Docker-free · single-node · one binary

Your box.
One binary.
No Docker.

Denia runs your services on its own Linux runtime: namespaces and cgroup v2, in-process ingress and TLS, autoscaling, and a registry. One Rust binary, on one machine you own.

install · Linux x86_64 / arm64 · server + client
$ curl --proto '=https' --tlsv1.2 -fsSL https://raw.githubusercontent.com/zainokta/denia/main/get.sh | sh

Prebuilt, signed binary. Verifies a pinned minisign signature before it runs.

Collapse the stack.

Most self-hosted PaaS tools are a thin layer over Docker. You still run a daemon, a reverse proxy, a cert companion, and a registry, then wire them together.

The usual stack

  • Docker daemon
  • Reverse proxy (nginx / Traefik)
  • Cert companion (certbot)
  • External registry
  • Glue, config, and cron

Denia

One Rust binary + systemd

  • runtime isolation
  • L7 ingress
  • ACME TLS
  • autoscaler
  • OCI registry
  • web console

What the one binary does.

01

No container runtime.

Workloads run under unshare (user, pid, mount, uts, ipc), cgroup v2, no_new_privs, and a dropped capability set. Each replica gets a private overlay rootfs.
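One way to check the no_new_privs and capability claims on a running replica is to read its /proc/<pid>/status. The sketch below is an added example, not Denia's own code. The status text is constructed sample input, and the allow-list of a single capability is an assumed policy.

```rust
// Added example (not Denia code): audit hardening fields from /proc/<pid>/status.
// Capability masks in /proc are relative to the process's own user namespace.
#[derive(Debug)]
pub struct Hardening {
    pub no_new_privs: bool,
    pub cap_eff: u64,
    pub cap_bnd: u64,
}

/// Parse NoNewPrivs, CapEff and CapBnd; None if any field is missing or malformed.
pub fn parse_status(status: &str) -> Option<Hardening> {
    let (mut nnp, mut eff, mut bnd) = (None, None, None);
    for line in status.lines() {
        if let Some((key, val)) = line.split_once(':') {
            let val = val.trim();
            match key {
                "NoNewPrivs" => nnp = Some(val == "1"),
                "CapEff" => eff = u64::from_str_radix(val, 16).ok(),
                "CapBnd" => bnd = u64::from_str_radix(val, 16).ok(),
                _ => {}
            }
        }
    }
    Some(Hardening { no_new_privs: nnp?, cap_eff: eff?, cap_bnd: bnd? })
}

/// List deviations from the policy; an empty list means the process passes.
pub fn findings(h: &Hardening, allowed_caps: u64) -> Vec<String> {
    let mut out = Vec::new();
    if !h.no_new_privs {
        out.push("NoNewPrivs is 0: exec of a setuid or file-capability binary can add privileges".to_string());
    }
    if h.cap_eff & !allowed_caps != 0 {
        out.push(format!("effective capabilities outside the allow-list: {:#x}", h.cap_eff & !allowed_caps));
    }
    if h.cap_bnd & !allowed_caps != 0 {
        out.push(format!("bounding set wider than the allow-list: {:#x}", h.cap_bnd & !allowed_caps));
    }
    out
}

// Constructed samples. ALLOWED is an assumed policy: CAP_NET_BIND_SERVICE (bit 10) only.
pub const ALLOWED: u64 = 1 << 10;
pub const HARDENED: &str = "Name:\tworkload\nCapEff:\t0000000000000400\nCapBnd:\t0000000000000400\nNoNewPrivs:\t1\n";
pub const WEAK: &str = "Name:\tworkload\nCapEff:\t000001ffffffffff\nCapBnd:\t000001ffffffffff\nNoNewPrivs:\t0\n";

fn main() {
    for (name, sample) in [("hardened", HARDENED), ("weak", WEAK)] {
        let h = parse_status(sample).expect("sample has all three fields");
        println!("{}: {:?}", name, findings(&h, ALLOWED));
    }
}
```

To audit a live process, pass the contents of its /proc/<pid>/status to parse_status in place of the samples.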

02

Its own ingress and TLS.

An in-process Pingora proxy binds :80 and :443 and dials each workload over a Unix socket. Per-SNI certificates issue and renew over ACME. No Traefik, no certbot.

03

Autoscaling, down to zero.

Per-service CPU and memory scaling with a single-flight cold start, bounded by a host resource ledger so the node is never over-committed.

04

Ship from your machine.

denia push packs your working tree and the node builds the Dockerfile. No local Docker, no git remote, no pre-deploy commit.

05

Registry and live console.

A same-origin OCI registry at /v2, and a kubectl-exec-style shell into a running replica over a single-use ticket.

What Denia is not.

v1 is deliberately scoped. Candor up front, so you do not find out the hard way.

Not multi-node.

One node by design. The control plane and node agent are split internally for a future multi-node story, but it is not here yet.

Not a managed plane.

You run the binary on your own machine. No hosted control plane, no vendor in the path.

Not an untrusted sandbox.

Treat a daemon RCE as host root, the same class as dockerd or kubelet. Run untrusted workloads on their own host.