How to create a template-based, multi-tenant development environment with 16 containerized services that works offline yet remains accessible online through subdomain-based routing
Managing development environments for multiple clients often means choosing between complex manual setups or expensive cloud solutions. Manual deployments are time-consuming and error-prone. Cloud platforms are convenient but create vendor lock-in and ongoing costs that scale with usage.
Today, we’ll walk through building a scalable multi-tenant development stack that gives you both: complete isolation between client environments with automated deployment capabilities, all while maintaining full control over your infrastructure. This approach builds on our philosophy of self-hosted solutions—similar to how we’ve shown you can self-host n8n for workflow automation and deploy Windmill with Docker for complete operational control.
The Tools We’re Using
Let’s start by understanding what each piece does in our comprehensive 16-container architecture:
Docker: Your Containerization Foundation
Docker provides the isolation and consistency we need for multi-tenant environments. Each client gets their own containers with identical configurations, ensuring that what works in development will work in production. Think of it as having multiple completely separate servers running on the same hardware.
The key advantage? Perfect isolation between clients. One client’s data, configurations, and customizations never interfere with another’s. This matters when handling multiple business clients with different requirements and security needs.
Traefik: Smart Reverse Proxy and Load Balancer
Traefik acts as an intelligent traffic director, automatically routing requests to the correct client environment based on domain names. Instead of manually configuring complex Apache or Nginx rules, Traefik reads labels from your Docker containers and sets up routing automatically.
Think of Traefik as a smart receptionist who knows exactly which office (container) each visitor (request) should go to, without you having to give directions every time. In our setup, Traefik handles SSL termination, automatic service discovery, and provides detailed monitoring dashboards.
Cloudflare Tunnels: Secure External Access
Cloudflare Tunnels provide secure access to your local development stack without complex firewall configurations or VPNs. Each client domain gets its own tunnel, ensuring complete separation at the network level while maintaining enterprise-grade security.
The beauty is that your development environments remain local and secure, but clients can access their specific services from anywhere with proper authentication—similar to how we configured secure external access in our n8n hosting guide.
The Complete Service Stack: Everything Your Clients Need
Our multi-tenant stack includes seven core service categories across 16 containers per client:
Workflow Automation & Business Logic:
- n8n: Complete workflow automation platform for business process automation
- Authentik: Enterprise-grade single sign-on and identity management (3 containers: server, worker, Redis cache)
Database & Backend Services:
- PostgreSQL: Robust database backend supporting all services with optimized connection pooling
- Supabase Stack: Complete backend-as-a-service with 5 specialized containers (Studio, Auth, REST API, Realtime, Kong Gateway)
- NocoDB: No-code database interface for client data management
AI & Intelligence:
- Ollama: Local AI language models with GPU acceleration for intelligent automation
- Qdrant (optional): Vector database for advanced AI workflows and similarity search
Infrastructure & Monitoring:
- Cloudflare Tunnel: Secure external connectivity
- Traefik: Reverse proxy with automatic SSL and monitoring dashboard
How It All Works Together
Here’s the complete flow when a client accesses their environment:
- Client navigates to their custom domain (e.g.,
workflows.client-a.com) - Cloudflare Tunnel routes the request to your local Traefik instance
- Traefik reads the domain, applies middleware (authentication, SSL, rate limiting), and forwards to the correct client container
- Authentik handles SSO authentication across all services if configured
- The client gets their completely isolated environment with their data and configurations
- All other clients remain completely unaffected and inaccessible
Everything stays organized and separated, with each client getting their own subdomain structure like auth.client-a.com, database.client-a.com, backend.client-a.com, etc.
Setting This Up: The Practical Steps
Getting the Foundation Ready
First, you’ll need Docker Desktop installed and a domain management setup. We recommend setting up a wildcard DNS structure for easy client onboarding:
# Install Docker Desktop (macOS)
brew install --cask docker
# Verify installation
docker --version
docker-compose --version
# Ensure sufficient resources for multi-container environments
# Recommended: 16GB RAM, 8+ CPU cores, 500GB+ SSD storage
Creating the Template System
The magic happens through a template-based approach. Instead of manually setting up each client, we create templates that can be instantly deployed with client-specific configurations.
Create the comprehensive directory structure:
mkdir -p development-stack/{template,deployments}
cd development-stack/template
# Create service-specific configuration directories
mkdir -p {traefik,authentik,supabase,init}
Complete Multi-Service Template Configuration
Create a comprehensive docker-compose.yml template with all 16 services:
version: '3.8'
networks:
${TENANT_NETWORK}:
driver: bridge
services:
# External Connectivity
cloudflare-tunnel:
image: cloudflare/cloudflared:latest
container_name: ${TENANT_PREFIX}-tunnel
command: tunnel --no-autoupdate run --token ${CLOUDFLARE_TOKEN}
networks:
- ${TENANT_NETWORK}
restart: unless-stopped
healthcheck:
test: ["CMD-SHELL", "cloudflared tunnel info ${TUNNEL_ID} || exit 1"]
interval: 30s
timeout: 10s
retries: 3
# Reverse Proxy & Load Balancer
traefik:
image: traefik:v3.0
container_name: ${TENANT_PREFIX}-traefik
command:
- "--api.dashboard=true"
- "--api.insecure=true"
- "--providers.docker=true"
- "--providers.docker.network=${TENANT_NETWORK}"
- "--providers.docker.exposedbydefault=false"
- "--entrypoints.web.address=:80"
- "--entrypoints.websecure.address=:443"
- "--certificatesresolvers.letsencrypt.acme.email=${ADMIN_EMAIL}"
- "--certificatesresolvers.letsencrypt.acme.storage=/acme.json"
- "--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web"
ports:
- "${TRAEFIK_PORT}:80"
- "${TRAEFIK_SECURE_PORT}:443"
- "${TRAEFIK_DASHBOARD_PORT}:8080"
networks:
- ${TENANT_NETWORK}
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- ./traefik/acme.json:/acme.json
labels:
- "traefik.enable=true"
- "traefik.http.routers.traefik.rule=Host(`traefik.${CLIENT_DOMAIN}`)"
- "traefik.http.services.traefik.loadbalancer.server.port=8080"
healthcheck:
test: ["CMD", "traefik", "healthcheck"]
interval: 30s
timeout: 10s
retries: 3
# Database Backend
postgres:
image: postgres:15-alpine
container_name: ${TENANT_PREFIX}-postgres
environment:
POSTGRES_DB: ${POSTGRES_DB}
POSTGRES_USER: ${POSTGRES_USER}
POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
POSTGRES_MULTIPLE_DATABASES: n8n,supabase,authentik,nocodb
volumes:
- postgres_data:/var/lib/postgresql/data
- ./init:/docker-entrypoint-initdb.d
networks:
- ${TENANT_NETWORK}
ports:
- "${POSTGRES_PORT}:5432"
healthcheck:
test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER} -d ${POSTGRES_DB}"]
interval: 30s
timeout: 10s
retries: 5
deploy:
resources:
limits:
memory: 2G
reservations:
memory: 1G
# Workflow Automation
n8n:
image: n8nio/n8n:latest
container_name: ${TENANT_PREFIX}-n8n
environment:
DB_TYPE: postgresdb
DB_POSTGRESDB_HOST: postgres
DB_POSTGRESDB_DATABASE: n8n
DB_POSTGRESDB_USER: ${POSTGRES_USER}
DB_POSTGRESDB_PASSWORD: ${POSTGRES_PASSWORD}
N8N_PROTOCOL: ${N8N_PROTOCOL}
N8N_HOST: ${N8N_DOMAIN}
N8N_PORT: 5678
N8N_SECURE_COOKIE: ${N8N_SECURE_COOKIE}
WEBHOOK_URL: https://${N8N_DOMAIN}
N8N_EDITOR_BASE_URL: https://${N8N_DOMAIN}
EXECUTIONS_DATA_PRUNE: "true"
EXECUTIONS_DATA_MAX_AGE: 168
volumes:
- n8n_data:/home/node/.n8n
networks:
- ${TENANT_NETWORK}
labels:
- "traefik.enable=true"
- "traefik.http.routers.n8n.rule=Host(`${N8N_DOMAIN}`)"
- "traefik.http.routers.n8n.tls.certresolver=letsencrypt"
- "traefik.http.services.n8n.loadbalancer.server.port=5678"
- "traefik.http.routers.n8n.middlewares=${AUTH_MIDDLEWARE}"
depends_on:
postgres:
condition: service_healthy
# No-Code Database Interface
nocodb:
image: nocodb/nocodb:latest
container_name: ${TENANT_PREFIX}-nocodb
environment:
NC_DB: "pg://postgres:${POSTGRES_PASSWORD}@postgres:5432/nocodb"
NC_PUBLIC_URL: https://${NOCODB_DOMAIN}
NC_DISABLE_TELE: "true"
NC_ADMIN_EMAIL: ${ADMIN_EMAIL}
NC_ADMIN_PASSWORD: ${NOCODB_ADMIN_PASSWORD}
volumes:
- nocodb_data:/usr/app/data
networks:
- ${TENANT_NETWORK}
labels:
- "traefik.enable=true"
- "traefik.http.routers.nocodb.rule=Host(`${NOCODB_DOMAIN}`)"
- "traefik.http.routers.nocodb.tls.certresolver=letsencrypt"
- "traefik.http.services.nocodb.loadbalancer.server.port=8080"
- "traefik.http.routers.nocodb.middlewares=${AUTH_MIDDLEWARE}"
depends_on:
postgres:
condition: service_healthy
# Supabase Backend Stack (5 containers)
supabase-studio:
image: supabase/studio:latest
container_name: ${TENANT_PREFIX}-supabase-studio
environment:
STUDIO_PG_META_URL: http://supabase-meta:8080
POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
DEFAULT_ORGANIZATION_NAME: ${CLIENT_NAME}
DEFAULT_PROJECT_NAME: ${CLIENT_NAME} Project
SUPABASE_PUBLIC_URL: https://${SUPABASE_DOMAIN}
networks:
- ${TENANT_NETWORK}
labels:
- "traefik.enable=true"
- "traefik.http.routers.supabase-studio.rule=Host(`${SUPABASE_DOMAIN}`)"
- "traefik.http.routers.supabase-studio.tls.certresolver=letsencrypt"
- "traefik.http.services.supabase-studio.loadbalancer.server.port=3000"
- "traefik.http.routers.supabase-studio.middlewares=${AUTH_MIDDLEWARE}"
healthcheck:
disable: true
depends_on:
postgres:
condition: service_healthy
supabase-meta:
image: supabase/postgres-meta:latest
container_name: ${TENANT_PREFIX}-supabase-meta
environment:
PG_META_PORT: 8080
PG_META_DB_HOST: postgres
PG_META_DB_PORT: 5432
PG_META_DB_NAME: supabase
PG_META_DB_USER: ${POSTGRES_USER}
PG_META_DB_PASSWORD: ${POSTGRES_PASSWORD}
networks:
- ${TENANT_NETWORK}
depends_on:
postgres:
condition: service_healthy
supabase-auth:
image: supabase/gotrue:latest
container_name: ${TENANT_PREFIX}-supabase-auth
environment:
GOTRUE_API_HOST: 0.0.0.0
GOTRUE_API_PORT: 9999
GOTRUE_DB_DRIVER: postgres
GOTRUE_DB_DATABASE_URL: postgres://${POSTGRES_USER}:${POSTGRES_PASSWORD}@postgres:5432/supabase
GOTRUE_SITE_URL: https://${SUPABASE_DOMAIN}
GOTRUE_JWT_SECRET: ${SUPABASE_JWT_SECRET}
GOTRUE_JWT_EXP: 3600
GOTRUE_JWT_DEFAULT_GROUP_NAME: authenticated
networks:
- ${TENANT_NETWORK}
depends_on:
postgres:
condition: service_healthy
supabase-rest:
image: postgrest/postgrest:latest
container_name: ${TENANT_PREFIX}-supabase-rest
environment:
PGRST_DB_URI: postgres://${POSTGRES_USER}:${POSTGRES_PASSWORD}@postgres:5432/supabase
PGRST_DB_SCHEMAS: public,graphql_public
PGRST_DB_ANON_ROLE: anon
PGRST_JWT_SECRET: ${SUPABASE_JWT_SECRET}
PGRST_DB_USE_LEGACY_GUCS: "false"
networks:
- ${TENANT_NETWORK}
depends_on:
postgres:
condition: service_healthy
supabase-realtime:
image: supabase/realtime:latest
container_name: ${TENANT_PREFIX}-supabase-realtime
environment:
PORT: 4000
DB_HOST: postgres
DB_PORT: 5432
DB_USER: ${POSTGRES_USER}
DB_PASSWORD: ${POSTGRES_PASSWORD}
DB_NAME: supabase
DB_AFTER_CONNECT_QUERY: 'SET search_path TO _realtime'
DB_ENC_KEY: supabaserealtime
API_JWT_SECRET: ${SUPABASE_JWT_SECRET}
FLY_ALLOC_ID: fly123
FLY_APP_NAME: realtime
SECRET_KEY_BASE: ${SUPABASE_JWT_SECRET}
ERL_AFLAGS: -proto_dist inet_tcp
ENABLE_TAILSCALE: "false"
DNS_NODES: "''"
networks:
- ${TENANT_NETWORK}
command: >
sh -c "/app/bin/migrate && /app/bin/realtime eval 'Realtime.Release.seeds(Realtime.Repo)' && /app/bin/server"
depends_on:
postgres:
condition: service_healthy
supabase-kong:
image: kong:3.2-alpine
container_name: ${TENANT_PREFIX}-supabase-kong
environment:
KONG_DATABASE: "off"
KONG_DECLARATIVE_CONFIG: /var/lib/kong/kong.yml
KONG_DNS_ORDER: LAST,A,CNAME
KONG_PLUGINS: request-size-limiting,cors,key-auth,rate-limiting
KONG_NGINX_PROXY_PROXY_BUFFER_SIZE: 160k
KONG_NGINX_PROXY_PROXY_BUFFERS: 64 160k
volumes:
- ./supabase/kong.yml:/var/lib/kong/kong.yml:ro
networks:
- ${TENANT_NETWORK}
labels:
- "traefik.enable=true"
- "traefik.http.routers.kong.rule=Host(`api.${CLIENT_DOMAIN}`)"
- "traefik.http.routers.kong.tls.certresolver=letsencrypt"
- "traefik.http.services.kong.loadbalancer.server.port=8000"
- "traefik.http.routers.kong.middlewares=${AUTH_MIDDLEWARE}"
# Local AI Language Models
ollama:
image: ollama/ollama:latest
container_name: ${TENANT_PREFIX}-ollama
environment:
OLLAMA_HOST: 0.0.0.0:11434
OLLAMA_ORIGINS: "*"
volumes:
- ollama_data:/root/.ollama
networks:
- ${TENANT_NETWORK}
labels:
- "traefik.enable=true"
- "traefik.http.routers.ollama.rule=Host(`ai.${CLIENT_DOMAIN}`)"
- "traefik.http.routers.ollama.tls.certresolver=letsencrypt"
- "traefik.http.services.ollama.loadbalancer.server.port=11434"
- "traefik.http.routers.ollama.middlewares=${AUTH_MIDDLEWARE}"
deploy:
resources:
limits:
memory: 16G
reservations:
memory: 8G
healthcheck:
test: ["CMD", "curl", "-f", "http://localhost:11434/api/tags"]
interval: 30s
timeout: 10s
retries: 3
# Enterprise SSO Authentication (3 containers)
authentik-redis:
image: redis:alpine
container_name: ${TENANT_PREFIX}-authentik-redis
command: --save 60 1 --loglevel warning
networks:
- ${TENANT_NETWORK}
volumes:
- authentik_redis_data:/data
healthcheck:
test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
interval: 30s
timeout: 3s
retries: 3
authentik-server:
image: ghcr.io/goauthentik/server:${AUTHENTIK_TAG}
container_name: ${TENANT_PREFIX}-authentik-server
command: server
environment:
AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY}
AUTHENTIK_ERROR_REPORTING__ENABLED: "false"
AUTHENTIK_POSTGRESQL__HOST: postgres
AUTHENTIK_POSTGRESQL__USER: ${POSTGRES_USER}
AUTHENTIK_POSTGRESQL__NAME: authentik
AUTHENTIK_POSTGRESQL__PASSWORD: ${POSTGRES_PASSWORD}
AUTHENTIK_REDIS__HOST: authentik-redis
volumes:
- authentik_media:/media
- authentik_templates:/templates
networks:
- ${TENANT_NETWORK}
labels:
- "traefik.enable=true"
- "traefik.http.routers.authentik.rule=Host(`auth.${CLIENT_DOMAIN}`)"
- "traefik.http.routers.authentik.tls.certresolver=letsencrypt"
- "traefik.http.services.authentik.loadbalancer.server.port=9000"
depends_on:
postgres:
condition: service_healthy
authentik-redis:
condition: service_healthy
authentik-worker:
image: ghcr.io/goauthentik/server:${AUTHENTIK_TAG}
container_name: ${TENANT_PREFIX}-authentik-worker
command: worker
environment:
AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY}
AUTHENTIK_ERROR_REPORTING__ENABLED: "false"
AUTHENTIK_POSTGRESQL__HOST: postgres
AUTHENTIK_POSTGRESQL__USER: ${POSTGRES_USER}
AUTHENTIK_POSTGRESQL__NAME: authentik
AUTHENTIK_POSTGRESQL__PASSWORD: ${POSTGRES_PASSWORD}
AUTHENTIK_REDIS__HOST: authentik-redis
volumes:
- authentik_media:/media
- authentik_templates:/templates
- /var/run/docker.sock:/var/run/docker.sock
networks:
- ${TENANT_NETWORK}
depends_on:
postgres:
condition: service_healthy
authentik-redis:
condition: service_healthy
# Test Service for Health Monitoring
whoami:
image: traefik/whoami:latest
container_name: ${TENANT_PREFIX}-whoami
networks:
- ${TENANT_NETWORK}
labels:
- "traefik.enable=true"
- "traefik.http.routers.whoami.rule=Host(`test.${CLIENT_DOMAIN}`)"
- "traefik.http.routers.whoami.tls.certresolver=letsencrypt"
- "traefik.http.services.whoami.loadbalancer.server.port=80"
volumes:
postgres_data:
n8n_data:
nocodb_data:
ollama_data:
authentik_redis_data:
authentik_media:
authentik_templates:
Complete Environment Template
Create .env.template for comprehensive client-specific variables:
# Client Configuration
CLIENT_NAME=CLIENT_NAME_PLACEHOLDER
CLIENT_DOMAIN=CLIENT_DOMAIN_PLACEHOLDER
TENANT_PREFIX=CLIENT_PREFIX_PLACEHOLDER
TENANT_NETWORK=CLIENT_NETWORK_PLACEHOLDER
# Service Domains (Subdomain-based routing)
N8N_DOMAIN=workflows.CLIENT_DOMAIN_PLACEHOLDER
NOCODB_DOMAIN=database.CLIENT_DOMAIN_PLACEHOLDER
SUPABASE_DOMAIN=backend.CLIENT_DOMAIN_PLACEHOLDER
AUTHENTIK_DOMAIN=auth.CLIENT_DOMAIN_PLACEHOLDER
# Infrastructure Ports
TRAEFIK_PORT=80
TRAEFIK_SECURE_PORT=443
TRAEFIK_DASHBOARD_PORT=8080
POSTGRES_PORT=5432
# Admin Configuration
ADMIN_EMAIL=admin@CLIENT_DOMAIN_PLACEHOLDER
# Database Configuration
POSTGRES_DB=main_db
POSTGRES_USER=postgres
POSTGRES_PASSWORD=SECURE_PASSWORD_PLACEHOLDER
# Service-Specific Passwords
NOCODB_ADMIN_PASSWORD=NOCODB_PASSWORD_PLACEHOLDER
SUPABASE_JWT_SECRET=SUPABASE_JWT_PLACEHOLDER
# Authentik SSO Configuration
AUTHENTIK_SECRET_KEY=AUTHENTIK_SECRET_PLACEHOLDER
AUTHENTIK_TAG=2024.8.3
# n8n Configuration
N8N_PROTOCOL=https
N8N_SECURE_COOKIE=true
# Cloudflare Integration
CLOUDFLARE_TOKEN=CLOUDFLARE_TOKEN_PLACEHOLDER
TUNNEL_ID=TUNNEL_ID_PLACEHOLDER
# Authentication Middleware (set to 'auth-global' for SSO, leave empty for no auth)
AUTH_MIDDLEWARE=
Database Initialization Scripts
Create comprehensive database initialization in init/01-create-multiple-databases.sql:
-- Create databases for all services
CREATE DATABASE n8n;
CREATE DATABASE nocodb;
CREATE DATABASE supabase;
CREATE DATABASE authentik;
-- Grant permissions
GRANT ALL PRIVILEGES ON DATABASE n8n TO postgres;
GRANT ALL PRIVILEGES ON DATABASE nocodb TO postgres;
GRANT ALL PRIVILEGES ON DATABASE supabase TO postgres;
GRANT ALL PRIVILEGES ON DATABASE authentik TO postgres;
-- Enable required extensions for Supabase
\c supabase;
CREATE EXTENSION IF NOT EXISTS "uuid-ossp";
CREATE EXTENSION IF NOT EXISTS "pgcrypto";
CREATE EXTENSION IF NOT EXISTS "pgjwt";
-- Enable required extensions for Authentik
\c authentik;
CREATE EXTENSION IF NOT EXISTS "uuid-ossp";
CREATE EXTENSION IF NOT EXISTS "pgcrypto";
\echo 'Multiple databases and extensions created successfully';
Supabase Kong Gateway Configuration
Create supabase/kong.yml for API gateway routing:
_format_version: "3.0"
services:
- name: auth-v1-open
url: http://supabase-auth:9999/verify
plugins:
- name: cors
routes:
- name: auth-v1-open
strip_path: true
paths:
- /auth/v1/verify
methods:
- POST
- OPTIONS
- name: auth-v1-open-callback
url: http://supabase-auth:9999/callback
plugins:
- name: cors
routes:
- name: auth-v1-open-callback
strip_path: true
paths:
- /auth/v1/callback
methods:
- GET
- POST
- OPTIONS
- name: auth-v1
_comment: "GoTrue: /auth/v1/* -> http://supabase-auth:9999/*"
url: http://supabase-auth:9999/
plugins:
- name: cors
- name: key-auth
config:
hide_credentials: false
routes:
- name: auth-v1-all
strip_path: true
paths:
- /auth/v1/
methods:
- GET
- POST
- PUT
- PATCH
- DELETE
- OPTIONS
- name: rest-v1
_comment: "PostgREST: /rest/v1/* -> http://supabase-rest:3000/*"
url: http://supabase-rest:3000/
plugins:
- name: cors
- name: key-auth
config:
hide_credentials: true
routes:
- name: rest-v1-all
strip_path: true
paths:
- /rest/v1/
methods:
- GET
- POST
- PUT
- PATCH
- DELETE
- OPTIONS
- name: realtime-v1
_comment: "Realtime: /realtime/v1/* -> ws://supabase-realtime:4000/socket/*"
url: http://supabase-realtime:4000/socket/
plugins:
- name: cors
- name: key-auth
config:
hide_credentials: false
routes:
- name: realtime-v1-all
strip_path: true
paths:
- /realtime/v1/
methods:
- GET
- POST
- PUT
- PATCH
- DELETE
- OPTIONS
consumers:
- username: anon
keyauth_credentials:
- key: your-anon-key-here
- username: service_role
keyauth_credentials:
- key: your-service-role-key-here
plugins:
- name: cors
config:
origins:
- "*"
methods:
- GET
- POST
- PUT
- PATCH
- DELETE
- OPTIONS
headers:
- Accept
- Accept-Version
- Content-Length
- Content-MD5
- Content-Type
- Date
- X-Auth-Token
- Authorization
- X-Forwarded-For
- X-Forwarded-Proto
- X-Forwarded-Port
exposed_headers:
- X-Auth-Token
credentials: true
max_age: 3600
Automated Deployment Script
The comprehensive deployment script that creates new client environments in minutes:
#!/bin/bash
# deploy-client.sh - Complete Multi-Tenant Deployment
CLIENT_DOMAIN=$1
CLIENT_NAME=$2
CLOUDFLARE_TOKEN=$3
if [ -z "$CLIENT_DOMAIN" ] || [ -z "$CLIENT_NAME" ] || [ -z "$CLOUDFLARE_TOKEN" ]; then
echo "Usage: ./deploy-client.sh example.com 'Client Name' 'cloudflare-token'"
echo ""
echo "Example: ./deploy-client.sh client-a.com 'Client A Corporation' 'your-cloudflare-token'"
exit 1
fi
CLIENT_PREFIX=$(echo $CLIENT_DOMAIN | sed 's/[.-]//g' | tr '[:upper:]' '[:lower:]')
TIMESTAMP=$(date +%Y%m%d_%H%M%S)
echo "🚀 Deploying complete multi-tenant environment..."
echo "📋 Configuration:"
echo " Domain: $CLIENT_DOMAIN"
echo " Name: $CLIENT_NAME"
echo " Prefix: $CLIENT_PREFIX"
echo " Timestamp: $TIMESTAMP"
echo ""
# Create deployment directory
DEPLOY_DIR="../deployments/$CLIENT_DOMAIN"
mkdir -p "$DEPLOY_DIR"/{traefik,authentik,supabase,init,logs}
echo "📁 Created deployment directory structure"
# Copy template files
cp docker-compose.yml "$DEPLOY_DIR/"
cp -r {traefik,authentik,supabase,init}/ "$DEPLOY_DIR/" 2>/dev/null || true
echo "📋 Copied configuration templates"
# Generate secure passwords and secrets
POSTGRES_PASSWORD=$(openssl rand -base64 32 | tr -d "=+/" | cut -c1-25)
NOCODB_PASSWORD=$(openssl rand -base64 16 | tr -d "=+/" | cut -c1-16)
SUPABASE_JWT_SECRET=$(openssl rand -base64 64 | tr -d "=+/" | cut -c1-64)
AUTHENTIK_SECRET=$(openssl rand -hex 32)
echo "🔐 Generated secure credentials"
# Calculate unique ports to avoid conflicts
PORT_OFFSET=$(($(echo "$CLIENT_PREFIX" | cksum | cut -f1 -d' ') % 1000))
TRAEFIK_DASHBOARD_PORT=$((8080 + PORT_OFFSET))
POSTGRES_PORT=$((5432 + PORT_OFFSET))
# Create comprehensive environment file
cat .env.template | \
sed "s/CLIENT_NAME_PLACEHOLDER/$CLIENT_NAME/g" | \
sed "s/CLIENT_DOMAIN_PLACEHOLDER/$CLIENT_DOMAIN/g" | \
sed "s/CLIENT_PREFIX_PLACEHOLDER/$CLIENT_PREFIX/g" | \
sed "s/CLIENT_NETWORK_PLACEHOLDER/${CLIENT_PREFIX}-network/g" | \
sed "s/SECURE_PASSWORD_PLACEHOLDER/$POSTGRES_PASSWORD/g" | \
sed "s/NOCODB_PASSWORD_PLACEHOLDER/$NOCODB_PASSWORD/g" | \
sed "s/SUPABASE_JWT_PLACEHOLDER/$SUPABASE_JWT_SECRET/g" | \
sed "s/AUTHENTIK_SECRET_PLACEHOLDER/$AUTHENTIK_SECRET/g" | \
sed "s/CLOUDFLARE_TOKEN_PLACEHOLDER/$CLOUDFLARE_TOKEN/g" | \
sed "s/8080/$TRAEFIK_DASHBOARD_PORT/g" | \
sed "s/5432/$POSTGRES_PORT/g" \
> "$DEPLOY_DIR/.env"
echo "⚙️ Generated environment configuration"
# Create ACE file for Traefik SSL
touch "$DEPLOY_DIR/traefik/acme.json"
chmod 600 "$DEPLOY_DIR/traefik/acme.json"
# Initialize deployment
cd "$DEPLOY_DIR"
echo "🐋 Starting Docker containers..."
echo " This may take several minutes for first-time image downloads"
# Start core infrastructure first
docker-compose up -d cloudflare-tunnel traefik postgres
echo "⏳ Waiting for database to be ready..."
sleep 30
# Start all remaining services
docker-compose up -d
echo ""
echo "✅ Multi-tenant environment deployed successfully!"
echo ""
echo "🌐 Access URLs:"
echo " 🔧 Traefik Dashboard: http://localhost:$TRAEFIK_DASHBOARD_PORT"
echo " 🔀 Workflows (n8n): https://workflows.$CLIENT_DOMAIN"
echo " 🗄️ Database (NocoDB): https://database.$CLIENT_DOMAIN"
echo " 🔧 Backend (Supabase): https://backend.$CLIENT_DOMAIN"
echo " 🤖 AI (Ollama): https://ai.$CLIENT_DOMAIN"
echo " 🔐 Authentication: https://auth.$CLIENT_DOMAIN"
echo " 🔌 API Gateway: https://api.$CLIENT_DOMAIN"
echo " 🧪 Test Service: https://test.$CLIENT_DOMAIN"
echo ""
echo "📊 Container Status:"
docker-compose ps
echo ""
echo "🔑 Generated Credentials (save these securely):"
echo " 📍 Client: $CLIENT_NAME"
echo " 🔐 PostgreSQL Password: $POSTGRES_PASSWORD"
echo " 🔐 NocoDB Admin Password: $NOCODB_PASSWORD"
echo " 🔐 Supabase JWT Secret: [hidden - check .env file]"
echo ""
echo "📝 Next Steps:"
echo " 1. Configure Cloudflare DNS: *.${CLIENT_DOMAIN} → tunnel"
echo " 2. Wait 2-3 minutes for all services to initialize"
echo " 3. Access services via the URLs above"
echo " 4. Configure SSO via auth.$CLIENT_DOMAIN if needed"
echo ""
echo "📚 Documentation: Visit tva.sg for setup guides and troubleshooting"
echo "💬 Support: Contact us via tva.sg/contact for assistance"
Using Your Multi-Tenant Stack
Deploying New Clients
Creating a new client environment becomes trivial with our comprehensive script:
# Deploy Client A with full enterprise stack
./deploy-client.sh client-a.com "Client A Corporation" "your-cloudflare-token"
# Deploy Client B with different domain
./deploy-client.sh client-b.org "Client B Industries" "your-cloudflare-token"
# Deploy Startup C
./deploy-client.sh startup-c.io "Startup C" "your-cloudflare-token"
Each deployment creates:
- Completely isolated Docker network with 16 containers
- Separate data volumes for persistent storage
- Unique service containers with health monitoring
- Individual Cloudflare tunnel configuration
- Custom domain routing with SSL certificates
- Enterprise-grade SSO infrastructure ready for activation
Managing Multiple Environments
Monitor all client environments from a central location:
# Check all running environments across clients
docker ps --format "table {{.Names}}\t{{.Status}}\t{{.Ports}}" | grep -E "(client|startup)"
# View comprehensive logs for specific client
cd deployments/client-a.com
docker-compose logs -f --tail=50 n8n
# Health check all services for a client
docker-compose ps
docker-compose exec postgres pg_isready
# Restart specific services
docker-compose restart nocodb supabase-studio
# Update all services to latest images
docker-compose pull && docker-compose up -d
Container Architecture Deep Dive
Our complete 16-container architecture per client includes:
Infrastructure Layer (4 containers):
cloudflare-tunnel: Secure external connectivitytraefik: Reverse proxy with automatic SSL and service discoverypostgres: Central database with connection poolingwhoami: Health monitoring and routing verification
Application Layer (7 containers):
n8n: Workflow automation with PostgreSQL backendnocodb: No-code database interfacesupabase-studio: Backend development dashboardsupabase-meta: Database introspection servicesupabase-auth: Authentication and user managementsupabase-rest: Auto-generated REST APIsupabase-realtime: Real-time subscriptions and updates
AI & Gateway Layer (2 containers):
ollama: Local AI with GPU acceleration supportsupabase-kong: API gateway with rate limiting and CORS
Enterprise Security Layer (3 containers):
authentik-server: SSO authentication serverauthentik-worker: Background tasks and notificationsauthentik-redis: Session management and caching
Scaling Resources Per Client
Adjust resources based on client needs and usage patterns:
# High-performance client configuration
services:
n8n:
deploy:
resources:
limits:
cpus: '4.0'
memory: 8G
reservations:
cpus: '2.0'
memory: 4G
postgres:
deploy:
resources:
limits:
cpus: '2.0'
memory: 4G
reservations:
cpus: '1.0'
memory: 2G
environment:
- POSTGRES_MAX_CONNECTIONS=200
- POSTGRES_SHARED_BUFFERS=1GB
- POSTGRES_EFFECTIVE_CACHE_SIZE=3GB
ollama:
deploy:
resources:
limits:
memory: 32G
reservations:
memory: 16G
devices:
- driver: nvidia
count: 1
capabilities: [gpu]
Real Benefits for Your Business
Complete Client Isolation with Enterprise Features
Each client gets their own comprehensive universe including enterprise-grade SSO, AI capabilities, and full backend infrastructure. Data, configurations, customizations, and security policies remain completely contained. A problem with one client never affects others, similar to the isolation we achieve with our individual n8n deployments.
Rapid Client Onboarding with Full Feature Set
New clients can be up and running with a complete development and automation stack in under 10 minutes. The deployment script handles all complex configuration, DNS setup, service initialization, and security configuration automatically—far more comprehensive than traditional approaches.
Predictable Enterprise Costs
After initial setup, there are no per-client hosting costs beyond your base infrastructure. Unlike SaaS solutions that charge per seat, per workflow, or per API call, you pay once for the hardware and run unlimited client environments with full enterprise features.
Professional Brand Consistency
Each client gets their own branded domains with professional subdomains (workflows.client.com, auth.client.com, etc.) and can customize their environments completely. No “powered by” footers or shared interfaces that dilute their brand identity.
The n8n Integration: Enterprise Workflow Automation at Scale
Here’s where things get really powerful. Just as we’ve shown you how to self-host n8n for workflow automation, this multi-tenant setup gives each client their own complete n8n instance integrated with a full enterprise stack.
Each client can build sophisticated workflows that:
- Connect to their own databases (NocoDB, Supabase PostgreSQL)
- Use their own AI models (Ollama) for intelligent automation
- Authenticate through enterprise SSO (Authentik)
- Integrate with their specific business tools and APIs
- Process their data with complete isolation and security
The combination creates a powerful client delivery platform where you can:
- Deploy standardized automation capabilities rapidly
- Customize workflows per client without affecting others
- Scale your service delivery without linear cost increases
- Maintain complete data sovereignty for each client
- Offer enterprise-grade security and compliance
This approach builds on the same principles we used in our Windmill Docker setup guide, but extends it to a complete multi-tenant architecture.
Advanced Configuration Options
Implementing Enterprise SSO with Authentik
Enable single sign-on across all client services by configuring Authentik forward authentication:
# Add to Traefik middleware configuration
middlewares:
auth-global:
forwardAuth:
address: "http://authentik-server:9000/outpost.goauthentik.io/auth/traefik"
trustForwardHeader: true
authResponseHeaders:
- X-authentik-username
- X-authentik-groups
- X-authentik-email
- X-authentik-name
- X-authentik-uid
Then update your service labels to use the middleware:
labels:
- "traefik.http.routers.n8n.middlewares=auth-global"
- "traefik.http.routers.nocodb.middlewares=auth-global"
- "traefik.http.routers.supabase-studio.middlewares=auth-global"
Adding Vector Database for Advanced AI
Enhance AI capabilities with Qdrant vector database:
qdrant:
image: qdrant/qdrant:latest
container_name: ${TENANT_PREFIX}-qdrant
environment:
QDRANT__SERVICE__HTTP_PORT: 6333
QDRANT__SERVICE__GRPC_PORT: 6334
volumes:
- qdrant_data:/qdrant/storage
networks:
- ${TENANT_NETWORK}
labels:
- "traefik.enable=true"
- "traefik.http.routers.qdrant.rule=Host(`vector.${CLIENT_DOMAIN}`)"
- "traefik.http.routers.qdrant.tls.certresolver=letsencrypt"
- "traefik.http.services.qdrant.loadbalancer.server.port=6333"
- "traefik.http.routers.qdrant.middlewares=${AUTH_MIDDLEWARE}"
Implementing Hybrid AI Architecture
For optimal performance, consider a hybrid approach combining containerized and native AI:
# Install Ollama natively on host for GPU acceleration
brew install ollama
# Configure containers to use native Ollama
# In docker-compose.yml, services can access via host.docker.internal:11434
n8n:
environment:
- OLLAMA_HOST=host.docker.internal:11434
This provides 5-6x performance improvement through direct GPU access while maintaining container isolation for other services.
Monitoring and Observability Stack
Add comprehensive monitoring per client:
prometheus:
image: prom/prometheus:latest
container_name: ${TENANT_PREFIX}-prometheus
volumes:
- ./monitoring/prometheus.yml:/etc/prometheus/prometheus.yml
- prometheus_data:/prometheus
networks:
- ${TENANT_NETWORK}
labels:
- "traefik.enable=true"
- "traefik.http.routers.prometheus.rule=Host(`metrics.${CLIENT_DOMAIN}`)"
grafana:
image: grafana/grafana:latest
container_name: ${TENANT_PREFIX}-grafana
environment:
GF_SECURITY_ADMIN_PASSWORD: ${GRAFANA_PASSWORD}
GF_USERS_ALLOW_SIGN_UP: "false"
volumes:
- grafana_data:/var/lib/grafana
- ./monitoring/dashboards:/var/lib/grafana/dashboards
networks:
- ${TENANT_NETWORK}
labels:
- "traefik.enable=true"
- "traefik.http.routers.grafana.rule=Host(`monitoring.${CLIENT_DOMAIN}`)"
- "traefik.http.routers.grafana.middlewares=${AUTH_MIDDLEWARE}"
Common Issues and Solutions
“Service Unavailable” or HTTP 502 Errors
Usually means Traefik can’t reach the target container. Check that:
# Verify container is running and healthy
docker-compose ps
docker-compose logs traefik --tail=20
# Check container is on correct network
docker network ls
docker network inspect ${CLIENT_PREFIX}-network
# Verify Traefik labels are correct
docker-compose config --services
DNS Resolution Problems
Wildcard DNS setup is crucial for subdomain routing:
# Correct Cloudflare DNS configuration
*.client-a.com CNAME tunnel-uuid.cfargotunnel.com
*.client-b.org CNAME tunnel-uuid2.cfargotunnel.com
# Test DNS resolution
nslookup workflows.client-a.com
dig workflows.client-a.com
Resource Exhaustion Across Multiple Clients
Monitor resource usage across all client environments:
# Check overall system resource usage
docker stats --no-stream
htop
# Check disk usage per client
du -sh deployments/*/
df -h
# Monitor container memory usage
docker-compose -f deployments/*/docker-compose.yml ps --format "table {{.Name}}\t{{.Size}}"
Database Connection Pool Exhaustion
PostgreSQL connection limits can be hit with many clients. Configure per deployment:
-- Connect to client database
docker-compose exec postgres psql -U postgres
-- Increase connection limit
ALTER SYSTEM SET max_connections = 300;
ALTER SYSTEM SET shared_buffers = '256MB';
ALTER SYSTEM SET effective_cache_size = '1GB';
-- Reload configuration
SELECT pg_reload_conf();
Authentik SSO Configuration Issues
Common SSO setup problems and solutions:
# Check Authentik containers are running
docker-compose ps | grep authentik
# Verify database initialization
docker-compose exec postgres psql -U postgres -d authentik -c "\dt"
# Check Authentik logs for startup issues
docker-compose logs authentik-server --tail=50
# Reset Authentik admin password if needed
docker-compose exec authentik-server ak create_admin_group
docker-compose exec authentik-server ak bootstrap_tasks
Cloudflare Tunnel Connection Issues
Debug tunnel connectivity problems:
# Check tunnel status
docker-compose logs cloudflare-tunnel --tail=20
# Verify tunnel configuration in Cloudflare dashboard
# Ensure wildcard routing: *.client-domain.com
# Test tunnel connectivity
curl -I https://test.client-domain.com
Infrastructure Considerations
Sizing Your Infrastructure for Multiple Clients
For a typical setup handling 10-15 clients simultaneously with full 16-container stacks:
Minimum Requirements:
- CPU: 16-24 cores (2 cores per active client environment)
- RAM: 64-128GB (4-8GB per client depending on AI usage)
- Storage: NVMe SSD with 2TB+ (databases, AI models, and logs grow over time)
- Network: Gigabit connection for responsive client access
Recommended for Production:
- Server: Hetzner CCX62 or similar (48 vCPU, 192GB RAM)
- Storage: 4TB NVMe with automated backup system
- Network: Multiple redundant connections
- Monitoring: Full observability stack with alerting
Backup Strategy for Multi-Client Environments
Implement automated backups per client:
#!/bin/bash
# backup-all-clients.sh - Comprehensive backup solution
BACKUP_DIR="/opt/backups"
BACKUP_DATE=$(date +%Y%m%d_%H%M%S)
for client_dir in deployments/*/; do
if [ -d "$client_dir" ]; then
CLIENT_DOMAIN=$(basename "$client_dir")
echo "📦 Backing up client: $CLIENT_DOMAIN"
cd "$client_dir"
# Backup databases with compression
docker-compose exec -T postgres pg_dumpall -U postgres | gzip > "${BACKUP_DIR}/${CLIENT_DOMAIN}_db_${BACKUP_DATE}.sql.gz"
# Backup persistent volumes
docker run --rm \
-v "${PWD}":/backup \
-v "${CLIENT_DOMAIN//.}_n8n_data":/data/n8n:ro \
-v "${CLIENT_DOMAIN//.}_nocodb_data":/data/nocodb:ro \
-v "${CLIENT_DOMAIN//.}_ollama_data":/data/ollama:ro \
alpine tar czf "/backup/${BACKUP_DIR}/${CLIENT_DOMAIN}_volumes_${BACKUP_DATE}.tar.gz" -C /data .
# Backup configuration files
tar czf "${BACKUP_DIR}/${CLIENT_DOMAIN}_config_${BACKUP_DATE}.tar.gz" \
docker-compose.yml .env traefik/ supabase/ authentik/
echo "✅ Backup completed for $CLIENT_DOMAIN"
fi
done
# Cleanup old backups (keep 30 days)
find "$BACKUP_DIR" -name "*.gz" -mtime +30 -delete
# Optional: Upload to cloud storage
# rclone sync "$BACKUP_DIR" s3:backup-bucket/multi-tenant/
Security Hardening for Production
Implement comprehensive security best practices:
# Enhanced Traefik security configuration
traefik:
command:
- "--api.dashboard=true"
- "--api.debug=false"
- "--log.level=WARN"
- "--accesslog=true"
- "--entrypoints.web.address=:80"
- "--entrypoints.websecure.address=:443"
- "--entrypoints.web.http.redirections.entrypoint.to=websecure"
- "--entrypoints.web.http.redirections.entrypoint.scheme=https"
- "--certificatesresolvers.letsencrypt.acme.httpchallenge=true"
- "--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web"
- "--providers.docker.exposedbydefault=false"
labels:
# Security headers middleware
- "traefik.http.middlewares.security.headers.customRequestHeaders.X-Forwarded-Proto=https"
- "traefik.http.middlewares.security.headers.customResponseHeaders.X-Frame-Options=DENY"
- "traefik.http.middlewares.security.headers.customResponseHeaders.X-Content-Type-Options=nosniff"
- "traefik.http.middlewares.security.headers.customResponseHeaders.Strict-Transport-Security=max-age=31536000"
- "traefik.http.middlewares.security.headers.customResponseHeaders.Content-Security-Policy=default-src 'self'"
# Rate limiting middleware
- "traefik.http.middlewares.ratelimit.ratelimit.burst=100"
- "traefik.http.middlewares.ratelimit.ratelimit.average=50"
Apply security middleware to all client services:
labels:
- "traefik.http.routers.n8n.middlewares=security,ratelimit,${AUTH_MIDDLEWARE}"
Cost Analysis: The Numbers That Matter
Traditional SaaS Costs (10 enterprise clients with full feature sets)
Per-client monthly costs:
- n8n Pro: $50/month per client = $500/month
- Supabase Pro: $25/month per client = $250/month
- NoCode platform (Airtable): $20/month per client = $200/month
- Enterprise SSO (Auth0): $23/month per client = $230/month
- AI API costs (OpenAI): $50/month per client = $500/month
- Total: $1,500/month = $18,000/year
Self-Hosted Multi-Tenant Enterprise Stack Costs
Annual infrastructure costs:
- Dedicated server (Hetzner CCX62): $350/month = $4,200/year
- Domain costs (10 clients): $120/year
- Cloudflare Pro (optional): $240/year
- Total: $4,560/year
Annual savings: $13,440 (75% cost reduction)
Plus you get:
- Complete data sovereignty and privacy
- Unlimited customization and white-labeling
- No vendor lock-in or API rate limits
- Enterprise-grade security and compliance
- Ability to offer reseller services
- Full control over updates and features
This is particularly powerful when you consider that our setup provides enterprise features that would typically cost much more in SaaS subscriptions, similar to the cost benefits we demonstrated in our n8n self-hosting analysis.
WordPress Integration: Streamlining Content Workflows
For agencies and teams managing WordPress sites alongside their development environments, this multi-tenant stack integrates beautifully with WordPress automation workflows. Just as our tva Duplicate Pro plugin streamlines content management in WordPress, this containerized environment can automate complex workflows between WordPress sites and your development infrastructure.
WordPress integration possibilities:
- Content syndication: n8n workflows that automatically push WordPress content to client systems
- Automated deployments: WordPress site changes trigger deployments in client environments
- Data synchronization: Client database changes (via NocoDB) automatically update WordPress content
- AI-powered content: Ollama models generate content that flows into WordPress sites
- Client reporting: Automated WordPress reports generated from development environment metrics
This creates a comprehensive ecosystem where WordPress content management, development workflows, and client delivery all work together seamlessly.
Is This Worth the Setup Time?
If you’re managing development environments for multiple clients, building a SaaS business, or running an agency that delivers technical solutions, absolutely. The initial setup takes about a day, but you end up with:
Immediate Benefits:
- Automated client onboarding in under 10 minutes with complete enterprise stack
- Complete isolation between client environments with professional branding
- Massive cost savings compared to managed services (75%+ reduction)
- Full control over data, customizations, and compliance
- Scalable architecture that grows with your business
- Enterprise-grade security with SSO and authentication
Long-term Value:
- Client retention through superior service delivery and professional presentation
- Revenue growth through ability to serve more clients efficiently
- Competitive advantage through offering enterprise features at competitive prices
- Technical expertise that sets you apart in the market
For agencies serving multiple clients or SaaS startups wanting to maintain control while scaling, this setup provides enterprise-grade capabilities without enterprise-grade costs. The combination of containerization, automated deployment, proper domain routing, and enterprise security creates a foundation for serious business growth that remains completely under your control.
The setup becomes even more valuable when you consider the integration possibilities with existing tools like WordPress automation and the proven stability of self-hosted automation platforms.
What’s Next?
We’re actively working on enhancements to this multi-tenant architecture. Future tutorials will cover:
Advanced Deployment Options:
- Kubernetes migration guide for ultimate scalability and enterprise deployment
- Automated SSL certificate management with integrated Let’s Encrypt workflows
- Advanced monitoring and alerting with Prometheus, Grafana, and custom dashboards
- Disaster recovery automation with multi-region backup strategies
Client Experience Enhancements:
- Client self-service portal for managing their own environments and settings
- White-label customization templates for agency branding
- Advanced workflow templates for common business processes
- Integration guides for popular business tools and APIs
Enterprise Features:
- Advanced security hardening with WAF and intrusion detection
- Compliance frameworks for GDPR, SOC2, and other regulations
- Multi-region deployment strategies for global client bases
- Performance optimization guides for high-traffic environments
The future of client service delivery isn’t about choosing between control and convenience—it’s about building systems that give you both while scaling efficiently and maintaining professional standards.
Get Professional Support
Setting up a multi-tenant environment with 16 containerized services involves many moving parts. While we’ve provided comprehensive documentation, every business has unique requirements and existing infrastructure considerations.
If you’re implementing this setup for production use or need customization for your specific client delivery needs, our team can help with:
- Custom deployment strategies tailored to your infrastructure
- Integration with existing systems and workflows
- Performance optimization for your specific client load
- Security hardening for compliance requirements
- Staff training on managing multi-tenant environments
- Ongoing maintenance and monitoring strategies
Contact us through tva.sg to discuss your multi-tenant architecture needs and get professional guidance on implementation.
Whether you’re scaling an existing agency, launching a new SaaS platform, or building enterprise-grade client delivery capabilities, we’re here to help you succeed with self-hosted, containerized solutions that maintain your independence while delivering professional results.