NEXT_PUBLIC_ vars are baked into the Next.js bundle at build time.
Setting them at runtime with Docker-internal URLs (http://supabase-kong:8000)
causes SSR to fail with 500 because RSC uses the runtime value which
is unreachable from the browser. Let the build-time value
(https://myeasycms.frontieralgorithmics.de) be used everywhere.
Dokploy injects 'networks' into all compose services for Traefik routing,
which is mutually exclusive with 'network_mode: service:supabase-kong'.
Changes:
- Remove network_mode from app service
- App server-side Supabase URL: http://supabase-kong:8000 (Docker DNS)
- App browser-side Supabase URL: ${API_EXTERNAL_URL} (external domain)
- Kong catch-all route: app:3000 instead of localhost:3000
- PostgREST: replace wget healthcheck with TCP socket check — PostgREST
v12 is a minimal image without wget/curl
- All services: add start_period to healthchecks to avoid premature
unhealthy marking during initial startup
PostgREST, Auth, Realtime, Storage, and Meta were starting before db-migrate
set role passwords. On existing volumes (where initdb didn't re-run),
these services would fail to authenticate to Postgres. Now all services
wait for db-migrate to complete successfully before starting.
Dokploy deployment fixes:
- Remove all host port bindings (Kong 8000/8443/3000, Studio 54323, Inbucket 54324,
DB 5432) — Traefik handles external routing in Dokploy, host ports conflict
with other services on the shared server
- Add idempotent ALTER ROLE password commands to db-migrate service — ensures
role passwords are set even when DB volume persists across deployments
(docker-entrypoint-initdb.d only runs on empty data dirs)
- Add catch-all app route to Kong config — proxies / to localhost:3000
(Next.js app via network_mode: service:supabase-kong)
- Dockerfile: replace hardcoded NEXT_PUBLIC env vars with ARG+ENV pattern
so the same Dockerfile works for any environment (local dev, Dokploy prod)
- docker-compose.yml: pass SUPABASE_ANON_KEY as build arg to Dockerfile
- docker-compose.yml: remove DB port 5432 exposure (not needed on server,
services communicate via Docker network)
