numerique-gouv
diff --git a/‎.env.example‎
Lines changed: 8 additions & 0 deletions b/‎.env.example‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎.gitignore‎
Lines changed: 3 additions & 0 deletions b/‎.gitignore‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎ONBOARDING.md‎
Lines changed: 42 additions & 0 deletions b/‎ONBOARDING.md‎
Lines changed: 42 additions & 0 deletions
diff --git a/‎README.md‎
Lines changed: 1 addition & 0 deletions b/‎README.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎config/settings.py‎
Lines changed: 45 additions & 11 deletions b/‎config/settings.py‎
Lines changed: 45 additions & 11 deletions
diff --git a/‎config/settings_test.py‎
Lines changed: 5 additions & 0 deletions b/‎config/settings_test.py‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎config/urls.py‎
Lines changed: 8 additions & 1 deletion b/‎config/urls.py‎
Lines changed: 8 additions & 1 deletion
diff --git a/‎db_storage/__init__.py‎ b/‎db_storage/__init__.py‎
diff --git a/‎db_storage/apps.py‎
Lines changed: 6 additions & 0 deletions b/‎db_storage/apps.py‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎db_storage/management/__init__.py‎ b/‎db_storage/management/__init__.py‎
@@ -15,6 +15,11 @@ USE_DOCKER=0
 USE_UV=0
 # SF_USE_WHITENOISE: Set 1 or True to use Whitenoise
 SF_USE_WHITENOISE=0
+# SF_USE_DB_STORAGE: Set 1 or True to store media files in PostgreSQL
+# instead of the filesystem. Useful for PaaS with ephemeral filesystems.
+# /!\ Not recommended beyond 1 GB of media — prefer S3 for larger volumes.
+# Selection order: S3_HOST wins if set, then SF_USE_DB_STORAGE, then filesystem (default)
+SF_USE_DB_STORAGE=0
 
 DATABASE_NAME=djdb
 DATABASE_USER=dju
@@ -31,6 +36,9 @@ S3_BUCKET_NAME=
 S3_BUCKET_REGION=eu-west-3
 # S3_LOCATION: If the S3 bucket is shared, add a unique folder name
 S3_LOCATION=
+# S3_PUBLIC_HOST: If the S3 bucket has a different public address (for example when using MinIO), specify it
+# This disables the signature on the URLs, so the bucket must allow public read access.
+S3_PUBLIC_HOST=
 
 # (Optional) FORCE_SCRIPT_NAME: used to allow to the site to be served under a sub-path
 FORCE_SCRIPT_NAME=
 
@@ -145,6 +145,9 @@ dmypy.json
 .VSCode
 .vscode/
 
+# AI stuff
+.claude/
+
 # Project-specific stuff
 config.json
 cron.json
 
@@ -113,6 +113,48 @@ psql -c "CREATE USER sitesconformes WITH CREATEDB LOGIN PASSWORD 'votre_mot_de_p
 psql -c "CREATE DATABASE sitesconformes OWNER sitesconformes;" -U postgres
 ```
 
+### Utilisation de MinIO
+
+[MinIO](https://min.io/) permet de simuler un stockage objet compatible S3 en local, utile pour tester la configuration de production sans avoir besoin d'un vrai bucket S3.
+
+#### Lancer MinIO
+
+```sh
+docker run -d \
+  --name minio \
+  -p 9000:9000 \
+  -p 9001:9001 \
+  -v ~/minio-data:/data \
+  -e MINIO_ROOT_USER=admin \
+  -e MINIO_ROOT_PASSWORD=password123 \
+  quay.io/minio/minio server /data --console-address ":9001"
+```
+
+#### Créer le bucket
+
+Accéder à la console MinIO sur <http://localhost:9001> (identifiants : `admin` / `password123`), puis créer un bucket (par exemple `sc-local`).
+
+Pour éviter l'utilisation d'URLs signées (plus simple en local), rendre le bucket public : _Buckets → sc-local → Anonymous → Add Access Rule → Prefix `/`, Access `readonly`_.
+
+#### Variables d'environnement
+
+Ajouter les variables suivantes dans le fichier `.env` :
+
+```sh
+S3_HOST=host.docker.internal:9000
+S3_PUBLIC_HOST=localhost:9000
+S3_PROTOCOL=http
+S3_KEY_ID=admin
+S3_KEY_SECRET=password123
+S3_BUCKET_NAME=sc-local
+S3_BUCKET_REGION=
+S3_LOCATION=medias/
+```
+
+> **Note :** C'est la variable `S3_HOST` qui active le stockage S3 dans l'application. Sans elle, les médias seront stockés sur le système de fichiers local, quelle que soit la configuration MinIO.
+
+Alternativement, il est également possible de passer par un stockage des fichiers directement dans la base PostgreSQL, cf. [documentation](./docs/db-storage.md)
+
 ## Fonctionnement depuis un sous-répertoire
 
 Lorsque la variable `FORCE_SCRIPT_NAME` est configurée, le site tourne dans un sous-répertoire, fonctionnalité qui n’est pas gérée par le serveur de développement de base de Django (`runserver`).
 
@@ -48,6 +48,7 @@ Sites Conformes est développé en utilisant le framework [Django](https://www.d
 - **[django-dsfr](https://github.com/numerique-gouv/django-dsfr)** : Permet d’utiliser facilement le [système de design de l’État](https://www.systeme-de-design.gouv.fr/) dans des templates Django.
 - **events** : Similaire à `blog`, mais permet de gérer des événements et des pages de calendrier, ainsi que les exports iCal correspondants.
 - **forms** : implémentation du [module de création de formulaire](https://docs.wagtail.org/en/stable/reference/contrib/forms/index.html) de Wagtail, par exemple pour les pages de contact. Volontairement assez limité (suffisant pour un formulaire de contact mais pas beaucoup plus), pour les cas complexes il vaut mieux privilégier l’intégration de [Démarches simplifiées](https://www.demarches-simplifiees.fr) ou de [Grist](https://grist.numerique.gouv.fr/).
+- **db_storage** : stockage des médias en base de données PostgreSQL, alternative au S3 pour les PaaS avec filesystem éphémère (cf. [documentation](./docs/db-storage.md))
 - **proconnect** : permet la connexion via [ProConnect](https://www.proconnect.gouv.fr/)
 
 ### Structure du dépôt
 
@@ -58,6 +58,12 @@ def getenv_bool(key: str, default: bool):
 # Allow enabling WhiteNoise via an environment variable (disabled by default)
 SF_USE_WHITENOISE = getenv_bool("SF_USE_WHITENOISE", False)
 
+# Allow storing media files in PostgreSQL instead of the filesystem (disabled by default)
+# Useful for PaaS deployments with ephemeral filesystems (Scalingo, Heroku, etc.)
+# /!\ Not recommended beyond 1 GB of media — prefer S3 for larger volumes.
+# Selection order: S3_HOST wins if set, then SF_USE_DB_STORAGE, then filesystem (default)
+SF_USE_DB_STORAGE = getenv_bool("SF_USE_DB_STORAGE", False)
+
 INTERNAL_IPS = [
     "127.0.0.1",
 ]
@@ -107,6 +113,9 @@ def getenv_bool(key: str, default: bool):
     "wagtail.admin",
 ]
 
+if SF_USE_DB_STORAGE:
+    INSTALLED_APPS.insert(-1, "db_storage")
+
 if SF_USE_WHITENOISE:
     INSTALLED_APPS.insert(0, "whitenoise.runserver_nostatic")
 
@@ -272,22 +281,47 @@ def show_toolbar(request):
 # https://django-storages.readthedocs.io/en/latest/backends/amazon-S3.html
 
 if os.getenv("S3_HOST"):
-    endpoint_url = f"{os.getenv('S3_PROTOCOL', 'https')}://{os.getenv('S3_HOST')}"
+    protocol = os.getenv("S3_PROTOCOL", "https")
+    endpoint_url = f"{protocol}://{os.getenv('S3_HOST')}"
+    bucket_name = os.getenv("S3_BUCKET_NAME", "set-bucket-name")
+    public_host = os.getenv("S3_PUBLIC_HOST", "")
+
+    options = {
+        "bucket_name": bucket_name,
+        "access_key": os.getenv("S3_KEY_ID", "123"),
+        "secret_key": os.getenv("S3_KEY_SECRET", "secret"),
+        "endpoint_url": endpoint_url,
+        "region_name": os.getenv("S3_BUCKET_REGION", "fr"),
+        "file_overwrite": False,
+        "location": os.getenv("S3_LOCATION", ""),
+    }
+
+    if public_host:
+        # Presigned URLs bind the signature to the endpoint hostname, so when the
+        # internal endpoint differs from the public one, signing must be disabled.
+        # The bucket is appended to custom_domain to produce path-style URLs for MinIO.
+        options["custom_domain"] = f"{public_host}/{bucket_name}"
+        options["url_protocol"] = f"{protocol}:"
+        options["querystring_auth"] = False
+        public_endpoint = f"{protocol}://{public_host}"
+    else:
+        public_endpoint = endpoint_url
 
     STORAGES["default"] = {
         "BACKEND": "storages.backends.s3.S3Storage",
-        "OPTIONS": {
-            "bucket_name": os.getenv("S3_BUCKET_NAME", "set-bucket-name"),
-            "access_key": os.getenv("S3_KEY_ID", "123"),
-            "secret_key": os.getenv("S3_KEY_SECRET", "secret"),
-            "endpoint_url": endpoint_url,
-            "region_name": os.getenv("S3_BUCKET_REGION", "fr"),
-            "file_overwrite": False,
-            "location": os.getenv("S3_LOCATION", ""),
-        },
+        "OPTIONS": options,
     }
 
-    MEDIA_URL = f"{endpoint_url}/"
+    MEDIA_URL = f"{public_endpoint}/"
+elif SF_USE_DB_STORAGE:
+    STORAGES["default"] = {
+        "BACKEND": "db_storage.storage.DatabaseStorage",
+    }
+    MEDIA_URL = os.getenv("MEDIA_URL", "db-storage/")
+    MEDIA_ROOT = os.path.join(BASE_DIR, os.getenv("MEDIA_ROOT", ""))
+
+    if FORCE_SCRIPT_NAME and not MEDIA_URL.startswith(FORCE_SCRIPT_NAME):
+        MEDIA_URL = f"{FORCE_SCRIPT_NAME}/{MEDIA_URL}"
 else:
     STORAGES["default"] = {
         "BACKEND": "django.core.files.storage.FileSystemStorage",
 
@@ -1,5 +1,10 @@
 from config.settings import *  # NOSONAR # noqa: F401,F403
 
+# Enable db_storage for testing its functionality
+SF_USE_DB_STORAGE = True
+if "db_storage" not in INSTALLED_APPS:  # noqa: F405
+    INSTALLED_APPS.insert(-1, "db_storage")  # noqa: F405
+
 WHITENOISE_AUTOREFRESH = True
 WHITENOISE_MANIFEST_STRICT = False
 
 
@@ -22,7 +22,14 @@
         "robots.txt",
         TemplateView.as_view(template_name="robots.txt", content_type="text/plain"),
     ),
-] + static(settings.MEDIA_URL, document_root=settings.MEDIA_ROOT)
+]
+
+if settings.SF_USE_DB_STORAGE:
+    urlpatterns += [
+        path("db-storage/", include("db_storage.urls")),
+    ]
+
+urlpatterns += static(settings.MEDIA_URL, document_root=settings.MEDIA_ROOT)
 
 # Only add this on a dev machine, outside of tests
 if not settings.TESTING and settings.DEBUG and "localhost" in settings.HOST_URL:
 
@@ -0,0 +1,6 @@
+from django.apps import AppConfig
+
+
+class DbStorageConfig(AppConfig):
+    default_auto_field = "django.db.models.BigAutoField"
+    name = "db_storage"