Uncloud is a self-hosted container orchestration tool designed for developers who want the simplicity of PaaS platforms like Heroku with the control of self-hosted infrastructure. It eliminates the need for Kubernetes by providing automatic service discovery, load balancing, HTTPS, and cross-machine deployment through a decentralized, peer-to-peer architecture built on WireGuard and CRDTs. It is ideal for individuals, small teams, and organizations running apps in mixed environments, ranging from $5 VPS instances to on-premises servers.
Technically, Uncloud uses a gRPC-based daemon (uncloudd) and Corrosion (a CRDT-based distributed SQLite) to synchronize cluster state across machines without a central control plane. It leverages WireGuard for secure, NAT-traversing mesh networking, Caddy for automatic HTTPS, and Unregistry for efficient image distribution. Deployments are managed via a Docker-like CLI that works over SSH, requiring no open ports or complex YAML configurations.
What You Get
- Docker Compose Support - Define multi-container apps using standard docker-compose.yaml files without learning a new DSL or custom resource formats.
- Decentralized Cluster Architecture - No central control plane; each node maintains a synchronized state via Corrosion CRDTs, ensuring availability even if nodes go offline.
- Automatic WireGuard Mesh Network - Secure, encrypted peer-to-peer networking with automatic NAT traversal and per-machine subnets (e.g., 10.210.0.0/24) for direct container-to-container communication.
- Built-in Caddy Reverse Proxy with Automatic HTTPS - Every exposed service gets free TLS certificates via Let’s Encrypt with zero configuration, serving traffic over HTTPS by default.
- Unregistry Integration - Push and pull Docker images directly between cluster nodes without an external registry, transferring only missing layers for efficiency.
- Service Discovery via DNS - Containers can resolve service names (e.g., db, web) to dynamic IPs across machines using an internal DNS server that auto-updates on changes.
- Zero-Downtime Deployments - Rolling updates with built-in health checks ensure your apps stay online during upgrades (rollback automation in development).
- Remote Management via SSH - Control your entire cluster from a single machine using standard SSH; no need to open inbound ports or manage API keys.
- Multi-Provider Support - Combine AWS, DigitalOcean, Hetzner, bare metal, or home servers into one unified cluster without vendor lock-in.
- Managed DNS for Public Access - Automatically provision and update DNS records for services via Uncloud DNS (uncloud-dns) to expose apps on custom domains like app.example.com.
Common Use Cases
- Running a self-hosted SaaS app on mixed cloud and home servers - A developer deploys a web app using Docker Compose across a DigitalOcean VPS and a home server, using Uncloud to handle HTTPS, load balancing, and service discovery without Kubernetes YAML.
- Deploying a high-availability blog or CMS with automatic TLS - A content creator runs WordPress or Ghost on two geographically distributed VPS instances, using Uncloud to auto-provision Let’s Encrypt certs and balance traffic between them.
- Managing a private development cluster with bare metal nodes - A DevOps engineer uses Uncloud to orchestrate microservices across three on-premises servers, avoiding the overhead of Kubernetes while maintaining service isolation and scaling.
- Scaling a media processing pipeline across cloud and edge devices - A video processing startup runs FFmpeg containers on AWS and a Raspberry Pi cluster, using Uncloud to distribute workloads and auto-restart failed tasks with no central orchestrator.
Under The Hood
Architecture
- Monolithic daemon design with tightly coupled command, API, and service layers, lacking clear separation of concerns or inversion of control
- Hardcoded package-level variables replace dependency injection, limiting flexibility and testability
- CLI and daemon share internal packages without modular boundaries, creating circular dependencies
- gRPC APIs are defined but not decoupled from implementation, with no repository or service patterns
- Tooling is robust but focused on operational automation rather than architectural extensibility
Tech Stack
- Go 1.26.1 as the core language, leveraging standard library and gRPC for inter-service communication
- Docker multi-stage builds with minimal base images ensure secure, lightweight deployments across platforms
- Comprehensive Go tooling stack including linters, mock generators, and release automation for consistent development workflows
- Mise replaces traditional Makefiles for cross-platform dependency and build task management
- End-to-end testing relies on Docker-in-Docker and custom cluster simulation images for realistic validation
Code Quality
- Extensive test coverage across unit, integration, and end-to-end scenarios with clear isolation of dependencies
- Standardized error handling with context-preserving wrapping and well-defined API error types
- Clean, domain-driven package structure promoting single-responsibility and maintainability
- Strong type safety through precise struct definitions and built-in validation for network and configuration data
- Comprehensive mocking strategy enables deterministic, fast tests without external dependencies
What Makes It Unique
- Native Caddy integration via protobuf enables dynamic, code-driven reverse proxy configuration without file-based templating
- Distributed cluster orchestration powered by WireGuard creates secure, self-healing overlay networks with built-in membership states
- Container management through serialized JSON over gRPC eliminates Docker daemon dependencies for platform-agnostic deployment
- Domain and DNS records treated as first-class cluster resources with atomic reservation workflows
- Unified machine API consolidates cluster, container, and network operations into a single service layer, enabling zero-touch provisioning