From 988bcb72235f6ca99e260042f4c7fe337bce089b Mon Sep 17 00:00:00 2001 From: Ahson Shaikh Date: Mon, 19 Jan 2026 20:05:13 +0500 Subject: [PATCH] Updated Supabase --- supabase/code/.env.example | 4 +- supabase/code/CHANGELOG.md | 272 +++++++++++++++++++++++ supabase/code/README.md | 88 +++++++- supabase/code/dev/docker-compose.dev.yml | 10 + supabase/code/docker-compose.yml | 52 +++-- supabase/code/reset.sh | 92 +++++--- supabase/code/utils/db-passwd.sh | 157 +++++++++++++ supabase/code/utils/generate-keys.sh | 119 ++++++++++ supabase/code/versions.md | 83 +++++++ supabase/code/volumes/api/kong.yml | 42 ++++ supabase/code/volumes/logs/vector.yml | 13 +- supabase/update.js | 2 +- 12 files changed, 873 insertions(+), 61 deletions(-) create mode 100644 supabase/code/CHANGELOG.md create mode 100644 supabase/code/utils/db-passwd.sh create mode 100644 supabase/code/utils/generate-keys.sh create mode 100644 supabase/code/versions.md diff --git a/supabase/code/.env.example b/supabase/code/.env.example index fcb6310..d89e78a 100644 --- a/supabase/code/.env.example +++ b/supabase/code/.env.example @@ -10,7 +10,8 @@ SERVICE_ROLE_KEY=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyAgCiAgICAicm9sZSI6ICJzZX DASHBOARD_USERNAME=supabase DASHBOARD_PASSWORD=this_password_is_insecure_and_should_be_updated SECRET_KEY_BASE=UpNVntn3cDxHJpq99YMc1T1AQgQpc8kfYTuRgBiYa15BLrx8etQoXz3gZv1/u2oq -VAULT_ENC_KEY=your-encryption-key-32-chars-min +VAULT_ENC_KEY=your-32-character-encryption-key +PG_META_CRYPTO_KEY=your-encryption-key-32-chars-min ############ @@ -94,7 +95,6 @@ ENABLE_PHONE_AUTOCONFIRM=true STUDIO_DEFAULT_ORGANIZATION=Default Organization STUDIO_DEFAULT_PROJECT=Default Project -STUDIO_PORT=3000 # replace if you intend to use Studio outside of localhost SUPABASE_PUBLIC_URL=http://localhost:8000 diff --git a/supabase/code/CHANGELOG.md b/supabase/code/CHANGELOG.md new file mode 100644 index 0000000..9e6cf88 --- /dev/null +++ b/supabase/code/CHANGELOG.md @@ -0,0 +1,272 @@ +# Changelog + +All notable changes to the Supabase self-hosted Docker configuration. + +Changes are grouped by service rather than by change type. See [versions.md](./versions.md) +for complete image version history and rollback information. + +Check updates for each service to learn more. + +**Note:** Configuration updates marked with "requires [...] update" are already included in the latest version of the repository. Pull the latest changes or refer to the linked PR for manual updates. After updating `docker-compose.yml`, pull latest images and recreate containers - use `docker compose pull && docker compose down && docker compose up -d`. + +--- + +## Unreleased + +--- + +## [2025-12-18] + +### Documentation +- Updated self-hosting installation and configuration guide - PR [#40901](https://github.com/supabase/supabase/pull/40901), PR [#41438](https://github.com/supabase/supabase/pull/41438) + +### Utils +- Added `generate-keys.sh` - PR [#41363](https://github.com/supabase/supabase/pull/41363) +- Added `db-passwd.sh` - PR [#41432](https://github.com/supabase/supabase/pull/41432) +- Changed `reset.sh` to POSIX and added more checks - PR [#41361](https://github.com/supabase/supabase/pull/41361) + +### Studio +- Updated to `2025.12.17-sha-43f4f7f` +- ⚠️ Fixed additional potential issues related to [React2Shell](https://vercel.com/kb/bulletin/react2shell) +- Fixed an issue with the Users page not being updated on changes - PR [#41254](https://github.com/supabase/supabase/pull/41254) + +### MCP Server +- Updated to `v0.5.10` - [Release](https://github.com/supabase-community/supabase-mcp/releases/tag/v0.5.10) + +### Auth +- Updated to `v2.184.0` - [Changelog](https://github.com/supabase/auth/blob/master/CHANGELOG.md) | [Release](https://github.com/supabase/auth/releases/tag/v2.184.0) + +### Postgres Meta +- Updated to `v0.95.1` - [Release](https://github.com/supabase/postgres-meta/releases/tag/v0.95.1) + +### Analytics (Logflare) +- Updated to `v1.27.0` - [Release](https://github.com/Logflare/logflare/releases/tag/v1.27.0) +- Fixed multiple issues, including a race condition + +--- + +## [2025-12-10] + +### Studio + +- Updated to `2025.12.09-sha-434634f` +- ⚠️ Fixed potential issues related to [React2Shell](https://vercel.com/kb/bulletin/react2shell) + +### MCP Server + +- Updated to `v0.5.9` - [Release](https://github.com/supabase-community/supabase-mcp/releases/tag/v0.5.9) +- ⚠️ Changed MCP tool `get_anon_key` to `get_publishable_keys` + +### PostgREST + +- Updated to `v14.1` - [Changelog](https://github.com/PostgREST/postgrest/blob/main/CHANGELOG.md) | [Release](https://github.com/PostgREST/postgrest/releases/tag/v14.1) +- ⚠️ **Major upgrade from v13.x to v14.x** - please report any unexpected behavior + +### Realtime + +- Updated to `v2.68.0` - [Releases](https://github.com/supabase/realtime/releases/tag/v2.68.0) + +### Storage + +- Updated to `v1.33.0` - [Release](https://github.com/supabase/storage/releases/tag/v1.33.0) + +### Edge Runtime + +- Updated to `v1.69.28` - [Release](https://github.com/supabase/edge-runtime/releases/tag/v1.69.28) + +### Analytics (Logflare) + +- Updated to `v1.26.25` - [Release](https://github.com/Logflare/logflare/releases/tag/v1.26.25) + +--- + +## [2025-12-08] + +### Realtime +- No image update +- Changed boolean values to strings in Docker Compose for better compatibility with Podman - PR [#40994](https://github.com/supabase/supabase/pull/40994), also PR [realtime#1614](https://github.com/supabase/realtime/pull/1614) +- Changed healthcheck in Docker Compose for better compatibility with Podman - PR [#41159](https://github.com/supabase/supabase/pull/41159) + +--- + +## [2025-11-26] + +### Studio +- Updated to `2025.11.26-sha-8f096b5` +- Fixed MCP `get_advisors` tool - PR [#40783](https://github.com/supabase/supabase/pull/40783) +- Fixed AI Assistant request schema - PR [#40830](https://github.com/supabase/supabase/pull/40830) +- Fixed log drains page - PR [#40835](https://github.com/supabase/supabase/pull/40835) + +### Realtime +- Updated to `v2.65.3` - [Release](https://github.com/supabase/realtime/releases/tag/v2.65.3) + +### Analytics (Logflare) +- Updated to `v1.26.13` - [Release](https://github.com/Logflare/logflare/releases/tag/v1.26.13) +- Fixed crashdump when `POSTGRES_BACKEND_URL` is malformed - PR [logflare#2954](https://github.com/Logflare/logflare/pull/2954) + +--- + +## [2025-11-25] + +### Studio +- Updated to `2025.11.24-sha-d990ae8` - [Dashboard updates](https://github.com/orgs/supabase/discussions/40734) +- Fixed Queues configuration UI and added [documentation for exposed queue schema](https://supabase.com/docs/guides/queues/expose-self-hosted-queues) - PR [#40078](https://github.com/supabase/supabase/pull/40078) +- Fixed parameterized SQL queries in MCP tools - PR [#40499](https://github.com/supabase/supabase/pull/40499) +- Fixed Studio showing paid options for log drains - PR [#40510](https://github.com/supabase/supabase/pull/40510) +- Fixed AI Assistant authentication - PR [#40654](https://github.com/supabase/supabase/pull/40654) + +### Auth +- Updated to `v2.183.0` - [Changelog](https://github.com/supabase/auth/blob/master/CHANGELOG.md) | [Release](https://github.com/supabase/auth/releases/tag/v2.183.0) + +### Realtime +- Updated to `v2.65.2` - [Release](https://github.com/supabase/realtime/releases/tag/v2.65.2) +- Fixed handling of boolean configurations options - PR [realtime#1614](https://github.com/supabase/realtime/pull/1614) + +### Storage +- Updated to `v1.32.0` - [Release](https://github.com/supabase/storage/releases/tag/v1.32.0) + +### Edge Runtime +- Updated to `v1.69.25` - [Release](https://github.com/supabase/edge-runtime/releases/tag/v1.69.25) + +### Analytics (Logflare) +- Updated to `v1.26.12` - [Release](https://github.com/Logflare/logflare/releases/tag/v1.26.12) +- Fixed Auth logs query - PR [logflare#2936](https://github.com/Logflare/logflare/pull/2936) +- Fixed build configuration to prevent crashes with "Illegal instruction (core dumped)" - PR [logflare#2942](https://github.com/Logflare/logflare/pull/2942) + +--- + +## [2025-11-17] + +### Storage +- No image update +- Fixed resumable uploads for files larger than 6MB (requires `docker-compose.yml` update) - PR [#40500](https://github.com/supabase/supabase/pull/40500) + +--- + +## [2025-11-12] + +### Studio +- Updated to `2025.11.10-sha-5291fe3` - [Dashboard updates](https://github.com/orgs/supabase/discussions/40083) +- Added log drains - PR [#28297](https://github.com/supabase/supabase/pull/28297) +- Fixed Studio using `postgres` role instead of `supabase_admin` - PR [#39946](https://github.com/supabase/supabase/pull/39946) + +### Auth +- Updated to `v2.182.1` - [Changelog](https://github.com/supabase/auth/blob/master/CHANGELOG.md#21821-2025-11-05) | [Release](https://github.com/supabase/auth/releases/tag/v2.182.1) + +### Realtime +- Updated to `v2.63.0` - [Release](https://github.com/supabase/realtime/releases/tag/v2.63.0) + +### Storage +- Updated to `v1.29.0` - [Release](https://github.com/supabase/storage/releases/tag/v1.29.0) + +### Edge Runtime +- Updated to `v1.69.23` - [Release](https://github.com/supabase/edge-runtime/releases/tag/v1.69.23) + +### Supavisor +- Updated to `v2.7.4` - [Release](https://github.com/supabase/supavisor/releases/tag/v2.7.4) + +--- + +## [2025-11-05] + +### Studio +- No image update +- Fixed Studio failing to connect to Postgres with non-default settings (requires `docker-compose.yml` update) - PR [#40169](https://github.com/supabase/supabase/pull/40169) + +### Realtime +- No image update +- Fixed realtime logs not showing in Studio (requires `volumes/logs/vector.yml` update) - PR [#39963](https://github.com/supabase/supabase/pull/39963) + +--- + +## [2025-10-28] + +### Studio +- Updated to `2025.10.27-sha-85b84e0` - [Dashboard updates](https://github.com/orgs/supabase/discussions/40083) +- Fixed broken authentication when uploading files to Storage - PR [#39829](https://github.com/supabase/supabase/pull/39829) + +### Realtime +- Updated to `v2.57.2` - [Release](https://github.com/supabase/realtime/releases/tag/v2.57.2) + +### Storage +- Updated to `v1.28.2` - [Release](https://github.com/supabase/storage/releases/tag/v1.28.2) + +### Postgres Meta +- Updated to `v0.93.1` - [Release](https://github.com/supabase/postgres-meta/releases/tag/v0.93.1) + +### Edge Runtime +- Updated to `v1.69.15` - [Release](https://github.com/supabase/edge-runtime/releases/tag/v1.69.15) + +--- + +## [2025-10-27] + +### Studio +- No image update +- Added Kong configuration for MCP server routes (requires `volumes/api/kong.yml` update) - PR [#39849](https://github.com/supabase/supabase/pull/39849) +- Added [documentation page](https://supabase.com/docs/guides/self-hosting/enable-mcp) for MCP server configuration - PR [#39952](https://github.com/supabase/supabase/pull/39952) + +--- + +## [2025-10-21] + +### Studio +- Updated to `2025.10.20-sha-5005fc6` - [Dashboard updates](https://github.com/orgs/supabase/discussions/39709) +- Fixed issues with Edge Functions and cron logs not being visible in Studio - PR [#39388](https://github.com/supabase/supabase/pull/39388), PR [#39704](https://github.com/supabase/supabase/pull/39704), PR [#39711](https://github.com/supabase/supabase/pull/39711) + +### Realtime +- Updated to `v2.56.0` - [Release](https://github.com/supabase/realtime/releases/tag/v2.56.0) + +### Storage +- Updated to `v1.28.1` - [Release](https://github.com/supabase/storage/releases/tag/v1.28.1) + +### Postgres Meta +- Updated to `v0.93.0` - [Release](https://github.com/supabase/postgres-meta/releases/tag/v0.93.0) + +### Edge Runtime +- Updated to `v1.69.14` - [Release](https://github.com/supabase/edge-runtime/releases/tag/v1.69.14) + +### Supavisor +- Updated to `v2.7.3` - [Release](https://github.com/supabase/supavisor/releases/tag/v2.7.3) + +--- + +## [2025-10-13] + +### Analytics (Logflare) +- Updated to `v1.22.6` - [Release](https://github.com/Logflare/logflare/releases/tag/v1.22.6) + +--- + +## [2025-10-08] + +### Studio +- Updated to `2025.10.01-sha-8460121` - [Dashboard updates](https://github.com/orgs/supabase/discussions/39709) +- Added "local" remote MCP server - PR [#38797](https://github.com/supabase/supabase/pull/38797), PR [#39041](https://github.com/supabase/supabase/pull/39041) +- ⚠️ Changed Studio connection method to `postgres-meta` - affects non-standard database port configurations + +### Auth +- Updated to `v2.180.0` - [Release](https://github.com/supabase/auth/releases/tag/v2.180.0) + +### PostgREST +- Updated to `v13.0.7` - [Release](https://github.com/PostgREST/postgrest/releases/tag/v13.0.7) | [Changelog](https://github.com/PostgREST/postgrest/blob/main/CHANGELOG.md) + +### Realtime +- Updated to `v2.51.11` - [Release](https://github.com/supabase/realtime/releases/tag/v2.51.11) + +### Storage +- Updated to `v1.28.0` - [Release](https://github.com/supabase/storage/releases/tag/v1.28.0) + +### Postgres Meta +- Updated to `v0.91.6` - [Release](https://github.com/supabase/postgres-meta/releases/tag/v0.91.6) + +### Analytics (Logflare) +- Updated to `v1.22.4` - [Release](https://github.com/Logflare/logflare/releases/tag/v1.22.4) + +### Postgres +- Updated to `15.8.1.085` - [Release](https://github.com/supabase/postgres/releases/tag/15.8.1.085) + +### Supavisor +- Updated to `2.7.0` - [Release](https://github.com/supabase/supavisor/releases/tag/v2.7.0) + +--- diff --git a/supabase/code/README.md b/supabase/code/README.md index 9ab215b..c774254 100644 --- a/supabase/code/README.md +++ b/supabase/code/README.md @@ -1,3 +1,87 @@ -# Supabase Docker +# Self-Hosted Supabase with Docker -This is a minimal Docker Compose setup for self-hosting Supabase. Follow the steps [here](https://supabase.com/docs/guides/hosting/docker) to get started. +This is the official Docker Compose setup for self-hosted Supabase. It provides a complete stack with all Supabase services running locally or on your infrastructure. + +## Getting Started + +Follow the detailed setup guide in our documentation: [Self-Hosting with Docker](https://supabase.com/docs/guides/self-hosting/docker) + +The guide covers: +- Prerequisites (Git and Docker) +- Initial setup and configuration +- Securing your installation +- Accessing services +- Updating your instance + +## What's Included + +This Docker Compose configuration includes the following services: + +- **[Studio](https://github.com/supabase/supabase/tree/master/apps/studio)** - A dashboard for managing your self-hosted Supabase project +- **[Kong](https://github.com/Kong/kong)** - Kong API gateway +- **[Auth](https://github.com/supabase/auth)** - JWT-based authentication API for user sign-ups, logins, and session management +- **[PostgREST](https://github.com/PostgREST/postgrest)** - Web server that turns your PostgreSQL database directly into a RESTful API +- **[Realtime](https://github.com/supabase/realtime)** - Elixir server that listens to PostgreSQL database changes and broadcasts them over websockets +- **[Storage](https://github.com/supabase/storage)** - RESTful API for managing files in S3, with Postgres handling permissions +- **[imgproxy](https://github.com/imgproxy/imgproxy)** - Fast and secure image processing server +- **[postgres-meta](https://github.com/supabase/postgres-meta)** - RESTful API for managing Postgres (fetch tables, add roles, run queries) +- **[PostgreSQL](https://github.com/supabase/postgres)** - Object-relational database with over 30 years of active development +- **[Edge Runtime](https://github.com/supabase/edge-runtime)** - Web server based on Deno runtime for running JavaScript, TypeScript, and WASM services +- **[Logflare](https://github.com/Logflare/logflare)** - Log management and event analytics platform +- **[Vector](https://github.com/vectordotdev/vector)** - High-performance observability data pipeline for logs +- **[Supavisor](https://github.com/supabase/supavisor)** - Supabase's Postgres connection pooler + +## Documentation + +- **[Documentation](https://supabase.com/docs/guides/self-hosting/docker)** - Setup and configuration guides +- **[CHANGELOG.md](./CHANGELOG.md)** - Track recent updates and changes to services +- **[versions.md](./versions.md)** - Complete history of Docker image versions for rollback reference + +## Updates + +To update your self-hosted Supabase instance: + +1. Review [CHANGELOG.md](./CHANGELOG.md) for breaking changes +2. Check [versions.md](./versions.md) for new image versions +3. Update `docker-compose.yml` if there are configuration changes +4. Pull the latest images: `docker compose pull` +5. Stop services: `docker compose down` +6. Start services with new configuration: `docker compose up -d` + +**Note:** Consider to always backup your database before updating. + +## Community & Support + +For troubleshooting common issues, see: +- [GitHub Discussions](https://github.com/orgs/supabase/discussions?discussions_q=is%3Aopen+label%3Aself-hosted) - Questions, feature requests, and workarounds +- [GitHub Issues](https://github.com/supabase/supabase/issues?q=is%3Aissue%20state%3Aopen%20label%3Aself-hosted) - Known issues +- [Documentation](https://supabase.com/docs/guides/self-hosting) - Setup and configuration guides + +Self-hosted Supabase is community-supported. Get help and connect with other users: + +- [Discord](https://discord.supabase.com) - Real-time chat and community support +- [Reddit](https://www.reddit.com/r/Supabase/) - Official Supabase subreddit + +Share your self-hosting experience: + +- [GitHub Discussions](https://github.com/orgs/supabase/discussions/39820) - "Self-hosting: What's working (and what's not)?" + +## Important Notes + +### Security + +⚠️ **The default configuration is not secure for production use.** + +Before deploying to production, you must: +- Update all default passwords and secrets in the `.env` file +- Generate new JWT secrets +- Review and update CORS settings +- Consider setting up a secure proxy in front of self-hosted Supabase +- Review and adjust network security configuration (ACLs, etc.) +- Set up proper backup procedures + +See the [security section](https://supabase.com/docs/guides/self-hosting/docker#configuring-and-securing-supabase) in the documentation. + +## License + +This repository is licensed under the Apache 2.0 License. See the main [Supabase repository](https://github.com/supabase/supabase) for details. diff --git a/supabase/code/dev/docker-compose.dev.yml b/supabase/code/dev/docker-compose.dev.yml index f8b3ba7..e6b2e76 100644 --- a/supabase/code/dev/docker-compose.dev.yml +++ b/supabase/code/dev/docker-compose.dev.yml @@ -8,6 +8,16 @@ services: target: dev ports: - 8082:8082 + develop: + watch: + - action: sync + path: ../apps/studio + target: /app/apps/studio + ignore: + - node_modules/ + - action: rebuild + path: package.json + mail: container_name: supabase-mail image: inbucket/inbucket:3.0.3 diff --git a/supabase/code/docker-compose.yml b/supabase/code/docker-compose.yml index b1fbf86..e493619 100644 --- a/supabase/code/docker-compose.yml +++ b/supabase/code/docker-compose.yml @@ -10,7 +10,7 @@ name: supabase services: studio: - image: supabase/studio:2025.06.30-sha-6f5982d + image: supabase/studio:2025.12.17-sha-43f4f7f restart: unless-stopped healthcheck: test: @@ -28,8 +28,15 @@ services: analytics: condition: service_healthy environment: + # Binds nestjs listener to both IPv4 and IPv6 network interfaces + HOSTNAME: "::" + STUDIO_PG_META_URL: http://meta:8080 + POSTGRES_PORT: ${POSTGRES_PORT} + POSTGRES_HOST: ${POSTGRES_HOST} + POSTGRES_DB: ${POSTGRES_DB} POSTGRES_PASSWORD: ${POSTGRES_PASSWORD} + PG_META_CRYPTO_KEY: ${PG_META_CRYPTO_KEY} DEFAULT_ORGANIZATION_NAME: ${STUDIO_DEFAULT_ORGANIZATION} DEFAULT_PROJECT_NAME: ${STUDIO_DEFAULT_PROJECT} @@ -41,7 +48,11 @@ services: SUPABASE_SERVICE_KEY: ${SERVICE_ROLE_KEY} AUTH_JWT_SECRET: ${JWT_SECRET} + # LOGFLARE_API_KEY is deprecated + LOGFLARE_API_KEY: ${LOGFLARE_PUBLIC_ACCESS_TOKEN} + LOGFLARE_PUBLIC_ACCESS_TOKEN: ${LOGFLARE_PUBLIC_ACCESS_TOKEN} LOGFLARE_PRIVATE_ACCESS_TOKEN: ${LOGFLARE_PRIVATE_ACCESS_TOKEN} + LOGFLARE_URL: http://analytics:4000 NEXT_PUBLIC_ENABLE_LOGS: true # Comment to use Big Query backend for analytics @@ -63,7 +74,7 @@ services: KONG_DECLARATIVE_CONFIG: /home/kong/kong.yml # https://github.com/supabase/cli/issues/14 KONG_DNS_ORDER: LAST,A,CNAME - KONG_PLUGINS: request-transformer,cors,key-auth,acl,basic-auth + KONG_PLUGINS: request-transformer,cors,key-auth,acl,basic-auth,request-termination,ip-restriction KONG_NGINX_PROXY_PROXY_BUFFER_SIZE: 160k KONG_NGINX_PROXY_PROXY_BUFFERS: 64 160k SUPABASE_ANON_KEY: ${ANON_KEY} @@ -75,7 +86,7 @@ services: /docker-entrypoint.sh kong docker-start' auth: - image: supabase/gotrue:v2.177.0 + image: supabase/gotrue:v2.184.0 restart: unless-stopped healthcheck: test: @@ -157,7 +168,7 @@ services: # GOTRUE_HOOK_SEND_EMAIL_SECRETS: "v1,whsec_VGhpcyBpcyBhbiBleGFtcGxlIG9mIGEgc2hvcnRlciBCYXNlNjQgc3RyaW5n" rest: - image: postgrest/postgrest:v12.2.12 + image: postgrest/postgrest:v14.1 restart: unless-stopped depends_on: db: @@ -177,7 +188,7 @@ services: realtime: # This container name looks inconsistent but is correct because realtime constructs tenant id by parsing the subdomain - image: supabase/realtime:v2.34.47 + image: supabase/realtime:v2.68.0 restart: unless-stopped depends_on: db: @@ -188,15 +199,9 @@ services: healthcheck: test: [ - "CMD", - "curl", - "-sSfL", - "--head", - "-o", - "/dev/null", - "-H", - "Authorization: Bearer ${ANON_KEY}", - "http://localhost:4000/api/tenants/realtime-dev/health" + "CMD-SHELL", + "curl -sSfL --head -o /dev/null -H \"Authorization: Bearer + ${ANON_KEY}\" http://localhost:4000/api/tenants/realtime-dev/health" ] timeout: 5s interval: 5s @@ -216,12 +221,12 @@ services: DNS_NODES: "''" RLIMIT_NOFILE: "10000" APP_NAME: realtime - SEED_SELF_HOST: true - RUN_JANITOR: true + SEED_SELF_HOST: "true" + RUN_JANITOR: "true" # To use S3 backed storage: docker compose -f docker-compose.yml -f docker-compose.s3.yml up storage: - image: supabase/storage-api:v1.25.7 + image: supabase/storage-api:v1.33.0 restart: unless-stopped volumes: - ./volumes/storage:/var/lib/storage:z @@ -252,6 +257,7 @@ services: POSTGREST_URL: http://rest:3000 PGRST_JWT_SECRET: ${JWT_SECRET} DATABASE_URL: postgres://supabase_storage_admin:${POSTGRES_PASSWORD}@${POSTGRES_HOST}:${POSTGRES_PORT}/${POSTGRES_DB} + REQUEST_ALLOW_X_FORWARDED_PATH: "true" FILE_SIZE_LIMIT: 52428800 STORAGE_BACKEND: file FILE_STORAGE_BACKEND_PATH: /var/lib/storage @@ -279,7 +285,7 @@ services: IMGPROXY_ENABLE_WEBP_DETECTION: ${IMGPROXY_ENABLE_WEBP_DETECTION} meta: - image: supabase/postgres-meta:v0.91.0 + image: supabase/postgres-meta:v0.95.1 restart: unless-stopped depends_on: db: @@ -294,9 +300,10 @@ services: PG_META_DB_NAME: ${POSTGRES_DB} PG_META_DB_USER: supabase_admin PG_META_DB_PASSWORD: ${POSTGRES_PASSWORD} + CRYPTO_KEY: ${PG_META_CRYPTO_KEY} functions: - image: supabase/edge-runtime:v1.67.4 + image: supabase/edge-runtime:v1.69.28 restart: unless-stopped volumes: - ./volumes/functions:/home/deno/functions:Z @@ -314,7 +321,7 @@ services: command: [ "start", "--main-service", "/home/deno/functions/main" ] analytics: - image: supabase/logflare:1.14.2 + image: supabase/logflare:1.27.0 restart: unless-stopped # Uncomment to use Big Query backend for analytics # volumes: @@ -343,7 +350,6 @@ services: LOGFLARE_PRIVATE_ACCESS_TOKEN: ${LOGFLARE_PRIVATE_ACCESS_TOKEN} LOGFLARE_SINGLE_TENANT: true LOGFLARE_SUPABASE_MODE: true - LOGFLARE_MIN_CLUSTER_SIZE: 1 # Comment variables to use Big Query backend for analytics POSTGRES_BACKEND_URL: postgresql://supabase_admin:${POSTGRES_PASSWORD}@${POSTGRES_HOST}:${POSTGRES_PORT}/_supabase @@ -355,7 +361,7 @@ services: # Comment out everything below this point if you are using an external Postgres database db: - image: supabase/postgres:15.8.1.060 + image: supabase/postgres:15.8.1.085 restart: unless-stopped volumes: - ./volumes/db/realtime.sql:/docker-entrypoint-initdb.d/migrations/99-realtime.sql:Z @@ -429,7 +435,7 @@ services: # Update the DATABASE_URL if you are using an external Postgres database supavisor: - image: supabase/supavisor:2.5.7 + image: supabase/supavisor:2.7.4 restart: unless-stopped volumes: - ./volumes/pooler/pooler.exs:/etc/pooler/pooler.exs:ro,z diff --git a/supabase/code/reset.sh b/supabase/code/reset.sh index d5f3a41..af0302a 100755 --- a/supabase/code/reset.sh +++ b/supabase/code/reset.sh @@ -1,44 +1,76 @@ -#!/bin/bash +#!/bin/sh -echo "WARNING: This will remove all containers and container data, and will reset the .env file. This action cannot be undone!" -read -p "Are you sure you want to proceed? (y/N) " -n 1 -r -echo # Move to a new line -if [[ ! $REPLY =~ ^[Yy]$ ]] -then - echo "Operation cancelled." - exit 1 +set -e + +auto_confirm=0 + +confirm () { + if [ "$auto_confirm" = "1" ]; then + return 0 + fi + + printf "Are you sure you want to proceed? (y/N) " + read -r REPLY + case "$REPLY" in + [Yy]) + ;; + *) + echo "Script canceled." + exit 1 + ;; + esac +} + +if [ "$1" = "-y" ]; then + auto_confirm=1 fi -echo "Stopping and removing all containers..." -docker compose -f docker-compose.yml -f ./dev/docker-compose.dev.yml down -v --remove-orphans +echo "" +echo "*** WARNING: This will remove all containers and container data, and optionally reset .env ***" +echo "" -echo "Cleaning up bind-mounted directories..." -BIND_MOUNTS=( - "./volumes/db/data" -) +confirm -for DIR in "${BIND_MOUNTS[@]}"; do - if [ -d "$DIR" ]; then - echo "Deleting $DIR..." - rm -rf "$DIR" - else - echo "Directory $DIR does not exist. Skipping bind mount deletion step..." - fi +echo "===> Stopping and removing all containers..." + +if [ -f ".env" ]; then + docker compose -f docker-compose.yml -f ./dev/docker-compose.dev.yml down -v --remove-orphans +elif [ -f ".env.example" ]; then + echo "No .env found, using .env.example for docker compose down..." + docker compose --env-file .env.example -f docker-compose.yml -f ./dev/docker-compose.dev.yml down -v --remove-orphans +else + echo "Skipping 'docker compose down' because there's no env-file." +fi + +echo "===> Cleaning up bind-mounted directories..." +BIND_MOUNTS="./volumes/db/data ./volumes/storage" + +for dir in $BIND_MOUNTS; do + if [ -d "$dir" ]; then + echo "Removing $dir..." + confirm + rm -rf "$dir" + else + echo "$dir not found." + fi done -echo "Resetting .env file..." -if [ -f ".env" ]; then - echo "Removing existing .env file..." - rm -f .env +echo "===> Resetting .env file (will save backup to .env.old)..." +confirm +if [ -f ".env" ] || [ -L ".env" ]; then + echo "Renaming existing .env file to .env.old" + mv .env .env.old else - echo "No .env file found. Skipping .env removal step..." + echo "No .env file found." fi if [ -f ".env.example" ]; then - echo "Copying .env.example to .env..." - cp .env.example .env + echo "===> Copying .env.example to .env" + cp .env.example .env else - echo ".env.example file not found. Skipping .env reset step..." + echo "No .env.example found, can't restore .env to default values." fi -echo "Cleanup complete!" \ No newline at end of file +echo "Cleanup complete!" +echo "Re-run 'docker compose pull' to update images." +echo "" diff --git a/supabase/code/utils/db-passwd.sh b/supabase/code/utils/db-passwd.sh new file mode 100644 index 0000000..40c9122 --- /dev/null +++ b/supabase/code/utils/db-passwd.sh @@ -0,0 +1,157 @@ +#!/bin/sh +# +# Portions of this code are derived from Inder Singh's update-db-pass.sh +# Copyright 2025 Inder Singh. Licensed under Apache License 2.0. +# Original source: +# https://github.com/singh-inder/supabase-automated-self-host/blob/main/docker/update-db-pass.sh +# +# GitHub discussion here: +# https://github.com/supabase/supabase/issues/22605#issuecomment-3323382144 +# +# Changed: +# - POSIX shell compatibility +# - No hardcoded values for database service and admin user +# - Use .env for the admin user and database service port +# - Does _not_ set password for supabase_read_only_user (this role is not +# supposed to have a password) +# - Print all values and confirm before updating +# - Stop on any errors +# +# Heads up: +# - Updating _analytics.source_backends is not needed after PR logflare#2069 +# - Newer Logflare versions use a different table and update connection string +# + +set -e + +if ! docker compose version > /dev/null 2>&1; then + echo "Docker Compose not found." + exit 1 +fi + +if [ ! -f .env ]; then + echo "Missing .env file. Exiting." + exit 1 +fi + +# Generate random hex-only password to avoid issues with SQL/shell +new_passwd="$(openssl rand -hex 16)" +# If replacing with a custom password, avoid using @/?#:& +# https://supabase.com/docs/guides/database/postgres/roles#passwords +# new_passwd="d0notUseSpecialSymbolsForPq123-" + +# Check Postgres service +db_image_prefix="supabase.postgres:" + +compose_output=$(docker compose ps \ + --format '{{.Image}}\t{{.Service}}\t{{.Status}}' 2>/dev/null | \ + grep -m1 "^$db_image_prefix" || true) + +if [ -z "$compose_output" ]; then + echo "Postgres container not found. Exiting." + exit 1 +fi + +db_image=$(echo "$compose_output" | cut -f1) +db_srv_name=$(echo "$compose_output" | cut -f2) +db_srv_status=$(echo "$compose_output" | cut -f3) + +case "$db_srv_status" in + Up*) + ;; + *) + echo "Postgres container status: $db_srv_status" + echo "Exiting." + exit 1 + ;; +esac + +db_srv_port=$(grep "^POSTGRES_PORT=" .env | cut -d '=' -f 2) +port_source=" (.env):" +if [ -z "$db_srv_port" ]; then + db_srv_port="5432" + port_source=" (default):" +fi + +db_admin_user="supabase_admin" + +echo "" +echo "*** Check configuration below before updating database passwords! ***" +echo "" +echo "Service name: $db_srv_name" +echo "Service status: $db_srv_status" +echo "Service port${port_source} $db_srv_port" +echo "Image: $db_image" +echo "" +echo "Admin user: $db_admin_user" + +if ! test -t 0; then + echo "" + echo "Running non-interactively. Not updating passwords." + exit 0 +fi + +echo "New database password: $new_passwd" +echo "" + +printf "Update database passwords? (y/N) " +read -r REPLY +case "$REPLY" in + [Yy]) + ;; + *) + echo "Canceled. Not updating passwords." + exit 0 + ;; +esac + +echo "Updating passwords..." +echo "Connecting to the database service container..." + +docker compose exec -T "$db_srv_name" psql -U "$db_admin_user" -d "_supabase" -v ON_ERROR_STOP=1 </dev/null 2>&1; then + echo "Error: openssl is required but not found." + exit 1 +fi + +jwt_secret="$(gen_base64 30)" + +# Used in get_token() +header='{"alg":"HS256","typ":"JWT"}' +iat=$(date +%s) +exp=$((iat + 5 * 3600 * 24 * 365)) # 5 years + +# Normalizes JSON formatting so that the token matches https://www.jwt.io/ results +anon_payload="{\"role\":\"anon\",\"iss\":\"supabase\",\"iat\":$iat,\"exp\":$exp}" +service_role_payload="{\"role\":\"service_role\",\"iss\":\"supabase\",\"iat\":$iat,\"exp\":$exp}" + +#echo "anon_payload=$anon_payload" +#echo "service_role_payload=$service_role_payload" + +anon_key=$(gen_token "$anon_payload") +service_role_key=$(gen_token "$service_role_payload") + +secret_key_base=$(gen_base64 48) +vault_enc_key=$(gen_hex 16) +pg_meta_crypto_key=$(gen_base64 24) + +logflare_public_access_token=$(gen_base64 24) +logflare_private_access_token=$(gen_base64 24) + +s3_protocol_access_key_id=$(gen_hex 16) +s3_protocol_access_key_secret=$(gen_hex 32) + +echo "" +echo "JWT_SECRET=${jwt_secret}" +echo "" +#echo "Issued at: $iat" +#echo "Expire: $exp" +echo "ANON_KEY=${anon_key}" +echo "SERVICE_ROLE_KEY=${service_role_key}" +echo "" +echo "SECRET_KEY_BASE=${secret_key_base}" +echo "VAULT_ENC_KEY=${vault_enc_key}" +echo "PG_META_CRYPTO_KEY=${pg_meta_crypto_key}" +echo "LOGFLARE_PUBLIC_ACCESS_TOKEN=${logflare_public_access_token}" +echo "LOGFLARE_PRIVATE_ACCESS_TOKEN=${logflare_private_access_token}" +echo "S3_PROTOCOL_ACCESS_KEY_ID=${s3_protocol_access_key_id}" +echo "S3_PROTOCOL_ACCESS_KEY_SECRET=${s3_protocol_access_key_secret}" +echo "" + +postgres_password=$(gen_hex 16) +dashboard_password=$(gen_hex 16) + +echo "POSTGRES_PASSWORD=${postgres_password}" +echo "DASHBOARD_PASSWORD=${dashboard_password}" +echo "" + +if ! test -t 0; then + echo "Running non-interactively. Skipping .env update." + exit 0 +fi + +printf "Update .env file? (y/N) " +read -r REPLY +case "$REPLY" in + [Yy]) + ;; + *) + echo "Not updating .env" + exit 0 + ;; +esac + +echo "Updating .env..." + +sed \ + -i.old \ + -e "s|^JWT_SECRET=.*$|JWT_SECRET=${jwt_secret}|" \ + -e "s|^ANON_KEY=.*$|ANON_KEY=${anon_key}|" \ + -e "s|^SERVICE_ROLE_KEY=.*$|SERVICE_ROLE_KEY=${service_role_key}|" \ + -e "s|^SECRET_KEY_BASE=.*$|SECRET_KEY_BASE=${secret_key_base}|" \ + -e "s|^VAULT_ENC_KEY=.*$|VAULT_ENC_KEY=${vault_enc_key}|" \ + -e "s|^PG_META_CRYPTO_KEY=.*$|PG_META_CRYPTO_KEY=${pg_meta_crypto_key}|" \ + -e "s|^LOGFLARE_PUBLIC_ACCESS_TOKEN=.*$|LOGFLARE_PUBLIC_ACCESS_TOKEN=${logflare_public_access_token}|" \ + -e "s|^LOGFLARE_PRIVATE_ACCESS_TOKEN=.*$|LOGFLARE_PRIVATE_ACCESS_TOKEN=${logflare_private_access_token}|" \ + -e "s|^S3_PROTOCOL_ACCESS_KEY_ID=.*$|S3_PROTOCOL_ACCESS_KEY_ID=${s3_protocol_access_key_id}|" \ + -e "s|^S3_PROTOCOL_ACCESS_KEY_SECRET=.*$|S3_PROTOCOL_ACCESS_KEY_SECRET=${s3_protocol_access_key_secret}|" \ + -e "s|^POSTGRES_PASSWORD=.*$|POSTGRES_PASSWORD=${postgres_password}|" \ + -e "s|^DASHBOARD_PASSWORD=.*$|DASHBOARD_PASSWORD=${dashboard_password}|" \ + .env diff --git a/supabase/code/versions.md b/supabase/code/versions.md new file mode 100644 index 0000000..a26aef0 --- /dev/null +++ b/supabase/code/versions.md @@ -0,0 +1,83 @@ +# Docker Image Versions + +## 2025-12-18 +- supabase/studio:2025.12.17-sha-43f4f7f (prev supabase/studio:2025.12.09-sha-434634f) +- supabase/gotrue:v2.184.0 (prev supabase/gotrue:v2.183.0) +- supabase/postgres-meta:v0.95.1 (prev supabase/postgres-meta:v0.93.1) +- supabase/logflare:1.27.0 (prev supabase/logflare:1.26.25) + +## 2025-12-10 +- supabase/studio:2025.12.09-sha-434634f (prev supabase/studio:2025.11.26-sha-8f096b5) +- postgrest/postgrest:v14.1 (prev postgrest/postgrest:v13.0.7) +- supabase/realtime:v2.68.0 (prev supabase/realtime:v2.65.3) +- supabase/storage-api:v1.33.0 (prev supabase/storage-api:v1.32.0) +- supabase/edge-runtime:v1.69.28 (prev supabase/edge-runtime:v1.69.25) +- supabase/logflare:1.26.25 (prev supabase/logflare:1.26.13) + +## 2025-11-26 +- supabase/studio:2025.11.26-sha-8f096b5 (prev supabase/studio:2025.11.24-sha-d990ae8) +- supabase/realtime:v2.65.3 (prev supabase/realtime:v2.65.2) +- supabase/logflare:1.26.13 (prev supabase/logflare:1.26.12) + +## 2025-11-25 +- supabase/studio:2025.11.24-sha-d990ae8 (prev supabase/studio:2025.11.10-sha-5291fe3) +- supabase/gotrue:v2.183.0 (prev supabase/gotrue:v2.182.1) +- supabase/realtime:v2.65.2 (prev supabase/realtime:v2.63.0) +- supabase/storage-api:v1.32.0 (prev supabase/storage-api:v1.29.0) +- supabase/edge-runtime:v1.69.25 (prev supabase/edge-runtime:v1.69.23) +- supabase/logflare:1.26.12 (prev supabase/logflare:1.22.6) + +## 2025-11-12 +- supabase/studio:2025.11.10-sha-5291fe3 (prev 2025.10.27-sha-85b84e0) +- supabase/gotrue:v2.182.1 (prev v2.180.0) +- supabase/realtime:v2.63.0 (prev v2.57.2) +- supabase/storage-api:v1.29.0 (prev v1.28.2) +- supabase/edge-runtime:v1.69.23 (prev v1.69.15) +- supabase/supavisor:2.7.4 (prev 2.7.3) + +## 2025-10-28 +- supabase/studio:2025.10.27-sha-85b84e0 (prev 2025.10.20-sha-5005fc6) +- supabase/realtime:v2.57.2 (prev v2.56.0) +- supabase/storage-api:v1.28.2 (prev v1.28.1) +- supabase/postgres-meta:v0.93.1 (prev v0.93.0) +- supabase/edge-runtime:v1.69.15 (prev v1.69.14) + +## 2025-10-21 +- supabase/studio:2025.10.20-sha-5005fc6 (prev 2025.10.01-sha-8460121) +- supabase/realtime:v2.56.0 (prev v2.51.11) +- supabase/storage-api:v1.28.1 (prev v1.28.0) +- supabase/postgres-meta:v0.93.0 (prev v0.91.6) +- supabase/edge-runtime:v1.69.14 (prev v1.69.6) +- supabase/supavisor:2.7.3 (prev 2.7.0) + +## 2025-10-13 +- supabase/logflare:1.22.6 (prev 1.22.4) + +## 2025-10-08 +- supabase/studio:2025.10.01-sha-8460121 (prev 2025.06.30-sha-6f5982d) +- supabase/gotrue:v2.180.0 (prev v2.177.0) +- postgrest/postgrest:v13.0.7 (prev v12.2.12) +- supabase/realtime:v2.51.11 (prev v2.34.47) +- supabase/storage-api:v1.28.0 (prev v1.25.7) +- supabase/postgres-meta:v0.91.6 (prev v0.91.0) +- supabase/logflare:1.22.4 (prev 1.14.2) +- supabase/postgres:15.8.1.085 (prev 15.8.1.060) +- supabase/supavisor:2.7.0 (prev 2.5.7) + +## 2025-07-15 +- supabase/gotrue:v2.177.0 (prev v2.176.1) +- supabase/storage-api:v1.25.7 (prev v1.24.7) +- supabase/postgres-meta:v0.91.0 (prev v0.89.3) +- supabase/supavisor:2.5.7 (prev 2.5.6) + +## 2025-07-02 +- supabase/studio:2025.06.30-sha-6f5982d (prev 2025.06.02-sha-8f2993d) +- supabase/gotrue:v2.176.1 (prev v2.174.0) +- supabase/storage-api:v1.24.7 (prev v1.23.0) +- supabase/supavisor:2.5.6 (prev 2.5.1) + +## 2025-06-03 +- supabase/studio:2025.06.02-sha-8f2993d (prev 2025.05.19-sha-3487831) +- supabase/gotrue:v2.174.0 (prev v2.172.1) +- supabase/storage-api:v1.23.0 (prev v1.22.17) +- supabase/postgres-meta:v0.89.3 (prev v0.89.0) diff --git a/supabase/code/volumes/api/kong.yml b/supabase/code/volumes/api/kong.yml index 7abf425..168634f 100644 --- a/supabase/code/volumes/api/kong.yml +++ b/supabase/code/volumes/api/kong.yml @@ -225,6 +225,48 @@ services: allow: - admin + ## Block access to /api/mcp + - name: mcp-blocker + _comment: 'Block direct access to /api/mcp' + url: http://studio:3000/api/mcp + routes: + - name: mcp-blocker-route + strip_path: true + paths: + - /api/mcp + plugins: + - name: request-termination + config: + status_code: 403 + message: "Access is forbidden." + + ## MCP endpoint - local access + - name: mcp + _comment: 'MCP: /mcp -> http://studio:3000/api/mcp (local access)' + url: http://studio:3000/api/mcp + routes: + - name: mcp + strip_path: true + paths: + - /mcp + plugins: + # Block access to /mcp by default + - name: request-termination + config: + status_code: 403 + message: "Access is forbidden." + # Enable local access (danger zone!) + # 1. Comment out the 'request-termination' section above + # 2. Uncomment the entire section below, including 'deny' + # 3. Add your local IPs to the 'allow' list + #- name: cors + #- name: ip-restriction + # config: + # allow: + # - 127.0.0.1 + # - ::1 + # deny: [] + ## Protected Dashboard - catch all remaining routes - name: dashboard _comment: 'Studio: /* -> http://studio:3000/*' diff --git a/supabase/code/volumes/logs/vector.yml b/supabase/code/volumes/logs/vector.yml index 1c438a8..f97f8e1 100644 --- a/supabase/code/volumes/logs/vector.yml +++ b/supabase/code/volumes/logs/vector.yml @@ -33,9 +33,9 @@ transforms: kong: '.appname == "supabase-kong"' auth: '.appname == "supabase-auth"' rest: '.appname == "supabase-rest"' - realtime: '.appname == "supabase-realtime"' + realtime: '.appname == "realtime-dev.supabase-realtime"' storage: '.appname == "supabase-storage"' - functions: '.appname == "supabase-functions"' + functions: '.appname == "supabase-edge-functions"' db: '.appname == "supabase-db"' # Ignores non nginx errors since they are related with kong booting up kong_logs: @@ -117,6 +117,13 @@ transforms: .event_message = parsed.msg .metadata.level = parsed.level } + # Function logs are unstructured messages on stderr + functions_logs: + type: remap + inputs: + - router.functions + source: |- + .metadata.project_ref = del(.project) # Storage logs may contain json objects so we parse them for completeness storage_logs: type: remap @@ -210,7 +217,7 @@ sinks: logflare_functions: type: 'http' inputs: - - router.functions + - functions_logs encoding: codec: 'json' method: 'post' diff --git a/supabase/update.js b/supabase/update.js index fdcaa71..8e8ae13 100644 --- a/supabase/update.js +++ b/supabase/update.js @@ -1,6 +1,6 @@ import utils from "../utils.js"; -await utils.cloneOrPullRepo({ repo: "https://github.com/supabase/supabase" }); +await utils.cloneOrPullRepo({ repo: "https://github.com/supabase/supabase", branch: "master" }); await utils.copyDir("./repo/docker", "./code"); await utils.removeContainerNames("./code/docker-compose.yml");