Owner-scoped plan/apply/adopt controller for Nginx Proxy Manager resources.

Navigation

Verified details

These details have been verified by PyPI
Project links
GitHub Statistics
Maintainers
Avatar for cobycloud from gravatar.com cobycloud
Meta

Unverified details

These details have not been verified by PyPI
Meta
  • License Expression: Apache-2.0
    SPDX License Expression
  • Author: Jacob Stewart
  • Tags nginx-proxy-manager , reverse-proxy , gitops , controller , ssl-certificates , access-lists
  • Requires: Python <3.15, >=3.10
Classifiers
Report project as malware

Project description

npmctl

Owner-scoped GitOps for Nginx Proxy Manager

Validate desired-state YAML, plan safe owner-scoped changes, apply clean reconciles, and adopt existing NPM resources only when you ask for it.

PyPI version Python versions CI Live NPM Gate Apache 2.0 License

npmctl package hits npmctl downloads

npmctl architecture infographic

npmctl is the Python package and console script for declarative, owner-scoped Nginx Proxy Manager automation. It manages proxy hosts, certificates, access lists, redirection hosts, dead hosts, streams, users, settings, and provider-backed DNS records without silently mutating foreign-owned resources.

Supported Python Versions

npmctl supports Python 3.10, 3.11, 3.12, 3.13, and 3.14.

Why npmctl

  • Owner-scoped reconciliation instead of global mutable state
  • Explicit plan, apply, and adopt flows instead of ad hoc API scripting
  • Safe reference handling for certificates and access lists
  • Fail-closed behavior when the target NPM schema does not support a required operation
  • CLI-first workflows that fit GitOps, CI, and controlled repair operations

FAQ

What is npmctl?

Answer: npmctl is a GitOps-style controller for Nginx Proxy Manager that reads desired-state YAML, compares it to the live NPM API, and produces safe owner-scoped plans before any mutation happens.

What problem does npmctl solve?

Answer: npmctl replaces manual NPM clicking and one-off API scripts with repeatable desired state, explicit adoption, conflict detection, and controlled reconciliation for reverse-proxy resources.

Does npmctl modify resources it does not own?

Answer: No. npmctl treats NPM resources as owner-scoped, refuses to mutate foreign-owned resources, and only attaches metadata to unmanaged resources when you run npmctl adopt.

How does npmctl handle certificate issuance and rotation?

Answer: npmctl treats certificates as declarative resources in the same desired state as proxy hosts. Issuance happens when a desired certificate must be created, and rotation happens through explicit reconcile policy rather than hidden mutation of unrelated resources.

Can npmctl adopt existing manually created NPM resources?

Answer: Yes. npmctl adopt can attach npmctl ownership metadata to compatible unmanaged resources so future plans and applies can manage them under explicit owner scope.

Install

Use pipx for an isolated CLI install:

pipx install npmctl
npmctl --version

Use uv if you manage tools with uv:

uv tool install npmctl
npmctl --help

Use pip inside an existing virtual environment:

python -m venv .venv
. .venv/bin/activate
python -m pip install npmctl
npmctl --help

PowerShell activation:

python -m venv .venv
.\.venv\Scripts\Activate.ps1
python -m pip install npmctl
npmctl --help

Configure NPM

Set Nginx Proxy Manager API credentials as environment variables:

export NPM_BASE_URL=http://127.0.0.1:81/api
export NPM_IDENTITY=admin@example.com
export NPM_SECRET=changeme

Or pass them directly:

npmctl --base-url http://127.0.0.1:81/api --identity admin@example.com --secret changeme health

Quick Start

Validate desired state without touching the API:

npmctl validate ./desired-state
npmctl --output json validate ./desired-state

Plan owner-scoped changes:

npmctl plan ./desired-state --owner workload-a

Apply a clean plan:

npmctl apply ./desired-state --owner workload-a

Adopt unmanaged matching resources:

npmctl adopt ./desired-state --owner workload-a
npmctl adopt ./desired-state --owner workload-a --allow-field-drift

Desired State

Every managed resource needs npmctl ownership metadata:

apiVersion: npmctl.com/v1
schemaVersion: 2
proxy_hosts:
  - domain_names: [app.example.com]
    forward_scheme: http
    forward_host: app
    forward_port: 3000
    meta:
      managed_by: npmctl
      owner: workload-a
      resource_id: proxy.app

References use resource_id values:

apiVersion: npmctl.com/v1
schemaVersion: 2
certificates:
  - name: wildcard-example
    domain_names: ["*.example.com", example.com]
    certificate_type: letsencrypt
    api_payload:
      provider: letsencrypt
    meta:
      managed_by: npmctl
      owner: workload-a
      resource_id: cert.wildcard-example
access_lists:
  - name: private-admins
    api_payload:
      satisfy_any: 0
      items: []
      clients: []
    meta:
      managed_by: npmctl
      owner: workload-a
      resource_id: acl.private-admins
proxy_hosts:
  - domain_names: [app.example.com]
    forward_host: app
    forward_port: 3000
    certificate_ref: cert.wildcard-example
    access_list_ref: acl.private-admins
    ssl_forced: 1
    allow_websocket_upgrade: 1
    caching_enabled: 1
    block_exploits: 1
    meta:
      managed_by: npmctl
      owner: workload-a
      resource_id: proxy.app

More Documentation

Project details

Verified details

These details have been verified by PyPI
Project links
GitHub Statistics
Maintainers
Avatar for cobycloud from gravatar.com cobycloud
Meta

Unverified details

These details have not been verified by PyPI
Meta
  • License Expression: Apache-2.0
    SPDX License Expression
  • Author: Jacob Stewart
  • Tags nginx-proxy-manager , reverse-proxy , gitops , controller , ssl-certificates , access-lists
  • Requires: Python <3.15, >=3.10
Classifiers

Release history Release notifications | RSS feed

0.3.10

0.3.8

This version

0.3.7

0.3.6

0.3.5

0.3.4

0.3.3

0.3.2

0.3.1

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

npmctl-0.3.7.tar.gz (41.4 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

npmctl-0.3.7-py3-none-any.whl (52.9 kB view details)

Uploaded Python 3

File details

Details for the file npmctl-0.3.7.tar.gz.

File metadata

  • Download URL: npmctl-0.3.7.tar.gz
  • Upload date:
  • Size: 41.4 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for npmctl-0.3.7.tar.gz
Algorithm Hash digest
SHA256 7565e66b07e72f539a272ccfafc2d0db30546dcf7394a5923354cf8402b5a591
MD5 f31ca547a7154d970fa71b0673ed11f7
BLAKE2b-256 8162c7e69f909b5601fb969f0e5db5071bddae6b936f67f418d0aff1db636414

See more details on using hashes here.

Provenance

The following attestation bundles were made for npmctl-0.3.7.tar.gz:

Publisher: release.yml on groupsum/npmctl

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file npmctl-0.3.7-py3-none-any.whl.

File metadata

  • Download URL: npmctl-0.3.7-py3-none-any.whl
  • Upload date:
  • Size: 52.9 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for npmctl-0.3.7-py3-none-any.whl
Algorithm Hash digest
SHA256 ba7091bd1ce62d3b2e6ba465715a82a172c62359c6323af533039bdf796e42ad
MD5 f91f99eac8c88e34cc2201a246ca4242
BLAKE2b-256 c09bae7a1b16a1b98f60e6bdc597b64a4c93c0601805f8a490a87885d992394f

See more details on using hashes here.

Provenance

The following attestation bundles were made for npmctl-0.3.7-py3-none-any.whl:

Publisher: release.yml on groupsum/npmctl

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page