#!/usr/bin/env docker compose --- #==============================================================# # File : docker-compose.yml # Desc : modified supabase docker compose for pigsty pg # Ctime : 2023-09-19 # Mtime : 2025-07-01 # Path : app/supabase/docker-compose.yml # License : Apache-2.0 @ https://pigsty.io/docs/about/license/ # Copyright : 2018-2026 Ruohang Feng / Vonng (rh@vonng.com) #==============================================================# # Dir: https://github.com/supabase/supabase/blob/master/docker/ # Source: https://github.com/supabase/supabase/blob/master/docker/docker-compose.yml # Tutorial: https://supabase.com/docs/guides/self-hosting/docker name: supabase services: #--------------------------------------------------------------# # Studio: the admin GUI dashboard for supabase #--------------------------------------------------------------# # https://supabase.com/docs/guides/getting-started/architecture#studio-dashboard studio: container_name: supabase-studio image: supabase/studio:2025.11.10-sha-5291fe3 restart: unless-stopped healthcheck: test: [ "CMD", "node", "-e", "fetch('http://studio:3000/api/platform/profile').then((r) => {if (r.status !== 200) throw new Error(r.status)})"] timeout: 10s interval: 5s retries: 3 depends_on: analytics: condition: service_healthy environment: # Binds nestjs listener to both IPv4 and IPv6 network interfaces HOSTNAME: "::" STUDIO_PG_META_URL: http://meta:8080 POSTGRES_PORT: ${POSTGRES_PORT} POSTGRES_HOST: ${POSTGRES_HOST} POSTGRES_DB: ${POSTGRES_DB} POSTGRES_PASSWORD: ${POSTGRES_PASSWORD} PG_META_CRYPTO_KEY: ${PG_META_CRYPTO_KEY} DEFAULT_ORGANIZATION_NAME: ${STUDIO_DEFAULT_ORGANIZATION} DEFAULT_PROJECT_NAME: ${STUDIO_DEFAULT_PROJECT} OPENAI_API_KEY: ${OPENAI_API_KEY:-} SUPABASE_URL: http://kong:8000 SUPABASE_PUBLIC_URL: ${SUPABASE_PUBLIC_URL} SUPABASE_ANON_KEY: ${ANON_KEY} SUPABASE_SERVICE_KEY: ${SERVICE_ROLE_KEY} AUTH_JWT_SECRET: ${JWT_SECRET} LOGFLARE_PRIVATE_ACCESS_TOKEN: ${LOGFLARE_PRIVATE_ACCESS_TOKEN} LOGFLARE_URL: http://analytics:4000 NEXT_PUBLIC_ENABLE_LOGS: true NEXT_ANALYTICS_BACKEND_PROVIDER: postgres extra_hosts: - "${POSTGRES_DOMAIN}:${POSTGRES_HOST}" #--------------------------------------------------------------# # Kong: the API gateway for all supabase services #--------------------------------------------------------------# # https://supabase.com/docs/guides/getting-started/architecture#kong-api-gateway kong: container_name: supabase-kong image: kong:2.8.1 restart: unless-stopped ports: - ${KONG_HTTP_PORT}:8000/tcp - ${KONG_HTTPS_PORT}:8443/tcp volumes: - ./volumes/api/kong.yml:/home/kong/temp.yml:ro depends_on: analytics: condition: service_healthy environment: KONG_DATABASE: "off" KONG_DECLARATIVE_CONFIG: /home/kong/kong.yml # https://github.com/supabase/cli/issues/14 KONG_DNS_ORDER: LAST,A,CNAME KONG_PLUGINS: request-transformer,cors,key-auth,acl,basic-auth,request-termination,ip-restriction KONG_NGINX_PROXY_PROXY_BUFFER_SIZE: 160k KONG_NGINX_PROXY_PROXY_BUFFERS: 64 160k SUPABASE_ANON_KEY: ${ANON_KEY} SUPABASE_SERVICE_KEY: ${SERVICE_ROLE_KEY} DASHBOARD_USERNAME: ${DASHBOARD_USERNAME} DASHBOARD_PASSWORD: ${DASHBOARD_PASSWORD} entrypoint: bash -c 'eval "echo \"$$(cat ~/temp.yml)\"" > ~/kong.yml && /docker-entrypoint.sh kong docker-start' #--------------------------------------------------------------# # Auth: JWT-based API for authentication using GoTrue #--------------------------------------------------------------# # https://supabase.com/docs/guides/getting-started/architecture#gotrue-auth auth: container_name: supabase-auth image: supabase/gotrue:v2.182.1 restart: unless-stopped depends_on: analytics: condition: service_healthy healthcheck: test: [ "CMD","wget","--no-verbose","--tries=1","--spider","http://localhost:9999/health" ] timeout: 5s interval: 5s retries: 3 environment: GOTRUE_API_HOST: 0.0.0.0 GOTRUE_API_PORT: 9999 API_EXTERNAL_URL: ${API_EXTERNAL_URL} GOTRUE_DB_DRIVER: postgres GOTRUE_DB_DATABASE_URL: postgres://supabase_auth_admin:${POSTGRES_PASSWORD}@${POSTGRES_HOST}:${POSTGRES_PORT}/${POSTGRES_DB} GOTRUE_SITE_URL: ${SITE_URL} GOTRUE_URI_ALLOW_LIST: ${ADDITIONAL_REDIRECT_URLS} GOTRUE_DISABLE_SIGNUP: ${DISABLE_SIGNUP} GOTRUE_JWT_ADMIN_ROLES: service_role GOTRUE_JWT_AUD: authenticated GOTRUE_JWT_DEFAULT_GROUP_NAME: authenticated GOTRUE_JWT_EXP: ${JWT_EXPIRY} GOTRUE_JWT_SECRET: ${JWT_SECRET} GOTRUE_EXTERNAL_EMAIL_ENABLED: ${ENABLE_EMAIL_SIGNUP} GOTRUE_EXTERNAL_ANONYMOUS_USERS_ENABLED: ${ENABLE_ANONYMOUS_USERS} GOTRUE_MAILER_AUTOCONFIRM: ${ENABLE_EMAIL_AUTOCONFIRM} # Uncomment to bypass nonce check in ID Token flow. Commonly set to true when using Google Sign In on mobile. # GOTRUE_EXTERNAL_SKIP_NONCE_CHECK: true # GOTRUE_MAILER_SECURE_EMAIL_CHANGE_ENABLED: true # GOTRUE_SMTP_MAX_FREQUENCY: 1s GOTRUE_SMTP_ADMIN_EMAIL: ${SMTP_ADMIN_EMAIL} GOTRUE_SMTP_HOST: ${SMTP_HOST} GOTRUE_SMTP_PORT: ${SMTP_PORT} GOTRUE_SMTP_USER: ${SMTP_USER} GOTRUE_SMTP_PASS: ${SMTP_PASS} GOTRUE_SMTP_SENDER_NAME: ${SMTP_SENDER_NAME} # use absolute URLs for mailer URL paths GOTRUE_MAILER_URLPATHS_INVITE: "${SUPABASE_PUBLIC_URL}/${MAILER_URLPATHS_INVITE}" GOTRUE_MAILER_URLPATHS_CONFIRMATION: "${SUPABASE_PUBLIC_URL}/${MAILER_URLPATHS_CONFIRMATION}" GOTRUE_MAILER_URLPATHS_RECOVERY: "${SUPABASE_PUBLIC_URL}/${MAILER_URLPATHS_RECOVERY}" GOTRUE_MAILER_URLPATHS_EMAIL_CHANGE: "${SUPABASE_PUBLIC_URL}/${MAILER_URLPATHS_EMAIL_CHANGE}" GOTRUE_EXTERNAL_PHONE_ENABLED: ${ENABLE_PHONE_SIGNUP} GOTRUE_SMS_AUTOCONFIRM: ${ENABLE_PHONE_AUTOCONFIRM} # Uncomment to enable custom access token hook. Please see: https://supabase.com/docs/guides/auth/auth-hooks for full list of hooks and additional details about custom_access_token_hook # GOTRUE_HOOK_CUSTOM_ACCESS_TOKEN_ENABLED: "true" # GOTRUE_HOOK_CUSTOM_ACCESS_TOKEN_URI: "pg-functions://postgres/public/custom_access_token_hook" # GOTRUE_HOOK_CUSTOM_ACCESS_TOKEN_SECRETS: "" # GOTRUE_HOOK_MFA_VERIFICATION_ATTEMPT_ENABLED: "true" # GOTRUE_HOOK_MFA_VERIFICATION_ATTEMPT_URI: "pg-functions://postgres/public/mfa_verification_attempt" # GOTRUE_HOOK_PASSWORD_VERIFICATION_ATTEMPT_ENABLED: "true" # GOTRUE_HOOK_PASSWORD_VERIFICATION_ATTEMPT_URI: "pg-functions://postgres/public/password_verification_attempt" # GOTRUE_HOOK_SEND_SMS_ENABLED: "false" # GOTRUE_HOOK_SEND_SMS_URI: "pg-functions://postgres/public/custom_access_token_hook" # GOTRUE_HOOK_SEND_SMS_SECRETS: "v1,whsec_VGhpcyBpcyBhbiBleGFtcGxlIG9mIGEgc2hvcnRlciBCYXNlNjQgc3RyaW5n" # GOTRUE_HOOK_SEND_EMAIL_ENABLED: "false" # GOTRUE_HOOK_SEND_EMAIL_URI: "http://host.docker.internal:54321/functions/v1/email_sender" # GOTRUE_HOOK_SEND_EMAIL_SECRETS: "v1,whsec_VGhpcyBpcyBhbiBleGFtcGxlIG9mIGEgc2hvcnRlciBCYXNlNjQgc3RyaW5n" extra_hosts: - "${POSTGRES_DOMAIN}:${POSTGRES_HOST}" #--------------------------------------------------------------# # Rest: Turn PostgreSQL into a RESTful API using PostgREST #--------------------------------------------------------------# # https://supabase.com/docs/guides/getting-started/architecture#postgrest-api rest: container_name: supabase-rest image: postgrest/postgrest:v13.0.7 restart: unless-stopped depends_on: analytics: condition: service_healthy environment: PGRST_DB_URI: postgres://authenticator:${POSTGRES_PASSWORD}@${POSTGRES_HOST}:${POSTGRES_PORT}/${POSTGRES_DB} PGRST_DB_SCHEMAS: ${PGRST_DB_SCHEMAS} PGRST_DB_ANON_ROLE: anon PGRST_JWT_SECRET: ${JWT_SECRET} PGRST_DB_USE_LEGACY_GUCS: "false" PGRST_APP_SETTINGS_JWT_SECRET: ${JWT_SECRET} PGRST_APP_SETTINGS_JWT_EXP: ${JWT_EXPIRY} command: "postgrest" extra_hosts: - "${POSTGRES_DOMAIN}:${POSTGRES_HOST}" #--------------------------------------------------------------# # Realtime: A scalable websocket engine for realtime msg #--------------------------------------------------------------# # https://supabase.com/docs/guides/getting-started/architecture#realtime-api--multiplayer realtime: # This container name looks inconsistent but is correct because realtime constructs tenant id by parsing the subdomain container_name: realtime-dev.supabase-realtime image: supabase/realtime:v2.63.0 restart: unless-stopped depends_on: analytics: condition: service_healthy healthcheck: test: [ "CMD","curl","-sSfL","--head","-o","/dev/null","-H","Authorization: Bearer ${ANON_KEY}","http://localhost:4000/api/tenants/realtime-dev/health" ] timeout: 5s interval: 5s retries: 3 environment: PORT: 4000 DB_HOST: ${POSTGRES_HOST} DB_PORT: ${POSTGRES_PORT} DB_USER: supabase_admin DB_PASSWORD: ${POSTGRES_PASSWORD} DB_NAME: ${POSTGRES_DB} DB_AFTER_CONNECT_QUERY: 'SET search_path TO _realtime' DB_ENC_KEY: supabaserealtime API_JWT_SECRET: ${JWT_SECRET} SECRET_KEY_BASE: ${SECRET_KEY_BASE} ERL_AFLAGS: -proto_dist inet_tcp DNS_NODES: "''" RLIMIT_NOFILE: "10000" APP_NAME: realtime SEED_SELF_HOST: true RUN_JANITOR: true extra_hosts: - "${POSTGRES_DOMAIN}:${POSTGRES_HOST}" #--------------------------------------------------------------# # Storage: S3-compatible OSS that stores metadata in Postgres #--------------------------------------------------------------# # https://supabase.com/docs/guides/getting-started/architecture#storage-api-large-file-storage storage: container_name: supabase-storage image: supabase/storage-api:v1.29.0 depends_on: rest: condition: service_started imgproxy: condition: service_started healthcheck: test: [ "CMD","wget","--no-verbose","--tries=1","--spider","http://storage:5000/status" ] timeout: 5s interval: 5s retries: 3 restart: unless-stopped environment: ANON_KEY: ${ANON_KEY} SERVICE_KEY: ${SERVICE_ROLE_KEY} POSTGREST_URL: http://rest:3000 PGRST_JWT_SECRET: ${JWT_SECRET} DATABASE_URL: postgres://supabase_storage_admin:${POSTGRES_PASSWORD}@${POSTGRES_HOST}:${POSTGRES_PORT}/${POSTGRES_DB} REQUEST_ALLOW_X_FORWARDED_PATH: "true" FILE_SIZE_LIMIT: 52428800 TENANT_ID: stub ENABLE_IMAGE_TRANSFORMATION: "true" IMGPROXY_URL: http://imgproxy:5001 # local file storage (use minio instead) #STORAGE_BACKEND: file #FILE_STORAGE_BACKEND_PATH: /var/lib/storage STORAGE_BACKEND: s3 REGION: ${S3_REGION} GLOBAL_S3_BUCKET: ${S3_BUCKET} GLOBAL_S3_ENDPOINT: ${S3_ENDPOINT} AWS_ACCESS_KEY_ID: ${S3_ACCESS_KEY} AWS_SECRET_ACCESS_KEY: ${S3_SECRET_KEY} AWS_DEFAULT_REGION: ${S3_REGION} GLOBAL_S3_PROTOCOL: ${S3_PROTOCOL} GLOBAL_S3_FORCE_PATH_STYLE: ${S3_FORCE_PATH_STYLE} # add pigsty ca to the container NODE_EXTRA_CA_CERTS: /etc/pki/ca.crt volumes: - /etc/pki/ca.crt:/etc/pki/ca.crt:ro - ./volumes/storage:/var/lib/storage:z extra_hosts: - "${POSTGRES_DOMAIN}:${POSTGRES_HOST}" - "sss.pigsty:${MINIO_DOMAIN_IP}" #--------------------------------------------------------------# # imgproxy: the proxy for image #--------------------------------------------------------------# imgproxy: container_name: supabase-imgproxy image: darthsim/imgproxy:v3.8.0 healthcheck: test: [ "CMD", "imgproxy", "health" ] timeout: 5s interval: 5s retries: 3 environment: IMGPROXY_BIND: ":5001" IMGPROXY_LOCAL_FILESYSTEM_ROOT: / IMGPROXY_USE_ETAG: "true" IMGPROXY_ENABLE_WEBP_DETECTION: ${IMGPROXY_ENABLE_WEBP_DETECTION} volumes: - ./volumes/storage:/var/lib/storage:z #--------------------------------------------------------------# # postgres-meta: RESTful API Service to managing your Postgres #--------------------------------------------------------------# meta: container_name: supabase-meta image: supabase/postgres-meta:v0.93.1 restart: unless-stopped depends_on: analytics: condition: service_healthy environment: PG_META_PORT: 8080 PG_META_DB_HOST: ${POSTGRES_HOST} PG_META_DB_PORT: ${POSTGRES_PORT} PG_META_DB_NAME: ${POSTGRES_DB} PG_META_DB_USER: supabase_admin PG_META_DB_PASSWORD: ${POSTGRES_PASSWORD} CRYPTO_KEY: ${PG_META_CRYPTO_KEY} #--------------------------------------------------------------# # Edge Functions: A modern runtime for JavaScript and TypeScript #--------------------------------------------------------------# # https://supabase.com/docs/guides/getting-started/architecture#deno-edge-functions functions: container_name: supabase-edge-functions image: supabase/edge-runtime:v1.69.23 restart: unless-stopped volumes: - ./volumes/functions:/home/deno/functions:Z depends_on: analytics: condition: service_healthy environment: JWT_SECRET: ${JWT_SECRET} SUPABASE_URL: http://kong:8000 SUPABASE_ANON_KEY: ${ANON_KEY} SUPABASE_SERVICE_ROLE_KEY: ${SERVICE_ROLE_KEY} SUPABASE_DB_URL: postgresql://postgres:${POSTGRES_PASSWORD}@${POSTGRES_HOST}:${POSTGRES_PORT}/${POSTGRES_DB} # Allow configuring VERIFY_JWT per function. This PR might help: https://github.com/supabase/cli/pull/786 VERIFY_JWT: "${FUNCTIONS_VERIFY_JWT}" command: [ "start", "--main-service", "/home/deno/functions/main" ] extra_hosts: - "${POSTGRES_DOMAIN}:${POSTGRES_HOST}" #--------------------------------------------------------------# # Analytics: analysis log events #--------------------------------------------------------------# # https://docs.logflare.app/self-hosting/ analytics: container_name: supabase-analytics image: supabase/logflare:1.22.6 healthcheck: test: [ "CMD", "curl", "http://localhost:4000/health" ] timeout: 5s interval: 5s retries: 10 restart: unless-stopped environment: LOGFLARE_NODE_HOST: 127.0.0.1 DB_USERNAME: supabase_admin DB_DATABASE: supabase DB_HOSTNAME: ${POSTGRES_HOST} DB_PORT: ${POSTGRES_PORT} DB_PASSWORD: ${POSTGRES_PASSWORD} DB_SCHEMA: _analytics LOGFLARE_LOG_LEVEL: ${LOGFLARE_LOG_LEVEL} LOGFLARE_PUBLIC_ACCESS_TOKEN: ${LOGFLARE_PUBLIC_ACCESS_TOKEN} LOGFLARE_PRIVATE_ACCESS_TOKEN: ${LOGFLARE_PRIVATE_ACCESS_TOKEN} LOGFLARE_SINGLE_TENANT: true LOGFLARE_SUPABASE_MODE: true LOGFLARE_MIN_CLUSTER_SIZE: 1 # Comment variables to use Big Query backend for analytics POSTGRES_BACKEND_URL: postgresql://supabase_admin:${POSTGRES_PASSWORD}@${POSTGRES_HOST}:${POSTGRES_PORT}/supabase POSTGRES_BACKEND_SCHEMA: _analytics LOGFLARE_FEATURE_FLAG_OVERRIDE: multibackend=false ports: - 4000:4000 extra_hosts: - "${POSTGRES_DOMAIN}:${POSTGRES_HOST}" #--------------------------------------------------------------# # Vector: collecting logs #--------------------------------------------------------------# vector: container_name: supabase-vector image: timberio/vector:0.28.1-alpine healthcheck: test: [ "CMD", "wget", "--no-verbose", "--tries=1", "--spider","http://vector:9001/health" ] timeout: 5s interval: 5s retries: 3 environment: LOGFLARE_PUBLIC_ACCESS_TOKEN: ${LOGFLARE_PUBLIC_ACCESS_TOKEN} volumes: - ./volumes/logs/vector.yml:/etc/vector/vector.yml:ro - ${DOCKER_SOCKET_LOCATION}:/var/run/docker.sock:ro command: ["--config", "/etc/vector/vector.yml"] ...