a self-hosting experiment

One Postgres box.
A whole backend platform.

Standing up a full self-hosted Supabase stack on a Hetzner VPS — then building three real little apps on top of it, with analytics and simulated traffic, to see what the hype is about.

Postgres 17Auto REST API RealtimeAuth StorageStudio dashboard
first, the basics

What is Supabase?

An open-source backend-as-a-service — often called “the open-source Firebase alternative.” It wraps a real Postgres database with a full suite of backend services, all auto-wired together, so you get a working backend without writing one.

You can use their managed cloud… or self-host the entire thing on your own box — which is exactly what this deck is about.

Open sourceBuilt on Postgres Cloud or self-hostedFirebase alternative
what's in the box

One database, a whole backend

Supabase is really a bundle of services arranged around a single Postgres database. Each piece is a mature open-source project; together they cover most of what an app needs.

🗄️

Postgres database

A full SQL database at the core — not a proprietary store.

🔌

Instant REST API

PostgREST auto-generates an API from your schema. (GraphQL too.)

🔐

Auth

Email, OAuth, magic-link, phone & anonymous sign-in — JWT-based.

Realtime

Subscribe to database changes live over websockets.

📦

Storage

S3-compatible file storage with on-the-fly image transforms.

🧠

Edge Functions

Serverless Deno/TypeScript functions for custom logic.

🛡️

Row-Level Security

Postgres policies decide who can read/write — enforced in the DB.

📊

Studio

A polished web dashboard to manage all of the above.

the core idea

Your table is your backend

  • You write a table. That’s it.
  • Supabase instantly gives you a typed REST API, realtime subscriptions, and RLS-governed access to it — no backend code.
  • It’s “just Postgres” underneath, so triggers, views, extensions and SQL all still work.
  • Frontends talk to it directly with the supabase-js client.
-- 1. you write one table…
create table notes (
  id      bigint primary key,
  body    text,
  user_id uuid
);

-- 2. …and instantly get, with zero backend code:
GET  /rest/v1/notes        → REST API
supabase.channel('notes')  → live updates
RLS policy                 → per-user access
auth · storage · types     → included
how it really works

The logic moves into the database

Traditionally, a hand-written app server is the gatekeeper between users and a “dumb” database. Supabase pushes those jobs down into Postgres and lets the client talk to it through a thin, auto-generated API.

Traditional backend

Browser
Your app serverAPI routes · auth checks · validation · business logic
Databasea dumb store — no defenses of its own

Supabase

Browserholds only a public anon key
Thin auto-generated APIPostgREST · Realtime · Storage · Kong gateway
Postgresdata + access rules + logic, all here
the mapping

Where do the usual backend jobs go?

Traditional job
Its home in Supabase
CRUD API endpoints
Auto-generated from your schema by PostgREST
Authentication
GoTrue issues a signed JWT identifying the user
Authorization — who sees what
Row-Level Security policies, inside Postgres
Validation & business logic
Constraints, triggers, SQL functions & views
Realtime / websockets
Realtime tails the write-ahead log and pushes changes
Scheduled jobs · file storage
pg_cron · Storage (blobs in S3, permissions in Postgres)
the key insight

“Isn’t exposing the database insecure?”

  • The old fear is real: a database had no defenses — the app server was the only guard.
  • Here, Postgres enforces the rules on every query, row by row, using the caller’s verified identity from the JWT.
  • The security boundary moved into the database — so exposing it is safe.
  • That’s the trick that makes everything else possible.
-- a Row-Level Security policy
create policy "own notes only"
on notes for select
using ( auth.uid() = user_id );

-- Postgres checks this on EVERY row,
-- EVERY query, for every caller.
the other 20%

What still needs real backend code

The database-as-backend model covers the boring majority. For the rest, you reach for Edge Functions — serverless TypeScript that runs right next to the database.

🔑

Secrets & 3rd-party APIs

Charging Stripe, sending email, calling an LLM — keys the client must never see.

🧩

Logic that isn’t SQL

Heavy computation, orchestration, or talking to other systems.

🪝

Webhooks & reactions

Custom endpoints, or running code in response to a database change.

Rule of thumb: anything about data and who can touch it → push into Postgres. Anything with secrets, external services, or complex flow → an Edge Function.
the inspiration

The claim

A VPS + self-hosted Supabase can run an absurd amount of stuff for the price of a coffee. So I tried to reproduce a slice of it.

“VPS + self-hosted Supabase is insanely overpowered… multiple sites, analytics, personal tools, some backends and a full Supabase instance with a 24/7 scraper that clones all of Steam, doing constant data transformations on 350k+ row tables — for $7 on a Hetzner VPS + Coolify.” — the tweet that started this
what I built

Three apps, one shared database

Every site is a static page talking to the same Supabase instance through its auto-generated API. No bespoke backend code.

💬

Realtime Guestbook

Anonymous auth + row-level security. Messages stream to every visitor live over websockets.

🎮

GameVault

A “clone Steam” catalogue. A 24/7 scraper feeds a deals table; in-DB transforms roll it up.

📊

Analytics

First-party web analytics for the other two sites — every metric is a SQL function over Postgres.

the cluster

The front door

  • A landing page that pulls live counts straight from Postgres via the REST API.
  • 1,904 games · 3,060 price observations · 4,500+ analytics events.
  • All three apps share one database, one auth system, one dashboard.
supabase-jsanon key + RLS
Landing page
the footprint

The whole platform is ~15 containers and one compose file

11
containers in the core stack
2.3 GiB
total RAM used, idle-ish
1
docker compose up -d
€4/mo
class of VPS this runs on
  • Postgres, PostgREST, GoTrue (auth), Realtime, Storage, imgproxy, Kong gateway, Supavisor pooler, pg-meta, Edge Functions and Studio.
  • Fresh secrets, remapped ports — dropped onto a box already running a dozen other services.
  • It’s just Postgres underneath. Everything else is a thin layer over SQL.
# the entire backend, running
$ docker compose -p supabase-demo ps
supabase-db        healthy   postgres 17
supabase-rest      healthy   auto REST API
supabase-auth      healthy   GoTrue / JWT
realtime           healthy   websockets
supabase-storage   healthy   S3 + imgproxy
supabase-kong      healthy   API gateway
supabase-studio    healthy   dashboard
… + pooler, meta, edge-functions, imgproxy
11 containers · 2.3 GiB RAM
app 1 · realtime

Realtime Guestbook

  • Visitors sign in with anonymous auth — a real JWT, zero friction.
  • New posts appear instantly for everyone, pushed from Postgres over a websocket.
  • Writes are guarded by a Row-Level-Security policy (message 1–280 chars) — enforced in the database, not the client.
  • The “realtime: live” badge is a live postgres_changes subscription.
RealtimeAnon authRLS
Guestbook
app 2 · the “clone Steam” homage

GameVault

  • A Python scraper pages the CheapShark deals API into a raw deals table.
  • An in-database transform rolls 3,060 raw deals up into 1,904 deduped games + materialized views.
  • The catalogue is served straight from /rest/v1/games — no API code written.
  • Designed to run 24/7 and keep growing, exactly like the tweet.
Auto REST APIMaterialized viewsScraper
GameVault
app 2 · query power

Search & sort, for free

  • Type-to-search across 1,900+ rows with .ilike() — full-text indexes are one line of SQL.
  • Sort by discount, price, or recency by swapping .order().
  • It’s all PostgREST: filtering, ordering, pagination and counting come built in.
GameVault search
app 3 · analytics

Analytics, built on the same DB

  • A tiny tracker writes pageviews into a page_events table from every site.
  • Every metric — top pages, referrers, device & country splits, the hourly chart — is a Postgres function exposed as an RPC.
  • The “active now” counter and the live pulse use realtime on the events table.
  • I backfilled ~4,500 events from 375 simulated visitors to give it a heartbeat.
SQL RPCAggregationsRealtime
Analytics dashboard
the dashboard

And then there’s Studio

A full admin UI for the database — “100× better than the Firebase/AWS console,” per the tweet. Here’s the same data, from the operator’s side.

Table editorSQL editorAuth Schema vizAdvisorsClient snippets
studio · table editor

A spreadsheet over your tables

  • Browse, filter and edit the 1,904-row games table like a spreadsheet.
  • Real foreign keys, types and constraints — surfaced visually.
  • Add columns, rows or relationships without touching SQL.
Table editor
studio · sql editor

Full SQL, with results inline

  • A real query console — here ranking storefronts by average discount across all deals.
  • Save queries, chart results, explain plans, export to CSV.
  • This is the “constant data transformation” the tweet talked about — just SQL.
SQL editor
studio · authentication

A users table you don’t have to build

  • Email, OAuth, phone, magic-link and anonymous auth — all included.
  • 10 demo users created here via the admin API in seconds.
  • JWTs flow straight into RLS policies, so auth and authorization are one system.
Auth users
studio · database & advisors

See the schema, mind the guardrails

  • A live schema visualizer of all four tables, keys and column types.
  • The Security Advisor lints the database — 0 errors here, because RLS is on everywhere.
  • Performance advisor + query stats round out the ops story.
Schema visualizer
studio · security advisor

It tells you when you’ve left a door open

  • Automated security lints across every table and function.
  • Catches the classic foot-gun: a table exposed to the API without RLS.
  • Here: 0 errors — every table has row-level security enabled.
Security advisor
studio · connect

Wiring up a new app is copy-paste

  • Ready-made snippets for Next.js, React, Flutter, and more.
  • Direct connection strings, ORM configs, even an MCP endpoint for AI agents.
  • This is how all three demo apps got connected — npm i @supabase/supabase-js and go.
Connect panel
the takeaway

Why this is genuinely useful

🧱

One box, many apps

A single Postgres instance backs every side-project, each isolated by schema + RLS. No per-app infra.

Backend for free

REST API, auth, realtime and storage appear the moment you create a table. You write SQL, not glue.

💸

Flat, tiny cost

No per-request billing, no cold starts, no surprise invoices. It’s a VPS you already pay for.

🛠️

It’s just Postgres

Extensions, triggers, materialized views, cron — the full toolbox, not a walled-garden subset.

🔍

A real dashboard

Studio makes inspecting and editing data pleasant — the bit Firebase/AWS consoles get wrong.

🚪

No lock-in

Standard Postgres + open-source services. Dump it, move it, run it anywhere.

verdict

The tweet was right.

A €4 VPS now runs a full backend platform and three apps and analytics and a 24/7 scraper — all from one Postgres database, with a dashboard that’s genuinely a joy to use.

3
apps on one DB
11
containers
1,904
games scraped
0
backend servers written
← → / space to navigate · F fullscreen