- PostgREST: replace wget healthcheck with TCP socket check — PostgREST
v12 is a minimal image without wget/curl
- All services: add start_period to healthchecks to avoid premature
unhealthy marking during initial startup
PostgREST, Auth, Realtime, Storage, and Meta were starting before db-migrate
set role passwords. On existing volumes (where initdb didn't re-run),
these services would fail to authenticate to Postgres. Now all services
wait for db-migrate to complete successfully before starting.
Dokploy deployment fixes:
- Remove all host port bindings (Kong 8000/8443/3000, Studio 54323, Inbucket 54324,
DB 5432) — Traefik handles external routing in Dokploy, host ports conflict
with other services on the shared server
- Add idempotent ALTER ROLE password commands to db-migrate service — ensures
role passwords are set even when DB volume persists across deployments
(docker-entrypoint-initdb.d only runs on empty data dirs)
- Add catch-all app route to Kong config — proxies / to localhost:3000
(Next.js app via network_mode: service:supabase-kong)
- Dockerfile: replace hardcoded NEXT_PUBLIC env vars with ARG+ENV pattern
so the same Dockerfile works for any environment (local dev, Dokploy prod)
- docker-compose.yml: pass SUPABASE_ANON_KEY as build arg to Dockerfile
- docker-compose.yml: remove DB port 5432 exposure (not needed on server,
services communicate via Docker network)
