diff --git a/defaults/main.yml b/defaults/main.yml
index b1fdca2..e3ca04e 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -50,3 +50,6 @@ gitea_fail2ban_jail_findtime: 3600
 gitea_fail2ban_jail_bantime: 900
 gitea_fail2ban_jail_action: iptables-allports
 
+gitea_oauth2_enabled: true
+gitea_oauth2_jwt_secret: ChangeMe
+
diff --git a/templates/gitea.ini.j2 b/templates/gitea.ini.j2
index 0952bb0..cc954b6 100644
--- a/templates/gitea.ini.j2
+++ b/templates/gitea.ini.j2
@@ -651,13 +651,13 @@ DEFAULT_GIT_TREES_PER_PAGE = 1000
 
 [oauth2]
 ; Enables OAuth2 provider
-ENABLED = true
+ENABLED = {{ gitea_oauth2_enabled }}
 ; Lifetime of an OAuth2 access token in seconds
 ACCESS_TOKEN_EXPIRATION_TIME=3600
 ; Lifetime of an OAuth2 access token in hours
 REFRESH_TOKEN_EXPIRATION_TIME=730
 ; OAuth2 authentication secret for access and refresh tokens, change this a unique string.
-JWT_SECRET=Bk0yK7Y9g_p56v86KaHqjSbxvNvu3SbKoOdOt2ZcXvU
+JWT_SECRET = {{ gitea_oauth2_jwt_secret }}
 
 [i18n]
 LANGS = en-US,zh-CN,zh-HK,zh-TW,de-DE,fr-FR,nl-NL,lv-LV,ru-RU,uk-UA,ja-JP,es-ES,pt-BR,pl-PL,bg-BG,it-IT,fi-FI,tr-TR,cs-CZ,sr-SP,sv-SE,ko-KR