diff --git a/nki-personal-do/gitea.nix b/nki-personal-do/gitea.nix
index 2e1612f..237d6d5 100644
--- a/nki-personal-do/gitea.nix
+++ b/nki-personal-do/gitea.nix
@@ -98,6 +98,7 @@ in
 };
 users.groups.${user} = { };
 sops.secrets."gitea/signing-key".owner = user;
+ sops.secrets."gitea/minio-secret-key".owner = user;
 sops.secrets."gitea/mailer-password".owner = user;
 # database
 cloud.postgresql.databases = [ user ];
@@ -174,6 +175,17 @@ in
 PATH = "${pkgs.git}/bin/git";
 };
 
+ storage = {
+ STORAGE_TYPE = "minio";
+ MINIO_USE_SSL = "true";
+ MINIO_ENDPOINT = "60c0807121eb35ef52cdcd4a33735fa6.r2.cloudflarestorage.com";
+ MINIO_ACCESS_KEY_ID = "704c29ade7a8b438b77ab520da2799ca";
+ MINIO_SECRET_ACCESS_KEY = "#miniosecretkey#";
+ MINIO_BUCKET = "dtth-gitea";
+ MINIO_LOCATION = "auto";
+ MINIO_CHECKSUM_ALGORITHM = "md5"; # R2 moment
+ };
+
 federation.ENABLED = true;
 DEFAULT.APP_NAME = "DTTHGit";
 };
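Review bot: The `storage` block hard-codes the R2 account endpoint and `MINIO_ACCESS_KEY_ID` in Nix, so both are committed to the repository and rendered into the world-readable Nix-store copy of app.ini; that is tolerable for an access-key ID (the secret half goes through the `#miniosecretkey#` placeholder and sops), but it deserves a comment so nobody later pastes the secret key the same way, e.g. `# Access key ID is not secret; the secret key is substituted from sops in preStart`. `MINIO_CHECKSUM_ALGORITHM = "md5"; # R2 moment` does not say why the default is overridden — if it is because Cloudflare R2 rejects Forgejo's default checksum, write that down: `# Cloudflare R2 does not accept the default checksum algorithm; md5 is required there`. Keeping `MINIO_USE_SSL = "true"` is right; I would also note next to the placeholder that the literal `#miniosecretkey#` is only replaced once a preStart rewrites app.ini, so a failed substitution shows up as a failed R2 login rather than a leaked key.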
@@ -203,17 +215,25 @@ in
 environment.GNUPGHOME = "${config.services.gitea.stateDir}/.gnupg";
 # https://github.com/NixOS/nixpkgs/commit/93c1d370db28ad4573fb9890c90164ba55391ce7
 serviceConfig.SystemCallFilter = mkForce "~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @setuid @swap";
- preStart = ''
- # Import the signing subkey
- if cat ${config.services.gitea.stateDir}/.gnupg/gpg.conf | grep -q ${signingKey}; then
- echo "Keys already imported"
- # imported
- else
- echo "Import your keys!"
- ${pkgs.gnupg}/bin/gpg --quiet --import ${secrets."gitea/signing-key".path}
- echo "trusted-key ${signingKey}" >> ${config.services.gitea.stateDir}/.gnupg/gpg.conf
- exit 1
- fi
- '';
+ preStart =
+ let
+ configFile = "${config.services.forgejo.customDir}/conf/app.ini";
+ in
+ ''
+ # Update minio secret key
+ chmod u+w ${configFile} && \
+ ${lib.getExe pkgs.replace-secret} '#miniosecretkey#' '${config.sops.secrets."gitea/minio-secret-key".path}' '${configFile}' && \
+ chmod u-w ${configFile}
+ # Import the signing subkey
+ if cat ${config.services.forgejo.stateDir}/.gnupg/gpg.conf | grep -q ${signingKey}; then
+ echo "Keys already imported"
+ # imported
+ else
+ echo "Import your keys!"
+ ${pkgs.gnupg}/bin/gpg --quiet --import ${secrets."gitea/signing-key".path}
+ echo "trusted-key ${signingKey}" >> ${config.services.forgejo.stateDir}/.gnupg/gpg.conf
+ exit 1
+ fi
+ '';
 };
 }
diff --git a/nki-personal-do/secrets/secrets.yaml b/nki-personal-do/secrets/secrets.yaml
index b3b3e2c..c7b5d29 100644
--- a/nki-personal-do/secrets/secrets.yaml
+++ b/nki-personal-do/secrets/secrets.yaml
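Review bot: The new `preStart` runs `replace-secret` on `${config.services.forgejo.customDir}/conf/app.ini`, but its order relative to the Forgejo module's own `preStart` (which, as far as I can tell, copies the generated app.ini into place and does its own secret substitution) is unspecified when two definitions of a `types.lines` option are merged; if this snippet runs first, the fresh copy re-introduces the literal `#miniosecretkey#` and R2 authentication fails. Pinning the order with `preStart = lib.mkAfter (let configFile = "${config.services.forgejo.customDir}/conf/app.ini"; in '' ... '');` removes the dependence on module evaluation order. The hunk also mixes option trees: the context line `environment.GNUPGHOME = "${config.services.gitea.stateDir}/.gnupg"` still points at the gitea state directory while the new lines read and append `${config.services.forgejo.stateDir}/.gnupg/gpg.conf`, so unless both options resolve to the same path the `trusted-key` check and the import target a directory gpg never consults; the GNUPGHOME line should move to `config.services.forgejo.stateDir` as well. The `if` block that follows is moved code; its `exit 1` after a successful import is pre-existing behaviour and not introduced here.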
@@ -24,6 +24,7 @@ headscale:
 vnm: ENC[AES256_GCM,data:F6rAV5ZZvtUvFC6sF8M9gKVrcnUZGl0IwWzTDyLXITQ/QeXC9VU9ypGSz5a9GAZ78tPgHtUJ2fJFEEpteMz9Ru2/Imh112NrGf1INqvDKCnX0j+3P1Fms/aXdehETPVSprNl0C2u03ygFNX5tjyNDYysI7Bqsu8MtkRkBFjm8x52VPXiLsrK80Gctt9OhBz4Zc9G3RcluMfVr6y2RZHIsJgVgXWm5rG8WQHTsB67D3Uz9c63KOkQ+Ib/5ERtJ7RwjBGollQlFhUSMgc0m6ftmNUt6xNbMnt16bJVUtm3rRD9S+2bkfXObCp7FpqIWBCIYF89,iv:ScBU0FV5wZSlc/p7SSe3PMVRddLEgLeQ8/ghVsw4TM0=,tag:XwvlBiVzl+FTiQOGScVLag==,type:str]
 gitea:
 mailer-password: ENC[AES256_GCM,data:LDW0bpbfanBa2QjqdgtKu6F+zG84xaGuLg1cs6eTJbg=,iv:Kle+czR9Xqi45qWjYJIjRhq87rG2PNoNF6YQ7tQ+HJA=,tag:WUuPgwdnz8F2WtFsgcrw/Q==,type:str]
+ minio-secret-key: ENC[AES256_GCM,data:IRuaRgOgR+7LMSLwg9NxxSqUCbze8qu9cPWJllsA6GTNmllEHrlKA6ywZrlTlVmS16fkmQWCCi5wjZmltw6UCg==,iv:zCtqGkS195f7/ikwnjhYPTxqmUV2y+kI4OMT1OjMtCw=,tag:wMLfU8+zau7VTxRArfm1sg==,type:str]
 signing-key: ENC[AES256_GCM,data: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,iv:LlUhINacJf7haxl7i0QI9ALdOFLdLJGbsXgszKVJOVg=,tag:ALkAcUmPFHp8wpI7DVYbiw==,type:str]
 nextcloud:
 admin-password: ENC[AES256_GCM,data:wDL8xCv8/mFQniIRQOR+zl1kArSUXc2KAfCP1jmnidLOYwC4X0d8V60s0hAXCO1gUxNTETjbjBkGlENpvQm8dL94DIshCMyMxFc5gUmrF9qc+omOPT5HF82FgaHnN9N6sH3r19SfoXkMtBROj1V6xlU/lVqx+CiJCSCBfbllYkY=,iv:DGFlXNRXey0dIQVzsg0qkPGxDG+36tcg0BXUQzHfANk=,tag:HdpNO+ikmXo7wtahYwtkDg==,type:str]
@@ -76,8 +77,8 @@ sops:
 by9kZFlTRVdCZFkxYTVVb0RIRk8zUlkKCqMw9oL9RaYBV5Hhy3o8Nm5xmGrPH8Sd
 hv36sxRFFNZT/DCKaHaSRbT3mfpBZSTXJt1dgl4nZe6whH54t/1KmA==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-10-21T00:39:40Z"
- mac: ENC[AES256_GCM,data:LtQXhFPm8SFuq7GZIRJyYmzUBcQFRP1UkfkZ2K6eGv0BE72cAN7n1XlxU5Ujj9G1rTjumaquCWmD7h0cmh4ufJnAjAatSn2XOwVAK8+2STd52YQE2sidlHJBlrNrvo4TICusIl+m5Z9E97G420SH6E846Wv+tPQBF9t5HQQgo24=,iv:/7vfawv3rzn2l28MrJcEYRNdMV/QDHThbP2gA1b+jZk=,tag:pdpItbrshuzVtrKWQS949g==,type:str]
+ lastmodified: "2024-10-21T01:42:45Z"
+ mac: ENC[AES256_GCM,data:fQKg8LYg5VICITPjTDWsqByeNX0WmtD8TTqzh5WisBpoVG4Ksr1pqDH5bhv8G6G7M8Fk2P++tvwOoebuN3Gi0DvdAnQihm2pH5ufgYffWLQz56paXulOXk7T16f+yEKXDCK1MJpNCbv7GmitZs+b/4Z1M/O9KNCxHegK1y3FfHQ=,iv:RuyS/2qk0mrF7J4brwEArBZfSSPytbiL1w5xtFS9Yr0=,tag:3sFtGxo+tIzbKs8qXG+pcA==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.9.1