fix(docker): remove host port bindings, add idempotent role passwords, Kong app route
Dokploy deployment fixes: - Remove all host port bindings (Kong 8000/8443/3000, Studio 54323, Inbucket 54324, DB 5432) — Traefik handles external routing in Dokploy, host ports conflict with other services on the shared server - Add idempotent ALTER ROLE password commands to db-migrate service — ensures role passwords are set even when DB volume persists across deployments (docker-entrypoint-initdb.d only runs on empty data dirs) - Add catch-all app route to Kong config — proxies / to localhost:3000 (Next.js app via network_mode: service:supabase-kong)
@@ -6,6 +6,9 @@
|
|||||||
# ⚠️ First deploy: `docker compose up -d` creates the DB from scratch with
|
# ⚠️ First deploy: `docker compose up -d` creates the DB from scratch with
|
||||||
# all Supabase roles/schemas via the image's built-in init scripts, then
|
# all Supabase roles/schemas via the image's built-in init scripts, then
|
||||||
# runs app migrations from the mounted volume.
|
# runs app migrations from the mounted volume.
|
||||||
|
#
|
||||||
|
# 🔒 Port bindings are intentionally omitted — in Dokploy, Traefik handles
|
||||||
|
# external routing. Services communicate via the Docker network.
|
||||||
|
|
||||||
services:
|
services:
|
||||||
# =====================================================
|
# =====================================================
|
||||||
@@ -30,7 +33,10 @@ services:
|
|||||||
timeout: 5s
|
timeout: 5s
|
||||||
retries: 10
|
retries: 10
|
||||||
|
|
||||||
# Run app migrations, seed, and dev patches after DB is healthy
|
# Run app migrations, seed, and dev patches after DB is healthy.
|
||||||
|
# Also ensures role passwords are set (idempotent) — covers the case
|
||||||
|
# where the DB volume already existed from a previous deployment and
|
||||||
|
# /docker-entrypoint-initdb.d/ scripts didn't re-run.
|
||||||
supabase-db-migrate:
|
supabase-db-migrate:
|
||||||
image: supabase/postgres:15.8.1.060
|
image: supabase/postgres:15.8.1.060
|
||||||
depends_on:
|
depends_on:
|
||||||
@@ -42,9 +48,22 @@ services:
|
|||||||
- ./docker/db/dev-bootstrap.sh:/app-seed/dev-bootstrap.sh:ro
|
- ./docker/db/dev-bootstrap.sh:/app-seed/dev-bootstrap.sh:ro
|
||||||
environment:
|
environment:
|
||||||
PGPASSWORD: ${POSTGRES_PASSWORD}
|
PGPASSWORD: ${POSTGRES_PASSWORD}
|
||||||
|
POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
|
||||||
entrypoint: ["/bin/sh", "-c"]
|
entrypoint: ["/bin/sh", "-c"]
|
||||||
command:
|
command:
|
||||||
- |
|
- |
|
||||||
|
echo "🔑 Ensuring role passwords are set (idempotent)..."
|
||||||
|
psql -h supabase-db -U supabase_admin -d postgres -v ON_ERROR_STOP=0 <<-EOSQL
|
||||||
|
ALTER ROLE authenticator WITH LOGIN PASSWORD '${POSTGRES_PASSWORD}';
|
||||||
|
ALTER ROLE supabase_storage_admin WITH LOGIN PASSWORD '${POSTGRES_PASSWORD}';
|
||||||
|
ALTER ROLE supabase_auth_admin WITH LOGIN PASSWORD '${POSTGRES_PASSWORD}';
|
||||||
|
ALTER ROLE dashboard_user WITH LOGIN PASSWORD '${POSTGRES_PASSWORD}';
|
||||||
|
ALTER ROLE postgres WITH PASSWORD '${POSTGRES_PASSWORD}';
|
||||||
|
CREATE SCHEMA IF NOT EXISTS _realtime;
|
||||||
|
GRANT ALL ON SCHEMA _realtime TO supabase_admin;
|
||||||
|
GRANT USAGE ON SCHEMA _realtime TO postgres, anon, authenticated, service_role;
|
||||||
|
EOSQL
|
||||||
|
echo ""
|
||||||
echo "Running app migrations..."
|
echo "Running app migrations..."
|
||||||
for sql in /app-migrations/*.sql; do
|
for sql in /app-migrations/*.sql; do
|
||||||
echo " → $$sql"
|
echo " → $$sql"
|
||||||
@@ -220,8 +239,6 @@ services:
|
|||||||
depends_on:
|
depends_on:
|
||||||
- supabase-meta
|
- supabase-meta
|
||||||
- supabase-kong
|
- supabase-kong
|
||||||
ports:
|
|
||||||
- "${STUDIO_PORT:-54323}:3000"
|
|
||||||
environment:
|
environment:
|
||||||
STUDIO_PG_META_URL: http://supabase-meta:8080
|
STUDIO_PG_META_URL: http://supabase-meta:8080
|
||||||
POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
|
POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
|
||||||
@@ -246,8 +263,6 @@ services:
|
|||||||
supabase-inbucket:
|
supabase-inbucket:
|
||||||
image: inbucket/inbucket:3.0.4
|
image: inbucket/inbucket:3.0.4
|
||||||
restart: unless-stopped
|
restart: unless-stopped
|
||||||
ports:
|
|
||||||
- "${INBUCKET_PORT:-54324}:9000"
|
|
||||||
volumes:
|
volumes:
|
||||||
- supabase-inbucket-data:/storage
|
- supabase-inbucket-data:/storage
|
||||||
|
|
||||||
@@ -262,10 +277,6 @@ services:
|
|||||||
- supabase-rest
|
- supabase-rest
|
||||||
- supabase-storage
|
- supabase-storage
|
||||||
- supabase-realtime
|
- supabase-realtime
|
||||||
ports:
|
|
||||||
- "${KONG_HTTP_PORT:-8000}:8000"
|
|
||||||
- "${KONG_HTTPS_PORT:-8443}:8443"
|
|
||||||
- "${APP_PORT:-3000}:3000"
|
|
||||||
entrypoint: >
|
entrypoint: >
|
||||||
sh -c "sed 's|\$${SUPABASE_ANON_KEY}|'\"$$SUPABASE_ANON_KEY\"'|g; s|\$${SUPABASE_SERVICE_KEY}|'\"$$SUPABASE_SERVICE_KEY\"'|g' /var/lib/kong/kong.yml.tpl > /tmp/kong.yml && KONG_DECLARATIVE_CONFIG=/tmp/kong.yml /docker-entrypoint.sh kong docker-start"
|
sh -c "sed 's|\$${SUPABASE_ANON_KEY}|'\"$$SUPABASE_ANON_KEY\"'|g; s|\$${SUPABASE_SERVICE_KEY}|'\"$$SUPABASE_SERVICE_KEY\"'|g' /var/lib/kong/kong.yml.tpl > /tmp/kong.yml && KONG_DECLARATIVE_CONFIG=/tmp/kong.yml /docker-entrypoint.sh kong docker-start"
|
||||||
environment:
|
environment:
|
||||||
|
|||||||
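Review bot: The five `ALTER ROLE … PASSWORD '${POSTGRES_PASSWORD}'` lines in the supabase-db-migrate command use a single `$`, so Compose substitutes the secret into the command text at config time (the loop below escapes its shell variable as `$$sql`). The password then sits in the container's `sh -c` argument, readable through `docker inspect` and the process list, and the `POSTGRES_PASSWORD` environment entry this commit adds is not read by the visible part of the script. A password containing `'` would also end the SQL literal early, and because the heredoc delimiter is unquoted the shell would expand any `$` or backtick in it; passing the value from the environment as a psql variable and quoting it with `:'pw'` avoids all of this. Separately, `ON_ERROR_STOP=0` lets the script continue to the migrations when a role statement fails, so a failed password reset shows up only in the log; if that is intended, a comment should say so. The command block starts and ends outside the hunk.

```yaml
    command:
      - |
        echo "🔑 Ensuring role passwords are set (idempotent)..."
        psql -h supabase-db -U supabase_admin -d postgres \
          -v ON_ERROR_STOP=0 -v pw="$$POSTGRES_PASSWORD" <<-'EOSQL'
        ALTER ROLE authenticator WITH LOGIN PASSWORD :'pw';
        ALTER ROLE supabase_storage_admin WITH LOGIN PASSWORD :'pw';
        ALTER ROLE supabase_auth_admin WITH LOGIN PASSWORD :'pw';
        ALTER ROLE dashboard_user WITH LOGIN PASSWORD :'pw';
        ALTER ROLE postgres WITH PASSWORD :'pw';
        -- … unchanged: _realtime schema and grants …
        EOSQL
        # … unchanged: app migrations loop …
```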
@@ -85,3 +85,14 @@ services:
|
|||||||
hide_groups_header: true
|
hide_groups_header: true
|
||||||
allow:
|
allow:
|
||||||
- admin
|
- admin
|
||||||
|
|
||||||
|
# Next.js App (catch-all — must be last so API routes take priority)
|
||||||
|
- name: app
|
||||||
|
url: http://localhost:3000/
|
||||||
|
routes:
|
||||||
|
- name: app-routes
|
||||||
|
strip_path: false
|
||||||
|
paths:
|
||||||
|
- /
|
||||||
|
plugins:
|
||||||
|
- name: cors
|
||||||
|
|||||||
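Review bot: The comment on the new `app` service says the catch-all "must be last so API routes take priority", but Kong does not match routes in declaration order; among prefix paths the longer prefix is tried first, so `/` loses to the API paths wherever it is listed. Suggest `# Next.js App (catch-all: "/" is the shortest prefix, so more specific API paths match first regardless of order)` so that nobody relies on ordering later. The `cors` plugin's config is cut off at the end of the hunk; since this route now fronts the whole app through Kong, confirm that its allowed origins are not a wildcard combined with credentials.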