<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>s3-orchestrator guides :: s3-orchestrator</title><link>https://s3-orchestrator.munchbox.cc/guides/index.html</link><description>Step-by-step tutorials for common operations and deployment patterns. Nomad/k8s Full Stack Demo Stand up a complete environment with Nomad or Kubernetes, three MinIO backends, and full observability in minutes.
Maximizing Free Tiers Combine free-tier storage from multiple cloud providers into a single pool without exceeding any provider's limits.
Understanding Replication How the replicator works, target selection, side-effects, over-replication cleanup, and monitoring.
Local to Cloud Replication Automatically back up a local MinIO instance to the cloud with no sync scripts or additional tooling.</description><generator>Hugo</generator><language>en-us</language><atom:link href="https://s3-orchestrator.munchbox.cc/guides/index.xml" rel="self" type="application/rss+xml"/><item><title>Nomad/k8s Full Stack Demo</title><link>https://s3-orchestrator.munchbox.cc/guides/local-demo/index.html</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://s3-orchestrator.munchbox.cc/guides/local-demo/index.html</guid><description>This guide walks through running the S3 Orchestrator demo environment on your local machine. The demo stands up a fully functional instance with three MinIO backends, PostgreSQL, and a complete observability stack (Prometheus, Grafana, Tempo, Loki). Two orchestrators are available: Nomad and Kubernetes (via k3d). Both expose the same functionality — pick whichever you prefer.
Prerequisites Both demos require:</description></item><item><title>Encrypting Existing Data</title><link>https://s3-orchestrator.munchbox.cc/guides/encrypting-existing-data/index.html</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://s3-orchestrator.munchbox.cc/guides/encrypting-existing-data/index.html</guid><description>This guide walks through enabling server-side encryption on an S3 Orchestrator instance that already has unencrypted objects stored across its backends.
Overview When you enable encryption, only new objects are encrypted automatically. Existing objects remain unencrypted until you explicitly encrypt them via the /admin/api/encrypt-existing endpoint. This is a one-time operation that processes all unencrypted objects in batches.</description></item><item><title>Key Rotation</title><link>https://s3-orchestrator.munchbox.cc/guides/key-rotation/index.html</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://s3-orchestrator.munchbox.cc/guides/key-rotation/index.html</guid><description>This guide walks through rotating the encryption master key on a running S3 Orchestrator. Key rotation re-wraps data encryption keys (DEKs) with a new master key - it’s a metadata-only operation and is fast regardless of object sizes.
Overview S3 Orchestrator uses envelope encryption: each object has its own DEK, and the DEK is encrypted (wrapped) with the master key. Key rotation replaces the master key used to wrap DEKs without touching the object data itself.</description></item><item><title>Maximizing Free Tiers</title><link>https://s3-orchestrator.munchbox.cc/guides/maximizing-free-tiers/index.html</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://s3-orchestrator.munchbox.cc/guides/maximizing-free-tiers/index.html</guid><description>This guide walks through combining free-tier object storage from multiple cloud providers into a single, larger storage pool using S3 Orchestrator, from creating provider accounts to connecting your first application.
Overview Most S3-compatible providers offer a free tier with a limited amount of storage and API requests. Individually these allocations are small, but S3 Orchestrator lets you stack them behind a single endpoint. The orchestrator handles routing writes to backends with available quota, overflowing to the next backend when one fills up.</description></item><item><title>Understanding Replication</title><link>https://s3-orchestrator.munchbox.cc/guides/replication-guide/index.html</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://s3-orchestrator.munchbox.cc/guides/replication-guide/index.html</guid><description>This guide explains how the S3 Orchestrator replication system works under the hood — how replicas are created, where they are placed, what side-effects to expect, and how to monitor and tune the process.
For scenario-based walkthroughs, see Local to Cloud Replication or Simple Multi-Cloud Redundancy.
Overview Replication keeps multiple copies of each object across different backends. When a backend becomes unavailable, reads automatically fail over to a replica — no client-side changes required.</description></item><item><title>Event Notifications</title><link>https://s3-orchestrator.munchbox.cc/guides/event-notifications/index.html</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://s3-orchestrator.munchbox.cc/guides/event-notifications/index.html</guid><description>This guide explains how to configure webhook notifications so external systems are informed when objects are created, deleted, or when operational events occur (circuit breaker trips, capacity warnings, replication completions, etc.).
Overview The S3 Orchestrator delivers CloudEvents 1.0 JSON payloads to one or more webhook endpoints via HTTP POST. Events are durably persisted in a notification outbox table before delivery, so notifications survive restarts and are retried with exponential backoff on failure. A background worker drains the outbox every 2 seconds under an advisory lock, making it safe to run multiple orchestrator instances.</description></item><item><title>Local to Cloud Replication</title><link>https://s3-orchestrator.munchbox.cc/guides/minio-cloud-replication/index.html</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://s3-orchestrator.munchbox.cc/guides/minio-cloud-replication/index.html</guid><description>This guide shows how to automatically replicate objects from a local MinIO instance to a cloud backend using S3 Orchestrator, with no additional tooling or sync scripts required.
Overview MinIO is a popular self-hosted S3-compatible object store, but local storage carries risk - hardware failures, power loss, or site disasters can cause data loss. By placing S3 Orchestrator in front of your MinIO instance and adding a single cloud backend with a replication factor of 2, every object you write to MinIO is automatically copied to the cloud in the background.</description></item><item><title>Simple Multi-Cloud Redundancy</title><link>https://s3-orchestrator.munchbox.cc/guides/multi-cloud-redundancy/index.html</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://s3-orchestrator.munchbox.cc/guides/multi-cloud-redundancy/index.html</guid><description>This guide shows how to set up transparent multi-cloud redundancy so that every object is stored across multiple providers, with no changes required to your applications or S3 clients.
Overview Relying on a single cloud provider for object storage means a provider outage, account suspension, or policy change can make your data inaccessible. S3 Orchestrator solves this by replicating objects across multiple S3-compatible providers behind a single endpoint.</description></item><item><title>Deploying on Nomad with Vault</title><link>https://s3-orchestrator.munchbox.cc/guides/nomad-vault-deployment/index.html</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://s3-orchestrator.munchbox.cc/guides/nomad-vault-deployment/index.html</guid><description>This guide walks through deploying S3 Orchestrator as a HashiCorp Nomad job with secrets managed by HashiCorp Vault. Nomad’s template stanza renders the configuration file at deploy time, pulling credentials from Vault so that no secrets are stored in the job definition or checked into version control.
Overview The deployment uses three HashiCorp components:
Nomad schedules and runs the orchestrator container
Vault stores all secrets (database credentials, backend access keys, UI credentials) and provides Transit encryption keys
Consul provides service discovery so the orchestrator can find PostgreSQL, Vault, and Tempo by DNS name
The orchestrator runs as a Docker container on Nomad. At startup, Nomad’s template stanza fetches secrets from Vault’s KV store and renders a complete config.yaml into the task’s secrets directory. The container reads this file and never sees Vault directly (except for Transit encryption, which uses a Vault token for ongoing key operations).</description></item><item><title>Deploying with systemd</title><link>https://s3-orchestrator.munchbox.cc/guides/systemd-deployment/index.html</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://s3-orchestrator.munchbox.cc/guides/systemd-deployment/index.html</guid><description>This guide walks through installing S3 Orchestrator as a systemd service on a bare-metal or virtual machine using the Debian package. The package ships a systemd unit, sample configuration, and maintainer scripts that create a dedicated system user with filesystem hardening out of the box.
Overview The Debian package installs:
/usr/bin/s3-orchestrator — the statically linked binary
/etc/s3-orchestrator/config.yaml — sample configuration (preserved on upgrade)
/etc/default/s3-orchestrator — environment variable overrides for secrets
/usr/lib/systemd/system/s3-orchestrator.service — systemd unit with security hardening
/var/lib/s3-orchestrator/ — working directory for the service user
The package maintainer scripts create a dedicated s3-orchestrator system user and group, enable the service, but do not start it — giving you a chance to configure everything first.</description></item></channel></rss>