Multi-tenant control plane for self-hosted Supabase — provision and manage many isolated projects, each on shared local Docker infrastructure or its own dedicated AWS EC2 instance, from one dashboard.
See DEPLOY.md for setup, configuration, and running the console.
| Piece | Where |
|---|---|
| Control-plane backend (Hono + better-auth) | src/ |
| Dashboard (forked Supabase Studio) | separate repo — notpointless/supabase, branch chore/console-fork |
| Per-project Supabase stack template | src/projects/stack/compose.base.yml |
| Provisioners (shared Docker / dedicated EC2) | src/projects/ |
| Background jobs (graphile-worker) | src/jobs/ |
| Database schema & migrations (Drizzle) | src/db/, drizzle.config.ts |
| CLI manifest | pointless.toml |
| Deployment guide | DEPLOY.md |
| Service | Port |
|---|---|
| Control-plane backend | 3000 |
| Dashboard (forked Studio) | 8082 |
| Control-plane Postgres | 5432 |
| Mailpit (dev inbox) | 8025 (SMTP 1025) |
| Provisioned project stacks | 20000+ (PORT_BASE, a block of 4 per project) |
Each provisioned project claims a contiguous block from PORT_BASE — Kong API, Kong
HTTPS, and direct Postgres, with the pooler port reserved — so the first project takes
20000–20003, the next 20004–20007, and so on.
- Two processes. This repo is the control-plane backend (
:3000); the dashboard is a forked Supabase Studio (:8082) that proxies to it. Run both — seeDEPLOY.md. - Shared or dedicated. A project runs either as a local Docker Compose stack on shared infrastructure or on its own AWS EC2 instance in your account, using per-organization AWS credentials.
- First run.
http://localhost:8082/dashboardredirects to/setup/installto create the first admin. Auth is better-auth: sessions, scoped API tokens, SAML SSO, TOTP MFA, and organizations with role-based access. - Deploy from GitHub. Connect a repo to apply
supabase/migrationson push; every pull request gets an isolated preview branch, torn down when the PR closes. - Lifecycle as jobs. Provision, pause/resume, restart, resize compute & disk, branches, and backups all run as graphile-worker tasks, serialized per project.
- Secrets at rest (AWS credentials, OAuth/GitHub/SMTP secrets) are encrypted with
ENCRYPTION_KEY; nothing sensitive is committed.