.
Open-source and self-hostable alternative to Airplane, Pipedream, Superblocks and a simplified Temporal with autogenerated UIs to trigger flows and scripts as internal apps. Convert code to no-code modules and, if the auto-generated UI is not sufficient, use it solely as an highly scalable backend layer. Add automation to your product or build your own no-code tool and delegate the core layer to Windmill .
Join the beta (personal workspaces are free forever): https://app.windmill.dev
Documentation: https://docs.windmill.dev
Discord: https://discord.gg/V7PM2YHsPB
Contributor's guide: https://docs.windmill.dev/docs/contributors_guide
Roadmap: https://github.com/orgs/windmill-labs/projects/2
You can show your support for the project by starring this repo.
Windmill Labs offers commercial licenses and support to convert your existing automation and help you scale it in production. If interested, contact [email protected] (founder of Windmill).
Windmill
Disclaimer: Windmill is in BETA. It is secure to run in production but we are still improving the product fast.
Windmill is fully open-sourced:
community/
,python-client/
anddeno-client/
are Apache 2.0- backend, frontend and everything else under AGPLv3.
What is the general idea behind Windmill
-
Define a minimal and generic script in Python or Typescript that solve a specific task. Here sending an email with SMTP. The code can be defined in the provided Web IDE or synchronized with your own github repo:
-
Your scripts parameters are automatically parsed and generate a frontend. You can narrow down the types during task definition to specify regex for string, an enum or a specific format for objects. Each script correspond to an app by itself:
-
Make it flow! You can chain your scripts or scripts made by the community shared on WindmillHub. There is tight integration between Windmill and the hub to make it easy to build flows from a soon-to-be exhaustive library of generic modules. In flows, one can pipe output to input using "Dynamic" expressions that are just plain Javascript underneath. Flows can contain for-loops, branching (coming soon). As such and coupled with inputs being able to refer to any step's output, they are actual DAG rather than just linear sequences. They are backed by an open JSON spec we call OpenFlow
Both scripts and flows are not restricted to be triggered by the UI. They can be triggered by a schedule, watch for changes (using internal states) or triggered through API with either an async or sync webhook. The latter kind of endpoints make Windmill akin to a self-hostable AWS Lambda. Windmill can be the central place to host, build and run all of your integrations, automation and internal apps. We include credentials management and OAuth integration, groups and much more!
Layout
backend/
: The whole Rust backendfrontend
: The whole Svelte frontendcommunity/
: Scripts and resource types included in every workspace. It is useful for Python scripts since the WindmillHub only allow deno scripts and for sharing resource types that will be included in every workspace.lsp/
: The lsp asssistant for the monaco editornsjail/
: The nsjail configuration files for sandboxing of the scripts' executionpython-client/
: The wmill python client used within scripts to interact with the windmill platformdeno-client/
: The wmill deno client used within scripts to interact with the windmill platform
Stack
- Postgres as the database
- backend in Rust with the following highly-available and horizontally scalable architecture:
- stateless API backend
- workers that pull jobs from a queue in Postgres (and later, Kafka or Redis. Upvote #173 if interested )
- frontend in Svelte
- scripts executions are sandboxed using google's nsjail
- javascript runtime is the deno_core rust library (which itself uses the rusty_v8 and hence V8 underneath)
- typescript runtime is deno
- python runtime is python3
Security
Sandboxing and workload isolation
Windmill uses nsjail on top of the deno sandboxing. It is production multi-tenant grade secure. Do not take our word for it, take fly.io's one
Secrets, credentials and sensitive values
There is one encryption key per workspace to encrypt the credentials and secrets stored in Windmill's K/V store.
In addition, we strongly recommend that you encrypt the whole Postgres database. That is what we do at https://app.windmill.dev.
Performance
The performances are great, as long as you do not exceed the parrallelism of the workers, we are worse than AWS Lambda for small workloads but not by that much
Architecture
Big-picture Architecture
Technical Architecture
How to self-host
We only provide docker-compose setup here. For more advanced setups, like compiling from source or using without a postgres super user, see documentation
Docker compose
docker compose up
with the following docker-compose is sufficient: https://github.com/windmill-labs/windmill/blob/main/docker-compose.yml
For older kernels < 4.18, set DISABLE_NUSER=true
as env variable, otherwise nsjail will not be able to launch the isolated scripts.
To disable nsjail altogether, set DISABLE_NSJAIL=true
.
The default super-admin user is: [email protected] / changeme
From there, you can create other users (do not forget to change the password!)
Commercial license
To self-host Windmill, you must respect the terms of the AGPLv3 license which you do not need to worry about for personal uses. For business uses, you should be fine if you do not re-expose it in any way Windmill to your users and are comfortable with AGPLv3.
To re-expose any Windmill parts to your users as a feature of your product, or to build a feature on top of Windmill, to comply with AGPLv3 your product must be AGPLv3 or you must get a commercial license. Contact us at [email protected] if you have any doubts.
In addition, a commercial license grants you a dedicated engineer to transition your current infrastructure to Windmill, support with tight SLA, audit logs export features, SSO, unlimited users creation, advanced permissioning features such as groups and the ability to create more than one workspace.
OAuth for self-hosting (very optional)
To get the same oauth integrations as Windmill Cloud, mount oauth.json
with the following format:
{
"<client>": {
"id": "<CLIENT_ID>",
"secret": "<CLIENT_SECRET>"
}
}
and mount it at /usr/src/app/oauth.json
.
The list of all possible "connect an app" oauth clients
To add more "connect an app" OAuth clients to the Windmill project, read the Contributor's guide. We welcome contributions!
Resource types
You will also want to import all the approved resource types from WindmillHub. There is no automatic way to do this automatically currently, but it will be possible using a command with the upcoming CLI tool.
Run a local dev setup
only Frontend
This will use the backend of https://app.windmill.dev but your own frontend with hot-code reloading.
- Install caddy
- Go to
frontend/
:npm run install
,npm run generate-backend-client
thennpm run dev
- In another shell
sudo caddy run --config CaddyfileRemote
- Et voilà, windmill should be available at
http://localhost/
Backend + Frontend
- Create a Postgres Database for Windmill and create an admin role inside your Postgres setup.
- Install nsjail and have it accessible in your PATH
- Install deno and python3, have the bins at
/usr/bin/deno
and/usr/local/bin/python3
- Install caddy
- Install the lld linker
- Go to
backend/
:DATABASE_URL=<DATABASE_URL_TO_YOUR_WINDMILL_DB> RUST_LOG=info cargo run
- Go to
frontend/
:npm run install
,npm run generate-backend-client
thennpm run dev
- In another shell
sudo caddy run --config Caddyfile
- Et voilà, windmill should be available at
http://localhost/
Contributors
Copyright
Windmill Labs, Inc 2022