PocketBase Deploy
Production deployment for PocketBase. Use when deploying PocketBase to a server, setting up Docker, configuring systemd, reverse proxy (nginx/Caddy), TLS, SMTP, backups, S3 storage, rate limiting, or hardening for production. Provides ready-to-use configs.
Best use case
PocketBase Deploy is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Production deployment for PocketBase. Use when deploying PocketBase to a server, setting up Docker, configuring systemd, reverse proxy (nginx/Caddy), TLS, SMTP, backups, S3 storage, rate limiting, or hardening for production. Provides ready-to-use configs.
Teams using PocketBase Deploy should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/pb-deploy/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How PocketBase Deploy Compares
| Feature / Agent | PocketBase Deploy | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Production deployment for PocketBase. Use when deploying PocketBase to a server, setting up Docker, configuring systemd, reverse proxy (nginx/Caddy), TLS, SMTP, backups, S3 storage, rate limiting, or hardening for production. Provides ready-to-use configs.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
Related Guides
Best AI Skills for Claude
Explore the best AI skills for Claude and Claude Code across coding, research, workflow automation, documentation, and agent operations.
ChatGPT vs Claude for Agent Skills
Compare ChatGPT and Claude for AI agent skills across coding, writing, research, and reusable workflow execution.
AI Agents for Startups
Explore AI agent skills for startup validation, product research, growth experiments, documentation, and fast execution with small teams.
SKILL.md Source
# PocketBase Production Deployment
## Single Binary Deployment
PocketBase is a single binary. No runtime dependencies.
```bash
# Download
wget https://github.com/pocketbase/pocketbase/releases/download/v0.X.X/pocketbase_0.X.X_linux_amd64.zip
unzip pocketbase_*.zip
chmod +x pocketbase
# Run
./pocketbase serve --http="0.0.0.0:8090"
```
Data stored in `pb_data/` (SQLite DB, uploaded files, logs).
## systemd Service
```ini
# /etc/systemd/system/pocketbase.service
[Unit]
Description=PocketBase
After=network.target
[Service]
Type=simple
User=pocketbase
Group=pocketbase
LimitNOFILE=4096
Restart=always
RestartSec=5s
WorkingDirectory=/opt/pocketbase
ExecStart=/opt/pocketbase/pocketbase serve --http="127.0.0.1:8090"
# Security hardening
NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=true
ReadWritePaths=/opt/pocketbase/pb_data /opt/pocketbase/pb_hooks /opt/pocketbase/pb_migrations
PrivateTmp=true
# Memory limit (adjust to your server)
# MemoryMax=512M
[Install]
WantedBy=multi-user.target
```
```bash
# Setup
sudo useradd --system --no-create-home pocketbase
sudo mkdir -p /opt/pocketbase
sudo cp pocketbase /opt/pocketbase/
sudo chown -R pocketbase:pocketbase /opt/pocketbase
# Enable & start
sudo systemctl daemon-reload
sudo systemctl enable pocketbase
sudo systemctl start pocketbase
sudo systemctl status pocketbase
# Logs
sudo journalctl -u pocketbase -f
```
### File descriptor limit
For high-traffic deployments, increase the limit:
```ini
# In the [Service] section:
LimitNOFILE=65535
```
Also set system-wide in `/etc/security/limits.conf`:
```
pocketbase soft nofile 65535
pocketbase hard nofile 65535
```
### Go memory limit
For constrained environments:
```ini
Environment=GOMEMLIMIT=400MiB
```
## Docker
### Dockerfile
```dockerfile
FROM alpine:latest
ARG PB_VERSION=0.25.0
RUN apk add --no-cache \
unzip \
ca-certificates
# Download and install PocketBase
# NOTE: verify the checksum in production — see https://github.com/pocketbase/pocketbase/releases
ADD https://github.com/pocketbase/pocketbase/releases/download/v${PB_VERSION}/pocketbase_${PB_VERSION}_linux_amd64.zip /tmp/pb.zip
RUN unzip /tmp/pb.zip -d /pb/ && rm /tmp/pb.zip
# Copy hooks and migrations
COPY ./pb_hooks /pb/pb_hooks
COPY ./pb_migrations /pb/pb_migrations
EXPOSE 8090
CMD ["/pb/pocketbase", "serve", "--http=0.0.0.0:8090"]
```
### docker-compose.yml
```yaml
services:
pocketbase:
build: .
ports:
- "127.0.0.1:8090:8090" # bind to localhost only — expose via reverse proxy
volumes:
- pb_data:/pb/pb_data
- ./pb_hooks:/pb/pb_hooks
- ./pb_migrations:/pb/pb_migrations
restart: unless-stopped
healthcheck:
test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://localhost:8090/api/health"]
interval: 30s
timeout: 5s
retries: 3
volumes:
pb_data:
```
## Reverse Proxy
### Caddy (recommended — auto TLS)
```
# /etc/caddy/Caddyfile
myapp.com {
reverse_proxy localhost:8090
}
```
That's it. Caddy handles TLS certificates automatically via Let's Encrypt.
### nginx
```nginx
# /etc/nginx/sites-available/pocketbase
server {
listen 80;
server_name myapp.com;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl http2;
server_name myapp.com;
ssl_certificate /etc/letsencrypt/live/myapp.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/myapp.com/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
client_max_body_size 50M;
# Block public access to the admin dashboard
location /_/ {
return 403;
}
location / {
proxy_pass http://127.0.0.1:8090;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# SSE support for realtime
proxy_buffering off;
proxy_cache off;
proxy_read_timeout 3600s;
}
}
```
**Critical for realtime**: `proxy_buffering off` and `proxy_read_timeout` must be set for SSE subscriptions to work.
```bash
# Let's Encrypt with nginx
sudo apt install certbot python3-certbot-nginx
sudo certbot --nginx -d myapp.com
```
## SMTP Configuration
Configure in Dashboard > Settings > Mail settings, or via hooks:
```js
// pb_hooks/settings.pb.js
onBootstrap(function(e) {
var settings = e.app.settings()
settings.smtp.enabled = true
settings.smtp.host = $os.getenv("SMTP_HOST")
settings.smtp.port = parseInt($os.getenv("SMTP_PORT") || "587")
settings.smtp.username = $os.getenv("SMTP_USER")
settings.smtp.password = $os.getenv("SMTP_PASS")
settings.smtp.tls = true // STARTTLS
// settings.smtp.authMethod = "PLAIN" // or "LOGIN"
settings.meta.senderName = "My App"
settings.meta.senderAddress = "noreply@myapp.com"
e.app.save(settings)
return e.next()
})
```
## Security Hardening
### Superuser MFA
Always enable MFA for superuser accounts in production:
Dashboard > Superusers > Auth options > MFA > Enable
### Settings encryption key
Encrypt sensitive settings (SMTP passwords, S3 keys) at rest:
```bash
./pocketbase serve --encryptionEnv=PB_ENCRYPTION_KEY
```
Set `PB_ENCRYPTION_KEY` environment variable to a 32+ character random string. Once set, settings are encrypted in the DB. **Do not lose this key** — you won't be able to decrypt settings without it.
### Rate limiting
Built-in rate limiter (enabled by default). Configure in Dashboard > Settings > Rate limits, or:
```js
settings.rateLimits.enabled = true
settings.rateLimits.rules = [
{ label: "*:auth*", maxRequests: 10, duration: 300 }, // 10 auth attempts per 5 min
{ label: "POST:/api/collections/*/records", maxRequests: 50, duration: 60 },
]
```
### Hide the Dashboard in production
```bash
./pocketbase serve --http="127.0.0.1:8090" # bind to localhost only
```
Access the dashboard only via SSH tunnel:
```bash
ssh -L 8090:127.0.0.1:8090 user@server
```
## S3 Storage
For file uploads, offload to S3-compatible storage:
Dashboard > Settings > Files storage > S3
```js
// Or via hooks:
onBootstrap(function(e) {
var settings = e.app.settings()
settings.s3.enabled = true
settings.s3.bucket = $os.getenv("S3_BUCKET")
settings.s3.region = $os.getenv("S3_REGION")
settings.s3.endpoint = $os.getenv("S3_ENDPOINT")
settings.s3.accessKey = $os.getenv("S3_ACCESS_KEY")
settings.s3.secret = $os.getenv("S3_SECRET")
settings.s3.forcePathStyle = true // for MinIO/Backblaze
e.app.save(settings)
return e.next()
})
```
Compatible providers: AWS S3, Backblaze B2, Cloudflare R2, MinIO, DigitalOcean Spaces, Wasabi.
## Backups
### Small databases (< 1GB)
Use the built-in backup feature:
- Dashboard > Settings > Backups
- Or via API: `POST /api/backups`
- Auto-schedule: configure cron in Dashboard
### Large databases
The Dashboard backup uses SQLite's online backup API (locks DB briefly). For large DBs, use:
```bash
# sqlite3 .backup command (hot backup, minimal locking)
sqlite3 /opt/pocketbase/pb_data/data.db ".backup '/tmp/backup.db'"
# Then rsync to remote
rsync -avz /tmp/backup.db backup-server:/backups/pocketbase/data-$(date +%Y%m%d).db
```
**Never copy the `.db` file directly** while PocketBase is running — it may be in an inconsistent state.
### Backup script
```bash
#!/bin/bash
# /opt/pocketbase/backup.sh
set -euo pipefail
BACKUP_DIR="/backups/pocketbase"
DB_PATH="/opt/pocketbase/pb_data/data.db"
DATE=$(date +%Y%m%d_%H%M%S)
mkdir -p "$BACKUP_DIR"
# Hot backup
sqlite3 "$DB_PATH" ".backup '${BACKUP_DIR}/data_${DATE}.db'"
# Also backup pb_data files (uploads, if not using S3)
tar -czf "${BACKUP_DIR}/pb_data_${DATE}.tar.gz" -C /opt/pocketbase pb_data --exclude='pb_data/data.db*'
# Retain last 30 days
find "$BACKUP_DIR" -name "data_*.db" -mtime +30 -delete
find "$BACKUP_DIR" -name "pb_data_*.tar.gz" -mtime +30 -delete
```
```bash
# Crontab: daily at 2 AM
0 2 * * * /opt/pocketbase/backup.sh >> /var/log/pocketbase-backup.log 2>&1
```
## Health Check
```bash
curl http://localhost:8090/api/health
# {"code":200,"message":"API is healthy."}
```
## Deployment Checklist
1. **Binary**: correct architecture (linux_amd64 / linux_arm64)
2. **systemd**: service enabled, LimitNOFILE set
3. **Reverse proxy**: Caddy or nginx with TLS, proxy_buffering off for SSE
4. **SMTP**: configured and tested (send a test verification email)
5. **Superuser**: strong password + MFA enabled
6. **Encryption key**: `--encryptionEnv` set for sensitive settings
7. **Backups**: automated daily, tested restore procedure
8. **Rate limiting**: enabled with sane defaults
9. **File storage**: S3 configured if expecting many uploads
10. **Monitoring**: health check endpoint monitored, journalctl logs reviewed
11. **Firewall**: only 80/443 exposed, 8090 bound to localhost
12. **GOMEMLIMIT**: set if on constrained VPSRelated Skills
expo-deployment
Deploy Expo apps to production
railway-deployment
Manage Railway deployments - view logs, redeploy, restart, or remove deployments. Use for deployment lifecycle (remove, stop, redeploy, restart), deployment visibility (list, status, history), and troubleshooting (logs, errors, failures, crashes). NOT for deleting services - use railway-environment skill with isDeleted for that.
railway-deploy
Deploy code to Railway using "railway up". Use when user wants to push code, says "railway up", "deploy", "ship", or "push". For initial setup or creating services, use railway-new skill. For Docker images, use railway-environment skill.
PocketBase SDK
JavaScript SDK usage for PocketBase client applications. Use when calling PocketBase from frontend or Node.js, authenticating users, subscribing to realtime events, uploading files, or working with the PocketBase JS/TS SDK. Covers CRUD, auth flows, authStore, realtime SSE, file handling, batch operations, and query syntax.
PocketBase Migrations
Schema migrations and versioning for PocketBase. Use when creating migrations, managing schema versions, syncing collections between environments, using automigrate, or creating collections programmatically. Covers migrate commands, migration file format, snapshot imports, and the _migrations tracking table.
PocketBase Hooks
Server-side JavaScript hooks for PocketBase (pb_hooks). Use when writing custom routes, event hooks, cron jobs, sending emails, making HTTP requests, querying the database, or extending PocketBase with server-side logic. Covers the goja ES5 runtime, routing, middleware, all event hooks, DB queries, record operations, and global APIs.
PocketBase Collections
Collection and schema design for PocketBase. Use when creating collections, designing schemas, adding fields, setting up relations, or choosing between base/auth/view collection types. Prevents wrong field types, documents zero-default behavior, and covers relation cascading.
PocketBase API Rules
API rules and filter expressions for PocketBase access control. Use when setting permissions, writing filter expressions, configuring who can access what, or debugging 403/404 responses. Covers all 5 rule types, filter syntax, operators, request/collection macros, and field modifiers.
vercel-deployment
Expert knowledge for deploying to Vercel with Next.js Use when: vercel, deploy, deployment, hosting, production.
vercel-deploy
Deploy applications and websites to Vercel. Use when the user requests deployment actions like "deploy my app", "deploy and give me the link", "push this live", or "create a preview deployment".
render-deploy
Deploy applications to Render by analyzing codebases, generating render.yaml Blueprints, and providing Dashboard deeplinks. Use when the user wants to deploy, host, publish, or set up their application on Render's cloud platform.
netlify-deploy
Deploy web projects to Netlify using the Netlify CLI (`npx netlify`). Use when the user asks to deploy, host, publish, or link a site/repo on Netlify, including preview and production deploys.