Skip to content
Holden

CLI Reference

The Holden CLI provides tools for managing variables, secrets, and validating configuration.

Installation

Section titled “Installation”

npm

Section titled “npm”
Terminal window
npm install -g @benjick/holden-cli

Docker

Section titled “Docker”

If you don’t want to install Node.js, you can run the CLI as a Docker container:

Terminal window
docker run --rm --network host benjick/holden-cli <command>

To make it feel like a native command, add a persistent alias:

Terminal window
echo "alias holden='docker run --rm --network host benjick/holden-cli'" >> ~/.bashrc

Then use it normally:

Terminal window
holden app list
holden deploy my-app

To update the CLI to the latest version:

Terminal window
docker pull benjick/holden-cli

holden vars

Section titled “holden vars”

Manage configuration values and encrypted secrets in holden.vars.yml.

holden vars set

Section titled “holden vars set”
Terminal window
holden vars set <key> [value] [flags]

Set a configuration variable or encrypted secret. Walks up the directory tree to find holden.yml, then edits the adjacent holden.vars.yml.

FlagDescription
--secretEncrypt the value with age

If --secret is used without a value argument, prompts for hidden input.

Examples:

Terminal window
# Plain config value
holden vars set LOG_LEVEL debug


# Encrypted secret (value as argument)
holden vars set API_KEY --secret sk-secret-key


# Encrypted secret (hidden prompt)
holden vars set API_KEY --secret
Enter value: ****

holden vars get

Section titled “holden vars get”
Terminal window
holden vars get <key> [flags]

Read a configuration variable. Walks up the directory tree to find holden.yml, then reads from the adjacent holden.vars.yml.

FlagDescription
--show-secretsDecrypt and display secret values

Examples:

Terminal window
holden vars get LOG_LEVEL
# debug


holden vars get API_KEY
# [secret]


holden vars get API_KEY --show-secrets
# sk-secret-key

holden config

Section titled “holden config”

Manage CLI configuration. Settings are stored in ~/.holden/config.yml.

holden config set

Section titled “holden config set”
Terminal window
holden config set <key> <value>

Set a CLI configuration value.

KeyDescription
serverSSH address of the Holden server
portAPI port on the server (default: 6021)

Examples:

Terminal window
holden config set server [email protected]
holden config set port 6021

holden config get

Section titled “holden config get”
Terminal window
holden config get <key>

Read a CLI configuration value.

Example:

Terminal window
holden config get server
# [email protected]

SSH Connection

Section titled “SSH Connection”

Commands that connect to the server (holden deploy, fetching encryption keys) shell out to the ssh command. This means:

  • Keys: Uses your SSH agent and default keys (~/.ssh/id_rsa, id_ed25519, etc.)
  • Config: Respects ~/.ssh/config (aliases, jump hosts, custom ports)
  • Auth: Key-based authentication only, no password prompt

If you can run ssh user@server successfully, the CLI will work. No Holden-specific SSH configuration needed.

holden app

Section titled “holden app”

Manage app registrations on the Holden server.

holden app add

Section titled “holden app add”
Terminal window
holden app add <id> --repo <url> [flags]

Register an app. Holden immediately clones the repo and starts reconciling.

FlagDescription
--repo <url>Git repository URL (required)
--branch <branch>Branch to track
--path <path>Path to holden.yml within the repo

Examples:

Terminal window
# Simple app
holden app add my-app --repo https://github.com/you/my-app


# Monorepo
holden app add frontend --repo https://github.com/you/monorepo --path ./apps/frontend

holden app remove

Section titled “holden app remove”
Terminal window
holden app remove <id>

Unregister an app. Removes it from apps.yml. Does not stop running containers — they’ll be cleaned up during the next maintenance window.

holden app list

Section titled “holden app list”
Terminal window
holden app list

List all registered apps with their repo URLs.

holden validate

Section titled “holden validate”
Terminal window
holden validate

Validate holden.yml configuration. Walks up the directory tree to find holden.yml and validates it.

Checks include:

  • YAML syntax
  • Required fields present
  • Valid field values (cron expressions, durations, etc.)

Exit codes:

CodeMeaning
0Configuration is valid
1Validation errors found

Example:

Terminal window
holden validate

holden deploy

Section titled “holden deploy”
Terminal window
holden deploy [app]

Trigger a reconcile cycle on the server. Requires SSH access to the Holden server.

  • No argument: reconciles all apps
  • With app name: reconciles that specific app

Examples:

Terminal window
# Deploy all apps
holden deploy


# Deploy specific app
holden deploy my-app

holden maintenance

Section titled “holden maintenance”
Terminal window
holden maintenance [flags]

Trigger a maintenance cycle on the server. This runs backups, pulls updated images, cleans up stale resources, and reboots Holden via the Overseer.

FlagDescription
--skip-rebootSkip the Holden container reboot after maintenance

Examples:

Terminal window
# Trigger maintenance
holden maintenance


# Trigger maintenance without rebooting
holden maintenance --skip-reboot