templates/blueprints/supabase/template.yml

variables:
  main_domain: ${randomDomain}
  postgres_password: ${password:32}
  jwt_secret: ${base64:32}
  dashboard_password: ${password:32}
  logflare_api_key: ${password:32}

config:
  domains:
    - serviceName: kong
      port: 8000
      host: ${main_domain}

  env:
    SUPABASE_HOST: ${main_domain}
    POSTGRES_PASSWORD: ${postgres_password}
    JWT_SECRET: ${jwt_secret}
    ANON_KEY: ${generateJWT({ role: "anon", iss: "supabase", iat: Math.floor(Date.now() / 1000), exp: Math.floor(Date.now() / 1000) + 100 * 365 * 24 * 60 * 60 }, jwt_secret)}
    SERVICE_ROLE_KEY: ${generateJWT({ role: "service_role", iss: "supabase", iat: Math.floor(Date.now() / 1000), exp: Math.floor(Date.now() / 1000) + 100 * 365 * 24 * 60 * 60 }, jwt_secret)}
    DASHBOARD_USERNAME: "supabase"
    DASHBOARD_PASSWORD: ${dashboard_password}
    POSTGRES_HOSTNAME: "db"
    POSTGRES_DB: "postgres"
    POSTGRES_PORT: "5432"
    KONG_HTTP_PORT: "8000"
    KONG_HTTPS_PORT: "8443"
    PGRST_DB_SCHEMAS: "public,storage,graphql_public"
    ADDITIONAL_REDIRECT_URLS: ""
    JWT_EXPIRY: "3600"
    DISABLE_SIGNUP: "false"
    MAILER_URLPATHS_CONFIRMATION: "\"/auth/v1/verify\""
    MAILER_URLPATHS_INVITE: "\"/auth/v1/verify\""
    MAILER_URLPATHS_RECOVERY: "\"/auth/v1/verify\""
    MAILER_URLPATHS_EMAIL_CHANGE: "\"/auth/v1/verify\""
    ENABLE_EMAIL_SIGNUP: "true"
    ENABLE_EMAIL_AUTOCONFIRM: "false"
    SMTP_ADMIN_EMAIL: "admin@example.com"
    SMTP_HOSTNAME: "supabase-mail"
    SMTP_PORT: "2500"
    SMTP_USER: "fake_mail_user"
    SMTP_PASS: "fake_mail_password"
    SMTP_SENDER_NAME: "fake_sender"
    ENABLE_ANONYMOUS_USERS: "false"
    ENABLE_PHONE_SIGNUP: "true"
    ENABLE_PHONE_AUTOCONFIRM: "true"
    STUDIO_DEFAULT_ORGANIZATION: "Default Organization"
    STUDIO_DEFAULT_PROJECT: "Default Project"
    STUDIO_PORT: "3000"
    IMGPROXY_ENABLE_WEBP_DETECTION: "true"
    FUNCTIONS_VERIFY_JWT: "false"
    LOGFLARE_LOGGER_BACKEND_API_KEY: ${logflare_api_key}
    LOGFLARE_API_KEY: ${logflare_api_key}
    DOCKER_SOCKET_LOCATION: "/var/run/docker.sock"
    GOOGLE_PROJECT_ID: "GOOGLE_PROJECT_ID"
    GOOGLE_PROJECT_NUMBER: "GOOGLE_PROJECT_NUMBER"

  mounts:
    - filePath: /volumes/api/kong.yml
      content: |
        _format_version: '2.1'
        _transform: true

        ###
        ### Consumers / Users
        ###
        consumers:
          - username: DASHBOARD
          - username: anon
            keyauth_credentials:
              - key: $SUPABASE_ANON_KEY
          - username: service_role
            keyauth_credentials:
              - key: $SUPABASE_SERVICE_KEY

        ###
        ### Access Control List
        ###
        acls:
          - consumer: anon
            group: anon
          - consumer: service_role
            group: admin

        ###
        ### Dashboard credentials
        ###
        basicauth_credentials:
          - consumer: DASHBOARD
            username: $DASHBOARD_USERNAME
            password: $DASHBOARD_PASSWORD

        ###
        ### API Routes
        ###
        services:
          ## Open Auth routes
          - name: auth-v1-open
            url: http://auth:9999/verify
            routes:
              - name: auth-v1-open
                strip_path: true
                paths:
                  - /auth/v1/verify
            plugins:
              - name: cors
          - name: auth-v1-open-callback
            url: http://auth:9999/callback
            routes:
              - name: auth-v1-open-callback
                strip_path: true
                paths:
                  - /auth/v1/callback
            plugins:
              - name: cors
          - name: auth-v1-open-authorize
            url: http://auth:9999/authorize
            routes:
              - name: auth-v1-open-authorize
                strip_path: true
                paths:
                  - /auth/v1/authorize
            plugins:
              - name: cors

          ## Secure Auth routes
          - name: auth-v1
            _comment: 'GoTrue: /auth/v1/* -> http://auth:9999/*'
            url: http://auth:9999/
            routes:
              - name: auth-v1-all
                strip_path: true
                paths:
                  - /auth/v1/
            plugins:
              - name: cors
              - name: key-auth
                config:
                  hide_credentials: false
              - name: acl
                config:
                  hide_groups_header: true
                  allow:
                    - admin
                    - anon

          ## Secure REST routes
          - name: rest-v1
            _comment: 'PostgREST: /rest/v1/* -> http://rest:3000/*'
            url: http://rest:3000/
            routes:
              - name: rest-v1-all
                strip_path: true
                paths:
                  - /rest/v1/
            plugins:
              - name: cors
              - name: key-auth
                config:
                  hide_credentials: true
              - name: acl
                config:
                  hide_groups_header: true
                  allow:
                    - admin
                    - anon

          ## Secure GraphQL routes
          - name: graphql-v1
            _comment: 'PostgREST: /graphql/v1/* -> http://rest:3000/rpc/graphql'
            url: http://rest:3000/rpc/graphql
            routes:
              - name: graphql-v1-all
                strip_path: true
                paths:
                  - /graphql/v1
            plugins:
              - name: cors
              - name: key-auth
                config:
                  hide_credentials: true
              - name: request-transformer