CLI Reference¶
finchctl is the command-line controller for Finch. It manages the remote
Finch service and enrolled agents over SSH and gRPC.
Synopsis¶
Global flags¶
These flags apply to every command.
| Flag | Default | Description |
|---|---|---|
--run.cmd-timeout |
300 |
Timeout in seconds for SSH commands |
--tls.skip-verify |
false |
Skip TLS certificate verification (not recommended) |
service - Manage the Finch service¶
service deploy¶
Deploy the Finch service to a remote host over SSH. Installs Docker if absent,
copies all service configuration, starts the stack, and sets up the mTLS trust
for this client: generates an ECDSA P-256 CA and client certificate pair
locally, uploads the CA certificate to the server for authentication, and saves
the client certificate and private key to ~/.config/finch.json. The CA key is
locally discarded after signing the client certificate.
| Flag | Default | Description |
|---|---|---|
--service.host |
(auto-detected) | Public hostname or IP of the service; derived from the SSH target if omitted |
--service.letsencrypt |
false |
Obtain a TLS certificate from Let's Encrypt |
--service.letsencrypt.email |
Email address for Let's Encrypt registration (required with --service.letsencrypt) |
|
--service.customtls |
false |
Use a custom TLS certificate |
--service.customtls.cert |
Path to the custom TLS certificate file (required with --service.customtls) |
|
--service.customtls.key |
Path to the custom TLS key file (required with --service.customtls) |
|
--run.dry-run |
false |
Print the commands that would be run without deploying |
--run.format |
progress |
Output format (progress, json, or text) |
Example
# Deploy with a given hostname and Let's Encrypt TLS certificate.
# Requires port 80 to be public open and a DNS record for the HTTP challenge.
finchctl service deploy \
--service.host finch.example.com \
--service.letsencrypt \
--service.letsencrypt.email acme@finch.example.com \
root@10.19.80.100
service register¶
Register an additional client with an already deployed service. Generates an
ECDSA P-256 CA and client certificate pair locally, uploads the CA certificate
to the server for authentication, and saves the client certificate and private
key to ~/.config/finch.json. The CA key is locally discarded after signing.
Each client gets its own CA slot on the server.
| Flag | Default | Description |
|---|---|---|
--run.dry-run |
false |
Print the commands that would be run without registering |
--run.format |
progress |
Output format |
Example
service deregister¶
Remove this client's registration from a remote service. Deletes the client's
CA certificate from the server immediately revoking this client's ability to
connect and removes the stored credentials from ~/.config/finch.json.
| Flag | Default | Description |
|---|---|---|
--run.dry-run |
false |
Print the commands that would be run without deregistering |
--run.format |
progress |
Output format |
Example
service info¶
Show detailed information about a registered service, including its Id, Hostname, creation datetime, and the running version (release tag and git commit hash).
| Flag | Default | Description |
|---|---|---|
--output.json |
false |
Output in JSON format |
Example
service update¶
Update a running service on a remote host (copy configurations, pull new images, restart containers).
| Flag | Default | Description |
|---|---|---|
--service.customtls |
false |
Use a custom TLS certificate |
--service.customtls.cert |
Path to the custom TLS certificate file | |
--service.customtls.key |
Path to the custom TLS key file | |
--run.dry-run |
false |
Print the commands that would be run without updating |
--run.format |
progress |
Output format |
Example
service teardown¶
Stop and remove the Finch service stack from a remote host. Docker is left intact and must be removed manually if desired.
| Flag | Default | Description |
|---|---|---|
--service.host |
(auto-detected) | Public hostname or IP of the service |
--run.dry-run |
false |
Print the commands that would be run without tearing down |
--run.format |
progress |
Output format |
Example
service rotate-certificate¶
Rotate the mTLS certificates of this client. Issues new ECDSA P-256 certificates and uploads the new CA certificate to the server, replacing the old one. Other registered clients are unaffected.
| Flag | Default | Description |
|---|---|---|
--run.dry-run |
false |
Print the commands that would be run without rotating |
--run.format |
progress |
Output format |
Example
service rotate-secret¶
Rotate the JWT signing secret of a running service. All existing agent tokens are immediately invalidated and agents must be re-enrolled afterwards.
Warning
This is a break-glass operation. Every enrolled agent loses its token and stops sending data until re-enrolled. See Rotate the Signing Secret for the full recovery workflow.
| Flag | Default | Description |
|---|---|---|
--run.dry-run |
false |
Print the commands that would be run without rotating |
--run.format |
progress |
Output format |
Example
service dashboard¶
Generate a short-lived dashboard access token and optionally open it in the browser.
| Flag | Default | Description |
|---|---|---|
--permission.role |
viewer |
Dashboard role: viewer, operator, or admin |
--permission.scope |
(all agents) | Comma-separated list of agent RIDs to restrict access |
--permission.session-timeout |
1800 |
Session duration in seconds |
--web |
false |
Open the dashboard URL in the default browser |
Example
# Open dashboard as admin for 1 hour
finchctl service dashboard finch.example.com \
--permission.role admin \
--permission.session-timeout 3600 \
--web
agent - Manage Finch agents¶
agent register¶
Register a new agent with a Finch service. Creates the agent record and generates a 365-day JWT, saved to the generated agent configuration file.
| Flag | Default | Description |
|---|---|---|
--agent.hostname |
Hostname to register the agent under | |
--agent.node |
unix |
Node type: unix or windows |
--agent.labels |
Comma-separated labels for grouping agents | |
--agent.file |
Path to a YAML file containing all agent options | |
--agent.config |
finch-agent.cfg |
Path where the generated agent config is saved |
--agent.logs.journal |
false |
Collect systemd journal logs |
--agent.logs.docker |
false |
Collect Docker container logs |
--agent.logs.files |
Comma-separated file paths to collect logs from | |
--agent.logs.events |
Windows event log channels (Windows agents only) | |
--agent.metrics |
false |
Collect node metrics |
--agent.metrics.targets |
Comma-separated scrape targets for metrics | |
--agent.profiles |
false |
Enable continuous profiling |
Example
finchctl agent register finch.example.com \
--agent.hostname web-01 \
--agent.logs.journal \
--agent.logs.docker \
--agent.metrics
agent config¶
Download the current agent configuration from the service to a local file (used to bootstrap or refresh the Alloy configuration or token on an agent host).
| Flag | Default | Description |
|---|---|---|
--agent.rid |
Resource identifier of the agent | |
--agent.config |
finch-agent.cfg |
Local path to save the downloaded configuration |
Example
agent deploy¶
Deploy the Alloy agent binary and configuration to a remote host over SSH.
| Flag | Default | Description |
|---|---|---|
--agent.config |
Path to the local agent configuration file | |
--alloy.version |
latest |
Version of Alloy to install |
--run.dry-run |
false |
Print the commands that would be run without deploying |
--run.format |
progress |
Output format |
Example
agent edit¶
Edit the configuration of an already registered agent. Flags mirror
agent register except --agent.node which cannot be changed after
registration.
| Flag | Default | Description |
|---|---|---|
--agent.rid |
Resource identifier of the agent to edit | |
--agent.labels |
Updated labels | |
--agent.file |
Path to a YAML file with updated agent data | |
--agent.logs.journal |
false |
Collect systemd journal logs |
--agent.logs.docker |
false |
Collect Docker container logs |
--agent.logs.files |
File paths to collect logs from | |
--agent.metrics |
false |
Collect node metrics |
--agent.metrics.targets |
Scrape targets for metrics | |
--agent.profiles |
false |
Enable continuous profiling |
Example
agent list¶
List all agents registered with a service.
| Flag | Default | Description |
|---|---|---|
--output.json |
false |
Output in JSON format |
Example
agent describe¶
Show detailed information about a specific agent.
| Flag | Default | Description |
|---|---|---|
--agent.rid |
Resource identifier of the agent | |
--output.json |
false |
Output in JSON format |
Example
agent deregister¶
Remove an agent from the service. Any agent's JWT is immediately invalidated.
| Flag | Default | Description |
|---|---|---|
--agent.rid |
Resource identifier of the agent to deregister |
Example
agent update¶
Update the Alloy binary and/or configuration on a remote agent host over SSH.
| Flag | Default | Description |
|---|---|---|
--agent.config |
Path to the local agent configuration file | |
--alloy.version |
latest |
Version of Alloy to install |
--skip.binaries |
false |
Skip binary update, only update configuration |
--skip.config |
false |
Skip configuration update, only update binaries |
--run.dry-run |
false |
Print the commands that would be run without updating |
--run.format |
progress |
Output format |
Example
agent teardown¶
Uninstall Alloy and remove its configuration from a remote host.
| Flag | Default | Description |
|---|---|---|
--run.dry-run |
false |
Print the commands that would be run without tearing down |
--run.format |
progress |
Output format |
Example
version¶
Print the finchctl version.
completion¶
Generate shell autocompletion scripts. Supported shells:
bash, fish, powershell, zsh.
Example - zsh
Example - bash