Thanks! The short answer is that we're super small and folks are using us for really light use-cases. Our total server costs are less than $100 / month.
Eventually, we'll offer paid services for folks that want more processing power or other goodies, but we will always provide a generous free tier.
100$/month for a site that runs random people's code seems great ! Do you mind sharing some details ? What does your architecture look like ? How many "vals" do you have, and how many executions per day ?
We've got one node of 2 vCPU & 8192 MB on Northflank for $72 / month. We were getting away with 1 vCPU & 2048 MB, but increased it yesterday to be extra safe for this launch.
Our database on Supabase is $75 / month, and it's also way overkill but the dollars are small and we'd rather be safe.
So yesterday we were just under $100 / month, but today we're closer to $150.
This is really interesting, but... if you don't mind me asking, how do you prevent people from running malicious code on your server? Are you literally evaluating this code inside a Nodejs loop? It seems almost impossible to secure something like that.
I don't want to say too much, because I know our security isn't perfect, and some about of obfuscation adds some security. Once we move to a more secure model, I will happily tell you all what use used to use to sandbox code.
Soon we'll do real sandboxing, either ourselves through Docker, wasm, bubblewrap[1], etc, or an existing FaaS (Lambda, Deno Deploy, Cloudflare Workers) or FaaSaaS (Deno Subhosting)
FWIW Cloudflare offers Workers for Platforms, which I literally called "FaaSaaS" in my early design docs but for some reason that name didn't stick... :)
Fair enough. I guess a more basic question than how you're preventing people from probing for nodejs packages they could misuse would be the more pedestrian problem of how do you deal with runaway processes, especially if they end up blocking the event loop that should theoretically kill them. Mark/sweep from another process that restarts pm2 or whatever?
The reason I'm curious is that a lot of my private projects rely on evaluating code server side, but it's a big reason I'm not willing to share them with the public, because the overhead of watching for abuse would just make it.. not worth it. It falls into the category of "this is why we can't have nice things".
As a security challenge though (for the defender) I do love something like this. But I doubt dockerizing it would help against CPU abuse unless you want to spin up a docker vm for every request..
Eventually, we'll offer paid services for folks that want more processing power or other goodies, but we will always provide a generous free tier.