Self-host docker

.dockerignore

@@ -0,0 +1,139 @@
+# Git ignore rules
+*.untracked
+*.untracked.*
+
+.vercel
+
+# Misc
+.DS_Store
+.eslintcache
+.env.local
+.env.*.local
+
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*
+firebase-debug.log
+ui-debug.log
+.pnpm-debug.log
+.husky
+tmp
+
+vitest.config.ts.timestamp-*
+tsup.config.bundled_*
+
+# Dependencies
+node_modules
+
+# Build dirs
+.next
+build
+dist
+
+# Generated files
+.docusaurus
+.cache-loader
+**.tsbuildinfo
+
+.xata*
+
+# VS
+/.vs/slnx.sqlite-journal
+/.vs/slnx.sqlite
+/.vs
+.vscode/generated*
+
+# Jetbrains
+.idea
+
+# GitHub Actions runner
+/actions-runner
+/_work
+
+# DB
+dev.db*
+packages/adapter-prisma/prisma/dev.db
+packages/adapter-prisma/prisma/migrations
+db.sqlite
+packages/adapter-supabase/supabase/.branches
+packages/adapter-drizzle/.drizzle
+
+# Tests
+coverage
+dynamodblocal-bin
+firestore-debug.log
+test.schema.gql
+test-results
+playwright-report
+blob-report
+playwright/.cache
+
+# Turborepo
+.turbo
+
+# docusaurus
+docs/.docusaurus
+docs/manifest.mjs
+
+# Core
+packages/core/src/providers/oauth-types.ts
+packages/core/lib
+packages/core/providers
+docs/docs/reference/core
+
+# Next.js
+docs/docs/reference/nextjs
+next-env.d.ts
+
+# SvelteKit
+packages/frameworks-sveltekit/index.*
+packages/frameworks-sveltekit/client.*
+packages/frameworks-sveltekit/.svelte-kit
+packages/frameworks-sveltekit/package
+packages/frameworks-sveltekit/vite.config.js.timestamp-*
+packages/frameworks-sveltekit/vite.config.ts.timestamp-*
+docs/docs/reference/sveltekit
+
+# SolidStart
+docs/docs/reference/solidstart
+
+# Express
+docs/docs/reference/express
+
+# Adapters
+docs/docs/reference/adapter
+
+## Drizzle migration folder
+.drizzle
+
+# Sentry Config File
+.sentryclirc
+
+# Python
+__pycache__/
+.venv/
+
+# Docker ignore rules
+.changeset
+.git
+.github
+.turbo
+**/.turbo
+.vscode
+
+.env
+.env.*
+**/.env
+**/.env.*
+**/.next
+
+**/dist
+
+examples
+
+node_modules
+**/node_modules
+
+deploy
+!deploy/docker/**/entrypoint.sh
+docker-compose.yaml

.github/workflows/docker-build.yaml

@@ -0,0 +1,48 @@
+name: Docker Build and Push
+
+on:
+  push:
+    branches:
+      - main
+      - dev
+    tags:
+      - "*.*.*"
+
+jobs:
+  build-server:
+    name: Docker Build and Push Server
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ secrets.DOCKER_REPO }}/server
+          tags: |
+            type=ref,event=branch
+            type=sha,prefix=
+            type=match,pattern=\d.\d.\d
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to DockerHub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKER_USER }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+
+      - name: Build and push
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: ./docker/server/Dockerfile
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}

.gitignore

@@ -113,6 +113,6 @@ docs/docs/reference/adapter
 # Sentry Config File
 .sentryclirc
 
-# python
+# Python
 __pycache__/
 .venv/

.vscode/settings.json

@@ -43,6 +43,7 @@
     "pageview",
     "pkcco",
     "PKCE",
+    "pooler",
     "posthog",
     "Proxied",
     "psql",

apps/backend/next.config.mjs

@@ -47,6 +47,10 @@ const withConfiguredSentryConfig = (nextConfig) =>
 
 /** @type {import('next').NextConfig} */
 const nextConfig = {
+  // optionally set output to "standalone" for Docker builds
+  // https://nextjs.org/docs/pages/api-reference/next-config-js/output
+  output: process.env.NEXT_CONFIG_OUTPUT,
+
   // we're open-source, so we can provide source maps
   productionBrowserSourceMaps: true,
   poweredByHeader: false,

apps/backend/package.json

@@ -9,6 +9,8 @@
     "with-env:prod": "dotenv -c --",
     "dev": "concurrently -n \"dev,codegen,prisma-studio\" -k \"next dev --port 8102\" \"pnpm run codegen:watch\" \"pnpm run prisma-studio\"",
     "build": "pnpm run codegen && next build",
+    "docker-build": "pnpm run codegen && next build --experimental-build-mode compile",
+    "self-host-seed-script": "tsup --config prisma/tsup.config.ts",
     "analyze-bundle": "ANALYZE_BUNDLE=1 pnpm run build",
     "start": "next start --port 8102",
     "codegen-prisma": "pnpm run prisma generate",
@@ -76,8 +78,9 @@
     "@types/semver": "^7.5.8",
     "concurrently": "^8.2.2",
     "glob": "^10.4.1",
-    "prisma": "^5.9.1",
+    "prisma": "^5.20.0",
     "rimraf": "^5.0.5",
+    "tsup": "^8.3.0",
     "tsx": "^4.7.2"
   }
 }

apps/backend/prisma/seed-self-host.ts

@@ -0,0 +1,135 @@
+/* eslint-disable no-restricted-syntax */
+import { PrismaClient } from '@prisma/client';
+import { hashPassword } from "@stackframe/stack-shared/dist/utils/hashes";
+
+const prisma = new PrismaClient();
+
+async function seed() {
+  console.log('Seeding database...');
+
+  // Optional default admin user
+  const adminEmail = process.env.STACK_DEFAULT_DASHBOARD_USER_EMAIL;
+  const adminPassword = process.env.STACK_DEFAULT_DASHBOARD_USER_PASSWORD;
+  const adminInternalAccess = process.env.STACK_DEFAULT_DASHBOARD_USER_INTERNAL_ACCESS === 'true';
+
+  // Optionally disable sign up for "internal" project
+  const signUpEnabled = process.env.STACK_INTERNAL_SIGN_UP_ENABLED === 'true';
+
+  const existingProject = await prisma.project.findUnique({
+    where: {
+      id: 'internal',
+    },
+  });
+
+  if (existingProject) {
+    console.log('Internal project already exists, skipping seed script');
+    return;
+  }
+
+  await prisma.$transaction(async (tx) => {
+    const createdProject = await tx.project.create({
+      data: {
+        id: 'internal',
+        displayName: 'Stack Dashboard',
+        description: 'Stack\'s admin dashboard',
+        isProductionMode: false,
+        apiKeySets: {
+          create: [{
+            description: "Internal API key set",
+            // These keys must match the values used in the Stack dashboard env to be able to login via the UI.
+            publishableClientKey: process.env.NEXT_PUBLIC_STACK_PUBLISHABLE_CLIENT_KEY,
+            secretServerKey: process.env.STACK_SECRET_SERVER_KEY,
+            superSecretAdminKey: process.env.STACK_SUPER_SECRET_ADMIN_KEY,
+            expiresAt: new Date('2099-12-31T23:59:59Z'),
+          }],
+        },
+        config: {
+          create: {
+            allowLocalhost: true,
+            signUpEnabled, // see STACK_SIGN_UP_DISABLED var above
+            emailServiceConfig: {
+              create: {
+                proxiedEmailServiceConfig: {
+                  create: {}
+                }
+              }
+            },
+            createTeamOnSignUp: false,
+            clientTeamCreationEnabled: false,
+            authMethodConfigs: {
+              create: [
+                {
+                  passwordConfig: {
+                    create: {},
+                  }
+                },
+              ],
+            }
+          }
+        }
+      },
+    });
+
+    console.log('Internal project created');
+
+    // Create optional default admin user if credentials are provided.
+    // This user will be able to login to the dashboard with both email/password and magic link.
+    if (adminEmail && adminPassword) {
+      const newUser = await tx.projectUser.create({
+        data: {
+          projectId: 'internal',
+          serverMetadata: adminInternalAccess
+            ? { managedProjectIds: ['internal'] }
+            : undefined,
+        }
+      });
+
+      await tx.contactChannel.create({
+        data: {
+          projectUserId: newUser.projectUserId,
+          projectId: 'internal',
+          type: 'EMAIL' as const,
+          value: adminEmail as string,
+          isVerified: false,
+          isPrimary: 'TRUE',
+          usedForAuth: 'TRUE',
+        }
+      });
+
+      const passwordConfig = await tx.passwordAuthMethodConfig.findFirstOrThrow({
+        where: {
+          projectConfigId: createdProject.configId
+        },
+        include: {
+          authMethodConfig: true,
+        }
+      });
+
+      await tx.authMethod.create({
+        data: {
+          projectId: 'internal',
+          projectConfigId: createdProject.configId,
+          projectUserId: newUser.projectUserId,
+          authMethodConfigId: passwordConfig.authMethodConfigId,
+          passwordAuthMethod: {
+            create: {
+              passwordHash: await hashPassword(adminPassword),
+              projectUserId: newUser.projectUserId,
+            }
+          }
+        }
+      });
+
+      console.log('Initial admin user created: ', adminEmail);
+    }
+  });
+
+  console.log('Seeding complete!');
+}
+
+seed().catch(async (e) => {
+  console.error(e);
+  await prisma.$disconnect();
+  process.exit(1);
+// eslint-disable-next-line @typescript-eslint/no-misused-promises
+}).finally(async () => await prisma.$disconnect());

apps/backend/prisma/tsup.config.ts

@@ -0,0 +1,13 @@
+import { defineConfig } from 'tsup';
+
+// tsup config to build the self-hosting seed script so it can be
+// run in the Docker container with no extra dependencies.
+export default defineConfig({
+  entry: ['prisma/seed-self-host.ts'],
+  format: ['cjs'],
+  outDir: 'dist',
+  target: 'node22',
+  platform: 'node',
+  noExternal: ['@stackframe/stack-shared', '@prisma/client'],
+  clean: true
+});

apps/dashboard/next.config.mjs

@@ -61,6 +61,10 @@ const withConfiguredSentryConfig = (nextConfig) =>
 
 /** @type {import('next').NextConfig} */
 const nextConfig = {
+  // optionally set output to "standalone" for Docker builds
+  // https://nextjs.org/docs/pages/api-reference/next-config-js/output
+  output: process.env.NEXT_CONFIG_OUTPUT,
+
   pageExtensions: ["js", "jsx", "mdx", "ts", "tsx"],
 
   // we're open-source, so we can provide source maps