Skip to content
Edgible Docs

Devices

A device in Edgible is a machine running the agent. It hosts your workloads — Docker Compose stacks, single containers, managed processes, virtual machines, or pre-existing services — and is reachable from the public internet through Edgible’s managed routing.

You install the agent once per device. From the moment it connects, it appears in your organization, can be assigned applications, and can talk to every other device you own over an encrypted private network.

What runs on a device

Section titled “What runs on a device”

When the agent starts on a device, it brings up four cooperating pieces:

  • The agent process itself — a Node.js daemon that maintains a WebSocket connection to the Edgible control plane and reconciles desired application state.
  • A WireGuard interface — joining the device to a per-organization private network (the device pool).
  • A Caddy reverse proxy — terminates TLS, enforces auth policies, and forwards requests to your workloads.
  • The workloads you’ve declared — started, supervised, and torn down by the agent based on your application YAML.

A device never accepts inbound connections from the public internet. The only network requirement is outbound TCP/443 to the Edgible control plane and outbound UDP for the WireGuard tunnel. Public traffic enters through Edgible’s managed edge and reaches your device over the tunnel.

Devices and the cloud

Section titled “Devices and the cloud”

Not every workload has to run on hardware you own. Edgible can also place applications on cloud hosts — Edgible-operated Firecracker microVMs in the region you choose. Cloud hosts behave like serving devices from your application’s perspective (same WireGuard mesh, same Caddy + workload model), but Edgible provisions and manages them. See Cloud hosting for when to use cloud placement, and Authentication modes for the auth options that apply to both.

You choose between a device you own and cloud placement at the application level, with spec.placement.strategy: serving-device or cloud.

Installing the agent

Section titled “Installing the agent”

Install with:

Terminal window
sudo edgible agent install --device-name my-first --non-interactive

This registers a new device in your organization, generates credentials, lays down a service unit, and brings up the WireGuard interface. Installation typically takes 30–60 seconds.

You can run as many devices as you want, in as many locations as you want. They all share one organization-wide WireGuard subnet.

How devices discover each other

Section titled “How devices discover each other”

Devices in the same organization see each other through the device pool — a per-organization WireGuard subnet (e.g., 10.42.0.0/16). When a new device registers:

  1. The control plane allocates it an IP in the pool.
  2. The control plane pushes the new device’s WireGuard public key and IP to every other device in the same pool.
  3. Each peer adds the new device to its own WireGuard configuration.

Within a few seconds of edgible agent start, every other device in your organization can route packets to the new device over the encrypted tunnel. Device-to-device traffic never leaves the WireGuard mesh.

Device pools and WireGuard goes deeper on the mesh topology.