feat(capytal,gitea)!: migrate from https://forge.capytal.company to https://code.capytal.cc

A new forge is now used, it is pretty much equal to before, but now we are using (a fork of) Gitea instead of Forgejo. Gitea was choosen because provides more features that we need compared to Forgejo and it has a more modern codebase to fork and customize. The fork can be found at https://code.capytal.cc/loreddev/gitea, it mostly provides a new default theme and custom UI changes.
2026-01-15 23:46:13 -03:00 · 2025-10-11 09:21:21 -03:00
parent 8df6647f9e
commit 470d719f80
6 changed files with 375 additions and 87 deletions
--- a/capytal/forge.nix
+++ b/capytal/forge.nix
@@ -1,118 +1,350 @@
 {
  config,
+  inputs,
  lib,
+  self,
  pkgs,
  ...
 }: let
  cfg = config.services.forgejo;
+  gitea = config.services.gitea;
 in {
-  services.forgejo = {
+  imports = [
+    self.nixosModules.gitea
+  ];
+
+  services.gitea = {
    enable = true;
-    package = pkgs.forgejo;
-    settings = let
-      initList = l: (lib.strings.concatStringsSep "," l);
-    in {
+    package = inputs.loreddev-gitea.packages.${pkgs.system}.default;
+    lfs.enable = true;
+    settings = with lib; let
+      initList = l: (concatStringsSep "," l);
+    in rec {
      DEFAULT = {
        APP_NAME = "Capytal Code";
      };
-      actions = {
-        ENABLED = true;
-        DEFAULT_ACTIONS_URL = "https://data.forgejo.org";
-      };
-      admin = {
-        DISABLE_REGULAR_ORG_CREATION = true;
-        USER_DISABLED_FEATURES = "deletion manage_ssh_keys manage_gpg_keys";
-        EXTERNAL_USER_DISABLED_FEATURES = "deletion manage_ssh_keys manage_gpg_keys";
-      };
-      database = {
-        HOST = "127.0.0.1:${toString config.services.postgresql.settings.port}";
-        NAME = "forgejo";
-        USER = "forgejo";
-        SSL_MODE = "disable";
-      };
      repository = {
        DEFAULT_REPO_UNITS = initList [
          "repo.code"
          "repo.issues"
          "repo.pulls"
        ];
+        DEFAULT_TEMPLATE_REPO_UNITS = repository.DEFAULT_REPO_UNITS;
+      };
+      "repository.pull-request" = {
+        CLOSE_KEYWORDS = initList [
+          # en-US
+          "close"
+          "closes"
+          "closed"
+          "fix"
+          "fixes"
+          "fixed"
+          "resolve"
+          "resolves"
+          "resolved"
+          # pt-BR
+          "corrige"
+          "completa"
+          "fecha"
+          "implementa"
+          "resolve"
+          "termina"
+        ];
+      };
+      "repository.signing" = {
+        DEFAULT_TRUST_MODEL = "committer";
+      };
+      "ui.meta" = {
+        AUTHOR = "Capytal";
+        DESCRIPTION = replaceString "\n" " " ''
+          Software forge dedicated for hosting official projects from Capytal and it's members.
+          Explore and discover the source-code of our commercial user-facing products, internal
+          developer-focused libraries, and infraestructure setups.
+        '';
+        KEYWORDS = initList [
+          "capytal"
+          "capytal code"
+          "capytal-code"
+          "git"
+          "gitea"
+          "projects"
+          "development"
+          "open source"
+          "open-source"
+        ];
+      };
+      server = {
+        DOMAIN = "code.capytal.cc";
+        ROOT_URL = "https://${server.DOMAIN}";
+        PUBLIC_URL_DETECTION = "auto";
+        HTTP_PORT = 9964;
+      };
+      database = {
+        DB_TYPE = "sqlite3";
+        NAME = "gitea";
+        USER = "gitea";
+        SQLITE_JOURNAL_MODE = "WAL";
      };
      security = {
-        REVERSE_PROXY_TRUSTED_PROXIES = "127.0.0.0/8,::1/128";
-      };
-      server = rec {
-        HTTP_PORT = 9960;
-        DOMAIN = "forge.capytal.company";
-        ROOT_URL = "https://${DOMAIN}";
+        INSTALL_LOCK = true;
+        COOKIE_REMEMBER_NAME = "__Host-capytal_code_forge_incredible";
+        PASSWORD_COMPLEXITY = initList ["lower" "upper" "digit" "spec"];
+        PASSWORD_CHECK_PWN = true;
      };
      service = {
+        REGISTER_MANUAL_CONFIRM = true;
+        REVERSE_PROXY_TRUSTED_PROXIES = "127.0.0.0/8,::1/128";
        DISABLE_REGISTRATION = true;
+        DEFAULT_KEEP_EMAIL_PRIVATE = true;
+        DEFAULT_ALLOW_CREATE_ORGANIZATION = false;
+        DEFAULT_USER_IS_RESTRICTED = true;
+        SHOW_REGISTRATION_BUTTON = false;
+        ALLOW_ONLY_INTERNAL_REGISTRATION = true;
+        VALID_SITE_URL_SCHEMES = initList ["https"];
      };
+      qos = {
+        # For endpoints not protected by Anubis and protect from overload in general.
+        ENABLED = true;
+      };
+      cache = {
+        ADAPTER = "twoqueue";
+        HOST = builtins.toJSON {
+          size = 1000;
+          recent_ratio = 0.25;
+          ghost_ratio = 0.5;
+        };
+      };
+      session = {
+        COOKIE_SECURE = true;
+        COOKIE_NAME = "__Host-i_like_capytal_code_forge";
+        SAME_SITE = "strict";
+      };
+      picture = {
+        DISABLE_GRAVATAR = true; # Deprecated
+        ENABLE_FEDERATED_AVATAR = false; # Deprecated
+      };
+      "cron.delete_repo_archives" = {
+        ENABLED = true;
+      };
+      "cron.git_gc_repos" = {
+        ENABLED = true;
+      };
+      oauth2 = {
+        ENABLED = true;
+      };
+      federation = {
+        ENABLED = true;
+      };
+      lfs = {};
      storage = {
        STORAGE_TYPE = "minio";
        MINIO_USE_SSL = false;
-        MINIO_ENDPOINT = "127.0.0.1:3461";
-        MINIO_BUCKET = "forgejo";
+        MINIO_ENDPOINT = "localhost:3461";
+        MINIO_BUCKET = "gitea";
        MINIO_LOCATION = config.services.garage.settings.s3_api.s3_region;
      };
-      ui = {
-        # DEFAULT_THEME = "capytal-dark";
+      "storage.repo-archive" = {};
+      "repo-archive" = {};
+      actions = {
+        ENABLE = false; # Temporarily
+        DEFAULT_ACTIONS_URL = "self";
      };
    };
    secrets = {
+      server = {
+        LFS_JWT_SECRET = config.sops.secrets."gitea/server/lfs_jwt_secret".path;
+      };
+      security = {
+        SECRET_KEY = config.sops.secrets."gitea/security/secret_key".path;
+        INTERNAL_TOKEN = config.sops.secrets."gitea/security/internal_token".path;
+      };
+      oauth2 = {
+        JWT_SECRET = config.sops.secrets."gitea/oauth2/jwt_secret".path;
+      };
      storage = {
-        MINIO_ACCESS_KEY_ID = "${config.sops.secrets."forgejo/s3/key".path}";
-        MINIO_SECRET_ACCESS_KEY = "${config.sops.secrets."forgejo/s3/secret".path}";
+        MINIO_ACCESS_KEY_ID = config.sops.secrets."gitea/storage/access_key_id".path;
+        MINIO_SECRET_ACCESS_KEY = config.sops.secrets."gitea/storage/secret_access_key".path;
      };
    };
  };

  services.gitea-actions-runner = {
-    package = pkgs.forgejo-actions-runner;
    instances = {
-      "forgejo-runner-1" = {
+      "gitea-runner-1" = {
        enable = true;
-        name = "Forgejo Runner (${config.networking.hostName}) 1";
-        url = config.services.forgejo.settings.server.ROOT_URL;
-        tokenFile = config.sops.secrets."forgejo/actions/token".path;
+        name = "Gitea Runner (${config.networking.hostName}) 1";
+        url = gitea.settings.server.ROOT_URL;
+        tokenFile = config.sops.secrets."gitea/actions/token".path;
        labels = [
          "alpine-3.22:docker://data.forgejo.org/oci/alpine:3.22"
          "golang-1.24:docker://data.forgejo.org/oci/golang:1.24-alpine3.22"
-          "node-24:docker://node:24-bullseye"
+          "ubuntu-22.04:docker://docker.gitea.com/runner-images:ubuntu-22.04"
        ];
      };
    };
  };

-  users.users."${cfg.user}".packages = [
-    (pkgs.symlinkJoin {
-      paths = [pkgs.forgejo];
-      buildInputs = [pkgs.makeWrapper];
-      postFixup = ''
-        wrapProgram $out/bin/gitea \
-          --add-flags --config '${cfg.customDir}/conf/app.ini'
-      '';
-      inherit (pkgs.forgejo) name pname meta;
-    })
-  ];
+  # systemd.services.gitea-custom = let
+  #   gitea = config.services.gitea;
+  #   rsync = lib.getExe pkgs.rsync;
+  # in {
+  #   before = [
+  #     "gitea-secrets.service"
+  #     "gitea.service"
+  #   ];
+  #   script = ''
+  #     ${rsync} -av "${./assets}" "${gitea.customDir}/public/assets"
+  #   '';
+  #   serviceConfig = {
+  #     Type = "oneshot";
+  #     RemainAfterExit = true;
+  #     User = gitea.user;
+  #     Group = gitea.group;
+  #     ReadWritePaths = [gitea.customDir];
+  #     UMask = "0077";
+  #   };
+  # };

-  services.anubis.instances."forgejo" = {
+  services.anubis.instances."gitea" = {
    settings = {
-      BIND = ":${toString (cfg.settings.server.HTTP_PORT + 2)}";
+      BIND = ":${toString (gitea.settings.server.HTTP_PORT + 2)}";
      BIND_NETWORK = "tcp";
-      METRICS_BIND = ":${toString (cfg.settings.server.HTTP_PORT + 3)}";
+      METRICS_BIND = ":${toString (gitea.settings.server.HTTP_PORT + 3)}";
      METRICS_BIND_NETWORK = "tcp";
      SERVE_ROBOTS_TXT = true;
-      TARGET = "http://localhost:${toString cfg.settings.server.HTTP_PORT}";
-      ED25519_PRIVATE_KEY_HEX_FILE = config.sops.secrets."anubis/forgejo/hex_file".path;
+      TARGET = "http://localhost:${toString gitea.settings.server.HTTP_PORT}";
+      ED25519_PRIVATE_KEY_HEX_FILE = config.sops.secrets."anubis/gitea/hex_file".path;
    };
  };

-  services.caddy.virtualHosts.":${toString (cfg.settings.server.HTTP_PORT + 1)}" = {
-    extraConfig = ''
-      reverse_proxy http://localhost${config.services.anubis.instances."forgejo".settings.BIND} {
-        header_up X-Real-Ip {remote_host}
-      }
-    '';
+  services.caddy.virtualHosts = let
+    redir = {
+      extraConfig = ''
+        redir https://code.capytal.cc{uri} permanent
+      '';
+    };
+  in {
+    ":${toString (gitea.settings.server.HTTP_PORT + 1)}" = {
+      extraConfig = ''
+        reverse_proxy http://localhost${config.services.anubis.instances."gitea".settings.BIND} {
+          header_up X-Http-Version {http.request.proto}
+          header_up X-Real-Ip {remote_host}
+        }
+      '';
+    };
+    # Old ports used by legacy https://forge.capytal.company
+    ":9961" = redir;
+    ":9962" = redir;
  };
+
+  # services.forgejo = {
+  #   enable = true;
+  #   package = pkgs.forgejo;
+  #   settings = let
+  #     initList = l: (lib.strings.concatStringsSep "," l);
+  #   in {
+  #     DEFAULT = {
+  #       APP_NAME = "Capytal Code";
+  #     };
+  #     actions = {
+  #       ENABLED = true;
+  #       DEFAULT_ACTIONS_URL = "https://data.forgejo.org";
+  #     };
+  #     admin = {
+  #       DISABLE_REGULAR_ORG_CREATION = true;
+  #       USER_DISABLED_FEATURES = "deletion manage_ssh_keys manage_gpg_keys";
+  #       EXTERNAL_USER_DISABLED_FEATURES = "deletion manage_ssh_keys manage_gpg_keys";
+  #     };
+  #     database = {
+  #       HOST = "127.0.0.1:${toString config.services.postgresql.settings.port}";
+  #       NAME = "forgejo";
+  #       USER = "forgejo";
+  #       SSL_MODE = "disable";
+  #     };
+  #     repository = {
+  #       DEFAULT_REPO_UNITS = initList [
+  #         "repo.code"
+  #         "repo.issues"
+  #         "repo.pulls"
+  #       ];
+  #     };
+  #     security = {
+  #       REVERSE_PROXY_TRUSTED_PROXIES = "127.0.0.0/8,::1/128";
+  #     };
+  #     server = rec {
+  #       HTTP_PORT = 9960;
+  #       DOMAIN = "forge.capytal.company";
+  #       ROOT_URL = "https://${DOMAIN}";
+  #     };
+  #     service = {
+  #       DISABLE_REGISTRATION = true;
+  #     };
+  #     storage = {
+  #       STORAGE_TYPE = "minio";
+  #       MINIO_USE_SSL = false;
+  #       MINIO_ENDPOINT = "127.0.0.1:3461";
+  #       MINIO_BUCKET = "forgejo";
+  #       MINIO_LOCATION = config.services.garage.settings.s3_api.s3_region;
+  #     };
+  #     ui = {
+  #       # DEFAULT_THEME = "capytal-dark";
+  #     };
+  #   };
+  #   secrets = {
+  #     storage = {
+  #       MINIO_ACCESS_KEY_ID = "${config.sops.secrets."forgejo/s3/key".path}";
+  #       MINIO_SECRET_ACCESS_KEY = "${config.sops.secrets."forgejo/s3/secret".path}";
+  #     };
+  #   };
+  # };
+
+  # services.gitea-actions-runner = {
+  #   package = pkgs.forgejo-actions-runner;
+  #   instances = {
+  #     "forgejo-runner-1" = {
+  #       enable = true;
+  #       name = "Forgejo Runner (${config.networking.hostName}) 1";
+  #       url = config.services.forgejo.settings.server.ROOT_URL;
+  #       tokenFile = config.sops.secrets."forgejo/actions/token".path;
+  #       labels = [
+  #         "alpine-3.22:docker://data.forgejo.org/oci/alpine:3.22"
+  #         "golang-1.24:docker://data.forgejo.org/oci/golang:1.24-alpine3.22"
+  #         "node-24:docker://node:24-bullseye"
+  #       ];
+  #     };
+  #   };
+  # };
+  #
+  # users.users."${cfg.user}".packages = [
+  #   (pkgs.symlinkJoin {
+  #     paths = [pkgs.forgejo];
+  #     buildInputs = [pkgs.makeWrapper];
+  #     postFixup = ''
+  #       wrapProgram $out/bin/gitea \
+  #         --add-flags --config '${cfg.customDir}/conf/app.ini'
+  #     '';
+  #     inherit (pkgs.forgejo) name pname meta;
+  #   })
+  # ];
+  #
+  # services.anubis.instances."forgejo" = {
+  #   settings = {
+  #     BIND = ":${toString (cfg.settings.server.HTTP_PORT + 2)}";
+  #     BIND_NETWORK = "tcp";
+  #     METRICS_BIND = ":${toString (cfg.settings.server.HTTP_PORT + 3)}";
+  #     METRICS_BIND_NETWORK = "tcp";
+  #     SERVE_ROBOTS_TXT = true;
+  #     TARGET = "http://localhost:${toString cfg.settings.server.HTTP_PORT}";
+  #     ED25519_PRIVATE_KEY_HEX_FILE = config.sops.secrets."anubis/forgejo/hex_file".path;
+  #   };
+  # };
+
+  # services.caddy.virtualHosts.":${toString (cfg.settings.server.HTTP_PORT + 1)}" = {
+  #   extraConfig = ''
+  #     reverse_proxy http://localhost${config.services.anubis.instances."forgejo".settings.BIND} {
+  #       header_up X-Real-Ip {remote_host}
+  #     }
+  #   '';
+  # };
 }
--- a/flake.lock
+++ b/flake.lock
@@ -145,11 +145,11 @@
        "rev": "305579e103f4ca3e4f891f6e919eac5dab5a0057",
        "revCount": 122,
        "type": "git",
-        "url": "https://forge.capytal.company/capytal/capytal.cc"
+        "url": "https://code.capytal.cc/capytal/capytal.cc"
      },
      "original": {
        "type": "git",
-        "url": "https://forge.capytal.company/capytal/capytal.cc"
+        "url": "https://code.capytal.cc/capytal/capytal.cc"
      }
    },
    "crane": {
@@ -931,11 +931,29 @@
        "rev": "bb9a6c5b18f7124c99a144a7ec18b2d5be75decf",
        "revCount": 57,
        "type": "git",
-        "url": "https://forge.capytal.company/guz013/keikos.work"
+        "url": "https://code.capytal.cc/guz013/keikos.work"
      },
      "original": {
        "type": "git",
-        "url": "https://forge.capytal.company/guz013/keikos.work"
+        "url": "https://code.capytal.cc/guz013/keikos.work"
+      }
+    },
+    "loreddev-gitea": {
+      "inputs": {
+        "nixpkgs": "nixpkgs_9"
+      },
+      "locked": {
+        "lastModified": 1760046992,
+        "narHash": "sha256-gxn4TqMjccch1ULBNlau9t0HANrElrahaRw0r39oROw=",
+        "ref": "refs/heads/main",
+        "rev": "d9021491c727caceb47ec2f5a057e9d197ce6f1d",
+        "revCount": 19905,
+        "type": "git",
+        "url": "https://code.capytal.cc/loreddev/gitea"
+      },
+      "original": {
+        "type": "git",
+        "url": "https://code.capytal.cc/loreddev/gitea"
      }
    },
    "mdfmt": {
@@ -1089,6 +1107,22 @@
        "type": "github"
      }
    },
+    "nixpkgs_10": {
+      "locked": {
+        "lastModified": 1757810152,
+        "narHash": "sha256-Vp9K5ol6h0J90jG7Rm4RWZsCB3x7v5VPx588TQ1dkfs=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "9a094440e02a699be5c57453a092a8baf569bdad",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "nixos-25.05",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
    "nixpkgs_2": {
      "locked": {
        "lastModified": 1753489912,
@@ -1203,16 +1237,16 @@
    },
    "nixpkgs_9": {
      "locked": {
-        "lastModified": 1757810152,
-        "narHash": "sha256-Vp9K5ol6h0J90jG7Rm4RWZsCB3x7v5VPx588TQ1dkfs=",
+        "lastModified": 1758690382,
+        "narHash": "sha256-NY3kSorgqE5LMm1LqNwGne3ZLMF2/ILgLpFr1fS4X3o=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "9a094440e02a699be5c57453a092a8baf569bdad",
+        "rev": "e643668fd71b949c53f8626614b21ff71a07379d",
        "type": "github"
      },
      "original": {
        "owner": "nixos",
-        "ref": "nixos-25.05",
+        "ref": "nixos-unstable",
        "repo": "nixpkgs",
        "type": "github"
      }
@@ -1297,7 +1331,8 @@
        "dot013-nix": "dot013-nix",
        "home-manager": "home-manager_3",
        "keikoswork": "keikoswork",
-        "nixpkgs": "nixpkgs_9",
+        "loreddev-gitea": "loreddev-gitea",
+        "nixpkgs": "nixpkgs_10",
        "nixpkgs-unstable": "nixpkgs-unstable_2",
        "sops-nix": "sops-nix_2"
      }
--- a/flake.nix
+++ b/flake.nix
@@ -14,15 +14,19 @@
    };

    capytalcc = {
-      url = "git+https://forge.capytal.company/capytal/capytal.cc";
+      url = "git+https://code.capytal.cc/capytal/capytal.cc";
      inputs.nixpkgs.follows = "nixpkgs";
    };

    keikoswork = {
-      url = "git+https://forge.capytal.company/guz013/keikos.work";
+      url = "git+https://code.capytal.cc/guz013/keikos.work";
      # inputs.nixpkgs.follows = "nixpkgs";
    };

+    loreddev-gitea = {
+      url = "git+https://code.capytal.cc/loreddev/gitea";
+    };
+
    dot013-nix = {
      url = "github:dot013/nix";
    };
--- a/modules/gitea.nix
+++ b/modules/gitea.nix
@@ -141,12 +141,12 @@ in {

    services.gitea.secrets = {
      security = {
-        SECRET_KEY = "${cfg.customDir}/conf/secret_key";
-        INTERNAL_TOKEN = "${cfg.customDir}/conf/internal_token";
+        SECRET_KEY = mkDefault "${cfg.customDir}/conf/secret_key";
+        INTERNAL_TOKEN = mkDefault "${cfg.customDir}/conf/internal_token";
      };

      oauth2 = {
-        JWT_SECRET = "${cfg.customDir}/conf/oauth2_jwt_secret";
+        JWT_SECRET = mkDefault "${cfg.customDir}/conf/oauth2_jwt_secret";
      };

      database = mkIf (cfg.database.passwordFile != null) {
@@ -154,7 +154,7 @@ in {
      };

      server = mkIf cfg.lfs.enable {
-        LFS_JWT_SECRET = "${cfg.customDir}/conf/lfs_jwt_secret";
+        LFS_JWT_SECRET = mkDefault "${cfg.customDir}/conf/lfs_jwt_secret";
      };
    };

--- a/secrets.nix
+++ b/secrets.nix
@@ -32,18 +32,10 @@ with lib; {

      # Anubis
      ${config.services.anubis.defaultOptions.user} = [
-        "anubis/forgejo/hex_file"
+        "anubis/gitea/hex_file"
        "anubis/medama/hex_file"
      ];

-      # Forgejo
-      ${config.services.forgejo.user} = [
-        "forgejo/actions/token"
-        "forgejo/git_password"
-        "forgejo/s3/key"
-        "forgejo/s3/secret"
-      ];
-
      # Garage
      "garage" = [
        "garage/admin_key"
@@ -53,6 +45,16 @@ with lib; {
        "garage/rpc_secret"
      ];

+      # Gitea
+      ${config.services.gitea.user} = [
+        "gitea/actions/token"
+        "gitea/oauth2/jwt_secret"
+        "gitea/security/internal_token"
+        "gitea/security/secret_key"
+        "gitea/server/lfs_jwt_secret"
+        "gitea/storage/access_key_id"
+        "gitea/storage/secret_access_key"
+      ];

      # keikos.work
      ${config.services.keikos.web.user} = [
--- a/secrets.yaml
+++ b/secrets.yaml
@@ -1,12 +1,14 @@
 anubis:
    forgejo:
        hex_file: ENC[AES256_GCM,data:UlFkdy1MfwaQqDnxtMtg4kH/dMJVl8sk4DMfdaCczHGaPtPuP4ADxcBxqpNkzYnQPxbv5ZXqR4qz8Ur5QHWxUg==,iv:WQHkSMiJEV0IWMVvfxC/EuE/e8QabhJinRHADm7kdSg=,tag:1JRwMp94APRszgBuQ0yaQQ==,type:str]
+    gitea:
+        hex_file: ENC[AES256_GCM,data:VeF2FRqZdsYe3A002QLGG8jc5s+Tfr5V4dpO/aZ4Rbh9T/O3XQznocDsmUOvjIysH9wbVwvBXGdH1U3vd0qmVg==,iv:/3VQLK+C76HoCbpZAUQaxOFsiFKDuuP2KWAV0EBasp4=,tag:brqDAaHv7r9DRLBoMMmRqw==,type:str]
    medama:
        hex_file: ENC[AES256_GCM,data:wLRw34+uPWpR5GJuI8Q+nlX4hEx3sMn5mSl/lF5kX0Z8N99Eb6Qj4Emx2mK4dNukYNO8j9blw1/RAL94I+QCjQ==,iv:/dW5Z+S14dByXIUyOyEIxxRFl7e4lZZfBKtukV4s68M=,tag:fELbLVzwIgMJUjhNJw4kYg==,type:str]
 cloudflared:
    tunnel_env: ENC[AES256_GCM,data:2DYmoNJYIUAgbDzwJO4I4CSEMVoQredhDfiAWkzNTJBzNEuWc3PgYlonr+FwCnu1wU6aep5iNascpscMtN1Y8ef2m4S1p+mef872pBoElgMG1S2suLvwKdwXPafWHaQdxmEbRxMJjWhLGxmbnlExq8w88/VKm6V0TG183bPOjATU+empoGpHWKT6dNoIBOJnjdoeDjoP4fSIW1UVmYWYAePBuwsr6d4y/TjXyoBuCRG02WbCzELFMnkKY3PwamIn0PXs5ifg,iv:vfgzOn4Oo10Uk3gdm3LDo96vBZ87NuILaDjht9btAHA=,tag:Awwx3DdD0BU0H7lsjJQPug==,type:str]
 forgejo:
-    git-password: ENC[AES256_GCM,data:SDyFBCwTxnZ1E6R/8HZCBIBj4AREYfqWrgzSEQ6SA3BDGPFsHghiVmF+Jt4omdzUQSoCCblMBsAx0NQBbBJrCbEoBWtybRM7Cg==,iv:KbtjXW1F8YJeapVpEkf8AdXhojmhOQKxG8nCZv7vW4k=,tag:odrL53KeKLVD5AoQB14veA==,type:str]
+    git_password: ENC[AES256_GCM,data:PLgQBO7ZwApkhWPFDFhTjGxVqWSve2D3mzSVbnOB4YK1jPUSqmE32yQtffEaGQWakFD6c7c4fbtm+eusc81jHYN5gvWh7lwoXA==,iv:D1nypE0CfubCe8J0psJRiJBc0AR9PsZGcXigdXCReQs=,tag:1j8gw//MLKJXScfth8ClOg==,type:str]
    s3:
        key: ENC[AES256_GCM,data:kdzRs/3kBXJt+jOVlFAm5EaRHNWq5XnK/Ts=,iv:qcqXQsxJXX9JlJwCuoz9y6izR9b1gs3xhnhO3tTpwK0=,tag:ikx95iSB/kGZ6/RFL+rvjg==,type:str]
        secret: ENC[AES256_GCM,data:DVF4DB6dnWpVGK4QwStjMcYbvNQlnJn84xmRxI86r5tqDnyPbFDYN8RNlLyjulBQzJH6pMUkfk5vShNpaLaffA==,iv:5aUuyVnNK20y/NTAw2VZNxE+EaN6tfciwtyb7e/vJGg=,tag:+McVG3UdgEp0OfuuKsmOFw==,type:str]
@@ -16,6 +18,19 @@ forgejo:
        email: ENC[AES256_GCM,data:e6GOwBzRBxa00CHYHgV8,iv:oerF3kJWzjzOatND8Tngp3MADw2kaBKyigeFxtH/ypQ=,tag:1q093JG9hRDxs6OzOIU3vw==,type:str]
    actions:
        token: ENC[AES256_GCM,data:tjzIEA+TuwInBwfic7P6ZpN7XyQ2RWC7CZrGEjRtFR/Lj7xb4ysPfZ7d91AjNjw=,iv:e3nWZ3BvDeZvEUiJJ6h7u37UC4GZd/i582MRzE9pkyI=,tag:rZZnz5kGiLtCrUdNwgy8Xw==,type:str]
+gitea:
+    actions:
+        token: ENC[AES256_GCM,data:BrsTb1JNp5+eRtWk1/bqdgEdS7eDhUzZatl68jBSFqyv/4aHy3xzybxotdpmIQM=,iv:Mx+naexdYq1Gy3oCPTjYz5cdf4p2Mx8AFxmhwzfOPXo=,tag:/o2X2BlPwUAPkTo0iumMMw==,type:str]
+    oauth2:
+        jwt_secret: ENC[AES256_GCM,data:Mrdh35mf7zhuNHSrUJNmlRpzC4qPLlMQotZYJDnVcjtSbqi8Vr2Xa0o19Q==,iv:JFjs9rgDqgf7rEtlRhyO8lz71CgiEc1DUO6+w5Xvq00=,tag:fu4K3okXxKfezI+V+s+G6w==,type:str]
+    security:
+        internal_token: ENC[AES256_GCM,data:Wxozs+7XPkTUr6fcOyRGSVbekArrJs1IIdxDB3nUJmESJ5jhhB493r3nw3+Ftj1poZXNDXLBilGjQ5rYi+FW4pjH21pWNyJ2gtXEmwDFG7VMhTa/kqMK0RdvN+m683y91vBmkm4AJmQU,iv:+1Tl8mxhd0YpWvJtW2da3yFmm2aJXES+b9T97WNJqWU=,tag:osq0yeWVOuNpqopVkNDz/Q==,type:str]
+        secret_key: ENC[AES256_GCM,data:PBNDuXo2vLEewr5z5S4ocVDPDcU49v24iFF7TOlpWS9Lawp9Y+/3xMSr8z8v3ajfK8K46sE9GlXuOt1g5QmGqg==,iv:FDG2G4UlFmKLn9S3tDQCpI1I92vaWo8j7Y5mp0x85Bs=,tag:yf15GwQ5HmwOIlSUVzcsPg==,type:str]
+    server:
+        lfs_jwt_secret: ENC[AES256_GCM,data:yY969ZtaVcF7KYT/n1H+ZBM+tNH1Bvx+WwUTXJSVenlz8zzk9SepkDPbdg==,iv:GL17rWtHjzzBZiyrZ/UWkHzrAvHX5vyv4BIhNtq3AL0=,tag:T8weRUemG3b7DVnNtMEFoQ==,type:str]
+    storage:
+        access_key_id: ENC[AES256_GCM,data:lMWloeJmqehgw407FGmUYyj0LUW6ogT5M40=,iv:GCr0EMspwK5ByxEXFSdk+GKkY5YL7nweZeOaVx7XNl8=,tag:2f4C0J5xxsTNDjKmSe/+7g==,type:str]
+        secret_access_key: ENC[AES256_GCM,data:ygQfso7dWktV9BhureOE9JuXePOYGF71YKfs0K0Co8786YxltQEel/zyvAccT/wtM9bcqfcnvYx1E6QqpAA/Ow==,iv:rvPuD2mF+X8TfvL3By6wOrxVC6g3oIPM9BFWX59DAlQ=,tag:1y9wPd34xdrmU+4ECCJP+A==,type:str]
 garage:
    admin_key: ENC[AES256_GCM,data:ORtjXzJrbWITofjNpVsTHE1gHcwNhBcbMNM=,iv:99XCuu5hGa3ZnAqbOsmgjeMouC8EnTzsJ0HuOoHwKEE=,tag:eJVx+A8MJ4g1xXr2F5hTkg==,type:str]
    admin_secret: ENC[AES256_GCM,data:7hMOXJwIr0pkCFBBh5vnDy//R9UwD+eTlddT1VGOpqYaA0andf0jRfGOr0efcX0x/EvlDOrfFqn8ME8icZRRbw==,iv:KGxqXhzNWFWiwBHRSP+aov2fCNHgFuUtpBF4nd40mGw=,tag:ixcehvjzs6CfVyAAl315dw==,type:str]
@@ -42,7 +57,7 @@ sops:
            amRmVkVoS2RqeEs3OXZVeTlsZUVEV28K1WcbGJHT8LMah5b7NN1psiucTl1OfZYO
            4T3RDSQMB3qj1TGQSdixjwRRKbMGtL3LXnvkNd+caVi5Z9OkF1O9Yg==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-10-10T02:06:29Z"
-    mac: ENC[AES256_GCM,data:/FSwyA7AfbRZgCPfn0MbUaW+OduFpluWX5RntzjJMieJzfdix+NAwFnOThr+vtN24VybepvlayXzfTlf9lWlfotozit/jdZMoPipEifEiO8LoXDrmNUZow8AOJ9cmCOKNx8YdcN0K28mE0nTTkP8aXPumcyWKuLa8+faLEgPs0Q=,iv:uQIHkfTbuM7dy34S4mpYEmLG3B2ff003IaSp07rN50g=,tag:qkFwvjxojtksfEDVpsFAYw==,type:str]
+    lastmodified: "2025-10-10T21:47:17Z"
+    mac: ENC[AES256_GCM,data:4K5fNM05Mm3VCFTx2lntPUcaW/fznjchMdd26VJURBTED3Hr8wpLyNMFtWqWlKZvVuMyk7VQyyBmysb0clmydHpuDR9TtJSJA+IyIyK6IQJi86mQs7IpcSf4Z6uXA33ed3z2aJWhwA8l+5XtwQjYQbDeME1v/ir7xTeqz8P4STI=,iv:iaXcW+3UumdAR/v4/Pp8ZCqJQ2WmL6fucRFJwTugxrc=,tag:sxUajgkMkYjshIgU24o+/w==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.10.2