-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathdocker-compose.yml
More file actions
684 lines (640 loc) · 26.9 KB
/
Copy pathdocker-compose.yml
File metadata and controls
684 lines (640 loc) · 26.9 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
# Usage
# Start: docker compose up
# With helpers: docker compose -f docker-compose.yml -f ./dev/docker-compose.dev.yml up
# Stop: docker compose down
# Destroy: docker compose -f docker-compose.yml -f ./dev/docker-compose.dev.yml down -v --remove-orphans
# Reset everything: ./reset.sh
#
# Optional overrides (layer with -f, same as the dev helper above):
# docker-compose.pg15.yml - pin Postgres 15 (existing installs not yet upgraded)
# docker-compose.pg17.yml - pin Postgres 17 explicitly (matches the default below)
# docker-compose.logs.yml - adds Logflare + Vector (Studio's Logs page)
# docker-compose.s3.yml - MinIO-backed storage instead of the local filesystem
name: supabase
services:
studio:
container_name: supabase-studio
image: supabase/studio:2026.06.03-sha-0bca601
restart: unless-stopped
healthcheck:
test:
[
"CMD-SHELL",
"node -e \"fetch('http://localhost:3000/api/platform/profile').then((r) => {if (r.status !== 200) throw new Error(r.status)})\""
]
timeout: 10s
interval: 5s
retries: 3
start_period: 20s
environment:
# Listen on all IPv4 interfaces
HOSTNAME: "0.0.0.0"
STUDIO_PG_META_URL: http://meta:8080
POSTGRES_PORT: ${POSTGRES_PORT}
POSTGRES_HOST: ${POSTGRES_HOST}
POSTGRES_DB: ${POSTGRES_DB}
POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
# See: https://supabase.com/docs/guides/self-hosting/remove-superuser-access
POSTGRES_USER_READ_WRITE: postgres
PG_META_CRYPTO_KEY: ${PG_META_CRYPTO_KEY}
PGRST_DB_SCHEMAS: ${PGRST_DB_SCHEMAS}
PGRST_DB_MAX_ROWS: ${PGRST_DB_MAX_ROWS:-1000}
PGRST_DB_EXTRA_SEARCH_PATH: ${PGRST_DB_EXTRA_SEARCH_PATH:-public}
DEFAULT_ORGANIZATION_NAME: ${STUDIO_DEFAULT_ORGANIZATION}
DEFAULT_PROJECT_NAME: ${STUDIO_DEFAULT_PROJECT}
OPENAI_API_KEY: ${OPENAI_API_KEY:-}
SUPABASE_URL: http://kong:8000
SUPABASE_PUBLIC_URL: ${SUPABASE_PUBLIC_URL}
SUPABASE_ANON_KEY: ${ANON_KEY}
SUPABASE_SERVICE_KEY: ${SERVICE_ROLE_KEY}
AUTH_JWT_SECRET: ${JWT_SECRET}
SUPABASE_PUBLISHABLE_KEY: ${SUPABASE_PUBLISHABLE_KEY:-}
SUPABASE_SECRET_KEY: ${SUPABASE_SECRET_KEY:-}
# Logs page is disabled by default; enable via docker-compose.logs.yml
ENABLED_FEATURES_LOGS_ALL: "false"
SNIPPETS_MANAGEMENT_FOLDER: /app/snippets
EDGE_FUNCTIONS_MANAGEMENT_FOLDER: /app/edge-functions
volumes:
- ./volumes/snippets:/app/snippets:z
- ./volumes/functions:/app/edge-functions:ro,z
kong:
container_name: supabase-kong
image: kong/kong:3.9.1
restart: unless-stopped
networks:
default:
aliases:
- api-gw
healthcheck:
test: ["CMD", "kong", "health"]
interval: 5s
timeout: 5s
retries: 5
depends_on:
studio:
condition: service_healthy
ports:
- ${KONG_HTTP_PORT}:8000/tcp
- ${KONG_HTTPS_PORT}:8443/tcp
volumes:
# https://github.com/supabase/supabase/issues/12661
- ./volumes/api/kong.yml:/home/kong/temp.yml:ro,z
- ./volumes/api/kong-entrypoint.sh:/home/kong/kong-entrypoint.sh:ro,z
environment:
KONG_DATABASE: "off"
KONG_DECLARATIVE_CONFIG: /usr/local/kong/kong.yml
# https://github.com/supabase/cli/issues/14
KONG_DNS_ORDER: LAST,A,CNAME
KONG_DNS_NOT_FOUND_TTL: 1
KONG_PLUGINS: request-transformer,cors,key-auth,acl,basic-auth,request-termination,ip-restriction,post-function
KONG_NGINX_PROXY_PROXY_BUFFER_SIZE: 160k
KONG_NGINX_PROXY_PROXY_BUFFERS: 64 160k
KONG_PROXY_ACCESS_LOG: /dev/stdout combined
SUPABASE_ANON_KEY: ${ANON_KEY}
SUPABASE_SERVICE_KEY: ${SERVICE_ROLE_KEY}
SUPABASE_PUBLISHABLE_KEY: ${SUPABASE_PUBLISHABLE_KEY:-}
SUPABASE_SECRET_KEY: ${SUPABASE_SECRET_KEY:-}
ANON_KEY_ASYMMETRIC: ${ANON_KEY_ASYMMETRIC:-}
SERVICE_ROLE_KEY_ASYMMETRIC: ${SERVICE_ROLE_KEY_ASYMMETRIC:-}
DASHBOARD_USERNAME: ${DASHBOARD_USERNAME}
DASHBOARD_PASSWORD: ${DASHBOARD_PASSWORD}
entrypoint: ["/bin/sh", "/home/kong/kong-entrypoint.sh"]
auth:
container_name: supabase-auth
image: supabase/gotrue:v2.189.0
restart: unless-stopped
healthcheck:
test:
[
"CMD",
"wget",
"--no-verbose",
"--tries=1",
"--spider",
"http://localhost:9999/health"
]
timeout: 5s
interval: 5s
retries: 3
depends_on:
db:
# Disable this if you are using an external Postgres database
condition: service_healthy
environment:
GOTRUE_API_HOST: 0.0.0.0
GOTRUE_API_PORT: 9999
API_EXTERNAL_URL: ${API_EXTERNAL_URL}
GOTRUE_DB_DRIVER: postgres
GOTRUE_DB_DATABASE_URL: postgres://supabase_auth_admin:${POSTGRES_PASSWORD}@${POSTGRES_HOST}:${POSTGRES_PORT}/${POSTGRES_DB}
GOTRUE_SITE_URL: ${SITE_URL}
GOTRUE_URI_ALLOW_LIST: ${ADDITIONAL_REDIRECT_URLS}
GOTRUE_DISABLE_SIGNUP: ${DISABLE_SIGNUP}
GOTRUE_JWT_ADMIN_ROLES: service_role
GOTRUE_JWT_AUD: authenticated
GOTRUE_JWT_DEFAULT_GROUP_NAME: authenticated
GOTRUE_JWT_EXP: ${JWT_EXPIRY}
GOTRUE_JWT_SECRET: ${JWT_SECRET}
GOTRUE_JWT_ISSUER: ${API_EXTERNAL_URL}/auth/v1
GOTRUE_EXTERNAL_EMAIL_ENABLED: ${ENABLE_EMAIL_SIGNUP}
GOTRUE_EXTERNAL_ANONYMOUS_USERS_ENABLED: ${ENABLE_ANONYMOUS_USERS}
GOTRUE_MAILER_AUTOCONFIRM: ${ENABLE_EMAIL_AUTOCONFIRM}
# Uncomment to bypass nonce check in ID Token flow. Commonly set to true when using Google Sign In on mobile.
# GOTRUE_EXTERNAL_SKIP_NONCE_CHECK: true
# GOTRUE_MAILER_SECURE_EMAIL_CHANGE_ENABLED: true
# GOTRUE_SMTP_MAX_FREQUENCY: 1s
GOTRUE_SMTP_ADMIN_EMAIL: ${SMTP_ADMIN_EMAIL}
GOTRUE_SMTP_HOST: ${SMTP_HOST}
GOTRUE_SMTP_PORT: ${SMTP_PORT}
GOTRUE_SMTP_USER: ${SMTP_USER}
GOTRUE_SMTP_PASS: ${SMTP_PASS}
GOTRUE_SMTP_SENDER_NAME: ${SMTP_SENDER_NAME}
GOTRUE_MAILER_URLPATHS_INVITE: ${MAILER_URLPATHS_INVITE}
GOTRUE_MAILER_URLPATHS_CONFIRMATION: ${MAILER_URLPATHS_CONFIRMATION}
GOTRUE_MAILER_URLPATHS_RECOVERY: ${MAILER_URLPATHS_RECOVERY}
GOTRUE_MAILER_URLPATHS_EMAIL_CHANGE: ${MAILER_URLPATHS_EMAIL_CHANGE}
GOTRUE_EXTERNAL_PHONE_ENABLED: ${ENABLE_PHONE_SIGNUP}
GOTRUE_SMS_AUTOCONFIRM: ${ENABLE_PHONE_AUTOCONFIRM}
GOTRUE_EXTERNAL_GOOGLE_ENABLED: ${GOOGLE_ENABLED}
GOTRUE_EXTERNAL_GOOGLE_CLIENT_ID: ${GOOGLE_CLIENT_ID}
GOTRUE_EXTERNAL_GOOGLE_SECRET: ${GOOGLE_SECRET}
GOTRUE_EXTERNAL_GOOGLE_REDIRECT_URI: ${GOOGLE_REDIRECT_URI}
GOTRUE_EXTERNAL_FACEBOOK_ENABLED: ${FACEBOOK_ENABLED}
GOTRUE_EXTERNAL_FACEBOOK_CLIENT_ID: ${FACEBOOK_CLIENT_ID}
GOTRUE_EXTERNAL_FACEBOOK_SECRET: ${FACEBOOK_SECRET}
GOTRUE_EXTERNAL_FACEBOOK_REDIRECT_URI: ${FACEBOOK_REDIRECT_URI}
# Uncomment to enable custom access token hook. Please see: https://supabase.com/docs/guides/auth/auth-hooks for full list of hooks and additional details about custom_access_token_hook
# GOTRUE_HOOK_CUSTOM_ACCESS_TOKEN_ENABLED: "true"
# GOTRUE_HOOK_CUSTOM_ACCESS_TOKEN_URI: "pg-functions://postgres/public/custom_access_token_hook"
# GOTRUE_HOOK_CUSTOM_ACCESS_TOKEN_SECRETS: "<standard-base64-secret>"
# GOTRUE_HOOK_MFA_VERIFICATION_ATTEMPT_ENABLED: "true"
# GOTRUE_HOOK_MFA_VERIFICATION_ATTEMPT_URI: "pg-functions://postgres/public/mfa_verification_attempt"
# GOTRUE_HOOK_PASSWORD_VERIFICATION_ATTEMPT_ENABLED: "true"
# GOTRUE_HOOK_PASSWORD_VERIFICATION_ATTEMPT_URI: "pg-functions://postgres/public/password_verification_attempt"
# GOTRUE_HOOK_SEND_SMS_ENABLED: "false"
# GOTRUE_HOOK_SEND_SMS_URI: "pg-functions://postgres/public/custom_access_token_hook"
# GOTRUE_HOOK_SEND_SMS_SECRETS: "v1,whsec_VGhpcyBpcyBhbiBleGFtcGxlIG9mIGEgc2hvcnRlciBCYXNlNjQgc3RyaW5n"
# GOTRUE_HOOK_SEND_EMAIL_ENABLED: "false"
# GOTRUE_HOOK_SEND_EMAIL_URI: "http://host.docker.internal:54321/functions/v1/email_sender"
# GOTRUE_HOOK_SEND_EMAIL_SECRETS: "v1,whsec_VGhpcyBpcyBhbiBleGFtcGxlIG9mIGEgc2hvcnRlciBCYXNlNjQgc3RyaW5n"
rest:
container_name: supabase-rest
image: postgrest/postgrest:v14.12
restart: unless-stopped
depends_on:
db:
# Disable this if you are using an external Postgres database
condition: service_healthy
healthcheck:
test: [ "CMD", "postgrest", "--ready" ]
interval: 5s
timeout: 5s
retries: 3
environment:
PGRST_DB_URI: postgres://authenticator:${POSTGRES_PASSWORD}@${POSTGRES_HOST}:${POSTGRES_PORT}/${POSTGRES_DB}
PGRST_DB_SCHEMAS: ${PGRST_DB_SCHEMAS}
PGRST_DB_MAX_ROWS: ${PGRST_DB_MAX_ROWS:-1000}
PGRST_DB_EXTRA_SEARCH_PATH: ${PGRST_DB_EXTRA_SEARCH_PATH:-public}
PGRST_DB_ANON_ROLE: anon
PGRST_ADMIN_SERVER_PORT: 3001
PGRST_ADMIN_SERVER_HOST: localhost
PGRST_JWT_SECRET: ${JWT_JWKS:-${JWT_SECRET}}
PGRST_DB_USE_LEGACY_GUCS: "false"
PGRST_APP_SETTINGS_JWT_SECRET: ${JWT_SECRET}
PGRST_APP_SETTINGS_JWT_EXP: ${JWT_EXPIRY}
command:
[
"postgrest"
]
realtime:
# This container name looks inconsistent but is correct because realtime constructs tenant id by parsing the subdomain
container_name: realtime-dev.supabase-realtime
image: supabase/realtime:v2.102.3
restart: unless-stopped
depends_on:
db:
# Disable this if you are using an external Postgres database
condition: service_healthy
healthcheck:
test:
[
"CMD",
"curl",
"-sSfL",
"--head",
"-o",
"/dev/null",
"-H",
"Authorization: Bearer ${ANON_KEY}",
"http://localhost:4000/api/tenants/realtime-dev/health"
]
timeout: 5s
interval: 30s
retries: 3
start_period: 10s
environment:
PORT: 4000
DB_HOST: ${POSTGRES_HOST}
DB_PORT: ${POSTGRES_PORT}
DB_USER: supabase_admin
DB_PASSWORD: ${POSTGRES_PASSWORD}
DB_NAME: ${POSTGRES_DB}
DB_AFTER_CONNECT_QUERY: 'SET search_path TO _realtime'
DB_ENC_KEY: ${REALTIME_DB_ENC_KEY:-supabaserealtime}
API_JWT_SECRET: ${JWT_SECRET}
METRICS_JWT_SECRET: ${JWT_SECRET}
SECRET_KEY_BASE: ${SECRET_KEY_BASE}
ERL_AFLAGS: -proto_dist inet_tcp
DNS_NODES: "''"
RLIMIT_NOFILE: "10000"
APP_NAME: realtime
SEED_SELF_HOST: true
RUN_JANITOR: true
DISABLE_HEALTHCHECK_LOGGING: "true"
# To use S3 backed storage: docker compose -f docker-compose.yml -f docker-compose.s3.yml up
storage:
container_name: supabase-storage
image: supabase/storage-api:v1.60.4
restart: unless-stopped
volumes:
- ./volumes/storage:/var/lib/storage:z
healthcheck:
test:
[
"CMD",
"wget",
"--no-verbose",
"--tries=1",
"--spider",
"http://storage:5000/status"
]
timeout: 5s
interval: 5s
retries: 3
start_period: 10s
depends_on:
db:
# Disable this if you are using an external Postgres database
condition: service_healthy
rest:
condition: service_started
imgproxy:
condition: service_started
environment:
ANON_KEY: ${ANON_KEY}
SERVICE_KEY: ${SERVICE_ROLE_KEY}
POSTGREST_URL: http://rest:3000
AUTH_JWT_SECRET: ${JWT_JWKS:-${JWT_SECRET}}
DATABASE_URL: postgres://supabase_storage_admin:${POSTGRES_PASSWORD}@${POSTGRES_HOST}:${POSTGRES_PORT}/${POSTGRES_DB}
STORAGE_PUBLIC_URL: ${SUPABASE_PUBLIC_URL}
REQUEST_ALLOW_X_FORWARDED_PATH: "true"
FILE_SIZE_LIMIT: 52428800
STORAGE_BACKEND: file
# S3 bucket when using S3 backend, directory name when using 'file'
GLOBAL_S3_BUCKET: ${GLOBAL_S3_BUCKET:-stub}
FILE_STORAGE_BACKEND_PATH: /var/lib/storage
TENANT_ID: ${STORAGE_TENANT_ID:-stub}
# TODO: https://github.com/supabase/storage-api/issues/55
REGION: ${REGION:-stub}
ENABLE_IMAGE_TRANSFORMATION: "true"
IMGPROXY_URL: http://imgproxy:5001
# S3 protocol endpoint configuration (for connecting via the S3 API directly)
S3_PROTOCOL_ACCESS_KEY_ID: ${S3_PROTOCOL_ACCESS_KEY_ID:-}
S3_PROTOCOL_ACCESS_KEY_SECRET: ${S3_PROTOCOL_ACCESS_KEY_SECRET:-}
imgproxy:
container_name: supabase-imgproxy
image: darthsim/imgproxy:v3.30.1
restart: unless-stopped
volumes:
- ./volumes/storage:/var/lib/storage:z
healthcheck:
test:
[
"CMD",
"imgproxy",
"health"
]
timeout: 5s
interval: 5s
retries: 3
environment:
IMGPROXY_BIND: ":5001"
IMGPROXY_LOCAL_FILESYSTEM_ROOT: /
IMGPROXY_USE_ETAG: "true"
# Falls back to the old IMGPROXY_ENABLE_WEBP_DETECTION var name if IMGPROXY_AUTO_WEBP isn't set
IMGPROXY_AUTO_WEBP: ${IMGPROXY_AUTO_WEBP:-${IMGPROXY_ENABLE_WEBP_DETECTION:-true}}
IMGPROXY_MAX_SRC_RESOLUTION: 16.8
meta:
container_name: supabase-meta
image: supabase/postgres-meta:v0.96.6
restart: unless-stopped
depends_on:
db:
# Disable this if you are using an external Postgres database
condition: service_healthy
environment:
PG_META_PORT: 8080
PG_META_DB_HOST: ${POSTGRES_HOST}
PG_META_DB_PORT: ${POSTGRES_PORT}
PG_META_DB_NAME: ${POSTGRES_DB}
PG_META_DB_USER: postgres
PG_META_DB_PASSWORD: ${POSTGRES_PASSWORD}
CRYPTO_KEY: ${PG_META_CRYPTO_KEY}
functions:
container_name: supabase-edge-functions
image: supabase/edge-runtime:v1.74.0
restart: unless-stopped
volumes:
- ./volumes/functions:/home/deno/functions:Z
- deno-cache:/root/.cache/deno
depends_on:
kong:
condition: service_healthy
healthcheck:
test: ["CMD-SHELL", "timeout 1 bash -c '</dev/tcp/127.0.0.1/9000'"]
interval: 5s
timeout: 5s
retries: 3
environment:
JWT_SECRET: ${JWT_SECRET}
SUPABASE_URL: http://kong:8000
SUPABASE_PUBLIC_URL: ${SUPABASE_PUBLIC_URL}
SUPABASE_ANON_KEY: ${ANON_KEY}
SUPABASE_SERVICE_ROLE_KEY: ${SERVICE_ROLE_KEY}
SUPABASE_PUBLISHABLE_KEYS: "{\"default\":\"${SUPABASE_PUBLISHABLE_KEY:-}\"}"
SUPABASE_SECRET_KEYS: "{\"default\":\"${SUPABASE_SECRET_KEY:-}\"}"
SUPABASE_DB_URL: postgresql://postgres:${POSTGRES_PASSWORD}@${POSTGRES_HOST}:${POSTGRES_PORT}/${POSTGRES_DB}
# TODO: Allow configuring VERIFY_JWT per function. This PR might help: https://github.com/supabase/cli/pull/786
VERIFY_JWT: "${FUNCTIONS_VERIFY_JWT}"
# github function (Support page issue tracker) - leave GITHUB_TOKEN blank to disable
GITHUB_TOKEN: ${GITHUB_TOKEN}
GITHUB_OWNER: ${GITHUB_OWNER}
GITHUB_REPO: ${GITHUB_REPO}
command:
[
"start",
"--main-service",
"/home/deno/functions/main"
]
# Comment out everything below this point if you are using an external Postgres database
db:
container_name: supabase-db
# To upgrade an existing Postgres 15 database in place, see utils/upgrade-pg17.sh.
image: supabase/postgres:17.6.1.136
restart: unless-stopped
volumes:
- ./volumes/db/realtime.sql:/docker-entrypoint-initdb.d/migrations/99-realtime.sql:Z
# supabase/postgres:17.x no longer bundles storage.buckets/storage.objects table
# creation (only the schema/role) - storage-api now creates them itself on first
# connect. Our init scripts insert into storage.buckets synchronously during this
# same initdb pass, before storage-api ever starts, so restore that table creation
# here, in the same slot the image used to occupy on Postgres 15.
- ./volumes/db/storage-tables.sql:/docker-entrypoint-initdb.d/init-scripts/00000000000002-storage-tables.sql:Z
# Must be superuser to create event trigger
- ./volumes/db/webhooks.sql:/docker-entrypoint-initdb.d/init-scripts/98-webhooks.sql:Z
# Must be superuser to alter reserved role
- ./volumes/db/roles.sql:/docker-entrypoint-initdb.d/init-scripts/99-roles.sql:Z
# Initialize the database settings with JWT_SECRET and JWT_EXP
- ./volumes/db/jwt.sql:/docker-entrypoint-initdb.d/init-scripts/99-jwt.sql:Z
# Changes required for internal supabase data such as _analytics
- ./volumes/db/_supabase.sql:/docker-entrypoint-initdb.d/migrations/97-_supabase.sql:Z
# Changes required for Analytics support
- ./volumes/db/logs.sql:/docker-entrypoint-initdb.d/migrations/99-logs.sql:Z
# Changes required for Pooler support
- ./volumes/db/pooler.sql:/docker-entrypoint-initdb.d/migrations/99-pooler.sql:Z
# Giftamizer specific scripts
- ./volumes/db/giftamizer/0000-init.sql:/docker-entrypoint-initdb.d/init-scripts/zzzz-0000-init.sql:Z
- ./volumes/db/giftamizer/0001-profiles.sql:/docker-entrypoint-initdb.d/init-scripts/zzzz-0001-profiles.sql:Z
- ./volumes/db/giftamizer/0002-notifications.sql:/docker-entrypoint-initdb.d/init-scripts/zzzz-0002-notifications.sql:Z
- ./volumes/db/giftamizer/0003-groups.sql:/docker-entrypoint-initdb.d/init-scripts/zzzz-0003-groups.sql:Z
- ./volumes/db/giftamizer/0004-external-invites.sql:/docker-entrypoint-initdb.d/init-scripts/zzzz-0004-external-invites.sql:Z
- ./volumes/db/giftamizer/0005-items.sql:/docker-entrypoint-initdb.d/init-scripts/zzzz-0005-items.sql:Z
- ./volumes/db/giftamizer/0007-item-status.sql:/docker-entrypoint-initdb.d/init-scripts/zzzz-0007-item-status.sql:Z
- ./volumes/db/giftamizer/0008-system.sql:/docker-entrypoint-initdb.d/init-scripts/zzzz-0008-system.sql:Z
- ./volumes/db/giftamizer/0009-dashboard.sql:/docker-entrypoint-initdb.d/init-scripts/zzzz-0009-dashboard.sql:Z
- ./volumes/db/giftamizer/0010-cascade-delete-files.sql:/docker-entrypoint-initdb.d/init-scripts/zzzz-0010-cascade-delete-files.sql:Z
- ./volumes/db/giftamizer/0011-private-storage-policies.sql:/docker-entrypoint-initdb.d/init-scripts/zzzz-0011-private-storage-policies.sql:Z
- ./volumes/db/giftamizer/0012-child-list-item-status.sql:/docker-entrypoint-initdb.d/init-scripts/zzzz-0012-child-list-item-status.sql:Z
- ./volumes/db/giftamizer/0013-group-member-access-fixes.sql:/docker-entrypoint-initdb.d/init-scripts/zzzz-0013-group-member-access-fixes.sql:Z
# Use named volume to persist pgsodium decryption key between restarts
- db-config:/etc/postgresql-custom
# PGDATA directory is persisted between restarts
- ./volumes/db/data:/var/lib/postgresql/data:Z
healthcheck:
test:
[
"CMD",
"pg_isready",
"-U",
"postgres",
"-h",
"localhost"
]
interval: 5s
timeout: 5s
retries: 10
environment:
POSTGRES_HOST: /var/run/postgresql
PGPORT: ${POSTGRES_PORT}
POSTGRES_PORT: ${POSTGRES_PORT}
PGPASSWORD: ${POSTGRES_PASSWORD}
POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
PGDATABASE: ${POSTGRES_DB}
POSTGRES_DB: ${POSTGRES_DB}
JWT_SECRET: ${JWT_SECRET}
JWT_EXP: ${JWT_EXPIRY}
command:
[
"postgres",
"-c",
"config_file=/etc/postgresql/postgresql.conf",
"-c",
"log_min_messages=fatal", # prevents Realtime polling queries from appearing in logs
# Read by public.delete_from_bucket() (volumes/db/giftamizer/0010-cascade-delete-files.sql)
# to authenticate its net.http_delete() calls to the storage service.
"-c",
"custom.service_role_key=${SERVICE_ROLE_KEY}"
]
# Automated Postgres backups. Opt-in via COMPOSE_PROFILES (e.g. giftamizer-extras,backup)
# since local dev throwaway databases don't need scheduled backups.
db-backup:
container_name: supabase-db-backup
image: prodrigestivill/postgres-backup-local:17
restart: unless-stopped
profiles: ["backup"]
depends_on:
db:
condition: service_healthy
volumes:
- ./backups:/backups
environment:
POSTGRES_HOST: ${POSTGRES_HOST}
POSTGRES_PORT: ${POSTGRES_PORT}
POSTGRES_DB: ${POSTGRES_DB}
POSTGRES_USER: postgres
POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
SCHEDULE: ${BACKUP_SCHEDULE:-@daily}
BACKUP_ON_START: "TRUE"
BACKUP_KEEP_DAYS: ${BACKUP_KEEP_DAYS:-7}
BACKUP_KEEP_WEEKS: ${BACKUP_KEEP_WEEKS:-4}
BACKUP_KEEP_MONTHS: ${BACKUP_KEEP_MONTHS:-6}
# Local restic backup of the db-backup pg_dumps above (./backups) and the
# Storage files (./volumes/storage): encrypted, deduplicated snapshots
# written to ./volumes/restic-repo. On every successful backup,
# POST_COMMANDS_SUCCESS runs `rclone sync` to mirror that local repo to
# whichever remote is configured in RCLONE_REMOTE / ./volumes/rclone -
# rclone supports ~70 backends (S3, B2, R2, SFTP, Google Drive, ...), none
# of which are hardcoded here; the remote itself is defined via
# `rclone config` (see README). db-backup alone only protects against DB
# corruption, not host/disk loss - this is what actually gets a copy off
# the machine. Opt-in via COMPOSE_PROFILES (e.g.
# giftamizer-extras,backup,restic-backup); enable alongside the "backup"
# profile so ./backups has something to read.
restic-backup:
container_name: supabase-restic-backup
image: mazzolino/restic:1.8.2
restart: unless-stopped
profiles: ["restic-backup"]
volumes:
- ./backups:/data/backups:ro
- ./volumes/storage:/data/storage:ro
- ./volumes/restic-repo:/data/restic-repo
# rclone.conf lives here (create via `rclone config`, see README).
# Mounted read-write, not read-only: backends with oauth refresh
# tokens (B2, OneDrive, Google Drive) rewrite this file in place.
- ./volumes/rclone:/root/.config/rclone
environment:
TZ: ${TZ:-Etc/UTC}
RESTIC_REPOSITORY: /data/restic-repo
RESTIC_PASSWORD: ${RESTIC_PASSWORD}
RESTIC_BACKUP_SOURCES: /data/backups /data/storage
RESTIC_BACKUP_ARGS: --tag giftamizer
RESTIC_FORGET_ARGS: --keep-daily ${RESTIC_KEEP_DAYS:-7} --keep-weekly ${RESTIC_KEEP_WEEKS:-4} --keep-monthly ${RESTIC_KEEP_MONTHS:-6}
RUN_ON_STARTUP: "true"
BACKUP_CRON: ${RESTIC_BACKUP_CRON:-0 30 3 * * *}
RCLONE_REMOTE: ${RCLONE_REMOTE}
POST_COMMANDS_SUCCESS: rclone sync /data/restic-repo "$$RCLONE_REMOTE"
# Reclaims space that restic-backup's forget only marked as removable, then
# mirrors the result offsite too (so deleted snapshots disappear remotely,
# not just locally). Shares the local repo and rclone config with
# restic-backup above; SKIP_INIT keeps this container from racing
# restic-backup to initialize a brand-new repository. BACKUP_CRON/
# PRUNE_CRON are mutually exclusive per container - that's why this is a
# separate service instead of another env var on restic-backup.
restic-prune:
container_name: supabase-restic-prune
image: mazzolino/restic:1.8.2
restart: unless-stopped
profiles: ["restic-backup"]
volumes:
- ./volumes/restic-repo:/data/restic-repo
- ./volumes/rclone:/root/.config/rclone
environment:
TZ: ${TZ:-Etc/UTC}
SKIP_INIT: "true"
RESTIC_REPOSITORY: /data/restic-repo
RESTIC_PASSWORD: ${RESTIC_PASSWORD}
RUN_ON_STARTUP: "true"
PRUNE_CRON: ${RESTIC_PRUNE_CRON:-0 0 4 * * *}
RCLONE_REMOTE: ${RCLONE_REMOTE}
POST_COMMANDS_SUCCESS: rclone sync /data/restic-repo "$$RCLONE_REMOTE"
# Update the DATABASE_URL if you are using an external Postgres database
supavisor:
container_name: supabase-pooler
image: supabase/supavisor:2.9.5
restart: unless-stopped
ports:
- ${POSTGRES_PORT}:5432
- ${POOLER_PROXY_PORT_TRANSACTION}:6543
volumes:
- ./volumes/pooler/pooler.exs:/etc/pooler/pooler.exs:ro,z
healthcheck:
test:
[
"CMD",
"curl",
"-sSfL",
"--head",
"-o",
"/dev/null",
"http://127.0.0.1:4000/api/health"
]
interval: 10s
timeout: 5s
retries: 5
start_period: 30s
depends_on:
db:
condition: service_healthy
environment:
PORT: 4000
POSTGRES_PORT: ${POSTGRES_PORT}
POSTGRES_HOST: ${POSTGRES_HOST}
POSTGRES_DB: ${POSTGRES_DB}
POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
DATABASE_URL: ecto://supabase_admin:${POSTGRES_PASSWORD}@db:${POSTGRES_PORT}/_supabase
CLUSTER_POSTGRES: true
SECRET_KEY_BASE: ${SECRET_KEY_BASE}
VAULT_ENC_KEY: ${VAULT_ENC_KEY}
API_JWT_SECRET: ${JWT_SECRET}
METRICS_JWT_SECRET: ${JWT_SECRET}
REGION: local
ERL_AFLAGS: -proto_dist inet_tcp
POOLER_TENANT_ID: ${POOLER_TENANT_ID}
POOLER_DEFAULT_POOL_SIZE: ${POOLER_DEFAULT_POOL_SIZE}
POOLER_MAX_CLIENT_CONN: ${POOLER_MAX_CLIENT_CONN}
POOLER_POOL_MODE: transaction
DB_POOL_SIZE: ${POOLER_DB_POOL_SIZE:-5}
command:
[
"/bin/sh",
"-c",
"/app/bin/migrate && /app/bin/supavisor eval \"$$(cat /etc/pooler/pooler.exs)\" && /app/bin/server"
]
# Giftamizer-specific services below are opt-in for local dev.
# Set COMPOSE_PROFILES=giftamizer-extras in .env to start them (always-on in production).
smtp2graph:
container_name: giftamizer-smtp2graph
image: evantrow/smtp2graph:latest@sha256:01adf4ae92ddf7fe04125c2e5de52b427215f2fc76e96725a7a03a180e249c11
restart: unless-stopped
profiles: ["giftamizer-extras"]
healthcheck:
test: ["CMD", "nc", "-z", "localhost", "465"]
timeout: 5s
interval: 5s
retries: 5
ports:
# NOTE: confirmed by direct container inspection that this image always listens
# for SMTP on 465 (implicit TLS), never on plain 25, regardless of DEV_MODE or
# other env vars. The container-side "25" below is not actually listened on.
# GOTRUE_SMTP_PORT / SMTP_PORT in .env should point at 465, not 25, for the
# `auth` service to actually reach this container - worth double-checking that
# prod auth emails (signup/reset) are actually being delivered today.
- ${SMTP2GRAPH_HTTP_PORT}:8080
- ${SMTP2GRAPH_SMTP_PORT}:25
environment:
CLIENT_ID: ${SMTP2GRAPH_CLIENT_ID}
CLIENT_SECRET: ${SMTP2GRAPH_CLIENT_SECRET}
TENANT_ID: ${SMTP2GRAPH_TENANT_ID}
DEV_MODE: ${SMTP2GRAPH_DEV_MODE}
WEB_SERVER: ${SMTP2GRAPH_WEB_SERVER}
WEB_SERVER_MESSAGE_LIMIT: ${SMTP2GRAPH_WEB_SERVER_MESSAGE_LIMIT}
urlmetadata:
container_name: giftamizer-urlmetadata
image: explodedcode/urlmetadata:latest@sha256:cdd26d3af0d660a1faef5a6ff9782ca1711524c6fbcc7de3d725e999e8651675
restart: unless-stopped
profiles: ["giftamizer-extras"]
healthcheck:
test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://localhost:5500/"]
timeout: 5s
interval: 5s
retries: 5
ports:
# NOTE: confirmed by direct container inspection that this image ignores the
# PORT env var and always listens on 5500 internally, so the host-side port is
# intentionally hardcoded here rather than driven by URLMETADATA_HTTP_PORT.
- 5500:5500
environment:
PORT: ${URLMETADATA_HTTP_PORT}
volumes:
db-config:
deno-cache: