diff --git a/roles/authelia-for-forgejo/defaults/main.json b/roles/authelia-for-forgejo/defaults/main.json
new file mode 100644
index 0000000..211419e
--- /dev/null
+++ b/roles/authelia-for-forgejo/defaults/main.json
@@ -0,0 +1,5 @@
+{
+ "var_authelia_for_forgejo_forgejo_url_base": "https://forgejo.example.org",
+ "var_authelia_for_forgejo_client_id": "forgejo",
+ "var_authelia_for_forgejo_client_secret": "REPLACE_ME"
+}
diff --git a/roles/authelia-for-forgejo/info.md b/roles/authelia-for-forgejo/info.md
new file mode 100644
index 0000000..14a539f
--- /dev/null
+++ b/roles/authelia-for-forgejo/info.md
@@ -0,0 +1,9 @@
+## Beschreibung
+
+Um [Forgejo](../forgejo) gegen [Authelia](../authelia) authentifizieren zu lassen
+
+
+## Verweise
+
+- [Forgejo-Dokumentation | Configuration | OpenID](https://forgejo.org/docs/latest/admin/config-cheat-sheet/#openid-openid)
+- [Authelia-Dokumentation | Gitea Integration](https://www.authelia.com/integration/openid-connect/gitea/)
diff --git a/roles/authelia-for-forgejo/tasks/main.json b/roles/authelia-for-forgejo/tasks/main.json
new file mode 100644
index 0000000..a0aa05d
--- /dev/null
+++ b/roles/authelia-for-forgejo/tasks/main.json
@@ -0,0 +1,25 @@
+[
+ {
+ "name": "configuration | emplace",
+ "become": true,
+ "ansible.builtin.template": {
+ "src": "authelia-client-conf.json.j2",
+ "dest": "/etc/authelia/conf.d/clients/forgejo.json"
+ }
+ },
+ {
+ "name": "configuration | apply",
+ "become": true,
+ "ansible.builtin.command": {
+ "cmd": "/usr/bin/authelia-conf-compose"
+ }
+ },
+ {
+ "name": "restart service",
+ "become": true,
+ "ansible.builtin.systemd_service": {
+ "state": "restarted",
+ "name": "authelia"
+ }
+ }
+]
diff --git a/roles/authelia-for-forgejo/templates/authelia-client-conf.json.j2 b/roles/authelia-for-forgejo/templates/authelia-client-conf.json.j2
new file mode 100644
index 0000000..3f0e1c7
--- /dev/null
+++ b/roles/authelia-for-forgejo/templates/authelia-client-conf.json.j2
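Review bot: The "configuration | emplace" template task writes `/etc/authelia/conf.d/clients/forgejo.json`, a file that carries the OIDC client secret, with no `owner`, `group` or `mode`, so it receives the remote umask's default permissions, which are usually world-readable. Unless `/etc/authelia/conf.d/clients/` is itself restricted, add `"mode": "0640"` plus the owner/group the Authelia process runs as to the `ansible.builtin.template` parameters, and put `"no_log": true` on the task so the rendered secret is not echoed in verbose runs. The same applies to the looped template task in `roles/authelia-for-owncloud/tasks/main.json`, whose android and ios client files also contain secrets. The unconditional "restart service" task restarts Authelia on every run; a handler notified by the two preceding tasks would restart only on change.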
@@ -0,0 +1,17 @@
+{
+ "client_id": "{{var_authelia_for_forgejo_client_id}}",
+ "client_secret": "{{var_authelia_for_forgejo_client_secret}}",
+ "client_name": "Forgejo",
+ "public": false,
+ "authorization_policy": "one_factor",
+ "redirect_uris": [
+ "{{var_authelia_for_forgejo_forgejo_url_base}}/user/oauth2/authelia/callback"
+ ],
+ "scopes": [
+ "openid",
+ "email",
+ "profile"
+ ],
+ "userinfo_signed_response_alg": "none",
+ "token_endpoint_auth_method": "client_secret_basic"
+}
diff --git a/roles/authelia-for-owncloud/defaults/main.json b/roles/authelia-for-owncloud/defaults/main.json
new file mode 100644
index 0000000..b12d86f
--- /dev/null
+++ b/roles/authelia-for-owncloud/defaults/main.json
@@ -0,0 +1,8 @@
+{
+ "var_authelia_for_owncloud_owncloud_url_base": "https://owncloud.example.org",
+ "var_authelia_for_owncloud_web_client_id": "owncloud_web",
+ "var_authelia_for_owncloud_android_client_id": "owncloud_android",
+ "var_authelia_for_owncloud_android_client_secret": "REPLACE_ME",
+ "var_authelia_for_owncloud_ios_client_id": "owncloud_ios",
+ "var_authelia_for_owncloud_ios_client_secret": "REPLACE_ME"
+}
diff --git a/roles/authelia-for-owncloud/info.md b/roles/authelia-for-owncloud/info.md
new file mode 100644
index 0000000..54e275f
--- /dev/null
+++ b/roles/authelia-for-owncloud/info.md
@@ -0,0 +1,10 @@
+## Beschreibung
+
+Um [ownCloud](../owncloud) gegen [Authelia](../authelia) authentifizieren zu lassen
+
+
+## Verweise
+
+- [Authelia-Dokumentation | ownCloud Infinite Scale Integration](https://www.authelia.com/integration/openid-connect/ocis/)
+- [Helge Klein | SSO via Authelia: ownCloud OpenID Connect Authentication](https://helgeklein.com/blog/owncloud-infinite-scale-with-openid-connect-authentication-for-home-networks/#sso-via-authelia-owncloud-openid-connect-authentication)
+- [ownCloud Forums | OCIS + Authelia](https://central.owncloud.org/t/ocis-authelia/44222)
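Review bot: `client_id`, `client_secret` and the redirect URI base are spliced into JSON string literals as `"{{var_...}}"`, so a value containing a double quote or backslash produces an invalid client file. The repository already uses the right tool for this in `conf-main.json.j2`: write `"client_secret": {{var_authelia_for_forgejo_client_secret | to_json}},` and do the same for the other two substitutions. The android, ios and web client templates under `roles/authelia-for-owncloud/templates/` have the same manual quoting. Recent Authelia releases document `client_secret` as a password-hash digest rather than plaintext for confidential clients; the template passes the variable through unchanged, so a hashed value can be supplied, and the defaults or info.md should say which form is expected.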
diff --git a/roles/authelia-for-owncloud/tasks/main.json b/roles/authelia-for-owncloud/tasks/main.json
new file mode 100644
index 0000000..1272bc8
--- /dev/null
+++ b/roles/authelia-for-owncloud/tasks/main.json
@@ -0,0 +1,31 @@
+[
+ {
+ "name": "configuration | emplace",
+ "become": true,
+ "loop": [
+ {"src": "authelia-client-conf-web.json.j2", "dest": "/etc/authelia/conf.d/clients/owncloud-web.json"},
+ {"src": "authelia-client-conf-desktop.json.j2", "dest": "/etc/authelia/conf.d/clients/owncloud-desktop.json"},
+ {"src": "authelia-client-conf-android.json.j2", "dest": "/etc/authelia/conf.d/clients/owncloud-android.json"},
+ {"src": "authelia-client-conf-ios.json.j2", "dest": "/etc/authelia/conf.d/clients/owncloud-ios.json"}
+ ],
+ "ansible.builtin.template": {
+ "src": "{{item.src}}",
+ "dest": "{{item.dest}}"
+ }
+ },
+ {
+ "name": "configuration | apply",
+ "become": true,
+ "ansible.builtin.command": {
+ "cmd": "/usr/bin/authelia-conf-compose"
+ }
+ },
+ {
+ "name": "restart service",
+ "become": true,
+ "ansible.builtin.systemd_service": {
+ "state": "restarted",
+ "name": "authelia"
+ }
+ }
+]
diff --git a/roles/authelia-for-owncloud/templates/authelia-client-conf-android.json.j2 b/roles/authelia-for-owncloud/templates/authelia-client-conf-android.json.j2
new file mode 100644
index 0000000..fab1372
--- /dev/null
+++ b/roles/authelia-for-owncloud/templates/authelia-client-conf-android.json.j2
@@ -0,0 +1,16 @@
+{
+ "client_id": "{{var_authelia_for_owncloud_android_client_id}}",
+ "client_secret": "{{var_authelia_for_owncloud_android_client_secret}}",
+ "client_name": "ownCloud | Android Client",
+ "authorization_policy": "one_factor",
+ "scopes": [
+ "openid",
+ "groups",
+ "profile",
+ "email",
+ "offline_access"
+ ],
+ "redirect_uris": [
+ "oc://android.owncloud.com"
+ ]
+}
diff --git a/roles/authelia-for-owncloud/templates/authelia-client-conf-desktop.json.j2 b/roles/authelia-for-owncloud/templates/authelia-client-conf-desktop.json.j2
new file mode 100644
index 0000000..61b3e43
--- /dev/null
+++ b/roles/authelia-for-owncloud/templates/authelia-client-conf-desktop.json.j2
@@ -0,0 +1,17 @@
+{
+ "client_id": "xdXOt13JKxym1B1QcEncf2XDkLAexMBFwiT9j6EfhhHFJhs2KM9jbjTmf8JBXE69",
+ "client_secret": "UBntmLjC2yYCeHwsyj73Uwo9TAaecAetRwMw0xYcvNL9yRdLSUi0hUAHfvCHFeFh",
+ "client_name": "ownCloud | Desktop Client",
+ "authorization_policy": "one_factor",
+ "scopes": [
+ "openid",
+ "groups",
+ "profile",
+ "email",
+ "offline_access"
+ ],
+ "redirect_uris": [
+ "http://127.0.0.1",
+ "http://localhost"
+ ]
+}
diff --git a/roles/authelia-for-owncloud/templates/authelia-client-conf-ios.json.j2 b/roles/authelia-for-owncloud/templates/authelia-client-conf-ios.json.j2
new file mode 100644
index 0000000..ce465a9
--- /dev/null
+++ b/roles/authelia-for-owncloud/templates/authelia-client-conf-ios.json.j2
@@ -0,0 +1,17 @@
+{
+ "client_id": "{{var_authelia_for_owncloud_ios_client_id}}",
+ "client_secret": "{{var_authelia_for_owncloud_ios_client_secret}}",
+ "client_name": "ownCloud | iOS Client",
+ "authorization_policy": "one_factor",
+ "scopes": [
+ "openid",
+ "groups",
+ "profile",
+ "email",
+ "offline_access"
+ ],
+ "redirect_uris": [
+ "oc://ios.owncloud.com",
+ "oc.ios://ios.owncloud.com"
+ ]
+}
diff --git a/roles/authelia-for-owncloud/templates/authelia-client-conf-web.json.j2 b/roles/authelia-for-owncloud/templates/authelia-client-conf-web.json.j2
new file mode 100644
index 0000000..45b6983
--- /dev/null
+++ b/roles/authelia-for-owncloud/templates/authelia-client-conf-web.json.j2
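Review bot: The desktop client file hard-codes `client_id` and `client_secret` (`xdXOt13JKxym…`, `UBntmLjC2yYC…`) while the android, ios and web files take theirs from role variables. These appear to be the client credentials published in ownCloud's own OIDC documentation for the desktop client, so the `client_secret` is public knowledge and authenticates nothing; that should be stated in the role's info.md so a reader does not take it for a leaked secret, and a vardef/defaults pair would keep the file consistent with the other three. Since the secret is public, the loopback redirect URIs (`http://127.0.0.1`, `http://localhost`) are the only binding to the local client; if the deployed Authelia version supports the per-client `pkce_challenge_method` option, setting it to `"S256"` is the appropriate control here, provided the desktop client sends a code challenge.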
@@ -0,0 +1,20 @@
+{
+ "client_id": "{{var_authelia_for_owncloud_web_client_id}}",
+ "client_name": "ownCloud | Web Client",
+ "public": true,
+ "authorization_policy": "one_factor",
+ "scopes": [
+ "openid",
+ "email",
+ "profile",
+ "groups"
+ ],
+ "response_types": [
+ "code"
+ ],
+ "redirect_uris": [
+ "{{var_authelia_for_owncloud_owncloud_url_base}}",
+ "{{var_authelia_for_owncloud_owncloud_url_base}}/oidc-callback.html",
+ "{{var_authelia_for_owncloud_owncloud_url_base}}/oidc-silent-redirect.html"
+ ]
+}
diff --git a/roles/authelia-for-owncloud/vardef.json b/roles/authelia-for-owncloud/vardef.json
new file mode 100644
index 0000000..8bf599d
--- /dev/null
+++ b/roles/authelia-for-owncloud/vardef.json
@@ -0,0 +1,26 @@
+{
+ "owncloud_url_base": {
+ "type": "string",
+ "mandatory": false
+ },
+ "web_client_id": {
+ "type": "string",
+ "mandatory": false
+ },
+ "android_client_id": {
+ "type": "string",
+ "mandatory": false
+ },
+ "android_client_secret": {
+ "type": "string",
+ "mandatory": false
+ },
+ "ios_client_id": {
+ "type": "string",
+ "mandatory": false
+ },
+ "ios_client_secret": {
+ "type": "string",
+ "mandatory": false
+ }
+}
diff --git a/roles/authelia/defaults/main.json b/roles/authelia/defaults/main.json
index 47b1e01..04a1f7f 100644
--- a/roles/authelia/defaults/main.json
+++ b/roles/authelia/defaults/main.json
@@ -32,5 +32,8 @@
 "var_authelia_notification_smtp_username": "authelia",
 "var_authelia_notification_smtp_password": "REPLACE_ME",
 "var_authelia_notification_smtp_sender": "authelia@example.org",
- "var_authelia_oidc_hmac_secret": "REPLACE_ME"
+ "var_authelia_oidc_hmac_secret": "REPLACE_ME",
+ "var_authelia_oidc_lifespan_access_token": "1h",
+ "var_authelia_oidc_lifespan_refresh_token": "1m",
+ "var_authelia_oidc_cors_endpoints": null
 }
diff --git a/roles/authelia/templates/conf-main.json.j2 b/roles/authelia/templates/conf-main.json.j2
index 475cda4..81bee44 100644
--- a/roles/authelia/templates/conf-main.json.j2
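Review bot: The web client is `"public": true` with `"response_types": ["code"]` and nothing in the hunk requires PKCE, so the authorization code is protected only by the redirect URI match. For a public browser client the standard mitigation is PKCE with S256; if the deployed Authelia exposes the per-client `pkce_challenge_method` option, add `"pkce_challenge_method": "S256",` after `"public": true,` once it is confirmed that ownCloud Web sends a code challenge. The bare `"{{var_authelia_for_owncloud_owncloud_url_base}}"` entry is broader than the two callback pages that follow it; keep it only if ownCloud Web actually returns to the site root. As in the forgejo client template, the substituted values should go through `| to_json` rather than manual quotes.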
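Review bot: `"var_authelia_oidc_lifespan_refresh_token": "1m"` is one minute in Authelia's duration notation (lower-case `m` is minutes; months are `M`), which is shorter than the `1h` access token it is supposed to outlive and effectively defeats the `offline_access` scope that the android, ios and desktop client templates in this commit request. If a month was intended, write `"1M"`; otherwise choose a value longer than the access token lifespan. A one-line remark on the unit in the role's info.md would keep the next reader from guessing.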
+++ b/roles/authelia/templates/conf-main.json.j2
@@ -190,8 +190,16 @@
 "oidc": {
 "hmac_secret": "{{var_authelia_oidc_hmac_secret}}",
 "issuer_private_key": "{{temp_tls_result.privatekey | replace('\n', '\\n')}}",
+ "lifespans": {
+ "access_token": "{{var_authelia_oidc_lifespan_access_token}}",
+ "refresh_token": "{{var_authelia_oidc_lifespan_refresh_token}}"
+ },
 "cors": {
 "allowed_origins_from_client_redirect_uris": true
+{% if var_authelia_oidc_cors_endpoints == None %}
+{% else %}
+ ,"endpoints": {{var_authelia_oidc_cors_endpoints | to_json}}
+{% endif %}
 },
 "clients": [
 ]
diff --git a/roles/authelia/vardef.json b/roles/authelia/vardef.json
index 9b7d5bc..9b651a1 100644
--- a/roles/authelia/vardef.json
+++ b/roles/authelia/vardef.json
@@ -139,5 +139,31 @@
 "oidc_hmac_secret": {
 "type": "string",
 "mandatory": true
+ },
+ "oidc_lifespan_access_token": {
+ "nullable": true,
+ "type": "string",
+ "mandatory": false
+ },
+ "oidc_lifespan_refresh_token": {
+ "nullable": true,
+ "type": "string",
+ "mandatory": false
+ },
+ "oidc_cors_endpoints": {
+ "nullable": true,
+ "type": "array",
+ "items": {
+ "type": "string",
+ "enum": [
+ "authorization",
+ "pushed-authorization-request",
+ "token",
+ "revocation",
+ "introspection",
+ "userinfo"
+ ]
+ },
+ "mandatory": false
 }
 }
diff --git a/roles/forgejo-and-nginx/defaults/main.json b/roles/forgejo-and-nginx/defaults/main.json
new file mode 100644
index 0000000..fadcf82
--- /dev/null
+++ b/roles/forgejo-and-nginx/defaults/main.json
@@ -0,0 +1,5 @@
+{
+ "var_forgejo_and_nginx_domain": "forgejo.example.org",
+ "var_forgejo_and_nginx_port": 2378,
+ "var_forgejo_and_nginx_tls_mode": "force"
+}
diff --git a/roles/forgejo-and-nginx/info.md b/roles/forgejo-and-nginx/info.md
new file mode 100644
index 0000000..8b13789
--- /dev/null
+++ b/roles/forgejo-and-nginx/info.md
@@ -0,0 +1 @@
+
diff --git a/roles/forgejo-and-nginx/tasks/main.json b/roles/forgejo-and-nginx/tasks/main.json
new file mode 100644
index 0000000..7dc3b80
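Review bot: The new `lifespans` block renders `"{{var_authelia_oidc_lifespan_access_token}}"` and the refresh counterpart with no null guard, yet `roles/authelia/vardef.json` in this same commit declares both `"nullable": true`; a null value renders as the string `None`, which Authelia will reject as a duration. Either drop `nullable` for the two lifespans or guard them the way `endpoints` is guarded below. The `endpoints` guard itself is an empty `{% if var_authelia_oidc_cors_endpoints == None %}` branch followed by `{% else %}`; `{% if var_authelia_oidc_cors_endpoints is not none %}` states the intent directly and reads better than the leading-comma trick. The encl
osing `oidc` object continues outside the hunk.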
--- /dev/null
+++ b/roles/forgejo-and-nginx/tasks/main.json
@@ -0,0 +1,35 @@
+[
+ {
+ "name": "deactivate default site",
+ "become": true,
+ "ansible.builtin.file": {
+ "state": "absent",
+ "dest": "/etc/nginx/sites-enabled/default"
+ }
+ },
+ {
+ "name": "emplace configuration | data",
+ "become": true,
+ "ansible.builtin.template": {
+ "src": "conf.j2",
+ "dest": "/etc/nginx/sites-available/{{var_forgejo_and_nginx_domain}}"
+ }
+ },
+ {
+ "name": "emplace configuration | link",
+ "become": true,
+ "ansible.builtin.file": {
+ "state": "link",
+ "src": "/etc/nginx/sites-available/{{var_forgejo_and_nginx_domain}}",
+ "dest": "/etc/nginx/sites-enabled/{{var_forgejo_and_nginx_domain}}"
+ }
+ },
+ {
+ "name": "restart nginx",
+ "become": true,
+ "ansible.builtin.systemd_service": {
+ "state": "restarted",
+ "name": "nginx"
+ }
+ }
+]
diff --git a/roles/forgejo-and-nginx/templates/conf.j2 b/roles/forgejo-and-nginx/templates/conf.j2
new file mode 100644
index 0000000..4e78b94
--- /dev/null
+++ b/roles/forgejo-and-nginx/templates/conf.j2
@@ -0,0 +1,34 @@
+{% macro forgejo_common() %}
+ location / {
+ proxy_pass http://localhost:{{var_forgejo_and_nginx_port | string}};
+ client_max_body_size 20M;
+ }
+{% endmacro %}
+
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name {{var_forgejo_and_nginx_domain}};
+
+{% if var_forgejo_and_nginx_tls_mode == 'force' %}
+ return 301 https://$http_host$request_uri;
+{% else %}
+{{ forgejo_common() }}
+{% endif %}
+}
+
+{% if var_forgejo_and_nginx_tls_mode != 'disable' %}
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ server_name {{var_forgejo_and_nginx_domain}};
+
+ ssl_certificate_key /etc/ssl/private/{{var_forgejo_and_nginx_domain}}.pem;
+ ssl_certificate /etc/ssl/fullchains/{{var_forgejo_and_nginx_domain}}.pem;
+ include /etc/nginx/ssl-hardening.conf;
+
+{{ forgejo_common() }}
+}
+{% endif %}
diff --git a/roles/forgejo-and-nginx/vardef.json b/roles/forgejo-and-nginx/vardef.json
new file mode 100644
index 0000000..882b53b
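Review bot: `forgejo_common()` proxies with a bare `proxy_pass` and no `proxy_set_header` lines, so Forgejo receives `Host: localhost:<port>` and sees nginx as the client; Forgejo's reverse-proxy guidance forwards `Host`, `X-Real-IP`, `X-Forwarded-For` and `X-Forwarded-Proto`, without which the real client address never reaches Forgejo's logs and per-IP controls. The redirect `return 301 https://$http_host$request_uri;` reflects the client-supplied Host header; since tasks/main.json removes the default site, this server block may be the catch-all, so use `$host` or the templated domain there. Both points apply equally to `roles/owncloud-and-nginx/templates/conf.j2`, which has the same structure.
```nginx
{% macro forgejo_common() %}
 location / {
 proxy_pass http://localhost:{{var_forgejo_and_nginx_port | string}};
 proxy_set_header Host $host;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-Forwarded-Proto $scheme;
 client_max_body_size 20M;
 }
{% endmacro %}
# … unchanged: server blocks (replace $http_host with $host in the 301) …
```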
--- /dev/null
+++ b/roles/forgejo-and-nginx/vardef.json
@@ -0,0 +1,19 @@
+{
+ "domain": {
+ "mandatory": false,
+ "type": "string"
+ },
+ "port": {
+ "mandatory": false,
+ "type": "integer"
+ },
+ "tls_mode": {
+ "mandatory": false,
+ "type": "string",
+ "options": [
+ "disable",
+ "enable",
+ "force"
+ ]
+ }
+}
diff --git a/roles/forgejo/defaults/main.json b/roles/forgejo/defaults/main.json
new file mode 100644
index 0000000..fb59d7b
--- /dev/null
+++ b/roles/forgejo/defaults/main.json
@@ -0,0 +1,31 @@
+{
+ "var_forgejo_user": "forgejo",
+ "var_forgejo_directory_main": "/opt/forgejo",
+ "var_forgejo_directory_repositories": "/var/forgejo/repositories",
+ "var_forgejo_version": "7.0.5",
+ "var_forgejo_platform": "linux-amd64",
+ "var_forgejo_secret_key": "REPLACE_ME",
+ "var_forgejo_internal_token": "REPLACE_ME",
+ "var_forgejo_domain": "forgejo.example.org",
+ "var_forgejo_listen_address": "0.0.0.0",
+ "var_forgejo_listen_port": 2378,
+ "var_forgejo_database_kind": "sqlite",
+ "var_forgejo_database_data_sqlite_path": "/var/forgejo/data.sqlite",
+ "var_forgejo_database_data_postgresql_host": "postgresql.example.org",
+ "var_forgejo_database_data_postgresql_port": 5432,
+ "var_forgejo_database_data_postgresql_username": "forgejo_user",
+ "var_forgejo_database_data_postgresql_password": "REPLACE_ME",
+ "var_forgejo_database_data_postgresql_scheme": "forgejo",
+ "var_forgejo_authentication_kind": "internal",
+ "var_forgejo_authentication_data_authelia_url_base": "https://authelia.example.org",
+ "var_forgejo_authentication_data_authelia_client_id": "forgejo",
+ "var_forgejo_authentication_data_authelia_client_secret": "REPLACE_ME",
+ "var_forgejo_smtp_host": "smtp.example.org",
+ "var_forgejo_smtp_port": 465,
+ "var_forgejo_smtp_username": "REPLACE_ME",
+ "var_forgejo_smtp_password": "REPLACE_ME",
+ "var_forgejo_email_sending_enabled": false,
+ "var_forgejo_email_sending_sender": "forgejo@example.org",
+ "var_forgejo_email_sending_html": false,
+ "var_forgejo_title": "Forgejo: Beyond coding. We Forge."
+}
diff --git a/roles/forgejo/info.md b/roles/forgejo/info.md
new file mode 100644
index 0000000..db535da
--- /dev/null
+++ b/roles/forgejo/info.md
@@ -0,0 +1,14 @@
+## Beschreibung
+
+Zur Einrichtung der DevOps-Platform [Forgejo](https://forgejo.org/)
+
+
+## Verweise
+
+- [Forgejo | Documentation | Administrator Guide](https://forgejo.org/docs/latest/admin/)
+- [Forgejo | Documentation | Configuration Cheat Sheet](https://forgejo.org/docs/latest/admin/config-cheat-sheet/)
+
+
+## ToDo
+
+- Download verfizieren
diff --git a/roles/forgejo/tasks/main.json b/roles/forgejo/tasks/main.json
new file mode 100644
index 0000000..5905488
--- /dev/null
+++ b/roles/forgejo/tasks/main.json
@@ -0,0 +1,101 @@
+[
+ {
+ "name": "packages",
+ "become": true,
+ "ansible.builtin.apt": {
+ "update_cache": true,
+ "pkg": [
+ "git"
+ ]
+ }
+ },
+ {
+ "name": "user",
+ "become": true,
+ "ansible.builtin.user": {
+ "name": "{{var_forgejo_user}}",
+ "create_home": true,
+ "home": "{{var_forgejo_directory_main}}"
+ }
+ },
+ {
+ "name": "directories | external",
+ "become": true,
+ "loop": [
+ "{{var_forgejo_database_data_sqlite_path | dirname}}",
+ "{{var_forgejo_directory_repositories}}"
+ ],
+ "ansible.builtin.file": {
+ "path": "{{item}}",
+ "state": "directory",
+ "owner": "{{var_forgejo_user}}"
+ }
+ },
+ {
+ "name": "directories | internal",
+ "become": true,
+ "become_user": "{{var_forgejo_user}}",
+ "loop": [
+ "{{var_forgejo_directory_main}}/custom/conf"
+ ],
+ "ansible.builtin.file": {
+ "path": "{{item}}",
+ "state": "directory"
+ }
+ },
+ {
+ "name": "download",
+ "become": true,
+ "become_user": "{{var_forgejo_user}}",
+ "ansible.builtin.get_url": {
+ "url": "https://codeberg.org/forgejo/forgejo/releases/download/v{{var_forgejo_version}}/forgejo-{{var_forgejo_version}}-{{var_forgejo_platform}}",
+ "dest": "{{var_forgejo_directory_main}}/forgejo",
+ "mode": "u+rx"
+ }
+ },
+ {
+ "name": "config | base",
+ "become": true,
+ "become_user": "{{var_forgejo_user}}",
+ "ansible.builtin.template": {
+ "src": "config.ini.j2",
+ "dest": "{{var_forgejo_directory_main}}/custom/conf/app.ini"
+ }
+ },
+ {
+ "name": "config | database",
+ "become": true,
+ "become_user": "{{var_forgejo_user}}",
+ "ansible.builtin.command": {
+ "chdir": "{{var_forgejo_directory_main}}",
+ "cmd": "./forgejo migrate"
+ }
+ },
+ {
+ "name": "config | authelia",
+ "when": "var_forgejo_authentication_kind == 'authelia'",
+ "become": true,
+ "become_user": "{{var_forgejo_user}}",
+ "ansible.builtin.shell": {
+ "chdir": "{{var_forgejo_directory_main}}",
+ "cmd": "(./forgejo admin auth list | grep authelia) || ./forgejo admin auth add-oauth --provider='openidConnect' --name='authelia' 
--key={{var_forgejo_authentication_data_authelia_client_id}} --secret={{var_forgejo_authentication_data_authelia_client_secret}} --auto-discover-url='{{var_forgejo_authentication_data_authelia_url_base}}/.well-known/openid-configuration' --scopes='openid email profile'"
+ }
+ },
+ {
+ "name": "systemd unit",
+ "become": true,
+ "ansible.builtin.template": {
+ "src": "systemd-unit.j2",
+ "dest": "/etc/systemd/system/forgejo.service"
+ }
+ },
+ {
+ "name": "start",
+ "become": true,
+ "ansible.builtin.systemd_service": {
+ "enabled": true,
+ "state": "restarted",
+ "name": "forgejo"
+ }
+ }
+]
diff --git a/roles/forgejo/templates/config.ini.j2 b/roles/forgejo/templates/config.ini.j2
new file mode 100644
index 0000000..524cfd8
--- /dev/null
+++ b/roles/forgejo/templates/config.ini.j2
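Review bot: The "config | authelia" shell task passes `--secret={{var_forgejo_authentication_data_authelia_client_secret}}` on the command line, so the secret is visible in the host's process list and in Ansible's task output; add `"no_log": true` to that task and pass each interpolated value through `| quote` (e.g. `--secret={{var_forgejo_authentication_data_authelia_client_secret | quote}}`), since they are spliced into a shell string unescaped. The "download" task has no `checksum`, which is the open "Download verfizieren" item in info.md; `get_url` accepts `"checksum": "sha256:<URL-OF-RELEASE-SHA256-FILE>"`, and Forgejo publishes a `.sha256` file next to each release binary, so the URL is the binary's download URL with that suffix. The binary is fetched as, and owned by, the service user with `mode: u+rx`, so the account the service runs as can replace its own executable; downloading as root and granting the service user read/execute only would narrow that. The `cmd` string of the authelia task is one line in the file and only wrapped in this rendering.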
@@ -0,0 +1,123 @@
+APP_NAME = {{var_forgejo_title}}
+RUN_USER = {{var_forgejo_user}}
+RUN_MODE = prod
+
+[server]
+DOMAIN = {{var_forgejo_domain}}
+ROOT_URL = https://{{var_forgejo_domain}}
+;HTTP_ADDR = {{var_forgejo_listen_address}}
+HTTP_PORT = {{var_forgejo_listen_port | string}}
+;LANDING_PAGE = home
+
+[database]
+{% if var_forgejo_database_kind == 'sqlite' %}
+DB_TYPE = sqlite3
+PATH = {{var_forgejo_database_data_sqlite_path}}
+{% endif %}
+{% if var_forgejo_database_kind == 'postgresql' %}
+DB_TYPE = postgres
+HOST = {{var_forgejo_database_data_postgresql_host}}:{{var_forgejo_database_data_postgresql_port | string}}
+USER = {{var_forgejo_database_data_postgresql_username}}
+PASSWD = {{var_forgejo_database_data_postgresql_password}}
+NAME = {{var_forgejo_database_data_postgresql_scheme}}
+{% endif %}
+
+[security]
+INSTALL_LOCK = true
+SECRET_KEY = {{var_forgejo_secret_key}}
+INTERNAL_TOKEN = {{var_forgejo_internal_token}}
+DISABLE_GIT_HOOKS = true
+
+[oauth2]
+ENABLED = false
+
+[log]
+MODE = console
+LEVEL = Info
+
+[git]
+HOME_PATH = {{var_forgejo_directory_main}}
+
+[service]
+REGISTER_EMAIL_CONFIRM = false
+
+{% if var_forgejo_authentication_kind == 'internal' %}
+DISABLE_REGISTRATION = false
+ALLOW_ONLY_INTERNAL_REGISTRATION = true
+ALLOW_ONLY_EXTERNAL_REGISTRATION = false
+SHOW_REGISTRATION_BUTTON = true
+{% else %}
+DISABLE_REGISTRATION = false
+ALLOW_ONLY_INTERNAL_REGISTRATION = false
+ALLOW_ONLY_EXTERNAL_REGISTRATION = true
+SHOW_REGISTRATION_BUTTON = false
+{% endif %}
+
+;REQUIRE_SIGNIN_VIEW = false
+ENABLE_NOTIFY_MAIL = true
+
+;ENABLE_BASIC_AUTHENTICATION = true
+;ENABLE_REVERSE_PROXY_AUTHENTICATION = false
+;ENABLE_REVERSE_PROXY_AUTHENTICATION_API = false
+;ENABLE_REVERSE_PROXY_AUTO_REGISTRATION = false
+;ENABLE_REVERSE_PROXY_EMAIL = false
+;ENABLE_REVERSE_PROXY_FULL_NAME = false
+
+;DEFAULT_KEEP_EMAIL_PRIVATE = false
+;DEFAULT_ALLOW_CREATE_ORGANIZATION = true
+;DEFAULT_USER_IS_RESTRICTED = false
+;DEFAULT_USER_VISIBILITY = public
+;ALLOWED_USER_VISIBILITY_MODES = public,limited,private
+;DEFAULT_ORG_VISIBILITY = public
+;DEFAULT_ORG_MEMBER_VISIBLE = false
+;DEFAULT_ENABLE_DEPENDENCIES = true
+;ALLOW_CROSS_REPOSITORY_DEPENDENCIES = true
+ENABLE_USER_HEATMAP = false
+ENABLE_TIMETRACKING = false
+DEFAULT_ENABLE_TIMETRACKING = false
+
+{% if var_forgejo_authentication_kind == 'internal' %}
+SHOW_REGISTRATION_BUTTON = true
+{% else %}
+SHOW_REGISTRATION_BUTTON = false
+{% endif %}
+
+AUTO_WATCH_NEW_REPOS = false
+AUTO_WATCH_ON_CHANGES = false
+
+[repository]
+ROOT = {{var_forgejo_directory_repositories}}
+
+{% if var_forgejo_authentication_kind == 'internal' %}
+[openid]
+ENABLE_OPENID_SIGNIN = false
+ENABLE_OPENID_SIGNUP = false
+{% else %}
+[openid]
+ENABLE_OPENID_SIGNIN = false
+ENABLE_OPENID_SIGNUP = true
+WHITELISTED_URIS = {{var_forgejo_authentication_data_authelia_url_base}}
+
+[oauth2_client]
+REGISTER_EMAIL_CONFIRM = false
+OPENID_CONNECT_SCOPES = openid email profile
+ENABLE_AUTO_REGISTRATION = true
+USERNAME = nickname
+{% endif %}
+
+[mailer]
+{% if var_forgejo_email_sending_enabled %}
+ENABLED = true
+SMTP_ADDR = {{var_forgejo_smtp_host}}
+SMTP_PORT = {{var_forgejo_smtp_port | string}}
+FROM = {{var_forgejo_email_sending_sender}}
+USER = {{var_forgejo_smtp_username}}
+PASSWD = {{var_forgejo_smtp_password}}
+{% if var_forgejo_email_sending_html %}
+SEND_AS_PLAIN_TEXT = false
+{% else %}
+SEND_AS_PLAIN_TEXT = true
+{% endif %}
+{% else %}
+ENABLED = false
+{% endif %}
diff --git a/roles/forgejo/templates/systemd-unit.j2 b/roles/forgejo/templates/systemd-unit.j2
new file mode 100644
index 0000000..8e2ed2e
--- /dev/null
+++ b/roles/forgejo/templates/systemd-unit.j2
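Review bot: `;HTTP_ADDR = {{var_forgejo_listen_address}}` is commented out, so `var_forgejo_listen_address` has no effect and Forgejo binds its plain-HTTP listener on Forgejo's default `0.0.0.0` (the role's own default is the same), while the nginx role only proxies to `localhost`; the backend is then reachable around nginx on port 2378 from any host that can reach the machine. Enable the line as `HTTP_ADDR = {{var_forgejo_listen_address}}` and change the default in `defaults/main.json` to `127.0.0.1`, or remove the variable if it is not meant to be configurable. `SECRET_KEY`, `INTERNAL_TOKEN` and both `PASSWD` values are written unquoted, and Forgejo's INI parser treats `;` and `#` inside a value as a comment start, so wrap them in backticks: `` SECRET_KEY = `{{var_forgejo_secret_key}}` ``. `SHOW_REGISTRATION_BUTTON` is set twice in `[service]` under the same condition; the second block (after `DEFAULT_ENABLE_TIMETRACKING`) is redundant. The `[openid]` section governs Forgejo's legacy OpenID 2.0 sign-in, not the OIDC auth source that tasks/main.json registers, so `ENABLE_OPENID_SIGNUP = true` with `WHITELISTED_URIS` pointing at Authelia looks unrelated to the integration; confirm against the cheat sheet before keeping it.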
@@ -0,0 +1,21 @@
+[Unit]
+Description=Forgejo
+After=network.target
+{% if var_forgejo_database_kind == 'postgresql' %}
+Wants=postgresql.service
+After=postgresql.service
+{% endif %}
+
+[Service]
+RestartSec=2s
+Type=simple
+User={{var_forgejo_user}}
+Group={{var_forgejo_user}}
+WorkingDirectory={{var_forgejo_directory_main}}
+ExecStart={{var_forgejo_directory_main}}/forgejo web --config {{var_forgejo_directory_main}}/custom/conf/app.ini
+Restart=always
+# Environment=USER=git HOME=/home/git FORGEJO_WORK_DIR=/var/lib/forgejo
+# Environment=PATH=/path/to/git/bin:/bin:/sbin:/usr/bin:/usr/sbin
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/forgejo/vardef.json b/roles/forgejo/vardef.json
new file mode 100644
index 0000000..025ef2e
--- /dev/null
+++ b/roles/forgejo/vardef.json
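Review bot: The unit applies no sandboxing, and since the service user also owns the binary and working directory (see tasks/main.json), a compromised process may write anywhere that user can. Forgejo's contrib unit lists hardening options that fit this layout — `ProtectSystem=full` leaves `/opt/forgejo` and `/var/forgejo` writable and only makes `/usr`, `/etc` and `/boot` read-only — so add them to `[Service]`. The two commented `# Environment=` lines are copied from upstream with paths that do not match this role (`/home/git`, `/var/lib/forgejo`); either set `Environment=FORGEJO_WORK_DIR={{var_forgejo_directory_main}}` or drop them.
```ini
[Service]
# … unchanged: RestartSec, Type, User, Group, WorkingDirectory, ExecStart, Restart …
NoNewPrivileges=true
PrivateTmp=true
PrivateDevices=true
ProtectSystem=full
ProtectHome=true
```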
@@ -0,0 +1,126 @@
+{
+ "user": {
+ "type": "string",
+ "mandatory": false
+ },
+ "directory_main": {
+ "type": "string",
+ "mandatory": false
+ },
+ "directory_repositories": {
+ "type": "string",
+ "mandatory": false
+ },
+ "version": {
+ "type": "string",
+ "mandatory": false
+ },
+ "platform": {
+ "type": "string",
+ "mandatory": false
+ },
+ "secret_key": {
+ "type": "string",
+ "mandatory": true
+ },
+ "internal_token": {
+ "type": "string",
+ "mandatory": true
+ },
+ "domain": {
+ "type": "string",
+ "mandatory": false
+ },
+ "listen_address": {
+ "type": "string",
+ "mandatory": false
+ },
+ "listen_port": {
+ "type": "integer",
+ "mandatory": false
+ },
+ "database_kind": {
+ "mandatory": false,
+ "type": "string",
+ "options": [
+ "sqlite",
+ "postgresql"
+ ]
+ },
+ "database_data_sqlite_path": {
+ "mandatory": false,
+ "type": "string"
+ },
+ "database_data_postgresql_host": {
+ "mandatory": false,
+ "type": "string"
+ },
+ "database_data_postgresql_port": {
+ "mandatory": false,
+ "type": "string"
+ },
+ "database_data_postgresql_username": {
+ "mandatory": false,
+ "type": "string"
+ },
+ "database_data_postgresql_password": {
+ "mandatory": false,
+ "type": "string"
+ },
+ "database_data_postgresql_schema": {
+ "mandatory": false,
+ "type": "string"
+ },
+ "authentication_kind": {
+ "mandatory": false,
+ "type": "string",
+ "options": [
+ "internal",
+ "authelia"
+ ]
+ },
+ "authentication_data_authelia_url_base": {
+ "mandatory": false,
+ "type": "string"
+ },
+ "authentication_data_authelia_client_id": {
+ "mandatory": false,
+ "type": "string"
+ },
+ "authentication_data_authelia_client_secret": {
+ "mandatory": false,
+ "type": "string"
+ },
+ "smtp_host": {
+ "mandatory": false,
+ "type": "string"
+ },
+ "smtp_port": {
+ "mandatory": false,
+ "type": "integer"
+ },
+ "smtp_username": {
+ "mandatory": false,
+ "type": "string"
+ },
+ "smtp_password": {
+ "mandatory": false,
+ "type": "string"
+ },
+ "email_sending_enabled": {
+ "mandatory": false,
+ "type": "boolean" + }, + "email_sending_sender": { + "mandatory": false, + "type": "string" + }, + "email_sending_html": { + "mandatory": false, + "type": "boolean" + }, + "title": { + "mandatory": false, + "type": "string" + } +} diff --git a/roles/hedgedoc-and-nginx/templates/conf.j2 b/roles/hedgedoc-and-nginx/templates/conf.j2 index e8fe34b..b9c6601 100644 --- a/roles/hedgedoc-and-nginx/templates/conf.j2 +++ b/roles/hedgedoc-and-nginx/templates/conf.j2 @@ -49,3 +49,4 @@ server { {{ hedgedoc_common() }} } +{% endif %} diff --git a/roles/hedgedoc/tasks/main.json b/roles/hedgedoc/tasks/main.json index b4fd779..5347cc1 100644 --- a/roles/hedgedoc/tasks/main.json +++ b/roles/hedgedoc/tasks/main.json @@ -27,7 +27,8 @@ "become": true, "ansible.builtin.user": { "name": "{{var_hedgedoc_user_name}}", - "create_home": true + "create_home": true, + "home": "{{var_hedgedoc_directory}}" } }, { diff --git a/roles/murmur/tasks/main.json b/roles/murmur/tasks/main.json index 5b61756..f6c84a6 100644 --- a/roles/murmur/tasks/main.json +++ b/roles/murmur/tasks/main.json @@ -15,7 +15,7 @@ "become": true, "ansible.builtin.file": { "state": "directory", - "path": "/var/murmur" + "path": "/var/murmurd" } }, { @@ -23,11 +23,10 @@ "when": "var_murmur_tls", "become": true, "loop": [ - {"from": "/etc/ssl/private/{{var_murmur_domain}}.pem", "to": "/var/murmur/tls-key.pem"}, - {"from": "/etc/ssl/fullchains/{{var_murmur_domain}}.pem", "to": "/var/murmur/tls-fullchain.pem"} + {"from": "/etc/ssl/private/{{var_murmur_domain}}.pem", "to": "/var/murmurd/tls-key.pem"}, + {"from": "/etc/ssl/fullchains/{{var_murmur_domain}}.pem", "to": "/var/murmurd/tls-fullchain.pem"} ], "ansible.builtin.copy": { - "state": "directory", "remote_src": true, "src": "{{item.from}}", "dest": "{{item.to}}", diff --git a/roles/owncloud-and-nginx/defaults/main.json b/roles/owncloud-and-nginx/defaults/main.json new file mode 100644 index 0000000..9ad192e --- /dev/null +++ b/roles/owncloud-and-nginx/defaults/main.json 
@@ -0,0 +1,5 @@
+{
+ "var_owncloud_and_nginx_domain": "owncloud.example.org",
+ "var_owncloud_and_nginx_tls_mode": "force",
+ "var_owncloud_and_nginx_maximum_upload_size": "1G"
+}
diff --git a/roles/owncloud-and-nginx/tasks/main.json b/roles/owncloud-and-nginx/tasks/main.json
new file mode 100644
index 0000000..004dfa3
--- /dev/null
+++ b/roles/owncloud-and-nginx/tasks/main.json
@@ -0,0 +1,35 @@
+[
+ {
+ "name": "deactivate default site",
+ "become": true,
+ "ansible.builtin.file": {
+ "state": "absent",
+ "dest": "/etc/nginx/sites-enabled/default"
+ }
+ },
+ {
+ "name": "emplace configuration | data",
+ "become": true,
+ "ansible.builtin.template": {
+ "src": "conf.j2",
+ "dest": "/etc/nginx/sites-available/{{var_owncloud_and_nginx_domain}}"
+ }
+ },
+ {
+ "name": "emplace configuration | link",
+ "become": true,
+ "ansible.builtin.file": {
+ "state": "link",
+ "src": "/etc/nginx/sites-available/{{var_owncloud_and_nginx_domain}}",
+ "dest": "/etc/nginx/sites-enabled/{{var_owncloud_and_nginx_domain}}"
+ }
+ },
+ {
+ "name": "restart nginx",
+ "become": true,
+ "ansible.builtin.systemd_service": {
+ "state": "restarted",
+ "name": "nginx"
+ }
+ }
+]
diff --git a/roles/owncloud-and-nginx/templates/conf.j2 b/roles/owncloud-and-nginx/templates/conf.j2
new file mode 100644
index 0000000..85e67ab
--- /dev/null
+++ b/roles/owncloud-and-nginx/templates/conf.j2
@@ -0,0 +1,34 @@
+{% macro owncloud_common() %}
+ location / {
+ proxy_pass http://localhost:9200;
+ client_max_body_size {{var_owncloud_and_nginx_maximum_upload_size}};
+ }
+{% endmacro %}
+
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name {{var_owncloud_and_nginx_domain}};
+
+{% if var_owncloud_and_nginx_tls_mode == 'force' %}
+ return 301 https://$http_host$request_uri;
+{% else %}
+ {{ owncloud_common() }}
+{% endif %}
+}
+
+{% if var_owncloud_and_nginx_tls_mode != 'disable' %}
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ server_name {{var_owncloud_and_nginx_domain}};
+
+ ssl_certificate_key /etc/ssl/private/{{var_owncloud_and_nginx_domain}}.pem;
+ ssl_certificate /etc/ssl/fullchains/{{var_owncloud_and_nginx_domain}}.pem;
+ include /etc/nginx/ssl-hardening.conf;
+
+ {{ owncloud_common() }}
+}
+{% endif %}
diff --git a/roles/owncloud-and-nginx/vardef.json b/roles/owncloud-and-nginx/vardef.json
new file mode 100644
index 0000000..7872cb8
--- /dev/null
+++ b/roles/owncloud-and-nginx/vardef.json
@@ -0,0 +1,20 @@
+
+{
+ "domain": {
+ "type": "string",
+ "mandatory": false
+ },
+ "tls_mode": {
+ "type": "string",
+ "options": [
+ "disable",
+ "enable",
+ "force"
+ ],
+ "mandatory": false
+ },
+ "maximum_upload_size": {
+ "type": "string",
+ "mandatory": false
+ }
+}
diff --git a/roles/owncloud/defaults/main.json b/roles/owncloud/defaults/main.json
new file mode 100644
index 0000000..1101e12
--- /dev/null
+++ b/roles/owncloud/defaults/main.json
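Review bot: `proxy_pass http://localhost:9200;` hard-codes the oCIS port while the sibling forgejo-and-nginx role takes its port from a variable; a `var_owncloud_and_nginx_port` default plus `{{var_owncloud_and_nginx_port | string}}` here would keep the two roles consistent and let the listener move. The missing `proxy_set_header` lines and the `$http_host` redirect noted for `roles/forgejo-and-nginx/templates/conf.j2` apply here as well. The new `vardef.json` begins with an empty first line, unlike the other roles' vardefs.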
@@ -0,0 +1,18 @@
+{
+ "var_owncloud_user": "owncloud",
+ "var_owncloud_directory": "/opt/owncloud",
+ "var_owncloud_version": "5.0.0",
+ "var_owncloud_platform": "linux-amd64",
+ "var_owncloud_domain": "owncloud.example.org",
+ "var_owncloud_admin_password": "REPLACE_ME",
+ "var_owncloud_authentication_kind": "internal",
+ "var_owncloud_authentication_data_authelia_url_base": "https://authelia.example.org",
+ "var_owncloud_authentication_data_authelia_web_client_id": "owncloud_web",
+ "var_owncloud_authentication_data_authelia_web_client_secret": "REPLACE_ME",
+ "var_owncloud_authentication_data_authelia_android_client_id": "owncloud_android",
+ "var_owncloud_authentication_data_authelia_android_client_secret": "REPLACE_ME",
+ "var_owncloud_authentication_data_authelia_ios_client_id": "owncloud_ios",
+ "var_owncloud_authentication_data_authelia_ios_client_secret": "REPLACE_ME",
+ "var_owncloud_public_share_password_necessity": "writable",
+ "var_owncloud_public_share_password_policy_active": true
+}
diff --git a/roles/owncloud/info.md b/roles/owncloud/info.md
new file mode 100644
index 0000000..b74ee6d
--- /dev/null
+++ b/roles/owncloud/info.md
@@ -0,0 +1,19 @@
+## Beschreibung
+
+Cloud-Plattform [ownCloud](https://owncloud.com/) (the rewrite in Go named "Infinite Scale")
+
+
+## Verweise
+
+- [ownCloud-Dokumentation | How to install ownCloud Infinite Scale Tech Preview in three easy steps](https://owncloud.com/news/howto-install-owncloud-infinite-scale-tech-preview/)
+- [ownCloud-Dokumentation | oCIS](https://owncloud.dev/ocis/)
+- [ownCloud-Dokumentation | Service | Proxy](https://doc.owncloud.com/ocis/next/deployment/services/s-list/proxy.html)
+- [ownCloud-Dokumentation | Service | Web](https://doc.owncloud.com/ocis/next/deployment/services/s-list/web.html)
+- [ownCloud-Dokumentation | Service | Sharing](https://doc.owncloud.com/ocis/next/deployment/services/s-list/sharing.html)
+- [GitHub | ocis](https://github.com/owncloud/ocis/)
+- [ownCloud-Foren | OCIS + Authelia](https://central.owncloud.org/t/ocis-authelia/44222)
+
+
+## ToDo
+
+- Download prüfen
diff --git a/roles/owncloud/tasks/main.json b/roles/owncloud/tasks/main.json
new file mode 100644
index 0000000..0a6e356
--- /dev/null
+++ b/roles/owncloud/tasks/main.json
@@ -0,0 +1,56 @@
+[
+ {
+ "name": "user",
+ "become": true,
+ "ansible.builtin.user": {
+ "name": "{{var_owncloud_user}}",
+ "create_home": true,
+ "home": "{{var_owncloud_directory}}"
+ }
+ },
+ {
+ "name": "download",
+ "become": true,
+ "become_user": "{{var_owncloud_user}}",
+ "ansible.builtin.get_url": {
+ "url": "https://download.owncloud.com/ocis/ocis/stable/{{var_owncloud_version}}/ocis-{{var_owncloud_version}}-{{var_owncloud_platform}}",
+ "dest": "{{var_owncloud_directory}}/ocis",
+ "mode": "u+rx"
+ }
+ },
+ {
+ "name": "setup",
+ "become": true,
+ "become_user": "{{var_owncloud_user}}",
+ "ansible.builtin.shell": {
+ "chdir": "{{var_owncloud_directory}}",
+ "cmd": "rm -f {{var_owncloud_directory}}/.ocis/config/ocis.yaml && ./ocis init --insecure no --admin-password={{var_owncloud_admin_password}}"
+ }
+ },
+ {
+ "name": "configuration",
+ "become": true,
+ "become_user": "{{var_owncloud_user}}",
+ "ansible.builtin.template": {
+ "src": "env.j2",
+ "dest": "{{var_owncloud_directory}}/.env"
+ }
+ },
+ {
+ "name": "systemd unit",
+ "become": true,
+ "ansible.builtin.template": {
+ "src": "systemd_unit.j2",
+ "dest": "/etc/systemd/system/owncloud.service"
+ }
+ },
+ {
+ "name": "run",
+ "become": true,
+ "ansible.builtin.systemd_service": {
+ "name": "owncloud",
+ "enabled": true,
+ "state": "restarted"
+ }
+ }
+]
diff --git a/roles/owncloud/templates/env.j2 b/roles/owncloud/templates/env.j2
new file mode 100644
index 0000000..1c53400
--- /dev/null
+++ b/roles/owncloud/templates/env.j2
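Review bot: The `setup` task passes the admin password as a command-line argument to `./ocis init`, so it is visible to every local user in the process list while the command runs and is recorded in Ansible's task output, because the task has no `"no_log": true`. Add `"no_log": true` to that task, quote the interpolated value (`--admin-password={{var_owncloud_admin_password | quote}}`) so a password containing shell metacharacters cannot break the command, and prefer handing the secret over through the environment if the binary supports that. The same task is also not idempotent: every run deletes `ocis.yaml` and re-runs `init`, which regenerates the generated configuration including whatever secrets it contains; a `creates` guard on the config file or a `when` condition would limit that to the first run. The `download` task fetches an executable without a `checksum` argument (info.md lists "Download prüfen" as a ToDo), so the binary is executed unverified.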
@@ -0,0 +1,44 @@
+OCIS_URL="https://{{var_owncloud_domain}}"
+OCIS_INSECURE="false"
+
+PROXY_TLS="false"
+
+{% if var_owncloud_authentication_kind == 'internal' %}
+PROXY_AUTOPROVISION_ACCOUNTS="false"
+{% endif %}
+
+{% if var_owncloud_authentication_kind == 'authelia' %}
+OCIS_OIDC_CLIENT_ID="{{var_owncloud_authentication_data_authelia_web_client_id}}"
+OCIS_OIDC_ISSUER="{{var_owncloud_authentication_data_authelia_url_base}}"
+
+PROXY_AUTOPROVISION_ACCOUNTS="true"
+PROXY_OIDC_REWRITE_WELLKNOWN="true"
+PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD="none"
+PROXY_OIDC_INSECURE="false"
+PROXY_USER_OIDC_CLAIM="name"
+PROXY_USER_CS3_CLAIM="username"
+
+WEB_OIDC_AUTHORITY="{{var_owncloud_authentication_data_authelia_url_base}}"
+WEB_OIDC_METADATA_URL="{{var_owncloud_authentication_data_authelia_url_base}}/.well-known/openid-configuration"
+WEB_OIDC_CLIENT_ID="{{var_owncloud_authentication_data_authelia_web_client_id}}"
+WEB_OIDC_SCOPE="openid profile email groups"
+{% endif %}
+
+{% if var_owncloud_public_share_password_necessity == 'nothing' %}
+OCIS_SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD="false"
+OCIS_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD="false"
+{% endif %}
+{% if var_owncloud_public_share_password_necessity == 'writable' %}
+OCIS_SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD="false"
+OCIS_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD="true"
+{% endif %}
+{% if var_owncloud_public_share_password_necessity == 'all' %}
+OCIS_SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD="true"
+OCIS_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD="true"
+{% endif %}
+
+{% if var_owncloud_public_share_password_policy_active %}
+OCIS_SHARING_PASSWORD_POLICY_DISABLED="false"
+{% else %}
+OCIS_SHARING_PASSWORD_POLICY_DISABLED="true"
+{% endif %}
diff --git a/roles/owncloud/templates/systemd_unit.j2 b/roles/owncloud/templates/systemd_unit.j2
new file mode 100644
index 0000000..7e43971
--- /dev/null
+++ b/roles/owncloud/templates/systemd_unit.j2
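Review bot: `PROXY_USER_OIDC_CLAIM="name"` maps the token's `name` claim to the ownCloud account, and in OIDC `name` is the user's display name, which is neither guaranteed unique nor stable; combined with `PROXY_AUTOPROVISION_ACCOUNTS="true"` a changed or duplicated display name would presumably provision a fresh account or match the wrong one. A username-type claim such as `preferred_username` is the safer identifier — verify against the Authelia oCIS integration guide linked from info.md, which I believe uses that claim. `PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD="none"` switches off the proxy's local access-token verification and deserves a comment stating why (presumably because the issuer's access tokens are opaque rather than JWTs), e.g. `{# verify method "none": issuer access tokens are opaque, not JWT -- see linked Authelia oCIS guide #}`, so it is not later read as a leftover debug setting.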
@@ -0,0 +1,15 @@
+[Unit]
+Description=ownCloud
+After=network.target
+
+[Service]
+WorkingDirectory={{var_owncloud_directory}}
+EnvironmentFile={{var_owncloud_directory}}/.env
+ExecStart={{var_owncloud_directory}}/ocis server
+Type=simple
+Restart=always
+User={{var_owncloud_user}}
+
+[Install]
+WantedBy=default.target
+RequiredBy=network.target
diff --git a/roles/owncloud/vardef.json b/roles/owncloud/vardef.json
new file mode 100644
index 0000000..6641a03
--- /dev/null
+++ b/roles/owncloud/vardef.json
@@ -0,0 +1,75 @@
+{
+ "user": {
+ "type": "string",
+ "mandatory": false
+ },
+ "directory": {
+ "type": "string",
+ "mandatory": false
+ },
+ "version": {
+ "type": "string",
+ "mandatory": false
+ },
+ "platform": {
+ "type": "string",
+ "mandatory": false
+ },
+ "domain": {
+ "type": "string",
+ "mandatory": false
+ },
+ "admin_password": {
+ "type": "string",
+ "mandatory": true
+ },
+ "authentication_kind": {
+ "type": "string",
+ "mandatory": false,
+ "options": [
+ "internal",
+ "authelia"
+ ]
+ },
+ "authentication_data_authelia_url_base": {
+ "type": "string",
+ "mandatory": false
+ },
+ "authentication_data_authelia_web_client_id": {
+ "type": "string",
+ "mandatory": false
+ },
+ "authentication_data_authelia_web_client_secret": {
+ "type": "string",
+ "mandatory": false
+ },
+ "authentication_data_authelia_android_client_id": {
+ "type": "string",
+ "mandatory": false
+ },
+ "authentication_data_authelia_android_client_secret": {
+ "type": "string",
+ "mandatory": false
+ },
+ "authentication_data_authelia_ios_client_id": {
+ "type": "string",
+ "mandatory": false
+ },
+ "authentication_data_authelia_ios_client_secret": {
+ "type": "string",
+ "mandatory": false
+ },
+ "public_share_password_necessity": {
+ "type": "string",
+ "mandatory": false,
+ "options": [
+ "nothing",
+ "writable",
+ "all"
+ ]
+ },
+ "public_share_password_policy_active": {
+ "type": "boolean",
+ "mandatory": false
+ }
+}
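Review bot: `RequiredBy=network.target` in `[Install]` points the dependency the wrong way: it makes `network.target` require `owncloud.service`, so a failing ownCloud drags the network target along, and the ordering is already expressed by `After=network.target`. Drop that line and use `WantedBy=multi-user.target`, the usual target for a system service (`default.target` is typically only an alias for it). Because the service already runs as an unprivileged user with a fixed working directory, the unit has everything needed for standard sandboxing directives; the excerpt below shows one shape, with `ReadWritePaths` to be confirmed against where oCIS actually writes.
```ini
# … unchanged: [Unit] section and the existing [Service] lines up to User= …
User={{var_owncloud_user}}
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=strict
ReadWritePaths={{var_owncloud_directory}}

[Install]
WantedBy=multi-user.target
```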
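Review bot: The `authentication_data_authelia_*` entries are all `"mandatory": false`, yet env.j2 reads the url base and web client id whenever `authentication_kind` is `authelia`; the schema cannot express that conditional, so selecting `authelia` without overriding the defaults silently renders the placeholder values from defaults/main.json. Enforce it where the kind is known — an `ansible.builtin.assert` in tasks/main.json with `when: var_owncloud_authentication_kind == 'authelia'` — and document the dependency on each entry if the vardef format allows a description field. Whether `"mandatory": true` on `admin_password` is satisfied by the `REPLACE_ME` default is not visible here and worth confirming.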
diff --git a/roles/postgresql-for-forgejo/defaults/main.json b/roles/postgresql-for-forgejo/defaults/main.json
new file mode 100644
index 0000000..2fecd7a
--- /dev/null
+++ b/roles/postgresql-for-forgejo/defaults/main.json
@@ -0,0 +1,5 @@
+{
+ "var_postgresql_for_forgejo_username": "forgejo_user",
+ "var_postgresql_for_forgejo_password": "REPLACE_ME",
+ "var_postgresql_for_forgejo_schema": "forgejo"
+}
diff --git a/roles/postgresql-for-forgejo/tasks/main.json b/roles/postgresql-for-forgejo/tasks/main.json
new file mode 100644
index 0000000..6427c07
--- /dev/null
+++ b/roles/postgresql-for-forgejo/tasks/main.json
@@ -0,0 +1,49 @@
+[
+ {
+ "name": "packages",
+ "become": true,
+ "ansible.builtin.apt": {
+ "update_cache": true,
+ "pkg": [
+ "acl",
+ "python3-psycopg2"
+ ]
+ }
+ },
+ {
+ "name": "user",
+ "become": true,
+ "become_user": "postgres",
+ "community.postgresql.postgresql_user": {
+ "state": "present",
+ "name": "{{var_postgresql_for_forgejo_username}}",
+ "password": "{{var_postgresql_for_forgejo_password}}"
+ },
+ "environment": {
+ "PGOPTIONS": "-c password_encryption=scram-sha-256"
+ }
+ },
+ {
+ "name": "schema",
+ "become": true,
+ "become_user": "postgres",
+ "community.postgresql.postgresql_db": {
+ "state": "present",
+ "name": "{{var_postgresql_for_forgejo_schema}}",
+ "owner": "{{var_postgresql_for_forgejo_username}}"
+ }
+ },
+ {
+ "name": "rights",
+ "become": true,
+ "become_user": "postgres",
+ "community.postgresql.postgresql_privs": {
+ "state": "present",
+ "db": "{{var_postgresql_for_forgejo_schema}}",
+ "objs": "ALL_IN_SCHEMA",
+ "roles": "{{var_postgresql_for_forgejo_username}}",
+ "privs": "ALL",
+ "grant_option": true
+ }
+ }
+]
diff --git a/roles/synapse/defaults/main.json b/roles/synapse/defaults/main.json
index b9b9a60..791dd98 100644
--- a/roles/synapse/defaults/main.json
+++ b/roles/synapse/defaults/main.json
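Review bot: The `rights` task grants `ALL` with `"grant_option": true` on `ALL_IN_SCHEMA` to the application role, which lets that role pass its privileges on to other roles — unnecessary for an application account and contrary to least privilege; set `"grant_option": false` or drop the key. The grant is also largely redundant: the preceding `schema` task already makes the role owner of the database, and on a freshly created database `ALL_IN_SCHEMA` (by default tables in `public`) matches no objects, so tables Forgejo creates later are owned by the role anyway; if the task is kept, a comment in `name` or a `when` should say which pre-existing objects it is meant to cover. The `user` task passes the password as a module argument; the module marks that argument as sensitive in its own output as far as I know, but adding `"no_log": true` to the task costs nothing and does not depend on that, while the `PGOPTIONS` SCRAM setting is the right choice and should stay.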
@@ -24,6 +24,8 @@
 "var_synapse_smtp_port": 587,
 "var_synapse_smtp_username": "synapse@smtp.example.org",
 "var_synapse_smtp_password": "REPLACE_ME",
+ "var_synapse_notifications_via_email_enabled_by_default": false,
+ "var_synapse_notifications_via_email_delay": "1h",
 "var_synapse_admin_user_define": true,
 "var_synapse_admin_user_name": "admin",
 "var_synapse_admin_user_password": "REPLACE_ME"
diff --git a/roles/synapse/templates/homeserver.yaml.j2 b/roles/synapse/templates/homeserver.yaml.j2
index d46f115..a9c6729 100644
--- a/roles/synapse/templates/homeserver.yaml.j2
+++ b/roles/synapse/templates/homeserver.yaml.j2
@@ -172,7 +172,8 @@ email:
 require_transport_security: true
 notif_from: "%(app)s | {{var_synapse_title}}"
 enable_notifs: true
- notif_for_new_users: false
+ notif_for_new_users: {{var_synapse_notifications_via_email_enabled_by_default | to_yaml}}
+ notif_delay_before_mail: {{var_synapse_notifications_via_email_delay}}
 subjects:
 password_reset: "[%(server_name)s] Passwort zurücksetzen"
 email_validation: "[%(server_name)s] Nutzer-Konto-Freischaltung"
diff --git a/roles/synapse/vardef.json b/roles/synapse/vardef.json
index ebf6005..8c4e584 100644
--- a/roles/synapse/vardef.json
+++ b/roles/synapse/vardef.json
@@ -110,6 +110,14 @@
 "type": "string",
 "mandatory": true
 },
+ "notifications_via_email_enabled_by_default": {
+ "type": "boolean",
+ "mandatory": false
+ },
+ "notifications_via_email_delay": {
+ "type": "string",
+ "mandatory": false
+ },
 "admin_user_define": {
 "type": "boolean",
 "mandatory": false
diff --git a/todo.md b/todo.md
index 414e546..fa8064d 100644
--- a/todo.md
+++ b/todo.md
@@ -1,4 +1,3 @@
 - postgresql:hba-setup
-- [Gitea](https://about.gitea.com/)
 - [Seafile](https://www.seafile.com/en/home/)
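Review bot: `notif_for_new_users: {{ ... | to_yaml}}` in the homeserver.yaml.j2 hunk is fragile for a scalar: Ansible's `to_yaml` filter serialises a standalone boolean as a complete YAML document, and PyYAML-style dumpers add a trailing document-end line (`...`) for a scalar document, which would land in the middle of homeserver.yaml — check the rendered file. Rendering the value with `{{var_synapse_notifications_via_email_enabled_by_default | bool | lower}}` yields a bare `true`/`false` without that risk; the `notif_delay_before_mail` line is fine as written since a value like `1h` needs no quoting. The `email:` mapping continues outside the hunk.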