elide orb
elide orb is the full network orchestrator. Where elide serve runs your application, elide orb runs your infrastructure: reverse proxy with load balancing, auto-HTTPS via ACME, Tailscale and WireGuard networking, private PKI with mTLS, gRPC proxy, L4 TCP relay, DERP relay, zero-downtime upgrades — all driven by a single PKL configuration file.
Requires an Elide Pro license. See elide.pro for details.
When to use orb vs serve
elide serve is for your application — static files, JS/TS handlers, CGI scripts. It covers the common case of putting a server in front of your code.
elide orb is for your network. If you need to reverse-proxy traffic to backend pools, terminate TLS with auto-provisioned certificates, join a Tailscale network, bridge multiple overlay networks, or perform zero-downtime binary upgrades — that is elide orb territory.
Both commands share the same server engine. orb unlocks the premium configuration surface on top of it.
Prerequisites
- PKL config: A configuration file amending elide:serve/ElideServer.pkl is required (--config).
- Platform: Linux or macOS. Windows support is experimental.
---
Quick deploy
A reverse proxy fronting two backend servers, with a static SPA fallback:
```pkl
amends "elide:serve/ElideServer.pkl"

servers {
  ["api.example.com"] {
    routes {
      new {
        match { path = "/v1/**" }
        handler = new ReverseProxy {
          upstreams { "backend-1:8080"; "backend-2:8080" }
          loadBalancing = "least_connections"
        }
      }
    }
    handler = new StaticFiles { root = "./dist"; spaFallback = true }
  }
}
```

```bash
elide orb --config server.pkl
```

Elide reads the config, binds listeners, provisions TLS certificates if configured, and starts serving.
Add Tailscale in one flag
```bash
elide orb --config server.pkl --tailscale
```

This binds to the node's Tailscale IP, provisions a Tailscale-issued TLS certificate (trusted by all tailnet devices), and registers MagicDNS.
Standalone Tailscale (no daemon)
Run as a self-contained Tailscale node — no tailscaled required. Elide embeds the TS2021 control plane, WireGuard data plane, and DERP relay client:
```bash
elide orb --config server.pkl --tailscale-direct --tailscale-auth-key tskey-auth-...
```

Auto-HTTPS with ACME
Provision and auto-renew TLS certificates via Let's Encrypt:
```bash
elide orb --config server.pkl --auto-https --domain example.com,www.example.com --acme-email admin@example.com
```

Or declare it entirely in PKL:
```pkl
amends "elide:serve/ElideServer.pkl"

tls {
  acmeEmail = "admin@example.com"
}

servers {
  ["example.com"] {
    domains { "example.com"; "www.example.com" }
    handler = new StaticFiles { root = "./dist" }
  }
}
```

DERP relay co-hosting
Host a DERP relay alongside the HTTP server for Tailscale-compatible peer relay:
```bash
elide orb --config server.pkl --tailscale --derp
```

---
Capability matrix
Everything elide serve can do, elide orb can do. The reverse is not true.
| Capability | elide serve | elide orb |
|---|---|---|
| Static files, JS/TS handlers, CGI | Yes | Yes |
| PKL configuration (--config) | Yes | Yes (required) |
| Admin API | Yes | Yes |
| TUI / plain / JSON output | Yes | Yes |
| Reactor + worker tuning | Yes | Yes |
| Reverse proxy, load balancing | — | Yes |
| L4 TCP relay, gRPC proxy | — | Yes |
| Auto-HTTPS (ACME) | — | Yes |
| Tailscale (daemon, standalone, Funnel) | — | Yes |
| WireGuard / multi-network | — | Yes |
| DERP relay co-hosting | — | Yes |
| Private PKI, mTLS | — | Yes |
| Zero-downtime upgrades | — | Yes |
| WebRTC listeners | — | Yes |
Capabilities
Every capability below is configured through the PKL file, CLI flags, or both — no code changes needed.
Reverse proxy and load balancing
Route requests to upstream pools with round-robin, least-connections, IP-hash, random, first-healthy, or cookie-based session affinity. Health checks, circuit breakers, WebSocket proxying, and header rewriting are all configurable per-route.
```pkl
handler = new ReverseProxy {
  upstreams {
    new { address = "backend-1:8080"; weight = 2 }
    new { address = "backend-2:8080"; weight = 2 }
    new { address = "backend-3:8080"; backup = true }
  }
  loadBalancing = "least_connections"
  timeout = 30.s
  preserveHost = true
  websocket = true
}
```

See the configuration guide for full ReverseProxy patterns and the serve configuration reference for the complete PKL schema.
Tailscale and WireGuard networking
Three Tailscale modes: local daemon, Tailscale Funnel, and standalone direct mode. Raw WireGuard tunnels for non-Tailscale peers. Multiple named networks can coexist — a production tailnet alongside a staging one, or a WireGuard VPN alongside a Tailscale network.
See Tailscale integration for deployment patterns and configuration.
Multi-network orchestration
Define independent network attachments in a single config. Each network has its own data plane, routing rules, and identity:
```pkl
networks {
  ["production"] {
    tailscale { direct = true; authKey = env("TS_PROD_KEY") }
    tunnel { bridgeInbound = true }
  }
  ["office-vpn"] {
    wireguard { configFile = "./wg-office.conf" }
    tunnel { bridgeOutbound = true }
  }
}
```

L4 relay and gRPC proxy
TCP-level relay for raw throughput. gRPC proxying with HTTP/2 multiplexing. Both operate alongside HTTP routing on the same listeners.
Auto-HTTPS and private PKI
ACME certificate provisioning via HTTP-01, TLS-ALPN-01, and DNS-01 challenges. Wildcard certificates via DNS-01 with Cloudflare or webhook providers. On-demand TLS for dynamic hostname provisioning. Private CA and mTLS for internal services via elide cert.
DERP relay
Co-host a DERP (Designated Encrypted Relay for Packets) relay alongside the HTTP server. The relay operates independently and shuts down gracefully on exit. Useful for self-hosted Tailscale infrastructure or air-gapped environments where public DERP relays are unreachable.
Admin API
A separate HTTP server (isolated from the main pipeline) with health/readiness probes, live configuration view, route table, middleware summary, cache statistics, and an HTMX dashboard. Configurable via --admin-port, --admin-socket, or PKL. When bound to a non-loopback address without an explicit --admin-token, a random bearer token is auto-generated and printed to stderr.
Zero-downtime upgrades
Self-re-exec with inherited file descriptors. On upgrade signal, Elide downloads the new binary via a secure update mechanism, drains in-flight connections (GOAWAY on HTTP/2, WebSocket close frames, 30-second request drain), hands off listener file descriptors via the sidecar, then re-execs with --claim-fds to take over without dropping a single connection.
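The mechanism that lets the new binary take over without refusing connections is that a bound, listening socket belongs to the kernel, not to the process: any process holding a descriptor for it can accept from it. The following is an added illustration in Python, not Elide's own code; it stands in the sidecar handoff with plain descriptor inheritance and uses a hypothetical CLAIM_FD environment variable in place of --claim-fds.

```python
import os
import socket
import subprocess
import sys

# Program run by the "new" process after it has claimed the inherited listener.
# It rebuilds a socket object from the raw descriptor number, accepts one
# connection and answers it. Constructed stand-in for a re-exec'd server;
# CLAIM_FD is a hypothetical env var standing in for --claim-fds.
NEW_PROCESS = r"""
import os, socket
fd = int(os.environ["CLAIM_FD"])
listener = socket.socket(fileno=fd)   # adopt the already-bound, listening socket
conn, _ = listener.accept()
conn.sendall(b"served by pid %d" % os.getpid())
conn.close()
listener.close()
"""

def handoff_demo():
    """Bind a listener in the 'old' process, pass it to a new process by file
    descriptor inheritance, drop the old copy, then connect as a client and
    report which process answered."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))   # port 0: kernel picks a free port
    listener.listen(16)
    port = listener.getsockname()[1]
    fd = listener.fileno()
    os.set_inheritable(fd, True)
    # pass_fds keeps the descriptor open in the child under the same number.
    new_proc = subprocess.Popen(
        [sys.executable, "-c", NEW_PROCESS],
        env={**os.environ, "CLAIM_FD": str(fd)},
        pass_fds=(fd,),
    )
    # The old process closes its copy. The socket stays bound and listening
    # because the new process still holds a descriptor for it, so a connection
    # arriving now queues in the backlog instead of being refused.
    listener.close()
    with socket.create_connection(("127.0.0.1", port), timeout=10) as client:
        reply = client.recv(64).decode()
    new_proc.wait(timeout=10)
    return reply, new_proc.pid

if __name__ == "__main__":
    print(handoff_demo())
```

The real sequence additionally drains the old process's in-flight requests before it exits; here the old process has none, so closing its descriptor immediately is safe.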
Middleware pipeline
All middleware from elide serve is available: compression, rate limiting, CORS, basic auth, Tailscale identity auth, header manipulation, path rewriting, request ID injection, access logging, and body size limits.
---
CLI reference
```bash
elide orb [OPTIONS]
```

| Flag | Default | Description |
|---|---|---|
| -c, --config | none | PKL configuration file (required). Must amend elide:serve/ElideServer.pkl. |
| --tailscale | false | Bind to the node's Tailscale IP via the local daemon. Provisions TLS cert and MagicDNS. Unix only. |
| --funnel | false | Expose to the public internet via Tailscale Funnel. Implies --tailscale. |
| --tailscale-direct | false | Standalone Tailscale node, no daemon. Requires --tailscale-auth-key. |
| --tailscale-auth-key | none | Pre-auth key for standalone mode. Also reads TAILSCALE_AUTH_KEY env var. |
| --tun | false | Create a TUN device for system-wide tunnel routing. Requires root or CAP_NET_ADMIN. |
| --auto-https | none | Enable automatic HTTPS via ACME (Let's Encrypt). |
| --domain | none | Domain(s) for ACME certificates. Comma-separated. |
| --acme-email | none | ACME contact email for expiry warnings. |
| --acme-staging | false | Use Let's Encrypt staging CA. Certificates will not be browser-trusted. |
| --dns-challenge | none | DNS-01 challenge provider: cloudflare or webhook. Required for wildcards. |
| --derp | false | Co-host a DERP relay alongside the HTTP server. |
| --derp-port | 3340 | DERP relay port. Binds 0.0.0.0. |
| --admin-port | none | Admin API TCP port. |
| --admin-host | 127.0.0.1 | Admin API bind address. |
| --admin-socket | none | Admin API Unix socket. Takes precedence over --admin-port. |
| --admin-token | none | Admin API bearer token. Auto-generated when binding non-loopback without explicit token. |
| --no-tui | false | Disable interactive TUI. Recommended for containers and log aggregation. |
| --json | false | Structured JSON output. |
Related commands
| Command | Purpose | License |
|---|---|---|
| elide orb | Full network orchestrator (this page) | Pro |
| elide fwd | Forward proxy with MITM, access control, L4 relay | Pro |
| elide tun | WireGuard tunnel, Tailscale connectivity, DERP relay | Pro |
See also
- Orb configuration guide — real-world config patterns for reverse proxy, TLS, multi-network, and admin API
- Tailscale integration — daemon mode, standalone mode, Funnel, DERP, and multi-network
- elide serve — HTTP server for static files, JS handlers, and CGI