diff --git a/group_vars/gitea.yml b/host_vars/forgejo.mgrote.net.yml
similarity index 100%
rename from group_vars/gitea.yml
rename to host_vars/forgejo.mgrote.net.yml
diff --git a/host_vars/gitea.mgrote.net.yml b/host_vars/gitea.mgrote.net.yml
new file mode 100644
index 00000000..067964e8
--- /dev/null
+++ b/host_vars/gitea.mgrote.net.yml
@@ -0,0 +1,119 @@
+---
+### mrlesmithjr.ansible-manage-lvm
+lvm_groups:
+  - vgname: vg_gitea_data
+    disks:
+      - /dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi1
+    create: true
+    lvnames:
+      - lvname: lv_gitea_data
+        size: +100%FREE
+        create: true
+        filesystem: xfs
+        mount: true
+        mntp: /var/lib/gitea
+manage_lvm: true
+pvresize_to_max: true
+
+### mgrote_restic
+restic_folders_to_backup: "/ /var/lib/gitea" # --one-file-system ist gesetzt, also werden weitere Dateisysteme nicht eingeschlossen, es sei denn sie werden hier explizit angegeben; https://restic.readthedocs.io/en/latest/040_backup.html#excluding-files
+
+### mgrote_apt_manage_packages
+apt_packages_extra:
+  - fail2ban
+
+### oefenweb.ufw
+ufw_rules:
+  - rule: allow
+    to_port: 22
+    protocol: tcp
+    comment: 'ssh'
+    from_ip: 0.0.0.0/0
+  - rule: allow
+    to_port: 4949
+    protocol: tcp
+    comment: 'munin'
+    from_ip: 192.168.2.0/24
+  - rule: allow
+    to_port: "{{ gitea_http_port }}"
+    protocol: tcp
+    comment: 'gitea'
+    from_ip: 0.0.0.0/0
+  - rule: allow
+    to_port: "{{ gitea_ssh_port }}"
+    protocol: tcp
+    comment: 'gitea'
+    from_ip: 0.0.0.0/0
+
+### l3d.gitea
+# config liegt in /etc/gitea/gitea.ini
+gitea_version: "1.21.7-0"
+gitea_fork: "forgejo"
+gitea_app_name: "Gitea"
+gitea_user: "gitea"
+gitea_home: "/var/lib/gitea"
+gitea_repository_root: "{{ gitea_home }}"
+gitea_user_repo_limit: 300
+gitea_root_url: https://git.mgrote.net
+gitea_offline_mode: true
+gitea_lfs_server_enabled: false
+gitea_secret_key: "{{ lookup('keepass', 'gitea_secret_key', 'password') }}"
+gitea_internal_token: "{{ lookup('keepass', 'gitea_internal_token', 'password') }}"
+gitea_disable_git_hooks: false
+gitea_show_user_email: false
+gitea_disable_gravatar: true
+gitea_enable_captcha: true
+gitea_only_allow_external_registration: false
+gitea_enable_notify_mail: true
+gitea_autowatch_on_change: true
+gitea_force_private: false
+gitea_oauth2_enabled: true
+gitea_repo_indexer_enabled: true
+
+gitea_mailer_enabled: true
+gitea_mailer_protocol: smtp
+gitea_mailer_smtp_addr: docker10.mgrote.net
+gitea_mailer_smtp_port: 1025
+gitea_mailer_from: "gitea@mgrote.net"
+
+gitea_default_branch: 'master'
+
+gitea_db_type: sqlite3
+gitea_db_path: "{{ gitea_home }}/data/gitea.db" # for sqlite3
+
+gitea_ssh_listen: 0.0.0.0
+gitea_ssh_domain: gitea.mgrote.net
+gitea_ssh_port: 2222
+gitea_start_ssh: true
+
+gitea_http_domain: git.mgrote.net
+gitea_http_listen: 0.0.0.0
+gitea_http_port: 3000
+gitea_disable_http_git: false
+gitea_protocol: http
+
+gitea_show_registration_button: false
+gitea_require_signin: false
+gitea_disable_registration: true
+
+gitea_fail2ban_enabled: true
+gitea_fail2ban_jail_maxretry: 3
+gitea_fail2ban_jail_findtime: 300
+gitea_fail2ban_jail_bantime: 600
+# webhook: wird für drone benötigt, sonst wird der Webhook nicht "gesendet"
+# archive_cleanup: https://forum.gitea.com/t/how-to-configure-cron-task-for-delete-all-repositories-archives-zip-tar-gz-etc/4848/3
+gitea_extra_config: |
+  [webhook]
+  ALLOWED_HOST_LIST = *.mgrote.net
+
+  [cron.archive_cleanup]
+  ENABLED = true
+  RUN_AT_START = true
+  SCHEDULE = @midnight
+
+gitea_backup_on_upgrade: false
+gitea_backup_location: "{{ gitea_home }}/backups/"
+
+submodules_versioncheck: true
+gitea_log_systemd: true
+gitea_log_level: "Info"