create-nextblock 0.8.11 → 0.9.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/bin/create-nextblock.js +91 -5
- package/docker-template/.dockerignore +23 -0
- package/docker-template/.env.docker.example +55 -0
- package/docker-template/Dockerfile +68 -0
- package/docker-template/docker/db/init/99-jwt.sql +6 -0
- package/docker-template/docker/db/init/99-roles.sql +25 -0
- package/docker-template/docker/kong/kong.yml +112 -0
- package/docker-template/docker/migrate/run-migrations.sh +51 -0
- package/docker-template/docker-compose.yml +215 -0
- package/docker-template/scripts/docker-setup.mjs +227 -0
- package/package.json +1 -1
- package/scripts/sync-template.js +29 -0
- package/templates/nextblock-template/.dockerignore +23 -0
- package/templates/nextblock-template/Dockerfile +68 -0
- package/templates/nextblock-template/app/api/upload/presigned-url/route.ts +9 -9
- package/templates/nextblock-template/docker/db/init/99-jwt.sql +6 -0
- package/templates/nextblock-template/docker/db/init/99-roles.sql +25 -0
- package/templates/nextblock-template/docker/kong/kong.yml +112 -0
- package/templates/nextblock-template/docker/migrate/run-migrations.sh +51 -0
- package/templates/nextblock-template/docker-compose.yml +215 -0
- package/templates/nextblock-template/lib/custom-block-r2-upload.test.ts +5 -5
- package/templates/nextblock-template/lib/custom-block-r2-upload.ts +2 -2
- package/templates/nextblock-template/next.config.js +9 -0
- package/templates/nextblock-template/package.json +6 -2
- package/templates/nextblock-template/scripts/docker-setup.mjs +227 -0
|
@@ -0,0 +1,215 @@
|
|
|
1
|
+
# Self-hosted NextBlock CMS stack for a standalone project. Generated/driven by
|
|
2
|
+
# `npm run docker:setup`, which writes the .env this file reads. Mirrors the production Supabase
|
|
3
|
+
# topology: Postgres + GoTrue + PostgREST behind a Kong gateway, plus MinIO for S3 media.
|
|
4
|
+
name: nextblock
|
|
5
|
+
|
|
6
|
+
services:
|
|
7
|
+
db:
|
|
8
|
+
image: ${SUPABASE_DB_IMAGE:-supabase/postgres:15.8.1.085}
|
|
9
|
+
restart: unless-stopped
|
|
10
|
+
environment:
|
|
11
|
+
POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
|
|
12
|
+
POSTGRES_DB: ${POSTGRES_DB:-postgres}
|
|
13
|
+
JWT_SECRET: ${JWT_SECRET}
|
|
14
|
+
JWT_EXP: ${JWT_EXP:-3600}
|
|
15
|
+
volumes:
|
|
16
|
+
- nextblock_db_store:/var/lib/postgresql/data
|
|
17
|
+
- ./docker/db/init/99-roles.sql:/docker-entrypoint-initdb.d/init-scripts/99-roles.sql:ro
|
|
18
|
+
- ./docker/db/init/99-jwt.sql:/docker-entrypoint-initdb.d/init-scripts/99-jwt.sql:ro
|
|
19
|
+
healthcheck:
|
|
20
|
+
test: ['CMD', 'pg_isready', '-U', 'postgres', '-h', 'localhost']
|
|
21
|
+
interval: 5s
|
|
22
|
+
timeout: 5s
|
|
23
|
+
retries: 12
|
|
24
|
+
# supabase/postgres runs a heavy first-init; give it time before counting health failures.
|
|
25
|
+
start_period: 60s
|
|
26
|
+
ports:
|
|
27
|
+
- '${POSTGRES_PORT_EXTERNAL:-54322}:5432'
|
|
28
|
+
|
|
29
|
+
auth:
|
|
30
|
+
image: ${SUPABASE_GOTRUE_IMAGE:-supabase/gotrue:v2.189.0}
|
|
31
|
+
restart: unless-stopped
|
|
32
|
+
depends_on:
|
|
33
|
+
db:
|
|
34
|
+
condition: service_healthy
|
|
35
|
+
environment:
|
|
36
|
+
GOTRUE_API_HOST: 0.0.0.0
|
|
37
|
+
GOTRUE_API_PORT: 9999
|
|
38
|
+
API_EXTERNAL_URL: ${API_EXTERNAL_URL:-http://localhost:8000}
|
|
39
|
+
GOTRUE_DB_DRIVER: postgres
|
|
40
|
+
GOTRUE_DB_DATABASE_URL: postgres://supabase_auth_admin:${POSTGRES_PASSWORD}@db:5432/${POSTGRES_DB:-postgres}
|
|
41
|
+
GOTRUE_SITE_URL: ${SITE_URL:-http://localhost:3000}
|
|
42
|
+
GOTRUE_URI_ALLOW_LIST: '*'
|
|
43
|
+
GOTRUE_DISABLE_SIGNUP: 'false'
|
|
44
|
+
GOTRUE_JWT_ADMIN_ROLES: service_role
|
|
45
|
+
GOTRUE_JWT_AUD: authenticated
|
|
46
|
+
GOTRUE_JWT_DEFAULT_GROUP_NAME: authenticated
|
|
47
|
+
GOTRUE_JWT_EXP: ${JWT_EXP:-3600}
|
|
48
|
+
GOTRUE_JWT_SECRET: ${JWT_SECRET}
|
|
49
|
+
GOTRUE_JWT_ISSUER: ${API_EXTERNAL_URL:-http://localhost:8000}/auth/v1
|
|
50
|
+
GOTRUE_EXTERNAL_EMAIL_ENABLED: 'true'
|
|
51
|
+
GOTRUE_MAILER_AUTOCONFIRM: ${GOTRUE_MAILER_AUTOCONFIRM:-true}
|
|
52
|
+
GOTRUE_SMTP_ADMIN_EMAIL: ${SMTP_FROM_EMAIL:-admin@example.com}
|
|
53
|
+
GOTRUE_SMTP_HOST: ${SMTP_HOST:-}
|
|
54
|
+
# Must be a valid integer even when SMTP is skipped (GoTrue parses it as int and crashes on
|
|
55
|
+
# ''). With no host + autoconfirm on, no mail is sent, so the value is otherwise inert.
|
|
56
|
+
GOTRUE_SMTP_PORT: ${SMTP_PORT:-2500}
|
|
57
|
+
GOTRUE_SMTP_USER: ${SMTP_USER:-}
|
|
58
|
+
GOTRUE_SMTP_PASS: ${SMTP_PASS:-}
|
|
59
|
+
GOTRUE_SMTP_SENDER_NAME: ${SMTP_FROM_NAME:-NextBlock}
|
|
60
|
+
GOTRUE_MAILER_URLPATHS_CONFIRMATION: /auth/v1/verify
|
|
61
|
+
GOTRUE_MAILER_URLPATHS_RECOVERY: /auth/v1/verify
|
|
62
|
+
GOTRUE_MAILER_URLPATHS_INVITE: /auth/v1/verify
|
|
63
|
+
GOTRUE_MAILER_URLPATHS_EMAIL_CHANGE: /auth/v1/verify
|
|
64
|
+
healthcheck:
|
|
65
|
+
test: ['CMD', 'wget', '--no-verbose', '--tries=1', '--spider', 'http://localhost:9999/health']
|
|
66
|
+
interval: 5s
|
|
67
|
+
timeout: 5s
|
|
68
|
+
retries: 15
|
|
69
|
+
|
|
70
|
+
rest:
|
|
71
|
+
image: ${SUPABASE_POSTGREST_IMAGE:-postgrest/postgrest:v12.2.12}
|
|
72
|
+
restart: unless-stopped
|
|
73
|
+
depends_on:
|
|
74
|
+
db:
|
|
75
|
+
condition: service_healthy
|
|
76
|
+
environment:
|
|
77
|
+
PGRST_DB_URI: postgres://authenticator:${POSTGRES_PASSWORD}@db:5432/${POSTGRES_DB:-postgres}
|
|
78
|
+
PGRST_DB_SCHEMAS: public,graphql_public
|
|
79
|
+
PGRST_DB_ANON_ROLE: anon
|
|
80
|
+
PGRST_JWT_SECRET: ${JWT_SECRET}
|
|
81
|
+
PGRST_DB_USE_LEGACY_GUCS: 'false'
|
|
82
|
+
PGRST_APP_SETTINGS_JWT_SECRET: ${JWT_SECRET}
|
|
83
|
+
PGRST_APP_SETTINGS_JWT_EXP: ${JWT_EXP:-3600}
|
|
84
|
+
PGRST_DB_EXTRA_SEARCH_PATH: public,extensions
|
|
85
|
+
|
|
86
|
+
kong:
|
|
87
|
+
image: ${SUPABASE_KONG_IMAGE:-kong:2.8.1}
|
|
88
|
+
restart: unless-stopped
|
|
89
|
+
depends_on:
|
|
90
|
+
auth:
|
|
91
|
+
condition: service_started
|
|
92
|
+
rest:
|
|
93
|
+
condition: service_started
|
|
94
|
+
environment:
|
|
95
|
+
KONG_DATABASE: 'off'
|
|
96
|
+
KONG_DECLARATIVE_CONFIG: /home/kong/kong.yml
|
|
97
|
+
KONG_DNS_ORDER: LAST,A,CNAME
|
|
98
|
+
KONG_PLUGINS: request-transformer,cors,key-auth,acl
|
|
99
|
+
KONG_NGINX_PROXY_PROXY_BUFFER_SIZE: 160k
|
|
100
|
+
KONG_NGINX_PROXY_PROXY_BUFFERS: 64 160k
|
|
101
|
+
SUPABASE_ANON_KEY: ${ANON_KEY}
|
|
102
|
+
SUPABASE_SERVICE_KEY: ${SERVICE_ROLE_KEY}
|
|
103
|
+
volumes:
|
|
104
|
+
- ./docker/kong/kong.yml:/home/kong/temp.yml:ro
|
|
105
|
+
entrypoint: bash -c 'eval "echo \"$$(cat ~/temp.yml)\"" > ~/kong.yml && /docker-entrypoint.sh kong docker-start'
|
|
106
|
+
ports:
|
|
107
|
+
- '${KONG_HTTP_PORT:-8000}:8000'
|
|
108
|
+
|
|
109
|
+
minio:
|
|
110
|
+
image: ${MINIO_IMAGE:-minio/minio:latest}
|
|
111
|
+
restart: unless-stopped
|
|
112
|
+
command: server /data --console-address ":9001"
|
|
113
|
+
environment:
|
|
114
|
+
MINIO_ROOT_USER: ${MINIO_ROOT_USER}
|
|
115
|
+
MINIO_ROOT_PASSWORD: ${MINIO_ROOT_PASSWORD}
|
|
116
|
+
volumes:
|
|
117
|
+
- nextblock_media:/data
|
|
118
|
+
ports:
|
|
119
|
+
- '${MINIO_S3_PORT:-9000}:9000'
|
|
120
|
+
- '${MINIO_CONSOLE_PORT:-9001}:9001'
|
|
121
|
+
|
|
122
|
+
minio-init:
|
|
123
|
+
image: ${MINIO_MC_IMAGE:-minio/mc:latest}
|
|
124
|
+
restart: 'no'
|
|
125
|
+
depends_on:
|
|
126
|
+
minio:
|
|
127
|
+
condition: service_started
|
|
128
|
+
environment:
|
|
129
|
+
MINIO_ROOT_USER: ${MINIO_ROOT_USER}
|
|
130
|
+
MINIO_ROOT_PASSWORD: ${MINIO_ROOT_PASSWORD}
|
|
131
|
+
STORAGE_BUCKET: ${STORAGE_BUCKET:-nextblock}
|
|
132
|
+
entrypoint: >
|
|
133
|
+
/bin/sh -c "
|
|
134
|
+
until mc alias set local http://minio:9000 $$MINIO_ROOT_USER $$MINIO_ROOT_PASSWORD; do echo 'waiting for minio...'; sleep 2; done &&
|
|
135
|
+
mc mb --ignore-existing local/$$STORAGE_BUCKET &&
|
|
136
|
+
mc anonymous set download local/$$STORAGE_BUCKET &&
|
|
137
|
+
echo 'minio bucket ready'
|
|
138
|
+
"
|
|
139
|
+
|
|
140
|
+
migrate:
|
|
141
|
+
image: ${MIGRATE_IMAGE:-postgres:15-alpine}
|
|
142
|
+
restart: 'no'
|
|
143
|
+
depends_on:
|
|
144
|
+
db:
|
|
145
|
+
condition: service_healthy
|
|
146
|
+
auth:
|
|
147
|
+
condition: service_healthy
|
|
148
|
+
environment:
|
|
149
|
+
POSTGRES_HOST: db
|
|
150
|
+
POSTGRES_PORT: 5432
|
|
151
|
+
POSTGRES_DB: ${POSTGRES_DB:-postgres}
|
|
152
|
+
POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
|
|
153
|
+
volumes:
|
|
154
|
+
- ./supabase/migrations:/migrations:ro
|
|
155
|
+
- ./docker/migrate/run-migrations.sh:/run-migrations.sh:ro
|
|
156
|
+
entrypoint: ['sh', '/run-migrations.sh']
|
|
157
|
+
|
|
158
|
+
nextblock-cms:
|
|
159
|
+
build:
|
|
160
|
+
context: .
|
|
161
|
+
dockerfile: Dockerfile
|
|
162
|
+
args:
|
|
163
|
+
NEXT_PUBLIC_SUPABASE_URL: ${NEXT_PUBLIC_SUPABASE_URL:-http://localhost:8000}
|
|
164
|
+
NEXT_PUBLIC_SUPABASE_ANON_KEY: ${ANON_KEY}
|
|
165
|
+
NEXT_PUBLIC_URL: ${NEXT_PUBLIC_URL:-http://localhost:3000}
|
|
166
|
+
NEXT_PUBLIC_R2_PUBLIC_URL: ${NEXT_PUBLIC_R2_PUBLIC_URL}
|
|
167
|
+
NEXT_PUBLIC_R2_BASE_URL: ${NEXT_PUBLIC_R2_BASE_URL}
|
|
168
|
+
NEXT_PUBLIC_TURNSTILE_SITE_KEY: ${NEXT_PUBLIC_TURNSTILE_SITE_KEY:-}
|
|
169
|
+
NEXT_PUBLIC_IS_SANDBOX: ${NEXT_PUBLIC_IS_SANDBOX:-true}
|
|
170
|
+
restart: unless-stopped
|
|
171
|
+
depends_on:
|
|
172
|
+
migrate:
|
|
173
|
+
condition: service_completed_successfully
|
|
174
|
+
kong:
|
|
175
|
+
condition: service_started
|
|
176
|
+
minio-init:
|
|
177
|
+
condition: service_completed_successfully
|
|
178
|
+
environment:
|
|
179
|
+
NODE_ENV: production
|
|
180
|
+
PORT: 3000
|
|
181
|
+
HOSTNAME: 0.0.0.0
|
|
182
|
+
NEXT_PUBLIC_SUPABASE_URL: ${NEXT_PUBLIC_SUPABASE_URL:-http://localhost:8000}
|
|
183
|
+
SUPABASE_INTERNAL_URL: ${SUPABASE_INTERNAL_URL:-http://kong:8000}
|
|
184
|
+
NEXT_PUBLIC_SUPABASE_ANON_KEY: ${ANON_KEY}
|
|
185
|
+
SUPABASE_SERVICE_ROLE_KEY: ${SERVICE_ROLE_KEY}
|
|
186
|
+
NEXT_PUBLIC_URL: ${NEXT_PUBLIC_URL:-http://localhost:3000}
|
|
187
|
+
NEXT_PUBLIC_IS_SANDBOX: ${NEXT_PUBLIC_IS_SANDBOX:-true}
|
|
188
|
+
CRON_SECRET: ${CRON_SECRET}
|
|
189
|
+
DRAFT_MODE_SECRET: ${DRAFT_MODE_SECRET}
|
|
190
|
+
REVALIDATE_SECRET_TOKEN: ${REVALIDATE_SECRET_TOKEN}
|
|
191
|
+
CORTEX_AI_ENCRYPTION_KEY: ${CORTEX_AI_ENCRYPTION_KEY:-}
|
|
192
|
+
R2_ACCOUNT_ID: ${R2_ACCOUNT_ID:-minio}
|
|
193
|
+
R2_BUCKET_NAME: ${STORAGE_BUCKET:-nextblock}
|
|
194
|
+
R2_ACCESS_KEY_ID: ${MINIO_ROOT_USER}
|
|
195
|
+
R2_SECRET_ACCESS_KEY: ${MINIO_ROOT_PASSWORD}
|
|
196
|
+
R2_REGION: ${R2_REGION:-us-east-1}
|
|
197
|
+
R2_S3_ENDPOINT: ${R2_S3_ENDPOINT:-http://minio:9000}
|
|
198
|
+
R2_S3_PUBLIC_ENDPOINT: ${R2_S3_PUBLIC_ENDPOINT:-http://localhost:9000}
|
|
199
|
+
R2_FORCE_PATH_STYLE: 'true'
|
|
200
|
+
NEXT_PUBLIC_R2_PUBLIC_URL: ${NEXT_PUBLIC_R2_PUBLIC_URL}
|
|
201
|
+
NEXT_PUBLIC_R2_BASE_URL: ${NEXT_PUBLIC_R2_BASE_URL}
|
|
202
|
+
SMTP_HOST: ${SMTP_HOST:-}
|
|
203
|
+
SMTP_PORT: ${SMTP_PORT:-}
|
|
204
|
+
SMTP_USER: ${SMTP_USER:-}
|
|
205
|
+
SMTP_PASS: ${SMTP_PASS:-}
|
|
206
|
+
SMTP_FROM_EMAIL: ${SMTP_FROM_EMAIL:-}
|
|
207
|
+
SMTP_FROM_NAME: ${SMTP_FROM_NAME:-}
|
|
208
|
+
TURNSTILE_SECRET_KEY: ${TURNSTILE_SECRET_KEY:-}
|
|
209
|
+
NEXT_PUBLIC_TURNSTILE_SITE_KEY: ${NEXT_PUBLIC_TURNSTILE_SITE_KEY:-}
|
|
210
|
+
ports:
|
|
211
|
+
- '${APP_PORT:-3000}:3000'
|
|
212
|
+
|
|
213
|
+
volumes:
|
|
214
|
+
nextblock_db_store:
|
|
215
|
+
nextblock_media:
|
|
@@ -0,0 +1,227 @@
|
|
|
1
|
+
#!/usr/bin/env node
|
|
2
|
+
// Zero-dependency Docker setup for a standalone NextBlock project. Runs via `npm run docker:setup`
|
|
3
|
+
// (and is invoked automatically when you pick Docker mode in `npm create nextblock`). Uses only
|
|
4
|
+
// Node built-ins so it works before any host `npm install`.
|
|
5
|
+
//
|
|
6
|
+
// Self-hosted Supabase (GoTrue + PostgREST) validates REAL HS256 JWTs, so we generate a JWT
|
|
7
|
+
// secret and derive properly-signed anon/service_role keys from it — a random string is not a
|
|
8
|
+
// usable key. Then it writes .env and boots the stack via docker compose.
|
|
9
|
+
|
|
10
|
+
import { randomBytes, createHmac } from 'node:crypto';
|
|
11
|
+
import { readFile, writeFile, access } from 'node:fs/promises';
|
|
12
|
+
import { resolve, dirname } from 'node:path';
|
|
13
|
+
import { fileURLToPath } from 'node:url';
|
|
14
|
+
import { spawn, spawnSync } from 'node:child_process';
|
|
15
|
+
import { createInterface } from 'node:readline/promises';
|
|
16
|
+
import { stdin as input, stdout as output } from 'node:process';
|
|
17
|
+
|
|
18
|
+
const __dirname = dirname(fileURLToPath(import.meta.url));
|
|
19
|
+
const PROJECT_ROOT = resolve(__dirname, '..');
|
|
20
|
+
const ENV_PATH = resolve(PROJECT_ROOT, '.env');
|
|
21
|
+
|
|
22
|
+
const TURNSTILE_TEST_SITE_KEY = '1x00000000000000000000AA';
|
|
23
|
+
const TURNSTILE_TEST_SECRET_KEY = '1x0000000000000000000000000000000AA';
|
|
24
|
+
|
|
25
|
+
const generateSecret = () => randomBytes(32).toString('hex');
|
|
26
|
+
const base64url = (value) =>
|
|
27
|
+
Buffer.from(value).toString('base64').replace(/=/g, '').replace(/\+/g, '-').replace(/\//g, '_');
|
|
28
|
+
|
|
29
|
+
function signJwtHS256(payload, secret) {
|
|
30
|
+
const header = base64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
|
|
31
|
+
const body = base64url(JSON.stringify(payload));
|
|
32
|
+
const data = `${header}.${body}`;
|
|
33
|
+
return `${data}.${base64url(createHmac('sha256', secret).update(data).digest())}`;
|
|
34
|
+
}
|
|
35
|
+
|
|
36
|
+
function generateSupabaseKeys() {
|
|
37
|
+
const jwtSecret = generateSecret();
|
|
38
|
+
const iat = Math.floor(Date.now() / 1000);
|
|
39
|
+
const exp = iat + 60 * 60 * 24 * 365 * 10;
|
|
40
|
+
return {
|
|
41
|
+
jwtSecret,
|
|
42
|
+
anonKey: signJwtHS256({ role: 'anon', iss: 'supabase', iat, exp }, jwtSecret),
|
|
43
|
+
serviceRoleKey: signJwtHS256({ role: 'service_role', iss: 'supabase', iat, exp }, jwtSecret),
|
|
44
|
+
};
|
|
45
|
+
}
|
|
46
|
+
|
|
47
|
+
function readEnvValue(content, key) {
|
|
48
|
+
for (const line of content.split(/\r?\n/)) {
|
|
49
|
+
if (line.startsWith(`${key}=`)) {
|
|
50
|
+
return line.slice(key.length + 1).trim().replace(/^"(.*)"$/, '$1');
|
|
51
|
+
}
|
|
52
|
+
}
|
|
53
|
+
return '';
|
|
54
|
+
}
|
|
55
|
+
|
|
56
|
+
function upsertEnv(content, replacements) {
|
|
57
|
+
const applied = new Set();
|
|
58
|
+
const lines = content.split(/\r?\n/).map((line) => {
|
|
59
|
+
for (const [key, value] of Object.entries(replacements)) {
|
|
60
|
+
if (line.startsWith(`${key}=`)) {
|
|
61
|
+
applied.add(key);
|
|
62
|
+
return value;
|
|
63
|
+
}
|
|
64
|
+
}
|
|
65
|
+
return line;
|
|
66
|
+
});
|
|
67
|
+
for (const [key, value] of Object.entries(replacements)) {
|
|
68
|
+
if (!applied.has(key)) lines.push(value);
|
|
69
|
+
}
|
|
70
|
+
return lines.join('\n');
|
|
71
|
+
}
|
|
72
|
+
|
|
73
|
+
const pathExists = async (p) => {
|
|
74
|
+
try {
|
|
75
|
+
await access(p);
|
|
76
|
+
return true;
|
|
77
|
+
} catch {
|
|
78
|
+
return false;
|
|
79
|
+
}
|
|
80
|
+
};
|
|
81
|
+
|
|
82
|
+
const commandWorks = (cmd, args) => spawnSync(cmd, args, { stdio: 'ignore' }).status === 0;
|
|
83
|
+
|
|
84
|
+
function detectCompose() {
|
|
85
|
+
if (commandWorks('docker', ['compose', 'version'])) return { cmd: 'docker', args: ['compose'] };
|
|
86
|
+
if (commandWorks('docker-compose', ['version'])) return { cmd: 'docker-compose', args: [] };
|
|
87
|
+
return null;
|
|
88
|
+
}
|
|
89
|
+
|
|
90
|
+
const run = (cmd, args, opts = {}) =>
|
|
91
|
+
new Promise((res, rej) => {
|
|
92
|
+
const child = spawn(cmd, args, {
|
|
93
|
+
stdio: 'inherit',
|
|
94
|
+
shell: process.platform === 'win32',
|
|
95
|
+
...opts,
|
|
96
|
+
});
|
|
97
|
+
child.on('error', rej);
|
|
98
|
+
child.on('close', (code) => (code === 0 ? res() : rej(new Error(`${cmd} exited with ${code}`))));
|
|
99
|
+
});
|
|
100
|
+
|
|
101
|
+
async function main() {
|
|
102
|
+
console.log('🐳 NextBlock — Local Self-Hosted Docker Setup\n');
|
|
103
|
+
|
|
104
|
+
if (!commandWorks('docker', ['info'])) {
|
|
105
|
+
console.error('✗ Docker is not installed or not running. Start Docker Desktop, then re-run `npm run docker:setup`.');
|
|
106
|
+
process.exit(1);
|
|
107
|
+
}
|
|
108
|
+
const compose = detectCompose();
|
|
109
|
+
if (!compose) {
|
|
110
|
+
console.error('✗ Docker Compose not found. Update Docker Desktop or install the Compose plugin.');
|
|
111
|
+
process.exit(1);
|
|
112
|
+
}
|
|
113
|
+
|
|
114
|
+
const rl = createInterface({ input, output });
|
|
115
|
+
const ask = async (q, def = '') => (await rl.question(q)).trim() || def;
|
|
116
|
+
|
|
117
|
+
console.log('Optional integrations (press Enter to skip):');
|
|
118
|
+
let turnstileSiteKey = await ask(' Cloudflare Turnstile Site Key (Enter = sandbox test keys): ');
|
|
119
|
+
let turnstileSecretKey = '';
|
|
120
|
+
if (turnstileSiteKey) {
|
|
121
|
+
turnstileSecretKey = await ask(' Cloudflare Turnstile Secret Key: ');
|
|
122
|
+
} else {
|
|
123
|
+
turnstileSiteKey = TURNSTILE_TEST_SITE_KEY;
|
|
124
|
+
turnstileSecretKey = TURNSTILE_TEST_SECRET_KEY;
|
|
125
|
+
console.log(' → Using Cloudflare Turnstile test keys (always pass).');
|
|
126
|
+
}
|
|
127
|
+
|
|
128
|
+
const smtp = { host: await ask(' SMTP Host (Enter = no email, auto-confirm sign-ups): '), port: '', user: '', pass: '', fromEmail: '', fromName: '' };
|
|
129
|
+
let mailerAutoconfirm = 'true';
|
|
130
|
+
if (smtp.host) {
|
|
131
|
+
smtp.port = await ask(' SMTP Port (465 = SSL, 587 = STARTTLS): ', '587');
|
|
132
|
+
smtp.user = await ask(' SMTP User: ');
|
|
133
|
+
smtp.pass = await ask(' SMTP Password: ');
|
|
134
|
+
smtp.fromEmail = await ask(' From Email: ');
|
|
135
|
+
smtp.fromName = await ask(' From Name: ', 'NextBlock');
|
|
136
|
+
mailerAutoconfirm = 'false';
|
|
137
|
+
} else {
|
|
138
|
+
console.log(' → No SMTP: new accounts auto-confirm so your first admin can sign in immediately.');
|
|
139
|
+
}
|
|
140
|
+
rl.close();
|
|
141
|
+
|
|
142
|
+
let existing = '';
|
|
143
|
+
if (await pathExists(ENV_PATH)) {
|
|
144
|
+
existing = await readFile(ENV_PATH, 'utf8');
|
|
145
|
+
console.log('\n✓ Found existing .env — reusing previously generated secrets where present.');
|
|
146
|
+
}
|
|
147
|
+
const reuse = (key, gen) => readEnvValue(existing, key) || gen();
|
|
148
|
+
|
|
149
|
+
const postgresPassword = reuse('POSTGRES_PASSWORD', generateSecret);
|
|
150
|
+
let jwtSecret = readEnvValue(existing, 'JWT_SECRET');
|
|
151
|
+
let anonKey = readEnvValue(existing, 'ANON_KEY');
|
|
152
|
+
let serviceRoleKey = readEnvValue(existing, 'SERVICE_ROLE_KEY');
|
|
153
|
+
if (!jwtSecret || !anonKey || !serviceRoleKey) {
|
|
154
|
+
({ jwtSecret, anonKey, serviceRoleKey } = generateSupabaseKeys());
|
|
155
|
+
}
|
|
156
|
+
const cronSecret = reuse('CRON_SECRET', generateSecret);
|
|
157
|
+
const draftSecret = reuse('DRAFT_MODE_SECRET', generateSecret);
|
|
158
|
+
const revalidateSecret = reuse('REVALIDATE_SECRET_TOKEN', generateSecret);
|
|
159
|
+
const minioUser = readEnvValue(existing, 'MINIO_ROOT_USER') || 'nextblock';
|
|
160
|
+
const minioPassword = reuse('MINIO_ROOT_PASSWORD', generateSecret);
|
|
161
|
+
const bucket = readEnvValue(existing, 'STORAGE_BUCKET') || 'nextblock';
|
|
162
|
+
|
|
163
|
+
const replacements = {
|
|
164
|
+
POSTGRES_PASSWORD: `POSTGRES_PASSWORD=${postgresPassword}`,
|
|
165
|
+
POSTGRES_DB: 'POSTGRES_DB=postgres',
|
|
166
|
+
JWT_SECRET: `JWT_SECRET=${jwtSecret}`,
|
|
167
|
+
JWT_EXP: 'JWT_EXP=3600',
|
|
168
|
+
ANON_KEY: `ANON_KEY=${anonKey}`,
|
|
169
|
+
SERVICE_ROLE_KEY: `SERVICE_ROLE_KEY=${serviceRoleKey}`,
|
|
170
|
+
NEXT_PUBLIC_SUPABASE_URL: 'NEXT_PUBLIC_SUPABASE_URL=http://localhost:8000',
|
|
171
|
+
SUPABASE_INTERNAL_URL: 'SUPABASE_INTERNAL_URL=http://kong:8000',
|
|
172
|
+
NEXT_PUBLIC_SUPABASE_ANON_KEY: `NEXT_PUBLIC_SUPABASE_ANON_KEY=${anonKey}`,
|
|
173
|
+
SUPABASE_SERVICE_ROLE_KEY: `SUPABASE_SERVICE_ROLE_KEY=${serviceRoleKey}`,
|
|
174
|
+
API_EXTERNAL_URL: 'API_EXTERNAL_URL=http://localhost:8000',
|
|
175
|
+
SITE_URL: 'SITE_URL=http://localhost:3000',
|
|
176
|
+
NEXT_PUBLIC_URL: 'NEXT_PUBLIC_URL=http://localhost:3000',
|
|
177
|
+
NEXT_PUBLIC_IS_SANDBOX: 'NEXT_PUBLIC_IS_SANDBOX=true',
|
|
178
|
+
CRON_SECRET: `CRON_SECRET=${cronSecret}`,
|
|
179
|
+
DRAFT_MODE_SECRET: `DRAFT_MODE_SECRET=${draftSecret}`,
|
|
180
|
+
REVALIDATE_SECRET_TOKEN: `REVALIDATE_SECRET_TOKEN=${revalidateSecret}`,
|
|
181
|
+
MINIO_ROOT_USER: `MINIO_ROOT_USER=${minioUser}`,
|
|
182
|
+
MINIO_ROOT_PASSWORD: `MINIO_ROOT_PASSWORD=${minioPassword}`,
|
|
183
|
+
STORAGE_BUCKET: `STORAGE_BUCKET=${bucket}`,
|
|
184
|
+
R2_ACCOUNT_ID: 'R2_ACCOUNT_ID=minio',
|
|
185
|
+
R2_REGION: 'R2_REGION=us-east-1',
|
|
186
|
+
R2_S3_ENDPOINT: 'R2_S3_ENDPOINT=http://minio:9000',
|
|
187
|
+
R2_S3_PUBLIC_ENDPOINT: 'R2_S3_PUBLIC_ENDPOINT=http://localhost:9000',
|
|
188
|
+
R2_FORCE_PATH_STYLE: 'R2_FORCE_PATH_STYLE=true',
|
|
189
|
+
NEXT_PUBLIC_R2_BASE_URL: `NEXT_PUBLIC_R2_BASE_URL=http://localhost:9000/${bucket}`,
|
|
190
|
+
NEXT_PUBLIC_R2_PUBLIC_URL: `NEXT_PUBLIC_R2_PUBLIC_URL=http://localhost:9000/${bucket}`,
|
|
191
|
+
NEXT_PUBLIC_TURNSTILE_SITE_KEY: `NEXT_PUBLIC_TURNSTILE_SITE_KEY=${turnstileSiteKey}`,
|
|
192
|
+
TURNSTILE_SECRET_KEY: `TURNSTILE_SECRET_KEY=${turnstileSecretKey}`,
|
|
193
|
+
GOTRUE_MAILER_AUTOCONFIRM: `GOTRUE_MAILER_AUTOCONFIRM=${mailerAutoconfirm}`,
|
|
194
|
+
SMTP_HOST: `SMTP_HOST=${smtp.host}`,
|
|
195
|
+
SMTP_PORT: `SMTP_PORT=${smtp.port}`,
|
|
196
|
+
SMTP_USER: `SMTP_USER=${smtp.user}`,
|
|
197
|
+
SMTP_PASS: `SMTP_PASS=${smtp.pass}`,
|
|
198
|
+
SMTP_FROM_EMAIL: `SMTP_FROM_EMAIL=${smtp.fromEmail}`,
|
|
199
|
+
SMTP_FROM_NAME: `SMTP_FROM_NAME=${smtp.fromName}`,
|
|
200
|
+
};
|
|
201
|
+
|
|
202
|
+
const seed = existing || '# Generated by `npm run docker:setup` — local self-hosted secrets. Do not commit.\n';
|
|
203
|
+
let nextEnv = upsertEnv(seed, replacements);
|
|
204
|
+
if (!nextEnv.endsWith('\n')) nextEnv += '\n';
|
|
205
|
+
await writeFile(ENV_PATH, nextEnv, 'utf8');
|
|
206
|
+
console.log('✓ Wrote .env (Postgres, JWT secret + signed anon/service keys, MinIO, app secrets).\n');
|
|
207
|
+
|
|
208
|
+
console.log('Building and starting the stack (first run pulls images + builds the app — a few minutes)...');
|
|
209
|
+
await run(compose.cmd, [...compose.args, 'up', '-d', '--build'], { cwd: PROJECT_ROOT });
|
|
210
|
+
|
|
211
|
+
console.log('\n🎉 Stack is up!');
|
|
212
|
+
console.log(' 1. Open the app: http://localhost:3000');
|
|
213
|
+
console.log(' 2. Create account: http://localhost:3000/sign-up (first sign-up becomes ADMIN)');
|
|
214
|
+
console.log(
|
|
215
|
+
mailerAutoconfirm === 'true'
|
|
216
|
+
? ' No SMTP → your account is auto-confirmed; just sign in.'
|
|
217
|
+
: ' Click the confirmation link emailed by your SMTP provider.',
|
|
218
|
+
);
|
|
219
|
+
console.log(' 3. Supabase API: http://localhost:8000 MinIO console: http://localhost:9001');
|
|
220
|
+
const composeStr = `${compose.cmd} ${compose.args.join(' ')}`.trim();
|
|
221
|
+
console.log(`\n Logs: ${composeStr} logs -f nextblock-cms | Stop: ${composeStr} down (add -v to wipe data)`);
|
|
222
|
+
}
|
|
223
|
+
|
|
224
|
+
main().catch((err) => {
|
|
225
|
+
console.error(err);
|
|
226
|
+
process.exit(1);
|
|
227
|
+
});
|
package/package.json
CHANGED
package/scripts/sync-template.js
CHANGED
|
@@ -13,6 +13,9 @@ const TARGET_DIR = resolve(PROJECT_ROOT, 'templates/nextblock-template');
|
|
|
13
13
|
const REPO_ROOT = resolve(PROJECT_ROOT, '..', '..');
|
|
14
14
|
const ROOT_DOCS_DIR = resolve(REPO_ROOT, 'docs');
|
|
15
15
|
const ROOT_PACKAGE_JSON = resolve(REPO_ROOT, 'package.json');
|
|
16
|
+
// Hand-maintained standalone Docker assets (Dockerfile, docker-compose.yml, docker/**, the
|
|
17
|
+
// zero-dep scripts/docker-setup.mjs) that ship into every generated project for Docker mode.
|
|
18
|
+
const DOCKER_TEMPLATE_DIR = resolve(PROJECT_ROOT, 'docker-template');
|
|
16
19
|
const UI_GLOBALS_SOURCE = resolve(
|
|
17
20
|
PROJECT_ROOT,
|
|
18
21
|
'../../libs/ui/src/styles/globals.css',
|
|
@@ -96,6 +99,7 @@ async function ensureTemplateSync() {
|
|
|
96
99
|
await ensureUiProxies();
|
|
97
100
|
await removeBackups();
|
|
98
101
|
await syncPackageVersions();
|
|
102
|
+
await ensureDockerAssets();
|
|
99
103
|
await removeTemplateProjectJson();
|
|
100
104
|
|
|
101
105
|
console.log(chalk.green('Template sync complete.'));
|
|
@@ -335,6 +339,31 @@ async function removeTemplateProjectJson() {
|
|
|
335
339
|
await fs.remove(projectJsonPath).catch(() => undefined);
|
|
336
340
|
}
|
|
337
341
|
|
|
342
|
+
// Copy the standalone Docker assets into the template and register the docker:* npm scripts so a
|
|
343
|
+
// generated project can run `npm run docker:setup` for the one-click local self-hosted sandbox.
|
|
344
|
+
async function ensureDockerAssets() {
|
|
345
|
+
if (!(await fs.pathExists(DOCKER_TEMPLATE_DIR))) {
|
|
346
|
+
return;
|
|
347
|
+
}
|
|
348
|
+
|
|
349
|
+
console.log(chalk.blue('Adding Docker self-hosted assets to the template'));
|
|
350
|
+
await fs.copy(DOCKER_TEMPLATE_DIR, TARGET_DIR, {
|
|
351
|
+
overwrite: true,
|
|
352
|
+
dereference: true,
|
|
353
|
+
});
|
|
354
|
+
|
|
355
|
+
const pkgPath = resolve(TARGET_DIR, 'package.json');
|
|
356
|
+
if (await fs.pathExists(pkgPath)) {
|
|
357
|
+
const pkg = await fs.readJson(pkgPath);
|
|
358
|
+
pkg.scripts = pkg.scripts || {};
|
|
359
|
+
pkg.scripts['docker:setup'] = 'node scripts/docker-setup.mjs';
|
|
360
|
+
pkg.scripts['docker:up'] = 'docker compose up -d --build';
|
|
361
|
+
pkg.scripts['docker:down'] = 'docker compose down';
|
|
362
|
+
pkg.scripts['docker:logs'] = 'docker compose logs -f nextblock-cms';
|
|
363
|
+
await fs.writeJson(pkgPath, pkg, { spaces: 2 });
|
|
364
|
+
}
|
|
365
|
+
}
|
|
366
|
+
|
|
338
367
|
async function syncPackageVersions() {
|
|
339
368
|
const targetPackageJsonPath = resolve(TARGET_DIR, 'package.json');
|
|
340
369
|
const sourcePackageJsonPath = resolve(SOURCE_DIR, 'package.json');
|
|
@@ -0,0 +1,23 @@
|
|
|
1
|
+
# Keep the build context lean; deps are reinstalled in the image and secrets stay out.
|
|
2
|
+
node_modules
|
|
3
|
+
.git
|
|
4
|
+
.github
|
|
5
|
+
.next
|
|
6
|
+
out
|
|
7
|
+
dist
|
|
8
|
+
coverage
|
|
9
|
+
tmp
|
|
10
|
+
backup
|
|
11
|
+
backups
|
|
12
|
+
*.log
|
|
13
|
+
npm-debug.log*
|
|
14
|
+
|
|
15
|
+
# Secrets never enter the image (NEXT_PUBLIC_* arrive as build args).
|
|
16
|
+
.env
|
|
17
|
+
.env.*
|
|
18
|
+
!.env.docker.example
|
|
19
|
+
|
|
20
|
+
# Not needed inside the app image (mounted/used by other compose services instead).
|
|
21
|
+
docker
|
|
22
|
+
supabase/.branches
|
|
23
|
+
supabase/.temp
|
|
@@ -0,0 +1,68 @@
|
|
|
1
|
+
# syntax=docker/dockerfile:1.7
|
|
2
|
+
#
|
|
3
|
+
# Production image for a standalone NextBlock CMS project (single Next.js app, not a monorepo).
|
|
4
|
+
# Built with Next.js standalone output, gated on DOCKER_BUILD so a normal `npm run build` / a
|
|
5
|
+
# Vercel deploy is unaffected. Driven by docker-compose.yml (`npm run docker:setup`).
|
|
6
|
+
|
|
7
|
+
###############################################################################
|
|
8
|
+
# Stage 1 — deps
|
|
9
|
+
###############################################################################
|
|
10
|
+
FROM node:22-alpine AS deps
|
|
11
|
+
WORKDIR /app
|
|
12
|
+
RUN apk add --no-cache libc6-compat
|
|
13
|
+
COPY package.json ./
|
|
14
|
+
RUN npm install --no-audit --no-fund
|
|
15
|
+
|
|
16
|
+
###############################################################################
|
|
17
|
+
# Stage 2 — builder (Next.js standalone output)
|
|
18
|
+
###############################################################################
|
|
19
|
+
FROM node:22-alpine AS builder
|
|
20
|
+
WORKDIR /app
|
|
21
|
+
RUN apk add --no-cache libc6-compat
|
|
22
|
+
ENV NEXT_TELEMETRY_DISABLED=1 \
|
|
23
|
+
CI=true \
|
|
24
|
+
DOCKER_BUILD=true \
|
|
25
|
+
NODE_ENV=production
|
|
26
|
+
COPY --from=deps /app/node_modules ./node_modules
|
|
27
|
+
COPY . .
|
|
28
|
+
|
|
29
|
+
# NEXT_PUBLIC_* values are inlined into the browser bundle at build time. Server-only secrets are
|
|
30
|
+
# NOT baked in — they arrive at runtime from docker-compose.yml.
|
|
31
|
+
ARG NEXT_PUBLIC_SUPABASE_URL
|
|
32
|
+
ARG NEXT_PUBLIC_SUPABASE_ANON_KEY
|
|
33
|
+
ARG NEXT_PUBLIC_URL
|
|
34
|
+
ARG NEXT_PUBLIC_R2_PUBLIC_URL
|
|
35
|
+
ARG NEXT_PUBLIC_R2_BASE_URL
|
|
36
|
+
ARG NEXT_PUBLIC_TURNSTILE_SITE_KEY
|
|
37
|
+
ARG NEXT_PUBLIC_IS_SANDBOX
|
|
38
|
+
ENV NEXT_PUBLIC_SUPABASE_URL=$NEXT_PUBLIC_SUPABASE_URL \
|
|
39
|
+
NEXT_PUBLIC_SUPABASE_ANON_KEY=$NEXT_PUBLIC_SUPABASE_ANON_KEY \
|
|
40
|
+
NEXT_PUBLIC_URL=$NEXT_PUBLIC_URL \
|
|
41
|
+
NEXT_PUBLIC_R2_PUBLIC_URL=$NEXT_PUBLIC_R2_PUBLIC_URL \
|
|
42
|
+
NEXT_PUBLIC_R2_BASE_URL=$NEXT_PUBLIC_R2_BASE_URL \
|
|
43
|
+
NEXT_PUBLIC_TURNSTILE_SITE_KEY=$NEXT_PUBLIC_TURNSTILE_SITE_KEY \
|
|
44
|
+
NEXT_PUBLIC_IS_SANDBOX=$NEXT_PUBLIC_IS_SANDBOX
|
|
45
|
+
|
|
46
|
+
RUN npm run build
|
|
47
|
+
|
|
48
|
+
###############################################################################
|
|
49
|
+
# Stage 3 — runner (hardened, non-root)
|
|
50
|
+
###############################################################################
|
|
51
|
+
FROM node:22-alpine AS runner
|
|
52
|
+
WORKDIR /app
|
|
53
|
+
RUN apk add --no-cache libc6-compat \
|
|
54
|
+
&& addgroup -g 1001 -S nodejs \
|
|
55
|
+
&& adduser -u 1001 -S nextjs -G nodejs
|
|
56
|
+
ENV NODE_ENV=production \
|
|
57
|
+
NEXT_TELEMETRY_DISABLED=1 \
|
|
58
|
+
PORT=3000 \
|
|
59
|
+
HOSTNAME=0.0.0.0
|
|
60
|
+
|
|
61
|
+
# A single-app project traces to its own root, so server.js sits at the top of .next/standalone.
|
|
62
|
+
COPY --from=builder --chown=nextjs:nodejs /app/.next/standalone ./
|
|
63
|
+
COPY --from=builder --chown=nextjs:nodejs /app/.next/static ./.next/static
|
|
64
|
+
COPY --from=builder --chown=nextjs:nodejs /app/public ./public
|
|
65
|
+
|
|
66
|
+
USER nextjs
|
|
67
|
+
EXPOSE 3000
|
|
68
|
+
CMD ["node", "server.js"]
|
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
// app/api/upload/presigned-url/route.ts
|
|
2
2
|
import { NextRequest, NextResponse } from "next/server";
|
|
3
|
-
import { createClient } from "@nextblock-cms/db/server"; // Server client for auth
|
|
4
|
-
import {
|
|
3
|
+
import { createClient } from "@nextblock-cms/db/server"; // Server client for auth
|
|
4
|
+
import { getS3PresignClient } from "@nextblock-cms/utils/server";
|
|
5
5
|
import { PutObjectCommand } from "@aws-sdk/client-s3";
|
|
6
6
|
import { getSignedUrl } from "@aws-sdk/s3-request-presigner";
|
|
7
7
|
|
|
@@ -32,13 +32,13 @@ export async function POST(request: NextRequest) {
|
|
|
32
32
|
}
|
|
33
33
|
|
|
34
34
|
try {
|
|
35
|
-
const s3Client = await
|
|
36
|
-
if (!s3Client) {
|
|
37
|
-
console.error('R2 client is not configured. Check your R2 environment variables.');
|
|
38
|
-
return NextResponse.json({ error: 'File uploads are not configured on this server.' }, { status: 500 });
|
|
39
|
-
}
|
|
40
|
-
|
|
41
|
-
const { filename, contentType, size, folder: rawFolder } = await request.json();
|
|
35
|
+
const s3Client = await getS3PresignClient();
|
|
36
|
+
if (!s3Client) {
|
|
37
|
+
console.error('R2 client is not configured. Check your R2 environment variables.');
|
|
38
|
+
return NextResponse.json({ error: 'File uploads are not configured on this server.' }, { status: 500 });
|
|
39
|
+
}
|
|
40
|
+
|
|
41
|
+
const { filename, contentType, size, folder: rawFolder } = await request.json();
|
|
42
42
|
|
|
43
43
|
if (!filename || !contentType || !size) {
|
|
44
44
|
return NextResponse.json({ error: "Missing filename, contentType, or size" }, { status: 400 });
|
|
@@ -0,0 +1,6 @@
|
|
|
1
|
+
-- Expose the JWT secret to Postgres as a database GUC, matching Supabase's setup. Runs once.
|
|
2
|
+
\set jwt_secret `echo "$JWT_SECRET"`
|
|
3
|
+
\set jwt_exp `echo "$JWT_EXP"`
|
|
4
|
+
|
|
5
|
+
alter database postgres set "app.settings.jwt_secret" to :'jwt_secret';
|
|
6
|
+
alter database postgres set "app.settings.jwt_exp" to :'jwt_exp';
|
|
@@ -0,0 +1,25 @@
|
|
|
1
|
+
-- Self-hosted Supabase role passwords. The supabase/postgres image creates the platform roles;
|
|
2
|
+
-- GoTrue logs in as supabase_auth_admin and PostgREST as authenticator. Give the roles that exist
|
|
3
|
+
-- the generated POSTGRES_PASSWORD (the set varies by image tag, so each is guarded; the password
|
|
4
|
+
-- is passed via a session GUC because psql variables aren't interpolated inside a dollar block).
|
|
5
|
+
-- Runs once on first init.
|
|
6
|
+
\set pgpass `echo "$POSTGRES_PASSWORD"`
|
|
7
|
+
select set_config('nextblock.pgpass', :'pgpass', false);
|
|
8
|
+
|
|
9
|
+
do $$
|
|
10
|
+
declare
|
|
11
|
+
role_name text;
|
|
12
|
+
begin
|
|
13
|
+
foreach role_name in array array[
|
|
14
|
+
'authenticator',
|
|
15
|
+
'pgbouncer',
|
|
16
|
+
'supabase_auth_admin',
|
|
17
|
+
'supabase_storage_admin',
|
|
18
|
+
'supabase_functions_admin',
|
|
19
|
+
'supabase_read_only_user'
|
|
20
|
+
] loop
|
|
21
|
+
if exists (select 1 from pg_roles where rolname = role_name) then
|
|
22
|
+
execute format('alter role %I with password %L', role_name, current_setting('nextblock.pgpass'));
|
|
23
|
+
end if;
|
|
24
|
+
end loop;
|
|
25
|
+
end $$;
|