diff --git a/hosts/franz/arion/default.nix b/hosts/franz/arion/default.nix
index 856b13e..a153b64 100644
--- a/hosts/franz/arion/default.nix
+++ b/hosts/franz/arion/default.nix
@@ -20,6 +20,7 @@
 ./matrix ./headscale ./auth
+ ./minio
 ]; environment.systemPackages = with pkgs; [arion];
diff --git a/hosts/franz/arion/minio/arion-compose.nix b/hosts/franz/arion/minio/arion-compose.nix
new file mode 100644
index 0000000..0272363
--- /dev/null
+++ b/hosts/franz/arion/minio/arion-compose.nix
@@ -0,0 +1,48 @@
+{
+ project.name = "minio";
+
+ networks.dmz = {
+ name = "dmz";
+ external = true;
+ };
+
+ services = {
+ minio.service = {
+ image = "bitnami/minio:2024.5.10";
+ container_name = "minio";
+ labels = {
+ "traefik.enable" = "true";
+
+ # API
+ "traefik.http.routers.minio.rule" = "Host(`files.ghoscht.com`)";
+ "traefik.http.routers.minio.service" = "minio";
+ "traefik.http.routers.minio.entrypoints" = "websecure";
+ "traefik.http.services.minio.loadbalancer.server.port" = "9000";
+ "traefik.http.routers.minio.tls" = "true";
+ "traefik.http.routers.minio.tls.certresolver" = "letsencrypt";
+
+ # Dashboard
+ "traefik.http.routers.minio-dash.rule" = "Host(`minio.ghoscht.com`)";
+ "traefik.http.routers.minio-dash.service" = "minio-dash";
+ "traefik.http.routers.minio-dash.entrypoints" = "websecure";
+ "traefik.http.services.minio-dash.loadbalancer.server.port" = "9001";
+ "traefik.http.routers.minio-dash.tls" = "true";
+ "traefik.http.routers.minio-dash.tls.certresolver" = "letsencrypt";
+ };
+ volumes = [
+ "/storage/dataset/docker/minio/minio_data:/data"
+ ];
+ environment = {
+ MINIO_DATA_DIR = "/data";
+ MINIO_BROWSER_REDIRECT_URL = "https://minio.ghoscht.com";
+ };
+ env_file = [
+ "/home/ghoscht/.docker/minio/minio.env"
+ ];
+ restart = "unless-stopped";
+ networks = [
+ "dmz"
+ ];
+ };
+ };
+}
diff --git a/hosts/franz/arion/minio/arion-pkgs.nix b/hosts/franz/arion/minio/arion-pkgs.nix
new file mode 100644
index 0000000..69aad13
--- /dev/null
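Review bot: `image = "bitnami/minio:2024.5.10"` pins a mutable tag; a tag can be re-pushed under the same name, so for a service that holds the root credential and sits on the shared `dmz` network it is worth pinning the digest too, e.g. `image = "bitnami/minio:2024.5.10@sha256:<digest-from-registry>";`. The `env_file` entry hard-codes `/home/ghoscht/.docker/minio/minio.env` while default.nix builds the same path from `vars.user`, so the two drift apart if that variable changes; either pass the path in from the NixOS module or mark the coupling with a comment such as `# must match sops.templates."minio.env".path in default.nix`. The `minio-dash` router publishes the console on port 9001 to the internet with only MinIO's own login in front of it; if the existing Traefik setup already provides an auth or IP-allowlist middleware, attaching it to that router would reduce exposure.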
+++ b/hosts/franz/arion/minio/arion-pkgs.nix
@@ -0,0 +1,6 @@
+# Instead of pinning Nixpkgs, we can opt to use the one in NIX_PATH
+import {
+ # We specify the architecture explicitly. Use a Linux remote builder when
+ # calling arion from other platforms.
+ system = "x86_64-linux";
+}
diff --git a/hosts/franz/arion/minio/default.nix b/hosts/franz/arion/minio/default.nix
new file mode 100644
index 0000000..b7549aa
--- /dev/null
+++ b/hosts/franz/arion/minio/default.nix
@@ -0,0 +1,25 @@
+{config, ...}: let
+ vars = import ../../../../vars.nix;
+in {
+ virtualisation.arion = {
+ projects.minio.settings = {
+ imports = [./arion-compose.nix];
+ };
+ };
+ sops.secrets."minio/root_user" = {
+ owner = vars.user;
+ };
+ sops.secrets."minio/root_password" = {
+ owner = vars.user;
+ };
+
+ sops.templates."minio.env" = {
+ path = "/home/${vars.user}/.docker/minio/minio.env";
+ owner = vars.user;
+ mode = "0775";
+ content = ''
+ MINIO_ROOT_USER="${config.sops.placeholder."minio/root_user"}"
+ MINIO_ROOT_PASSWORD="${config.sops.placeholder."minio/root_password"}"
+ '';
+ };
+}
diff --git a/secrets/franz.yaml b/secrets/franz.yaml
index 4c5c5c2..14810c3 100644
--- a/secrets/franz.yaml
+++ b/secrets/franz.yaml
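Review bot: The second line of arion-pkgs.nix reads `import {` here, which would import an attribute set rather than a package set; presumably `<nixpkgs>` was dropped when this page was rendered, so confirm the committed file reads `import <nixpkgs> {`. The header comment says the file deliberately takes nixpkgs from NIX_PATH instead of a pinned revision, so evaluations through the standalone arion command depend on whatever channel the caller has and are not reproducible; if the repository pins nixpkgs elsewhere, pointing this file at that pin would close the gap.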
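Review bot: `mode = "0775"` on the `minio.env` template makes a file containing MINIO_ROOT_PASSWORD readable by every local account, and the execute bit serves no purpose for an env file; `mode = "0600";` is enough, since the file is already owned by `vars.user` and, as far as the compose file shows, it is consumed through `env_file`, i.e. read on the host rather than mounted into the container. The two `sops.secrets` entries appear to exist only to feed the template placeholders, so a comment such as `# decrypted only to be rendered into sops.templates."minio.env" below` would explain why they set an owner but no path.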
@@ -45,6 +45,9 @@ auth:
 homarr:
 oidc_client_secret: ENC[AES256_GCM,data:ykaMgcS1x/sMFPmi9vF8RdS7Dj8tTpNFybqwJ5MkK3OCIqYt5FtY8si7ZbKC4IMquOA4w3fWpHdygvFJwJOyNNvznWuasR1afhaAHIHb85J41GWCpMLWWZub+NUuU2pSudvUYk9LeDUBTKwtfHgr4DUzoQeBocG0httGFKBAXbo=,iv:vThB7ZCgEB5yQoiOYhDcHiGm0lYXy1LCJWunH5HwFq0=,tag:68jkMBnCc2e3bKWR/Hnnww==,type:str]
 oidc_client_id: ENC[AES256_GCM,data:2KxgJ7rFNru7rf8P9v/LOcA7TjH2ZFerc4PBmetrkB7hre9fHTa+TQ==,iv:9k0YuPNzEjTTBN0l/oyT5mtZKLCGWZ7ZJpE8g2SBu3E=,tag:C/hzffeOVgke1SQZHPjyrA==,type:str]
+minio:
+ root_user: ENC[AES256_GCM,data:Q5yRACtvoQ==,iv:GTLtwwQ5W50w6eDO+PuihNAHWm6xyM9uNa8mbGG3tWI=,tag:O3MUlh2d8iuFTPRq1PvTWw==,type:str]
+ root_password: ENC[AES256_GCM,data:0//dfGYkV80=,iv:h1b0R2QRpN/RI9kUBU0fiKLOI3PUYmisa7RH1ibSF4c=,tag:ln1cv5LQpb76vK5+eTvSuA==,type:str]
 sops:
 kms: []
 gcp_kms: []
@@ -60,8 +63,8 @@ sops:
 VUUxcEhvYi8zeXlCUUViUTl0eWdhcU0KXOfbnDc+zc8lnBcyEAV5EiJSjcSU6AgI
 EfeRw8qVqwChrYn1agslcNnDbE0WQsOCBuA6cE4V3kRofp9HU949ig==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-05-18T21:12:01Z"
- mac: ENC[AES256_GCM,data:kBGP7V4f8d8JWdMdwPEYM1L2zZ4p6eHfwiepfLpBAr0VyhE9YOpPIdt9Tl+ky3mRyfn/DnX03ThiAKQtTrls3/lJEmJRd1dswRd+Mtls3j1QlxhorHYb8g6QvlmyepNf5j5Egqm9hNX+L3aV29mKoO42VxvfaopKduNGt1BrSFo=,iv:Uq+hQUMF+PBV5f6V9AsnxIxX0fKn84MAPEfTFtOtsus=,tag:6LtblCK7FLnhfS0dHsrcnQ==,type:str]
+ lastmodified: "2024-06-13T21:23:27Z"
+ mac: ENC[AES256_GCM,data:B/2p+VmjLXV6UfJASN3l/q60GUqJfsXBYxMCzgecgAdr4yiKr+1ACgDOCQv3V3ucuK0dhTZMAIs6pGN3+JcooV89xXCH93vfay9LLAxCuCiR4X6wn0U074l53OGz2wmxTmSQSaPp3jLQir1v01Q6jFwi2RI+UZLfzBnM5QmTbIk=,iv:vWbac6RSZ8EcdPhJzo1Hs9P/1tpyCePmxQdhEkN+qBg=,tag:v1fdDqN5gt9v2LfVKWKxlQ==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.8.1
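Review bot: The new `root_password` ciphertext `0//dfGYkV80=` decodes to 8 bytes, and AES-256-GCM preserves plaintext length, so anyone who can read this repository can tell the MinIO root password is 8 characters (the same reasoning gives a 7-character `root_user`). The root credential is the administrative account for the API the compose file publishes at files.ghoscht.com; a long, randomly generated value would be a much stronger choice, and because the length is already disclosed by this commit, rotating it rather than keeping the current value is worthwhile. sops does not hide secret lengths, so the same consideration applies to the other short entries in this file.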