feat(capytal,gitea): code.capytal.cc migration

2026-05-21 16:56:53 -03:00
parent 4776960b19
commit ba1e09b62f
6 changed files with 131 additions and 77 deletions
--- a/flake.lock
+++ b/flake.lock
@@ -268,6 +268,24 @@
        "type": "github"
      }
    },
+    "loreddev-gitea": {
+      "inputs": {
+        "nixpkgs": "nixpkgs_2"
+      },
+      "locked": {
+        "lastModified": 1765921137,
+        "narHash": "sha256-u4qyEOZm1+2LQDlG24smmEToO/r1T08s7MCYzE/DnjE=",
+        "ref": "refs/heads/main",
+        "rev": "96edd617d6daac89d00c080df561818b2fcd7da2",
+        "revCount": 19980,
+        "type": "git",
+        "url": "https://code.capytal.cc/loreddev/gitea"
+      },
+      "original": {
+        "type": "git",
+        "url": "https://code.capytal.cc/loreddev/gitea"
+      }
+    },
    "mdfmt": {
      "flake": false,
      "locked": {
@@ -288,7 +306,7 @@
      "inputs": {
        "godotdev": "godotdev",
        "mdfmt": "mdfmt",
-        "nixpkgs": "nixpkgs_2",
+        "nixpkgs": "nixpkgs_3",
        "nvim-treesitter-main": "nvim-treesitter-main"
      },
      "locked": {
@@ -398,6 +416,22 @@
      }
    },
    "nixpkgs_2": {
+      "locked": {
+        "lastModified": 1765779637,
+        "narHash": "sha256-KJ2wa/BLSrTqDjbfyNx70ov/HdgNBCBBSQP3BIzKnv4=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "1306659b587dc277866c7b69eb97e5f07864d8c4",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_3": {
      "locked": {
        "lastModified": 1767892417,
        "narHash": "sha256-dhhvQY67aboBk8b0/u0XB6vwHdgbROZT3fJAjyNh5Ww=",
@@ -413,7 +447,7 @@
        "type": "github"
      }
    },
-    "nixpkgs_3": {
+    "nixpkgs_4": {
      "locked": {
        "lastModified": 1767379071,
        "narHash": "sha256-EgE0pxsrW9jp9YFMkHL9JMXxcqi/OoumPJYwf+Okucw=",
@@ -429,7 +463,7 @@
        "type": "github"
      }
    },
-    "nixpkgs_4": {
+    "nixpkgs_5": {
      "locked": {
        "lastModified": 1778737229,
        "narHash": "sha256-6xWoytx8jFW4PF1GjRm/i/53trbpKGfz6zjzQGBr4cI=",
@@ -489,7 +523,7 @@
    },
    "nvim-treesitter-main": {
      "inputs": {
-        "nixpkgs": "nixpkgs_3",
+        "nixpkgs": "nixpkgs_4",
        "nvim-treesitter": "nvim-treesitter",
        "nvim-treesitter-textobjects": "nvim-treesitter-textobjects"
      },
@@ -530,10 +564,11 @@
        "favelasmp": "favelasmp",
        "home-manager": "home-manager",
        "impermanence": "impermanence",
+        "loreddev-gitea": "loreddev-gitea",
        "neovim": "neovim",
        "nix-flatpak": "nix-flatpak",
        "nix-minecraft": "nix-minecraft_2",
-        "nixpkgs": "nixpkgs_4",
+        "nixpkgs": "nixpkgs_5",
        "nixpkgs-unstable": "nixpkgs-unstable",
        "sops-nix": "sops-nix",
        "stylix": "stylix",
--- a/flake.nix
+++ b/flake.nix
@@ -38,6 +38,10 @@
      # url = "git+file:///home/guz/Projects/heart-favelasmp";
    };

+    loreddev-gitea = {
+      url = "git+https://code.capytal.cc/loreddev/gitea";
+    };
+
    nix-minecraft = {
      url = "github:infinidoge/nix-minecraft";
      inputs.nixpkgs.follows = "nixpkgs";
@@ -226,6 +230,7 @@
      neovim = inputs.neovim.nixosModules.default;
      playit = ./modules/playit.nix;
      services = {
+        capytal-gitea = ./services/capytal/gitea.nix;
        cloudflared = ./services/cloudflared.nix;
        minecraft-servers = ./services/minecraft-servers.nix;
      };
--- a/secrets.yaml
+++ b/secrets.yaml
@@ -1,19 +1,24 @@
 services:
    cloudflared:
+        capytalcc-cert: ENC[AES256_GCM,data:Gfys2Tlpk7sQpVkK9RSMQS9TzZVcU3IRoCpL1GOFuBL0ZWPzTgiNfyksBRs3yUph5X+Yc7BHT0qSFZneUwml9EojEuFZZnhxt7gygnQGSUzKHNAHF//fT+P3PpWI/dDfboznLQsNti7GbpflMiOOBdu36xXSai2jt4tFFLp/DoQ5aSXfCcgGx/gB4wLCN1kLcPnldGSHJ4k+Z3U28gJRiCZ/tWtrRO7KdUxh1u9Y71wQbtVP6Xp0jUI/0CgOAxE6+eOFcgeleNSc+vbvN3TB1yl2d/oj9jpsub9b60duMHkq0S5M7iE7aHPNk92i1kIraqVOuUYvlMmlCM4bRZ+vxhGxOujXHqr/BNfR+EhXyRsnZEZxdTCBZpQa,iv:noJUVwrFuHGD/bT0PVFQTjuCj35+viVlHvdM/yJS+6Q=,tag:FoyUbrAiaF75pFy6Fwx5Tw==,type:str]
+        capytalcc-cred: ENC[AES256_GCM,data:AKSM5VhzNUiLrM27fRiB7R+IzsJ1HY3X0VQFi3iqaazUTexxM7JwItW/jfBS8PlPTk7JiwVG++e7RNJapUzLHe0Zs1wwPUb6FkC3Q0GTdj051NhffvSCfpn/8WIGOxZaT9nZKYbWfqJ18oFLa6yX2VqN7DzpmnLgvy4G21SYkGRCFja2g00bVH92kJuLEpM/yVPdHa/RGjy0jQxmSgOpo3SEsHfaaxYk6VoPDd3RZC8=,iv:l3RNQz5lXnsDAcqaTkckL38henO5HaVbAlXt+Zrusk0=,tag:JBflgE+I2by4La46KHzIJQ==,type:str]
        guzone-cert: ENC[AES256_GCM,data:zFwtLBIb5S5XvduuK2hbVsq9YHkvKuyy25KtOHN3YQeHuWMZQzDXw4ICE6/YaJzfDhZNxcpQvRNt6OXqqBzHB74oEeKvOZC9owfMzNufWHxcFRpwNSl5LUq57ciC+6wnizhrdKwtk3v5lZk9ToCjURYbZ/RqkZKgYfrrv7Xh22Qns+H9rYg6B06MtglXSHciXnigc5ofkyd9mY3yoCCooteKaix13ZJYzt+LHfJlur/+tGz8pvAZGN/beOdkX/kp6QD3+7JPeOt6KeNkdGY4TvdM2fpMSK0JZekGHgHQVSQJLDkSlNY9SOPuqgZYleRi0fy2Ve9tA9SpGatWXhcuUZTbbNf0SRf/by5n6mUF9a3kPOjkJq/4Jeoi,iv:0wobompJLwaxVQnJAntKSF2pxIebDxxZ2lgEpw3iT1o=,tag:Ef3QZ6vebHzzSsTLUOWYyw==,type:str]
        guzone-cred: ENC[AES256_GCM,data:UVsBMQMB2yrS2TnzyqSh57Hyr13ONfC81gJO2iT5EDkUu1XoocJcd1G0TEhSODmMvTfx6FrI5GSGRbHX0Z/AK1IBIeLBBQ9zDqhvL/2i+0EltBaIw/HMDusWvFLQMBBQiJ0uDqpBTEUAidUEe/qX248bGdL3d9EfYcxp7ivplMOZ5ocNJhDXqF0M1odfcia6J5xvehBeBeO6B8t5tDoDIIpA39bHge5IgMvQ9GwB4tE=,iv:YFbB8Wmgnzwdw0BZjWIrkP5FQ09iKeiW/eIIbBdNEgk=,tag:v7u6cAf8JM2KT/jxxb0tYg==,type:str]
-    minio:
-        credentialsFile: ENC[AES256_GCM,data:b3ZS3dJOjUMTFNY0vnCr+u5SZaUtf2DR4zCIGH/OpZWWjJIxjRPKp6aPM5ok/XnYu8cv/4FHwMM=,iv:ZnzLCTI0cEVHGy7mMUNGiQlseOXxvNgWrD1mkthwkNE=,tag:8Ii6fNg2syJcyxNAww+6SQ==,type:str]
+    gitea:
+        actions-token: ENC[AES256_GCM,data:SBqyvNKmdAYQ2Yia3c3B6zJ36tV0iLkgmABXuzUXamRLHQAX6vtrUNXqwL5b3fU=,iv:0TQbJFRsAYpy/aKr3LyThFCPT/HOqws9rAVlc/BC064=,tag:AF7SeWmFqjAyDlifNcrY5w==,type:str]
+        env-file: ENC[AES256_GCM,data:GDccCdVJoiFlUhi60j1fp/0gZi34n1Y5sN+liUjnDEhBTia4sIcPGvJ2BoZC25M2YUEz7snuehEatTRxBVzuFEWpc/yKUEhv6X9hVMSG50I0Kom1/9FchGNGGa10WKikrN/d8rxhvDLJf8jdFlRImr+uxA4Ko25BZUs812tQISgxFc5KXR2IUSPA8BfKGgZNbxkTYQSqynz4jzJLV0IDuefbKCp4r+B3EIp2R3kQ/oU5ZB5QSM2hdM+z+eI8HtxXI0Lr29XXSFlXG1s/sZBzHwvqb3jJTlWREwhkuOscN20KM3bweSl8b86oKOnxt1UrEf7jEE5sArSoiqV3hymy1YV9CIr+E9SOxQOfdMDPpTjAvmuduc9A52HwiIqzyxpPTsOSK7l3t924w7UchGRdUdflsD1iUCLd5q0qi0mydvD3Uc2TZVzpuQtZ+uVGMOF7Xaz6sKZ0euO4j4RG7N7kIqBR3WhxsR1wVl0rwBEFfJ8DJh2opRBI,iv:gOst4FJAAVcnpCJ/wmuW7yPdjzGqvkSqHn6qWjEowHk=,tag:EUm568mJlgXfr3fgGthxyg==,type:str]
    minecraft:
        playit-secret: ENC[AES256_GCM,data:dXy11fLDMTYg+aeoHOVVsNxXHry5OvKixWwtF/FWQULQ/KyOH8eshVznSXBazx3MFTO0qm6c5jJecGiN/0Ry0WdtRqzZ7mFqjMnpTck7xDU=,iv:y9PAcD86PlnK8mxjMAS1FMBNW3ZT8uLAFPnxxUaEgm4=,tag:NtnVnknzWDwqzg+4hC65UQ==,type:str]
        proxy-allowed-users: ENC[AES256_GCM,data:nP9qx1xHS8mTXttAEfwX,iv:3afr3MFL7pUqNrq0iLFvs7Rif1Nfxp+/clFsMysawKo=,tag:I8P5SHwAt6n7qszAbeHCRA==,type:str]
        proxy-geyser-config: ENC[AES256_GCM,data:zUtasSljIpn3pya0QmyyckY6xlIexk/j9KjTlGFU5u9Onvrgr2B+ggnsc6tkvgGFoMTk5TF/T6I5CAzoOg0sTkJqGlx8zxfjYpi5ZnW2kLwdrwpzidzTGpl68pA5KMxYAtAmMkv8g10T+DSYvrVpk4o4wU3h5Ud9,iv:DNVOZwND/pS9RmbCDVi1oXqYSZqO/GwoNkUOJJOh5tY=,tag:E7V24sVn78MWD2RYDz2Rgg==,type:str]
        proxy-voicechat-properties: ENC[AES256_GCM,data:khVSVyXsCR6ig+ugQPmsMxYHnlCee5C4GBZLrzzoKuel5l/ieDOaGXw+abcm5RBELy+cOQWd/xD2cq3PM712hkksLpSYUw9gSSlx,iv:Gdc/bCdW6e1ZNFK5FXQGVmLQ1kv0Hklm3hvl79Er55k=,tag:O28pa0cIEDH7H0tuUGXo6Q==,type:str]
        proxy-secret: ENC[AES256_GCM,data:K5GMlzDMD31YKjrJ,iv:1jSAFuPri5DS7foMBSw0rzXimmg3IPN6JXm0WVXqNwI=,tag:X1InctFVT53Ne/b23crnTg==,type:str]
-        favelasmp-ops: ENC[AES256_GCM,data:ifAtvtIQpQV2uZrZp1JZwbK20XCn3F5uEzcs/FJE3etSFT0nd06RzjRUP7HaJnAEpkGz4VAy9p8p1sd8TdLvpZHru2elU1qn1H8YDjl2aj2FxNq+yvT9rfflS3hbdDFkN8Ov+j6vU4c9sEx4omDR70T0mhKJCj3qf6344dBYGRCH47LtCiLqSoGFnqYzN4MPc9hbkkuhH2rXFuhHZ5PYEtPKznkHcbLgf+cZZd/UpgIC28JNq88THDL2pwjKZQknTe1hcf2fmZyHhqBwMO8ZsYQr3r9zvCHRXrOr5XVOd3rX6nVrMKRd+18zaMJ7jxAzeVjNXjm+a4S1GYmyPbifVB6Tyw33+9JIITVfgQNn,iv:nZj95AAJv/ag72cSIOFpWiG5s426Jfov+DAAsP/0oCw=,tag:yfGaGs60I8l2xsWHkpucHw==,type:str]
-        favelasmp-whitelist: ENC[AES256_GCM,data:rmv+LFKMqsRgVCJX7tGNqXVHztU2u1z+QbDYaDw9NImsB526+vpCogXb2ZK71PbZFC+gwX+tw2tqsLDaZmOw8WR9V4e+mkmxjzO255foPdX3X5sLi4zkTP5LGU8kpeLn+FziuMMWCI25GBYUEfNELQigizvfABxiI2WFKMh062YR2aQSxB6pVThJzr3UAyr4pcgH+663iHT9LHW9dZxAu/su1zYI1rh7EE1zfFueiNjujFS1OYuwLRPIPwccPUb/Lk9jB30v6M+lVzWo5DU+RjwQL5HNQOAWyHVf0kcDLQkX082du2tiWGqsmNDzciYKiEMIbJHiRoQtWHfs31HrBt+vGT70EeR9Y0uDAkgID6riHOtLq5plUpGLL4m9gMMdS9V5q68ovvQwBcfMZx93hMMH2VxuZZw+bM/gwhsHoBQAVxw95Hlz2oduLvDQPu/S081NuB99xRLPd3rpMqJY6YZL27fnOXFutQYN3seO+yLiR0xgX83I/CcSgsg8GxDupNYd6bawqEsIzbt+2MALa6eKg/QRi+d5dITTmajSgrkhX3mJx3sSj6T3ItKuHHh6Q7EowGBDqg/JnqaZoa8eWbLjJSxQw6y/voc5xba3/yCb99R3JvbwB9vtWXmOkEtsh/DxkdX8mgEuAMQdtpCf6H0i0wnJtdkZ2pmzh443Dik/8Mztx2rrgDrhd1hr3bzErwY7mMkmNAFJ4UbcaNW+MiRrBB8bIZX02Ev/se1zgE3MVA/1Xxop0YIgS3PrsfCOlDig4Fy6xXHPsgWbYVDm4EDi3s30WZuByxkIwtYkjKeLAmHbDY9E6lMVhP+j7HiwatFSSiKeZcEmqPpctlTYC1FDYZyv40dFHbOUL/lK0fltYsnjjc8019tfIzVe9U3byDCZ+MMPJ9va0dzfwzdwhJQAlenKQDymjiVkeD3S7rByiJRxWOj9QBQMHSRybGHtLMq854DX7iPZcD+WxAl99xmgvhZ1iGZzbpYfnLZfOXfbq7Eh27N6eOHXU5y85CyJwfiIHWigYMvQhTgpeGybAX1osdXz14eG5xzDsrTvZtLXS8+1AeEYhabZXZuOtDNQxiz2Del0YvA/bNsczXlzgZpW+m2QPNEH83IQ6CoGQev/JHdRi+nB0eTv1CljN5ItQNY7hCpj/EizSpqCBoEv+8vB8EtjLV/EgSSsPEQ=,iv:cH7MpF0/VrrdYTU5XJxzXa9n2RA84uWgTcv5wSIHzsc=,tag:S3tlFRkgpj8YhUkedTihBQ==,type:str]
+        favelasmp-ops: ENC[AES256_GCM,data:G3zOP/eST5qyu9UxeI5eaot6IU/yJRcNu/BQQeb5lk1O7LiQaMTfa6aKfeJSf3swl7Jk2R4YwHjYDXnA+BpqDovA6xXIr4epPoQHA1wQq2UkRw+nGHCJDJONS5ZdwQHPa1iwqNg0KjT9ruSNcUZsACtjlfbeaGfzTG7SpFLWoFduYkQNhGdTaBn4s78R9S5xZWbqGRbJrMr7Ak+ja8QDhTU5hfjLQmDidXkT45olCzQ8nq1hPr+JpL9JwSDJyRaB5IrGIbpaWTndZNvGmlWDw3aukg2KKHeu/X4M4MQKATWJEquJLChgy6kqJxFu+58AruChr039HjGOTktCFXyqHR4kLOycStt55puFdecBBVwirfirQaLDH3HMANVoZ2fpy8FEihGIhFxMbxhsgmh/yH4euIVBfYKUeJ7B+o8ttz02C+0wSiENkIzTTTebwgU5aPAU6DTr7I8azRHHXX/4dWHqH6AwhmMEL0KsehxZv/ZKZj9IVau1s6+wZiO5MwcXvKsUKbsRIXqyijUna2dZl9eq,iv:y344lM1tjijqsgaM/NHGJMXJxbJrEK+v0LuF8ZGbI5g=,tag:BtV3E2EdEOU9NwTYiFLVUQ==,type:str]
+        favelasmp-whitelist: ENC[AES256_GCM,data:MKNkAWTm+ocxJW2cOD92WopiOM8PJRjQpuOlXqs7sfVg4vZKX5ivX0vrjcYZjF4Tia+qZCKjH3tJM+xHK5/jPDEQyBwYv5bh0/z7kg/IOvaYsrBgR249D5HniP8avQAmYOVSbG8ja25tmfUoCNcf/WUt7sGIenNUiHNQOKS5S07iFlyJWvCmgES8J7iGfYmc9hntFZ8ZK5GCwGZT1YzwT9p7aLEbTfLNe1c9IzT1ew6iReNCCpIyj33pTjdWA51kWJ1dS4/s5QIxC80eyzG97C66rtS2UzWunGgrN+HPtZmuMoVeIDTbhTEnTLGOGDtVVKZ8vv9fUX4yLaONTH8Bttp6rTMRzVKZHYuZ/1DA+E1BrE0xvBEzLpEKiRLwY1rfztmPB15yJEG/LZjLJPS9rYu0zIr0/UNrcvPwdDA4aDkoh8n+/ABFm7TsHXf38dpWVS+yxfLKEId9/DQ22m+iO5OFObzo4jAM+ajkRcBSv8aT+u9Zh87LBKv2JpiUUePHdL41ZpkWzynbTUyISB7Np1U94vETT1i4QGmBLwZ4SatkA9oAXPS35W5qULsTZ6TR60KW0dQ8bp+R+IICqh0rSl2tzEZtZ02PegvaX3mNBW6HXavnKzvztuEvIR+FQbvlyHKEEY6Ty803rO5WAW4sdI7QoaZnX2f23cXjP+uuVm4+RzfeZXW2U19HZvHOF/kFkM82wvnasMwVqpj1gWEk1HYUDjajqJ4muBvztBqXOYEhF4sNHoVPGiJ2xKMPESs32c5nia4OQy+zV4KviEU5U4TRwX7AkFOHVTDrNbvZ5nLXdJkMzQLPkyiTGecJTKa2hNpAeodALlFfmiRb5jR0MkYmeoFYqhzAfWjFCVB1JxW6HMapGp+D0KAf99sziz8FUs6n+vevafz2n5iyNzomwZqX9DoNFG34Mrgjd2+Tl3OxRFaWt1osGcJFjs4LpcY2MOU74QRixEwHGmzV9wowUpU1ychUOPvyoJWMBRm9vdep6LRCzkd8QU6+6hNIliy2bjMr1TEFGac2gv5SVyyeCa3R/CIPii37+1LGglLHsy8FuFmWQjRnxB9DxL+jaWl7mVLCHy1Fmu99FG2VuISKzqf5i+HI9wupXkoO9Du/H1LvBs7WlkBVMYCfTusxgNW6LLe8aoWDhM/NehXSR6ElJF1Fx1b2+oBZvTIbmemeDiq6Dn+Cp+4smswoXmgtqpzS0umXWzqLlWOag7FdWR+jPYra+GgavFZJ97qKitBw8hOR4xNi/0MsEi5j6SvTkE3LsRH1vEPHF91fn6y1TQaagrrSMA==,iv:s49Os2mYvjjoz8FxBpd9ZZWNMU9gIuC0Wck3czsSYqo=,tag:d/mSpnUjI+d8oSNDSt2Lbg==,type:str]
        favelasmp-pack-manager: ENC[AES256_GCM,data:vogn9uwFiurgx9CQjl5K9RYwSWdftXOijeu4IYRKkjTCo/i6c3vyQfdSa+lZbVd6PIhSHhzVcYcUkfzWtMbU9X3ES5yGqg43cp1yAJSDDLeXxO2FJPU4HOeXgjkUYVZdjLzM4L8QSWX94n494YC8wIryd2K29JeXpWJANcQEYnv1NtO6eSoWDT79vLO0uroqBx9O156fuTvNZmv9wvyBxTs8oRvjN35BH9Vb7oS3r5n+nEPuOFEny95GY1Wkw7ih1HzCxSE44MiJdZvgP/kBFMVbm4W+suqsRPOGNBFA2a8IlGXuSgYZx6ShFMLu9cn6YkYi1rhj2IZzzVEZrGimY9XqybznI6KrcVZ0HU3CZVReJCzyAH+RgVfcPliJNEAzU8XVk/O55kqGNFY6Tu8TBYh/jnq1eyxIceuC8OKGg41+ivwBSInmXmzcCSBnW/zzIT8QcEd46aCLqcjNlfvXHFJhpG4dCWSqRFE75rTkGmMZM3VI76MoFX2ek5GrAm1WuAJGjlB+zptmkQG/PpeT7Yrwl2LdcmrgkjUuXK/hi9Hm8mQ5WKc/qjECLXCTcYSFUyZivBwxMwp75Th6ieQ8TQ6Gds8Tk+UCMfroFbC1DXGGWEIZQsb91RMRMbReez9EeuYnLzAuEdvdTcdELrHrlHVyhyTt+8KFzEaBwhcsHKZXEcQtUFJcjBS/1Ne1FQ8jpHUnx++tNzARM3jc8EaKp5tkshxJjLd9sfG4wVbc4hxvBxYcma9wYQTlPUyKr67ZsxpZIn3Z8OF6bAg5dRxnW5ZCIECZE3Z5WbZ5OTV4ob05OVTks/HpGa5XLgF98w0P4BDPeRd9iSVjQrbMpF9ZsaAMhtbrllmTfgqzmesBR5qKvI23nS48EDDxo83VQ6oG3+5+p4y4OblVMh03afCVAKfFbQAGC6D8W667HbpNpejLpO6foAbhyvlzrpbhY1C+sRzI+k0C8jY+NBjPSwZWvJ76KprSTcwWUHtSGg8odeqFBslW/GVSSz2BwZpP8MeYlcvZM1roKFjXr+yfnc55OZHftxAB9qzTQLuij5aYsPC5nfkuHQigaf/nsjvVIHwxU33pdg8TBCc5djnCi/uaaZFBOHrxmIUgo05NCTjVfg0gAlffxQApIY3YpcdkE8OWT2TJXTUMe88iJqaMiQ2RNVUDY4MdcfxHtM8D1KbTFg7elUDQ1PAKwSG4QcXi8YXs742KKSDv1GjsZiAuqkRHeONOqjdPkAYErt6tBcknzbgVY4lWWNKYaf6949TWCjlYpOCWzhUiWJuXaURvgziDxUM7GcVCkc+yyDnWCDdd8ucOvSHeTPNgQS6kYHj1TLT9CJYwS0djFau7VN4fqdHG+wjibZCgRTPHoHjdAUHN5eUlYLlJuKv1Lm0YMCd6vI0WBZguSM8w2Tg7EQruCtXYNXr+hu7ev2+QaEqG0JX8a5Yq2EPWzIuBXgZstOxdDmTILracC600AG1+knhLDpOM9WkMnRHY92CykhllDKEir+BbX8CkJ+sjytfy1IVQx7lLXivXqVCBBABy1MCmoBJp3i4aChPk75i2RVA1+arjLdSGz9R69fXCT4aNCbLwBGlLc6PKNS68PxknP/dyKl6so5Rs+QIP54NuMfaRIpYyzZ4laHFG4YLHmM4gRSZz7d/b22tqn9f6ozIkSpDdm6cBBtHGp3MUUcQ0ZHTrRirqOkt4ySgxCBk/CSRRfgdylKZwGKqMbv0tKCb9lxYc8MIbiHxXf8PG3OBH/JuN7rGmV1COjC5QIWmxnXBW4BIBMUrkCMK8eqxXT8Vuk/CdKXofU3dap8ymrq8vUAWUaPSwjiE6bvr/xFOyCxVc0oq4kXQxO0rzoo0SZlfufYrcPk81iQwtnjK00vaznOytdmta9xIswdyPCBqYes74DMcBWvWht7zfeHJmAnVNieT++7jh5GsLIWK4QcPbYByVTbVGMYEGtRWwfWxmuVeqQMEQ6+E7Mi7qsWnEYcd8CjTpb6uKEOohnKeV/vMqB83rAv3DuOtVKrfTr5CEubVRt4JtLsKrKPUIf/nVLVYG0f8WVgxNlR76Lyn8gBVaJjGVS2iYAqKWYgxfYNeZ,iv:zrpbgxkEOPkGThzY6o9Tp59ObA6hJUHY5tqZ6v8A9Ac=,tag:YAHFXl5yYOSfsqdaxKqKkA==,type:str]
        favelasmp-discord: ENC[AES256_GCM,data:b3vFKmTz62WSWZW7B7vhTvC/PvUPUuflWBU0GtNJhwujycIf+UZbU1/5nNjgviPH37hZ+QS75ufBlaoLoxsaFJ5PCfAyKnP4LHxQaqhpmdj2tAcN9xSVIXxgRle6k+6RLy+z09U8A2EBUe+M3ke37cjxLMj1SrLW2WgcL1uMax3K2bXGydE83S+Qo9uC3p8fT/UdxmXURTwvOxtXQ9lPsXQoN8mfOS/m/eOvz0JU7ggXtxLR5+FO57jK/NXsXzC+c32ZX6+HvKxPbnMx+GuqeXeBABI9bY9Gnigyq3JPkhMrn9khAvzkcLXXTlVp4pN7OExx9GgawTur47uJzso/TogwUym4MRg8fkd8OYlXdq2EVyAydzL7RAlOu/T3zksYM+TVyGHoaYiGto2l9QLApapk11XTK65RdXCe9kOl+dubZSrmRuOdYXXVkYSC55tO2NOFvHDQW3MiAKLPnnupxPt0UGp9sckjWdBFfE9mNxJ0yI8gtevB7Dm1EiXuYeoMRw8YCGVTkaaQWa35bqZu7AnqN8muDBqr4HpIYxCQBKMTMlqAeBR0namnIEOkbX/5inT59nx8VUksmIgoj786ptRutEghLUp3XyOSJf2WrTJHm7H1cJLwU8w9q3510Dt1jkhId0D3AnRKL3GGDglzGNkGytdzhfnr9tfLTud/dReG9BrhdSW/CgQpK8wjEFZRaeyPPFrJwKSOBgN8fY+j28rbwaD98GRX/MaNBxSAJ4wJIMlobssTVl0p0lpzwcSv0D3ckS6eZ7Vby0bKcJtlumY+oWitTHzmhJwcKe96g9H7oP8zvIyD0lhV7Rm2c+J2MMtdDo1sZNcyJBP+N+moRROatHDLqwXkrUv4Xn1w3DU5/KxG99Uzg7YdZV4oKuuF3ComGWGTUuoTqUxDoxAKppzNyuhKtFB9fXk1c9GiyzBc6jC5pAJdhXaSmgU=,iv:W2kT11X2rsvEChSvJgEuUtmeIqKP1AYgWwXsspg4LUQ=,tag:lEC3vMsNme1vtPxAtDcRRg==,type:str]
+    minio:
+        credentialsFile: ENC[AES256_GCM,data:b3ZS3dJOjUMTFNY0vnCr+u5SZaUtf2DR4zCIGH/OpZWWjJIxjRPKp6aPM5ok/XnYu8cv/4FHwMM=,iv:ZnzLCTI0cEVHGy7mMUNGiQlseOXxvNgWrD1mkthwkNE=,tag:8Ii6fNg2syJcyxNAww+6SQ==,type:str]
 guz:
    password: ENC[AES256_GCM,data:0D9a5w==,iv:+ahN7Y5rsJGCB6/sLgA11yt6YjPDIs1Q7qyTSBqp/No=,tag:pqnd/zAKu4ZFSsrInPPO5g==,type:str]
    git-envs: ENC[AES256_GCM,data:ze7jgpqZ9WFzd6rQds3dTa5FQniZsx31f8qLr1IQ9VpMuEqGlFBLD5vMxeW49XCYQyNJdR0wjLA9QuW6hDN9VXdIm8D4k1GNC7S2Uac2ROslf5sITHjByIM5mKCtt5pttM+Z+MysrvHT6TKiQLdIpSfxYzmLkbEE23/qhBCZ+uK3kqHCJJwCuS19e0s1eTCgvI6gYQXAYU5NI2plSeq7VJc3esug3X3+W4TMn9pveknmjTrJZfXavlCQ5y6yyDIA+aFB5gKJjFWMfKn78GDrMhaw3F8xRt5AOWLh4R5TlZbGnsVLrJK7GK3BwPRB+vS46Di+Je9vog98TXX7ZHRtT8516qnE6J+pYDuh2vRo2gSri/AywSqYKYp8b5iMV+lVvWZBVGUee6USp0ufVUlC1H5qOd2eKysIRXFz2axfRVDu4m17tbjG0XrwjUEo+XkeW5XqRqcQ0V3EmxrUmy2e4RT39394UZUG1Ab2qvowgIYFzmOIRUUPZ4b6IOeKFwnHCbRt2WYFVQto1D8RRRPZO/hU8hc5k/NFBwTxIg8ulr8dCLZPHarkZGaVSTwiHCSOppKlVYlvhgzniaCkJIAYwfaVnjsxGbWKHRuquB3S6YbskUy8qxohAX/0oIjWLihFbqmzBnNmp36cqPC7tFgfJKxCLnlwsveyDVK0AaADBMHhkpcHW7CWb0s9ZwpHrqgIq4XJ37ncieOvQFDgSZ1F8G8/6/avQo42WbeoMkPcbAWrfR/6ZMsps6MK99PeYfju+AbUwfq6m3hcIBIRiko4sn2GsbkkTfmrzOGeMSO/YT4SLJrnYqq67NzQGlh985+8nqPb98LSBxsRQ5umiJyGdytWn5I+Hw1AYXo7WIl4jrV+vhvv4viH0QMZFmIHwTYqCnT7C1zBZwkz1X6j8ZpUHF6vG36U7dxcZcogjhUa5ITqvIe/96OmJ7uGtIQ94ZeuJbrFFAYncRs0Zql8x1bksJkmZ9HX+m09/h6cl3NZ8KPk36cha1MIkQtuOPPwmuVm6fE9jG7gKjNK1Gk/LXR/or9gzX3YWwt5KAfPKRiWz2Bf2y5RmJOCkrN7kSy7iV5yFsUgd64vWQ3jRKwfHsHHJX0XyIGfNYyY2af8kr/iJdzmTqLSilEw5Fs16irHj/yWti7UJR4miDQJydoxfTguv9kLHzoPKpy40iwnZeJS1cnQFQuY6Qf+HyKBWOU141J9kd/w7px1Muu0SN4q+WxdXTGuHYJJqqJsPxkgtpWYdrklaHfd+9XEHqjIZDuqZJ9M5ctptiPvJgJP1n7AzKlnwClEI/RqrLomZMW4JfD63gsIxFFK13BGwggzcOEz7VKRmo08CUFWpnAeOzQDwax6+o6X1jPxQdv2+oFPZRmqyrV9QjvXogG03uOjaO+zMfhj5Ykoom3IQv803hW3xrToshcyg2+qyamfj0c7DAI+h5VPohH+iiBRWiQJCmUJSkPmAgSLFwkuPNfFJ/0CKjWhFVNaXgx4HRQnH0evpHPFFN0JCrgROh14vf0J4bjIMi+v1gerhwBvBjuTNM41ZsTncFnRGMgaaRIp+UwGGSB9aZf7DdXVzcsvFdqRIUgsLSWJApmkvA6W3gyME3Pugp0K6QsADPbg/fJV3HukElC3RIPX89QYLENCFqutTtH0DqEoQKiNhY1TXorS3g==,iv:6vBiIpZvLjWb1X2mQRf/IGDvU60NtJ8TaYPtKA5GepA=,tag:f4sW9OAO4BA3gHwLuaR/rw==,type:str]
@@ -28,7 +33,7 @@ sops:
            TUIyZG5rVC9PM21RR1ZtaXhKUytyL2sKH49RFJJi94RFtbyJMYM2oLETQ3sgpXkJ
            BFyQJClKlbE5In6XnvJ0PjXForr8tYFIZ2YG7/Y2jf/hXMtIHO/02g==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-05-16T00:52:21Z"
-    mac: ENC[AES256_GCM,data:4ewookSW0JwDM+c4aVrMSifZRsLH6D7hMMp9EuEl7ksu6w1azbVyDCdB3t+bBfzeqmulfE6K2c0Bhw6ldESQp3ovv+IV6IYbIhwj6Y7eUq4eH3yYlU00+9LM8o/yreS82kxihWIp7QsvGOwp96Vovdcji4XBw+OGwN1vEsoPYd0=,iv:OCTGPm10V4ZC33MAgTDBEesvZ029x+1ctCTq0PxxJIM=,tag:/GdwOa42MmE1xdCa9c9d1w==,type:str]
+    lastmodified: "2026-05-20T22:34:38Z"
+    mac: ENC[AES256_GCM,data:+ymZYgCol0g0VBTGN9UIHruL79AkUp3IJkxWgiAua8OshRlvcpPtmVf8o80bO7Vr3VSkGYEJQ1Sra4WqDDlBVFS46HqHMYRUlLP6j7Q5kw8GaSrV/j328HgcC+feg7YjHYjzNs/jdNjf8l4WyFAGU/dP07EBPT1/lh6zL+A8ki0=,iv:jApzTmb7R84Y34op/qr9Ykjsg3GUG79NBhMfUeXdC4M=,tag:6D5Ru0MsVQlfse0ZBUCmwg==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.12.1
--- a/services/capytal/gitea.nix
+++ b/services/capytal/gitea.nix
@@ -9,8 +9,8 @@
 in {
  services.gitea = {
    enable = true;
-    package = inputs.lored-gitea.packages.${pkgs.stdenv.hostPlatform.system}.default;
-    lfs.enable = true;
+    package = inputs.loreddev-gitea.packages.${pkgs.stdenv.hostPlatform.system}.default;
+    # lfs.enable = true;
    settings = with lib; let
      initList = l: (concatStringsSep "," l);
    in rec {
@@ -72,7 +72,7 @@ in {
        DOMAIN = "code.capytal.cc";
        ROOT_URL = "https://${server.DOMAIN}";
        PUBLIC_URL_DETECTION = "auto";
-        HTTP_PORT = 9964;
+        HTTP_PORT = 9965;
      };
      database = {
        DB_TYPE = "sqlite3";
@@ -85,6 +85,7 @@ in {
        COOKIE_REMEMBER_NAME = "__Host-capytal_code_forge_incredible";
        PASSWORD_COMPLEXITY = initList ["lower" "upper" "digit" "spec"];
        PASSWORD_CHECK_PWN = true;
+        TWO_FACTOR_AUTH = "";
      };
      qos = {
        ENABLED = true; # For endpoints not protected by Anubis and protect from overload in general.
@@ -118,76 +119,77 @@ in {
      federation = {
        ENABLED = true;
      };
-      lfs = {};
-      storage = {
-        STORAGE_TYPE = "minio";
-        MINIO_USE_SSL = false;
-        MINIO_ENDPOINT = "localhost:3461";
-        MINIO_BUCKET = "gitea";
-        MINIO_LOCATION = config.services.garage.settings.s3_api.s3_region;
-      };
+      # lfs = {};
+      # storage = {
+      #   STORAGE_TYPE = "minio";
+      #   MINIO_USE_SSL = false;
+      #   MINIO_ENDPOINT = "localhost:3461";
+      #   MINIO_BUCKET = "gitea";
+      #   MINIO_LOCATION = config.services.garage.settings.s3_api.s3_region;
+      # };
      "storage.repo-archive" = {};
      "repo-archive" = {};
-      actions = {
-        ENABLE = true;
-        DEFAULT_ACTIONS_URL = "self";
-      };
-    };
-    secrets = {
-      server = {
-        LFS_JWT_SECRET = config.sops.secrets."gitea/server/lfs_jwt_secret".path;
-      };
-      security = {
-        SECRET_KEY = config.sops.secrets."gitea/security/secret_key".path;
-        INTERNAL_TOKEN = config.sops.secrets."gitea/security/internal_token".path;
-      };
-      oauth2 = {
-        JWT_SECRET = config.sops.secrets."gitea/oauth2/jwt_secret".path;
-      };
-      storage = {
-        MINIO_ACCESS_KEY_ID = config.sops.secrets."gitea/storage/access_key_id".path;
-        MINIO_SECRET_ACCESS_KEY = config.sops.secrets."gitea/storage/secret_access_key".path;
-      };
+      # actions = {
+      #   ENABLE = true;
+      #   DEFAULT_ACTIONS_URL = "self";
+      # };
    };
  };

-  services.gitea-actions-runner.instances = {
-    "gitea-runner" = {
-      enable = true;
-      name = "Gitea Runner (${config.networking.hostName}) 1";
-      url = cfg.settings.server.ROOT_URL;
-      tokenFile = config.sops.secrets."gitea/actions/token".path;
-      labels = ["nix-latest:docker://code.capytal.cc/images/nix:2.31.3"];
-    };
+  systemd.services.gitea.serviceConfig = {
+    EnvironmentFile = config.sops.secrets."services/gitea/env-file".path;
  };

-  services.anubis.instances."gitea".settings = {
-    BIND = ":${toString (cfg.settings.server.HTTP_PORT + 2)}";
-    BIND_NETWORK = "tcp";
-    METRICS_BIND = ":${toString (cfg.settings.server.HTTP_PORT + 3)}";
-    METRICS_BIND_NETWORK = "tcp";
-    SERVE_ROBOTS_TXT = true;
-    TARGET = "http://localhost:${toString cfg.settings.server.HTTP_PORT}";
-    ED25519_PRIVATE_KEY_HEX_FILE = config.sops.secrets."anubis/gitea/hex_file".path;
+  # services.gitea-actions-runner.instances = {
+  #   "gitea-runner" = {
+  #     enable = true;
+  #     name = "Gitea Runner (${config.networking.hostName}) 1";
+  #     url = cfg.settings.server.ROOT_URL;
+  #     tokenFile = config.sops.secrets."gitea/actions/token".path;
+  #     labels = ["nix-latest:docker://code.capytal.cc/images/nix:2.31.3"];
+  #   };
+  # };
+
+  # services.anubis.instances."gitea".settings = {
+  #   BIND = ":${toString (cfg.settings.server.HTTP_PORT + 2)}";
+  #   BIND_NETWORK = "tcp";
+  #   METRICS_BIND = ":${toString (cfg.settings.server.HTTP_PORT + 3)}";
+  #   METRICS_BIND_NETWORK = "tcp";
+  #   SERVE_ROBOTS_TXT = true;
+  #   TARGET = "http://localhost:${toString cfg.settings.server.HTTP_PORT}";
+  #   ED25519_PRIVATE_KEY_HEX_FILE = config.sops.secrets."anubis/gitea/hex_file".path;
+  # };
+
+  services.caddy.virtualHosts = {
+    "${cfg.settings.server.DOMAIN}:80".extraConfig = ''
+      header {
+        X-Frame-Options "SAMEORIGIN"
+        X-Content-Type-Options "nosniff"
+        X-XSS-Protection "1; mode=block"
+        Referrer-Policy "strict-origin-when-cross-origin"
+        Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' blob: data:; font-src 'self' data:; upgrade-insecure-requests; report-to csp-endpoint"
+        -Server
+      }
+
+      reverse_proxy http://localhost:${toString cfg.settings.server.HTTP_PORT} {
+        header_up X-Real-Ip {header.Cf-Connecting-Ip}
+        header_up X-Forwarded-For {header.Cf-Connecting-Ip}
+        header_up X-Forwarded-Proto https
+        header_up Host {host}
+      }
+    '';
  };

-  services.caddy.virtualHosts = let
-    redir = {
-      extraConfig = ''
-        redir https://code.capytal.cc{uri} permanent
-      '';
-    };
-  in {
-    ":${toString (cfg.settings.server.HTTP_PORT + 1)}" = {
-      extraConfig = ''
-        request_body {
-          max_size 1GiB
-        }
-        reverse_proxy http://localhost:${toString cfg.settings.server.HTTP_PORT}
-      '';
-    };
-    # Old ports used by legacy https://forge.capytal.company
-    ":9961" = redir;
-    ":9962" = redir;
+  environment.persistence."/persist".directories = [
+    {
+      directory = cfg.stateDir;
+      user = cfg.user;
+      group = cfg.group;
+    }
+  ];
+
+  sops.secrets = {
+    "services/gitea/actions-token" = {owner = cfg.user;};
+    "services/gitea/env-file" = {owner = cfg.user;};
  };
 }
--- a/services/cloudflared.nix
+++ b/services/cloudflared.nix
@@ -9,6 +9,12 @@

  services.cloudflared.enable = true;
  services.cloudflared.tunnels = {
+    "a17157ee-5c16-4522-9d86-15b8f1830aa2" = {
+      certificateFile = config.sops.secrets."services/cloudflared/capytalcc-cert".path;
+      credentialsFile = config.sops.secrets."services/cloudflared/capytalcc-cred".path;
+      caddy-domain = "capytal.cc";
+      default = "http_status:404";
+    };
    "9ed8b48f-9585-4a67-9895-114b162172fb" = {
      certificateFile = config.sops.secrets."services/cloudflared/guzone-cert".path;
      credentialsFile = config.sops.secrets."services/cloudflared/guzone-cred".path;
@@ -20,6 +26,8 @@
  services.caddy.enable = true;

  sops.secrets = {
+    "services/cloudflared/capytalcc-cert" = {};
+    "services/cloudflared/capytalcc-cred" = {};
    "services/cloudflared/guzone-cert" = {};
    "services/cloudflared/guzone-cred" = {};
  };
--- a/services/minecraft-servers.nix
+++ b/services/minecraft-servers.nix
@@ -12,7 +12,6 @@ with lib; let
 in {
  imports = [
    self.nixosModules.playit
-    self.nixosModules.services.cloudflared
    inputs.nix-minecraft.nixosModules.minecraft-servers
  ];