Skip to main content

CLI Reference

All commands support --config (config file path, default: ~/.nimbus/config.json) and --token (JWT bearer token, or NIMBUS_TOKEN env).

nimbus configure

Configure CLI credentials. Import from a JSON config file (downloaded from the GUI or bootstrap) or set individual flags.

# Import from JSON (recommended)
nimbus configure --from nimbus-config.json

# Override the API URL (e.g. when connecting from outside the WireGuard mesh)
nimbus configure --from nimbus-config.json --api-url https://<PUBLIC_IP>:8443

# Manual configuration
nimbus configure --api-url URL --access-key KEY --secret-key SECRET

nimbus bootstrap

Initialize the control plane and create the admin user.

nimbus bootstrap --api-url URL [--insecure]

nimbus version

Show client and server versions.

nimbus node

SubcommandDescriptionKey Flags
addAdd a node via SSH or locally--ip (required), --user, --port, --key, --password, --profile, --name, --local, --gpu-driver
updateUpdate agent binary[node-id], --user, --port, --key, --password, --all, --local
listList all nodes
describeShow node details[id]
drainDrain a node[id]
deleteDelete a node[id]
gpu-overcommitSet GPU overcommit factor[node-id] [factor] (1, 2, 4, or 8)

nimbus swarm

SubcommandDescriptionKey Flags
createCreate a swarm group--name (required), --lb, --cloudflare
add-nodeAdd node to swarm--swarm (required), --node (required)
listList swarms
deleteDelete a swarm[id]
lb setDeploy EasyHAProxy--swarm (required)
lb removeRemove EasyHAProxy--swarm (required)
lb listList load balancers

nimbus compute

SubcommandDescriptionKey Flags
runCreate an instance--name, --image (required), --swarm or --k8s, --type, --replicas, --port, --domain, --volume, --env, --command, --platform, --gpu
scaleScale replicas--id (required), --replicas (required)
listList instances
describeShow instance details[id]
terminateTerminate an instance[id]
stopStop an instance[id]
startStart an instance[id]
logsFetch instance logs[id], -n (lines), -w (follow)
instance-typesList instance types
volume attachAttach volume--instance (required), --volume (required)
volume detachDetach volume--instance (required), --volume (required)

nimbus k8s

SubcommandDescriptionKey Flags
create-clusterCreate a K3s cluster--name (required), --nodes (required, comma-separated)
kubeconfigGet kubeconfig--name (required)
add-nodeAdd worker node--cluster (required), --node (required)
remove-nodeRemove worker node--cluster (required), --node (required)
listList clusters
delete-clusterDelete a cluster[id]
volume attachAttach NFS volume (PV+PVC)--cluster (required), --name (required), --size (required)
volume detachDetach NFS volume--cluster (required), --name (required)

nimbus s3

SubcommandDescriptionKey Flags
createDeploy MinIO instance--name (required), --swarm (required), --volume (required), --password, --license, --certs
listList S3 instances
deleteDelete S3 instance[id]

nimbus volume

SubcommandDescriptionKey Flags
createCreate NFS volume--name (required), --node (required), --folder (required)
listList volumes
deleteDelete volume[id]

nimbus service

SubcommandDescriptionKey Flags
deployDeploy compose stack--file (required), --swarm (required), --name, --env, --volume
listList services
describeShow service details[id]
stopStop a service[id]
startStart a service[id]
removeRemove service[id]

nimbus manifest

SubcommandDescriptionKey Flags
applyProvision from manifest--file (required), --env, --prune
removeRemove manifest resources--file (required), --env

nimbus ssh-profile

Manage SSH profiles — named, reusable SSH credential sets stored encrypted in the database. Sensitive data (private keys, passwords) is encrypted using the control plane's CA key.

SubcommandDescriptionKey Flags
createCreate an SSH profile--name (required), --user, --port, --key, --password
listList SSH profiles
deleteDelete an SSH profile[id]

At least one of --key (path to private key file) or --password is required. The --key flag reads the file and stores its content encrypted — the original file is not needed afterward.

# Create a profile with an SSH key
nimbus ssh-profile create --name prod-servers --user deploy --key ~/.ssh/id_ed25519

# Create a profile with password auth
nimbus ssh-profile create --name staging --user root --password secret123

# List profiles (sensitive data is never shown)
nimbus ssh-profile list

# Delete a profile
nimbus ssh-profile delete sshp-a1b2c3d4

SSH profiles are referenced in manifests via ssh.profile:

nodes:
  web1:
    ip: 192.168.1.10
    ssh:
      profile: prod-servers

nimbus certificate

Manage TLS certificates for SNI-based multi-domain serving. Certificates are stored in the database and served immediately — no restart required. The default WireGuard IP cert (10.106.103.1) is built-in and cannot be deleted.

SubcommandDescriptionKey Flags
listList certificates
addAdd a TLS certificate--domain (required), --cert (required), --key (required), --ca
deleteDelete a certificate[id]
# Add a Let's Encrypt certificate for a public domain
nimbus certificate add \
  --domain nimbus.example.com \
  --cert /etc/letsencrypt/live/nimbus.example.com/fullchain.pem \
  --key  /etc/letsencrypt/live/nimbus.example.com/privkey.pem

# Add a certificate with a custom CA (for internal PKI)
nimbus certificate add \
  --domain internal.example.com \
  --cert /path/to/cert.pem \
  --key  /path/to/key.pem \
  --ca   /path/to/ca.pem

# List all certificates
nimbus certificate list

# Delete a certificate
nimbus certificate delete cert-a1b2c3d4

See Exposing OIDC/OAuth2 Publicly for a full setup guide.

nimbus dns

SubcommandDescriptionKey Flags
setupConfigure local DNS resolution--swarm-id
removeRemove DNS configuration--swarm-id

nimbus gateway

SubcommandDescription
statusShow gateway routing table

nimbus iam

SubcommandDescriptionKey Flags
create-userCreate a user--email (required), --name, --admin
delete-userDelete a user<user-id> (arg)
create-keyGenerate API key pair--user-id (required)
get-tokenGet JWT token (HMAC auth)
set-passwordSet user password--user-id (required), --password (required)
loginLogin with password--email (required), --password (required)

nimbus iam group

SubcommandDescriptionKey Flags
listList all groups
createCreate a group--name (required), --description, --scope (repeatable)
deleteDelete a custom group<group-id> (arg)
set-scopesReplace a group's scope list--group (required), --scope (repeatable)

nimbus iam scope

SubcommandDescriptionKey Flags
listList all registered ARN scopes
registerRegister a new scope--scope (required), --description
unregisterRemove a registered scope<scope> (arg)

nimbus iam client

Manage OAuth2 clients used by external services (Grafana, ArgoCD, Nextcloud, etc.) to authenticate via Nimbus SSO.

SubcommandDescriptionKey Flags
listList all OAuth2 clients
createCreate an OAuth2 client--name (required), --redirect-uri (required, repeatable)
deleteDelete an OAuth2 client<id> (arg — use the ID column from list, not Client ID)

The create command prints the Client ID and Client Secret. The secret is shown only once — save it immediately.

# Register a client for Grafana
nimbus iam client create \
  --name grafana \
  --redirect-uri "https://grafana.example.com/login/generic_oauth"

# Register a client with multiple redirect URIs
nimbus iam client create \
  --name argocd \
  --redirect-uri "https://argocd.example.com/auth/callback" \
  --redirect-uri "https://argocd-staging.example.com/auth/callback"

# List all clients
nimbus iam client list

# Delete a client (use the ID column, not the client_id)
nimbus iam client delete oac-abc123

nimbus iam user-group

SubcommandDescriptionKey Flags
listList a user's groups--user (required)
addAdd user to a group--user (required), --group (required)
removeRemove user from a group--user (required), --group (required)

nimbus cleanup

Force-clean a resource stuck in error state.

nimbus cleanup [resource-type] [resource-id]

Valid resource types: instance, cluster, s3, loadbalancer, swarm, volume.