Quick Start

Initialize configuration and VPN keys

Run nefia setup --skip-host to create nefia.yaml and generate the operator WireGuard keypair without creating an invite yet:

nefia setup --skip-host

nefia setup is the canonical command and nefia init is an alias. If you prefer to generate the invite during setup, run nefia setup interactively or pass --non-interactive --host-name ... --host-os ....

Log in to your account

Authenticate with your Nefia account:

nefia login

This opens a browser window for OAuth authentication. Once complete, the CLI stores a refresh token in your system keyring.

Create an invite token

Generate a single-use enrollment token for your target PC:

nefia vpn invite --name my-server --os macos --stun

The --stun flag discovers your public IP automatically via STUN. If you know your public IP, you can use --endpoint your-ip:51820 instead.

Install and enroll the agent on the target PC

Run the one-liner installer with the invite token on the target PC:

curl -fsSL https://www.nefia.ai/install-agent.sh | sh -s -- --token '<INVITE_TOKEN>'

This single command will:

1. Download and install the nefia-agent binary
2. Validate the HMAC-SHA256 signed token
3. Try direct connection to the operator (falls back to cloud relay if needed)
4. Perform a WireGuard key exchange
5. Establish the VPN tunnel
6. Register the SSH host key automatically
7. Register as a system service (launchd / systemd)

Verify the connection

Back on the operator PC, check that the VPN tunnel is active:

nefia vpn status

You should see output like:

Run your first remote command

Execute a command on the target PC:

nefia exec --host my-server -- hostname

Try reading a file and listing a directory:

nefia fs read --host my-server --path /etc/hostname
nefia fs list --host my-server --path /var/log

Target all hosts at once:

nefia exec --target all -- uptime