Ubicloud is an open source infrastructure-as-a-service (IaaS) platform that replicates core AWS services—such as elastic compute, block storage, managed PostgreSQL, and networking—on bare metal servers from providers like Hetzner, Leaseweb, and AWS Bare Metal. It’s designed for developers and teams seeking to reduce cloud costs by up to 70%, avoid vendor lock-in, and regain control over their infrastructure without sacrificing cloud convenience. Built with Ruby, PostgreSQL, and Roda, it provides a control plane that manages Linux-based data plane nodes using Cloud Hypervisor and SPDK.
Ubicloud supports both self-hosted and managed deployments. The control plane reaches data plane hosts over SSH to provision VMs under Cloud Hypervisor, encrypts inter-host traffic with IPsec, and builds firewalls and load balancers on nftables. Block storage is powered by SPDK with encryption at rest. The web console is built with Tailwind CSS and Roda, and authentication is handled by Rodauth. It integrates natively with GitHub Actions for ephemeral CI runners and supports ABAC for fine-grained access control.
What You Get
- Elastic Compute - Provision VMs on bare metal with Cloud Hypervisor, each confined in its own Linux namespaces for isolation, with IPv4/IPv6 dual-stack networking.
- Block Storage (non-replicated) - Virtualized block devices powered by SPDK (Storage Performance Development Toolkit) with encryption at rest and extensible for future snapshot and replication features.
- Managed PostgreSQL - Fully managed PostgreSQL with automatic backups, point-in-time restore (PITR), and high availability, with performance matching or exceeding RDS at roughly a third of the cost.
- Attribute-Based Access Control (ABAC) - Fine-grained permissions derived from attributes and roles of the requesting principal and the target resource, evaluated at request time across every resource type.
- Virtual Networking with nftables - Private and public networks with IPv4/IPv6 dual-stack, IPsec tunneling for encryption in transit, and flexible firewall rules using Linux nftables.
- GitHub Actions Integration - Managed CI runners that replace AWS CodeBuild/GitHub-hosted runners, offering isolated, ephemeral VMs per job with 10x cost reduction and Arm support.
- IPv6 & Tunnel Broker Support - Every VM is automatically assigned an IPv6 address, with built-in support for Hurricane Electric and Mullvad tunnels so operators whose ISP provides only IPv4 can still obtain the IPv6 connectivity the platform relies on.
- Self-Hosted Control Plane - Deploy Ubicloud’s Ruby-based control plane (Roda + Sequel + Rodauth) on your own infrastructure using Docker Compose or bare metal, with full API and CLI access.
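The Virtual Networking bullet above describes per-VM firewalls built on nftables. What follows is an added example, not Ubicloud's own code, of the rendering step a control plane needs before it can hand stored firewall rules to nftables: the rules arrive as untrusted data, so every CIDR, protocol and port is validated before it is interpolated into the ruleset text. The rule struct, table name and sample rules are constructed for this example.

```ruby
require "ipaddr"

# Added example, not Ubicloud's own code: render a per-VM nftables ruleset from
# user-supplied firewall rules. Every field is validated before it is interpolated
# into the text that would later be fed to `nft -f`, because nft's parser treats a
# stray ";" or newline in that text as the start of a new statement.

PROTOCOLS = %w[tcp udp].freeze

# A rule as a control plane might store it; every field is untrusted (constructed).
FirewallRule = Struct.new(:cidr, :proto, :port_start, :port_end, keyword_init: true)

# Parse and validate one rule, raising ArgumentError (IPAddr's errors subclass it)
# instead of rendering anything unexpected. Returns [network, proto, port_text].
def validate_rule!(rule)
  net = IPAddr.new(rule.cidr.to_s)   # rejects anything that is not an address or CIDR
  raise ArgumentError, "unsupported protocol #{rule.proto.inspect}" unless PROTOCOLS.include?(rule.proto)
  ps, pe = rule.port_start, rule.port_end
  unless ps.is_a?(Integer) && pe.is_a?(Integer) && (0..65_535).cover?(ps) && (ps..65_535).cover?(pe)
    raise ArgumentError, "bad port range #{ps.inspect}-#{pe.inspect}"
  end
  [net, rule.proto, ps == pe ? ps.to_s : "#{ps}-#{pe}"]
end

# Canonical CIDR text. IPAddr has already cleared the host bits (10.1.2.3/8 is
# stored as 10.0.0.0/8), so the output is normalised however the rule was typed.
def cidr_text(net)
  "#{net}/#{net.prefix}"
end

# Render the ruleset: default-deny on input, allow return traffic and loopback,
# then one accept line per validated rule, all inside a dedicated table.
def render_ruleset(rules, table: "vm_fw")
  raise ArgumentError, "bad table name" unless table.match?(/\A[a-z_][a-z0-9_]*\z/)
  lines = rules.map do |r|
    net, proto, ports = validate_rule!(r)
    "    #{net.ipv4? ? "ip" : "ip6"} saddr #{cidr_text(net)} #{proto} dport #{ports} accept"
  end
  <<~NFT
    table inet #{table} {
      chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif "lo" accept
    #{lines.join("\n")}
      }
    }
  NFT
end

if __FILE__ == $0
  # Constructed sample rules: admin SSH from one /24, a UDP range from an IPv6 block.
  sample = [
    FirewallRule.new(cidr: "203.0.113.0/24", proto: "tcp", port_start: 22, port_end: 22),
    FirewallRule.new(cidr: "2001:db8::/32", proto: "udp", port_start: 5000, port_end: 5100),
  ]
  puts render_ruleset(sample)
end
```

Loading the rendered text with nft -f applies it as a single transaction, so a VM never runs with a half-updated ruleset. The validation is what keeps that text trustworthy: nft's grammar uses ";" and newlines as statement separators, so an unvalidated CIDR such as 0.0.0.0/0; flush ruleset would be parsed as two statements, the second of which drops every rule on the host.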
Common Use Cases
- Running CI/CD pipelines with GitHub Actions - Engineering teams replace expensive GitHub-hosted runners with Ubicloud’s ephemeral VMs, cutting CI costs by 10x while gaining faster CPUs and full isolation.
- Deploying high-performance PostgreSQL workloads - Data teams migrate from AWS RDS to Ubicloud’s managed PostgreSQL to reduce costs by 3x while maintaining PITR, HA, and performance without vendor lock-in.
- Hosting compute-intensive workloads on bare metal - ML engineers and data scientists run memory-heavy training jobs or data processing tasks on dedicated VMs with lower latency and higher IOPS than public cloud.
- Building compliant, private clouds for regulated industries - Organizations with data sovereignty requirements deploy Ubicloud on local Hetzner or Leaseweb servers to maintain full control over infrastructure and encryption keys.
Under The Hood
Architecture
- Modular Roda application with a hierarchical routing tree that keeps API endpoints, authentication, and per-resource handlers separate, dispatching provider-specific work through plugins
- Domain-specific libraries enforce separation of concerns, covering recursive tag-based access control, billing logic, and async monitoring with thread-safe queue management
- Provider implementations are loaded through Ruby module inclusion, so each provider only has to satisfy the contract the shared code expects
- ORM layer built on Sequel with explicit access patterns, column-level encryption of secrets (Sequel's column_encryption plugin), and avoidance of monolithic models
- Event-driven monitoring system decouples data collection from reporting using dedicated resource types and thread pools
- Multi-stage Docker builds isolate frontend and backend environments with non-root execution for enhanced security
Tech Stack
- Ruby backend powered by Roda and Rodauth for routing and authentication, with Sequel and PostgreSQL as the core data layer
- Frontend built with Tailwind CSS and Node.js, leveraging modern utility-first styling and asset pipeline tooling
- Comprehensive testing suite with RSpec, Capybara, and WebMock, including parallelized execution and cache-aware test configuration
- Deep AWS integration via official SDKs and custom IAM-based database authentication
- Production deployment uses Puma with Foreman and environment-aware configuration loaded from Ruby .env.rb files
- Code quality maintained through StandardRB, RuboCop with custom plugins, and automated formatting and static analysis
Code Quality
- Extensive test coverage spanning unit, integration, and end-to-end scenarios with golden-file validation and robust mocking
- Clear modular structure using domain-focused Ruby modules and metaprogrammed models to reduce boilerplate
- Robust error handling with custom exception hierarchies and runtime validations to prevent invalid state transitions
- Consistent naming, explicit model definitions, and database-enforced integrity through UUID primary keys and constraints
- Automated linting, spec helpers, and CLI output validation ensure uniformity and reliability across the codebase
What Makes It Unique
- Recursive tag-based access control that resolves nested tag membership, and detects cycles in it, with a recursive SQL CTE rather than application-level recursion
- Distributed resource processing coordinated through PostgreSQL itself (NOTIFY/LISTEN), so worker processes scale horizontally without a separate coordination service
- Unified monitoring and telemetry framework with thread-pooled job processing and stuck-pulse detection
- Built-in self-signed certificate generation with EC or RSA keys and CA extensions, removing the dependency on external TLS tooling
- Metaprogrammed access control that dynamically resolves permissions across heterogeneous resources with zero boilerplate
- Atomic file operations and helpers for running commands on hosts over SSH, including commands that need root, embedded in core utilities for system-level reliability
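Two of the bullets above, self-signed certificate generation and atomic file operations, are routine in a control plane that has to mint TLS material and then store it safely. The following is an added example, not Ubicloud's own code, of both using only Ruby's bundled OpenSSL, tmpdir and File APIs: it creates an EC CA, signs a server certificate with it, verifies the chain, and writes the private key with a temp-file-plus-rename pattern under mode 0600. The subject names, SAN entries and file names are constructed for this example.

```ruby
require "openssl"
require "tmpdir"

# Added example, not Ubicloud's own code: mint a self-signed EC CA and a leaf
# certificate it signs using only Ruby's bundled OpenSSL bindings, then store
# the leaf's private key with an atomic, permission-restricted write so that a
# crash mid-write never leaves a truncated or world-readable key behind.

def new_ec_key
  OpenSSL::PKey::EC.generate("prime256v1")
end

# Build and sign one X.509v3 certificate. With ca: true the result is a
# self-signed CA; otherwise issuer_cert/issuer_key must be the CA that signs it.
def build_cert(subject:, key:, ca:, issuer_cert: nil, issuer_key: nil, san: nil, days: 365)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                      # X.509v3 (the field is zero-based)
  cert.serial = OpenSSL::BN.rand(159)   # random serial rather than a counter
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key
  cert.not_before = Time.now - 60
  cert.not_after = cert.not_before + days * 86_400

  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension("subjectKeyIdentifier", "hash"))
  if ca
    cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE,pathlen:0", true))
    cert.add_extension(ef.create_extension("keyUsage", "keyCertSign,cRLSign", true))
  else
    cert.add_extension(ef.create_extension("basicConstraints", "CA:FALSE", true))
    # EC keys only sign; keyEncipherment is an RSA usage and is deliberately omitted.
    cert.add_extension(ef.create_extension("keyUsage", "digitalSignature", true))
    cert.add_extension(ef.create_extension("extendedKeyUsage", "serverAuth"))
    cert.add_extension(ef.create_extension("subjectAltName", san)) if san
  end
  cert.add_extension(ef.create_extension("authorityKeyIdentifier", "keyid:always"))
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
end

# Chain validation the way a TLS client does it: the leaf must chain to the CA.
def chain_valid?(leaf, ca_cert)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  store.verify(leaf)
end

# Atomic write: the data goes to a temp file in the same directory (so the
# rename stays on one filesystem), is fsync'ed, then rename(2) swaps it into
# place. Readers see the old file or the new one, never a partial one, and on
# any failure the temp file is removed instead of being left behind.
def atomic_write(path, mode: 0o600)
  dir = File.dirname(path)
  tmp = File.join(dir, ".#{File.basename(path)}.#{Process.pid}.#{rand(1 << 32)}.tmp")
  File.open(tmp, File::WRONLY | File::CREAT | File::EXCL, mode) do |f|
    yield f
    f.fsync
  end
  File.rename(tmp, path)
  File.open(dir) { |d| d.fsync }        # make the new directory entry durable too
  path
rescue StandardError
  File.unlink(tmp) if tmp && File.exist?(tmp)
  raise
end

# Constructed names and addresses for the demo; they do not refer to real hosts.
def demo(dir)
  ca_key = new_ec_key
  ca_cert = build_cert(subject: "/CN=Example Internal CA", key: ca_key, ca: true, days: 3650)
  leaf_key = new_ec_key
  leaf = build_cert(subject: "/CN=pg-1.example.internal", key: leaf_key, ca: false,
                    issuer_cert: ca_cert, issuer_key: ca_key,
                    san: "DNS:pg-1.example.internal,IP:10.0.0.5")
  key_path = atomic_write(File.join(dir, "pg-1.key")) { |f| f.write(leaf_key.to_pem) }
  {ca_cert: ca_cert, leaf: leaf, leaf_key: leaf_key, key_path: key_path,
   key_mode: File.stat(key_path).mode & 0o777}
end

if __FILE__ == $0
  Dir.mktmpdir do |d|
    r = demo(d)
    puts "chain valid: #{chain_valid?(r[:leaf], r[:ca_cert])}, key mode: #{r[:key_mode].to_s(8)}"
  end
end
```

The rename gives any reader of pg-1.key either the complete old file or the complete new one. The fsync before the rename and the directory fsync after it are what extend that guarantee from a process crash to a power loss; the O_EXCL create with mode 0600 closes the window in which a key could briefly exist with default permissions.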