Index: custom/conf/app.example.ini
--- custom/conf/app.example.ini.orig
+++ custom/conf/app.example.ini
@@ -41,10 +41,10 @@
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;
 ;; App name that shows in every page title
-APP_NAME = ; Gitea: Git with a cup of tea
+APP_NAME = ; Forgejo: Gitea fork focus on privacy
 ;;
 ;; RUN_USER will automatically detect the current user - but you can set it here change it if you run locally
-RUN_USER = ; git
+RUN_USER = ; _forgejo
 ;;
 ;; Application run mode, affects performance and debugging: "dev" or "prod", default is "prod"
 ;; Mode "dev" makes Gitea easier to develop and debug, values other than "dev" are treated as "prod" which is for production use.
@@ -285,7 +285,7 @@ RUN_USER = ; git
 ;STATIC_ROOT_PATH = ; Will default to the built-in value _`StaticRootPath`_
 ;;
 ;; Default path for App data
-;APP_DATA_PATH = data ; relative paths will be made absolute with _`AppWorkPath`_
+APP_DATA_PATH = ${LOCALSTATEDIR}/forgejo/data
 ;;
 ;; Enable gzip compression for runtime-generated content, static resources excluded
 ;ENABLE_GZIP = false
@@ -296,7 +296,7 @@ RUN_USER = ; git
 ;ENABLE_PPROF = false
 ;;
 ;; PPROF_DATA_PATH, use an absolute path when you start gitea as service
-;PPROF_DATA_PATH = data/tmp/pprof ; Path is relative to _`AppWorkPath`_
+PPROF_DATA_PATH = ${LOCALSTATEDIR}/forgejo/data/tmp/pprof
 ;;
 ;; Landing page, can be "home", "explore", "organizations", "login", or any URL such as "/org/repo" or even "https://anotherwebsite.com"
 ;; The "login" choice is not a security measure but just a UI flow change, use REQUIRE_SIGNIN_VIEW to force users to log in.
@@ -348,10 +348,10 @@ RUN_USER = ; git
 ;;
 ;; MySQL Configuration
 ;;
-DB_TYPE = mysql
-HOST = 127.0.0.1:3306 ; can use socket e.g. /var/run/mysqld/mysqld.sock
-NAME = gitea
-USER = root
+;DB_TYPE = mysql
+;HOST = 127.0.0.1:3306 ; can use socket e.g. /var/run/mysqld/mysqld.sock
+;NAME = forgejo
+;USER = %(RUN_USER)s
 ;PASSWD = ;Use PASSWD = `your password` for quoting if you use special characters in the password.
 ;SSL_MODE = false ; either "false" (default), "true", or "skip-verify"
 ;CHARSET_COLLATION = ; Empty as default, Gitea will try to find a case-sensitive collation. Don't change it unless you clearly know what you need.
@@ -361,9 +361,9 @@ USER = root
 ;; Postgres Configuration
 ;;
 ;DB_TYPE = postgres
-;HOST = 127.0.0.1:5432 ; can use socket e.g. /var/run/postgresql/
-;NAME = gitea
-;USER = root
+;HOST = 127.0.0.1:5432 ; can use socket e.g. /tmp
+;NAME = forgejo
+;USER = %(RUN_USER)s
 ;PASSWD =
 ;SCHEMA =
 ;SSL_MODE=disable ;either "disable" (default), "require", or "verify-full"
@@ -372,8 +372,8 @@ USER = root
 ;;
 ;; SQLite Configuration
 ;;
-;DB_TYPE = sqlite3
-;PATH= ; defaults to data/forgejo.db
+DB_TYPE = sqlite3
+PATH= ${LOCALSTATEDIR}/forgejo/data/forgejo.db
 ;SQLITE_TIMEOUT = ; Query timeout defaults to: 500
 ;SQLITE_JOURNAL_MODE = ; defaults to sqlite database default (often DELETE), can be used to enable WAL mode. https://www.sqlite.org/pragma.html#pragma_journal_mode
 ;;
@@ -539,7 +539,7 @@ ENABLED = true
 ;; Private key file path used to sign OAuth2 tokens. The path is relative to APP_DATA_PATH.
 ;; This setting is only needed if JWT_SIGNING_ALGORITHM is set to RS256, RS384, RS512, ES256, ES384 or ES512.
 ;; The file must contain a RSA or ECDSA private key in the PKCS8 format. If no key exists a 4096 bit key will be created for you.
-;JWT_SIGNING_PRIVATE_KEY_FILE = jwt/private.pem
+JWT_SIGNING_PRIVATE_KEY_FILE = ${LOCALSTATEDIR}/forgejo/jwt/private.pem
 ;;
 ;; OAuth2 authentication secret for access and refresh tokens, change this yourself to a unique string. CLI generate option is helpful in this case. https://docs.gitea.io/en-us/command-line/#generate
 ;; This setting is only needed if JWT_SIGNING_ALGORITHM is set to HS256, HS384 or HS512.
@@ -572,14 +572,14 @@ ENABLED = true
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;; Root path for the log files - defaults to %(GITEA_WORK_DIR)/log
-;ROOT_PATH =
+ROOT_PATH = ${LOCALSTATEDIR}/log/forgejo
 ;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;; Main Logger
 ;;
 ;; Either "console", "file" or "conn", default is "console"
 ;; Use comma to separate multiple modes, e.g. "console, file"
-MODE = console
+MODE = file
 ;;
 ;; Either "Trace", "Debug", "Info", "Warn", "Error" or "None", default is "Info"
 LEVEL = Info
@@ -760,7 +760,7 @@ LEVEL = Info
 ;EMAIL_DOMAIN_BLOCKLIST =
 ;;
 ;; Disallow registration, only allow admins to create accounts.
-;DISABLE_REGISTRATION = false
+DISABLE_REGISTRATION = true
 ;;
 ;; Allow registration only using gitea itself, it works only when DISABLE_REGISTRATION is false
 ;ALLOW_ONLY_INTERNAL_REGISTRATION = false
@@ -769,7 +769,7 @@ LEVEL = Info
 ;ALLOW_ONLY_EXTERNAL_REGISTRATION = false
 ;;
 ;; User must sign in to view anything.
-;REQUIRE_SIGNIN_VIEW = false
+REQUIRE_SIGNIN_VIEW = true
 ;;
 ;; Mail notification
 ;ENABLE_NOTIFY_MAIL = false
@@ -826,11 +826,11 @@ LEVEL = Info
 ;;
 ;; Default value for KeepEmailPrivate
 ;; Each new user will get the value of this setting copied into their profile
-;DEFAULT_KEEP_EMAIL_PRIVATE = false
+DEFAULT_KEEP_EMAIL_PRIVATE = true
 ;;
 ;; Default value for AllowCreateOrganization
 ;; Every new user will have rights set to create organizations depending on this setting
-;DEFAULT_ALLOW_CREATE_ORGANIZATION = true
+DEFAULT_ALLOW_CREATE_ORGANIZATION = false
 ;; Default value for IsRestricted
 ;; Every new user will have restricted permissions depending on this setting
 ;DEFAULT_USER_IS_RESTRICTED = false
@@ -844,7 +844,7 @@ LEVEL = Info
 ;; Limited is for users visible only to signed users
 ;; Private is for users visible only to members of their organizations
 ;; Public is for users visible for everyone
-;DEFAULT_USER_VISIBILITY = public
+DEFAULT_USER_VISIBILITY = private
 ;;
 ;; Set which visibility modes a user can have
 ;ALLOWED_USER_VISIBILITY_MODES = public,limited,private
@@ -935,14 +935,14 @@ LEVEL = Info
 ;GENERATOR_URL_TEMPLATE = https://img.shields.io/badge/{{.label}}-{{.text}}-{{.color}}
 
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-;[repository]
+[repository]
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;; Root path for storing all repository data. By default, it is set to %(APP_DATA_PATH)s/gitea-repositories.
 ;; A relative path is interpreted as _`AppWorkPath`_/%(ROOT)s
-;ROOT =
+ROOT = ${LOCALSTATEDIR}/forgejo/forgejo-repositories
 ;;
 ;; The script type this server supports. Usually this is `bash`, but some users report that only `sh` is available.
-;SCRIPT_TYPE = bash
+SCRIPT_TYPE = sh
 ;;
 ;; DETECTED_CHARSETS_ORDER tie-break order for detected charsets.
 ;; If the charsets have equal confidence, tie-breaking will be done by order in this list
@@ -957,7 +957,7 @@ LEVEL = Info
 ;FORCE_PRIVATE = false
 ;;
 ;; Default privacy setting when creating a new repository, allowed values: last, private, public. Default is last which means the last setting used.
-;DEFAULT_PRIVATE = last
+DEFAULT_PRIVATE = private
 ;;
 ;; Default private when using push-to-create
 ;DEFAULT_PUSH_CREATE_PRIVATE = true
@@ -967,7 +967,7 @@ LEVEL = Info
 ;;
 ;; Preferred Licenses to place at the top of the List
 ;; The name here must match the filename in options/license or custom/options/license
-;PREFERRED_LICENSES = Apache-2.0,MIT
+PREFERRED_LICENSES = ISC,BSD-2-Clause
 ;;
 ;; Disable the ability to interact with repositories using the HTTP protocol
 ;DISABLE_HTTP_GIT = false
@@ -1041,16 +1041,16 @@ LEVEL = Info
 
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-;[repository.local]
+[repository.local]
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;
 ;; Path for local repository copy. Defaults to `tmp/local-repo` (content gets deleted on gitea restart)
-;LOCAL_COPY_PATH = tmp/local-repo
+LOCAL_COPY_PATH = ${LOCALSTATEDIR}/forgejo/tmp/local-repo
 
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-;[repository.upload]
+[repository.upload]
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;
@@ -1058,7 +1058,7 @@ LEVEL = Info
 ;ENABLED = true
 ;;
 ;; Path for uploads. Defaults to `data/tmp/uploads` (content gets deleted on gitea restart)
-;TEMP_PATH = data/tmp/uploads
+TEMP_PATH = ${LOCALSTATEDIR}/forgejo/data/tmp/uploads
 ;;
 ;; Comma-separated list of allowed file extensions (`.zip`), mime types (`text/plain`) or wildcard type (`image/*`, `audio/*`, `video/*`). Empty value or `*/*` allows all types.
 ;ALLOWED_TYPES =
@@ -1226,7 +1226,7 @@ LEVEL = Info
 
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-;[ui]
+[ui]
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;
@@ -1267,7 +1267,7 @@ LEVEL = Info
 ;AMBIGUOUS_UNICODE_DETECTION = true
 ;;
 ;; Whether the email of the user should be shown in the Explore Users page
-;SHOW_USER_EMAIL = true
+SHOW_USER_EMAIL = false
 ;;
 ;; Set the default theme for the Gitea install
 ;DEFAULT_THEME = forgejo-auto
@@ -1423,7 +1423,7 @@ LEVEL = Info
 
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-;[indexer]
+[indexer]
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;
@@ -1431,10 +1431,10 @@ LEVEL = Info
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;
 ;; Issue indexer type, currently support: bleve, db, elasticsearch or meilisearch default is bleve
-;ISSUE_INDEXER_TYPE = bleve
+ISSUE_INDEXER_TYPE = db
 ;;
 ;; Issue indexer storage path, available when ISSUE_INDEXER_TYPE is bleve
-;ISSUE_INDEXER_PATH = indexers/issues.bleve ; Relative paths will be made absolute against _`AppWorkPath`_.
+ISSUE_INDEXER_PATH = ${LOCALSTATEDIR}/forgejo/indexers/issues.bleve
 ;;
 ;; Issue indexer connection string, available when ISSUE_INDEXER_TYPE is elasticsearch (e.g. http://elastic:password@localhost:9200) or meilisearch (e.g. http://:apikey@localhost:7700)
 ;ISSUE_INDEXER_CONN_STR =
@@ -1461,7 +1461,7 @@ LEVEL = Info
 ;REPO_INDEXER_TYPE = bleve
 ;;
 ;; Index file used for code search. available when `REPO_INDEXER_TYPE` is bleve
-;REPO_INDEXER_PATH = indexers/repos.bleve
+REPO_INDEXER_PATH = ${LOCALSTATEDIR}/forgejo/indexers/repos.bleve
 ;;
 ;; Code indexer connection string, available when `REPO_INDEXER_TYPE` is elasticsearch. i.e. http://elastic:changeme@localhost:9200
 ;REPO_INDEXER_CONN_STR =
@@ -1523,12 +1523,12 @@ LEVEL = Info
 
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-;[admin]
+[admin]
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;
 ;; Disallow regular (non-admin) users from creating organizations.
-;DISABLE_REGULAR_ORG_CREATION = false
+DISABLE_REGULAR_ORG_CREATION = true
 ;;
 ;; Default configuration for email notifications for users (user configurable). Options: enabled, onmention, disabled
 ;DEFAULT_EMAIL_NOTIFICATIONS = enabled
@@ -1542,7 +1542,7 @@ LEVEL = Info
 
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-;[openid]
+[openid]
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;
@@ -1563,7 +1563,7 @@ LEVEL = Info
 ;;  - <username>.livejournal.com
 ;;
 ;; Whether to allow signin in via OpenID
-;ENABLE_OPENID_SIGNIN = true
+ENABLE_OPENID_SIGNIN = false
 ;;
 ;; Whether to allow registering via OpenID
 ;; Do not include to rely on rhw DISABLE_REGISTRATION setting
@@ -1652,7 +1652,7 @@ LEVEL = Info
 
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-;[mailer]
+[mailer]
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;
@@ -1675,7 +1675,7 @@ LEVEL = Info
 ;; If your provider does not explicitly say which protocol it uses but does provide a port,
 ;; you can set SMTP_PORT instead and this will be inferred.
 ;; (Before 1.18, see the notice, this was controlled via MAILER_TYPE and IS_TLS_ENABLED.)
-;PROTOCOL =
+PROTOCOL = sendmail
 ;;
 ;; Mail server address, e.g. smtp.gmail.com.
 ;; For smtp+unix, this should be a path to a unix socket instead.
@@ -1703,11 +1703,11 @@ LEVEL = Info
 ;;
 ;; Use client certificate in connection.
 ;USE_CLIENT_CERT = false
-;CLIENT_CERT_FILE = custom/mailer/cert.pem
-;CLIENT_KEY_FILE = custom/mailer/key.pem
+;CLIENT_CERT_FILE = ${LOCALSTATEDIR}/forgejo/custom/mailer/cert.pem
+;CLIENT_KEY_FILE = ${LOCALSTATEDIR}/forgejo/custom/mailer/key.pem
 ;;
 ;; Mail from address, RFC 5322. This can be just an email address, or the `"Name" <email@example.com>` format
-;FROM =
+FROM = forgejo@%(DOMAIN)s
 ;;
 ;; Sometimes it is helpful to use a different address on the envelope. Set this to use ENVELOPE_FROM as the from on the envelope. Set to `<>` to send an empty address.
 ;ENVELOPE_FROM =
@@ -1719,10 +1719,10 @@ LEVEL = Info
 ;PASSWD =
 ;;
 ;; Send mails only in plain text, without HTML alternative
-;SEND_AS_PLAIN_TEXT = false
+SEND_AS_PLAIN_TEXT = true
 ;;
 ;; Specify an alternative sendmail binary
-;SENDMAIL_PATH = sendmail
+SENDMAIL_PATH = /usr/sbin/sendmail
 ;;
 ;; Specify any extra sendmail arguments
 ;; WARNING: if your sendmail program interprets options you should set this to "--" or terminate these args with "--"
@@ -1815,13 +1815,13 @@ LEVEL = Info
 
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-;[session]
+[session]
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;
 ;; Either "memory", "file", "redis", "redis-cluster", "db", "mysql", "couchbase", "memcache" or "postgres"
 ;; Default is "memory". "db" will reuse the configuration in [database]
-;PROVIDER = memory
+PROVIDER = file
 ;;
 ;; Provider config options
 ;; memory: doesn't have any config yet
@@ -1829,7 +1829,7 @@ LEVEL = Info
 ;; redis: `redis://127.0.0.1:6379/0?pool_size=100&idle_timeout=180s`
 ;; redis-cluster: `redis+cluster://127.0.0.1:6379/0?pool_size=100&idle_timeout=180s`
 ;; mysql: go-sql-driver/mysql dsn config string, e.g. `root:password@/session_table`
-;PROVIDER_CONFIG = data/sessions ; Relative paths will be made absolute against _`AppWorkPath`_.
+PROVIDER_CONFIG = ${LOCALSTATEDIR}/forgejo/data/sessions
 ;;
 ;; Session cookie name
 ;COOKIE_NAME = i_like_gitea
@@ -1851,7 +1851,7 @@ LEVEL = Info
 
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-;[picture]
+[picture]
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;
@@ -1890,7 +1890,7 @@ LEVEL = Info
 
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-;[attachment]
+[attachment]
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;
@@ -1916,7 +1916,7 @@ LEVEL = Info
 ;;
 ;; Path for attachments. Defaults to `attachments`. Only available when STORAGE_TYPE is `local`
 ;; Relative paths will be resolved to `${AppDataPath}/${attachment.PATH}`
-;PATH = attachments
+PATH = ${LOCALSTATEDIR}/forgejo/data/attachments
 ;;
 ;; Minio endpoint to connect only available when STORAGE_TYPE is `minio`
 ;MINIO_ENDPOINT = localhost:9000
@@ -2279,10 +2279,10 @@ LEVEL = Info
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;; Check for new Gitea versions
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-;[cron.update_checker]
+[cron.update_checker]
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-;ENABLED = true
+ENABLED = false
 ;RUN_AT_START = false
 ;ENABLE_SUCCESS_NOTICE = false
 ;SCHEDULE = @every 168h
@@ -2374,13 +2374,13 @@ LEVEL = Info
 
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-;[other]
+[other]
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;; Show version information about Gitea and Go in the footer
-;SHOW_FOOTER_VERSION = true
+SHOW_FOOTER_VERSION = false
 ;; Show template execution time in the footer
-;SHOW_FOOTER_TEMPLATE_LOAD_TIME = true
+SHOW_FOOTER_TEMPLATE_LOAD_TIME = false
 ;; Generate sitemap. Defaults to `true`.
 ;ENABLE_SITEMAP = true
 ;; Enable/Disable RSS/Atom feed
@@ -2502,7 +2502,7 @@ LEVEL = Info
 
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-;[packages]
+[packages]
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;
@@ -2514,7 +2514,7 @@ LEVEL = Info
 ;MINIO_BASE_PATH = packages/
 ;;
 ;; Path for chunked uploads. Defaults to APP_DATA_PATH + `tmp/package-upload`
-;CHUNKED_UPLOAD_PATH = tmp/package-upload
+CHUNKED_UPLOAD_PATH = ${LOCALSTATEDIR}/forgejo/data/tmp/package-upload
 ;;
 ;; Maximum count of package versions a single owner can have (`-1` means no limits)
 ;LIMIT_TOTAL_OWNER_COUNT = -1
@@ -2581,7 +2581,7 @@ LEVEL = Info
 ;STORAGE_TYPE = local
 ;;
 ;; Where your lfs files reside, default is data/lfs.
-;PATH = data/repo-archive
+;PATH = ${LOCALSTATEDIR}/forgejo/data/lfs
 ;;
 ;; override the minio base path if storage type is minio
 ;MINIO_BASE_PATH = repo-archive/
@@ -2659,9 +2659,9 @@ LEVEL = Info
 ;; Comma separated list of host names requiring proxy. Glob patterns (*) are accepted; use ** to match all hosts.
 ;PROXY_HOSTS =
 
-; [actions]
+[actions]
 ;; Enable/Disable actions capabilities
-;ENABLED = true
+ENABLED = false
 ;; Default address to get action plugins, e.g. the default value means downloading from "https://code.forgejo.org/actions/checkout" for "uses: actions/checkout@v3"
 ;DEFAULT_ACTIONS_URL = https://code.forgejo.org
 ;; Default artifact retention time in days, default is 90 days
