Self-hosting Supabase

A seven-part series on self-hosting Supabase on a single Hetzner VPS. SSH hardening, Traefik, Docker Swarm, Vault secrets, multi-instance isolation, Falco intrusion detection, and k6 load testing. From first docker stack deploy to running three projects on one machine.

Dinh Doan Van Bien

The Series

01

Why we are building this

Why self-host Supabase when the free tier already gives you two projects? To understand what the managed service does on your behalf.

7 min read
02

The server

Setting up a Hetzner CX22 VPS with SSH hardening, ufw firewall, fail2ban, and Docker Swarm.

5 min read
03

Traefik and SSL

Configuring Traefik as a reverse proxy with automatic Let’s Encrypt certificates and security headers.

6 min read
04

The first Supabase instance

Deploying PostgreSQL, Kong, GoTrue, PostgREST, Realtime, Storage, and Studio as a Docker Swarm stack.

13 min read
05

Vault

Moving secrets out of .env files and into HashiCorp Vault with a fetch script for Docker Swarm.

7 min read
06

Two instances

Running a second fully isolated Supabase instance on the same server with shared Traefik routing.

5 min read
07

Security and the load test

Security audit with Falco intrusion detection, and k6 load testing to find the server’s limits.

8 min read

Appendix: Load Tests

08

Soak Test Results

58-minute soak test with 30 virtual users: sustained load results on the CX22.

6 min read
09

Dual-Project Load Test Results

Dual-project concurrent load test: 30 VUs split across two Supabase stacks.

6 min read
10

Triple-Project Load Test Results

Triple-project stress test: pushing the CX22 to find the memory ceiling.

6 min read