commital init

Author: stew

.github/workflows/ci.yml

@@ -0,0 +1,19 @@
+on:
+  pull_request:
+  push:
+jobs:
+  check:
+    runs-on: ubuntu-24.04
+    steps:
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 4.2.2
+    - uses: nixbuild/nix-quick-install-action@63ca48f939ee3b8d835f4126562537df0fee5b91 # v32
+    - uses: nix-community/cache-nix-action@135667ec418502fa5a3598af6fb9eb733888ce6a # 6.1.3
+      with:
+        # restore and save a cache using this key
+        primary-key: nix-${{ runner.os }}-${{ runner.arch }}-check-${{ hashFiles('**/*.nix', '**/flake.lock', '**.*.tf') }}
+        # if there's no cache hit, restore a cache by this prefix
+        restore-prefixes-first-match: |
+          nix-${{ runner.os }}-${{ runner.arch }}-check-
+    - run: |
+        nix flake check
+        nix run .#check

.gitignore

@@ -0,0 +1,14 @@
+*~
+output
+*private
+.terraform/
+unseal_key*
+vault_token
+.vscode
+.direnv
+terraform.tfvars
+terraform.tfstate*
+nimbus-secrets.json
+secrets.env
+.envrc
+outputs/

README.md

@@ -0,0 +1,28 @@
+# Support for running your own unison.cloud cluster
+
+## Overview
+
+This repository contains instructions and configuration for running your own unison.cloud "Bring Your Own Cloud" (BYOC) cluster. There are multiple options based on how you'd like to deploy your cluster:
+
+- [Docker Compose instructions](docker/README.md) for a simple deployment on a local cluster.
+- [EKS instructions](eks/README.md) to use Terraform (or OpenTofu) to deploy on a Kubernetes cluster via AWS Elastic Kubernetes Service (EKS).
+
+
+## Scope
+
+These configurations are intended to demonstrate minimalist deployments of unison.cloud. They are **not production-ready** but serve testing, development, and demonstration purposes. They provide an easy way to test unison.cloud in your own environment, with the expectation that you might later integrate these learnings into an existing production environment.
+
+## Prerequisites
+
+### Cluster name
+
+To register a Unison Cloud cluster, you'll need a cluster name. You can come up with your own or have one generated for you, but it must be unique across all Unison Cloud clusters. It should be a valid DNS subdomain, meaning it must consist of only lowercase letters, numbers, and hyphens, and must start and end with a letter or number.
+
+### Register a BYOC cluster
+
+See [the Unison Cloud BYOC website](https://www.unison.cloud/byoc/) for more info.
+
+
+### Cluster token
+
+Before deploying your cluster you will need a cluster token to authenticate your nodes with the Unison Cloud control plane. You will receive one of these when your cluster is registered.

docker/.env

@@ -0,0 +1,7 @@
+UNISON_CLOUD_DOCKER_IMAGE=unisoncomputing/unison-cloud:cloud_nimbus_releases_41_1_2_20399
+UNISON_CLOUD_ENVIRONMENTS_MOUNT=unison-cloud-environments
+VAULT_PORT=8200
+# TODO we shouldn't assume that the table name is test
+UNISON_CLOUD_STORAGE_TABLE_NAME=test
+UNISON_CLOUD_SERVICES_BUCKET_NAME=unison-cloud-services
+UNISON_CLOUD_USER_BLOBS_BUCKET_NAME=unison-cloud-user-blobs

docker/README.md

@@ -0,0 +1,95 @@
+# Unison Cloud on Docker Compose
+
+**NOTE:** all paths/files in this documentation assume you are already within the `docker` directory (not the project root).
+
+## Scope and disclaimers
+
+** This is not a production setup.**
+
+This Docker Compose configurations is intended to demonstrate minimalist deployments of unison.cloud in a local environment. It is **not production-ready** but serves testing, development, and demonstration purposes. It provides an easy way to test unison.cloud in your own environment, with the expectation that you might later integrate these learnings into an existing production environment. Specifically, please be aware of the following caveats:
+
+- The secret store (used by [Environment.setValue](https://share.unison-lang.org/@unison/cloud/code/releases/20.16.1/latest/terms/Environment/setValue) and [Environment.Config.lookup](https://share.unison-lang.org/@unison/cloud/code/releases/20.16.1/latest/types/Environment/Config)) stores values insecurely and in-memory: **they will not persist when the Vault container is terminated**.
+- Your [storage](https://share.unison-lang.org/@unison/cloud/code/releases/20.16.1/latest/types/Storage), [blobs](https://share.unison-lang.org/@unison/cloud/code/releases/20.16.1/latest/types/Blobs), and [services](https://share.unison-lang.org/@unison/cloud/code/releases/20.16.1/latest/types/Services) are persisted only to named Docker volumes on your machine. If your hard drive fails or you perform some overzealous Docker pruning, they are gone forever. The centralized Unison Cloud control plane stores only some metadata like IDs and permissions; it cannot restore your data.
+
+
+## Prerequisites
+
+### Install Docker
+
+See [instructions on docker.com](https://docs.docker.com/engine/install/).
+
+### Register a cluster
+
+See [instructions](../README.md#register-a-byoc-cluster).
+
+## Configure your cluster
+
+1. Copy [nimbus-secrets-example.json](nimbus-secrets-example.json) to `nimbus-secrets.json`.
+2. Replace the `cloudApiToken` value with the token you received when registering your cluster.
+3. In `cloudApiInstances.uri`, replace `YOUR_CLUSTER_NAME` with the cluster name that you registered.
+
+Some insecure development credentials (ex: `INSECURE_DEV_TOKEN`) have been provided for the services running on your local cluster. These are fine for local development, so you can leave them for now, but you will want to change them before opening up your cluster outside of your personal computer.
+
+## Run your cluster
+
+Run this `docker compose` command to start up your cluster:
+
+```sh
+docker compose --env-file secrets-example.env --env-file .env up --remove-orphans
+```
+
+Logs will print to the screen. When you see messages that start with `Starting public HTTP server` from your `unison-cloud-nimbus` instances, your cluster is ready to serve requests!
+
+If you would prefer to run your containers in the background, you can add `--detach` (or `-d`) to the end of the command:
+
+```sh
+docker compose --env-file secrets-example.env --env-file .env up --remove-orphans --detach
+```
+
+In detached mode logs will not print to the screen and you can use your terminal window to run other commands.
+
+See [Tear down your cluster](#tear-down-your-cluster) when you are ready to stop your cluster.
+
+## Use your new cluster!
+
+Now you can point your [Unison Cloud client](https://share.unison-lang.org/@unison/cloud) to your own cluster to submit batch jobs, deploy services and more!
+
+First you'll need to know the control plane endpoint for your cluster. It has the form `{your_cluster_name}.byoc.unison.cloud` (ex: `alice-homelab.byoc.unison.cloud`).
+
+There are two ways to point your cloud client to your cluster: via an environment variable _or_ with a custom [Cloud.ClientConfig](https://share.unison-lang.org/@unison/cloud/code/releases/20.16.1/latest/types/Cloud/ClientConfig).
+
+### Configure via environment variable
+
+Set the `UNISON_CLOUD_HOST` environment variable to your cluster control plane endpoint. You could set this in your shell init file (ex: `.bashrc`) or you could just set it in the scope of your `ucm` session:
+
+```sh
+UNISON_CLOUD_HOST=alice-homelab.byoc.unison.cloud ucm
+```
+
+You can now use [Cloud.run](https://share.unison-lang.org/@unison/cloud/code/releases/20.16.1/latest/terms/Cloud/run) and it will point to your cluster.
+
+### Configure via Cloud.ClientConfig
+
+Instead of setting the `UNISON_CLOUD_HOST` environment variable, you can programmatically configure your cloud client to point to your cluster. Note that this approach requires using [Cloud.run.withConfig](https://share.unison-lang.org/@unison/cloud/code/releases/20.16.1/latest/terms/Cloud/run/withConfig) instead of `Cloud.run`.
+
+```unison
+main : '{IO, Exception} Nat
+main = do
+  homelabConfig =
+    Cloud.ClientConfig.default() |> ClientConfig.host.set (HostName "alice-homelab.byoc.unison.cloud")
+  Cloud.run.withConfig homelabConfig do
+    Cloud.submit Environment.default() do
+      1 + 1
+```
+
+## Tear down your cluster
+
+When you are done using your local cluster, you can terminate it. If you ran `docker compose` in attached mode (without the `--detach`/`-d` flag), then you can hit `<ctrl>-c` to stop the running containers.
+
+If you ran `docker compose` in detached mode, then you'll need to run the `down` variant of the `up` command that you previously ran:
+
+```sh
+docker compose --env-file secrets-example.env --env-file .env down
+```
+
+Even if you ran `docker compose` in attached mode you still may want to run the above `down` command to perform some cleanup that `<ctrl>-c` doesn't trigger like removing stopped containers and the cluster network.

docker/caddy/Caddyfile

@@ -0,0 +1,9 @@
+http://:8080 {
+  reverse_proxy {
+    dynamic a {
+      name unison-cloud-nimbus
+      port 8082
+    }
+  }
+}
+

docker/docker-compose.yml

@@ -0,0 +1,155 @@
+# run this with:
+#
+# docker compose -f docker-compose.yml --env-file secrets-example.env --env-file .env up
+
+secrets:
+  nimbus-config.json:
+    file: ./nimbus-config-example.json
+  nimbus-secrets.json:
+    # copy nimbus-secrets-example.json, apply your changes, and save it as nimbus-secrets.json
+    file: ./nimbus-secrets.json
+
+volumes:
+  unison-cloud-s3-data:
+  unison-cloud-dynamodb-data:
+
+networks:
+  default:
+    name: unison-cloud
+
+services:
+
+  # The dynamodb-local docker image runs as a dynamodblocal user, so we need to
+  # change the ownership of the mounted directory to avoid permissions issues.
+  unison-cloud-init-volumes:
+    image: alpine
+    restart: "no"
+    entrypoint: |
+        /bin/sh -c "chown 1000:1000 /home/dynamodblocal/data"
+    volumes:
+      - type: volume
+        source: unison-cloud-dynamodb-data
+        target: /home/dynamodblocal/data
+
+  unison-cloud-vault:
+    image: hashicorp/vault
+    environment:
+      VAULT_ADDR: "http://127.0.0.1:${VAULT_PORT}"
+      VAULT_DEV_ROOT_TOKEN_ID: "$UNISON_CLOUD_VAULT_TOKEN"
+    healthcheck:
+      test: "vault status"
+      start_period: 30s
+      timeout: 1s
+    cap_add:
+      - IPC_LOCK
+
+  unison-cloud-init-vault:
+    image: hashicorp/vault
+    depends_on:
+      unison-cloud-vault:
+        condition: service_healthy
+    environment:
+      VAULT_ADDR: "http://unison-cloud-vault:${VAULT_PORT}"
+      VAULT_TOKEN: "$UNISON_CLOUD_VAULT_TOKEN"
+    command:
+      - /bin/sh
+      - '-c'
+      - 'vault secrets list | grep -q ${UNISON_CLOUD_ENVIRONMENTS_MOUNT} || vault secrets enable -path=${UNISON_CLOUD_ENVIRONMENTS_MOUNT} kv-v2'
+
+  unison-cloud-s3:
+    image: quay.io/minio/minio
+    command: server /data
+    volumes:
+      - type: volume
+        source: unison-cloud-s3-data
+        target: /data
+    healthcheck:
+      test: "mc ready local"
+      start_period: 30s
+      timeout: 1s
+    networks:
+      default:
+        aliases:
+          - ${UNISON_CLOUD_SERVICES_BUCKET_NAME}.unison-cloud-s3
+          - ${UNISON_CLOUD_USER_BLOBS_BUCKET_NAME}.unison-cloud-s3
+    environment:
+      MINIO_ROOT_USER: "unison-cloud"
+      MINIO_ROOT_PASSWORD: "$UNISON_CLOUD_S3_TOKEN"
+      MINIO_DOMAIN: "unison-cloud-s3"
+
+  unison-cloud-init-s3:
+    image: minio/mc
+    depends_on:
+      unison-cloud-s3:
+        condition: service_healthy
+    entrypoint: ""
+    command:
+      - /bin/sh
+      - '-c'
+      - |
+          mc alias set unison-cloud http://unison-cloud-s3:9000 unison-cloud INSECURE_DEV_TOKEN &&
+          mc mb --ignore-existing unison-cloud/${UNISON_CLOUD_SERVICES_BUCKET_NAME} &&
+          mc mb --ignore-existing unison-cloud/${UNISON_CLOUD_USER_BLOBS_BUCKET_NAME}
+
+
+  unison-cloud-dynamo:
+    image: amazon/dynamodb-local:3.0.0
+    command: "-jar DynamoDBLocal.jar -sharedDb -dbPath /home/dynamodblocal/data"
+    volumes:
+      - type: volume
+        source: unison-cloud-dynamodb-data
+        target: /home/dynamodblocal/data
+    depends_on:
+      unison-cloud-init-volumes:
+        condition: service_completed_successfully
+    healthcheck:
+      test: "curl localhost:8000"
+      start_period: 10s
+      timeout: 1s
+
+  unison-cloud-init-dynamo:
+    image: amazon/aws-cli
+    depends_on:
+      unison-cloud-dynamo:
+        condition: service_healthy
+    environment:
+      AWS_REGION: ""
+      AWS_ACCESS_KEY_ID: "$UNISON_CLOUD_AWS_ACCESS_KEY_ID"
+      AWS_SECRET_ACCESS_KEY: "$UNISON_CLOUD_AWS_SECRET_ACCESS_KEY"
+      AWS_ENDPOINT_URL: "http://unison-cloud-dynamo:8000"
+    entrypoint: ""
+    command:
+      - /bin/sh
+      - '-c'
+      - 'aws dynamodb list-tables | grep "\"${UNISON_CLOUD_STORAGE_TABLE_NAME}\"" >/dev/null || aws dynamodb create-table --table-name ${UNISON_CLOUD_STORAGE_TABLE_NAME} --attribute-definitions AttributeName=K,AttributeType=B AttributeName=NS,AttributeType=S --key-schema AttributeName=K,KeyType=HASH AttributeName=NS,KeyType=RANGE --provisioned-throughput ReadCapacityUnits=5,WriteCapacityUnits=5'
+
+  unison-cloud-nimbus:
+    image: "$UNISON_CLOUD_DOCKER_IMAGE"
+    deploy:
+      replicas: 2
+    depends_on:
+      unison-cloud-init-s3:
+        condition: service_completed_successfully
+      unison-cloud-init-dynamo:
+        condition: service_completed_successfully
+      unison-cloud-init-vault:
+        condition: service_completed_successfully
+      unison-cloud-s3:
+        condition: service_healthy
+      unison-cloud-dynamo:
+        condition: service_healthy
+      unison-cloud-vault:
+        condition: service_healthy
+    environment:
+      NIMBUS_CONFIG_DIR: '/run/secrets'
+    secrets:
+      - nimbus-config.json
+      - nimbus-secrets.json
+    stop_grace_period: "6m"
+
+  unison-cloud-load-balancer:
+    image: caddy
+    ports:
+      - "8080:8080"
+    volumes:
+      - ./caddy:/etc/caddy

docker/nimbus-config-example.json

@@ -0,0 +1,36 @@
+{
+  "environment" : "local",
+  "bindPorts": {
+    "publicHttp" : 8082,
+    "gossipHttp" : 8081
+  },
+  "blobFetcher": {
+    "bucket": "unison-cloud-services",
+    "awsConfig": {
+      "hostName": "unison-cloud-s3",
+      "port": 9000,
+      "https": false,
+      "region": "us-west-2"
+    }
+  },
+  "userBlobFetcher": {
+    "bucket": "unison-cloud-user-blobs",
+    "awsConfig": {
+      "hostName": "unison-cloud-s3",
+      "port": 9000,
+      "https": false,
+      "region": "us-west-2"
+    }
+  },
+  "vault": {
+    "host": "unison-cloud-vault",
+    "port": 8200,
+    "scheme": "http"
+  },
+  "environmentsMount": "unison-cloud-environments",
+  "dynamo": {
+    "host": "unison-cloud-dynamo",
+    "port": 8000,
+    "type": "local"
+  }
+}