
weldctl CLI

weldctl is a single-binary, open-source DevOps CLI distributed under AGPL-3.0. It’s the same code path the managed Naasson Apps SaaS runs internally: when you run weldctl simple deploy nextcloud, you’re exercising the same provisioner the wizard does.

Source: https://github.com/weldctl/weldctl.

Install

Release binaries are signed with cosign keyless signing via GitLab CI OIDC + Sigstore Rekor, and the one-liner installer verifies them:

curl -fsSL https://cli.cloud.naasson.com/install.sh | sh

Or via package managers (once the v1.0 release is cut):

brew install weldctl/tap/weldctl # macOS + Linuxbrew
apt-get install weldctl # Debian / Ubuntu
dnf install weldctl # Fedora / RHEL
scoop install weldctl # Windows

Verify the install:

weldctl --version
weldctl verify-self # cosign signature + SLSA L3 provenance check

First run

weldctl init --provider yandex # or aws, gcp, azure, hetzner, …

This writes a weld.yml (the source of truth — commit it to your repo) and generates infra/targets/<name>/ with Terraform that targets your chosen provider. The CLI’s job for the rest of the time is to keep that directory consistent with weld.yml.

Daily commands

| Command | Purpose |
|---|---|
| weldctl plan | Show what would change in the active target |
| weldctl deploy apply | Apply the plan (provisions Talos K8s 1.32.1 + Cilium by default) |
| weldctl simple deploy <slug> | Install a marketplace app onto the target |
| weldctl mcp serve --stdio | Embedded MCP server: wire weldctl into Claude Code or Cursor |
| weldctl migrate plan --from yc --to aws | Cost-compare moving the stack to another cloud |
| weldctl pool scale --size 5 | Scale the compute pool up/down |
| weldctl cluster snapshot | One-shot snapshot of the cluster + state |
| weldctl cluster destroy | Tear it all down, idempotent |

Mode 1: works without an account

weldctl init, plan, deploy apply, simple deploy, pool scale, cluster snapshot, cluster destroy, migrate plan — all of these run without any login. They talk to your cloud provider’s API directly, not to api.cloud.naasson.com.

Login is only required for cross-user operations: Mode 2 peer-mesh, Mode 3 rental, and Mode 5 batch. If a Mode-1 command ever prompts you to log in, that’s a bug — please report it.

TUI

Run weldctl with no arguments to get a full-screen Bubble Tea TUI: nine screens, EN+RU localization, keyboard-only navigation, with non-TUI fallback for SSH/CI environments via --no-tui.

State

State is age-encrypted by default, kept under .weld/state.age in your repo. Decrypt with weldctl state decrypt (requires your private key set in WELDCTL_AGE_KEY or read from ~/.config/weldctl/age.key). The drift detector compares three things: weld.yml (intent), the encrypted state (last known), and the live cloud state (current); any 3-way mismatch surfaces in weldctl status.
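
The three-way comparison described above, as an added example (not weldctl's own code): a Go program that classifies each attribute by which of the three views disagree. The category names, the flat key/value model and the sample values are assumptions made for illustration.

```go
package main

import "fmt"

// Drift labels are this example's own names, not weldctl status output.
type Drift string
const (
	InSync    Drift = "in-sync"
	Pending   Drift = "pending-apply" // weld.yml changed; cloud still matches state
	OutOfBand Drift = "out-of-band"   // cloud changed behind weld.yml and state
	Stale     Drift = "stale-state"   // state lags; weld.yml and cloud agree
	Conflict  Drift = "conflict"      // all three disagree
)

// Classify compares one attribute across the three views; "" means absent.
func Classify(intent, state, live string) Drift {
	switch {
	case intent == state && state == live:
		return InSync
	case state == live:
		return Pending
	case intent == state:
		return OutOfBand
	case intent == live:
		return Stale
	}
	return Conflict
}

// Report classifies every key seen in any view and keeps only mismatches.
func Report(intent, state, live map[string]string) map[string]Drift {
	out := map[string]Drift{}
	for _, view := range []map[string]string{intent, state, live} {
		for k := range view {
			if d := Classify(intent[k], state[k], live[k]); d != InSync {
				out[k] = d
			}
		}
	}
	return out
}

func main() {
	// Constructed sample views, not real weldctl state.
	intent := map[string]string{"pool.size": "5", "fw.ssh": "closed"}
	state := map[string]string{"pool.size": "3", "fw.ssh": "closed"}
	live := map[string]string{"pool.size": "3", "fw.ssh": "open", "disk.extra": "50GiB"}
	fmt.Println(Report(intent, state, live))
}
```

The out-of-band class is the one to alert on: it covers both a managed attribute changed directly in the cloud and a resource that exists live but appears in neither weld.yml nor the state.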

Multi-target

One weld.yml can describe many targets:

targets:
  - name: local            # weldctl deploy apply --target local
    provider: local        # QEMU+HVF on macOS or KVM on Linux
  - name: prod-yc          # weldctl deploy apply --target prod-yc
    provider: yandex_cloud
    zone: ru-central1-a
  - name: dr-hetzner       # weldctl deploy apply --target dr-hetzner
    provider: hetzner
    location: fsn1

The CLI keeps a separate infra/targets/<name>/ tree per target; state files are isolated. Switching is one flag away.

Plugin ABI

The gRPC plugin loader is deferred to v1.1 — for now, cloud-provider support is compiled in. T0/T1 providers shipped: Yandex Cloud, GCP, Azure, Hetzner, DigitalOcean, Cloudflare, AWS. T2 (OpenStack, Scaleway, Linode, OVH, Oracle, Alibaba) is queued.

Getting help

  • weldctl <command> --help — full reference
  • TUI splash → "?" — context-sensitive shortcuts
  • GitHub Discussions for design questions
  • Issues for bugs