From c8467d2d112e7e901bc5cb58058c0fdefe87c4ce Mon Sep 17 00:00:00 2001 From: Ahson Shaikh Date: Tue, 10 Mar 2026 17:27:09 +0500 Subject: [PATCH] Updated Dify, Supabase and Plane --- dify/code/.env.example | 11 + dify/code/docker-compose-template.yaml | 9 +- dify/code/docker-compose.yaml | 14 +- dify/code/middleware.env.example | 3 + plane/code/.env.example | 2 +- plane/code/docker-compose.yml | 18 +- plane/update.js | 0 supabase/code/.env.example | 232 +++++++++++++++--- supabase/code/CHANGELOG.md | 115 ++++++++- supabase/code/docker-compose.caddy.yml | 34 +++ supabase/code/docker-compose.nginx.yml | 33 +++ supabase/code/docker-compose.s3.yml | 67 +++-- supabase/code/docker-compose.yml | 117 +++++++-- supabase/code/utils/generate-keys.sh | 4 + supabase/code/versions.md | 24 ++ supabase/code/volumes/api/kong.yml | 35 ++- .../code/volumes/functions/hello/index.ts | 4 +- supabase/code/volumes/functions/main/index.ts | 3 +- supabase/code/volumes/logs/vector.yml | 49 ++-- supabase/code/volumes/proxy/caddy/Caddyfile | 36 +++ .../proxy/nginx/supabase-nginx.conf.tpl | 109 ++++++++ supabase/code/volumes/snippets/.gitkeep | 0 22 files changed, 766 insertions(+), 153 deletions(-) mode change 100644 => 100755 plane/update.js create mode 100644 supabase/code/docker-compose.caddy.yml create mode 100644 supabase/code/docker-compose.nginx.yml create mode 100644 supabase/code/volumes/proxy/caddy/Caddyfile create mode 100644 supabase/code/volumes/proxy/nginx/supabase-nginx.conf.tpl create mode 100644 supabase/code/volumes/snippets/.gitkeep diff --git a/dify/code/.env.example b/dify/code/.env.example index dcfc848..5818d29 100644 --- a/dify/code/.env.example +++ b/dify/code/.env.example @@ -62,6 +62,9 @@ LANG=C.UTF-8 LC_ALL=C.UTF-8 PYTHONIOENCODING=utf-8 +# Set UV cache directory to avoid permission issues with non-existent home directory +UV_CACHE_DIR=/tmp/.uv-cache + # ------------------------------ # Server Configuration # ------------------------------ @@ -346,6 +349,9 @@ REDIS_SSL_CERTFILE= REDIS_SSL_KEYFILE= # Path to client private key file for SSL authentication REDIS_DB=0 +# Optional: limit total Redis connections used by API/Worker (unset for default) +# Align with API's REDIS_MAX_CONNECTIONS in configs +REDIS_MAX_CONNECTIONS= # Whether to use Redis Sentinel mode. # If set to true, the application will automatically discover and connect to the master node through Sentinel. @@ -384,6 +390,8 @@ CELERY_USE_SENTINEL=false CELERY_SENTINEL_MASTER_NAME= CELERY_SENTINEL_PASSWORD= CELERY_SENTINEL_SOCKET_TIMEOUT=0.1 +# e.g. {"tasks.add": {"rate_limit": "10/s"}} +CELERY_TASK_ANNOTATIONS=null # ------------------------------ # CORS Configuration @@ -1068,6 +1076,8 @@ WORKFLOW_LOG_CLEANUP_ENABLED=false WORKFLOW_LOG_RETENTION_DAYS=30 # Batch size for workflow log cleanup operations (default: 100) WORKFLOW_LOG_CLEANUP_BATCH_SIZE=100 +# Comma-separated list of workflow IDs to clean logs for +WORKFLOW_LOG_CLEANUP_SPECIFIC_WORKFLOW_IDS= # Aliyun SLS Logstore Configuration # Aliyun Access Key ID @@ -1518,6 +1528,7 @@ AMPLITUDE_API_KEY= # Sandbox expired records clean configuration SANDBOX_EXPIRED_RECORDS_CLEAN_GRACEFUL_PERIOD=21 SANDBOX_EXPIRED_RECORDS_CLEAN_BATCH_SIZE=1000 +SANDBOX_EXPIRED_RECORDS_CLEAN_BATCH_MAX_INTERVAL=200 SANDBOX_EXPIRED_RECORDS_RETENTION_DAYS=30 diff --git a/dify/code/docker-compose-template.yaml b/dify/code/docker-compose-template.yaml index cb5e2c4..fcd4800 100644 --- a/dify/code/docker-compose-template.yaml +++ b/dify/code/docker-compose-template.yaml @@ -21,7 +21,7 @@ services: # API service api: - image: langgenius/dify-api:1.12.1 + image: langgenius/dify-api:1.13.0 restart: always environment: # Use the shared environment variables. @@ -63,7 +63,7 @@ services: # worker service # The Celery worker for processing all queues (dataset, workflow, mail, etc.) worker: - image: langgenius/dify-api:1.12.1 + image: langgenius/dify-api:1.13.0 restart: always environment: # Use the shared environment variables. @@ -102,7 +102,7 @@ services: # worker_beat service # Celery beat for scheduling periodic tasks. worker_beat: - image: langgenius/dify-api:1.12.1 + image: langgenius/dify-api:1.13.0 restart: always environment: # Use the shared environment variables. @@ -132,7 +132,7 @@ services: # Frontend web application. web: - image: langgenius/dify-web:1.12.1 + image: langgenius/dify-web:1.13.0 restart: always environment: CONSOLE_API_URL: ${CONSOLE_API_URL:-} @@ -149,7 +149,6 @@ services: MARKETPLACE_URL: ${MARKETPLACE_URL:-https://marketplace.dify.ai} TOP_K_MAX_VALUE: ${TOP_K_MAX_VALUE:-} INDEXING_MAX_SEGMENTATION_TOKENS_LENGTH: ${INDEXING_MAX_SEGMENTATION_TOKENS_LENGTH:-} - PM2_INSTANCES: ${PM2_INSTANCES:-2} LOOP_NODE_MAX_COUNT: ${LOOP_NODE_MAX_COUNT:-100} MAX_TOOLS_NUM: ${MAX_TOOLS_NUM:-10} MAX_PARALLEL_LIMIT: ${MAX_PARALLEL_LIMIT:-10} diff --git a/dify/code/docker-compose.yaml b/dify/code/docker-compose.yaml index 8c0136f..836ee76 100644 --- a/dify/code/docker-compose.yaml +++ b/dify/code/docker-compose.yaml @@ -16,6 +16,7 @@ x-shared-env: &shared-api-worker-env LANG: ${LANG:-C.UTF-8} LC_ALL: ${LC_ALL:-C.UTF-8} PYTHONIOENCODING: ${PYTHONIOENCODING:-utf-8} + UV_CACHE_DIR: ${UV_CACHE_DIR:-/tmp/.uv-cache} LOG_LEVEL: ${LOG_LEVEL:-INFO} LOG_OUTPUT_FORMAT: ${LOG_OUTPUT_FORMAT:-text} LOG_FILE: ${LOG_FILE:-/app/logs/server.log} @@ -89,6 +90,7 @@ x-shared-env: &shared-api-worker-env REDIS_SSL_CERTFILE: ${REDIS_SSL_CERTFILE:-} REDIS_SSL_KEYFILE: ${REDIS_SSL_KEYFILE:-} REDIS_DB: ${REDIS_DB:-0} + REDIS_MAX_CONNECTIONS: ${REDIS_MAX_CONNECTIONS:-} REDIS_USE_SENTINEL: ${REDIS_USE_SENTINEL:-false} REDIS_SENTINELS: ${REDIS_SENTINELS:-} REDIS_SENTINEL_SERVICE_NAME: ${REDIS_SENTINEL_SERVICE_NAME:-} @@ -105,6 +107,7 @@ x-shared-env: &shared-api-worker-env CELERY_SENTINEL_MASTER_NAME: ${CELERY_SENTINEL_MASTER_NAME:-} CELERY_SENTINEL_PASSWORD: ${CELERY_SENTINEL_PASSWORD:-} CELERY_SENTINEL_SOCKET_TIMEOUT: ${CELERY_SENTINEL_SOCKET_TIMEOUT:-0.1} + CELERY_TASK_ANNOTATIONS: ${CELERY_TASK_ANNOTATIONS:-null} WEB_API_CORS_ALLOW_ORIGINS: ${WEB_API_CORS_ALLOW_ORIGINS:-*} CONSOLE_CORS_ALLOW_ORIGINS: ${CONSOLE_CORS_ALLOW_ORIGINS:-*} COOKIE_DOMAIN: ${COOKIE_DOMAIN:-} @@ -468,6 +471,7 @@ x-shared-env: &shared-api-worker-env WORKFLOW_LOG_CLEANUP_ENABLED: ${WORKFLOW_LOG_CLEANUP_ENABLED:-false} WORKFLOW_LOG_RETENTION_DAYS: ${WORKFLOW_LOG_RETENTION_DAYS:-30} WORKFLOW_LOG_CLEANUP_BATCH_SIZE: ${WORKFLOW_LOG_CLEANUP_BATCH_SIZE:-100} + WORKFLOW_LOG_CLEANUP_SPECIFIC_WORKFLOW_IDS: ${WORKFLOW_LOG_CLEANUP_SPECIFIC_WORKFLOW_IDS:-} ALIYUN_SLS_ACCESS_KEY_ID: ${ALIYUN_SLS_ACCESS_KEY_ID:-} ALIYUN_SLS_ACCESS_KEY_SECRET: ${ALIYUN_SLS_ACCESS_KEY_SECRET:-} ALIYUN_SLS_ENDPOINT: ${ALIYUN_SLS_ENDPOINT:-} @@ -682,6 +686,7 @@ x-shared-env: &shared-api-worker-env AMPLITUDE_API_KEY: ${AMPLITUDE_API_KEY:-} SANDBOX_EXPIRED_RECORDS_CLEAN_GRACEFUL_PERIOD: ${SANDBOX_EXPIRED_RECORDS_CLEAN_GRACEFUL_PERIOD:-21} SANDBOX_EXPIRED_RECORDS_CLEAN_BATCH_SIZE: ${SANDBOX_EXPIRED_RECORDS_CLEAN_BATCH_SIZE:-1000} + SANDBOX_EXPIRED_RECORDS_CLEAN_BATCH_MAX_INTERVAL: ${SANDBOX_EXPIRED_RECORDS_CLEAN_BATCH_MAX_INTERVAL:-200} SANDBOX_EXPIRED_RECORDS_RETENTION_DAYS: ${SANDBOX_EXPIRED_RECORDS_RETENTION_DAYS:-30} PUBSUB_REDIS_URL: ${PUBSUB_REDIS_URL:-} PUBSUB_REDIS_CHANNEL_TYPE: ${PUBSUB_REDIS_CHANNEL_TYPE:-pubsub} @@ -712,7 +717,7 @@ services: # API service api: - image: langgenius/dify-api:1.12.1 + image: langgenius/dify-api:1.13.0 restart: always environment: # Use the shared environment variables. @@ -754,7 +759,7 @@ services: # worker service # The Celery worker for processing all queues (dataset, workflow, mail, etc.) worker: - image: langgenius/dify-api:1.12.1 + image: langgenius/dify-api:1.13.0 restart: always environment: # Use the shared environment variables. @@ -793,7 +798,7 @@ services: # worker_beat service # Celery beat for scheduling periodic tasks. worker_beat: - image: langgenius/dify-api:1.12.1 + image: langgenius/dify-api:1.13.0 restart: always environment: # Use the shared environment variables. @@ -823,7 +828,7 @@ services: # Frontend web application. web: - image: langgenius/dify-web:1.12.1 + image: langgenius/dify-web:1.13.0 restart: always environment: CONSOLE_API_URL: ${CONSOLE_API_URL:-} @@ -840,7 +845,6 @@ services: MARKETPLACE_URL: ${MARKETPLACE_URL:-https://marketplace.dify.ai} TOP_K_MAX_VALUE: ${TOP_K_MAX_VALUE:-} INDEXING_MAX_SEGMENTATION_TOKENS_LENGTH: ${INDEXING_MAX_SEGMENTATION_TOKENS_LENGTH:-} - PM2_INSTANCES: ${PM2_INSTANCES:-2} LOOP_NODE_MAX_COUNT: ${LOOP_NODE_MAX_COUNT:-100} MAX_TOOLS_NUM: ${MAX_TOOLS_NUM:-10} MAX_PARALLEL_LIMIT: ${MAX_PARALLEL_LIMIT:-10} diff --git a/dify/code/middleware.env.example b/dify/code/middleware.env.example index c88dbe5..7b28a77 100644 --- a/dify/code/middleware.env.example +++ b/dify/code/middleware.env.example @@ -91,6 +91,9 @@ MYSQL_INNODB_FLUSH_LOG_AT_TRX_COMMIT=2 # ----------------------------- REDIS_HOST_VOLUME=./volumes/redis/data REDIS_PASSWORD=difyai123456 +# Optional: limit total Redis connections used by API/Worker (unset for default) +# Align with API's REDIS_MAX_CONNECTIONS in configs +REDIS_MAX_CONNECTIONS= # ------------------------------ # Environment Variables for sandbox Service diff --git a/plane/code/.env.example b/plane/code/.env.example index 15eb375..087d2ee 100644 --- a/plane/code/.env.example +++ b/plane/code/.env.example @@ -1,5 +1,5 @@ APP_DOMAIN=$(PRIMARY_DOMAIN) -APP_RELEASE=v1.2.1 +APP_RELEASE=v1.2.3 WEB_REPLICAS=1 SPACE_REPLICAS=1 diff --git a/plane/code/docker-compose.yml b/plane/code/docker-compose.yml index 3619a1b..59845fb 100644 --- a/plane/code/docker-compose.yml +++ b/plane/code/docker-compose.yml @@ -63,7 +63,7 @@ x-app-env: &app-env services: web: - image: artifacts.plane.so/makeplane/plane-frontend:${APP_RELEASE:-v1.2.1} + image: artifacts.plane.so/makeplane/plane-frontend:${APP_RELEASE:-v1.2.3} deploy: replicas: ${WEB_REPLICAS:-1} restart_policy: @@ -73,7 +73,7 @@ services: - worker space: - image: artifacts.plane.so/makeplane/plane-space:${APP_RELEASE:-v1.2.1} + image: artifacts.plane.so/makeplane/plane-space:${APP_RELEASE:-v1.2.3} deploy: replicas: ${SPACE_REPLICAS:-1} restart_policy: @@ -84,7 +84,7 @@ services: - web admin: - image: artifacts.plane.so/makeplane/plane-admin:${APP_RELEASE:-v1.2.1} + image: artifacts.plane.so/makeplane/plane-admin:${APP_RELEASE:-v1.2.3} deploy: replicas: ${ADMIN_REPLICAS:-1} restart_policy: @@ -94,7 +94,7 @@ services: - web live: - image: artifacts.plane.so/makeplane/plane-live:${APP_RELEASE:-v1.2.1} + image: artifacts.plane.so/makeplane/plane-live:${APP_RELEASE:-v1.2.3} environment: <<: [ *live-env, *redis-env ] deploy: @@ -106,7 +106,7 @@ services: - web api: - image: artifacts.plane.so/makeplane/plane-backend:${APP_RELEASE:-v1.2.1} + image: artifacts.plane.so/makeplane/plane-backend:${APP_RELEASE:-v1.2.3} command: ./bin/docker-entrypoint-api.sh deploy: replicas: ${API_REPLICAS:-1} @@ -122,7 +122,7 @@ services: - plane-mq worker: - image: artifacts.plane.so/makeplane/plane-backend:${APP_RELEASE:-v1.2.1} + image: artifacts.plane.so/makeplane/plane-backend:${APP_RELEASE:-v1.2.3} command: ./bin/docker-entrypoint-worker.sh deploy: replicas: ${WORKER_REPLICAS:-1} @@ -139,7 +139,7 @@ services: - plane-mq beat-worker: - image: artifacts.plane.so/makeplane/plane-backend:${APP_RELEASE:-v1.2.1} + image: artifacts.plane.so/makeplane/plane-backend:${APP_RELEASE:-v1.2.3} command: ./bin/docker-entrypoint-beat.sh deploy: replicas: ${BEAT_WORKER_REPLICAS:-1} @@ -156,7 +156,7 @@ services: - plane-mq migrator: - image: artifacts.plane.so/makeplane/plane-backend:${APP_RELEASE:-v1.2.1} + image: artifacts.plane.so/makeplane/plane-backend:${APP_RELEASE:-v1.2.3} command: ./bin/docker-entrypoint-migrator.sh deploy: replicas: 1 @@ -218,7 +218,7 @@ services: # Comment this if you already have a reverse proxy running proxy: - image: artifacts.plane.so/makeplane/plane-proxy:${APP_RELEASE:-v1.2.1} + image: artifacts.plane.so/makeplane/plane-proxy:${APP_RELEASE:-v1.2.3} deploy: replicas: 1 restart_policy: diff --git a/plane/update.js b/plane/update.js old mode 100644 new mode 100755 diff --git a/supabase/code/.env.example b/supabase/code/.env.example index d89e78a..fd52e25 100644 --- a/supabase/code/.env.example +++ b/supabase/code/.env.example @@ -1,70 +1,126 @@ ############ # Secrets -# YOU MUST CHANGE THESE BEFORE GOING INTO PRODUCTION +# +# YOU MUST CHANGE ALL THE DEFAULT VALUES BELOW BEFORE STARTING +# THE CONTAINERS FOR THE FIRST TIME! +# +# Documentation: +# https://supabase.com/docs/guides/self-hosting/docker#configuring-and-securing-supabase +# +# To generate secrets and API keys: +# sh ./utils/generate-keys.sh +# ############ +# Postgres POSTGRES_PASSWORD=your-super-secret-and-long-postgres-password + +# Symmetric encryption key and JWT API keys JWT_SECRET=your-super-secret-jwt-token-with-at-least-32-characters-long ANON_KEY=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyAgCiAgICAicm9sZSI6ICJhbm9uIiwKICAgICJpc3MiOiAic3VwYWJhc2UtZGVtbyIsCiAgICAiaWF0IjogMTY0MTc2OTIwMCwKICAgICJleHAiOiAxNzk5NTM1NjAwCn0.dc_X5iR_VP_qT0zsiyj_I_OZ2T9FtRU2BBNWN8Bu4GE SERVICE_ROLE_KEY=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyAgCiAgICAicm9sZSI6ICJzZXJ2aWNlX3JvbGUiLAogICAgImlzcyI6ICJzdXBhYmFzZS1kZW1vIiwKICAgICJpYXQiOiAxNjQxNzY5MjAwLAogICAgImV4cCI6IDE3OTk1MzU2MDAKfQ.DaYlNEoUrrEn2Ig7tqibS-PHK5vgusbcbo7X36XVt4Q + +# Access to Dashboard DASHBOARD_USERNAME=supabase DASHBOARD_PASSWORD=this_password_is_insecure_and_should_be_updated + +# Used by Realtime and Supavisor SECRET_KEY_BASE=UpNVntn3cDxHJpq99YMc1T1AQgQpc8kfYTuRgBiYa15BLrx8etQoXz3gZv1/u2oq + +# Used by Supavisor VAULT_ENC_KEY=your-32-character-encryption-key + +# Used by Studio to access Postgres via postgres-meta PG_META_CRYPTO_KEY=your-encryption-key-32-chars-min +# Analytics - API tokens for log ingestion/querying, and for management +LOGFLARE_PUBLIC_ACCESS_TOKEN=your-super-secret-and-long-logflare-key-public +LOGFLARE_PRIVATE_ACCESS_TOKEN=your-super-secret-and-long-logflare-key-private + +# Access to Storage via S3 protocol endpoint (see below) +S3_PROTOCOL_ACCESS_KEY_ID=625729a08b95bf1b7ff351a663f3a23c +S3_PROTOCOL_ACCESS_KEY_SECRET=850181e4652dd023b7a98c58ae0d2d34bd487ee0cc3254aed6eda37307425907 + ############ -# Database - You can change these to any PostgreSQL database that has logical replication enabled. +# URLs - Configure hostnames below to reflect your actual domain name ############ +# Access to Dashboard and REST API +SUPABASE_PUBLIC_URL=http://localhost:8000 + +# Full external URL of the Auth service, used to construct OAuth callbacks, +# SAML endpoints, and email links +API_EXTERNAL_URL=http://localhost:8000 + +# See also the Auth section below for Site URL and Redirect URLs configuration + + +############ +# Database - Postgres configuration +############ + +# Using default user (postgres) POSTGRES_HOST=db POSTGRES_DB=postgres + +# Default configuration includes Supavisor exposing POSTGRES_PORT +# Postgres uses POSTGRES_PORT inside the container +# Documentation: +# https://supabase.com/docs/guides/self-hosting/docker#accessing-postgres-through-supavisor POSTGRES_PORT=5432 -# default user is postgres ############ -# Supavisor -- Database pooler +# Supavisor - Database pooler ############ -# Port Supavisor listens on for transaction pooling connections + +# Supavisor exposes POSTGRES_PORT and POOLER_PROXY_PORT_TRANSACTION, +# POSTGRES_PORT is used for session mode pooling +# +# Port to use for transaction mode pooling connections POOLER_PROXY_PORT_TRANSACTION=6543 + # Maximum number of PostgreSQL connections Supavisor opens per pool POOLER_DEFAULT_POOL_SIZE=20 + # Maximum number of client connections Supavisor accepts per pool POOLER_MAX_CLIENT_CONN=100 -# Unique tenant identifier + +# Unique Supavisor tenant identifier +# Documentation: +# https://supabase.com/docs/guides/self-hosting/docker#accessing-postgres POOLER_TENANT_ID=your-tenant-id + # Pool size for internal metadata storage used by Supavisor # This is separate from client connections and used only by Supavisor itself POOLER_DB_POOL_SIZE=5 ############ -# API Proxy - Configuration for the Kong Reverse proxy. +# Studio - Configuration for the Dashboard ############ -KONG_HTTP_PORT=8000 -KONG_HTTPS_PORT=8443 +STUDIO_DEFAULT_ORGANIZATION=Default Organization +STUDIO_DEFAULT_PROJECT=Default Project + +# Add your OpenAI API key to enable AI Assistant +OPENAI_API_KEY=sk-proj-xxxxxxxx ############ -# API - Configuration for PostgREST. +# Auth - Configuration for the authentication server ############ -PGRST_DB_SCHEMAS=public,storage,graphql_public +## General settings - -############ -# Auth - Configuration for the GoTrue authentication server. -############ - -## General +# Equivalent to "Site URL" and "Redirect URLs" platform configuration options +# Documentation: https://supabase.com/docs/guides/auth/redirect-urls SITE_URL=https://$(PRIMARY_DOMAIN) ADDITIONAL_REDIRECT_URLS= + JWT_EXPIRY=3600 DISABLE_SIGNUP=false -API_EXTERNAL_URL=http://localhost:8000 ## Mailer Config MAILER_URLPATHS_CONFIRMATION="/auth/v1/verify" @@ -87,40 +143,107 @@ ENABLE_ANONYMOUS_USERS=false ENABLE_PHONE_SIGNUP=true ENABLE_PHONE_AUTOCONFIRM=true +## OAuth / Social login providers -############ -# Studio - Configuration for the Dashboard -############ +# Uncomment and fill in the providers you want to enable. +# You must ALSO uncomment the matching GOTRUE_EXTERNAL_* lines in docker-compose.yml. +# Documentation: https://supabase.com/docs/guides/self-hosting/self-hosted-oauth +# GOOGLE_ENABLED=false +# GOOGLE_CLIENT_ID= +# GOOGLE_SECRET= -STUDIO_DEFAULT_ORGANIZATION=Default Organization -STUDIO_DEFAULT_PROJECT=Default Project +# GITHUB_ENABLED=false +# GITHUB_CLIENT_ID= +# GITHUB_SECRET= -# replace if you intend to use Studio outside of localhost -SUPABASE_PUBLIC_URL=http://localhost:8000 +# AZURE_ENABLED=false +# AZURE_CLIENT_ID= +# AZURE_SECRET= -# Enable webp support -IMGPROXY_ENABLE_WEBP_DETECTION=true +# Phone / SMS provider configuration +# Uncomment to configure SMS delivery for phone auth and phone MFA. +# You must ALSO uncomment the matching GOTRUE_SMS_* lines in docker-compose.yml. +# Documentation: https://supabase.com/docs/guides/self-hosting/self-hosted-phone-mfa +# SMS_PROVIDER=twilio +# SMS_OTP_EXP=60 +# SMS_OTP_LENGTH=6 +# SMS_MAX_FREQUENCY=60s +# SMS_TEMPLATE=Your code is {{ .Code }} -# Add your OpenAI API key to enable SQL Editor Assistant -OPENAI_API_KEY= +# SMS_TWILIO_ACCOUNT_SID= +# SMS_TWILIO_AUTH_TOKEN= +# SMS_TWILIO_MESSAGE_SERVICE_SID= + +# Test OTP: map phone numbers to fixed OTP codes for development +# Format: phone1:code1,phone2:code2 +# SMS_TEST_OTP= + +# Multi-factor authentication (MFA) +# Uncomment to change MFA defaults. +# You must ALSO uncomment the matching GOTRUE_MFA_* lines in docker-compose.yml. + +# App Authenticator (TOTP) - enabled by default +# MFA_TOTP_ENROLL_ENABLED=true +# MFA_TOTP_VERIFY_ENABLED=true + +# Phone MFA - disabled by default (opt-in) +# MFA_PHONE_ENROLL_ENABLED=false +# MFA_PHONE_VERIFY_ENABLED=false + +## Maximum MFA factors a user can enroll +# MFA_MAX_ENROLLED_FACTORS=10 ############ -# Functions - Configuration for Functions +# Storage - Configuration for Storage ############ -# NOTE: VERIFY_JWT applies to all functions. Per-function VERIFY_JWT is not supported yet. + +# Check the S3_PROTOCOL_ACCESS_KEY_ID/SECRET above, and +# refer to the documentation at: +# https://supabase.com/docs/guides/self-hosting/self-hosted-s3 +# to learn how to configure the S3 protocol endpoint + +# S3 bucket when using S3 backend, directory name when using 'file' +GLOBAL_S3_BUCKET=stub + +# Used for S3 protocol endpoint configuration +REGION=stub + +# Used by MinIO when added via: +# docker compose -f docker-compose.yml -f docker-compose.s3.yml up -d +MINIO_ROOT_USER=supa-storage +MINIO_ROOT_PASSWORD=secret1234 + +# Equivalent to project_ref as described here: +# https://supabase.com/docs/guides/storage/s3/authentication#session-token +STORAGE_TENANT_ID=stub + + +############ +# Functions - Configuration for Edge functions +############ + +# Documentation: +# https://supabase.com/docs/guides/self-hosting/self-hosted-functions + +# NOTE: VERIFY_JWT applies to all functions FUNCTIONS_VERIFY_JWT=false ############ -# Logs - Configuration for Analytics -# Please refer to https://supabase.com/docs/reference/self-hosting-analytics/introduction +# API - Configuration for PostgREST ############ -# Change vector.toml sinks to reflect this change -# these cannot be the same value -LOGFLARE_PUBLIC_ACCESS_TOKEN=your-super-secret-and-long-logflare-key-public -LOGFLARE_PRIVATE_ACCESS_TOKEN=your-super-secret-and-long-logflare-key-private +# Postgres schemas exposed via the REST API +PGRST_DB_SCHEMAS=public,storage,graphql_public + + +############ +# Analytics - Configuration for Logflare +############ + +# Check the LOGFLARE_* access token configuration above. +# If Logflare is externally exposed, configure securely! # Docker socket location - this value will differ depending on your OS DOCKER_SOCKET_LOCATION=/var/run/docker.sock @@ -128,3 +251,38 @@ DOCKER_SOCKET_LOCATION=/var/run/docker.sock # Google Cloud Project details GOOGLE_PROJECT_ID=GOOGLE_PROJECT_ID GOOGLE_PROJECT_NUMBER=GOOGLE_PROJECT_NUMBER + + +############ +# API Proxy - Configuration for the Kong API gateway +############ + +KONG_HTTP_PORT=8000 +KONG_HTTPS_PORT=8443 + + +############ +# imgproxy +############ + +# Enable webp support +IMGPROXY_ENABLE_WEBP_DETECTION=true + + +############ +# TLS Proxy - Optional Caddy or Nginx reverse proxy with Let's Encrypt +############ + +# Documentation: +# https://supabase.com/docs/guides/self-hosting/self-hosted-proxy-https + +# Usage: +# docker compose -f docker-compose.yml -f docker-compose.caddy.yml up -d +# docker compose -f docker-compose.yml -f docker-compose.nginx.yml up -d + +# Domain name for the proxy (must point to your server) +PROXY_DOMAIN=your-domain.example.com + +# Email for Let's Encrypt certificate notifications (nginx only, Caddy uses PROXY_DOMAIN). +# This should be a valid email, not a placehoder (otherwise Certbot may fail to start). +CERTBOT_EMAIL=admin@example.com diff --git a/supabase/code/CHANGELOG.md b/supabase/code/CHANGELOG.md index 9e6cf88..e2fc449 100644 --- a/supabase/code/CHANGELOG.md +++ b/supabase/code/CHANGELOG.md @@ -15,6 +15,117 @@ Check updates for each service to learn more. --- +## [2026-02-18] + +### Storage +- Updated `supabase/storage-api` to `v1.37.8` in `docker-compose.s3.yml` +- Changed MinIO image in `docker-compose.s3.yml` to use Chainguard [minio](https://images.chainguard.dev/directory/image/minio/overview) and [minio-client](https://images.chainguard.dev/directory/image/minio-client/overview) (requires `docker-compose.s3.yml` update) - PR [#42942](https://github.com/supabase/supabase/pull/42942) +- Removed `imgproxy` service from `docker-compose.s3.yml` to minimize redundancy - PR [#42942](https://github.com/supabase/supabase/pull/42942) +- Fixed inconsistent `storage` service entry ordering in `docker-compose.yml` and `docker-compose.s3.yml` to improve diff readability (requires `docker-compose.yml` and `docker-compose.s3.yml` update) - PR [#42942](https://github.com/supabase/supabase/pull/42942) + +### Edge Runtime + +- Added a `deno-cache` named volume to to avoid re-downloading dependencies (requires `docker-compose.yml` and `volumes/functions/*` update) - PR [#40822](https://github.com/supabase/supabase/pull/40822) + +--- + +## [2026-02-16] + +⚠️ **Note:** This update includes several breaking changes, including a security fix for Analytics. Please check the details below. The following configuration files have been updated: `docker-compose.yml`, `.env.example`, `docker-compose.s3.yml`, `volumes/api/kong.yml`, and `volumes/logs/vector.yml`. + +### Studio +- Updated to `2026.02.16-sha-26c615c` +- Added Edge Functions management UI (requires `docker-compose.yml` update) - PR [#40690](https://github.com/supabase/supabase/pull/40690), PR [#42322](https://github.com/supabase/supabase/pull/42322), PR [#42349](https://github.com/supabase/supabase/pull/42349), PR [#42350](https://github.com/supabase/supabase/pull/42350) + +### MCP Server +- Updated to `v0.6.3` - [Release](https://github.com/supabase-community/supabase-mcp/releases/tag/v0.6.3) + +### Auth + +- Updated to `v2.186.0` - [Changelog](https://github.com/supabase/auth/blob/master/CHANGELOG.md) | [Release](https://github.com/supabase/auth/releases/tag/v2.186.0) + +### PostgREST + +- Updated to `v14.5` - [Changelog](https://github.com/PostgREST/postgrest/blob/main/CHANGELOG.md) | [Release](https://github.com/PostgREST/postgrest/releases/tag/v14.5) + +### Realtime + +- Updated to `v2.76.5` - [Release](https://github.com/supabase/realtime/releases/tag/v2.76.5) + +### Storage + +- Updated to `v1.37.8` - [Release](https://github.com/supabase/storage/releases/tag/v1.37.8) +- ⚠️ Added configuration to access buckets via `/storage/v1/s3` endpoint (requires `docker-compose.s3.yml` update) - PR [#37185](https://github.com/supabase/supabase/pull/37185) +- ⚠️ Changed environment variable configuration for Storage (requires `docker-compose.yml`, `.env.example` and `.env` update) - PR [#37185](https://github.com/supabase/supabase/pull/37185), PR [#42862](https://github.com/supabase/supabase/pull/42862) + +### Edge Runtime + +- Updated to `v1.70.3` - [Release](https://github.com/supabase/edge-runtime/releases/tag/v1.70.3) + +### Analytics (Logflare) + +- Updated to `v1.31.2` - [Release](https://github.com/Logflare/logflare/releases/tag/v1.31.2) +- ⚠️ Changed default configuration to disable Logflare on `0.0.0.0:4000` to prevent access to `/dashboard` (requires `docker-compose.yml` update). Read more in "Production Recommendations" section of Logflare [documentation](https://supabase.com/docs/reference/self-hosting-analytics/introduction) - PR [#42857](https://github.com/supabase/supabase/pull/42857) +- ⚠️ Changed Kong routes to not include `/analytics/v1` by default (requires `/volumes/api/kong.yml` update) - PR [#42857](https://github.com/supabase/supabase/pull/42857) + +### Vector + +- Updated to `0.53.0-alpine` - [Changelog](https://vector.dev/releases/0.53.0/) | [Release](https://github.com/vectordotdev/vector/releases/tag/v0.53.0) +- ⚠️ Major version jump from `0.28.1` (requires `volumes/logs/vector.yml` update) - PR [#42525](https://github.com/supabase/supabase/pull/42525) +- ⚠️ Changed Postgres sink configuration to bypass Kong (requires `volumes/logs/vector.yml` update) - PR [#42857](https://github.com/supabase/supabase/pull/42857) +- ⚠️ Changed retry settings for all sinks to increase timeouts (requires `volumes/logs/vector.yml` update) - PR [#42857](https://github.com/supabase/supabase/pull/42857) + +--- + +## [2026-02-05] + +### Storage +- Updated to `v1.37.1` - [Release](https://github.com/supabase/storage/releases/tag/v1.37.1) +- Fixed an issue with Storage not starting because of an issue with migrations - PR [storage#845](https://github.com/supabase/storage/pull/845) + +--- + +## [2026-01-27] + +### Studio +- Updated to `2026.01.27-sha-6aa59ff` +- Added SQL snippets (requires `docker-compose.yml` update) - PR [#41112](https://github.com/supabase/supabase/pull/41112), PR [#41557](https://github.com/supabase/supabase/pull/41557) +- Fixed type generator - PR [#40481](https://github.com/supabase/supabase/pull/40481) +- Fixed minor UI discrepancies - PR [#40579](https://github.com/supabase/supabase/pull/40579), PR [#41936](https://github.com/supabase/supabase/pull/41936), PR [#41970](https://github.com/supabase/supabase/pull/41970), PR [#41971](https://github.com/supabase/supabase/pull/41971), PR [#41972](https://github.com/supabase/supabase/pull/41972), PR [#42015](https://github.com/supabase/supabase/pull/42015) + +### Auth +- Updated to `v2.185.0` - [Changelog](https://github.com/supabase/auth/blob/master/CHANGELOG.md) | [Release](https://github.com/supabase/auth/releases/tag/v2.185.0) +- ⚠️ Fixed security related issues + +### PostgREST +- Updated to `v14.3` - [Changelog](https://github.com/PostgREST/postgrest/blob/main/CHANGELOG.md) | [Release](https://github.com/PostgREST/postgrest/releases/tag/v14.3) + +### Realtime +- Updated to `v2.72.0` - [Release](https://github.com/supabase/realtime/releases/tag/v2.72.0) +- Changed healthchecks logging to off by default (requires `docker-compose.yml` update) - PR [realtime#1677](https://github.com/supabase/realtime/pull/1677), PR [#42156](https://github.com/supabase/supabase/pull/42156) +- Changed logging configuration and healthcheck frequency to reduce log volume (requires `docker-compose.yml` update) - PR [#42112](https://github.com/supabase/supabase/pull/42112) + +### Storage +- Updated to `v1.33.5` - [Release](https://github.com/supabase/storage/releases/tag/v1.33.5) + +### imgproxy +- Updated to `v3.30.1` - [Changelog](https://github.com/imgproxy/imgproxy/blob/master/CHANGELOG.md) | [Release](https://github.com/imgproxy/imgproxy/releases/tag/v3.30.1) + +### Postgres Meta +- Updated to `v0.95.2` - [Release](https://github.com/supabase/postgres-meta/releases/tag/v0.95.2) + +### Edge Runtime +- Updated to `v1.70.0` - [Release](https://github.com/supabase/edge-runtime/releases/tag/v1.70.0) + +### Analytics (Logflare) +- Updated to `v1.30.3` - [Release](https://github.com/Logflare/logflare/releases/tag/v1.30.3) + +### Postgres +- No image update +- Fixed Postgres logging configuration (requires `volumes/logs/vector.yml` update) - PR [#41800](https://github.com/supabase/supabase/pull/41800) + +--- + ## [2025-12-18] ### Documentation @@ -27,7 +138,7 @@ Check updates for each service to learn more. ### Studio - Updated to `2025.12.17-sha-43f4f7f` -- ⚠️ Fixed additional potential issues related to [React2Shell](https://vercel.com/kb/bulletin/react2shell) +- ⚠️ Fixed additional issues related to [React2Shell](https://vercel.com/kb/bulletin/react2shell) - Fixed an issue with the Users page not being updated on changes - PR [#41254](https://github.com/supabase/supabase/pull/41254) ### MCP Server @@ -50,7 +161,7 @@ Check updates for each service to learn more. ### Studio - Updated to `2025.12.09-sha-434634f` -- ⚠️ Fixed potential issues related to [React2Shell](https://vercel.com/kb/bulletin/react2shell) +- ⚠️ Fixed security issues related to [React2Shell](https://vercel.com/kb/bulletin/react2shell) ### MCP Server diff --git a/supabase/code/docker-compose.caddy.yml b/supabase/code/docker-compose.caddy.yml new file mode 100644 index 0000000..b31ee8d --- /dev/null +++ b/supabase/code/docker-compose.caddy.yml @@ -0,0 +1,34 @@ +services: + + kong: + ports: !reset [] + + caddy: + container_name: supabase-caddy + image: caddy:2 + restart: unless-stopped + ports: + - "80:80" + - "443:443" + - "443:443/udp" + depends_on: + kong: + condition: service_healthy + environment: + PROXY_DOMAIN: ${PROXY_DOMAIN} + PROXY_AUTH_USERNAME: ${DASHBOARD_USERNAME} + PROXY_AUTH_PASSWORD: ${DASHBOARD_PASSWORD} + command: + - /bin/sh + - -c + - | + PROXY_AUTH_PASSWORD=$$(caddy hash-password --plaintext "$$PROXY_AUTH_PASSWORD") && \ + caddy run --config /etc/caddy/Caddyfile --adapter caddyfile + volumes: + - ./volumes/proxy/caddy:/etc/caddy + - caddy_data:/data + - caddy_config:/config + +volumes: + caddy_data: + caddy_config: diff --git a/supabase/code/docker-compose.nginx.yml b/supabase/code/docker-compose.nginx.yml new file mode 100644 index 0000000..e693a86 --- /dev/null +++ b/supabase/code/docker-compose.nginx.yml @@ -0,0 +1,33 @@ +services: + + kong: + ports: !reset [] + + nginx: + container_name: supabase-nginx + image: jonasal/nginx-certbot:6.0.1-nginx1.29.5 + restart: unless-stopped + ports: + - "80:80" + - "443:443" + depends_on: + kong: + condition: service_healthy + environment: + PROXY_DOMAIN: ${PROXY_DOMAIN} + CERTBOT_EMAIL: ${CERTBOT_EMAIL} + PROXY_AUTH_USERNAME: ${DASHBOARD_USERNAME} + PROXY_AUTH_PASSWORD: ${DASHBOARD_PASSWORD} + command: + - /bin/bash + - -c + - | + printf '%s:%s\n' "$${PROXY_AUTH_USERNAME}" "$$(openssl passwd -apr1 "$${PROXY_AUTH_PASSWORD}")" > /etc/nginx/user_conf.d/dashboard-passwd && \ + envsubst '$${PROXY_DOMAIN}' < /etc/nginx/supabase-nginx.conf.tpl > /etc/nginx/user_conf.d/nginx.conf && \ + /scripts/start_nginx_certbot.sh + volumes: + - ./volumes/proxy/nginx/supabase-nginx.conf.tpl:/etc/nginx/supabase-nginx.conf.tpl:ro + - nginx_letsencrypt:/etc/letsencrypt + +volumes: + nginx_letsencrypt: diff --git a/supabase/code/docker-compose.s3.yml b/supabase/code/docker-compose.s3.yml index 043691a..cb3e25c 100644 --- a/supabase/code/docker-compose.s3.yml +++ b/supabase/code/docker-compose.s3.yml @@ -1,16 +1,16 @@ services: minio: - image: minio/minio - ports: - - '9000:9000' - - '9001:9001' + image: cgr.dev/chainguard/minio + #ports: + # - '9000:9000' + # - '9001:9001' environment: - MINIO_ROOT_USER: supa-storage - MINIO_ROOT_PASSWORD: secret1234 + MINIO_ROOT_USER: ${MINIO_ROOT_USER} + MINIO_ROOT_PASSWORD: ${MINIO_ROOT_PASSWORD} command: server --console-address ":9001" /data healthcheck: - test: [ "CMD", "curl", "-f", "http://minio:9000/minio/health/live" ] + test: [ "CMD", "mc", "ready", "local" ] interval: 2s timeout: 10s retries: 5 @@ -18,20 +18,20 @@ services: - ./volumes/storage:/data:z minio-createbucket: - image: minio/mc + image: cgr.dev/chainguard/minio-client:latest-dev depends_on: minio: condition: service_healthy entrypoint: > - /bin/sh -c " - /usr/bin/mc alias set supa-minio http://minio:9000 supa-storage secret1234; - /usr/bin/mc mb supa-minio/stub; - exit 0; + /bin/sh -ec " + mc alias set supa-minio http://minio:9000 ${MINIO_ROOT_USER} ${MINIO_ROOT_PASSWORD} && + mc mb --ignore-existing supa-minio/${GLOBAL_S3_BUCKET} " storage: container_name: supabase-storage - image: supabase/storage-api:v1.11.13 + image: supabase/storage-api:v1.37.8 + restart: unless-stopped depends_on: db: # Disable this if you are using an external Postgres database @@ -40,6 +40,8 @@ services: condition: service_started imgproxy: condition: service_started + minio-createbucket: + condition: service_completed_successfully minio: condition: service_healthy healthcheck: @@ -50,45 +52,36 @@ services: "--no-verbose", "--tries=1", "--spider", - "http://localhost:5000/status" + "http://storage:5000/status" ] timeout: 5s interval: 5s retries: 3 - restart: unless-stopped environment: ANON_KEY: ${ANON_KEY} SERVICE_KEY: ${SERVICE_ROLE_KEY} POSTGREST_URL: http://rest:3000 PGRST_JWT_SECRET: ${JWT_SECRET} DATABASE_URL: postgres://supabase_storage_admin:${POSTGRES_PASSWORD}@${POSTGRES_HOST}:${POSTGRES_PORT}/${POSTGRES_DB} + REQUEST_ALLOW_X_FORWARDED_PATH: "true" FILE_SIZE_LIMIT: 52428800 STORAGE_BACKEND: s3 - GLOBAL_S3_BUCKET: stub + # S3 bucket when using S3 backend, directory name when using 'file' + GLOBAL_S3_BUCKET: ${GLOBAL_S3_BUCKET} + # S3 Backend configuration GLOBAL_S3_ENDPOINT: http://minio:9000 GLOBAL_S3_PROTOCOL: http GLOBAL_S3_FORCE_PATH_STYLE: true - AWS_ACCESS_KEY_ID: supa-storage - AWS_SECRET_ACCESS_KEY: secret1234 - AWS_DEFAULT_REGION: stub - FILE_STORAGE_BACKEND_PATH: /var/lib/storage - TENANT_ID: stub + AWS_ACCESS_KEY_ID: ${MINIO_ROOT_USER} + AWS_SECRET_ACCESS_KEY: ${MINIO_ROOT_PASSWORD} + #FILE_STORAGE_BACKEND_PATH: /var/lib/storage + TENANT_ID: ${STORAGE_TENANT_ID} # TODO: https://github.com/supabase/storage-api/issues/55 - REGION: stub + REGION: ${REGION} ENABLE_IMAGE_TRANSFORMATION: "true" IMGPROXY_URL: http://imgproxy:5001 - volumes: - - ./volumes/storage:/var/lib/storage:z - - imgproxy: - container_name: supabase-imgproxy - image: darthsim/imgproxy:v3.8.0 - healthcheck: - test: [ "CMD", "imgproxy", "health" ] - timeout: 5s - interval: 5s - retries: 3 - environment: - IMGPROXY_BIND: ":5001" - IMGPROXY_USE_ETAG: "true" - IMGPROXY_ENABLE_WEBP_DETECTION: ${IMGPROXY_ENABLE_WEBP_DETECTION} + # S3 protocol endpoint configuration + S3_PROTOCOL_ACCESS_KEY_ID: ${S3_PROTOCOL_ACCESS_KEY_ID} + S3_PROTOCOL_ACCESS_KEY_SECRET: ${S3_PROTOCOL_ACCESS_KEY_SECRET} + #volumes: + # - ./volumes/storage:/var/lib/storage:z diff --git a/supabase/code/docker-compose.yml b/supabase/code/docker-compose.yml index e493619..e5fbe1a 100644 --- a/supabase/code/docker-compose.yml +++ b/supabase/code/docker-compose.yml @@ -10,7 +10,7 @@ name: supabase services: studio: - image: supabase/studio:2025.12.17-sha-43f4f7f + image: supabase/studio:2026.02.16-sha-26c615c restart: unless-stopped healthcheck: test: @@ -59,6 +59,11 @@ services: NEXT_ANALYTICS_BACKEND_PROVIDER: postgres # Uncomment to use Big Query backend for analytics # NEXT_ANALYTICS_BACKEND_PROVIDER: bigquery + SNIPPETS_MANAGEMENT_FOLDER: /app/snippets + EDGE_FUNCTIONS_MANAGEMENT_FOLDER: /app/edge-functions + volumes: + - ./volumes/snippets:/app/snippets:Z + - ./volumes/functions:/app/edge-functions:Z kong: image: kong:2.8.1 @@ -66,6 +71,8 @@ services: volumes: # https://github.com/supabase/supabase/issues/12661 - ./volumes/api/kong.yml:/home/kong/temp.yml:ro,z + #- ./volumes/api/server.crt:/home/kong/server.crt:ro + #- ./volumes/api/server.key:/home/kong/server.key:ro depends_on: analytics: condition: service_healthy @@ -77,6 +84,8 @@ services: KONG_PLUGINS: request-transformer,cors,key-auth,acl,basic-auth,request-termination,ip-restriction KONG_NGINX_PROXY_PROXY_BUFFER_SIZE: 160k KONG_NGINX_PROXY_PROXY_BUFFERS: 64 160k + #KONG_SSL_CERT: /home/kong/server.crt + #KONG_SSL_CERT_KEY: /home/kong/server.key SUPABASE_ANON_KEY: ${ANON_KEY} SUPABASE_SERVICE_KEY: ${SERVICE_ROLE_KEY} DASHBOARD_USERNAME: ${DASHBOARD_USERNAME} @@ -86,7 +95,7 @@ services: /docker-entrypoint.sh kong docker-start' auth: - image: supabase/gotrue:v2.184.0 + image: supabase/gotrue:v2.186.0 restart: unless-stopped healthcheck: test: @@ -147,7 +156,47 @@ services: GOTRUE_EXTERNAL_PHONE_ENABLED: ${ENABLE_PHONE_SIGNUP} GOTRUE_SMS_AUTOCONFIRM: ${ENABLE_PHONE_AUTOCONFIRM} - # Uncomment to enable custom access token hook. Please see: https://supabase.com/docs/guides/auth/auth-hooks for full list of hooks and additional details about custom_access_token_hook + # Uncomment to enable OAuth / social login providers. + # GOTRUE_EXTERNAL_GOOGLE_ENABLED: ${GOOGLE_ENABLED} + # GOTRUE_EXTERNAL_GOOGLE_CLIENT_ID: ${GOOGLE_CLIENT_ID} + # GOTRUE_EXTERNAL_GOOGLE_SECRET: ${GOOGLE_SECRET} + # GOTRUE_EXTERNAL_GOOGLE_REDIRECT_URI: ${API_EXTERNAL_URL}/auth/v1/callback + + # GOTRUE_EXTERNAL_GITHUB_ENABLED: ${GITHUB_ENABLED} + # GOTRUE_EXTERNAL_GITHUB_CLIENT_ID: ${GITHUB_CLIENT_ID} + # GOTRUE_EXTERNAL_GITHUB_SECRET: ${GITHUB_SECRET} + # GOTRUE_EXTERNAL_GITHUB_REDIRECT_URI: ${API_EXTERNAL_URL}/auth/v1/callback + + # GOTRUE_EXTERNAL_AZURE_ENABLED: ${AZURE_ENABLED} + # GOTRUE_EXTERNAL_AZURE_CLIENT_ID: ${AZURE_CLIENT_ID} + # GOTRUE_EXTERNAL_AZURE_SECRET: ${AZURE_SECRET} + # GOTRUE_EXTERNAL_AZURE_REDIRECT_URI: ${API_EXTERNAL_URL}/auth/v1/callback + + # Uncomment to configure SMS delivery (phone auth and phone MFA). + # GOTRUE_SMS_PROVIDER: ${SMS_PROVIDER} + # GOTRUE_SMS_OTP_EXP: ${SMS_OTP_EXP} + # GOTRUE_SMS_OTP_LENGTH: ${SMS_OTP_LENGTH} + # GOTRUE_SMS_MAX_FREQUENCY: ${SMS_MAX_FREQUENCY} + # GOTRUE_SMS_TEMPLATE: ${SMS_TEMPLATE} + + # Twilio credentials (when SMS_PROVIDER=twilio) + # GOTRUE_SMS_TWILIO_ACCOUNT_SID: ${SMS_TWILIO_ACCOUNT_SID} + # GOTRUE_SMS_TWILIO_AUTH_TOKEN: ${SMS_TWILIO_AUTH_TOKEN} + # GOTRUE_SMS_TWILIO_MESSAGE_SERVICE_SID: ${SMS_TWILIO_MESSAGE_SERVICE_SID} + + # Test OTP mappings for development + # GOTRUE_SMS_TEST_OTP: ${SMS_TEST_OTP} + + # Uncomment to configure multi-factor authentication (MFA). + # GOTRUE_MFA_TOTP_ENROLL_ENABLED: ${MFA_TOTP_ENROLL_ENABLED} + # GOTRUE_MFA_TOTP_VERIFY_ENABLED: ${MFA_TOTP_VERIFY_ENABLED} + # GOTRUE_MFA_PHONE_ENROLL_ENABLED: ${MFA_PHONE_ENROLL_ENABLED} + # GOTRUE_MFA_PHONE_VERIFY_ENABLED: ${MFA_PHONE_VERIFY_ENABLED} + # GOTRUE_MFA_MAX_ENROLLED_FACTORS: ${MFA_MAX_ENROLLED_FACTORS} + + # Uncomment to enable custom access token hook. + # See: https://supabase.com/docs/guides/auth/auth-hooks for + # full list of hooks and additional details about custom_access_token_hook # GOTRUE_HOOK_CUSTOM_ACCESS_TOKEN_ENABLED: "true" # GOTRUE_HOOK_CUSTOM_ACCESS_TOKEN_URI: "pg-functions://postgres/public/custom_access_token_hook" @@ -168,7 +217,7 @@ services: # GOTRUE_HOOK_SEND_EMAIL_SECRETS: "v1,whsec_VGhpcyBpcyBhbiBleGFtcGxlIG9mIGEgc2hvcnRlciBCYXNlNjQgc3RyaW5n" rest: - image: postgrest/postgrest:v14.1 + image: postgrest/postgrest:v14.5 restart: unless-stopped depends_on: db: @@ -188,7 +237,7 @@ services: realtime: # This container name looks inconsistent but is correct because realtime constructs tenant id by parsing the subdomain - image: supabase/realtime:v2.68.0 + image: supabase/realtime:v2.76.5 restart: unless-stopped depends_on: db: @@ -204,8 +253,9 @@ services: ${ANON_KEY}\" http://localhost:4000/api/tenants/realtime-dev/health" ] timeout: 5s - interval: 5s + interval: 30s retries: 3 + start_period: 10s environment: PORT: 4000 DB_HOST: ${POSTGRES_HOST} @@ -223,13 +273,20 @@ services: APP_NAME: realtime SEED_SELF_HOST: "true" RUN_JANITOR: "true" + DISABLE_HEALTHCHECK_LOGGING: "true" # To use S3 backed storage: docker compose -f docker-compose.yml -f docker-compose.s3.yml up storage: - image: supabase/storage-api:v1.33.0 + image: supabase/storage-api:v1.37.8 restart: unless-stopped - volumes: - - ./volumes/storage:/var/lib/storage:z + depends_on: + db: + # Disable this if you are using an external Postgres database + condition: service_healthy + rest: + condition: service_started + imgproxy: + condition: service_started healthcheck: test: [ @@ -243,14 +300,6 @@ services: timeout: 5s interval: 5s retries: 3 - depends_on: - db: - # Disable this if you are using an external Postgres database - condition: service_healthy - rest: - condition: service_started - imgproxy: - condition: service_started environment: ANON_KEY: ${ANON_KEY} SERVICE_KEY: ${SERVICE_ROLE_KEY} @@ -260,16 +309,28 @@ services: REQUEST_ALLOW_X_FORWARDED_PATH: "true" FILE_SIZE_LIMIT: 52428800 STORAGE_BACKEND: file + # S3 bucket when using S3 backend, directory name when using 'file' + GLOBAL_S3_BUCKET: ${GLOBAL_S3_BUCKET} + # S3 Backend configuration + #GLOBAL_S3_ENDPOINT: https://your-s3-endpoint + #GLOBAL_S3_PROTOCOL: https + #GLOBAL_S3_FORCE_PATH_STYLE: true + #AWS_ACCESS_KEY_ID: your-access-key-id + #AWS_SECRET_ACCESS_KEY: your-secret-access-key FILE_STORAGE_BACKEND_PATH: /var/lib/storage - TENANT_ID: stub + TENANT_ID: ${STORAGE_TENANT_ID} # TODO: https://github.com/supabase/storage-api/issues/55 - REGION: stub - GLOBAL_S3_BUCKET: stub + REGION: ${REGION} ENABLE_IMAGE_TRANSFORMATION: "true" IMGPROXY_URL: http://imgproxy:5001 + # S3 protocol endpoint configuration + S3_PROTOCOL_ACCESS_KEY_ID: ${S3_PROTOCOL_ACCESS_KEY_ID} + S3_PROTOCOL_ACCESS_KEY_SECRET: ${S3_PROTOCOL_ACCESS_KEY_SECRET} + volumes: + - ./volumes/storage:/var/lib/storage:z imgproxy: - image: darthsim/imgproxy:v3.8.0 + image: darthsim/imgproxy:v3.30.1 restart: unless-stopped volumes: - ./volumes/storage:/var/lib/storage:z @@ -283,9 +344,10 @@ services: IMGPROXY_LOCAL_FILESYSTEM_ROOT: / IMGPROXY_USE_ETAG: "true" IMGPROXY_ENABLE_WEBP_DETECTION: ${IMGPROXY_ENABLE_WEBP_DETECTION} + IMGPROXY_MAX_SRC_RESOLUTION: 16.8 meta: - image: supabase/postgres-meta:v0.95.1 + image: supabase/postgres-meta:v0.95.2 restart: unless-stopped depends_on: db: @@ -303,16 +365,18 @@ services: CRYPTO_KEY: ${PG_META_CRYPTO_KEY} functions: - image: supabase/edge-runtime:v1.69.28 + image: supabase/edge-runtime:v1.70.3 restart: unless-stopped volumes: - ./volumes/functions:/home/deno/functions:Z + - deno-cache:/root/.cache/deno depends_on: analytics: condition: service_healthy environment: JWT_SECRET: ${JWT_SECRET} SUPABASE_URL: http://kong:8000 + SUPABASE_PUBLIC_URL: ${SUPABASE_PUBLIC_URL} SUPABASE_ANON_KEY: ${ANON_KEY} SUPABASE_SERVICE_ROLE_KEY: ${SERVICE_ROLE_KEY} SUPABASE_DB_URL: postgresql://postgres:${POSTGRES_PASSWORD}@${POSTGRES_HOST}:${POSTGRES_PORT}/${POSTGRES_DB} @@ -321,8 +385,10 @@ services: command: [ "start", "--main-service", "/home/deno/functions/main" ] analytics: - image: supabase/logflare:1.27.0 + image: supabase/logflare:1.31.2 restart: unless-stopped + # ports: + # - 4000:4000 # Uncomment to use Big Query backend for analytics # volumes: # - type: bind @@ -409,7 +475,7 @@ services: ] vector: - image: timberio/vector:0.28.1-alpine + image: timberio/vector:0.53.0-alpine restart: unless-stopped volumes: - ./volumes/logs/vector.yml:/etc/vector/vector.yml:ro,z @@ -486,3 +552,4 @@ services: volumes: db-config: + deno-cache: diff --git a/supabase/code/utils/generate-keys.sh b/supabase/code/utils/generate-keys.sh index e67c695..d9a1639 100644 --- a/supabase/code/utils/generate-keys.sh +++ b/supabase/code/utils/generate-keys.sh @@ -60,6 +60,8 @@ logflare_private_access_token=$(gen_base64 24) s3_protocol_access_key_id=$(gen_hex 16) s3_protocol_access_key_secret=$(gen_hex 32) +minio_root_password=$(gen_hex 16) + echo "" echo "JWT_SECRET=${jwt_secret}" echo "" @@ -75,6 +77,7 @@ echo "LOGFLARE_PUBLIC_ACCESS_TOKEN=${logflare_public_access_token}" echo "LOGFLARE_PRIVATE_ACCESS_TOKEN=${logflare_private_access_token}" echo "S3_PROTOCOL_ACCESS_KEY_ID=${s3_protocol_access_key_id}" echo "S3_PROTOCOL_ACCESS_KEY_SECRET=${s3_protocol_access_key_secret}" +echo "MINIO_ROOT_PASSWORD=${minio_root_password}" echo "" postgres_password=$(gen_hex 16) @@ -114,6 +117,7 @@ sed \ -e "s|^LOGFLARE_PRIVATE_ACCESS_TOKEN=.*$|LOGFLARE_PRIVATE_ACCESS_TOKEN=${logflare_private_access_token}|" \ -e "s|^S3_PROTOCOL_ACCESS_KEY_ID=.*$|S3_PROTOCOL_ACCESS_KEY_ID=${s3_protocol_access_key_id}|" \ -e "s|^S3_PROTOCOL_ACCESS_KEY_SECRET=.*$|S3_PROTOCOL_ACCESS_KEY_SECRET=${s3_protocol_access_key_secret}|" \ + -e "s|^MINIO_ROOT_PASSWORD=.*$|MINIO_ROOT_PASSWORD=${minio_root_password}|" \ -e "s|^POSTGRES_PASSWORD=.*$|POSTGRES_PASSWORD=${postgres_password}|" \ -e "s|^DASHBOARD_PASSWORD=.*$|DASHBOARD_PASSWORD=${dashboard_password}|" \ .env diff --git a/supabase/code/versions.md b/supabase/code/versions.md index a26aef0..af00d58 100644 --- a/supabase/code/versions.md +++ b/supabase/code/versions.md @@ -1,5 +1,29 @@ # Docker Image Versions +## 2026-02-16 +- supabase/studio:2026.02.16-sha-26c615c (prev supabase/studio:2026.01.27-sha-6aa59ff) +- supabase/gotrue:v2.186.0 (prev supabase/gotrue:v2.185.0) +- postgrest/postgrest:v14.5 (prev postgrest/postgrest:v14.3) +- supabase/realtime:v2.76.5 (prev supabase/realtime:v2.72.0) +- supabase/storage-api:v1.37.8 (prev supabase/storage-api:v1.37.1) +- supabase/edge-runtime:v1.70.3 (prev supabase/edge-runtime:v1.70.0) +- supabase/logflare:1.31.2 (prev supabase/logflare:1.30.3) +- timberio/vector:0.53.0-alpine (prev timberio/vector:0.28.1-alpine) + +## 2026-02-05 +- supabase/storage-api:v1.37.1 (prev supabase/storage-api:v1.33.5) + +## 2026-01-27 +- supabase/studio:2026.01.27-sha-6aa59ff (prev supabase/studio:2025.12.17-sha-43f4f7f) +- supabase/gotrue:v2.185.0 (prev supabase/gotrue:v2.184.0) +- postgrest/postgrest:v14.3 (prev postgrest/postgrest:v14.1) +- supabase/realtime:v2.72.0 (prev supabase/realtime:v2.68.0) +- supabase/storage-api:v1.33.5 (prev supabase/storage-api:v1.33.0) +- darthsim/imgproxy:v3.30.1 (prev darthsim/imgproxy:v3.8.0) +- supabase/postgres-meta:v0.95.2 (prev supabase/postgres-meta:v0.95.1) +- supabase/edge-runtime:v1.70.0 (prev supabase/edge-runtime:v1.69.28) +- supabase/logflare:1.30.3 (prev supabase/logflare:1.27.0) + ## 2025-12-18 - supabase/studio:2025.12.17-sha-43f4f7f (prev supabase/studio:2025.12.09-sha-434634f) - supabase/gotrue:v2.184.0 (prev supabase/gotrue:v2.183.0) diff --git a/supabase/code/volumes/api/kong.yml b/supabase/code/volumes/api/kong.yml index 168634f..ae69cec 100644 --- a/supabase/code/volumes/api/kong.yml +++ b/supabase/code/volumes/api/kong.yml @@ -27,8 +27,8 @@ acls: ### basicauth_credentials: - consumer: DASHBOARD - username: $DASHBOARD_USERNAME - password: $DASHBOARD_PASSWORD + username: '$DASHBOARD_USERNAME' + password: '$DASHBOARD_PASSWORD' ### ### API Routes @@ -197,14 +197,29 @@ services: - name: cors ## Analytics routes - - name: analytics-v1 - _comment: 'Analytics: /analytics/v1/* -> http://logflare:4000/*' - url: http://analytics:4000/ - routes: - - name: analytics-v1-all - strip_path: true - paths: - - /analytics/v1/ + ## Not used - Studio and Vector talk directly to analytics via Docker networking. + ## If external access is needed, add routes with key-auth matching Logflare's x-api-key auth. + # - name: analytics-v1-api + # _comment: 'Analytics: /analytics/v1/api/endpoints/* -> http://logflare:4000/api/endpoints/*' + # url: http://analytics:4000/api/endpoints + # routes: + # - name: analytics-v1-api + # strip_path: true + # paths: + # - /analytics/v1/api/endpoints/ + # - name: analytics-v1 + # _comment: 'Analytics: /analytics/v1/* -> http://logflare:4000/*' + # url: http://analytics:4000/ + # routes: + # - name: dashboard-v1-all + # strip_path: true + # paths: + # - /analytics/v1 + # plugins: + # - name: cors + # - name: basic-auth + # config: + # hide_credentials: true ## Secure Database routes - name: meta diff --git a/supabase/code/volumes/functions/hello/index.ts b/supabase/code/volumes/functions/hello/index.ts index f1e20b9..e3f138b 100644 --- a/supabase/code/volumes/functions/hello/index.ts +++ b/supabase/code/volumes/functions/hello/index.ts @@ -2,9 +2,7 @@ // https://deno.land/manual/getting_started/setup_your_environment // This enables autocomplete, go to definition, etc. -import { serve } from "https://deno.land/std@0.177.1/http/server.ts" - -serve(async () => { +Deno.serve(async () => { return new Response( `"Hello from Edge Functions!"`, { headers: { "Content-Type": "application/json" } }, diff --git a/supabase/code/volumes/functions/main/index.ts b/supabase/code/volumes/functions/main/index.ts index a094010..b593527 100644 --- a/supabase/code/volumes/functions/main/index.ts +++ b/supabase/code/volumes/functions/main/index.ts @@ -1,4 +1,3 @@ -import { serve } from 'https://deno.land/std@0.131.0/http/server.ts' import * as jose from 'https://deno.land/x/jose@v4.14.4/index.ts' console.log('main function started') @@ -30,7 +29,7 @@ async function verifyJWT(jwt: string): Promise { return true } -serve(async (req: Request) => { +Deno.serve(async (req: Request) => { if (req.method !== 'OPTIONS' && VERIFY_JWT) { try { const token = getAuthToken(req) diff --git a/supabase/code/volumes/logs/vector.yml b/supabase/code/volumes/logs/vector.yml index f97f8e1..d600bf2 100644 --- a/supabase/code/volumes/logs/vector.yml +++ b/supabase/code/volumes/logs/vector.yml @@ -49,10 +49,13 @@ transforms: .metadata.request.headers.referer = req.referer .metadata.request.headers.user_agent = req.agent .metadata.request.headers.cf_connecting_ip = req.client - .metadata.request.method = req.method - .metadata.request.path = req.path - .metadata.request.protocol = req.protocol .metadata.response.status_code = req.status + url, split_err = split(req.request, " ") + if split_err == null { + .metadata.request.method = url[0] + .metadata.request.path = url[1] + .metadata.request.protocol = url[2] + } } if err != null { abort @@ -101,14 +104,20 @@ transforms: parsed, err = parse_regex(.event_message, r'^(?P