🎉 Initial Commit

2024-05-17 15:59:51 +08:00
commit 8b71ec2e3f
42 changed files with 2735 additions and 0 deletions
--- a/pkg/cmd/main.go
+++ b/pkg/cmd/main.go
@ -0,0 +1,75 @@
+package main
+
+import (
+	"os"
+	"os/signal"
+	"syscall"
+
+	"git.solsynth.dev/hydrogen/paperclip/pkg/grpc"
+	"git.solsynth.dev/hydrogen/paperclip/pkg/server"
+	"git.solsynth.dev/hydrogen/paperclip/pkg/services"
+	"github.com/robfig/cron/v3"
+
+	paperclip "git.solsynth.dev/hydrogen/paperclip/pkg"
+	"git.solsynth.dev/hydrogen/paperclip/pkg/database"
+	"github.com/rs/zerolog"
+	"github.com/rs/zerolog/log"
+	"github.com/spf13/viper"
+)
+
+func init() {
+	zerolog.TimeFieldFormat = zerolog.TimeFormatUnix
+	log.Logger = log.Output(zerolog.ConsoleWriter{Out: os.Stdout})
+}
+
+func main() {
+	// Configure settings
+	viper.AddConfigPath(".")
+	viper.AddConfigPath("..")
+	viper.SetConfigName("settings")
+	viper.SetConfigType("toml")
+
+	// Load settings
+	if err := viper.ReadInConfig(); err != nil {
+		log.Panic().Err(err).Msg("An error occurred when loading settings.")
+	}
+
+	// Connect to database
+	if err := database.NewSource(); err != nil {
+		log.Fatal().Err(err).Msg("An error occurred when connect to database.")
+	} else if err := database.RunMigration(database.C); err != nil {
+		log.Fatal().Err(err).Msg("An error occurred when running database auto migration.")
+	}
+
+	// Connect other services
+	if err := grpc.ConnectPassport(); err != nil {
+		log.Fatal().Err(err).Msg("An error occurred when connecting to passport grpc endpoint...")
+	}
+
+	// Configure timed tasks
+	quartz := cron.New(cron.WithLogger(cron.VerbosePrintfLogger(&log.Logger)))
+	quartz.AddFunc("@every 60m", services.DoAutoDatabaseCleanup)
+	quartz.Start()
+
+	// Server
+	server.NewServer()
+	go server.Listen()
+
+	// Grpc Server
+	go func() {
+		if err := grpc.StartGrpc(); err != nil {
+			log.Fatal().Err(err).Msg("An message occurred when starting grpc server.")
+		}
+	}()
+
+	// Messages
+	log.Info().Msgf("Paperclip v%s is started...", paperclip.AppVersion)
+
+	quit := make(chan os.Signal, 1)
+	signal.Notify(quit, syscall.SIGINT, syscall.SIGTERM)
+	<-quit
+
+	log.Info().Msgf("Paperclip v%s is quitting...", paperclip.AppVersion)
+
+	quartz.Stop()
+}
--- a/pkg/database/migrator.go
+++ b/pkg/database/migrator.go
@ -0,0 +1,21 @@
+package database
+
+import (
+	"git.solsynth.dev/hydrogen/paperclip/pkg/models"
+	"gorm.io/gorm"
+)
+
+var AutoMaintainRange = []any{
+	&models.Account{},
+	&models.Attachment{},
+}
+
+func RunMigration(source *gorm.DB) error {
+	if err := source.AutoMigrate(
+		AutoMaintainRange...,
+	); err != nil {
+		return err
+	}
+
+	return nil
+}
--- a/pkg/database/source.go
+++ b/pkg/database/source.go
@ -0,0 +1,28 @@
+package database
+
+import (
+	"github.com/rs/zerolog/log"
+	"github.com/samber/lo"
+	"github.com/spf13/viper"
+	"gorm.io/driver/postgres"
+	"gorm.io/gorm"
+	"gorm.io/gorm/logger"
+	"gorm.io/gorm/schema"
+)
+
+var C *gorm.DB
+
+func NewSource() error {
+	var err error
+
+	dialector := postgres.Open(viper.GetString("database.dsn"))
+	C, err = gorm.Open(dialector, &gorm.Config{NamingStrategy: schema.NamingStrategy{
+		TablePrefix: viper.GetString("database.prefix"),
+	}, Logger: logger.New(&log.Logger, logger.Config{
+		Colorful:                  true,
+		IgnoreRecordNotFoundError: true,
+		LogLevel:                  lo.Ternary(viper.GetBool("debug.database"), logger.Info, logger.Silent),
+	})})
+
+	return err
+}
--- a/pkg/grpc/attachments.go
+++ b/pkg/grpc/attachments.go
@ -0,0 +1,43 @@
+package grpc
+
+import (
+	"context"
+
+	"git.solsynth.dev/hydrogen/paperclip/pkg/database"
+	"git.solsynth.dev/hydrogen/paperclip/pkg/grpc/proto"
+	"git.solsynth.dev/hydrogen/paperclip/pkg/models"
+	jsoniter "github.com/json-iterator/go"
+)
+
+func (v *Server) GetAttachment(ctx context.Context, request *proto.AttachmentLookupRequest) (*proto.Attachment, error) {
+	var attachment models.Attachment
+
+	tx := database.C.Model(&models.Attachment{})
+	if request.Id != nil {
+		tx = tx.Where("id = ?", request.GetId())
+	}
+	if request.Uuid != nil {
+		tx = tx.Where("uuid = ?", request.GetUuid())
+	}
+
+	if err := tx.First(&attachment).Error; err != nil {
+		return nil, err
+	}
+
+	rawMetadata, _ := jsoniter.Marshal(attachment.Metadata)
+
+	return &proto.Attachment{
+		Id:          uint64(attachment.ID),
+		Uuid:        attachment.Uuid,
+		Size:        attachment.Size,
+		Name:        attachment.Name,
+		Alt:         attachment.Alternative,
+		Usage:       attachment.Usage,
+		Mimetype:    attachment.MimeType,
+		Hash:        attachment.HashCode,
+		Destination: attachment.Destination,
+		Metadata:    rawMetadata,
+		IsMature:    attachment.IsMature,
+		AccountId:   uint64(attachment.AccountID),
+	}, nil
+}
--- a/pkg/grpc/client.go
+++ b/pkg/grpc/client.go
@ -0,0 +1,28 @@
+package grpc
+
+import (
+	idpb "git.solsynth.dev/hydrogen/passport/pkg/grpc/proto"
+	"google.golang.org/grpc/credentials/insecure"
+
+	"github.com/spf13/viper"
+	"google.golang.org/grpc"
+)
+
+var Realms idpb.RealmsClient
+var Friendships idpb.FriendshipsClient
+var Notify idpb.NotifyClient
+var Auth idpb.AuthClient
+
+func ConnectPassport() error {
+	addr := viper.GetString("passport.grpc_endpoint")
+	if conn, err := grpc.Dial(addr, grpc.WithTransportCredentials(insecure.NewCredentials())); err != nil {
+		return err
+	} else {
+		Realms = idpb.NewRealmsClient(conn)
+		Friendships = idpb.NewFriendshipsClient(conn)
+		Notify = idpb.NewNotifyClient(conn)
+		Auth = idpb.NewAuthClient(conn)
+	}
+
+	return nil
+}
--- a/pkg/grpc/proto/attachments.pb.go
+++ b/pkg/grpc/proto/attachments.pb.go
@ -0,0 +1,328 @@
+// Code generated by protoc-gen-go. DO NOT EDIT.
+// versions:
+// 	protoc-gen-go v1.33.0
+// 	protoc        v5.26.1
+// source: attachments.proto
+
+package proto
+
+import (
+	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
+	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
+	reflect "reflect"
+	sync "sync"
+)
+
+const (
+	// Verify that this generated code is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion)
+	// Verify that runtime/protoimpl is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
+)
+
+type Attachment struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	Id          uint64 `protobuf:"varint,1,opt,name=id,proto3" json:"id,omitempty"`
+	Uuid        string `protobuf:"bytes,2,opt,name=uuid,proto3" json:"uuid,omitempty"`
+	Size        int64  `protobuf:"varint,3,opt,name=size,proto3" json:"size,omitempty"`
+	Name        string `protobuf:"bytes,4,opt,name=name,proto3" json:"name,omitempty"`
+	Alt         string `protobuf:"bytes,5,opt,name=alt,proto3" json:"alt,omitempty"`
+	Usage       string `protobuf:"bytes,6,opt,name=usage,proto3" json:"usage,omitempty"`
+	Mimetype    string `protobuf:"bytes,7,opt,name=mimetype,proto3" json:"mimetype,omitempty"`
+	Hash        string `protobuf:"bytes,8,opt,name=hash,proto3" json:"hash,omitempty"`
+	Destination string `protobuf:"bytes,9,opt,name=destination,proto3" json:"destination,omitempty"`
+	Metadata    []byte `protobuf:"bytes,10,opt,name=metadata,proto3" json:"metadata,omitempty"`
+	IsMature    bool   `protobuf:"varint,11,opt,name=is_mature,json=isMature,proto3" json:"is_mature,omitempty"`
+	AccountId   uint64 `protobuf:"varint,12,opt,name=account_id,json=accountId,proto3" json:"account_id,omitempty"`
+}
+
+func (x *Attachment) Reset() {
+	*x = Attachment{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_attachments_proto_msgTypes[0]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *Attachment) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*Attachment) ProtoMessage() {}
+
+func (x *Attachment) ProtoReflect() protoreflect.Message {
+	mi := &file_attachments_proto_msgTypes[0]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use Attachment.ProtoReflect.Descriptor instead.
+func (*Attachment) Descriptor() ([]byte, []int) {
+	return file_attachments_proto_rawDescGZIP(), []int{0}
+}
+
+func (x *Attachment) GetId() uint64 {
+	if x != nil {
+		return x.Id
+	}
+	return 0
+}
+
+func (x *Attachment) GetUuid() string {
+	if x != nil {
+		return x.Uuid
+	}
+	return ""
+}
+
+func (x *Attachment) GetSize() int64 {
+	if x != nil {
+		return x.Size
+	}
+	return 0
+}
+
+func (x *Attachment) GetName() string {
+	if x != nil {
+		return x.Name
+	}
+	return ""
+}
+
+func (x *Attachment) GetAlt() string {
+	if x != nil {
+		return x.Alt
+	}
+	return ""
+}
+
+func (x *Attachment) GetUsage() string {
+	if x != nil {
+		return x.Usage
+	}
+	return ""
+}
+
+func (x *Attachment) GetMimetype() string {
+	if x != nil {
+		return x.Mimetype
+	}
+	return ""
+}
+
+func (x *Attachment) GetHash() string {
+	if x != nil {
+		return x.Hash
+	}
+	return ""
+}
+
+func (x *Attachment) GetDestination() string {
+	if x != nil {
+		return x.Destination
+	}
+	return ""
+}
+
+func (x *Attachment) GetMetadata() []byte {
+	if x != nil {
+		return x.Metadata
+	}
+	return nil
+}
+
+func (x *Attachment) GetIsMature() bool {
+	if x != nil {
+		return x.IsMature
+	}
+	return false
+}
+
+func (x *Attachment) GetAccountId() uint64 {
+	if x != nil {
+		return x.AccountId
+	}
+	return 0
+}
+
+type AttachmentLookupRequest struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	Id   *uint64 `protobuf:"varint,1,opt,name=id,proto3,oneof" json:"id,omitempty"`
+	Uuid *string `protobuf:"bytes,2,opt,name=uuid,proto3,oneof" json:"uuid,omitempty"`
+}
+
+func (x *AttachmentLookupRequest) Reset() {
+	*x = AttachmentLookupRequest{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_attachments_proto_msgTypes[1]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *AttachmentLookupRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*AttachmentLookupRequest) ProtoMessage() {}
+
+func (x *AttachmentLookupRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_attachments_proto_msgTypes[1]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use AttachmentLookupRequest.ProtoReflect.Descriptor instead.
+func (*AttachmentLookupRequest) Descriptor() ([]byte, []int) {
+	return file_attachments_proto_rawDescGZIP(), []int{1}
+}
+
+func (x *AttachmentLookupRequest) GetId() uint64 {
+	if x != nil && x.Id != nil {
+		return *x.Id
+	}
+	return 0
+}
+
+func (x *AttachmentLookupRequest) GetUuid() string {
+	if x != nil && x.Uuid != nil {
+		return *x.Uuid
+	}
+	return ""
+}
+
+var File_attachments_proto protoreflect.FileDescriptor
+
+var file_attachments_proto_rawDesc = []byte{
+	0x0a, 0x11, 0x61, 0x74, 0x74, 0x61, 0x63, 0x68, 0x6d, 0x65, 0x6e, 0x74, 0x73, 0x2e, 0x70, 0x72,
+	0x6f, 0x74, 0x6f, 0x12, 0x05, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xaa, 0x02, 0x0a, 0x0a, 0x41,
+	0x74, 0x74, 0x61, 0x63, 0x68, 0x6d, 0x65, 0x6e, 0x74, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18,
+	0x01, 0x20, 0x01, 0x28, 0x04, 0x52, 0x02, 0x69, 0x64, 0x12, 0x12, 0x0a, 0x04, 0x75, 0x75, 0x69,
+	0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x75, 0x75, 0x69, 0x64, 0x12, 0x12, 0x0a,
+	0x04, 0x73, 0x69, 0x7a, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x03, 0x52, 0x04, 0x73, 0x69, 0x7a,
+	0x65, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52,
+	0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x10, 0x0a, 0x03, 0x61, 0x6c, 0x74, 0x18, 0x05, 0x20, 0x01,
+	0x28, 0x09, 0x52, 0x03, 0x61, 0x6c, 0x74, 0x12, 0x14, 0x0a, 0x05, 0x75, 0x73, 0x61, 0x67, 0x65,
+	0x18, 0x06, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x75, 0x73, 0x61, 0x67, 0x65, 0x12, 0x1a, 0x0a,
+	0x08, 0x6d, 0x69, 0x6d, 0x65, 0x74, 0x79, 0x70, 0x65, 0x18, 0x07, 0x20, 0x01, 0x28, 0x09, 0x52,
+	0x08, 0x6d, 0x69, 0x6d, 0x65, 0x74, 0x79, 0x70, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x68, 0x61, 0x73,
+	0x68, 0x18, 0x08, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x68, 0x61, 0x73, 0x68, 0x12, 0x20, 0x0a,
+	0x0b, 0x64, 0x65, 0x73, 0x74, 0x69, 0x6e, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x09, 0x20, 0x01,
+	0x28, 0x09, 0x52, 0x0b, 0x64, 0x65, 0x73, 0x74, 0x69, 0x6e, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12,
+	0x1a, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x0a, 0x20, 0x01, 0x28,
+	0x0c, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x12, 0x1b, 0x0a, 0x09, 0x69,
+	0x73, 0x5f, 0x6d, 0x61, 0x74, 0x75, 0x72, 0x65, 0x18, 0x0b, 0x20, 0x01, 0x28, 0x08, 0x52, 0x08,
+	0x69, 0x73, 0x4d, 0x61, 0x74, 0x75, 0x72, 0x65, 0x12, 0x1d, 0x0a, 0x0a, 0x61, 0x63, 0x63, 0x6f,
+	0x75, 0x6e, 0x74, 0x5f, 0x69, 0x64, 0x18, 0x0c, 0x20, 0x01, 0x28, 0x04, 0x52, 0x09, 0x61, 0x63,
+	0x63, 0x6f, 0x75, 0x6e, 0x74, 0x49, 0x64, 0x22, 0x57, 0x0a, 0x17, 0x41, 0x74, 0x74, 0x61, 0x63,
+	0x68, 0x6d, 0x65, 0x6e, 0x74, 0x4c, 0x6f, 0x6f, 0x6b, 0x75, 0x70, 0x52, 0x65, 0x71, 0x75, 0x65,
+	0x73, 0x74, 0x12, 0x13, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x04, 0x48, 0x00,
+	0x52, 0x02, 0x69, 0x64, 0x88, 0x01, 0x01, 0x12, 0x17, 0x0a, 0x04, 0x75, 0x75, 0x69, 0x64, 0x18,
+	0x02, 0x20, 0x01, 0x28, 0x09, 0x48, 0x01, 0x52, 0x04, 0x75, 0x75, 0x69, 0x64, 0x88, 0x01, 0x01,
+	0x42, 0x05, 0x0a, 0x03, 0x5f, 0x69, 0x64, 0x42, 0x07, 0x0a, 0x05, 0x5f, 0x75, 0x75, 0x69, 0x64,
+	0x32, 0x53, 0x0a, 0x0b, 0x41, 0x74, 0x74, 0x61, 0x63, 0x68, 0x6d, 0x65, 0x6e, 0x74, 0x73, 0x12,
+	0x44, 0x0a, 0x0d, 0x47, 0x65, 0x74, 0x41, 0x74, 0x74, 0x61, 0x63, 0x68, 0x6d, 0x65, 0x6e, 0x74,
+	0x12, 0x1e, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x41, 0x74, 0x74, 0x61, 0x63, 0x68, 0x6d,
+	0x65, 0x6e, 0x74, 0x4c, 0x6f, 0x6f, 0x6b, 0x75, 0x70, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74,
+	0x1a, 0x11, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x41, 0x74, 0x74, 0x61, 0x63, 0x68, 0x6d,
+	0x65, 0x6e, 0x74, 0x22, 0x00, 0x42, 0x09, 0x5a, 0x07, 0x2e, 0x3b, 0x70, 0x72, 0x6f, 0x74, 0x6f,
+	0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+}
+
+var (
+	file_attachments_proto_rawDescOnce sync.Once
+	file_attachments_proto_rawDescData = file_attachments_proto_rawDesc
+)
+
+func file_attachments_proto_rawDescGZIP() []byte {
+	file_attachments_proto_rawDescOnce.Do(func() {
+		file_attachments_proto_rawDescData = protoimpl.X.CompressGZIP(file_attachments_proto_rawDescData)
+	})
+	return file_attachments_proto_rawDescData
+}
+
+var file_attachments_proto_msgTypes = make([]protoimpl.MessageInfo, 2)
+var file_attachments_proto_goTypes = []interface{}{
+	(*Attachment)(nil),              // 0: proto.Attachment
+	(*AttachmentLookupRequest)(nil), // 1: proto.AttachmentLookupRequest
+}
+var file_attachments_proto_depIdxs = []int32{
+	1, // 0: proto.Attachments.GetAttachment:input_type -> proto.AttachmentLookupRequest
+	0, // 1: proto.Attachments.GetAttachment:output_type -> proto.Attachment
+	1, // [1:2] is the sub-list for method output_type
+	0, // [0:1] is the sub-list for method input_type
+	0, // [0:0] is the sub-list for extension type_name
+	0, // [0:0] is the sub-list for extension extendee
+	0, // [0:0] is the sub-list for field type_name
+}
+
+func init() { file_attachments_proto_init() }
+func file_attachments_proto_init() {
+	if File_attachments_proto != nil {
+		return
+	}
+	if !protoimpl.UnsafeEnabled {
+		file_attachments_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*Attachment); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_attachments_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*AttachmentLookupRequest); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+	}
+	file_attachments_proto_msgTypes[1].OneofWrappers = []interface{}{}
+	type x struct{}
+	out := protoimpl.TypeBuilder{
+		File: protoimpl.DescBuilder{
+			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
+			RawDescriptor: file_attachments_proto_rawDesc,
+			NumEnums:      0,
+			NumMessages:   2,
+			NumExtensions: 0,
+			NumServices:   1,
+		},
+		GoTypes:           file_attachments_proto_goTypes,
+		DependencyIndexes: file_attachments_proto_depIdxs,
+		MessageInfos:      file_attachments_proto_msgTypes,
+	}.Build()
+	File_attachments_proto = out.File
+	file_attachments_proto_rawDesc = nil
+	file_attachments_proto_goTypes = nil
+	file_attachments_proto_depIdxs = nil
+}
--- a/pkg/grpc/proto/attachments.proto
+++ b/pkg/grpc/proto/attachments.proto
@ -0,0 +1,29 @@
+syntax = "proto3";
+
+option go_package = ".;proto";
+
+package proto;
+
+service Attachments {
+    rpc GetAttachment(AttachmentLookupRequest) returns (Attachment) {}
+}
+
+message Attachment {
+    uint64 id = 1;
+    string uuid = 2;
+    int64 size = 3;
+    string name = 4;
+    string alt = 5;
+    string usage = 6;
+    string mimetype = 7;
+    string hash = 8;
+    string destination = 9;
+    bytes metadata = 10;
+    bool is_mature = 11;
+    uint64 account_id = 12;
+}
+
+message AttachmentLookupRequest {
+    optional uint64 id = 1;
+    optional string uuid = 2;
+}
--- a/pkg/grpc/proto/attachments_grpc.pb.go
+++ b/pkg/grpc/proto/attachments_grpc.pb.go
@ -0,0 +1,109 @@
+// Code generated by protoc-gen-go-grpc. DO NOT EDIT.
+// versions:
+// - protoc-gen-go-grpc v1.3.0
+// - protoc             v5.26.1
+// source: attachments.proto
+
+package proto
+
+import (
+	context "context"
+	grpc "google.golang.org/grpc"
+	codes "google.golang.org/grpc/codes"
+	status "google.golang.org/grpc/status"
+)
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the grpc package it is being compiled against.
+// Requires gRPC-Go v1.32.0 or later.
+const _ = grpc.SupportPackageIsVersion7
+
+const (
+	Attachments_GetAttachment_FullMethodName = "/proto.Attachments/GetAttachment"
+)
+
+// AttachmentsClient is the client API for Attachments service.
+//
+// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
+type AttachmentsClient interface {
+	GetAttachment(ctx context.Context, in *AttachmentLookupRequest, opts ...grpc.CallOption) (*Attachment, error)
+}
+
+type attachmentsClient struct {
+	cc grpc.ClientConnInterface
+}
+
+func NewAttachmentsClient(cc grpc.ClientConnInterface) AttachmentsClient {
+	return &attachmentsClient{cc}
+}
+
+func (c *attachmentsClient) GetAttachment(ctx context.Context, in *AttachmentLookupRequest, opts ...grpc.CallOption) (*Attachment, error) {
+	out := new(Attachment)
+	err := c.cc.Invoke(ctx, Attachments_GetAttachment_FullMethodName, in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+// AttachmentsServer is the server API for Attachments service.
+// All implementations must embed UnimplementedAttachmentsServer
+// for forward compatibility
+type AttachmentsServer interface {
+	GetAttachment(context.Context, *AttachmentLookupRequest) (*Attachment, error)
+	mustEmbedUnimplementedAttachmentsServer()
+}
+
+// UnimplementedAttachmentsServer must be embedded to have forward compatible implementations.
+type UnimplementedAttachmentsServer struct {
+}
+
+func (UnimplementedAttachmentsServer) GetAttachment(context.Context, *AttachmentLookupRequest) (*Attachment, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method GetAttachment not implemented")
+}
+func (UnimplementedAttachmentsServer) mustEmbedUnimplementedAttachmentsServer() {}
+
+// UnsafeAttachmentsServer may be embedded to opt out of forward compatibility for this service.
+// Use of this interface is not recommended, as added methods to AttachmentsServer will
+// result in compilation errors.
+type UnsafeAttachmentsServer interface {
+	mustEmbedUnimplementedAttachmentsServer()
+}
+
+func RegisterAttachmentsServer(s grpc.ServiceRegistrar, srv AttachmentsServer) {
+	s.RegisterService(&Attachments_ServiceDesc, srv)
+}
+
+func _Attachments_GetAttachment_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(AttachmentLookupRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(AttachmentsServer).GetAttachment(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: Attachments_GetAttachment_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(AttachmentsServer).GetAttachment(ctx, req.(*AttachmentLookupRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+// Attachments_ServiceDesc is the grpc.ServiceDesc for Attachments service.
+// It's only intended for direct use with grpc.RegisterService,
+// and not to be introspected or modified (even as a copy)
+var Attachments_ServiceDesc = grpc.ServiceDesc{
+	ServiceName: "proto.Attachments",
+	HandlerType: (*AttachmentsServer)(nil),
+	Methods: []grpc.MethodDesc{
+		{
+			MethodName: "GetAttachment",
+			Handler:    _Attachments_GetAttachment_Handler,
+		},
+	},
+	Streams:  []grpc.StreamDesc{},
+	Metadata: "attachments.proto",
+}
--- a/pkg/grpc/server.go
+++ b/pkg/grpc/server.go
@ -0,0 +1,29 @@
+package grpc
+
+import (
+	"net"
+
+	"git.solsynth.dev/hydrogen/paperclip/pkg/grpc/proto"
+	"github.com/spf13/viper"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/reflection"
+)
+
+type Server struct {
+	proto.UnimplementedAttachmentsServer
+}
+
+func StartGrpc() error {
+	listen, err := net.Listen("tcp", viper.GetString("grpc_bind"))
+	if err != nil {
+		return err
+	}
+
+	server := grpc.NewServer()
+
+	proto.RegisterAttachmentsServer(server, &Server{})
+
+	reflection.Register(server)
+
+	return server.Serve(listen)
+}
--- a/pkg/meta.go
+++ b/pkg/meta.go
@ -0,0 +1,5 @@
+package pkg
+
+const (
+	AppVersion = "1.0.0"
+)
--- a/pkg/models/accounts.go
+++ b/pkg/models/accounts.go
@ -0,0 +1,18 @@
+package models
+
+// Account profiles basically fetched from Hydrogen.Passport
+// But cache at here for better usage
+// At the same time this model can make relations between local models
+type Account struct {
+	BaseModel
+
+	Name         string       `json:"name"`
+	Nick         string       `json:"nick"`
+	Avatar       string       `json:"avatar"`
+	Banner       string       `json:"banner"`
+	Description  string       `json:"description"`
+	EmailAddress string       `json:"email_address"`
+	PowerLevel   int          `json:"power_level"`
+	Attachments  []Attachment `json:"attachments"`
+	ExternalID   uint         `json:"external_id"`
+}
--- a/pkg/models/attachments.go
+++ b/pkg/models/attachments.go
@ -0,0 +1,22 @@
+package models
+
+import "gorm.io/datatypes"
+
+type Attachment struct {
+	BaseModel
+
+	Uuid        string `json:"uuid" gorm:"uniqueIndex"`
+	Size        int64  `json:"size"`
+	Name        string `json:"name"`
+	Alternative string `json:"alt"`
+	Usage       string `json:"usage"`
+	MimeType    string `json:"mimetype"`
+	HashCode    string `json:"hash"`
+	Destination string `json:"destination"`
+
+	Metadata datatypes.JSONMap `json:"metadata"`
+	IsMature bool              `json:"is_mature"`
+
+	Account   Account `json:"account"`
+	AccountID uint    `json:"account_id"`
+}
--- a/pkg/models/base.go
+++ b/pkg/models/base.go
@ -0,0 +1,17 @@
+package models
+
+import (
+	"time"
+
+	"gorm.io/datatypes"
+	"gorm.io/gorm"
+)
+
+type JSONMap = datatypes.JSONType[map[string]any]
+
+type BaseModel struct {
+	ID        uint           `json:"id" gorm:"primaryKey"`
+	CreatedAt time.Time      `json:"created_at"`
+	UpdatedAt time.Time      `json:"updated_at"`
+	DeletedAt gorm.DeletedAt `json:"deleted_at" gorm:"index"`
+}
--- a/pkg/models/destination.go
+++ b/pkg/models/destination.go
@ -0,0 +1,27 @@
+package models
+
+const (
+	DestinationTypeLocal = "local"
+	DestinationTypeS3    = "s3"
+)
+
+type BaseDestination struct {
+	Type string `json:"type"`
+}
+
+type LocalDestination struct {
+	BaseDestination
+
+	Path string `json:"path"`
+}
+
+type S3Destination struct {
+	BaseDestination
+
+	Path      string `json:"path"`
+	Bucket    string `json:"bucket"`
+	Endpoint  string `json:"endpoint"`
+	SecretID  string `json:"secret_id"`
+	SecretKey string `json:"secret_key"`
+	EnableSSL bool   `json:"enable_ssl"`
+}
--- a/pkg/models/metadata.go
+++ b/pkg/models/metadata.go
@ -0,0 +1,4 @@
+package models
+
+type MediaMetadata struct {
+}
--- a/pkg/server/attachments_api.go
+++ b/pkg/server/attachments_api.go
@ -0,0 +1,135 @@
+package server
+
+import (
+	"fmt"
+	"net/url"
+	"path/filepath"
+
+	"git.solsynth.dev/hydrogen/paperclip/pkg/database"
+	"git.solsynth.dev/hydrogen/paperclip/pkg/models"
+	"git.solsynth.dev/hydrogen/paperclip/pkg/services"
+	"github.com/gofiber/fiber/v2"
+	jsoniter "github.com/json-iterator/go"
+	"github.com/samber/lo"
+	"github.com/spf13/viper"
+	"gorm.io/datatypes"
+)
+
+func openAttachment(c *fiber.Ctx) error {
+	id := c.Params("id")
+
+	metadata, err := services.GetAttachmentByUUID(id)
+	if err != nil {
+		return fiber.NewError(fiber.StatusNotFound)
+	}
+
+	destMap := viper.GetStringMap("destinations")
+	dest, destOk := destMap[metadata.Destination]
+	if !destOk {
+		return fiber.NewError(fiber.StatusInternalServerError, "invalid destination: destination configuration was not found")
+	}
+
+	var destParsed models.BaseDestination
+	rawDest, _ := jsoniter.Marshal(dest)
+	_ = jsoniter.Unmarshal(rawDest, &destParsed)
+
+	switch destParsed.Type {
+	case models.DestinationTypeLocal:
+		var destConfigured models.LocalDestination
+		_ = jsoniter.Unmarshal(rawDest, &destConfigured)
+		return c.SendFile(filepath.Join(destConfigured.Path, metadata.Uuid))
+	case models.DestinationTypeS3:
+		var destConfigured models.S3Destination
+		_ = jsoniter.Unmarshal(rawDest, &destConfigured)
+		protocol := lo.Ternary(destConfigured.EnableSSL, "https", "http")
+		return c.Redirect(fmt.Sprintf(
+			"%s://%s.%s/%s",
+			protocol,
+			destConfigured.Bucket,
+			destConfigured.Endpoint,
+			url.QueryEscape(filepath.Join(destConfigured.Path, metadata.Uuid)),
+		))
+	default:
+		return fmt.Errorf("invalid destination: unsupported protocol %s", destParsed.Type)
+	}
+}
+
+func getAttachmentMeta(c *fiber.Ctx) error {
+	id := c.Params("id")
+
+	metadata, err := services.GetAttachmentByUUID(id)
+	if err != nil {
+		return fiber.NewError(fiber.StatusNotFound)
+	}
+
+	return c.JSON(metadata)
+}
+
+func createAttachment(c *fiber.Ctx) error {
+	user := c.Locals("principal").(models.Account)
+
+	destName := c.Query("destination", viper.GetString("preferred_destination"))
+
+	hash := c.FormValue("hash")
+	if len(hash) != 64 {
+		return fiber.NewError(fiber.StatusBadRequest, "please provide a sha-256 hash code, length should be 64 characters")
+	}
+	usage := c.FormValue("usage")
+	if !lo.Contains(viper.GetStringSlice("accepts_usage"), usage) {
+		return fiber.NewError(fiber.StatusBadRequest, fmt.Sprintf("disallowed usage: %s", usage))
+	}
+
+	// TODO Add file size check with user permissions (BLOCKED BY Passport#3)
+
+	file, err := c.FormFile("file")
+	if err != nil {
+		return err
+	}
+
+	var usermeta = make(map[string]any)
+	_ = jsoniter.UnmarshalFromString(c.FormValue("metadata"), &usermeta)
+
+	tx := database.C.Begin()
+	metadata, linked, err := services.NewAttachmentMetadata(tx, user, file, models.Attachment{
+		Usage:       usage,
+		HashCode:    hash,
+		Alternative: c.FormValue("alt"),
+		MimeType:    c.FormValue("mimetype"),
+		Metadata:    datatypes.JSONMap(usermeta),
+		IsMature:    len(c.FormValue("mature")) > 0,
+		Destination: destName,
+	})
+	if err != nil {
+		tx.Rollback()
+		return fiber.NewError(fiber.StatusBadRequest, err.Error())
+	}
+
+	if !linked {
+		if err := services.UploadFile(destName, c, file, metadata); err != nil {
+			tx.Rollback()
+			return fiber.NewError(fiber.StatusBadRequest, err.Error())
+		}
+	}
+
+	tx.Commit()
+
+	return c.JSON(metadata)
+}
+
+func deleteAttachment(c *fiber.Ctx) error {
+	id, _ := c.ParamsInt("id", 0)
+	user := c.Locals("principal").(models.Account)
+
+	attachment, err := services.GetAttachmentByID(uint(id))
+	if err != nil {
+		return fiber.NewError(fiber.StatusNotFound, err.Error())
+	} else if attachment.AccountID != user.ID {
+		return fiber.NewError(fiber.StatusNotFound, "record not created by you")
+	}
+
+	if err := services.DeleteAttachment(attachment); err != nil {
+		return fiber.NewError(fiber.StatusInternalServerError, err.Error())
+	} else {
+		return c.SendStatus(fiber.StatusOK)
+	}
+}
--- a/pkg/server/auth.go
+++ b/pkg/server/auth.go
@ -0,0 +1,50 @@
+package server
+
+import (
+	"git.solsynth.dev/hydrogen/paperclip/pkg/services"
+	"github.com/gofiber/fiber/v2"
+	"strings"
+)
+
+func authMiddleware(c *fiber.Ctx) error {
+	var token string
+	if cookie := c.Cookies(services.CookieAccessKey); len(cookie) > 0 {
+		token = cookie
+	}
+	if header := c.Get(fiber.HeaderAuthorization); len(header) > 0 {
+		tk := strings.Replace(header, "Bearer", "", 1)
+		token = strings.TrimSpace(tk)
+	}
+
+	c.Locals("token", token)
+
+	if err := authFunc(c); err != nil {
+		return err
+	}
+
+	return c.Next()
+}
+
+func authFunc(c *fiber.Ctx, overrides ...string) error {
+	var token string
+	if len(overrides) > 0 {
+		token = overrides[0]
+	} else {
+		if tk, ok := c.Locals("token").(string); !ok {
+			return fiber.NewError(fiber.StatusUnauthorized)
+		} else {
+			token = tk
+		}
+	}
+
+	rtk := c.Cookies(services.CookieRefreshKey)
+	if user, atk, rtk, err := services.Authenticate(token, rtk); err == nil {
+		if atk != token {
+			services.SetJwtCookieSet(c, atk, rtk)
+		}
+		c.Locals("principal", user)
+		return nil
+	} else {
+		return fiber.NewError(fiber.StatusUnauthorized, err.Error())
+	}
+}
--- a/pkg/server/startup.go
+++ b/pkg/server/startup.go
@ -0,0 +1,68 @@
+package server
+
+import (
+	"strings"
+
+	"github.com/gofiber/fiber/v2"
+	"github.com/gofiber/fiber/v2/middleware/cors"
+	"github.com/gofiber/fiber/v2/middleware/idempotency"
+	"github.com/gofiber/fiber/v2/middleware/logger"
+	jsoniter "github.com/json-iterator/go"
+	"github.com/rs/zerolog/log"
+	"github.com/spf13/viper"
+)
+
+var A *fiber.App
+
+func NewServer() {
+	A = fiber.New(fiber.Config{
+		DisableStartupMessage: true,
+		EnableIPValidation:    true,
+		ServerHeader:          "Hydrogen.Paperclip",
+		AppName:               "Hydrogen.Paperclip",
+		ProxyHeader:           fiber.HeaderXForwardedFor,
+		JSONEncoder:           jsoniter.ConfigCompatibleWithStandardLibrary.Marshal,
+		JSONDecoder:           jsoniter.ConfigCompatibleWithStandardLibrary.Unmarshal,
+		BodyLimit:             512 * 1024 * 1024 * 1024, // 512 TiB
+		EnablePrintRoutes:     viper.GetBool("debug.print_routes"),
+	})
+
+	A.Use(idempotency.New())
+	A.Use(cors.New(cors.Config{
+		AllowCredentials: true,
+		AllowMethods: strings.Join([]string{
+			fiber.MethodGet,
+			fiber.MethodPost,
+			fiber.MethodHead,
+			fiber.MethodOptions,
+			fiber.MethodPut,
+			fiber.MethodDelete,
+			fiber.MethodPatch,
+		}, ","),
+		AllowOriginsFunc: func(origin string) bool {
+			return true
+		},
+	}))
+
+	A.Use(logger.New(logger.Config{
+		Format: "${status} | ${latency} | ${method} ${path}\n",
+		Output: log.Logger,
+	}))
+
+	A.Get("/.well-known", getMetadata)
+	A.Get("/.well-known/destinations", getDestinations)
+
+	api := A.Group("/api").Name("API")
+	{
+		api.Get("/attachments/i/:id", getAttachmentMeta)
+		api.Get("/attachments/:id", openAttachment)
+		api.Post("/attachments", authMiddleware, createAttachment)
+		api.Delete("/attachments/:id", authMiddleware, deleteAttachment)
+	}
+}
+
+func Listen() {
+	if err := A.Listen(viper.GetString("bind")); err != nil {
+		log.Fatal().Err(err).Msg("An error occurred when starting server...")
+	}
+}
--- a/pkg/server/utils.go
+++ b/pkg/server/utils.go
@ -0,0 +1,18 @@
+package server
+
+import (
+	"github.com/go-playground/validator/v10"
+	"github.com/gofiber/fiber/v2"
+)
+
+var validation = validator.New(validator.WithRequiredStructEnabled())
+
+func BindAndValidate(c *fiber.Ctx, out any) error {
+	if err := c.BodyParser(out); err != nil {
+		return fiber.NewError(fiber.StatusBadRequest, err.Error())
+	} else if err := validation.Struct(out); err != nil {
+		return fiber.NewError(fiber.StatusBadRequest, err.Error())
+	}
+
+	return nil
+}
--- a/pkg/server/well_known_api.go
+++ b/pkg/server/well_known_api.go
@ -0,0 +1,28 @@
+package server
+
+import (
+	"github.com/gofiber/fiber/v2"
+	"github.com/spf13/viper"
+)
+
+func getMetadata(c *fiber.Ctx) error {
+	return c.JSON(fiber.Map{
+		"name":   viper.GetString("name"),
+		"domain": viper.GetString("domain"),
+		"components": fiber.Map{
+			"passport": viper.GetString("passport.endpoint"),
+		},
+	})
+}
+
+func getDestinations(c *fiber.Ctx) error {
+	var data []string
+	for key := range viper.GetStringMap("destinations") {
+		data = append(data, key)
+	}
+
+	return c.JSON(fiber.Map{
+		"data":      data,
+		"preferred": viper.GetString("preferred_destination"),
+	})
+}
--- a/pkg/services/accounts.go
+++ b/pkg/services/accounts.go
@ -0,0 +1,56 @@
+package services
+
+import (
+	"context"
+	"time"
+
+	"git.solsynth.dev/hydrogen/paperclip/pkg/database"
+	"git.solsynth.dev/hydrogen/paperclip/pkg/grpc"
+	"git.solsynth.dev/hydrogen/paperclip/pkg/models"
+	"git.solsynth.dev/hydrogen/passport/pkg/grpc/proto"
+	"github.com/rs/zerolog/log"
+	"github.com/spf13/viper"
+)
+
+func GetAccountFriend(userId, relatedId uint, status int) (*proto.FriendshipResponse, error) {
+	var user models.Account
+	if err := database.C.Where("id = ?", userId).First(&user).Error; err != nil {
+		return nil, err
+	}
+	var related models.Account
+	if err := database.C.Where("id = ?", relatedId).First(&related).Error; err != nil {
+		return nil, err
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), time.Second*5)
+	defer cancel()
+
+	return grpc.Friendships.GetFriendship(ctx, &proto.FriendshipTwoSideLookupRequest{
+		AccountId: uint64(user.ExternalID),
+		RelatedId: uint64(related.ExternalID),
+		Status:    uint32(status),
+	})
+}
+
+func NotifyAccount(user models.Account, subject, content string, realtime bool, links ...*proto.NotifyLink) error {
+	ctx, cancel := context.WithTimeout(context.Background(), time.Second*5)
+	defer cancel()
+
+	_, err := grpc.Notify.NotifyUser(ctx, &proto.NotifyRequest{
+		ClientId:     viper.GetString("passport.client_id"),
+		ClientSecret: viper.GetString("passport.client_secret"),
+		Subject:      subject,
+		Content:      content,
+		Links:        links,
+		RecipientId:  uint64(user.ExternalID),
+		IsRealtime:   realtime,
+		IsImportant:  false,
+	})
+	if err != nil {
+		log.Warn().Err(err).Msg("An error occurred when notify account...")
+	} else {
+		log.Debug().Uint("external", user.ExternalID).Msg("Notified account.")
+	}
+
+	return err
+}
--- a/pkg/services/attachments.go
+++ b/pkg/services/attachments.go
@ -0,0 +1,110 @@
+package services
+
+import (
+	"fmt"
+	"mime"
+	"mime/multipart"
+	"net/http"
+	"path/filepath"
+
+	"git.solsynth.dev/hydrogen/paperclip/pkg/database"
+	"git.solsynth.dev/hydrogen/paperclip/pkg/models"
+	"github.com/google/uuid"
+	"gorm.io/gorm"
+)
+
+func GetAttachmentByID(id uint) (models.Attachment, error) {
+	var attachment models.Attachment
+	if err := database.C.Where(models.Attachment{
+		BaseModel: models.BaseModel{ID: id},
+	}).First(&attachment).Error; err != nil {
+		return attachment, err
+	}
+	return attachment, nil
+}
+
+func GetAttachmentByUUID(id string) (models.Attachment, error) {
+	var attachment models.Attachment
+	if err := database.C.Where(models.Attachment{
+		Uuid: id,
+	}).First(&attachment).Error; err != nil {
+		return attachment, err
+	}
+	return attachment, nil
+}
+
+func GetAttachmentByHash(hash string) (models.Attachment, error) {
+	var attachment models.Attachment
+	if err := database.C.Where(models.Attachment{
+		HashCode: hash,
+	}).First(&attachment).Error; err != nil {
+		return attachment, err
+	}
+	return attachment, nil
+}
+
+func NewAttachmentMetadata(tx *gorm.DB, user models.Account, file *multipart.FileHeader, attachment models.Attachment) (models.Attachment, bool, error) {
+	linked := false
+	exists, pickupErr := GetAttachmentByHash(attachment.HashCode)
+	if pickupErr == nil {
+		linked = true
+		attachment = exists
+		attachment.ID = 0
+		attachment.AccountID = user.ID
+	} else {
+		// Upload the new file
+		attachment.Uuid = uuid.NewString()
+		attachment.Size = file.Size
+		attachment.Name = file.Filename
+		attachment.AccountID = user.ID
+
+		// If user didn't provide file mimetype manually, we gotta to detect it
+		if len(attachment.MimeType) == 0 {
+			if ext := filepath.Ext(attachment.Name); len(ext) > 0 {
+				// Detect mimetype by file extensions
+				attachment.MimeType = mime.TypeByExtension(ext)
+			} else {
+				// Detect mimetype by file header
+				// This method as a fallback method, because this isn't pretty accurate
+				header, err := file.Open()
+				if err != nil {
+					return attachment, false, fmt.Errorf("failed to read file header: %v", err)
+				}
+				defer header.Close()
+
+				fileHeader := make([]byte, 512)
+				_, err = header.Read(fileHeader)
+				if err != nil {
+					return attachment, false, err
+				}
+				attachment.MimeType = http.DetectContentType(fileHeader)
+			}
+		}
+	}
+
+	if err := tx.Save(&attachment).Error; err != nil {
+		return attachment, linked, fmt.Errorf("failed to save attachment record: %v", err)
+	}
+
+	return attachment, linked, nil
+}
+
+func DeleteAttachment(item models.Attachment) error {
+	var dupeCount int64
+	if err := database.C.
+		Where(&models.Attachment{HashCode: item.HashCode}).
+		Model(&models.Attachment{}).
+		Count(&dupeCount).Error; err != nil {
+		dupeCount = -1
+	}
+
+	if err := database.C.Delete(&item).Error; err != nil {
+		return err
+	}
+
+	if dupeCount != -1 && dupeCount <= 1 {
+		return DeleteFile(item)
+	}
+
+	return nil
+}
--- a/pkg/services/auth.go
+++ b/pkg/services/auth.go
@ -0,0 +1,76 @@
+package services
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"reflect"
+	"time"
+
+	"git.solsynth.dev/hydrogen/paperclip/pkg/database"
+	"git.solsynth.dev/hydrogen/paperclip/pkg/grpc"
+	"git.solsynth.dev/hydrogen/paperclip/pkg/models"
+	"git.solsynth.dev/hydrogen/passport/pkg/grpc/proto"
+	"gorm.io/gorm"
+)
+
+func LinkAccount(userinfo *proto.Userinfo) (models.Account, error) {
+	var account models.Account
+	if userinfo == nil {
+		return account, fmt.Errorf("remote userinfo was not found")
+	}
+	if err := database.C.Where(&models.Account{
+		ExternalID: uint(userinfo.Id),
+	}).First(&account).Error; err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			account = models.Account{
+				Name:         userinfo.Name,
+				Nick:         userinfo.Nick,
+				Avatar:       userinfo.Avatar,
+				Banner:       userinfo.Banner,
+				Description:  userinfo.GetDescription(),
+				EmailAddress: userinfo.Email,
+				PowerLevel:   0,
+				ExternalID:   uint(userinfo.Id),
+			}
+			return account, database.C.Save(&account).Error
+		}
+		return account, err
+	}
+
+	prev := account
+	account.Name = userinfo.Name
+	account.Nick = userinfo.Nick
+	account.Avatar = userinfo.Avatar
+	account.Banner = userinfo.Banner
+	account.Description = userinfo.GetDescription()
+	account.EmailAddress = userinfo.Email
+
+	var err error
+	if !reflect.DeepEqual(prev, account) {
+		err = database.C.Save(&account).Error
+	}
+
+	return account, err
+}
+
+func Authenticate(atk, rtk string) (models.Account, string, string, error) {
+	ctx, cancel := context.WithTimeout(context.Background(), time.Second*5)
+	defer cancel()
+
+	var err error
+	var user models.Account
+	reply, err := grpc.Auth.Authenticate(ctx, &proto.AuthRequest{
+		AccessToken:  atk,
+		RefreshToken: &rtk,
+	})
+	if err != nil {
+		return user, reply.GetAccessToken(), reply.GetRefreshToken(), err
+	} else if !reply.IsValid {
+		return user, reply.GetAccessToken(), reply.GetRefreshToken(), fmt.Errorf("invalid authorization context")
+	}
+
+	user, err = LinkAccount(reply.Userinfo)
+
+	return user, reply.GetAccessToken(), reply.GetRefreshToken(), err
+}
--- a/pkg/services/cleaner.go
+++ b/pkg/services/cleaner.go
@ -0,0 +1,24 @@
+package services
+
+import (
+	"time"
+
+	"git.solsynth.dev/hydrogen/paperclip/pkg/database"
+	"github.com/rs/zerolog/log"
+)
+
+func DoAutoDatabaseCleanup() {
+	deadline := time.Now().Add(60 * time.Minute)
+	log.Debug().Time("deadline", deadline).Msg("Now cleaning up entire database...")
+
+	var count int64
+	for _, model := range database.AutoMaintainRange {
+		tx := database.C.Unscoped().Delete(model, "deleted_at >= ?", deadline)
+		if tx.Error != nil {
+			log.Error().Err(tx.Error).Msg("An error occurred when running auth context cleanup...")
+		}
+		count += tx.RowsAffected
+	}
+
+	log.Debug().Int64("affected", count).Msg("Clean up entire database accomplished.")
+}
--- a/pkg/services/jwt.go
+++ b/pkg/services/jwt.go
@ -0,0 +1,81 @@
+package services
+
+import (
+	"fmt"
+	"github.com/gofiber/fiber/v2"
+	"time"
+
+	"github.com/golang-jwt/jwt/v5"
+	"github.com/spf13/viper"
+)
+
+type PayloadClaims struct {
+	jwt.RegisteredClaims
+
+	Type string `json:"typ"`
+}
+
+const (
+	JwtAccessType  = "access"
+	JwtRefreshType = "refresh"
+)
+
+const (
+	CookieAccessKey  = "passport_auth_key"
+	CookieRefreshKey = "passport_refresh_key"
+)
+
+func EncodeJwt(id string, typ, sub string, aud []string, exp time.Time) (string, error) {
+	tk := jwt.NewWithClaims(jwt.SigningMethodHS512, PayloadClaims{
+		jwt.RegisteredClaims{
+			Subject:   sub,
+			Audience:  aud,
+			Issuer:    fmt.Sprintf("https://%s", viper.GetString("domain")),
+			ExpiresAt: jwt.NewNumericDate(exp),
+			NotBefore: jwt.NewNumericDate(time.Now()),
+			IssuedAt:  jwt.NewNumericDate(time.Now()),
+			ID:        id,
+		},
+		typ,
+	})
+
+	return tk.SignedString([]byte(viper.GetString("secret")))
+}
+
+func DecodeJwt(str string) (PayloadClaims, error) {
+	var claims PayloadClaims
+	tk, err := jwt.ParseWithClaims(str, &claims, func(token *jwt.Token) (interface{}, error) {
+		if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
+			return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])
+		}
+		return []byte(viper.GetString("secret")), nil
+	})
+	if err != nil {
+		return claims, err
+	}
+
+	if data, ok := tk.Claims.(*PayloadClaims); ok {
+		return *data, nil
+	} else {
+		return claims, fmt.Errorf("unexpected token payload: not payload claims type")
+	}
+}
+
+func SetJwtCookieSet(c *fiber.Ctx, access, refresh string) {
+	c.Cookie(&fiber.Cookie{
+		Name:     CookieAccessKey,
+		Value:    access,
+		Domain:   viper.GetString("security.cookie_domain"),
+		SameSite: viper.GetString("security.cookie_samesite"),
+		Expires:  time.Now().Add(60 * time.Minute),
+		Path:     "/",
+	})
+	c.Cookie(&fiber.Cookie{
+		Name:     CookieRefreshKey,
+		Value:    refresh,
+		Domain:   viper.GetString("security.cookie_domain"),
+		SameSite: viper.GetString("security.cookie_samesite"),
+		Expires:  time.Now().Add(24 * 30 * time.Hour),
+		Path:     "/",
+	})
+}
--- a/pkg/services/recycler.go
+++ b/pkg/services/recycler.go
@ -0,0 +1,61 @@
+package services
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"path/filepath"
+
+	"git.solsynth.dev/hydrogen/paperclip/pkg/models"
+	jsoniter "github.com/json-iterator/go"
+	"github.com/minio/minio-go/v7"
+	"github.com/minio/minio-go/v7/pkg/credentials"
+	"github.com/spf13/viper"
+)
+
+func DeleteFile(meta models.Attachment) error {
+	destMap := viper.GetStringMap("destinations")
+	dest, destOk := destMap[meta.Destination]
+	if !destOk {
+		return fmt.Errorf("invalid destination: destination configuration was not found")
+	}
+
+	var destParsed models.BaseDestination
+	rawDest, _ := jsoniter.Marshal(dest)
+	_ = jsoniter.Unmarshal(rawDest, &destParsed)
+
+	switch destParsed.Type {
+	case models.DestinationTypeLocal:
+		var destConfigured models.LocalDestination
+		_ = jsoniter.Unmarshal(rawDest, &destConfigured)
+		return DeleteFileFromLocal(destConfigured, meta)
+	case models.DestinationTypeS3:
+		var destConfigured models.S3Destination
+		_ = jsoniter.Unmarshal(rawDest, &destConfigured)
+		return DeleteFileFromS3(destConfigured, meta)
+	default:
+		return fmt.Errorf("invalid destination: unsupported protocol %s", destParsed.Type)
+	}
+}
+
+func DeleteFileFromLocal(config models.LocalDestination, meta models.Attachment) error {
+	fullpath := filepath.Join(config.Path, meta.Uuid)
+	return os.Remove(fullpath)
+}
+
+func DeleteFileFromS3(config models.S3Destination, meta models.Attachment) error {
+	client, err := minio.New(config.Endpoint, &minio.Options{
+		Creds:  credentials.NewStaticV4(config.SecretID, config.SecretKey, ""),
+		Secure: config.EnableSSL,
+	})
+	if err != nil {
+		return fmt.Errorf("unable to configure s3 client: %v", err)
+	}
+
+	err = client.RemoveObject(context.Background(), config.Bucket, filepath.Join(config.Path, meta.Uuid), minio.RemoveObjectOptions{})
+	if err != nil {
+		return fmt.Errorf("unable to upload file to s3: %v", err)
+	}
+
+	return nil
+}
--- a/pkg/services/uploader.go
+++ b/pkg/services/uploader.go
@ -0,0 +1,76 @@
+package services
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+	"io"
+	"mime/multipart"
+	"path/filepath"
+
+	"git.solsynth.dev/hydrogen/paperclip/pkg/models"
+	"github.com/gofiber/fiber/v2"
+	jsoniter "github.com/json-iterator/go"
+	"github.com/minio/minio-go/v7"
+	"github.com/minio/minio-go/v7/pkg/credentials"
+	"github.com/spf13/viper"
+)
+
+func UploadFile(destName string, ctx *fiber.Ctx, file *multipart.FileHeader, meta models.Attachment) error {
+	destMap := viper.GetStringMap("destinations")
+	dest, destOk := destMap[destName]
+	if !destOk {
+		return fmt.Errorf("invalid destination: destination configuration was not found")
+	}
+
+	var destParsed models.BaseDestination
+	rawDest, _ := jsoniter.Marshal(dest)
+	_ = jsoniter.Unmarshal(rawDest, &destParsed)
+
+	switch destParsed.Type {
+	case models.DestinationTypeLocal:
+		var destConfigured models.LocalDestination
+		_ = jsoniter.Unmarshal(rawDest, &destConfigured)
+		return UploadFileToLocal(destConfigured, ctx, file, meta)
+	case models.DestinationTypeS3:
+		var destConfigured models.S3Destination
+		_ = jsoniter.Unmarshal(rawDest, &destConfigured)
+		return UploadFileToS3(destConfigured, file, meta)
+	default:
+		return fmt.Errorf("invalid destination: unsupported protocol %s", destParsed.Type)
+	}
+}
+
+func UploadFileToLocal(config models.LocalDestination, ctx *fiber.Ctx, file *multipart.FileHeader, meta models.Attachment) error {
+	return ctx.SaveFile(file, filepath.Join(config.Path, meta.Uuid))
+}
+
+func UploadFileToS3(config models.S3Destination, file *multipart.FileHeader, meta models.Attachment) error {
+	header, err := file.Open()
+	if err != nil {
+		return fmt.Errorf("read upload file: %v", err)
+	}
+	defer header.Close()
+
+	buffer := bytes.NewBuffer(nil)
+	if _, err := io.Copy(buffer, header); err != nil {
+		return fmt.Errorf("create io reader for upload file: %v", err)
+	}
+
+	client, err := minio.New(config.Endpoint, &minio.Options{
+		Creds:  credentials.NewStaticV4(config.SecretID, config.SecretKey, ""),
+		Secure: config.EnableSSL,
+	})
+	if err != nil {
+		return fmt.Errorf("unable to configure s3 client: %v", err)
+	}
+
+	_, err = client.PutObject(context.Background(), config.Bucket, filepath.Join(config.Path, meta.Uuid), buffer, -1, minio.PutObjectOptions{
+		ContentType: meta.MimeType,
+	})
+	if err != nil {
+		return fmt.Errorf("unable to upload file to s3: %v", err)
+	}
+
+	return nil
+}