Introduction
Procella is a self-hosted backend for Pulumi, the infrastructure-as-code platform. It implements the Pulumi Service API so that the standard Pulumi CLI works against it without modification — pulumi login, pulumi stack init, pulumi up, pulumi destroy, state import/export, secret encryption, and more.
Why Self-Host?
Section titled “Why Self-Host?”Pulumi Cloud is the default backend for managing state, secrets, and collaboration. For teams that need to keep infrastructure state within their own network boundary — whether for compliance, data sovereignty, or cost — Procella provides a drop-in replacement.
- Data sovereignty — state and secrets never leave your infrastructure
- No vendor dependency — run on your own PostgreSQL and S3-compatible storage
- Multi-tenant isolation — organization-scoped access control with role-based permissions
- Horizontal scaling — add replicas behind a load balancer with zero configuration changes
What Works
Section titled “What Works”Procella implements the Pulumi Service API surface that the CLI uses:
| Feature | Status |
|---|---|
pulumi login | ✅ |
pulumi stack init / ls / rm / select | ✅ |
pulumi up / preview / refresh / destroy | ✅ |
pulumi stack export / import | ✅ |
pulumi config set --secret | ✅ |
pulumi stack rename | ✅ |
pulumi stack tag | ✅ |
pulumi cancel | ✅ |
| Concurrent update protection | ✅ |
| Checkpoint versioning | ✅ |
| Delta checkpoints | ✅ |
| Update event history | ✅ |
| Orphan update garbage collection | ✅ |
| Web dashboard | ✅ |
| tRPC dashboard API | ✅ |
| API token management (web) | ✅ |
| Admin settings (users, roles, audit, tenant) | ✅ |
| Browser-based CLI login flow | ✅ |
Tech Stack
Section titled “Tech Stack”| Component | Technology |
|---|---|
| Runtime | Bun 1.2 |
| HTTP Router | Hono v4 |
| Database | PostgreSQL 17 (Drizzle ORM + Bun.sql) |
| Dashboard API | tRPC v11 |
| Authentication | Descope access keys / static dev tokens |
| Encryption | AES-256-GCM + HKDF per-stack key derivation |
| Blob Storage | Local filesystem or S3-compatible (AWS S3, MinIO, Cloudflare R2) |
| Frontend | React 19 + Vite 7 + Tailwind CSS v4 |
| Load Balancer | Caddy 2 |
| Container | bun build --compile → debian-slim |
| Quality | Biome + TypeScript strict + bun:test (320 unit + 89 E2E tests) |
Next Steps
Section titled “Next Steps”- Quick Start — get a local instance running in under 5 minutes
- Configuration — all environment variables and their defaults
- Architecture Overview — how the pieces fit together
- Web Dashboard — pages, navigation, and Descope management widgets