Skip to content

~/.dstack/server/config.yml

The ~/.dstack/server/config.yml file is used to configure backends and other sever-level settings.

Root reference

projects - The list of projects.
encryption - (Optional) The encryption config.
default_permissions - (Optional) The default user permissions.

projects[n]

name - The name of the project.
backends - (Optional) The list of backends.

projects[n].backends

projects[n].backends[type=aws]
type - The type of the backend. Must be aws.
regions - (Optional) The list of AWS regions. Omit to use all regions.
vpc_name - (Optional) The name of custom VPCs. All configured regions must have a VPC with this name. If your custom VPCs don't have names or have different names in different regions, use vpc_ids instead..
vpc_ids - (Optional) The mapping from AWS regions to VPC IDs. If default_vpcs: true, omitted regions will use default VPCs.
default_vpcs - (Optional) A flag to enable/disable using default VPCs in regions not configured by vpc_ids. Set to false if default VPCs should never be used. Defaults to true.
public_ips - (Optional) A flag to enable/disable public IP assigning on instances. public_ips: false requires at least one private subnet with outbound internet connectivity provided by a NAT Gateway or a Transit Gateway. Defaults to true.
iam_instance_profile - (Optional) The name of the IAM instance profile to associate with EC2 instances. You can also specify the IAM role name for roles created via the AWS console. AWS automatically creates an instance profile and gives it the same name as the role.
tags - (Optional) The tags that will be assigned to resources created by dstack.
os_images - (Optional) The mapping of instance categories (CPU, NVIDIA GPU) to AMI configurations.
creds - The credentials.
projects[n].backends[type=aws].creds
type - The type of credentials. Must be access_key.
access_key - The access key.
secret_key - The secret key.
type - The type of credentials. Must be default.
projects[n].backends[type=aws].os_images
cpu - (Optional) The AMI used for CPU instances.
nvidia - (Optional) The AMI used for NVIDIA GPU instances.
projects[n].backends[type=aws].os_images.cpu
name - The AMI name.
owner - (Optional) The AMI owner, account ID or self. Defaults to self.
user - The OS user for provisioning.
projects[n].backends[type=aws].os_images.nvidia
name - The AMI name.
owner - (Optional) The AMI owner, account ID or self. Defaults to self.
user - The OS user for provisioning.
projects[n].backends[type=azure]
type - The type of the backend. Must be azure.
tenant_id - The tenant ID.
subscription_id - The subscription ID.
resource_group - (Optional) The resource group for resources created by dstack. If not specified, dstack will create a new resource group.
regions - (Optional) The list of Azure regions (locations). Omit to use all regions.
vpc_ids - (Optional) The mapping from configured Azure locations to network IDs. A network ID must have a format networkResourceGroup/networkName If not specified, dstack will create a new network for every configured region.
public_ips - (Optional) A flag to enable/disable public IP assigning on instances. public_ips: false requires vpc_ids that specifies custom networks with outbound internet connectivity provided by NAT Gateway or other mechanism. Defaults to true.
tags - (Optional) The tags that will be assigned to resources created by dstack.
creds - The credentials.
projects[n].backends[type=azure].creds
type - The type of credentials. Must be client.
client_id - The client ID.
client_secret - The client secret.
type - The type of credentials. Must be default.
projects[n].backends[type=gcp]
type - The type of backend. Must be gcp.
project_id - The project ID.
regions - (Optional) The list of GCP regions. Omit to use all regions.
vpc_name - (Optional) The name of a custom VPC.
vpc_project_id - (Optional) The shared VPC hosted project ID. Required for shared VPC only.
public_ips - (Optional) A flag to enable/disable public IP assigning on instances. Defaults to true.
nat_check - (Optional) A flag to enable/disable a check that Cloud NAT is configured for the VPC. This should be set to false when public_ips: false and outbound internet connectivity is provided by a mechanism other than Cloud NAT such as a third-party NAT appliance. Defaults to true.
vm_service_account - (Optional) The service account to associate with provisioned VMs.
tags - (Optional) The tags (labels) that will be assigned to resources created by dstack.
creds - The credentials.
projects[n].backends[type=gcp].creds
type - The type of credentials. Must be service_account.
filename - The path to the service account file.
data - (Optional) The contents of the service account file. When configuring via server/config.yml, it's automatically filled from filename. When configuring via UI, it has to be specified explicitly.
Specifying data

To specify service account file contents as a string, use jq:

cat my-service-account-file.json | jq -c | jq -R
projects[n].backends[type=lambda]
type - The type of backend. Must be lambda.
regions - (Optional) The list of Lambda regions. Omit to use all regions.
creds - The credentials.
projects[n].backends[type=lambda].creds
type - The type of credentials. Must be api_key.
api_key - The API key.
projects[n].backends[type=nebius]
type - The type of backend. Must be nebius.
regions - (Optional) The list of Nebius regions. Omit to use all regions.
creds - The credentials.
projects[n].backends[type=nebius].creds
type - The type of credentials. Must be service_account.
service_account_id - Service account ID.
public_key_id - ID of the service account public key.
private_key_file - (Optional) Path to the service account private key.
private_key_content - (Optional) Content of the service account private key. When configuring via server/config.yml, it's automatically filled from private_key_file. When configuring via UI, it has to be specified explicitly..
projects[n].backends[type=runpod]
regions - (Optional) The list of RunPod regions. Omit to use all regions.
community_cloud - (Optional) Whether Community Cloud offers can be suggested in addition to Secure Cloud. Defaults to true.
creds - The credentials.
projects[n].backends[type=runpod].creds
api_key - The API key.
projects[n].backends[type=vastai]
type - The type of backend. Must be vastai.
regions - (Optional) The list of VastAI regions. Omit to use all regions.
creds - The credentials.
projects[n].backends[type=vastai].creds
type - The type of credentials. Must be api_key.
api_key - The API key.
projects[n].backends[type=tensordock]
type - The type of backend. Must be tensordock.
regions - (Optional) The list of TensorDock regions. Omit to use all regions.
creds - The credentials.
projects[n].backends[type=tensordock].creds
type - The type of credentials. Must be api_key.
api_key - The API key.
api_token - The API token.
projects[n].backends[type=oci]
type - The type of backend. Must be oci.
regions - (Optional) The list of OCI regions. Omit to use all regions.
compartment_id - (Optional) Compartment where dstack will create all resources. Omit to instruct dstack to create a new compartment.
creds - The credentials.
projects[n].backends[type=oci].creds
type - The type of credentials. Must be client.
user - User OCID.
tenancy - Tenancy OCID.
key_file - (Optional) Path to the user's private PEM key. Either this or key_content should be set.
key_content - (Optional) Content of the user's private PEM key. Either this or key_file should be set.
pass_phrase - (Optional) Passphrase for the private PEM key if it is encrypted.
fingerprint - User's public key fingerprint.
region - Name or key of any region the tenancy is subscribed to.
type - The type of credentials. Must be default.
file - (Optional) Path to the OCI CLI-compatible config file. Defaults to ~/.oci/config.
profile - (Optional) Profile to load from the config file. Defaults to DEFAULT.
projects[n].backends[type=cudo]
type - The type of backend. Must be cudo.
regions - (Optional) The list of Cudo regions. Omit to use all regions.
project_id - The project ID.
creds - The credentials.
projects[n].backends[type=cudo].creds
type - The type of credentials. Must be api_key.
api_key - The API key.
projects[n].backends[type=datacrunch]
type - The type of backend. Must be datacrunch.
regions - (Optional) The list of DataCrunch regions. Omit to use all regions.
creds - The credentials.
projects[n].backends[type=datacrunch].creds
type - The type of credentials. Must be api_key.
client_id - The client ID.
client_secret - The client secret.
projects[n].backends[type=kubernetes]
type - The type of backend. Must be kubernetes.
networking - (Optional) The networking configuration.
kubeconfig - The kubeconfig configuration.
projects[n].backends[type=kubernetes].kubeconfig
filename - The path to the kubeconfig file.
data - (Optional) The contents of the kubeconfig file. When configuring via server/config.yml, it's automatically filled from filename. When configuring via UI, it has to be specified explicitly.
Specifying data

To specify service account file contents as a string, use jq:

cat my-service-account-file.json | jq -c | jq -R
projects[n].backends[type=kubernetes].networking
ssh_host - (Optional) The external IP address of any node.
ssh_port - (Optional) Any port accessible outside of the cluster.
projects[n].backends[type=vultr]
type - The type of backend. Must be vultr.
regions - (Optional) The list of Vultr regions. Omit to use all regions.
creds - The credentials.
projects[n].backends[type=vultr].creds
type - The type of credentials. Must be api_key.
api_key - The API key.

encryption

keys - The encryption keys.

encryption.keys

encryption.keys[n][type=identity]
type - The type of the key. Must be identity.
encryption.keys[n][type=aes]
type - The type of the key. Must be aes.
name - The key name for key identification.
secret - Base64-encoded AES-256 key.

default_permissions

allow_non_admins_create_projects - (Optional) This flag controls whether regular users (non-global admins) can create and manage their own projects. Defaults to True.
allow_non_admins_manage_ssh_fleets - (Optional) This flag controls whether regular project members (i.e. Users) can add and delete SSH fleets. Defaults to True.