diff --git a/flake.lock b/flake.lock
index a7fe143f..5f169972 100644
--- a/flake.lock
+++ b/flake.lock
@@ -470,10 +470,10 @@
 "mysecrets": {
 "flake": false,
 "locked": {
- "lastModified": 1723827270,
- "narHash": "sha256-nBq/Sp7u+riKV7xNWq85+owzUGfWdpKdq3qR/0PYTSU=",
+ "lastModified": 1725269346,
+ "narHash": "sha256-VR/gaksXhlNIrnaQg2+uccKn8ZXag8gx6hh1yHARbE4=",
 "ref": "refs/heads/main",
- "rev": "f80a6c11f7b27e257e07f294b45c64a1369438a4",
+ "rev": "4f3ddacef411d4c3d59011a3bd6c14a1dcf19c07",
 "shallow": true,
 "type": "git",
 "url": "ssh://git@github.com/ryan4yin/nix-secrets.git"
diff --git a/hosts/idols-aquamarine/caddy.nix b/hosts/idols-aquamarine/caddy.nix
index 05c638b0..25954f2d 100644
--- a/hosts/idols-aquamarine/caddy.nix
+++ b/hosts/idols-aquamarine/caddy.nix
@@ -91,6 +91,38 @@ in {
 encode zstd gzip
 reverse_proxy http://localhost:9093
 '';
+ virtualHosts."minio.writefor.fun".extraConfig = ''
+ ${hostCommonConfig}
+ encode zstd gzip
+ reverse_proxy http://localhost:9096 {
+ header_up Host {http.request.host}
+ header_up X-Real-IP {http.request.remote.host}
+ header_up X-Forwarded-For {http.request.header.X-Forwarded-For}
+ header_up X-Forwarded-Proto {scheme}
+ transport http {
+ dial_timeout 300s
+ read_timeout 300s
+ write_timeout 300s
+ }
+ }
+ '';
+ virtualHosts."minio-ui.writefor.fun".extraConfig = ''
+ ${hostCommonConfig}
+ encode zstd gzip
+ reverse_proxy http://localhost:9097 {
+ header_up Host {http.request.host}
+ header_up X-Real-IP {http.request.remote.host}
+ header_up X-Forwarded-For {http.request.header.X-Forwarded-For}
+ header_up X-Forwarded-Proto {scheme}
+ header_up Upgrade {http.request.header.Upgrade}
+ header_up Connection {http.request.header.Connection}
+ transport http {
+ dial_timeout 300s
+ read_timeout 300s
+ write_timeout 300s
+ }
+ }
+ '';
 };
 networking.firewall.allowedTCPPorts = [80 443];
diff --git a/hosts/idols-aquamarine/minio.nix b/hosts/idols-aquamarine/minio.nix
new file mode 100644
index 00000000..a1e23afe
--- /dev/null
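Review bot: In hosts/idols-aquamarine/caddy.nix, both new `reverse_proxy` blocks set `header_up X-Forwarded-For {http.request.header.X-Forwarded-For}`, which forwards whatever value the client sent rather than the address Caddy actually saw. That appears to replace the X-Forwarded-For value Caddy's reverse_proxy builds on its own, so MinIO would likely record, and possibly evaluate in source-IP policy conditions, an address the caller controls. Caddy already passes Host and sets X-Forwarded-For and X-Forwarded-Proto by default, so deleting that line in both blocks is enough; `header_up X-Real-IP {http.request.remote.host}` can stay. The minio-ui vhost also publishes the admin console through ports 80/443, and whether `hostCommonConfig` restricts who can reach it is not visible in this hunk.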
+++ b/hosts/idols-aquamarine/minio.nix
@@ -0,0 +1,18 @@
+{config, ...}: let
+ dataDir = ["/data/apps/minio/data"];
+ configDir = "/data/apps/minio/config";
+in {
+ # https://github.com/NixOS/nixpkgs/blob/nixos-24.05/nixos/modules/services/web-servers/minio.nix
+ services.minio = {
+ enable = true;
+ browser = true; # Enable or disable access to web UI.
+
+ inherit dataDir configDir;
+ listenAddress = "127.0.0.1:9096";
+ consoleAddress = "127.0.0.1:9097"; # Web UI
+ region = "us-east-1"; # default to us-east-1, same as AWS S3.
+
+ # File containing the MINIO_ROOT_USER, default is “minioadmin”, and MINIO_ROOT_PASSWORD (length >= 8), default is “minioadmin”;
+ rootCredentialsFile = config.age.secrets."minio.env".path;
+ };
+}
diff --git a/secrets/nixos.nix b/secrets/nixos.nix
index f9170711..db5fcfc4 100644
--- a/secrets/nixos.nix
+++ b/secrets/nixos.nix
@@ -206,6 +206,11 @@ in {
 mode = "0400";
 owner = "sftpgo";
 };
+ "minio.env" = {
+ file = "${mysecrets}/server/minio.env.age";
+ mode = "0400";
+ owner = "minio";
+ };
 };
 })
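Review bot: In hosts/idols-aquamarine/minio.nix, the comment above `rootCredentialsFile` records the `minioadmin` defaults but not that they must never apply on this host, where the same commit publishes the console at minio-ui.writefor.fun. I would reword it to `# agenix env file; must define both MINIO_ROOT_USER and MINIO_ROOT_PASSWORD (>= 8 chars), never rely on the minioadmin defaults since the console is proxied by caddy`. The contents of minio.env.age are not visible here, so confirm once against the decrypted file that both variables are set.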