Server-side code (proxy.ts, SSR, API routes) now uses SUPABASE_INTERNAL_URL
(http://supabase-kong:8000) instead of the external domain. This avoids
hairpin NAT / DNS resolution issues where Docker containers can't reach
their own external domain through the reverse proxy.
Browser-side JS still uses the external URL (baked at build time).
- Restore NEXT_PUBLIC_SUPABASE_URL + NEXT_PUBLIC_SUPABASE_PUBLIC_KEY at runtime
(server code reads from process.env — needs these for SSR)
- Use external URL (API_EXTERNAL_URL) for both build and runtime
- Add NEXT_PUBLIC_DEFAULT_LOCALE=de as Dockerfile build arg so next-intl
compiles with the correct default locale (was falling back to 'en')
- CACHE_BUST=3 to force full rebuild
NEXT_PUBLIC_ vars are baked into the Next.js bundle at build time.
Setting them at runtime with Docker-internal URLs (http://supabase-kong:8000)
causes SSR to fail with 500 because RSC uses the runtime value which
is unreachable from the browser. Let the build-time value
(https://myeasycms.frontieralgorithmics.de) be used everywhere.
Dokploy injects 'networks' into all compose services for Traefik routing,
which is mutually exclusive with 'network_mode: service:supabase-kong'.
Changes:
- Remove network_mode from app service
- App server-side Supabase URL: http://supabase-kong:8000 (Docker DNS)
- App browser-side Supabase URL: ${API_EXTERNAL_URL} (external domain)
- Kong catch-all route: app:3000 instead of localhost:3000
- PostgREST: replace wget healthcheck with TCP socket check — PostgREST
v12 is a minimal image without wget/curl
- All services: add start_period to healthchecks to avoid premature
unhealthy marking during initial startup
PostgREST, Auth, Realtime, Storage, and Meta were starting before db-migrate
set role passwords. On existing volumes (where initdb didn't re-run),
these services would fail to authenticate to Postgres. Now all services
wait for db-migrate to complete successfully before starting.
Dokploy deployment fixes:
- Remove all host port bindings (Kong 8000/8443/3000, Studio 54323, Inbucket 54324,
DB 5432) — Traefik handles external routing in Dokploy, host ports conflict
with other services on the shared server
- Add idempotent ALTER ROLE password commands to db-migrate service — ensures
role passwords are set even when DB volume persists across deployments
(docker-entrypoint-initdb.d only runs on empty data dirs)
- Add catch-all app route to Kong config — proxies / to localhost:3000
(Next.js app via network_mode: service:supabase-kong)
- Dockerfile: replace hardcoded NEXT_PUBLIC env vars with ARG+ENV pattern
so the same Dockerfile works for any environment (local dev, Dokploy prod)
- docker-compose.yml: pass SUPABASE_ANON_KEY as build arg to Dockerfile
- docker-compose.yml: remove DB port 5432 exposure (not needed on server,
services communicate via Docker network)
