
Architecture

System Overview

┌─────────────────────────────────────────────────────────────────┐
│                            Jiji CLI                             │
│  ┌──────────┐  ┌──────────┐  ┌──────────┐  ┌──────────┐         │
│  │ Commands │  │  Config  │  │   SSH    │  │ Services │         │
│  │  Parser  │  │  Loader  │  │ Manager  │  │  Layer   │         │
│  └──────────┘  └──────────┘  └──────────┘  └──────────┘         │
└─────────────────────────────────────────────────────────────────┘
                                │ SSH
                                V
┌─────────────────────────────────────────────────────────────────┐
│                         Target Servers                          │
│  ┌──────────────┐  ┌──────────────┐  ┌──────────────┐           │
│  │   Server 1   │  │   Server 2   │  │   Server N   │           │
│  │ ┌──────────┐ │  │ ┌──────────┐ │  │ ┌──────────┐ │           │
│  │ │Container │ │  │ │Container │ │  │ │Container │ │           │
│  │ │ Runtime  │ │  │ │ Runtime  │ │  │ │ Runtime  │ │           │
│  │ └──────────┘ │  │ └──────────┘ │  │ └──────────┘ │           │
│  │ ┌──────────┐ │  │ ┌──────────┐ │  │ ┌──────────┐ │           │
│  │ │  Proxy   │ │  │ │  Proxy   │ │  │ │  Proxy   │ │           │
│  │ └──────────┘ │  │ └──────────┘ │  │ └──────────┘ │           │
│  │ ┌──────────┐ │  │ ┌──────────┐ │  │ ┌──────────┐ │           │
│  │ │WireGuard │<┼──┼─┤WireGuard │<┼──┼─┤WireGuard │ │           │
│  │ └──────────┘ │  │ └──────────┘ │  │ └──────────┘ │           │
│  │ ┌──────────┐ │  │ ┌──────────┐ │  │ ┌──────────┐ │           │
│  │ │Corrosion │<┼──┼─┤Corrosion │<┼──┼─┤Corrosion │ │           │
│  │ └──────────┘ │  │ └──────────┘ │  │ └──────────┘ │           │
│  │ ┌──────────┐ │  │ ┌──────────┐ │  │ ┌──────────┐ │           │
│  │ │ jiji-dns │ │  │ │ jiji-dns │ │  │ │ jiji-dns │ │           │
│  │ └──────────┘ │  │ └──────────┘ │  │ └──────────┘ │           │
│  └──────────────┘  └──────────────┘  └──────────────┘           │
└─────────────────────────────────────────────────────────────────┘

Component Details

Jiji CLI

The orchestration engine that runs on your local machine or CI server.

| Component      | Purpose                                   |
|----------------|-------------------------------------------|
| Commands       | CLI interface (init, build, deploy, etc.) |
| Config         | YAML parsing and validation               |
| SSH Manager    | Connection pooling, parallel execution    |
| Services Layer | Build, push, deploy, logs operations      |

Container Runtime

Docker or Podman on each target server. Jiji is runtime-agnostic.

kamal-proxy

HTTP/HTTPS reverse proxy in front of the application containers on each server. It handles:

  • Zero-downtime deployments (traffic is switched to a new container only after it passes health checks)
  • TLS termination
  • Health check routing
  • Path-based routing

WireGuard

Mesh VPN providing encrypted communication between servers:

  • Each server gets its own /24 container subnet out of the cluster network
  • Peer configuration is generated automatically when a server joins
  • IPv4 for container traffic, IPv6 for management

Corrosion

Distributed CRDT database for service registration:

  • Gossip protocol for data sync
  • Real-time container registration
  • Health status tracking

jiji-dns

DNS server for service discovery:

  • Resolves {project}-{service}.jiji to the addresses of every healthy instance of that service
  • Resolves {project}-{service}-{server}.jiji to the instance running on one specific server
  • Unhealthy containers are never returned, so a client that resolves and connects only reaches instances that passed their health check
  • Subscribes to Corrosion, so answers change as soon as a registration or health status changes

Deployment Flow

┌─────────────┐     ┌─────────────┐     ┌─────────────┐
│    Build    │────>│    Push     │────>│   Deploy    │
│    Image    │     │ to Registry │     │  Container  │
└─────────────┘     └─────────────┘     └─────────────┘
                                               │
        ┌──────────────────────────────────────┘
        V
┌─────────────────────────────────────────────────────┐
│                Zero-Downtime Deploy                 │
│  1. Keep old container running                      │
│  2. Start new container                             │
│  3. Run health checks                               │
│  4. Route traffic to new container                  │
│  5. Stop old container                              │
│  6. Cleanup old images                              │
└─────────────────────────────────────────────────────┘
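The six steps above, run against an in-memory model so the failure mode can be observed. This is an added example, not Jiji's implementation: Container and ContainerRuntime are constructed stand-ins for Docker/Podman and the proxy route on one server, and the probe argument stands in for the proxy's health check. The page does not say what happens when step 3 fails; the example assumes the only safe behaviour, which is to stop the new container and leave the old one serving.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional

# Added example, not Jiji's code. Container and ContainerRuntime are in-memory
# stand-ins for the runtime and the proxy route on a single server.


@dataclass
class Container:
    service: str
    name: str
    image: str
    healthy: bool = True


@dataclass
class ContainerRuntime:
    running: List[Container] = field(default_factory=list)
    images: List[str] = field(default_factory=list)
    routed_to: Optional[str] = None      # container the proxy sends traffic to
    log: List[str] = field(default_factory=list)

    def start(self, service: str, image: str) -> Container:
        tag = image.rsplit(":", 1)[-1]
        c = Container(service, f"{service}-{tag}", image)
        self.running.append(c)
        if image not in self.images:
            self.images.append(image)
        self.log.append(f"start {c.name}")
        return c

    def stop(self, c: Container) -> None:
        self.running.remove(c)
        self.log.append(f"stop {c.name}")

    def prune_images(self) -> None:
        """Step 6: drop every image that no running container uses."""
        in_use = {c.image for c in self.running}
        self.images = [img for img in self.images if img in in_use]


def zero_downtime_deploy(
    rt: ContainerRuntime,
    service: str,
    new_image: str,
    probe: Callable[[Container], bool] = lambda c: c.healthy,
) -> str:
    """Run steps 1-6 and return the name of the container now serving traffic.

    `probe` stands in for the proxy's health check (an assumption of this
    example). If it fails, the new container is stopped and the old one keeps
    serving, so a bad image never receives traffic.
    """
    # 1. Keep the old container running: find it, do not touch it.
    old = next((c for c in rt.running if c.service == service), None)

    # 2. Start the new container alongside it.
    new = rt.start(service, new_image)

    # 3. Health checks gate everything that follows.
    if not probe(new):
        rt.stop(new)
        rt.prune_images()
        still = old.name if old else "nothing"
        rt.log.append(f"abort: {new.name} failed health check, {still} still serving")
        return old.name if old else ""

    # 4. Route traffic to the new container.
    rt.routed_to = new.name

    # 5. Stop the old container (there is none on the first deploy).
    if old is not None:
        rt.stop(old)

    # 6. Clean up images that are no longer referenced.
    rt.prune_images()
    return new.name


if __name__ == "__main__":
    rt = ContainerRuntime()
    zero_downtime_deploy(rt, "api", "registry.example/api:v1")
    zero_downtime_deploy(rt, "api", "registry.example/api:v2")
    zero_downtime_deploy(rt, "api", "registry.example/api:v3", probe=lambda c: False)
    print("\n".join(rt.log))
```

The third call in the usage block simulates an image whose health check never passes: the route stays on api-v2, api-v3 is stopped, and its image is pruned, which is the property a deploy pipeline should assert on before it is trusted with production traffic.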

Network Architecture

IP Allocation

Jiji uses a 10.210.0.0/16 network (configurable):

| Server   | WireGuard IP | Container Subnet |
|----------|--------------|------------------|
| Server 0 | 10.210.0.1   | 10.210.0.0/24    |
| Server 1 | 10.210.1.1   | 10.210.1.0/24    |
| Server N | 10.210.N.1   | 10.210.N.0/24    |
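The allocation table above and the WireGuard section before it, worked through in code. This is an added example, not Jiji's code: it carves any base network into one /24 per server, takes .1 of each /24 for the WireGuard interface, and renders the wg-quick style config a server would need. The server names, public keys and endpoints are constructed placeholders; the prefix length on the Address line and the absence of the IPv6 management addressing are assumptions of the example, not something the page specifies.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Added example, not Jiji's code. SERVERS and the key/endpoint strings are
# constructed placeholders; the Address prefix length is an assumption.


@dataclass(frozen=True)
class Server:
    index: int
    public_key: str   # base64 WireGuard public key (placeholder text here)
    endpoint: str     # address the other servers reach this one at


def allocate(base: str, index: int) -> Tuple[ipaddress.IPv4Address, ipaddress.IPv4Network]:
    """Return (wireguard_ip, container_subnet) for server `index` inside `base`.

    Server index N gets the N-th /24 of the base network and uses the first
    host address of it on its WireGuard interface. A /16 therefore holds at
    most 256 servers; anything beyond that is rejected rather than wrapped.
    """
    net = ipaddress.ip_network(base)
    subnets = list(net.subnets(new_prefix=24))
    if not 0 <= index < len(subnets):
        raise ValueError(f"{base} holds {len(subnets)} /24 subnets; server index {index} does not fit")
    subnet = subnets[index]
    return subnet.network_address + 1, subnet


def server_for(base: str, addr: str) -> int:
    """Map any cluster address (container or WireGuard) back to its server index."""
    net = ipaddress.ip_network(base)
    ip = ipaddress.ip_address(addr)
    if ip not in net:
        raise ValueError(f"{addr} is outside {base}")
    return (int(ip) - int(net.network_address)) >> 8


def wireguard_config(base: str, servers: List[Server], me: int, port: int = 51820) -> str:
    """Render the wg0 config for server `me` with one [Peer] per other server.

    AllowedIPs is the security-relevant line: WireGuard uses it both as the
    route and as the cryptokey-routing ACL. Packets decrypted under a peer's
    key are accepted only if their source is inside that peer's own /24, and
    packets destined for that /24 are encrypted only to that key.
    """
    wg_ip, _ = allocate(base, me)
    lines = [
        "[Interface]",
        f"Address = {wg_ip}/{ipaddress.ip_network(base).prefixlen}",  # prefix length is an assumption
        f"ListenPort = {port}",
        "PrivateKey = <private key of this server>",
    ]
    for s in servers:
        if s.index == me:
            continue
        _, subnet = allocate(base, s.index)
        lines += [
            "",
            "[Peer]",
            f"# server {s.index}",
            f"PublicKey = {s.public_key}",
            f"Endpoint = {s.endpoint}:{port}",
            f"AllowedIPs = {subnet}",
        ]
    return "\n".join(lines)


# Constructed three-server mesh with placeholder keys and documentation-range endpoints.
SERVERS = [
    Server(0, "PUBKEY_SERVER_0=", "203.0.113.10"),
    Server(1, "PUBKEY_SERVER_1=", "203.0.113.11"),
    Server(2, "PUBKEY_SERVER_2=", "203.0.113.12"),
]

if __name__ == "__main__":
    print(wireguard_config("10.210.0.0/16", SERVERS, me=0))
```

Because every peer's AllowedIPs is exactly its /24, a server whose WireGuard key is stolen can only originate traffic that appears to come from its own subnet; it cannot impersonate containers on another server. That property disappears if a peer is given a broader AllowedIPs such as the whole /16, which is why the example derives the value from allocate() instead of letting it be hand-edited.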

Service Discovery Flow

Container A                  jiji-dns                     Corrosion
    │                            │                            │
    │  DNS query:                │                            │
    │  myapp-api.jiji            │                            │
    │───────────────────────────>│                            │
    │                            │  Lookup in cache           │
    │                            │  (synced from Corrosion)   │
    │                            │<───────────────────────────│
    │  Response:                 │                            │
    │  10.210.1.5, 10.210.2.5    │                            │
    │<───────────────────────────│                            │
    │                            │                            │
    │  Connect to 10.210.1.5     │                            │
    │────────────────────────────┼────────────────────────────┼──> (container on server 1)
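The name forms listed under jiji-dns and the exchange in the diagram above, modelled in code. This is an added example, not jiji-dns itself: the Record layout and the REGISTRY contents are constructed stand-ins for the registrations that jiji-dns reads from Corrosion, and mark_unhealthy() stands in for a Corrosion update arriving. It goes one step beyond the page by handling service names that themselves contain a hyphen, which makes the two name forms ambiguous if a resolver simply splits on "-"; how jiji-dns actually disambiguates is not stated on the page, so the precedence chosen here is an assumption.

```python
from dataclasses import dataclass, replace
from typing import List

# Added example, not jiji-dns's code. Record and REGISTRY are constructed
# stand-ins for the service registrations held in Corrosion.

ZONE = ".jiji"


@dataclass(frozen=True)
class Record:
    project: str
    service: str
    server: str   # server name used in the per-instance hostname
    ip: str       # container address inside the cluster network
    healthy: bool


# Constructed sample registry: project "myapp" runs "api" on three servers
# (the web3 replica is failing its health check) and "bg-worker" on one.
REGISTRY: List[Record] = [
    Record("myapp", "api", "web1", "10.210.1.5", True),
    Record("myapp", "api", "web2", "10.210.2.5", True),
    Record("myapp", "api", "web3", "10.210.3.5", False),
    Record("myapp", "bg-worker", "web1", "10.210.1.7", True),
]


def resolve(name: str, registry: List[Record] = REGISTRY) -> List[str]:
    """Answer a .jiji query with the IPs of healthy containers only.

    {project}-{service}.jiji          -> every healthy instance of the service
    {project}-{service}-{server}.jiji -> the instance on that server, if healthy
    anything else, or no healthy match -> [] (the client gets an empty answer)

    Project, service and server are joined with '-', and a service name may
    itself contain '-', so the label is compared against whole registered
    tuples instead of being split on hyphens. The service-wide form is tried
    first (an assumption of this example), so a service literally named
    "api-web1" would shadow the per-instance name of "api" on server "web1".
    """
    name = name.lower().rstrip(".")
    if not name.endswith(ZONE):
        return []
    label = name[: -len(ZONE)]

    service_wide = [r for r in registry if f"{r.project}-{r.service}" == label]
    if service_wide:
        return [r.ip for r in service_wide if r.healthy]

    return [
        r.ip
        for r in registry
        if r.healthy and f"{r.project}-{r.service}-{r.server}" == label
    ]


def mark_unhealthy(registry: List[Record], ip: str) -> List[Record]:
    """Return a new registry with the container at `ip` flagged unhealthy.

    Stands in for a Corrosion update reaching jiji-dns: the next query
    reflects it immediately because resolve() reads the registry each time.
    """
    return [replace(r, healthy=False) if r.ip == ip else r for r in registry]


if __name__ == "__main__":
    print(resolve("myapp-api.jiji"))           # ['10.210.1.5', '10.210.2.5']
    print(resolve("myapp-api-web2.jiji"))      # ['10.210.2.5']
    print(resolve("myapp-api-web3.jiji"))      # []  (registered but unhealthy)
    print(resolve("myapp-api.jiji", mark_unhealthy(REGISTRY, "10.210.2.5")))  # ['10.210.1.5']
```

The first call reproduces the answer in the diagram. The last call is the case the "only returns healthy containers" rule exists for: once Corrosion reports 10.210.2.5 unhealthy, a client that resolves again is steered away from it without any change on the client side.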

Security Model

Network Security

  • WireGuard tunnels between servers: Curve25519 key exchange, ChaCha20-Poly1305 authenticated encryption
  • Forward secrecy: WireGuard derives fresh session keys on every handshake, so a compromised static key does not expose past traffic
  • Container-to-container traffic stays on the private 10.210.0.0/16 network and crosses hosts only inside the WireGuard tunnels

Authentication

  • SSH keys for server access
  • Registry authentication with tokens
  • Secrets loaded from .env files (with optional host env fallback via --host-env)

Firewall Requirements

| Port   | Protocol | Purpose          |
|--------|----------|------------------|
| 22     | TCP      | SSH              |
| 80/443 | TCP      | HTTP/HTTPS       |
| 51820  | UDP      | WireGuard        |
| 9280   | TCP      | Corrosion gossip |

Only 22 (from wherever the CLI or CI runs) and 80/443 need to be reachable from outside the cluster. 51820 and 9280 carry server-to-server traffic, so as a hardening step restrict them to the addresses of the other servers rather than opening them to the internet.