feat: Add self-hosted Betterbase deployment support

Author: ZiadKhaled999

BetterBase_SelfHosted_Spec.md

@@ -226,7 +226,40 @@ betterbase/
 │   │       ├── constants.ts       # Shared constants
 │   │       └── utils.ts           # Utility functions
 │   │
+│   ├── server/                    # @betterbase/server - Self-hosted server
+│   │   ├── package.json
+│   │   ├── tsconfig.json
+│   │   ├── Dockerfile
+│   │   ├── migrations/            # Database migrations
+│   │   │   ├── 001_initial_schema.sql
+│   │   │   ├── 002_admin_users.sql
+│   │   │   ├── 003_projects.sql
+│   │   │   └── 004_logs.sql
+│   │   └── src/
+│   │       ├── index.ts           # Server entry point
+│   │       ├── lib/
+│   │       │   ├── db.ts          # Database connection
+│   │       │   ├── migrate.ts    # Migration runner
+│   │       │   ├── env.ts         # Environment validation
+│   │       │   ├── auth.ts        # Auth utilities
+│   │       │   └── admin-middleware.ts  # Admin auth middleware
+│   │       └── routes/
+│   │           ├── admin/         # Admin API routes
+│   │           │   ├── index.ts
+│   │           │   ├── auth.ts
+│   │           │   ├── projects.ts
+│   │           │   ├── users.ts
+│   │           │   ├── metrics.ts
+│   │           │   ├── storage.ts
+│   │           │   ├── webhooks.ts
+│   │           │   ├── functions.ts
+│   │           │   └── logs.ts
+│   │           └── device/        # Device auth routes
+│   │               └── index.ts
+│   │
 ├── apps/
+│   ├── dashboard/                  # Admin dashboard for self-hosted
+│   │   ├── Dockerfile
 │   └── test-project/              # Example/test project
 │       ├── betterbase.config.ts   # Project configuration
 │       ├── drizzle.config.ts     # Drizzle configuration

CODEBASE_MAP.md

@@ -1015,6 +1015,83 @@ STORAGE_PROVIDER=r2 STORAGE_BUCKET=my-bucket docker-compose -f docker-compose.pr
 - **External database support** - Neon, Supabase, RDS, etc.
 - **S3-compatible storage** - R2, S3, B2, MinIO
 
+### Self-Hosted Deployment
+
+Betterbase can be self-hosted on your own infrastructure using Docker. This is ideal for teams wanting full control over their data and infrastructure.
+
+#### Quick Start
+
+```bash
+# Clone the repository
+git clone https://github.com/betterbase/betterbase.git
+cd betterbase
+
+# Start self-hosted deployment
+docker-compose -f docker-compose.self-hosted.yml up -d
+```
+
+The self-hosted version includes:
+- **Admin Dashboard** - Web UI for managing projects, users, and settings
+- **Device Authentication** - CLI login flow for self-hosted instances
+- **Admin API** - Full API for administrative tasks
+- **Metrics** - Usage and performance tracking
+
+#### Configuration
+
+Copy the example environment file and configure:
+
+```bash
+cp .env.self-hosted.example .env
+```
+
+Key environment variables:
+
+| Variable | Description | Required |
+|----------|-------------|----------|
+| `DATABASE_URL` | PostgreSQL connection string | Yes |
+| `AUTH_SECRET` | Secret for auth tokens (min 32 chars) | Yes |
+| `SERVER_URL` | Public URL of your instance | Yes |
+| `ADMIN_EMAIL` | Initial admin email | Yes |
+| `ADMIN_PASSWORD` | Initial admin password | Yes |
+| `STORAGE_PROVIDER` | Storage provider (local, s3, r2, backblaze, minio) | No |
+| `STORAGE_BUCKET` | Storage bucket name | No |
+
+#### CLI Login with Self-Hosted
+
+```bash
+# Login to your self-hosted instance
+bb login --url https://your-instance.com
+
+# This will initiate device authentication flow
+# 1. You'll be given a device code
+# 2. Open the admin dashboard
+# 3. Approve the device
+# 4. CLI will receive credentials automatically
+```
+
+#### Docker Compose Services
+
+| Service | Port | Description |
+|---------|------|-------------|
+| server | 3000 | Main API server |
+| dashboard | 3001 | Admin dashboard |
+| nginx | 80, 443 | Reverse proxy |
+
+#### For Development
+
+```bash
+# Start all services
+docker-compose -f docker-compose.self-hosted.yml up
+
+# View logs
+docker-compose -f docker-compose.self-hosted.yml logs -f
+
+# Stop services
+docker-compose -f docker-compose.self-hosted.yml down
+```
+
+See [SELF_HOSTED.md](SELF_HOSTED.md) for detailed documentation.
+
 ### Cloud Providers
 
 | Provider | Deployment Method |

README.md

@@ -0,0 +1,88 @@
+# Self-Hosting Betterbase
+
+## Prerequisites
+
+- Docker and Docker Compose
+- Ports 80 (or your chosen `HTTP_PORT`) available
+
+## Quick Start
+
+**1. Copy the example env file:**
+```bash
+cp .env.self-hosted.example .env
+```
+
+**2. Edit `.env` — at minimum set these two values:**
+```bash
+BETTERBASE_JWT_SECRET=your-random-string-here   # min 32 chars
+BETTERBASE_ADMIN_EMAIL=you@example.com
+BETTERBASE_ADMIN_PASSWORD=yourpassword
+```
+Generate a secret: `openssl rand -base64 32`
+
+**3. Start everything:**
+```bash
+docker compose -f docker-compose.self-hosted.yml up -d
+```
+
+**4. Open the dashboard:**
+Navigate to `http://localhost` (or your configured `BETTERBASE_PUBLIC_URL`).
+
+**5. Connect your CLI:**
+```bash
+bb login --url http://localhost
+```
+
+---
+
+## What Runs
+
+| Service | Internal Port | Description |
+|---------|--------------|-------------|
+| nginx | 80 (public) | Reverse proxy — only public-facing port |
+| betterbase-server | 3001 (internal) | API server |
+| betterbase-dashboard | 80 (internal) | Dashboard UI |
+| postgres | 5432 (internal) | Betterbase metadata database |
+| minio | 9000 (internal) | S3-compatible object storage |
+
+---
+
+## CLI Usage Against Self-Hosted
+
+After `bb login --url http://your-server`, all CLI commands automatically target your server.
+
+```bash
+bb login --url http://localhost    # authenticate
+bb init my-project                 # create a project (registered to your local instance)
+bb sync                            # sync local project to server
+```
+
+---
+
+## Production Checklist
+
+- [ ] `BETTERBASE_JWT_SECRET` is a random 32+ character string
+- [ ] `POSTGRES_PASSWORD` changed from default
+- [ ] `STORAGE_ACCESS_KEY` and `STORAGE_SECRET_KEY` changed from defaults
+- [ ] `BETTERBASE_PUBLIC_URL` set to your actual domain
+- [ ] SSL/TLS termination configured (add HTTPS to the nginx config or use a load balancer)
+- [ ] Remove `BETTERBASE_ADMIN_EMAIL` / `BETTERBASE_ADMIN_PASSWORD` from `.env` after first start (or keep — seeding is idempotent)
+
+---
+
+## Troubleshooting
+
+**Server won't start:**
+Check that `BETTERBASE_JWT_SECRET` is set (minimum 32 characters). Run:
+```bash
+docker compose -f docker-compose.self-hosted.yml logs betterbase-server
+```
+
+**Can't log in with CLI:**
+Ensure `BETTERBASE_PUBLIC_URL` in your `.env` matches the URL you pass to `bb login --url`.
+
+**Storage not working:**
+The `minio-init` container initialises the default bucket on first start. Check its logs:
+```bash
+docker compose -f docker-compose.self-hosted.yml logs minio-init
+```

SELF_HOSTED.md

@@ -0,0 +1,45 @@
+# Dashboard Dockerfile placeholder
+# This is a placeholder. The actual dashboard needs to be created first.
+# If the dashboard uses Bun instead of npm, replace node:20-alpine with oven/bun:1.2-alpine
+# and replace npm install with bun install and npm run build with bun run build
+
+FROM node:20-alpine AS builder
+
+WORKDIR /app
+
+COPY apps/dashboard/package.json apps/dashboard/package-lock.json* ./
+RUN npm ci
+
+COPY apps/dashboard ./
+
+# Inject API URL at build time
+ARG VITE_API_URL=http://localhost
+ENV VITE_API_URL=$VITE_API_URL
+
+RUN npm run build
+
+# --- Runtime: serve static files with nginx ---
+FROM nginx:alpine
+
+# Create non-root user for nginx
+RUN addgroup -g 1000 -S appgroup && \
+    adduser -u 1000 -S appuser -G appgroup
+
+COPY --from=builder /app/dist /usr/share/nginx/html
+
+# Ensure non-root user can read the html directory
+RUN chown -R appuser:appgroup /usr/share/nginx/html && \
+    chown -R appuser:appgroup /etc/nginx/conf.d
+
+# SPA routing: serve index.html for all unknown paths
+RUN echo 'server { \
+  listen 80; \
+  root /usr/share/nginx/html; \
+  index index.html; \
+  location / { try_files $uri $uri/ /index.html; } \
+}' > /etc/nginx/conf.d/default.conf
+
+# Switch to non-root user
+USER appuser
+
+EXPOSE 80

apps/dashboard/Dockerfile

@@ -0,0 +1,133 @@
+version: "3.9"
+
+services:
+  # ─── Postgres ──────────────────────────────────────────────────────────────
+  postgres:
+    image: postgres:16-alpine
+    container_name: betterbase-postgres
+    restart: unless-stopped
+    environment:
+      POSTGRES_USER: betterbase
+      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-betterbase}
+      POSTGRES_DB: betterbase
+    volumes:
+      - postgres_data:/var/lib/postgresql/data
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U betterbase"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+    networks:
+      - betterbase-internal
+
+  # ─── MinIO (S3-compatible storage) ─────────────────────────────────────────
+  minio:
+    image: minio/minio:RELEASE.2024-01-16T16-07-38Z
+    container_name: betterbase-minio
+    restart: unless-stopped
+    command: server /data --console-address ":9001"
+    environment:
+      MINIO_ROOT_USER: ${STORAGE_ACCESS_KEY:-minioadmin}
+      MINIO_ROOT_PASSWORD: ${STORAGE_SECRET_KEY:-minioadmin}
+    volumes:
+      - minio_data:/data
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:9000/minio/health/live"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+    networks:
+      - betterbase-internal
+
+  # ─── MinIO bucket init (runs once, exits) ──────────────────────────────────
+  minio-init:
+    image: minio/mc:RELEASE.2024-01-06T18-51-57Z
+    container_name: betterbase-minio-init
+    depends_on:
+      minio:
+        condition: service_healthy
+    entrypoint: >
+      /bin/sh -c "
+        mc alias set local http://minio:9000 ${STORAGE_ACCESS_KEY:-minioadmin} ${STORAGE_SECRET_KEY:-minioadmin};
+        mc mb --ignore-existing local/betterbase;
+        echo 'MinIO bucket initialized.';
+      "
+    networks:
+      - betterbase-internal
+
+  # ─── Betterbase Server ─────────────────────────────────────────────────────
+  betterbase-server:
+    build:
+      context: .
+      dockerfile: packages/server/Dockerfile
+    container_name: betterbase-server
+    restart: unless-stopped
+    depends_on:
+      postgres:
+        condition: service_healthy
+      minio:
+        condition: service_healthy
+      minio-init:
+        condition: service_completed_successfully
+    environment:
+      DATABASE_URL: postgresql://betterbase:${POSTGRES_PASSWORD:-betterbase}@postgres:5432/betterbase
+      BETTERBASE_JWT_SECRET: ${BETTERBASE_JWT_SECRET:?JWT secret required - set BETTERBASE_JWT_SECRET in .env}
+      BETTERBASE_ADMIN_EMAIL: ${BETTERBASE_ADMIN_EMAIL:-}
+      BETTERBASE_ADMIN_PASSWORD: ${BETTERBASE_ADMIN_PASSWORD:-}
+      BETTERBASE_PUBLIC_URL: ${BETTERBASE_PUBLIC_URL:-http://localhost}
+      STORAGE_ENDPOINT: http://minio:9000
+      STORAGE_ACCESS_KEY: ${STORAGE_ACCESS_KEY:-minioadmin}
+      STORAGE_SECRET_KEY: ${STORAGE_SECRET_KEY:-minioadmin}
+      PORT: "3001"
+      NODE_ENV: production
+      CORS_ORIGINS: ${CORS_ORIGINS:-http://localhost}
+    networks:
+      - betterbase-internal
+    healthcheck:
+      test: ["CMD-SHELL", "wget -qO- http://localhost:3001/health || exit 1"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+
+  # ─── Dashboard ─────────────────────────────────────────────────────────────
+  betterbase-dashboard:
+    build:
+      context: .
+      dockerfile: apps/dashboard/Dockerfile   # Dashboard Dockerfile — see SH-25
+      args:
+        VITE_API_URL: ${BETTERBASE_PUBLIC_URL:-http://localhost}
+    container_name: betterbase-dashboard
+    restart: unless-stopped
+    depends_on:
+      betterbase-server:
+        condition: service_healthy
+    networks:
+      - betterbase-internal
+
+  # ─── Nginx Reverse Proxy ───────────────────────────────────────────────────
+  nginx:
+    image: nginx:alpine
+    container_name: betterbase-nginx
+    restart: unless-stopped
+    depends_on:
+      - betterbase-server
+      - betterbase-dashboard
+    ports:
+      - "${HTTP_PORT:-80}:80"
+    volumes:
+      - ./docker/nginx/nginx.conf:/etc/nginx/nginx.conf:ro
+    networks:
+      - betterbase-internal
+    healthcheck:
+      test: ["CMD", "nginx", "-t"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+
+volumes:
+  postgres_data:
+  minio_data:
+
+networks:
+  betterbase-internal:
+    driver: bridge