monacousa-portal/docker-compose.yml

# Monaco USA Portal - Docker Compose
# PRODUCTION: Only needs this file + .env — all config embedded in custom images.
# Includes: PostgreSQL, Supabase Services, SvelteKit App, and Migration Runner

services:
  # ============================================
  # PostgreSQL Database
  # ============================================
  db:
    image: code.letsbe.solutions/letsbe/monacousa-db:latest
    container_name: monacousa-db
    restart: unless-stopped
    ports:
      - "${POSTGRES_PORT:-5435}:5432"
    environment:
      POSTGRES_USER: ${POSTGRES_USER:-postgres}
      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-postgres}
      POSTGRES_DB: ${POSTGRES_DB:-postgres}
      JWT_SECRET: ${JWT_SECRET}
      JWT_EXP: ${JWT_EXPIRY:-3600}
    volumes:
      - db-data:/var/lib/postgresql/data
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U postgres"]
      interval: 10s
      timeout: 5s
      retries: 5
    networks:
      - monacousa-network

  # ============================================
  # Supabase Studio (Dashboard)
  # ============================================
  studio:
    image: supabase/studio:20241202-71e5240
    container_name: monacousa-studio
    restart: unless-stopped
    ports:
      - "${STUDIO_PORT:-7454}:3000"
    environment:
      STUDIO_PG_META_URL: http://meta:8080
      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-postgres}
      DEFAULT_ORGANIZATION_NAME: Monaco USA
      DEFAULT_PROJECT_NAME: Monaco USA Portal
      SUPABASE_URL: http://kong:8000
      SUPABASE_PUBLIC_URL: ${SUPABASE_PUBLIC_URL:-http://localhost:7455}
      SUPABASE_ANON_KEY: ${ANON_KEY}
      SUPABASE_SERVICE_KEY: ${SERVICE_ROLE_KEY}
    depends_on:
      meta:
        condition: service_healthy
    healthcheck:
      test: ["CMD-SHELL", "wget --no-verbose --tries=1 --spider http://localhost:3000 || exit 0"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 30s
    networks:
      - monacousa-network

  # ============================================
  # Kong API Gateway
  # ============================================
  kong:
    image: code.letsbe.solutions/letsbe/monacousa-kong:latest
    container_name: monacousa-kong
    restart: unless-stopped
    ports:
      - "${KONG_HTTP_PORT:-7455}:8000"
      - "${KONG_HTTPS_PORT:-7456}:8443"
    environment:
      KONG_DATABASE: "off"
      KONG_DECLARATIVE_CONFIG: /var/lib/kong/kong.yml
      KONG_DNS_ORDER: LAST,A,CNAME
      KONG_PLUGINS: request-transformer,cors,key-auth,acl,basic-auth
      KONG_NGINX_PROXY_PROXY_BUFFER_SIZE: 160k
      KONG_NGINX_PROXY_PROXY_BUFFERS: 64 160k
      ANON_KEY: ${ANON_KEY}
      SERVICE_ROLE_KEY: ${SERVICE_ROLE_KEY}
    depends_on:
      auth:
        condition: service_healthy
    networks:
      - monacousa-network

  # ============================================
  # GoTrue (Auth)
  # ============================================
  auth:
    image: supabase/gotrue:v2.164.0
    container_name: monacousa-auth
    restart: unless-stopped
    environment:
      GOTRUE_API_HOST: 0.0.0.0
      GOTRUE_API_PORT: 9999
      API_EXTERNAL_URL: ${API_EXTERNAL_URL:-http://localhost:7455}

      GOTRUE_DB_DRIVER: postgres
      GOTRUE_DB_DATABASE_URL: postgres://${POSTGRES_USER:-postgres}:${POSTGRES_PASSWORD:-postgres}@db:5432/${POSTGRES_DB:-postgres}?search_path=auth

      GOTRUE_SITE_URL: ${SITE_URL:-http://localhost:3000}
      GOTRUE_URI_ALLOW_LIST: ${ADDITIONAL_REDIRECT_URLS}
      GOTRUE_DISABLE_SIGNUP: ${DISABLE_SIGNUP:-false}

      GOTRUE_JWT_ADMIN_ROLES: service_role
      GOTRUE_JWT_AUD: authenticated
      GOTRUE_JWT_DEFAULT_GROUP_NAME: authenticated
      GOTRUE_JWT_EXP: ${JWT_EXPIRY:-3600}
      GOTRUE_JWT_SECRET: ${JWT_SECRET}

      GOTRUE_EXTERNAL_EMAIL_ENABLED: true
      GOTRUE_EXTERNAL_ANONYMOUS_USERS_ENABLED: false
      GOTRUE_MAILER_AUTOCONFIRM: ${ENABLE_EMAIL_AUTOCONFIRM:-false}

      GOTRUE_SMTP_HOST: ${SMTP_HOST:-}
      GOTRUE_SMTP_PORT: ${SMTP_PORT:-587}
      GOTRUE_SMTP_USER: ${SMTP_USER:-}
      GOTRUE_SMTP_PASS: ${SMTP_PASS:-}
      GOTRUE_SMTP_ADMIN_EMAIL: ${SMTP_ADMIN_EMAIL:-noreply@monacousa.org}
      GOTRUE_SMTP_SENDER_NAME: ${SMTP_SENDER_NAME:-Monaco USA}
      GOTRUE_MAILER_URLPATHS_INVITE: ${MAILER_URLPATHS_INVITE:-/auth/verify}
      GOTRUE_MAILER_URLPATHS_CONFIRMATION: ${MAILER_URLPATHS_CONFIRMATION:-/auth/verify}
      GOTRUE_MAILER_URLPATHS_RECOVERY: ${MAILER_URLPATHS_RECOVERY:-/auth/verify}
      GOTRUE_MAILER_URLPATHS_EMAIL_CHANGE: ${MAILER_URLPATHS_EMAIL_CHANGE:-/auth/verify}

      GOTRUE_RATE_LIMIT_EMAIL_SENT: ${RATE_LIMIT_EMAIL_SENT:-100}
    depends_on:
      db:
        condition: service_healthy
    healthcheck:
      test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://localhost:9999/health"]
      interval: 10s
      timeout: 5s
      retries: 5
    networks:
      - monacousa-network

  # ============================================
  # PostgREST (REST API)
  # ============================================
  rest:
    image: postgrest/postgrest:v12.2.0
    container_name: monacousa-rest
    restart: unless-stopped
    environment:
      PGRST_DB_URI: postgres://${POSTGRES_USER:-postgres}:${POSTGRES_PASSWORD:-postgres}@db:5432/${POSTGRES_DB:-postgres}
      PGRST_DB_SCHEMAS: ${PGRST_DB_SCHEMAS:-public,storage,graphql_public}
      PGRST_DB_ANON_ROLE: anon
      PGRST_JWT_SECRET: ${JWT_SECRET}
      PGRST_DB_USE_LEGACY_GUCS: "false"
      PGRST_APP_SETTINGS_JWT_SECRET: ${JWT_SECRET}
      PGRST_APP_SETTINGS_JWT_EXP: ${JWT_EXPIRY:-3600}
    depends_on:
      db:
        condition: service_healthy
    healthcheck:
      test: ["CMD-SHELL", "exit 0"]
      interval: 30s
      timeout: 5s
      retries: 3
      start_period: 10s
    networks:
      - monacousa-network

 # ============================================
  # Realtime
  # ============================================
  realtime:
    image: supabase/realtime:v2.33.58
    container_name: monacousa-realtime
    restart: unless-stopped
    environment:
      PORT: 4000
      DB_HOST: db
      DB_PORT: 5432
      DB_USER: ${POSTGRES_USER}
      DB_PASSWORD: ${POSTGRES_PASSWORD:-postgres}
      DB_NAME: ${POSTGRES_DB:-postgres}
      DB_AFTER_CONNECT_QUERY: 'SET search_path TO _realtime'
      DB_ENC_KEY: supabaserealtime
      API_JWT_SECRET: ${JWT_SECRET}
      SECRET_KEY_BASE: ${SECRET_KEY_BASE}
      ERL_AFLAGS: -proto_dist inet_tcp
      DNS_NODES: "''"
      RLIMIT_NOFILE: "10000"
      APP_NAME: realtime
      SEED_SELF_HOST: true
    depends_on:
      db:
        condition: service_healthy
    networks:
      - monacousa-network

  # ============================================
  # Storage API
  # ============================================
  storage:
    image: supabase/storage-api:v1.11.13
    container_name: monacousa-storage
    restart: unless-stopped
    environment:
      ANON_KEY: ${ANON_KEY}
      SERVICE_KEY: ${SERVICE_ROLE_KEY}
      POSTGREST_URL: http://rest:3000
      PGRST_JWT_SECRET: ${JWT_SECRET}
      DATABASE_URL: postgres://${POSTGRES_USER:-postgres}:${POSTGRES_PASSWORD:-postgres}@db:5432/${POSTGRES_DB:-postgres}
      FILE_SIZE_LIMIT: 52428800
      STORAGE_BACKEND: file
      FILE_STORAGE_BACKEND_PATH: /var/lib/storage
      TENANT_ID: stub
      REGION: stub
      GLOBAL_S3_BUCKET: stub
      ENABLE_IMAGE_TRANSFORMATION: "true"
      IMGPROXY_URL: http://imgproxy:8080
    volumes:
      - storage-data:/var/lib/storage
    depends_on:
      db:
        condition: service_healthy
      rest:
        condition: service_started
    healthcheck:
      test: ["CMD-SHELL", "wget --no-verbose --tries=1 --spider http://localhost:5000/status || exit 0"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 30s
    networks:
      - monacousa-network

  # ============================================
  # Image Proxy (for storage transformations)
  # ============================================
  imgproxy:
    image: darthsim/imgproxy:v3.8.0
    container_name: monacousa-imgproxy
    restart: unless-stopped
    environment:
      IMGPROXY_BIND: ":8080"
      IMGPROXY_LOCAL_FILESYSTEM_ROOT: /
      IMGPROXY_USE_ETAG: "true"
      IMGPROXY_ENABLE_WEBP_DETECTION: "true"
    volumes:
      - storage-data:/var/lib/storage
    healthcheck:
      test: ["CMD", "imgproxy", "health"]
      interval: 10s
      timeout: 5s
      retries: 5
    networks:
      - monacousa-network

  # ============================================
  # Postgres Meta (for Studio)
  # ============================================
  meta:
    image: supabase/postgres-meta:v0.84.2
    container_name: monacousa-meta
    restart: unless-stopped
    environment:
      PG_META_PORT: 8080
      PG_META_DB_HOST: db
      PG_META_DB_PORT: 5432
      PG_META_DB_NAME: ${POSTGRES_DB:-postgres}
      PG_META_DB_USER: ${POSTGRES_USER}
      PG_META_DB_PASSWORD: ${POSTGRES_PASSWORD:-postgres}
    depends_on:
      db:
        condition: service_healthy
    healthcheck:
      test: ["CMD-SHELL", "exit 0"]
      interval: 30s
      timeout: 5s
      retries: 3
      start_period: 10s
    networks:
      - monacousa-network

  # ============================================
  # Monaco USA Portal (SvelteKit App)
  # ============================================
  portal:
    image: code.letsbe.solutions/letsbe/monacousa-portal:latest
    container_name: monacousa-portal
    restart: unless-stopped
    ports:
      - "${PORTAL_PORT:-7453}:3000"
    environment:
      PUBLIC_SUPABASE_URL: ${PUBLIC_SUPABASE_URL:-http://localhost:7455}
      PUBLIC_SUPABASE_ANON_KEY: ${ANON_KEY}
      SUPABASE_SERVICE_ROLE_KEY: ${SERVICE_ROLE_KEY}
      SUPABASE_INTERNAL_URL: http://kong:8000
      NODE_ENV: production
      ORIGIN: http://localhost:7453
      # Body size limit for file uploads (50MB)
      BODY_SIZE_LIMIT: ${BODY_SIZE_LIMIT:-52428800}
    depends_on:
      kong:
        condition: service_started
      db:
        condition: service_healthy
    networks:
      - monacousa-network
    security_opt:
      - "no-new-privileges:true"
    read_only: true
    tmpfs:
      - "/tmp"
    deploy:
      resources:
        limits:
          memory: 512M
          cpus: '1.0'

  # ============================================
  # Database Migrations (one-shot)
  # Runs post-deploy.sql after storage-api creates its tables.
  # Idempotent - safe to run on every `docker compose up`.
  # ============================================
  migrate:
    image: code.letsbe.solutions/letsbe/monacousa-migrate:latest
    container_name: monacousa-migrate
    depends_on:
      db:
        condition: service_healthy
      storage:
        condition: service_started
    environment:
      PGHOST: db
      PGUSER: ${POSTGRES_USER:-postgres}
      PGPASSWORD: ${POSTGRES_PASSWORD:-postgres}
      PGDATABASE: ${POSTGRES_DB:-postgres}
    networks:
      - monacousa-network
    restart: "no"

# ============================================
# Networks
# ============================================
networks:
  monacousa-network:
    driver: bridge

# ============================================
# Volumes
# ============================================
volumes:
  db-data:
    driver: local
  storage-data:
    driver: local