Bootstrap

Initial setup shown the first time Stalwart starts. Configures the server’s identity, storage, user accounts, logging, and DNS management.

Fields

`serverHostname`

Type: String · required

The public hostname this server answers to, for example mail.example.com. Used in SMTP greetings, outgoing message headers, and TLS certificate requests.

`defaultDomain`

Type: String · required

The primary email domain this installation will serve, for example example.com. Additional domains can be added at any time after setup.

`requestTlsCertificate`

Type: Boolean · default: true

Automatically obtain a free TLS certificate for the server hostname from Let’s Encrypt using the ACME protocol, so clients can connect securely out of the box. Turn this off if you plan to install a certificate manually.

`generateDkimKeys`

Type: Boolean · default: true

Generate DKIM signing keys for the default domain. DKIM cryptographically signs outgoing mail and significantly improves the chances that messages reach the recipient’s inbox instead of spam. Turn this off only if you plan to manage DKIM keys yourself.

`dataStore`

Type: DataStore · default: {"@type":"RocksDb","path":"/var/lib/stalwart/"}

Where structured data is kept: email metadata, calendars, contacts, mailbox state, and server settings. RocksDB is recommended for single-node installations; PostgreSQL, MySQL, SQLite, and FoundationDB are also supported.

`blobStore`

Type: BlobStore · default: {"@type":"Default"}

Where the raw content of email messages, attachments, and other large files is stored. Leave as default to reuse the data store, or point to an object storage service such as S3 for larger deployments.

`searchStore`

Type: SearchStore · default: {"@type":"Default"}

Where the full-text search index is kept, so users can search across message bodies and attachments. Leave as default to reuse the data store, or point to a dedicated search backend for larger deployments.

`inMemoryStore`

Type: InMemoryStore · default: {"@type":"Default"}

Where short-lived data lives: session caches, rate-limit counters, and temporary tokens. Leave as default to reuse the data store, or point to Redis for faster lookups and multi-node deployments.

`directory`

Type: DirectoryBootstrap · default: {"@type":"Internal"}

Where user accounts and credentials come from. The internal directory is recommended for ease of setup and management through the WebUI, but external OIDC or LDAP directories can be used for single sign-on and user provisioning in larger organizations.

`tracer`

Type: Tracer · default: {"@type":"Log","path":"/var/log/stalwart/"}

Where the server writes log messages, traces, and diagnostic events. Defaults to log files on disk; remote destinations such as OpenTelemetry or webhooks can be added after setup.

`dnsServer`

Type: DnsServerBootstrap · default: {"@type":"Manual"}

Optionally automate the DNS records your mail server needs (SPF, DKIM, DMARC, and more) by connecting to your DNS provider’s API. Leave as manual unless your DNS is hosted by a supported provider; this can always be enabled later.

JMAP API

The Bootstrap singleton is available via the urn:stalwart:jmap capability.

`x:Bootstrap/get`

This is a standard Foo/get method as defined in RFC 8620, Section 5.1.

For singletons, the ids argument should be the literal singleton (or null to return the single instance).

This method requires the sysBootstrapGet permission.

curl -X POST https://mail.example.com/api \
  -H 'Authorization: Bearer $TOKEN' \
  -H 'Content-Type: application/json' \
  -d '{
      "methodCalls": [
        [
          "x:Bootstrap/get",
          {
            "ids": [
              "singleton"
            ]
          },
          "c1"
        ]
      ],
      "using": [
        "urn:ietf:params:jmap:core",
        "urn:stalwart:jmap"
      ]
    }'

`x:Bootstrap/set`

This is a standard Foo/set method as defined in RFC 8620, Section 5.3.

For singletons, only the update argument with id singleton is accepted; create and destroy arguments are rejected.

This method requires the sysBootstrapUpdate permission.

curl -X POST https://mail.example.com/api \
  -H 'Authorization: Bearer $TOKEN' \
  -H 'Content-Type: application/json' \
  -d '{
      "methodCalls": [
        [
          "x:Bootstrap/set",
          {
            "update": {
              "singleton": {
                "serverHostname": "updated value"
              }
            }
          },
          "c1"
        ]
      ],
      "using": [
        "urn:ietf:params:jmap:core",
        "urn:stalwart:jmap"
      ]
    }'

CLI

stalwart-cli wraps the same JMAP calls. See the CLI reference for installation, authentication, and general usage.

Fetch

stalwart-cli get Bootstrap

Update

stalwart-cli update Bootstrap --field serverHostname='updated value'

Nested types

DirectoryBootstrap

External directory service configuration for user authentication and lookup.

Internal: Use the internal directory. No additional fields.
Ldap: LDAP Directory. Carries the fields of LdapDirectory.
Sql: SQL Database. Carries the fields of SqlDirectory.
Oidc: OpenID Connect. Carries the fields of OidcDirectory.

LdapDirectory

LDAP directory connection and mapping settings.

`description`

Type: String · required

Short description of this directory

`url`

Type: Uri · default: "ldap://localhost:389"

URL of the LDAP server

`timeout`

Type: Duration · default: "30s"

Connection timeout to the server

`allowInvalidCerts`

Type: Boolean · default: false

Allow invalid TLS certificates when connecting to the server

`useTls`

Type: Boolean · default: false

Use TLS to connect to the remote server

`baseDn`

Type: String · required

The base distinguished name (DN) from where searches should begin

`bindDn`

Type: String?

The distinguished name of the account that the server will bind as to connect to the LDAP directory

`bindSecret`

Type: SecretKeyOptional · required

The password or secret for the bind DN account

`bindAuthentication`

Type: Boolean · default: true

Whether to use bind authentication. When enabled, the server will use the filterLogin to search for the user account and then attempt to bind as that account using the provided password. When disabled, the server will use the bind DN and secret to connect to the LDAP server and obtain the secret from the account entry using the attrSecret attribute.

`filterLogin`

Type: String · default: "(&(objectClass=inetOrgPerson)(mail=?))"

Searches for user accounts by e-mail address during authentication

`filterMailbox`

Type: String · default: "(|(&(objectClass=inetOrgPerson)(|(mail=?)(mailAlias=?)))(&(objectClass=groupOfNames)(|(mail=?)(mailAlias=?))))"

Searches for users or groups matching a recipient e-mail address or alias

`filterMemberOf`

Type: String? · default: "(&(objectClass=groupOfNames)(member=?))"

Searches for groups that an account is member of. Use when the group membership is not provided in the account entry. The ? in the filter will be replaced with the account DN.

`attrClass`

Type: String[] · default: ["objectClass"]

LDAP attribute for the user’s account type, if missing defaults to individual.

`attrDescription`

Type: String[] · default: ["description"]

LDAP attributes used to store the user’s description

`attrEmail`

Type: String[] · default: ["mail"]

LDAP attribute for the user’s primary email address

`attrEmailAlias`

Type: String[] · default: ["mailAlias"]

LDAP attribute for the user’s email alias(es)

`attrMemberOf`

Type: String[] · default: ["memberOf"]

LDAP attributes for the groups that a user belongs to. Used when filterMemberOf is not configured or when the group membership is also provided in the account entry.

`attrSecret`

Type: String[] · default: ["userPassword"]

LDAP attribute for the user’s password hash. This setting is required when binding as a service user. When using bind authentication, configure the secret-changed attribute instead.

`attrSecretChanged`

Type: String[] · default: ["pwdChangeTime"]

LDAP attribute that provides a password change hash or a timestamp indicating when the password was last changed. When using bind authentication, this attribute is used to determine when to invalidate OAuth tokens.

`groupClass`

Type: String · default: "groupOfNames"

LDAP object class used to identify group entries

`poolMaxConnections`

Type: UnsignedInt · default: 10 · max: 8192

Maximum number of connections that can be maintained simultaneously in the connection pool

`poolTimeoutCreate`

Type: Duration · default: "30s"

Maximum amount of time that the connection pool will wait for a new connection to be created

`poolTimeoutRecycle`

Type: Duration · default: "30s"

Maximum amount of time that the connection pool manager will wait for a connection to be recycled

`poolTimeoutWait`

Type: Duration · default: "30s"

Maximum amount of time that the connection pool will wait for a connection to become available

`memberTenantId`

Type: Id<Tenant>? · enterprise

Identifier for the tenant this directory belongs to

SecretKeyOptional

An optional secret value, or none.

None: No secret. No additional fields.
Value: Secret value. Carries the fields of SecretKeyValue.
EnvironmentVariable: Secret read from environment variable. Carries the fields of SecretKeyEnvironmentVariable.
File: Secret read from file. Carries the fields of SecretKeyFile.

SecretKeyValue

A secret value provided directly.

`secret`

Type: String · required · secret

Password or secret value

SecretKeyEnvironmentVariable

A secret value read from an environment variable.

`variableName`

Type: String · required

Environment variable name to read the secret from

SecretKeyFile

A secret value read from a file.

`filePath`

Type: String · required

File path to read the secret from

SqlDirectory

SQL database directory settings.

`description`

Type: String · required

Short description of this directory

`store`

Type: SqlAuthStore · required

Storage backend where accounts and groups are stored

`columnEmail`

Type: String · default: "name"

Column name for e-mail address. Optional, you can use instead a query to obtain the account’s addresses.

`columnSecret`

Type: String · default: "secret"

Column name for the account password.

`columnClass`

Type: String? · default: "type"

Column name for account type

`columnDescription`

Type: String? · default: "description"

Column name for account full name or description

`queryLogin`

Type: String · default: "SELECT name, secret, description, type FROM accounts WHERE name = $1"

Query to obtain the account details by login e-mail address.

`queryRecipient`

Type: String · default: "SELECT name, secret, description, type FROM accounts WHERE name = $1 AND active = true"

Query to obtain the account details by recipient e-mail address or alias.

`queryMemberOf`

Type: String? · default: "SELECT member_of FROM group_members WHERE name = $1"

Query to obtain the groups an account is member of.

`queryEmailAliases`

Type: String? · default: "SELECT address FROM emails WHERE name = $1"

Query to obtain the e-mail aliases of an account.

`memberTenantId`

Type: Id<Tenant>? · enterprise

Identifier for the tenant this directory belongs to

SqlAuthStore

Defines the SQL database used to store account and group information for SQL directories.

Default: Use data store (SQL only). No additional fields.
PostgreSql: PostgreSQL. Carries the fields of PostgreSqlStore.
MySql: mySQL. Carries the fields of MySqlStore.
Sqlite: SQLite. Carries the fields of SqliteStore.

PostgreSqlStore

PostgreSQL data store.

`timeout`

Type: Duration? · default: "15s"

Connection timeout to the database

`useTls`

Type: Boolean · default: false

Use TLS to connect to the store

`allowInvalidCerts`

Type: Boolean · default: false

Allow invalid TLS certificates when connecting to the store

`poolMaxConnections`

Type: UnsignedInt? · default: 10 · max: 8192 · min: 1

Maximum number of connections to the store

`poolRecyclingMethod`

Type: PostgreSqlRecyclingMethod · default: "fast"

Method to use when recycling connections in the pool

`readReplicas`

Type: PostgreSqlSettings[] · enterprise

List of read replicas for the store

`host`

Type: String · required

Hostname of the database server

`port`

Type: UnsignedInt · default: 5432 · max: 65535 · min: 1

Port of the database server

`database`

Type: String · default: "stalwart"

Name of the database

`authUsername`

Type: String? · default: "stalwart"

Username to connect to the store

`authSecret`

Type: SecretKeyOptional · required

Password to connect to the store

`options`

Type: String?

Additional connection options

PostgreSqlSettings

PostgreSQL connection settings.

`host`

Type: String · required

Hostname of the database server

`port`

Type: UnsignedInt · default: 5432 · max: 65535 · min: 1

Port of the database server

`database`

Type: String · default: "stalwart"

Name of the database

`authUsername`

Type: String? · default: "stalwart"

Username to connect to the store

`authSecret`

Type: SecretKeyOptional · required

Password to connect to the store

`options`

Type: String?

Additional connection options

MySqlStore

MySQL data store.

`timeout`

Type: Duration? · default: "15s"

Connection timeout to the database

`useTls`

Type: Boolean · default: false

Use TLS to connect to the store

`allowInvalidCerts`

Type: Boolean · default: false

Allow invalid TLS certificates when connecting to the store

`maxAllowedPacket`

Type: UnsignedInt? · max: 1073741824 · min: 1024

Maximum size of a packet in bytes

`poolMaxConnections`

Type: UnsignedInt? · default: 10 · max: 8192 · min: 1

Maximum number of connections to the store

`poolMinConnections`

Type: UnsignedInt? · default: 5 · max: 8192 · min: 1

Minimum number of connections to the store

`readReplicas`

Type: MySqlSettings[] · enterprise

List of read replicas for the store

`host`

Type: String · required

Hostname of the database server

`port`

Type: UnsignedInt · default: 3306 · max: 65535 · min: 1

Port of the database server

`database`

Type: String · default: "stalwart"

Name of the database

`authUsername`

Type: String? · default: "stalwart"

Username to connect to the store

`authSecret`

Type: SecretKeyOptional · required

Password to connect to the store

MySqlSettings

MySQL connection settings.

`host`

Type: String · required

Hostname of the database server

`port`

Type: UnsignedInt · default: 3306 · max: 65535 · min: 1

Port of the database server

`database`

Type: String · default: "stalwart"

Name of the database

`authUsername`

Type: String? · default: "stalwart"

Username to connect to the store

`authSecret`

Type: SecretKeyOptional · required

Password to connect to the store

SqliteStore

SQLite embedded data store.

`path`

Type: String · required

Path to the SQLite data directory

`poolWorkers`

Type: UnsignedInt? · max: 64 · min: 1

Number of worker threads to use for the store, defaults to the number of cores

`poolMaxConnections`

Type: UnsignedInt · default: 10 · max: 8192 · min: 1

Maximum number of connections to the store

OidcDirectory

OpenID Connect directory settings.

`description`

Type: String · required

Short description of this directory

`issuerUrl`

Type: Uri · required

The base URL of the OpenID Connect provider (e.g. https://sso.example.com/realms/myrealm). Stalwart will use this URL to automatically discover the provider’s endpoints, including the token validation and user info endpoints.

`requireAudience`

Type: String? · default: "stalwart"

If set, Stalwart will reject any token whose aud (audience) claim does not include this value. Set this to the client ID or resource identifier registered for Stalwart in your identity provider to ensure tokens issued for other applications are not accepted.

`requireScopes`

Type: String[] · default: ["openid","email"]

If set, Stalwart will reject any token that does not include all of the specified scopes. Useful for ensuring that only tokens explicitly granted access to the mail server are accepted.

`claimUsername`

Type: String · default: "preferred_username"

The claim name used to retrieve the user’s login name from the token or user info response. Common values are preferred_username, email, or sub depending on your provider’s configuration. If the claim value is not an email address and usernameDomain is set, the domain will be appended automatically (e.g. john becomes [email protected]). If the claim value already contains an @, it is used as-is. If the claim value is not an email address and no usernameDomain is configured, Stalwart will fall back to the email claim. If neither yields a valid email address, authentication will be rejected.

`usernameDomain`

Type: String?

The domain name to append to the username when the value of claimUsername does not contain an @ symbol (e.g. setting this to example.com will turn john into [email protected]). If not set, Stalwart will fall back to the email claim when the username claim does not contain a valid email address.

`claimName`

Type: String? · default: "name"

The claim name used to retrieve the user’s display name from the token or user info response. Common values are name or display_name. If not set, the display name will not be populated.

`claimGroups`

Type: String?

The claim name used to retrieve the user’s group memberships from the token or user info response. Common values are groups or roles depending on your provider’s configuration. If not set, group information will not be populated. Note that some providers omit group claims from the token to keep its size small and only return them via the user info endpoint, if group information is missing, ensure your provider is configured to include it.

`memberTenantId`

Type: Id<Tenant>? · enterprise

Identifier for the tenant this directory belongs to

DnsServerBootstrap

Automatic DNS server management.

Manual: Manual DNS server management. No additional fields.
Tsig: RFC2136 (TSIG). Carries the fields of DnsServerTsig.
Sig0: RFC2136 (SIG0). Carries the fields of DnsServerSig0.
Cloudflare: Cloudflare. Carries the fields of DnsServerCloudflare.
DigitalOcean: DigitalOcean. Carries the fields of DnsServerCloud.
DeSEC: DeSEC. Carries the fields of DnsServerCloud.
Ovh: OVH. Carries the fields of DnsServerOvh.
Bunny: BunnyDNS. Carries the fields of DnsServerCloud.
Porkbun: Porkbun. Carries the fields of DnsServerPorkbun.
Dnsimple: DNSimple. Carries the fields of DnsServerDnsimple.
Spaceship: Spaceship. Carries the fields of DnsServerSpaceship.
Route53: AWS Route53. Carries the fields of DnsServerRoute53.
GoogleCloudDns: Google Cloud DNS. Carries the fields of DnsServerGoogleCloudDns.

DnsServerTsig

RFC2136 TSIG DNS server.

`host`

Type: IpAddr · required

The IP address of the DNS server

`port`

Type: UnsignedInt · default: 53 · max: 65535 · min: 1

The port used to communicate with the DNS server

`keyName`

Type: String · required

The key used to authenticate with the DNS server

`key`

Type: SecretKey · required

The secret or token used to authenticate with the DNS server

`protocol`

Type: IpProtocol · default: "udp"

The protocol used to communicate with the DNS server

`tsigAlgorithm`

Type: TsigAlgorithm · default: "hmac-sha512"

The TSIG algorithm used to authenticate with the DNS server

`description`

Type: String · required

Short description of this DNS server

`memberTenantId`

Type: Id<Tenant>?

Identifier for the tenant this DNS server belongs to

`timeout`

Type: Duration · default: "30s"

Request timeout for the DNS server

`ttl`

Type: Duration · default: "5m"

The TTL for new DNS record

`pollingInterval`

Type: Duration · default: "15s"

How often to check for DNS records to propagate

`propagationTimeout`

Type: Duration · default: "1m"

How long to wait for DNS records to propagate

`propagationDelay`

Type: Duration?

Initial delay before first propagation check (useful for slow providers)

SecretKey

A secret value provided directly, from an environment variable, or from a file.

Value: Secret value. Carries the fields of SecretKeyValue.
EnvironmentVariable: Secret read from environment variable. Carries the fields of SecretKeyEnvironmentVariable.
File: Secret read from file. Carries the fields of SecretKeyFile.

DnsServerSig0

RFC2136 SIG0 DNS server.

`host`

Type: IpAddr · required

The IP address of the DNS server

`port`

Type: UnsignedInt · default: 53 · max: 65535 · min: 1

The port used to communicate with the DNS server

`publicKey`

Type: String · required

The public key used to authenticate with the DNS server

`key`

Type: SecretText · required

The secret or token used to authenticate with the DNS server

`signerName`

Type: String · required

The signer name used in the SIG0 records

`protocol`

Type: IpProtocol · default: "udp"

The protocol used to communicate with the DNS server

`sig0Algorithm`

Type: Sig0Algorithm · default: "ed25519"

The SIG0 algorithm used to authenticate with the DNS server

`description`

Type: String · required

Short description of this DNS server

`memberTenantId`

Type: Id<Tenant>?

Identifier for the tenant this DNS server belongs to

`timeout`

Type: Duration · default: "30s"

Request timeout for the DNS server

`ttl`

Type: Duration · default: "5m"

The TTL for new DNS record

`pollingInterval`

Type: Duration · default: "15s"

How often to check for DNS records to propagate

`propagationTimeout`

Type: Duration · default: "1m"

How long to wait for DNS records to propagate

`propagationDelay`

Type: Duration?

Initial delay before first propagation check (useful for slow providers)

SecretText

A secret text value provided directly, from an environment variable, or from a file.

Text: Secret value. Carries the fields of SecretTextValue.
EnvironmentVariable: Secret read from environment variable. Carries the fields of SecretKeyEnvironmentVariable.
File: Secret read from file. Carries the fields of SecretKeyFile.

SecretTextValue

A secret text value provided directly.

`secret`

Type: Text · required · secret

Password or secret value

DnsServerCloudflare

Cloudflare DNS server.

`email`

Type: String?

Optional account email to authenticate with Cloudflare

`secret`

Type: SecretKey · required

The secret or token used to authenticate with the DNS server

`description`

Type: String · required

Short description of this DNS server

`memberTenantId`

Type: Id<Tenant>?

Identifier for the tenant this DNS server belongs to

`timeout`

Type: Duration · default: "30s"

Request timeout for the DNS server

`ttl`

Type: Duration · default: "5m"

The TTL for new DNS record

`pollingInterval`

Type: Duration · default: "15s"

How often to check for DNS records to propagate

`propagationTimeout`

Type: Duration · default: "1m"

How long to wait for DNS records to propagate

`propagationDelay`

Type: Duration?

Initial delay before first propagation check (useful for slow providers)

DnsServerCloud

Cloud DNS server with token authentication.

`secret`

Type: SecretKey · required

The secret or token used to authenticate with the DNS server

`description`

Type: String · required

Short description of this DNS server

`memberTenantId`

Type: Id<Tenant>?

Identifier for the tenant this DNS server belongs to

`timeout`

Type: Duration · default: "30s"

Request timeout for the DNS server

`ttl`

Type: Duration · default: "5m"

The TTL for new DNS record

`pollingInterval`

Type: Duration · default: "15s"

How often to check for DNS records to propagate

`propagationTimeout`

Type: Duration · default: "1m"

How long to wait for DNS records to propagate

`propagationDelay`

Type: Duration?

Initial delay before first propagation check (useful for slow providers)

DnsServerOvh

OVH DNS server.

`applicationKey`

Type: String · required

The application key used to authenticate with the OVH DNS server

`applicationSecret`

Type: SecretKey · required

The application secret used to authenticate with the OVH DNS server

`consumerKey`

Type: SecretKey · required

The consumer key used to authenticate with the OVH DNS server

`ovhEndpoint`

Type: OvhEndpoint · default: "ovh-eu"

Which OVH endpoint to use

`description`

Type: String · required

Short description of this DNS server

`memberTenantId`

Type: Id<Tenant>?

Identifier for the tenant this DNS server belongs to

`timeout`

Type: Duration · default: "30s"

Request timeout for the DNS server

`ttl`

Type: Duration · default: "5m"

The TTL for new DNS record

`pollingInterval`

Type: Duration · default: "15s"

How often to check for DNS records to propagate

`propagationTimeout`

Type: Duration · default: "1m"

How long to wait for DNS records to propagate

`propagationDelay`

Type: Duration?

Initial delay before first propagation check (useful for slow providers)

DnsServerPorkbun

Porkbun DNS server.

`apiKey`

Type: String · required

The API key used to authenticate with Porkbun

`secretApiKey`

Type: SecretKey · required

The secret API key used to authenticate with Porkbun

`secret`

Type: SecretKey · required

The secret or token used to authenticate with the DNS server

`description`

Type: String · required

Short description of this DNS server

`memberTenantId`

Type: Id<Tenant>?

Identifier for the tenant this DNS server belongs to

`timeout`

Type: Duration · default: "30s"

Request timeout for the DNS server

`ttl`

Type: Duration · default: "5m"

The TTL for new DNS record

`pollingInterval`

Type: Duration · default: "15s"

How often to check for DNS records to propagate

`propagationTimeout`

Type: Duration · default: "1m"

How long to wait for DNS records to propagate

`propagationDelay`

Type: Duration?

Initial delay before first propagation check (useful for slow providers)

DnsServerDnsimple

DNSimple DNS server.

`authToken`

Type: SecretKey · required

The authentication token used to authenticate with DNSimple

`accountIdentifier`

Type: String · required

The account ID used to authenticate with DNSimple

`secret`

Type: SecretKey · required

The secret or token used to authenticate with the DNS server

`description`

Type: String · required

Short description of this DNS server

`memberTenantId`

Type: Id<Tenant>?

Identifier for the tenant this DNS server belongs to

`timeout`

Type: Duration · default: "30s"

Request timeout for the DNS server

`ttl`

Type: Duration · default: "5m"

The TTL for new DNS record

`pollingInterval`

Type: Duration · default: "15s"

How often to check for DNS records to propagate

`propagationTimeout`

Type: Duration · default: "1m"

How long to wait for DNS records to propagate

`propagationDelay`

Type: Duration?

Initial delay before first propagation check (useful for slow providers)

DnsServerSpaceship

Spaceship DNS server.

`apiKey`

Type: String · required

The API key used to authenticate with Spaceship

`secret`

Type: SecretKey · required

The secret or token used to authenticate with the DNS server

`description`

Type: String · required

Short description of this DNS server

`memberTenantId`

Type: Id<Tenant>?

Identifier for the tenant this DNS server belongs to

`timeout`

Type: Duration · default: "30s"

Request timeout for the DNS server

`ttl`

Type: Duration · default: "5m"

The TTL for new DNS record

`pollingInterval`

Type: Duration · default: "15s"

How often to check for DNS records to propagate

`propagationTimeout`

Type: Duration · default: "1m"

How long to wait for DNS records to propagate

`propagationDelay`

Type: Duration?

Initial delay before first propagation check (useful for slow providers)

DnsServerRoute53

AWS Route53 DNS server.

`accessKeyId`

Type: String · required

The AWS access key ID

`secretAccessKey`

Type: SecretKey · required

The AWS secret access key

`sessionToken`

Type: SecretKeyOptional · required

Optional session token for temporary AWS credentials

`region`

Type: String · default: "us-east-1"

The AWS region

`hostedZoneId`

Type: String?

Hosted zone ID to use (resolved automatically by name if not set)

`privateZoneOnly`

Type: Boolean · default: false

Whether to restrict zone resolution to private zones only

`description`

Type: String · required

Short description of this DNS server

`memberTenantId`

Type: Id<Tenant>?

Identifier for the tenant this DNS server belongs to

`timeout`

Type: Duration · default: "30s"

Request timeout for the DNS server

`ttl`

Type: Duration · default: "5m"

The TTL for new DNS record

`pollingInterval`

Type: Duration · default: "15s"

How often to check for DNS records to propagate

`propagationTimeout`

Type: Duration · default: "1m"

How long to wait for DNS records to propagate

`propagationDelay`

Type: Duration?

Initial delay before first propagation check (useful for slow providers)

DnsServerGoogleCloudDns

Google Cloud DNS server.

`serviceAccountJson`

Type: SecretText · required

Service account JSON credentials used to authenticate with Google Cloud

`projectId`

Type: String · required

The Google Cloud project ID that owns the managed zone

`managedZone`

Type: String?

Managed zone name (resolved automatically by longest suffix match if not set)

`privateZone`

Type: Boolean · default: false

Whether to restrict zone resolution to private zones only

`impersonateServiceAccount`

Type: String?

Optional service account email to impersonate

`description`

Type: String · required

Short description of this DNS server

`memberTenantId`

Type: Id<Tenant>?

Identifier for the tenant this DNS server belongs to

`timeout`

Type: Duration · default: "30s"

Request timeout for the DNS server

`ttl`

Type: Duration · default: "5m"

The TTL for new DNS record

`pollingInterval`

Type: Duration · default: "15s"

How often to check for DNS records to propagate

`propagationTimeout`

Type: Duration · default: "1m"

How long to wait for DNS records to propagate

`propagationDelay`

Type: Duration?

Initial delay before first propagation check (useful for slow providers)

Enums

PostgreSqlRecyclingMethod

Value	Label
`fast`	Fast recycling method
`verified`	Verified recycling method
`clean`	Clean recycling method

IpProtocol

Value	Label
`udp`	UDP
`tcp`	TCP

TsigAlgorithm

Value	Label
`hmac-md5`	HMAC-MD5
`gss`	GSS
`hmac-sha1`	HMAC-SHA1
`hmac-sha224`	HMAC-SHA224
`hmac-sha256`	HMAC-SHA256
`hmac-sha256-128`	HMAC-SHA256-128
`hmac-sha384`	HMAC-SHA384
`hmac-sha384-192`	HMAC-SHA384-192
`hmac-sha512`	HMAC-SHA512
`hmac-sha512-256`	HMAC-SHA512-256

Sig0Algorithm

Value	Label
`ecdsa-p256-sha256`	ECDSA-P256-SHA256
`ecdsa-p384-sha384`	ECDSA-P384-SHA384
`ed25519`	ED25519

OvhEndpoint

Value	Label
`ovh-eu`	OVH EU
`ovh-ca`	OVH CA
`kimsufi-eu`	Kimsufi EU
`kimsufi-ca`	Kimsufi CA
`soyoustart-eu`	Soyoustart EU
`soyoustart-ca`	Soyoustart CA