diff --git a/data_bags/credentials/gitea.json b/data_bags/credentials/gitea.json index f8431b2..f976777 100644 --- a/data_bags/credentials/gitea.json +++ b/data_bags/credentials/gitea.json 
@@ -1,30 +1,51 @@ { "id": "gitea", "jwt_secret": { - "encrypted_data": "jTNhXpJ1mhUXjfRZ3OAR8lrGgxyyob44kN0TyNec5zO2Wb46hJgYMWwtKlZ9\nohNexOKV+wXCjZNeVw0kNgI=\n", - "iv": "NYkJTeTzLilMLptE\n", - "auth_tag": "a/PuBmOmhyCx0ooepz7n1w==\n", + "encrypted_data": "suy7Vwlg7tyJFBSjlnNRv7qR4jp1o9F0TbwxGcwWqbCpQW2NHl9QS1SCXJml\n4UbKklppjp+7Axvvs7YiOX8=\n", + "iv": "ojZAtLDxV6569XHN\n", + "auth_tag": "j15eLXjGMIIsXh5dHET/lw==\n", "version": 3, "cipher": "aes-256-gcm" }, "internal_token": { - "encrypted_data": "HbyEfyrupc06vGHhSqKUUT8NAIrlvbK4LbMdqxmJMgeltvDItqGgFa0ZdD51\n0djRqQMrRZ4MEdqVTFSBL+8QVdriKeUcLcummp52Sp9tYZKSQKympJFx3fsS\n49rBJhDKRlc3+jUpejJu4jHY4xR2MMNvWWqkkufTvZHhzg==\n", - "iv": "DUSCP7Q3dgjyYXwl\n", - "auth_tag": "HkPLLvY8uVNK871OsMshcg==\n", + "encrypted_data": "y7VG9w8Gz/jxgz86p/OtpVvJBYjD6yGOPhCM3SEPlbQF/gqI8VuTkJlUQLFB\nrsPiCcjjynuTPJPLvdkVUu1XjOfp5dtbPDc0hqp8KhvBx4DhnH7Mspp/kWfb\n9DWzJ6zeGBB/nrNay0jTV1MoqzKc3Nl0GSkzBLMbr15vVw==\n", + "iv": "wcx+w1Ij5Dee/81s\n", + "auth_tag": "C7QMXezMU+jcYZAjlm86rg==\n", "version": 3, "cipher": "aes-256-gcm" }, "secret_key": { - "encrypted_data": "bvxdPokzagjZkdGG37hbWBi6ywu+1UuOrlJJ4p5zOG03b4PN4N40ztO4fWr5\ncMHfO7FER779fRc+tA2H7L1SKqSvlJThgk7X8R7AGGQmrQy7Jvc=\n", - "iv": "0uTGeUjnbvnW2WGp\n", - "auth_tag": "Dzfb3Jiim5eYWfwpN3HO5Q==\n", + "encrypted_data": "4DGRaIbqqa5oCzFwNUjRPcP+uauWidjWwmBZY0BNyI3c/XmQBEb8wGV9Leoc\n3avqM5jhS/Ov43SBMpCrR71x4eAPJ3vlSeQ3GnpkgFyWfolmbEg=\n", + "iv": "SOTJFH8JkBNtPKyF\n", + "auth_tag": "fYSfkMMvGnPdiBOP7NnP8Q==\n", "version": 3, "cipher": "aes-256-gcm" }, "postgresql_password": { - "encrypted_data": "yv2gQYUxMTa7eeC0GJqE+fujOvM9GIwj/OL/L1wvn7uNTjJE97Xt1gYXRw==\n", - "iv": "F6yrDSav9EShCf2N\n", - "auth_tag": "08b4vT71g41qu6A6jZ6opw==\n", + "encrypted_data": "tA/mMteX2aO7dozNe/YWB8S9sVDdUgzKDnAdgnsXF5qTVT0slHe3KRg7og==\n", + "iv": "3/rdo8uCdhrFOWOf\n", + "auth_tag": "uNl4R3T5ylEBgAM8P6fdYA==\n", + "version": 3, + "cipher": "aes-256-gcm" + }, + "s3_key_id": { + "encrypted_data": 
"Pjaw1MM+GNZN68XDbM+PGJUwSSXwu1+ASgm4S0VZ3MvylVG3uBPdqdDUZ9g8\n", + "iv": "mPL4HvodGKMD+30N\n", + "auth_tag": "nrej5vDLEzAI9HkKJxa/mQ==\n", + "version": 3, + "cipher": "aes-256-gcm" + }, + "s3_secret_key": { + "encrypted_data": "yBWAUGyyoetZ8EDD+kVffGDQbFPVXxpiWCdWL5xn3ohlclrrcWBQP/cGj2Ts\nlSZ2l4ZIuHX6ZdAHe5O2C1h5nYVtWx+u5kVa9n6EoUbz/6iseHU=\n", + "iv": "jmIdQZVMCLLKs1pi\n", + "auth_tag": "0Jvgjuvhv11/QNV43zm1LQ==\n", + "version": 3, + "cipher": "aes-256-gcm" + }, + "s3_bucket": { + "encrypted_data": "MyR5WhJMGfu+StFPVt3wSzVSNsHnEiLfzKXm2xJeb/cEQVw=\n", + "iv": "CHmMCjdVzw+qKHIV\n", + "auth_tag": "tiQegK0hQfCjcgRxg1G8Rg==\n", "version": 3, "cipher": "aes-256-gcm" } diff --git a/environments/production.json b/environments/production.json index f746d3e..ac5f7e6 100644 --- a/environments/production.json +++ b/environments/production.json @@ -5,6 +5,17 @@ "replication_mode": "2", "s3_api_root_domain": ".s3.garage.kosmos.org", "s3_web_root_domain": ".web.garage.kosmos.org" + }, + "gitea": { + "postgresql_host": "pg.kosmos.local:5432", + "config": { + "storage": { + "type": "minio", + "endpoint": "localhost:3900", + "location": "garage", + "use_ssl": "false" + } + } } } -} +} \ No newline at end of file diff --git a/nodes/gitea-2.json b/nodes/gitea-2.json index 4aef119..d326adc 100644 --- a/nodes/gitea-2.json +++ b/nodes/gitea-2.json @@ -1,5 +1,6 @@ { "name": "gitea-2", + "chef_environment": "production", "normal": { "knife_zero": { "host": "10.1.1.21" @@ -13,6 +14,7 @@ "ipaddress": "192.168.122.189", "roles": [ "kvm_guest", + "garage_gateway", "gitea", "postgresql_client" ], @@ -20,6 +22,8 @@ "kosmos-base", "kosmos-base::default", "kosmos_kvm::guest", + "kosmos_garage", + "kosmos_garage::default", "kosmos_postgresql::hostsfile", "kosmos_gitea", "kosmos_gitea::default", @@ -58,8 +62,9 @@ } }, "run_list": [ - "recipe[kosmos-base]", + "role[base]", "role[kvm_guest]", + "role[garage_gateway]", "role[gitea]" ] -} \ No newline at end of file +} 
diff --git a/roles/garage_gateway.rb b/roles/garage_gateway.rb
new file mode 100644
index 0000000..fb65920
--- /dev/null
+++ b/roles/garage_gateway.rb
@@ -0,0 +1,6 @@
+name "garage_gateway"
+
+run_list %w(
+  kosmos_garage::default
+  kosmos_garage::firewall_rpc
+)
diff --git a/roles/garage_node.rb b/roles/garage_node.rb
index b1d2183..e9b06fb 100644
--- a/roles/garage_node.rb
+++ b/roles/garage_node.rb
@@ -2,5 +2,6 @@ name "garage_node"
 
 run_list %w(
   kosmos_garage::default
-  kosmos_garage::firewall
+  kosmos_garage::firewall_rpc
+  kosmos_garage::firewall_apis
 )
diff --git a/site-cookbooks/kosmos_garage/recipes/firewall.rb b/site-cookbooks/kosmos_garage/recipes/firewall_apis.rb
similarity index 57%
rename from site-cookbooks/kosmos_garage/recipes/firewall.rb
rename to site-cookbooks/kosmos_garage/recipes/firewall_apis.rb
index d67fa55..3b169c3 100644
--- a/site-cookbooks/kosmos_garage/recipes/firewall.rb
+++ b/site-cookbooks/kosmos_garage/recipes/firewall_apis.rb
@@ -7,13 +7,6 @@ firewall_rule 'garage_s3_api' do
   port node['garage']['s3_api_port']
 end
 
-firewall_rule 'garage_rpc' do
-  command :allow
-  protocol :tcp
-  source "10.1.1.0/24"
-  port node['garage']['rpc_port']
-end
-
 firewall_rule 'garage_s3_web' do
   command :allow
   protocol :tcp
@@ -28,9 +21,14 @@ firewall_rule 'garage_admin' do
   port node['garage']['admin_port']
 end
 
-firewall_rule 'garage_k2v_api' do
-  command :allow
-  protocol :tcp
-  source "10.1.1.0/24"
-  port node['garage']['k2v_api_port']
-end
+# K2V is currently disabled by default in release
+# builds, but may be interesting for RS usage:
+#
+# https://garagehq.deuxfleurs.fr/documentation/reference-manual/k2v/
+#
+# firewall_rule 'garage_k2v_api' do
+#   command :allow
+#   protocol :tcp
+#   source "10.1.1.0/24"
+#   port node['garage']['k2v_api_port']
+# end
diff --git a/site-cookbooks/kosmos_garage/recipes/firewall_rpc.rb b/site-cookbooks/kosmos_garage/recipes/firewall_rpc.rb
new file mode 100644
index 0000000..4f45898
--- /dev/null
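Review bot: roles/garage_gateway.rb does not say why a gateway gets only `kosmos_garage::firewall_rpc` while roles/garage_node.rb (same commit) gets both `firewall_rpc` and `firewall_apis`, and a reader comparing the two roles will wonder whether the S3 port was forgotten. The intent appears to be that gateway nodes only join the cluster over RPC and serve the S3 API to local consumers (nodes/gitea-2.json adds this role next to gitea, and environments/production.json points Gitea at `localhost:3900`), but whether the APIs are bound to loopback is decided in `kosmos_garage::default`, which is outside this diff. A short comment above `run_list`, e.g. `# Gateway: joins the cluster over RPC only; S3/web/admin APIs are not opened to the LAN (storage nodes use firewall_apis)`, would record that decision where the next person will look.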
+++ b/site-cookbooks/kosmos_garage/recipes/firewall_rpc.rb
@@ -0,0 +1,8 @@
+include_recipe 'firewall'
+
+firewall_rule 'garage_rpc' do
+  command :allow
+  protocol :tcp
+  source "10.1.1.0/24"
+  port node['garage']['rpc_port']
+end
diff --git a/site-cookbooks/kosmos_gitea/attributes/default.rb b/site-cookbooks/kosmos_gitea/attributes/default.rb
index 3ab874b..e25126d 100644
--- a/site-cookbooks/kosmos_gitea/attributes/default.rb
+++ b/site-cookbooks/kosmos_gitea/attributes/default.rb
@@ -1,12 +1,13 @@
-gitea_version = "1.17.2"
-node.default["kosmos_gitea"]["version"] = gitea_version
-node.default["kosmos_gitea"]["binary_url"] = "https://dl.gitea.io/gitea/#{gitea_version}/gitea-#{gitea_version}-linux-amd64"
-node.default["kosmos_gitea"]["binary_checksum"] = "d0e903671ae04007c5956beb65985825795c1d9b24c9f354b48008fd44db1b57"
-node.default["kosmos_gitea"]["nginx"]["domain"] = "gitea.kosmos.org"
-node.default["kosmos_gitea"]["working_directory"] = "/var/lib/gitea"
-node.default["kosmos_gitea"]["port"] = 3000
+gitea_version = "1.17.3"
+node.default["gitea"]["version"] = gitea_version
+node.default["gitea"]["binary_url"] = "https://dl.gitea.io/gitea/#{gitea_version}/gitea-#{gitea_version}-linux-amd64"
+node.default["gitea"]["binary_checksum"] = "38c4e1228cd051b785c556bcadc378280d76c285b70e8761cd3f5051aed61b5e"
+node.default["gitea"]["working_directory"] = "/var/lib/gitea"
+node.default["gitea"]["port"] = 3000
+node.default["gitea"]["postgresql_host"] = "localhost:5432"
+node.default["gitea"]["nginx"]["domain"] = "gitea.kosmos.org"
 
-node.default["kosmos_gitea"]["config"] = {
+node.default["gitea"]["config"] = {
   "webhook": {
     "allowed_host_list" => "external,127.0.1.1"
   }
diff --git a/site-cookbooks/kosmos_gitea/recipes/backup.rb b/site-cookbooks/kosmos_gitea/recipes/backup.rb
index f363577..e929ba3 100644
--- a/site-cookbooks/kosmos_gitea/recipes/backup.rb
+++ b/site-cookbooks/kosmos_gitea/recipes/backup.rb
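Review bot: `source "10.1.1.0/24"` in the new firewall_rpc.rb admits every host on the LAN to the Garage RPC port, although the only legitimate peers are the nodes carrying the garage_node and garage_gateway roles that this commit defines. Now that the RPC rule lives in its own recipe it is a natural place to derive the allow-list from node search, the way kosmos_gitea/recipes/default.rb already collects `node["knife_zero"]["host"]` for its webhook list; in nodes/gitea-2.json that attribute is the 10.1.1.x address, so it looks like the right field to use, though that should be confirmed against the other node files. One resource per peer keeps resource names unique and the rule set easy to audit. This file is complete in the hunk, so nothing continues outside it.
```ruby
include_recipe 'firewall'

# Only cluster members (storage nodes and gateways) need to reach the RPC port.
# knife_zero.host looks like the 10.1.1.x LAN address — confirm against nodes/*.json
garage_peers = search(:node, "role:garage_node OR role:garage_gateway")
               .map { |n| n["knife_zero"]["host"] }.compact.sort

garage_peers.each do |peer|
  firewall_rule "garage_rpc_#{peer}" do
    command :allow
    protocol :tcp
    source peer
    port node['garage']['rpc_port']
  end
end
```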
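Review bot: The `config` hash in attributes/default.rb mixes key styles: `"webhook": {` is the symbol-key shorthand (yielding `:webhook`) while the nested `"allowed_host_list" => ...` is a string key, and the same mix is repeated in the new `node.normal["gitea"]["config"]` assignment in recipes/default.rb. Chef's attribute mashes convert symbol keys to strings, which is why `@config["storage"]` and `c["type"]` in app.ini.erb still resolve, but writing `"webhook" => {` throughout removes the need to know that. Separately, renaming the namespace from `kosmos_gitea` to `gitea` is a silent break for anything not updated in this commit — a wrapper cookbook, or `normal` attributes saved in a node JSON under the old key — since a lookup of `node["kosmos_gitea"][...]` would now just return nil; a grep for the old key across nodes/ and roles/ before merging would be cheap insurance.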
@@ -7,6 +7,6 @@ unless node.chef_environment == "development" # backup the data dir and the config files - node.override["backup"]["archives"]["gitea"] = [node["kosmos_gitea"]["working_directory"]] + node.override["backup"]["archives"]["gitea"] = [node["gitea"]["working_directory"]] include_recipe "backup" end diff --git a/site-cookbooks/kosmos_gitea/recipes/default.rb b/site-cookbooks/kosmos_gitea/recipes/default.rb index 8035deb..8327ae1 100644 --- a/site-cookbooks/kosmos_gitea/recipes/default.rb +++ b/site-cookbooks/kosmos_gitea/recipes/default.rb @@ -5,7 +5,7 @@ include_recipe "kosmos-dirsrv::hostsfile" -working_directory = node["kosmos_gitea"]["working_directory"] +working_directory = node["gitea"]["working_directory"] git_home_directory = "/home/git" repository_root_directory = "#{git_home_directory}/gitea-repositories" config_directory = "/etc/gitea" 
@@ -62,15 +62,37 @@ directory config_directory do
   mode "0750"
 end
 
-nginx_proxy_ip_addresses = []
-search(:node, "role:nginx_proxy").each do |node|
-  nginx_proxy_ip_addresses << node["knife_zero"]["host"]
+if node.chef_environment == "production"
+  allowed_webhook_hosts = []
+  search(:node, "role:nginx_proxy OR role:hubot").each do |node|
+    allowed_webhook_hosts << node["knife_zero"]["host"]
+  end
+
+  node.normal["gitea"]["config"] = {
+    "webhook": {
+      "allowed_host_list" => "external,#{allowed_webhook_hosts.join(",")}"
+    }
+  }
 end
 
-node.default["kosmos_gitea"]["config"] = {
-  "webhook": {
-    "allowed_host_list" => "external,#{nginx_proxy_ip_addresses.join(",")}"
-  }
+config_variables = {
+  working_directory: working_directory,
+  git_home_directory: git_home_directory,
+  repository_root_directory: repository_root_directory,
+  config_directory: config_directory,
+  gitea_binary_path: gitea_binary_path,
+  jwt_secret: jwt_secret,
+  internal_token: internal_token,
+  secret_key: secret_key,
+  postgresql_host: node["gitea"]["postgresql_host"],
+  postgresql_password: gitea_data_bag_item["postgresql_password"],
+  smtp_host: smtp_credentials["relayhost"],
+  smtp_user: smtp_credentials["user_name"],
+  smtp_password: smtp_credentials["password"],
+  config: node["gitea"]["config"],
+  s3_key_id: gitea_data_bag_item["s3_key_id"],
+  s3_secret_key: gitea_data_bag_item["s3_secret_key"],
+  s3_bucket: gitea_data_bag_item["s3_bucket"]
 }
 
 template "#{config_directory}/app.ini" do
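Review bot: The new `search(:node, "role:nginx_proxy OR role:hubot").each do |node|` block shadows Chef's own `node` object inside the loop, which is especially confusing three lines above a `node.normal[...]` write on the real node; the (commented) search in recipes/nginx.rb uses `|n|`, so `search(:node, "role:nginx_proxy OR role:hubot").each do |n|` with `allowed_webhook_hosts << n["knife_zero"]["host"]` keeps the two meanings apart. Switching the assignment from `node.default` to `node.normal` also means the searched host list is saved in the node object and survives between runs, unlike the old default-level value; if that is deliberate so that the environment-level `storage` hash from environments/production.json still deep-merges into `node["gitea"]["config"]`, a one-line comment to that effect would spare the next reader a precedence lookup. The `template` resource that consumes `config_variables` opens at the end of this hunk and continues in the next one.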
@@ -79,26 +101,13 @@ template "#{config_directory}/app.ini" do group "git" mode "0600" sensitive true - variables working_directory: working_directory, - git_home_directory: git_home_directory, - repository_root_directory: repository_root_directory, - config_directory: config_directory, - gitea_binary_path: gitea_binary_path, - jwt_secret: jwt_secret, - internal_token: internal_token, - secret_key: secret_key, - postgresql_host: "pg.kosmos.local:5432", - postgresql_password: gitea_data_bag_item["postgresql_password"], - smtp_host: smtp_credentials["relayhost"], - smtp_user: smtp_credentials["user_name"], - smtp_password: smtp_credentials["password"], - config: node["kosmos_gitea"]["config"] + variables config_variables notifies :restart, "service[gitea]", :delayed end remote_file gitea_binary_path do - source node['kosmos_gitea']['binary_url'] - checksum node['kosmos_gitea']['binary_checksum'] + source node['gitea']['binary_url'] + checksum node['gitea']['binary_checksum'] mode "0755" notifies :restart, "service[gitea]", :delayed end @@ -121,7 +130,7 @@ service "gitea" do end firewall_rule 'gitea' do - port [node["kosmos_gitea"]["port"]] + port [node["gitea"]["port"]] source "10.1.1.0/24" # TODO only allow nginx proxy IPs protocol :tcp command :allow diff --git a/site-cookbooks/kosmos_gitea/recipes/nginx.rb b/site-cookbooks/kosmos_gitea/recipes/nginx.rb index 20bd979..e145676 100644 --- a/site-cookbooks/kosmos_gitea/recipes/nginx.rb +++ b/site-cookbooks/kosmos_gitea/recipes/nginx.rb @@ -5,7 +5,7 @@ include_recipe "kosmos-nginx" -domain = node["kosmos_gitea"]["nginx"]["domain"] +domain = node["gitea"]["nginx"]["domain"] # upstream_ip_addresses = [] # search(:node, "role:gitea").each do |n| 
@@ -28,7 +28,7 @@ template "#{node['nginx']['dir']}/sites-available/#{domain}" do
     ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
     ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem",
     upstream_host: upstream_ip_address,
-    upstream_port: node["kosmos_gitea"]["port"]
+    upstream_port: node["gitea"]["port"]
   notifies :reload, 'service[nginx]', :delayed
 end
 
diff --git a/site-cookbooks/kosmos_gitea/templates/default/app.ini.erb b/site-cookbooks/kosmos_gitea/templates/default/app.ini.erb
index 788c45e..a5863a3 100644
--- a/site-cookbooks/kosmos_gitea/templates/default/app.ini.erb
+++ b/site-cookbooks/kosmos_gitea/templates/default/app.ini.erb
@@ -92,3 +92,16 @@ SCHEDULE = @every 15m
 [webhook]
 <% if c["allowed_host_list"] %>ALLOWED_HOST_LIST = <%= c["allowed_host_list"] %><% end %>
 <% end %>
+
+<% if c = @config["storage"] %>
+[storage]
+<% if c["type"] == "minio" %>
+STORAGE_TYPE=minio
+MINIO_ENDPOINT=<%= c["endpoint"] %>
+MINIO_ACCESS_KEY_ID=<%= @s3_key_id %>
+MINIO_SECRET_ACCESS_KEY=<%= @s3_secret_key %>
+MINIO_BUCKET=<%= @s3_bucket %>
+MINIO_LOCATION=<%= c["location"] %>
+MINIO_USE_SSL=<%= c["use_ssl"] %>
+<% end %>
+<% end %>
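Review bot: The new `[storage]` block in app.ini.erb writes the section header whenever `@config["storage"]` is present but only fills it in when `c["type"] == "minio"`, so any other type yields an empty `[storage]` section, and inside the minio branch `MINIO_ACCESS_KEY_ID` / `MINIO_SECRET_ACCESS_KEY` / `MINIO_BUCKET` are emitted even when the data bag carries no s3 entries (the recipe passes `gitea_data_bag_item["s3_key_id"]` through unguarded), leaving empty credentials in the file. Folding the two conditions into one, `<% if (c = @config["storage"]) && c["type"] == "minio" %>`, and dropping the inner `<% if %>`/`<% end %>` pair removes the empty-section case; an additional `&& @s3_key_id` guard, or a check in the recipe, would cover the missing-secret case. Worth noting for readers: `MINIO_USE_SSL` is rendered straight from the attribute, and environments/production.json sets it to `"false"` with an endpoint of `localhost:3900`, so the credentials travel in cleartext only because the gateway is local — that coupling is not visible from the template alone.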