diff --git a/host_vars/forgejo.mgrote.net.yml b/host_vars/forgejo.mgrote.net.yml
index 9404dc82..2c4544e9 100644
--- a/host_vars/forgejo.mgrote.net.yml
+++ b/host_vars/forgejo.mgrote.net.yml
@@ -80,12 +80,14 @@ gitea_db_type: postgres
 gitea_db_host: localhost
 gitea_db_name: gitea
 gitea_db_user: gitea
-gitea_db_password: changeme
+gitea_db_password: "{{ lookup('keepass', 'gitea_db_password', 'password') }}"
 # indexer
 gitea_repo_indexer_enabled: true
 # security
 gitea_disable_webhooks: false
 gitea_password_check_pwn: false
+gitea_internal_token: "{{ lookup('keepass', 'gitea_internal_token', 'password') }}"
+gitea_secret_key: "{{ lookup('keepass', 'gitea_secret_key', 'password') }}"
 # service
 gitea_disable_registration: false # true
 gitea_register_email_confirm: true # true
@@ -119,6 +121,8 @@ gitea_actions_enabled: false
 gitea_extra_config: |
   [webhook]
   ALLOWED_HOST_LIST = *.mgrote.net
+# oauth2
+gitea_oauth2_jwt_secret: "{{ lookup('keepass', 'gitea_oauth2_jwt_secret', 'password') }}"
 # Fail2Ban configuration
 gitea_fail2ban_enabled: true
 gitea_fail2ban_jail_maxretry: "3"
diff --git a/keepass_db.kdbx b/keepass_db.kdbx
index bdc0f30d..5f7b6982 100644
Binary files a/keepass_db.kdbx and b/keepass_db.kdbx differ