Complete reference for the itsup command-line interface.
itsup [OPTIONS] COMMAND [ARGS]Options:
--help: Show help message and exit--version: Show version and exit--verbose,-v: Enable DEBUG logging (shows detailed operations)
Examples:
itsup --help # Show all commands
itsup --version # Show version
itsup --verbose apply # Deploy with debug outputStart complete infrastructure stack (orchestrated).
Usage:
itsup runWhat it does:
- Start DNS stack (creates proxynet network)
- Start Proxy stack (Traefik + dockerproxy)
- Start API (host process)
- Start Monitor in report-only mode (host process)
Order: Respects dependency order (dns → proxy → api → monitor).
Monitor Mode: Starts monitor in report-only mode (detection without blocking). For full protection with active blocking, use itsup monitor start after infrastructure is running.
Example:
itsup run
# Output:
# ✓ DNS stack started
# ✓ Proxy stack started
# ✓ API started
# ✓ Monitor started in report-only modeStop everything (orchestrated).
Usage:
itsup down [OPTIONS]Options:
--clean: Also remove stopped itsUP containers
What it does:
- Stop Monitor
- Stop API
- Stop all project services (in parallel)
- Stop Proxy stack
- Stop DNS stack
- Optionally: Remove stopped containers (if
--clean)
Examples:
itsup down # Stop everything
itsup down --clean # Stop + cleanup containersInitialize configuration (first-time setup).
Usage:
itsup initWhat it does:
- Prompt for git URLs (if projects/ or secrets/ not present)
- Clone projects/ repository
- Clone secrets/ repository
- Copy sample files (if not already present):
samples/env→.envsamples/itsup.yml→projects/itsup.ymlsamples/traefik.yml→projects/traefik.ymlsamples/example-project/→projects/example-project/samples/secrets/itsup.txt→secrets/itsup.txt
Idempotent: Can be run multiple times safely (won't overwrite existing files).
Example:
itsup init
# Prompts:
# Enter projects git URL: [email protected]:user/projects.git
# Enter secrets git URL: [email protected]:user/secrets.git
# ✓ Cloned projects/
# ✓ Cloned secrets/
# ✓ Copied sample filesUsage:
itsup dns COMMAND [SERVICE]Commands:
up [service]: Start DNS stack or specific servicedown [service]: Stop DNS stack or specific servicerestart [service]: Restart DNS stack or specific servicelogs [service]: Tail logs (optionally for specific service)
Examples:
itsup dns up # Start DNS stack
itsup dns down # Stop DNS stack
itsup dns restart # Restart DNS stack
itsup dns logs # Tail all DNS logsUsage:
itsup proxy COMMAND [SERVICE]Services: traefik, dockerproxy, crowdsec (if enabled)
Commands:
up [service]: Start proxy stack or specific servicedown [service]: Stop proxy stack or specific servicerestart [service]: Restart proxy stack or specific servicelogs [service]: Tail logs (optionally for specific service)
Examples:
itsup proxy up # Start proxy stack
itsup proxy up traefik # Start only Traefik
itsup proxy down # Stop proxy stack
itsup proxy restart traefik # Restart only Traefik
itsup proxy logs # Tail all proxy logs
itsup proxy logs traefik # Tail Traefik logs onlyDeploy project configuration.
Usage:
itsup apply [PROJECT]Arguments:
PROJECT(optional): Project name (deploy specific project)
What it does:
- If
PROJECTspecified: Deploy single project - If no
PROJECT: Deploy all projects in parallel
Smart Rollout:
- Calculates config hash (docker-compose.yml + ingress.yml)
- Compares with stored hash
- Only deploys if changed
Examples:
itsup apply # Deploy all projects (in parallel)
itsup apply my-app # Deploy single project
itsup apply --verbose # Deploy with debug outputOutput:
✓ project-a deployed (config changed)
○ project-b skipped (no changes)
✗ project-c failed (docker error)
Manage project services (docker compose operations).
Usage:
itsup svc PROJECT COMMAND [SERVICE] [OPTIONS]Arguments:
PROJECT: Project name (required)COMMAND: Docker Compose command (required)SERVICE: Service name (optional)
Common Commands:
up [service]: Start servicesdown [service]: Stop servicesrestart [service]: Restart serviceslogs [service]: View logsps: List servicesexec SERVICE CMD: Execute command in service
Examples:
itsup svc my-app up # Start all services
itsup svc my-app up web # Start web service only
itsup svc my-app down # Stop all services
itsup svc my-app restart # Restart all services
itsup svc my-app logs -f # Follow logs (all services)
itsup svc my-app logs -f web # Follow web service logs
itsup svc my-app ps # List services
itsup svc my-app exec web sh # Shell into web serviceTab Completion: Project names, commands, and service names support tab completion.
Validate project configuration.
Usage:
itsup validate [PROJECT]Arguments:
PROJECT(optional): Project name (validate specific project)
What it does:
- Validates YAML syntax (docker-compose.yml, ingress.yml)
- Checks for required fields
- Verifies network configuration
- Validates secrets placeholders
Examples:
itsup validate # Validate all projects
itsup validate my-app # Validate single projectOutput:
✓ my-app: Valid
✗ other-app: Missing required field 'domain' in ingress.yml
Start container security monitor.
Usage:
itsup monitor start [OPTIONS]Options:
--report-only: Detection only, no blocking--use-opensnitch: Enable OpenSnitch integration
Examples:
itsup monitor start # Full protection mode
itsup monitor start --report-only # Detection only
itsup monitor start --use-opensnitch # With OpenSnitchStop container security monitor.
Usage:
itsup monitor stopView monitor logs.
Usage:
itsup monitor logsOutput: Tails logs/monitor.log (follow mode).
Review and cleanup blacklist (interactive).
Usage:
itsup monitor cleanupWhat it does:
- Shows each blacklist entry
- Prompts to keep or remove
- Updates blacklist file
- Removes corresponding iptables rules
Example:
itsup monitor cleanup
# Output:
# Entry: 1.2.3.4 (Malicious connection attempt)
# Keep this entry? [y/n]: n
# ✓ Removed 1.2.3.4Remove iptables rules created by the monitor without touching blacklist files.
Usage:
itsup monitor clear-iptablesGenerate threat intelligence report.
Usage:
itsup monitor report [OPTIONS]Options:
--format: Report format (text, json, html)--output: Output file (default: stdout)
Examples:
itsup monitor report # Text report to stdout
itsup monitor report --format json # JSON report
itsup monitor report --output report.html # HTML report to fileEncrypt secrets file.
Usage:
itsup encrypt PROJECTArguments:
PROJECT: Project name (or "itsup" for shared secrets)
What it does:
- Reads
secrets/{project}.txt(plaintext) - Encrypts with SOPS
- Writes
secrets/{project}.enc.txt(encrypted)
Examples:
itsup encrypt itsup # Encrypt shared secrets
itsup encrypt my-app # Encrypt project secretsDecrypt secrets file.
Usage:
itsup decrypt PROJECTArguments:
PROJECT: Project name (or "itsup" for shared secrets)
What it does:
- Reads
secrets/{project}.enc.txt(encrypted) - Decrypts with SOPS
- Writes
secrets/{project}.txt(plaintext)
Examples:
itsup decrypt itsup # Decrypt shared secrets
itsup decrypt my-app # Decrypt project secretsNote: Plaintext .txt files are gitignored (safe to decrypt).
List all projects.
Usage:
itsup list [OPTIONS]Options:
--enabled-only: Show only enabled projects (ingress.yml hasenabled: true)--format: Output format (text, json, yaml)
Examples:
itsup list # List all projects
itsup list --enabled-only # List only enabled projects
itsup list --format json # JSON outputShow infrastructure status.
Usage:
itsup statusWhat it shows:
- DNS stack status
- Proxy stack status
- API status
- Monitor status
- Project counts (total, enabled, running)
Example:
itsup status
# Output:
# DNS: ✓ Running
# Proxy: ✓ Running (Traefik v3.5.1)
# API: ✓ Running (http://localhost:8080)
# Monitor: ✓ Running (protection mode)
# Projects: 15 total, 12 enabled, 10 runningBash:
source env.sh # Enables completion automaticallyOr manually:
eval "$(_ITSUP_COMPLETE=bash_source itsup)"Zsh:
source env.sh # Enables completion automaticallyOr manually:
eval "$(_ITSUP_COMPLETE=zsh_source itsup)"- Commands: All itsup subcommands
- Options: All command options (--help, --verbose, etc.)
- Projects: Project names from projects/ directory
- Services: Service names from docker-compose.yml
- Stacks: dns, proxy, api, monitor
Examples:
itsup <TAB> # Shows: apply, svc, monitor, encrypt, ...
itsup svc <TAB> # Shows: project names
itsup svc my-app <TAB> # Shows: up, down, restart, logs, ...
itsup svc my-app up <TAB> # Shows: service namesITSUP_VERBOSE: Enable verbose output (same as --verbose)
export ITSUP_VERBOSE=1
itsup apply # Will show debug outputITSUP_CONFIG_DIR: Override config directory (default: ./projects)
export ITSUP_CONFIG_DIR=/path/to/projects
itsup applyITSUP_SECRETS_DIR: Override secrets directory (default: ./secrets)
export ITSUP_SECRETS_DIR=/path/to/secrets
itsup decrypt itsup0: Success
1: General error (invalid arguments, command failed)
2: Configuration error (invalid YAML, missing files)
3: Deployment error (docker compose failed)
130: User interrupt (Ctrl+C)
Example:
itsup apply my-app
echo $? # 0 = success, non-zero = errorPotential aliases for convenience:
itsup a # itsup apply
itsup s # itsup status
itsup l # itsup list
itsup v # itsup validate# Deploy and show status
itsup apply && itsup status
# Validate, deploy, check logs
itsup validate && itsup apply && itsup svc my-app logs -f# Watch project logs
watch -n 1 "itsup svc my-app logs --tail 20"
# Watch status
watch -n 5 "itsup status"#!/bin/bash
# deploy-all.sh
set -e # Exit on error
echo "Validating configuration..."
itsup validate
echo "Deploying projects..."
itsup apply
echo "Checking status..."
itsup status
echo "All deployed successfully!"# .github/workflows/deploy.yml
- name: Deploy
run: |
source env.sh
itsup validate
itsup apply
itsup statusitsup --help # Main help
itsup apply --help # Command-specific help
itsup svc --help # Subcommand helpitsup --verbose apply # Shows detailed operationsUse for:
- Debugging failures
- Understanding what CLI is doing
- Reporting issues
Include:
- Command that failed
- Full output (with
--verbose) - Configuration files (redact secrets)
- System info (
uname -a,docker --version)
Example:
itsup --verbose apply my-app > debug.log 2>&1
# Attach debug.log to issue report