diff --git a/.github/workflows/publish-terraform.yaml b/.github/workflows/publish-terraform.yaml
new file mode 100644
index 000000000..39800fa83
--- /dev/null
+++ b/.github/workflows/publish-terraform.yaml
@@ -0,0 +1,59 @@
+---
+name: "Publish Terraform"
+
+on:
+ workflow_dispatch:
+ push:
+ branches: ["main"]
+ paths: ["terraform/**"]
+
+jobs:
+ publish-terraform:
+ name: Publish Terraform
+ runs-on: ubuntu-latest
+ permissions:
+ packages: write
+ id-token: write
+ steps:
+ - name: Generate Token
+ uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
+ id: generate-token
+ with:
+ app_id: "${{ secrets.BOT_APP_ID }}"
+ private_key: "${{ secrets.BOT_APP_PRIVATE_KEY }}"
+
+ - name: Checkout
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ with:
+ token: "${{ steps.generate-token.outputs.token }}"
+
+ - name: Setup Homebrew
+ uses: Homebrew/actions/setup-homebrew@master
+
+ - name: Setup Tools
+ shell: bash
+ run: brew install cosign fluxcd/tap/flux
+
+ - name: Login to GitHub Container Registry
+ uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+ with:
+ registry: ghcr.io
+ username: "${{ github.actor }}"
+ password: "${{ secrets.GITHUB_TOKEN }}"
+
+ - name: Generate tag
+ id: generate-tag
+ shell: bash
+ run: echo "tag=ghcr.io/${{ github.repository_owner }}/manifests/terraform:$(git rev-parse --short HEAD)" >> "${GITHUB_OUTPUT}"
+
+ - name: Publish manifests
+ shell: bash
+ run: |
+ flux push artifact oci://${{ steps.generate-tag.outputs.tag }} \
+ --path="./terraform" \
+ --source="$(git config --get remote.origin.url)" \
+ --revision="$(git branch --show-current)/$(git rev-parse HEAD)"
+
+ - name: Tag manifests
+ shell: bash
+ run: flux tag artifact oci://${{ steps.generate-tag.outputs.tag }} --tag main
diff --git a/.sops.yaml b/.sops.yaml
index 58a71ebdd..9f0ee60e7 100644
--- a/.sops.yaml
+++ b/.sops.yaml
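Review bot: The Setup Homebrew step uses `Homebrew/actions/setup-homebrew@master`, the only action in this job pinned to a mutable branch while the other three are pinned to commit SHAs with a version comment; in a job that holds `packages: write` and publishes artifacts, that step can change underneath the workflow without any diff here. Pin it the same way as the others, `uses: Homebrew/actions/setup-homebrew@<commit-sha> # <version>`. The job also requests `id-token: write` and installs cosign, yet no step signs or verifies the pushed artifact, so either a signing step is missing or that permission and the cosign install can be dropped. The Generate Token step mints a GitHub App token only to hand it to checkout of the same repository on a push event, which the default GITHUB_TOKEN already covers unless something downstream needs the app identity; if it is intentional, a one-line comment above the step saying why would save the next reader the question.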
@@ -1,15 +1,15 @@
+---
 creation_rules:
- - path_regex: kubernetes/.*\.sops\.ya?ml
- encrypted_regex: ^(data|stringData)$
- key_groups:
- - age:
- - age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
- - path_regex: ansible/.*\.sops\.ya?ml
- unencrypted_regex: ^(kind)$
- key_groups:
- - age:
- - age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
- - path_regex: .*\.sops\.ya?ml
- key_groups:
- - age:
- - age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
+ - path_regex: kubernetes/.*\.sops\.ya?ml
+ encrypted_regex: "^(data|stringData)$"
+ key_groups:
+ - age:
+ - age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
+ - path_regex: kubernetes/.*\.sops\.(env|ini|json|toml)
+ key_groups:
+ - age:
+ - age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
+ - path_regex: (ansible|terraform)/.*\.sops\.ya?ml
+ key_groups:
+ - age:
+ - age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
diff --git a/terraform/storage/minio/main.tf b/terraform/storage/minio/main.tf
new file mode 100644
index 000000000..fa116a413
--- /dev/null
+++ b/terraform/storage/minio/main.tf
@@ -0,0 +1,28 @@
+terraform {
+ cloud {
+ hostname = "app.terraform.io"
+ organization = "onedr0p"
+ workspaces {
+ name = "arpa-home-storage"
+ }
+ }
+ required_providers {
+ kubernetes = {
+ source = "hashicorp/kubernetes"
+ version = "2.23.0"
+ }
+ sops = {
+ source = "carlpett/sops"
+ version = "1.0.0"
+ }
+ time = {
+ source = "hashicorp/time"
+ version = "0.9.1"
+ }
+ }
+ required_version = ">= 1.3.0"
+}
+
+data "sops_file" "secrets" {
+ source_file = "secrets.sops.yaml"
+}
diff --git a/terraform/storage/minio/providers.tf b/terraform/storage/minio/providers.tf
new file mode 100644
index 000000000..8067e2347
--- /dev/null
+++ b/terraform/storage/minio/providers.tf
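Review bot: The merged `(ansible|terraform)/.*\.sops\.ya?ml` rule drops the `unencrypted_regex: ^(kind)$` that the old ansible-only rule carried, so any ansible sops file created or re-keyed under the new rule will have `kind` encrypted as well; if ansible tooling reads that key in plaintext this is a behaviour change the commit does not mention. If that is not intended, restore it on the merged rule as `unencrypted_regex: "^(kind)$"`; if it is intended, a comment above the rule saying so would stop the next reader from re-adding it. Removing the old catch-all `.*\.sops\.ya?ml` rule means a sops file outside `kubernetes/`, `ansible/` or `terraform/` now matches no rule, which fails closed at encryption time rather than silently using the key, so that part is fine. A minor style point: only `encrypted_regex` is quoted while the regex values on `path_regex` are not; either both or neither reads more consistently.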
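Review bot: `required_providers` pins kubernetes, sops and time but has no entry for `aws`, even though providers.tf in this same commit configures `provider "aws"` and svc_volsync.tf declares `aws_*` resources; Terraform will resolve it implicitly from hashicorp/aws at whatever version is newest at init time, making it the one unpinned provider in a block that otherwise pins everything. Add it next to the others, `aws = { source = "hashicorp/aws", version = "<pinned version>" }`, so a provider major-version change cannot break the plan unannounced. Conversely, the `kubernetes` provider is required but nothing in this diff uses it; if it is reserved for later work a short comment would help, otherwise it can be dropped.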
@@ -0,0 +1,12 @@
+provider "aws" {
+ access_key = "your_access_key"
+ secret_key = "your_secret_key"
+ region = "us-east-1"
+ endpoints {
+ s3 = "base64decode(data.sops_file.secrets.data["minio_endpoint"])"
+ }
+ skip_credentials_validation = true
+ skip_metadata_api_check = true
+ skip_requesting_account_id = true
+ s3_force_path_style = true
+}
diff --git a/terraform/storage/minio/secrets.sops.yaml b/terraform/storage/minio/secrets.sops.yaml
new file mode 100644
index 000000000..826e90cb4
--- /dev/null
+++ b/terraform/storage/minio/secrets.sops.yaml
@@ -0,0 +1,23 @@
+minio_endpoint: ENC[AES256_GCM,data:Lx05cjWbTqmXpGMVjJIuFS0blA7m9P0gJH0p+Z8OteM=,iv:SvcuQojEK4nMXY+80oSGSnovKtN221xgGtRHd0U5OaA=,tag:UrWetEvmP4qkBo5kMfzALg==,type:str]
+minio_root_user: ENC[AES256_GCM,data:9n5EvcU=,iv:hMpFlmvwYcjHdcdg6zNfHimjhltgTUe7nBUMV6HQi/U=,tag:nSwSU0ebzbH1SWR0ULLhKg==,type:str]
+minio_root_password: ENC[AES256_GCM,data:TE4Etq58bqOdB6ya13cLfZBdgnI=,iv:y0UF4eC1Gx6zdNEuXTS5GbiYran45w63YjEu4od+ExY=,tag:Qyk+r8NIMc3NltagK5Rrjw==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPVy9DRjhqOW05Wm4rNXZo
+ bFJxem9UZjNSQW5UaTRZaWQ1clZQSHJrNHpVCmo3Y0RPd1BRRC9ZZHJ0SndSUXJv
+ UkpPWTNOUWFPL1hCUGJrTFBPZml5QncKLS0tIGI5UUJKMXR0d1d3ZzRDSURuWVFl
+ ZFlyQ1lGbnVPaSs4cytQYzNwRnJabmcKP0ogZqsaoD6heCqmObwttBgE039aLqe2
+ R55NPkQJJyFSbDbdDmPApE4IwtXay54QGw2RR4AxOZW4G2dWhdzP3w==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2023-11-16T01:41:33Z"
+ mac: ENC[AES256_GCM,data:PBr4A9D6grWs7HgMGloDnDOhhT4/v4PvyqFxhdfzsm38FfZomceh7PpfMbdEH/Fv6Jsv9Z8f7aWTCt4IiSCGENJyZSGIL14ABDw/ao44Q1wtsh2Axjm4KWPr1iWWtu/Cbdv22vdbK2hlM0sXkCfiPboWIkVpaFTQQ5EW7+stryw=,iv:2Vdp7i4EdL/LVo9BD3PVCn5lan/J0khVdOcIIv66ayE=,tag:X5LdJESAcdDRXOQNlYoP3A==,type:str]
+ pgp: []
+ unencrypted_regex: ^(kind)$
+ version: 3.8.1
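Review bot: The `s3` endpoint inside `endpoints` is written as a quoted string, `"base64decode(data.sops_file.secrets.data["minio_endpoint"])"`, so it is never evaluated as an expression, and the nested double quotes will most likely make HCL fail to parse the file before that matters; it should be `s3 = base64decode(data.sops_file.secrets.data["minio_endpoint"])`. `access_key` and `secret_key` are still the literal placeholders `"your_access_key"` / `"your_secret_key"`, which are sent as real SigV4 credentials on every request and will be rejected unless a MinIO user with exactly those values exists; the decrypted `minio_root_user` / `minio_root_password` in secrets.sops.yaml look intended to fill them, e.g. `access_key = data.sops_file.secrets.data["minio_root_user"]` (presumably without the base64 step used for the endpoint — confirm against how the secret was written). `s3_force_path_style` has been replaced by `s3_use_path_style` in recent major releases of the AWS provider, and since main.tf does not pin the provider version the argument may be rejected at init; pinning the version and using the current argument name avoids that.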
diff --git a/terraform/storage/minio/svc_volsync.tf b/terraform/storage/minio/svc_volsync.tf
new file mode 100644
index 000000000..ee51cf042
--- /dev/null
+++ b/terraform/storage/minio/svc_volsync.tf
@@ -0,0 +1,37 @@
+resource "aws_s3_bucket" "volsync" {
+ bucket = "volsync"
+ acl = "private"
+}
+
+resource "aws_iam_user" "volsync_user" {
+ name = "volsync"
+}
+
+resource "aws_iam_policy" "volsync_private" {
+ name = "volsync_private"
+ description = "Policy for volsync user to access volsync bucket"
+
+ policy = jsonencode({
+ Version = "2012-10-17",
+ Statement = [
+ {
+ Action = [
+ "s3:ListBucket",
+ "s3:PutObject",
+ "s3:GetObject",
+ "s3:DeleteObject"
+ ],
+ Effect = "Allow",
+ Resource = [
+ "arn:aws:s3:::volsync/*",
+ "arn:aws:s3:::volsync"
+ ]
+ }
+ ]
+ })
+}
+
+resource "aws_iam_user_policy_attachment" "volsync_user_policy_attachment" {
+ user = aws_iam_user.volsync_user.name
+ policy_arn = aws_iam_policy.volsync_private.arn
+}
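Review bot: The three IAM resources (`aws_iam_user`, `aws_iam_policy`, `aws_iam_user_policy_attachment`) are served by the provider's `iam` service endpoint, and providers.tf in this commit only overrides `s3` in its `endpoints` block, so as written these calls would go to the public AWS IAM API with the placeholder credentials rather than to MinIO. MinIO manages users and policies through its own admin API rather than the AWS IAM API, so this likely needs a MinIO-specific provider or, if MinIO exposes a compatible IAM endpoint in this setup, an `iam = ...` entry alongside `s3`; worth confirming before the first apply. `acl = "private"` inline on `aws_s3_bucket` is deprecated in current AWS provider majors in favour of a separate ACL resource, which matters here because the provider version is not pinned in main.tf. The policy itself is tightly scoped to the `volsync` bucket and its objects, which is the right shape.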