App Suggestion: Full Issue Supabase + Stalwart and Roundcube

[rootacc3ss]

Below is a config for Caprover I was trying to write for Supabase's full issue, including vectors and deno based edge functions, but Caprover doesn't support relative mounts ofc:

captainVersion: 4

caproverOneClickApp:
  instructions:
    start: Deploying Supabase Full Stack with Edge Functions integration.
    end: Supabase is ready.

########

version: "3.8"

services:

  supabase-kong:
    image: kong:2.8.1
    entrypoint: bash -c "eval \"echo $(cat /home/kong/temp.yml)\" && kong docker-entrypoint.sh kong docker-start"
    volumes:
      - ./volumes/api/kong.yml:/home/kong/temp.yml:ro
    environment:
      SERVICE_URL_SUPABASE_KONG: "http://supabase-kong:8000"
      KONG_PORT_MAPS: "443:8000"
      JWT_SECRET: "servicepasswordjwt"
      KONG_DATABASE: "off"
      KONG_DECLARATIVE_CONFIG: "/home/kong/kong.yml"
      KONG_DNS_ORDER: "LAST,A,CNAME"
      KONG_PLUGINS: "request-transformer,cors,key-auth,acl,basic-auth"
      SUPABASE_ANON_KEY: "supabaseanonkey"
      SUPABASE_SERVICE_KEY: "supabaseservicekey"
      DASHBOARD_USERNAME: "serviceuseradmin"
      DASHBOARD_PASSWORD: "servicepasswordadmin"
    depends_on:
      supabase-analytics:
        condition: service_healthy

  supabase-db:
    image: supabase/postgres:15.8.1.048
    environment:
      POSTGRES_PASSWORD: "servicepasswordpostgres"
      POSTGRES_DB: "postgresdb-postgres"
      JWT_SECRET: "servicepasswordjwt"
      JWT_EXP: 3600
    volumes:
      - supabase-db-data:/var/lib/postgresql/data
      - ./volumes/db/realtime.sql:/docker-entrypoint-initdb.d/migrations/99-realtime.sql
      - ./volumes/db/supabase.sql:/docker-entrypoint-initdb.d/migrations/97-supabase.sql
      - ./volumes/db/pooler.sql:/docker-entrypoint-initdb.d/migrations/99-pooler.sql
      - ./volumes/db/webhooks.sql:/docker-entrypoint-initdb.d/init-scripts/98-webhooks.sql
      - ./volumes/db/roles.sql:/docker-entrypoint-initdb.d/init-scripts/99-roles.sql
      - ./volumes/db/jwt.sql:/docker-entrypoint-initdb.d/init-scripts/99-jwt.sql
      - ./volumes/db/logs.sql:/docker-entrypoint-initdb.d/migrations/99-logs.sql
      - ./volumes/db/postgresql-custom.conf:/etc/postgresql/postgresql.conf
    command:
      - postgres
      - -c
      - config_file=/etc/postgresql/postgresql.conf
      - -c
      - log_min_messages=fatal
    healthcheck:
      test: ["CMD", "pg_isready", "-U", "postgres", "-h", "127.0.0.1"]
      interval: 5s
      timeout: 5s
      retries: 10

  supabase-analytics:
    image: supabase/logflare:1.4.0
    environment:
      LOGFLARE_NODE_HOST: "127.0.0.1"
      DB_USERNAME: "supabaseadmin"
      DB_DATABASE: "supabase"
      DB_HOSTNAME: "supabase-db"
      DB_PORT: 5432
      DB_PASSWORD: "servicepasswordpostgres"
      DB_SCHEMA: "analytics"
      LOGFLARE_API_KEY: "servicepasswordlogflare"
      LOGFLARE_SINGLE_TENANT: "true"
      LOGFLARE_SINGLE_TENANT_MODE: "true"
      LOGFLARE_SUPABASE_MODE: "true"
      LOGFLARE_MIN_CLUSTER_SIZE: 1
    depends_on:
      supabase-db:
        condition: service_healthy
    healthcheck:
      test: ["CMD", "curl", "-sSfL", "-I", "http://127.0.0.1:4000/health"]
      interval: 5s
      timeout: 5s
      retries: 10

  supabase-minio:
    image: minio/minio:latest
    environment:
      MINIO_ROOT_USER: "serviceusermin.io"
      MINIO_ROOT_PASSWORD: "servicepasswordminio"
    command: server /data --console-address ":9001"
    ports:
      - "9000:9000"
      - "9001:9001"
    volumes:
      - supabase-minio-data:/data
    healthcheck:
      test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://127.0.0.1:9000/minio/health/live"]
      interval: 5s
      timeout: 5s
      retries: 3

  minio-createbucket:
    image: minio/mc
    depends_on:
      supabase-minio:
        condition: service_healthy
    entrypoint: ["/bin/sh", "-c"]
    command: |
      /usr/bin/mc alias set local http://supabase-minio:9000 $MINIO_ROOT_USER $MINIO_ROOT_PASSWORD
      sleep 5
      /usr/bin/mc mb local/supabase-storage
      /usr/bin/mc mb local/supabase-storage-tmp
      /usr/bin/mc policy set public local/supabase-storage
      /usr/bin/mc policy set public local/supabase-storage-tmp
    environment:
      MINIO_ROOT_USER: "serviceusermin.io"
      MINIO_ROOT_PASSWORD: "servicepasswordminio"

  supabase-storage:
    image: supabase/storage-api:v1.14.6
    environment:
      SERVER_PORT: 5000
      SERVER_REGION: local
      MULTITENANT: "false"
      AUTH_JWT_SECRET: "servicepasswordjwt"
      DB_INSTALL_ROLES: "false"
      DATABASE_URL: "postgresql://supabasestorageadmin:servicepasswordpostgres@supabase-db:5432/postgresdb-postgres"
      STORAGE_BACKEND: "s3"
      STORAGE_S3_BUCKET: "supabase-storage"
      STORAGE_S3_ENDPOINT: "http://supabase-minio:9000"
      STORAGE_S3_FORCE_PATH_STYLE: "true"
      STORAGE_S3_REGION: "us-east-1"
      AWS_ACCESS_KEY_ID: "serviceusermin.io"
      AWS_SECRET_ACCESS_KEY: "servicepasswordminio"
      UPLOAD_FILE_SIZE_LIMIT: 524288000
      UPLOAD_FILE_SIZE_LIMIT_STANDARD: 524288000
      UPLOAD_SIGNED_URL_EXPIRATION_TIME: 120
      TUS_URL_PATH: "upload/resumable"
      TUS_MAX_SIZE: 3600000
      ENABLE_IMAGE_TRANSFORMATION: "true"
      IMGPROXY_URL: "http://imgproxy:8080"
      IMGPROXY_REQUEST_TIMEOUT: 15
      DATABASE_SEARCH_PATH: "storage"
      NODE_ENV: "production"
      REQUEST_ALLOW_X_FORWARDED_PATH: "true"
    depends_on:
      supabase-db:
        condition: service_healthy
      supabase-rest:
        condition: service_started
      imgproxy:
        condition: service_started
    volumes:
      - supabase-storage-data:/var/lib/storage
    ports:
      - "5000:5000"
    healthcheck:
      test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://127.0.0.1:5000/status"]
      interval: 5s
      timeout: 5s
      retries: 3

  supabase-rest:
    image: postgrest/postgrest:v12.2.12
    command: postgrest
    environment:
      PGRST_DB_URI: "postgresql://authenticator:servicepasswordpostgres@supabase-db:5432/postgresdb-postgres"
      PGRST_DB_SCHEMAS: "public,storage,graphql_public"
      PGRST_DB_ANON_ROLE: "anon"
      PGRST_JWT_SECRET: "servicepasswordjwt"
      PGRST_DB_USE_LEGACY_GUCS: "false"
      PGRST_APP_SETTINGS_JWT_SECRET: "servicepasswordjwt"
      PGRST_APP_SETTINGS_JWT_EXP: 3600
    depends_on:
      supabase-db:
        condition: service_healthy
      supabase-analytics:
        condition: service_healthy
    ports:
      - "3000:3000"
    healthcheck:
      test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://127.0.0.1:3000"]
      interval: 5s
      timeout: 5s
      retries: 3

  supabase-auth:
    image: supabase/gotrue:v2.174.0
    environment:
      GOTRUE_API_HOST: "0.0.0.0"
      GOTRUE_API_PORT: 9999
      API_EXTERNAL_URL: "http://supabase-kong:8000"
      GOTRUE_DB_DRIVER: "postgres"
      GOTRUE_DB_DATABASE_URL: "postgresql://supabaseauthadmin:servicepasswordpostgres@supabase-db:5432/postgresdb-postgres"
      GOTRUE_SITE_URL: "http://supabase-kong:8000"
      GOTRUE_DISABLE_SIGNUP: "false"
      GOTRUE_JWT_ADMIN_ROLES: "service_role"
      GOTRUE_JWT_AUD: "authenticated"
      GOTRUE_JWT_DEFAULT_GROUP_NAME: "authenticated"
      GOTRUE_JWT_EXP: 3600
      GOTRUE_JWT_SECRET: "servicepasswordjwt"
      GOTRUE_EXTERNAL_EMAIL_ENABLED: "true"
      GOTRUE_EXTERNAL_ANONYMOUS_USERS: "false"
      GOTRUE_EMAILER_AUTOCONFIRM: "false"
      GOTRUE_SMTP_ADMIN_EMAIL: "smtpadmin@example.com"
      GOTRUE_SMTP_HOST: "smtp.example.com"
      GOTRUE_SMTP_PORT: 587
      GOTRUE_SMTP_USER: "smtpuser"
      GOTRUE_SMTP_PASS: "smtppassword"
      GOTRUE_SMTP_SENDER_NAME: "supabase"
    depends_on:
      supabase-db:
        condition: service_healthy
      supabase-analytics:
        condition: service_healthy
    ports:
      - "9999:9999"
    healthcheck:
      test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://127.0.0.1:9999/health"]
      interval: 5s
      timeout: 5s
      retries: 3

  realtime-dev:
    image: supabase/realtime:v2.34.47
    container_name: realtime-dev.supabase-realtime
    environment:
      PORT: 4000
      DB_HOST: "supabase-db"
      DB_PORT: 5432
      DB_USER: "supabaseadmin"
      DB_PASSWORD: "servicepasswordpostgres"
      DB_NAME: "postgresdb-postgres"
      DB_AFTER_CONNECT_QUERY: "SET search_path TO realtime"
      DB_ENC_KEY: "supabaserealtime"
      API_JWT_SECRET: "servicepasswordjwt"
      LOG_LEVEL: "error"
    depends_on:
      supabase-db:
        condition: service_healthy
      supabase-analytics:
        condition: service_healthy
    ports:
      - "4000:4000"
    healthcheck:
      test: ["CMD", "curl", "-sSfL", "-I", "-o", "/dev/null", "-H", "Authorization: Bearer SERVICE_SUPABASE_ANON_KEY", "http://127.0.0.1:4000/api/tenants/realtime-dev/health"]
      interval: 5s
      timeout: 5s
      retries: 3

  imgproxy:
    image: darthsim/imgproxy:v3.8.0
    volumes:
      - ./volumes/storage:/var/lib/storage
    environment:
      IMGPROXY_LOCAL_FILESYSTEM_ROOT: ""
      IMGPROXY_USE_ETAG: "true"
      IMGPROXY_ENABLE_WEBP_DETECTION: "true"
    ports:
      - "8080:8080"
    healthcheck:
      test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://127.0.0.1:8080/health"]
      interval: 5s
      timeout: 5s
      retries: 3

  supabase-meta:
    image: supabase/postgres-meta:v0.89.3
    environment:
      PGMETA_PORT: 8080
      PGMETA_DB_HOST: "supabase-db"
      PGMETA_DB_PORT: 5432
      PGMETA_DB_NAME: "postgresdb-postgres"
      PGMETA_DB_USER: "supabaseadmin"
      PGMETA_DB_PASSWORD: "servicepasswordpostgres"
    depends_on:
      supabase-db:
        condition: service_healthy
      supabase-analytics:
        condition: service_healthy
    ports:
      - "8080:8080"

  supabase-edge-functions:
    image: supabase/edge-runtime:v1.67.4
    depends_on:
      supabase-analytics:
        condition: service_healthy
    healthcheck:
      test: ["CMD", "echo", "Edge Functions is healthy"]
      interval: 5s
      timeout: 5s
      retries: 3
    environment:
      JWT_SECRET: "servicepasswordjwt"
      SUPABASE_URL: "http://supabase-kong:8000"
      SUPABASE_ANON_KEY: "supabaseanonkey"
      SUPABASE_SERVICE_ROLE_KEY: "supabaseservicerolekey"
      SUPABASE_DB_URL: "postgresql://postgres:servicepasswordpostgres@supabase-db:5432/postgresdb-postgres"
      VERIFY_JWT: "false"
    volumes:
      - ./volumes/functions:/home/deno/functions
      - ./volumes/functions/mainindex.ts:/home/deno/functions/mainindex.ts:ro
    ports:
      - "9000:9000"

  supabase-supavisor:
    image: supabase/supavisor:v2.5.1
    environment:
      POOLER_TENANT_ID: "dev-tenant"
      POOLER_POOL_MODE: "transaction"
      POOLER_DEFAULT_POOL_SIZE: 20
      POOLER_MAX_CLIENT_CONN: 100
      PORT: 4000
      POSTGRES_PORT: 5432
      POSTGRES_HOSTNAME: "supabase-db"
      POSTGRES_DB: "postgresdb-postgres"
      POSTGRES_PASSWORD: "servicepasswordpostgres"
      DATABASE_URL: "postgresql://supabaseadmin:servicepasswordpostgres@supabase-db:5432/postgresdb-postgres"
      CLUSTER_POSTGRES: "true"
      SECRET_KEY_BASE: "servicepasswordsupavisorsecret"
      VAULT_ENC_KEY: "servicepasswordvault"
      API_JWT_SECRET: "servicepasswordjwt"
      METRICS_JWT_SECRET: "servicepasswordjwt"
      REGION: "local"
      ERL_FLAGS: "-proto_dist inet_tcp"
    depends_on:
      supabase-db:
        condition: service_healthy
      supabase-analytics:
        condition: service_healthy
    command: ["/bin/sh", "-c", "app/bin/migrate && app/bin/supavisor eval 'cat etc/pooler/pooler.exs' && app/bin/server"]
    ports:
      - "4001:4001"

  vector:
    image: timberio/vector:0.28.1-alpine
    command: --config /etc/vector/vector.yml
    volumes:
      - ./volumes/logs/vector.yml:/etc/vector/vector.yml:ro
      - /var/run/docker.sock:/var/run/docker.sock
      - supabase-logs:/var/log/supabase
    environment:
      VECTOR_LOG: "info"
    ports:
      - "8686:8686"
    depends_on:
      supabase-db:
        condition: service_healthy
      supabase-analytics:
        condition: service_healthy
    healthcheck:
      test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://127.0.0.1:8686/health"]
      interval: 5s
      timeout: 5s
      retries: 3

volumes:
  supabase-db-data:
  supabase-minio-data:
  supabase-storage-data:
  supabase-imgproxy-data:
  supabase-logs:

This won't work with the nature of how Caprover is set up. If you want to fix it and make a guide, be my guest, but I've spent 3 hrs on this and I'm just going to go back to frustrating ass Coolify as it's simply better right now with the allowance of complex docker-compose/nixpacks. I was really impressed with how easy it was to spin up Caprover and start services that the terrible coolify proxy system would usually spazz on me for or break.

I've also noticed that the only one click email solutions are solutions I hadn't heard of -- because they charge $599 a year to allow you to configure SMTP and DMARC, making them all useless.

It seems a ton of companies that are shilling shit get included in the Caprover repositories, or do the work to make their costly stuff work and suggest their own service.

One click email is amazingly easy on Caprover (HELL ON COOLIFY... F-ING HORRID) but I'm not paying Poste.io or iRedMail $700 a year for bundling open source software with a management portal.

I suggest someone figure out a Stalwart + Roundcube package for Caprover, but I'm done with the platform for the time being.

[githubsaturn]

Is the only problem the relative paths for the volumes? If so, I can help. That's fairly easy to change. Or did you face other issues as well.

One click email is amazingly easy on Caprover

Thanks for the feedback! What one click app specifically you're referring to?

[rootacc3ss]

Thanks for the feedback! What one click app specifically you're referring to?

iRedMail and especially Poste

But sadly both don’t have even 50% of a Stalwart and Roundcube setups settings. They even put DMARC behind a paywall

[githubsaturn]

Admittedly, I'm not a self-hosted email person myself. But I'll definitely look into adding these soon. Stalwart specifically seems straightforward.

Would you be able to help with testing once i have a working version?

[rootacc3ss]

Admittedly, I'm not a self-hosted email person myself. But I'll definitely look into adding these soon. Stalwart specifically seems straightforward.

Would you be able to help with testing once i have a working version?

If you get Stalwart and Roundcube both running, I won't only test it for you, but I will kiss you on the lips. It's harder than you think -- see my docker, you're gonna need to make it specifically for Caprover and use some of those special variables above for containerization and instant deploy. We also need easy access to the docker container to get the password upon it spinning up AND to change the config file with our own openssh passwd hash.

Please bundle Roundcube with it. It's essentially useless without.

[rootacc3ss]

To be clear, I would use Caprover specifically for that.

If you get on a kick, Cryptpad would be an excellent one click app that everywhere else doesn't have too, and could drive some traffic to the project.

[githubsaturn]

Try this one for Stalwart

captainVersion: 4

services:
  $$cap_appname:
    image: stalwartlabs/stalwart:$$cap_STALWART_VERSION
    environment:
      # Add any Stalwart-specific env here if you need (e.g., STALWART_OPTS)
      # STALWART_OPTS: ""
    ports:
      # Mail submission + SMTP/IMAP/POP + Sieve (direct host publishes)
      - "25:25"     # SMTP
      - "587:587"   # Submission (STARTTLS)
      - "465:465"   # SMTPS
      - "110:110"   # POP3
      - "995:995"   # POP3S
      - "143:143"   # IMAP
      - "993:993"   # IMAPS
      - "4190:4190" # ManageSieve
    volumes:
      - $$cap_appname-data:/opt/stalwart
    caproverExtra:
      containerHttpPort: 8080

caproverOneClickApp:
  variables:
    - id: $$cap_STALWART_VERSION
      label: Stalwart Image Version
      defaultValue: "v0.13"
      description: >
        Docker tag for stalwartlabs/stalwart. Do NOT use 'latest'. Check
        https://hub.docker.com/r/stalwartlabs/stalwart/tags for valid versions.

  instructions:
    start: |-
      This will deploy the Stalwart Mail Server (single container) with:
        - Admin UI via CapRover HTTP routing (container port 8080)
        - SMTP/IMAP/POP/ManageSieve ports published directly on the host
        - Persistent data stored in a named volume

      IMPORTANT:
        • Do NOT publish 443 here—CapRover already uses 443 on the host.
        • Many VPS providers block outbound or inbound port 25 by default.
          You may need to request unblocking, and you’ll likely need proper DNS:
          A/AAAA, PTR (reverse DNS), SPF, DKIM, and DMARC for reliable delivery.
        • Open the required firewall ports (25, 465, 587, 110, 995, 143, 993, 4190).
        • After deploy, enable HTTPS on the CapRover app to secure the admin UI.

      Version pinning:
        • The Docker image is pinned via $$cap_STALWART_VERSION (no 'latest').
        • Always choose a specific released tag from Docker Hub.

    end: |-
      Stalwart has been deployed.

      Access:
        • Admin UI: https://$$cap_appname.$$cap_root_domain  (enable HTTPS in the CapRover dashboard)

      Next steps:
        • Configure domains, TLS certificates (for mail protocols), users, relays, and DNS (SPF, DKIM, DMARC, PTR).
        • Verify your host/network allows the published ports, especially 25/465/587.

  displayName: Stalwart Mail Server
  isOfficial: true
  description: Self-hosted email server with SMTP, IMAP/POP3, ManageSieve, and an admin UI.
  documentation: Based on docker run example from Stalwart; see https://docs.stalw.art/ for configuration.

[githubsaturn]

Once you confirm this is working fine, I'll get to Roundcube

[githubsaturn]

I can at least confirm the UI loads, I assume that's a good enough sign

[rootacc3ss]

@githubsaturn So sorry, out of town right now and just say this. Let me get home and spin Caprover up on a node. You got further than most get on Coolify. Have you tested sending?

[githubsaturn]

I just tested the installation, testing things beyond that require someone who knows the app itself.

By the way, the SSL key configuration for mail might require some adjustments. But once you get your instance working we can work together to get everything running. It may require a couple of back and forth.

[rootacc3ss]

@githubsaturn Should get to it today. Working late tn