@smi-digital/create-smi-app 1.0.6 → 2.1.0

package/dist/index.js

@@ -64,8 +64,7 @@ var FRAMEWORK_GENERATORS = {
         "--template",
         "minimal",
         "--install",
-        "--git",
-        "false",
+        "--no-git",
         "--yes"
       ];
     }
@@ -487,6 +486,7 @@ async function createApps(projectRoot, targets) {
 // src/modules/scaffoldActions/createIntegrations.ts
 import { mkdir, readFile as readFile3, writeFile as writeFile2 } from "fs/promises";
 import { dirname as dirname2, join as join4 } from "path";
+import { randomBytes } from "crypto";
 function toTemplateToken(key) {
   const normalized = key.replaceAll(/[^a-zA-Z0-9]+/gv, "_").replaceAll(/^_+|_+$/gv, "").toUpperCase();
   return `__${normalized}__`;
@@ -530,18 +530,48 @@ async function createIntegrations(options, projectRoot, templatesDir) {
     integrationKey
   );
   const integrationRoot = join4(templatesDir, "integrations", integrationKey);
-  const filesToApply = [integrationConfig.workflows.prValidation];
-  if (options.configureCd && integrationConfig.workflows.deploy) {
-    filesToApply.push(integrationConfig.workflows.deploy);
+  const filesToApply = [];
+  if (integrationConfig.workflows) {
+    if (integrationConfig.workflows.prValidation)
+      filesToApply.push(integrationConfig.workflows.prValidation);
+    if (options.configureCd && integrationConfig.workflows.deploy)
+      filesToApply.push(integrationConfig.workflows.deploy);
+  }
+  if (integrationConfig.files) {
+    for (const file of integrationConfig.files) {
+      if (!file.condition || file.condition === options.integrationInputs?.astro_mode) {
+        filesToApply.push(file);
+      }
+    }
+  }
+  if (options.configureCd && integrationConfig.cdFiles) {
+    for (const file of integrationConfig.cdFiles) {
+      if (!file.condition || file.condition === options.integrationInputs?.astro_mode) {
+        filesToApply.push(file);
+      }
+    }
   }
-  const applyFile = async (file) => runStep(
-    `Adding ${file.target}`,
-    async () => copyTemplateFile(
+  const applyFile = async (file) => runStep(`Adding ${file.target}`, async () => {
+    const generateSecret = () => randomBytes(32).toString("base64url");
+    const templateValues = {
+      ...options.integrationInputs,
+      /* eslint-disable camelcase */
+      astro_port: "4321",
+      // Hardcoded to SSR port
+      vault_password: generateSecret(),
+      app_keys: `${generateSecret()},${generateSecret()}`,
+      api_token_salt: generateSecret(),
+      admin_jwt_secret: generateSecret(),
+      transfer_token_salt: generateSecret(),
+      jwt_secret: generateSecret()
+      /* eslint-enable camelcase */
+    };
+    return copyTemplateFile(
       join4(integrationRoot, file.template),
       join4(projectRoot, file.target),
-      options.integrationInputs
-    )
-  );
+      templateValues
+    );
+  });
   const applySequentially = async (index) => {
     const file = filesToApply[index];
     if (!file) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@smi-digital/create-smi-app",
-  "version": "1.0.6",
+  "version": "2.1.0",
   "description": "",
   "main": "dist/index.js",
   "bin": {

package/templates/.husky/pre-commit

@@ -1 +1,28 @@
-npx lint-staged
+#!/usr/bin/env sh
+
+# 1. Run standard linters and formatters
+npx lint-staged
+
+# 2. Ansible-Vault Security Guard
+# Find any staged files that end in .env and start with "production"
+STAGED_ENV_FILES=$(git diff --cached --name-only --diff-filter=ACM | grep -E '^production\..*\.env$')
+
+for file in $STAGED_ENV_FILES; do
+  # Read the first line of the file
+  FIRST_LINE=$(head -n 1 "$file")
+  
+  # Check if the first line indicates it is an Ansible Vault file
+  if [[ "$FIRST_LINE" != "\$ANSIBLE_VAULT;"* ]]; then
+    echo ""
+    echo "🚨 SECURITY ALERT: Unencrypted Production Secrets Detected! 🚨"
+    echo "File: $file"
+    echo ""
+    echo "You are attempting to commit a plain-text production .env file."
+    echo "Please encrypt it using Ansible-Vault before committing:"
+    echo ""
+    echo "  ansible-vault encrypt $file"
+    echo ""
+    echo "Commit aborted."
+    exit 1
+  fi
+done

package/templates/base/gitignore.template

@@ -1,2 +1,7 @@
 node_modules
-*.env
+*.env
+# Allow encrypted production env files to be committed
+!production.*.env
+
+# Ansible Vault Password (NEVER COMMIT THIS)
+.vault-password

package/templates/integrations/strapi-astro/.github/workflows/deploy.yml.template

@@ -1,6 +1,3 @@
-# ==============================================================================
-# COPY THIS FILE TO: .github/workflows/deploy.yml in your project repository
-# ==============================================================================
 name: Deploy Production
 
 on:
@@ -11,16 +8,17 @@ on:
 
 jobs:
   call-central-deployer:
-    uses: smi-digital/cd-library/.github/workflows/deploy-strapi-astro.yml@main
+    uses: smi-digital/cd-library/.github/workflows/deploy-ansible.yml@main
     with:
-      # Replace the following Variables with the actual ones
       project_domain: __PROJECT_DOMAIN__
-      frontend_domain: __FRONTEND_DOMAIN__
       backend_domain: __BACKEND_DOMAIN__
       app_name: __APP_NAME__
-      include_www: __INCLUDE_WWW__
+      image_tag: latest
     secrets:
-      # These secrets MUST be added to your repository settings!
-      # Go to Settings > Secrets and variables > Actions
-      ASTRO_FRONTEND_ENV: ${{ secrets.ASTRO_FRONTEND_ENV }}
-      STRAPI_BACKEND_ENV: ${{ secrets.STRAPI_BACKEND_ENV }}
+      # These secrets must be configured at the Organization or Repository level:
+      SERVER_SSH_KEY: ${{ secrets.SERVER_SSH_KEY }}
+      SERVER_IP: ${{ secrets.SERVER_IP }}
+      SERVER_DEPLOY_USER: ${{ secrets.SERVER_DEPLOY_USER }}
+      VAULT_PASSWORD: ${{ secrets.VAULT_PASSWORD }}
+      ZOT_USERNAME: ${{ secrets.ZOT_USERNAME }}
+      ZOT_PASSWORD: ${{ secrets.ZOT_PASSWORD }}

package/templates/integrations/strapi-astro/.vault-password.template

@@ -0,0 +1 @@
+__VAULT_PASSWORD__

package/templates/integrations/strapi-astro/Dockerfile.backend.template

@@ -0,0 +1,23 @@
+# ========================================================
+# EXAMPLE: Dockerfile for Strapi Backend
+# Place this in your /backend folder
+# ========================================================
+
+FROM node:18-alpine
+# Installing libvips-dev for sharp Compatibility
+RUN apk update && apk add --no-cache build-base gcc autoconf automake zlib-dev libpng-dev vips-dev > /dev/null 2>&1
+ARG NODE_ENV=production
+ENV NODE_ENV=${NODE_ENV}
+
+WORKDIR /opt/
+COPY package.json ./
+RUN npm install -g node-gyp
+RUN npm config set fetch-retry-maxtimeout 600000 -g && npm install --only=production
+ENV PATH /opt/node_modules/.bin:$PATH
+
+WORKDIR /opt/app
+COPY . .
+RUN npm run build
+
+EXPOSE 1337
+CMD ["npm", "run", "start"]

package/templates/integrations/strapi-astro/Dockerfile.frontend.ssr.template

@@ -0,0 +1,31 @@
+# ========================================================
+# EXAMPLE: Dockerfile for Astro SSR (Server-Side Rendering)
+# Place this in your /frontend folder and name it 'Dockerfile'
+# ========================================================
+
+# Stage 1: Build with Bun
+FROM oven/bun:1 as builder
+WORKDIR /app
+COPY package.json bun.lock ./
+RUN bun install
+COPY . .
+RUN bun run build
+
+# Stage 2: Serve dynamic application using Bun
+FROM oven/bun:1-alpine
+WORKDIR /app
+
+# Copy the built SSR server bundle and node_modules
+COPY --from=builder /app/node_modules ./node_modules
+COPY --from=builder /app/dist ./dist
+COPY --from=builder /app/package.json ./
+
+# Expose port 4321 (Matches the 'frontend_port' logic in Ansible for SSR)
+EXPOSE 4321
+
+# Default environment variables
+ENV HOST=0.0.0.0
+ENV PORT=4321
+
+# Start the server (Adjust entrypoint depending on your Astro Node/Bun adapter)
+CMD ["bun", "run", "./dist/server/entry.mjs"]

package/templates/integrations/strapi-astro/backend/src/index.ts.template

@@ -0,0 +1,41 @@
+export default {
+  register(/*{ strapi }*/) {},
+
+  async bootstrap({ strapi }) {
+    // 1. Find the Public Role
+    const publicRole = await strapi
+      .query('plugin::users-permissions.role')
+      .findOne({ where: { type: 'public' } });
+
+    if (!publicRole) return;
+
+    // 2. Dynamically find all Custom APIs created by the developer
+    // strapi.api contains all user-generated content types (ignoring system plugins)
+    const customApis = Object.keys(strapi.api);
+    const permissionsToOpen: string[] = [];
+
+    // 3. Build the permission strings (find and findOne) for every custom API
+    for (const apiName of customApis) {
+      permissionsToOpen.push(`api::${apiName}.${apiName}.find`);
+      permissionsToOpen.push(`api::${apiName}.${apiName}.findOne`);
+    }
+
+    // 4. Grant the permissions programmatically
+    for (const action of permissionsToOpen) {
+      const existingPermission = await strapi
+        .query('plugin::users-permissions.permission')
+        .findOne({ where: { role: publicRole.id, action } });
+
+      // If the permission doesn't exist yet, create it
+      if (!existingPermission) {
+        await strapi.query('plugin::users-permissions.permission').create({
+          data: {
+            action: action,
+            role: publicRole.id,
+          },
+        });
+        console.log(`[BOOTSTRAP] Automatically granted public access to: ${action}`);
+      }
+    }
+  },
+};

package/templates/integrations/strapi-astro/docker-compose.yml.template

@@ -0,0 +1,52 @@
+services:
+  __APP_NAME__-strapi:
+    container_name: __APP_NAME__-strapi
+    # The image is built in CI and pushed to Zot
+    image: registry.smi-digital.com/__APP_NAME__-strapi:${IMAGE_TAG:-latest}
+    restart: unless-stopped
+    env_file:
+      - ./backend.env
+    volumes: 
+      - ./data/uploads:/opt/app/public/uploads
+      - ./data/database:/opt/app/.tmp
+    networks:
+      - agency_shared_network
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:1337/admin"]
+      interval: 10s
+      timeout: 5s
+      retries: 15
+    labels:
+      - "traefik.enable=true"
+      # Route traffic from your backend domain to this container
+      - "traefik.http.routers.__APP_NAME__-strapi.rule=Host(`__BACKEND_DOMAIN__`)"
+      # Request an SSL certificate from the global Let's Encrypt resolver
+      - "traefik.http.routers.__APP_NAME__-strapi.tls.certresolver=letsencrypt"
+      # Tell Traefik which port to send traffic to inside the container
+      - "traefik.http.services.__APP_NAME__-strapi.loadbalancer.server.port=1337"
+      # Strapi requires larger body sizes for media uploads (25MB)
+      - "traefik.http.middlewares.__APP_NAME__-strapi-limit.buffering.maxRequestBodyBytes=25000000"
+      - "traefik.http.routers.__APP_NAME__-strapi.middlewares=__APP_NAME__-strapi-limit"
+
+  __APP_NAME__-astro:
+    container_name: __APP_NAME__-astro
+    image: registry.smi-digital.com/__APP_NAME__-astro:${IMAGE_TAG:-latest}
+    restart: unless-stopped
+    env_file:
+      - ./frontend.env
+    networks:
+      - agency_shared_network
+    depends_on:
+      __APP_NAME__-strapi:
+        condition: service_healthy
+    labels:
+      - "traefik.enable=true"
+      # Listen on both www and non-www (If include_www is selected during setup, you can manually adjust this)
+      - "traefik.http.routers.__APP_NAME__-astro.rule=Host(`__PROJECT_DOMAIN__`) || Host(`www.__PROJECT_DOMAIN__`)"
+      - "traefik.http.routers.__APP_NAME__-astro.tls.certresolver=letsencrypt"
+      # Port 4321 for Bun/SSR, Port 80 if pure SSG Nginx container
+      - "traefik.http.services.__APP_NAME__-astro.loadbalancer.server.port=__ASTRO_PORT__"
+
+networks:
+  agency_shared_network:
+    external: true

package/templates/integrations/strapi-astro/frontend/src/middleware.ts.template

@@ -0,0 +1,16 @@
+// This middleware enforces Stale-While-Revalidate (SWR) caching for SSR pages.
+// It ensures pages are fast for users while updating in the background.
+import { defineMiddleware } from 'astro:middleware';
+
+export const onRequest = defineMiddleware(async (context, next) => {
+  const response = await next();
+
+  // Only apply SWR caching to HTML responses (SSR pages)
+  // We do not want to aggressively cache API routes or dynamic forms
+  if (response.headers.get('content-type')?.includes('text/html')) {
+    // Cache for 10 seconds. For the next 1 hour (3600s), serve stale cache while fetching new data.
+    response.headers.set('Cache-Control', 'public, s-maxage=10, stale-while-revalidate=3600');
+  }
+
+  return response;
+});

package/templates/integrations/strapi-astro/integration.config.json

@@ -15,13 +15,6 @@
         "default": "my-new-client.com",
         "required": true
       },
-      {
-        "key": "frontend_domain",
-        "message": "What is the frontend domain?",
-        "type": "input",
-        "default": "my-new-client.com",
-        "required": true
-      },
       {
         "key": "backend_domain",
         "message": "What is the backend domain?",
@@ -53,5 +46,41 @@
       "template": ".github/workflows/deploy.yml.template",
       "target": ".github/workflows/deploy.yml"
     }
-  }
+  },
+  "files": [
+    {
+      "template": "backend/src/index.ts.template",
+      "target": "backend/src/index.ts"
+    }
+  ],
+  "cdFiles": [
+    {
+      "template": "docker-compose.yml.template",
+      "target": "docker-compose.yml"
+    },
+    {
+      "template": "Dockerfile.backend.template",
+      "target": "backend/Dockerfile"
+    },
+    {
+      "template": "Dockerfile.frontend.ssr.template",
+      "target": "frontend/Dockerfile"
+    },
+    {
+      "template": "frontend/src/middleware.ts.template",
+      "target": "frontend/src/middleware.ts"
+    },
+    {
+      "template": ".vault-password.template",
+      "target": ".vault-password"
+    },
+    {
+      "template": "production.frontend.env.template",
+      "target": "production.frontend.env"
+    },
+    {
+      "template": "production.backend.env.template",
+      "target": "production.backend.env"
+    }
+  ]
 }

package/templates/integrations/strapi-astro/production.backend.env.template

@@ -0,0 +1,19 @@
+# ==============================================================================
+# PRODUCTION BACKEND SECRETS (Strapi)
+# 
+# 🚨 SECURITY WARNING 🚨
+# This file MUST be encrypted before committing to Git!
+# Run: ansible-vault encrypt production.backend.env --vault-password-file .vault-password
+# ==============================================================================
+
+# Strapi System Keys (Automatically generated by create-smi-app)
+APP_KEYS=__APP_KEYS__
+API_TOKEN_SALT=__API_TOKEN_SALT__
+ADMIN_JWT_SECRET=__ADMIN_JWT_SECRET__
+TRANSFER_TOKEN_SALT=__TRANSFER_TOKEN_SALT__
+JWT_SECRET=__JWT_SECRET__
+
+# Production Settings
+HOST=0.0.0.0
+PORT=1337
+NODE_ENV=production

package/templates/integrations/strapi-astro/production.frontend.env.template

@@ -0,0 +1,14 @@
+# ==============================================================================
+# PRODUCTION FRONTEND SECRETS (Astro SSR)
+# 
+# 🚨 SECURITY WARNING 🚨
+# This file MUST be encrypted before committing to Git!
+# Run: ansible-vault encrypt production.frontend.env --vault-password-file .vault-password
+# ==============================================================================
+
+# Internal Docker Network routing (Do not change)
+PUBLIC_API_URL=http://__APP_NAME__-strapi:1337
+
+# Add your client-specific 3rd party secrets below
+# STRIPE_SECRET_KEY=sk_live_...
+# SENDGRID_API_KEY=SG...