Object Storage
Cloud OS embeds a MinIO server so the node ships with a ready-to-use S3-compatible endpoint. Use it as the destination for the built-in backup engine, as a CDN backend for static assets, or as a drop-in target for any tool that already speaks the S3 API.
The page lives at Infra → Object Storage (/storage/objects).
What you get
- An S3 API on 127.0.0.1:9000 plus the MinIO web console on 127.0.0.1:9001.
- Per-bucket size + object count, refreshed every 30 seconds.
- Service-account access keys (the per-app credentials you give to external tools) with one-click revoke.
- One-click “Expose via Reverse Proxy” if the proxy manager is enabled.
Buckets
Click New bucket to mint one. Pick:
- Private — clients must sign every request with an access key.
- Public — Cloud OS attaches an anonymous s3:GetObject policy so any URL like https://s3.example.com/cdn/logo.png is downloadable without credentials. Use this for static assets, never for sensitive data.
Bucket size + object count come from MinIO’s data-usage scanner. Fresh
buckets show 0 / — until the scanner sweeps them (usually a couple
of minutes after first write).
The trash icon deletes a bucket. MinIO refuses to drop non-empty
buckets — empty the bucket first via the console, the S3 API, or
mc rb --force.
Access keys
Object Storage uses MinIO’s service accounts as access keys. Each key is a stand-alone credential pair you can give to one app — when that app is decommissioned, revoke its key without touching anyone else’s.
Click Create key, give it a memorable name (backup-agent,
grafana-tempo, ci-pipeline), optionally paste a custom IAM policy
JSON, and submit. Cloud OS then shows you the secret exactly once
in a modal. Copy it now — there is no way to retrieve it later. If you
lose the secret, revoke the key and create a new one.
| Field | Description |
|---|---|
| Access key | The “username” — quazzar-XXXXXXXXXX style identifier. |
| Secret key | The “password” — long random string, shown once. |
| Policy JSON | Optional. When empty, the key inherits the parent user’s full permissions, which is fine for trusted apps but should be tightened for anything internet-facing. |
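One way to check a custom policy before pasting it into the Create key form, as an added example that is not part of Cloud OS or MinIO. The function name `lint_policy`, the action subsets and the over-broad sample are assumptions made for illustration; the first sample is the read-only `photos` policy this page gives as its example.

```python
import json
PREFIX = "arn:aws:s3:::"
# Which ARN shape each action needs (small subset, chosen for this example).
BUCKET_ACTIONS = {"s3:ListBucket", "s3:GetBucketLocation"}
OBJECT_ACTIONS = {"s3:GetObject", "s3:PutObject", "s3:DeleteObject"}

def as_list(value):
    """IAM accepts either one string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value or [])

def lint_policy(policy_json, allowed_buckets):
    """Return findings for one policy; an empty list means it is tightly scoped."""
    findings = []
    statements = json.loads(policy_json).get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {i}: NotAction/NotResource grants by exclusion")
        actions = as_list(stmt.get("Action"))
        bucket_arns, object_arns = set(), set()
        for action in actions:
            if "*" in action:
                findings.append(f"statement {i}: wildcard action {action!r}")
        for res in as_list(stmt.get("Resource")):
            name = res[len(PREFIX):] if res.startswith(PREFIX) else res
            bucket = name.split("/", 1)[0]
            if "*" in bucket or bucket not in allowed_buckets:
                findings.append(f"statement {i}: {res!r} is outside the allowed buckets")
            elif "/" in name:
                object_arns.add(bucket)   # arn:aws:s3:::bucket/key-pattern
            else:
                bucket_arns.add(bucket)   # arn:aws:s3:::bucket
        if BUCKET_ACTIONS & set(actions) and not bucket_arns:
            findings.append(f"statement {i}: bucket-level action without a bucket ARN")
        if OBJECT_ACTIONS & set(actions) and not object_arns:
            findings.append(f"statement {i}: object-level action without a bucket/* ARN")
    return findings

# The read-only policy from this page, then a constructed over-broad one.
PAGE_POLICY = """{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Action": ["s3:GetObject", "s3:ListBucket"],
  "Resource": ["arn:aws:s3:::photos", "arn:aws:s3:::photos/*"]}]}"""
BROAD_POLICY = """{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Action": "s3:*", "Resource": "arn:aws:s3:::*"}]}"""

if __name__ == "__main__":
    print(lint_policy(PAGE_POLICY, {"photos"}) or "ok", lint_policy(BROAD_POLICY, {"photos"}))
```

The page's policy lists both `arn:aws:s3:::photos` and `arn:aws:s3:::photos/*` because `s3:ListBucket` is evaluated against the bucket ARN and `s3:GetObject` against object ARNs; the linter reports a policy that has one without the other.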
Example IAM policy
Read-only on a single bucket:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["s3:GetObject", "s3:ListBucket"],
"Resource": [
"arn:aws:s3:::photos",
"arn:aws:s3:::photos/*"
]
}
]
}
Endpoint info
The Endpoint panel shows the bind addresses Cloud OS uses today:
- S3 API — what your tools point at. The default is http://127.0.0.1:9000.
- Web console — the official MinIO admin UI for power users (advanced policy editing, replication, etc).
- Region — us-east-1 by default. The S3 protocol requires some region; this is the convention.
Expose via Reverse Proxy
By default the S3 API listens only on the loopback. If you want
s3.example.com to resolve to it from the public internet:
- Make sure DNS for the domain points at this node.
- Type the domain into the Endpoint panel and click Expose.
- Cloud OS POSTs a route to the Reverse Proxy Manager so traffic for that hostname is forwarded to 127.0.0.1:9000 with TLS terminated by the proxy’s automatic Let’s Encrypt cert.
If the Reverse Proxy Manager is not enabled on the node you’ll see “Reverse Proxy is not enabled on this node” — install it from the Infra → Reverse Proxy page first, then retry.
Connecting an external tool
Most S3 SDKs accept four parameters. For the AWS CLI:
aws configure set aws_access_key_id quazzar-XXXXXXXXXX
aws configure set aws_secret_access_key '<the secret you saved>'
aws --endpoint-url https://s3.example.com s3 ls
For the official MinIO client mc:
mc alias set quazzar https://s3.example.com quazzar-XXXXXXXXXX '<secret>'
mc ls quazzar/photos
Operational notes
- Where data lives. All bucket data sits under /var/lib/quazzar/objects/. Snapshot or back up that directory if you need point-in-time recovery — MinIO keeps it self-consistent.
- Root credentials. The MinIO root credentials (used internally by the admin client; you generally never touch them) live in /etc/quazzar/minio.env (mode 0600). They are generated on first boot and persist across restarts so clients don’t have to re-pair.
- Reload semantics. When Cloud OS mutates MinIO config files, it asks the supervisor to systemctl reload quazzar-minio rather than restart — open S3 connections aren’t dropped.
- Binary install. The MinIO single-binary is not vendored in the Cloud OS package. Install it from the official downloads onto $PATH (most packagers drop it at /usr/local/bin/minio). Cloud OS supervises it but does not install it for you.