clofour · clofour · Apr 25, 2026 · Apr 24, 2026 · Apr 25, 2026 · Apr 25, 2026
diff --git a/.github/workflows/terraform.yaml b/.github/workflows/terraform.yaml
@@ -31,10 +31,14 @@ jobs:
       TF_VAR_email: ${{ secrets.EMAIL }}
       TF_VAR_do_token: ${{ secrets.DO_TOKEN }}
       TF_VAR_do_dns_token: ${{ secrets.DO_DNS_TOKEN }}
-      TF_VAR_spaces_access_id: ${{ secrets.SPACES_ACCESS_ID }}
-      TF_VAR_spaces_secret_key: ${{ secrets.SPACES_SECRET_KEY }}
-      AWS_ACCESS_KEY_ID: ${{ secrets.SPACES_ACCESS_ID }}
-      AWS_SECRET_ACCESS_KEY: ${{ secrets.SPACES_SECRET_KEY }}
+      TF_VAR_cloudflare_account_id: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
+      TF_VAR_cloudflare_api_token: ${{ secrets.CLOUDFLARE_API_TOKEN }}
+      TF_VAR_cloudflare_r2_endpoint: ${{ secrets.R2_ENDPOINT }}
+      TF_VAR_cloudflare_r2_access_key_id: ${{ secrets.R2_ACCESS_KEY_ID }}
+      TF_VAR_cloudflare_r2_secret_access_key: ${{ secrets.R2_SECRET_ACCESS_KEY }}
+      AWS_ACCESS_KEY_ID: ${{ secrets.R2_ACCESS_KEY_ID }}
+      AWS_SECRET_ACCESS_KEY: ${{ secrets.R2_SECRET_ACCESS_KEY }}
+      TF_VAR_sendgrid_api_key: ${{ secrets.SENDGRID_API_KEY }}
     if: github.ref == 'refs/heads/main'
     needs: validate
     steps:

diff --git a/.gitignore b/.gitignore
@@ -1,5 +1,5 @@
 .env
-
+TODO.md
 
 # Terraform
 

diff --git a/helm/gitlab/values.yaml b/helm/gitlab/values.yaml
@@ -74,6 +74,24 @@ global:
   minio:
     enabled: false
 
+  email:
+    display_name: GitLab
+    from: gitlab@${domain}
+    reply_to: noreply@${domain}
+
+  smtp:
+    enabled: true
+    domain: smtp.sendgrid.net
+    address: smtp.sendgrid.net
+    port: 587
+    user_name: apikey
+    password:
+      secret: gitlab-sendgrid-secret
+      key: password
+    tls: false
+    starttls_auto: true
+    openssl_verify_mode: peer
+
   time_zone: UTC
 
   extraEnv:

diff --git a/terraform/helm.tf b/terraform/helm.tf
@@ -101,7 +101,7 @@ resource "helm_release" "gitlab" {
             postgres_username = digitalocean_database_cluster.postgres.user
             redis_host = digitalocean_database_cluster.valkey.private_host
             redis_port = digitalocean_database_cluster.valkey.port
-            buckets = {for key, bucket in digitalocean_spaces_bucket.gitlab : key => bucket.name}
+            buckets = {for key, bucket in cloudflare_r2_bucket.gitlab : key => bucket.name}
         })
     ]
 
@@ -121,7 +121,8 @@ resource "helm_release" "gitlab" {
         kubernetes_secret_v1.gitlab_initial_root_password,
         kubernetes_secret_v1.gitlab_postgres,
         kubernetes_secret_v1.gitlab_redis,
-        kubernetes_secret_v1.gitlab_s3_main
+        kubernetes_secret_v1.gitlab_s3_main,
+        kubernetes_secret_v1.gitlab_sendgrid_secret
     ]
 }
 

diff --git a/terraform/kubernetes.tf b/terraform/kubernetes.tf
@@ -104,9 +104,9 @@ resource "kubernetes_secret_v1" "gitlab_s3_main" {
         connection = yamlencode({
             provider = "AWS"
             region = var.region
-            endpoint = "https://${var.region}.digitaloceanspaces.com"
-            aws_access_key_id = var.spaces_access_id
-            aws_secret_access_key = var.spaces_secret_key
+            endpoint = var.cloudflare_r2_endpoint
+            aws_access_key_id = var.cloudflare_account_id
+            aws_secret_access_key = var.cloudflare_api_token
             path_style = true
         })
     }
@@ -125,7 +125,7 @@ resource "kubernetes_secret_v1" "gitlab_s3_main" {
 #            accesskey = var.spaces_access_id
 #            secretkey = var.spaces_secret_key
 #            region = var.region
-#            regionendpoint = "https://${var.region}.digitaloceanspaces.com"
+#            regionendpoint = ${{ secrets.R2_ACCESS_KEY_ID }}
 #            bucket = digitalocean_spaces_bucket.gitlab["registry"].name
 #         })
 #     }
@@ -143,16 +143,29 @@ resource "kubernetes_secret_v1" "gitlab_s3_backup" {
         connection = yamlencode({
             provider = "AWS"
             region = var.region
-            endpoint = "https://${var.region}.digitaloceanspaces.com"
-            aws_access_key_id = var.spaces_access_id
-            aws_secret_access_key = var.spaces_secret_key
+            endpoint = var.cloudflare_r2_endpoint
+            aws_access_key_id = var.cloudflare_account_id
+            aws_secret_access_key = var.cloudflare_api_token
             path_style = true
         })
     }
 
     type = "Opaque"
 }
 
+resource "kubernetes_secret_v1" "gitlab_sendgrid_secret" {
+    metadata {
+        name = "gitlab-sendgrid-secret"
+        namespace = kubernetes_namespace_v1.gitlab.metadata[0].name
+    }
+
+    data = {
+        password = var.sendgrid_api_key
+    }
+
+    type = "Opaque"
+}
+
 resource "time_sleep" "wait_for_lb" {
     depends_on = [ helm_release.ingress_nginx ]
     create_duration = "120s"

diff --git a/terraform/outputs.tf b/terraform/outputs.tf
@@ -41,10 +41,6 @@ output "valkey_password" {
 }
 
 
-output "spaces_endpoint" {
-    value = "${var.region}.digitaloceanspaces.com"
-}
-
-output "spaces_buckets" {
-    value = { for k, b in digitalocean_spaces_bucket.gitlab : k => b.name }
+output "r2_buckets" {
+    value = { for k, b in cloudflare_r2_bucket.gitlab : k => b.name }
 }
diff --git a/terraform/providers.tf b/terraform/providers.tf
@@ -1,7 +1,9 @@
 provider "digitalocean" {
     token = var.do_token
-    spaces_access_id = var.spaces_access_id
-    spaces_secret_key = var.spaces_secret_key
+}
+
+provider "cloudflare" {
+    api_token = var.cloudflare_api_token
 }
 
 provider "kubernetes" {

diff --git a/terraform/s3.tf b/terraform/s3.tf
@@ -0,0 +1,21 @@
+locals {
+    buckets = toset([
+        "artifacts", "lfs", "uploads", "packages",
+        "registry", "pages", "backups", "tmp", "ci-secure-files",
+        "dependency-proxy", "terraform-state"
+    ])
+}
+
+resource "random_id" "suffix" {
+    byte_length = 3
+}
+
+resource "cloudflare_r2_bucket" "gitlab" {
+    for_each = local.buckets
+    account_id = var.cloudflare_account_id
+    name = "${var.cluster_name}-${each.key}-${random_id.suffix.hex}"
+    jurisdiction = var.r2_jurisdiction
+    lifecycle {
+      prevent_destroy = true
+    }
+}
diff --git a/terraform/spaces.tf b/terraform/spaces.tf
diff --git a/terraform/variables.tf b/terraform/variables.tf
@@ -8,12 +8,32 @@ variable "do_dns_token" {
     sensitive = true
 }
 
-variable "spaces_access_id" {
+variable "cloudflare_account_id" {
     type = string
     sensitive = true
 }
 
-variable "spaces_secret_key" {
+variable "cloudflare_api_token" {
+    type = string
+    sensitive = true
+}
+
+variable "cloudflare_r2_endpoint" {
+    type = string
+    sensitive = true
+}
+
+variable "cloudflare_r2_access_key_id" {
+    type = string
+    sensitive = true
+}
+
+variable "cloudflare_r2_secret_access_key" {
+    type = string
+    sensitive = true
+}
+
+variable "sendgrid_api_key" {
     type = string
     sensitive = true
 }
@@ -24,6 +44,11 @@ variable "region" {
     default = "ams3"
 }
 
+variable "r2_jurisdiction" {
+    type = string
+    default = "eu"
+}
-variable "r2_jurisdiction" {
-    type = string
-    default = "eu"
-}
+variable "r2_jurisdiction" {
+    type = string
+    default = "eu"
+    validation {
+      condition     = contains(["default", "eu", "fedramp"], var.r2_jurisdiction)
+      error_message = "r2_jurisdiction must be one of: default, eu, fedramp."
+    }
+}
-variable "r2_jurisdiction" {
-    type = string
-    default = "eu"
-}
+variable "r2_jurisdiction" {
+    type = string
+    default = "eu"
+    validation {
+      condition     = contains(["default", "eu", "fedramp"], var.r2_jurisdiction)
+      error_message = "r2_jurisdiction must be one of: default, eu, fedramp."
+    }
+}
+
 variable "cluster_name" {
     type = string
     default = "gitlab"

diff --git a/terraform/versions.tf b/terraform/versions.tf
@@ -6,6 +6,10 @@ terraform {
         source = "digitalocean/digitalocean"
         version = "~> 2.81.0"
       }
+      cloudflare = {
+        source = "cloudflare/cloudflare"
+        version = "~> 5.19.0"
+      }
       kubernetes = {
         source = "hashicorp/kubernetes"
         version = "~> 3.0.1"
-Original file line number
+Diff line change
@@ -1,5 +1,5 @@
     .env
+    TODO.md
     # Terraform
@@ Expand Down @@