Host Management
Organize and manage target PCs with hosts, groups, and tag-based targeting.
Every target PC enrolled through nefia vpn invite becomes a host in your Nefia configuration. This guide covers how to list, inspect, organize, and target hosts for remote operations.
Listing Hosts
View all enrolled hosts with their connection status:
nefia hosts listID ADDR OS USER VPN STATUS TAGS prod-web-1 10.99.0.2 linux deploy active env=production, role=web prod-web-2 10.99.0.3 linux deploy active env=production, role=web staging-api 10.99.0.4 linux deploy active env=staging, role=api dev-box 10.99.0.5 macos admin active env=dev, role=workstation win-desktop 10.99.0.6 windows admin active env=dev, role=workstation
The VPN column reflects the current tunnel status. Hosts with an offline status have no active WireGuard handshake.
Host Details
Inspect a single host for detailed information:
nefia hosts show prod-web-1The output is JSON-formatted, matching the Host struct fields. Use --output json with other commands for consistent machine-readable output.
Removing Hosts
Remove a host from your configuration and revoke its VPN peer entry:
nefia hosts remove prod-web-1Groups
Groups are logical collections of hosts defined by tag filters. They let you target multiple hosts with a single selector.
Listing Groups
nefia groups listNAME TAGS webservers role=web production env=production staging env=staging all-linux os=linux
Groups are defined in your nefia.yaml configuration file:
groups:
- name: webservers
match:
tags:
role: web
- name: production
match:
tags:
env: production
- name: staging
match:
tags:
env: staging
- name: all-linux
match:
tags:
os: linuxTags
Tags are key-value pairs attached to hosts. They power group membership, target selectors, and host discovery.
Tags are assigned during enrollment or added later in configuration:
hosts:
- id: prod-web-1
address: 10.99.0.2
user: deploy
os: linux
tags:
env: production
role: web
region: us-east-1
vpn:
public_key: "aB3d...x7Yz="
endpoint: "203.0.113.10:51820"
local_endpoint: "192.168.1.50:51820" # hairpin NAT fallback
vpn_addr: "10.99.0.2"
status: activeTarget Selectors
Most Nefia commands accept a --target flag to specify which hosts to operate on. There are four selector types:
Single Host
Target a single host by name:
nefia exec --target host:prod-web-1 -- uptimeThe shorthand --host flag also works:
nefia exec --host prod-web-1 -- uptimeGroup Selector
Target all hosts in a named group:
nefia exec --target group:webservers -- systemctl status nginx[prod-web-1] nginx.service - A high performance web server [prod-web-1] Active: active (running) since Mon 2026-02-24 08:00:00 UTC
[prod-web-2] nginx.service - A high performance web server [prod-web-2] Active: active (running) since Mon 2026-02-24 07:55:00 UTC
Tag Selector
Target hosts matching a specific tag:
nefia exec --target tag:env=production -- df -h /All Hosts
Target every enrolled host with an active VPN connection:
nefia exec --target all -- hostnameValidating Configuration
Run a configuration validation check to catch errors before they affect operations:
nefia validateConfig is valid.
Add the --target flag to test actual VPN connectivity to selected hosts:
nefia validate --target allConfig is valid. Selector resolved 3 host(s). Testing connectivity... ✓ prod-web-1 [vpn] (10.99.0.2): OK ✓ prod-web-2 [vpn] (10.99.0.3): OK ✗ staging-api [vpn] (10.99.0.4): dial tcp 10.99.0.4:22: i/o timeout
This attempts a VPN connection to each matched host and reports success or the error encountered.
System Status
Get a high-level overview of your Nefia setup with per-host connectivity:
nefia statusNefia Status Version: 1.0.0 Config: /Users/admin/.config/nefia/nefia.yaml
VPN: enabled (4 active, 1 pending) Policy: warn Audit: enabled (dir: /Users/admin/.local/state/nefia/audit, today: 42 records) Auth: logged in Hosts: 5 configured Groups: 2 configured Sessions: 2 active
Hosts: ID OS VPN CONNECTION LATENCY web-1 linux active online 8ms web-2 linux active online 12ms db-1 linux active online 15ms dev-box macos active offline - staging linux pending - -
3 online, 1 offline, 1 pending
The host table probes each active VPN peer with a TCP dial (3-second timeout). Use --no-check to skip connectivity probing for faster output:
nefia status --no-checkFor deeper diagnostics, use nefia doctor to run comprehensive health checks covering config, auth, audit, VPN, and connectivity:
nefia doctorAgent Management
Check the agent version running on target hosts:
nefia agent version --target allHOST VERSION COMPATIBLE MESSAGE prod-web-1 1.2.0 yes prod-web-2 1.2.0 yes staging-api 1.1.3 NO minimum compatible version is 1.2.0 dev-box 1.2.0 yes
Upgrade agents on hosts running older versions:
nefia agent upgrade --target tag:env=stagingVersion Pinning
Pin an agent to a specific version to hold back a known-good release while testing newer versions on other hosts:
nefia agent pin 1.2.0 --target host:prod-web-1Pinned agents will not auto-update beyond the specified version. This is useful when you want to validate a newer agent release on staging hosts before rolling it out to production.
Remove the pin to allow the agent to resume auto-updates:
nefia agent unpin --target host:prod-web-1MCP Tools
AI agents can manage hosts programmatically:
| Tool | Description |
|---|---|
nefia.hosts.list | List all configured hosts with VPN status, tags, and OS. |
nefia.hosts.show | Show detailed information for a specific host. |
nefia.hosts.update | Update host properties (tags, groups, metadata). |
nefia.hosts.groups | List all host groups. |
nefia.hosts.import | Import hosts from SSH config, Ansible inventory, CSV, or known_hosts. |
nefia.hosts.remove | Remove a host from the configuration. |
nefia.hosts.refresh | Refresh host metadata by reconnecting and gathering system facts. |
nefia.agent.pin | Pin agent to a specific version to prevent auto-updates beyond that version. |
Related
Configure WireGuard tunnels, NAT traversal, and key rotation.
Full reference for all Nefia CLI commands and flags.