Rediacc CLI Reference
Overview
The **Rediacc CLI** (`rdc`) is a command-line interface for managing self-hosted infrastructure — machines, repositories, storage, backups, and more.
Installation
Download the latest binary for your platform from the [Rediacc releases page](https://www.rediacc.com) or install via your package manager:
# macOS / Linux
curl -fsSL https://www.rediacc.com | sh
# Or use the packaged binary directly
./rdc --helpGlobal Options
Every command supports these global flags:
| Flag | Description |
|---|---|
--output | Output format (table|json|yaml|csv) |
--config | Use specific config for this command |
--lang | Language override ({{languages}}) |
--force | Skip confirmation prompts |
1. Agent Utilities
Introspection commands for AI agents. Key subcommands: capabilities (list all commands with args/options as JSON), schema (detailed schema for a single command), exec (execute a command with JSON input from stdin, always returns JSON).
1.1 capabilities
List all available commands with arguments and options
rdc agent capabilities1.2 schema
Show detailed schema for a specific command
rdc agent schema [options]| Flag | Description | Required | Default |
|---|---|---|---|
--command <path> | Execute a command instead of interactive shell | Yes | - |
1.3 exec
Execute a command with JSON input from stdin
rdc agent exec [options]| Flag | Description | Required | Default |
|---|---|---|---|
--command <path> | Execute a command instead of interactive shell | Yes | - |
1.4 generate-reference
Generate command reference markdown for Claude skills
rdc agent generate-reference2. Config Management
Manage CLI configuration files stored at ~/.config/rediacc/. CRUD operations for machines, repositories, storage backends, and SSH keys within a config. Key subcommands: init (create named config), show, list, ssh (manage keys), recover (from backup). Nested groups: config machine, config repository, config storage, config infra.
Config files store connection details (API URL, credentials, default team/region/bridge) so you can switch between environments quickly.
2.1 init
Create a new named config file
You can add machines directly:
rdc config init [options]| Flag | Description | Required | Default |
|---|---|---|---|
--name <name> | Resource name | No | - |
--ssh-key <path> | Path to SSH private key (e.g., ~/.ssh/id_rsa) | No | - |
--renet-path <path> | Path to renet binary (default: renet in PATH) | No | - |
--master-password <password> | Encrypt resources with a master password | No | - |
-u, --api-url <url> | API URL | No | - |
--server <url> | Account server URL | No | - |
2.2 list
List all config files
rdc config list2.3 show
Show current config details
rdc config show [options]| Flag | Description | Required | Default |
|---|---|---|---|
--reveal | Show plaintext for sensitive values (interactive only) | No | - |
2.4 delete
Delete a config file
rdc config delete [options]| Flag | Description | Required | Default |
|---|---|---|---|
--name <name> | Resource name | Yes | - |
2.5 set
Set a default value (team, region, bridge)
rdc config set [options]| Flag | Description | Required | Default |
|---|---|---|---|
--key <key> | Configuration key | Yes | - |
--value <value> | Configuration value | Yes | - |
Tip: Setting defaults means you don't need to pass `--team`, `--region`, or `--bridge` with every command.
2.6 clear
Clear defaults (all or specific key)
rdc config clear [options]| Flag | Description | Required | Default |
|---|---|---|---|
--key <key> | Configuration key | No | - |
2.7 recover
Restore config from backup (.bak) file
rdc config recover [options]| Flag | Description | Required | Default |
|---|---|---|---|
--name <name> | Resource name | No | - |
-y, --yes | Skip confirmation prompt | No | - |
2.8 set-ssh
Update SSH configuration for the current config
rdc config set-ssh2.9 set-renet
Set the path to renet binary
rdc config set-renet2.10 ssh
Manage SSH key configuration
set
Set SSH key for the current config
rdc config ssh set [options]| Flag | Description | Required | Default |
|---|---|---|---|
--key <path> | Path to SSH private key file | Yes | - |
--embed | Embed key content in config instead of storing path | No | - |
show
Show current SSH key configuration
rdc config ssh showremove
Remove SSH key from the current config
rdc config ssh remove2.11 remote
Manage remote config storage connection
enable
Link this config to remote encrypted storage
rdc config remote enable [options]| Flag | Description | Required | Default |
|---|---|---|---|
--headless | Use device code flow (for headless servers) | No | - |
--api-url <url> | Account server URL | No | - |
disable
Disconnect from remote storage and save config locally
rdc config remote disablestatus
Show remote connection status
rdc config remote statusrefresh
Force re-fetch config from remote storage
rdc config remote refresh2.12 machine
Manage machines in the current config
add
Add a machine to the current config. Auto-scans SSH host keys. After adding, run: config machine setup <name>
rdc config machine add [options]| Flag | Description | Required | Default |
|---|---|---|---|
--name <name> | Resource name | Yes | - |
--ip <address> | Machine IP address or hostname | Yes | - |
--user <username> | SSH username | Yes | - |
--port <port> | SSH port | No | 22 |
--datastore <path> | Datastore path on machine | No | /mnt/rediacc |
remove
Remove a machine from the current config
rdc config machine remove [options]| Flag | Description | Required | Default |
|---|---|---|---|
--name <name> | Resource name | Yes | - |
list
List machines in the current config
rdc config machine listscan-keys
Scan SSH host keys for machines in the current config
rdc config machine scan-keys [options]| Flag | Description | Required | Default |
|---|---|---|---|
-m, --machine <name> | Machine name | No | - |
setup
Provision a remote machine for repositories (installs renet, configures Docker, BTRFS datastore). Idempotent. Required after 'config machine add' and before 'repo create'
rdc config machine setup [options]| Flag | Description | Required | Default |
|---|---|---|---|
--name <name> | Resource name | Yes | - |
--datastore <path> | Datastore path on remote machine | No | /mnt/rediacc |
--datastore-size <size> | Datastore size (e.g., 95%, 100G) | No | 95% |
--debug | Enable debug output | No | - |
set-ceph
Set Ceph RBD configuration for a machine
rdc config machine set-ceph [options]| Flag | Description | Required | Default |
|---|---|---|---|
-m, --machine <name> | Machine name | Yes | - |
--pool <name> | Ceph pool name (e.g., rbd) | Yes | - |
--image <name> | RBD image name (e.g., datastore-prod1) | Yes | - |
--cluster <name> | Ceph cluster name | No | ceph |
2.13 repository
Manage repository mappings in the current config
add
Add a repository GUID mapping to the current config
rdc config repository add [options]| Flag | Description | Required | Default |
|---|---|---|---|
--name <name> | Resource name | Yes | - |
--guid <guid> | Repository GUID (UUID from storage backup filenames) | Yes | - |
--tag <tag> | Repository tag | No | latest |
--credential <credential> | Repository credential (encryption passphrase) | No | - |
--network-id <id> | Network ID for Docker isolation (2816, 2880, ...). Auto-assigned if omitted | No | - |
remove
Remove a repository mapping from the current config
rdc config repository remove [options]| Flag | Description | Required | Default |
|---|---|---|---|
--name <name> | Resource name | Yes | - |
list
List repository GUID mappings in the current config
rdc config repository listlist-archived
List archived repository credentials
rdc config repository list-archivedrestore-archived
Restore an archived repository credential
rdc config repository restore-archived [options]| Flag | Description | Required | Default |
|---|---|---|---|
--name <name> | Resource name | Yes | - |
--new-name <name> | New resource name | No | - |
purge-archived
Permanently delete all archived credentials
rdc config repository purge-archived2.14 provider
Manage cloud providers for automated machine provisioning
add
Add a cloud provider
rdc config provider add [options]| Flag | Description | Required | Default |
|---|---|---|---|
--name <name> | Resource name | Yes | - |
--provider <source> | Known provider source (e.g., linode/linode, hetznercloud/hcloud) | No | - |
--source <source> | Custom OpenTofu provider source (e.g., vultr/vultr) | No | - |
--token <token> | API token for the cloud provider | Yes | - |
--region <region> | Default region for new machines | No | - |
--type <type> | Default instance type/size | No | - |
--image <image> | Default OS image | No | - |
--ssh-user <user> | SSH username for new VMs (default: root) | No | - |
--resource <type> | Custom: OpenTofu resource type for VM | No | - |
--label-attr <attr> | Custom: attribute name for VM label | No | - |
--region-attr <attr> | Custom: attribute name for region | No | - |
--size-attr <attr> | Custom: attribute name for instance type | No | - |
--image-attr <attr> | Custom: attribute name for OS image | No | - |
--ipv4-output <attr> | Custom: output attribute for IPv4 address | No | - |
--ipv6-output <attr> | Custom: output attribute for IPv6 address | No | - |
--ssh-key-attr <attr> | Custom: attribute name for SSH keys | No | - |
--ssh-key-format <format> | Custom: SSH key format (inline_list or resource_id) | No | - |
--ssh-key-resource <type> | Custom: OpenTofu resource type for SSH keys | No | - |
remove
Remove a cloud provider configuration
rdc config provider remove [options]| Flag | Description | Required | Default |
|---|---|---|---|
--name <name> | Resource name | Yes | - |
list
List configured cloud providers
rdc config provider list2.15 storage
Manage storage backends in the current config
import
Import storages from an rclone config file
rdc config storage import [options]| Flag | Description | Required | Default |
|---|---|---|---|
--file <path> | Path to file | Yes | - |
--name <name> | Import only this named section | No | - |
remove
Remove a storage from the current config
rdc config storage remove [options]| Flag | Description | Required | Default |
|---|---|---|---|
--name <name> | Resource name | Yes | - |
list
List storages in the current config
rdc config storage list2.16 infra
Manage infrastructure configuration (proxy, DNS, certificates)
set
Set infrastructure configuration for a machine (machine-specific: IPs, domain, ports; shared: cert email, CF DNS token)
rdc config infra set [options]| Flag | Description | Required | Default |
|---|---|---|---|
-m, --machine <name> | Machine name | Yes | - |
--public-ipv4 <ip> | Public IPv4 address (per-machine) | No | - |
--public-ipv6 <ip> | Public IPv6 address (per-machine) | No | - |
--base-domain <domain> | Base domain for applications (per-machine) | No | - |
--cert-email <email> | Email for TLS certificate notifications (shared across machines) | No | - |
--cf-dns-token <token> | Cloudflare DNS API token for ACME DNS-01 challenge (shared across machines) | No | - |
--tcp-ports <ports> | TCP ports to forward (comma-separated, e.g., 25,143,465) | No | - |
--udp-ports <ports> | UDP ports to forward (comma-separated, e.g., 53) | No | - |
show
Show infrastructure configuration for a machine
rdc config infra show [options]| Flag | Description | Required | Default |
|---|---|---|---|
-m, --machine <name> | Machine name | Yes | - |
push
Push infrastructure config to machine (Traefik proxy, router, Cloudflare DNS). Run 'config infra set <machine>' first
rdc config infra push [options]| Flag | Description | Required | Default |
|---|---|---|---|
-m, --machine <name> | Machine name | Yes | - |
--debug | Enable debug output | No | - |
2.17 cert-cache
Manage cached TLS certificates
pull
Download and cache TLS certificates from a machine
rdc config cert-cache pull [options]| Flag | Description | Required | Default |
|---|---|---|---|
-m, --machine <name> | Machine name | Yes | - |
--no-prune | Skip pruning stale network-ID certificates | No | - |
--debug | Enable debug output | No | - |
push
Upload cached TLS certificates to a machine
rdc config cert-cache push [options]| Flag | Description | Required | Default |
|---|---|---|---|
-m, --machine <name> | Machine name | Yes | - |
--debug | Enable debug output | No | - |
status
Show cached certificate inventory
rdc config cert-cache statusclear
Remove the certificate cache
rdc config cert-cache clear2.18 field
Pointer-addressed config field operations (get/set/unset/rotate/list). JSON Pointers (RFC 6901) like /credentials/cfDnsApiToken.
get
Read a single config value by JSON Pointer. Sensitive fields redact unless --reveal (humans only).
rdc config field get [options]| Flag | Description | Required | Default |
|---|---|---|---|
--pointer <pointer> | JSON Pointer to the field (e.g. /credentials/cfDnsApiToken) | Yes | - |
--reveal | Show plaintext for sensitive values (interactive TTY only; audited) | No | - |
--digest | Print the SHA-256 digest instead of the value (safe to share with agents) | No | - |
set
Write a config value at a JSON Pointer. Sensitive paths require --current (knowledge-gate).
rdc config field set [options]| Flag | Description | Required | Default |
|---|---|---|---|
--pointer <pointer> | JSON Pointer to the field (e.g. /credentials/cfDnsApiToken) | Yes | - |
--new <value> | New value (parsed as JSON if it looks like JSON: {, [, ", true/false/null/number) | Yes | - |
--current <value> | Current plaintext value — required for sensitive-path mutations (knowledge-gate proof) | No | - |
unset
Delete a config value at a JSON Pointer. Sensitive paths require --current.
rdc config field unset [options]| Flag | Description | Required | Default |
|---|---|---|---|
--pointer <pointer> | JSON Pointer to the field (e.g. /credentials/cfDnsApiToken) | Yes | - |
--current <value> | Current plaintext value — required for sensitive-path deletions | No | - |
rotate
Rotate a sensitive value without --current. Interactive TTY only; loudly audited.
rdc config field rotate [options]| Flag | Description | Required | Default |
|---|---|---|---|
--pointer <pointer> | JSON Pointer to the sensitive field (e.g. /credentials/cfDnsApiToken) | Yes | - |
--new <value> | New value | Yes | - |
list
List every registered sensitivity pointer template with its kind and commit/encrypt policy.
rdc config field list [options]| Flag | Description | Required | Default |
|---|---|---|---|
--sensitive | Show only sensitive (non-public) templates | No | - |
2.19 edit
Open the active config in $EDITOR as a redacted JSONC projection. Humans only; agents refused.
rdc config edit [options]| Flag | Description | Required | Default |
|---|---|---|---|
--reveal | Show plaintext for sensitive values (interactive TTY only; audited) | No | - |
--dump | Print current config as JSONC to stdout (read-only; safe for agents when redacted) | No | - |
--apply <file> | Apply an edited JSONC file (skips $EDITOR launch) | No | - |
--current-secrets <file> | JSON file mapping pointer→old plaintext for knowledge-gate on --apply | No | - |
--editor <cmd> | Editor command override (follows git precedence: flag > $GIT_EDITOR > git config core.editor > $VISUAL > $EDITOR) | No | - |
2.20 audit
Inspect the config audit log (hash-chained JSONL at ~/.config/rediacc/audit.log.jsonl)
log
Print recent audit entries as JSON
rdc config audit log [options]| Flag | Description | Required | Default |
|---|---|---|---|
--since <spec> | Only show entries newer than (e.g., '24h', '7d', ISO timestamp) | No | - |
--path <glob> | Filter by JSON Pointer glob (e.g., /credentials/*) | No | - |
--actor <kind> | Filter by actor kind (human|agent) | No | - |
tail
Stream new audit entries as they are written (Ctrl+C to stop)
rdc config audit tailverify
Verify the integrity of the SHA-256 hash chain across all audit entries
rdc config audit verify2.21 backup-strategy
Manage named backup strategies (hot/cold modes, destinations, scheduling)
set
Create or update a backup strategy
rdc config backup-strategy set [options]| Flag | Description | Required | Default |
|---|---|---|---|
--name <name> | Strategy name (required) | Yes | - |
--destination <name> | Destination name within the strategy | No | - |
--storage <name> | Storage config name (rclone credentials) | No | - |
--cron <expression> | Cron schedule (e.g., "0 * * * *" for hourly) | No | - |
--mode <mode> | Backup mode: "hot" (zero downtime) or "cold" (stop, snapshot, restart) | No | - |
--bwlimit <limit> | Rclone bandwidth limit (e.g., "6M", "10M:off", "08:00,3M;22:00,10M") | No | - |
--include <repos> | Only back up these repos (comma-separated names) | No | - |
--exclude <repos> | Exclude these repos from backup (comma-separated names) | No | - |
--folder <path> | Subfolder under the storage bucket for this destination (e.g. hot, cold) | No | - |
--enable | Enable the strategy or destination | No | - |
--disable | Disable the strategy or destination | No | - |
remove
Remove a backup strategy or destination
rdc config backup-strategy remove [options]| Flag | Description | Required | Default |
|---|---|---|---|
--name <name> | Strategy name (required) | Yes | - |
--destination <name> | Remove only this destination (keeps other destinations) | No | - |
list
List all backup strategies
rdc config backup-strategy listshow
Show backup strategy details
rdc config backup-strategy show [options]| Flag | Description | Required | Default |
|---|---|---|---|
--name <name> | Strategy name (shows all if omitted) | No | - |
3. Datastore Management
Low-level block storage management for machine datastores (Ceph RBD or local BTRFS). Typically only needed during initial machine setup or cross-machine migration. Key subcommands: init (create datastore), status (health/usage), fork (clone datastore to another machine), unfork (restore from snapshot).
3.1 init
Initialize datastore on a machine (local loop-backed or Ceph RBD)
rdc datastore init [options]| Flag | Description | Required | Default |
|---|---|---|---|
-m, --machine <name> | Machine name (where the Ceph datastore is hosted) | Yes | - |
--size <size> | Datastore size (e.g., 5G, 50G, 100G) | Yes | - |
--backend <type> | Backend type: local (default) or ceph | No | local |
--pool <name> | Ceph pool name (default: from machine config, or rbd) | No | rbd |
--image <name> | Ceph RBD image name (default: from machine config via set-ceph) | No | - |
--cluster <name> | Ceph cluster name (default: ceph) | No | ceph |
--force | Force initialization even if datastore already exists (WARNING: reformats storage) | No | - |
--debug | Enable debug output | No | - |
3.2 fork
Create a local COW copy of a Ceph datastore via RBD snapshot + clone (< 2s). Save snapshot/clone names from output for unfork. Only one fork per target name; unfork before re-forking
rdc datastore fork [options]| Flag | Description | Required | Default |
|---|---|---|---|
-m, --machine <name> | Machine name (where the Ceph datastore is hosted) | Yes | - |
--to <name> | Clone suffix (creates clone named <image>-fork-<name>). The fork stays on the source machine | Yes | - |
--cow-size <size> | COW backing file size (default: auto, grows on demand) | No | - |
--debug | Enable debug output | No | - |
3.3 unfork
Clean up a fork: unmount COW, remove clone, remove snapshot
rdc datastore unfork [options]| Flag | Description | Required | Default |
|---|---|---|---|
-m, --machine <name> | Machine name (where the Ceph datastore is hosted) | Yes | - |
--source <image> | Original RBD image that was forked (from config set-ceph --image, e.g. ds-prod) | Yes | - |
--snapshot <name> | Snapshot to remove (the "Snapshot:" value from fork output, e.g. fork-<timestamp>) | Yes | - |
--dest <image> | Clone image to remove (the "Clone:" value from fork output, e.g. ds-prod-fork-<machine>) | Yes | - |
--pool <name> | Ceph pool name (default: from machine config) | No | - |
--mount-point <path> | Fork mount point to unmount (default: /mnt/rediacc) | No | - |
--force | Continue cleanup even if individual steps fail (e.g. unmount, snapshot removal) | No | - |
--debug | Enable debug output | No | - |
3.4 status
Show datastore backend, size, usage, mount status, and cow_mode (if forked)
rdc datastore status [options]| Flag | Description | Required | Default |
|---|---|---|---|
-m, --machine <name> | Machine name (where the Ceph datastore is hosted) | Yes | - |
--debug | Enable debug output | No | - |
4. Machine Management
Inspect remote machine state: system resources, running containers, systemd services, deployed repositories, and health diagnostics. Read-only queries — to modify repos use `repo`. Key subcommands: query (full status with --system, --containers, --repositories, --services filters), list, create, rename, delete, prune.
4.1 list
List machines
rdc machine list [options]| Flag | Description | Required | Default |
|---|---|---|---|
-t, --team <name> | Team name | No | - |
--search <text> | Search in {{field}} | No | - |
--sort <field> | Sort by field | No | - |
--desc | Sort in descending order | No | - |
4.2 create
Create a new machine
rdc machine create [options]| Flag | Description | Required | Default |
|---|---|---|---|
--name <name> | Resource name | Yes | - |
-t, --team <name> | Team name | No | - |
-b, --bridge <name> | Bridge name | No | - |
--vault <json> | Machine vault data as JSON string | No | - |
4.3 rename
Rename a machine
rdc machine rename [options]| Flag | Description | Required | Default |
|---|---|---|---|
--current-name <name> | Current resource name | Yes | - |
--new-name <name> | New resource name | Yes | - |
-t, --team <name> | Team name | No | - |
4.4 delete
Delete a machine
rdc machine delete [options]| Flag | Description | Required | Default |
|---|---|---|---|
--name <name> | Resource name | Yes | - |
-t, --team <name> | Team name | No | - |
-f, --force | Skip confirmation prompts | No | - |
--dry-run | Show what would be done without making changes | No | - |
4.5 vault
Machine vault management (cloud adapter only)
rdc machine vault4.6 vault-status
{{t:cli.commands.machine.vault-status.description}}
rdc machine vault-status [options]| Flag | Description | Required | Default |
|---|---|---|---|
--name <name> | Resource name | Yes | - |
-t, --team <name> | Team name | No | - |
4.7 update
Update machine configuration
rdc machine update4.8 health
Check machine health for CI/CD pipelines
The health command outputs system metrics, container status, service stability, and storage information — useful for CI/CD pipeline checks.
rdc machine health [options]| Flag | Description | Required | Default |
|---|---|---|---|
--name <name> | Resource name | Yes | - |
-t, --team <name> | Team name | No | - |
4.9 containers
List containers on a machine with status, health, and domain routing. JSON includes full container details with repository resolved to name (original in repository_guid), domain, and autoRoute
rdc machine containers [options]| Flag | Description | Required | Default |
|---|---|---|---|
--name <name> | Resource name | Yes | - |
-t, --team <name> | Team name | No | - |
--health-check | Health check mode - exits with code 2 if any unhealthy | No | - |
4.10 services
List rediacc-managed systemd services on a machine (name, state, sub-state, restart count, memory, repository resolved to name with original in repository_guid). Use --stability-check to exit with code 2 if any failed or restarting (for CI/CD)
rdc machine services [options]| Flag | Description | Required | Default |
|---|---|---|---|
--name <name> | Resource name | Yes | - |
-t, --team <name> | Team name | No | - |
--stability-check | Stability check mode - exits with code 2 if any failed/restarting | No | - |
4.11 query
Show full machine status (infra, system, repos with name/guid, containers with repository/repository_guid/domain/autoRoute, services with repository/repository_guid)
rdc machine query [options]| Flag | Description | Required | Default |
|---|---|---|---|
--name <name> | Resource name | Yes | - |
--debug | Enable debug output | No | - |
--system | Include system info only | No | - |
--repositories | Include repositories only | No | - |
--containers | Include containers only | No | - |
--services | Include services only | No | - |
--network | Include network interfaces only | No | - |
--block-devices | Include block devices only | No | - |
--licenses | Include repository license statuses | No | - |
--storage-health | Show BTRFS fragmentation and reflink savings per repository | No | - |
--sync-certs | Also pull the ACME cert cache from the machine after querying | No | - |
4.12 vault-status
Show parsed vault status for a machine
rdc machine vault-status [options]| Flag | Description | Required | Default |
|---|---|---|---|
--name <name> | Resource name | Yes | - |
-t, --team <name> | Team name | No | - |
4.13 repos
List deployed repositories on a machine (name, GUID, size, mount status, Docker state, container count, disk usage, modified date, Rediaccfile present). JSON nests containers and services under each repo. Use --search to filter by name or GUID
rdc machine repos [options]| Flag | Description | Required | Default |
|---|---|---|---|
--name <name> | Resource name | Yes | - |
-t, --team <name> | Team name | No | - |
--search <text> | Filter repositories by name | No | - |
4.14 test-connection
Test SSH connection to a machine and capture host key
rdc machine test-connection [options]| Flag | Description | Required | Default |
|---|---|---|---|
--ip <address> | Machine IP address or hostname | Yes | - |
--user <name> | SSH username | Yes | - |
-t, --team <name> | Team name | No | - |
-b, --bridge <name> | Bridge name | No | - |
--port <number> | SSH port | No | 22 |
--password <pwd> | SSH password for initial authentication | No | - |
--datastore <path> | Datastore path on machine | No | /mnt/rediacc |
-m, --machine <name> | Machine name (for updating vault after test) | No | - |
--save | Save known_hosts to machine vault after successful test | No | - |
Tip: Use `--save-known-hosts` to automatically persist the host key to the machine vault after a successful test.
4.15 provision
Provision a new machine on a cloud provider using OpenTofu
rdc machine provision [options]| Flag | Description | Required | Default |
|---|---|---|---|
--name <name> | Resource name | Yes | - |
--provider <name> | Cloud provider name (from config provider add) | Yes | - |
--region <region> | Override default region | No | - |
--type <type> | Override default instance type | No | - |
--image <image> | Override default OS image | No | - |
--ssh-user <user> | SSH username for the new VM (default: root) | No | - |
--base-domain <domain> | Base domain for infrastructure (e.g., example.com). Implies --infra | No | - |
--no-infra | Skip infrastructure configuration (proxy + DNS) | No | - |
--debug | Enable debug output | No | - |
4.16 deprovision
Destroy a cloud-provisioned machine and remove from config
rdc machine deprovision [options]| Flag | Description | Required | Default |
|---|---|---|---|
--name <name> | Resource name | Yes | - |
--force | Skip confirmation prompt | No | - |
--debug | Enable debug output | No | - |
4.17 backup
Machine backup management (schedule, trigger, status)
list
List backup strategies bound to all machines
rdc machine backup listschedule
Deploy backup schedule to a remote machine (systemd timers)
rdc machine backup schedule [options]| Flag | Description | Required | Default |
|---|---|---|---|
-m, --machine <name> | Machine name | Yes | - |
--dry-run | Preview generated units without deploying | No | - |
--force | Proceed even if a backup is currently running (new unit applies on next tick; running invocation keeps its old unit) | No | - |
--reset-failed | Clear failed state on touched services after a successful deploy (off by default, preserves failure signal) | No | - |
--debug | Enable debug output | No | - |
now
Trigger a backup immediately on a remote machine
rdc machine backup now [options]| Flag | Description | Required | Default |
|---|---|---|---|
-m, --machine <name> | Machine name | Yes | - |
--strategy <name> | Strategy name (triggers all if omitted) | No | - |
--debug | Enable debug output | No | - |
status
Show backup status and timer state on a remote machine
rdc machine backup status [options]| Flag | Description | Required | Default |
|---|---|---|---|
-m, --machine <name> | Machine name | Yes | - |
--strategy <name> | Show details for a specific strategy | No | - |
--debug | Enable debug output | No | - |
cancel
Cancel a running backup on a remote machine
rdc machine backup cancel [options]| Flag | Description | Required | Default |
|---|---|---|---|
-m, --machine <name> | Machine name | Yes | - |
--strategy <name> | Strategy name (cancels all if omitted) | No | - |
--debug | Enable debug output | No | - |
4.18 prune
Remove orphaned datastore resources and stale snapshots from a machine
rdc machine prune [options]| Flag | Description | Required | Default |
|---|---|---|---|
--name <name> | Resource name | Yes | - |
--dry-run | Show what would be removed without making changes | No | - |
--orphaned-repos | Also prune repo images not in any config | No | - |
--force | Skip confirmation prompts | No | - |
--grace-days <days> | Grace period in days for recently archived repos (default: 7) | No | - |
--debug | Enable debug output | No | - |
5. MCP Server
Expose the CLI as a Model Context Protocol (MCP) server for integration with AI agents. The server wraps CLI commands as MCP tools with structured JSON input/output. Key subcommand: serve (start stdio-based MCP server).
5.1 serve
Start MCP server (stdio transport)
rdc mcp serve [options]| Flag | Description | Required | Default |
|---|---|---|---|
--config <name> | Config name to use for all commands | No | - |
--timeout <ms> | Default command timeout in milliseconds | No | 120000 |
--allow-grand | Allow destructive operations on grand (non-fork) repositories. Default: fork-only mode | No | - |
6. Repository Lifecycle
Deploy and manage encrypted repositories on machines. Key subcommands: create, up (deploy), down (stop), fork (instant CoW clone), delete, push/pull (backup), sync (file transfer). Lifecycle: repo create → repo up --mount → repo down. See Key Concepts in rdc --help for architecture, routing, and environment variable details.
6.1 mount
Mount a repository (decrypt and open the LUKS container, making the filesystem accessible). Needed on first deploy, after 'repo push' to a new machine, or after 'repo unmount'. Can also be done via 'repo up --mount'. The volume stays mounted until explicitly unmounted. Omit name to mount all repos on the machine
rdc repo mount [options]| Flag | Description | Required | Default |
|---|---|---|---|
--name <name> | Resource name | No | - |
-m, --machine <name> | Target machine name | Yes | - |
--checkpoint | Restore CRIU container checkpoint after mount (resume processes from saved memory state). Used after 'repo push --checkpoint' for live migration | No | - |
--no-docker | Skip starting Docker daemon after mount | No | - |
--parallel | Start repositories concurrently | No | - |
--concurrency <n> | Max concurrent repositories (default: 3) | No | 3 |
-y, --yes | Skip confirmation for batch operations | No | - |
--debug | Enable debug output | No | - |
--skip-router-restart | Skip restarting the route server after binary update | No | - |
6.2 unmount
Unmount a repository (close the LUKS container, detaching the encrypted filesystem). Services must be stopped first ('repo down'). After unmount, repo data is inaccessible until remounted. Required before 'repo resize'. Omit name to unmount all repos on the machine
rdc repo unmount [options]| Flag | Description | Required | Default |
|---|---|---|---|
--name <name> | Resource name | No | - |
-m, --machine <name> | Target machine name | Yes | - |
--checkpoint | Create CRIU container checkpoint before unmount (capture running process memory state for later restore) | No | - |
--parallel | Start repositories concurrently | No | - |
--concurrency <n> | Max concurrent repositories (default: 3) | No | 3 |
-y, --yes | Skip confirmation for batch operations | No | - |
--debug | Enable debug output | No | - |
--skip-router-restart | Skip restarting the route server after binary update | No | - |
6.3 up
Deploy or update a repository (mount, run Rediaccfile up which calls renet compose). Proxy routes take ~3s to become active after deploy. Prints the URL pattern for HTTP-exposed services (rediacc.service_port label) on completion. Use --mount for first deploy or forked repos. CRIU checkpoint restore is auto-detected — use --skip-checkpoint to force fresh start. Omit name to deploy all repos on the machine
rdc repo up [options]| Flag | Description | Required | Default |
|---|---|---|---|
--name <name> | Resource name | No | - |
-m, --machine <name> | Target machine name | Yes | - |
--skip-checkpoint | Skip CRIU checkpoint restore even if checkpoint data exists (force fresh start) | No | - |
--tls | Request dedicated TLS cert for this repo (forks use shared machine cert by default) | No | - |
--include-forks | Also mount/start forked repositories | No | - |
--mount-only | Only mount, don't start services | No | - |
--parallel | Start repositories concurrently | No | - |
--concurrency <n> | Max concurrent repositories (default: 3) | No | 3 |
-y, --yes | Skip confirmation for batch operations | No | - |
--debug | Enable debug output | No | - |
--skip-router-restart | Skip restarting the route server after binary update | No | - |
--dry-run | Show what would be done without making changes | No | - |
6.4 up-all
Deploy all repositories on a machine
rdc repo up-all6.5 down
Stop repository Docker containers (runs Rediaccfile down via renet compose). Does NOT unmount the encrypted volume -- the repo stays mounted and can be restarted with 'repo up'. Use --unmount to also close the LUKS container after stopping. Use --checkpoint to save CRIU process state before stopping (next 'repo up' auto-restores). Omit name to stop all repos on the machine
rdc repo down [options]| Flag | Description | Required | Default |
|---|---|---|---|
--name <name> | Resource name | No | - |
-m, --machine <name> | Target machine name | Yes | - |
--unmount | Also unmount (close LUKS container) after stopping. Equivalent to 'repo down' then 'repo unmount'. Required before 'repo resize' or to fully secure the volume | No | - |
--checkpoint | Create CRIU checkpoint before stopping (save process memory state for later restore via 'repo up') | No | - |
-y, --yes | Skip confirmation for batch operations | No | - |
--debug | Enable debug output | No | - |
--skip-router-restart | Skip restarting the route server after binary update | No | - |
--dry-run | Show what would be done without making changes | No | - |
6.6 status
Get repository status (mount state, Docker daemon running, container count, disk usage)
rdc repo status [options]| Flag | Description | Required | Default |
|---|---|---|---|
--name <name> | Resource name | Yes | - |
-m, --machine <name> | Target machine name | Yes | - |
--debug | Enable debug output | No | - |
--skip-router-restart | Skip restarting the route server after binary update | No | - |
6.7 list
List repositories on a machine
rdc repo list [options]| Flag | Description | Required | Default |
|---|---|---|---|
-m, --machine <name> | Target machine name | Yes | - |
--debug | Enable debug output | No | - |
--skip-router-restart | Skip restarting the route server after binary update | No | - |
6.8 create
Create a new encrypted repository
rdc repo create [options]| Flag | Description | Required | Default |
|---|---|---|---|
--name <name> | Resource name | Yes | - |
-m, --machine <name> | Target machine name | Yes | - |
--size <size> | Repository size (e.g., 10G, 100G, 1T) | Yes | - |
--no-docker | Skip starting Docker daemon after creation | No | - |
--debug | Enable debug output | No | - |
--skip-router-restart | Skip restarting the route server after binary update | No | - |
6.9 delete
Delete a repository (destroys containers, volumes, and encrypted image). Config entry is preserved. Use --archive-config to move credentials to deletedRepositories for recovery via 'config restore-archived'
rdc repo delete [options]| Flag | Description | Required | Default |
|---|---|---|---|
--name <name> | Resource name | Yes | - |
-m, --machine <name> | Target machine name | Yes | - |
--archive-config | Move config entry to deletedRepositories for later recovery | No | - |
--debug | Enable debug output | No | - |
--skip-router-restart | Skip restarting the route server after binary update | No | - |
--dry-run | Show what would be done without making changes | No | - |
6.10 fork
Create a CoW (Copy-on-Write) fork of a repository. FORK IS NEAR-INSTANT AND CONSTANT-TIME regardless of repo size, BTRFS reflink clones the underlying image so a 100 GB repo and a 1 GB repo fork in the same ~seconds. The fork gets a NEW GUID, networkId, IP range, and auto-route domain ({service}-fork-{tag}.{repo}.{machine}.{baseDomain}) and is a fully independent copy. Online forking is supported, the parent can remain running. Fork inherits the parent's encryption credentials automatically. Use --checkpoint to capture CRIU process state before forking, the fork will auto-restore on first 'repo up' (in-memory state preserved). CROSS-MACHINE FORK: To fork to another machine, first fork locally, then transfer: (1) repo fork --parent <parent> -m <source> --tag <name>, (2) backup push <name> -m <source> --to-machine <target>, (3) repo up <name> -m <target> --mount. WARNING: Do NOT use 'backup push' alone for forking, it creates a raw copy with the SAME GUID (not an independent fork). Always fork first to get a new identity. Auto-routes use the repo name so each fork gets a unique domain automatically.
rdc repo fork [options]| Flag | Description | Required | Default |
|---|---|---|---|
--parent <name> | Resource name | Yes | - |
-m, --machine <name> | Target machine name | Yes | - |
--tag <name> | Tag for the fork (creates name:tag) | Yes | - |
--checkpoint | Create CRIU checkpoint on source before forking (capture process memory state for restore on fork) | No | - |
--up | Mount and start services after forking (fork + mount + up in one command) | No | - |
--debug | Enable debug output | No | - |
--skip-router-restart | Skip restarting the route server after binary update | No | - |
6.11 takeover
Replace grand repo's data with a fork's data. The grand keeps its identity (GUID, networkId, domains, autostart, backup chain) but gets the fork's upgraded data. The old production data is preserved as a backup fork. Use for: test upgrade on fork → verify → takeover to production.
rdc repo takeover [options]| Flag | Description | Required | Default |
|---|---|---|---|
--name <name> | Resource name | Yes | - |
-m, --machine <name> | Target machine name | Yes | - |
--force | Skip modification warnings | No | - |
--debug | Enable debug output | No | - |
--skip-router-restart | Skip restarting the route server after binary update | No | - |
6.12 resize
Resize a repository offline (supports both grow and shrink). Repo must be unmounted first ('repo down --unmount'). For zero-downtime growth without stopping, use 'repo expand' instead
rdc repo resize [options]| Flag | Description | Required | Default |
|---|---|---|---|
--name <name> | Resource name | Yes | - |
-m, --machine <name> | Target machine name | Yes | - |
--size <size> | New repository size (e.g., 10G, 100G, 1T) | Yes | - |
--debug | Enable debug output | No | - |
--skip-router-restart | Skip restarting the route server after binary update | No | - |
6.13 expand
Expand a mounted repository online (zero downtime, grow-only). Grows the LUKS container and filesystem while containers keep running. Cannot shrink -- use 'repo resize' for that (requires unmount)
rdc repo expand [options]| Flag | Description | Required | Default |
|---|---|---|---|
--name <name> | Resource name | Yes | - |
-m, --machine <name> | Target machine name | Yes | - |
--size <size> | New repository size (e.g., 10G, 100G, 1T) | Yes | - |
--debug | Enable debug output | No | - |
--skip-router-restart | Skip restarting the route server after binary update | No | - |
6.14 validate
Validate repository integrity (LUKS container, filesystem consistency, configuration). Use after unexpected shutdowns or to verify backup health
rdc repo validate [options]| Flag | Description | Required | Default |
|---|---|---|---|
--name <name> | Resource name | Yes | - |
-m, --machine <name> | Target machine name | Yes | - |
--debug | Enable debug output | No | - |
--skip-router-restart | Skip restarting the route server after binary update | No | - |
6.15 autostart
Manage automatic repository startup on boot
enable
Enable autostart for a repository (omit name to enable all)
rdc repo autostart enable [options]| Flag | Description | Required | Default |
|---|---|---|---|
--name <name> | Resource name | No | - |
-m, --machine <name> | Target machine name | Yes | - |
--debug | Enable debug output | No | - |
--skip-router-restart | Skip restarting the route server after binary update | No | - |
disable
Disable autostart for a repository (omit name to disable all)
rdc repo autostart disable [options]| Flag | Description | Required | Default |
|---|---|---|---|
--name <name> | Resource name | No | - |
-m, --machine <name> | Target machine name | Yes | - |
--debug | Enable debug output | No | - |
--skip-router-restart | Skip restarting the route server after binary update | No | - |
list
List repositories with autostart enabled
rdc repo autostart list [options]| Flag | Description | Required | Default |
|---|---|---|---|
-m, --machine <name> | Target machine name | Yes | - |
--debug | Enable debug output | No | - |
--skip-router-restart | Skip restarting the route server after binary update | No | - |
6.16 ownership
Change repository directory ownership UID on the mounted volume (default: 7111). Use when containers need a specific UID to access repo files
rdc repo ownership [options]| Flag | Description | Required | Default |
|---|---|---|---|
--name <name> | Resource name | Yes | - |
-m, --machine <name> | Target machine name | Yes | - |
--uid <uid> | Owner UID (default: 7111) | No | - |
--debug | Enable debug output | No | - |
--skip-router-restart | Skip restarting the route server after binary update | No | - |
6.17 template
Manage and apply deployment templates (writes docker-compose.yml, Rediaccfile, and additional files). Rediaccfile must use 'renet compose' (not 'docker compose'). Restart policies are safe (auto-managed by renet watchdog). Renet auto-injects network_mode:host, CRIU capabilities, and rediacc labels. Dangerous settings (privileged, pid:host) blocked unless --unsafe. Use 'list' to see available built-in templates, 'apply' to deploy one to a repository
list
List all embedded deployment templates shipped with the CLI
rdc repo template listapply
Apply a template to a repository. Use a built-in template name (e.g. app-postgres) or --file for a custom JSON template. Rediaccfile lifecycle: up() starts containers (pull images, generate configs here), down() stops. Minimal Rediaccfile: up() { renet compose -- pull; renet compose -- up -d; } down() { renet compose -- down; }. IMPORTANT: Rediaccfile MUST use 'renet compose' — 'docker compose' is rejected. ENV VARS — two levels: (a) Rediaccfile shell: ${SVCNAME_IP} (e.g. APP_IP), ${REDIACC_WORKING_DIR}, ${REDIACC_NETWORK_ID}. (b) Inside containers: renet auto-injects SERVICE_IP and REDIACC_NETWORK_ID env vars. eBPF bind rewriting handles IP isolation transparently, so apps can bind to 0.0.0.0 and the kernel rewrites it to the correct loopback IP. Health checks can use localhost. network_mode:host is injected and ports: are ignored. STORAGE: Both ${REDIACC_WORKING_DIR}/... bind mounts and Docker named volumes are safe — Docker data-root is inside the encrypted LUKS mount. RESTART POLICY: Restart policies are safe — renet auto-strips them for CRIU compatibility and the watchdog handles recovery. Compose: do NOT add network_mode or rediacc.* labels (renet injects them). Multi-project: place each sub-project in its own subdirectory with its own Rediaccfile — renet auto-discovers and runs them in order. HTTPS routing: (A) Auto-route (fork-friendly, recommended): do NOT add traefik.enable. Renet auto-generates https://{serviceName}.{repoName}.{machineName}.{baseDomain}. Add rediacc.service_port=<port> label for non-80 ports. Each fork gets a unique domain. (B) Traefik labels (custom domain, NOT fork-friendly): traefik.enable=true, traefik.http.routers.<n>.rule=Host(`domain`), traefik.http.routers.<n>.entrypoints=websecure,websecure-v6, traefik.http.routers.<n>.tls.certresolver=letsencrypt, traefik.http.services.<n>.loadbalancer.server.port=<port>. For TCP/UDP: rediacc.tcp_ports=3306 / rediacc.udp_ports=53
rdc repo template apply [options]| Flag | Description | Required | Default |
|---|---|---|---|
--name <name> | Resource name | Yes | - |
-m, --machine <name> | Target machine name | Yes | - |
-r, --repository <name> | Repository name (connects to repository environment) | Yes | - |
--file <path> | Path to custom template JSON file ({"version":"2","files":{"Rediaccfile":"...","docker-compose.yml":"..."}}) — overrides the built-in template name | No | - |
--grand <name> | Parent credential repository (auto-resolves name to GUID). Only for repos sharing secrets with a parent | No | - |
--debug | Enable debug output | No | - |
--skip-router-restart | Skip restarting the route server after binary update | No | - |
6.18 push
Push repository to a remote (machine or storage). Omit name to push all repos. The target type is auto-detected from config. For machine-to-machine transfer, the encrypted repo image is copied with the SAME GUID — this is a backup/migration, not a fork. To create an independent fork, use 'repo fork' first, then push. Use --up to deploy after push
rdc repo push [options]| Flag | Description | Required | Default |
|---|---|---|---|
--name <name> | Resource name | No | - |
--to <remote> | Destination machine or storage name (auto-detected from config) | No | - |
--to-machine <machine> | — | No | - |
--provision <provider> | Auto-provision target machine via cloud provider if it doesn't exist | No | - |
--checkpoint | Create CRIU checkpoint before backup (captures process memory state for live migration) | No | - |
--force | Force overwrite existing backup | No | - |
--up | After push, mount and deploy repository on target machine | No | - |
--tag <tag> | Deployment tag for versioning | No | - |
-m, --machine <name> | Machine name | Yes | - |
-w, --watch | Watch for changes | No | - |
--parallel | Start repositories concurrently | No | - |
--concurrency <n> | Max concurrent repositories (default: 3) | No | 3 |
-y, --yes | Skip confirmation for batch operations | No | - |
--bwlimit <limit> | Bandwidth limit for rsync transfer (e.g., "6M", "10M") | No | - |
--debug | Enable debug output | No | - |
--skip-router-restart | Skip restarting the route server after binary update | No | - |
6.19 pull
Pull repository from a remote (machine or storage). Omit name to pull all repos. The source type is auto-detected from config. Use --up to deploy after pull
rdc repo pull [options]| Flag | Description | Required | Default |
|---|---|---|---|
--name <name> | Resource name | No | - |
--from <remote> | Source machine or storage name (auto-detected from config) | No | - |
--from-machine <machine> | — | No | - |
--force | Force overwrite existing repository | No | - |
--up | After pull, mount and deploy repository on this machine | No | - |
-m, --machine <name> | Machine name | Yes | - |
-w, --watch | Watch for changes | No | - |
--parallel | Start repositories concurrently | No | - |
--concurrency <n> | Max concurrent repositories (default: 3) | No | 3 |
-y, --yes | Skip confirmation for batch operations | No | - |
--bwlimit <limit> | Bandwidth limit for rsync transfer (e.g., "6M", "10M") | No | - |
--debug | Enable debug output | No | - |
--skip-router-restart | Skip restarting the route server after binary update | No | - |
6.20 migrate
Live-migrate a repository from one machine to another with minimal downtime. Two-phase rsync: bulk transfer while running, then brief stop for delta sync. Supports CRIU checkpoint for process memory migration and auto-provisioning of target machines
rdc repo migrate [options]| Flag | Description | Required | Default |
|---|---|---|---|
--name <name> | Resource name | Yes | - |
--from <machine> | Source machine name | Yes | - |
--to <machine> | Target machine name | Yes | - |
--provision <provider> | Auto-provision target via cloud provider (e.g., hetzner, linode) | No | - |
--bwlimit <limit> | Bandwidth limit for rsync transfer (e.g., 10M) | No | - |
--checkpoint | CRIU live migration: capture and restore process memory state | No | - |
--skip-dns | Skip DNS record switching after migration | No | - |
--debug | Enable debug output | No | - |
6.21 backup
Manage repository backups
list
List available backups on a remote (machine or storage)
rdc repo backup list [options]| Flag | Description | Required | Default |
|---|---|---|---|
--from <remote> | Source machine or storage name (auto-detected from config) | No | - |
--from-machine <machine> | — | No | - |
-m, --machine <name> | Machine name | Yes | - |
-w, --watch | Watch for changes | No | - |
--debug | Enable debug output | No | - |
--skip-router-restart | Skip restarting the route server after binary update | No | - |
6.22 sync
Sync repositories and files (bulk push/pull, file transfer)
push
Push repositories to cloud storage (omit name to push all)
rdc repo sync pushpull
Pull repositories from cloud storage (omit name to pull all)
rdc repo sync pullupload
Upload files to a repository via rsync over SSH (delta transfer). Use --mirror to delete extra remote files, --dry-run to preview, --exclude to skip patterns
rdc repo sync upload [options]| Flag | Description | Required | Default |
|---|---|---|---|
-t, --team <name> | Team name | No | - |
-m, --machine <name> | Machine name | Yes | - |
-r, --repository <name> | Repository name (connects to repository environment) | No | - |
--local <paths...> | One or more local file or directory paths (default: current directory) | No | - |
--remote <path> | Remote subdirectory path within repository | No | - |
--remote-file <path> | Single remote file path (relative to repo root) to upload to. Mutually exclusive with --remote. | No | - |
--mirror | Mirror mode - delete remote files not present locally | No | - |
--verify | Verify files using checksums after sync | No | - |
--confirm | Preview changes and ask for confirmation before syncing | No | - |
--exclude <patterns...> | Patterns to exclude from sync | No | - |
--dry-run | Show what would be done without making changes | No | - |
download
Download files from a repository via rsync over SSH (delta transfer). Use --mirror to delete extra local files, --dry-run to preview, --exclude to skip patterns
rdc repo sync download [options]| Flag | Description | Required | Default |
|---|---|---|---|
-t, --team <name> | Team name | No | - |
-m, --machine <name> | Machine name | Yes | - |
-r, --repository <name> | Repository name (connects to repository environment) | No | - |
--local <path> | Local directory path (default: current directory) | No | - |
--remote <path> | Remote subdirectory path within repository | No | - |
--remote-file <path> | Remote file path within repository (alternative to --remote for single-file transfers) | No | - |
--mirror | Mirror mode - delete local files not present on remote | No | - |
--verify | Verify files using checksums after sync | No | - |
--confirm | Preview changes and ask for confirmation before syncing | No | - |
--exclude <patterns...> | Patterns to exclude from sync | No | - |
--dry-run | Show what would be done without making changes | No | - |
status
Dry-run comparison of local and remote files (shows what would be transferred without actually transferring)
rdc repo sync status [options]| Flag | Description | Required | Default |
|---|---|---|---|
-t, --team <name> | Team name | No | - |
-m, --machine <name> | Machine name | Yes | - |
-r, --repository <name> | Repository name (connects to repository environment) | No | - |
--local <path> | Local directory path (default: current directory) | No | - |
--remote <path> | Remote subdirectory path within repository | No | - |
--remote-file <path> | Remote file path within repository (alternative to --remote for single-file transfers) | No | - |
6.23 snapshot
Manage BTRFS snapshots on remote machines
create
Create a point-in-time BTRFS snapshot of a repository (instant, no downtime). Use --snapshot-name for a custom name
rdc repo snapshot createlist
List BTRFS snapshots on a remote machine with name, creation date, and size
rdc repo snapshot listdelete
Delete a snapshot from a remote machine
rdc repo snapshot delete6.24 tunnel
Create an SSH port-forward tunnel to a container's port on a remote machine. Auto-detects container and port when unambiguous. The tunnel stays open until you press Ctrl+C
rdc repo tunnel [options]| Flag | Description | Required | Default |
|---|---|---|---|
-m, --machine <name> | Machine name | No | - |
-r, --repository <name> | Repository name (connects to repository environment) | No | - |
-c, --container <name> | Container name (auto-detected if only one running) | No | - |
--port <port> | Remote container port to forward | No | - |
--local <port> | Local port (defaults to same as remote port) | No | - |
7. Storage Management
Manage remote backup storage providers (S3, rclone-compatible). CRUD operations (list, create, rename, delete), vault configuration, browse remote files, and prune orphaned backups.
7.1 list
List storage providers
rdc storage list [options]| Flag | Description | Required | Default |
|---|---|---|---|
-t, --team <name> | Team name | No | - |
--search <text> | Search in {{field}} | No | - |
--sort <field> | Sort by field | No | - |
--desc | Sort in descending order | No | - |
7.2 create
Create a new storage provider
rdc storage create [options]| Flag | Description | Required | Default |
|---|---|---|---|
--name <name> | Resource name | Yes | - |
-t, --team <name> | Team name | No | - |
7.3 rename
Rename a storage provider
rdc storage rename [options]| Flag | Description | Required | Default |
|---|---|---|---|
--current-name <name> | Current resource name | Yes | - |
--new-name <name> | New resource name | Yes | - |
-t, --team <name> | Team name | No | - |
7.4 delete
Delete a storage provider
rdc storage delete [options]| Flag | Description | Required | Default |
|---|---|---|---|
--name <name> | Resource name | Yes | - |
-t, --team <name> | Team name | No | - |
-f, --force | Skip confirmation prompts | No | - |
--dry-run | Show what would be done without making changes | No | - |
7.5 vault
Storage vault management (cloud adapter only)
rdc storage vault7.6 browse
Browse files in a storage system
rdc storage browse [options]| Flag | Description | Required | Default |
|---|---|---|---|
--name <name> | Resource name | Yes | - |
--path <subpath> | Subdirectory path to list | No | “ |
7.7 prune
Delete orphaned backups from storage that are no longer in any config. Multi-config safe with grace period protection.
rdc storage prune [options]| Flag | Description | Required | Default |
|---|---|---|---|
--name <name> | Resource name | Yes | - |
-m, --machine <name> | Machine name | Yes | - |
--dry-run | Show what would be done without making changes | No | - |
--force | Skip confirmation prompts | No | - |
--grace-days <days> | Grace period in days for recently archived repos (default: 7) | No | - |
--debug | Enable debug output | No | - |
--skip-router-restart | Skip restarting the route server after binary update | No | - |
7.8 pull
Pull a backup from cloud storage to a machine
rdc storage pull8. VS Code Integration
Open VS Code with Remote SSH to a machine or repository with sandboxed per-repo environment. Same SSH connection as `term` but launches VS Code instead. Key subcommands: connect (or positional shorthand), list (show configured connections), cleanup (remove SSH config entries), check (verify VS Code installation).
8.1 connect
Connect to a machine or repository in VS Code
rdc vscode connect [options]| Flag | Description | Required | Default |
|---|---|---|---|
-t, --team <name> | Team name | No | - |
-m, --machine <name> | Machine name | No | - |
-r, --repository <name> | Repository name (connects to repository environment) | No | - |
-f, --folder <path> | Remote folder path to open | No | - |
--url-only | Print the VS Code URI instead of launching | No | - |
-n, --new-window | Open in new VS Code window | No | - |
--skip-env-setup | Skip remote environment setup | No | - |
--insiders | Use VS Code Insiders settings | No | - |
8.2 list
List configured VS Code SSH connections
rdc vscode list8.3 cleanup
Remove VS Code SSH configurations
rdc vscode cleanup [options]| Flag | Description | Required | Default |
|---|---|---|---|
--all | Remove all rediacc SSH configurations | No | - |
-c, --connection <name> | Remove specific connection | No | - |
8.4 check
Check VS Code installation and configuration
rdc vscode check [options]| Flag | Description | Required | Default |
|---|---|---|---|
--insiders | Use VS Code Insiders settings | No | - |
9. SSH Terminal Access
Open an SSH terminal to a machine or repository context. Sets up DOCKER_HOST, working directory, and environment automatically. Supports container actions via --container: logs, exec, stats, terminal. Use `-c` to run a single command non-interactively. For VS Code, use `vscode` instead.
9.1 connect
Connect to a machine or repository via SSH
rdc term connect [options]| Flag | Description | Required | Default |
|---|---|---|---|
-t, --team <name> | Team name | No | - |
-m, --machine <name> | Machine name | No | - |
-r, --repository <name> | Repository name (connects to repository environment) | No | - |
-c, --command <cmd> | Execute a command instead of interactive shell | No | - |
--container <id> | Connect to a specific Docker container | No | - |
--container-action <action> | Container action: terminal, logs, stats, exec | No | - |
--log-lines <lines> | Number of log lines to show (default: 50) | No | - |
--follow | Follow logs output | No | - |
--external | Force launching in external terminal window | No | - |
--reset-home | Reset per-repo home overlay for a fresh start | No | - |
10. Protocol Handler
Register and handle {{scheme}}:// protocol URLs
10.1 register
Register the protocol handler on the system
rdc protocol register [options]| Flag | Description | Required | Default |
|---|---|---|---|
--system | Register system-wide (requires admin privileges) | No | - |
--force | Force re-registration even if already registered | No | - |
10.2 unregister
Unregister the protocol handler from the system
rdc protocol unregister [options]| Flag | Description | Required | Default |
|---|---|---|---|
--system | Unregister system-wide registration (requires admin privileges) | No | - |
10.3 status
Show protocol handler registration status
rdc protocol status10.4 open
Open a {{scheme}}:// URL and execute the action
rdc protocol open <url>10.5 build
Build a {{scheme}}:// URL from components
rdc protocol build [options]| Flag | Description | Required | Default |
|---|---|---|---|
--token <token> | Authentication token | Yes | - |
-t, --team <name> | Team name | Yes | - |
-m, --machine <name> | Machine name | Yes | - |
-r, --repository <name> | Repository name (connects to repository environment) | No | - |
-a, --action <action> | Action ({{actions}}) | No | desktop |
-p, --params <key=value...> | Additional parameters | No | - |
10.6 parse
Parse a {{scheme}}:// URL and show components
rdc protocol parse <url>11. Quick Commands (Shortcuts)
11.1 run
WARNING: Low-level command for debugging and experimentation only. Not for production use. Use higher-level commands (repo up, repo down, etc.) instead. Runs a raw bridge function on a machine.
rdc run11.2 trace
Trace a task (shortcut for: queue trace)
rdc trace11.3 cancel
Cancel a task (shortcut for: queue cancel)
rdc cancel11.4 retry
Retry a failed task (shortcut for: queue retry)
rdc retry12. Subscription Management
Manage licensing and subscription tokens. Key subcommands: login (authenticate with subscription portal), status (show current license state), activation (machine slot status), repo (manage per-repo licenses).
12.1 login
Authenticate via browser or API token
rdc subscription login [options]| Flag | Description | Required | Default |
|---|---|---|---|
-t, --token <token> | API token (rdt_...) | No | - |
--server <url> | Account server URL | No | - |
12.2 logout
Clear stored subscription token
rdc subscription logout12.3 status
Show subscription, machine slots, and repo license status
rdc subscription status12.4 activation
Machine slot management
status
Show machine slot status for one machine
rdc subscription activation status [options]| Flag | Description | Required | Default |
|---|---|---|---|
-m, --machine <name> | Machine name | Yes | - |
12.5 repo
Repo license management
status
Show installed repo licenses on a machine
rdc subscription repo status [options]| Flag | Description | Required | Default |
|---|---|---|---|
-m, --machine <name> | Machine name | Yes | - |
12.6 refresh
Refresh repo licenses on a remote machine
activation
Refresh repo licenses on a remote machine
rdc subscription refresh activation [options]| Flag | Description | Required | Default |
|---|---|---|---|
-m, --machine <name> | Machine name | Yes | - |
repos
Batch-refresh repo licenses on a remote machine
rdc subscription refresh repos [options]| Flag | Description | Required | Default |
|---|---|---|---|
-m, --machine <name> | Machine name | Yes | - |
repo
Refresh the repo license for a specific repository
rdc subscription refresh repo [options]| Flag | Description | Required | Default |
|---|---|---|---|
--name <name> | Resource name | Yes | - |
-m, --machine <name> | Machine name | Yes | - |
13. CLI Updates
Check for new CLI versions and apply updates. Supports --check-only to check without installing, and --force to update even if already on the latest version.
rdc update [options]| Flag | Description | Required | Default |
|---|---|---|---|
--force | Force update even if already up-to-date | No | - |
--check-only | Only check for updates without downloading | No | - |
--rollback | Rollback to the previous version | No | - |
--status | Show auto-update status and diagnostics | No | - |
--channel <channel> | Set release channel (stable or edge) | No | - |
14. System Diagnostics
Run diagnostic checks on the CLI environment: Node.js version, renet binary availability, config file validity, SSH key status, and network connectivity. Outputs a structured health report with pass/fail indicators.
rdc doctor15. Experimental VM Operations
Local VM provisioning and management using KVM/QEMU/Hyper-V (platform auto-detected). Not for remote machines — use `machine` for those. Key subcommands: up (start VMs), down (stop), status (list running VMs), ssh (connect to VM), setup (install prerequisites), check (verify host readiness).
15.1 up
Provision VM cluster locally
rdc ops up [options]| Flag | Description | Required | Default |
|---|---|---|---|
--force | Force restart all VMs | No | - |
--parallel | Create VMs in parallel | No | - |
--basic | Minimal cluster (bridge + 1 worker) | No | - |
--lite | Skip VM provisioning (status only) | No | - |
--skip-orchestration | Skip cluster orchestration | No | - |
--backend <backend> | Virtualization backend (kvm|qemu, auto-detected) | No | - |
--os <name> | VM operating system (e.g., ubuntu-24.04, debian-13) | No | - |
--debug | Enable debug output | No | - |
15.2 down
Destroy VM cluster
rdc ops down [options]| Flag | Description | Required | Default |
|---|---|---|---|
--backend <backend> | Virtualization backend (kvm|qemu, auto-detected) | No | - |
--debug | Enable debug output | No | - |
15.3 status
Show VM cluster status
rdc ops status [options]| Flag | Description | Required | Default |
|---|---|---|---|
--backend <backend> | Virtualization backend (kvm|qemu, auto-detected) | No | - |
15.4 ssh
SSH into a VM
rdc ops ssh [options]| Flag | Description | Required | Default |
|---|---|---|---|
--vm-id <id> | Virtual machine ID | Yes | - |
-c, --command <cmd> | Execute a command instead of interactive shell | No | - |
--backend <backend> | Virtualization backend (kvm|qemu, auto-detected) | No | - |
--user <user> | SSH username for VM connection | No | - |
15.5 setup
Install virtualization prerequisites
rdc ops setup [options]| Flag | Description | Required | Default |
|---|---|---|---|
--debug | Enable debug output | No | - |
15.6 check
Verify virtualization prerequisites
rdc ops checkCommon Error Messages
When something goes wrong, the CLI provides clear error messages:
| Error | Meaning |
|---|---|
| Authentication required. Run: rdc auth login | You need to log in first |
| No active config. Create one with: rdc config init --name <name> | No config is active — create one with `rdc config init` |
| Permission denied | Your account lacks the required permissions |
| Machine name required. Use --machine <name> | Specify a machine with `--machine` or set a config default |
| Team name required. Use --team or set default with: rdc config set --key team --value <name> | Specify a team with `--team` or set a config default |
| Region name required. Use --region or set default with: rdc config set --key region --value <name> | Specify a region with `--region` or set a config default |
Output Formats
All list/get commands support multiple output formats via `--output`:
rdc machine list --output json
rdc machine list --output yaml
rdc machine list --output csv
rdc machine list --output table # defaultThis makes it easy to integrate Rediacc CLI into scripts, CI/CD pipelines, and automation workflows.