Redesign deployment: only .env + docker-compose.yml needed on server

Custom Docker images embed all config so production servers no longer
need SQL files, kong.yml, or shell scripts. Kong generates config from
env vars at startup. Migrate container auto-detects fresh vs existing
DB and runs appropriate scripts.

New images: monacousa-db, monacousa-kong, monacousa-migrate
New commands: deploy.sh build-images, deploy.sh push-images

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

docker/db/00-init-schemas.sql

@@ -0,0 +1,93 @@
+-- Initialize required schemas and roles for Supabase services
+-- This runs FIRST (00- prefix) before other init scripts
+
+-- Create roles if they don't exist
+DO $$
+BEGIN
+    -- Create anon role
+    IF NOT EXISTS (SELECT FROM pg_catalog.pg_roles WHERE rolname = 'anon') THEN
+        CREATE ROLE anon NOLOGIN NOINHERIT;
+    END IF;
+
+    -- Create authenticated role
+    IF NOT EXISTS (SELECT FROM pg_catalog.pg_roles WHERE rolname = 'authenticated') THEN
+        CREATE ROLE authenticated NOLOGIN NOINHERIT;
+    END IF;
+
+    -- Create service_role
+    IF NOT EXISTS (SELECT FROM pg_catalog.pg_roles WHERE rolname = 'service_role') THEN
+        CREATE ROLE service_role NOLOGIN NOINHERIT BYPASSRLS;
+    END IF;
+
+    -- Create supabase_admin role
+    IF NOT EXISTS (SELECT FROM pg_catalog.pg_roles WHERE rolname = 'supabase_admin') THEN
+        CREATE ROLE supabase_admin LOGIN SUPERUSER CREATEDB CREATEROLE REPLICATION BYPASSRLS;
+    END IF;
+
+    -- Create authenticator role
+    IF NOT EXISTS (SELECT FROM pg_catalog.pg_roles WHERE rolname = 'authenticator') THEN
+        CREATE ROLE authenticator NOINHERIT LOGIN;
+    END IF;
+
+    -- Create supabase_auth_admin role
+    IF NOT EXISTS (SELECT FROM pg_catalog.pg_roles WHERE rolname = 'supabase_auth_admin') THEN
+        CREATE ROLE supabase_auth_admin NOLOGIN NOINHERIT;
+    END IF;
+
+    -- Create supabase_storage_admin role
+    IF NOT EXISTS (SELECT FROM pg_catalog.pg_roles WHERE rolname = 'supabase_storage_admin') THEN
+        CREATE ROLE supabase_storage_admin NOLOGIN NOINHERIT;
+    END IF;
+END
+$$;
+
+-- Grant roles
+GRANT anon TO authenticator;
+GRANT authenticated TO authenticator;
+GRANT service_role TO authenticator;
+GRANT supabase_admin TO postgres;
+
+-- Set passwords (use the same as postgres password from env)
+-- Note: These are set via ALTER ROLE since we can't use variables in CREATE ROLE
+ALTER ROLE supabase_admin WITH PASSWORD 'postgres';
+ALTER ROLE authenticator WITH PASSWORD 'postgres';
+
+-- Create schemas
+CREATE SCHEMA IF NOT EXISTS auth AUTHORIZATION supabase_auth_admin;
+CREATE SCHEMA IF NOT EXISTS storage AUTHORIZATION supabase_storage_admin;
+CREATE SCHEMA IF NOT EXISTS extensions;
+CREATE SCHEMA IF NOT EXISTS _realtime;
+CREATE SCHEMA IF NOT EXISTS graphql;
+CREATE SCHEMA IF NOT EXISTS graphql_public;
+
+-- Grant schema usage
+GRANT USAGE ON SCHEMA public TO anon, authenticated, service_role;
+GRANT USAGE ON SCHEMA auth TO anon, authenticated, service_role, supabase_auth_admin;
+GRANT USAGE ON SCHEMA storage TO anon, authenticated, service_role, supabase_storage_admin;
+GRANT USAGE ON SCHEMA extensions TO anon, authenticated, service_role;
+GRANT USAGE ON SCHEMA graphql_public TO anon, authenticated, service_role;
+
+-- Grant auth schema to supabase_auth_admin
+GRANT ALL ON SCHEMA auth TO supabase_auth_admin;
+GRANT ALL ON ALL TABLES IN SCHEMA auth TO supabase_auth_admin;
+GRANT ALL ON ALL SEQUENCES IN SCHEMA auth TO supabase_auth_admin;
+GRANT ALL ON ALL ROUTINES IN SCHEMA auth TO supabase_auth_admin;
+
+-- Grant storage schema to supabase_storage_admin
+GRANT ALL ON SCHEMA storage TO supabase_storage_admin;
+GRANT ALL ON ALL TABLES IN SCHEMA storage TO supabase_storage_admin;
+GRANT ALL ON ALL SEQUENCES IN SCHEMA storage TO supabase_storage_admin;
+GRANT ALL ON ALL ROUTINES IN SCHEMA storage TO supabase_storage_admin;
+
+-- Set default privileges
+ALTER DEFAULT PRIVILEGES IN SCHEMA auth GRANT ALL ON TABLES TO supabase_auth_admin;
+ALTER DEFAULT PRIVILEGES IN SCHEMA auth GRANT ALL ON SEQUENCES TO supabase_auth_admin;
+ALTER DEFAULT PRIVILEGES IN SCHEMA storage GRANT ALL ON TABLES TO supabase_storage_admin;
+ALTER DEFAULT PRIVILEGES IN SCHEMA storage GRANT ALL ON SEQUENCES TO supabase_storage_admin;
+
+-- Set search path
+ALTER DATABASE postgres SET search_path TO public, extensions;
+
+-- Create extensions in extensions schema
+CREATE EXTENSION IF NOT EXISTS "uuid-ossp" WITH SCHEMA extensions;
+CREATE EXTENSION IF NOT EXISTS "pgcrypto" WITH SCHEMA extensions;

docker/db/Dockerfile

@@ -0,0 +1,5 @@
+FROM supabase/postgres:15.8.1.060
+
+# Embed init scripts into the image so no volume mounts are needed
+COPY 00-init-schemas.sql /docker-entrypoint-initdb.d/00-init-schemas.sql
+COPY migrate.sh /docker-entrypoint-initdb.d/migrate.sh

docker/db/migrate.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+# Override the default Supabase migrate.sh
+# Our migrations are handled via init.sql which runs as postgres user
+echo "Skipping built-in migrate.sh - migrations handled by init.sql"
+exit 0