name: colectivo-dev # Self-hosted Supabase stack + Keycloak for local development. # Based on: https://github.com/supabase/supabase/tree/master/docker # # Start: just dev # Stop: just dev-stop # Reset: just dev-clean (drops volumes) services: # ── PostgreSQL 15 ─────────────────────────────────────────────────────────── db: image: supabase/postgres:15.1.1.78 restart: unless-stopped healthcheck: test: pg_isready -U postgres -h localhost interval: 5s timeout: 5s retries: 10 ports: - "5432:5432" environment: POSTGRES_HOST: /var/run/postgresql POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-postgres} JWT_SECRET: ${SUPABASE_JWT_SECRET} JWT_EXP: 3600 volumes: - db-data:/var/lib/postgresql/data # Sets internal role passwords to POSTGRES_PASSWORD on first init. - ./db-init:/docker-entrypoint-initdb.d:ro # ── GoTrue (Supabase Auth) ────────────────────────────────────────────────── auth: image: supabase/gotrue:v2.158.1 restart: unless-stopped depends_on: db: condition: service_healthy environment: GOTRUE_API_HOST: "0.0.0.0" GOTRUE_API_PORT: 9999 API_EXTERNAL_URL: ${PUBLIC_APP_URL:-http://localhost:5173} GOTRUE_API_EXTERNAL_URL: ${PUBLIC_APP_URL:-http://localhost:5173} GOTRUE_DB_DRIVER: postgres GOTRUE_DB_DATABASE_URL: postgres://supabase_auth_admin:${POSTGRES_PASSWORD:-postgres}@db:5432/postgres GOTRUE_SITE_URL: ${PUBLIC_APP_URL:-http://localhost:5173} GOTRUE_JWT_SECRET: ${SUPABASE_JWT_SECRET} GOTRUE_JWT_EXP: 3600 GOTRUE_DISABLE_SIGNUP: "true" # OIDC: Keycloak as external provider GOTRUE_EXTERNAL_KEYCLOAK_ENABLED: "true" GOTRUE_EXTERNAL_KEYCLOAK_CLIENT_ID: ${PUBLIC_KEYCLOAK_CLIENT_ID:-colectivo-web} GOTRUE_EXTERNAL_KEYCLOAK_SECRET: "" # GoTrue fetches Keycloak's OIDC discovery doc at this URL (Docker-internal hostname). # The browser also uses this hostname — add "127.0.0.1 keycloak" to /etc/hosts. GOTRUE_EXTERNAL_KEYCLOAK_URL: http://keycloak:8080/realms/colectivo # Keycloak redirects the browser here after login; GoTrue exchanges the code. GOTRUE_EXTERNAL_KEYCLOAK_REDIRECT_URI: http://localhost:8001/auth/v1/callback GOTRUE_MAILER_AUTOCONFIRM: "true" # ── PostgREST ─────────────────────────────────────────────────────────────── rest: image: postgrest/postgrest:v12.2.0 restart: unless-stopped depends_on: db: condition: service_healthy environment: PGRST_DB_URI: postgres://authenticator:${POSTGRES_PASSWORD:-postgres}@db:5432/postgres PGRST_DB_SCHEMAS: public,storage,graphql_public PGRST_DB_ANON_ROLE: anon PGRST_JWT_SECRET: ${SUPABASE_JWT_SECRET} PGRST_DB_USE_LEGACY_GUCS: "false" PGRST_APP_SETTINGS_JWT_SECRET: ${SUPABASE_JWT_SECRET} PGRST_APP_SETTINGS_JWT_EXP: 3600 # ── Realtime ───────────────────────────────────────────────────────────────── realtime: image: supabase/realtime:v2.83.0 restart: unless-stopped depends_on: db: condition: service_healthy environment: PORT: 4000 DB_HOST: db DB_PORT: 5432 DB_USER: supabase_replication_admin DB_PASSWORD: ${POSTGRES_PASSWORD:-postgres} DB_NAME: postgres DB_AFTER_CONNECT_QUERY: SET search_path TO _realtime DB_ENC_KEY: supabaserealtime API_JWT_SECRET: ${SUPABASE_JWT_SECRET} FLY_ALLOC_ID: fly123 FLY_APP_NAME: realtime APP_NAME: realtime SECRET_KEY_BASE: UpNVntn3cDxHJpq99YMc1T1AQgQpc8kfYTuRgBiYa15BLrx8etQoXz3bhZkeYTvU ERL_AFLAGS: -proto_dist inet_tcp ENABLE_TAILSCALE: "false" DNS_NODES: "''" RLIMIT_NOFILE: "" METRICS_JWT_SECRET: ${SUPABASE_JWT_SECRET} MAX_HEADER_LENGTH: 4096 command: sh -c "/app/bin/migrate && /app/bin/realtime eval 'Realtime.Release.seeds(Realtime.Repo)' && /app/bin/server" # ── Storage ────────────────────────────────────────────────────────────────── storage: image: supabase/storage-api:v1.11.13 restart: unless-stopped depends_on: db: condition: service_healthy rest: condition: service_started environment: ANON_KEY: ${PUBLIC_SUPABASE_ANON_KEY} SERVICE_KEY: ${SUPABASE_SERVICE_ROLE_KEY} POSTGREST_URL: http://rest:3000 PGRST_JWT_SECRET: ${SUPABASE_JWT_SECRET} DATABASE_URL: postgres://supabase_storage_admin:${POSTGRES_PASSWORD:-postgres}@db:5432/postgres FILE_SIZE_LIMIT: 52428800 STORAGE_BACKEND: file FILE_STORAGE_BACKEND_PATH: /var/lib/storage TENANT_ID: stub REGION: local GLOBAL_S3_BUCKET: stub ENABLE_IMAGE_TRANSFORMATION: "true" IMGPROXY_URL: http://imgproxy:5001 volumes: - storage-data:/var/lib/storage # ── ImgProxy (image transformations for Storage) ────────────────────────── imgproxy: image: darthsim/imgproxy:v3.8.0 restart: unless-stopped environment: IMGPROXY_BIND: ":5001" IMGPROXY_LOCAL_FILESYSTEM_ROOT: / IMGPROXY_USE_ETAG: "true" IMGPROXY_ENABLE_WEBP_DETECTION: "true" volumes: - storage-data:/var/lib/storage:ro # ── Kong (API Gateway) ──────────────────────────────────────────────────── kong: image: kong:2.8.1 restart: unless-stopped ports: - "8001:8000" # HTTP API (8000 may conflict; use http://localhost:8001) - "8443:8443" # HTTPS API depends_on: db: condition: service_healthy environment: KONG_DATABASE: "off" KONG_DECLARATIVE_CONFIG: /home/kong/kong.yml KONG_DNS_ORDER: LAST,A,CNAME KONG_PLUGINS: request-transformer,cors,key-auth,acl,basic-auth KONG_NGINX_PROXY_PROXY_BUFFER_SIZE: 160k KONG_NGINX_PROXY_PROXY_BUFFERS: 64 160k SUPABASE_ANON_KEY: ${PUBLIC_SUPABASE_ANON_KEY} SUPABASE_SERVICE_KEY: ${SUPABASE_SERVICE_ROLE_KEY} volumes: - ./kong.yml:/home/kong/kong.yml:ro # ── Supabase Studio ─────────────────────────────────────────────────────── studio: image: supabase/studio:2026.04.08-sha-205cbe7 restart: unless-stopped ports: - "54323:3000" # Override the built-in healthcheck (it uses node fetch which fails inside the container). # The studio works fine; this just prevents a misleading "unhealthy" status. healthcheck: test: ["CMD-SHELL", "curl -sf http://localhost:3000/api/platform/profile || exit 1"] interval: 10s timeout: 5s retries: 5 start_period: 20s depends_on: db: condition: service_healthy environment: STUDIO_PG_META_URL: http://meta:8080 POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-postgres} DEFAULT_ORGANIZATION_NAME: Colectivo DEFAULT_PROJECT_NAME: colectivo-dev SUPABASE_URL: http://kong:8000 SUPABASE_PUBLIC_URL: ${PUBLIC_SUPABASE_URL:-http://localhost:8001} SUPABASE_ANON_KEY: ${PUBLIC_SUPABASE_ANON_KEY} SUPABASE_SERVICE_KEY: ${SUPABASE_SERVICE_ROLE_KEY} AUTH_JWT_SECRET: ${SUPABASE_JWT_SECRET} LOGFLARE_API_KEY: "" LOGFLARE_URL: http://analytics:4000 NEXT_PUBLIC_ENABLE_LOGS: "true" NEXT_ANALYTICS_BACKEND_PROVIDER: postgres # ── pg-meta (metadata API for Studio) ─────────────────────────────────── meta: image: supabase/postgres-meta:v0.83.2 restart: unless-stopped depends_on: db: condition: service_healthy environment: PG_META_PORT: 8080 PG_META_DB_HOST: db PG_META_DB_PORT: 5432 PG_META_DB_NAME: postgres PG_META_DB_USER: supabase PG_META_DB_PASSWORD: ${POSTGRES_PASSWORD:-postgres} # ── Keycloak 24 ────────────────────────────────────────────────────────── keycloak: image: quay.io/keycloak/keycloak:24.0.5 restart: unless-stopped ports: - "8080:8080" command: start-dev --import-realm environment: KC_DB: dev-file KEYCLOAK_ADMIN: ${KEYCLOAK_ADMIN:-admin} KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD:-admin} KC_HTTP_PORT: 8080 KC_HOSTNAME_STRICT: "false" KC_HOSTNAME_STRICT_HTTPS: "false" volumes: - keycloak-data:/opt/keycloak/data - ../keycloak/realm-export.json:/opt/keycloak/data/import/realm-export.json:ro volumes: db-data: storage-data: keycloak-data: