create Docker builds and add docker-compose config for self-hosting

.dockerignore

@@ -0,0 +1,23 @@
+.changeset
+.git
+.github
+.turbo
+**/.turbo
+.vscode
+
+.env
+.env.*
+**/.env
+**/.env.*
+**/.next
+
+**/dist
+
+examples
+
+node_modules
+**/node_modules
+
+deploy
+!deploy/docker/**/entrypoint.sh
+docker-compose.yaml

.github/workflows/docker-build.yaml

@@ -0,0 +1,87 @@
+name: Docker Build and Push
+
+on:
+  push:
+    branches:
+      - dev
+      - main
+      - docker-build # remove me before PR merge
+    tags:
+      - "*.*.*"
+
+jobs:
+  build-dashboard:
+    name: Docker Build and Push Dashboard
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ secrets.DOCKER_REPO }}/stack-dashboard
+          tags: |
+            type=ref,event=branch
+            type=sha,prefix=
+            type=match,pattern=\d.\d.\d
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to DockerHub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKER_USER }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+
+      - name: Build and push
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: ./deploy/docker/dashboard/Dockerfile
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+
+  build-backend:
+    name: Docker Build and Push Backend
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ secrets.DOCKER_REPO }}/stack-backend
+          tags: |
+            type=ref,event=branch
+            type=sha,prefix=
+            type=match,pattern=\d.\d.\d
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to DockerHub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKER_USER }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+
+      - name: Build and push
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: ./deploy/docker/backend/Dockerfile
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}

apps/backend/.env.docker

@@ -0,0 +1,34 @@
+
+STACK_BASE_URL=http://host.docker.internal:8102
+STACK_SERVER_SECRET=23-wuNpik0gIW4mruTz25rbIvhuuvZFrLOLtL7J4tyo
+
+# Postgres connection strings
+STACK_DATABASE_CONNECTION_STRING=postgres://stack:stack123@postgres:5432/stack
+STACK_DIRECT_DATABASE_CONNECTION_STRING=postgres://stack:stack123@postgres:5432/stack
+
+# optionally skip migrations on container startup
+STACK_SKIP_MIGRATIONS="false"
+
+# run Prisma seed script on container startup
+STACK_RUN_SEED_SCRIPT="true"
+
+# Self-host seed script options
+# Optionally create a default admin user and disable signups to the platform when the seed script is run.
+# This can be useful for self hosted deployments where you want to restrict access to the Stack "internal" project.
+# If not specified, no user will be created and you will have to create the first user manually by signing up.
+# [email protected]
+# STACK_DEFAULT_ADMIN_PASSWORD=admin123
+# STACK_DEFAULT_ADMIN_DISPLAY_NAME=Admin
+
+# Sign up
+STACK_SIGN_UP_DISABLED= # set to "true" to disable sign up on the platform ("internal" project). If set to "true", the default admin user above will need to be created to log in
+
+STACK_EMAIL_HOST=inbucket
+STACK_EMAIL_PORT=2500
+STACK_EMAIL_SECURE=false
+STACK_EMAIL_USERNAME=does not matter, ignored by Inbucket
+STACK_EMAIL_PASSWORD=does not matter, ignored by Inbucket
+[email protected]
+
+STACK_SVIX_SERVER_URL=http://host.docker.internal:8113
+STACK_SVIX_API_KEY=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE2NTUxNDA2MzksImV4cCI6MTk3MDUwMDYzOSwibmJmIjoxNjU1MTQwNjM5LCJpc3MiOiJzdml4LXNlcnZlciIsInN1YiI6Im9yZ18yM3JiOFlkR3FNVDBxSXpwZ0d3ZFhmSGlyTXUifQ.En8w77ZJWbd0qrMlHHupHUB-4cx17RfzFykseg95SUk

apps/backend/next.config.mjs

@@ -49,6 +49,10 @@ const withConfiguredSentryConfig = (nextConfig) =>
 
 /** @type {import('next').NextConfig} */
 const nextConfig = {
+  // optionally set output to "standalone" for Docker builds
+  // https://nextjs.org/docs/pages/api-reference/next-config-js/output
+  output: process.env.NEXT_CONFIG_OUTPUT,
+
   // we're open-source, so we can provide source maps
   productionBrowserSourceMaps: true,
   poweredByHeader: false,

apps/backend/package.json

@@ -9,6 +9,7 @@
     "with-env:prod": "dotenv -c --",
     "dev": "concurrently -n \"dev,codegen,prisma-studio\" -k \"next dev --port 8102\" \"pnpm run codegen:watch\" \"pnpm run prisma-studio\"",
     "build": "pnpm run codegen && next build",
+    "build:self-host-seed-script": "tsup --config prisma/tsup.config.ts",
     "analyze-bundle": "ANALYZE_BUNDLE=1 pnpm run build",
     "start": "next start --port 8102",
     "codegen-prisma": "pnpm run prisma generate",
@@ -41,8 +42,8 @@
     "@opentelemetry/sdk-trace-base": "^1.26.0",
     "@opentelemetry/sdk-trace-node": "^1.26.0",
     "@opentelemetry/semantic-conventions": "^1.27.0",
-    "@prisma/client": "^5.9.1",
-    "@prisma/instrumentation": "^5.19.1",
+    "@prisma/client": "^5.20.0",
+    "@prisma/instrumentation": "^5.20.0",
     "@sentry/nextjs": "^7.105.0",
     "@stackframe/stack-emails": "workspace:*",
     "@stackframe/stack-shared": "workspace:*",
@@ -53,6 +54,7 @@
     "dotenv-cli": "^7.3.0",
     "jose": "^5.2.2",
     "next": "^14.2.5",
+    "next-runtime-env": "^3.2.2",
     "nodemailer": "^6.9.10",
     "openid-client": "^5.6.4",
     "oslo": "^1.2.1",
@@ -73,8 +75,9 @@
     "@types/semver": "^7.5.8",
     "concurrently": "^8.2.2",
     "glob": "^10.4.1",
-    "prisma": "^5.9.1",
+    "prisma": "^5.20.0",
     "rimraf": "^5.0.5",
+    "tsup": "^8.3.0",
     "tsx": "^4.7.2"
   }
 }

apps/backend/prisma/seed-self-host.ts

@@ -0,0 +1,164 @@
+/* eslint-disable no-restricted-syntax */
+import { BooleanTrue, PrismaClient } from '@prisma/client';
+import { hashPassword } from '@stackframe/stack-shared/dist/utils/password';
+
+const prisma = new PrismaClient();
+
+async function seed() {
+  console.log('Seeding database...');
+
+  // Optional default admin user
+  const adminDisplayName = process.env.STACK_DEFAULT_ADMIN_DISPLAY_NAME || 'Admin';
+  const adminEmail = process.env.STACK_DEFAULT_ADMIN_EMAIL;
+  const adminPassword = process.env.STACK_DEFAULT_ADMIN_PASSWORD;
+
+  // Optionally disable sign up for "internal" project
+  const signUpEnabled = process.env.STACK_SIGN_UP_DISABLED !== 'true';
+
+  const existingProject = await prisma.project.findUnique({
+    where: {
+      id: 'internal',
+    },
+  });
+
+  if (existingProject) {
+    console.log('Internal project already exists, skipping seed script');
+    return;
+  }
+
+  await prisma.$transaction(async (tx) => {
+    const createdProject = await tx.project.create({
+      data: {
+        id: 'internal',
+        displayName: 'Stack Dashboard',
+        description: 'Stack\'s admin dashboard',
+        isProductionMode: false,
+        apiKeySets: {
+          create: [{
+            description: "Internal API key set",
+            // These keys must match the values used in the Stack dashboard env to be able to login via the UI.
+            publishableClientKey: process.env.NEXT_PUBLIC_STACK_PUBLISHABLE_CLIENT_KEY,
+            secretServerKey: process.env.STACK_SECRET_SERVER_KEY,
+            superSecretAdminKey: process.env.STACK_SUPER_SECRET_ADMIN_KEY,
+            expiresAt: new Date('2099-12-31T23:59:59Z'),
+          }],
+        },
+        config: {
+          create: {
+            allowLocalhost: true,
+            signUpEnabled, // see STACK_SIGN_UP_DISABLED var above
+            emailServiceConfig: {
+              create: {
+                proxiedEmailServiceConfig: {
+                  create: {}
+                }
+              }
+            },
+            createTeamOnSignUp: false,
+            clientTeamCreationEnabled: false,
+            authMethodConfigs: {
+              create: [
+                {
+                  otpConfig: {
+                    create: {
+                      contactChannelType: 'EMAIL',
+                    }
+                  }
+                },
+                {
+                  passwordConfig: {
+                    create: {},
+                  }
+                },
+              ],
+            }
+          }
+        }
+      },
+    });
+
+    console.log('Internal project created');
+
+    // Create optional default admin user if credentials are provided.
+    // This user will be able to login to the dashboard with both email/password and magic link.
+    if (adminEmail && adminPassword) {
+      const newUser = await tx.projectUser.create({
+        data: {
+          projectId: 'internal',
+          displayName: adminDisplayName,
+          serverMetadata: { managedProjectIds: ['internal'] }
+        }
+      });
+
+      await tx.contactChannel.create({
+        data: {
+          projectUserId: newUser.projectUserId,
+          projectId: 'internal',
+          type: 'EMAIL' as const,
+          value: adminEmail as string,
+          isVerified: true,
+          isPrimary: 'TRUE',
+          usedForAuth: BooleanTrue.TRUE,
+        }
+      });
+
+      const otpConfig = await tx.otpAuthMethodConfig.findFirstOrThrow({
+        where: {
+          projectConfigId: createdProject.configId
+        },
+        include: {
+          authMethodConfig: true,
+        }
+      });
+
+      await tx.authMethod.create({
+        data: {
+          projectId: 'internal',
+          projectUserId: newUser.projectUserId,
+          projectConfigId: createdProject.configId,
+          authMethodConfigId: otpConfig.authMethodConfigId,
+          otpAuthMethod: {
+            create: {
+              projectUserId: newUser.projectUserId,
+            }
+          }
+        }
+      });
+
+      const passwordConfig = await tx.passwordAuthMethodConfig.findFirstOrThrow({
+        where: {
+          projectConfigId: createdProject.configId
+        },
+        include: {
+          authMethodConfig: true,
+        }
+      });
+
+      await tx.authMethod.create({
+        data: {
+          projectId: 'internal',
+          projectConfigId: createdProject.configId,
+          projectUserId: newUser.projectUserId,
+          authMethodConfigId: passwordConfig.authMethodConfigId,
+          passwordAuthMethod: {
+            create: {
+              passwordHash: await hashPassword(adminPassword),
+              projectUserId: newUser.projectUserId,
+            }
+          }
+        }
+      });
+
+      console.log('Initial admin user created: ', adminEmail);
+    }
+  });
+
+  console.log('Seeding complete!');
+}
+
+seed().catch(async (e) => {
+  console.error(e);
+  await prisma.$disconnect();
+  process.exit(1);
+// eslint-disable-next-line @typescript-eslint/no-misused-promises
+}).finally(async () => await prisma.$disconnect());

apps/backend/prisma/tsup.config.ts

@@ -0,0 +1,13 @@
+import { defineConfig } from 'tsup';
+
+// tsup config to build the self-hosting seed script so it can be
+// run in the Docker container with no extra dependencies.
+export default defineConfig({
+  entry: ['prisma/seed-self-host.ts'],
+  format: ['cjs'],
+  outDir: 'dist',
+  target: 'node22',
+  platform: 'node',
+  noExternal: ['@stackframe/stack-shared', '@prisma/client'],
+  clean: true
+});

apps/backend/src/analytics.tsx

@@ -1,8 +1,8 @@
-import { getEnvVariable } from '@stackframe/stack-shared/dist/utils/env';
+import { env } from "next-runtime-env";
 import { PostHog } from 'posthog-node';
 
 export default async function withPostHog<T>(callback: (posthog: PostHog) => Promise<T>) {
-  const postHogKey = getEnvVariable("NEXT_PUBLIC_POSTHOG_KEY", "phc_vIUFi0HzHo7oV26OsaZbUASqxvs8qOmap1UBYAutU4k");
+  const postHogKey = env("NEXT_PUBLIC_POSTHOG_KEY") || "phc_vIUFi0HzHo7oV26OsaZbUASqxvs8qOmap1UBYAutU4k";
   const posthogClient = new PostHog(postHogKey, {
     host: "https://eu.i.posthog.com",
     flushAt: 1,

apps/dashboard/.env.docker

@@ -0,0 +1,10 @@
+NEXT_PUBLIC_STACK_URL=http://host.docker.internal:8102
+
+NEXT_PUBLIC_STACK_PROJECT_ID=internal
+NEXT_PUBLIC_STACK_PUBLISHABLE_CLIENT_KEY=this-publishable-client-key-is-for-local-development-only
+STACK_SECRET_SERVER_KEY=this-secret-server-key-is-for-local-development-only
+STACK_SUPER_SECRET_ADMIN_KEY=this-super-secret-admin-key-is-for-local-development-only
+
+NEXT_PUBLIC_INSECURE_COOKIE="true" # required for local docker testing on localhost
+
+NEXT_PUBLIC_STACK_SVIX_SERVER_URL=http://host.docker.internal:8113