zaid.marzguioui/myeasycms-v2
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add account hierarchy framework with migrations, RLS policies, and UI components

Browse Source
This commit is contained in:
T. Zehetbauer
2026-03-31 22:18:04 +02:00
parent 7e7da0b465
commit 59546ad6d2
262 changed files with 11671 additions and 3927 deletions
Download Patch File Download Diff File Expand all files Collapse all files

121
docker-compose.yml
View File

@@ -6,9 +6,6 @@
# ⚠️ First deploy: `docker compose up -d` creates the DB from scratch with
# all Supabase roles/schemas via the image's built-in init scripts, then
# runs app migrations from the mounted volume.
#
# 🔒 Port bindings are intentionally omitted — in Dokploy, Traefik handles
# external routing. Services communicate via the Docker network.
services:
# =====================================================
@@ -27,16 +24,15 @@ services:
environment:
POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
POSTGRES_DB: postgres
ports:
- '${DB_PORT:-5432}:5432'
healthcheck:
test: ["CMD-SHELL", "pg_isready -U postgres -d postgres"]
test: ['CMD-SHELL', 'pg_isready -U postgres -d postgres']
interval: 10s
timeout: 5s
retries: 10
# Run app migrations, seed, and dev patches after DB is healthy.
# Also ensures role passwords are set (idempotent) — covers the case
# where the DB volume already existed from a previous deployment and
# /docker-entrypoint-initdb.d/ scripts didn't re-run.
# Run app migrations, seed, and dev patches after DB is healthy
supabase-db-migrate:
image: supabase/postgres:15.8.1.060
depends_on:
@@ -48,13 +44,9 @@ services:
- ./docker/db/dev-bootstrap.sh:/app-seed/dev-bootstrap.sh:ro
environment:
PGPASSWORD: ${POSTGRES_PASSWORD}
POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
entrypoint: ["/bin/sh", "-c"]
entrypoint: ['/bin/sh', '-c']
command:
- |
echo "🔑 Ensuring role passwords are set (idempotent)..."
psql -h supabase-db -U supabase_admin -d postgres -v ON_ERROR_STOP=0 -c "ALTER ROLE authenticator WITH LOGIN PASSWORD '${POSTGRES_PASSWORD}';" -c "ALTER ROLE supabase_storage_admin WITH LOGIN PASSWORD '${POSTGRES_PASSWORD}';" -c "ALTER ROLE supabase_auth_admin WITH LOGIN PASSWORD '${POSTGRES_PASSWORD}';" -c "ALTER ROLE dashboard_user WITH LOGIN PASSWORD '${POSTGRES_PASSWORD}';" -c "ALTER ROLE postgres WITH PASSWORD '${POSTGRES_PASSWORD}';" -c "CREATE SCHEMA IF NOT EXISTS _realtime;" -c "GRANT ALL ON SCHEMA _realtime TO supabase_admin;" -c "GRANT USAGE ON SCHEMA _realtime TO postgres, anon, authenticated, service_role;" 2>&1 || true
echo ""
echo "Running app migrations..."
for sql in /app-migrations/*.sql; do
echo " → $$sql"
@@ -63,7 +55,7 @@ services:
echo "✅ App migrations complete."
echo ""
sh /app-seed/dev-bootstrap.sh
restart: "no"
restart: 'no'
# =====================================================
# Supabase Auth (GoTrue)
@@ -74,8 +66,6 @@ services:
depends_on:
supabase-db:
condition: service_healthy
supabase-db-migrate:
condition: service_completed_successfully
environment:
GOTRUE_API_HOST: 0.0.0.0
GOTRUE_API_PORT: 9999
@@ -102,7 +92,15 @@ services:
GOTRUE_MAILER_URLPATHS_RECOVERY: /auth/v1/verify
GOTRUE_MAILER_URLPATHS_EMAIL_CHANGE: /auth/v1/verify
healthcheck:
test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://localhost:9999/health"]
test:
[
'CMD',
'wget',
'--no-verbose',
'--tries=1',
'--spider',
'http://localhost:9999/health',
]
interval: 10s
timeout: 5s
retries: 5
@@ -116,20 +114,21 @@ services:
depends_on:
supabase-db:
condition: service_healthy
supabase-db-migrate:
condition: service_completed_successfully
environment:
PGRST_DB_URI: postgres://authenticator:${POSTGRES_PASSWORD}@supabase-db:5432/postgres
PGRST_DB_SCHEMAS: public,storage,graphql_public
PGRST_DB_ANON_ROLE: anon
PGRST_JWT_SECRET: ${JWT_SECRET}
PGRST_DB_USE_LEGACY_GUCS: "false"
PGRST_DB_USE_LEGACY_GUCS: 'false'
healthcheck:
test: ["CMD-SHELL", "head -c0 </dev/tcp/localhost/3000 || exit 1"]
test:
[
'CMD-SHELL',
'wget --no-verbose --tries=1 --spider http://localhost:3000/ || exit 1',
]
interval: 10s
timeout: 5s
retries: 5
start_period: 15s
# =====================================================
# Supabase Realtime
@@ -140,8 +139,6 @@ services:
depends_on:
supabase-db:
condition: service_healthy
supabase-db-migrate:
condition: service_completed_successfully
environment:
PORT: 4000
DB_HOST: supabase-db
@@ -149,20 +146,20 @@ services:
DB_USER: supabase_admin
DB_PASSWORD: ${POSTGRES_PASSWORD}
DB_NAME: postgres
DB_AFTER_CONNECT_QUERY: "SET search_path TO _realtime"
DB_AFTER_CONNECT_QUERY: 'SET search_path TO _realtime'
DB_ENC_KEY: supabaserealtime
API_JWT_SECRET: ${JWT_SECRET}
SECRET_KEY_BASE: ${SECRET_KEY_BASE:-UpNVntn3cDxHJpq99YMc1T1AQgQpc8kfYTuRgBiYa15BLrx8etQoXz3gZv1/u2oq}
ERL_AFLAGS: "-proto_dist inet_tcp"
ERL_AFLAGS: '-proto_dist inet_tcp'
DNS_NODES: "''"
RLIMIT_NOFILE: "10000"
RLIMIT_NOFILE: '10000'
APP_NAME: realtime
SEED_SELF_HOST: "true"
SEED_SELF_HOST: 'true'
REPLICATION_MODE: RLS
REPLICATION_POLL_INTERVAL: 100
SECURE_CHANNELS: "true"
SECURE_CHANNELS: 'true'
SLOT_NAME: supabase_realtime_rls
TEMPORARY_SLOT: "true"
TEMPORARY_SLOT: 'true'
MAX_RECORD_BYTES: 1048576
# =====================================================
@@ -174,8 +171,6 @@ services:
depends_on:
supabase-db:
condition: service_healthy
supabase-db-migrate:
condition: service_completed_successfully
supabase-rest:
condition: service_started
supabase-imgproxy:
@@ -196,11 +191,14 @@ services:
GLOBAL_S3_BUCKET: stub
IMGPROXY_URL: http://supabase-imgproxy:8080
healthcheck:
test: ["CMD-SHELL", "wget --no-verbose --tries=1 --spider http://localhost:5000/status || exit 1"]
test:
[
'CMD-SHELL',
'wget --no-verbose --tries=1 --spider http://localhost:5000/status || exit 1',
]
interval: 10s
timeout: 5s
retries: 5
start_period: 15s
# =====================================================
# Supabase imgproxy (image transformations)
@@ -209,10 +207,10 @@ services:
image: darthsim/imgproxy:v3.8.0
restart: unless-stopped
environment:
IMGPROXY_BIND: ":8080"
IMGPROXY_BIND: ':8080'
IMGPROXY_LOCAL_FILESYSTEM_ROOT: /
IMGPROXY_USE_ETAG: "true"
IMGPROXY_ENABLE_WEBP_DETECTION: "true"
IMGPROXY_USE_ETAG: 'true'
IMGPROXY_ENABLE_WEBP_DETECTION: 'true'
# =====================================================
# Supabase pg_meta (DB introspection for Studio)
@@ -223,8 +221,6 @@ services:
depends_on:
supabase-db:
condition: service_healthy
supabase-db-migrate:
condition: service_completed_successfully
environment:
PG_META_PORT: 8080
PG_META_DB_HOST: supabase-db
@@ -242,6 +238,8 @@ services:
depends_on:
- supabase-meta
- supabase-kong
ports:
- '${STUDIO_PORT:-54323}:3000'
environment:
STUDIO_PG_META_URL: http://supabase-meta:8080
POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
@@ -252,14 +250,19 @@ services:
SUPABASE_ANON_KEY: ${SUPABASE_ANON_KEY}
SUPABASE_SERVICE_KEY: ${SUPABASE_SERVICE_ROLE_KEY}
AUTH_JWT_SECRET: ${JWT_SECRET}
NEXT_PUBLIC_ENABLE_LOGS: "true"
NEXT_PUBLIC_ENABLE_LOGS: 'true'
NEXT_ANALYTICS_BACKEND_PROVIDER: postgres
healthcheck:
test: ["CMD", "node", "-e", "require('http').get('http://localhost:3000/api/profile', (r) => r.statusCode === 200 ? process.exit(0) : process.exit(1))"]
test:
[
'CMD',
'node',
'-e',
"require('http').get('http://localhost:3000/api/profile', (r) => r.statusCode === 200 ? process.exit(0) : process.exit(1))",
]
interval: 10s
timeout: 5s
retries: 5
start_period: 30s
# =====================================================
# Supabase Inbucket (Email testing)
@@ -267,6 +270,8 @@ services:
supabase-inbucket:
image: inbucket/inbucket:3.0.4
restart: unless-stopped
ports:
- '${INBUCKET_PORT:-54324}:9000'
volumes:
- supabase-inbucket-data:/storage
@@ -281,10 +286,14 @@ services:
- supabase-rest
- supabase-storage
- supabase-realtime
ports:
- '${KONG_HTTP_PORT:-8000}:8000'
- '${KONG_HTTPS_PORT:-8443}:8443'
- '${APP_PORT:-3000}:3000'
entrypoint: >
sh -c "sed 's|\$${SUPABASE_ANON_KEY}|'\"$$SUPABASE_ANON_KEY\"'|g; s|\$${SUPABASE_SERVICE_KEY}|'\"$$SUPABASE_SERVICE_KEY\"'|g' /var/lib/kong/kong.yml.tpl > /tmp/kong.yml && KONG_DECLARATIVE_CONFIG=/tmp/kong.yml /docker-entrypoint.sh kong docker-start"
environment:
KONG_DATABASE: "off"
KONG_DATABASE: 'off'
KONG_DECLARATIVE_CONFIG: /var/lib/kong/kong.yml
KONG_DNS_ORDER: LAST,A,CNAME
KONG_PLUGINS: request-transformer,cors,key-auth,acl,basic-auth
@@ -295,7 +304,7 @@ services:
volumes:
- ./docker/kong.yml:/var/lib/kong/kong.yml.tpl:ro
healthcheck:
test: ["CMD", "kong", "health"]
test: ['CMD', 'kong', 'health']
interval: 10s
timeout: 5s
retries: 5
@@ -307,34 +316,32 @@ services:
build:
context: .
dockerfile: Dockerfile
args:
NEXT_PUBLIC_SITE_URL: ${SITE_URL:-https://myeasycms.de}
# Browser-side Supabase URL — goes through external domain (Traefik → Kong)
NEXT_PUBLIC_SUPABASE_URL: ${API_EXTERNAL_URL:-http://localhost:8000}
NEXT_PUBLIC_SUPABASE_PUBLIC_KEY: ${SUPABASE_ANON_KEY}
restart: unless-stopped
depends_on:
supabase-kong:
condition: service_healthy
supabase-db-migrate:
condition: service_completed_successfully
# App shares Kong's network namespace — localhost:8000 inside the container
# reaches Kong directly. This keeps the same URL for browser AND server,
# so Supabase cookie names match without any code changes.
network_mode: 'service:supabase-kong'
environment:
NODE_ENV: production
NEXT_PUBLIC_SITE_URL: ${SITE_URL:-http://localhost:3000}
# Server-side Supabase URL — direct Docker network access to Kong
NEXT_PUBLIC_SUPABASE_URL: http://supabase-kong:8000
NEXT_PUBLIC_SUPABASE_URL: http://localhost:8000
NEXT_PUBLIC_SUPABASE_PUBLIC_KEY: ${SUPABASE_ANON_KEY}
SUPABASE_SECRET_KEY: ${SUPABASE_SERVICE_ROLE_KEY}
SUPABASE_DB_WEBHOOK_SECRET: ${DB_WEBHOOK_SECRET:-webhooksecret}
EMAIL_SENDER: ${EMAIL_SENDER:-noreply@myeasycms.de}
NEXT_PUBLIC_PRODUCT_NAME: MyEasyCMS
NEXT_PUBLIC_DEFAULT_LOCALE: de
NEXT_PUBLIC_ENABLE_THEME_TOGGLE: "true"
NEXT_PUBLIC_ENABLE_TEAM_ACCOUNTS: "true"
NEXT_PUBLIC_ENABLE_TEAM_ACCOUNTS_CREATION: "true"
NEXT_PUBLIC_ENABLE_TEAM_ACCOUNTS_BILLING: "false"
NEXT_PUBLIC_ENABLE_PERSONAL_ACCOUNT_BILLING: "false"
NEXT_PUBLIC_ENABLE_NOTIFICATIONS: "true"
NEXT_PUBLIC_ENABLE_THEME_TOGGLE: 'true'
NEXT_PUBLIC_ENABLE_TEAM_ACCOUNTS: 'true'
NEXT_PUBLIC_ENABLE_TEAM_ACCOUNTS_CREATION: 'true'
NEXT_PUBLIC_ENABLE_TEAM_ACCOUNTS_BILLING: 'false'
NEXT_PUBLIC_ENABLE_PERSONAL_ACCOUNT_BILLING: 'false'
NEXT_PUBLIC_ENABLE_NOTIFICATIONS: 'true'
volumes:
supabase-db-data: