diff --git a/community/gitea/PKGBUILD b/community/gitea/PKGBUILD
index 2f76f7c45..2bc913e61 100644
--- a/community/gitea/PKGBUILD
+++ b/community/gitea/PKGBUILD
@@ -9,7 +9,7 @@
 # - don't check repo signature until author puts his keys on keyservers
 pkgname=gitea
-pkgver=1.14.5
+pkgver=1.15.4
 pkgrel=1
 pkgdesc="Painless self-hosted Git service, community managed."
 arch=(x86_64)
@@ -26,18 +26,15 @@ optdepends=(
 'redis: Redis support'
 'sqlite: SQLite support'
 )
-backup=('etc/gitea/app.ini')
-_tag=7da5c8ff95a0ed5877a4a54014fdca432ed0adf7 # git rev-parse v${pkgver}
+_tag=d2bddf294c98da0e88822dfcd972e01e564d17f4 # git rev-parse v${pkgver}
 source=("git+https://github.com/go-gitea/gitea.git#tag=${_tag}"
 gitea.tmpfiles
 gitea.service
- gitea.sysusers
- gitea-arch-defaults.patch)
+ gitea.sysusers)
 sha256sums=(SKIP
- 1521fd7edc3830c695698ffe9835709f1408040b5ec989f07410972c894fa8ba
- d4e6b0dc3d5b40c3f1254b5a8bc8f62e0b1126e0559b1f024b3ebf0ccda91af8
- 7e7b798b8ce035c1fb55993ece41c5efb6cad5922708866804fa50ada0cf9fa5
- 912b5c41a6ca0b5be948a4eff0475e596cdc685bfd3da2aa914b5f762aaf272c)
+ 9f63a517e8da6865fa6d9e87f6b08fe25ea56285304115e052809663c48dc3d7
+ b16d02a9f32a17cc14dfa46a980bad795a4ed744627e6342248f60236dc2be43
+ 7e7b798b8ce035c1fb55993ece41c5efb6cad5922708866804fa50ada0cf9fa5)
 validpgpkeys=(
 8C4033A23895237CB27D52D9D9B5613BEB813F99 # Matti Ranta old RSA2048, retrieved from https://github.com/techknowlogick.gpg
 B56E3C7437A49E136862F5DE9D8A57ADAA232E95 # Matti Ranta new RSA4096, retrieved from https://github.com/techknowlogick.gpg
@@ -48,11 +45,10 @@ validpgpkeys=(
 B5F0915813554C32C1D599C2C99B82E40B027BAE # '6543' <6543@obermui.de>
 D2CF76DA95F201E9901532AB3CDE74631F13A748 # Andrew Thornton , retrieved from https://github.com/zeripath.gpg
 )
+install=gitea.install
 prepare() {
 cd ${pkgname}
- # Change some defaults for ArchLinux
- patch -Np1 -i ../gitea-arch-defaults.patch
 # Fetch dependency using go mod
 make vendor
 }
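Review bot: The new `_tag` hash in the `@@ -26,18 +26,15 @@` hunk is the only integrity anchor for the upstream checkout: the git entry in `sha256sums` is `SKIP`, the `source` URL carries no `?signed` fragment, and the header comment says signature checking is deliberately off, so the `validpgpkeys` list is not exercised by makepkg. The trailing comment `# git rev-parse v${pkgver}` records how the hash was obtained but not whether the tag it came from was verified. I would extend it to something like `# git rev-parse v${pkgver}, tag checked with git verify-tag against validpgpkeys`, so the next bump repeats the manual check. The `validpgpkeys` array continues outside this hunk.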
@@ -72,7 +68,7 @@ build() {
 export CGO_CXXFLAGS="${CXXFLAGS}"
 export CGO_LDFLAGS="${LDFLAGS}"
 export EXTRA_GOFLAGS="-buildmode=pie -trimpath -mod=readonly -modcacherw"
- export LDFLAGS="-X 'code.gitea.io/gitea/modules/setting.AppWorkPath=/var/lib/gitea/'"
+ export LDFLAGS="-X 'code.gitea.io/gitea/modules/setting.AppWorkPath=/var/lib/gitea/' -X 'code.gitea.io/gitea/modules/setting.CustomConf=/etc/gitea/app.ini'"
 export TAGS="bindata sqlite sqlite_unlock_notify pam"
 make -j1
 }
@@ -83,5 +79,5 @@ package() {
 install -Dm644 ${pkgname}.service -t "${pkgdir}"/usr/lib/systemd/system/
 install -Dm644 ${pkgname}.tmpfiles "${pkgdir}"/usr/lib/tmpfiles.d/${pkgname}.conf
 install -Dm644 ${pkgname}.sysusers "${pkgdir}"/usr/lib/sysusers.d/${pkgname}.conf
- install -D ${pkgname}/custom/conf/app.example.ini "${pkgdir}"/etc/gitea/app.ini
+ install -D ${pkgname}/custom/conf/app.example.ini -t "${pkgdir}"/etc/gitea/
 }
diff --git a/community/gitea/gitea-arch-defaults.patch b/community/gitea/gitea-arch-defaults.patch
deleted file mode 100644
index 50e5de85e..000000000
--- a/community/gitea/gitea-arch-defaults.patch
+++ /dev/null
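Review bot: The rewritten `install -D ... app.example.ini -t "${pkgdir}"/etc/gitea/` line in the `package()` hunk still passes no `-m`, so the example config is installed with install's default mode 0755, while the other three files visible in the hunk use `-Dm644`. A reference file under /etc has no reason to be executable; `install -Dm644 ${pkgname}/custom/conf/app.example.ini -t "${pkgdir}"/etc/gitea/` keeps it consistent with its neighbours. `package()` starts above the hunk, so earlier install lines are not visible here.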
@@ -1,51 +0,0 @@
---- a/custom/conf/app.example.ini
-+++ b/custom/conf/app.example.ini
-@@ -9,7 +9,7 @@
- ; App name that shows in every page title
- APP_NAME = Gitea: Git with a cup of tea
- ; Change it if you run locally
--RUN_USER = git
-+RUN_USER = gitea
- ; Application run mode, affects performance and debugging. Either "dev", "prod" or "test", default is "prod"
- RUN_MODE = prod
-
-@@ -20,7 +20,7 @@ PROJECT_BOARD_BUG_TRIAGE_TYPE = Needs Triage, High Priority, Low Priority, Close
-
- [repository]
- ; Root path for storing all repository data. It must be an absolute path. By default it is stored in a sub-directory of `APP_DATA_PATH`.
--ROOT =
-+ROOT = /var/lib/gitea/repos
- ; The script type this server supports. Usually this is `bash`, but some users report that only `sh` is available.
- SCRIPT_TYPE = bash
- ; DETECTED_CHARSETS_ORDER tie-break order for detected charsets.
-@@ -442,7 +442,7 @@ SQLITE_TIMEOUT = 500
- ; For iterate buffer, default is 50
- ITERATE_BUFFER_SIZE = 50
- ; Show the database generated SQL
--LOG_SQL = true
-+LOG_SQL = false
- ; Maximum number of DB Connect retries
- DB_RETRIES = 10
- ; Backoff time per DB retry (time.Duration)
-@@ -875,10 +875,10 @@ FORMAT =
- DEFAULT_UI_LOCATION =
-
- [log]
--ROOT_PATH =
-+ROOT_PATH = /var/log/gitea/
- ; Either "console", "file", "conn", "smtp" or "database", default is "console"
- ; Use comma to separate multiple modes, e.g. "console, file"
--MODE = console
-+MODE = console, file
- ; Buffer length of the channel, keep it as it is if you don't know what it is.
- BUFFER_LEN = 10000
- ; Either "Trace", "Debug", "Info", "Warn", "Error", "Critical", default is "Info"
-@@ -901,7 +901,7 @@ COLORIZE = false
-
- ; For "console" mode only
- [log.console]
--LEVEL =
-+LEVEL = Info
- STDERR = false
-
- ; For "file" mode only
diff --git a/community/gitea/gitea.install b/community/gitea/gitea.install
new file mode 100644
index 000000000..b252fc71c
--- /dev/null
+++ b/community/gitea/gitea.install
@@ -0,0 +1,8 @@
+post_upgrade() {
+ if [ "$(vercmp "$2" "1.15.0")" -le 0 ]; then
+ echo "The app.ini configuration file is not prefilled anymore. The current"
+ echo "one has been saved to .pacsave, you need to at least rename it before"
+ echo "restarting gitea. The app.example.ini file is provided for a reference"
+ echo "of settings."
+ fi
+}
diff --git a/community/gitea/gitea.service b/community/gitea/gitea.service
index dfc1d7353..126ea945e 100644
--- a/community/gitea/gitea.service
+++ b/community/gitea/gitea.service
@@ -19,24 +19,28 @@ Environment=USER=gitea HOME=/var/lib/gitea GITEA_WORK_DIR=/var/lib/gitea
 ExecStart=/usr/bin/gitea web -c /etc/gitea/app.ini
 Restart=always
 RestartSec=2s
+ReadWritePaths=/etc/gitea/app.ini
+AmbientCapabilities=
 CapabilityBoundingSet=
+LockPersonality=true
+#Required by commit search
+#MemoryDenyWriteExecute=true
 NoNewPrivileges=True
 #SecureBits=noroot-locked
-ProtectSystem=strict
-ProtectHome=true
-ReadWritePaths=/etc/gitea/app.ini
-PrivateTmp=true
 PrivateDevices=true
+PrivateTmp=true
 PrivateUsers=true
-ProtectHostname=true
 ProtectClock=true
-ProtectKernelTunables=true
-ProtectKernelModules=true
-ProtectKernelLogs=true
 ProtectControlGroups=true
-LockPersonality=true
-MemoryDenyWriteExecute=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectProc=invisible
+ProtectSystem=strict
 RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
+RestrictNamespaces=true
 RestrictRealtime=true
 RestrictSUIDSGID=true
 SystemCallArchitectures=native
diff --git a/community/gitea/gitea.tmpfiles b/community/gitea/gitea.tmpfiles
index 7d92761cd..ad1997071 100644
--- a/community/gitea/gitea.tmpfiles
+++ b/community/gitea/gitea.tmpfiles
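Review bot: The upgrade notice in `post_upgrade()` never names the file the admin has to act on; it only says the old config was "saved to .pacsave" and must be renamed. That file normally holds the instance's secrets and database credentials, so the message should give the exact source and target and the expected ownership, e.g. `echo "Move /etc/gitea/app.ini.pacsave back to /etc/gitea/app.ini (gitea:gitea, mode 0600)"`, matching the `z /etc/gitea/app.ini 0600 gitea gitea` rule this commit sets in gitea.tmpfiles. There is also no `post_install`, so a fresh install gets no hint that `app.ini` has to exist before the unit is started.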
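Review bot: `ReadWritePaths=/etc/gitea/app.ini` now points at a file the package no longer installs: the PKGBUILD in this commit ships only `app.example.ini`, and the tmpfiles `z` lines adjust existing paths without creating them. systemd treats a missing `ReadWritePaths=` entry as an error unless it is prefixed with `-`, so on a fresh install the unit would presumably fail at namespace setup, and with `ProtectSystem=strict` gitea cannot create the file itself. Creating an empty file from gitea.tmpfiles, `f /etc/gitea/app.ini 0600 gitea gitea`, would keep the write exception as narrow as it is now. Separately, `#Required by commit search` above the disabled `#MemoryDenyWriteExecute=true` reads as if the directive were required; something like `# MemoryDenyWriteExecute is left off because commit search breaks with it` states the trade-off that was accepted.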
@@ -6,5 +6,5 @@ d /var/lib/gitea/repos 0750
 d /var/lib/gitea/tmp 0750
 Z /var/lib/gitea - gitea gitea
 d /var/log/gitea 0750 gitea gitea
-z /etc/gitea 0755 root gitea
-z /etc/gitea/app.ini 0660 root gitea
+z /etc/gitea 0755 gitea gitea
+z /etc/gitea/app.ini 0600 gitea gitea
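Review bot: `z /etc/gitea 0755 gitea gitea` hands the whole configuration directory to the service account, which is more than the unit needs, since gitea.service only lists `/etc/gitea/app.ini` under `ReadWritePaths=`. A directory owner can rename, replace or add files in it, so anything running as gitea outside the unit's sandbox could swap the configuration wholesale. Keeping `z /etc/gitea 0755 root gitea` and changing only the file line to `z /etc/gitea/app.ini 0600 gitea gitea` gives the service the same access with a smaller write surface. This assumes gitea rewrites app.ini in place rather than through a temporary file in the same directory, which should be confirmed before tightening.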