.spin.yml Usage

The .spin.yml file is the main configuration file for using servers with Spin. It is used to configure your users, providers, servers, hardware profiles, environments, and more.

Example .spin.yml file

Here's an example of what the .spin.yml file looks like:

.spin.yml

##############################################################
# 👇 Users - You must set at least one user
##############################################################

users:
  - username: alice
    name: Alice Smith
    groups: ['sudo']
    authorized_keys:
      - public_key: "ssh-ed25519 AAAAC3NzaC1lmyfakeublickeyMVIzwQXBzxxD9b8Erd1FKVvu alice"

  - username: bob
    name: Bob Smith
    state: present
    password: "$6$mysecretsalt$qJbapG68nyRab3gxvKWPUcs2g3t0oMHSHMnSKecYNpSi3CuZm.GbBqXO8BE6EI6P1JUefhA0qvD7b5LSh./PU1"
    groups: ['sudo']
    shell: "/bin/bash"
    authorized_keys:
      - public_key: "ssh-ed25519 AAAAC3NzaC1anotherfakekeyIMVIzwQXBzxxD9b8Erd1FKVvu bob"

##############################################################
# 👇 Providers - You must set at least one provider
##############################################################

providers:
  - name: digitalocean
    api_token: Set token here OR delete this line and set environment variable DO_API_TOKEN

  - name: hetzner
    api_token: Set token here OR delete this line and set environment variable HCLOUD_TOKEN

  - name: vultr
    api_token: Set token here OR delete this line and set environment variable VULTR_API_KEY

##############################################################
# 👇 Servers - You must set at least one server
##############################################################

servers:
  - server_name: ubuntu-2gb-ash-1
    environment: production
    hardware_profile: hetzner_2c_2gb_ubuntu2404

  - server_name: ubuntu-1gb-ord-2
    environment: staging
    hardware_profile: vultr_1c_1gb_ubuntu2404

##############################################################
# 🤖 Hardware Profiles
##############################################################

hardware_profiles:
  # Hetzner
  - name: hetzner_2c_2gb_ubuntu2404
    provider: hetzner
    profile_config:
      location: ash
      server_type: cpx11
      image: ubuntu-24.04
      backups: true

  # Vultr
  - name: vultr_1c_1gb_ubuntu2404
    provider: vultr
    profile_config:
      region: ord
      plan: vc2-1c-1gb
      os: "Ubuntu 24.04 LTS x64"
      backups: true
  
  # DigitalOcean
  - name: digitalocean_1c_1gb_ubuntu2404
    provider: digitalocean
    profile_config:
      region: nyc3
      size: s-1vcpu-1gb
      image: ubuntu-24-04-x64
      backups: true

##############################################################
# 🌎 Environments
##############################################################
environments:
  - name: production
  - name: staging
  - name: development

##############################################################
# 🤓 Advanced Server Configuration
##############################################################

# Timezone and contact settings
server_timezone: "Etc/UTC"
server_contact: [email protected]

# If you the SSH port below, you may need to run `spin provision -p <your-default-ssh-port>`
# to get a connection on your first provision. Otherwise, SSH will try connecting 
# to your new port before the SSH server configuration is updated.
ssh_port: "22"

## You can set this to false to require a password for sudo.
## If you disable passwordless sudo, you must set a password for all sudo users.
## generate an encrypted hash with `spin mkpasswd`. Learn more:
## https://serversideup.net/open-source/spin/docs/command-reference/mkpasswd
use_passwordless_sudo: true

## Email Notifications
postfix_hostname: "{{ inventory_hostname }}"

## Set variables below to enable external SMTP relay
# postfix_relayhost: "smtp.example.com"
# postfix_relayhost_port: "587"
# postfix_relayhost_username: "myusername"
# postfix_relayhost_password: "mysupersecretpassword"

## Deploy user customization - You can customize the deploy user below if you'd like
# docker_user:
#   username: deploy
#   authorized_ssh_keys: 
#     - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKNJGtd7a4DBHsQi7HGrC5xz0eAEFHZ3Ogh3FEFI2345 fake@key"
#     - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFRfXxUZ8q9vHRcQZ6tLb0KwGHu8xjQHfYopZKLmnopQ anotherfake@key"

Users

You'll need to configure a user for your server. This will be the user that you use to SSH into your server.

.spin.yml Server Users

##############################################################
# 👇 Users - You must set at least one user
##############################################################

users:
  - username: alice
    name: Alice Smith
    groups: ['sudo']
    authorized_keys:
      - public_key: "ssh-ed25519 AAAAC3NzaC1lmyfakeublickeyMVIzwQXBzxxD9b8Erd1FKVvu alice"

  - username: bob
    name: Bob Smith
    state: present
    password: "$6$mysecretsalt$qJbapG68nyRab3gxvKWPUcs2g3t0oMHSHMnSKecYNpSi3CuZm.GbBqXO8BE6EI6P1JUefhA0qvD7b5LSh./PU1"
    groups: ['sudo']
    shell: "/bin/bash"
    authorized_keys:
      - public_key: "ssh-ed25519 AAAAC3NzaC1anotherfakekeyIMVIzwQXBzxxD9b8Erd1FKVvu bob"

The above configuration is creating two users: alice and bob. Both users are added to the sudo group, which allows them to use sudo to run commands with elevated privileges (such as sudo su to get a root shell).

VariableDescriptionExample
usernameThe username of the user.alice
nameThe full name of the user.Alice Smith
groupsThe groups the user belongs to. Default sudo group gives the user root capabilities. Separate multiple groups with a comma.['sudo', 'docker']
authorized_keys.public_keyThe authorized public SSH key that can connect to the server for this user.ssh-ed25519 AAA...d1FKVvu alice
passwordThe encrypted password for the user. Generate an encrypted hash with spin mkpasswd. The user will be prompted to change their password on first login. The password will only be used if use_passwordless_sudo is set to false.$6$mysecretsalt$...

Setting your SSH public key

To get your SSH public key, look for files under your ~/.ssh folder. The filename could be something like id_ed25519.pub or id_rsa.pub. Just make sure the file ends with .pub.

Once you find the file, you can get the contents of the public key by running this command:

Get SSH public key

# Change the filename if your key is named differently
cat ~/.ssh/id_ed25519.pub

You should see something that looks like this:

Example SSH public key

ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI... [email protected]

Copy the entire line (including the "ssh-ed25519" part) and paste it into your .spin.yml file as shown in the example above.

Generating a new SSH key

If you need to generate a new SSH key, see our guide on generating a secure SSH key.

Providers

The providers: section in your .spin.yml configures connections to supported cloud providers. Spin natively supports these providers:

ProviderConfiguration NameEnvironment Variable
DigitalOceandigitaloceanDO_API_TOKEN
HetznerhetznerHCLOUD_TOKEN
VultrvultrVULTR_API_KEY

Click on any provider name above for detailed configuration instructions.

Hardware Profiles

The hardware_profiles: section defines the server resources and provider for each server. Each hardware profile references a provider and specifies the server's resources.

Each hardware profile structure is slightly different depending on the provider. Click on a provider name above for detailed configuration instructions.

Servers

The servers: section defines the servers that Spin will create and manage. Each server requires a few key properties to determine its configuration.

Here's an example of configuring two servers:

.spin.yml

servers:
  - server_name: ubuntu-2gb-ash-1
    environment: production
    hardware_profile: hetzner_2c_2gb_ubuntu2404

  - server_name: ubuntu-1gb-ord-2
    environment: staging
    hardware_profile: vultr_1c_1gb_ubuntu2404
PropertyDescriptionExampleRequired
server_nameA unique, descriptive name for your server. Use alphanumeric characters and hyphens only (no spaces or special characters).web-server-1Yes
environmentThe deployment environment (production, staging, development). Must match an environment defined in your .spin.yml file.productionYes
hardware_profileReferences a hardware profile defined in your .spin.yml that specifies the server's resources and provider.hetzner_2c_2gb_ubuntu2404Only if you intend to use a provider
addressThe server's IP address or hostname. Leave blank for auto-assigned IPs - Spin will update this after provisioning.

Using existing servers? ⚠️ You must specify the IP address or hostname here.
1.2.3.4Only if you are using existing servers

Environments

Environments are managed under the environments: section in your .spin.yml file. You can define as many environments as you'd like or change the names of the environments.

The most important thing to remember is the environment property in the servers: section must match an environment defined in your .spin.yml file.

You can also set the backups property to true or false to enable or disable backups for the environment. If the backups property is set on a server, it will override the environment setting.

Example environments configuration in .spin.yml

##############################################################
# 🌎 Environments
##############################################################
environments:
  - name: production
  - name: staging
  - name: development
    backups: false

Advanced Server Configuration

We also give you a few other options to configure your servers that will configure the behavior for the Spin Ansible Collection.

.spin.yml Advanced Server Configuration

##############################################################
# 🤓 Advanced Server Configuration
##############################################################

# Timezone and contact settings
server_timezone: "Etc/UTC"
server_contact: [email protected]

# If you the SSH port below, you may need to run `spin provision -p <your-default-ssh-port>`
# to get a connection on your first provision. Otherwise, SSH will try connecting 
# to your new port before the SSH server configuration is updated.
ssh_port: "22"

## You can set this to false to require a password for sudo.
## If you disable passwordless sudo, you must set a password for all sudo users.
## generate an encrypted hash with `spin mkpasswd`. Learn more:
## https://serversideup.net/open-source/spin/docs/command-reference/mkpasswd
use_passwordless_sudo: true

## Email Notifications
postfix_hostname: "{{ inventory_hostname }}"

## Set variables below to enable external SMTP relay
# postfix_relayhost: "smtp.example.com"
# postfix_relayhost_port: "587"
# postfix_relayhost_username: "myusername"
# postfix_relayhost_password: "mysupersecretpassword"

## Deploy user customization - You can customize the deploy user below if you'd like
# docker_user:
#   username: deploy
#   authorized_ssh_keys: 
#     - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKNJGtd7a4DBHsQi7HGrC5xz0eAEFHZ3Ogh3FEFI2345 fake@key"
#     - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFRfXxUZ8q9vHRcQZ6tLb0KwGHu8xjQHfYopZKLmnopQ anotherfake@key"

Encrypting your .spin.yml file

It is possible that if you want to encrypt your .spin.yml file for security reasons, you can use the spin vault command which will use Ansible Vault to securely encrypt your file.

If you do choose to encrypt your .spin.yml file, just be sure to add the .vault-password file so Ansible can securely decrypt it when it runs.

Learn more about "spin vault" →