From 8847517d07a33a835ed2bacda3be1cd66c0d8fea Mon Sep 17 00:00:00 2001
From: "Gustavo \"Guz\" L de Mello"
Date: Wed, 17 Sep 2025 22:26:17 -0300
Subject: [PATCH] feat(capytal,forgejo): use S3 as object storage
---
capytal/forgejo.nix | 33 +++++++++++++++++++++++----------
secrets.nix | 18 ++++++++++++------
secrets.yaml | 11 +++++++----
3 files changed, 42 insertions(+), 20 deletions(-)
diff --git a/capytal/forgejo.nix b/capytal/forgejo.nix
index c283256..4bdc796 100644
--- a/capytal/forgejo.nix
+++ b/capytal/forgejo.nix
@@ -15,10 +15,10 @@ in {
 DEFAULT = {
 APP_NAME = "Capytal Code";
 };
- server = rec {
- HTTP_PORT = 9960;
- DOMAIN = "forge.capytal.company";
- ROOT_URL = "https://${DOMAIN}";
+ admin = {
+ DISABLE_REGULAR_ORG_CREATION = true;
+ USER_DISABLED_FEATURES = "deletion manage_ssh_keys manage_gpg_keys";
+ EXTERNAL_USER_DISABLED_FEATURES = "deletion manage_ssh_keys manage_gpg_keys";
 };
 repository = {
 DEFAULT_REPO_UNITS = initList [
@@ -27,21 +27,34 @@ in {
 "repo.pulls"
 ];
 };
- admin = {
- DISABLE_REGULAR_ORG_CREATION = true;
- USER_DISABLED_FEATURES = "deletion manage_ssh_keys manage_gpg_keys";
- EXTERNAL_USER_DISABLED_FEATURES = "deletion manage_ssh_keys manage_gpg_keys";
+ security = {
+ REVERSE_PROXY_TRUSTED_PROXIES = "127.0.0.0/8,::1/128";
+ };
+ server = rec {
+ HTTP_PORT = 9960;
+ DOMAIN = "forge.capytal.company";
+ ROOT_URL = "https://${DOMAIN}";
 };
 service = {
 DISABLE_REGISTRATION = true;
 };
- security = {
- REVERSE_PROXY_TRUSTED_PROXIES = "127.0.0.0/8,::1/128";
+ storage = {
+ STORAGE_TYPE = "minio";
+ MINIO_USE_SSL = false;
+ MINIO_ENDPOINT = "127.0.0.1:3461";
+ MINIO_BUCKET = "forgejo";
+ MINIO_LOCATION = config.services.garage.settings.s3_api.s3_region;
 };
 ui = {
 # DEFAULT_THEME = "capytal-dark";
 };
 };
+ secrets = {
+ storage = {
+ MINIO_ACCESS_KEY_ID = "${config.sops.secrets."forgejo/s3/key".path}";
+ MINIO_SECRET_ACCESS_KEY = "${config.sops.secrets."forgejo/s3/secret".path}";
+ };
+ };
 };
 services.anubis.instances."forgejo" = {
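Review bot: In the second hunk `MINIO_ENDPOINT = "127.0.0.1:3461"` hard-codes the Garage address while `MINIO_LOCATION` is derived from `config.services.garage.settings.s3_api.s3_region`, so the endpoint and region can silently drift apart if the Garage listener is ever moved; if this configuration also sets `services.garage.settings.s3_api.api_bind_addr`, deriving the endpoint from that value would keep the two in step. `MINIO_USE_SSL = false` means the access key and secret travel in cleartext on every request, which is only acceptable because the endpoint is loopback, and that assumption deserves to be written down above the `storage` block, e.g. `# Plain HTTP is acceptable only while Garage is reached over loopback; keep MINIO_ENDPOINT in sync with services.garage.settings.s3_api`. The enclosing `services.forgejo.settings` attribute set starts before the hunk.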
diff --git a/secrets.nix b/secrets.nix
index 23e814a..f1dd724 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -20,6 +20,18 @@ with lib; {
 sops.secrets = {
 "cloudflared/tunnel-env" = {};
+ "forgejo/anubis/hexFile" = {
+ owner = config.services.anubis.instances."forgejo".user;
+ };
+ "forgejo/git-password" = mkIf config.services.forgejo.enable {
+ owner = config.services.forgejo.user;
+ };
+ "forgejo/s3/key" = mkIf config.services.forgejo.enable {
+ owner = config.services.forgejo.user;
+ };
+ "forgejo/s3/secret" = mkIf config.services.forgejo.enable {
+ owner = config.services.forgejo.user;
+ };
 "forgejo/user1/name" = mkIf config.services.forgejo.enable {
 owner = config.services.forgejo.user;
 };
@@ -29,12 +41,6 @@ with lib; {
 "forgejo/user1/email" = mkIf config.services.forgejo.enable {
 owner = config.services.forgejo.user;
 };
- "forgejo/git-password" = mkIf config.services.forgejo.enable {
- owner = config.services.forgejo.user;
- };
- "forgejo/anubis/hexFile" = {
- owner = config.services.anubis.instances."forgejo".user;
- };
 "garage/admin_key" = mkIf config.services.garage.enable {
 owner = config.systemd.services.garage.serviceConfig.User;
diff --git a/secrets.yaml b/secrets.yaml
index ef005c7..210baf9 100644
--- a/secrets.yaml
+++ b/secrets.yaml
@@ -1,13 +1,16 @@
 cloudflared:
 tunnel-env: ENC[AES256_GCM,data:jYtDMez3w5BzSH3/xwqEsAtPo6EMxx6dBcd3bnfdCOm/eZzampXPyUfPsqkO4mtL2dGmjT7W+3prGxrEQtC/Eu9R7ojCflbJBFyH8+BDusomQdqjr5d0Utur/oK7ElKgpl0OF17n8sOngxEXZBtWHTbKoL+v50QzHEO07hPHjhrF5n/P+0I78rXPn9OEvJ1B5u0dg3XxXg3l4rtmkYdSwu+2+cUh6pe0AWNTigkkwy70hwKKaz+5Lb5mAp1mpl4r7xaCUqvP,iv:PVmrMzTq2upZXgu5fHPQMis0cXNipMbXahevF1/zJSU=,tag:F75o8plR7XMAv1ngL65ntQ==,type:str]
 forgejo:
+ anubis:
+ hexFile: ENC[AES256_GCM,data:6hMIQUiSYYNkhrGGHHHIF6Ur+dQeXDuUTHZR4Tnl3O/T/phC7q881Gta6LCUJVvgQJ8hF2aKafggTUDsjcaI3g==,iv:3aGmqM8gV5YsdFNGCgZ4L9t8r9c0zubqZOE1eDBAong=,tag:/nB357mXDJJMRNoQ4E/KQQ==,type:str]
 git-password: ENC[AES256_GCM,data:SDyFBCwTxnZ1E6R/8HZCBIBj4AREYfqWrgzSEQ6SA3BDGPFsHghiVmF+Jt4omdzUQSoCCblMBsAx0NQBbBJrCbEoBWtybRM7Cg==,iv:KbtjXW1F8YJeapVpEkf8AdXhojmhOQKxG8nCZv7vW4k=,tag:odrL53KeKLVD5AoQB14veA==,type:str]
+ s3:
+ key: ENC[AES256_GCM,data:kdzRs/3kBXJt+jOVlFAm5EaRHNWq5XnK/Ts=,iv:qcqXQsxJXX9JlJwCuoz9y6izR9b1gs3xhnhO3tTpwK0=,tag:ikx95iSB/kGZ6/RFL+rvjg==,type:str]
+ secret: ENC[AES256_GCM,data:DVF4DB6dnWpVGK4QwStjMcYbvNQlnJn84xmRxI86r5tqDnyPbFDYN8RNlLyjulBQzJH6pMUkfk5vShNpaLaffA==,iv:5aUuyVnNK20y/NTAw2VZNxE+EaN6tfciwtyb7e/vJGg=,tag:+McVG3UdgEp0OfuuKsmOFw==,type:str]
 user1:
 name: ENC[AES256_GCM,data:UL3g,iv:+ftGx57fhzN06DuLItxZTc7lXX2g4MhqrEqnDjk4Aug=,tag:ZNpwWuPYhBzDjRQBKikCDA==,type:str]
 password: ENC[AES256_GCM,data:9nMuj2/VIB7Pbw==,iv:+96/NZ+gmRkpXr05nFuUfRl2rGqElUA/LuMBYBQHCHQ=,tag:hMEO40iGeyWsMd8VPOV4Yg==,type:str]
 email: ENC[AES256_GCM,data:e6GOwBzRBxa00CHYHgV8,iv:oerF3kJWzjzOatND8Tngp3MADw2kaBKyigeFxtH/ypQ=,tag:1q093JG9hRDxs6OzOIU3vw==,type:str]
- anubis:
- hexFile: ENC[AES256_GCM,data:6hMIQUiSYYNkhrGGHHHIF6Ur+dQeXDuUTHZR4Tnl3O/T/phC7q881Gta6LCUJVvgQJ8hF2aKafggTUDsjcaI3g==,iv:3aGmqM8gV5YsdFNGCgZ4L9t8r9c0zubqZOE1eDBAong=,tag:/nB357mXDJJMRNoQ4E/KQQ==,type:str]
 garage:
 admin_key: ENC[AES256_GCM,data:ORtjXzJrbWITofjNpVsTHE1gHcwNhBcbMNM=,iv:99XCuu5hGa3ZnAqbOsmgjeMouC8EnTzsJ0HuOoHwKEE=,tag:eJVx+A8MJ4g1xXr2F5hTkg==,type:str]
 admin_secret: ENC[AES256_GCM,data:7hMOXJwIr0pkCFBBh5vnDy//R9UwD+eTlddT1VGOpqYaA0andf0jRfGOr0efcX0x/EvlDOrfFqn8ME8icZRRbw==,iv:KGxqXhzNWFWiwBHRSP+aov2fCNHgFuUtpBF4nd40mGw=,tag:ixcehvjzs6CfVyAAl315dw==,type:str]
@@ -37,7 +40,7 @@ sops:
 amRmVkVoS2RqeEs3OXZVeTlsZUVEV28K1WcbGJHT8LMah5b7NN1psiucTl1OfZYO
 4T3RDSQMB3qj1TGQSdixjwRRKbMGtL3LXnvkNd+caVi5Z9OkF1O9Yg==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-09-16T19:15:12Z"
- mac: ENC[AES256_GCM,data:MhCHZ9QyaA6KlMmienux8Ceznew40vIEw+dACUJ8ewBXB3oGCDQI4dTPEAZH1C4NgVEJZOWUItv6mt8D/WbreoxuGuIkIOOSAeySuM6rUpy+aguTAMcVij9tqgqhoUMovq43YulOzt5pBirWzNtAOsfP6gQMVTjZAi9kiPmJJS0=,iv:6TzDpqPQ55juqjKT3Tlvo2fUd4xguvN8buoGA6oggmE=,tag:LFYv1edoFSmvZupvj3zzFA==,type:str]
+ lastmodified: "2025-09-17T22:34:52Z"
+ mac: ENC[AES256_GCM,data:qCQgzoxRMowRqG8oWUGm3uryAh60HGjgUGsX6piZuBY1mrgzXABDE5AoD5YA5k7d2Nxv7Auzzz/xOSPUcxO+aqYDsjwu9bc6Sl6XzoR3SlFSl/PURPbfSmABlX0iJBfUcOtGlnIDPbIuHASRCFcRpuneQ3+VeQS6MaD5n7BBCRY=,iv:Br2T8/Wq44h6RzO9ht6bUthUt5yL/MFQME0LlTaO7gE=,tag:jdznhfhgBGfqi8hOVJhKkw==,type:str]
 unencrypted_suffix: _unencrypted
 version: 3.10.2