diff --git a/k8s/gitlab/gitlab.cue b/k8s/gitlab/gitlab.cue
index 3c312fb..b3f6ff1 100644
--- a/k8s/gitlab/gitlab.cue
+++ b/k8s/gitlab/gitlab.cue
@@ -3,13 +3,26 @@ package netserv
 import (
 	dcsi "pythoner6.dev/netserv/k8s/democratic-csi:netserv"
 	cnpg "pythoner6.dev/netserv/k8s/cnpg:netserv"
+	rook "pythoner6.dev/netserv/k8s/rook:netserv"
 	clusters "postgresql.cnpg.io/cluster/v1"
+	bucketclaims "objectbucket.io/objectbucketclaim/v1alpha1"
+	//secretstores "external-secrets.io/secretstore/v1beta1"
+	externalsecrets "external-secrets.io/externalsecret/v1beta1"
+	//corev1 "k8s.io/api/core/v1"
+	//rbacv1 "k8s.io/api/rbac/v1"
 )
 appName: "gitlab"
 #Charts: _
-kustomizations: $default: #dependsOn: [dcsi.kustomizations.helm, cnpg.kustomizations.helm]
+#BucketClaim: this=(bucketclaims.#ObjectBucketClaim & {
+	spec: {
+		bucketName: this.metadata.name
+		storageClassName: rook.kustomizations.cluster.manifest.bucketStorageClass.metadata.name
+	}
+})
+
+kustomizations: $default: #dependsOn: [dcsi.kustomizations.helm, cnpg.kustomizations.helm, rook.kustomizations.cluster]
 kustomizations: $default: manifest: {
 	ns: #AppNamespace
 	db: clusters.#Cluster & {
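Review bot: `#BucketClaim` is a new hidden definition with no comment stating its contract; since it fixes `spec.bucketName` to the claim's own `metadata.name` and pins `storageClassName` to the rook cluster's `bucketStorageClass`, a one-line comment such as `// Bucket claim named after itself and bound to the rook object-store class; callers set only metadata.name.` would save the next reader a trip into the rook package. The three commented-out imports (`secretstores`, `corev1`, `rbacv1`) look like leftovers of a dedicated-service-account design that the second hunk also carries as commented-out resources; either finish that wiring or drop the comments so the import block states what is actually used. With `secretstores` disabled, the SecretStore in the second hunk is built from bare `apiVersion`/`kind` strings and gets none of the schema checking that `lfsSecret` gets through `externalsecrets.#ExternalSecret`; `store="bucket-secrets-store": secretstores.#SecretStore & {` would restore it if that import resolves.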
@@ -50,6 +63,80 @@ kustomizations: $default: manifest: {
 			}]
 		}
 	}
+	//storeServiceAccount: corev1.#ServiceAccount & {
+	//	metadata: name: "bucket-secrets-store"
+	//}
+	//storeRole: rbacv1.#Role & {
+	//	metadata: name: "bucket-secrets-store"
+	//}
+	//storeRoleBinding: rbacv1.#RoleBinding & {
+	//	metadata: name: "bucket-secrets-store"
+	//}
+	store="bucket-secrets-store": {
+		apiVersion: "external-secrets.io/v1beta1"
+		kind: "SecretStore"
+		spec: provider: kubernetes: {
+			remoteNamespace: store.metadata.namespace
+			server: caProvider: {
+				type: "ConfigMap"
+				name: "kube-root-ca.crt"
+				key: "ca.crt"
+			}
+			auth: serviceAccount: name: "default"
+		}
+	}
+
+	lfsBucket: #BucketClaim & { metadata: name: "git-lfs" }
+	lfsSecret: externalsecrets.#ExternalSecret & {
+		metadata: name: lfsBucket.metadata.name
+		spec: {
+			secretStoreRef: {
+				name: store.metadata.name
+				kind: store.kind
+			}
+			refreshInterval: "0"
+			target: {
+				name: metadata.name
+				deletionPolicy: "Delete"
+				template: {
+					engineVersion: "v2"
+					data:
+					connection: """
+						provider: AWS
+						path_style: true
+						host: ""
+						endpoint: ""
+						region: ""
+						aws_signature_version: 4
+						aws_access_key_id: {{ .aws_access_key_id | quote }}
+						aws_secret_access_key: {{ .aws_secret_access_key | quote }}
+						"""
+				}
+			}
+			data: [
+				{
+					secretKey: "aws_access_key_id"
+					remoteRef: {
+						key: store.metadata.name
+						property: "AWS_ACCESS_KEY_ID"
+					}
+				},
+				{
+					secretKey: "aws_secret_access_key"
+					remoteRef: {
+						key: store.metadata.name
+						property: "AWS_SECRET_ACCESS_KEY"
+					}
+				},
+			]
+		}
+	}
+
+	artifactsBucket: #BucketClaim & { metadata: name: "gitlab-artifacts" }
+
+	uploadsBucket: #BucketClaim & { metadata: name: "gitlab-uploads" }
+
+	packagesBucket: #BucketClaim & { metadata: name: "gitlab-packages" }
 }
 //kustomizations: helm: #dependsOn: [kustomizations["$default"]]
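Review bot: `auth: serviceAccount: name: "default"` makes the SecretStore read the bucket credentials through the namespace's default service account, so whatever Secret-reading RBAC is granted for this store is also held by every pod in the namespace that runs under that account; the commented-out `bucket-secrets-store` ServiceAccount/Role/RoleBinding stubs just above are the least-privilege form and should be completed and referenced here instead. The `remoteRef.key: store.metadata.name` in both `data` entries points at a Secret named `bucket-secrets-store`, whereas the credential Secret an ObjectBucketClaim produces is, as far as I know, named after the claim, so this presumably wants `key: lfsBucket.metadata.name`. `store.metadata.name` and `store.metadata.namespace` are referenced although this block sets no `metadata`, so it relies on a constraint outside the hunk filling them in and deserves a comment saying where. `refreshInterval: "0"` syncs the credentials exactly once, which is fine only if the bucket keys are never rotated, so state that next to it, e.g. `refreshInterval: "0" // one-shot: OBC keys are static; raise this if they ever rotate`. The enclosing `manifest` struct starts before this hunk.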