by angristan
Self hosted cloud coding agent with k3s + kata containers + cloud hypervisor microVMs + tailscale + any harness + a nice iOS app
# Add to your Claude Code skills
git clone https://github.com/angristan/netclodeI wanted a self-hosted Claude Code environment I can use from my phone, with the UX I actually want. The existing cloud coding agents were a bit underwhelming when I tried them, so I built my own!
I wrote a blog post about how it works: Building a self-hosted cloud coding agent.
flowchart LR
subgraph CLIENT["Client"]
APP["iOS / macOS<br/><sub>SwiftUI</sub>"]
end
subgraph VPS["VPS - k3s"]
TS["Tailscale Ingress<br/><sub>TLS - HTTP/2</sub>"]
CP["Control Plane<br/><sub>Go</sub>"]
BOT["GitHub Bot<br/><sub>Go</sub>"]
REDIS[("Redis<br/><sub>Sessions</sub>")]
POOL["agent-sandbox<br/><sub>Warm Pool</sub>"]
JFS[("JuiceFS")]
subgraph SANDBOX["Sandbox - Kata VM<br/><sub>Cloud Hypervisor</sub>"]
AGENT["Agent<br/><sub>Claude / OpenCode / Copilot / Codex SDK</sub>"]
DOCKER["Docker"]
end
end
GH["GitHub Webhooks"]
S3[("S3")]
LLM["LLM APIs"]
APP <-->|"Connect RPC<br/>HTTPS/H2"| TS
TS <-->|"Connect RPC<br/>h2c"| CP
GH -->|"Webhooks"| BOT
BOT <-->|"Connect RPC<br/>h2c"| CP
CP <-->|"Redis Streams"| REDIS
CP <-->|"Connect RPC<br/>gRPC/h2c"| AGENT
POOL -.->|"allocate"| SANDBOX
JFS <--> SANDBOX
JFS <-->|"POSIX on S3"| S3
AGENT --> LLM
No comments yet. Be the first to share your thoughts!
The control plane grabs a pre-booted Kata VM from the warm pool (so it's instant), forwards prompts to the agent SDK inside, and streams responses back. Redis persists events so clients can reconnect without losing anything.
When pausing, the VM is deleted but JuiceFS keeps everything in S3: workspace, installed tools, Docker images, SDK session. Resume mounts the same storage and the conversation continues as if nothing happened. Dozens of paused sessions cost practically nothing.
| Layer | Technology | Purpose | | ----------------- | ---------------------------------- | -------------------------------------------- | | Host | Linux VPS + Ansible | Provisioned via playbooks | | Orchestration | k3s | Lightweight Kubernetes, nice for single-node | | Isolation | Kata Containers + Cloud Hypervisor | MicroVM per agent session | | Storage | JuiceFS → S3 | POSIX filesystem on object storage | | State | Redis (Streams) | Real-time, streaming session state | | Network | Tailscale Operator | VPN to host, ingress, sandbox previews | | API | Protobuf + Connect RPC | Type-safe, gRPC-like, streams | | Control Plane | Go | Session and sandbox orchestration | | Agent | TypeScript/Node.js | SDK runner inside sandbox | | GitHub Bot | Go | Webhook-driven bot for @mentions and dep reviews | | Secret Proxy | Go | Injects API keys outside the sandbox | | Local LLM | Ollama | Optional, local models on GPU | | Client | SwiftUI (iOS 26) | Native iOS/macOS app | | CLI | Go | Debug client for development |
netclode/
├── clients/
│ ├── ios/ # iOS/Mac app (SwiftUI)
│ └── cli/ # Debug CLI (Go)
├── services/
│ ├── control-plane/ # Session orchestration (Go)
│ ├── agent/ # SDK runner (Node.js)
│ │ └── auth-proxy/ # Adds SA token to requests (Go)
│ ├── github-bot/ # GitHub webhook bot (Go)
│ └── secret-proxy/ # Injects real API keys (Go)
├── proto/ # Protobuf definitions
├── infra/
│ ├── ansible/ # Server provisioning
│ └── k8s/ # Kubernetes manifests
└── docs/
See docs/deployment.md for full setup. I tried to make it as easy as possible: ideally a single playbook run.
Quick version:
All videos from the blog post:
No cold start, sandboxes are pre-booted
Older sessions are automatically paused to save resources. Resume brings everything back instantly
Run models on your own GPU
Instant sandbox access from the terminal, inspired by sprites.dev