[wip] docs: update self-hosting supabase file

damlayildiz · damlayildiz · commit 82d116e5c476 · 2026-03-24T18:18:25.000+01:00
diff --git a/docs/postgresql/SELF_HOSTING_SUPABASE_FLYIO.md b/docs/postgresql/SELF_HOSTING_SUPABASE_FLYIO.md
@@ -314,6 +314,29 @@ sh ./utils/generate-keys.sh
 
 Review the output. The script updates `.env` with generated `JWT_SECRET`, `ANON_KEY`, and `SERVICE_ROLE_KEY`.
 
+### 6a.1. Get the JWT secret later
+
+If you need the Supabase Auth JWT secret after setup, read the `JWT_SECRET` value from the same `.env` file used by Docker Compose:
+
+```bash
+cd /data/supabase-docker
+grep '^JWT_SECRET=' .env
+```
+
+That value is the secret GoTrue (Supabase Auth) uses to sign and verify access tokens.
+
+If you want to confirm what the running auth container sees, check the container environment:
+
+```bash
+docker compose exec auth printenv GOTRUE_JWT_SECRET
+```
+
+Both commands should return the same value. If they do not, restart the stack after updating `.env`:
+
+```bash
+docker compose up -d
+```
+
 ### 6b. Edit `.env` manually for remaining values
 
 ```bash
@@ -579,24 +602,44 @@ export ORG_API_KEY="<your-org-api-key>"                          # Organization
 
 #### Connection string
 
-The CloudSync server needs to connect to your PostgreSQL database. Since both the CloudSync server and the Supabase VM are in the same Fly org, they can communicate over Fly's **private internal network** using `.internal` addresses — no public port exposure needed.
+The CloudSync server needs a PostgreSQL connection string to reach your database. There are two options depending on where your CloudSync server runs:
 
-The connection goes through **Supavisor** (Supabase's connection pooler) in session mode. The username format is `postgres.<POOLER_TENANT_ID>` (check your `.env` for `POOLER_TENANT_ID`).
+**Option A: CloudSync on the same Fly org (`.internal` network)**
+
+If both the CloudSync server and the Supabase VM are in the same Fly org, they can communicate over Fly's **private internal network** — no public port exposure needed. Connect directly to the `db` container's mapped port (5432 is exposed on the host by default in docker-compose):
 
 ```bash
-# Connection string format:
-# postgres://postgres.<POOLER_TENANT_ID>:<POSTGRES_PASSWORD>@<fly-app-name>.internal:5432/postgres
+# Direct connection (no Supavisor) — recommended for CloudSync server-to-server
+export CONNECTION_STRING="postgres://postgres:$POSTGRES_PASSWORD@<your-fly-app-name>.internal:5432/postgres"
+```
+
+**Option B: CloudSync running outside Fly (e.g., local machine, another cloud)**
+
+Use `fly proxy` to tunnel the Postgres port to your local machine:
 
-export CONNECTION_STRING="postgres://postgres.cloudsync-supabase-test:$POSTGRES_PASSWORD@cloudsync-supabase-test.internal:5432/postgres"
+```bash
+# In a separate terminal — keep this running
+fly proxy 5432:5432 -a <your-fly-app-name>
 ```
 
-To verify the connection works, SSH into the VM and test through Supavisor:
+This makes the remote Postgres available at `localhost:5432`. Then use:
 
 ```bash
-docker compose exec db psql "postgres://postgres.cloudsync-supabase-test:<POSTGRES_PASSWORD>@supabase-pooler:5432/postgres" -c "SELECT 1;"
+export CONNECTION_STRING="postgres://postgres:$POSTGRES_PASSWORD@localhost:5432/postgres"
 ```
 
-> **Note:** Inside Docker, use the container name `supabase-pooler` instead of the `.internal` address. The `.internal` address is for Fly-to-Fly communication.
+> **Note:** The proxy must stay running in a separate terminal for the duration of your session. If the proxy disconnects, just re-run the command.
+
+To verify the connection works:
+
+```bash
+# Option A: SSH into the VM and test locally
+fly ssh console --app <your-fly-app-name>
+docker compose exec db psql -U postgres -c "SELECT 1;"
+
+# Option B: With fly proxy running, test from your local machine
+psql "postgres://postgres:$POSTGRES_PASSWORD@localhost:5432/postgres" -c "SELECT 1;"
+```
 
 ### 10a. Verify CloudSync server is reachable
 
@@ -745,20 +788,29 @@ grep DASHBOARD /data/supabase-docker/.env
 
 The values are `DASHBOARD_USERNAME` (default: `supabase`) and `DASHBOARD_PASSWORD` (default: `this_password_is_insecure_and_should_be_updated`).
 
-> **Note:** Since the Fly VM doesn't expose ports publicly, access Studio via SSH tunnel:
+> **Note:** The Fly VM doesn't expose ports publicly by default. Use `fly proxy` to access services from your local machine:
 > ```bash
-> fly proxy 8000:8000 -a cloudsync-supabase-test
+> fly proxy 8000:8000 -a <your-app-name>
 > ```
 > Then open `http://localhost:8000` in your browser.
 
 ### Connect to Postgres directly
 
-Via Supavisor (connection pooler):
+Use `fly proxy` to tunnel the Postgres port to your local machine:
 
 ```bash
-psql 'postgres://postgres.your-tenant-id:<POSTGRES_PASSWORD>@<your-fly-ip>:5432/postgres'
+# In a separate terminal — keep this running
+fly proxy 5432:5432 -a <your-app-name>
 ```
 
+Then connect from your local machine:
+
+```bash
+psql 'postgres://postgres:<POSTGRES_PASSWORD>@localhost:5432/postgres'
+```
+
+> **Tip:** You can proxy multiple ports at once by running multiple `fly proxy` commands in separate terminals (e.g., `8000` for Studio and `5432` for Postgres).
+
 ---
 
 ## Step 11: Set up HTTPS (production)
