nkapp host
The nkapp host command suite provides comprehensive tools for managing network routing, SSL trust, and remote server bootstrapping for your Nanokit environments.
nkapp host <subcommand> [options]Subcommands
host add
Add or update a domain mapping in your nanokit.yml configuration. This command dynamically updates the configuration file and maps domains to either the entire project (root gateway) or specific services.
Usage:
nkapp host add <env> [service] <domain>Examples:
# Map a domain to the 'api' service in the 'local' environment
nkapp host add local api api.my-app.localhost
# Map a domain globally for the whole project (acts as a default for all envs)
nkapp host add global my-app.com
# Map a domain to the 'web' service globally
nkapp host add global web my-app.comHow it works:
- When adding a project-level host (e.g.
global my-app.com), it updates thehostproperty at the root ofnanokit.ymlor inside an environment block. - When adding a service-level host (e.g.
local api api.my-app.local), it updates thehostproperty of that specific service.
host del (alias: rm)
Remove an existing domain mapping from your nanokit.yml.
Usage:
nkapp host del <env> <arg>Examples:
# Remove the domain mapping for the 'api' service in the local environment
nkapp host del local api
# Remove the globally configured project domain
nkapp host del global my-domain.comHow it works:
- If
argmatches the name of a registered service, Nanokit will remove thehostproperty from that service’s configuration. - If
argdoes not match any service, Nanokit assumes you are removing the project-level host configuration.
host trust
Install the Nanokit Root CA (Certificate Authority) into your system’s certificate trust store. This enables secure HTTPS (Green Lock) without browser security warnings when using self-signed certificates locally or on private remote environments.
Usage:
nkapp host trust [-e <env>]| Flag | Type | Default | Description |
|---|---|---|---|
-e, --env <env> | string | local | The environment to trust. Can be local or remote environments (e.g., stage, test-aws). |
Why is this needed?
Nanokit uses Caddy with automatic HTTPS for local development and private .local routing. To avoid “Your connection is not private” errors in modern browsers, your operating system needs to trust the Root CA that Nanokit generated.
Cross-Platform Support:
| Platform | Trust Method |
|---|---|
| macOS | Automatically added to the System Keychain via security add-trusted-cert. |
| Linux | Added to /usr/local/share/ca-certificates and NSS databases (for Chrome/Firefox) via certutil. |
| WSL2 | Full Bridge: Installs in the Linux store AND automatically propagates to the Windows User Certificate Store using certutil.exe. |
Trusting Remote Environments:
If you have deployed a staging environment on AWS or a VPS that uses an internal/private .local domain, Nanokit will securely fetch the Root CA from the remote gateway via SSH or HTTP before installing it on your local machine.
# Trust your remote staging environment
nkapp host trust -e stageNote: You may need to fully restart your browser for the changes to the system trust store to take effect.
host setup
Bootstrap a remote VPS for deployment. This command prepares a raw server to be managed by Nanokit.
Usage:
nkapp host setup <env>Prerequisites:
The environment specified must have a deploy.target defined in nanokit.yml. For example:
environments:
stage:
deploy:
target: root@123.45.67.89What it does:
When you run nkapp host setup stage, Nanokit will:
- Connect to the remote host via SSH.
- Install the Docker Engine and its dependencies if they are missing.
- Configure the UFW firewall to allow HTTP (80), HTTPS (443), and SSH (22) traffic.
- Create the necessary Nanokit project directory structure at
/opt/nanokit/projects/<project-name>.
[!TIP] Automatic Bootstrapping: You rarely need to run
host setupmanually. Thenkapp deploycommand includes an automatic bootstrap check and will perform these steps if it detects the server is uninitialized.