
Architecture

How Unisrv works under the hood.

Unisrv is built from a handful of components that talk to each other. Everything is written in Rust.

Components

Service Backend

The API server. It handles orchestration, scheduling and the certificate provisioning flow (with Let's Encrypt), and exposes the REST API that the CLI talks to. It coordinates nodemanagers and prox nodes to provision instances and configure routing.

Fun fact — service-backend itself runs as a Unisrv service on Unisrv instances. Self-hosting all the way down.

Prox

The edge load balancer. Prox terminates public TLS and routes traffic to the right instance. The service backend pushes configuration and certificates to prox as services change.

Nodemanager

The microVM orchestrator running on each node. It drives Firecracker to create and manage microVMs, sets up networking (TAP devices, bridges, NAT), streams logs back to service-backend, and manages the full VM lifecycle.

vmInit

A minimal init process running inside each Firecracker microVM. It sets up the container environment using crun as the OCI runtime and pulls images from container registries.

Routr

A TLS proxy running alongside the nodemanager on each node. Routr is the link between the edge network and the microVMs: it accepts mTLS connections from prox, authenticates them against a private PKI, and forwards traffic directly into the target VM's network. No application-layer inspection is needed; routing is by SNI alone.

Networking

Traffic flows through two hops to reach an instance:

                         Internet


┌─────────────────────────────────────────────────────────┐
│  Prox (Edge)                                            │
│  Terminates public TLS                                  │
│  Routes by SNI / Host header                            │
└───────────────────────────┬─────────────────────────────┘

                    mTLS (private PKI)


┌─────────────────────────────────────────────────────────┐
│  Routr (Node)                                           │
│  Authenticates the connection, routes into the VM       │
└───────────────────────────┬─────────────────────────────┘

                   VM TAP interface


┌─────────────────────────────────────────────────────────┐
│  Instance (Firecracker microVM)                         │
│  Container receives plain HTTP                          │
└─────────────────────────────────────────────────────────┘

What reaches the container is the HTTP request exactly as prox received it inside the public TLS session. Prox and routr handle all TLS, so the application inside the VM only ever sees plain HTTP on its TAP interface; it cannot inspect the original client's TLS session itself, so whatever it needs from that session has to arrive from prox. The private PKI ensures that only prox nodes holding a certificate it issued can open connections into instances: routr rejects any other client certificate during the mTLS handshake, before a single application byte is read.

This also means instance nodes can be located anywhere in the world, independent of where our ingress runs. Prox-to-routr traffic can cross the public internet, since it is carried over mutually authenticated TLS 1.3. That is a big part of why we can support self-hosted instance hosting nodes.
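The prox-to-routr hop described above, as an added example that is not Unisrv's code (Unisrv is written in Rust; this uses Go because its standard library has TLS 1.3 and X.509 built in). It builds a throwaway private CA, issues routr a node certificate and prox a client certificate, then runs one mTLS connection on loopback: routr refuses any client certificate that does not chain to the CA, refuses an SNI it has no route for before the handshake completes, and prox verifies routr's certificate under the node's own name rather than under the instance SNI it sends. Every name in it is an assumption: the CA name, `routr.node-a.internal`, `prox-edge-1`, `app.example.unisrv.io` and the `vm-1/tap0` backend label. The route table is constructed inline, and the forward into the VM's TAP interface is replaced by reporting which backend was chosen.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ca stands in for the private PKI: one self-signed CA issuing routr and prox certificates.
type ca struct {
	cert *x509.Certificate
	key  ed25519.PrivateKey
	pool *x509.CertPool
}

// sign returns a one-hour certificate for tmpl with a fresh Ed25519 key; a nil parent self-signs.
func sign(tmpl, parent *x509.Certificate, parentKey ed25519.PrivateKey) tls.Certificate {
	pub, key, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Minute), time.Now().Add(time.Hour)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err) // only a malformed template gets here
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

func newCA(name string) *ca {
	self := sign(&x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, nil, nil)
	cert, _ := x509.ParseCertificate(self.Certificate[0]) // just produced by CreateCertificate, so it parses
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return &ca{cert: cert, key: self.PrivateKey.(ed25519.PrivateKey), pool: pool}
}

// issue signs a leaf for name: ExtKeyUsageServerAuth for routr, ExtKeyUsageClientAuth for prox.
func (c *ca) issue(name string, eku x509.ExtKeyUsage) tls.Certificate {
	return sign(&x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		DNSNames: []string{name}, ExtKeyUsage: []x509.ExtKeyUsage{eku}}, c.cert, c.key)
}

// routrName is the assumed hostname of this node's routr; prox verifies routr's cert under it, not under the SNI.
const routrName = "routr.node-a.internal"

// hop runs one prox -> routr connection on loopback: prox presents proxCert and sends the instance hostname
// as SNI; routr admits only certs chaining to pki and maps the SNI through routes. A real routr would then
// splice bytes into the VM's TAP interface; this one just reports the backend it chose.
func hop(pki *ca, routes map[string]string, proxCert tls.Certificate, sni string) (string, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{pki.issue(routrName, x509.ExtKeyUsageServerAuth)},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    pki.pool,
		MinVersion:   tls.VersionTLS13,
		// SNI is in the ClientHello, so an unknown name is refused mid-handshake without reading anything above TLS.
		GetConfigForClient: func(h *tls.ClientHelloInfo) (*tls.Config, error) {
			if _, ok := routes[h.ServerName]; !ok {
				return nil, fmt.Errorf("no route for SNI %q", h.ServerName)
			}
			return nil, nil
		},
	})
	if err != nil {
		return "", err
	}
	defer ln.Close()
	go func() {
		if c, err := ln.Accept(); err == nil {
			tc := c.(*tls.Conn)
			if tc.Handshake() == nil { // fails for a foreign cert or an unknown SNI
				fmt.Fprintln(tc, routes[tc.ConnectionState().ServerName])
			}
			c.Close()
		}
	}()
	prox, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		Certificates:       []tls.Certificate{proxCert},
		ServerName:         sni,
		InsecureSkipVerify: true, // default verification would check routr's cert against sni,
		VerifyConnection: func(cs tls.ConnectionState) error { // so check it against routrName here instead
			_, err := cs.PeerCertificates[0].Verify(x509.VerifyOptions{Roots: pki.pool, DNSName: routrName})
			return err
		},
	})
	if err != nil {
		return "", err
	}
	defer prox.Close()
	var backend string
	_, err = fmt.Fscan(prox, &backend)
	return backend, err
}
```

Calling hop with the prox certificate from the same CA and a routed SNI returns the backend label; the same certificate with an unknown SNI fails during the handshake, and a certificate from any other CA fails even for a routed SNI. The VerifyConnection callback is the part worth copying: because the SNI names the instance rather than routr, prox cannot let the default hostname check run against it and instead pins routr's certificate to the node's own name and the private root explicitly.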
