Refactor internal services (#915)

2025-01-03 06:08:42 +00:00 · 2024-02-11 18:42:33 +01:00 · 2024-02-11 18:42:33 +01:00 · 82e1ce937c
commit 82e1ce937c
parent e1521ef460
66 changed files with 1163 additions and 993 deletions
--- a/cmd/server/server.go
+++ b/cmd/server/server.go
@ -42,12 +42,11 @@ import (
 	woodpeckerGrpcServer "go.woodpecker-ci.org/woodpecker/v2/server/grpc"
 	"go.woodpecker-ci.org/woodpecker/v2/server/logging"
 	"go.woodpecker-ci.org/woodpecker/v2/server/model"
 	// "go.woodpecker-ci.org/woodpecker/v2/server/plugins/encryption"
 	// encryptedStore "go.woodpecker-ci.org/woodpecker/v2/server/plugins/encryption/wrapper/store"
 	"go.woodpecker-ci.org/woodpecker/v2/server/plugins/permissions"
 	"go.woodpecker-ci.org/woodpecker/v2/server/pubsub"
 	"go.woodpecker-ci.org/woodpecker/v2/server/router"
 	"go.woodpecker-ci.org/woodpecker/v2/server/router/middleware"
 	"go.woodpecker-ci.org/woodpecker/v2/server/services"
 	"go.woodpecker-ci.org/woodpecker/v2/server/services/permissions"
 	"go.woodpecker-ci.org/woodpecker/v2/server/store"
 	"go.woodpecker-ci.org/woodpecker/v2/server/web"
 	"go.woodpecker-ci.org/woodpecker/v2/shared/constant"
@ -271,48 +270,21 @@ func run(c *cli.Context) error {
 	return g.Wait()
 }
-func setupEvilGlobals(c *cli.Context, v store.Store, f forge.Forge) error {
+func setupEvilGlobals(c *cli.Context, s store.Store, f forge.Forge) error {
 	// forge
 	server.Config.Services.Forge = f
 	server.Config.Services.Timeout = c.Duration("forge-timeout")
 	// services
-	server.Config.Services.Queue = setupQueue(c, v)
+	server.Config.Services.Queue = setupQueue(c, s)
 	server.Config.Services.Logs = logging.New()
 	server.Config.Services.Pubsub = pubsub.New()
 	var err error
 	server.Config.Services.Registries, err = setupRegistryService(c, v)
 	if err != nil {
 		return err
 	}
 	// TODO(1544): fix encrypted store
 	// // encryption
 	// encryptedSecretStore := encryptedStore.NewSecretStore(v)
 	// err := encryption.Encryption(c, v).WithClient(encryptedSecretStore).Build()
 	// if err != nil {
 	// 	log.Fatal().Err(err).Msg("could not create encryption service")
 	// }
 	// server.Config.Services.Secrets = setupSecretService(c, encryptedSecretStore)
 	server.Config.Services.Secrets, err = setupSecretService(c, v)
 	if err != nil {
 		return err
 	}
 	server.Config.Services.Environ, err = setupEnvironService(c, v)
 	if err != nil {
 		return err
 	}
 	server.Config.Services.Membership = setupMembershipService(c, f)
-	server.Config.Services.SignaturePrivateKey, server.Config.Services.SignaturePublicKey, err = setupSignatureKeys(v)
+	serviceMangager, err := services.NewManager(c, s)
 	if err != nil {
-		return err
+		return fmt.Errorf("could not setup service manager: %w", err)
 	}
 	server.Config.Services.ConfigService, err = setupConfigService(c)
 	if err != nil {
 		return err
 	}
 	server.Config.Services.Manager = serviceMangager
 	// authentication
 	server.Config.Pipeline.AuthenticatePublicRepos = c.Bool("authenticate-public-repos")
--- a/cmd/server/setup.go
+++ b/cmd/server/setup.go
@ -17,11 +17,6 @@ package main
 import (
 	"context"
 	"crypto"
 	"crypto/ed25519"
 	"crypto/rand"
 	"encoding/hex"
 	"errors"
 	"fmt"
 	"net/url"
 	"os"
@ -41,15 +36,9 @@ import (
 	"go.woodpecker-ci.org/woodpecker/v2/server/forge/gitea"
 	"go.woodpecker-ci.org/woodpecker/v2/server/forge/github"
 	"go.woodpecker-ci.org/woodpecker/v2/server/forge/gitlab"
 	"go.woodpecker-ci.org/woodpecker/v2/server/model"
 	"go.woodpecker-ci.org/woodpecker/v2/server/plugins/config"
 	"go.woodpecker-ci.org/woodpecker/v2/server/plugins/environments"
 	"go.woodpecker-ci.org/woodpecker/v2/server/plugins/registry"
 	"go.woodpecker-ci.org/woodpecker/v2/server/plugins/secrets"
 	"go.woodpecker-ci.org/woodpecker/v2/server/queue"
 	"go.woodpecker-ci.org/woodpecker/v2/server/store"
 	"go.woodpecker-ci.org/woodpecker/v2/server/store/datastore"
 	"go.woodpecker-ci.org/woodpecker/v2/server/store/types"
 	"go.woodpecker-ci.org/woodpecker/v2/shared/addon"
 	addonTypes "go.woodpecker-ci.org/woodpecker/v2/shared/addon/types"
 )
@ -111,48 +100,6 @@ func setupQueue(c *cli.Context, s store.Store) queue.Queue {
 	return queue.WithTaskStore(queue.New(c.Context), s)
 }
 func setupSecretService(c *cli.Context, s model.SecretStore) (model.SecretService, error) {
 	addonService, err := addon.Load[model.SecretService](c.StringSlice("addons"), addonTypes.TypeSecretService)
 	if err != nil {
 		return nil, err
 	}
 	if addonService != nil {
 		return addonService.Value, nil
 	}
 	return secrets.New(c.Context, s), nil
 }
 func setupRegistryService(c *cli.Context, s store.Store) (model.RegistryService, error) {
 	addonService, err := addon.Load[model.RegistryService](c.StringSlice("addons"), addonTypes.TypeRegistryService)
 	if err != nil {
 		return nil, err
 	}
 	if addonService != nil {
 		return addonService.Value, nil
 	}
 	if c.String("docker-config") != "" {
 		return registry.Combined(
 			registry.New(s),
 			registry.Filesystem(c.String("docker-config")),
 		), nil
 	}
 	return registry.New(s), nil
 }
 func setupEnvironService(c *cli.Context, _ store.Store) (model.EnvironService, error) {
 	addonService, err := addon.Load[model.EnvironService](c.StringSlice("addons"), addonTypes.TypeEnvironmentService)
 	if err != nil {
 		return nil, err
 	}
 	if addonService != nil {
 		return addonService.Value, nil
 	}
 	return environments.Parse(c.StringSlice("environment")), nil
 }
 func setupMembershipService(_ *cli.Context, r forge.Forge) cache.MembershipService {
 	return cache.NewMembershipService(r)
 }
@ -292,46 +239,3 @@ func setupMetrics(g *errgroup.Group, _store store.Store) {
 		}
 	})
 }
 // setupSignatureKeys generate or load key pair to sign webhooks requests (i.e. used for extensions)
 func setupSignatureKeys(_store store.Store) (crypto.PrivateKey, crypto.PublicKey, error) {
 	privKeyID := "signature-private-key"
 	privKey, err := _store.ServerConfigGet(privKeyID)
 	if errors.Is(err, types.RecordNotExist) {
 		_, privKey, err := ed25519.GenerateKey(rand.Reader)
 		if err != nil {
 			return nil, nil, fmt.Errorf("failed to generate private key: %w", err)
 		}
 		err = _store.ServerConfigSet(privKeyID, hex.EncodeToString(privKey))
 		if err != nil {
 			return nil, nil, fmt.Errorf("failed to store private key: %w", err)
 		}
 		log.Debug().Msg("created private key")
 		return privKey, privKey.Public(), nil
 	} else if err != nil {
 		return nil, nil, fmt.Errorf("failed to load private key: %w", err)
 	}
 	privKeyStr, err := hex.DecodeString(privKey)
 	if err != nil {
 		return nil, nil, fmt.Errorf("failed to decode private key: %w", err)
 	}
 	privateKey := ed25519.PrivateKey(privKeyStr)
 	return privateKey, privateKey.Public(), nil
 }
 func setupConfigService(c *cli.Context) (config.Extension, error) {
 	addonExt, err := addon.Load[config.Extension](c.StringSlice("addons"), addonTypes.TypeConfigService)
 	if err != nil {
 		return nil, err
 	}
 	if addonExt != nil {
 		return addonExt.Value, nil
 	}
 	if endpoint := c.String("config-service-endpoint"); endpoint != "" {
 		return config.NewHTTP(endpoint, server.Config.Services.SignaturePrivateKey), nil
 	}
 	return nil, nil
 }
--- a/docs/docs/20-usage/15-terminiology/index.md
+++ b/docs/docs/20-usage/15-terminiology/index.md
@ -31,6 +31,7 @@
 - **YAML File**: A file format used to define and configure [workflows][Workflow].
 - **Dependency**: [Workflows][Workflow] can depend on each other, and if possible, they are executed in parallel.
 - **Status**: Status refers to the outcome of a step or [workflow][Workflow] after it has been executed, determined by the internal command exit code. At the end of a [workflow][Workflow], its status is sent to the [forge][Forge].
 - **Service extension**: Some parts of woodpecker internal services like secrets storage or config fetcher can be replaced through service extensions.
 ## Pipeline events
--- a/docs/docs/30-administration/75-addons/00-overview.md
+++ b/docs/docs/30-administration/75-addons/00-overview.md
@ -13,10 +13,6 @@ To adapt Woodpecker to your needs beyond the [configuration](../10-server-config
 Addons can be used for:
 - Forges
 - Config services
 - Secret services
 - Environment services
 - Registry services
 ## Restrictions
--- a/docs/docs/30-administration/75-addons/20-creating-addons.md
+++ b/docs/docs/30-administration/75-addons/20-creating-addons.md
@ -19,13 +19,9 @@ Directly import Woodpecker's Go package (`go.woodpecker-ci.org/woodpecker/woodpe
 ### Return types
-| Addon type           | Return type                                                            |
+| Addon type | Return type                                                          |
-| -------------------- | ---------------------------------------------------------------------- |
+| ---------- | -------------------------------------------------------------------- |
-| `Forge`              | `"go.woodpecker-ci.org/woodpecker/woodpecker/v2/server/forge".Forge`   |
+| `Forge`    | `"go.woodpecker-ci.org/woodpecker/woodpecker/v2/server/forge".Forge` |
 | `ConfigService`      | `"go.woodpecker-ci.org/woodpecker/v2/server/plugins/config".Extension` |
 | `SecretService`      | `"go.woodpecker-ci.org/woodpecker/v2/server/model".SecretService`      |
 | `EnvironmentService` | `"go.woodpecker-ci.org/woodpecker/v2/server/model".EnvironmentService` |
 | `RegistryService`    | `"go.woodpecker-ci.org/woodpecker/v2/server/model".RegistryService`    |
 ### Using configurations
--- a/server/api/global_secret.go
+++ b/server/api/global_secret.go
@ -35,7 +35,8 @@ import (
 //	@Param		page			query	int		false	"for response pagination, page offset number"	default(1)
 //	@Param		perPage			query	int		false	"for response pagination, max items per page"	default(50)
 func GetGlobalSecretList(c *gin.Context) {
-	list, err := server.Config.Services.Secrets.GlobalSecretList(session.Pagination(c))
+	secretService := server.Config.Services.Manager.SecretService()
 	list, err := secretService.GlobalSecretList(session.Pagination(c))
 	if err != nil {
 		c.String(http.StatusInternalServerError, "Error getting global secret list. %s", err)
 		return
@ -59,7 +60,8 @@ func GetGlobalSecretList(c *gin.Context) {
 //	@Param		secret			path	string	true	"the secret's name"
 func GetGlobalSecret(c *gin.Context) {
 	name := c.Param("secret")
-	secret, err := server.Config.Services.Secrets.GlobalSecretFind(name)
+	secretService := server.Config.Services.Manager.SecretService()
 	secret, err := secretService.GlobalSecretFind(name)
 	if err != nil {
 		handleDBError(c, err)
 		return
@ -92,7 +94,9 @@ func PostGlobalSecret(c *gin.Context) {
 		c.String(http.StatusBadRequest, "Error inserting global secret. %s", err)
 		return
 	}
-	if err := server.Config.Services.Secrets.GlobalSecretCreate(secret); err != nil {
+
 	secretService := server.Config.Services.Manager.SecretService()
 	if err := secretService.GlobalSecretCreate(secret); err != nil {
 		c.String(http.StatusInternalServerError, "Error inserting global secret %q. %s", in.Name, err)
 		return
 	}
@ -119,7 +123,8 @@ func PatchGlobalSecret(c *gin.Context) {
 		return
 	}
-	secret, err := server.Config.Services.Secrets.GlobalSecretFind(name)
+	secretService := server.Config.Services.Manager.SecretService()
 	secret, err := secretService.GlobalSecretFind(name)
 	if err != nil {
 		handleDBError(c, err)
 		return
@ -138,7 +143,8 @@ func PatchGlobalSecret(c *gin.Context) {
 		c.String(http.StatusBadRequest, "Error updating global secret. %s", err)
 		return
 	}
-	if err := server.Config.Services.Secrets.GlobalSecretUpdate(secret); err != nil {
+
 	if err := secretService.GlobalSecretUpdate(secret); err != nil {
 		c.String(http.StatusInternalServerError, "Error updating global secret %q. %s", in.Name, err)
 		return
 	}
@ -156,7 +162,8 @@ func PatchGlobalSecret(c *gin.Context) {
 //	@Param		secret			path	string	true	"the secret's name"
 func DeleteGlobalSecret(c *gin.Context) {
 	name := c.Param("secret")
-	if err := server.Config.Services.Secrets.GlobalSecretDelete(name); err != nil {
+	secretService := server.Config.Services.Manager.SecretService()
 	if err := secretService.GlobalSecretDelete(name); err != nil {
 		handleDBError(c, err)
 		return
 	}
--- a/server/api/org_secret.go
+++ b/server/api/org_secret.go
@ -44,7 +44,8 @@ func GetOrgSecret(c *gin.Context) {
 		return
 	}
-	secret, err := server.Config.Services.Secrets.OrgSecretFind(orgID, name)
+	secretService := server.Config.Services.Manager.SecretService()
 	secret, err := secretService.OrgSecretFind(orgID, name)
 	if err != nil {
 		handleDBError(c, err)
 		return
@ -70,7 +71,8 @@ func GetOrgSecretList(c *gin.Context) {
 		return
 	}
-	list, err := server.Config.Services.Secrets.OrgSecretList(orgID, session.Pagination(c))
+	secretService := server.Config.Services.Manager.SecretService()
 	list, err := secretService.OrgSecretList(orgID, session.Pagination(c))
 	if err != nil {
 		c.String(http.StatusInternalServerError, "Error getting secret list for %q. %s", orgID, err)
 		return
@ -116,7 +118,9 @@ func PostOrgSecret(c *gin.Context) {
 		c.String(http.StatusUnprocessableEntity, "Error inserting org %q secret. %s", orgID, err)
 		return
 	}
-	if err := server.Config.Services.Secrets.OrgSecretCreate(orgID, secret); err != nil {
+
 	secretService := server.Config.Services.Manager.SecretService()
 	if err := secretService.OrgSecretCreate(orgID, secret); err != nil {
 		c.String(http.StatusInternalServerError, "Error inserting org %q secret %q. %s", orgID, in.Name, err)
 		return
 	}
@ -149,7 +153,8 @@ func PatchOrgSecret(c *gin.Context) {
 		return
 	}
-	secret, err := server.Config.Services.Secrets.OrgSecretFind(orgID, name)
+	secretService := server.Config.Services.Manager.SecretService()
 	secret, err := secretService.OrgSecretFind(orgID, name)
 	if err != nil {
 		handleDBError(c, err)
 		return
@ -168,7 +173,8 @@ func PatchOrgSecret(c *gin.Context) {
 		c.String(http.StatusUnprocessableEntity, "Error updating org %q secret. %s", orgID, err)
 		return
 	}
-	if err := server.Config.Services.Secrets.OrgSecretUpdate(orgID, secret); err != nil {
+
 	if err := secretService.OrgSecretUpdate(orgID, secret); err != nil {
 		c.String(http.StatusInternalServerError, "Error updating org %q secret %q. %s", orgID, in.Name, err)
 		return
 	}
@ -193,7 +199,8 @@ func DeleteOrgSecret(c *gin.Context) {
 		return
 	}
-	if err := server.Config.Services.Secrets.OrgSecretDelete(orgID, name); err != nil {
+	secretService := server.Config.Services.Manager.SecretService()
 	if err := secretService.OrgSecretDelete(orgID, name); err != nil {
 		handleDBError(c, err)
 		return
 	}
--- a/server/api/pipeline.go
+++ b/server/api/pipeline.go
@ -434,13 +434,7 @@ func PostPipeline(c *gin.Context) {
 		}
 	}
-	netrc, err := server.Config.Services.Forge.Netrc(user, repo)
+	newpipeline, err := pipeline.Restart(c, _store, pl, user, repo, envs)
 	if err != nil {
 		handlePipelineErr(c, err)
 		return
 	}
 	newpipeline, err := pipeline.Restart(c, _store, pl, user, repo, envs, netrc)
 	if err != nil {
 		handlePipelineErr(c, err)
 	} else {
--- a/server/api/registry.go
+++ b/server/api/registry.go
@ -35,11 +35,11 @@ import (
 //	@Param		repo_id			path	int		true	"the repository id"
 //	@Param		registry		path	string	true	"the registry name"
 func GetRegistry(c *gin.Context) {
-	var (
+	repo := session.Repo(c)
-		repo = session.Repo(c)
+	name := c.Param("registry")
-		name = c.Param("registry")
+
-	)
+	registryService := server.Config.Services.Manager.RegistryServiceFromRepo(repo)
-	registry, err := server.Config.Services.Registries.RegistryFind(repo, name)
+	registry, err := registryService.RegistryFind(repo, name)
 	if err != nil {
 		handleDBError(c, err)
 		return
@ -75,7 +75,9 @@ func PostRegistry(c *gin.Context) {
 		c.String(http.StatusBadRequest, "Error inserting registry. %s", err)
 		return
 	}
-	if err := server.Config.Services.Registries.RegistryCreate(repo, registry); err != nil {
+
 	registryService := server.Config.Services.Manager.RegistryServiceFromRepo(repo)
 	if err := registryService.RegistryCreate(repo, registry); err != nil {
 		c.String(http.StatusInternalServerError, "Error inserting registry %q. %s", in.Address, err)
 		return
 	}
@ -106,7 +108,8 @@ func PatchRegistry(c *gin.Context) {
 		return
 	}
-	registry, err := server.Config.Services.Registries.RegistryFind(repo, name)
+	registryService := server.Config.Services.Manager.RegistryServiceFromRepo(repo)
 	registry, err := registryService.RegistryFind(repo, name)
 	if err != nil {
 		handleDBError(c, err)
 		return
@ -122,7 +125,7 @@ func PatchRegistry(c *gin.Context) {
 		c.String(http.StatusUnprocessableEntity, "Error updating registry. %s", err)
 		return
 	}
-	if err := server.Config.Services.Registries.RegistryUpdate(repo, registry); err != nil {
+	if err := registryService.RegistryUpdate(repo, registry); err != nil {
 		c.String(http.StatusInternalServerError, "Error updating registry %q. %s", in.Address, err)
 		return
 	}
@ -142,7 +145,8 @@ func PatchRegistry(c *gin.Context) {
 //	@Param		perPage			query	int		false	"for response pagination, max items per page"	default(50)
 func GetRegistryList(c *gin.Context) {
 	repo := session.Repo(c)
-	list, err := server.Config.Services.Registries.RegistryList(repo, session.Pagination(c))
+	registryService := server.Config.Services.Manager.RegistryServiceFromRepo(repo)
 	list, err := registryService.RegistryList(repo, session.Pagination(c))
 	if err != nil {
 		c.String(http.StatusInternalServerError, "Error getting registry list. %s", err)
 		return
@ -166,11 +170,11 @@ func GetRegistryList(c *gin.Context) {
 //	@Param		repo_id			path	int		true	"the repository id"
 //	@Param		registry		path	string	true	"the registry name"
 func DeleteRegistry(c *gin.Context) {
-	var (
+	repo := session.Repo(c)
-		repo = session.Repo(c)
+	name := c.Param("registry")
-		name = c.Param("registry")
+
-	)
+	registryService := server.Config.Services.Manager.RegistryServiceFromRepo(repo)
-	err := server.Config.Services.Registries.RegistryDelete(repo, name)
+	err := registryService.RegistryDelete(repo, name)
 	if err != nil {
 		handleDBError(c, err)
 		return
--- a/server/api/repo_secret.go
+++ b/server/api/repo_secret.go
@ -36,11 +36,11 @@ import (
 //	@Param		repo_id			path	int		true	"the repository id"
 //	@Param		secretName		path	string	true	"the secret name"
 func GetSecret(c *gin.Context) {
-	var (
+	repo := session.Repo(c)
-		repo = session.Repo(c)
+	name := c.Param("secret")
-		name = c.Param("secret")
+
-	)
+	secretService := server.Config.Services.Manager.SecretServiceFromRepo(repo)
-	secret, err := server.Config.Services.Secrets.SecretFind(repo, name)
+	secret, err := secretService.SecretFind(repo, name)
 	if err != nil {
 		handleDBError(c, err)
 		return
@ -77,7 +77,9 @@ func PostSecret(c *gin.Context) {
 		c.String(http.StatusUnprocessableEntity, "Error inserting secret. %s", err)
 		return
 	}
-	if err := server.Config.Services.Secrets.SecretCreate(repo, secret); err != nil {
+
 	secretService := server.Config.Services.Manager.SecretServiceFromRepo(repo)
 	if err := secretService.SecretCreate(repo, secret); err != nil {
 		c.String(http.StatusInternalServerError, "Error inserting secret %q. %s", in.Name, err)
 		return
 	}
@ -108,7 +110,8 @@ func PatchSecret(c *gin.Context) {
 		return
 	}
-	secret, err := server.Config.Services.Secrets.SecretFind(repo, name)
+	secretService := server.Config.Services.Manager.SecretServiceFromRepo(repo)
 	secret, err := secretService.SecretFind(repo, name)
 	if err != nil {
 		handleDBError(c, err)
 		return
@ -127,7 +130,7 @@ func PatchSecret(c *gin.Context) {
 		c.String(http.StatusUnprocessableEntity, "Error updating secret. %s", err)
 		return
 	}
-	if err := server.Config.Services.Secrets.SecretUpdate(repo, secret); err != nil {
+	if err := secretService.SecretUpdate(repo, secret); err != nil {
 		c.String(http.StatusInternalServerError, "Error updating secret %q. %s", in.Name, err)
 		return
 	}
@ -147,7 +150,8 @@ func PatchSecret(c *gin.Context) {
 //	@Param		perPage			query	int		false	"for response pagination, max items per page"	default(50)
 func GetSecretList(c *gin.Context) {
 	repo := session.Repo(c)
-	list, err := server.Config.Services.Secrets.SecretList(repo, session.Pagination(c))
+	secretService := server.Config.Services.Manager.SecretServiceFromRepo(repo)
 	list, err := secretService.SecretList(repo, session.Pagination(c))
 	if err != nil {
 		c.String(http.StatusInternalServerError, "Error getting secret list. %s", err)
 		return
@ -171,11 +175,11 @@ func GetSecretList(c *gin.Context) {
 //	@Param		repo_id			path	int		true	"the repository id"
 //	@Param		secretName		path	string	true	"the secret name"
 func DeleteSecret(c *gin.Context) {
-	var (
+	repo := session.Repo(c)
-		repo = session.Repo(c)
+	name := c.Param("secret")
-		name = c.Param("secret")
+
-	)
+	secretService := server.Config.Services.Manager.SecretServiceFromRepo(repo)
-	if err := server.Config.Services.Secrets.SecretDelete(repo, name); err != nil {
+	if err := secretService.SecretDelete(repo, name); err != nil {
 		handleDBError(c, err)
 		return
 	}
--- a/server/api/signature_public_key.go
+++ b/server/api/signature_public_key.go
@ -34,7 +34,7 @@ import (
 //	@Tags		System
 //	@Param		Authorization	header	string	true	"Insert your personal access token"	default(Bearer <personal access token>)
 func GetSignaturePublicKey(c *gin.Context) {
-	b, err := x509.MarshalPKIXPublicKey(server.Config.Services.SignaturePublicKey)
+	b, err := x509.MarshalPKIXPublicKey(server.Config.Services.Manager.SignaturePublicKey())
 	if err != nil {
 		log.Error().Err(err).Msg("can't marshal public key")
 		c.AbortWithStatus(http.StatusInternalServerError)
--- a/server/config.go
+++ b/server/config.go
@ -18,42 +18,26 @@
 package server
 import (
 	"crypto"
 	"time"
 	"go.woodpecker-ci.org/woodpecker/v2/server/cache"
 	"go.woodpecker-ci.org/woodpecker/v2/server/forge"
 	"go.woodpecker-ci.org/woodpecker/v2/server/logging"
 	"go.woodpecker-ci.org/woodpecker/v2/server/model"
 	"go.woodpecker-ci.org/woodpecker/v2/server/plugins/config"
 	"go.woodpecker-ci.org/woodpecker/v2/server/plugins/permissions"
 	"go.woodpecker-ci.org/woodpecker/v2/server/pubsub"
 	"go.woodpecker-ci.org/woodpecker/v2/server/queue"
 	"go.woodpecker-ci.org/woodpecker/v2/server/services"
 	"go.woodpecker-ci.org/woodpecker/v2/server/services/permissions"
 )
 var Config = struct {
 	Services struct {
-		Pubsub              *pubsub.Publisher
+		Pubsub     *pubsub.Publisher
-		Queue               queue.Queue
+		Queue      queue.Queue
-		Logs                logging.Log
+		Logs       logging.Log
-		Secrets             model.SecretService
+		Forge      forge.Forge
-		Registries          model.RegistryService
+		Membership cache.MembershipService
-		Environ             model.EnvironService
+		Manager    *services.Manager
 		Forge               forge.Forge
 		Timeout             time.Duration
 		Membership          cache.MembershipService
 		ConfigService       config.Extension
 		SignaturePrivateKey crypto.PrivateKey
 		SignaturePublicKey  crypto.PublicKey
 	}
 	Storage struct {
 		// Users  model.UserStore
 		// Repos  model.RepoStore
 		// Builds model.BuildStore
 		// Logs   model.LogStore
 		Steps model.StepStore
 		// Registries model.RegistryStore
 		// Secrets model.SecretStore
 	}
 	Server struct {
 		Key                 string
--- a/server/forge/configFetcher.go
+++ b/server/forge/configFetcher.go
@ -1,190 +0,0 @@
 // Copyright 2022 Woodpecker Authors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //      http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
 package forge
 import (
 	"context"
 	"errors"
 	"fmt"
 	"strings"
 	"time"
 	"github.com/rs/zerolog/log"
 	"go.woodpecker-ci.org/woodpecker/v2/server/forge/types"
 	"go.woodpecker-ci.org/woodpecker/v2/server/model"
 	"go.woodpecker-ci.org/woodpecker/v2/server/plugins/config"
 	"go.woodpecker-ci.org/woodpecker/v2/shared/constant"
 )
 type ConfigFetcher struct {
 	forge           Forge
 	user            *model.User
 	repo            *model.Repo
 	pipeline        *model.Pipeline
 	configExtension config.Extension
 	timeout         time.Duration
 }
 func NewConfigFetcher(forge Forge, timeout time.Duration, configExtension config.Extension, user *model.User, repo *model.Repo, pipeline *model.Pipeline) *ConfigFetcher {
 	return &ConfigFetcher{
 		forge:           forge,
 		user:            user,
 		repo:            repo,
 		pipeline:        pipeline,
 		configExtension: configExtension,
 		timeout:         timeout,
 	}
 }
 // Fetch pipeline config from source forge
 func (cf *ConfigFetcher) Fetch(ctx context.Context) (files []*types.FileMeta, err error) {
 	log.Trace().Msgf("start fetching config for '%s'", cf.repo.FullName)
 	// try to fetch 3 times
 	for i := 0; i < 3; i++ {
 		files, err = cf.fetch(ctx, strings.TrimSpace(cf.repo.Config))
 		if err != nil {
 			log.Trace().Err(err).Msgf("%d. try failed", i+1)
 		}
 		if errors.Is(err, context.DeadlineExceeded) {
 			continue
 		}
 		if cf.configExtension != nil {
 			fetchCtx, cancel := context.WithTimeout(ctx, cf.timeout)
 			defer cancel() // ok here as we only try http fetching once, returning on fail and success
 			log.Trace().Msgf("configFetcher[%s]: getting config from external http service", cf.repo.FullName)
 			netrc, err := cf.forge.Netrc(cf.user, cf.repo)
 			if err != nil {
 				return nil, fmt.Errorf("could not get Netrc data from forge: %w", err)
 			}
 			newConfigs, useOld, err := cf.configExtension.FetchConfig(fetchCtx, cf.repo, cf.pipeline, files, netrc)
 			if err != nil {
 				log.Error().Err(err).Msg("could not fetch config via http")
 				return nil, fmt.Errorf("could not fetch config via http: %w", err)
 			}
 			if !useOld {
 				return newConfigs, nil
 			}
 		}
 		return
 	}
 	return
 }
 // fetch config by timeout
 func (cf *ConfigFetcher) fetch(c context.Context, config string) ([]*types.FileMeta, error) {
 	ctx, cancel := context.WithTimeout(c, cf.timeout)
 	defer cancel()
 	if len(config) > 0 {
 		log.Trace().Msgf("configFetcher[%s]: use user config '%s'", cf.repo.FullName, config)
 		// could be adapted to allow the user to supply a list like we do in the defaults
 		configs := []string{config}
 		fileMeta, err := cf.getFirstAvailableConfig(ctx, configs)
 		if err == nil {
 			return fileMeta, err
 		}
 		return nil, fmt.Errorf("user defined config '%s' not found: %w", config, err)
 	}
 	log.Trace().Msgf("configFetcher[%s]: user did not define own config, following default procedure", cf.repo.FullName)
 	// for the order see shared/constants/constants.go
 	fileMeta, err := cf.getFirstAvailableConfig(ctx, constant.DefaultConfigOrder[:])
 	if err == nil {
 		return fileMeta, err
 	}
 	select {
 	case <-ctx.Done():
 		return nil, ctx.Err()
 	default:
 		return []*types.FileMeta{}, fmt.Errorf("configFetcher: fallback did not find config: %w", err)
 	}
 }
 func filterPipelineFiles(files []*types.FileMeta) []*types.FileMeta {
 	var res []*types.FileMeta
 	for _, file := range files {
 		if strings.HasSuffix(file.Name, ".yml") || strings.HasSuffix(file.Name, ".yaml") {
 			res = append(res, file)
 		}
 	}
 	return res
 }
 func (cf *ConfigFetcher) checkPipelineFile(c context.Context, config string) ([]*types.FileMeta, error) {
 	file, err := cf.forge.File(c, cf.user, cf.repo, cf.pipeline, config)
 	if err == nil && len(file) != 0 {
 		log.Trace().Msgf("configFetcher[%s]: found file '%s'", cf.repo.FullName, config)
 		return []*types.FileMeta{{
 			Name: config,
 			Data: file,
 		}}, nil
 	}
 	return nil, err
 }
 func (cf *ConfigFetcher) getFirstAvailableConfig(c context.Context, configs []string) ([]*types.FileMeta, error) {
 	var forgeErr []error
 	for _, fileOrFolder := range configs {
 		if strings.HasSuffix(fileOrFolder, "/") {
 			// config is a folder
 			files, err := cf.forge.Dir(c, cf.user, cf.repo, cf.pipeline, strings.TrimSuffix(fileOrFolder, "/"))
 			// if folder is not supported we will get a "Not implemented" error and continue
 			if err != nil {
 				if !(errors.Is(err, types.ErrNotImplemented) || errors.Is(err, &types.ErrConfigNotFound{})) {
 					log.Error().Err(err).Str("repo", cf.repo.FullName).Str("user", cf.user.Login).Msg("could not get folder from forge")
 					forgeErr = append(forgeErr, err)
 				}
 				continue
 			}
 			files = filterPipelineFiles(files)
 			if len(files) != 0 {
 				log.Trace().Msgf("configFetcher[%s]: found %d files in '%s'", cf.repo.FullName, len(files), fileOrFolder)
 				return files, nil
 			}
 		}
 		// config is a file
 		if fileMeta, err := cf.checkPipelineFile(c, fileOrFolder); err == nil {
 			log.Trace().Msgf("configFetcher[%s]: found file: '%s'", cf.repo.FullName, fileOrFolder)
 			return fileMeta, nil
 		} else if !errors.Is(err, &types.ErrConfigNotFound{}) {
 			forgeErr = append(forgeErr, err)
 		}
 	}
 	// got unexpected errors
 	if len(forgeErr) != 0 {
 		return nil, errors.Join(forgeErr...)
 	}
 	// nothing found
 	return nil, &types.ErrConfigNotFound{Configs: configs}
 }
--- a/server/model/environ.go
+++ b/server/model/environ.go
@ -24,11 +24,6 @@ var (
 	errEnvironValueInvalid = errors.New("invalid Environment Variable Value")
 )
 // EnvironService defines a service for managing environment variables.
 type EnvironService interface {
 	EnvironList(*Repo) ([]*Environ, error)
 }
 // EnvironStore persists environment information to storage.
 type EnvironStore interface {
 	EnvironList(*Repo) ([]*Environ, error)
--- a/server/model/registry.go
+++ b/server/model/registry.go
@ -26,21 +26,6 @@ var (
 	errRegistryPasswordInvalid = errors.New("invalid registry password")
 )
 // RegistryService defines a service for managing registries.
 type RegistryService interface {
 	RegistryFind(*Repo, string) (*Registry, error)
 	RegistryList(*Repo, *ListOptions) ([]*Registry, error)
 	RegistryCreate(*Repo, *Registry) error
 	RegistryUpdate(*Repo, *Registry) error
 	RegistryDelete(*Repo, string) error
 }
 // ReadOnlyRegistryService defines a service for managing registries.
 type ReadOnlyRegistryService interface {
 	RegistryFind(*Repo, string) (*Registry, error)
 	RegistryList(*Repo, *ListOptions) ([]*Registry, error)
 }
 // RegistryStore persists registry information to storage.
 type RegistryStore interface {
 	RegistryFind(*Repo, string) (*Registry, error)
--- a/server/model/secret.go
+++ b/server/model/secret.go
@ -29,29 +29,6 @@ var (
 	ErrSecretEventInvalid = errors.New("invalid secret event")
 )
 // SecretService defines a service for managing secrets.
 type SecretService interface {
 	SecretListPipeline(*Repo, *Pipeline, *ListOptions) ([]*Secret, error)
 	// Repository secrets
 	SecretFind(*Repo, string) (*Secret, error)
 	SecretList(*Repo, *ListOptions) ([]*Secret, error)
 	SecretCreate(*Repo, *Secret) error
 	SecretUpdate(*Repo, *Secret) error
 	SecretDelete(*Repo, string) error
 	// Organization secrets
 	OrgSecretFind(int64, string) (*Secret, error)
 	OrgSecretList(int64, *ListOptions) ([]*Secret, error)
 	OrgSecretCreate(int64, *Secret) error
 	OrgSecretUpdate(int64, *Secret) error
 	OrgSecretDelete(int64, string) error
 	// Global secrets
 	GlobalSecretFind(string) (*Secret, error)
 	GlobalSecretList(*ListOptions) ([]*Secret, error)
 	GlobalSecretCreate(*Secret) error
 	GlobalSecretUpdate(*Secret) error
 	GlobalSecretDelete(string) error
 }
 // SecretStore persists secret information to storage.
 type SecretStore interface {
 	SecretFind(*Repo, string) (*Secret, error)
--- a/server/pipeline/create.go
+++ b/server/pipeline/create.go
@ -34,6 +34,7 @@ var skipPipelineRegex = regexp.MustCompile(`\[(?i:ci *skip|skip *ci)\]`)
 // Create a new pipeline and start it
 func Create(ctx context.Context, _store store.Store, repo *model.Repo, pipeline *model.Pipeline) (*model.Pipeline, error) {
 	_forge := server.Config.Services.Forge
 	repoUser, err := _store.GetUser(repo.UserID)
 	if err != nil {
 		msg := fmt.Sprintf("failure to find repo owner via id '%d'", repo.UserID)
@ -54,7 +55,7 @@ func Create(ctx context.Context, _store store.Store, repo *model.Repo, pipeline
 	// If the forge has a refresh token, the current access token
 	// may be stale. Therefore, we should refresh prior to dispatching
 	// the pipeline.
-	forge.Refresh(ctx, server.Config.Services.Forge, _store, repoUser)
+	forge.Refresh(ctx, _forge, _store, repoUser)
 	// update some pipeline fields
 	pipeline.RepoID = repo.ID
@ -68,8 +69,8 @@ func Create(ctx context.Context, _store store.Store, repo *model.Repo, pipeline
 	}
 	// fetch the pipeline file from the forge
-	configFetcher := forge.NewConfigFetcher(server.Config.Services.Forge, server.Config.Services.Timeout, server.Config.Services.ConfigService, repoUser, repo, pipeline)
+	configService := server.Config.Services.Manager.ConfigServiceFromRepo(repo)
-	forgeYamlConfigs, configFetchErr := configFetcher.Fetch(ctx)
+	forgeYamlConfigs, configFetchErr := configService.Fetch(ctx, _forge, repoUser, repo, pipeline, nil, false)
 	if errors.Is(configFetchErr, &forge_types.ErrConfigNotFound{}) {
 		log.Debug().Str("repo", repo.FullName).Err(configFetchErr).Msgf("cannot find config '%s' in '%s' with user: '%s'", repo.Config, pipeline.Ref, repoUser.Login)
 		if err := _store.DeletePipeline(pipeline); err != nil {
--- a/server/pipeline/items.go
+++ b/server/pipeline/items.go
@ -42,12 +42,14 @@ func parsePipeline(store store.Store, currentPipeline *model.Pipeline, user *mod
 		log.Error().Err(err).Str("repo", repo.FullName).Msgf("error getting last pipeline before pipeline number '%d'", currentPipeline.Number)
 	}
-	secs, err := server.Config.Services.Secrets.SecretListPipeline(repo, currentPipeline, &model.ListOptions{All: true})
+	secretService := server.Config.Services.Manager.SecretServiceFromRepo(repo)
 	secs, err := secretService.SecretListPipeline(repo, currentPipeline, &model.ListOptions{All: true})
 	if err != nil {
 		log.Error().Err(err).Msgf("error getting secrets for %s#%d", repo.FullName, currentPipeline.Number)
 	}
-	regs, err := server.Config.Services.Registries.RegistryList(repo, &model.ListOptions{All: true})
+	registryService := server.Config.Services.Manager.RegistryServiceFromRepo(repo)
 	regs, err := registryService.RegistryList(repo, &model.ListOptions{All: true})
 	if err != nil {
 		log.Error().Err(err).Msgf("error getting registry credentials for %s#%d", repo.FullName, currentPipeline.Number)
 	}
@ -55,8 +57,10 @@ func parsePipeline(store store.Store, currentPipeline *model.Pipeline, user *mod
 	if envs == nil {
 		envs = map[string]string{}
 	}
-	if server.Config.Services.Environ != nil {
+
-		globals, _ := server.Config.Services.Environ.EnvironList(repo)
+	environmentService := server.Config.Services.Manager.EnvironmentService()
 	if environmentService != nil {
 		globals, _ := environmentService.EnvironList(repo)
 		for _, global := range globals {
 			envs[global.Name] = global.Value
 		}
--- a/server/pipeline/restart.go
+++ b/server/pipeline/restart.go
@ -28,15 +28,14 @@ import (
 )
 // Restart a pipeline by creating a new one out of the old and start it
-func Restart(ctx context.Context, store store.Store, lastPipeline *model.Pipeline, user *model.User, repo *model.Repo, envs map[string]string, netrc *model.Netrc) (*model.Pipeline, error) {
+func Restart(ctx context.Context, store store.Store, lastPipeline *model.Pipeline, user *model.User, repo *model.Repo, envs map[string]string) (*model.Pipeline, error) {
 	forge := server.Config.Services.Forge
 	switch lastPipeline.Status {
 	case model.StatusDeclined,
 		model.StatusBlocked:
 		return nil, &ErrBadRequest{Msg: fmt.Sprintf("cannot restart a pipeline with status %s", lastPipeline.Status)}
 	}
 	var pipelineFiles []*forge_types.FileMeta
 	// fetch the old pipeline config from the database
 	configs, err := store.ConfigsForPipeline(lastPipeline.ID)
 	if err != nil {
@ -44,25 +43,17 @@ func Restart(ctx context.Context, store store.Store, lastPipeline *model.Pipelin
 		return nil, &ErrNotFound{Msg: fmt.Sprintf("failure to get pipeline config for %s. %s", repo.FullName, err)}
 	}
 	var pipelineFiles []*forge_types.FileMeta
 	for _, y := range configs {
 		pipelineFiles = append(pipelineFiles, &forge_types.FileMeta{Data: y.Data, Name: y.Name})
 	}
-	// If the config extension is active we should refetch the config in case something changed
+	// If the config service is active we should refetch the config in case something changed
-	if server.Config.Services.ConfigService != nil {
+	configService := server.Config.Services.Manager.ConfigServiceFromRepo(repo)
-		currentFileMeta := make([]*forge_types.FileMeta, len(configs))
+	pipelineFiles, err = configService.Fetch(ctx, forge, user, repo, lastPipeline, pipelineFiles, true)
-		for i, cfg := range configs {
+	if err != nil {
-			currentFileMeta[i] = &forge_types.FileMeta{Name: cfg.Name, Data: cfg.Data}
+		return nil, &ErrBadRequest{
-		}
+			Msg: fmt.Sprintf("On fetching external pipeline config: %s", err),
 		newConfig, useOld, err := server.Config.Services.ConfigService.FetchConfig(ctx, repo, lastPipeline, currentFileMeta, netrc)
 		if err != nil {
 			return nil, &ErrBadRequest{
 				Msg: fmt.Sprintf("On fetching external pipeline config: %s", err),
 			}
 		}
 		if !useOld {
 			pipelineFiles = newConfig
 		}
 	}
--- a/server/plugins/config/http.go
+++ b/server/plugins/config/http.go
@ -1,83 +0,0 @@
 // Copyright 2022 Woodpecker Authors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //      http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
 package config
 import (
 	"context"
 	"crypto"
 	"fmt"
 	forge_types "go.woodpecker-ci.org/woodpecker/v2/server/forge/types"
 	"go.woodpecker-ci.org/woodpecker/v2/server/model"
 	"go.woodpecker-ci.org/woodpecker/v2/server/plugins/utils"
 )
 type http struct {
 	endpoint   string
 	privateKey crypto.PrivateKey
 }
 // Same as forge.FileMeta but with json tags and string data
 type config struct {
 	Name string `json:"name"`
 	Data string `json:"data"`
 }
 type requestStructure struct {
 	Repo          *model.Repo     `json:"repo"`
 	Pipeline      *model.Pipeline `json:"pipeline"`
 	Configuration []*config       `json:"configs"`
 	Netrc         *model.Netrc    `json:"netrc"`
 }
 type responseStructure struct {
 	Configs []config `json:"configs"`
 }
 func NewHTTP(endpoint string, privateKey crypto.PrivateKey) Extension {
 	return &http{endpoint, privateKey}
 }
 func (cp *http) FetchConfig(ctx context.Context, repo *model.Repo, pipeline *model.Pipeline, currentFileMeta []*forge_types.FileMeta, netrc *model.Netrc) (configData []*forge_types.FileMeta, useOld bool, err error) {
 	currentConfigs := make([]*config, len(currentFileMeta))
 	for i, pipe := range currentFileMeta {
 		currentConfigs[i] = &config{Name: pipe.Name, Data: string(pipe.Data)}
 	}
 	response := new(responseStructure)
 	body := requestStructure{
 		Repo:          repo,
 		Pipeline:      pipeline,
 		Configuration: currentConfigs,
 		Netrc:         netrc,
 	}
 	status, err := utils.Send(ctx, "POST", cp.endpoint, cp.privateKey, body, response)
 	if err != nil && status != 204 {
 		return nil, false, fmt.Errorf("failed to fetch config via http (%d) %w", status, err)
 	}
 	var newFileMeta []*forge_types.FileMeta
 	if status != 200 {
 		newFileMeta = make([]*forge_types.FileMeta, 0)
 	} else {
 		newFileMeta = make([]*forge_types.FileMeta, len(response.Configs))
 		for i, pipe := range response.Configs {
 			newFileMeta[i] = &forge_types.FileMeta{Name: pipe.Name, Data: []byte(pipe.Data)}
 		}
 	}
 	return newFileMeta, status == 204, nil
 }
--- a/server/plugins/secrets/builtin.go
+++ b/server/plugins/secrets/builtin.go
@ -1,136 +0,0 @@
 // Copyright 2022 Woodpecker Authors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //      http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
 package secrets
 import (
 	"context"
 	"go.woodpecker-ci.org/woodpecker/v2/server/model"
 )
 type builtin struct {
 	context.Context
 	store model.SecretStore
 }
 // New returns a new local secret service.
 func New(ctx context.Context, store model.SecretStore) model.SecretService {
 	return &builtin{store: store, Context: ctx}
 }
 func (b *builtin) SecretFind(repo *model.Repo, name string) (*model.Secret, error) {
 	return b.store.SecretFind(repo, name)
 }
 func (b *builtin) SecretList(repo *model.Repo, p *model.ListOptions) ([]*model.Secret, error) {
 	return b.store.SecretList(repo, false, p)
 }
 func (b *builtin) SecretListPipeline(repo *model.Repo, _ *model.Pipeline, p *model.ListOptions) ([]*model.Secret, error) {
 	s, err := b.store.SecretList(repo, true, p)
 	if err != nil {
 		return nil, err
 	}
 	// Return only secrets with unique name
 	// Priority order in case of duplicate names are repository, user/organization, global
 	secrets := make([]*model.Secret, 0, len(s))
 	uniq := make(map[string]struct{})
 	for _, condition := range []struct {
 		IsRepository   bool
 		IsOrganization bool
 		IsGlobal       bool
 	}{
 		{IsRepository: true},
 		{IsOrganization: true},
 		{IsGlobal: true},
 	} {
 		for _, secret := range s {
 			if secret.IsRepository() != condition.IsRepository || secret.IsOrganization() != condition.IsOrganization || secret.IsGlobal() != condition.IsGlobal {
 				continue
 			}
 			if _, ok := uniq[secret.Name]; ok {
 				continue
 			}
 			uniq[secret.Name] = struct{}{}
 			secrets = append(secrets, secret)
 		}
 	}
 	return secrets, nil
 }
 func (b *builtin) SecretCreate(_ *model.Repo, in *model.Secret) error {
 	return b.store.SecretCreate(in)
 }
 func (b *builtin) SecretUpdate(_ *model.Repo, in *model.Secret) error {
 	return b.store.SecretUpdate(in)
 }
 func (b *builtin) SecretDelete(repo *model.Repo, name string) error {
 	secret, err := b.store.SecretFind(repo, name)
 	if err != nil {
 		return err
 	}
 	return b.store.SecretDelete(secret)
 }
 func (b *builtin) OrgSecretFind(owner int64, name string) (*model.Secret, error) {
 	return b.store.OrgSecretFind(owner, name)
 }
 func (b *builtin) OrgSecretList(owner int64, p *model.ListOptions) ([]*model.Secret, error) {
 	return b.store.OrgSecretList(owner, p)
 }
 func (b *builtin) OrgSecretCreate(_ int64, in *model.Secret) error {
 	return b.store.SecretCreate(in)
 }
 func (b *builtin) OrgSecretUpdate(_ int64, in *model.Secret) error {
 	return b.store.SecretUpdate(in)
 }
 func (b *builtin) OrgSecretDelete(owner int64, name string) error {
 	secret, err := b.store.OrgSecretFind(owner, name)
 	if err != nil {
 		return err
 	}
 	return b.store.SecretDelete(secret)
 }
 func (b *builtin) GlobalSecretFind(owner string) (*model.Secret, error) {
 	return b.store.GlobalSecretFind(owner)
 }
 func (b *builtin) GlobalSecretList(p *model.ListOptions) ([]*model.Secret, error) {
 	return b.store.GlobalSecretList(p)
 }
 func (b *builtin) GlobalSecretCreate(in *model.Secret) error {
 	return b.store.SecretCreate(in)
 }
 func (b *builtin) GlobalSecretUpdate(in *model.Secret) error {
 	return b.store.SecretUpdate(in)
 }
 func (b *builtin) GlobalSecretDelete(name string) error {
 	secret, err := b.store.GlobalSecretFind(name)
 	if err != nil {
 		return err
 	}
 	return b.store.SecretDelete(secret)
 }
--- a/server/services/config/combined.go
+++ b/server/services/config/combined.go
@ -0,0 +1,40 @@
 // Copyright 2024 Woodpecker Authors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //      http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
 package config
 import (
 	"context"
 	"go.woodpecker-ci.org/woodpecker/v2/server/forge"
 	"go.woodpecker-ci.org/woodpecker/v2/server/forge/types"
 	"go.woodpecker-ci.org/woodpecker/v2/server/model"
 )
 type combined struct {
 	services []Service
 }
 func NewCombined(services ...Service) Service {
 	return &combined{services: services}
 }
 func (c *combined) Fetch(ctx context.Context, forge forge.Forge, user *model.User, repo *model.Repo, pipeline *model.Pipeline, oldConfigData []*types.FileMeta, restart bool) (files []*types.FileMeta, err error) {
 	files = oldConfigData
 	for _, s := range c.services {
 		files, err = s.Fetch(ctx, forge, user, repo, pipeline, files, restart)
 	}
 	return files, err
 }
--- a/server/services/config/combined_test.go
+++ b/server/services/config/combined_test.go
@ -0,0 +1,248 @@
 // Copyright 2024 Woodpecker Authors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //      http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
 package config_test
 import (
 	"context"
 	"crypto/ed25519"
 	"crypto/rand"
 	"encoding/json"
 	"fmt"
 	"io"
 	"net/http"
 	"net/http/httptest"
 	"path/filepath"
 	"testing"
 	"time"
 	"github.com/go-ap/httpsig"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/mock"
 	"go.woodpecker-ci.org/woodpecker/v2/server/forge/mocks"
 	forge_types "go.woodpecker-ci.org/woodpecker/v2/server/forge/types"
 	"go.woodpecker-ci.org/woodpecker/v2/server/model"
 	"go.woodpecker-ci.org/woodpecker/v2/server/services/config"
 )
 func TestFetchFromConfigService(t *testing.T) {
 	t.Parallel()
 	type file struct {
 		name string
 		data []byte
 	}
 	dummyData := []byte("TEST")
 	testTable := []struct {
 		name              string
 		repoConfig        string
 		files             []file
 		expectedFileNames []string
 		expectedError     bool
 	}{
 		{
 			name:              "External Fetch empty repo",
 			repoConfig:        "",
 			files:             []file{},
 			expectedFileNames: []string{"override1", "override2", "override3"},
 			expectedError:     false,
 		},
 		{
 			name:       "Default config - Additional sub-folders",
 			repoConfig: "",
 			files: []file{{
 				name: ".woodpecker/test.yml",
 				data: dummyData,
 			}, {
 				name: ".woodpecker/sub-folder/config.yml",
 				data: dummyData,
 			}},
 			expectedFileNames: []string{"override1", "override2", "override3"},
 			expectedError:     false,
 		},
 		{
 			name:       "Fetch empty",
 			repoConfig: " ",
 			files: []file{{
 				name: ".woodpecker/.keep",
 				data: dummyData,
 			}, {
 				name: ".woodpecker.yml",
 				data: nil,
 			}, {
 				name: ".woodpecker.yaml",
 				data: dummyData,
 			}},
 			expectedFileNames: []string{},
 			expectedError:     true,
 		},
 		{
 			name:       "Use old config",
 			repoConfig: ".my-ci-folder/",
 			files: []file{{
 				name: ".woodpecker/test.yml",
 				data: dummyData,
 			}, {
 				name: ".woodpecker.yml",
 				data: dummyData,
 			}, {
 				name: ".woodpecker.yaml",
 				data: dummyData,
 			}, {
 				name: ".my-ci-folder/test.yml",
 				data: dummyData,
 			}},
 			expectedFileNames: []string{
 				".my-ci-folder/test.yml",
 			},
 			expectedError: false,
 		},
 	}
 	pubEd25519Key, privEd25519Key, err := ed25519.GenerateKey(rand.Reader)
 	if err != nil {
 		t.Fatal("can't generate ed25519 key pair")
 	}
 	fixtureHandler := func(w http.ResponseWriter, r *http.Request) {
 		// check signature
 		pubKeyID := "woodpecker-ci-plugins"
 		keystore := httpsig.NewMemoryKeyStore()
 		keystore.SetKey(pubKeyID, pubEd25519Key)
 		verifier := httpsig.NewVerifier(keystore)
 		verifier.SetRequiredHeaders([]string{"(request-target)", "date"})
 		keyID, err := verifier.Verify(r)
 		if err != nil {
 			http.Error(w, "Invalid signature", http.StatusBadRequest)
 			return
 		}
 		if keyID != pubKeyID {
 			http.Error(w, "Used wrong key", http.StatusBadRequest)
 			return
 		}
 		type config struct {
 			Name string `json:"name"`
 			Data string `json:"data"`
 		}
 		type incoming struct {
 			Repo          *model.Repo     `json:"repo"`
 			Build         *model.Pipeline `json:"pipeline"`
 			Configuration []*config       `json:"config"`
 		}
 		var req incoming
 		body, err := io.ReadAll(r.Body)
 		if err != nil {
 			http.Error(w, "can't read body", http.StatusBadRequest)
 			return
 		}
 		err = json.Unmarshal(body, &req)
 		if err != nil {
 			http.Error(w, "Failed to parse JSON"+err.Error(), http.StatusBadRequest)
 			return
 		}
 		if req.Repo.Name == "Fetch empty" {
 			w.WriteHeader(404)
 			return
 		}
 		if req.Repo.Name == "Use old config" {
 			w.WriteHeader(204)
 			return
 		}
 		fmt.Fprint(w, `{
 			"configs": [
 					{
 							"name": "override1",
 							"data": "some new pipelineconfig \n pipe, pipe, pipe"
 					},
 					{
 							"name": "override2",
 							"data": "some new pipelineconfig \n pipe, pipe, pipe"
 					},
 					{
 							"name": "override3",
 							"data": "some new pipelineconfig \n pipe, pipe, pipe"
 					}
 			]
 }`)
 	}
 	ts := httptest.NewServer(http.HandlerFunc(fixtureHandler))
 	defer ts.Close()
 	httpFetcher := config.NewHTTP(ts.URL, privEd25519Key)
 	for _, tt := range testTable {
 		t.Run(tt.name, func(t *testing.T) {
 			repo := &model.Repo{Owner: "laszlocph", Name: tt.name, Config: tt.repoConfig} // Using test name as repo name to provide different responses in mock server
 			f := new(mocks.Forge)
 			dirs := map[string][]*forge_types.FileMeta{}
 			for _, file := range tt.files {
 				f.On("File", mock.Anything, mock.Anything, mock.Anything, mock.Anything, file.name).Return(file.data, nil)
 				path := filepath.Dir(file.name)
 				if path != "." {
 					dirs[path] = append(dirs[path], &forge_types.FileMeta{
 						Name: file.name,
 						Data: file.data,
 					})
 				}
 			}
 			for path, files := range dirs {
 				f.On("Dir", mock.Anything, mock.Anything, mock.Anything, mock.Anything, path).Return(files, nil)
 			}
 			// if the previous mocks do not match return not found errors
 			f.On("File", mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return(nil, fmt.Errorf("file not found"))
 			f.On("Dir", mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return(nil, fmt.Errorf("directory not found"))
 			f.On("Netrc", mock.Anything, mock.Anything).Return(&model.Netrc{Machine: "mock", Login: "mock", Password: "mock"}, nil)
 			forgeFetcher := config.NewForge(time.Second * 3)
 			configFetcher := config.NewCombined(forgeFetcher, httpFetcher)
 			files, err := configFetcher.Fetch(
 				context.Background(),
 				f,
 				&model.User{Token: "xxx"},
 				repo,
 				&model.Pipeline{Commit: "89ab7b2d6bfb347144ac7c557e638ab402848fee"},
 				[]*forge_types.FileMeta{},
 				false,
 			)
 			if tt.expectedError && err == nil {
 				t.Fatal("expected an error")
 			} else if !tt.expectedError && err != nil {
 				t.Fatal("error fetching config:", err)
 			}
 			matchingFiles := make([]string, len(files))
 			for i := range files {
 				matchingFiles[i] = files[i].Name
 			}
 			assert.ElementsMatch(t, tt.expectedFileNames, matchingFiles, "expected some other pipeline files")
 		})
 	}
 }
--- a/server/services/config/forge.go
+++ b/server/services/config/forge.go
@ -0,0 +1,180 @@
 // Copyright 2024 Woodpecker Authors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //      http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
 package config
 import (
 	"context"
 	"errors"
 	"fmt"
 	"strings"
 	"time"
 	"github.com/rs/zerolog/log"
 	"go.woodpecker-ci.org/woodpecker/v2/server/forge"
 	"go.woodpecker-ci.org/woodpecker/v2/server/forge/types"
 	"go.woodpecker-ci.org/woodpecker/v2/server/model"
 	"go.woodpecker-ci.org/woodpecker/v2/shared/constant"
 )
 const (
 	forgeFetchingRetryCount = 3
 )
 type forgeFetcher struct {
 	timeout time.Duration
 }
 func NewForge(timeout time.Duration) Service {
 	return &forgeFetcher{
 		timeout: timeout,
 	}
 }
 func (f *forgeFetcher) Fetch(ctx context.Context, forge forge.Forge, user *model.User, repo *model.Repo, pipeline *model.Pipeline, oldConfigData []*types.FileMeta, restart bool) (files []*types.FileMeta, err error) {
 	// skip fetching if we are restarting and have the old config
 	if restart && len(oldConfigData) > 0 {
 		return
 	}
 	ffc := &forgeFetcherContext{
 		forge:    forge,
 		user:     user,
 		repo:     repo,
 		pipeline: pipeline,
 		timeout:  f.timeout,
 	}
 	// try to fetch multiple times
 	for i := 0; i < forgeFetchingRetryCount; i++ {
 		files, err = ffc.fetch(ctx, strings.TrimSpace(repo.Config))
 		if err != nil {
 			log.Trace().Err(err).Msgf("%d. try failed", i+1)
 		}
 		if errors.Is(err, context.DeadlineExceeded) {
 			continue
 		}
 	}
 	return
 }
 type forgeFetcherContext struct {
 	forge    forge.Forge
 	user     *model.User
 	repo     *model.Repo
 	pipeline *model.Pipeline
 	timeout  time.Duration
 }
 // fetch config by timeout
 func (f *forgeFetcherContext) fetch(c context.Context, config string) ([]*types.FileMeta, error) {
 	ctx, cancel := context.WithTimeout(c, f.timeout)
 	defer cancel()
 	if len(config) > 0 {
 		log.Trace().Msgf("configFetcher[%s]: use user config '%s'", f.repo.FullName, config)
 		// could be adapted to allow the user to supply a list like we do in the defaults
 		configs := []string{config}
 		fileMetas, err := f.getFirstAvailableConfig(ctx, configs)
 		if err == nil {
 			return fileMetas, err
 		}
 		return nil, fmt.Errorf("user defined config '%s' not found: %w", config, err)
 	}
 	log.Trace().Msgf("configFetcher[%s]: user did not define own config, following default procedure", f.repo.FullName)
 	// for the order see shared/constants/constants.go
 	fileMetas, err := f.getFirstAvailableConfig(ctx, constant.DefaultConfigOrder[:])
 	if err == nil {
 		return fileMetas, err
 	}
 	select {
 	case <-ctx.Done():
 		return nil, ctx.Err()
 	default:
 		return nil, fmt.Errorf("configFetcher: fallback did not find config: %w", err)
 	}
 }
 func filterPipelineFiles(files []*types.FileMeta) []*types.FileMeta {
 	var res []*types.FileMeta
 	for _, file := range files {
 		if strings.HasSuffix(file.Name, ".yml") || strings.HasSuffix(file.Name, ".yaml") {
 			res = append(res, file)
 		}
 	}
 	return res
 }
 func (f *forgeFetcherContext) checkPipelineFile(c context.Context, config string) ([]*types.FileMeta, error) {
 	file, err := f.forge.File(c, f.user, f.repo, f.pipeline, config)
 	if err == nil && len(file) != 0 {
 		log.Trace().Msgf("configFetcher[%s]: found file '%s'", f.repo.FullName, config)
 		return []*types.FileMeta{{
 			Name: config,
 			Data: file,
 		}}, nil
 	}
 	return nil, err
 }
 func (f *forgeFetcherContext) getFirstAvailableConfig(c context.Context, configs []string) ([]*types.FileMeta, error) {
 	var forgeErr []error
 	for _, fileOrFolder := range configs {
 		if strings.HasSuffix(fileOrFolder, "/") {
 			// config is a folder
 			files, err := f.forge.Dir(c, f.user, f.repo, f.pipeline, strings.TrimSuffix(fileOrFolder, "/"))
 			// if folder is not supported we will get a "Not implemented" error and continue
 			if err != nil {
 				if !(errors.Is(err, types.ErrNotImplemented) || errors.Is(err, &types.ErrConfigNotFound{})) {
 					log.Error().Err(err).Str("repo", f.repo.FullName).Str("user", f.user.Login).Msg("could not get folder from forge")
 					forgeErr = append(forgeErr, err)
 				}
 				continue
 			}
 			files = filterPipelineFiles(files)
 			if len(files) != 0 {
 				log.Trace().Msgf("configFetcher[%s]: found %d files in '%s'", f.repo.FullName, len(files), fileOrFolder)
 				return files, nil
 			}
 		}
 		// config is a file
 		if fileMeta, err := f.checkPipelineFile(c, fileOrFolder); err == nil {
 			log.Trace().Msgf("configFetcher[%s]: found file: '%s'", f.repo.FullName, fileOrFolder)
 			return fileMeta, nil
 		} else if !errors.Is(err, &types.ErrConfigNotFound{}) {
 			forgeErr = append(forgeErr, err)
 		}
 	}
 	// got unexpected errors
 	if len(forgeErr) != 0 {
 		return nil, errors.Join(forgeErr...)
 	}
 	// nothing found
 	return nil, &types.ErrConfigNotFound{Configs: configs}
 }
--- a/server/services/config/forge_test.go
+++ b/server/services/config/forge_test.go
@ -12,30 +12,22 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
-package forge_test
+package config_test
 import (
 	"context"
 	"crypto/ed25519"
 	"crypto/rand"
 	"encoding/json"
 	"fmt"
 	"io"
 	"net/http"
 	"net/http/httptest"
 	"path/filepath"
 	"testing"
 	"time"
 	"github.com/go-ap/httpsig"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/mock"
 	"go.woodpecker-ci.org/woodpecker/v2/server/forge"
 	"go.woodpecker-ci.org/woodpecker/v2/server/forge/mocks"
 	forge_types "go.woodpecker-ci.org/woodpecker/v2/server/forge/types"
 	"go.woodpecker-ci.org/woodpecker/v2/server/model"
-	"go.woodpecker-ci.org/woodpecker/v2/server/plugins/config"
+	"go.woodpecker-ci.org/woodpecker/v2/server/services/config"
 )
 func TestFetch(t *testing.T) {
@ -313,223 +305,18 @@ func TestFetch(t *testing.T) {
 			f.On("File", mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return(nil, fmt.Errorf("file not found"))
 			f.On("Dir", mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return(nil, fmt.Errorf("directory not found"))
-			configFetcher := forge.NewConfigFetcher(
+			configFetcher := config.NewForge(
 				time.Second * 3,
 			)
 			files, err := configFetcher.Fetch(
 				context.Background(),
 				f,
-				time.Second*3,
+				&model.User{Token: "xxx"},
 				repo,
 				&model.Pipeline{Commit: "89ab7b2d6bfb347144ac7c557e638ab402848fee"},
 				nil,
-				&model.User{Token: "xxx"},
+				false,
 				repo,
 				&model.Pipeline{Commit: "89ab7b2d6bfb347144ac7c557e638ab402848fee"},
 			)
 			files, err := configFetcher.Fetch(context.Background())
 			if tt.expectedError && err == nil {
 				t.Fatal("expected an error")
 			} else if !tt.expectedError && err != nil {
 				t.Fatal("error fetching config:", err)
 			}
 			matchingFiles := make([]string, len(files))
 			for i := range files {
 				matchingFiles[i] = files[i].Name
 			}
 			assert.ElementsMatch(t, tt.expectedFileNames, matchingFiles, "expected some other pipeline files")
 		})
 	}
 }
 func TestFetchFromConfigService(t *testing.T) {
 	t.Parallel()
 	type file struct {
 		name string
 		data []byte
 	}
 	dummyData := []byte("TEST")
 	testTable := []struct {
 		name              string
 		repoConfig        string
 		files             []file
 		expectedFileNames []string
 		expectedError     bool
 	}{
 		{
 			name:              "External Fetch empty repo",
 			repoConfig:        "",
 			files:             []file{},
 			expectedFileNames: []string{"override1", "override2", "override3"},
 			expectedError:     false,
 		},
 		{
 			name:       "Default config - Additional sub-folders",
 			repoConfig: "",
 			files: []file{{
 				name: ".woodpecker/test.yml",
 				data: dummyData,
 			}, {
 				name: ".woodpecker/sub-folder/config.yml",
 				data: dummyData,
 			}},
 			expectedFileNames: []string{"override1", "override2", "override3"},
 			expectedError:     false,
 		},
 		{
 			name:       "Fetch empty",
 			repoConfig: " ",
 			files: []file{{
 				name: ".woodpecker/.keep",
 				data: dummyData,
 			}, {
 				name: ".woodpecker.yml",
 				data: nil,
 			}, {
 				name: ".woodpecker.yaml",
 				data: dummyData,
 			}},
 			expectedFileNames: []string{},
 			expectedError:     true,
 		},
 		{
 			name:       "Use old config",
 			repoConfig: ".my-ci-folder/",
 			files: []file{{
 				name: ".woodpecker/test.yml",
 				data: dummyData,
 			}, {
 				name: ".woodpecker.yml",
 				data: dummyData,
 			}, {
 				name: ".woodpecker.yaml",
 				data: dummyData,
 			}, {
 				name: ".my-ci-folder/test.yml",
 				data: dummyData,
 			}},
 			expectedFileNames: []string{
 				".my-ci-folder/test.yml",
 			},
 			expectedError: false,
 		},
 	}
 	pubEd25519Key, privEd25519Key, err := ed25519.GenerateKey(rand.Reader)
 	if err != nil {
 		t.Fatal("can't generate ed25519 key pair")
 	}
 	fixtureHandler := func(w http.ResponseWriter, r *http.Request) {
 		// check signature
 		pubKeyID := "woodpecker-ci-plugins"
 		keystore := httpsig.NewMemoryKeyStore()
 		keystore.SetKey(pubKeyID, pubEd25519Key)
 		verifier := httpsig.NewVerifier(keystore)
 		verifier.SetRequiredHeaders([]string{"(request-target)", "date"})
 		keyID, err := verifier.Verify(r)
 		if err != nil {
 			http.Error(w, "Invalid signature", http.StatusBadRequest)
 			return
 		}
 		if keyID != pubKeyID {
 			http.Error(w, "Used wrong key", http.StatusBadRequest)
 			return
 		}
 		type config struct {
 			Name string `json:"name"`
 			Data string `json:"data"`
 		}
 		type incoming struct {
 			Repo          *model.Repo     `json:"repo"`
 			Build         *model.Pipeline `json:"pipeline"`
 			Configuration []*config       `json:"config"`
 		}
 		var req incoming
 		body, err := io.ReadAll(r.Body)
 		if err != nil {
 			http.Error(w, "can't read body", http.StatusBadRequest)
 			return
 		}
 		err = json.Unmarshal(body, &req)
 		if err != nil {
 			http.Error(w, "Failed to parse JSON"+err.Error(), http.StatusBadRequest)
 			return
 		}
 		if req.Repo.Name == "Fetch empty" {
 			w.WriteHeader(404)
 			return
 		}
 		if req.Repo.Name == "Use old config" {
 			w.WriteHeader(204)
 			return
 		}
 		fmt.Fprint(w, `{
 			"configs": [
 					{
 							"name": "override1",
 							"data": "some new pipelineconfig \n pipe, pipe, pipe"
 					},
 					{
 							"name": "override2",
 							"data": "some new pipelineconfig \n pipe, pipe, pipe"
 					},
 					{
 							"name": "override3",
 							"data": "some new pipelineconfig \n pipe, pipe, pipe"
 					}
 			]
 }`)
 	}
 	ts := httptest.NewServer(http.HandlerFunc(fixtureHandler))
 	defer ts.Close()
 	configAPI := config.NewHTTP(ts.URL, privEd25519Key)
 	for _, tt := range testTable {
 		t.Run(tt.name, func(t *testing.T) {
 			repo := &model.Repo{Owner: "laszlocph", Name: tt.name, Config: tt.repoConfig} // Using test name as repo name to provide different responses in mock server
 			f := new(mocks.Forge)
 			dirs := map[string][]*forge_types.FileMeta{}
 			for _, file := range tt.files {
 				f.On("File", mock.Anything, mock.Anything, mock.Anything, mock.Anything, file.name).Return(file.data, nil)
 				path := filepath.Dir(file.name)
 				if path != "." {
 					dirs[path] = append(dirs[path], &forge_types.FileMeta{
 						Name: file.name,
 						Data: file.data,
 					})
 				}
 			}
 			for path, files := range dirs {
 				f.On("Dir", mock.Anything, mock.Anything, mock.Anything, mock.Anything, path).Return(files, nil)
 			}
 			// if the previous mocks do not match return not found errors
 			f.On("File", mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return(nil, fmt.Errorf("file not found"))
 			f.On("Dir", mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return(nil, fmt.Errorf("directory not found"))
 			f.On("Netrc", mock.Anything, mock.Anything).Return(&model.Netrc{Machine: "mock", Login: "mock", Password: "mock"}, nil)
 			configFetcher := forge.NewConfigFetcher(
 				f,
 				time.Second*3,
 				configAPI,
 				&model.User{Token: "xxx"},
 				repo,
 				&model.Pipeline{Commit: "89ab7b2d6bfb347144ac7c557e638ab402848fee"},
 			)
 			files, err := configFetcher.Fetch(context.Background())
 			if tt.expectedError && err == nil {
 				t.Fatal("expected an error")
 			} else if !tt.expectedError && err != nil {
--- a/server/services/config/http.go
+++ b/server/services/config/http.go
@ -0,0 +1,88 @@
 // Copyright 2024 Woodpecker Authors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //      http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
 package config
 import (
 	"context"
 	"crypto"
 	"fmt"
 	"go.woodpecker-ci.org/woodpecker/v2/server/forge"
 	"go.woodpecker-ci.org/woodpecker/v2/server/forge/types"
 	"go.woodpecker-ci.org/woodpecker/v2/server/model"
 	"go.woodpecker-ci.org/woodpecker/v2/server/services/utils"
 )
 type http struct {
 	endpoint   string
 	privateKey crypto.PrivateKey
 }
 // configData same as forge.FileMeta but with json tags and string data
 type configData struct {
 	Name string `json:"name"`
 	Data string `json:"data"`
 }
 type requestStructure struct {
 	Repo          *model.Repo     `json:"repo"`
 	Pipeline      *model.Pipeline `json:"pipeline"`
 	Netrc         *model.Netrc    `json:"netrc"`
 	Configuration []*configData   `json:"configs"` // TODO: deprecate in favor of netrc and remove in next major release
 }
 type responseStructure struct {
 	Configs []*configData `json:"configs"`
 }
 func NewHTTP(endpoint string, privateKey crypto.PrivateKey) Service {
 	return &http{endpoint, privateKey}
 }
 func (h *http) Fetch(ctx context.Context, forge forge.Forge, user *model.User, repo *model.Repo, pipeline *model.Pipeline, oldConfigData []*types.FileMeta, _ bool) ([]*types.FileMeta, error) {
 	currentConfigs := make([]*configData, len(oldConfigData))
 	for i, pipe := range oldConfigData {
 		currentConfigs[i] = &configData{Name: pipe.Name, Data: string(pipe.Data)}
 	}
 	netrc, err := forge.Netrc(user, repo)
 	if err != nil {
 		return nil, fmt.Errorf("could not get Netrc data from forge: %w", err)
 	}
 	response := new(responseStructure)
 	body := requestStructure{
 		Repo:          repo,
 		Pipeline:      pipeline,
 		Configuration: currentConfigs,
 		Netrc:         netrc,
 	}
 	status, err := utils.Send(ctx, "POST", h.endpoint, h.privateKey, body, response)
 	if err != nil && status != 204 {
 		return nil, fmt.Errorf("failed to fetch config via http (%d) %w", status, err)
 	}
 	if status != 200 {
 		return oldConfigData, nil
 	}
 	fileMetas := make([]*types.FileMeta, len(response.Configs))
 	for i, config := range response.Configs {
 		fileMetas[i] = &types.FileMeta{Name: config.Name, Data: []byte(config.Data)}
 	}
 	return fileMetas, nil
 }
--- a/server/plugins/config/extension.go
+++ b/server/plugins/config/extension.go
@ -1,4 +1,4 @@
-// Copyright 2022 Woodpecker Authors
+// Copyright 2024 Woodpecker Authors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@ -17,10 +17,11 @@ package config
 import (
 	"context"
-	forge_types "go.woodpecker-ci.org/woodpecker/v2/server/forge/types"
+	"go.woodpecker-ci.org/woodpecker/v2/server/forge"
 	"go.woodpecker-ci.org/woodpecker/v2/server/forge/types"
 	"go.woodpecker-ci.org/woodpecker/v2/server/model"
 )
-type Extension interface {
+type Service interface {
-	FetchConfig(ctx context.Context, repo *model.Repo, pipeline *model.Pipeline, currentFileMeta []*forge_types.FileMeta, netrc *model.Netrc) (configData []*forge_types.FileMeta, useOld bool, err error)
+	Fetch(ctx context.Context, forge forge.Forge, user *model.User, repo *model.Repo, pipeline *model.Pipeline, oldConfigData []*types.FileMeta, restart bool) (configData []*types.FileMeta, err error)
 }
--- a/server/services/encryption/aes.go
+++ b/server/services/encryption/aes.go
@ -21,7 +21,7 @@ import (
 	"github.com/google/tink/go/subtle/random"
-	"go.woodpecker-ci.org/woodpecker/v2/server/model"
+	"go.woodpecker-ci.org/woodpecker/v2/server/services/encryption/types"
 	"go.woodpecker-ci.org/woodpecker/v2/server/store"
 )
@ -29,7 +29,7 @@ type aesEncryptionService struct {
 	cipher  cipher.AEAD
 	keyID   string
 	store   store.Store
-	clients []model.EncryptionClient
+	clients []types.EncryptionClient
 }
 func (svc *aesEncryptionService) Encrypt(plaintext, associatedData string) (string, error) {
--- a/server/services/encryption/aes_builder.go
+++ b/server/services/encryption/aes_builder.go
@ -20,27 +20,27 @@ import (
 	"github.com/urfave/cli/v2"
-	"go.woodpecker-ci.org/woodpecker/v2/server/model"
+	"go.woodpecker-ci.org/woodpecker/v2/server/services/encryption/types"
 	"go.woodpecker-ci.org/woodpecker/v2/server/store"
 )
 type aesConfiguration struct {
 	password string
 	store    store.Store
-	clients  []model.EncryptionClient
+	clients  []types.EncryptionClient
 }
-func newAES(ctx *cli.Context, s store.Store) model.EncryptionServiceBuilder {
+func newAES(ctx *cli.Context, s store.Store) types.EncryptionServiceBuilder {
 	key := ctx.String(rawKeyConfigFlag)
 	return &aesConfiguration{key, s, nil}
 }
-func (c aesConfiguration) WithClients(clients []model.EncryptionClient) model.EncryptionServiceBuilder {
+func (c aesConfiguration) WithClients(clients []types.EncryptionClient) types.EncryptionServiceBuilder {
 	c.clients = clients
 	return c
 }
-func (c aesConfiguration) Build() (model.EncryptionService, error) {
+func (c aesConfiguration) Build() (types.EncryptionService, error) {
 	svc := &aesEncryptionService{
 		cipher:  nil,
 		store:   c.store,
--- a/server/services/encryption/aes_encryption.go
+++ b/server/services/encryption/aes_encryption.go
--- a/server/services/encryption/aes_state.go
+++ b/server/services/encryption/aes_state.go
--- a/server/services/encryption/aes_test.go
+++ b/server/services/encryption/aes_test.go
--- a/server/services/encryption/constants.go
+++ b/server/services/encryption/constants.go
@ -64,9 +64,9 @@ const (
 	logMessageEncryptionDisabled      = "encryption disabled"
 	logMessageEncryptionKeyRegistered = "registered new encryption key"
 	logMessageClientsInitialized      = "initialized encryption on registered clients"
-	logMessageClientsEnabled          = "enabled encryption on registered services"
+	logMessageClientsEnabled          = "enabled encryption on registered service"
-	logMessageClientsRotated          = "updated encryption key on registered services"
+	logMessageClientsRotated          = "updated encryption key on registered service"
-	logMessageClientsDecrypted        = "disabled encryption on registered services"
+	logMessageClientsDecrypted        = "disabled encryption on registered service"
 )
 // tink
--- a/server/services/encryption/encryption.go
+++ b/server/services/encryption/encryption.go
@ -19,21 +19,21 @@ import (
 	"github.com/urfave/cli/v2"
-	"go.woodpecker-ci.org/woodpecker/v2/server/model"
+	"go.woodpecker-ci.org/woodpecker/v2/server/services/encryption/types"
 	"go.woodpecker-ci.org/woodpecker/v2/server/store"
 )
 type builder struct {
 	store   store.Store
 	ctx     *cli.Context
-	clients []model.EncryptionClient
+	clients []types.EncryptionClient
 }
-func Encryption(ctx *cli.Context, s store.Store) model.EncryptionBuilder {
+func Encryption(ctx *cli.Context, s store.Store) types.EncryptionBuilder {
 	return &builder{store: s, ctx: ctx}
 }
-func (b builder) WithClient(client model.EncryptionClient) model.EncryptionBuilder {
+func (b builder) WithClient(client types.EncryptionClient) types.EncryptionBuilder {
 	b.clients = append(b.clients, client)
 	return b
 }
--- a/server/services/encryption/encryption_builder.go
+++ b/server/services/encryption/encryption_builder.go
@ -18,11 +18,11 @@ import (
 	"errors"
 	"fmt"
-	"go.woodpecker-ci.org/woodpecker/v2/server/model"
+	"go.woodpecker-ci.org/woodpecker/v2/server/services/encryption/types"
-	"go.woodpecker-ci.org/woodpecker/v2/server/store/types"
+	storeTypes "go.woodpecker-ci.org/woodpecker/v2/server/store/types"
 )
-func (b builder) getService(keyType string) (model.EncryptionService, error) {
+func (b builder) getService(keyType string) (types.EncryptionService, error) {
 	if keyType == keyTypeNone {
 		return nil, errors.New(errMessageNoKeysProvided)
 	}
@ -41,7 +41,7 @@ func (b builder) getService(keyType string) (model.EncryptionService, error) {
 func (b builder) isEnabled() (bool, error) {
 	_, err := b.store.ServerConfigGet(ciphertextSampleConfigKey)
-	if err != nil && !errors.Is(err, types.RecordNotExist) {
+	if err != nil && !errors.Is(err, storeTypes.RecordNotExist) {
 		return false, fmt.Errorf(errTemplateFailedLoadingServerConfig, err)
 	}
 	return err == nil, nil
@ -61,7 +61,7 @@ func (b builder) detectKeyType() (string, error) {
 	return keyTypeNone, nil
 }
-func (b builder) serviceBuilder(keyType string) (model.EncryptionServiceBuilder, error) {
+func (b builder) serviceBuilder(keyType string) (types.EncryptionServiceBuilder, error) {
 	switch {
 	case keyType == keyTypeTink:
 		return newTink(b.ctx, b.store), nil
--- a/server/services/encryption/no_encryption.go
+++ b/server/services/encryption/no_encryption.go
@ -14,18 +14,18 @@
 package encryption
-import "go.woodpecker-ci.org/woodpecker/v2/server/model"
+import "go.woodpecker-ci.org/woodpecker/v2/server/services/encryption/types"
 type noEncryptionBuilder struct {
-	clients []model.EncryptionClient
+	clients []types.EncryptionClient
 }
-func (b noEncryptionBuilder) WithClients(clients []model.EncryptionClient) model.EncryptionServiceBuilder {
+func (b noEncryptionBuilder) WithClients(clients []types.EncryptionClient) types.EncryptionServiceBuilder {
 	b.clients = clients
 	return b
 }
-func (b noEncryptionBuilder) Build() (model.EncryptionService, error) {
+func (b noEncryptionBuilder) Build() (types.EncryptionService, error) {
 	svc := &noEncryption{}
 	for _, client := range b.clients {
 		err := client.SetEncryptionService(svc)
--- a/server/services/encryption/tink.go
+++ b/server/services/encryption/tink.go
@ -21,7 +21,7 @@ import (
 	"github.com/fsnotify/fsnotify"
 	"github.com/google/tink/go/tink"
-	"go.woodpecker-ci.org/woodpecker/v2/server/model"
+	"go.woodpecker-ci.org/woodpecker/v2/server/services/encryption/types"
 	"go.woodpecker-ci.org/woodpecker/v2/server/store"
 )
@ -31,7 +31,7 @@ type tinkEncryptionService struct {
 	encryption        tink.AEAD
 	store             store.Store
 	keysetFileWatcher *fsnotify.Watcher
-	clients           []model.EncryptionClient
+	clients           []types.EncryptionClient
 }
 func (svc *tinkEncryptionService) Encrypt(plaintext, associatedData string) (string, error) {
--- a/server/services/encryption/tink_builder.go
+++ b/server/services/encryption/tink_builder.go
@ -20,27 +20,27 @@ import (
 	"github.com/urfave/cli/v2"
-	"go.woodpecker-ci.org/woodpecker/v2/server/model"
+	"go.woodpecker-ci.org/woodpecker/v2/server/services/encryption/types"
 	"go.woodpecker-ci.org/woodpecker/v2/server/store"
 )
 type tinkConfiguration struct {
 	keysetFilePath string
 	store          store.Store
-	clients        []model.EncryptionClient
+	clients        []types.EncryptionClient
 }
-func newTink(ctx *cli.Context, s store.Store) model.EncryptionServiceBuilder {
+func newTink(ctx *cli.Context, s store.Store) types.EncryptionServiceBuilder {
 	filepath := ctx.String(tinkKeysetFilepathConfigFlag)
 	return &tinkConfiguration{filepath, s, nil}
 }
-func (c tinkConfiguration) WithClients(clients []model.EncryptionClient) model.EncryptionServiceBuilder {
+func (c tinkConfiguration) WithClients(clients []types.EncryptionClient) types.EncryptionServiceBuilder {
 	c.clients = clients
 	return c
 }
-func (c tinkConfiguration) Build() (model.EncryptionService, error) {
+func (c tinkConfiguration) Build() (types.EncryptionService, error) {
 	svc := &tinkEncryptionService{
 		keysetFilePath:    c.keysetFilePath,
 		primaryKeyID:      "",
--- a/server/services/encryption/tink_keyset.go
+++ b/server/services/encryption/tink_keyset.go
--- a/server/services/encryption/tink_keyset_watcher.go
+++ b/server/services/encryption/tink_keyset_watcher.go
--- a/server/services/encryption/tink_state.go
+++ b/server/services/encryption/tink_state.go
--- a/server/services/encryption/types/encryption.go
+++ b/server/services/encryption/types/encryption.go
@ -12,7 +12,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
-package model
+package types
 // EncryptionBuilder is user API to obtain correctly configured encryption
 type EncryptionBuilder interface {
--- a/server/services/encryption/wrapper/store/constants.go
+++ b/server/services/encryption/wrapper/store/constants.go
--- a/server/services/encryption/wrapper/store/secret_store.go
+++ b/server/services/encryption/wrapper/store/secret_store.go
--- a/server/services/encryption/wrapper/store/secret_store_wrapper.go
+++ b/server/services/encryption/wrapper/store/secret_store_wrapper.go
@ -22,11 +22,12 @@ import (
 	"github.com/rs/zerolog/log"
 	"go.woodpecker-ci.org/woodpecker/v2/server/model"
 	"go.woodpecker-ci.org/woodpecker/v2/server/services/encryption/types"
 )
 type EncryptedSecretStore struct {
 	store      model.SecretStore
-	encryption model.EncryptionService
+	encryption types.EncryptionService
 }
 // ensure wrapper match interface
@ -37,7 +38,7 @@ func NewSecretStore(secretStore model.SecretStore) *EncryptedSecretStore {
 	return &wrapper
 }
-func (wrapper *EncryptedSecretStore) SetEncryptionService(service model.EncryptionService) error {
+func (wrapper *EncryptedSecretStore) SetEncryptionService(service types.EncryptionService) error {
 	if wrapper.encryption != nil {
 		return errors.New(errMessageInitSeveralTimes)
 	}
@ -63,7 +64,7 @@ func (wrapper *EncryptedSecretStore) EnableEncryption() error {
 	return nil
 }
-func (wrapper *EncryptedSecretStore) MigrateEncryption(newEncryptionService model.EncryptionService) error {
+func (wrapper *EncryptedSecretStore) MigrateEncryption(newEncryptionService types.EncryptionService) error {
 	log.Warn().Msg(logMessageMigratingSecretsEncryption)
 	secrets, err := wrapper.store.SecretListAll()
 	if err != nil {
--- a/server/services/environment/extension.go
+++ b/server/services/environment/extension.go
@ -0,0 +1,22 @@
 // Copyright 2024 Woodpecker Authors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //      http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
 package environment
 import "go.woodpecker-ci.org/woodpecker/v2/server/model"
 // Service defines a service for managing environment variables.
 type Service interface {
 	EnvironList(*model.Repo) ([]*model.Environ, error)
 }
--- a/server/services/environment/parse.go
+++ b/server/services/environment/parse.go
@ -12,7 +12,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
-package environments
+package environment
 import (
 	"strings"
@ -26,8 +26,8 @@ type builtin struct {
 	globals []*model.Environ
 }
-// Parse returns a model.EnvironService based on a string slice where key and value are separated by a ":" delimiter.
+// Parse returns a Service based on a string slice where key and value are separated by a ":" delimiter.
-func Parse(params []string) model.EnvironService {
+func Parse(params []string) Service {
 	var globals []*model.Environ
 	for _, item := range params {
--- a/server/services/environment/parse_test.go
+++ b/server/services/environment/parse_test.go
@ -1,4 +1,18 @@
-package environments
+// Copyright 2024 Woodpecker Authors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //      http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
 package environment
 import (
 	"testing"
--- a/server/services/manager.go
+++ b/server/services/manager.go
@ -0,0 +1,82 @@
 // Copyright 2024 Woodpecker Authors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //	http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
 package services
 import (
 	"crypto"
 	"github.com/urfave/cli/v2"
 	"go.woodpecker-ci.org/woodpecker/v2/server/model"
 	"go.woodpecker-ci.org/woodpecker/v2/server/services/config"
 	"go.woodpecker-ci.org/woodpecker/v2/server/services/environment"
 	"go.woodpecker-ci.org/woodpecker/v2/server/services/registry"
 	"go.woodpecker-ci.org/woodpecker/v2/server/services/secret"
 	"go.woodpecker-ci.org/woodpecker/v2/server/store"
 )
 type Manager struct {
 	secret              secret.Service
 	registry            registry.Service
 	config              config.Service
 	environment         environment.Service
 	signaturePrivateKey crypto.PrivateKey
 	signaturePublicKey  crypto.PublicKey
 }
 func NewManager(c *cli.Context, store store.Store) (*Manager, error) {
 	signaturePrivateKey, signaturePublicKey, err := setupSignatureKeys(store)
 	if err != nil {
 		return nil, err
 	}
 	return &Manager{
 		signaturePrivateKey: signaturePrivateKey,
 		signaturePublicKey:  signaturePublicKey,
 		secret:              setupSecretService(store),
 		registry:            setupRegistryService(store, c.String("docker-config")),
 		config:              setupConfigService(c, signaturePrivateKey),
 		environment:         environment.Parse(c.StringSlice("environment")),
 	}, nil
 }
 func (e *Manager) SignaturePublicKey() crypto.PublicKey {
 	return e.signaturePublicKey
 }
 func (e *Manager) SecretServiceFromRepo(_ *model.Repo) secret.Service {
 	return e.SecretService()
 }
 func (e *Manager) SecretService() secret.Service {
 	return e.secret
 }
 func (e *Manager) RegistryServiceFromRepo(_ *model.Repo) registry.Service {
 	return e.RegistryService()
 }
 func (e *Manager) RegistryService() registry.Service {
 	return e.registry
 }
 func (e *Manager) ConfigServiceFromRepo(_ *model.Repo) config.Service {
 	// TODO: decied based on repo property which config service to use
 	return e.config
 }
 func (e *Manager) EnvironmentService() environment.Service {
 	return e.environment
 }
--- a/server/services/permissions/admins.go
+++ b/server/services/permissions/admins.go
--- a/server/services/permissions/admins_test.go
+++ b/server/services/permissions/admins_test.go
--- a/server/services/permissions/orgs.go
+++ b/server/services/permissions/orgs.go
--- a/server/services/permissions/orgs_test.go
+++ b/server/services/permissions/orgs_test.go
--- a/server/services/permissions/repo_owners.go
+++ b/server/services/permissions/repo_owners.go
--- a/server/services/permissions/repo_owners_test.go
+++ b/server/services/permissions/repo_owners_test.go
--- a/server/services/registry/combined.go
+++ b/server/services/registry/combined.go
@ -19,11 +19,11 @@ import (
 )
 type combined struct {
-	registries []model.ReadOnlyRegistryService
+	registries []ReadOnlyService
-	dbRegistry model.RegistryService
+	dbRegistry Service
 }
-func Combined(dbRegistry model.RegistryService, registries ...model.ReadOnlyRegistryService) model.RegistryService {
+func NewCombined(dbRegistry Service, registries ...ReadOnlyService) Service {
 	registries = append(registries, dbRegistry)
 	return &combined{
 		registries: registries,
@ -31,7 +31,7 @@ func Combined(dbRegistry model.RegistryService, registries ...model.ReadOnlyRegi
 	}
 }
-func (c combined) RegistryFind(repo *model.Repo, name string) (*model.Registry, error) {
+func (c *combined) RegistryFind(repo *model.Repo, name string) (*model.Registry, error) {
 	for _, registry := range c.registries {
 		res, err := registry.RegistryFind(repo, name)
 		if err != nil {
@ -44,7 +44,7 @@ func (c combined) RegistryFind(repo *model.Repo, name string) (*model.Registry,
 	return nil, nil
 }
-func (c combined) RegistryList(repo *model.Repo, p *model.ListOptions) ([]*model.Registry, error) {
+func (c *combined) RegistryList(repo *model.Repo, p *model.ListOptions) ([]*model.Registry, error) {
 	var registries []*model.Registry
 	for _, registry := range c.registries {
 		list, err := registry.RegistryList(repo, &model.ListOptions{All: true})
@ -56,14 +56,14 @@ func (c combined) RegistryList(repo *model.Repo, p *model.ListOptions) ([]*model
 	return model.ApplyPagination(p, registries), nil
 }
-func (c combined) RegistryCreate(repo *model.Repo, registry *model.Registry) error {
+func (c *combined) RegistryCreate(repo *model.Repo, registry *model.Registry) error {
 	return c.dbRegistry.RegistryCreate(repo, registry)
 }
-func (c combined) RegistryUpdate(repo *model.Repo, registry *model.Registry) error {
+func (c *combined) RegistryUpdate(repo *model.Repo, registry *model.Registry) error {
 	return c.dbRegistry.RegistryUpdate(repo, registry)
 }
-func (c combined) RegistryDelete(repo *model.Repo, name string) error {
+func (c *combined) RegistryDelete(repo *model.Repo, name string) error {
 	return c.dbRegistry.RegistryDelete(repo, name)
 }
--- a/server/services/registry/db.go
+++ b/server/services/registry/db.go
@ -23,26 +23,26 @@ type db struct {
 }
 // New returns a new local registry service.
-func New(store model.RegistryStore) model.RegistryService {
+func NewDB(store model.RegistryStore) Service {
 	return &db{store}
 }
-func (b *db) RegistryFind(repo *model.Repo, name string) (*model.Registry, error) {
+func (d *db) RegistryFind(repo *model.Repo, name string) (*model.Registry, error) {
-	return b.store.RegistryFind(repo, name)
+	return d.store.RegistryFind(repo, name)
 }
-func (b *db) RegistryList(repo *model.Repo, p *model.ListOptions) ([]*model.Registry, error) {
+func (d *db) RegistryList(repo *model.Repo, p *model.ListOptions) ([]*model.Registry, error) {
-	return b.store.RegistryList(repo, p)
+	return d.store.RegistryList(repo, p)
 }
-func (b *db) RegistryCreate(_ *model.Repo, in *model.Registry) error {
+func (d *db) RegistryCreate(_ *model.Repo, in *model.Registry) error {
-	return b.store.RegistryCreate(in)
+	return d.store.RegistryCreate(in)
 }
-func (b *db) RegistryUpdate(_ *model.Repo, in *model.Registry) error {
+func (d *db) RegistryUpdate(_ *model.Repo, in *model.Registry) error {
-	return b.store.RegistryUpdate(in)
+	return d.store.RegistryUpdate(in)
 }
-func (b *db) RegistryDelete(repo *model.Repo, addr string) error {
+func (d *db) RegistryDelete(repo *model.Repo, addr string) error {
-	return b.store.RegistryDelete(repo, addr)
+	return d.store.RegistryDelete(repo, addr)
 }
--- a/server/services/registry/filesystem.go
+++ b/server/services/registry/filesystem.go
@ -31,7 +31,7 @@ type filesystem struct {
 	path string
 }
-func Filesystem(path string) model.ReadOnlyRegistryService {
+func NewFilesystem(path string) ReadOnlyService {
 	return &filesystem{path}
 }
@ -85,12 +85,12 @@ func parseDockerConfig(path string) ([]*model.Registry, error) {
 	return auths, nil
 }
-func (b *filesystem) RegistryFind(*model.Repo, string) (*model.Registry, error) {
+func (f *filesystem) RegistryFind(*model.Repo, string) (*model.Registry, error) {
 	return nil, nil
 }
-func (b *filesystem) RegistryList(_ *model.Repo, p *model.ListOptions) ([]*model.Registry, error) {
+func (f *filesystem) RegistryList(_ *model.Repo, p *model.ListOptions) ([]*model.Registry, error) {
-	regs, err := parseDockerConfig(b.path)
+	regs, err := parseDockerConfig(f.path)
 	if err != nil {
 		return nil, err
 	}
--- a/server/services/registry/service.go
+++ b/server/services/registry/service.go
@ -0,0 +1,32 @@
 // Copyright 2024 Woodpecker Authors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //      http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
 package registry
 import "go.woodpecker-ci.org/woodpecker/v2/server/model"
 // Service defines a service for managing registries.
 type Service interface {
 	RegistryFind(*model.Repo, string) (*model.Registry, error)
 	RegistryList(*model.Repo, *model.ListOptions) ([]*model.Registry, error)
 	RegistryCreate(*model.Repo, *model.Registry) error
 	RegistryUpdate(*model.Repo, *model.Registry) error
 	RegistryDelete(*model.Repo, string) error
 }
 // ReadOnlyService defines a service for managing registries.
 type ReadOnlyService interface {
 	RegistryFind(*model.Repo, string) (*model.Registry, error)
 	RegistryList(*model.Repo, *model.ListOptions) ([]*model.Registry, error)
 }
--- a/server/services/secret/db.go
+++ b/server/services/secret/db.go
@ -0,0 +1,133 @@
 // Copyright 2022 Woodpecker Authors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //      http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
 package secret
 import (
 	"go.woodpecker-ci.org/woodpecker/v2/server/model"
 )
 type db struct {
 	store model.SecretStore
 }
 // NewDB returns a new local secret service.
 func NewDB(store model.SecretStore) Service {
 	return &db{store: store}
 }
 func (d *db) SecretFind(repo *model.Repo, name string) (*model.Secret, error) {
 	return d.store.SecretFind(repo, name)
 }
 func (d *db) SecretList(repo *model.Repo, p *model.ListOptions) ([]*model.Secret, error) {
 	return d.store.SecretList(repo, false, p)
 }
 func (d *db) SecretListPipeline(repo *model.Repo, _ *model.Pipeline, p *model.ListOptions) ([]*model.Secret, error) {
 	s, err := d.store.SecretList(repo, true, p)
 	if err != nil {
 		return nil, err
 	}
 	// Return only secrets with unique name
 	// Priority order in case of duplicate names are repository, user/organization, global
 	secrets := make([]*model.Secret, 0, len(s))
 	uniq := make(map[string]struct{})
 	for _, condition := range []struct {
 		IsRepository   bool
 		IsOrganization bool
 		IsGlobal       bool
 	}{
 		{IsRepository: true},
 		{IsOrganization: true},
 		{IsGlobal: true},
 	} {
 		for _, secret := range s {
 			if secret.IsRepository() != condition.IsRepository || secret.IsOrganization() != condition.IsOrganization || secret.IsGlobal() != condition.IsGlobal {
 				continue
 			}
 			if _, ok := uniq[secret.Name]; ok {
 				continue
 			}
 			uniq[secret.Name] = struct{}{}
 			secrets = append(secrets, secret)
 		}
 	}
 	return secrets, nil
 }
 func (d *db) SecretCreate(_ *model.Repo, in *model.Secret) error {
 	return d.store.SecretCreate(in)
 }
 func (d *db) SecretUpdate(_ *model.Repo, in *model.Secret) error {
 	return d.store.SecretUpdate(in)
 }
 func (d *db) SecretDelete(repo *model.Repo, name string) error {
 	secret, err := d.store.SecretFind(repo, name)
 	if err != nil {
 		return err
 	}
 	return d.store.SecretDelete(secret)
 }
 func (d *db) OrgSecretFind(owner int64, name string) (*model.Secret, error) {
 	return d.store.OrgSecretFind(owner, name)
 }
 func (d *db) OrgSecretList(owner int64, p *model.ListOptions) ([]*model.Secret, error) {
 	return d.store.OrgSecretList(owner, p)
 }
 func (d *db) OrgSecretCreate(_ int64, in *model.Secret) error {
 	return d.store.SecretCreate(in)
 }
 func (d *db) OrgSecretUpdate(_ int64, in *model.Secret) error {
 	return d.store.SecretUpdate(in)
 }
 func (d *db) OrgSecretDelete(owner int64, name string) error {
 	secret, err := d.store.OrgSecretFind(owner, name)
 	if err != nil {
 		return err
 	}
 	return d.store.SecretDelete(secret)
 }
 func (d *db) GlobalSecretFind(owner string) (*model.Secret, error) {
 	return d.store.GlobalSecretFind(owner)
 }
 func (d *db) GlobalSecretList(p *model.ListOptions) ([]*model.Secret, error) {
 	return d.store.GlobalSecretList(p)
 }
 func (d *db) GlobalSecretCreate(in *model.Secret) error {
 	return d.store.SecretCreate(in)
 }
 func (d *db) GlobalSecretUpdate(in *model.Secret) error {
 	return d.store.SecretUpdate(in)
 }
 func (d *db) GlobalSecretDelete(name string) error {
 	secret, err := d.store.GlobalSecretFind(name)
 	if err != nil {
 		return err
 	}
 	return d.store.SecretDelete(secret)
 }
--- a/server/plugins/secrets/builtin_test.go
+++ b/server/plugins/secrets/builtin_test.go
@ -12,23 +12,21 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
-package secrets_test
+package secret_test
 import (
 	"context"
 	"testing"
 	"github.com/franela/goblin"
 	"github.com/stretchr/testify/mock"
 	"go.woodpecker-ci.org/woodpecker/v2/server/model"
-	"go.woodpecker-ci.org/woodpecker/v2/server/plugins/secrets"
+	"go.woodpecker-ci.org/woodpecker/v2/server/services/secret"
 	mocks_store "go.woodpecker-ci.org/woodpecker/v2/server/store/mocks"
 )
 func TestSecretListPipeline(t *testing.T) {
 	g := goblin.Goblin(t)
 	ctx := context.Background()
 	mockStore := mocks_store.NewStore(t)
 	// global secret
@ -66,7 +64,7 @@ func TestSecretListPipeline(t *testing.T) {
 				repoSecret,
 			}, nil)
-			s, err := secrets.New(ctx, mockStore).SecretListPipeline(&model.Repo{}, &model.Pipeline{}, &model.ListOptions{})
+			s, err := secret.NewDB(mockStore).SecretListPipeline(&model.Repo{}, &model.Pipeline{}, &model.ListOptions{})
 			g.Assert(err).IsNil()
 			g.Assert(len(s)).Equal(1)
@ -79,7 +77,7 @@ func TestSecretListPipeline(t *testing.T) {
 				orgSecret,
 			}, nil)
-			s, err := secrets.New(ctx, mockStore).SecretListPipeline(&model.Repo{}, &model.Pipeline{}, &model.ListOptions{})
+			s, err := secret.NewDB(mockStore).SecretListPipeline(&model.Repo{}, &model.Pipeline{}, &model.ListOptions{})
 			g.Assert(err).IsNil()
 			g.Assert(len(s)).Equal(1)
@ -91,7 +89,7 @@ func TestSecretListPipeline(t *testing.T) {
 				globalSecret,
 			}, nil)
-			s, err := secrets.New(ctx, mockStore).SecretListPipeline(&model.Repo{}, &model.Pipeline{}, &model.ListOptions{})
+			s, err := secret.NewDB(mockStore).SecretListPipeline(&model.Repo{}, &model.Pipeline{}, &model.ListOptions{})
 			g.Assert(err).IsNil()
 			g.Assert(len(s)).Equal(1)
--- a/server/services/secret/service.go
+++ b/server/services/secret/service.go
@ -0,0 +1,40 @@
 // Copyright 2024 Woodpecker Authors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //      http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
 package secret
 import "go.woodpecker-ci.org/woodpecker/v2/server/model"
 // Service defines a service for managing secrets.
 type Service interface {
 	SecretListPipeline(*model.Repo, *model.Pipeline, *model.ListOptions) ([]*model.Secret, error)
 	// Repository secrets
 	SecretFind(*model.Repo, string) (*model.Secret, error)
 	SecretList(*model.Repo, *model.ListOptions) ([]*model.Secret, error)
 	SecretCreate(*model.Repo, *model.Secret) error
 	SecretUpdate(*model.Repo, *model.Secret) error
 	SecretDelete(*model.Repo, string) error
 	// Organization secrets
 	OrgSecretFind(int64, string) (*model.Secret, error)
 	OrgSecretList(int64, *model.ListOptions) ([]*model.Secret, error)
 	OrgSecretCreate(int64, *model.Secret) error
 	OrgSecretUpdate(int64, *model.Secret) error
 	OrgSecretDelete(int64, string) error
 	// Global secrets
 	GlobalSecretFind(string) (*model.Secret, error)
 	GlobalSecretList(*model.ListOptions) ([]*model.Secret, error)
 	GlobalSecretCreate(*model.Secret) error
 	GlobalSecretUpdate(*model.Secret) error
 	GlobalSecretDelete(string) error
 }
--- a/server/services/setup.go
+++ b/server/services/setup.go
@ -0,0 +1,95 @@
 // Copyright 2024 Woodpecker Authors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //      http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
 package services
 import (
 	"crypto"
 	"crypto/ed25519"
 	"crypto/rand"
 	"encoding/hex"
 	"errors"
 	"fmt"
 	"github.com/rs/zerolog/log"
 	"github.com/urfave/cli/v2"
 	"go.woodpecker-ci.org/woodpecker/v2/server/services/config"
 	"go.woodpecker-ci.org/woodpecker/v2/server/services/registry"
 	"go.woodpecker-ci.org/woodpecker/v2/server/services/secret"
 	"go.woodpecker-ci.org/woodpecker/v2/server/store"
 	"go.woodpecker-ci.org/woodpecker/v2/server/store/types"
 )
 func setupRegistryService(store store.Store, dockerConfig string) registry.Service {
 	if dockerConfig != "" {
 		return registry.NewCombined(
 			registry.NewDB(store),
 			registry.NewFilesystem(dockerConfig),
 		)
 	}
 	return registry.NewDB(store)
 }
 func setupSecretService(store store.Store) secret.Service {
 	// TODO(1544): fix encrypted store
 	// // encryption
 	// encryptedSecretStore := encryptedStore.NewSecretStore(v)
 	// err := encryption.Encryption(c, v).WithClient(encryptedSecretStore).Build()
 	// if err != nil {
 	// 	log.Fatal().Err(err).Msg("could not create encryption service")
 	// }
 	return secret.NewDB(store)
 }
 func setupConfigService(c *cli.Context, privateSignatureKey crypto.PrivateKey) config.Service {
 	timeout := c.Duration("forge-timeout")
 	configFetcher := config.NewForge(timeout)
 	if endpoint := c.String("config-extension-endpoint"); endpoint != "" {
 		httpFetcher := config.NewHTTP(endpoint, privateSignatureKey)
 		return config.NewCombined(configFetcher, httpFetcher)
 	}
 	return configFetcher
 }
 // setupSignatureKeys generate or load key pair to sign webhooks requests (i.e. used for service extensions)
 func setupSignatureKeys(_store store.Store) (crypto.PrivateKey, crypto.PublicKey, error) {
 	privKeyID := "signature-private-key"
 	privKey, err := _store.ServerConfigGet(privKeyID)
 	if errors.Is(err, types.RecordNotExist) {
 		_, privKey, err := ed25519.GenerateKey(rand.Reader)
 		if err != nil {
 			return nil, nil, fmt.Errorf("failed to generate private key: %w", err)
 		}
 		err = _store.ServerConfigSet(privKeyID, hex.EncodeToString(privKey))
 		if err != nil {
 			return nil, nil, fmt.Errorf("failed to store private key: %w", err)
 		}
 		log.Debug().Msg("created private key")
 		return privKey, privKey.Public(), nil
 	} else if err != nil {
 		return nil, nil, fmt.Errorf("failed to load private key: %w", err)
 	}
 	privKeyStr, err := hex.DecodeString(privKey)
 	if err != nil {
 		return nil, nil, fmt.Errorf("failed to decode private key: %w", err)
 	}
 	privateKey := ed25519.PrivateKey(privKeyStr)
 	return privateKey, privateKey.Public(), nil
 }
--- a/server/services/utils/http.go
+++ b/server/services/utils/http.go
--- a/server/services/utils/http_test.go
+++ b/server/services/utils/http_test.go
@ -25,7 +25,7 @@ import (
 	"github.com/go-ap/httpsig"
 	"github.com/stretchr/testify/assert"
-	"go.woodpecker-ci.org/woodpecker/v2/server/plugins/utils"
+	"go.woodpecker-ci.org/woodpecker/v2/server/services/utils"
 )
 func TestSign(t *testing.T) {
--- a/shared/addon/types/types.go
+++ b/shared/addon/types/types.go
@ -3,9 +3,5 @@ package types
 type Type string
 const (
-	TypeForge              Type = "forge"
+	TypeForge Type = "forge"
 	TypeConfigService      Type = "config_service"
 	TypeSecretService      Type = "secret_service"
 	TypeEnvironmentService Type = "environment_service"
 	TypeRegistryService    Type = "registry_service"
 )