Workstation CLI and TUI tooling for proxnix relay-cache publishing and secrets management
Project description
proxnix-workstation
proxnix-workstation packages the workstation-side proxnix tools as a normal
Python distribution that can be published to PyPI and installed with pip.
It requires Python 3.12 or newer.
It installs these user-facing commands:
proxnixproxnix-secretsproxnix-publishproxnix-doctorproxnix-tuiproxnix-lxc-exercise
proxnix is the preferred entrypoint. The split commands remain available as
compatibility aliases.
Layout
workstation/cli/
├── bin/ repo-local command wrappers for development
├── legacy/ shell-era compatibility helpers
├── src/ publishable Python package source
├── tests/ Python tests
├── pyproject.toml
└── uv.lock
If you are working from the repository rather than an installed package, use
the wrappers under workstation/cli/bin/.
Generated local-only paths:
../.venv/for the repo-local development virtualenv../../dist/for release artifacts../../.tmp-workstation-packaging/for packaging scratch space
Install
pip install proxnix-workstation
That installs both the workstation CLI and the terminal UI:
proxnixproxnix-tui
The split commands remain available too:
proxnix-publishproxnix-secretsproxnix-doctorproxnix-lxc-exercise
Or with the repo helper:
./ci/install-workstation.sh
If you want repo-local tooling instead of touching the global Python environment:
./ci/bootstrap-workstation-venv.sh
That prepares workstation/.venv plus the wrappers under workstation/cli/bin/.
Python dependencies are bundled through the package, but these external tools must still be available on the machine:
sopssshrsync
The commands read the same workstation config as the existing shell-based workflow:
~/.config/proxnix/config
Expected settings include:
PROXNIX_SITE_DIRPROXNIX_HOSTSPROXNIX_SSH_IDENTITY(optional)
For source-secret retrieval, the workstation also supports:
PROXNIX_SECRET_PROVIDERPROXNIX_SECRET_PROVIDER_COMMANDwhenPROXNIX_SECRET_PROVIDER=execPROXNIX_SOPS_MASTER_IDENTITYwhen usingembedded-sops
Secret Providers
Runtime publish artifacts always stay SOPS-based. The configurable part is the
workstation source-secret backend used by proxnix-secrets,
proxnix-publish, and proxnix-doctor.
Built-in provider names:
embedded-sopspassgopasspassholepykeepassonepasswordonepassword-clibitwardenbitwarden-clikeepassxcexec
Example:
export PROXNIX_SECRET_PROVIDER=passhole
export PROXNIX_PASSHOLE_DATABASE=~/.local/share/passhole/proxnix.kdbx
export PROXNIX_PASSHOLE_PASSWORD_FILE=~/.config/proxnix/passhole-password
For passhole, proxnix asks ph to keep the database password cached for
10 minutes by default. Override with PROXNIX_PASSHOLE_CACHE_TIMEOUT or disable
with PROXNIX_PASSHOLE_NO_CACHE=1.
Or:
# ~/.config/proxnix/config
PROXNIX_SECRET_PROVIDER='pykeepass'
PROXNIX_PYKEEPASS_DATABASE='~/.local/share/keepass/proxnix.kdbx'
PROXNIX_PYKEEPASS_KEYFILE='~/.config/proxnix/proxnix.keyx'
PROXNIX_PYKEEPASS_AGENT_PUBLIC_KEY='ssh-ed25519 AAAA...'
PROXNIX_PYKEEPASS_AGENT_SOCKET='~/Library/Containers/.../agent.sock'
Or:
# ~/.config/proxnix/config
PROXNIX_SECRET_PROVIDER='onepassword'
PROXNIX_1PASSWORD_VAULT='Engineering'
OP_SERVICE_ACCOUNT_TOKEN='ops_...'
Or:
# ~/.config/proxnix/config
PROXNIX_SECRET_PROVIDER='bitwarden'
PROXNIX_BITWARDEN_ORGANIZATION_ID='00000000-0000-0000-0000-000000000000'
PROXNIX_BITWARDEN_ACCESS_TOKEN='0.secret_access_token'
Those same provider variables can also be written directly into
~/.config/proxnix/config. That is the preferred place for stable proxnix
provider settings.
For providers that have both SDK and CLI implementations, proxnix uses one
canonical provider name for the SDK and the same name plus -cli for the CLI
variant:
onepasswordandonepassword-clibitwardenandbitwarden-cli
For pykeepass, the recommended setup is a static keyfile on disk plus an
optional password derived from an SSH agent signature. You can print the exact
derived password that proxnix will use with:
proxnix-secrets print-keepass-password
This is intended as a bootstrap/recovery path so you can also save the password in a separate personal vault and open the proxnix database directly in KeePassXC or Strongbox.
For pykeepass, the password source is chosen in this order:
PROXNIX_PYKEEPASS_NO_PASSWORD=1PROXNIX_PYKEEPASS_PASSWORDPROXNIX_PYKEEPASS_PASSWORD_FILEPROXNIX_PYKEEPASS_AGENT_PUBLIC_KEY- no password
Those password modes are mutually exclusive in practice. PROXNIX_PYKEEPASS_KEYFILE
is separate and can be combined with any of them.
If your SSH agent is not exposed through the standard SSH_AUTH_SOCK, set
PROXNIX_PYKEEPASS_AGENT_SOCKET in the proxnix config file so proxnix can
talk to the right socket explicitly.
Agent-derived pykeepass passwords are cached locally for 10 minutes by default
so repeated GUI operations do not keep asking the SSH agent to sign. Override
with PROXNIX_PYKEEPASS_CACHE_TIMEOUT or disable with
PROXNIX_PYKEEPASS_NO_CACHE=1.
Examples
proxnix secrets set 120 db_password
proxnix publish
proxnix doctor --site-only
proxnix tui
proxnix exercise lxc --host root@node1 --base-vmid 940
Build
Build source and wheel distributions from the workstation/ directory:
uv build
Artifacts are written to:
workstation/dist/
Publish
Tagged releases publish the package from GitHub Actions.
For a local manual publish to PyPI:
python3 -m pip install --user --upgrade twine
python3 -m twine upload dist/*
Notes
- The package intentionally keeps
sops,ssh, andrsyncas external system tools. - Some optional secret providers also require their own external tools or
Python packages. For example,
keepassxc,onepassword-cli, andbitwarden-cliexpect their respective CLIs to be installed, whilepykeepassexpects thepykeepassPython package to be available and SDK-backed providers expect their Python packages plus SDK authentication:onepasswordexpectsonepassword-sdk, andbitwardenexpectsbitwarden-sdk. - Secret-store mutation and SSH key handling are implemented in Python, with
sopsretained at the encryption boundary for wire-format compatibility. - Release tags are expected to match
[project].versioninpyproject.toml. Proxnix Manageris the Electrobun GUI and ships separately from a Homebrew tap; see../docs/operations/proxnix-manager.md.proxnix-manager-webis the hosted Bun web server package for Nix/NixOS deployments; see../docs/operations/proxnix-manager-web.md.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file proxnix_workstation-0.6.1.tar.gz.
File metadata
- Download URL: proxnix_workstation-0.6.1.tar.gz
- Upload date:
- Size: 119.5 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
b9b89c5c8284437fe7ebce055648a8dd31ef4f03782ae4927bbc1acc44d67cfa
|
|
| MD5 |
866d2902d620fc3d5ceb0b07f7b90412
|
|
| BLAKE2b-256 |
de2a2137240ddeb686c2a787f637a23a191ec7276c638dee2c260a7738151a3c
|
Provenance
The following attestation bundles were made for proxnix_workstation-0.6.1.tar.gz:
Publisher:
pypi-publish.yml on denMaier/proxnix
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
proxnix_workstation-0.6.1.tar.gz -
Subject digest:
b9b89c5c8284437fe7ebce055648a8dd31ef4f03782ae4927bbc1acc44d67cfa - Sigstore transparency entry: 1383922452
- Sigstore integration time:
-
Permalink:
denMaier/proxnix@63498d7c6374af8cd62a7eb77fb336f9969986be -
Branch / Tag:
refs/tags/v0.6.1 - Owner: https://github.com/denMaier
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
pypi-publish.yml@63498d7c6374af8cd62a7eb77fb336f9969986be -
Trigger Event:
push
-
Statement type:
File details
Details for the file proxnix_workstation-0.6.1-py3-none-any.whl.
File metadata
- Download URL: proxnix_workstation-0.6.1-py3-none-any.whl
- Upload date:
- Size: 114.4 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
47e0c77710a12dc407a51d97dec046e429aa5659a2fb27e91297267891784455
|
|
| MD5 |
8aa1e41d26733de2299e919f254c39c2
|
|
| BLAKE2b-256 |
96919f771a80d96096aac7a8219fb3a90bf5496cf31f89ce7a3d6a4076dfe3d5
|
Provenance
The following attestation bundles were made for proxnix_workstation-0.6.1-py3-none-any.whl:
Publisher:
pypi-publish.yml on denMaier/proxnix
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
proxnix_workstation-0.6.1-py3-none-any.whl -
Subject digest:
47e0c77710a12dc407a51d97dec046e429aa5659a2fb27e91297267891784455 - Sigstore transparency entry: 1383922492
- Sigstore integration time:
-
Permalink:
denMaier/proxnix@63498d7c6374af8cd62a7eb77fb336f9969986be -
Branch / Tag:
refs/tags/v0.6.1 - Owner: https://github.com/denMaier
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
pypi-publish.yml@63498d7c6374af8cd62a7eb77fb336f9969986be -
Trigger Event:
push
-
Statement type: