diff --git a/nixos/boxes/colony/vms/default.nix b/nixos/boxes/colony/vms/default.nix index 0561897..bef27e6 100644 --- a/nixos/boxes/colony/vms/default.nix +++ b/nixos/boxes/colony/vms/default.nix @@ -149,6 +149,19 @@ }; frontend = "virtio-blk"; } + { + name = "minio"; + backend = { + driver = "host_device"; + filename = "/dev/ssds/minio"; + discard = "unmap"; + }; + format = { + driver = "raw"; + discard = "unmap"; + }; + frontend = "virtio-blk"; + } ]); }; }; diff --git a/nixos/boxes/colony/vms/shill/containers/default.nix b/nixos/boxes/colony/vms/shill/containers/default.nix index 34376df..7436738 100644 --- a/nixos/boxes/colony/vms/shill/containers/default.nix +++ b/nixos/boxes/colony/vms/shill/containers/default.nix @@ -5,5 +5,6 @@ ./colony-psql.nix ./chatterbox.nix ./jackflix + ./object.nix ]; } diff --git a/nixos/boxes/colony/vms/shill/containers/middleman/default.nix b/nixos/boxes/colony/vms/shill/containers/middleman/default.nix index d5c60fa..f19c4e2 100644 --- a/nixos/boxes/colony/vms/shill/containers/middleman/default.nix +++ b/nixos/boxes/colony/vms/shill/containers/middleman/default.nix @@ -162,6 +162,7 @@ "${lib.my.pubDomain}" = { extraDomainNames = [ "*.${lib.my.pubDomain}" + "*.s3.${lib.my.pubDomain}" ]; dnsProvider = "cloudflare"; credentialsFile = config.age.secrets."middleman/cloudflare-credentials.conf".path; diff --git a/nixos/boxes/colony/vms/shill/containers/middleman/vhosts.nix b/nixos/boxes/colony/vms/shill/containers/middleman/vhosts.nix index 027d143..a237279 100644 --- a/nixos/boxes/colony/vms/shill/containers/middleman/vhosts.nix +++ b/nixos/boxes/colony/vms/shill/containers/middleman/vhosts.nix 
@@ -279,6 +279,26 @@ in }; useACMEHost = lib.my.pubDomain; }; + + "minio.${lib.my.pubDomain}" = { + extraConfig = '' + chunked_transfer_encoding off; + ''; + locations = { + "/".proxyPass = "http://object-ctr.${config.networking.domain}:9001"; + }; + useACMEHost = lib.my.pubDomain; + }; + "s3.${lib.my.pubDomain}" = { + serverAliases = [ "*.s3.${lib.my.pubDomain}" ]; + extraConfig = '' + chunked_transfer_encoding off; + ''; + locations = { + "/".proxyPass = "http://object-ctr.${config.networking.domain}:9000"; + }; + useACMEHost = lib.my.pubDomain; + }; }; in mkMerge [ diff --git a/nixos/boxes/colony/vms/shill/containers/object.nix b/nixos/boxes/colony/vms/shill/containers/object.nix new file mode 100644 index 0000000..7a01db7 --- /dev/null +++ b/nixos/boxes/colony/vms/shill/containers/object.nix 
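Review bot: The `minio.${lib.my.pubDomain}` vhost exposes the MinIO admin console to the public internet with nothing in front of it except MinIO's own login form, and the only account that form accepts at this point is the root pair that owns every bucket. The rest of vhosts.nix is outside the hunk, but this commit also re-keys `middleman/nginx-sso.yaml.age`, so if other admin UIs in this file sit behind nginx-sso or a source allowlist, the console vhost should get the same treatment. Separately, unless `client_max_body_size` is raised globally, both locations inherit nginx's 1m default and larger S3 PUTs will fail with 413; add `client_max_body_size 0;` and `proxy_request_buffering off;` to the `s3.` vhost's `extraConfig`. Virtual-host bucket access via `*.s3.` also only works if the original Host header reaches MinIO, so confirm `proxy_set_header Host $host;` is in effect (it is when `recommendedProxySettings` is enabled, which I cannot see here).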
@@ -0,0 +1,74 @@ +{ lib, ... }: { + nixos.systems.object = { + system = "x86_64-linux"; + nixpkgs = "mine"; + + assignments = { + internal = { + name = "object-ctr"; + domain = lib.my.colony.domain; + ipv4.address = "${lib.my.colony.start.ctrs.v4}7"; + ipv6 = { + iid = "::7"; + address = "${lib.my.colony.start.ctrs.v6}7"; + }; + }; + }; + + configuration = { lib, config, assignments, ... }: + let + inherit (lib) mkMerge mkIf; + inherit (lib.my) networkdAssignment; + in + { + config = mkMerge [ + { + my = { + deploy.enable = false; + server.enable = true; + + secrets = { + key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFdHbZErWLmTPO/aEWB1Fup/aGMf31Un5Wk66FJwTz/8"; + files."minio.env" = {}; + }; + + firewall = { + tcp.allowed = [ 9000 9001 ]; + }; + }; + + systemd = { + network.networks."80-container-host0" = networkdAssignment "host0" assignments.internal; + services = { + minio = { + environment = { + MINIO_ROOT_USER = "minioadmin"; + MINIO_DOMAIN = "s3.nul.ie"; + MINIO_SERVER_URL = "https://s3.nul.ie"; + MINIO_BROWSER_REDIRECT_URL = "https://minio.nul.ie"; + }; + }; + }; + }; + + services = { + minio = { + enable = true; + region = "eu-central-1"; + browser = true; + rootCredentialsFile = config.age.secrets."minio.env".path; + }; + }; + } + (mkIf config.my.build.isDevVM { + virtualisation = { + forwardPorts = [ + { from = "host"; host.port = 9000; guest.port = 9000; } + { from = "host"; host.port = 9001; guest.port = 9001; } + ]; + }; + }) + ]; + }; + }; +} diff --git a/nixos/boxes/colony/vms/shill/default.nix b/nixos/boxes/colony/vms/shill/default.nix index c06c0ea..070441c 100644 --- a/nixos/boxes/colony/vms/shill/default.nix +++ b/nixos/boxes/colony/vms/shill/default.nix @@ -70,9 +70,14 @@ device = "/dev/disk/by-label/media"; fsType = "ext4"; }; + "/mnt/minio" = { + device = "/dev/disk/by-label/minio"; + fsType = "xfs"; + }; }; services = { + fstrim.enable = true; netdata.enable = true; }; 
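Review bot: `services.minio` is enabled without `dataDir`, so the module default `/var/lib/minio/data` is used and the `/mnt/minio` volume that shill bind-mounts into this container is never written to; since tmproot persists only `configDir`, bucket contents would then live on the ephemeral root. Add `dataDir = [ "/mnt/minio" ];` next to `rootCredentialsFile` (unless it is set somewhere outside this diff). `MINIO_ROOT_USER = "minioadmin"` hard-codes MinIO's well-known default root name in the unit environment alongside a `rootCredentialsFile`; if that env file sets `MINIO_ROOT_USER` the literal is dead (EnvironmentFile overrides Environment=), and if it does not, half of the only credential is public — let the secret file supply both halves and hand S3 clients scoped service accounts rather than the root pair. The three `nul.ie` URLs are also spelled out literally while the vhosts derive from `lib.my.pubDomain`; `MINIO_DOMAIN = "s3.${lib.my.pubDomain}";` and friends keep them in step when the domain changes.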
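Review bot: The new `/mnt/minio` xfs entry sets no `options`, so the volume is mounted with defaults and then handed read-write to the `object` container; a volume that only holds object blobs has no need for executables, setuid binaries or device nodes. Adding `options = [ "nosuid" "nodev" "noexec" ];` to the entry is the usual hardening for a data mount that a service writes to from inside a container. The `fileSystems` attrset starts outside the hunk, so I cannot tell whether the sibling `media` mount already does this.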
@@ -140,6 +145,11 @@ "/mnt/media".readOnly = false; }; }; + object = { + bindMounts = { + "/mnt/minio".readOnly = false; + }; + }; }; in mkMerge [ diff --git a/nixos/modules/tmproot.nix b/nixos/modules/tmproot.nix index ef2706e..5c499f3 100644 --- a/nixos/modules/tmproot.nix +++ b/nixos/modules/tmproot.nix @@ -298,6 +298,15 @@ in (persistSimpleSvc "jackett") (persistSimpleSvc "radarr") (persistSimpleSvc "sonarr") + (mkIf config.services.minio.enable { + my.tmproot.persistence.config.directories = [ + { + directory = config.services.minio.configDir; + user = "minio"; + group = "minio"; + } + ]; + }) (mkIf config.my.build.isDevVM { fileSystems = mkVMOverride { # Hijack the "root" device for persistence in the VM diff --git a/secrets/chatterbox/nul.ie.signing.key.age b/secrets/chatterbox/nul.ie.signing.key.age index a13b4e9..3251231 100644 --- a/secrets/chatterbox/nul.ie.signing.key.age +++ b/secrets/chatterbox/nul.ie.signing.key.age @@ -1,11 +1,9 @@ age-encryption.org/v1 --> ssh-ed25519 ZB3e6Q o3nZEDuOm/JC/EhJ5uRnbMMHPNwRcKwfsPFNBVCjtHk -cYKUNgQmkpTRSEm9ZINYlslv9O6MM3ujb1rNO7p7gvc --> X25519 TQ2jWod+e0a3ylj+GL8gPoScvzFdBCZcaYauY2gtsDY -pP5q3ZYkRYqSeOEHxYXzQXCfltBGKi5jMpCfSP7PPSI --> `)-v-grease fr R1 W`Y -pjfwfNM9JTJe0/mYB6OC6LtgJeIvn4RVJogageAl/djWgMVZ4DDr2kakgF3V28xf -0g ---- 4b27xLN78GCex7VdHqlJj8g+SuUlOOgZjZ4Qj8/RIsk --N/&ˀvEֶ`}DO#`ZV^D"&p -p/ݹĬiqlᅳj@i57O,䇩$F2hS \ No newline at end of file +-> ssh-ed25519 ZB3e6Q sQJFhvr8FRUhNhBMue77730wcbg28fTFnsszgerwEBo +7VzmwSkllK2wbSyFSCClvjY4X6sT6vLLPBAcXSbmnRU +-> X25519 DufjAOGVQtGU2oiDCymV7rv9bdw5Llk3KjbOj5wJxxs +9sOvYKIfp+fUKcW6zbhAU3kwaUrF9PCBlu56qmGhOss +-> m-grease s$ A ,2 =sKpm +lLRsEhRI4PsWw9K6uygWxFznKZSJUXesteKQ7hZ/wWJXkRHq +--- XYl7iGPy1+YfKOWNoZoiYvfFjctfqhWWzR4hMCWmXYU +50K2Rp)w.(rhU~w|%j͂ 9V 0d{E\Vag~"T -3\)NS"I \ No newline at end of file 
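Review bot: The tmproot persistence entry covers `config.services.minio.configDir` only; `config.services.minio.dataDir` (a list, module default `/var/lib/minio/data`) gets no entry, so any data directory that is not itself a real mount lives on the ephemeral root and is lost on reboot. Either extend the list with `++ map (d: { directory = d; user = "minio"; group = "minio"; }) config.services.minio.dataDir` or make sure every `dataDir` entry points at a dedicated mount (the `/mnt/minio` bind mount added in this commit would be one). The `mkMerge` list that this `mkIf` sits in starts outside the hunk.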
diff --git a/secrets/chatterbox/synapse.yaml.age b/secrets/chatterbox/synapse.yaml.age index 621c8c6..2bea90c 100644 Binary files a/secrets/chatterbox/synapse.yaml.age and b/secrets/chatterbox/synapse.yaml.age differ diff --git a/secrets/dhparams.pem.age b/secrets/dhparams.pem.age index c27e3a0..a182ab9 100644 Binary files a/secrets/dhparams.pem.age and b/secrets/dhparams.pem.age differ diff --git a/secrets/estuary/netdata/powerdns.conf.age b/secrets/estuary/netdata/powerdns.conf.age index 60493c3..f4df152 100644 Binary files a/secrets/estuary/netdata/powerdns.conf.age and b/secrets/estuary/netdata/powerdns.conf.age differ diff --git a/secrets/estuary/netdata/powerdns_recursor.conf.age b/secrets/estuary/netdata/powerdns_recursor.conf.age index 43f5c76..5168537 100644 Binary files a/secrets/estuary/netdata/powerdns_recursor.conf.age and b/secrets/estuary/netdata/powerdns_recursor.conf.age differ diff --git a/secrets/estuary/pdns/auth.conf.age b/secrets/estuary/pdns/auth.conf.age index 9077cb1..1d36fd0 100644 --- a/secrets/estuary/pdns/auth.conf.age +++ b/secrets/estuary/pdns/auth.conf.age @@ -1,9 +1,9 @@ age-encryption.org/v1 --> ssh-ed25519 n8CpUw AcjQZzA4G7pdhn011TXFQmTdDIQuTEfFc0mKjmPWUho -tecWVMzkggw92meDkh2tZV+lbvQCvrYr0YSV5/fCTRs --> X25519 JGc6LzCMH2LhJlUSyk4H5IDGfQNjtW9W6rz3SzoV/0Y -vGNuHYO95z5i+OVkj4TRuCxF122V/shxvD6CnGCT+kw --> g)n[I4U>-grease ^Tm {G saw -q/ODO7xmWIcsr2cMaVpEg38 ---- VHUzlGz2hT3SbnZ32S0SzBDCn3QwWxEohH9Cw3N2Je0 -.=-f˯c}}SzaPېZ7&g,GH;WVP*cѐ'-suh\KJ4 z3 \ No newline at end of file +-> ssh-ed25519 n8CpUw ACIVtxzORRq2ptG0/MNlBt83MQZJu3Pc3R/5QRpgi2A +NSO8o2fL/EDLXegZ/kkzMW4/Za79q/6QfMQ1t0Sk9BM +-> X25519 nHYed6I+w6lIxgQNPUdeO35HlHmd0tKATpvnbtB5WzU +IWRKvT2csHQplib3ms1akiqdzGS37xQ2ev45yGW5d+w +-> %YW{-grease +4/tMk8Gzztby5x5ojQXj3853G0V8t7AoZA +--- 6vzp2wJk0Eh0O33xXCLrQiNbqeV7oMgvvqrgyRMK9Mg +2ȬGhl)N˺[N p|3>m'N I?) =6`` \ No newline at end of file 
diff --git a/secrets/estuary/pdns/recursor.conf.age b/secrets/estuary/pdns/recursor.conf.age index de6b1ae..5b9f9dc 100644 Binary files a/secrets/estuary/pdns/recursor.conf.age and b/secrets/estuary/pdns/recursor.conf.age differ diff --git a/secrets/jackflix/mullvad-privkey.age b/secrets/jackflix/mullvad-privkey.age index 6c6d52c..6c8856f 100644 Binary files a/secrets/jackflix/mullvad-privkey.age and b/secrets/jackflix/mullvad-privkey.age differ diff --git a/secrets/middleman/cloudflare-credentials.conf.age b/secrets/middleman/cloudflare-credentials.conf.age index a19253f..550d4a9 100644 Binary files a/secrets/middleman/cloudflare-credentials.conf.age and b/secrets/middleman/cloudflare-credentials.conf.age differ diff --git a/secrets/middleman/nginx-sso.yaml.age b/secrets/middleman/nginx-sso.yaml.age index e14aa75..9b6f53a 100644 Binary files a/secrets/middleman/nginx-sso.yaml.age and b/secrets/middleman/nginx-sso.yaml.age differ diff --git a/secrets/minio.env.age b/secrets/minio.env.age new file mode 100644 index 0000000..c941d28 --- /dev/null +++ b/secrets/minio.env.age @@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> ssh-ed25519 hkbtvg IrwZ+4sEJvFpB/zrFR/8Lu4GgpPppm84IYOAP7QWH0o +Px7RM+aKmjRQKdr0Ta/v+s9M+rRvRTNs9YYaZnNeORk +-> X25519 lSIE40xvHLkKFMCgsKjVhbxYfv7ddDJ3xyMlcDdxgxU +sc+2ibxqyLtlcpFUPCab+x4imPjuedQadA4b1Qg63a4 +-> [J"78S~E-grease S||B(wq} suB8~I ~?E@d} +/3IplD0a0o3phrEIX85CAVkFRvLcCh3ncK/0Reur0bvKsqOjg37KH+Az5dDh2h9D +63kpJpGxwNKlRntnWQWxeYN2PN3cZrggH25/EJuJT3td2Q +--- a+cb3+9Z7WWk6vGGaiXz11G2fKUqLbYuUPyzturVFXY +CEB(c#Y$J4g*t~)h:H`ݷa' <Ark+DwcLK3mĽ \ No newline at end of file diff --git a/secrets/pdns-file-records.key.age b/secrets/pdns-file-records.key.age index 43ad5c1..ed4f193 100644 Binary files a/secrets/pdns-file-records.key.age and b/secrets/pdns-file-records.key.age differ 
diff --git a/secrets/user-passwd.txt.age b/secrets/user-passwd.txt.age index 7a12975..256ca16 100644 Binary files a/secrets/user-passwd.txt.age and b/secrets/user-passwd.txt.age differ diff --git a/secrets/vaultwarden.env.age b/secrets/vaultwarden.env.age index 4839fdf..ca5d5f6 100644 Binary files a/secrets/vaultwarden.env.age and b/secrets/vaultwarden.env.age differ