwtSecret(c *cli.Context) error {
-	JWTSecretBase64, err := generate.NewJwtSecret()
+	JWTSecretBase64, err := generate.NewJwtSecretBase64()
 	if err != nil {
 		return err
 	}

-	fmt.Printf("%s\n", JWTSecretBase64)
+	fmt.Printf("%s", JWTSecretBase64)
+
+	if isatty.IsTerminal(os.Stdout.Fd()) {
+		fmt.Printf("\n")
+	}
+
 	return nil
 }

@@ -79,6 +91,11 @@ func runGenerateSecretKey(c *cli.Context) error {
 		return err
 	}

-	fmt.Printf("%s\n", secretKey)
+	fmt.Printf("%s", secretKey)
+
+	if isatty.IsTerminal(os.Stdout.Fd()) {
+		fmt.Printf("\n")
+	}
+
 	return nil
 }
--- a/cmd/hook.go
+++ b/cmd/hook.go
@@ -46,18 +46,33 @@ var (
 		Usage:       "Delegate pre-receive Git hook",
 		Description: "This command should only be called by Git",
 		Action:      runHookPreReceive,
+		Flags: []cli.Flag{
+			cli.BoolFlag{
+				Name: "debug",
+			},
+		},
 	}
 	subcmdHookUpdate = cli.Command{
 		Name:        "update",
 		Usage:       "Delegate update Git hook",
 		Description: "This command should only be called by Git",
 		Action:      runHookUpdate,
+		Flags: []cli.Flag{
+			cli.BoolFlag{
+				Name: "debug",
+			},
+		},
 	}
 	subcmdHookPostReceive = cli.Command{
 		Name:        "post-receive",
 		Usage:       "Delegate post-receive Git hook",
 		Description: "This command should only be called by Git",
 		Action:      runHookPostReceive,
+		Flags: []cli.Flag{
+			cli.BoolFlag{
+				Name: "debug",
+			},
+		},
 	}
 )

@@ -137,25 +152,26 @@ func runHookPreReceive(c *cli.Context) error {
 	if os.Getenv(models.EnvIsInternal) == "true" {
 		return nil
 	}
+	ctx, cancel := installSignals()
+	defer cancel()

-	setup("hooks/pre-receive.log", false)
+	setup("hooks/pre-receive.log", c.Bool("debug"))

 	if len(os.Getenv("SSH_ORIGINAL_COMMAND")) == 0 {
 		if setting.OnlyAllowPushIfGiteaEnvironmentSet {
-			fail(`Rejecting changes as Gitea environment not set.
+			return fail(`Rejecting changes as Gitea environment not set.
 If you are pushing over SSH you must push with a key managed by
 Gitea or set your environment appropriately.`, "")
-		} else {
-			return nil
 		}
+		return nil
 	}

-	// the environment setted on serv command
-	isWiki := (os.Getenv(models.EnvRepoIsWiki) == "true")
+	// the environment is set by serv command
+	isWiki := os.Getenv(models.EnvRepoIsWiki) == "true"
 	username := os.Getenv(models.EnvRepoUsername)
 	reponame := os.Getenv(models.EnvRepoName)
 	userID, _ := strconv.ParseInt(os.Getenv(models.EnvPusherID), 10, 64)
-	prID, _ := strconv.ParseInt(os.Getenv(models.ProtectedBranchPRID), 10, 64)
+	prID, _ := strconv.ParseInt(os.Getenv(models.EnvPRID), 10, 64)
 	isDeployKey, _ := strconv.ParseBool(os.Getenv(models.EnvIsDeployKey))

 	hookOptions := private.HookOptions{
@@ -163,7 +179,8 @@ Gitea or set your environment appropriately.`, "")
 		GitAlternativeObjectDirectories: os.Getenv(private.GitAlternativeObjectDirectories),
 		GitObjectDirectory:              os.Getenv(private.GitObjectDirectory),
 		GitQuarantinePath:               os.Getenv(private.GitQuarantinePath),
-		ProtectedBranchID:               prID,
+		GitPushOptions:                  pushOptions(),
+		PullRequestID:                   prID,
 		IsDeployKey:                     isDeployKey,
 	}

@@ -205,8 +222,8 @@ Gitea or set your environment appropriately.`, "")
 		total++
 		lastline++

-		// If the ref is a branch, check if it's protected
-		if strings.HasPrefix(refFullName, git.BranchPrefix) {
+		// If the ref is a branch or tag, check if it's protected
+		if strings.HasPrefix(refFullName, git.BranchPrefix) || strings.HasPrefix(refFullName, git.TagPrefix) {
 			oldCommitIDs[count] = oldCommitID
 			newCommitIDs[count] = newCommitID
 			refFullNames[count] = refFullName
@@ -214,19 +231,19 @@ Gitea or set your environment appropriately.`, "")
 			fmt.Fprintf(out, "*")

 			if count >= hookBatchSize {
-				fmt.Fprintf(out, " Checking %d branches\n", count)
+				fmt.Fprintf(out, " Checking %d references\n", count)

 				hookOptions.OldCommitIDs = oldCommitIDs
 				hookOptions.NewCommitIDs = newCommitIDs
 				hookOptions.RefFullNames = refFullNames
-				statusCode, msg := private.HookPreReceive(username, reponame, hookOptions)
+				statusCode, msg := private.HookPreReceive(ctx, username, reponame, hookOptions)
 				switch statusCode {
 				case http.StatusOK:
 					// no-op
 				case http.StatusInternalServerError:
-					fail("Internal Server Error", msg)
+					return fail("Internal Server Error", msg)
 				default:
-					fail(msg, "")
+					return fail(msg, "")
 				}
 				count = 0
 				lastline = 0
@@ -245,14 +262,14 @@ Gitea or set your environment appropriately.`, "")
 		hookOptions.NewCommitIDs = newCommitIDs[:count]
 		hookOptions.RefFullNames = refFullNames[:count]

-		fmt.Fprintf(out, " Checking %d branches\n", count)
+		fmt.Fprintf(out, " Checking %d references\n", count)

-		statusCode, msg := private.HookPreReceive(username, reponame, hookOptions)
+		statusCode, msg := private.HookPreReceive(ctx, username, reponame, hookOptions)
 		switch statusCode {
 		case http.StatusInternalServerError:
-			fail("Internal Server Error", msg)
+			return fail("Internal Server Error", msg)
 		case http.StatusForbidden:
-			fail(msg, "")
+			return fail(msg, "")
 		}
 	} else if lastline > 0 {
 		fmt.Fprintf(out, "\n")
@@ -269,20 +286,28 @@ func runHookUpdate(c *cli.Context) error {
 }

 func runHookPostReceive(c *cli.Context) error {
+	ctx, cancel := installSignals()
+	defer cancel()
+
+	// First of all run update-server-info no matter what
+	if _, err := git.NewCommand("update-server-info").SetParentContext(ctx).Run(); err != nil {
+		return fmt.Errorf("Failed to call 'git update-server-info': %v", err)
+	}
+
+	// Now if we're an internal don't do anything else
 	if os.Getenv(models.EnvIsInternal) == "true" {
 		return nil
 	}

-	setup("hooks/post-receive.log", false)
+	setup("hooks/post-receive.log", c.Bool("debug"))

 	if len(os.Getenv("SSH_ORIGINAL_COMMAND")) == 0 {
 		if setting.OnlyAllowPushIfGiteaEnvironmentSet {
-			fail(`Rejecting changes as Gitea environment not set.
+			return fail(`Rejecting changes as Gitea environment not set.
 If you are pushing over SSH you must push with a key managed by
 Gitea or set your environment appropriately.`, "")
-		} else {
-			return nil
 		}
+		return nil
 	}

 	var out io.Writer
@@ -298,9 +323,9 @@ Gitea or set your environment appropriately.`, "")
 		}
 	}

-	// the environment setted on serv command
+	// the environment is set by serv command
 	repoUser := os.Getenv(models.EnvRepoUsername)
-	isWiki := (os.Getenv(models.EnvRepoIsWiki) == "true")
+	isWiki := os.Getenv(models.EnvRepoIsWiki) == "true"
 	repoName := os.Getenv(models.EnvRepoName)
 	pusherID, _ := strconv.ParseInt(os.Getenv(models.EnvPusherID), 10, 64)
 	pusherName := os.Getenv(models.EnvPusherName)
@@ -311,6 +336,7 @@ Gitea or set your environment appropriately.`, "")
 		GitAlternativeObjectDirectories: os.Getenv(private.GitAlternativeObjectDirectories),
 		GitObjectDirectory:              os.Getenv(private.GitObjectDirectory),
 		GitQuarantinePath:               os.Getenv(private.GitQuarantinePath),
+		GitPushOptions:                  pushOptions(),
 	}
 	oldCommitIDs := make([]string, hookBatchSize)
 	newCommitIDs := make([]string, hookBatchSize)
@@ -348,11 +374,11 @@ Gitea or set your environment appropriately.`, "")
 			hookOptions.OldCommitIDs = oldCommitIDs
 			hookOptions.NewCommitIDs = newCommitIDs
 			hookOptions.RefFullNames = refFullNames
-			resp, err := private.HookPostReceive(repoUser, repoName, hookOptions)
+			resp, err := private.HookPostReceive(ctx, repoUser, repoName, hookOptions)
 			if resp == nil {
 				_ = dWriter.Close()
 				hookPrintResults(results)
-				fail("Internal Server Error", err)
+				return fail("Internal Server Error", err)
 			}
 			wasEmpty = wasEmpty || resp.RepoWasEmpty
 			results = append(results, resp.Results...)
@@ -363,9 +389,9 @@ Gitea or set your environment appropriately.`, "")
 	if count == 0 {
 		if wasEmpty && masterPushed {
 			// We need to tell the repo to reset the default branch to master
-			err := private.SetDefaultBranch(repoUser, repoName, "master")
+			err := private.SetDefaultBranch(ctx, repoUser, repoName, "master")
 			if err != nil {
-				fail("Internal Server Error", "SetDefaultBranch failed with Error: %v", err)
+				return fail("Internal Server Error", "SetDefaultBranch failed with Error: %v", err)
 			}
 		}
 		fmt.Fprintf(out, "Processed %d references in total\n", total)
@@ -381,11 +407,11 @@ Gitea or set your environment appropriately.`, "")

 	fmt.Fprintf(out, " Processing %d references\n", count)

-	resp, err := private.HookPostReceive(repoUser, repoName, hookOptions)
+	resp, err := private.HookPostReceive(ctx, repoUser, repoName, hookOptions)
 	if resp == nil {
 		_ = dWriter.Close()
 		hookPrintResults(results)
-		fail("Internal Server Error", err)
+		return fail("Internal Server Error", err)
 	}
 	wasEmpty = wasEmpty || resp.RepoWasEmpty
 	results = append(results, resp.Results...)
@@ -394,9 +420,9 @@ Gitea or set your environment appropriately.`, "")

 	if wasEmpty && masterPushed {
 		// We need to tell the repo to reset the default branch to master
-		err := private.SetDefaultBranch(repoUser, repoName, "master")
+		err := private.SetDefaultBranch(ctx, repoUser, repoName, "master")
 		if err != nil {
-			fail("Internal Server Error", "SetDefaultBranch failed with Error: %v", err)
+			return fail("Internal Server Error", "SetDefaultBranch failed with Error: %v", err)
 		}
 	}
 	_ = dWriter.Close()
@@ -423,3 +449,17 @@ func hookPrintResults(results []private.HookPostReceiveBranchResult) {
 		os.Stderr.Sync()
 	}
 }
+
+func pushOptions() map[string]string {
+	opts := make(map[string]string)
+	if pushCount, err := strconv.Atoi(os.Getenv(private.GitPushOptionCount)); err == nil {
+		for idx := 0; idx < pushCount; idx++ {
+			opt := os.Getenv(fmt.Sprintf("GIT_PUSH_OPTION_%d", idx))
+			kv := strings.SplitN(opt, "=", 2)
+			if len(kv) == 2 {
+				opts[kv[0]] = kv[1]
+			}
+		}
+	}
+	return opts
+}
--- a/cmd/keys.go
+++ b/cmd/keys.go
@@ -62,9 +62,12 @@ func runKeys(c *cli.Context) error {
 		return errors.New("No key type and content provided")
 	}

+	ctx, cancel := installSignals()
+	defer cancel()
+
 	setup("keys.log", false)

-	authorizedString, err := private.AuthorizedPublicKeyByContent(content)
+	authorizedString, err := private.AuthorizedPublicKeyByContent(ctx, content)
 	if err != nil {
 		return err
 	}
--- a/cmd/mailer.go
+++ b/cmd/mailer.go
@@ -0,0 +1,54 @@
+// Copyright 2020 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package cmd
+
+import (
+	"fmt"
+	"net/http"
+
+	"code.gitea.io/gitea/modules/private"
+	"code.gitea.io/gitea/modules/setting"
+	"github.com/urfave/cli"
+)
+
+func runSendMail(c *cli.Context) error {
+	ctx, cancel := installSignals()
+	defer cancel()
+
+	setting.NewContext()
+
+	if err := argsSet(c, "title"); err != nil {
+		return err
+	}
+
+	subject := c.String("title")
+	confirmSkiped := c.Bool("force")
+	body := c.String("content")
+
+	if !confirmSkiped {
+		if len(body) == 0 {
+			fmt.Print("warning: Content is empty")
+		}
+
+		fmt.Print("Proceed with sending email? [Y/n] ")
+		isConfirmed, err := confirm()
+		if err != nil {
+			return err
+		} else if !isConfirmed {
+			fmt.Println("The mail was not sent")
+			return nil
+		}
+	}
+
+	status, message := private.SendEmail(ctx, subject, body, nil)
+	if status != http.StatusOK {
+		fmt.Printf("error: %s\n", message)
+		return nil
+	}
+
+	fmt.Printf("Success: %s\n", message)
+
+	return nil
+}
--- a/cmd/manager.go
+++ b/cmd/manager.go
@@ -10,6 +10,7 @@ import (
 	"os"
 	"time"

+	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/private"

 	"github.com/urfave/cli"
@@ -25,16 +26,27 @@ var (
 			subcmdShutdown,
 			subcmdRestart,
 			subcmdFlushQueues,
+			subcmdLogging,
 		},
 	}
 	subcmdShutdown = cli.Command{
-		Name:   "shutdown",
-		Usage:  "Gracefully shutdown the running process",
+		Name:  "shutdown",
+		Usage: "Gracefully shutdown the running process",
+		Flags: []cli.Flag{
+			cli.BoolFlag{
+				Name: "debug",
+			},
+		},
 		Action: runShutdown,
 	}
 	subcmdRestart = cli.Command{
-		Name:   "restart",
-		Usage:  "Gracefully restart the running process - (not implemented for windows servers)",
+		Name:  "restart",
+		Usage: "Gracefully restart the running process - (not implemented for windows servers)",
+		Flags: []cli.Flag{
+			cli.BoolFlag{
+				Name: "debug",
+			},
+		},
 		Action: runRestart,
 	}
 	subcmdFlushQueues = cli.Command{
@@ -46,21 +58,344 @@ var (
 				Name:  "timeout",
 				Value: 60 * time.Second,
 				Usage: "Timeout for the flushing process",
-			},
-			cli.BoolFlag{
+			}, cli.BoolFlag{
 				Name:  "non-blocking",
 				Usage: "Set to true to not wait for flush to complete before returning",
 			},
+			cli.BoolFlag{
+				Name: "debug",
+			},
+		},
+	}
+	defaultLoggingFlags = []cli.Flag{
+		cli.StringFlag{
+			Name:  "group, g",
+			Usage: "Group to add logger to - will default to \"default\"",
+		}, cli.StringFlag{
+			Name:  "name, n",
+			Usage: "Name of the new logger - will default to mode",
+		}, cli.StringFlag{
+			Name:  "level, l",
+			Usage: "Logging level for the new logger",
+		}, cli.StringFlag{
+			Name:  "stacktrace-level, L",
+			Usage: "Stacktrace logging level",
+		}, cli.StringFlag{
+			Name:  "flags, F",
+			Usage: "Flags for the logger",
+		}, cli.StringFlag{
+			Name:  "expression, e",
+			Usage: "Matching expression for the logger",
+		}, cli.StringFlag{
+			Name:  "prefix, p",
+			Usage: "Prefix for the logger",
+		}, cli.BoolFlag{
+			Name:  "color",
+			Usage: "Use color in the logs",
+		}, cli.BoolFlag{
+			Name: "debug",
+		},
+	}
+	subcmdLogging = cli.Command{
+		Name:  "logging",
+		Usage: "Adjust logging commands",
+		Subcommands: []cli.Command{
+			{
+				Name:  "pause",
+				Usage: "Pause logging (Gitea will buffer logs up to a certain point and will drop them after that point)",
+				Flags: []cli.Flag{
+					cli.BoolFlag{
+						Name: "debug",
+					},
+				},
+				Action: runPauseLogging,
+			}, {
+				Name:  "resume",
+				Usage: "Resume logging",
+				Flags: []cli.Flag{
+					cli.BoolFlag{
+						Name: "debug",
+					},
+				},
+				Action: runResumeLogging,
+			}, {
+				Name:  "release-and-reopen",
+				Usage: "Cause Gitea to release and re-open files used for logging",
+				Flags: []cli.Flag{
+					cli.BoolFlag{
+						Name: "debug",
+					},
+				},
+				Action: runReleaseReopenLogging,
+			}, {
+				Name:      "remove",
+				Usage:     "Remove a logger",
+				ArgsUsage: "[name] Name of logger to remove",
+				Flags: []cli.Flag{
+					cli.BoolFlag{
+						Name: "debug",
+					}, cli.StringFlag{
+						Name:  "group, g",
+						Usage: "Group to add logger to - will default to \"default\"",
+					},
+				},
+				Action: runRemoveLogger,
+			}, {
+				Name:  "add",
+				Usage: "Add a logger",
+				Subcommands: []cli.Command{
+					{
+						Name:  "console",
+						Usage: "Add a console logger",
+						Flags: append(defaultLoggingFlags,
+							cli.BoolFlag{
+								Name:  "stderr",
+								Usage: "Output console logs to stderr - only relevant for console",
+							}),
+						Action: runAddConsoleLogger,
+					}, {
+						Name:  "file",
+						Usage: "Add a file logger",
+						Flags: append(defaultLoggingFlags, []cli.Flag{
+							cli.StringFlag{
+								Name:  "filename, f",
+								Usage: "Filename for the logger - this must be set.",
+							}, cli.BoolTFlag{
+								Name:  "rotate, r",
+								Usage: "Rotate logs",
+							}, cli.Int64Flag{
+								Name:  "max-size, s",
+								Usage: "Maximum size in bytes before rotation",
+							}, cli.BoolTFlag{
+								Name:  "daily, d",
+								Usage: "Rotate logs daily",
+							}, cli.IntFlag{
+								Name:  "max-days, D",
+								Usage: "Maximum number of daily logs to keep",
+							}, cli.BoolTFlag{
+								Name:  "compress, z",
+								Usage: "Compress rotated logs",
+							}, cli.IntFlag{
+								Name:  "compression-level, Z",
+								Usage: "Compression level to use",
+							},
+						}...),
+						Action: runAddFileLogger,
+					}, {
+						Name:  "conn",
+						Usage: "Add a net conn logger",
+						Flags: append(defaultLoggingFlags, []cli.Flag{
+							cli.BoolFlag{
+								Name:  "reconnect-on-message, R",
+								Usage: "Reconnect to host for every message",
+							}, cli.BoolFlag{
+								Name:  "reconnect, r",
+								Usage: "Reconnect to host when connection is dropped",
+							}, cli.StringFlag{
+								Name:  "protocol, P",
+								Usage: "Set protocol to use: tcp, unix, or udp (defaults to tcp)",
+							}, cli.StringFlag{
+								Name:  "address, a",
+								Usage: "Host address and port to connect to (defaults to :7020)",
+							},
+						}...),
+						Action: runAddConnLogger,
+					}, {
+						Name:  "smtp",
+						Usage: "Add an SMTP logger",
+						Flags: append(defaultLoggingFlags, []cli.Flag{
+							cli.StringFlag{
+								Name:  "username, u",
+								Usage: "Mail server username",
+							}, cli.StringFlag{
+								Name:  "password, P",
+								Usage: "Mail server password",
+							}, cli.StringFlag{
+								Name:  "host, H",
+								Usage: "Mail server host (defaults to: 127.0.0.1:25)",
+							}, cli.StringSliceFlag{
+								Name:  "send-to, s",
+								Usage: "Email address(es) to send to",
+							}, cli.StringFlag{
+								Name:  "subject, S",
+								Usage: "Subject header of sent emails",
+							},
+						}...),
+						Action: runAddSMTPLogger,
+					},
+				},
+			},
 		},
 	}
 )

-func runShutdown(c *cli.Context) error {
-	setup("manager", false)
-	statusCode, msg := private.Shutdown()
+func runRemoveLogger(c *cli.Context) error {
+	setup("manager", c.Bool("debug"))
+	group := c.String("group")
+	if len(group) == 0 {
+		group = log.DEFAULT
+	}
+	name := c.Args().First()
+	ctx, cancel := installSignals()
+	defer cancel()
+
+	statusCode, msg := private.RemoveLogger(ctx, group, name)
 	switch statusCode {
 	case http.StatusInternalServerError:
-		fail("InternalServerError", msg)
+		return fail("InternalServerError", msg)
+	}
+
+	fmt.Fprintln(os.Stdout, msg)
+	return nil
+}
+
+func runAddSMTPLogger(c *cli.Context) error {
+	setup("manager", c.Bool("debug"))
+	vals := map[string]interface{}{}
+	mode := "smtp"
+	if c.IsSet("host") {
+		vals["host"] = c.String("host")
+	} else {
+		vals["host"] = "127.0.0.1:25"
+	}
+
+	if c.IsSet("username") {
+		vals["username"] = c.String("username")
+	}
+	if c.IsSet("password") {
+		vals["password"] = c.String("password")
+	}
+
+	if !c.IsSet("send-to") {
+		return fmt.Errorf("Some recipients must be provided")
+	}
+	vals["sendTos"] = c.StringSlice("send-to")
+
+	if c.IsSet("subject") {
+		vals["subject"] = c.String("subject")
+	} else {
+		vals["subject"] = "Diagnostic message from Gitea"
+	}
+
+	return commonAddLogger(c, mode, vals)
+}
+
+func runAddConnLogger(c *cli.Context) error {
+	setup("manager", c.Bool("debug"))
+	vals := map[string]interface{}{}
+	mode := "conn"
+	vals["net"] = "tcp"
+	if c.IsSet("protocol") {
+		switch c.String("protocol") {
+		case "udp":
+			vals["net"] = "udp"
+		case "unix":
+			vals["net"] = "unix"
+		}
+	}
+	if c.IsSet("address") {
+		vals["address"] = c.String("address")
+	} else {
+		vals["address"] = ":7020"
+	}
+	if c.IsSet("reconnect") {
+		vals["reconnect"] = c.Bool("reconnect")
+	}
+	if c.IsSet("reconnect-on-message") {
+		vals["reconnectOnMsg"] = c.Bool("reconnect-on-message")
+	}
+	return commonAddLogger(c, mode, vals)
+}
+
+func runAddFileLogger(c *cli.Context) error {
+	setup("manager", c.Bool("debug"))
+	vals := map[string]interface{}{}
+	mode := "file"
+	if c.IsSet("filename") {
+		vals["filename"] = c.String("filename")
+	} else {
+		return fmt.Errorf("filename must be set when creating a file logger")
+	}
+	if c.IsSet("rotate") {
+		vals["rotate"] = c.Bool("rotate")
+	}
+	if c.IsSet("max-size") {
+		vals["maxsize"] = c.Int64("max-size")
+	}
+	if c.IsSet("daily") {
+		vals["daily"] = c.Bool("daily")
+	}
+	if c.IsSet("max-days") {
+		vals["maxdays"] = c.Int("max-days")
+	}
+	if c.IsSet("compress") {
+		vals["compress"] = c.Bool("compress")
+	}
+	if c.IsSet("compression-level") {
+		vals["compressionLevel"] = c.Int("compression-level")
+	}
+	return commonAddLogger(c, mode, vals)
+}
+
+func runAddConsoleLogger(c *cli.Context) error {
+	setup("manager", c.Bool("debug"))
+	vals := map[string]interface{}{}
+	mode := "console"
+	if c.IsSet("stderr") && c.Bool("stderr") {
+		vals["stderr"] = c.Bool("stderr")
+	}
+	return commonAddLogger(c, mode, vals)
+}
+
+func commonAddLogger(c *cli.Context, mode string, vals map[string]interface{}) error {
+	if len(c.String("level")) > 0 {
+		vals["level"] = log.FromString(c.String("level")).String()
+	}
+	if len(c.String("stacktrace-level")) > 0 {
+		vals["stacktraceLevel"] = log.FromString(c.String("stacktrace-level")).String()
+	}
+	if len(c.String("expression")) > 0 {
+		vals["expression"] = c.String("expression")
+	}
+	if len(c.String("prefix")) > 0 {
+		vals["prefix"] = c.String("prefix")
+	}
+	if len(c.String("flags")) > 0 {
+		vals["flags"] = log.FlagsFromString(c.String("flags"))
+	}
+	if c.IsSet("color") {
+		vals["colorize"] = c.Bool("color")
+	}
+	group := "default"
+	if c.IsSet("group") {
+		group = c.String("group")
+	}
+	name := mode
+	if c.IsSet("name") {
+		name = c.String("name")
+	}
+	ctx, cancel := installSignals()
+	defer cancel()
+
+	statusCode, msg := private.AddLogger(ctx, group, name, mode, vals)
+	switch statusCode {
+	case http.StatusInternalServerError:
+		return fail("InternalServerError", msg)
+	}
+
+	fmt.Fprintln(os.Stdout, msg)
+	return nil
+}
+
+func runShutdown(c *cli.Context) error {
+	ctx, cancel := installSignals()
+	defer cancel()
+
+	setup("manager", c.Bool("debug"))
+	statusCode, msg := private.Shutdown(ctx)
+	switch statusCode {
+	case http.StatusInternalServerError:
+		return fail("InternalServerError", msg)
 	}

 	fmt.Fprintln(os.Stdout, msg)
@@ -68,11 +403,14 @@ func runShutdown(c *cli.Context) error {
 }

 func runRestart(c *cli.Context) error {
-	setup("manager", false)
-	statusCode, msg := private.Restart()
+	ctx, cancel := installSignals()
+	defer cancel()
+
+	setup("manager", c.Bool("debug"))
+	statusCode, msg := private.Restart(ctx)
 	switch statusCode {
 	case http.StatusInternalServerError:
-		fail("InternalServerError", msg)
+		return fail("InternalServerError", msg)
 	}

 	fmt.Fprintln(os.Stdout, msg)
@@ -80,11 +418,59 @@ func runRestart(c *cli.Context) error {
 }

 func runFlushQueues(c *cli.Context) error {
-	setup("manager", false)
-	statusCode, msg := private.FlushQueues(c.Duration("timeout"), c.Bool("non-blocking"))
+	ctx, cancel := installSignals()
+	defer cancel()
+
+	setup("manager", c.Bool("debug"))
+	statusCode, msg := private.FlushQueues(ctx, c.Duration("timeout"), c.Bool("non-blocking"))
 	switch statusCode {
 	case http.StatusInternalServerError:
-		fail("InternalServerError", msg)
+		return fail("InternalServerError", msg)
+	}
+
+	fmt.Fprintln(os.Stdout, msg)
+	return nil
+}
+
+func runPauseLogging(c *cli.Context) error {
+	ctx, cancel := installSignals()
+	defer cancel()
+
+	setup("manager", c.Bool("debug"))
+	statusCode, msg := private.PauseLogging(ctx)
+	switch statusCode {
+	case http.StatusInternalServerError:
+		return fail("InternalServerError", msg)
+	}
+
+	fmt.Fprintln(os.Stdout, msg)
+	return nil
+}
+
+func runResumeLogging(c *cli.Context) error {
+	ctx, cancel := installSignals()
+	defer cancel()
+
+	setup("manager", c.Bool("debug"))
+	statusCode, msg := private.ResumeLogging(ctx)
+	switch statusCode {
+	case http.StatusInternalServerError:
+		return fail("InternalServerError", msg)
+	}
+
+	fmt.Fprintln(os.Stdout, msg)
+	return nil
+}
+
+func runReleaseReopenLogging(c *cli.Context) error {
+	ctx, cancel := installSignals()
+	defer cancel()
+
+	setup("manager", c.Bool("debug"))
+	statusCode, msg := private.ReleaseReopenLogging(ctx)
+	switch statusCode {
+	case http.StatusInternalServerError:
+		return fail("InternalServerError", msg)
 	}

 	fmt.Fprintln(os.Stdout, msg)
--- a/cmd/migrate.go
+++ b/cmd/migrate.go
@@ -28,10 +28,10 @@ func runMigrate(ctx *cli.Context) error {
 		return err
 	}

-	log.Trace("AppPath: %s", setting.AppPath)
-	log.Trace("AppWorkPath: %s", setting.AppWorkPath)
-	log.Trace("Custom path: %s", setting.CustomPath)
-	log.Trace("Log path: %s", setting.LogRootPath)
+	log.Info("AppPath: %s", setting.AppPath)
+	log.Info("AppWorkPath: %s", setting.AppWorkPath)
+	log.Info("Custom path: %s", setting.CustomPath)
+	log.Info("Log path: %s", setting.LogRootPath)
 	setting.InitDBConfig()

 	if err := models.NewEngine(context.Background(), migrations.Migrate); err != nil {
--- a/cmd/migrate_storage.go
+++ b/cmd/migrate_storage.go
@@ -0,0 +1,190 @@
+// Copyright 2020 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package cmd
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	"code.gitea.io/gitea/models"
+	"code.gitea.io/gitea/models/migrations"
+	"code.gitea.io/gitea/modules/log"
+	"code.gitea.io/gitea/modules/setting"
+	"code.gitea.io/gitea/modules/storage"
+
+	"github.com/urfave/cli"
+)
+
+// CmdMigrateStorage represents the available migrate storage sub-command.
+var CmdMigrateStorage = cli.Command{
+	Name:        "migrate-storage",
+	Usage:       "Migrate the storage",
+	Description: "This is a command for migrating storage.",
+	Action:      runMigrateStorage,
+	Flags: []cli.Flag{
+		cli.StringFlag{
+			Name:  "type, t",
+			Value: "",
+			Usage: "Kinds of files to migrate, currently only 'attachments' is supported",
+		},
+		cli.StringFlag{
+			Name:  "storage, s",
+			Value: "",
+			Usage: "New storage type: local (default) or minio",
+		},
+		cli.StringFlag{
+			Name:  "path, p",
+			Value: "",
+			Usage: "New storage placement if store is local (leave blank for default)",
+		},
+		cli.StringFlag{
+			Name:  "minio-endpoint",
+			Value: "",
+			Usage: "Minio storage endpoint",
+		},
+		cli.StringFlag{
+			Name:  "minio-access-key-id",
+			Value: "",
+			Usage: "Minio storage accessKeyID",
+		},
+		cli.StringFlag{
+			Name:  "minio-secret-access-key",
+			Value: "",
+			Usage: "Minio storage secretAccessKey",
+		},
+		cli.StringFlag{
+			Name:  "minio-bucket",
+			Value: "",
+			Usage: "Minio storage bucket",
+		},
+		cli.StringFlag{
+			Name:  "minio-location",
+			Value: "",
+			Usage: "Minio storage location to create bucket",
+		},
+		cli.StringFlag{
+			Name:  "minio-base-path",
+			Value: "",
+			Usage: "Minio storage basepath on the bucket",
+		},
+		cli.BoolFlag{
+			Name:  "minio-use-ssl",
+			Usage: "Enable SSL for minio",
+		},
+	},
+}
+
+func migrateAttachments(dstStorage storage.ObjectStorage) error {
+	return models.IterateAttachment(func(attach *models.Attachment) error {
+		_, err := storage.Copy(dstStorage, attach.RelativePath(), storage.Attachments, attach.RelativePath())
+		return err
+	})
+}
+
+func migrateLFS(dstStorage storage.ObjectStorage) error {
+	return models.IterateLFS(func(mo *models.LFSMetaObject) error {
+		_, err := storage.Copy(dstStorage, mo.RelativePath(), storage.LFS, mo.RelativePath())
+		return err
+	})
+}
+
+func migrateAvatars(dstStorage storage.ObjectStorage) error {
+	return models.IterateUser(func(user *models.User) error {
+		_, err := storage.Copy(dstStorage, user.CustomAvatarRelativePath(), storage.Avatars, user.CustomAvatarRelativePath())
+		return err
+	})
+}
+
+func migrateRepoAvatars(dstStorage storage.ObjectStorage) error {
+	return models.IterateRepository(func(repo *models.Repository) error {
+		_, err := storage.Copy(dstStorage, repo.CustomAvatarRelativePath(), storage.RepoAvatars, repo.CustomAvatarRelativePath())
+		return err
+	})
+}
+
+func runMigrateStorage(ctx *cli.Context) error {
+	if err := initDB(); err != nil {
+		return err
+	}
+
+	log.Info("AppPath: %s", setting.AppPath)
+	log.Info("AppWorkPath: %s", setting.AppWorkPath)
+	log.Info("Custom path: %s", setting.CustomPath)
+	log.Info("Log path: %s", setting.LogRootPath)
+	setting.InitDBConfig()
+
+	if err := models.NewEngine(context.Background(), migrations.Migrate); err != nil {
+		log.Fatal("Failed to initialize ORM engine: %v", err)
+		return err
+	}
+
+	goCtx := context.Background()
+
+	if err := storage.Init(); err != nil {
+		return err
+	}
+
+	var dstStorage storage.ObjectStorage
+	var err error
+	switch strings.ToLower(ctx.String("storage")) {
+	case "":
+		fallthrough
+	case string(storage.LocalStorageType):
+		p := ctx.String("path")
+		if p == "" {
+			log.Fatal("Path must be given when storage is loal")
+			return nil
+		}
+		dstStorage, err = storage.NewLocalStorage(
+			goCtx,
+			storage.LocalStorageConfig{
+				Path: p,
+			})
+	case string(storage.MinioStorageType):
+		dstStorage, err = storage.NewMinioStorage(
+			goCtx,
+			storage.MinioStorageConfig{
+				Endpoint:        ctx.String("minio-endpoint"),
+				AccessKeyID:     ctx.String("minio-access-key-id"),
+				SecretAccessKey: ctx.String("minio-secret-access-key"),
+				Bucket:          ctx.String("minio-bucket"),
+				Location:        ctx.String("minio-location"),
+				BasePath:        ctx.String("minio-base-path"),
+				UseSSL:          ctx.Bool("minio-use-ssl"),
+			})
+	default:
+		return fmt.Errorf("Unsupported storage type: %s", ctx.String("storage"))
+	}
+	if err != nil {
+		return err
+	}
+
+	tp := strings.ToLower(ctx.String("type"))
+	switch tp {
+	case "attachments":
+		if err := migrateAttachments(dstStorage); err != nil {
+			return err
+		}
+	case "lfs":
+		if err := migrateLFS(dstStorage); err != nil {
+			return err
+		}
+	case "avatars":
+		if err := migrateAvatars(dstStorage); err != nil {
+			return err
+		}
+	case "repo-avatars":
+		if err := migrateRepoAvatars(dstStorage); err != nil {
+			return err
+		}
+	default:
+		return fmt.Errorf("Unsupported storage: %s", ctx.String("type"))
+	}
+
+	log.Warn("All files have been copied to the new placement but old files are still on the original placement.")
+
+	return nil
+}
--- a/cmd/restore_repo.go
+++ b/cmd/restore_repo.go
@@ -0,0 +1,68 @@
+// Copyright 2020 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package cmd
+
+import (
+	"errors"
+	"net/http"
+
+	"code.gitea.io/gitea/modules/log"
+	"code.gitea.io/gitea/modules/private"
+	"code.gitea.io/gitea/modules/setting"
+
+	"github.com/urfave/cli"
+)
+
+// CmdRestoreRepository represents the available restore a repository sub-command.
+var CmdRestoreRepository = cli.Command{
+	Name:        "restore-repo",
+	Usage:       "Restore the repository from disk",
+	Description: "This is a command for restoring the repository data.",
+	Action:      runRestoreRepository,
+	Flags: []cli.Flag{
+		cli.StringFlag{
+			Name:  "repo_dir, r",
+			Value: "./data",
+			Usage: "Repository dir path to restore from",
+		},
+		cli.StringFlag{
+			Name:  "owner_name",
+			Value: "",
+			Usage: "Restore destination owner name",
+		},
+		cli.StringFlag{
+			Name:  "repo_name",
+			Value: "",
+			Usage: "Restore destination repository name",
+		},
+		cli.StringFlag{
+			Name:  "units",
+			Value: "",
+			Usage: `Which items will be restored, one or more units should be separated as comma.
+wiki, issues, labels, releases, release_assets, milestones, pull_requests, comments are allowed. Empty means all units.`,
+		},
+	},
+}
+
+func runRestoreRepository(c *cli.Context) error {
+	ctx, cancel := installSignals()
+	defer cancel()
+
+	setting.NewContext()
+
+	statusCode, errStr := private.RestoreRepo(
+		ctx,
+		c.String("repo_dir"),
+		c.String("owner_name"),
+		c.String("repo_name"),
+		c.StringSlice("units"),
+	)
+	if statusCode == http.StatusOK {
+		return nil
+	}
+
+	log.Fatal("Failed to restore repository: %v", errStr)
+	return errors.New(errStr)
+}
--- a/cmd/serv.go
+++ b/cmd/serv.go
@@ -6,7 +6,6 @@
 package cmd

 import (
-	"encoding/json"
 	"fmt"
 	"net/http"
 	"net/url"
@@ -18,14 +17,15 @@ import (
 	"time"

 	"code.gitea.io/gitea/models"
-	"code.gitea.io/gitea/modules/lfs"
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/pprof"
 	"code.gitea.io/gitea/modules/private"
 	"code.gitea.io/gitea/modules/setting"
+	"code.gitea.io/gitea/services/lfs"

-	"github.com/dgrijalva/jwt-go"
-	"github.com/unknwon/com"
+	"github.com/golang-jwt/jwt"
+	jsoniter "github.com/json-iterator/go"
+	"github.com/kballard/go-shellquote"
 	"github.com/urfave/cli"
 )

@@ -50,23 +50,18 @@ var CmdServ = cli.Command{
 }

 func setup(logPath string, debug bool) {
-	if !debug {
-		_ = log.DelLogger("console")
+	_ = log.DelLogger("console")
+	if debug {
+		_ = log.NewLogger(1000, "console", "console", `{"level":"trace","stacktracelevel":"NONE","stderr":true}`)
+	} else {
+		_ = log.NewLogger(1000, "console", "console", `{"level":"fatal","stacktracelevel":"NONE","stderr":true}`)
 	}
 	setting.NewContext()
 	if debug {
-		setting.ProdMode = false
+		setting.RunMode = "dev"
 	}
 }

-func parseCmd(cmd string) (string, string) {
-	ss := strings.SplitN(cmd, " ", 2)
-	if len(ss) != 2 {
-		return "", ""
-	}
-	return ss[0], strings.Replace(ss[1], "'/", "'", 1)
-}
-
 var (
 	allowedCommands = map[string]models.AccessMode{
 		"git-upload-pack":    models.AccessModeRead,
@@ -77,19 +72,30 @@ var (
 	alphaDashDotPattern = regexp.MustCompile(`[^\w-\.]`)
 )

-func fail(userMessage, logMessage string, args ...interface{}) {
+func fail(userMessage, logMessage string, args ...interface{}) error {
+	// There appears to be a chance to cause a zombie process and failure to read the Exit status
+	// if nothing is outputted on stdout.
+	fmt.Fprintln(os.Stdout, "")
 	fmt.Fprintln(os.Stderr, "Gitea:", userMessage)

 	if len(logMessage) > 0 {
-		if !setting.ProdMode {
+		if !setting.IsProd() {
 			fmt.Fprintf(os.Stderr, logMessage+"\n", args...)
 		}
 	}
+	ctx, cancel := installSignals()
+	defer cancel()

-	os.Exit(1)
+	if len(logMessage) > 0 {
+		_ = private.SSHLog(ctx, true, fmt.Sprintf(logMessage+": ", args...))
+	}
+	return cli.NewExitError(fmt.Sprintf("Gitea: %s", userMessage), 1)
 }

 func runServ(c *cli.Context) error {
+	ctx, cancel := installSignals()
+	defer cancel()
+
 	// FIXME: This needs to internationalised
 	setup("serv.log", c.Bool("debug"))

@@ -107,74 +113,95 @@ func runServ(c *cli.Context) error {

 	keys := strings.Split(c.Args()[0], "-")
 	if len(keys) != 2 || keys[0] != "key" {
-		fail("Key ID format error", "Invalid key argument: %s", c.Args()[0])
+		return fail("Key ID format error", "Invalid key argument: %s", c.Args()[0])
+	}
+	keyID, err := strconv.ParseInt(keys[1], 10, 64)
+	if err != nil {
+		return fail("Key ID format error", "Invalid key argument: %s", c.Args()[1])
 	}
-	keyID := com.StrTo(keys[1]).MustInt64()

 	cmd := os.Getenv("SSH_ORIGINAL_COMMAND")
 	if len(cmd) == 0 {
-		key, user, err := private.ServNoCommand(keyID)
+		key, user, err := private.ServNoCommand(ctx, keyID)
 		if err != nil {
-			fail("Internal error", "Failed to check provided key: %v", err)
+			return fail("Internal error", "Failed to check provided key: %v", err)
 		}
-		if key.Type == models.KeyTypeDeploy {
+		switch key.Type {
+		case models.KeyTypeDeploy:
 			println("Hi there! You've successfully authenticated with the deploy key named " + key.Name + ", but Gitea does not provide shell access.")
-		} else {
+		case models.KeyTypePrincipal:
+			println("Hi there! You've successfully authenticated with the principal " + key.Content + ", but Gitea does not provide shell access.")
+		default:
 			println("Hi there, " + user.Name + "! You've successfully authenticated with the key named " + key.Name + ", but Gitea does not provide shell access.")
 		}
 		println("If this is unexpected, please log in with password and setup Gitea under another user.")
 		return nil
+	} else if c.Bool("debug") {
+		log.Debug("SSH_ORIGINAL_COMMAND: %s", os.Getenv("SSH_ORIGINAL_COMMAND"))
 	}

-	verb, args := parseCmd(cmd)
+	words, err := shellquote.Split(cmd)
+	if err != nil {
+		return fail("Error parsing arguments", "Failed to parse arguments: %v", err)
+	}
+
+	if len(words) < 2 {
+		return fail("Too few arguments", "Too few arguments in cmd: %s", cmd)
+	}
+
+	verb := words[0]
+	repoPath := words[1]
+	if repoPath[0] == '/' {
+		repoPath = repoPath[1:]
+	}

 	var lfsVerb string
 	if verb == lfsAuthenticateVerb {
 		if !setting.LFS.StartServer {
-			fail("Unknown git command", "LFS authentication request over SSH denied, LFS support is disabled")
+			return fail("Unknown git command", "LFS authentication request over SSH denied, LFS support is disabled")
 		}

-		argsSplit := strings.Split(args, " ")
-		if len(argsSplit) >= 2 {
-			args = strings.TrimSpace(argsSplit[0])
-			lfsVerb = strings.TrimSpace(argsSplit[1])
+		if len(words) > 2 {
+			lfsVerb = words[2]
 		}
 	}

-	repoPath := strings.ToLower(strings.Trim(args, "'"))
+	// LowerCase and trim the repoPath as that's how they are stored.
+	repoPath = strings.ToLower(strings.TrimSpace(repoPath))
+
 	rr := strings.SplitN(repoPath, "/", 2)
 	if len(rr) != 2 {
-		fail("Invalid repository path", "Invalid repository path: %v", args)
+		return fail("Invalid repository path", "Invalid repository path: %v", repoPath)
 	}

 	username := strings.ToLower(rr[0])
 	reponame := strings.ToLower(strings.TrimSuffix(rr[1], ".git"))

 	if alphaDashDotPattern.MatchString(reponame) {
-		fail("Invalid repo name", "Invalid repo name: %s", reponame)
+		return fail("Invalid repo name", "Invalid repo name: %s", reponame)
 	}

 	if setting.EnablePprof || c.Bool("enable-pprof") {
 		if err := os.MkdirAll(setting.PprofDataPath, os.ModePerm); err != nil {
-			fail("Error while trying to create PPROF_DATA_PATH", "Error while trying to create PPROF_DATA_PATH: %v", err)
+			return fail("Error while trying to create PPROF_DATA_PATH", "Error while trying to create PPROF_DATA_PATH: %v", err)
 		}

 		stopCPUProfiler, err := pprof.DumpCPUProfileForUsername(setting.PprofDataPath, username)
 		if err != nil {
-			fail("Internal Server Error", "Unable to start CPU profile: %v", err)
+			return fail("Internal Server Error", "Unable to start CPU profile: %v", err)
 		}
 		defer func() {
 			stopCPUProfiler()
 			err := pprof.DumpMemProfileForUsername(setting.PprofDataPath, username)
 			if err != nil {
-				fail("Internal Server Error", "Unable to dump Mem Profile: %v", err)
+				_ = fail("Internal Server Error", "Unable to dump Mem Profile: %v", err)
 			}
 		}()
 	}

 	requestedMode, has := allowedCommands[verb]
 	if !has {
-		fail("Unknown git command", "Unknown git command %s", verb)
+		return fail("Unknown git command", "Unknown git command %s", verb)
 	}

 	if verb == lfsAuthenticateVerb {
@@ -183,31 +210,32 @@ func runServ(c *cli.Context) error {
 		} else if lfsVerb == "download" {
 			requestedMode = models.AccessModeRead
 		} else {
-			fail("Unknown LFS verb", "Unknown lfs verb %s", lfsVerb)
+			return fail("Unknown LFS verb", "Unknown lfs verb %s", lfsVerb)
 		}
 	}

-	results, err := private.ServCommand(keyID, username, reponame, requestedMode, verb, lfsVerb)
+	results, err := private.ServCommand(ctx, keyID, username, reponame, requestedMode, verb, lfsVerb)
 	if err != nil {
 		if private.IsErrServCommand(err) {
 			errServCommand := err.(private.ErrServCommand)
 			if errServCommand.StatusCode != http.StatusInternalServerError {
-				fail("Unauthorized", "%s", errServCommand.Error())
-			} else {
-				fail("Internal Server Error", "%s", errServCommand.Error())
+				return fail("Unauthorized", "%s", errServCommand.Error())
 			}
+			return fail("Internal Server Error", "%s", errServCommand.Error())
 		}
-		fail("Internal Server Error", "%s", err.Error())
+		return fail("Internal Server Error", "%s", err.Error())
 	}
 	os.Setenv(models.EnvRepoIsWiki, strconv.FormatBool(results.IsWiki))
 	os.Setenv(models.EnvRepoName, results.RepoName)
 	os.Setenv(models.EnvRepoUsername, results.OwnerName)
 	os.Setenv(models.EnvPusherName, results.UserName)
+	os.Setenv(models.EnvPusherEmail, results.UserEmail)
 	os.Setenv(models.EnvPusherID, strconv.FormatInt(results.UserID, 10))
-	os.Setenv(models.ProtectedBranchRepoID, strconv.FormatInt(results.RepoID, 10))
-	os.Setenv(models.ProtectedBranchPRID, fmt.Sprintf("%d", 0))
+	os.Setenv(models.EnvRepoID, strconv.FormatInt(results.RepoID, 10))
+	os.Setenv(models.EnvPRID, fmt.Sprintf("%d", 0))
 	os.Setenv(models.EnvIsDeployKey, fmt.Sprintf("%t", results.IsDeployKey))
 	os.Setenv(models.EnvKeyID, fmt.Sprintf("%d", results.KeyID))
+	os.Setenv(models.EnvAppURL, setting.AppURL)

 	//LFS token authentication
 	if verb == lfsAuthenticateVerb {
@@ -228,7 +256,7 @@ func runServ(c *cli.Context) error {
 		// Sign and get the complete encoded token as a string using the secret
 		tokenString, err := token.SignedString(setting.LFS.JWTSecretBytes)
 		if err != nil {
-			fail("Internal error", "Failed to sign JWT token: %v", err)
+			return fail("Internal error", "Failed to sign JWT token: %v", err)
 		}

 		tokenAuthentication := &models.LFSTokenResponse{
@@ -237,10 +265,11 @@ func runServ(c *cli.Context) error {
 		}
 		tokenAuthentication.Header["Authorization"] = fmt.Sprintf("Bearer %s", tokenString)

+		json := jsoniter.ConfigCompatibleWithStandardLibrary
 		enc := json.NewEncoder(os.Stdout)
 		err = enc.Encode(tokenAuthentication)
 		if err != nil {
-			fail("Internal error", "Failed to encode LFS json response: %v", err)
+			return fail("Internal error", "Failed to encode LFS json response: %v", err)
 		}
 		return nil
 	}
@@ -253,9 +282,9 @@ func runServ(c *cli.Context) error {
 	var gitcmd *exec.Cmd
 	verbs := strings.Split(verb, " ")
 	if len(verbs) == 2 {
-		gitcmd = exec.Command(verbs[0], verbs[1], repoPath)
+		gitcmd = exec.CommandContext(ctx, verbs[0], verbs[1], repoPath)
 	} else {
-		gitcmd = exec.Command(verb, repoPath)
+		gitcmd = exec.CommandContext(ctx, verb, repoPath)
 	}

 	gitcmd.Dir = setting.RepoRootPath
@@ -263,13 +292,13 @@ func runServ(c *cli.Context) error {
 	gitcmd.Stdin = os.Stdin
 	gitcmd.Stderr = os.Stderr
 	if err = gitcmd.Run(); err != nil {
-		fail("Internal error", "Failed to execute git command: %v", err)
+		return fail("Internal error", "Failed to execute git command: %v", err)
 	}

 	// Update user key activity.
 	if results.KeyID > 0 {
-		if err = private.UpdatePublicKeyInRepo(results.KeyID, results.RepoID); err != nil {
-			fail("Internal error", "UpdatePublicKeyInRepo: %v", err)
+		if err = private.UpdatePublicKeyInRepo(ctx, results.KeyID, results.RepoID); err != nil {
+			return fail("Internal error", "UpdatePublicKeyInRepo: %v", err)
 		}
 	}

--- a/cmd/web.go
+++ b/cmd/web.go
@@ -7,6 +7,7 @@ package cmd
 import (
 	"context"
 	"fmt"
+	"net"
 	"net/http"
 	_ "net/http/pprof" // Used for debugging if enabled and a web server is running
 	"os"
@@ -16,12 +17,10 @@ import (
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/routers"
-	"code.gitea.io/gitea/routers/routes"
+	"code.gitea.io/gitea/routers/install"

 	context2 "github.com/gorilla/context"
-	"github.com/unknwon/com"
 	"github.com/urfave/cli"
-	"golang.org/x/crypto/acme/autocert"
 	ini "gopkg.in/ini.v1"
 )

@@ -38,11 +37,24 @@ and it takes care of all the other things for you`,
 			Value: "3000",
 			Usage: "Temporary port number to prevent conflict",
 		},
+		cli.StringFlag{
+			Name:  "install-port",
+			Value: "3000",
+			Usage: "Temporary port number to run the install page on to prevent conflict",
+		},
 		cli.StringFlag{
 			Name:  "pid, P",
-			Value: "/var/run/gitea.pid",
+			Value: setting.PIDFile,
 			Usage: "Custom pid file path",
 		},
+		cli.BoolFlag{
+			Name:  "quiet, q",
+			Usage: "Only display Fatal logging errors until logging is set-up",
+		},
+		cli.BoolFlag{
+			Name:  "verbose",
+			Usage: "Set initial logging to TRACE level until logging is properly set-up",
+		},
 	},
 }

@@ -59,44 +71,27 @@ func runHTTPRedirector() {
 		http.Redirect(w, r, target, http.StatusTemporaryRedirect)
 	})

-	var err = runHTTP("tcp", source, context2.ClearHandler(handler))
+	var err = runHTTP("tcp", source, "HTTP Redirector", context2.ClearHandler(handler))

 	if err != nil {
 		log.Fatal("Failed to start port redirection: %v", err)
 	}
 }

-func runLetsEncrypt(listenAddr, domain, directory, email string, m http.Handler) error {
-	certManager := autocert.Manager{
-		Prompt:     autocert.AcceptTOS,
-		HostPolicy: autocert.HostWhitelist(domain),
-		Cache:      autocert.DirCache(directory),
-		Email:      email,
+func runWeb(ctx *cli.Context) error {
+	if ctx.Bool("verbose") {
+		_ = log.DelLogger("console")
+		log.NewLogger(0, "console", "console", fmt.Sprintf(`{"level": "trace", "colorize": %t, "stacktraceLevel": "none"}`, log.CanColorStdout))
+	} else if ctx.Bool("quiet") {
+		_ = log.DelLogger("console")
+		log.NewLogger(0, "console", "console", fmt.Sprintf(`{"level": "fatal", "colorize": %t, "stacktraceLevel": "none"}`, log.CanColorStdout))
 	}
-	go func() {
-		log.Info("Running Let's Encrypt handler on %s", setting.HTTPAddr+":"+setting.PortToRedirect)
-		// all traffic coming into HTTP will be redirect to HTTPS automatically (LE HTTP-01 validation happens here)
-		var err = runHTTP("tcp", setting.HTTPAddr+":"+setting.PortToRedirect, certManager.HTTPHandler(http.HandlerFunc(runLetsEncryptFallbackHandler)))
-		if err != nil {
-			log.Fatal("Failed to start the Let's Encrypt handler on port %s: %v", setting.PortToRedirect, err)
+	defer func() {
+		if panicked := recover(); panicked != nil {
+			log.Fatal("PANIC: %v\n%s", panicked, string(log.Stack(2)))
 		}
 	}()
-	return runHTTPSWithTLSConfig("tcp", listenAddr, certManager.TLSConfig(), context2.ClearHandler(m))
-}

-func runLetsEncryptFallbackHandler(w http.ResponseWriter, r *http.Request) {
-	if r.Method != "GET" && r.Method != "HEAD" {
-		http.Error(w, "Use HTTPS", http.StatusBadRequest)
-		return
-	}
-	// Remove the trailing slash at the end of setting.AppURL, the request
-	// URI always contains a leading slash, which would result in a double
-	// slash
-	target := strings.TrimRight(setting.AppURL, "/") + r.URL.RequestURI()
-	http.Redirect(w, r, target, http.StatusFound)
-}
-
-func runWeb(ctx *cli.Context) error {
 	managerCtx, cancel := context.WithCancel(context.Background())
 	graceful.InitManager(managerCtx)
 	defer cancel()
@@ -109,59 +104,36 @@ func runWeb(ctx *cli.Context) error {

 	// Set pid file setting
 	if ctx.IsSet("pid") {
-		setting.CustomPID = ctx.String("pid")
+		setting.PIDFile = ctx.String("pid")
+		setting.WritePIDFile = true
 	}

-	// Perform global initialization
-	routers.GlobalInit(graceful.GetManager().HammerContext())
-
-	// Set up Macaron
-	m := routes.NewMacaron()
-	routes.RegisterRoutes(m)
-
-	// Flag for port number in case first time run conflict.
-	if ctx.IsSet("port") {
-		setting.AppURL = strings.Replace(setting.AppURL, setting.HTTPPort, ctx.String("port"), 1)
-		setting.HTTPPort = ctx.String("port")
-
-		switch setting.Protocol {
-		case setting.UnixSocket:
-		case setting.FCGI:
-		case setting.FCGIUnix:
-		default:
-			// Save LOCAL_ROOT_URL if port changed
-			cfg := ini.Empty()
-			if com.IsFile(setting.CustomConf) {
-				// Keeps custom settings if there is already something.
-				if err := cfg.Append(setting.CustomConf); err != nil {
-					return fmt.Errorf("Failed to load custom conf '%s': %v", setting.CustomConf, err)
-				}
-			}
-
-			defaultLocalURL := string(setting.Protocol) + "://"
-			if setting.HTTPAddr == "0.0.0.0" {
-				defaultLocalURL += "localhost"
-			} else {
-				defaultLocalURL += setting.HTTPAddr
-			}
-			defaultLocalURL += ":" + setting.HTTPPort + "/"
-
-			cfg.Section("server").Key("LOCAL_ROOT_URL").SetValue(defaultLocalURL)
-
-			if err := cfg.SaveTo(setting.CustomConf); err != nil {
-				return fmt.Errorf("Error saving generated JWT Secret to custom config: %v", err)
+	// Perform pre-initialization
+	needsInstall := install.PreloadSettings(graceful.GetManager().HammerContext())
+	if needsInstall {
+		// Flag for port number in case first time run conflict
+		if ctx.IsSet("port") {
+			if err := setPort(ctx.String("port")); err != nil {
+				return err
 			}
 		}
-	}
-
-	listenAddr := setting.HTTPAddr
-	if setting.Protocol != setting.UnixSocket && setting.Protocol != setting.FCGIUnix {
-		listenAddr += ":" + setting.HTTPPort
-	}
-	log.Info("Listen: %v://%s%s", setting.Protocol, listenAddr, setting.AppSubURL)
-
-	if setting.LFS.StartServer {
-		log.Info("LFS server enabled")
+		if ctx.IsSet("install-port") {
+			if err := setPort(ctx.String("install-port")); err != nil {
+				return err
+			}
+		}
+		c := install.Routes()
+		err := listen(c, false)
+		select {
+		case <-graceful.GetManager().IsShutdown():
+			<-graceful.GetManager().Done()
+			log.Info("PID: %d Gitea Web Finished", os.Getpid())
+			log.Close()
+			return err
+		default:
+		}
+	} else {
+		NoInstallListener()
 	}

 	if setting.EnablePprof {
@@ -171,31 +143,97 @@ func runWeb(ctx *cli.Context) error {
 		}()
 	}

+	log.Info("Global init")
+	// Perform global initialization
+	routers.GlobalInit(graceful.GetManager().HammerContext())
+
+	// Override the provided port number within the configuration
+	if ctx.IsSet("port") {
+		if err := setPort(ctx.String("port")); err != nil {
+			return err
+		}
+	}
+
+	// Set up Chi routes
+	c := routers.NormalRoutes()
+	err := listen(c, true)
+	<-graceful.GetManager().Done()
+	log.Info("PID: %d Gitea Web Finished", os.Getpid())
+	log.Close()
+	return err
+}
+
+func setPort(port string) error {
+	setting.AppURL = strings.Replace(setting.AppURL, setting.HTTPPort, port, 1)
+	setting.HTTPPort = port
+
+	switch setting.Protocol {
+	case setting.UnixSocket:
+	case setting.FCGI:
+	case setting.FCGIUnix:
+	default:
+		defaultLocalURL := string(setting.Protocol) + "://"
+		if setting.HTTPAddr == "0.0.0.0" {
+			defaultLocalURL += "localhost"
+		} else {
+			defaultLocalURL += setting.HTTPAddr
+		}
+		defaultLocalURL += ":" + setting.HTTPPort + "/"
+
+		// Save LOCAL_ROOT_URL if port changed
+		setting.CreateOrAppendToCustomConf(func(cfg *ini.File) {
+			cfg.Section("server").Key("LOCAL_ROOT_URL").SetValue(defaultLocalURL)
+		})
+	}
+	return nil
+}
+
+func listen(m http.Handler, handleRedirector bool) error {
+	listenAddr := setting.HTTPAddr
+	if setting.Protocol != setting.UnixSocket && setting.Protocol != setting.FCGIUnix {
+		listenAddr = net.JoinHostPort(listenAddr, setting.HTTPPort)
+	}
+	log.Info("Listen: %v://%s%s", setting.Protocol, listenAddr, setting.AppSubURL)
+
+	if setting.LFS.StartServer {
+		log.Info("LFS server enabled")
+	}
+
 	var err error
 	switch setting.Protocol {
 	case setting.HTTP:
-		NoHTTPRedirector()
-		err = runHTTP("tcp", listenAddr, context2.ClearHandler(m))
+		if handleRedirector {
+			NoHTTPRedirector()
+		}
+		err = runHTTP("tcp", listenAddr, "Web", context2.ClearHandler(m))
 	case setting.HTTPS:
 		if setting.EnableLetsEncrypt {
 			err = runLetsEncrypt(listenAddr, setting.Domain, setting.LetsEncryptDirectory, setting.LetsEncryptEmail, context2.ClearHandler(m))
 			break
 		}
-		if setting.RedirectOtherPort {
-			go runHTTPRedirector()
-		} else {
+		if handleRedirector {
+			if setting.RedirectOtherPort {
+				go runHTTPRedirector()
+			} else {
+				NoHTTPRedirector()
+			}
+		}
+		err = runHTTPS("tcp", listenAddr, "Web", setting.CertFile, setting.KeyFile, context2.ClearHandler(m))
+	case setting.FCGI:
+		if handleRedirector {
 			NoHTTPRedirector()
 		}
-		err = runHTTPS("tcp", listenAddr, setting.CertFile, setting.KeyFile, context2.ClearHandler(m))
-	case setting.FCGI:
-		NoHTTPRedirector()
-		err = runFCGI("tcp", listenAddr, context2.ClearHandler(m))
+		err = runFCGI("tcp", listenAddr, "FCGI Web", context2.ClearHandler(m))
 	case setting.UnixSocket:
-		NoHTTPRedirector()
-		err = runHTTP("unix", listenAddr, context2.ClearHandler(m))
+		if handleRedirector {
+			NoHTTPRedirector()
+		}
+		err = runHTTP("unix", listenAddr, "Web", context2.ClearHandler(m))
 	case setting.FCGIUnix:
-		NoHTTPRedirector()
-		err = runFCGI("unix", listenAddr, context2.ClearHandler(m))
+		if handleRedirector {
+			NoHTTPRedirector()
+		}
+		err = runFCGI("unix", listenAddr, "Web", context2.ClearHandler(m))
 	default:
 		log.Fatal("Invalid protocol: %s", setting.Protocol)
 	}
@@ -204,8 +242,5 @@ func runWeb(ctx *cli.Context) error {
 		log.Critical("Failed to start server: %v", err)
 	}
 	log.Info("HTTP Listener: %s Closed", listenAddr)
-	<-graceful.GetManager().Done()
-	log.Info("PID: %d Gitea Web Finished", os.Getpid())
-	log.Close()
-	return nil
+	return err
 }
--- a/cmd/web_graceful.go
+++ b/cmd/web_graceful.go
@@ -9,21 +9,23 @@ import (
 	"net"
 	"net/http"
 	"net/http/fcgi"
+	"strings"

 	"code.gitea.io/gitea/modules/graceful"
 	"code.gitea.io/gitea/modules/log"
+	"code.gitea.io/gitea/modules/setting"
 )

-func runHTTP(network, listenAddr string, m http.Handler) error {
-	return graceful.HTTPListenAndServe(network, listenAddr, m)
+func runHTTP(network, listenAddr, name string, m http.Handler) error {
+	return graceful.HTTPListenAndServe(network, listenAddr, name, m)
 }

-func runHTTPS(network, listenAddr, certFile, keyFile string, m http.Handler) error {
-	return graceful.HTTPListenAndServeTLS(network, listenAddr, certFile, keyFile, m)
+func runHTTPS(network, listenAddr, name, certFile, keyFile string, m http.Handler) error {
+	return graceful.HTTPListenAndServeTLS(network, listenAddr, name, certFile, keyFile, m)
 }

-func runHTTPSWithTLSConfig(network, listenAddr string, tlsConfig *tls.Config, m http.Handler) error {
-	return graceful.HTTPListenAndServeTLSConfig(network, listenAddr, tlsConfig, m)
+func runHTTPSWithTLSConfig(network, listenAddr, name string, tlsConfig *tls.Config, m http.Handler) error {
+	return graceful.HTTPListenAndServeTLSConfig(network, listenAddr, name, tlsConfig, m)
 }

 // NoHTTPRedirector tells our cleanup routine that we will not be using a fallback http redirector
@@ -37,12 +39,23 @@ func NoMainListener() {
 	graceful.GetManager().InformCleanup()
 }

-func runFCGI(network, listenAddr string, m http.Handler) error {
+// NoInstallListener tells our cleanup routine that we will not be using a possibly provided listener
+// for our install HTTP/HTTPS service
+func NoInstallListener() {
+	graceful.GetManager().InformCleanup()
+}
+
+func runFCGI(network, listenAddr, name string, m http.Handler) error {
 	// This needs to handle stdin as fcgi point
-	fcgiServer := graceful.NewServer(network, listenAddr)
+	fcgiServer := graceful.NewServer(network, listenAddr, name)

 	err := fcgiServer.ListenAndServe(func(listener net.Listener) error {
-		return fcgi.Serve(listener, m)
+		return fcgi.Serve(listener, http.HandlerFunc(func(resp http.ResponseWriter, req *http.Request) {
+			if setting.AppSubURL != "" {
+				req.URL.Path = strings.TrimPrefix(req.URL.Path, setting.AppSubURL)
+			}
+			m.ServeHTTP(resp, req)
+		}))
 	})
 	if err != nil {
 		log.Fatal("Failed to start FCGI main server: %v", err)
--- a/cmd/web_letsencrypt.go
+++ b/cmd/web_letsencrypt.go
@@ -0,0 +1,83 @@
+// Copyright 2020 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package cmd
+
+import (
+	"net/http"
+	"strconv"
+	"strings"
+
+	"code.gitea.io/gitea/modules/log"
+	"code.gitea.io/gitea/modules/setting"
+
+	"github.com/caddyserver/certmagic"
+	context2 "github.com/gorilla/context"
+)
+
+func runLetsEncrypt(listenAddr, domain, directory, email string, m http.Handler) error {
+
+	// If HTTP Challenge enabled, needs to be serving on port 80. For TLSALPN needs 443.
+	// Due to docker port mapping this can't be checked programmatically
+	// TODO: these are placeholders until we add options for each in settings with appropriate warning
+	enableHTTPChallenge := true
+	enableTLSALPNChallenge := true
+	altHTTPPort := 0
+	altTLSALPNPort := 0
+
+	if p, err := strconv.Atoi(setting.PortToRedirect); err == nil {
+		altHTTPPort = p
+	}
+	if p, err := strconv.Atoi(setting.HTTPPort); err == nil {
+		altTLSALPNPort = p
+	}
+
+	magic := certmagic.NewDefault()
+	magic.Storage = &certmagic.FileStorage{Path: directory}
+	myACME := certmagic.NewACMEManager(magic, certmagic.ACMEManager{
+		Email:                   email,
+		Agreed:                  setting.LetsEncryptTOS,
+		DisableHTTPChallenge:    !enableHTTPChallenge,
+		DisableTLSALPNChallenge: !enableTLSALPNChallenge,
+		ListenHost:              setting.HTTPAddr,
+		AltTLSALPNPort:          altTLSALPNPort,
+		AltHTTPPort:             altHTTPPort,
+	})
+
+	magic.Issuers = []certmagic.Issuer{myACME}
+
+	// this obtains certificates or renews them if necessary
+	err := magic.ManageSync([]string{domain})
+	if err != nil {
+		return err
+	}
+
+	tlsConfig := magic.TLSConfig()
+	tlsConfig.NextProtos = append(tlsConfig.NextProtos, "h2")
+
+	if enableHTTPChallenge {
+		go func() {
+			log.Info("Running Let's Encrypt handler on %s", setting.HTTPAddr+":"+setting.PortToRedirect)
+			// all traffic coming into HTTP will be redirect to HTTPS automatically (LE HTTP-01 validation happens here)
+			var err = runHTTP("tcp", setting.HTTPAddr+":"+setting.PortToRedirect, "Let's Encrypt HTTP Challenge", myACME.HTTPChallengeHandler(http.HandlerFunc(runLetsEncryptFallbackHandler)))
+			if err != nil {
+				log.Fatal("Failed to start the Let's Encrypt handler on port %s: %v", setting.PortToRedirect, err)
+			}
+		}()
+	}
+
+	return runHTTPSWithTLSConfig("tcp", listenAddr, "Web", tlsConfig, context2.ClearHandler(m))
+}
+
+func runLetsEncryptFallbackHandler(w http.ResponseWriter, r *http.Request) {
+	if r.Method != "GET" && r.Method != "HEAD" {
+		http.Error(w, "Use HTTPS", http.StatusBadRequest)
+		return
+	}
+	// Remove the trailing slash at the end of setting.AppURL, the request
+	// URI always contains a leading slash, which would result in a double
+	// slash
+	target := strings.TrimSuffix(setting.AppURL, "/") + r.URL.RequestURI()
+	http.Redirect(w, r, target, http.StatusFound)
+}
--- a/contrib/environment-to-ini/README
+++ b/contrib/environment-to-ini/README
@@ -22,11 +22,13 @@ The environment variables should be of the form:

 	GITEA__SECTION_NAME__KEY_NAME

+Note, SECTION_NAME in the notation above is case-insensitive.
+
 Environment variables are usually restricted to a reduced character
 set "0-9A-Z_" - in order to allow the setting of sections with
 characters outside of that set, they should be escaped as following:
-"_0X2E_" for ".". The entire section and key names can be escaped as
-a UTF8 byte string if necessary. E.g. to configure:
+"_0X2E_" for "." and "_0X2D_" for "-". The entire section and key names 
+can be escaped as a UTF8 byte string if necessary. E.g. to configure:

 	"""
 	...
@@ -40,27 +42,6 @@ You would set the environment variables: "GITEA__LOG_0x2E_CONSOLE__COLORIZE=fals
 and "GITEA__LOG_0x2E_CONSOLE__STDERR=false". Other examples can be found
 on the configuration cheat sheet.

-To plug this command in to the docker, you simply compile the provided go file using:
-
-	go build environment-to-ini.go
-
-And copy the resulting `environment-to-ini` command to /app/gitea in the docker.
-
-Apply the below patch to /etc/s6/gitea.setup to wire this in.
-
-If you find this useful please comment on #7287
-
-
-diff --git a/docker/root/etc/s6/gitea/setup b/docker/root/etc/s6/gitea/setup
-index f87ce9115..565bfcba9 100755
--- a/docker/root/etc/s6/gitea/setup
-+++ b/docker/root/etc/s6/gitea/setup
-@@ -44,6 +44,8 @@ if [ ! -f ${GITEA_CUSTOM}/conf/app.ini ]; then
-     SECRET_KEY=${SECRET_KEY:-""} \
-     envsubst < /etc/templates/app.ini > ${GITEA_CUSTOM}/conf/app.ini
-
-+    /app/gitea/environment-to-ini -c ${GITEA_CUSTOM}/conf/app.ini
-+
-     chown ${USER}:git ${GITEA_CUSTOM}/conf/app.ini
- fi
+To build locally, run:

+	go build contrib/environment-to-ini/environment-to-ini.go
--- a/contrib/environment-to-ini/environment-to-ini.go
+++ b/contrib/environment-to-ini/environment-to-ini.go
@@ -12,8 +12,8 @@ import (

 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/setting"
+	"code.gitea.io/gitea/modules/util"

-	"github.com/unknwon/com"
 	"github.com/urfave/cli"
 	ini "gopkg.in/ini.v1"
 )
@@ -97,7 +97,11 @@ func runEnvironmentToIni(c *cli.Context) error {
 	setting.SetCustomPathAndConf(providedCustom, providedConf, providedWorkPath)

 	cfg := ini.Empty()
-	if com.IsFile(setting.CustomConf) {
+	isFile, err := util.IsFile(setting.CustomConf)
+	if err != nil {
+		log.Fatal("Unable to check if %s is a file. Error: %v", setting.CustomConf, err)
+	}
+	if isFile {
 		if err := cfg.Append(setting.CustomConf); err != nil {
 			log.Fatal("Failed to load custom conf '%s': %v", setting.CustomConf, err)
 		}
@@ -106,6 +110,8 @@ func runEnvironmentToIni(c *cli.Context) error {
 	}
 	cfg.NameMapper = ini.SnackCase

+	changed := false
+
 	prefix := c.String("prefix") + "__"

 	for _, kv := range os.Environ() {
@@ -139,15 +145,21 @@ func runEnvironmentToIni(c *cli.Context) error {
 				continue
 			}
 		}
+		oldValue := key.Value()
+		if !changed && oldValue != value {
+			changed = true
+		}
 		key.SetValue(value)
 	}
 	destination := c.String("out")
 	if len(destination) == 0 {
 		destination = setting.CustomConf
 	}
-	err := cfg.SaveTo(destination)
-	if err != nil {
-		return err
+	if destination != setting.CustomConf || changed {
+		err = cfg.SaveTo(destination)
+		if err != nil {
+			return err
+		}
 	}
 	if c.Bool("clear") {
 		for _, kv := range os.Environ() {
@@ -220,5 +232,6 @@ func DecodeSectionKey(encoded string) (string, string) {
 	} else {
 		key += remaining
 	}
+	section = strings.ToLower(section)
 	return section, key
 }
--- a/contrib/ide/vscode/launch.json
+++ b/contrib/ide/vscode/launch.json
@@ -19,7 +19,7 @@
      "type": "go",
      "request": "launch",
      "mode": "debug",
-      "buildFlags": "-tags=\"sqlite sqlite_unlock_notify\"",
+      "buildFlags": "-tags='sqlite sqlite_unlock_notify'",
      "port": 2345,
      "host": "127.0.0.1",
      "program": "${workspaceRoot}/main.go",
--- a/contrib/ide/vscode/settings.json
+++ b/contrib/ide/vscode/settings.json
@@ -0,0 +1,4 @@
+{
+    "go.buildTags": "'sqlite sqlite_unlock_notify'",
+    "go.testFlags": ["-v"]
+}
--- a/contrib/ide/vscode/tasks.json
+++ b/contrib/ide/vscode/tasks.json
@@ -12,15 +12,14 @@
        "focus": false,
        "panel": "shared"
      },
-      "args": ["build"],
      "linux": {
-        "args": [ "-o", "gitea", "${workspaceRoot}/main.go" ]
+        "args": ["build", "-o", "gitea", "${workspaceRoot}/main.go" ]
      },
      "osx": {
-        "args": [ "-o", "gitea", "${workspaceRoot}/main.go" ]
+        "args": ["build", "-o", "gitea", "${workspaceRoot}/main.go" ]
      },
      "windows": {
-        "args": [ "-o", "gitea.exe", "\"${workspaceRoot}\\main.go\""]
+        "args": ["build", "-o", "gitea.exe", "\"${workspaceRoot}\\main.go\""]
      },
      "problemMatcher": ["$go"]
    },
@@ -35,15 +34,14 @@
        "focus": false,
        "panel": "shared"
      },
-      "args": ["build", "-tags=\"sqlite sqlite_unlock_notify\""],
      "linux": {
-        "args": ["-o", "gitea", "${workspaceRoot}/main.go"]
+        "args": ["build", "-tags=\"sqlite sqlite_unlock_notify\"", "-o", "gitea", "${workspaceRoot}/main.go"]
      },
      "osx": {
-        "args": ["-o", "gitea", "${workspaceRoot}/main.go"]
+        "args": ["build", "-tags=\"sqlite sqlite_unlock_notify\"", "-o", "gitea", "${workspaceRoot}/main.go"]
      },
      "windows": {
-        "args": ["-o", "gitea.exe", "\"${workspaceRoot}\\main.go\""]
+        "args": ["build", "-tags=\"sqlite sqlite_unlock_notify\"", "-o", "gitea.exe", "\"${workspaceRoot}\\main.go\""]
      },
      "problemMatcher": ["$go"]
    }
--- a/contrib/init/debian/gitea
+++ b/contrib/init/debian/gitea
@@ -18,7 +18,7 @@ PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/local/bin
 DESC="Gitea - Git with a cup of tea"
 NAME=gitea
 SERVICEVERBOSE=yes
-PIDFILE=/var/run/$NAME.pid
+PIDFILE=/run/$NAME.pid
 SCRIPTNAME=/etc/init.d/$NAME
 WORKINGDIR=/var/lib/$NAME
 DAEMON=/usr/local/bin/$NAME
--- a/contrib/init/gentoo/gitea
+++ b/contrib/init/gentoo/gitea
@@ -7,7 +7,7 @@ start_stop_daemon_args="--user ${USER} --chdir ${DIR}"
 command="/usr/local/bin/gitea"
 command_args="web -c /etc/gitea/app.ini"
 command_background=yes
-pidfile=/var/run/gitea.pid
+pidfile=/run/gitea.pid

 depend()
 {
--- a/contrib/init/suse/gitea
+++ b/contrib/init/suse/gitea
@@ -93,7 +93,7 @@ case "$1" in

 		# Return value is slightly different for the status command:
 		# 0 - service up and running
-		# 1 - service dead, but /var/run/  pid  file exists
+		# 1 - service dead, but /run/  pid  file exists
 		# 2 - service dead, but /var/lock/ lock file exists
 		# 3 - service not running (unused)
 		# 4 - service status unknown :-(
--- a/contrib/k8s/gitea.yml
+++ b/contrib/k8s/gitea.yml
@@ -1,107 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: gitea
---
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: gitea
-  namespace: gitea
-  labels:
-    app: gitea
-spec:
-  replicas: 1
-  template:
-    metadata:
-      name: gitea
-      labels:
-        app: gitea
-    spec:
-      containers:
-      - name: gitea
-        image: gitea/gitea:latest
-        imagePullPolicy: Always
-        volumeMounts:
-          - mountPath: "/var/lib/gitea"
-            name: "root"
-          - mountPath: "/data"
-            name: "data"
-        ports:
-          - containerPort: 22
-            name: ssh
-            protocol: TCP
-          - containerPort: 3000
-            name: http
-            protocol: TCP
-      restartPolicy: Always
-      volumes:
-        # Set up a data directory for gitea
-        # For production usage, you should consider using PV/PVC instead(or simply using storage like NAS)
-        # For more details, please see https://kubernetes.io/docs/concepts/storage/volumes/
-      - name: "root"
-        hostPath:
-          # directory location on host
-          path: "/var/lib/gitea"
-          # this field is optional
-          type: Directory
-      - name: "data"
-        hostPath:
-          path: "/data/gitea"
-          type: Directory
-  selector:
-    matchLabels:
-      app: gitea
---
-# Using cluster mode
-apiVersion: v1
-kind: Service
-metadata:
-  name: gitea-web
-  namespace: gitea
-  labels:
-    app: gitea-web
-spec:
-  ports:
-  - port: 80
-    targetPort: 3000
-    name: http
-  selector:
-    app: gitea
---
-# Using node-port mode
-# This mainly open a specific TCP port for SSH usage on each host,
-# so you can use a proxy layer to handle it(e.g. slb, nginx)
-apiVersion: v1
-kind: Service
-metadata:
-  name: gitea-ssh
-  namespace: gitea
-  labels:
-    app: gitea-ssh
-spec:
-  ports:
-  - port: 22
-    targetPort: 22
-    nodePort: 30022
-    name: ssh
-  selector:
-    app: gitea
-  type: NodePort
---
-# Ingress is always suitable for HTTP usage,
-# we suggest using an proxy layer such as slb to send traffic to different ports.
-# Usually 80/443 for web and 22 directly for SSH.
-apiVersion: extensions/v1beta1
-kind: Ingress
-metadata:
-  name: gitea
-  namespace: gitea
-spec:
-  rules:
-  - host: your-gitea-host.com
-    http:
-      paths:
-      - backend:
-          serviceName: gitea-web
-          servicePort: 80
--- a/contrib/legal/privacy.html.sample
+++ b/contrib/legal/privacy.html.sample
@@ -7,7 +7,7 @@
 <body>
  <h1>Privacy Policy</h1>

-  <h4>Last updated: December 28, 2019</h4>
+  <h4>Last updated: January 29, 2020</h4>

  <h2>Who We Are?</h2>

@@ -191,6 +191,6 @@

  <h2>COPYING</h2>

-  <p>This document is licensed under <a href="https://creativecommons.org/publicdomain/zero/1.0/">CC0 Public Domain license</a>.</p>
+  <p>This document is licensed under CC0 Public Domain License. See <a href="https://creativecommons.org/publicdomain/zero/1.0/legalcode">full legal code here</a>.</p>
 </body>
 </html>
--- a/contrib/legal/tos.html.sample
+++ b/contrib/legal/tos.html.sample
@@ -7,7 +7,7 @@
 <body>
  <h1>Terms of Service</h1>

-  <h4>Last updated: December 31, 2019</h4>
+  <h4>Last updated: January 29, 2020</h4>

  <p>Thank you for choosing Your Gitea Instance! Before you use it, please read this Terms of Service agreement carefully, which contains important contract between us and our users.</p>

@@ -130,7 +130,7 @@

  <p>If you'd like to use our trademarks, you must follow all of our trademark guidelines.</p>

-  <p>This Agreement is licensed under <a href="https://creativecommons.org/publicdomain/zero/1.0/">CCO Public Domain License</a>.</p>
+  <p>This Agreement is licensed under <a href="https://creativecommons.org/publicdomain/zero/1.0/legalcode">CCO Public Domain License</a>.</p>

  <h2>API Terms</h2>

--- a/contrib/pr/checkout.go
+++ b/contrib/pr/checkout.go
@@ -26,18 +26,17 @@ import (
 	"time"

 	"code.gitea.io/gitea/models"
+	gitea_git "code.gitea.io/gitea/modules/git"
 	"code.gitea.io/gitea/modules/markup"
 	"code.gitea.io/gitea/modules/markup/external"
 	"code.gitea.io/gitea/modules/setting"
+	"code.gitea.io/gitea/modules/util"
 	"code.gitea.io/gitea/routers"
-	"code.gitea.io/gitea/routers/routes"

 	"github.com/go-git/go-git/v5"
 	"github.com/go-git/go-git/v5/config"
 	"github.com/go-git/go-git/v5/plumbing"
 	context2 "github.com/gorilla/context"
-	"github.com/unknwon/com"
-	"gopkg.in/testfixtures.v2"
 	"xorm.io/xorm"
 )

@@ -81,7 +80,7 @@ func runPR() {
 	setting.RunUser = curUser.Username

 	log.Printf("[PR] Loading fixtures data ...\n")
-	setting.CheckLFSVersion()
+	gitea_git.CheckLFSVersion()
 	//models.LoadConfigs()
 	/*
 		setting.Database.Type = "sqlite3"
@@ -96,14 +95,12 @@ func runPR() {
 	setting.Database.LogSQL = true
 	//x, err = xorm.NewEngine("sqlite3", "file::memory:?cache=shared")

-	var helper testfixtures.Helper = &testfixtures.SQLite{}
 	models.NewEngine(context.Background(), func(_ *xorm.Engine) error {
 		return nil
 	})
 	models.HasEngine = true
 	//x.ShowSQL(true)
 	err = models.InitFixtures(
-		helper,
 		path.Join(curDir, "models/fixtures/"),
 	)
 	if err != nil {
@@ -111,16 +108,15 @@ func runPR() {
 		os.Exit(1)
 	}
 	models.LoadFixtures()
-	os.RemoveAll(setting.RepoRootPath)
-	os.RemoveAll(models.LocalCopyPath())
-	com.CopyDir(path.Join(curDir, "integrations/gitea-repositories-meta"), setting.RepoRootPath)
+	util.RemoveAll(setting.RepoRootPath)
+	util.RemoveAll(models.LocalCopyPath())
+	util.CopyDir(path.Join(curDir, "integrations/gitea-repositories-meta"), setting.RepoRootPath)

 	log.Printf("[PR] Setting up router\n")
 	//routers.GlobalInit()
-	external.RegisterParsers()
+	external.RegisterRenderers()
 	markup.Init()
-	m := routes.NewMacaron()
-	routes.RegisterRoutes(m)
+	c := routers.NormalRoutes()

 	log.Printf("[PR] Ready for testing !\n")
 	log.Printf("[PR] Login with user1, user2, user3, ... with pass: password\n")
@@ -140,24 +136,24 @@ func runPR() {
 	*/

 	//Start the server
-	http.ListenAndServe(":8080", context2.ClearHandler(m))
+	http.ListenAndServe(":8080", context2.ClearHandler(c))

 	log.Printf("[PR] Cleaning up ...\n")
 	/*
-		if err = os.RemoveAll(setting.Indexer.IssuePath); err != nil {
-			fmt.Printf("os.RemoveAll: %v\n", err)
+		if err = util.RemoveAll(setting.Indexer.IssuePath); err != nil {
+			fmt.Printf("util.RemoveAll: %v\n", err)
 			os.Exit(1)
 		}
-		if err = os.RemoveAll(setting.Indexer.RepoPath); err != nil {
+		if err = util.RemoveAll(setting.Indexer.RepoPath); err != nil {
 			fmt.Printf("Unable to remove repo indexer: %v\n", err)
 			os.Exit(1)
 		}
 	*/
-	if err = os.RemoveAll(setting.RepoRootPath); err != nil {
-		log.Fatalf("os.RemoveAll: %v\n", err)
+	if err = util.RemoveAll(setting.RepoRootPath); err != nil {
+		log.Fatalf("util.RemoveAll: %v\n", err)
 	}
-	if err = os.RemoveAll(setting.AppDataPath); err != nil {
-		log.Fatalf("os.RemoveAll: %v\n", err)
+	if err = util.RemoveAll(setting.AppDataPath); err != nil {
+		log.Fatalf("util.RemoveAll: %v\n", err)
 	}
 }

@@ -201,7 +197,9 @@ func main() {
 	}
 	remoteUpstream := "origin" //Default
 	for _, r := range remotes {
-		if r.Config().URLs[0] == "https://github.com/go-gitea/gitea" || r.Config().URLs[0] == "git@github.com:go-gitea/gitea.git" { //fetch at index 0
+		if r.Config().URLs[0] == "https://github.com/go-gitea/gitea.git" ||
+			r.Config().URLs[0] == "https://github.com/go-gitea/gitea" ||
+			r.Config().URLs[0] == "git@github.com:go-gitea/gitea.git" { //fetch at index 0
 			remoteUpstream = r.Config().Name
 			break
 		}
--- a/contrib/systemd/gitea.service
+++ b/contrib/systemd/gitea.service
@@ -3,14 +3,23 @@ Description=Gitea (Git with a cup of tea)
 After=syslog.target
 After=network.target
 ###
-# Don't forget to add the database service requirements
+# Don't forget to add the database service dependencies
 ###
 #
-#Requires=mysql.service
-#Requires=mariadb.service
-#Requires=postgresql.service
-#Requires=memcached.service
-#Requires=redis.service
+#Wants=mysql.service
+#After=mysql.service
+#
+#Wants=mariadb.service
+#After=mariadb.service
+#
+#Wants=postgresql.service
+#After=postgresql.service
+#
+#Wants=memcached.service
+#After=memcached.service
+#
+#Wants=redis.service
+#After=redis.service
 #
 ###
 # If using socket activation for main http/s
@@ -57,6 +66,12 @@ WorkingDirectory=/var/lib/gitea/
 ExecStart=/usr/local/bin/gitea web --config /etc/gitea/app.ini
 Restart=always
 Environment=USER=git HOME=/home/git GITEA_WORK_DIR=/var/lib/gitea
+# If you install Git to directory prefix other than default PATH (which happens
+# for example if you install other versions of Git side-to-side with
+# distribution version), uncomment below line and add that prefix to PATH
+# Don't forget to place git-lfs binary on the PATH below if you want to enable
+# Git LFS support
+#Environment=PATH=/path/to/git/bin:/bin:/sbin:/usr/bin:/usr/sbin
 # If you want to bind Gitea to a port below 1024, uncomment
 # the two values below, or use socket activation to pass Gitea its ports as above
 ###
--- a/contrib/update_dependencies.sh
+++ b/contrib/update_dependencies.sh
@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+
+grep 'git' go.mod | grep '\.com' | grep -v indirect | grep -v replace | cut -f 2 | cut -d ' ' -f 1 | while read line; do
+  go get -u "$line"
+  make vendor
+  git add .
+  git commit -S -m "update $line"
+done
--- a/custom/conf/app.example.ini
+++ b/custom/conf/app.example.ini
--- a/custom/conf/app.ini.sample
+++ b/custom/conf/app.ini.sample
--- a/docker/Makefile
+++ b/docker/Makefile
@@ -1,14 +0,0 @@
-#Makefile related to docker
-
-DOCKER_IMAGE ?= gitea/gitea
-DOCKER_TAG ?= latest
-DOCKER_REF := $(DOCKER_IMAGE):$(DOCKER_TAG)
-
-.PHONY: docker
-docker:
-	docker build --disable-content-trust=false -t $(DOCKER_REF) .
-# support also build args docker build --build-arg GITEA_VERSION=v1.2.3 --build-arg TAGS="bindata sqlite sqlite_unlock_notify"  .
-
-.PHONY: docker-build
-docker-build:
-	docker run -ti --rm -v $(CURDIR):/srv/app/src/code.gitea.io/gitea -w /srv/app/src/code.gitea.io/gitea -e TAGS="bindata $(TAGS)" LDFLAGS="$(LDFLAGS)" webhippie/golang:edge make clean build
--- a/docker/README.md
+++ b/docker/README.md
@@ -0,0 +1,7 @@
+# Gitea - Docker
+
+Dockerfile is found in root of repository.
+
+Docker image can be found on [docker hub](https://hub.docker.com/r/gitea/gitea)
+
+Documentation on using docker image can be found on [Gitea Docs site](https://docs.gitea.io/en-us/install-with-docker/)
--- a/docker/manifest.rootless.tmpl
+++ b/docker/manifest.rootless.tmpl
@@ -0,0 +1,20 @@
+image: gitea/gitea:{{#if build.tag}}{{trimPrefix "v" build.tag}}{{else}}dev{{/if}}-rootless
+{{#if build.tags}}
+tags:
+{{#each build.tags}}
+  - {{this}}-rootless
+{{/each}}
+  - "latest-rootless"
+{{/if}}
+manifests:
+  -
+    image: gitea/gitea:{{#if build.tag}}{{trimPrefix "v" build.tag}}{{else}}dev{{/if}}-linux-amd64-rootless
+    platform:
+      architecture: amd64
+      os: linux
+  -
+    image: gitea/gitea:{{#if build.tag}}{{trimPrefix "v" build.tag}}{{else}}dev{{/if}}-linux-arm64-rootless
+    platform:
+      architecture: arm64
+      os: linux
+      variant: v8
--- a/docker/manifest.tmpl
+++ b/docker/manifest.tmpl
@@ -1,19 +1,20 @@
-image: gitea/gitea:{{#if build.tag}}{{trimPrefix "v" build.tag}}{{else}}latest{{/if}}
+image: gitea/gitea:{{#if build.tag}}{{trimPrefix "v" build.tag}}{{else}}dev{{/if}}
 {{#if build.tags}}
 tags:
 {{#each build.tags}}
  - {{this}}
 {{/each}}
+  - "latest"
 {{/if}}
 manifests:
  -
-    image: gitea/gitea:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-amd64
+    image: gitea/gitea:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{else}}dev-{{/if}}linux-amd64
    platform:
      architecture: amd64
      os: linux
  -
-    image: gitea/gitea:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-arm64
+    image: gitea/gitea:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{else}}dev-{{/if}}linux-arm64
    platform:
      architecture: arm64
      os: linux
-      variant: v8
+      variant: v8
--- a/docker/root/etc/s6/gitea/run
+++ b/docker/root/etc/s6/gitea/run
@@ -1,6 +1,6 @@
 #!/bin/bash
 [[ -f ./setup ]] && source ./setup

-pushd /app/gitea > /dev/null
-    exec su-exec $USER /app/gitea/gitea web
+pushd /app/gitea >/dev/null
+exec su-exec $USER /app/gitea/gitea web
 popd
--- a/docker/root/etc/s6/gitea/setup
+++ b/docker/root/etc/s6/gitea/setup
@@ -23,9 +23,9 @@ if [ ! -f ${GITEA_CUSTOM}/conf/app.ini ]; then
        INSTALL_LOCK=true
    fi

-    # Substitude the environment variables in the template
+    # Substitute the environment variables in the template
    APP_NAME=${APP_NAME:-"Gitea: Git with a cup of tea"} \
-    RUN_MODE=${RUN_MODE:-"dev"} \
+    RUN_MODE=${RUN_MODE:-"prod"} \
    DOMAIN=${DOMAIN:-"localhost"} \
    SSH_DOMAIN=${SSH_DOMAIN:-"localhost"} \
    HTTP_PORT=${HTTP_PORT:-"3000"} \
@@ -48,6 +48,9 @@ if [ ! -f ${GITEA_CUSTOM}/conf/app.ini ]; then
    chown ${USER}:git ${GITEA_CUSTOM}/conf/app.ini
 fi

+# Replace app.ini settings with env variables in the form GITEA__SECTION_NAME__KEY_NAME
+environment-to-ini --config ${GITEA_CUSTOM}/conf/app.ini
+
 # only chown if current owner is not already the gitea ${USER}. No recursive check to save time
 if ! [[ $(ls -ld /data/gitea | awk '{print $3}') = ${USER} ]]; then chown -R ${USER}:git /data/gitea; fi
 if ! [[ $(ls -ld /app/gitea  | awk '{print $3}') = ${USER} ]]; then chown -R ${USER}:git /app/gitea;  fi
--- a/docker/root/etc/s6/openssh/run
+++ b/docker/root/etc/s6/openssh/run
@@ -1,6 +1,6 @@
 #!/bin/bash
 [[ -f ./setup ]] && source ./setup

-pushd /root > /dev/null
-    exec su-exec root /usr/sbin/sshd -D -e 2>&1
+pushd /root >/dev/null
+exec su-exec root /usr/sbin/sshd -D -e 2>&1
 popd
--- a/docker/root/etc/s6/openssh/setup
+++ b/docker/root/etc/s6/openssh/setup
@@ -24,9 +24,31 @@ if [ ! -f /data/ssh/ssh_host_ecdsa_key ]; then
    ssh-keygen -t ecdsa -b 256 -f /data/ssh/ssh_host_ecdsa_key -N "" > /dev/null
 fi

+if [ -e /data/ssh/ssh_host_ed25519_cert ]; then
+  SSH_ED25519_CERT=${SSH_ED25519_CERT:-"/data/ssh/ssh_host_ed25519_cert"}
+fi
+
+if [ -e /data/ssh/ssh_host_rsa_cert ]; then
+  SSH_RSA_CERT=${SSH_RSA_CERT:-"/data/ssh/ssh_host_rsa_cert"}
+fi
+
+if [ -e /data/ssh/ssh_host_ecdsa_cert ]; then
+  SSH_ECDSA_CERT=${SSH_ECDSA_CERT:-"/data/ssh/ssh_host_ecdsa_cert"}
+fi
+
+if [ -e /data/ssh/ssh_host_dsa_cert ]; then
+  SSH_DSA_CERT=${SSH_DSA_CERT:-"/data/ssh/ssh_host_dsa_cert"}
+fi
+
 if [ -d /etc/ssh ]; then
    SSH_PORT=${SSH_PORT:-"22"} \
    SSH_LISTEN_PORT=${SSH_LISTEN_PORT:-"${SSH_PORT}"} \
+    SSH_ED25519_CERT="${SSH_ED25519_CERT:+"HostCertificate "}${SSH_ED25519_CERT}" \
+    SSH_RSA_CERT="${SSH_RSA_CERT:+"HostCertificate "}${SSH_RSA_CERT}" \
+    SSH_ECDSA_CERT="${SSH_ECDSA_CERT:+"HostCertificate "}${SSH_ECDSA_CERT}" \
+    SSH_DSA_CERT="${SSH_DSA_CERT:+"HostCertificate "}${SSH_DSA_CERT}" \
+    SSH_MAX_STARTUPS="${SSH_MAX_STARTUPS:+"MaxStartups "}${SSH_MAX_STARTUPS}" \
+    SSH_MAX_SESSIONS="${SSH_MAX_SESSIONS:+"MaxSessions "}${SSH_MAX_SESSIONS}" \
    envsubst < /etc/templates/sshd_config > /etc/ssh/sshd_config

    chmod 0644 /etc/ssh/sshd_config
--- a/docker/root/etc/templates/app.ini
+++ b/docker/root/etc/templates/app.ini
@@ -29,6 +29,7 @@ HOST    = $DB_HOST
 NAME    = $DB_NAME
 USER    = $DB_USER
 PASSWD  = $DB_PASSWD
+LOG_SQL = false

 [indexer]
 ISSUE_INDEXER_PATH = /data/gitea/indexers/issues.bleve
@@ -44,11 +45,16 @@ REPOSITORY_AVATAR_UPLOAD_PATH = /data/gitea/repo-avatars
 PATH = /data/gitea/attachments

 [log]
+MODE = console
+LEVEL = info
+ROUTER = console
 ROOT_PATH = /data/gitea/log

 [security]
 INSTALL_LOCK = $INSTALL_LOCK
 SECRET_KEY   = $SECRET_KEY
+REVERSE_PROXY_LIMIT = 1
+REVERSE_PROXY_TRUSTED_PROXIES = *

 [service]
 DISABLE_REGISTRATION = $DISABLE_REGISTRATION
--- a/docker/root/etc/templates/sshd_config
+++ b/docker/root/etc/templates/sshd_config
@@ -5,14 +5,24 @@ AddressFamily any
 ListenAddress 0.0.0.0
 ListenAddress ::

+${SSH_MAX_STARTUPS}
+${SSH_MAX_SESSIONS}
+
 LogLevel INFO

 HostKey /data/ssh/ssh_host_ed25519_key
+${SSH_ED25519_CERT}
 HostKey /data/ssh/ssh_host_rsa_key
-HostKey /data/ssh/ssh_host_dsa_key
+${SSH_RSA_CERT}
 HostKey /data/ssh/ssh_host_ecdsa_key
+${SSH_ECDSA_CERT}
+HostKey /data/ssh/ssh_host_dsa_key
+${SSH_DSA_CERT}

 AuthorizedKeysFile .ssh/authorized_keys
+AuthorizedPrincipalsFile .ssh/authorized_principals
+TrustedUserCAKeys /data/git/.ssh/gitea-trusted-user-ca-keys.pem
+CASignatureAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa

 UseDNS no
 AllowAgentForwarding no
--- a/docker/rootless/etc/templates/app.ini
+++ b/docker/rootless/etc/templates/app.ini
@@ -0,0 +1,57 @@
+APP_NAME = $APP_NAME
+RUN_USER = $RUN_USER
+RUN_MODE = $RUN_MODE
+
+[repository]
+ROOT = $GITEA_WORK_DIR/git/repositories
+
+[repository.local]
+LOCAL_COPY_PATH = $GITEA_TEMP/local-repo
+
+[repository.upload]
+TEMP_PATH = $GITEA_TEMP/uploads
+
+[server]
+APP_DATA_PATH = $GITEA_WORK_DIR
+SSH_DOMAIN       = $SSH_DOMAIN
+HTTP_PORT        = $HTTP_PORT
+ROOT_URL         = $ROOT_URL
+DISABLE_SSH      = $DISABLE_SSH
+; In rootless gitea container only internal ssh server is supported
+START_SSH_SERVER = true
+SSH_PORT         = $SSH_PORT
+SSH_LISTEN_PORT  = $SSH_LISTEN_PORT
+BUILTIN_SSH_SERVER_USER = $RUN_USER
+LFS_START_SERVER = $LFS_START_SERVER
+LFS_CONTENT_PATH = $GITEA_WORK_DIR/git/lfs
+
+[database]
+PATH = $GITEA_WORK_DIR/data/gitea.db
+DB_TYPE = $DB_TYPE
+HOST    = $DB_HOST
+NAME    = $DB_NAME
+USER    = $DB_USER
+PASSWD  = $DB_PASSWD
+
+[session]
+PROVIDER_CONFIG = $GITEA_WORK_DIR/data/sessions
+
+[picture]
+AVATAR_UPLOAD_PATH = $GITEA_WORK_DIR/data/avatars
+REPOSITORY_AVATAR_UPLOAD_PATH = $GITEA_WORK_DIR/data/gitea/repo-avatars
+
+[attachment]
+PATH = $GITEA_WORK_DIR/data/attachments
+
+[log]
+ROOT_PATH = $GITEA_WORK_DIR/data/log
+
+[security]
+INSTALL_LOCK = $INSTALL_LOCK
+SECRET_KEY   = $SECRET_KEY
+REVERSE_PROXY_LIMIT = 1
+REVERSE_PROXY_TRUSTED_PROXIES = *
+
+[service]
+DISABLE_REGISTRATION = $DISABLE_REGISTRATION
+REQUIRE_SIGNIN_VIEW  = $REQUIRE_SIGNIN_VIEW
--- a/docker/rootless/usr/local/bin/docker-entrypoint.sh
+++ b/docker/rootless/usr/local/bin/docker-entrypoint.sh
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+if [ -x /usr/local/bin/docker-setup.sh ]; then
+    /usr/local/bin/docker-setup.sh || { echo 'docker setup failed' ; exit 1; }
+fi
+
+if [ $# -gt 0 ]; then
+    exec "$@"
+else
+    exec /usr/local/bin/gitea -c ${GITEA_APP_INI} web
+fi
--- a/docker/rootless/usr/local/bin/docker-setup.sh
+++ b/docker/rootless/usr/local/bin/docker-setup.sh
@@ -0,0 +1,51 @@
+#!/bin/bash
+
+# Prepare git folder
+mkdir -p ${HOME} && chmod 0700 ${HOME}
+if [ ! -w ${HOME} ]; then echo "${HOME} is not writable"; exit 1; fi
+
+# Prepare custom folder
+mkdir -p ${GITEA_CUSTOM} && chmod 0500 ${GITEA_CUSTOM}
+
+# Prepare temp folder
+mkdir -p ${GITEA_TEMP} && chmod 0700 ${GITEA_TEMP}
+if [ ! -w ${GITEA_TEMP} ]; then echo "${GITEA_TEMP} is not writable"; exit 1; fi
+
+#Prepare config file
+if [ ! -f ${GITEA_APP_INI} ]; then
+
+    #Prepare config file folder
+    GITEA_APP_INI_DIR=$(dirname ${GITEA_APP_INI})
+    mkdir -p ${GITEA_APP_INI_DIR} && chmod 0700 ${GITEA_APP_INI_DIR}
+    if [ ! -w ${GITEA_APP_INI_DIR} ]; then echo "${GITEA_APP_INI_DIR} is not writable"; exit 1; fi
+
+    # Set INSTALL_LOCK to true only if SECRET_KEY is not empty and
+    # INSTALL_LOCK is empty
+    if [ -n "$SECRET_KEY" ] && [ -z "$INSTALL_LOCK" ]; then
+        INSTALL_LOCK=true
+    fi
+
+    # Substitute the environment variables in the template
+    APP_NAME=${APP_NAME:-"Gitea: Git with a cup of tea"} \
+    RUN_MODE=${RUN_MODE:-"prod"} \
+    RUN_USER=${USER:-"git"} \
+    SSH_DOMAIN=${SSH_DOMAIN:-"localhost"} \
+    HTTP_PORT=${HTTP_PORT:-"3000"} \
+    ROOT_URL=${ROOT_URL:-""} \
+    DISABLE_SSH=${DISABLE_SSH:-"false"} \
+    SSH_PORT=${SSH_PORT:-"2222"} \
+    SSH_LISTEN_PORT=${SSH_LISTEN_PORT:-$SSH_PORT} \
+    DB_TYPE=${DB_TYPE:-"sqlite3"} \
+    DB_HOST=${DB_HOST:-"localhost:3306"} \
+    DB_NAME=${DB_NAME:-"gitea"} \
+    DB_USER=${DB_USER:-"root"} \
+    DB_PASSWD=${DB_PASSWD:-""} \
+    INSTALL_LOCK=${INSTALL_LOCK:-"false"} \
+    DISABLE_REGISTRATION=${DISABLE_REGISTRATION:-"false"} \
+    REQUIRE_SIGNIN_VIEW=${REQUIRE_SIGNIN_VIEW:-"false"} \
+    SECRET_KEY=${SECRET_KEY:-""} \
+    envsubst < /etc/templates/app.ini > ${GITEA_APP_INI}
+fi
+
+# Replace app.ini settings with env variables in the form GITEA__SECTION_NAME__KEY_NAME
+environment-to-ini --config ${GITEA_APP_INI}
--- a/docs/.editorconfig
+++ b/docs/.editorconfig
@@ -1,34 +0,0 @@
-# http://editorconfig.org
-
-root = true
-
-[*]
-charset = utf-8
-insert_final_newline = true
-trim_trailing_whitespace = true
-
-[*.go]
-indent_style = tab
-indent_size = 8
-
-[*.{tmpl,html}]
-indent_style = tab
-indent_size = 4
-
-[*.{less}]
-indent_style = space
-indent_size = 4
-
-[*.{yml}]
-indent_style = space
-indent_size = 2
-
-[*.js]
-indent_style = space
-indent_size = 4
-
-[Makefile]
-indent_style = tab
-
-[*.md]
-trim_trailing_whitespace = false
--- a/docs/Makefile
+++ b/docs/Makefile
@@ -21,10 +21,14 @@ server: $(THEME)
 build: $(THEME)
 	hugo --cleanDestinationDir

+.PHONY: build-offline
+build-offline: $(THEME)
+	hugo --baseURL="/" --cleanDestinationDir
+
 .PHONY: update
 update: $(THEME)

 $(THEME): $(THEME)/theme.toml
 $(THEME)/theme.toml:
 	mkdir -p $$(dirname $@)
-	curl -s $(ARCHIVE) | tar xz -C $$(dirname $@)
+	curl -L -s $(ARCHIVE) | tar xz -C $$(dirname $@)
--- a/docs/config.yaml
+++ b/docs/config.yaml
@@ -18,10 +18,10 @@ params:
  description: Git with a cup of tea
  author: The Gitea Authors
  website: https://docs.gitea.io
-  version: 1.11.5
-  minGoVersion: 1.12
-  goVersion: 1.14
-  minNodeVersion: 10.13
+  version: 1.14.6
+  minGoVersion: 1.16
+  goVersion: 1.16
+  minNodeVersion: 12.17

 outputs:
  home:
@@ -48,10 +48,10 @@ menu:
      url: https://blog.gitea.io/
      weight: 30
      pre: rss
-    - name: Code
-      url: https://code.gitea.io/
+    - name: Shop
+      url: https://shop.gitea.io/
      weight: 40
-      pre: code
+      pre: shopping-cart
    - name: Translation
      url: https://crowdin.com/project/gitea
      weight: 41
@@ -147,15 +147,15 @@ languages:
          url: https://blog.gitea.io/
          weight: 30
          pre: rss
-        - name: 程式碼
-          url: https://code.gitea.io/
+        - name: 商店
+          url: https://shop.gitea.io/
          weight: 40
-          pre: code
-        - name: 翻译
+          pre: shopping-cart
+        - name: 翻譯
          url: https://crowdin.com/project/gitea
          weight: 41
          pre: language
-        - name: 下载
+        - name: 下載
          url: https://dl.gitea.io/
          weight: 50
          pre: download
@@ -163,11 +163,11 @@ languages:
          url: https://github.com/go-gitea/
          weight: 60
          pre: github
-        - name: Discord Chat
+        - name: Discord 聊天室
          url: https://discord.gg/Gitea
          weight: 70
          pre: comment
-        - name: Forum
+        - name: 討論區
          url: https://discourse.gitea.io/
          weight: 80
          pre: group
@@ -312,3 +312,50 @@ languages:
          url: https://discourse.gitea.io/
          weight: 80
          pre: group
+
+  de-de:
+    weight: 6
+    languageName: Deutsch
+    menu:
+      page:
+        - name: Webseite
+          url: https://gitea.io/en-us/
+          weight: 10
+          pre: home
+          post: active
+        - name: Dokumentation
+          url: /de-de/
+          weight: 20
+          pre: question
+        - name: API
+          url: https://try.gitea.io/api/swagger
+          weight: 45
+          pre: plug
+        - name: Blog
+          url: https://blog.gitea.io/
+          weight: 30
+          pre: rss
+        - name: Code
+          url: https://code.gitea.io/
+          weight: 40
+          pre: code
+        - name: Übersetzung
+          url: https://crowdin.com/project/gitea
+          weight: 41
+          pre: language
+        - name: Downloads
+          url: https://dl.gitea.io/
+          weight: 50
+          pre: download
+        - name: GitHub
+          url: https://github.com/go-gitea/
+          weight: 60
+          pre: github
+        - name: Discord Chat
+          url: https://discord.gg/Gitea
+          weight: 70
+          pre: comment
+        - name: Forum
+          url: https://discourse.gitea.io/
+          weight: 80
+          pre: group
--- a/docs/content/doc/advanced.zh-tw.md
+++ b/docs/content/doc/advanced.zh-tw.md
@@ -0,0 +1,13 @@
+---
+date: "2016-12-01T16:00:00+02:00"
+title: "進階"
+slug: "advanced"
+weight: 30
+toc: false
+draft: false
+menu:
+  sidebar:
+    name: "進階"
+    weight: 40
+    identifier: "advanced"
+---
--- a/docs/content/doc/advanced/adding-legal-pages.en-us.md
+++ b/docs/content/doc/advanced/adding-legal-pages.en-us.md
@@ -32,7 +32,7 @@ You absolutely must not place a general ToS or privacy statement that implies th
 Create or append to `/path/to/custom/templates/custom/extra_links_footer.tmpl`:

 ```go
-<a class="item" href="{{AppSubUrl}}/privacy.html">Privacy Policy</a>
+<a class="item" href="{{AppSubUrl}}/assets/privacy.html">Privacy Policy</a>
 ```

 Restart Gitea to see the changes.
--- a/docs/content/doc/advanced/api-usage.en-us.md
+++ b/docs/content/doc/advanced/api-usage.en-us.md
@@ -1,101 +0,0 @@
---
-date: "2018-06-24:00:00+02:00"
-title: "API Usage"
-slug: "api-usage"
-weight: 40
-toc: true
-draft: false
-menu:
-  sidebar:
-    parent: "advanced"
-    name: "API Usage"
-    weight: 40
-    identifier: "api-usage"
---
-
-# Gitea API Usage
-
-## Enabling/configuring API access
-
-By default, `ENABLE_SWAGGER` is true, and
-`MAX_RESPONSE_ITEMS` is set to 50.  See [Config Cheat
-Sheet](https://docs.gitea.io/en-us/config-cheat-sheet/) for more
-information.
-
-## Authentication via the API
-
-Gitea supports these methods of API authentication:
-
- HTTP basic authentication
- `token=...` parameter in URL query string
- `access_token=...` parameter in URL query string
- `Authorization: token ...` header in HTTP headers
-
-All of these methods accept the same API key token type.  You can
-better understand this by looking at the code -- as of this writing,
-Gitea parses queries and headers to find the token in
-[modules/auth/auth.go](https://github.com/go-gitea/gitea/blob/6efdcaed86565c91a3dc77631372a9cc45a58e89/modules/auth/auth.go#L47).
-
-You can create an API key token via your Gitea installation's web interface:
-`Settings | Applications | Generate New Token`.
-
-### OAuth2
-
-Access tokens obtained from Gitea's [OAuth2 provider](https://docs.gitea.io/en-us/oauth2-provider) are accepted by these methods:
-
- `Authorization bearer ...` header in HTTP headers
- `token=...` parameter in URL query string
- `access_token=...` parameter in URL query string
-
-### More on the `Authorization:` header
-
-For historical reasons, Gitea needs the word `token` included before
-the API key token in an authorization header, like this:
-
-```
-Authorization: token 65eaa9c8ef52460d22a93307fe0aee76289dc675
-```
-
-In a `curl` command, for instance, this would look like:
-
-```
-curl -X POST "http://localhost:4000/api/v1/repos/test1/test1/issues" \
-    -H "accept: application/json" \
-    -H "Authorization: token 65eaa9c8ef52460d22a93307fe0aee76289dc675" \
-    -H "Content-Type: application/json" -d "{ \"body\": \"testing\", \"title\": \"test 20\"}" -i
-```
-
-As mentioned above, the token used is the same one you would use in
-the `token=` string in a GET request.
-
-## API Guide:
-
-API Reference guide is auto-generated by swagger and available on: 
-    `https://gitea.your.host/api/swagger`
-    or on 
-    [gitea demo instance](https://try.gitea.io/api/swagger)
-
-
-## Listing your issued tokens via the API
-
-As mentioned in
-[#3842](https://github.com/go-gitea/gitea/issues/3842#issuecomment-397743346),
-`/users/:name/tokens` is special and requires you to authenticate
-using BasicAuth, as follows:
-
-### Using basic authentication:
-
-```
-$ curl --request GET --url https://yourusername:yourpassword@gitea.your.host/api/v1/users/yourusername/tokens
-[{"name":"test","sha1":"..."},{"name":"dev","sha1":"..."}]
-```
-
-As of v1.8.0 of Gitea, if using basic authentication with the API and your user has two factor authentication enabled, you'll need to send an additional header that contains the one time password (6 digit rotating token). An example of the header is `X-Gitea-OTP: 123456` where `123456` is where you'd place the code from your authenticator. Here is how the request would look like in curl:
-
-```
-$ curl -H "X-Gitea-OTP: 123456" --request GET --url https://yourusername:yourpassword@gitea.your.host/api/v1/users/yourusername/tokens
-```
-
-## Sudo
-
-The API allows admin users to sudo API requests as another user. Simply add either a `sudo=` parameter or `Sudo:` request header with the username of the user to sudo.
--- a/docs/content/doc/advanced/ci-cd.en-us.md
+++ b/docs/content/doc/advanced/ci-cd.en-us.md
@@ -1,37 +0,0 @@
---
-date: "2019-08-27:00:00+02:00"
-title: "CI/CD Usage"
-slug: "ci-cd"
-weight: 40
-toc: true
-draft: false
-menu:
-  sidebar:
-    parent: "advanced"
-    name: "CI/CD Usage"
-    weight: 40
-    identifier: "ci-cd"
---
-
-# Gitea and CI/CD
-**NOTE:** These tools are not endorsed by Gitea. They are listed here for convenience only.
-
-## Hey! This page may be out of date or even removed in the future! :scream:
-Instead, check out [awesome-gitea](https://gitea.com/gitea/awesome-gitea/src/branch/master/README.md#user-content-devops)!
-
-## Listing
-
-CI/CD solutions that have integration with Gitea. Following list is not complete,
-the purpose is to give a starting point to integrate a CI/CD process with your Gitea instance.
-
- - [Drone](https://drone.io) with [Gitea documentation](https://docs.drone.io/installation/providers/gitea/)
- - [Jenkins](https://jenkins.io/) with [Gitea plugin](https://plugins.jenkins.io/gitea)
- - [Agola](https://agola.io)
- - [Buildkite](https://buildkite.com) with [Gitea connector](https://github.com/techknowlogick/gitea-buildkite-connector)
- - [AppVeyor](https://www.appveyor.com) with [built-in Gitea support](https://www.appveyor.com/blog/2019/09/05/gitea-receives-first-class-support-in-appveyor/)
- - [Buildbot](https://www.buildbot.net/) with [Gitea plugin](https://github.com/lab132/buildbot-gitea)
- 
-
-Others CI/CD solutions that can partially be integrated with Gitea:
-
- - [Concourse](https://www.concourse-ci.org), see more information at [Concourse community forum](https://discuss.concourse-ci.org/t/concourse-ci-and-gitea-oauth/1475)
--- a/docs/content/doc/advanced/clone-filter.en-us.md
+++ b/docs/content/doc/advanced/clone-filter.en-us.md
@@ -0,0 +1,65 @@
+---
+date: "2021-02-02"
+title: "Clone filters (partial clone)"
+slug: "clone-filters"
+weight: 25
+draft: false
+toc: false
+menu:
+  sidebar:
+    parent: "advanced"
+    name: "Clone filters"
+    weight: 25
+    identifier: "clone-filters"
+---
+
+# Clone filters (partial clone)
+
+Git introduces `--filter` option to `git clone` command, which filters out
+large files and objects (such as blobs) to create partial clone of a repo.
+Clone filters are especially useful for large repo and/or metered connection,
+where full clone (without `--filter`) can be expensive (as all history data
+must be downloaded).
+
+This requires Git version 2.22 or later, both on the Gitea server and on the
+client. For clone filters to work properly, make sure that Git version
+on the client is at least the same as on the server (or later). Login to
+Gitea server as admin and head to Site Administration -> Configuration to
+see Git version of the server.
+
+By default, clone filters are disabled, which cause the server to ignore
+`--filter` option.
+
+To enable clone filters on per-repo basis, edit the repo's `config` on
+repository location. Consult `ROOT` option on `repository` section of
+Gitea configuration (`app.ini`) for the exact location. For example, to
+enable clone filters for `some-repo`, edit
+`/var/gitea/data/gitea-repositories/some-user/some-repo.git/config` and add:
+
+```ini
+[uploadpack]
+	allowfilter = true
+```
+
+To enable clone filters globally, add that config above to `~/.gitconfig`
+of user that run Gitea (for example `git`).
+
+Alternatively, you can use `git config` to set the option.
+
+To enable for a specific repo:
+
+```bash
+cd /var/gitea/data/gitea-repositories/some-user/some-repo.git
+git config --local uploadpack.allowfilter true
+```
+To enable globally, login as user that run Gitea and:
+
+```bash
+git config --global uploadpack.allowfilter true
+```
+
+See [GitHub blog post: Get up to speed with partial clone](https://github.blog/2020-12-21-get-up-to-speed-with-partial-clone-and-shallow-clone/)
+for common use cases of clone filters (blobless and treeless clones), and
+[Gitlab docs for partial clone](https://docs.gitlab.com/ee/topics/git/partial_clone.html)
+for more advanced use cases (such as filter by file size and remove
+filters to turn partial clone into full clone).
--- a/docs/content/doc/advanced/cmd-embedded.en-us.md
+++ b/docs/content/doc/advanced/cmd-embedded.en-us.md
@@ -3,7 +3,7 @@ date: "2020-01-25T21:00:00-03:00"
 title: "Embedded data extraction tool"
 slug: "cmd-embedded"
 weight: 40
-toc: true
+toc: false
 draft: false
 menu:
  sidebar:
@@ -15,6 +15,10 @@ menu:

 # Embedded data extraction tool

+**Table of Contents**
+
+{{< toc >}}
+
 Gitea's executable contains all the resources required to run: templates, images, style-sheets
 and translations. Any of them can be overridden by placing a replacement in a matching path
 inside the `custom` directory (see [Customizing Gitea]({{< relref "doc/advanced/customizing-gitea.en-us.md" >}})).
@@ -28,7 +32,7 @@ can be used from the OS shell interface.

 To list resources embedded in Gitea's executable, use the following syntax:

-```
+```sh
 gitea embedded list [--include-vendored] [patterns...]
 ```

@@ -48,11 +52,11 @@ a special meaning for your command shell.

 If no pattern is provided, all files are listed.

-#### Example
+### Example

 Listing all embedded files with `openid` in their path:

-```
+```sh
 $ gitea embedded list '**openid**'
 public/img/auth/openid_connect.svg
 public/img/openid-16x16.png
@@ -68,7 +72,7 @@ templates/user/settings/security_openid.tmpl

 To extract resources embedded in Gitea's executable, use the following syntax:

-```
+```sh
 gitea [--config {file}] embedded extract [--destination {dir}|--custom] [--overwrite|--rename] [--include-vendored] {patterns...}
 ```

@@ -91,7 +95,7 @@ as `filename.bak`. Previous `.bak` files are overwritten.
 At least one file search pattern must be provided; see `list` subcomand above for pattern
 syntax and examples.

-#### Important notice
+### Important notice

 Make sure to **only extract those files that require customization**. Files that
 are present in the `custom` directory are not upgraded by Gitea's upgrade process.
@@ -99,11 +103,11 @@ When Gitea is upgraded to a new version (by replacing the executable), many of t
 embedded files will suffer changes. Gitea will honor and use any files found
 in the `custom` directory, even if they are old and incompatible.

-#### Example
+### Example

 Extracting mail templates to a temporary directory:

-```
+```sh
 $ mkdir tempdir
 $ gitea embedded extract --destination tempdir 'templates/mail/**.tmpl'
 Extracting to tempdir:
--- a/docs/content/doc/advanced/config-cheat-sheet.en-us.md
+++ b/docs/content/doc/advanced/config-cheat-sheet.en-us.md
@@ -23,7 +23,7 @@ or any corresponding location. When installing from a distribution, this will
 typically be found at `/etc/gitea/conf/app.ini`.

 The defaults provided here are best-effort (not built automatically). They are
-accurately recorded in [app.ini.sample](https://github.com/go-gitea/gitea/blob/master/custom/conf/app.ini.sample)
+accurately recorded in [app.example.ini](https://github.com/go-gitea/gitea/blob/master/custom/conf/app.example.ini)
 (s/master/\<tag|release\>). Any string in the format `%(X)s` is a feature powered
 by [ini](https://github.com/go-ini/ini/#recursive-values), for reading values recursively.

@@ -31,25 +31,27 @@ Values containing `#` or `;` must be quoted using `` ` `` or `"""`.

 **Note:** A full restart is required for Gitea configuration changes to take effect.

+{{< toc >}}
+
 ## Overall (`DEFAULT`)

 - `APP_NAME`: **Gitea: Git with a cup of tea**: Application name, used in the page title.
 - `RUN_USER`: **git**: The user Gitea will run as. This should be a dedicated system
   (non-user) account. Setting this incorrectly will cause Gitea to not start.
- `RUN_MODE`: **dev**: For performance and other purposes, change this to `prod` when
-   deployed to a production environment. The installation process will set this to `prod`
-   automatically. \[prod, dev, test\]
+- `RUN_MODE`: **prod**: Application run mode, affects performance and debugging. Either "dev", "prod" or "test".

 ## Repository (`repository`)

- `ROOT`: **~/gitea-repositories/**: Root path for storing all repository data. It must be
-   an absolute path.
+- `ROOT`: **data/gitea-repositories/**: Root path for storing all repository data. It must be
+   an absolute path. By default it is stored in a sub-directory of `APP_DATA_PATH`.
 - `SCRIPT_TYPE`: **bash**: The script type this server supports. Usually this is `bash`,
   but some users report that only `sh` is available.
- `ANSI_CHARSET`: **\<empty\>**: The default charset for an unrecognized charset.
+- `DETECTED_CHARSETS_ORDER`: **UTF-8, UTF-16BE, UTF-16LE, UTF-32BE, UTF-32LE, ISO-8859, windows-1252, ISO-8859, windows-1250, ISO-8859, ISO-8859, ISO-8859, windows-1253, ISO-8859, windows-1255, ISO-8859, windows-1251, windows-1256, KOI8-R, ISO-8859, windows-1254, Shift_JIS, GB18030, EUC-JP, EUC-KR, Big5, ISO-2022, ISO-2022, ISO-2022, IBM424_rtl, IBM424_ltr, IBM420_rtl, IBM420_ltr**: Tie-break order of detected charsets - if the detected charsets have equal confidence, charsets earlier in the list will be chosen in preference to those later. Adding `defaults` will place the unnamed charsets at that point.
+- `ANSI_CHARSET`: **\<empty\>**: Default ANSI charset to override non-UTF-8 charsets to.
 - `FORCE_PRIVATE`: **false**: Force every new repository to be private.
 - `DEFAULT_PRIVATE`: **last**: Default private when creating a new repository.
   \[last, private, public\]
+- `DEFAULT_PUSH_CREATE_PRIVATE`: **true**: Default private when creating a new repository with push-to-create.
 - `MAX_CREATION_LIMIT`: **-1**: Global maximum creation limit of repositories per user,
   `-1` means no limit.
 - `PULL_REQUEST_QUEUE_LENGTH`: **1000**: Length of pull request patch test queue, make it
@@ -57,7 +59,7 @@ Values containing `#` or `;` must be quoted using `` ` `` or `"""`.
 - `MIRROR_QUEUE_LENGTH`: **1000**: Patch test queue length, increase if pull request patch
   testing starts hanging.
 - `PREFERRED_LICENSES`: **Apache License 2.0,MIT License**: Preferred Licenses to place at
-   the top of the list. Name must match file name in conf/license or custom/conf/license.
+   the top of the list. Name must match file name in options/license or custom/options/license.
 - `DISABLE_HTTP_GIT`: **false**: Disable the ability to interact with repositories over the
   HTTP protocol.
 - `USE_COMPAT_SSH_URI`: **false**: Force ssh:// clone url instead of scp-style uri when
@@ -68,7 +70,20 @@ Values containing `#` or `;` must be quoted using `` ` `` or `"""`.
 - `DEFAULT_CLOSE_ISSUES_VIA_COMMITS_IN_ANY_BRANCH`:  **false**: Close an issue if a commit on a non default branch marks it as closed.
 - `ENABLE_PUSH_CREATE_USER`:  **false**: Allow users to push local repositories to Gitea and have them automatically created for a user.
 - `ENABLE_PUSH_CREATE_ORG`:  **false**: Allow users to push local repositories to Gitea and have them automatically created for an org.
+- `DISABLED_REPO_UNITS`: **_empty_**: Comma separated list of globally disabled repo units. Allowed values: \[repo.issues, repo.ext_issues, repo.pulls, repo.wiki, repo.ext_wiki, repo.projects\]
+- `DEFAULT_REPO_UNITS`: **repo.code,repo.releases,repo.issues,repo.pulls,repo.wiki,repo.projects**: Comma separated list of default repo units. Allowed values: \[repo.code, repo.releases, repo.issues, repo.pulls, repo.wiki, repo.projects\]. Note: Code and Releases can currently not be deactivated. If you specify default repo units you should still list them for future compatibility. External wiki and issue tracker can't be enabled by default as it requires additional settings. Disabled repo units will not be added to new repositories regardless if it is in the default list.
 - `PREFIX_ARCHIVE_FILES`: **true**: Prefix archive files by placing them in a directory named after the repository.
+- `DISABLE_MIRRORS`: **false**: Disable the creation of **new** mirrors. Pre-existing mirrors remain valid.
+- `DISABLE_MIGRATIONS`: **false**: Disable migrating feature.
+- `DISABLE_STARS`: **false**: Disable stars feature.
+- `DEFAULT_BRANCH`: **master**: Default branch name of all repositories.
+- `ALLOW_ADOPTION_OF_UNADOPTED_REPOSITORIES`: **false**: Allow non-admin users to adopt unadopted repositories
+- `ALLOW_DELETION_OF_UNADOPTED_REPOSITORIES`: **false**: Allow non-admin users to delete unadopted repositories
+
+### Repository - Editor (`repository.editor`)
+
+- `LINE_WRAP_EXTENSIONS`: **.txt,.md,.markdown,.mdown,.mkd,**: List of file extensions for which lines should be wrapped in the Monaco editor. Separate extensions with a comma. To line wrap files without an extension, just put a comma
+- `PREVIEWABLE_FILE_MODES`: **markdown**: Valid file modes that have a preview API associated with them, such as `api/v1/markdown`. Separate the values by commas. The preview tab in edit mode won't be displayed if the file extension doesn't match.

 ### Repository - Pull Request (`repository.pull-request`)

@@ -79,15 +94,28 @@ Values containing `#` or `;` must be quoted using `` ` `` or `"""`.
 - `REOPEN_KEYWORDS`: **reopen**, **reopens**, **reopened**: List of keywords used in Pull Request comments to automatically reopen
 a related issue
 - `DEFAULT_MERGE_MESSAGE_COMMITS_LIMIT`: **50**: In the default merge message for squash commits include at most this many commits. Set to `-1` to include all commits
- `DEFAULT_MERGE_MESSAGE_SIZE`: **5120**: In the default merge message for squash commits limit the size of the commit messages. Set to `-1` to have no limit.
+- `DEFAULT_MERGE_MESSAGE_SIZE`: **5120**: In the default merge message for squash commits limit the size of the commit messages. Set to `-1` to have no limit. Only used if `POPULATE_SQUASH_COMMENT_WITH_COMMIT_MESSAGES` is `true`.
 - `DEFAULT_MERGE_MESSAGE_ALL_AUTHORS`: **false**: In the default merge message for squash commits walk all commits to include all authors in the Co-authored-by otherwise just use those in the limited list
 - `DEFAULT_MERGE_MESSAGE_MAX_APPROVERS`: **10**: In default merge messages limit the number of approvers listed as `Reviewed-by:`. Set to `-1` to include all.
 - `DEFAULT_MERGE_MESSAGE_OFFICIAL_APPROVERS_ONLY`: **true**: In default merge messages only include approvers who are officially allowed to review.
+- `POPULATE_SQUASH_COMMENT_WITH_COMMIT_MESSAGES`: **false**: In default squash-merge messages include the commit message of all commits comprising the pull request.

 ### Repository - Issue (`repository.issue`)

 - `LOCK_REASONS`: **Too heated,Off-topic,Resolved,Spam**: A list of reasons why a Pull Request or Issue can be locked

+### Repository - Upload (`repository.upload`)
+
+- `ENABLED`: **true**: Whether repository file uploads are enabled
+- `TEMP_PATH`: **data/tmp/uploads**: Path for uploads (tmp gets deleted on gitea restart)
+- `ALLOWED_TYPES`: **\<empty\>**: Comma-separated list of allowed file extensions (`.zip`), mime types (`text/plain`) or wildcard type (`image/*`, `audio/*`, `video/*`). Empty value or `*/*` allows all types.
+- `FILE_MAX_SIZE`: **3**: Max size of each file in megabytes.
+- `MAX_FILES`: **5**: Max number of files per upload
+
+### Repository - Release (`repository.release`)
+
+- `ALLOWED_TYPES`: **\<empty\>**: Comma-separated list of allowed file extensions (`.zip`), mime types (`text/plain`) or wildcard type (`image/*`, `audio/*`, `video/*`). Empty value or `*/*` allows all types.
+
 ### Repository - Signing (`repository.signing`)

 - `SIGNING_KEY`: **default**: \[none, KEYID, default \]: Key to sign with.
@@ -98,6 +126,10 @@ Values containing `#` or `;` must be quoted using `` ` `` or `"""`.
  - `twofa`: Only sign if the user is logged in with twofa
  - `always`: Always sign
  - Options other than `never` and `always` can be combined as a comma separated list.
+- `DEFAULT_TRUST_MODEL`: **collaborator**: \[collaborator, committer, collaboratorcommitter\]: The default trust model used for verifying commits.
+   - `collaborator`: Trust signatures signed by keys of collaborators.
+   - `committer`: Trust signatures that match committers (This matches GitHub and will force Gitea signed commits to have Gitea as the committer).
+   - `collaboratorcommitter`: Trust signatures signed by keys of collaborators which match the committer.
 - `WIKI`: **never**: \[never, pubkey, twofa, always, parentsigned\]: Sign commits to wiki.
 - `CRUD_ACTIONS`: **pubkey, twofa, parentsigned**: \[never, pubkey, twofa, parentsigned, always\]: Sign CRUD actions.
  - Options as above, with the addition of:
@@ -108,6 +140,19 @@ Values containing `#` or `;` must be quoted using `` ` `` or `"""`.
  - `headsigned`: Only sign if the head commit in the head branch is signed.
  - `commitssigned`: Only sign if all the commits in the head branch to the merge point are signed.

+## Repository - Local (`repository.local`)
+
+- `LOCAL_COPY_PATH`: **tmp/local-repo**: Path for temporary local repository copies. Defaults to `tmp/local-repo`
+
+## Repository -  MIME type mapping (`repository.mimetype_mapping`)
+
+Configuration for set the expected MIME type based on file extensions of downloadable files. Configuration presents in key-value pairs and file extensions starts with leading `.`.
+
+The following configuration set `Content-Type: application/vnd.android.package-archive` header when downloading files with `.apk` file extension.
+```ini
+.apk=application/vnd.android.package-archive
+```
+
 ## CORS (`cors`)

 - `ENABLED`: **false**: enable cors headers (disabled by default)
@@ -124,13 +169,21 @@ Values containing `#` or `;` must be quoted using `` ` `` or `"""`.
 - `ISSUE_PAGING_NUM`: **10**: Number of issues that are shown in one page (for all pages that list issues).
 - `MEMBERS_PAGING_NUM`: **20**: Number of members that are shown in organization members.
 - `FEED_MAX_COMMIT_NUM`: **5**: Number of maximum commits shown in one activity feed.
+- `FEED_PAGING_NUM`: **20**: Number of items that are displayed in home feed.
 - `GRAPH_MAX_COMMIT_NUM`: **100**: Number of maximum commits shown in the commit graph.
+- `CODE_COMMENT_LINES`: **4**: Number of line of codes shown for a code comment.
 - `DEFAULT_THEME`: **gitea**: \[gitea, arc-green\]: Set the default theme for the Gitea install.
- `THEMES`:  **gitea,arc-green**: All available themes. Allow users select personalized themes
+- `SHOW_USER_EMAIL`: **true**: Whether the email of the user should be shown in the Explore Users page.
+- `THEMES`:  **gitea,arc-green**: All available themes. Allow users select personalized themes.
  regardless of the value of `DEFAULT_THEME`.
+- `THEME_COLOR_META_TAG`: **#6cc644**:  Value of `theme-color` meta tag, used by Android >= 5.0. An invalid color like "none" or "disable" will have the default style.  More info: https://developers.google.com/web/updates/2014/11/Support-for-theme-color-in-Chrome-39-for-Android
+- `MAX_DISPLAY_FILE_SIZE`: **8388608**: Max size of files to be displayed (default is 8MiB)
 - `REACTIONS`: All available reactions users can choose on issues/prs and comments
    Values can be emoji alias (:smile:) or a unicode emoji.
-    For custom reactions, add a tightly cropped square image to public/emoji/img/reaction_name.png
+    For custom reactions, add a tightly cropped square image to public/img/emoji/reaction_name.png
+- `CUSTOM_EMOJIS`: **gitea, codeberg, gitlab, git, github, gogs**: Additional Emojis not defined in the utf8 standard.
+    By default we support gitea (:gitea:), to add more copy them to public/img/emoji/emoji_name.png and
+    add it to this config.
 - `DEFAULT_SHOW_FULL_NAME`: **false**: Whether the full name of the users should be shown where possible. If the full name isn't set, the username will be used.
 - `SEARCH_REPO_DESCRIPTION`: **true**: Whether to search within description at repository search on explore page.
 - `USE_SERVICE_WORKER`: **true**: Whether to enable a Service Worker to cache frontend assets.
@@ -142,17 +195,33 @@ Values containing `#` or `;` must be quoted using `` ` `` or `"""`.
 - `NOTICE_PAGING_NUM`: **25**: Number of notices that are shown in one page.
 - `ORG_PAGING_NUM`: **50**: Number of organizations that are shown in one page.

+### UI - Metadata (`ui.meta`)
+
+- `AUTHOR`: **Gitea - Git with a cup of tea**: Author meta tag of the homepage.
+- `DESCRIPTION`: **Gitea (Git with a cup of tea) is a painless self-hosted Git service written in Go**: Description meta tag of the homepage.
+- `KEYWORDS`: **go,git,self-hosted,gitea**: Keywords meta tag of the homepage.
+
 ### UI - Notification (`ui.notification`)

 - `MIN_TIMEOUT`: **10s**: These options control how often notification endpoint is polled to update the notification count. On page load the notification count will be checked after `MIN_TIMEOUT`. The timeout will increase to `MAX_TIMEOUT` by `TIMEOUT_STEP` if the notification count is unchanged. Set MIN_TIMEOUT to 0 to turn off.
 - `MAX_TIMEOUT`: **60s**.
 - `TIMEOUT_STEP`: **10s**.
- `EVENT_SOURCE_UPDATE_TIME`: **10s**: This setting determines how often the database is queried to update notification counts. If the browser client supports `EventSource`, it will be used in preference to polling notification endpoint.
+- `EVENT_SOURCE_UPDATE_TIME`: **10s**: This setting determines how often the database is queried to update notification counts. If the browser client supports `EventSource` and `SharedWorker`, a `SharedWorker` will be used in preference to polling notification endpoint. Set to **-1** to disable the `EventSource`.

+### UI - SVG Images (`ui.svg`)
+
+- `ENABLE_RENDER`: **true**: Whether to render SVG files as images.  If SVG rendering is disabled, SVG files are displayed as text and cannot be embedded in markdown files as images.
+
+### UI - CSV Files (`ui.csv`)
+
+- `MAX_FILE_SIZE`: **524288** (512kb): Maximum allowed file size in bytes to render CSV files as table. (Set to 0 for no limit).

 ## Markdown (`markdown`)

- `ENABLE_HARD_LINE_BREAK`: **true**: Render soft line breaks as hard line breaks, which
+- `ENABLE_HARD_LINE_BREAK_IN_COMMENTS`: **true**: Render soft line breaks as hard line breaks in comments, which
+  means a single newline character between paragraphs will cause a line break and adding
+  trailing whitespace to paragraphs is not necessary to force a line break.
+- `ENABLE_HARD_LINE_BREAK_IN_DOCUMENTS`: **false**: Render soft line breaks as hard line breaks in documents, which
  means a single newline character between paragraphs will cause a line break and adding
  trailing whitespace to paragraphs is not necessary to force a line break.
 - `CUSTOM_URL_SCHEMES`: Use a comma separated list (ftp,git,svn) to indicate additional
@@ -186,26 +255,57 @@ Values containing `#` or `;` must be quoted using `` ` `` or `"""`.
   most cases you do not need to change the default value. Alter it only if
   your SSH server node is not the same as HTTP node. Do not set this variable
   if `PROTOCOL` is set to `unix`.
+- `PER_WRITE_TIMEOUT`: **30s**: Timeout for any write to the connection. (Set to 0 to
+   disable all timeouts.)
+- `PER_WRITE_PER_KB_TIMEOUT`: **10s**: Timeout per Kb written to connections.
+
 - `DISABLE_SSH`: **false**: Disable SSH feature when it's not available.
 - `START_SSH_SERVER`: **false**: When enabled, use the built-in SSH server.
+- `BUILTIN_SSH_SERVER_USER`: **%(RUN_USER)s**: Username to use for the built-in SSH Server.
 - `SSH_DOMAIN`: **%(DOMAIN)s**: Domain name of this server, used for displayed clone URL.
 - `SSH_PORT`: **22**: SSH port displayed in clone URL.
 - `SSH_LISTEN_HOST`: **0.0.0.0**: Listen address for the built-in SSH server.
 - `SSH_LISTEN_PORT`: **%(SSH\_PORT)s**: Port for the built-in SSH server.
+- `SSH_ROOT_PATH`: **~/.ssh**: Root path of SSH directory.
+- `SSH_CREATE_AUTHORIZED_KEYS_FILE`: **true**: Gitea will create a authorized_keys file by default when it is not using the internal ssh server. If you intend to use the AuthorizedKeysCommand functionality then you should turn this off.
+- `SSH_AUTHORIZED_KEYS_BACKUP`: **true**: Enable SSH Authorized Key Backup when rewriting all keys, default is true.
+- `SSH_TRUSTED_USER_CA_KEYS`: **\<empty\>**: Specifies the public keys of certificate authorities that are trusted to sign user certificates for authentication. Multiple keys should be comma separated. E.g.`ssh-<algorithm> <key>` or `ssh-<algorithm> <key1>, ssh-<algorithm> <key2>`. For more information see `TrustedUserCAKeys` in the sshd config man pages. When empty no file will be created and `SSH_AUTHORIZED_PRINCIPALS_ALLOW` will default to `off`.
+- `SSH_TRUSTED_USER_CA_KEYS_FILENAME`: **`RUN_USER`/.ssh/gitea-trusted-user-ca-keys.pem**: Absolute path of the `TrustedUserCaKeys` file gitea will manage. If you're running your own ssh server and you want to use the gitea managed file you'll also need to modify your sshd_config to point to this file. The official docker image will automatically work without further configuration.
+- `SSH_AUTHORIZED_PRINCIPALS_ALLOW`: **off** or **username, email**: \[off, username, email, anything\]: Specify the principals values that users are allowed to use as principal. When set to `anything` no checks are done on the principal string. When set to `off` authorized principal are not allowed to be set.
+- `SSH_CREATE_AUTHORIZED_PRINCIPALS_FILE`: **false/true**: Gitea will create a authorized_principals file by default when it is not using the internal ssh server and `SSH_AUTHORIZED_PRINCIPALS_ALLOW` is not `off`.
+- `SSH_AUTHORIZED_PRINCIPALS_BACKUP`: **false/true**: Enable SSH Authorized Principals Backup when rewriting all keys, default is true if `SSH_AUTHORIZED_PRINCIPALS_ALLOW` is not `off`.
+- `SSH_AUTHORIZED_KEYS_COMMAND_TEMPLATE`: **{{.AppPath}} --config={{.CustomConf}} serv key-{{.Key.ID}}**: Set the template for the command to passed on authorized keys. Possible keys are: AppPath, AppWorkPath, CustomConf, CustomPath, Key - where Key is a `models.PublicKey` and the others are strings which are shellquoted.
+- `SSH_SERVER_CIPHERS`: **aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, arcfour256, arcfour128**: For the built-in SSH server, choose the ciphers to support for SSH connections, for system SSH this setting has no effect.
+- `SSH_SERVER_KEY_EXCHANGES`: **diffie-hellman-group1-sha1, diffie-hellman-group14-sha1, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, curve25519-sha256@libssh.org**: For the built-in SSH server, choose the key exchange algorithms to support for SSH connections, for system SSH this setting has no effect.
+- `SSH_SERVER_MACS`: **hmac-sha2-256-etm@openssh.com, hmac-sha2-256, hmac-sha1, hmac-sha1-96**: For the built-in SSH server, choose the MACs to support for SSH connections, for system SSH this setting has no effect
+- `SSH_SERVER_HOST_KEYS`: **ssh/gitea.rsa, ssh/gogs.rsa**: For the built-in SSH server, choose the keypairs to offer as the host key. The private key should be at `SSH_SERVER_HOST_KEY` and the public `SSH_SERVER_HOST_KEY.pub`. Relative paths are made absolute relative to the `APP_DATA_PATH`. If no key exists a 4096 bit RSA key will be created for you.
+- `SSH_KEY_TEST_PATH`: **/tmp**: Directory to create temporary files in when testing public keys using ssh-keygen, default is the system temporary directory.
+- `SSH_KEYGEN_PATH`: **ssh-keygen**: Path to ssh-keygen, default is 'ssh-keygen' which means the shell is responsible for finding out which one to call.
+- `SSH_EXPOSE_ANONYMOUS`: **false**: Enable exposure of SSH clone URL to anonymous visitors, default is false.
+- `SSH_PER_WRITE_TIMEOUT`: **30s**: Timeout for any write to the SSH connections. (Set to
+  0 to disable all timeouts.)
+- `SSH_PER_WRITE_PER_KB_TIMEOUT`: **10s**: Timeout per Kb written to SSH connections.
+- `MINIMUM_KEY_SIZE_CHECK`: **true**: Indicate whether to check minimum key size with corresponding type.
+
 - `OFFLINE_MODE`: **false**: Disables use of CDN for static files and Gravatar for profile pictures.
 - `DISABLE_ROUTER_LOG`: **false**: Mute printing of the router log.
- `CERT_FILE`: **https/cert.pem**: Cert file path used for HTTPS. From 1.11 paths are relative to `CUSTOM_PATH`.
+- `CERT_FILE`: **https/cert.pem**: Cert file path used for HTTPS. When chaining, the server certificate must come first, then intermediate CA certificates (if any). From 1.11 paths are relative to `CUSTOM_PATH`.
 - `KEY_FILE`: **https/key.pem**: Key file path used for HTTPS. From 1.11 paths are relative to `CUSTOM_PATH`.
 - `STATIC_ROOT_PATH`: **./**: Upper level of template and static files path.
- `STATIC_CACHE_TIME`: **6h**: Web browser cache time for static resources on `custom/`, `public/` and all uploaded avatars.
- `ENABLE_GZIP`: **false**: Enables application-level GZIP support.
+- `APP_DATA_PATH`: **data** (**/data/gitea** on docker): Default path for application data.
+- `STATIC_CACHE_TIME`: **6h**: Web browser cache time for static resources on `custom/`, `public/` and all uploaded avatars. Note that this cache is disabled when `RUN_MODE` is "dev".
+- `ENABLE_GZIP`: **false**: Enable gzip compression for runtime-generated content, static resources excluded.
+- `ENABLE_PPROF`: **false**: Application profiling (memory and cpu). For "web" command it listens on localhost:6060. For "serv" command it dumps to disk at `PPROF_DATA_PATH` as `(cpuprofile|memprofile)_<username>_<temporary id>`
+- `PPROF_DATA_PATH`: **data/tmp/pprof**: `PPROF_DATA_PATH`, use an absolute path when you start gitea as service
 - `LANDING_PAGE`: **home**: Landing page for unauthenticated users \[home, explore, organizations, login\].
+
 - `LFS_START_SERVER`: **false**: Enables git-lfs support.
- `LFS_CONTENT_PATH`: **./data/lfs**: Where to store LFS files.
+- `LFS_CONTENT_PATH`: **%(APP_DATA_PATH)/lfs**:  DEPRECATED: Default LFS content path. (if it is on local storage.)
 - `LFS_JWT_SECRET`: **\<empty\>**: LFS authentication secret, change this a unique string.
 - `LFS_HTTP_AUTH_EXPIRY`: **20m**: LFS authentication validity period in time.Duration, pushes taking longer than this may fail.
 - `LFS_MAX_FILE_SIZE`: **0**: Maximum allowed LFS file size in bytes (Set to 0 for no limit).
- `LFS_LOCK_PAGING_NUM`: **50**: Maximum number of LFS Locks returned per page.
+- `LFS_LOCKS_PAGING_NUM`: **50**: Maximum number of LFS Locks returned per page.
+
 - `REDIRECT_OTHER_PORT`: **false**: If true and `PROTOCOL` is https, allows redirecting http requests on `PORT_TO_REDIRECT` to the https port Gitea listens on.
 - `PORT_TO_REDIRECT`: **80**: Port for the http redirection service to listen on. Used when `REDIRECT_OTHER_PORT` is true.
 - `ENABLE_LETSENCRYPT`: **false**: If enabled you must set `DOMAIN` to valid internet facing domain (ensure DNS is set and port 80 is accessible by letsencrypt validation server).
@@ -223,9 +323,9 @@ Values containing `#` or `;` must be quoted using `` ` `` or `"""`.
 - `HOST`: **127.0.0.1:3306**: Database host address and port or absolute path for unix socket \[mysql, postgres\] (ex: /var/run/mysqld/mysqld.sock).
 - `NAME`: **gitea**: Database name.
 - `USER`: **root**: Database username.
- `PASSWD`: **\<empty\>**: Database user password. Use \`your password\` for quoting if you use special characters in the password.
+- `PASSWD`: **\<empty\>**: Database user password. Use \`your password\` or """your password""" for quoting if you use special characters in the password.
 - `SCHEMA`: **\<empty\>**: For PostgreSQL only, schema to use if different from "public". The schema must exist beforehand,
-  the user must have creation privileges on it, and the user search path must be set to the look into the schema first 
+  the user must have creation privileges on it, and the user search path must be set to the look into the schema first
  (e.g. `ALTER USER user SET SEARCH_PATH = schema_name,"$user",public;`).
 - `SSL_MODE`: **disable**: SSL/TLS encryption mode for connecting to the database. This option is only applied for PostgreSQL and MySQL.
  - Valid values for MySQL:
@@ -239,15 +339,17 @@ Values containing `#` or `;` must be quoted using `` ` `` or `"""`.
     - `require`: Enable TLS without any verifications.
     - `verify-ca`: Enable TLS with verification of the database server certificate against its root certificate.
     - `verify-full`: Enable TLS and verify the database server name matches the given certificate in either the `Common Name` or `Subject Alternative Name` fields.
- `CHARSET`: **utf8**: For MySQL only, either "utf8" or "utf8mb4", default is "utf8". NOTICE: for "utf8mb4" you must use MySQL InnoDB > 5.6. Gitea is unable to check this.
+- `SQLITE_TIMEOUT`: **500**: Query timeout for sqlite3 only.
+- `ITERATE_BUFFER_SIZE`: **50**: Internal buffer size for iterating.
+- `CHARSET`: **utf8mb4**: For MySQL only, either "utf8" or "utf8mb4". NOTICE: for "utf8mb4" you must use MySQL InnoDB > 5.6. Gitea is unable to check this.
 - `PATH`: **data/gitea.db**: For SQLite3 only, the database file path.
 - `LOG_SQL`: **true**: Log the executed SQL.
 - `DB_RETRIES`: **10**: How many ORM init / DB connect attempts allowed.
- `DB_RETRY_BACKOFF`: **3s**: time.Duration to wait before trying another ORM init / DB connect attempt, if failure occured.
+- `DB_RETRY_BACKOFF`: **3s**: time.Duration to wait before trying another ORM init / DB connect attempt, if failure occurred.
 - `MAX_OPEN_CONNS` **0**: Database maximum open connections - default is 0, meaning there is no limit.
- `MAX_IDLE_CONNS` **2**: Max idle database connections on connnection pool, default is 2 - this will be capped to `MAX_OPEN_CONNS`.
+- `MAX_IDLE_CONNS` **2**: Max idle database connections on connection pool, default is 2 - this will be capped to `MAX_OPEN_CONNS`.
 - `CONN_MAX_LIFETIME` **0 or 3s**: Sets the maximum amount of time a DB connection may be reused - default is 0, meaning there is no limit (except on MySQL where it is 3s - see #6804 & #7071).
-  
+
 Please see #8540 & #8273 for further discussion of the appropriate values for `MAX_OPEN_CONNS`, `MAX_IDLE_CONNS` & `CONN_MAX_LIFETIME` and their
 relation to port exhaustion.

@@ -258,44 +360,48 @@ relation to port exhaustion.
 - `ISSUE_INDEXER_NAME`: **gitea_issues**: Issue indexer name, available when ISSUE_INDEXER_TYPE is elasticsearch
 - `ISSUE_INDEXER_PATH`: **indexers/issues.bleve**: Index file used for issue search; available when ISSUE_INDEXER_TYPE is bleve and elasticsearch.
 - The next 4 configuration values are deprecated and should be set in `queue.issue_indexer` however are kept for backwards compatibility:
- `ISSUE_INDEXER_QUEUE_TYPE`: **levelqueue**: Issue indexer queue, currently supports:`channel`, `levelqueue`, `redis`.
- `ISSUE_INDEXER_QUEUE_DIR`: **indexers/issues.queue**: When `ISSUE_INDEXER_QUEUE_TYPE` is `levelqueue`, this will be the queue will be saved path.
- `ISSUE_INDEXER_QUEUE_CONN_STR`: **addrs=127.0.0.1:6379 db=0**: When `ISSUE_INDEXER_QUEUE_TYPE` is `redis`, this will store the redis connection string.
- `ISSUE_INDEXER_QUEUE_BATCH_NUMBER`: **20**: Batch queue number.
+- `ISSUE_INDEXER_QUEUE_TYPE`: **levelqueue**: Issue indexer queue, currently supports:`channel`, `levelqueue`, `redis`. **DEPRECATED** use settings in `[queue.issue_indexer]`.
+- `ISSUE_INDEXER_QUEUE_DIR`: **queues/common**: When `ISSUE_INDEXER_QUEUE_TYPE` is `levelqueue`, this will be the path where the queue will be saved. **DEPRECATED** use settings in `[queue.issue_indexer]`.
+- `ISSUE_INDEXER_QUEUE_CONN_STR`: **addrs=127.0.0.1:6379 db=0**: When `ISSUE_INDEXER_QUEUE_TYPE` is `redis`, this will store the redis connection string. When `ISSUE_INDEXER_QUEUE_TYPE` is `levelqueue`, this is a directory or additional options of the form `leveldb://path/to/db?option=value&....`, and overrides `ISSUE_INDEXER_QUEUE_DIR`. **DEPRECATED** use settings in `[queue.issue_indexer]`.
+- `ISSUE_INDEXER_QUEUE_BATCH_NUMBER`: **20**: Batch queue number. **DEPRECATED** use settings in `[queue.issue_indexer]`.

 - `REPO_INDEXER_ENABLED`: **false**: Enables code search (uses a lot of disk space, about 6 times more than the repository size).
+- `REPO_INDEXER_TYPE`: **bleve**: Code search engine type, could be `bleve` or `elasticsearch`.
 - `REPO_INDEXER_PATH`: **indexers/repos.bleve**: Index file used for code search.
+- `REPO_INDEXER_CONN_STR`: ****: Code indexer connection string, available when `REPO_INDEXER_TYPE` is elasticsearch. i.e. http://elastic:changeme@localhost:9200
+- `REPO_INDEXER_NAME`: **gitea_codes**: Code indexer name, available when `REPO_INDEXER_TYPE` is elasticsearch
+
 - `REPO_INDEXER_INCLUDE`: **empty**: A comma separated list of glob patterns (see https://github.com/gobwas/glob) to **include** in the index. Use `**.txt` to match any files with .txt extension. An empty list means include all files.
 - `REPO_INDEXER_EXCLUDE`: **empty**: A comma separated list of glob patterns (see https://github.com/gobwas/glob) to **exclude** from the index. Files that match this list will not be indexed, even if they match in `REPO_INDEXER_INCLUDE`.
 - `REPO_INDEXER_EXCLUDE_VENDORED`: **true**: Exclude vendored files from index.
- `UPDATE_BUFFER_LEN`: **20**: Buffer length of index request.
+- `UPDATE_BUFFER_LEN`: **20**: Buffer length of index request. **DEPRECATED** use settings in `[queue.issue_indexer]`.
 - `MAX_FILE_SIZE`: **1048576**: Maximum size in bytes of files to be indexed.
 - `STARTUP_TIMEOUT`: **30s**: If the indexer takes longer than this timeout to start - fail. (This timeout will be added to the hammer time above for child processes - as bleve will not start until the previous parent is shutdown.) Set to zero to never timeout.

 ## Queue (`queue` and `queue.*`)

- `TYPE`: **persistable-channel**: General queue type, currently support: `persistable-channel`, `channel`, `level`, `redis`, `dummy`
- `DATADIR`: **queues/**: Base DataDir for storing persistent and level queues. `DATADIR` for inidividual queues can be set in `queue.name` sections but will default to `DATADIR/`**`name`**.
+- `TYPE`: **persistable-channel**: General queue type, currently support: `persistable-channel` (uses a LevelDB internally), `channel`, `level`, `redis`, `dummy`
+- `DATADIR`: **queues/**: Base DataDir for storing persistent and level queues. `DATADIR` for individual queues can be set in `queue.name` sections but will default to `DATADIR/`**`common`**. (Previously each queue would default to `DATADIR/`**`name`**.)
 - `LENGTH`: **20**: Maximal queue size before channel queues block
 - `BATCH_LENGTH`: **20**: Batch data before passing to the handler
- `CONN_STR`: **addrs=127.0.0.1:6379 db=0**: Connection string for the redis queue type.
- `QUEUE_NAME`: **_queue**: The suffix for default redis queue name. Individual queues will default to **`name`**`QUEUE_NAME` but can be overriden in the specific `queue.name` section.
- `SET_NAME`: **_unique**: The suffix that will added to the default redis
-set name for unique queues. Individual queues will default to
-**`name`**`QUEUE_NAME`_`SET_NAME`_ but can be overridden in the specific
-`queue.name` section.
+- `CONN_STR`: **redis://127.0.0.1:6379/0**: Connection string for the redis queue type. Options can be set using query params. Similarly LevelDB options can also be set using: **leveldb://relative/path?option=value** or **leveldb:///absolute/path?option=value**, and will override `DATADIR`
+- `QUEUE_NAME`: **_queue**: The suffix for default redis and disk queue name. Individual queues will default to **`name`**`QUEUE_NAME` but can be overridden in the specific `queue.name` section.
+- `SET_NAME`: **_unique**: The suffix that will be added to the default redis and disk queue `set` name for unique queues. Individual queues will default to
+ **`name`**`QUEUE_NAME`_`SET_NAME`_ but can be overridden in the specific `queue.name` section.
 - `WRAP_IF_NECESSARY`: **true**: Will wrap queues with a timeoutable queue if the selected queue is not ready to be created - (Only relevant for the level queue.)
 - `MAX_ATTEMPTS`: **10**: Maximum number of attempts to create the wrapped queue
 - `TIMEOUT`: **GRACEFUL_HAMMER_TIME + 30s**: Timeout the creation of the wrapped queue if it takes longer than this to create.
 - Queues by default come with a dynamically scaling worker pool. The following settings configure this:
- `WORKERS`: **1**: Number of initial workers for the queue.
+- `WORKERS`: **0** (v1.14 and before: **1**): Number of initial workers for the queue.
 - `MAX_WORKERS`: **10**: Maximum number of worker go-routines for the queue.
 - `BLOCK_TIMEOUT`: **1s**: If the queue blocks for this time, boost the number of workers - the `BLOCK_TIMEOUT` will then be doubled before boosting again whilst the boost is ongoing.
 - `BOOST_TIMEOUT`: **5m**: Boost workers will timeout after this long.
- `BOOST_WORKERS`: **5**: This many workers will be added to the worker pool if there is a boost.
+- `BOOST_WORKERS`: **1** (v1.14 and before: **5**): This many workers will be added to the worker pool if there is a boost.

 ## Admin (`admin`)
+
 - `DEFAULT_EMAIL_NOTIFICATIONS`: **enabled**: Default configuration for email notifications for users (user configurable). Options: enabled, onmention, disabled
+- `DISABLE_REGULAR_ORG_CREATION`: **false**: Disallow regular (non-admin) users from creating organizations.

 ## Security (`security`)

@@ -309,20 +415,31 @@ set name for unique queues. Individual queues will default to
   authentication.
 - `REVERSE_PROXY_AUTHENTICATION_EMAIL`: **X-WEBAUTH-EMAIL**: Header name for reverse proxy
   authentication provided email.
- `DISABLE_GIT_HOOKS`: **false**: Set to `true` to prevent all users (including admin) from creating custom
-   git hooks.
+- `REVERSE_PROXY_LIMIT`: **1**: Interpret X-Forwarded-For header or the X-Real-IP header and set this as the remote IP for the request.
+   Number of trusted proxy count. Set to zero to not use these headers.
+- `REVERSE_PROXY_TRUSTED_PROXIES`: **127.0.0.0/8,::1/128**: List of IP addresses and networks separated by comma of trusted proxy servers. Use `*` to trust all.
+- `DISABLE_GIT_HOOKS`: **true**: Set to `false` to enable users with git hook privilege to create custom git hooks.
+   WARNING: Custom git hooks can be used to perform arbitrary code execution on the host operating system.
+   This enables the users to access and modify this config file and the Gitea database and interrupt the Gitea service.
+   By modifying the Gitea database, users can gain Gitea administrator privileges.
+   It also enables them to access other resources available to the user on the operating system that is running the
+   Gitea instance and perform arbitrary actions in the name of the Gitea OS user.
+   This maybe harmful to you website or your operating system.
+- `DISABLE_WEBHOOKS`: **false**: Set to `true` to disable webhooks feature.
 - `ONLY_ALLOW_PUSH_IF_GITEA_ENVIRONMENT_SET`: **true**: Set to `false` to allow local users to push to gitea-repositories without setting up the Gitea environment. This is not recommended and if you want local users to push to gitea repositories you should set the environment appropriately.
 - `IMPORT_LOCAL_PATHS`: **false**: Set to `false` to prevent all users (including admin) from importing local path on server.
 - `INTERNAL_TOKEN`: **\<random at every install if no uri set\>**: Secret used to validate communication within Gitea binary.
 - `INTERNAL_TOKEN_URI`: **<empty>**: Instead of defining internal token in the configuration, this configuration option can be used to give Gitea a path to a file that contains the internal token (example value: `file:/etc/gitea/internal_token`)
- `PASSWORD_HASH_ALGO`: **pbkdf2**: The hash algorithm to use \[pbkdf2, argon2, scrypt, bcrypt\].
+- `PASSWORD_HASH_ALGO`: **pbkdf2**: The hash algorithm to use \[argon2, pbkdf2, scrypt, bcrypt\], argon2 will spend more memory than others.
 - `CSRF_COOKIE_HTTP_ONLY`: **true**: Set false to allow JavaScript to read CSRF cookie.
- `PASSWORD_COMPLEXITY`: **lower,upper,digit,spec**: Comma separated list of character classes required to pass minimum complexity. If left empty or no valid values are specified, the default values will be used. Possible values are: 
+- `MIN_PASSWORD_LENGTH`: **6**: Minimum password length for new users.
+- `PASSWORD_COMPLEXITY`: **off**: Comma separated list of character classes required to pass minimum complexity. If left empty or no valid values are specified, checking is disabled (off):
    - lower - use one or more lower latin characters
    - upper - use one or more upper latin characters
    - digit - use one or more digits
    - spec - use one or more special characters as ``!"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~``
    - off - do not check password complexity
+- `PASSWORD_CHECK_PWN`: **false**: Check [HaveIBeenPwned](https://haveibeenpwned.com/Passwords) to see if a password has been exposed.

 ## OpenID (`openid`)

@@ -333,6 +450,21 @@ set name for unique queues. Individual queues will default to
 - `BLACKLISTED_URIS`: **\<empty\>**: If non-empty, list of POSIX regex patterns matching
   OpenID URI's to block.

+## OAuth2 Client (`oauth2_client`)
+
+- `REGISTER_EMAIL_CONFIRM`: *[service]* **REGISTER\_EMAIL\_CONFIRM**: Set this to enable or disable email confirmation of OAuth2 auto-registration. (Overwrites the REGISTER\_EMAIL\_CONFIRM setting of the `[service]` section)
+- `OPENID_CONNECT_SCOPES`: **\<empty\>**: List of additional openid connect scopes. (`openid` is implicitly added)
+- `ENABLE_AUTO_REGISTRATION`: **false**: Automatically create user accounts for new oauth2 users.
+- `USERNAME`: **nickname**: The source of the username for new oauth2 accounts:
+    - userid - use the userid / sub attribute
+    - nickname - use the nickname attribute
+    - email - use the username part of the email attribute
+- `UPDATE_AVATAR`: **false**: Update avatar if available from oauth2 provider. Update will be performed on each login.
+- `ACCOUNT_LINKING`: **login**: How to handle if an account / email already exists:
+    - disabled - show an error
+    - login - show an account linking login
+    - auto - automatically link with the account (Please be aware that this will grant access to an existing account just because the same username or email is provided. You must make sure that this does not cause issues with your authentication providers.)
+
 ## Service (`service`)

 - `ACTIVE_CODE_LIVE_MINUTES`: **180**: Time limit (min) to confirm account/email registration.
@@ -340,6 +472,8 @@ set name for unique queues. Individual queues will default to
   process.
 - `REGISTER_EMAIL_CONFIRM`: **false**: Enable this to ask for mail confirmation of registration.
   Requires `Mailer` to be enabled.
+- `REGISTER_MANUAL_CONFIRM`: **false**: Enable this to manually confirm new registrations.
+   Requires `REGISTER_EMAIL_CONFIRM` to be disabled.
 - `DISABLE_REGISTRATION`: **false**: Disable registration, after which only admin can create
   accounts for users.
 - `REQUIRE_EXTERNAL_REGISTRATION_PASSWORD`: **false**: Enable this to force externally created
@@ -360,24 +494,52 @@ set name for unique queues. Individual queues will default to
 - `ENABLE_CAPTCHA`: **false**: Enable this to use captcha validation for registration.
 - `REQUIRE_EXTERNAL_REGISTRATION_CAPTCHA`: **false**: Enable this to force captcha validation
   even for External Accounts (i.e. GitHub, OpenID Connect, etc). You must `ENABLE_CAPTCHA` also.
- `CAPTCHA_TYPE`: **image**: \[image, recaptcha\]
+- `CAPTCHA_TYPE`: **image**: \[image, recaptcha, hcaptcha\]
 - `RECAPTCHA_SECRET`: **""**: Go to https://www.google.com/recaptcha/admin to get a secret for recaptcha.
 - `RECAPTCHA_SITEKEY`: **""**: Go to https://www.google.com/recaptcha/admin to get a sitekey for recaptcha.
 - `RECAPTCHA_URL`: **https://www.google.com/recaptcha/**: Set the recaptcha url - allows the use of recaptcha net.
+- `HCAPTCHA_SECRET`: **""**: Sign up at https://www.hcaptcha.com/ to get a secret for hcaptcha.
+- `HCAPTCHA_SITEKEY`: **""**: Sign up at https://www.hcaptcha.com/ to get a sitekey for hcaptcha.
+- `DEFAULT_KEEP_EMAIL_PRIVATE`: **false**: By default set users to keep their email address private.
+- `DEFAULT_ALLOW_CREATE_ORGANIZATION`: **true**: Allow new users to create organizations by default.
 - `DEFAULT_ENABLE_DEPENDENCIES`: **true**: Enable this to have dependencies enabled by default.
 - `ALLOW_CROSS_REPOSITORY_DEPENDENCIES` : **true** Enable this to allow dependencies on issues from any repository where the user is granted access.
 - `ENABLE_USER_HEATMAP`: **true**: Enable this to display the heatmap on users profiles.
+- `ENABLE_TIMETRACKING`: **true**: Enable Timetracking feature.
+- `DEFAULT_ENABLE_TIMETRACKING`: **true**: Allow repositories to use timetracking by deault.
+- `DEFAULT_ALLOW_ONLY_CONTRIBUTORS_TO_TRACK_TIME`: **true**: Only allow users with write permissions to track time.
 - `EMAIL_DOMAIN_WHITELIST`: **\<empty\>**: If non-empty, list of domain names that can only be used to register
  on this instance.
+- `EMAIL_DOMAIN_BLOCKLIST`: **\<empty\>**: If non-empty, list of domain names that cannot be used to register on this instance
 - `SHOW_REGISTRATION_BUTTON`: **! DISABLE\_REGISTRATION**: Show Registration Button
 - `SHOW_MILESTONES_DASHBOARD_PAGE`: **true** Enable this to show the milestones dashboard page - a view of all the user's milestones
 - `AUTO_WATCH_NEW_REPOS`: **true**: Enable this to let all organisation users watch new repos when they are created
 - `AUTO_WATCH_ON_CHANGES`: **false**: Enable this to make users watch a repository after their first commit to it
+- `DEFAULT_USER_VISIBILITY`: **public**: Set default visibility mode for users, either "public", "limited" or "private".
+- `ALLOWED_USER_VISIBILITY_MODES`: **public,limited,private**: Set which visibility modes a user can have
 - `DEFAULT_ORG_VISIBILITY`: **public**: Set default visibility mode for organisations, either "public", "limited" or "private".
 - `DEFAULT_ORG_MEMBER_VISIBLE`: **false** True will make the membership of the users visible when added to the organisation.
+- `ALLOW_ONLY_INTERNAL_REGISTRATION`: **false** Set to true to force registration only via gitea.
 - `ALLOW_ONLY_EXTERNAL_REGISTRATION`: **false** Set to true to force registration only using third-party services.
- `NO_REPLY_ADDRESS`: **DOMAIN** Default value for the domain part of the user's email address in the git log if he has set KeepEmailPrivate to true. 
+- `NO_REPLY_ADDRESS`: **noreply.DOMAIN** Value for the domain part of the user's email address in the git log if user has set KeepEmailPrivate to true. DOMAIN resolves to the value in server.DOMAIN.
  The user's email will be replaced with a concatenation of the user name in lower case, "@" and NO_REPLY_ADDRESS.
+- `USER_DELETE_WITH_COMMENTS_MAX_TIME`: **0** Minimum amount of time a user must exist before comments are kept when the user is deleted.
+- `VALID_SITE_URL_SCHEMES`: **http, https**: Valid site url schemes for user profiles
+
+### Service - Expore (`service.explore`)
+
+- `REQUIRE_SIGNIN_VIEW`: **false**: Only allow signed in users to view the explore pages.
+- `DISABLE_USERS_PAGE`: **false**: Disable the users explore page.
+
+
+## SSH Minimum Key Sizes (`ssh.minimum_key_sizes`)
+
+Define allowed algorithms and their minimum key length (use -1 to disable a type):
+
+- `ED25519`: **256**
+- `ECDSA`: **256**
+- `RSA`: **2048**
+- `DSA`: **-1**: DSA is now disabled by default. Set to **1024** to re-enable but ensure you may need to reconfigure your SSHD provider

 ## Webhook (`webhook`)

@@ -394,12 +556,22 @@ set name for unique queues. Individual queues will default to
 - `DISABLE_HELO`: **\<empty\>**: Disable HELO operation.
 - `HELO_HOSTNAME`: **\<empty\>**: Custom hostname for HELO operation.
 - `HOST`: **\<empty\>**: SMTP mail host address and port (example: smtp.gitea.io:587).
+  - As per RFC 8314, if supported, Implicit TLS/SMTPS on port 465 is recommended, otherwise opportunistic TLS via STARTTLS on port 587 should be used.
+- `IS_TLS_ENABLED` :  **false** : Forcibly use TLS to connect even if not on a default SMTPS port.
+  - Note, if the port ends with `465` Implicit TLS/SMTPS/SMTP over TLS will be used despite this setting.
+  - Otherwise if `IS_TLS_ENABLED=false` and the server supports `STARTTLS` this will be used. Thus if `STARTTLS` is preferred you should set `IS_TLS_ENABLED=false`.
 - `FROM`: **\<empty\>**: Mail from address, RFC 5322. This can be just an email address, or
   the "Name" \<email@example.com\> format.
 - `USER`: **\<empty\>**: Username of mailing user (usually the sender's e-mail address).
 - `PASSWD`: **\<empty\>**: Password of mailing user.  Use \`your password\` for quoting if you use special characters in the password.
- `SKIP_VERIFY`: **\<empty\>**: Do not verify the self-signed certificates.
+   - Please note: authentication is only supported when the SMTP server communication is encrypted with TLS (this can be via `STARTTLS`) or `HOST=localhost`. See [Email Setup]({{< relref "doc/usage/email-setup.en-us.md" >}}) for more information.
+- `SEND_AS_PLAIN_TEXT`: **false**: Send mails as plain text.
+- `SKIP_VERIFY`: **false**: Whether or not to skip verification of certificates; `true` to disable verification.
+   - **Warning:** This option is unsafe. Consider adding the certificate to the system trust store instead.
   - **Note:** Gitea only supports SMTP with STARTTLS.
+- `USE_CERTIFICATE`: **false**: Use client certificate.
+- `CERT_FILE`: **custom/mailer/cert.pem**
+- `KEY_FILE`: **custom/mailer/key.pem**
 - `SUBJECT_PREFIX`: **\<empty\>**: Prefix to be placed before e-mail subject lines.
 - `MAILER_TYPE`: **smtp**: \[smtp, sendmail, dummy\]
   - **smtp** Use SMTP to send mail
@@ -411,17 +583,19 @@ set name for unique queues. Individual queues will default to
   - Enabling dummy will ignore all settings except `ENABLED`, `SUBJECT_PREFIX` and `FROM`.
 - `SENDMAIL_PATH`: **sendmail**: The location of sendmail on the operating system (can be
   command or full path).
+- `SENDMAIL_ARGS`: **_empty_**: Specify any extra sendmail arguments.
 - `SENDMAIL_TIMEOUT`: **5m**: default timeout for sending email through sendmail
- ``IS_TLS_ENABLED`` :  **false** : Decide if SMTP connections should use TLS.
+- `SEND_BUFFER_LEN`: **100**: Buffer length of mailing queue.

 ## Cache (`cache`)

 - `ENABLED`: **true**: Enable the cache.
- `ADAPTER`: **memory**: Cache engine adapter, either `memory`, `redis`, or `memcache`.
- `INTERVAL`: **60**: Garbage Collection interval (sec), for memory cache only.
- `HOST`: **\<empty\>**: Connection string for `redis` and `memcache`.
-   - Redis: `network=tcp,addr=127.0.0.1:6379,password=macaron,db=0,pool_size=100,idle_timeout=180`
+- `ADAPTER`: **memory**: Cache engine adapter, either `memory`, `redis`, `twoqueue` or `memcache`. (`twoqueue` represents a size limited LRU cache.)
+- `INTERVAL`: **60**: Garbage Collection interval (sec), for memory and twoqueue cache only.
+- `HOST`: **\<empty\>**: Connection string for `redis` and `memcache`. For `twoqueue` sets configuration for the queue.
+   - Redis: `redis://:macaron@127.0.0.1:6379/0?pool_size=100&idle_timeout=180s`
   - Memcache: `127.0.0.1:9090;127.0.0.1:9091`
+   - TwoQueue LRU cache: `{"size":50000,"recent_ratio":0.25,"ghost_ratio":0.5}` or `50000` representing the maximum number of objects stored in the cache.
 - `ITEM_TTL`: **16h**: Time to keep items in cache if not used, Setting it to 0 disables caching.

 ## Cache - LastCommitCache settings (`cache.last_commit`)
@@ -432,11 +606,14 @@ set name for unique queues. Individual queues will default to

 ## Session (`session`)

- `PROVIDER`: **memory**: Session engine provider \[memory, file, redis, mysql, couchbase, memcache, nodb, postgres\].
- `PROVIDER_CONFIG`: **data/sessions**: For file, the root path; for others, the connection string.
+- `PROVIDER`: **memory**: Session engine provider \[memory, file, redis, db, mysql, couchbase, memcache, postgres\].
+- `PROVIDER_CONFIG`: **data/sessions**: For file, the root path; for db, empty (database config will be used); for others, the connection string.
 - `COOKIE_SECURE`: **false**: Enable this to force using HTTPS for all session access.
 - `COOKIE_NAME`: **i\_like\_gitea**: The name of the cookie used for the session ID.
 - `GC_INTERVAL_TIME`: **86400**: GC interval in seconds.
+- `SESSION_LIFE_TIME`: **86400**: Session life time in seconds, default is 86400 (1 day)
+- `DOMAIN`: **\<empty\>**: Sets the cookie Domain
+- `SAME_SITE`: **lax** \[strict, lax, none\]: Set the SameSite setting for the cookie.

 ## Picture (`picture`)

@@ -445,25 +622,45 @@ set name for unique queues. Individual queues will default to
 - `DISABLE_GRAVATAR`: **false**: Enable this to use local avatars only.
 - `ENABLE_FEDERATED_AVATAR`: **false**: Enable support for federated avatars (see
   [http://www.libravatar.org](http://www.libravatar.org)).
+
+- `AVATAR_STORAGE_TYPE`: **default**: Storage type defined in `[storage.xxx]`. Default is `default` which will read `[storage]` if no section `[storage]` will be a type `local`.
 - `AVATAR_UPLOAD_PATH`: **data/avatars**: Path to store user avatar image files.
- `REPOSITORY_AVATAR_UPLOAD_PATH`: **data/repo-avatars**: Path to store repository avatar image files.
- `REPOSITORY_AVATAR_FALLBACK`: **none**: How Gitea deals with missing repository avatars
-  - none = no avatar will be displayed
-  - random = random avatar will be generated
-  - image = default image will be used (which is set in `REPOSITORY_AVATAR_DEFAULT_IMAGE`)
- `REPOSITORY_AVATAR_FALLBACK_IMAGE`: **/img/repo_default.png**: Image used as default repository avatar (if `REPOSITORY_AVATAR_FALLBACK` is set to image and none was uploaded)
 - `AVATAR_MAX_WIDTH`: **4096**: Maximum avatar image width in pixels.
 - `AVATAR_MAX_HEIGHT`: **3072**: Maximum avatar image height in pixels.
 - `AVATAR_MAX_FILE_SIZE`: **1048576** (1Mb): Maximum avatar image file size in bytes.

-## Attachment (`attachment`)
+- `REPOSITORY_AVATAR_STORAGE_TYPE`: **default**: Storage type defined in `[storage.xxx]`. Default is `default` which will read `[storage]` if no section `[storage]` will be a type `local`.
+- `REPOSITORY_AVATAR_UPLOAD_PATH`: **data/repo-avatars**: Path to store repository avatar image files.
+- `REPOSITORY_AVATAR_FALLBACK`: **none**: How Gitea deals with missing repository avatars
+  - none = no avatar will be displayed
+  - random = random avatar will be generated
+  - image = default image will be used (which is set in `REPOSITORY_AVATAR_FALLBACK_IMAGE`)
+- `REPOSITORY_AVATAR_FALLBACK_IMAGE`: **/img/repo_default.png**: Image used as default repository avatar (if `REPOSITORY_AVATAR_FALLBACK` is set to image and none was uploaded)

- `ENABLED`: **true**: Enable this to allow uploading attachments.
- `PATH`: **data/attachments**: Path to store attachments.
- `ALLOWED_TYPES`: **see app.ini.sample**: Allowed MIME types, e.g. `image/jpeg|image/png`.
-   Use `*/*` for all types.
+
+## Project (`project`)
+
+Default templates for project boards:
+
+- `PROJECT_BOARD_BASIC_KANBAN_TYPE`: **To Do, In Progress, Done**
+- `PROJECT_BOARD_BUG_TRIAGE_TYPE`: **Needs Triage, High Priority, Low Priority, Closed**
+
+## Issue and pull request attachments (`attachment`)
+
+- `ENABLED`: **true**: Whether issue and pull request attachments are enabled.
+- `ALLOWED_TYPES`: **.docx,.gif,.gz,.jpeg,.jpg,.log,.pdf,.png,.pptx,.txt,.xlsx,.zip**: Comma-separated list of allowed file extensions (`.zip`), mime types (`text/plain`) or wildcard type (`image/*`, `audio/*`, `video/*`). Empty value or `*/*` allows all types.
 - `MAX_SIZE`: **4**: Maximum size (MB).
 - `MAX_FILES`: **5**: Maximum number of attachments that can be uploaded at once.
+- `STORAGE_TYPE`: **local**: Storage type for attachments, `local` for local disk or `minio` for s3 compatible object storage service, default is `local` or other name defined with `[storage.xxx]`
+- `SERVE_DIRECT`: **false**: Allows the storage driver to redirect to authenticated URLs to serve files directly. Currently, only Minio/S3 is supported via signed URLs, local does nothing.
+- `PATH`: **data/attachments**: Path to store attachments only available when STORAGE_TYPE is `local`
+- `MINIO_ENDPOINT`: **localhost:9000**: Minio endpoint to connect only available when STORAGE_TYPE is `minio`
+- `MINIO_ACCESS_KEY_ID`: Minio accessKeyID to connect only available when STORAGE_TYPE is `minio`
+- `MINIO_SECRET_ACCESS_KEY`: Minio secretAccessKey to connect only available when STORAGE_TYPE is `minio`
+- `MINIO_BUCKET`: **gitea**: Minio bucket to store the attachments only available when STORAGE_TYPE is `minio`
+- `MINIO_LOCATION`: **us-east-1**: Minio location to create bucket only available when STORAGE_TYPE is `minio`
+- `MINIO_BASE_PATH`: **attachments/**: Minio base path on the bucket only available when STORAGE_TYPE is `minio`
+- `MINIO_USE_SSL`: **false**: Minio enabled ssl only available when STORAGE_TYPE is `minio`

 ## Log (`log`)

@@ -471,16 +668,15 @@ set name for unique queues. Individual queues will default to
 - `MODE`: **console**: Logging mode. For multiple modes, use a comma to separate values. You can configure each mode in per mode log subsections `\[log.modename\]`. By default the file mode will log to `$ROOT_PATH/gitea.log`.
 - `LEVEL`: **Info**: General log level. \[Trace, Debug, Info, Warn, Error, Critical, Fatal, None\]
 - `STACKTRACE_LEVEL`: **None**: Default log level at which to log create stack traces. \[Trace, Debug, Info, Warn, Error, Critical, Fatal, None\]
- `REDIRECT_MACARON_LOG`: **false**: Redirects the Macaron log to its own logger or the default logger.
- `MACARON`: **file**: Logging mode for the macaron logger, use a comma to separate values. Configure each mode in per mode log subsections `\[log.modename.macaron\]`. By default the file mode will log to `$ROOT_PATH/macaron.log`. (If you set this to `,` it will log to default gitea logger.)
 - `ROUTER_LOG_LEVEL`: **Info**: The log level that the router should log at. (If you are setting the access log, its recommended to place this at Debug.)
 - `ROUTER`: **console**: The mode or name of the log the router should log to. (If you set this to `,` it will log to default gitea logger.)
-NB: You must `REDIRECT_MACARON_LOG` and have `DISABLE_ROUTER_LOG` set to `false` for this option to take effect. Configure each mode in per mode log subsections `\[log.modename.router\]`.
+NB: You must have `DISABLE_ROUTER_LOG` set to `false` for this option to take effect. Configure each mode in per mode log subsections `\[log.modename.router\]`.
 - `ENABLE_ACCESS_LOG`: **false**: Creates an access.log in NCSA common log format, or as per the following template
+- `ENABLE_SSH_LOG`: **false**: save ssh log to log file
 - `ACCESS`: **file**: Logging mode for the access logger, use a comma to separate values. Configure each mode in per mode log subsections `\[log.modename.access\]`. By default the file mode will log to `$ROOT_PATH/access.log`. (If you set this to `,` it will log to the default gitea logger.)
 - `ACCESS_LOG_TEMPLATE`: **`{{.Ctx.RemoteAddr}} - {{.Identity}} {{.Start.Format "[02/Jan/2006:15:04:05 -0700]" }} "{{.Ctx.Req.Method}} {{.Ctx.Req.URL.RequestURI}} {{.Ctx.Req.Proto}}" {{.ResponseWriter.Status}} {{.ResponseWriter.Size}} "{{.Ctx.Req.Referer}}\" \"{{.Ctx.Req.UserAgent}}"`**: Sets the template used to create the access log.
  - The following variables are available:
-  - `Ctx`: the `macaron.Context` of the request.
+  - `Ctx`: the `context.Context` of the request.
  - `Identity`: the SignedUserName or `"-"` if not logged in.
  - `Start`: the start time of the request.
  - `ResponseWriter`: the responseWriter from the request.
@@ -529,47 +725,121 @@ NB: You must `REDIRECT_MACARON_LOG` and have `DISABLE_ROUTER_LOG` set to `false`

 ## Cron (`cron`)

- `ENABLED`: **true**: Run cron tasks periodically.
+- `ENABLED`: **false**: Enable to run all cron tasks periodically with default settings.
 - `RUN_AT_START`: **false**: Run cron tasks at application start-up.
+- `NO_SUCCESS_NOTICE`: **false**: Set to true to switch off success notices.

-### Cron - Cleanup old repository archives (`cron.archive_cleanup`)
+- `SCHEDULE` accept formats
+   - Full crontab specs, e.g. `* * * * * ?`
+   - Descriptors, e.g. `@midnight`, `@every 1h30m` ...
+   - See more: [cron decument](https://pkg.go.dev/github.com/gogs/cron@v0.0.0-20171120032916-9f6c956d3e14)
+
+### Basic cron tasks - enabled by default
+
+#### Cron - Cleanup old repository archives (`cron.archive_cleanup`)

 - `ENABLED`: **true**: Enable service.
 - `RUN_AT_START`: **true**: Run tasks at start up time (if ENABLED).
 - `SCHEDULE`: **@every 24h**: Cron syntax for scheduling repository archive cleanup, e.g. `@every 1h`.
 - `OLDER_THAN`: **24h**: Archives created more than `OLDER_THAN` ago are subject to deletion, e.g. `12h`.

-### Cron - Update Mirrors (`cron.update_mirrors`)
+#### Cron - Update Mirrors (`cron.update_mirrors`)

 - `SCHEDULE`: **@every 10m**: Cron syntax for scheduling update mirrors, e.g. `@every 3h`.
+- `NO_SUCCESS_NOTICE`: **true**: The cron task for update mirrors success report is not very useful - as it just means that the mirrors have been queued. Therefore this is turned off by default.

-### Cron - Repository Health Check (`cron.repo_health_check`)
+#### Cron - Repository Health Check (`cron.repo_health_check`)

 - `SCHEDULE`: **@every 24h**: Cron syntax for scheduling repository health check.
 - `TIMEOUT`: **60s**: Time duration syntax for health check execution timeout.
 - `ARGS`: **\<empty\>**: Arguments for command `git fsck`, e.g. `--unreachable --tags`. See more on http://git-scm.com/docs/git-fsck

-### Cron - Repository Statistics Check (`cron.check_repo_stats`)
+#### Cron - Repository Statistics Check (`cron.check_repo_stats`)

 - `RUN_AT_START`: **true**: Run repository statistics check at start time.
 - `SCHEDULE`: **@every 24h**: Cron syntax for scheduling repository statistics check.

-### Cron - Update Migration Poster ID (`cron.update_migration_poster_id`)
+### Cron - Cleanup hook_task Table (`cron.cleanup_hook_task_table`)
+
+- `ENABLED`: **true**: Enable cleanup hook_task job.
+- `RUN_AT_START`: **false**: Run cleanup hook_task at start time (if ENABLED).
+- `SCHEDULE`: **@every 24h**: Cron syntax for cleaning hook_task table.
+- `CLEANUP_TYPE` **OlderThan** OlderThan or PerWebhook Method to cleanup hook_task, either by age (i.e. how long ago hook_task record was delivered) or by the number to keep per webhook (i.e. keep most recent x deliveries per webhook).
+- `OLDER_THAN`: **168h**: If CLEANUP_TYPE is set to OlderThan, then any delivered hook_task records older than this expression will be deleted.
+- `NUMBER_TO_KEEP`: **10**: If CLEANUP_TYPE is set to PerWebhook, this is number of hook_task records to keep for a webhook (i.e. keep the most recent x deliveries).
+
+#### Cron - Update Migration Poster ID (`cron.update_migration_poster_id`)

 - `SCHEDULE`: **@every 24h** : Interval as a duration between each synchronization, it will always attempt synchronization when the instance starts.

+#### Cron - Sync External Users (`cron.sync_external_users`)
+
+- `SCHEDULE`: **@every 24h** : Interval as a duration between each synchronization, it will always attempt synchronization when the instance starts.
+- `UPDATE_EXISTING`: **true**: Create new users, update existing user data and disable users that are not in external source anymore (default) or only create new users if UPDATE_EXISTING is set to false.
+
+### Extended cron tasks (not enabled by default)
+
+#### Cron - Garbage collect all repositories ('cron.git_gc_repos')
+- `ENABLED`: **false**: Enable service.
+- `RUN_AT_START`: **false**: Run tasks at start up time (if ENABLED).
+- `SCHEDULE`: **@every 72h**: Cron syntax for scheduling repository archive cleanup, e.g. `@every 1h`.
+- `TIMEOUT`: **60s**: Time duration syntax for garbage collection execution timeout.
+- `NO_SUCCESS_NOTICE`: **false**: Set to true to switch off success notices.
+- `ARGS`: **\<empty\>**: Arguments for command `git gc`, e.g. `--aggressive --auto`. The default value is same with [git] -> GC_ARGS
+
+#### Cron - Update the '.ssh/authorized_keys' file with Gitea SSH keys ('cron.resync_all_sshkeys')
+- `ENABLED`: **false**: Enable service.
+- `RUN_AT_START`: **false**: Run tasks at start up time (if ENABLED).
+- `NO_SUCCESS_NOTICE`: **false**: Set to true to switch off success notices.
+- `SCHEDULE`: **@every 72h**: Cron syntax for scheduling repository archive cleanup, e.g. `@every 1h`.
+
+#### Cron - Resynchronize pre-receive, update and post-receive hooks of all repositories ('cron.resync_all_hooks')
+- `ENABLED`: **false**: Enable service.
+- `RUN_AT_START`: **false**: Run tasks at start up time (if ENABLED).
+- `NO_SUCCESS_NOTICE`: **false**: Set to true to switch off success notices.
+- `SCHEDULE`: **@every 72h**: Cron syntax for scheduling repository archive cleanup, e.g. `@every 1h`.
+
+#### Cron - Reinitialize all missing Git repositories for which records exist ('cron.reinit_missing_repos')
+- `ENABLED`: **false**: Enable service.
+- `RUN_AT_START`: **false**: Run tasks at start up time (if ENABLED).
+- `NO_SUCCESS_NOTICE`: **false**: Set to true to switch off success notices.
+- `SCHEDULE`: **@every 72h**: Cron syntax for scheduling repository archive cleanup, e.g. `@every 1h`.
+
+#### Cron - Delete all repositories missing their Git files ('cron.delete_missing_repos')
+- `ENABLED`: **false**: Enable service.
+- `RUN_AT_START`: **false**: Run tasks at start up time (if ENABLED).
+- `NO_SUCCESS_NOTICE`: **false**: Set to true to switch off success notices.
+- `SCHEDULE`: **@every 72h**: Cron syntax for scheduling repository archive cleanup, e.g. `@every 1h`.
+
+#### Cron -  Delete generated repository avatars ('cron.delete_generated_repository_avatars')
+- `ENABLED`: **false**: Enable service.
+- `RUN_AT_START`: **false**: Run tasks at start up time (if ENABLED).
+- `NO_SUCCESS_NOTICE`: **false**: Set to true to switch off success notices.
+- `SCHEDULE`: **@every 72h**: Cron syntax for scheduling repository archive cleanup, e.g. `@every 1h`.
+
+#### Cron -  Delete all old actions from database ('cron.delete_old_actions')
+- `ENABLED`: **false**: Enable service.
+- `RUN_AT_START`: **false**: Run tasks at start up time (if ENABLED).
+- `NO_SUCCESS_NOTICE`: **false**: Set to true to switch off success notices.
+- `SCHEDULE`: **@every 128h**: Cron syntax for scheduling a work, e.g. `@every 128h`.
+- `OLDER_THAN`: **@every 8760h**: any action older than this expression will be deleted from database, suggest using `8760h` (1 year) because that's the max length of heatmap.
+
 ## Git (`git`)

 - `PATH`: **""**: The path of git executable. If empty, Gitea searches through the PATH environment.
- `MAX_GIT_DIFF_LINES`: **100**: Max number of lines allowed of a single file in diff view.
+- `DISABLE_DIFF_HIGHLIGHT`: **false**: Disables highlight of added and removed changes.
+- `MAX_GIT_DIFF_LINES`: **1000**: Max number of lines allowed of a single file in diff view.
 - `MAX_GIT_DIFF_LINE_CHARACTERS`: **5000**: Max character count per line highlighted in diff view.
 - `MAX_GIT_DIFF_FILES`: **100**: Max number of files shown in diff view.
+- `COMMITS_RANGE_SIZE`: **50**: Set the default commits range size
+- `BRANCHES_RANGE_SIZE`: **20**: Set the default branches range size
 - `GC_ARGS`: **\<empty\>**: Arguments for command `git gc`, e.g. `--aggressive --auto`. See more on http://git-scm.com/docs/git-gc/
 - `ENABLE_AUTO_GIT_WIRE_PROTOCOL`: **true**: If use git wire protocol version 2 when git version >= 2.18, default is true, set to false when you always want git wire protocol version 1
 - `PULL_REQUEST_PUSH_MESSAGE`: **true**: Respond to pushes to a non-default branch with a URL for creating a Pull Request (if the repository has them enabled)
 - `VERBOSE_PUSH`: **true**: Print status information about pushes as they are being processed.
 - `VERBOSE_PUSH_DELAY`: **5s**: Only print verbose information if push takes longer than this delay.
-
+- `LARGE_OBJECT_THRESHOLD`: **1048576**: (Go-Git only), don't cache objects greater than this in memory. (Set to 0 to disable.)
+- `DISABLE_CORE_PROTECT_NTFS`: **false** Set to true to forcibly set `core.protectNTFS` to false.
 ## Git - Timeout settings (`git.timeout`)
 - `DEFAUlT`: **360**: Git operations default timeout seconds.
 - `MIGRATE`: **600**: Migrate external repositories timeout seconds.
@@ -595,40 +865,17 @@ NB: You must `REDIRECT_MACARON_LOG` and have `DISABLE_ROUTER_LOG` set to `false`

 - `ENABLE`: **true**: Enables OAuth2 provider.
 - `ACCESS_TOKEN_EXPIRATION_TIME`: **3600**: Lifetime of an OAuth2 access token in seconds
- `REFRESH_TOKEN_EXPIRATION_TIME`: **730**: Lifetime of an OAuth2 access token in hours
- `INVALIDATE_REFRESH_TOKEN`: **false**: Check if refresh token got already used
- `JWT_SECRET`: **\<empty\>**: OAuth2 authentication secret for access and refresh tokens, change this a unique string.
+- `REFRESH_TOKEN_EXPIRATION_TIME`: **730**: Lifetime of an OAuth2 refresh token in hours
+- `INVALIDATE_REFRESH_TOKENS`: **false**: Check if refresh token has already been used
+- `JWT_SIGNING_ALGORITHM`: **RS256**: Algorithm used to sign OAuth2 tokens. Valid values: \[`HS256`, `HS384`, `HS512`, `RS256`, `RS384`, `RS512`, `ES256`, `ES384`, `ES512`\]
+- `JWT_SECRET`: **\<empty\>**: OAuth2 authentication secret for access and refresh tokens, change this to a unique string. This setting is only needed if `JWT_SIGNING_ALGORITHM` is set to `HS256`, `HS384` or `HS512`.
+- `JWT_SIGNING_PRIVATE_KEY_FILE`: **jwt/private.pem**: Private key file path used to sign OAuth2 tokens. The path is relative to `APP_DATA_PATH`. This setting is only needed if `JWT_SIGNING_ALGORITHM` is set to `RS256`, `RS384`, `RS512`, `ES256`, `ES384` or `ES512`. The file must contain a RSA or ECDSA private key in the PKCS8 format. If no key exists a 4096 bit key will be created for you.
 - `MAX_TOKEN_LENGTH`: **32767**: Maximum length of token/cookie to accept from OAuth2 provider

 ## i18n (`i18n`)

- `LANGS`: **en-US,zh-CN,zh-HK,zh-TW,de-DE,fr-FR,nl-NL,lv-LV,ru-RU,ja-JP,es-ES,pt-BR,pl-PL,bg-BG,it-IT,fi-FI,tr-TR,cs-CZ,sr-SP,sv-SE,ko-KR**: List of locales shown in language selector
- `NAMES`: **English,简体中文,繁體中文（香港）,繁體中文（台灣）,Deutsch,français,Nederlands,latviešu,русский,日本語,español,português do Brasil,polski,български,italiano,suomi,Türkçe,čeština,српски,svenska,한국어**: Visible names corresponding to the locales
-
-### i18n - Datepicker Language (`i18n.datelang`)
-Maps locales to the languages used by the datepicker plugin
-
- `en-US`: **en**
- `zh-CN`: **zh**
- `zh-HK`: **zh-HK**
- `zh-TW`: **zh-TW**
- `de-DE`: **de**
- `fr-FR`: **fr**
- `nl-NL`: **nl**
- `lv-LV`: **lv**
- `ru-RU`: **ru**
- `ja-JP`: **ja**
- `es-ES`: **es**
- `pt-BR`: **pt-BR**
- `pl-PL`: **pl**
- `bg-BG`: **bg**
- `it-IT`: **it**
- `fi-FI`: **fi**
- `tr-TR`: **tr**
- `cs-CZ`: **cs-CZ**
- `sr-SP`: **sr**
- `sv-SE`: **sv**
- `ko-KR`: **ko**
+- `LANGS`: **en-US,zh-CN,zh-HK,zh-TW,de-DE,fr-FR,nl-NL,lv-LV,ru-RU,ja-JP,es-ES,pt-BR,pt-PT,pl-PL,bg-BG,it-IT,fi-FI,tr-TR,cs-CZ,sr-SP,sv-SE,ko-KR**: List of locales shown in language selector
+- `NAMES`: **English,简体中文,繁體中文（香港）,繁體中文（台灣）,Deutsch,français,Nederlands,latviešu,русский,日本語,español,português do Brasil,Português de Portugal,polski,български,italiano,suomi,Türkçe,čeština,српски,svenska,한국어**: Visible names corresponding to the locales

 ## U2F (`U2F`)
 - `APP_ID`: **`ROOT_URL`**: Declares the facet of the application. Requires HTTPS.
@@ -641,14 +888,16 @@ Gitea can support Markup using external tools. The example below will add a mark
 ```ini
 [markup.asciidoc]
 ENABLED = true
+NEED_POSTPROCESS = true
 FILE_EXTENSIONS = .adoc,.asciidoc
 RENDER_COMMAND = "asciidoc --out-file=- -"
 IS_INPUT_FILE = false
 ```

 - ENABLED: **false** Enable markup support; set to **true** to enable this renderer.
+- NEED\_POSTPROCESS: **true** set to **true** to replace links / sha1 and etc.
 - FILE\_EXTENSIONS: **\<empty\>** List of file extensions that should be rendered by an external
-   command. Multiple extentions needs a comma as splitter.
+   command. Multiple extensions needs a comma as splitter.
 - RENDER\_COMMAND: External command to render all matching extensions.
 - IS\_INPUT\_FILE: **false** Input is not a standard input but a file param followed `RENDER_COMMAND`.

@@ -666,17 +915,21 @@ Gitea supports customizing the sanitization policy for rendered HTML. The exampl
 ELEMENT = span
 ALLOW_ATTR = class
 REGEXP = ^\s*((math(\s+|$)|inline(\s+|$)|display(\s+|$)))+
+ALLOW_DATA_URI_IMAGES = true
 ```

 - `ELEMENT`: The element this policy applies to. Must be non-empty.
 - `ALLOW_ATTR`: The attribute this policy allows. Must be non-empty.
 - `REGEXP`: A regex to match the contents of the attribute against. Must be present but may be empty for unconditional whitelisting of this attribute.
+ - `ALLOW_DATA_URI_IMAGES`: **false** Allow data uri images (`<img src="data:image/png;base64,..."/>`).

 Multiple sanitisation rules can be defined by adding unique subsections, e.g. `[markup.sanitizer.TeX-2]`.
+To apply a sanitisation rules only for a specify external renderer they must use the renderer name, e.g. `[markup.sanitizer.asciidoc.rule-1]`.
+If the rule is defined above the renderer ini section or the name does not match a renderer it is applied to every renderer.

 ## Time (`time`)

- `FORMAT`: Time format to diplay on UI. i.e. RFC1123 or 2006-01-02 15:04:05
+- `FORMAT`: Time format to display on UI. i.e. RFC1123 or 2006-01-02 15:04:05
 - `DEFAULT_UI_LOCATION`: Default location of time on the UI, so that we can display correct user's time on UI. i.e. Shanghai/Asia

 ## Task (`task`)
@@ -685,15 +938,90 @@ Task queue configuration has been moved to `queue.task`. However, the below conf

 - `QUEUE_TYPE`: **channel**: Task queue type, could be `channel` or `redis`.
 - `QUEUE_LENGTH`: **1000**: Task queue length, available only when `QUEUE_TYPE` is `channel`.
- `QUEUE_CONN_STR`: **addrs=127.0.0.1:6379 db=0**: Task queue connection string, available only when `QUEUE_TYPE` is `redis`. If redis needs a password, use `addrs=127.0.0.1:6379 password=123 db=0`.
+- `QUEUE_CONN_STR`: **redis://127.0.0.1:6379/0**: Task queue connection string, available only when `QUEUE_TYPE` is `redis`. If redis needs a password, use `redis://123@127.0.0.1:6379/0`.

 ## Migrations (`migrations`)

 - `MAX_ATTEMPTS`: **3**: Max attempts per http/https request on migrations.
 - `RETRY_BACKOFF`: **3**: Backoff time per http/https request retry (seconds)
+- `ALLOWED_DOMAINS`: **\<empty\>**: Domains allowlist for migrating repositories, default is blank. It means everything will be allowed. Multiple domains could be separated by commas.
+- `BLOCKED_DOMAINS`: **\<empty\>**: Domains blocklist for migrating repositories, default is blank. Multiple domains could be separated by commas. When `ALLOWED_DOMAINS` is not blank, this option will be ignored.
+- `ALLOW_LOCALNETWORKS`: **false**: Allow private addresses defined by RFC 1918, RFC 1122, RFC 4632 and RFC 4291
+
+## Mirror (`mirror`)
+
+- `DEFAULT_INTERVAL`: **8h**: Default interval between each check
+- `MIN_INTERVAL`: **10m**: Minimum interval for checking. (Must be >1m).
+
+## LFS (`lfs`)
+
+Storage configuration for lfs data. It will be derived from default `[storage]` or
+`[storage.xxx]` when set `STORAGE_TYPE` to `xxx`. When derived, the default of `PATH`
+is `data/lfs` and the default of `MINIO_BASE_PATH` is `lfs/`.
+
+- `STORAGE_TYPE`: **local**: Storage type for lfs, `local` for local disk or `minio` for s3 compatible object storage service or other name defined with `[storage.xxx]`
+- `SERVE_DIRECT`: **false**: Allows the storage driver to redirect to authenticated URLs to serve files directly. Currently, only Minio/S3 is supported via signed URLs, local does nothing.
+- `PATH`: **./data/lfs**: Where to store LFS files, only available when `STORAGE_TYPE` is `local`. If not set it fall back to deprecated LFS_CONTENT_PATH value in [server] section.
+- `MINIO_ENDPOINT`: **localhost:9000**: Minio endpoint to connect only available when `STORAGE_TYPE` is `minio`
+- `MINIO_ACCESS_KEY_ID`: Minio accessKeyID to connect only available when `STORAGE_TYPE` is `minio`
+- `MINIO_SECRET_ACCESS_KEY`: Minio secretAccessKey to connect only available when `STORAGE_TYPE is` `minio`
+- `MINIO_BUCKET`: **gitea**: Minio bucket to store the lfs only available when `STORAGE_TYPE` is `minio`
+- `MINIO_LOCATION`: **us-east-1**: Minio location to create bucket only available when `STORAGE_TYPE` is `minio`
+- `MINIO_BASE_PATH`: **lfs/**: Minio base path on the bucket only available when `STORAGE_TYPE` is `minio`
+- `MINIO_USE_SSL`: **false**: Minio enabled ssl only available when `STORAGE_TYPE` is `minio`
+
+## Storage (`storage`)
+
+Default storage configuration for attachments, lfs, avatars and etc.
+
+- `SERVE_DIRECT`: **false**: Allows the storage driver to redirect to authenticated URLs to serve files directly. Currently, only Minio/S3 is supported via signed URLs, local does nothing.
+- `MINIO_ENDPOINT`: **localhost:9000**: Minio endpoint to connect only available when `STORAGE_TYPE` is `minio`
+- `MINIO_ACCESS_KEY_ID`: Minio accessKeyID to connect only available when `STORAGE_TYPE` is `minio`
+- `MINIO_SECRET_ACCESS_KEY`: Minio secretAccessKey to connect only available when `STORAGE_TYPE is` `minio`
+- `MINIO_BUCKET`: **gitea**: Minio bucket to store the data only available when `STORAGE_TYPE` is `minio`
+- `MINIO_LOCATION`: **us-east-1**: Minio location to create bucket only available when `STORAGE_TYPE` is `minio`
+- `MINIO_USE_SSL`: **false**: Minio enabled ssl only available when `STORAGE_TYPE` is `minio`
+
+And you can also define a customize storage like below:
+
+```ini
+[storage.my_minio]
+STORAGE_TYPE = minio
+; Minio endpoint to connect only available when STORAGE_TYPE is `minio`
+MINIO_ENDPOINT = localhost:9000
+; Minio accessKeyID to connect only available when STORAGE_TYPE is `minio`
+MINIO_ACCESS_KEY_ID =
+; Minio secretAccessKey to connect only available when STORAGE_TYPE is `minio`
+MINIO_SECRET_ACCESS_KEY =
+; Minio bucket to store the attachments only available when STORAGE_TYPE is `minio`
+MINIO_BUCKET = gitea
+; Minio location to create bucket only available when STORAGE_TYPE is `minio`
+MINIO_LOCATION = us-east-1
+; Minio enabled ssl only available when STORAGE_TYPE is `minio`
+MINIO_USE_SSL = false
+```
+
+And used by `[attachment]`, `[lfs]` and etc. as `STORAGE_TYPE`.
+
+## Repository Archive Storage (`storage.repo-archive`)
+
+Configuration for repository archive storage. It will inherit from default `[storage]` or
+`[storage.xxx]` when set `STORAGE_TYPE` to `xxx`. The default of `PATH`
+is `data/repo-archive` and the default of `MINIO_BASE_PATH` is `repo-archive/`.
+
+- `STORAGE_TYPE`: **local**: Storage type for repo archive, `local` for local disk or `minio` for s3 compatible object storage service or other name defined with `[storage.xxx]`
+- `SERVE_DIRECT`: **false**: Allows the storage driver to redirect to authenticated URLs to serve files directly. Currently, only Minio/S3 is supported via signed URLs, local does nothing.
+- `PATH`: **./data/repo-archive**: Where to store archive files, only available when `STORAGE_TYPE` is `local`.
+- `MINIO_ENDPOINT`: **localhost:9000**: Minio endpoint to connect only available when `STORAGE_TYPE` is `minio`
+- `MINIO_ACCESS_KEY_ID`: Minio accessKeyID to connect only available when `STORAGE_TYPE` is `minio`
+- `MINIO_SECRET_ACCESS_KEY`: Minio secretAccessKey to connect only available when `STORAGE_TYPE is` `minio`
+- `MINIO_BUCKET`: **gitea**: Minio bucket to store the lfs only available when `STORAGE_TYPE` is `minio`
+- `MINIO_LOCATION`: **us-east-1**: Minio location to create bucket only available when `STORAGE_TYPE` is `minio`
+- `MINIO_BASE_PATH`: **repo-archive/**: Minio base path on the bucket only available when `STORAGE_TYPE` is `minio`
+- `MINIO_USE_SSL`: **false**: Minio enabled ssl only available when `STORAGE_TYPE` is `minio`

 ## Other (`other`)

 - `SHOW_FOOTER_BRANDING`: **false**: Show Gitea branding in the footer.
- `SHOW_FOOTER_VERSION`: **true**: Show Gitea version information in the footer.
+- `SHOW_FOOTER_VERSION`: **true**: Show Gitea and Go version information in the footer.
 - `SHOW_FOOTER_TEMPLATE_LOAD_TIME`: **true**: Show time of template execution in the footer.
--- a/docs/content/doc/advanced/config-cheat-sheet.zh-cn.md
+++ b/docs/content/doc/advanced/config-cheat-sheet.zh-cn.md
@@ -15,7 +15,9 @@ menu:

 # 配置说明

-这是针对Gitea配置文件的说明，你可以了解Gitea的强大配置。需要说明的是，你的所有改变请修改 `custom/conf/app.ini` 文件而不是源文件。所有默认值可以通过 [app.ini.sample](https://github.com/go-gitea/gitea/blob/master/custom/conf/app.ini.sample) 查看到。如果你发现 `%(X)s` 这样的内容，请查看 [ini](https://github.com/go-ini/ini/#recursive-values) 这里的说明。标注了 :exclamation: 的配置项表明除非你真的理解这个配置项的意义，否则最好使用默认值。
+这是针对Gitea配置文件的说明，你可以了解Gitea的强大配置。需要说明的是，你的所有改变请修改 `custom/conf/app.ini` 文件而不是源文件。所有默认值可以通过 [app.example.ini](https://github.com/go-gitea/gitea/blob/master/custom/conf/app.example.ini) 查看到。如果你发现 `%(X)s` 这样的内容，请查看 [ini](https://github.com/go-ini/ini/#recursive-values) 这里的说明。标注了 :exclamation: 的配置项表明除非你真的理解这个配置项的意义，否则最好使用默认值。
+
+{{< toc >}}

 ## Overall (`DEFAULT`)

@@ -30,6 +32,7 @@ menu:
 - `ANSI_CHARSET`: 默认字符编码。
 - `FORCE_PRIVATE`: 强制所有git工程必须私有。
 - `DEFAULT_PRIVATE`: 默认创建的git工程为私有。 可以是`last`, `private` 或 `public`。默认值是 `last`表示用户最后创建的Repo的选择。
+- `DEFAULT_PUSH_CREATE_PRIVATE`: **true**:  通过 ``push-to-create`` 方式创建的仓库是否默认为私有仓库.
 - `MAX_CREATION_LIMIT`: 全局最大每个用户创建的git工程数目， `-1` 表示没限制。
 - `PULL_REQUEST_QUEUE_LENGTH`: 小心：合并请求测试队列的长度，尽量放大。

@@ -67,11 +70,12 @@ menu:
 - `KEY_FILE`: 启用HTTPS的密钥文件。
 - `STATIC_ROOT_PATH`: 存放模板和静态文件的根目录，默认是 Gitea 的根目录。
 - `STATIC_CACHE_TIME`: **6h**: 静态资源文件，包括 `custom/`, `public/` 和所有上传的头像的浏览器缓存时间。
- `ENABLE_GZIP`: 启用应用级别的 GZIP 压缩。
+- `ENABLE_GZIP`: 启用实时生成的数据启用 GZIP 压缩，不包括静态资源。
 - `LANDING_PAGE`: 未登录用户的默认页面，可选 `home` 或 `explore`。
+
 - `LFS_START_SERVER`: 是否启用 git-lfs 支持. 可以为 `true` 或 `false`， 默认是 `false`。
- `LFS_CONTENT_PATH`: 存放 lfs 命令上传的文件的地方，默认是 `data/lfs`。
 - `LFS_JWT_SECRET`: LFS 认证密钥，改成自己的。
+- `LFS_CONTENT_PATH`: **已废弃**, 存放 lfs 命令上传的文件的地方，默认是 `data/lfs`。

 ## Database (`database`)

@@ -81,7 +85,7 @@ menu:
 - `USER`: 数据库用户名。
 - `PASSWD`: 数据库用户密码。
 - `SSL_MODE`: MySQL 或 PostgreSQL数据库是否启用SSL模式。
- `CHARSET`: **utf8**: 仅当数据库为 MySQL 时有效, 可以为 "utf8" 或 "utf8mb4"。注意：如果使用 "utf8mb4"，你的 MySQL InnoDB 版本必须在 5.6 以上。
+- `CHARSET`: **utf8mb4**: 仅当数据库为 MySQL 时有效, 可以为 "utf8" 或 "utf8mb4"。注意：如果使用 "utf8mb4"，你的 MySQL InnoDB 版本必须在 5.6 以上。
 - `PATH`: Tidb 或者 SQLite3 数据文件存放路径。
 - `LOG_SQL`: **true**: 显示生成的SQL，默认为真。
 - `MAX_IDLE_CONNS` **0**: 最大空闲数据库连接
@@ -98,8 +102,12 @@ menu:
 - `ISSUE_INDEXER_QUEUE_CONN_STR`: **addrs=127.0.0.1:6379 db=0**: 当 `ISSUE_INDEXER_QUEUE_TYPE` 为 `redis` 时，保存Redis队列的连接字符串。
 - `ISSUE_INDEXER_QUEUE_BATCH_NUMBER`: **20**: 队列处理中批量提交数量。

- `REPO_INDEXER_ENABLED`: **false**: 是否启用代码搜索（启用后会占用比较大的磁盘空间）。
+- `REPO_INDEXER_ENABLED`: **false**: 是否启用代码搜索（启用后会占用比较大的磁盘空间，如果是bleve可能需要占用约6倍存储空间）。
+- `REPO_INDEXER_TYPE`: **bleve**: 代码搜索引擎类型，可以为 `bleve` 或者 `elasticsearch`。
 - `REPO_INDEXER_PATH`: **indexers/repos.bleve**: 用于代码搜索的索引文件路径。
+- `REPO_INDEXER_CONN_STR`: ****: 代码搜索引擎连接字符串，当 `REPO_INDEXER_TYPE` 为 `elasticsearch` 时有效。例如： http://elastic:changeme@localhost:9200
+- `REPO_INDEXER_NAME`: **gitea_codes**: 代码搜索引擎的名字，当 `REPO_INDEXER_TYPE` 为 `elasticsearch` 时有效。
+
 - `UPDATE_BUFFER_LEN`: **20**: 代码索引请求的缓冲区长度。
 - `MAX_FILE_SIZE`: **1048576**: 进行解析的源代码文件的最大长度，小于该值时才会索引。

@@ -117,6 +125,7 @@ menu:
 - `ACTIVE_CODE_LIVE_MINUTES`: 登录验证码失效时间，单位分钟。
 - `RESET_PASSWD_CODE_LIVE_MINUTES`: 重置密码失效时间，单位分钟。
 - `REGISTER_EMAIL_CONFIRM`: 启用注册邮件激活，前提是 `Mailer` 已经启用。
+- `REGISTER_MANUAL_CONFIRM`: **false**: 新注册用户必须由管理员手动激活,启用此选项需取消`REGISTER_EMAIL_CONFIRM`.
 - `DISABLE_REGISTRATION`: 禁用注册，启用后只能用管理员添加用户。
 - `SHOW_REGISTRATION_BUTTON`: 是否显示注册按钮。
 - `REQUIRE_SIGNIN_VIEW`: 是否所有页面都必须登录后才可访问。
@@ -126,6 +135,11 @@ menu:
 - `ENABLE_REVERSE_PROXY_AUTO_REGISTRATION`: 允许通过反向认证做自动注册。
 - `ENABLE_CAPTCHA`: 注册时使用图片验证码。

+### Service - Expore (`service.explore`)
+
+- `REQUIRE_SIGNIN_VIEW`: **false**: 仅允许已登录的用户查看探索页面。
+- `DISABLE_USERS_PAGE`: **false**: 不显示用户探索页面。
+
 ## Webhook (`webhook`)

 - `QUEUE_LENGTH`: 说明: Hook 任务队列长度。
@@ -177,13 +191,35 @@ menu:
 - `DISABLE_GRAVATAR`: 开启则只使用内部头像。
 - `ENABLE_FEDERATED_AVATAR`: 启用头像联盟支持 (参见 http://www.libravatar.org)

+- `AVATAR_STORAGE_TYPE`: **local**: 头像存储类型，可以为 `local` 或 `minio`，分别支持本地文件系统和 minio 兼容的API。
+- `AVATAR_UPLOAD_PATH`: **data/avatars**: 存储头像的文件系统路径。
+- `AVATAR_MAX_WIDTH`: **4096**: 头像最大宽度，单位像素。
+- `AVATAR_MAX_HEIGHT`: **3072**: 头像最大高度，单位像素。
+- `AVATAR_MAX_FILE_SIZE`: **1048576** (1Mb): 头像最大大小。
+
+- `REPOSITORY_AVATAR_STORAGE_TYPE`: **local**: 仓库头像存储类型，可以为 `local` 或 `minio`，分别支持本地文件系统和 minio 兼容的API。
+- `REPOSITORY_AVATAR_UPLOAD_PATH`: **data/repo-avatars**: 存储仓库头像的路径。
+- `REPOSITORY_AVATAR_FALLBACK`: **none**: 当头像丢失时的处理方式
+  - none = 不显示头像
+  - random = 显示随机生成的头像
+  - image = 显示默认头像，通过 `REPOSITORY_AVATAR_FALLBACK_IMAGE` 设置
+- `REPOSITORY_AVATAR_FALLBACK_IMAGE`: **/img/repo_default.png**: 默认仓库头像
+
 ## Attachment (`attachment`)

 - `ENABLED`: 是否允许用户上传附件。
- `PATH`: 附件存储路径
 - `ALLOWED_TYPES`: 允许上传的附件类型。比如：`image/jpeg|image/png`，用 `*/*` 表示允许任何类型。
 - `MAX_SIZE`: 附件最大限制，单位 MB，比如： `4`。
 - `MAX_FILES`: 一次最多上传的附件数量，比如： `5`。
+- `STORAGE_TYPE`: **local**: 附件存储类型，`local` 将存储到本地文件夹， `minio` 将存储到 s3 兼容的对象存储服务中。
+- `PATH`: **data/attachments**: 附件存储路径，仅当 `STORAGE_TYPE` 为 `local` 时有效。
+- `MINIO_ENDPOINT`: **localhost:9000**: Minio 终端，仅当 `STORAGE_TYPE` 是 `minio` 时有效。
+- `MINIO_ACCESS_KEY_ID`: Minio accessKeyID ，仅当 `STORAGE_TYPE` 是 `minio` 时有效。
+- `MINIO_SECRET_ACCESS_KEY`: Minio secretAccessKey，仅当 `STORAGE_TYPE` 是 `minio` 时有效。
+- `MINIO_BUCKET`: **gitea**: Minio bucket to store the attachments，仅当 `STORAGE_TYPE` 是 `minio` 时有效。
+- `MINIO_LOCATION`: **us-east-1**: Minio location to create bucket，仅当 `STORAGE_TYPE` 是 `minio` 时有效。
+- `MINIO_BASE_PATH`: **attachments/**: Minio base path on the bucket，仅当 `STORAGE_TYPE` 是 `minio` 时有效。
+- `MINIO_USE_SSL`: **false**: Minio enabled ssl，仅当 `STORAGE_TYPE` 是 `minio` 时有效。

 关于 `ALLOWED_TYPES`， 在 (*)unix 系统中可以使用`file -I <filename>` 来快速获得对应的 `MIME type`。

@@ -209,6 +245,11 @@ test01.xls: application/vnd.ms-excel; charset=binary

 - `ENABLED`: 是否在后台运行定期任务。
 - `RUN_AT_START`: 是否启动时自动运行。
+- `SCHEDULE` 所接受的格式
+   - 完整 crontab 控制, 例如 `* * * * * ?`
+   - 描述符, 例如 `@midnight`, `@every 1h30m` ...
+   - 更多细节参见 [cron api文档](https://pkg.go.dev/github.com/gogs/cron@v0.0.0-20171120032916-9f6c956d3e14)
+

 ### Cron - Update Mirrors (`cron.update_mirrors`)

@@ -261,12 +302,14 @@ test01.xls: application/vnd.ms-excel; charset=binary
 ```ini
 [markup.asciidoc]
 ENABLED = false
+NEED_POSTPROCESS = true
 FILE_EXTENSIONS = .adoc,.asciidoc
 RENDER_COMMAND = "asciidoc --out-file=- -"
 IS_INPUT_FILE = false
 ```

 - ENABLED: 是否启用，默认为false。
+- NEED\_POSTPROCESS: **true** 设置为 true 则会替换渲染文件中的内部链接和Commit ID 等。
 - FILE_EXTENSIONS: 关联的文档的扩展名，多个扩展名用都好分隔。
 - RENDER_COMMAND: 工具的命令行命令及参数。
 - IS_INPUT_FILE: 输入方式是最后一个参数为文件路径还是从标准输入读取。
@@ -286,6 +329,73 @@ IS_INPUT_FILE = false

 - `MAX_ATTEMPTS`: **3**: 在迁移过程中的 http/https 请求重试次数。
 - `RETRY_BACKOFF`: **3**: 等待下一次重试的时间，单位秒。
+- `ALLOWED_DOMAINS`: **\<empty\>**: 迁移仓库的域名白名单，默认为空，表示允许从任意域名迁移仓库，多个域名用逗号分隔。
+- `BLOCKED_DOMAINS`: **\<empty\>**: 迁移仓库的域名黑名单，默认为空，多个域名用逗号分隔。如果 `ALLOWED_DOMAINS` 不为空，此选项将会被忽略。
+- `ALLOW_LOCALNETWORKS`: **false**: Allow private addresses defined by RFC 1918
+
+## LFS (`lfs`)
+
+LFS 的存储配置。 如果 `STORAGE_TYPE` 为空，则此配置将从 `[storage]` 继承。如果不为 `local` 或者 `minio` 而为 `xxx`， 则从 `[storage.xxx]` 继承。当继承时， `PATH` 默认为 `data/lfs`，`MINIO_BASE_PATH` 默认为 `lfs/`。
+
+- `STORAGE_TYPE`: **local**: LFS 的存储类型，`local` 将存储到磁盘，`minio` 将存储到 s3 兼容的对象服务。
+- `SERVE_DIRECT`: **false**: 允许直接重定向到存储系统。当前，仅 Minio/S3 是支持的。
+- `PATH`: 存放 lfs 命令上传的文件的地方，默认是 `data/lfs`。
+- `MINIO_ENDPOINT`: **localhost:9000**: Minio 地址，仅当 `LFS_STORAGE_TYPE` 为 `minio` 时有效。
+- `MINIO_ACCESS_KEY_ID`: Minio accessKeyID，仅当 `LFS_STORAGE_TYPE` 为 `minio` 时有效。
+- `MINIO_SECRET_ACCESS_KEY`: Minio secretAccessKey，仅当 `LFS_STORAGE_TYPE` 为 `minio` 时有效。
+- `MINIO_BUCKET`: **gitea**: Minio bucket，仅当 `LFS_STORAGE_TYPE` 为 `minio` 时有效。
+- `MINIO_LOCATION`: **us-east-1**: Minio location ，仅当 `LFS_STORAGE_TYPE` 为 `minio` 时有效。
+- `MINIO_BASE_PATH`: **lfs/**: Minio base path ，仅当 `LFS_STORAGE_TYPE` 为 `minio` 时有效。
+- `MINIO_USE_SSL`: **false**: Minio 是否启用 ssl ，仅当 `LFS_STORAGE_TYPE` 为 `minio` 时有效。
+
+## Storage (`storage`)
+
+Attachments, lfs, avatars and etc 的默认存储配置。
+
+- `STORAGE_TYPE`: **local**: 附件存储类型，`local` 将存储到本地文件夹， `minio` 将存储到 s3 兼容的对象存储服务中。
+- `SERVE_DIRECT`: **false**: 允许直接重定向到存储系统。当前，仅 Minio/S3 是支持的。
+- `MINIO_ENDPOINT`: **localhost:9000**: Minio 终端，仅当 `STORAGE_TYPE` 是 `minio` 时有效。
+- `MINIO_ACCESS_KEY_ID`: Minio accessKeyID ，仅当 `STORAGE_TYPE` 是 `minio` 时有效。
+- `MINIO_SECRET_ACCESS_KEY`: Minio secretAccessKey，仅当 `STORAGE_TYPE` 是 `minio` 时有效。
+- `MINIO_BUCKET`: **gitea**: Minio bucket to store the attachments，仅当 `STORAGE_TYPE` 是 `minio` 时有效。
+- `MINIO_LOCATION`: **us-east-1**: Minio location to create bucket，仅当 `STORAGE_TYPE` 是 `minio` 时有效。
+- `MINIO_USE_SSL`: **false**: Minio enabled ssl，仅当 `STORAGE_TYPE` 是 `minio` 时有效。
+
+你也可以自定义一个存储的名字如下：
+
+```ini
+[storage.my_minio]
+STORAGE_TYPE = minio
+; Minio endpoint to connect only available when STORAGE_TYPE is `minio`
+MINIO_ENDPOINT = localhost:9000
+; Minio accessKeyID to connect only available when STORAGE_TYPE is `minio`
+MINIO_ACCESS_KEY_ID =
+; Minio secretAccessKey to connect only available when STORAGE_TYPE is `minio`
+MINIO_SECRET_ACCESS_KEY =
+; Minio bucket to store the attachments only available when STORAGE_TYPE is `minio`
+MINIO_BUCKET = gitea
+; Minio location to create bucket only available when STORAGE_TYPE is `minio`
+MINIO_LOCATION = us-east-1
+; Minio enabled ssl only available when STORAGE_TYPE is `minio`
+MINIO_USE_SSL = false
+```
+
+然后你在 `[attachment]`, `[lfs]` 等中可以把这个名字用作 `STORAGE_TYPE` 的值。
+
+## Repository Archive Storage (`storage.repo-archive`)
+
+Repository archive 的存储配置。 如果 `STORAGE_TYPE` 为空，则此配置将从 `[storage]` 继承。如果不为 `local` 或者 `minio` 而为 `xxx`， 则从 `[storage.xxx]` 继承。当继承时， `PATH` 默认为 `data/repo-archive`，`MINIO_BASE_PATH` 默认为 `repo-archive/`。
+
+- `STORAGE_TYPE`: **local**: Repository archive 的存储类型，`local` 将存储到磁盘，`minio` 将存储到 s3 兼容的对象服务。
+- `SERVE_DIRECT`: **false**: 允许直接重定向到存储系统。当前，仅 Minio/S3 是支持的。
+- `PATH`: 存放 Repository archive 上传的文件的地方，默认是 `data/repo-archive`。
+- `MINIO_ENDPOINT`: **localhost:9000**: Minio 地址，仅当 `STORAGE_TYPE` 为 `minio` 时有效。
+- `MINIO_ACCESS_KEY_ID`: Minio accessKeyID，仅当 `STORAGE_TYPE` 为 `minio` 时有效。
+- `MINIO_SECRET_ACCESS_KEY`: Minio secretAccessKey，仅当 `STORAGE_TYPE` 为 `minio` 时有效。
+- `MINIO_BUCKET`: **gitea**: Minio bucket，仅当 `STORAGE_TYPE` 为 `minio` 时有效。
+- `MINIO_LOCATION`: **us-east-1**: Minio location ，仅当 `STORAGE_TYPE` 为 `minio` 时有效。
+- `MINIO_BASE_PATH`: **repo-archive/**: Minio base path ，仅当 `STORAGE_TYPE` 为 `minio` 时有效。
+- `MINIO_USE_SSL`: **false**: Minio 是否启用 ssl ，仅当 `STORAGE_TYPE` 为 `minio` 时有效。

 ## Other (`other`)

--- a/docs/content/doc/advanced/customizing-gitea.en-us.md
+++ b/docs/content/doc/advanced/customizing-gitea.en-us.md
@@ -30,32 +30,46 @@ the Linux Filesystem Standard. Gitea will attempt to create required folders, in
 `custom/`. Distributions may provide a symlink for `custom` using `/etc/gitea/`.

 Application settings can be found in file `CustomConf` which is by default,
-`CustomPath/conf/app.ini` but may be different if your build has set this differently.
+`$GITEA_CUSTOM/conf/app.ini` but may be different if your build has set this differently.
 Again `gitea help` will allow you review this variable and you can override it using the
 `--config` option on the `gitea` binary.

 - [Quick Cheat Sheet](https://docs.gitea.io/en-us/config-cheat-sheet/)
- [Complete List](https://github.com/go-gitea/gitea/blob/master/custom/conf/app.ini.sample)
+- [Complete List](https://github.com/go-gitea/gitea/blob/main/custom/conf/app.example.ini)

 If the `CustomPath` folder can't be found despite checking `gitea help`, check the `GITEA_CUSTOM`
 environment variable; this can be used to override the default path to something else.
-`GITEA_CUSTOM` might, for example, be set by an init script.
+`GITEA_CUSTOM` might, for example, be set by an init script. You can check whether the value
+is set under the "Configuration" tab on the site administration page.

- [List of Environment Variables](https://docs.gitea.io/en-us/specific-variables/)
+- [List of Environment Variables](https://docs.gitea.io/en-us/environment-variables/)

 **Note:** Gitea must perform a full restart to see configuration changes.

+**Table of Contents**
+
+{{< toc >}}
+
 ## Serving custom public files

 To make Gitea serve custom public files (like pages and images), use the folder
-`custom/public/` as the webroot. Symbolic links will be followed.
+`$GITEA_CUSTOM/public/` as the webroot. Symbolic links will be followed.

-For example, a file `image.png` stored in `custom/public/`, can be accessed with
-the url `http://gitea.domain.tld/image.png`.
+For example, a file `image.png` stored in `$GITEA_CUSTOM/public/`, can be accessed with
+the url `http://gitea.domain.tld/assets/image.png`.

-## Changing the default avatar
+## Changing the logo

-Place the png image at the following path: `custom/public/img/avatar_default.png`
+To build a custom logo clone the Gitea source repository, replace `assets/logo.svg` and run
+`make generate-images`. This will update below output files which you can then place in `$GITEA_CUSTOM/public/img` on your server:
+
+- `public/img/logo.svg` - Used for favicon, site icon, app icon
+- `public/img/logo.png` - Used for Open Graph
+- `public/img/favicon.png` - Used as fallback for browsers that don't support SVG favicons
+- `public/img/avatar_default.png` - Used as the default avatar image
+- `public/img/apple-touch-icon.png` - Used on iOS devices for bookmarks
+
+In case the source image is not in vector format, you can attempt to convert a raster image using tools like [this](https://www.aconvert.com/image/png-to-svg/).

 ## Customizing Gitea pages and resources

@@ -63,43 +77,43 @@ Gitea's executable contains all the resources required to run: templates, images
 and translations. Any of them can be overridden by placing a replacement in a matching path
 inside the `custom` directory. For example, to replace the default `.gitignore` provided
 for C++ repositories, we want to replace `options/gitignore/C++`. To do this, a replacement
-must be placed in `custom/options/gitignore/C++` (see about the location of the `custom`
+must be placed in `$GITEA_CUSTOM/options/gitignore/C++` (see about the location of the `CustomPath`
 directory at the top of this document).

 Every single page of Gitea can be changed. Dynamic content is generated using [go templates](https://golang.org/pkg/html/template/),
-which can be modified by placing replacements below the `custom/templates` directory.
+which can be modified by placing replacements below the `$GITEA_CUSTOM/templates` directory.

-To obtain any embedded file (including templates), the [`gitea embedded` tool]({{< relref "doc/advanced/cmd-embedded.en-us.md" >}}) can be used. Alternatively, they can be found in the [`templates`](https://github.com/go-gitea/gitea/tree/master/templates) directory of Gitea source (Note: the example link is from the `master` branch. Make sure to use templates compatible with the release you are using).
+To obtain any embedded file (including templates), the [`gitea embedded` tool]({{< relref "doc/advanced/cmd-embedded.en-us.md" >}}) can be used. Alternatively, they can be found in the [`templates`](https://github.com/go-gitea/gitea/tree/main/templates) directory of Gitea source (Note: the example link is from the `main` branch. Make sure to use templates compatible with the release you are using).

 Be aware that any statement contained inside `{{` and `}}` are Gitea's template syntax and
 shouldn't be touched without fully understanding these components.

 ### Customizing startpage / homepage

-Copy [`home.tmpl`](https://github.com/go-gitea/gitea/blob/master/templates/home.tmpl) for your version of Gitea from `templates` to `custom/templates`.
+Copy [`home.tmpl`](https://github.com/go-gitea/gitea/blob/main/templates/home.tmpl) for your version of Gitea from `templates` to `$GITEA_CUSTOM/templates`.
 Edit as you wish.
 Dont forget to restart your gitea to apply the changes.

 ### Adding links and tabs

-If all you want is to add extra links to the top navigation bar or footer, or extra tabs to the repository view, you can put them in `extra_links.tmpl` (links added to the navbar), `extra_links_footer.tmpl` (links added to the left side of footer), and `extra_tabs.tmpl` inside your `custom/templates/custom/` directory.
+If all you want is to add extra links to the top navigation bar or footer, or extra tabs to the repository view, you can put them in `extra_links.tmpl` (links added to the navbar), `extra_links_footer.tmpl` (links added to the left side of footer), and `extra_tabs.tmpl` inside your `$GITEA_CUSTOM/templates/custom/` directory.

 For instance, let's say you are in Germany and must add the famously legally-required "Impressum"/about page, listing who is responsible for the site's content:
-just place it under your "custom/public/" directory (for instance `custom/public/impressum.html`) and put a link to it in either `custom/templates/custom/extra_links.tmpl` or `custom/templates/custom/extra_links_footer.tmpl`.
+just place it under your "$GITEA_CUSTOM/public/" directory (for instance `$GITEA_CUSTOM/public/impressum.html`) and put a link to it in either `$GITEA_CUSTOM/templates/custom/extra_links.tmpl` or `$GITEA_CUSTOM/templates/custom/extra_links_footer.tmpl`.

 To match the current style, the link should have the class name "item", and you can use `{{AppSubUrl}}` to get the base URL:
-`<a class="item" href="{{AppSubUrl}}/impressum.html">Impressum</a>`
+`<a class="item" href="{{AppSubUrl}}/assets/impressum.html">Impressum</a>`

 For more information, see [Adding Legal Pages](https://docs.gitea.io/en-us/adding-legal-pages).

 You can add new tabs in the same way, putting them in `extra_tabs.tmpl`.
 The exact HTML needed to match the style of other tabs is in the file
 `templates/repo/header.tmpl`
-([source in GitHub](https://github.com/go-gitea/gitea/blob/master/templates/repo/header.tmpl))
+([source in GitHub](https://github.com/go-gitea/gitea/blob/main/templates/repo/header.tmpl))

 ### Other additions to the page

-Apart from `extra_links.tmpl` and `extra_tabs.tmpl`, there are other useful templates you can put in your `custom/templates/custom/` directory:
+Apart from `extra_links.tmpl` and `extra_tabs.tmpl`, there are other useful templates you can put in your `$GITEA_CUSTOM/templates/custom/` directory:

 - `header.tmpl`, just before the end of the `<head>` tag where you can add custom CSS files for instance.
 - `body_outer_pre.tmpl`, right after the start of `<body>`.
@@ -108,45 +122,6 @@ Apart from `extra_links.tmpl` and `extra_tabs.tmpl`, there are other useful temp
 - `body_outer_post.tmpl`, before the bottom `<footer>` element.
 - `footer.tmpl`, right before the end of the `<body>` tag, a good place for additional Javascript.

-#### Example: Mermaid.js
-
-If you would like to add [mermaid.js](https://mermaid-js.github.io/mermaid) support to Gitea's markdown you simply add:
-
-```html
-{{if .RequireHighlightJS}}
-<script src="https://unpkg.com/mermaid@8.4.5/dist/mermaid.min.js"></script>
-<!-- or wherever you have placed it -->
-<script>mermaid.init(".language-mermaid")</script>
-{{end}}
-```
-
-to `custom/footer.tmpl`. You then can add blocks
-like below to your markdown:
-
-    ```mermaid
-        stateDiagram
-        [*] --> Active
-
-        state Active {
-            [*] --> NumLockOff
-            NumLockOff --> NumLockOn : EvNumLockPressed
-            NumLockOn --> NumLockOff : EvNumLockPressed
-            --
-            [*] --> CapsLockOff
-            CapsLockOff --> CapsLockOn : EvCapsLockPressed
-            CapsLockOn --> CapsLockOff : EvCapsLockPressed
-            --
-            [*] --> ScrollLockOff
-            ScrollLockOff --> ScrollLockOn : EvCapsLockPressed
-            ScrollLockOn --> ScrollLockOff : EvCapsLockPressed
-        }
-    ```
-
-If you want to use Mermaid.js outside of markdown, e.g. in other templates or HTML files,
-you would need to remove `{{if .RequireHighlightJS}}` and `{{end}}`.
-
-Mermaid will detect and use tags with `class="language-mermaid"`.
-
 #### Example: PlantUML

 You can add [PlantUML](https://plantuml.com/) support to Gitea's markdown by using a PlantUML server.
@@ -154,7 +129,7 @@ The data is encoded and sent to the PlantUML server which generates the picture.
 demo server at http://www.plantuml.com/plantuml, but if you (or your users) have sensitive data you
 can set up your own [PlantUML server](https://plantuml.com/server) instead. To set up PlantUML rendering,
 copy javascript files from https://gitea.com/davidsvantesson/plantuml-code-highlight and put them in your
-`custom/public` folder. Then add the following to `custom/footer.tmpl`:
+`$GITEA_CUSTOM/public` folder. Then add the following to `custom/footer.tmpl`:

 ```html
 {{if .RequireHighlightJS}}
@@ -162,8 +137,8 @@ copy javascript files from https://gitea.com/davidsvantesson/plantuml-code-highl
 <script src="https://your-server.com/encode.js"></script>
 <script src="https://your-server.com/plantuml_codeblock_parse.js"></script>
 <script>
-<!-- Replace call with address to your plantuml server-->
-parsePlantumlCodeBlocks("http://www.plantuml..com/plantuml")
+  <!-- Replace call with address to your plantuml server-->
+  parsePlantumlCodeBlocks("http://www.plantuml.com/plantuml");
 </script>
 {{end}}
 ```
@@ -183,43 +158,55 @@ The script will detect tags with `class="language-plantuml"`, but you can change
 #### Example: STL Preview

 You can display STL file directly in Gitea by adding:
+
 ```html
 <script>
-function lS(src){
-  return new Promise(function(resolve, reject) {
-    let s = document.createElement('script')
-    s.src = src
-    s.addEventListener('load', () => {
-      resolve()
-    })
-    document.body.appendChild(s)
-  });
-}
-
-if($('.view-raw>a[href$=".stl" i]').length){
-  $('body').append('<link href="/Madeleine.js/src/css/Madeleine.css" rel="stylesheet">');
-  Promise.all([lS("/Madeleine.js/src/lib/stats.js"),lS("/Madeleine.js/src/lib/detector.js"), lS("/Madeleine.js/src/lib/three.min.js"), lS("/Madeleine.js/src/Madeleine.js")]).then(function() {
-    $('.view-raw').attr('id', 'view-raw').attr('style', 'padding: 0;margin-bottom: -10px;');
-    new Madeleine({
-      target: 'view-raw',
-      data: $('.view-raw>a[href$=".stl" i]').attr('href'),
-      path: '/Madeleine.js/src'
+  function lS(src) {
+    return new Promise(function (resolve, reject) {
+      let s = document.createElement("script");
+      s.src = src;
+      s.addEventListener("load", () => {
+        resolve();
+      });
+      document.body.appendChild(s);
    });
-    $('.view-raw>a[href$=".stl"]').remove()
-  });
-}
+  }
+
+  if ($('.view-raw>a[href$=".stl" i]').length) {
+    $("body").append(
+      '<link href="/assets/Madeleine.js/src/css/Madeleine.css" rel="stylesheet">'
+    );
+    Promise.all([
+      lS("/assets/Madeleine.js/src/lib/stats.js"),
+      lS("/assets/Madeleine.js/src/lib/detector.js"),
+      lS("/assets/Madeleine.js/src/lib/three.min.js"),
+      lS("/assets/Madeleine.js/src/Madeleine.js"),
+    ]).then(function () {
+      $(".view-raw")
+        .attr("id", "view-raw")
+        .attr("style", "padding: 0;margin-bottom: -10px;");
+      new Madeleine({
+        target: "view-raw",
+        data: $('.view-raw>a[href$=".stl" i]').attr("href"),
+        path: "/assets/Madeleine.js/src",
+      });
+      $('.view-raw>a[href$=".stl"]').remove();
+    });
+  }
 </script>
 ```
+
 to the file `templates/custom/footer.tmpl`

-You also need to download the content of the library [Madeleine.js](https://jinjunho.github.io/Madeleine.js/) and place it under `custom/public/` folder.
+You also need to download the content of the library [Madeleine.js](https://jinjunho.github.io/Madeleine.js/) and place it under `$GITEA_CUSTOM/public/` folder.

 You should end-up with a folder structucture similar to:
+
 ```
-custom/templates
+$GITEA_CUSTOM/templates
 -- custom
    `-- footer.tmpl
-custom/public
+$GITEA_CUSTOM/public
 -- Madeleine.js
   |-- LICENSE
   |-- README.md
@@ -265,11 +252,11 @@ Then restart gitea and open a STL file on your gitea instance.

 ## Customizing Gitea mails

-The `custom/templates/mail` folder allows changing the body of every mail of Gitea.
+The `$GITEA_CUSTOM/templates/mail` folder allows changing the body of every mail of Gitea.
 Templates to override can be found in the
-[`templates/mail`](https://github.com/go-gitea/gitea/tree/master/templates/mail)
+[`templates/mail`](https://github.com/go-gitea/gitea/tree/main/templates/mail)
 directory of Gitea source.
-Override by making a copy of the file under `custom/templates/mail` using a
+Override by making a copy of the file under `$GITEA_CUSTOM/templates/mail` using a
 full path structure matching source.

 Any statement contained inside `{{` and `}}` are Gitea's template
@@ -277,7 +264,7 @@ syntax and shouldn't be touched without fully understanding these components.

 ## Adding Analytics to Gitea

-Google Analytics, Matomo (previously Piwik), and other analytics services can be added to Gitea. To add the tracking code, refer to the `Other additions to the page` section of this document, and add the JavaScript to the `custom/templates/custom/header.tmpl` file.
+Google Analytics, Matomo (previously Piwik), and other analytics services can be added to Gitea. To add the tracking code, refer to the `Other additions to the page` section of this document, and add the JavaScript to the `$GITEA_CUSTOM/templates/custom/header.tmpl` file.

 ## Customizing gitignores, labels, licenses, locales, and readmes.

@@ -287,22 +274,22 @@ Place custom files in corresponding sub-folder under `custom/options`.

 ### gitignores

-To add custom .gitignore, add a file with existing [.gitignore rules](https://git-scm.com/docs/gitignore) in it to `custom/options/gitignore`
+To add custom .gitignore, add a file with existing [.gitignore rules](https://git-scm.com/docs/gitignore) in it to `$GITEA_CUSTOM/options/gitignore`

 ### Labels

-To add a custom label set, add a file that follows the [label format](https://github.com/go-gitea/gitea/blob/master/options/label/Default) to `custom/options/label`  
+To add a custom label set, add a file that follows the [label format](https://github.com/go-gitea/gitea/blob/main/options/label/Default) to `$GITEA_CUSTOM/options/label`
 `#hex-color label name ; label description`

 ### Licenses

-To add a custom license, add a file with the license text to `custom/options/license`
+To add a custom license, add a file with the license text to `$GITEA_CUSTOM/options/license`

 ### Locales

-Locales are managed via our [crowdin](https://crowdin.com/project/gitea).  
-You can override a locale by placing an altered locale file in `custom/options/locale`.  
-Gitea's default locale files can be found in  the [`options/locale`](https://github.com/go-gitea/gitea/tree/master/options/locale) source folder and these should be used as examples for your changes.  
+Locales are managed via our [crowdin](https://crowdin.com/project/gitea).
+You can override a locale by placing an altered locale file in `$GITEA_CUSTOM/options/locale`.
+Gitea's default locale files can be found in the [`options/locale`](https://github.com/go-gitea/gitea/tree/main/options/locale) source folder and these should be used as examples for your changes.

 To add a completely new locale, as well as placing the file in the above location, you will need to add the new lang and name to the `[i18n]` section in your `app.ini`. Keep in mind that Gitea will use those settings as **overrides**, so if you want to keep the other languages as well you will need to copy/paste the default values and add your own to them.

@@ -316,21 +303,35 @@ Locales may change between versions, so keeping track of your customized locales

 ### Readmes

-To add a custom Readme, add a markdown formatted file (without an `.md` extension) to `custom/options/readme`
+To add a custom Readme, add a markdown formatted file (without an `.md` extension) to `$GITEA_CUSTOM/options/readme`

-**NOTE:** readme templates support **variable expansion**.  
+**NOTE:** readme templates support **variable expansion**.
 currently there are `{Name}` (name of repository), `{Description}`, `{CloneURL.SSH}`, `{CloneURL.HTTPS}` and `{OwnerName}`

 ### Reactions

 To change reaction emoji's you can set allowed reactions at app.ini
+
 ```
 [ui]
 REACTIONS = +1, -1, laugh, confused, heart, hooray, eyes
 ```
+
 A full list of supported emoji's is at [emoji list](https://gitea.com/gitea/gitea.com/issues/8)

 ## Customizing the look of Gitea

-As of version 1.6.0 Gitea has built-in themes. The two built-in themes are, the default theme `gitea`, and a dark theme `arc-green`. To change the look of your Gitea install change the value of `DEFAULT_THEME` in the [ui](https://docs.gitea.io/en-us/config-cheat-sheet/#ui-ui) section of `app.ini` to another one of the available options.  
+As of version 1.6.0 Gitea has built-in themes. The two built-in themes are, the default theme `gitea`, and a dark theme `arc-green`. To change the look of your Gitea install change the value of `DEFAULT_THEME` in the [ui](https://docs.gitea.io/en-us/config-cheat-sheet/#ui-ui) section of `app.ini` to another one of the available options.
 As of version 1.8.0 Gitea also has per-user themes. The list of themes a user can choose from can be configured with the `THEMES` value in the [ui](https://docs.gitea.io/en-us/config-cheat-sheet/#ui-ui) section of `app.ini` (defaults to `gitea` and `arc-green`, light and dark respectively)
+
+## Customizing fonts
+
+Fonts can be customized using CSS variables:
+
+```css
+:root {
+  --fonts-proportional: /* custom proportional fonts */ !important;
+  --fonts-monospace: /* custom monospace fonts */ !important;
+  --fonts-emoji: /* custom emoji fonts */ !important;
+}
+```
--- a/docs/content/doc/advanced/customizing-gitea.zh-cn.md
+++ b/docs/content/doc/advanced/customizing-gitea.zh-cn.md
@@ -22,7 +22,7 @@ Gitea 引用 `custom` 目录中的自定义配置文件来覆盖配置、模板
 `custom/conf/app.ini` 当中。在发行版中可能会以 `/etc/gitea/` 的形式为 `custom` 设置一个符号链接，查看配置详情请移步：

 - [快速备忘单](https://docs.gitea.io/en-us/config-cheat-sheet/)
- [完整配置清单](https://github.com/go-gitea/gitea/blob/master/custom/conf/app.ini.sample)
+- [完整配置清单](https://github.com/go-gitea/gitea/blob/master/custom/conf/app.example.ini)

 如果您在 binary 同目录下无法找到 `custom` 文件夹，请检查您的 `GITEA_CUSTOM`
 环境变量配置， 因为它可能被配置到了其他地方（可能被一些启动脚本设置指定了目录）。
@@ -40,7 +40,7 @@ Gitea 引用 `custom` 目录中的自定义配置文件来覆盖配置、模板

 将自定义的公共文件（比如页面和图片）作为 webroot 放在 `custom/public/` 中来让 Gitea 提供这些自定义内容（符号链接将被追踪）。

-举例说明：`image.png` 存放在 `custom/public/`中，那么它可以通过链接 http://gitea.domain.tld/image.png 访问。
+举例说明：`image.png` 存放在 `custom/public/`中，那么它可以通过链接 http://gitea.domain.tld/assets/image.png 访问。

 ## 修改默认头像

@@ -61,7 +61,7 @@ Gitea 引用 `custom` 目录中的自定义配置文件来覆盖配置、模板
 "custom/public/"目录下（比如 `custom/public/impressum.html`）并且将它与 `custom/templates/custom/extra_links.tmpl` 链接起来即可。

 这个链接应当使用一个名为“item”的 class 来匹配当前样式，您可以使用 `{{AppSubUrl}}` 来获取 base URL:
-`<a class="item" href="{{AppSubUrl}}/impressum.html">Impressum</a>`
+`<a class="item" href="{{AppSubUrl}}/assets/impressum.html">Impressum</a>`

 同理，您可以将页签添加到 `extra_tabs.tmpl` 中，使用同样的方式来添加页签。它的具体样式需要与
 `templates/repo/header.tmpl` 中已有的其他选项卡的样式匹配
--- a/docs/content/doc/advanced/environment-variables.en-us.md
+++ b/docs/content/doc/advanced/environment-variables.en-us.md
@@ -0,0 +1,63 @@
+---
+date: "2017-04-08T11:34:00+02:00"
+title: "Environment variables"
+slug: "environment-variables"
+weight: 20
+toc: false
+draft: false
+menu:
+  sidebar:
+    parent: "advanced"
+    name: "Environment variables"
+    weight: 20
+    identifier: "environment-variables"
+---
+
+# Environment variables
+
+**Table of Contents**
+
+{{< toc >}}
+
+This is an inventory of Gitea environment variables. They change Gitea behaviour.
+
+Initialize them before Gitea command to be effective, for example:
+
+```sh
+GITEA_CUSTOM=/home/gitea/custom ./gitea web
+```
+
+## From Go language
+
+As Gitea is written in Go, it uses some Go variables, such as:
+
+- `GOOS`
+- `GOARCH`
+- [`GOPATH`](https://golang.org/cmd/go/#hdr-GOPATH_environment_variable)
+
+For documentation about each of the variables available, refer to the
+[official Go documentation](https://golang.org/cmd/go/#hdr-Environment_variables).
+
+## Gitea files
+
+- `GITEA_WORK_DIR`: Absolute path of working directory.
+- `GITEA_CUSTOM`: Gitea uses `GITEA_WORK_DIR`/custom folder by default. Use this variable
+  to change _custom_ directory.
+- `GOGS_WORK_DIR`: Deprecated, use `GITEA_WORK_DIR`
+- `GOGS_CUSTOM`: Deprecated, use `GITEA_CUSTOM`
+
+## Operating system specifics
+
+- `USER`: System user that Gitea will run as. Used for some repository access strings.
+- `USERNAME`: if no `USER` found, Gitea will use `USERNAME`
+- `HOME`: User home directory path. The `USERPROFILE` environment variable is used in Windows.
+
+### Only on Windows
+
+- `USERPROFILE`: User home directory path. If empty, uses `HOMEDRIVE` + `HOMEPATH`
+- `HOMEDRIVE`: Main drive path used to access the home directory (C:)
+- `HOMEPATH`: Home relative path in the given home drive path
+
+## Miscellaneous
+
+- `SKIP_MINWINSVC`: If set to 1, do not run as a service on Windows.
--- a/docs/content/doc/advanced/environment-variables.zh-cn.md
+++ b/docs/content/doc/advanced/environment-variables.zh-cn.md
@@ -0,0 +1,55 @@
+---
+date: "2017-04-08T11:34:00+02:00"
+title: "环境变量清单"
+slug: "environment-variables"
+weight: 20
+toc: false
+draft: false
+menu:
+  sidebar:
+    parent: "advanced"
+    name: "环境变量清单"
+    weight: 20
+    identifier: "environment-variables"
+---
+
+# 环境变量清单
+
+这里是用来控制 Gitea 行为表现的的环境变量清单，您需要在执行如下 Gitea 启动命令前设置它们来确保配置生效：
+
+```
+GITEA_CUSTOM=/home/gitea/custom ./gitea web
+```
+
+## Go 的配置
+
+因为 Gitea 使用 Go 语言编写，因此它使用了一些相关的 Go 的配置参数：
+
+  * `GOOS`
+  * `GOARCH`
+  * [`GOPATH`](https://golang.org/cmd/go/#hdr-GOPATH_environment_variable)
+
+您可以在[官方文档](https://golang.org/cmd/go/#hdr-Environment_variables)中查阅这些配置参数的详细信息。
+
+## Gitea 的文件目录
+
+  * `GITEA_WORK_DIR`：工作目录的绝对路径
+  * `GITEA_CUSTOM`：默认情况下 Gitea 使用默认目录 `GITEA_WORK_DIR`/custom，您可以使用这个参数来配置 *custom* 目录
+  * `GOGS_WORK_DIR`： 已废弃，请使用 `GITEA_WORK_DIR` 替代
+  * `GOGS_CUSTOM`： 已废弃，请使用 `GITEA_CUSTOM` 替代
+
+## 操作系统配置
+
+  * `USER`：Gitea 运行时使用的系统用户，它将作为一些 repository 的访问地址的一部分
+  * `USERNAME`： 如果没有配置 `USER`， Gitea 将使用 `USERNAME`
+  * `HOME`： 用户的 home 目录，在 Windows 中会使用 `USERPROFILE` 环境变量
+
+### 仅限于 Windows 的配置
+
+  * `USERPROFILE`： 用户的主目录，如果未配置则会使用 `HOMEDRIVE` + `HOMEPATH`
+  * `HOMEDRIVE`: 用于访问 home 目录的主驱动器路径（C盘）
+  * `HOMEPATH`：在指定主驱动器下的 home 目录相对路径
+
+## Miscellaneous
+
+  * `SKIP_MINWINSVC`：如果设置为 1，在 Windows 上不会以 service 的形式运行。
--- a/docs/content/doc/advanced/external-renderers.en-us.md
+++ b/docs/content/doc/advanced/external-renderers.en-us.md
@@ -3,7 +3,7 @@ date: "2018-11-23:00:00+02:00"
 title: "External renderers"
 slug: "external-renderers"
 weight: 40
-toc: true
+toc: false
 draft: false
 menu:
  sidebar:
@@ -15,33 +15,37 @@ menu:

 # Custom files rendering configuration

-Gitea supports custom file renderings (i.e., Jupyter notebooks, asciidoc, etc.) through external binaries, 
+**Table of Contents**
+
+{{< toc >}}
+
+Gitea supports custom file renderings (i.e., Jupyter notebooks, asciidoc, etc.) through external binaries,
 it is just a matter of:

-* installing external binaries
-* add some configuration to your `app.ini` file
-* restart your Gitea instance
+- installing external binaries
+- add some configuration to your `app.ini` file
+- restart your Gitea instance

 This supports rendering of whole files. If you want to render code blocks in markdown you would need to do something with javascript. See some examples on the [Customizing Gitea](../customizing-gitea) page.

 ## Installing external binaries

-In order to get file rendering through external binaries, their associated packages must be installed. 
+In order to get file rendering through external binaries, their associated packages must be installed.
 If you're using a Docker image, your `Dockerfile` should contain something along this lines:

-```
+```docker
 FROM gitea/gitea:{{< version >}}
 [...]

 COPY custom/app.ini /data/gitea/conf/app.ini
 [...]

-RUN apk --no-cache add asciidoctor freetype freetype-dev gcc g++ libpng python-dev py-pip python3-dev py3-pip py3-pyzmq
+RUN apk --no-cache add asciidoctor freetype freetype-dev gcc g++ libpng libffi-dev py-pip python3-dev py3-pip py3-pyzmq
 # install any other package you need for your external renderers

 RUN pip3 install --upgrade pip
 RUN pip3 install -U setuptools
-RUN pip3 install jupyter matplotlib docutils 
+RUN pip3 install jupyter docutils
 # add above any other python package you may need to install
 ```

@@ -49,24 +53,24 @@ RUN pip3 install jupyter matplotlib docutils

 add one `[markup.XXXXX]` section per external renderer on your custom `app.ini`:

-```
+```ini
 [markup.asciidoc]
 ENABLED = true
 FILE_EXTENSIONS = .adoc,.asciidoc
-RENDER_COMMAND = "asciidoctor -e -a leveloffset=-1 --out-file=- -"
+RENDER_COMMAND = "asciidoctor -s -a showtitle --out-file=- -"
 ; Input is not a standard input but a file
 IS_INPUT_FILE = false

 [markup.jupyter]
 ENABLED = true
 FILE_EXTENSIONS = .ipynb
-RENDER_COMMAND = "jupyter nbconvert --stdout --to html --template basic "
-IS_INPUT_FILE = true
+RENDER_COMMAND = "jupyter nbconvert --stdin --stdout --to html --template basic"
+IS_INPUT_FILE = false

 [markup.restructuredtext]
 ENABLED = true
 FILE_EXTENSIONS = .rst
-RENDER_COMMAND = rst2html.py
+RENDER_COMMAND = "timeout 30s pandoc +RTS -M512M -RTS -f rst"
 IS_INPUT_FILE = false
 ```

@@ -86,11 +90,79 @@ FILE_EXTENSIONS = .md,.markdown
 RENDER_COMMAND  = pandoc -f markdown -t html --katex
 ```

-You must define `ELEMENT`, `ALLOW_ATTR`, and `REGEXP` in each section.
+You must define `ELEMENT` and `ALLOW_ATTR` in each section.

 To define multiple entries, add a unique alphanumeric suffix (e.g., `[markup.sanitizer.1]` and `[markup.sanitizer.something]`).

+To apply a sanitisation rules only for a specify external renderer they must use the renderer name, e.g. `[markup.sanitizer.asciidoc.rule-1]`, `[markup.sanitizer.<renderer>.rule-1]`.
+
+**Note**: If the rule is defined above the renderer ini section or the name does not match a renderer it is applied to every renderer.
+
 Once your configuration changes have been made, restart Gitea to have changes take effect.

 **Note**: Prior to Gitea 1.12 there was a single `markup.sanitiser` section with keys that were redefined for multiple rules, however,
-there were significant problems with this method of configuration necessitating configuration through multiple sections.
+there were significant problems with this method of configuration necessitating configuration through multiple sections.
+
+### Example: Office DOCX
+
+Display Office DOCX files with [`pandoc`](https://pandoc.org/):
+```ini
+[markup.docx]
+ENABLED = true
+FILE_EXTENSIONS = .docx
+RENDER_COMMAND = "pandoc --from docx --to html --self-contained --template /path/to/basic.html"
+
+[markup.sanitizer.docx.img]
+ALLOW_DATA_URI_IMAGES = true
+```
+
+The template file has the following content:
+```
+$body$
+```
+
+### Example: Jupyter Notebook
+
+Display Jupyter Notebook files with [`nbconvert`](https://github.com/jupyter/nbconvert):
+```ini
+[markup.jupyter]
+ENABLED = true
+FILE_EXTENSIONS = .ipynb
+RENDER_COMMAND = "jupyter-nbconvert --stdin --stdout --to html --template basic"
+
+[markup.sanitizer.jupyter.img]
+ALLOW_DATA_URI_IMAGES = true
+```
+
+## Customizing CSS
+The external renderer is specified in the .ini in the format `[markup.XXXXX]` and the HTML supplied by your external renderer will be wrapped in a `<div>` with classes `markup` and `XXXXX`. The `markup` class provides out of the box styling (as does `markdown` if `XXXXX` is `markdown`). Otherwise you can use these classes to specifically target the contents of your rendered HTML. 
+
+And so you could write some CSS:
+```css
+.markup.XXXXX html {
+  font-size: 100%;
+  overflow-y: scroll;
+  -webkit-text-size-adjust: 100%;
+  -ms-text-size-adjust: 100%;
+}
+
+.markup.XXXXX body {
+  color: #444;
+  font-family: Georgia, Palatino, 'Palatino Linotype', Times, 'Times New Roman', serif;
+  font-size: 12px;
+  line-height: 1.7;
+  padding: 1em;
+  margin: auto;
+  max-width: 42em;
+  background: #fefefe;
+}
+
+.markup.XXXXX p {
+  color: orangered;
+}
+```
+
+Add your stylesheet to your custom directory e.g `custom/public/css/my-style-XXXXX.css` and import it using a custom header file `custom/templates/custom/header.tmpl`:
+```html
+<link type="text/css" href="{{AppSubUrl}}/assets/css/my-style-XXXXX.css" />
+```
--- a/docs/content/doc/advanced/hacking-on-gitea.en-us.md
+++ b/docs/content/doc/advanced/hacking-on-gitea.en-us.md
@@ -1,292 +0,0 @@
---
-date: "2016-12-01T16:00:00+02:00"
-title: "Hacking on Gitea"
-slug: "hacking-on-gitea"
-weight: 10
-toc: false
-draft: false
-menu:
-  sidebar:
-    parent: "advanced"
-    name: "Hacking on Gitea"
-    weight: 10
-    identifier: "hacking-on-gitea"
---
-
-# Hacking on Gitea
-
-## Installing go and setting the GOPATH
-
-You should [install go](https://golang.org/doc/install) and set up your go
-environment correctly. In particular, it is recommended to set the `$GOPATH`
-environment variable and to add the go bin directory or directories
-`${GOPATH//://bin:}/bin` to the `$PATH`. See the Go wiki entry for
-[GOPATH](https://github.com/golang/go/wiki/GOPATH).
-
-Next, [install Node.js with npm](https://nodejs.org/en/download/) which is
-required to build the JavaScript and CSS files. The minimum supported Node.js
-version is {{< min-node-version >}} and the latest LTS version is recommended.
-
-You will also need make.
-<a href='{{< relref "doc/advanced/make.en-us.md" >}}'>(See here how to get Make)</a>
-
-**Note**: When executing make tasks that require external tools, like
-`make misspell-check`, Gitea will automatically download and build these as
-necessary. To be able to use these you must have the `"$GOPATH"/bin` directory
-on the executable path. If you don't add the go bin directory to the
-executable path you will have to manage this yourself.
-
-**Note 2**: Go version {{< min-go-version >}} or higher is required; however, it is important
-to note that our continuous integration will check that the formatting of the
-source code is not changed by `gofmt` using `make fmt-check`. Unfortunately,
-the results of `gofmt` can differ by the version of `go`. It is therefore
-recommended to install the version of Go that our continuous integration is
-running. As of last update, it should be Go version {{< go-version >}}.
-
-## Downloading and cloning the Gitea source code
-
-The recommended method of obtaining the source code is by using `git clone`.
-
-```bash
-git clone https://github.com/go-gitea/gitea
-```
-
-(Since the advent of go modules, it is no longer necessary to build go projects
-from within the `$GOPATH`, hence the `go get` approach is no longer recommended.)
-
-## Forking Gitea
-
-Download the master Gitea source code as above. Then, fork the 
-[Gitea repository](https://github.com/go-gitea/gitea) on GitHub,
-and either switch the git remote origin for your fork or add your fork as another remote:
-
-```bash
-# Rename original Gitea origin to upstream
-git remote rename origin upstream
-git remote add origin "git@github.com:$GITHUB_USERNAME/gitea.git"
-git fetch --all --prune
-```
-
-or:
-
-```bash
-# Add new remote for our fork
-git remote add "$FORK_NAME" "git@github.com:$GITHUB_USERNAME/gitea.git"
-git fetch --all --prune
-```
-
-To be able to create pull requests, the forked repository should be added as a remote
-to the Gitea sources. Otherwise, changes can't be pushed.
-
-## Building Gitea (Basic)
-
-Take a look at our
-<a href='{{< relref "doc/installation/from-source.en-us.md" >}}'>instructions</a>
-for <a href='{{< relref "doc/installation/from-source.en-us.md" >}}'>building
-from source</a>.
-
-The simplest recommended way to build from source is:
-
-```bash
-TAGS="bindata sqlite sqlite_unlock_notify" make build
-```
-
-See `make help` for all available `make` tasks. Also see [`.drone.yml`](https://github.com/go-gitea/gitea/blob/master/.drone.yml) to see how our continuous integration works.
-
-### Formatting, code analysis and spell check
-
-Our continuous integration will reject PRs that are not properly formatted, fail
-code analysis or spell check.
-
-You should format your code with `go fmt` using:
-
-```bash
-make fmt
-```
-
-and can test whether your changes would match the results with:
-
-```bash
-make fmt-check # which runs make fmt internally
-```
-
-**Note**: The results of `go fmt` are dependent on the version of `go` present.
-You should run the same version of go that is on the continuous integration
-server as mentioned above. `make fmt-check` will only check if your `go` would
-format differently - this may be different from the CI server version.
-
-You should run revive, vet and spell-check on the code with:
-
-```bash
-make revive vet misspell-check
-```
-
-### Working on JS and CSS
-
-For simple changes, edit files in `web_src`, run the build and start the server to test:
-
-```bash
-make build && ./gitea
-```
-
-`make build` runs both `make frontend` and `make backend` which can be run individually as well as long as the `bindata` tag is not used (which compiles frontend files into the binary).
-
-For more involved changes use the `watch-frontend` task to continuously rebuild files when their sources change. The `bindata` tag must be absent. First, build and run the backend:
-
-```bash
-make backend && ./gitea
-```
-
-With the backend running, open another terminal and run:
-
-```bash
-make watch-frontend
-```
-
-Before committing, make sure the linters pass:
-
-```bash
-make lint-frontend
-```
-
-Note: When working on frontend code, set `USE_SERVICE_WORKER` to `false` in `app.ini` to prevent undesirable caching of frontend assets.
-
-### Building Images
-
-To build the images, ImageMagick, `inkscape` and `zopflipng` binaries must be available in
-your `PATH` to run `make generate-images`.
-
-### Updating the API
-
-When creating new API routes or modifying existing API routes, you **MUST**
-update and/or create [Swagger](https://swagger.io/docs/specification/2-0/what-is-swagger/)
-documentation for these using [go-swagger](https://goswagger.io/) comments.
-The structure of these comments is described in the [specification](https://goswagger.io/use/spec.html#annotation-syntax).
-If you want more information about the Swagger structure, you can look at the
-[Swagger 2.0 Documentation](https://swagger.io/docs/specification/2-0/basic-structure/)
-or compare with a previous PR adding a new API endpoint, e.g. [PR #5483](https://github.com/go-gitea/gitea/pull/5843/files#diff-2e0a7b644cf31e1c8ef7d76b444fe3aaR20)
-
-You should be careful not to break the API for downstream users which depend
-on a stable API. In general, this means additions are acceptable, but deletions
-or fundamental changes to the API will be rejected.
-
-Once you have created or changed an API endpoint, please regenerate the Swagger
-documentation using:
-
-```bash
-make generate-swagger
-```
-
-You should validate your generated Swagger file and spell-check it with:
-
-```bash
-make swagger-validate misspell-check
-```
-
-You should commit the changed swagger JSON file. The continous integration
-server will check that this has been done using:
-
-```bash
-make swagger-check
-```
-
-**Note**: Please note you should use the Swagger 2.0 documentation, not the
-OpenAPI 3 documentation.
-
-### Creating new configuration options
-
-When creating new configuration options, it is not enough to add them to the
-`modules/setting` files. You should add information to `custom/conf/app.ini`
-and to the
-<a href='{{< relref "doc/advanced/config-cheat-sheet.en-us.md" >}}'>configuration cheat sheet</a>
-found in `docs/content/doc/advanced/config-cheat-sheet.en-us.md`
-
-### Changing the logo
-
-When changing the Gitea logo SVG, you will need to run and commit the results
-of:
-
-```bash
-make generate-images
-```
-
-This will create the necessary Gitea favicon and others.
-
-### Database Migrations
-
-If you make breaking changes to any of the database persisted structs in the
-`models/` directory, you will need to make a new migration. These can be found
-in `models/migrations/`. You can ensure that your migrations work for the main
-database types using:
-
-```bash
-make test-sqlite-migration # with sqlite switched for the appropriate database
-```
-
-## Testing
-
-There are two types of test run by Gitea: Unit tests and Integration Tests.
-
-```bash
-TAGS="bindata sqlite sqlite_unlock_notify" make test # Runs the unit tests
-```
-
-Unit tests will not and cannot completely test Gitea alone. Therefore, we
-have written integration tests; however, these are database dependent.
-
-```bash
-TAGS="bindata sqlite sqlite_unlock_notify" make build test-sqlite
-```
-
-will run the integration tests in an sqlite environment. Integration tests
-require  `git lfs` to be installed. Other database tests are available but
-may need adjustment to the local environment.
-
-Look at
-[`integrations/README.md`](https://github.com/go-gitea/gitea/blob/master/integrations/README.md)
-for more information and how to run a single test.
-
-Our continuous integration will test the code passes its unit tests and that
-all supported databases will pass integration test in a Docker environment.
-Migration from several recent versions of Gitea will also be tested.
-
-Please submit your PR with additional tests and integration tests as
-appropriate.
-
-## Documentation for the website
-
-Documentation for the website is found in `docs/`. If you change this you
-can test your changes to ensure that they pass continuous integration using:
-
-```bash
-# from the docs directory within Gitea
-make trans-copy clean build
-```
-
-You will require a copy of [Hugo](https://gohugo.io/) to run this task. Please
-note: this may generate a number of untracked git objects, which will need to
-be cleaned up.
-
-## Visual Studio Code
-
-A `launch.json` and `tasks.json` are provided within `contrib/ide/vscode` for
-Visual Studio Code. Look at
-[`contrib/ide/README.md`](https://github.com/go-gitea/gitea/blob/master/contrib/ide/README.md)
-for more information.
-
-## Submitting PRs
-
-Once you're happy with your changes, push them up and open a pull request. It
-is recommended that you allow Gitea Managers and Owners to modify your PR
-branches as we will need to update it to master before merging and/or may be
-able to help fix issues directly.
-
-Any PR requires two approvals from the Gitea maintainers and needs to pass the
-continous integration. Take a look at our
-[`CONTRIBUTING.md`](https://github.com/go-gitea/gitea/blob/master/CONTRIBUTING.md)
-document.
-
-If you need more help pop on to [Discord](https://discord.gg/gitea) #Develop
-and chat there.
-
-That's it! You are ready to hack on Gitea.
--- a/Show More
+++ b/Show More