Complete Guide: Self-Host Supabase on Any Ubuntu VPS
Production-ready backend in under 10 minutes — Supabase + PostgreSQL + Docker + Nginx + Free SSL
The supabase_setup.sh script by NG HOST VIP is a one-click solution to deploy a fully self-hosted Supabase backend on any Ubuntu server (22.04 or 24.04). It installs Docker, clones the official Supabase repo, generates all secrets (JWT, ANON, SERVICE_ROLE, ES256 asymmetric keys), configures Nginx as a reverse proxy and obtains a free Let’s Encrypt SSL certificate — all configured automatically.
Prerequisites Before You Start
| Requirement | Details |
|---|---|
| Operating System | Ubuntu 22.04 or 24.04 (fresh, clean installation) |
| Server Specs | Minimum: 2 CPU – 4GB RAM – 40GB SSD (8GB RAM recommended for production) |
| Domain (Optional) | A domain such as supabase.example.com (you can also use the server IP) |
| DNS Record | An A Record pointing your domain to the server IP (only if using a domain) |
| Access | Root SSH access (or a user with sudo) |
| Email Address | Required for Let’s Encrypt SSL registration (only with a domain) |
| Open Ports | Domain mode: 80 & 443. IP mode: 8000 |
Installation Steps
1 Connect to Your Server via SSH
Connect to your server using any SSH client (PuTTY, Terminal, Windows Terminal, etc.):
ssh root@YOUR_SERVER_IP
Replace YOUR_SERVER_IP with your actual server IP address.
2 Download the Script
Download the script from the official NG HOST VIP server:
wget https://download.nghost.vip/supabase_setup.sh
Or with curl:
curl -O https://download.nghost.vip/supabase_setup.sh
3 Grant Execute Permission
chmod +x supabase_setup.sh
4 Run the Script
sudo bash supabase_setup.sh
The NG HOST VIP welcome banner will appear:
+==================================================================+
| NG HOST VIP - SYSTEMS |
| Supabase ONE-CLICK INSTALLER (v3.0) |
+==================================================================+
Preparing your self-hosted Supabase backend...
Server IP: XXX.XXX.XXX.XXX
5 Choose Your Access Method
You’ll be asked how you want to access Supabase:
How would you like to access Supabase? [1] IP Address -> http://YOUR_SERVER_IP:8000 (no SSL) [2] Domain Name -> https://your-domain.com (free SSL) Your choice [1 or 2]:
- Option [1] — IP Address: Quickest. Studio + API accessible on port
8000. No SSL. - Option [2] — Domain Name: Production-ready with free SSL via Let’s Encrypt. Kong is bound to localhost — only Nginx is exposed.
If you choose [2], you’ll then be asked for:
Domain name (e.g. supabase.example.com): supabase.example.com Email for SSL certificate: [email protected]
6 Save Your Credentials
After installation (~5-10 minutes), the script prints all your credentials on the screen and also saves them to:
cat /root/supabase-credentials.txt
What the Script Does Automatically
After you submit your choice, the script executes 6 automated phases:
Phase 1 / 6 System Update & Base Packages
- Refreshes apt and upgrades the OS.
- Installs Nginx, Certbot, Git, OpenSSL, UFW, Python 3 + cryptography library, jq and all needed CLI tools.
Phase 2 / 6 Install Node.js LTS & Docker
- Adds NodeSource repo and installs the latest Node.js LTS.
- Adds the official Docker APT repo (signed GPG) and installs
docker-ce,containerd,docker-compose-plugin. - Enables and starts the Docker daemon.
Phase 3 / 6 Clone Supabase Repository
- Clones the official Supabase repo from GitHub into
/opt/supabase. - Pulls the latest version every time (always up to date).
Phase 4 / 6 Generate Secrets & Configure .env
- Generates secure random secrets: JWT_SECRET, POSTGRES_PASSWORD, DASHBOARD_PASSWORD, VAULT_ENC_KEY, SECRET_KEY_BASE, LOGFLARE_KEY, POOLER_TENANT_ID.
- Builds ANON_KEY and SERVICE_ROLE_KEY as HS256 JWTs valid for 10 years.
- Generates asymmetric ES256 keys (
SUPABASE_PUBLISHABLE_KEY,JWT_KEYS,JWT_JWKS). - Disables BigQuery analytics fallback (prevents the Analytics container from going unhealthy).
Phase 5 / 6 Firewall, Nginx & SSL
- Configures UFW: allows SSH always; allows 80/443 in domain mode or 8000 in IP mode; blocks direct DB access (5432, 6543) and Studio port (3000).
- Domain mode only: deploys an Nginx reverse proxy in front of Kong, with
default_serverblocks that reject IP-based access. - Requests a free SSL certificate from Let’s Encrypt and enables HTTPS redirect + auto-renewal via
certbot.timer. - Binds Kong to
127.0.0.1so it’s only reachable via Nginx.
Phase 6 / 6 — Success Pull Images, Start Services & Health Check
A final success screen displays:
- Studio URL (Supabase dashboard)
- API endpoint
- Dashboard username & password
- PostgreSQL connection string
- ANON_KEY, SERVICE_ROLE_KEY, JWT_SECRET
- Saves everything to
/root/supabase-credentials.txt
Access the Supabase Studio
Open the Studio URL shown in your credentials file:
https://your-domain.com # or http://YOUR_SERVER_IP:8000
- A browser login popup appears.
- Enter the Dashboard Username (
admin) and Dashboard Password from/root/supabase-credentials.txt. - You’re now inside Supabase Studio — create tables, manage auth, write SQL, and build your backend.
Useful Post-Installation Commands
| Command | Purpose |
|---|---|
cd /opt/supabase/docker && docker compose ps |
Show all container statuses |
cd /opt/supabase/docker && docker compose logs -f |
Tail live logs from all services |
cd /opt/supabase/docker && docker compose restart |
Restart all Supabase services |
cd /opt/supabase/docker && docker compose stop |
Stop Supabase |
cd /opt/supabase/docker && docker compose start |
Start Supabase |
cd /opt/supabase && git pull && cd docker && docker compose pull && docker compose up -d |
Update Supabase to the latest version |
sudo certbot renew |
Manually renew SSL certificate |
Key Paths & Files on Your VPS
| Path | Purpose |
|---|---|
/root/supabase-credentials.txt |
All credentials, keys & URLs |
/opt/supabase/docker/.env |
Supabase main environment file |
/opt/supabase/docker/docker-compose.yml |
Docker Compose stack definition |
/etc/nginx/sites-available/supabase |
Nginx reverse proxy config |
/etc/letsencrypt/live/<domain>/ |
SSL certificate files |
/var/log/supabase-setup.log |
Complete installation log |
Common Troubleshooting
SSL Certificate Issuance Failed
Cause: your domain’s A Record isn’t pointing to the server yet. Verify with ping yourdomain.com. Once DNS has propagated, re-run only the SSL step:
certbot certonly --nginx -d your-domain.com --email [email protected] --agree-tos --non-interactive
A Container Shows “unhealthy” in docker compose ps
Most common is the analytics container during first start. Check the logs of that specific service:
cd /opt/supabase/docker docker compose logs --tail=50 analytics docker compose restart
Studio Login Asks for Username/Password Repeatedly
That’s the Kong Basic Auth popup — use admin and the Dashboard Password from your credentials file (NOT the Postgres password).
Lost Your Credentials?
All secrets are in:
cat /root/supabase-credentials.txt cat /opt/supabase/docker/.env
Security Recommendations
- Copy
/root/supabase-credentials.txtto your password manager, then remove it from the server. - Never expose
SERVICE_ROLE_KEYin browser code or public repos. UseANON_KEYon the frontend only. - Disable root password SSH login and use SSH keys only.
- Enable Row-Level Security (RLS) on every Postgres table you expose through the API.
- Schedule daily Postgres backups (
pg_dump) and copy them off-server. - Update regularly:
git pull && docker compose pull && docker compose up -d - UFW is pre-configured — only open extra ports you actually need.
Congratulations — Your Supabase is Live!
With this script you can deploy a self-hosted Supabase backend on any Ubuntu server in under 10 minutes — full ownership of your data, no monthly limits, no vendor lock-in.
NG HOST VIP — Your partner in self-hosted backend infrastructure.