
@xantiagoma
Last active August 9, 2025 19:58
Convex Dokploy Postgres TLS
# --- PostgreSQL Database Credentials ---
# Read by the `db` service through ${POSTGRES_USER}, ${POSTGRES_PASSWORD} and ${POSTGRES_DB}.
# <password> is a placeholder: substitute a strong, unique secret and treat this file as sensitive.
POSTGRES_USER=convex
POSTGRES_PASSWORD=<password>
POSTGRES_DB=convex_self_hosted
# --- Convex Backend Connection Details ---
# User and password must match the credentials above; percent-encode any URL-reserved
# characters in the password, otherwise the URL will not parse as intended.
# Host `db` is the compose service name and also the name placed in the server
# certificate (CN and subjectAltName), so hostname verification depends on it.
POSTGRES_URL=postgresql://convex:<password>@db:5432
# Path inside the backend container; the compose file mounts the `certs` volume
# at /etc/ssl/certs/convex-ca, which is where root.crt appears.
PG_CA_FILE=/etc/ssl/certs/convex-ca/root.crt
# --- Public URLs for Convex ---
# NEXT_PUBLIC_DEPLOYMENT_URL is passed to the dashboard service; the two
# CONVEX_*_ORIGIN values are passed to the backend service.
NEXT_PUBLIC_DEPLOYMENT_URL=https://convex-api.domain.dev
CONVEX_CLOUD_ORIGIN=https://convex-api.domain.dev
CONVEX_SITE_ORIGIN=https://convex-site.domain.dev
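# Self-hosted Convex with PostgreSQL reached over TLS.
# A one-shot job creates a private CA and a server certificate for host `db`;
# Postgres serves that certificate and the backend trusts the CA via PG_CA_FILE.
services:
  # One-shot job: writes the CA certificate and the `db` server certificate/key
  # into the shared `certs` volume, then exits. Skipped when root.crt exists.
  cert-generator:
    # NOTE(review): `latest` is a moving tag; pin a specific Alpine release
    # (ideally by digest) so the image that handles key material is reproducible.
    image: alpine:latest
    container_name: convex-cert-generator
    volumes:
      - certs:/certs
    # The CA private key (root.key) is only needed to sign server.crt, and this
    # job never re-signs once root.crt exists, so it is deleted after signing
    # instead of staying in a volume that is mounted into `db` and `backend`.
    # Volumes created before this change still contain root.key; remove it by hand.
    # 70:70 is expected to be the postgres user/group of the postgres Alpine
    # image - confirm if the db image changes.
    command:
      - sh
      - "-c"
      - |
        apk add --no-cache openssl &&
        if [ ! -f /certs/root.crt ]; then
          echo 'Generating certificates...' &&
          openssl req -new -x509 -days 3650 -nodes -text -out /certs/root.crt -keyout /certs/root.key -subj '/CN=convex-db-ca' &&
          openssl req -new -nodes -text -out /certs/server.csr -keyout /certs/server.key -subj '/CN=db' &&
          echo 'subjectAltName=DNS:db' > /certs/extfile.cnf &&
          openssl x509 -req -in /certs/server.csr -text -days 3650 -CA /certs/root.crt -CAkey /certs/root.key -CAcreateserial -out /certs/server.crt -extfile /certs/extfile.cnf &&
          rm /certs/root.key &&
          chown 70:70 /certs/* &&
          chmod 600 /certs/server.key &&
          rm /certs/server.csr &&
          rm /certs/extfile.cnf &&
          echo 'Certificates with correct SAN generated and permissions set successfully.'
        else
          echo 'Certificates already exist. Skipping generation.'
        fi

  # PostgreSQL with TLS enabled, started only after the certificates exist.
  db:
    image: postgres:15-alpine
    container_name: convex-db-tls
    restart: unless-stopped
    depends_on:
      cert-generator:
        condition: service_completed_successfully
    # ssl=on makes TLS available; it does not by itself reject plaintext
    # connections. NOTE(review): to refuse non-TLS clients on the server side,
    # pg_hba.conf needs `hostssl` rules - not configured in this file.
    command: >
      -c ssl=on
      -c ssl_cert_file=/var/lib/postgresql/certs/server.crt
      -c ssl_key_file=/var/lib/postgresql/certs/server.key
      -c ssl_ca_file=/var/lib/postgresql/certs/root.crt
    volumes:
      - certs:/var/lib/postgresql/certs:ro
      - db-data:/var/lib/postgresql/data
    environment:
      - POSTGRES_USER=${POSTGRES_USER}
      - POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
      - POSTGRES_DB=${POSTGRES_DB}
    healthcheck:
      # Explicit -U/-d so the probe uses the configured role and database
      # rather than pg_isready's defaults.
      test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER} -d ${POSTGRES_DB}"]
      interval: 10s
      timeout: 5s
      retries: 5

  # Convex backend; connects to `db` using POSTGRES_URL and trusts PG_CA_FILE.
  backend:
    image: ghcr.io/get-convex/convex-backend:33cef775a8a6228cbacee4a09ac2c4073d62ed13
    restart: unless-stopped
    depends_on:
      db:
        condition: service_healthy
    stop_grace_period: 10s
    stop_signal: SIGINT
    # Published on every host interface unless a host IP is prefixed; if a
    # reverse proxy already fronts these ports, consider not publishing them.
    ports:
      - "${PORT:-3210}:3210"
      - "${SITE_PROXY_PORT:-3211}:3211"
    volumes:
      # NOTE(review): this mounts the whole `certs` volume, so server.key is
      # visible in the backend container although only root.crt is referenced
      # (PG_CA_FILE). A separate volume holding just root.crt would avoid that.
      - certs:/etc/ssl/certs/convex-ca:ro
      - data:/convex/data
    environment:
      - POSTGRES_URL=${POSTGRES_URL}
      - PG_CA_FILE=${PG_CA_FILE}
      - CONVEX_CLOUD_ORIGIN=${CONVEX_CLOUD_ORIGIN}
      - CONVEX_SITE_ORIGIN=${CONVEX_SITE_ORIGIN}
      - INSTANCE_NAME=${INSTANCE_NAME:-}
      - INSTANCE_SECRET=${INSTANCE_SECRET:-}
      - CONVEX_RELEASE_VERSION_DEV=${CONVEX_RELEASE_VERSION_DEV:-}
      - ACTIONS_USER_TIMEOUT_SECS=${ACTIONS_USER_TIMEOUT_SECS:-}
      - DATABASE_URL=${DATABASE_URL:-}
      - DISABLE_BEACON=${DISABLE_BEACON:-}
      - REDACT_LOGS_TO_CLIENT=${REDACT_LOGS_TO_CLIENT:-}
      # presumably disables the backend's TLS requirement for the database
      # connection; leave unset for this TLS setup - confirm against Convex docs
      - DO_NOT_REQUIRE_SSL=${DO_NOT_REQUIRE_SSL:-}
      - MYSQL_URL=${MYSQL_URL:-}
      - RUST_LOG=${RUST_LOG:-info}
      - RUST_BACKTRACE=${RUST_BACKTRACE:-}
      - AWS_REGION=${AWS_REGION:-}
      - AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID:-}
      - AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY:-}
      - AWS_SESSION_TOKEN=${AWS_SESSION_TOKEN:-}
      - AWS_S3_FORCE_PATH_STYLE=${AWS_S3_FORCE_PATH_STYLE:-}
      - S3_STORAGE_EXPORTS_BUCKET=${S3_STORAGE_EXPORTS_BUCKET:-}
      - S3_STORAGE_SNAPSHOT_IMPORTS_BUCKET=${S3_STORAGE_SNAPSHOT_IMPORTS_BUCKET:-}
      - S3_STORAGE_MODULES_BUCKET=${S3_STORAGE_MODULES_BUCKET:-}
      - S3_STORAGE_FILES_BUCKET=${S3_STORAGE_FILES_BUCKET:-}
      - S3_STORAGE_SEARCH_BUCKET=${S3_STORAGE_SEARCH_BUCKET:-}
      - S3_ENDPOINT_URL=${S3_ENDPOINT_URL:-}
    healthcheck:
      test: curl -f http://localhost:3210/version
      interval: 5s
      start_period: 10s

  # Convex dashboard; started once the backend reports healthy.
  dashboard:
    image: ghcr.io/get-convex/convex-dashboard:33cef775a8a6228cbacee4a09ac2c4073d62ed13
    restart: unless-stopped
    depends_on:
      backend:
        condition: service_healthy
    stop_grace_period: 10s
    stop_signal: SIGINT
    # Published on every host interface unless a host IP is prefixed.
    ports:
      - "${DASHBOARD_PORT:-6791}:6791"
    environment:
      - NEXT_PUBLIC_DEPLOYMENT_URL=${NEXT_PUBLIC_DEPLOYMENT_URL}

# Named volumes: backend data, Postgres data, and the shared TLS material.
volumes:
  data:
  db-data:
  certs: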
# Open a shell in the backend container, then run the key generator from inside it.
# NOTE(review): `docker compose exec` takes a compose service name (`backend` in the
# compose file above); with a container ID the equivalent is `docker exec -it <id> /bin/bash`
# - confirm which one applies to your deployment.
docker compose exec <convex-backend-container-id> /bin/bash
# presumably prints an admin key for this deployment; treat the output as a secret
./generate_admin_key.sh