create-nextblock 0.8.11 → 0.9.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (54) hide show
  1. package/bin/create-nextblock.js +101 -35
  2. package/docker-template/.dockerignore +23 -0
  3. package/docker-template/.env.docker.example +56 -0
  4. package/docker-template/Dockerfile +85 -0
  5. package/docker-template/docker/db/init/99-jwt.sql +6 -0
  6. package/docker-template/docker/db/init/99-roles.sql +25 -0
  7. package/docker-template/docker/kong/kong.yml +112 -0
  8. package/docker-template/docker/migrate/run-migrations.sh +51 -0
  9. package/docker-template/docker-compose.yml +219 -0
  10. package/docker-template/scripts/docker-setup.mjs +242 -0
  11. package/package.json +1 -1
  12. package/scripts/sync-template.js +29 -0
  13. package/templates/nextblock-template/.dockerignore +23 -0
  14. package/templates/nextblock-template/Dockerfile +85 -0
  15. package/templates/nextblock-template/app/[slug]/page.tsx +5 -0
  16. package/templates/nextblock-template/app/actions.ts +58 -8
  17. package/templates/nextblock-template/app/api/cron/reset-sandbox/sandboxResetSql.ts +83 -0
  18. package/templates/nextblock-template/app/api/upload/presigned-url/route.ts +9 -9
  19. package/templates/nextblock-template/app/article/[slug]/page.tsx +5 -0
  20. package/templates/nextblock-template/app/cms/settings/security/actions.ts +30 -0
  21. package/templates/nextblock-template/app/cms/settings/security/components/SecurityPanel.tsx +69 -0
  22. package/templates/nextblock-template/app/layout.tsx +57 -3
  23. package/templates/nextblock-template/app/lib/site-settings.ts +22 -7
  24. package/templates/nextblock-template/app/page.tsx +6 -0
  25. package/templates/nextblock-template/app/product/[slug]/page.tsx +5 -0
  26. package/templates/nextblock-template/app/setup/SetupWizard.tsx +771 -0
  27. package/templates/nextblock-template/app/setup/layout.tsx +13 -0
  28. package/templates/nextblock-template/app/setup/page.tsx +103 -0
  29. package/templates/nextblock-template/components/AppShell.tsx +12 -0
  30. package/templates/nextblock-template/components/header-auth.tsx +24 -62
  31. package/templates/nextblock-template/docker/db/init/99-jwt.sql +6 -0
  32. package/templates/nextblock-template/docker/db/init/99-roles.sql +25 -0
  33. package/templates/nextblock-template/docker/kong/kong.yml +112 -0
  34. package/templates/nextblock-template/docker/migrate/run-migrations.sh +51 -0
  35. package/templates/nextblock-template/docker-compose.yml +219 -0
  36. package/templates/nextblock-template/docs/11-SELF-HOSTED-DOCKER.md +173 -0
  37. package/templates/nextblock-template/docs/12-VERCEL-DEPLOYMENT.md +67 -0
  38. package/templates/nextblock-template/docs/README.md +2 -0
  39. package/templates/nextblock-template/lib/blocks/FeaturedProductBlock.tsx +1 -1
  40. package/templates/nextblock-template/lib/blocks/ProductGridBlock.tsx +1 -1
  41. package/templates/nextblock-template/lib/custom-block-r2-upload.test.ts +5 -5
  42. package/templates/nextblock-template/lib/custom-block-r2-upload.ts +2 -2
  43. package/templates/nextblock-template/lib/setup/actions.ts +370 -0
  44. package/templates/nextblock-template/lib/setup/env-status.ts +86 -0
  45. package/templates/nextblock-template/lib/setup/env-write.ts +111 -0
  46. package/templates/nextblock-template/lib/setup/provisioning.ts +59 -0
  47. package/templates/nextblock-template/lib/setup/schema-apply.ts +379 -0
  48. package/templates/nextblock-template/lib/setup/system-config.ts +105 -0
  49. package/templates/nextblock-template/lib/setup/types.ts +18 -0
  50. package/templates/nextblock-template/next.config.js +9 -0
  51. package/templates/nextblock-template/package.json +6 -2
  52. package/templates/nextblock-template/proxy.ts +143 -49
  53. package/templates/nextblock-template/scripts/docker-setup.mjs +242 -0
  54. package/templates/nextblock-template/tsconfig.tsbuildinfo +1 -1
@@ -0,0 +1,219 @@
1
+ # Self-hosted NextBlock CMS stack for a standalone project. Generated/driven by
2
+ # `npm run docker:setup`, which writes the .env this file reads. Mirrors the production Supabase
3
+ # topology: Postgres + GoTrue + PostgREST behind a Kong gateway, plus MinIO for S3 media.
4
+ name: nextblock
5
+
6
+ services:
7
+ db:
8
+ image: ${SUPABASE_DB_IMAGE:-supabase/postgres:15.8.1.085}
9
+ restart: unless-stopped
10
+ environment:
11
+ POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
12
+ POSTGRES_DB: ${POSTGRES_DB:-postgres}
13
+ JWT_SECRET: ${JWT_SECRET}
14
+ JWT_EXP: ${JWT_EXP:-3600}
15
+ volumes:
16
+ - nextblock_db_store:/var/lib/postgresql/data
17
+ - ./docker/db/init/99-roles.sql:/docker-entrypoint-initdb.d/init-scripts/99-roles.sql:ro
18
+ - ./docker/db/init/99-jwt.sql:/docker-entrypoint-initdb.d/init-scripts/99-jwt.sql:ro
19
+ healthcheck:
20
+ test: ['CMD', 'pg_isready', '-U', 'postgres', '-h', 'localhost']
21
+ interval: 5s
22
+ timeout: 5s
23
+ retries: 12
24
+ # supabase/postgres runs a heavy first-init; give it time before counting health failures.
25
+ start_period: 60s
26
+ ports:
27
+ - '${POSTGRES_PORT_EXTERNAL:-54322}:5432'
28
+
29
+ auth:
30
+ image: ${SUPABASE_GOTRUE_IMAGE:-supabase/gotrue:v2.189.0}
31
+ restart: unless-stopped
32
+ depends_on:
33
+ db:
34
+ condition: service_healthy
35
+ environment:
36
+ GOTRUE_API_HOST: 0.0.0.0
37
+ GOTRUE_API_PORT: 9999
38
+ API_EXTERNAL_URL: ${API_EXTERNAL_URL:-http://localhost:8000}
39
+ GOTRUE_DB_DRIVER: postgres
40
+ GOTRUE_DB_DATABASE_URL: postgres://supabase_auth_admin:${POSTGRES_PASSWORD}@db:5432/${POSTGRES_DB:-postgres}
41
+ GOTRUE_SITE_URL: ${SITE_URL:-http://localhost:3000}
42
+ GOTRUE_URI_ALLOW_LIST: '*'
43
+ GOTRUE_DISABLE_SIGNUP: 'false'
44
+ GOTRUE_JWT_ADMIN_ROLES: service_role
45
+ GOTRUE_JWT_AUD: authenticated
46
+ GOTRUE_JWT_DEFAULT_GROUP_NAME: authenticated
47
+ GOTRUE_JWT_EXP: ${JWT_EXP:-3600}
48
+ GOTRUE_JWT_SECRET: ${JWT_SECRET}
49
+ GOTRUE_JWT_ISSUER: ${API_EXTERNAL_URL:-http://localhost:8000}/auth/v1
50
+ GOTRUE_EXTERNAL_EMAIL_ENABLED: 'true'
51
+ GOTRUE_MAILER_AUTOCONFIRM: ${GOTRUE_MAILER_AUTOCONFIRM:-true}
52
+ GOTRUE_SMTP_ADMIN_EMAIL: ${SMTP_FROM_EMAIL:-admin@example.com}
53
+ GOTRUE_SMTP_HOST: ${SMTP_HOST:-}
54
+ # Must be a valid integer even when SMTP is skipped (GoTrue parses it as int and crashes on
55
+ # ''). With no host + autoconfirm on, no mail is sent, so the value is otherwise inert.
56
+ GOTRUE_SMTP_PORT: ${SMTP_PORT:-2500}
57
+ GOTRUE_SMTP_USER: ${SMTP_USER:-}
58
+ GOTRUE_SMTP_PASS: ${SMTP_PASS:-}
59
+ GOTRUE_SMTP_SENDER_NAME: ${SMTP_FROM_NAME:-NextBlock}
60
+ GOTRUE_MAILER_URLPATHS_CONFIRMATION: /auth/v1/verify
61
+ GOTRUE_MAILER_URLPATHS_RECOVERY: /auth/v1/verify
62
+ GOTRUE_MAILER_URLPATHS_INVITE: /auth/v1/verify
63
+ GOTRUE_MAILER_URLPATHS_EMAIL_CHANGE: /auth/v1/verify
64
+ healthcheck:
65
+ test: ['CMD', 'wget', '--no-verbose', '--tries=1', '--spider', 'http://localhost:9999/health']
66
+ interval: 5s
67
+ timeout: 5s
68
+ retries: 15
69
+
70
+ rest:
71
+ image: ${SUPABASE_POSTGREST_IMAGE:-postgrest/postgrest:v12.2.12}
72
+ restart: unless-stopped
73
+ depends_on:
74
+ db:
75
+ condition: service_healthy
76
+ environment:
77
+ PGRST_DB_URI: postgres://authenticator:${POSTGRES_PASSWORD}@db:5432/${POSTGRES_DB:-postgres}
78
+ PGRST_DB_SCHEMAS: public,graphql_public
79
+ PGRST_DB_ANON_ROLE: anon
80
+ PGRST_JWT_SECRET: ${JWT_SECRET}
81
+ PGRST_DB_USE_LEGACY_GUCS: 'false'
82
+ PGRST_APP_SETTINGS_JWT_SECRET: ${JWT_SECRET}
83
+ PGRST_APP_SETTINGS_JWT_EXP: ${JWT_EXP:-3600}
84
+ PGRST_DB_EXTRA_SEARCH_PATH: public,extensions
85
+
86
+ kong:
87
+ image: ${SUPABASE_KONG_IMAGE:-kong:2.8.1}
88
+ restart: unless-stopped
89
+ depends_on:
90
+ auth:
91
+ condition: service_started
92
+ rest:
93
+ condition: service_started
94
+ environment:
95
+ KONG_DATABASE: 'off'
96
+ KONG_DECLARATIVE_CONFIG: /home/kong/kong.yml
97
+ KONG_DNS_ORDER: LAST,A,CNAME
98
+ KONG_PLUGINS: request-transformer,cors,key-auth,acl
99
+ KONG_NGINX_PROXY_PROXY_BUFFER_SIZE: 160k
100
+ KONG_NGINX_PROXY_PROXY_BUFFERS: 64 160k
101
+ # localhost cookies aren't port-scoped, so the app's Supabase auth cookies are also sent to
102
+ # Kong on every supabase-js request — give nginx room so they don't 431.
103
+ KONG_NGINX_HTTP_LARGE_CLIENT_HEADER_BUFFERS: 8 32k
104
+ SUPABASE_ANON_KEY: ${ANON_KEY}
105
+ SUPABASE_SERVICE_KEY: ${SERVICE_ROLE_KEY}
106
+ volumes:
107
+ - ./docker/kong/kong.yml:/home/kong/temp.yml:ro
108
+ entrypoint: bash -c 'eval "echo \"$$(cat ~/temp.yml)\"" > ~/kong.yml && /docker-entrypoint.sh kong docker-start'
109
+ ports:
110
+ - '${KONG_HTTP_PORT:-8000}:8000'
111
+
112
+ minio:
113
+ image: ${MINIO_IMAGE:-minio/minio:latest}
114
+ restart: unless-stopped
115
+ command: server /data --console-address ":9001"
116
+ environment:
117
+ MINIO_ROOT_USER: ${MINIO_ROOT_USER}
118
+ MINIO_ROOT_PASSWORD: ${MINIO_ROOT_PASSWORD}
119
+ volumes:
120
+ - nextblock_media:/data
121
+ ports:
122
+ - '${MINIO_S3_PORT:-9000}:9000'
123
+ - '${MINIO_CONSOLE_PORT:-9001}:9001'
124
+
125
+ minio-init:
126
+ image: ${MINIO_MC_IMAGE:-minio/mc:latest}
127
+ restart: 'no'
128
+ depends_on:
129
+ minio:
130
+ condition: service_started
131
+ environment:
132
+ MINIO_ROOT_USER: ${MINIO_ROOT_USER}
133
+ MINIO_ROOT_PASSWORD: ${MINIO_ROOT_PASSWORD}
134
+ STORAGE_BUCKET: ${STORAGE_BUCKET:-nextblock}
135
+ entrypoint: >
136
+ /bin/sh -c "
137
+ until mc alias set local http://minio:9000 $$MINIO_ROOT_USER $$MINIO_ROOT_PASSWORD; do echo 'waiting for minio...'; sleep 2; done &&
138
+ mc mb --ignore-existing local/$$STORAGE_BUCKET &&
139
+ mc anonymous set download local/$$STORAGE_BUCKET &&
140
+ echo 'minio bucket ready'
141
+ "
142
+
143
+ migrate:
144
+ image: ${MIGRATE_IMAGE:-postgres:15-alpine}
145
+ restart: 'no'
146
+ depends_on:
147
+ db:
148
+ condition: service_healthy
149
+ auth:
150
+ condition: service_healthy
151
+ environment:
152
+ POSTGRES_HOST: db
153
+ POSTGRES_PORT: 5432
154
+ POSTGRES_DB: ${POSTGRES_DB:-postgres}
155
+ POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
156
+ volumes:
157
+ - ./supabase/migrations:/migrations:ro
158
+ - ./docker/migrate/run-migrations.sh:/run-migrations.sh:ro
159
+ entrypoint: ['sh', '/run-migrations.sh']
160
+
161
+ nextblock-cms:
162
+ build:
163
+ context: .
164
+ dockerfile: Dockerfile
165
+ args:
166
+ NEXT_PUBLIC_SUPABASE_URL: ${NEXT_PUBLIC_SUPABASE_URL:-http://localhost:8000}
167
+ NEXT_PUBLIC_SUPABASE_ANON_KEY: ${ANON_KEY}
168
+ NEXT_PUBLIC_URL: ${NEXT_PUBLIC_URL:-http://localhost:3000}
169
+ NEXT_PUBLIC_R2_PUBLIC_URL: ${NEXT_PUBLIC_R2_PUBLIC_URL}
170
+ NEXT_PUBLIC_R2_BASE_URL: ${NEXT_PUBLIC_R2_BASE_URL}
171
+ NEXT_PUBLIC_TURNSTILE_SITE_KEY: ${NEXT_PUBLIC_TURNSTILE_SITE_KEY:-}
172
+ NEXT_PUBLIC_IS_SANDBOX: ${NEXT_PUBLIC_IS_SANDBOX:-true}
173
+ restart: unless-stopped
174
+ depends_on:
175
+ migrate:
176
+ condition: service_completed_successfully
177
+ kong:
178
+ condition: service_started
179
+ minio-init:
180
+ condition: service_completed_successfully
181
+ environment:
182
+ NODE_ENV: production
183
+ PORT: 3000
184
+ HOSTNAME: 0.0.0.0
185
+ # Browser AND server both use localhost:8000; the in-container loopback proxy (see Dockerfile)
186
+ # forwards it to Kong, keeping the host-derived Supabase auth cookie key consistent for SSR.
187
+ NEXT_PUBLIC_SUPABASE_URL: ${NEXT_PUBLIC_SUPABASE_URL:-http://localhost:8000}
188
+ NEXT_PUBLIC_SUPABASE_ANON_KEY: ${ANON_KEY}
189
+ SUPABASE_SERVICE_ROLE_KEY: ${SERVICE_ROLE_KEY}
190
+ NEXT_PUBLIC_URL: ${NEXT_PUBLIC_URL:-http://localhost:3000}
191
+ NEXT_PUBLIC_IS_SANDBOX: ${NEXT_PUBLIC_IS_SANDBOX:-true}
192
+ CRON_SECRET: ${CRON_SECRET}
193
+ DRAFT_MODE_SECRET: ${DRAFT_MODE_SECRET}
194
+ REVALIDATE_SECRET_TOKEN: ${REVALIDATE_SECRET_TOKEN}
195
+ CORTEX_AI_ENCRYPTION_KEY: ${CORTEX_AI_ENCRYPTION_KEY:-}
196
+ R2_ACCOUNT_ID: ${R2_ACCOUNT_ID:-minio}
197
+ R2_BUCKET_NAME: ${STORAGE_BUCKET:-nextblock}
198
+ R2_ACCESS_KEY_ID: ${MINIO_ROOT_USER}
199
+ R2_SECRET_ACCESS_KEY: ${MINIO_ROOT_PASSWORD}
200
+ R2_REGION: ${R2_REGION:-us-east-1}
201
+ R2_S3_ENDPOINT: ${R2_S3_ENDPOINT:-http://minio:9000}
202
+ R2_S3_PUBLIC_ENDPOINT: ${R2_S3_PUBLIC_ENDPOINT:-http://localhost:9000}
203
+ R2_FORCE_PATH_STYLE: 'true'
204
+ NEXT_PUBLIC_R2_PUBLIC_URL: ${NEXT_PUBLIC_R2_PUBLIC_URL}
205
+ NEXT_PUBLIC_R2_BASE_URL: ${NEXT_PUBLIC_R2_BASE_URL}
206
+ SMTP_HOST: ${SMTP_HOST:-}
207
+ SMTP_PORT: ${SMTP_PORT:-}
208
+ SMTP_USER: ${SMTP_USER:-}
209
+ SMTP_PASS: ${SMTP_PASS:-}
210
+ SMTP_FROM_EMAIL: ${SMTP_FROM_EMAIL:-}
211
+ SMTP_FROM_NAME: ${SMTP_FROM_NAME:-}
212
+ TURNSTILE_SECRET_KEY: ${TURNSTILE_SECRET_KEY:-}
213
+ NEXT_PUBLIC_TURNSTILE_SITE_KEY: ${NEXT_PUBLIC_TURNSTILE_SITE_KEY:-}
214
+ ports:
215
+ - '${APP_PORT:-3000}:3000'
216
+
217
+ volumes:
218
+ nextblock_db_store:
219
+ nextblock_media:
@@ -0,0 +1,242 @@
1
+ #!/usr/bin/env node
2
+ // Zero-dependency Docker setup for a standalone NextBlock project. Runs via `npm run docker:setup`
3
+ // (and is invoked automatically when you pick Docker mode in `npm create nextblock`). Uses only
4
+ // Node built-ins so it works before any host `npm install`.
5
+ //
6
+ // Self-hosted Supabase (GoTrue + PostgREST) validates REAL HS256 JWTs, so we generate a JWT
7
+ // secret and derive properly-signed anon/service_role keys from it — a random string is not a
8
+ // usable key. Then it writes .env and boots the stack via docker compose.
9
+
10
+ import { randomBytes, createHmac } from 'node:crypto';
11
+ import { readFile, writeFile, access } from 'node:fs/promises';
12
+ import { resolve, dirname } from 'node:path';
13
+ import { fileURLToPath } from 'node:url';
14
+ import { spawn, spawnSync } from 'node:child_process';
15
+ import { createInterface } from 'node:readline/promises';
16
+ import { stdin as input, stdout as output } from 'node:process';
17
+
18
+ const __dirname = dirname(fileURLToPath(import.meta.url));
19
+ const PROJECT_ROOT = resolve(__dirname, '..');
20
+ const ENV_PATH = resolve(PROJECT_ROOT, '.env');
21
+
22
+ const TURNSTILE_TEST_SITE_KEY = '1x00000000000000000000AA';
23
+ const TURNSTILE_TEST_SECRET_KEY = '1x0000000000000000000000000000000AA';
24
+
25
+ const generateSecret = () => randomBytes(32).toString('hex');
26
+ const base64url = (value) =>
27
+ Buffer.from(value).toString('base64').replace(/=/g, '').replace(/\+/g, '-').replace(/\//g, '_');
28
+
29
+ function signJwtHS256(payload, secret) {
30
+ const header = base64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
31
+ const body = base64url(JSON.stringify(payload));
32
+ const data = `${header}.${body}`;
33
+ return `${data}.${base64url(createHmac('sha256', secret).update(data).digest())}`;
34
+ }
35
+
36
+ function generateSupabaseKeys() {
37
+ const jwtSecret = generateSecret();
38
+ const iat = Math.floor(Date.now() / 1000);
39
+ const exp = iat + 60 * 60 * 24 * 365 * 10;
40
+ return {
41
+ jwtSecret,
42
+ anonKey: signJwtHS256({ role: 'anon', iss: 'supabase', iat, exp }, jwtSecret),
43
+ serviceRoleKey: signJwtHS256({ role: 'service_role', iss: 'supabase', iat, exp }, jwtSecret),
44
+ };
45
+ }
46
+
47
+ function readEnvValue(content, key) {
48
+ for (const line of content.split(/\r?\n/)) {
49
+ if (line.startsWith(`${key}=`)) {
50
+ return line.slice(key.length + 1).trim().replace(/^"(.*)"$/, '$1');
51
+ }
52
+ }
53
+ return '';
54
+ }
55
+
56
+ function upsertEnv(content, replacements) {
57
+ const applied = new Set();
58
+ const lines = content.split(/\r?\n/).map((line) => {
59
+ for (const [key, value] of Object.entries(replacements)) {
60
+ if (line.startsWith(`${key}=`)) {
61
+ applied.add(key);
62
+ return value;
63
+ }
64
+ }
65
+ return line;
66
+ });
67
+ for (const [key, value] of Object.entries(replacements)) {
68
+ if (!applied.has(key)) lines.push(value);
69
+ }
70
+ return lines.join('\n');
71
+ }
72
+
73
+ const pathExists = async (p) => {
74
+ try {
75
+ await access(p);
76
+ return true;
77
+ } catch {
78
+ return false;
79
+ }
80
+ };
81
+
82
+ const commandWorks = (cmd, args) => spawnSync(cmd, args, { stdio: 'ignore' }).status === 0;
83
+
84
+ function detectCompose() {
85
+ if (commandWorks('docker', ['compose', 'version'])) return { cmd: 'docker', args: ['compose'] };
86
+ if (commandWorks('docker-compose', ['version'])) return { cmd: 'docker-compose', args: [] };
87
+ return null;
88
+ }
89
+
90
+ const run = (cmd, args, opts = {}) =>
91
+ new Promise((res, rej) => {
92
+ const child = spawn(cmd, args, {
93
+ stdio: 'inherit',
94
+ shell: process.platform === 'win32',
95
+ ...opts,
96
+ });
97
+ child.on('error', rej);
98
+ child.on('close', (code) => (code === 0 ? res() : rej(new Error(`${cmd} exited with ${code}`))));
99
+ });
100
+
101
+ async function main() {
102
+ console.log('🐳 NextBlock — Local Self-Hosted Docker Setup\n');
103
+
104
+ if (!commandWorks('docker', ['info'])) {
105
+ console.error('✗ Docker is not installed or not running. Start Docker Desktop, then re-run `npm run docker:setup`.');
106
+ process.exit(1);
107
+ }
108
+ const compose = detectCompose();
109
+ if (!compose) {
110
+ console.error('✗ Docker Compose not found. Update Docker Desktop or install the Compose plugin.');
111
+ process.exit(1);
112
+ }
113
+
114
+ const rl = createInterface({ input, output });
115
+ const ask = async (q, def = '') => (await rl.question(q)).trim() || def;
116
+
117
+ console.log('Optional integrations (press Enter to skip):');
118
+ let turnstileSiteKey = await ask(' Cloudflare Turnstile Site Key (Enter = sandbox test keys): ');
119
+ let turnstileSecretKey = '';
120
+ if (turnstileSiteKey) {
121
+ turnstileSecretKey = await ask(' Cloudflare Turnstile Secret Key: ');
122
+ } else {
123
+ turnstileSiteKey = TURNSTILE_TEST_SITE_KEY;
124
+ turnstileSecretKey = TURNSTILE_TEST_SECRET_KEY;
125
+ console.log(' → Using Cloudflare Turnstile test keys (always pass).');
126
+ }
127
+
128
+ const smtp = { host: await ask(' SMTP Host (Enter = no email, auto-confirm sign-ups): '), port: '', user: '', pass: '', fromEmail: '', fromName: '' };
129
+ let mailerAutoconfirm = 'true';
130
+ if (smtp.host) {
131
+ smtp.port = await ask(' SMTP Port (465 = SSL, 587 = STARTTLS): ', '587');
132
+ smtp.user = await ask(' SMTP User: ');
133
+ smtp.pass = await ask(' SMTP Password: ');
134
+ smtp.fromEmail = await ask(' From Email: ');
135
+ smtp.fromName = await ask(' From Name: ', 'NextBlock');
136
+ mailerAutoconfirm = 'false';
137
+ } else {
138
+ console.log(' → No SMTP: new accounts auto-confirm so your first admin can sign in immediately.');
139
+ }
140
+ rl.close();
141
+
142
+ let existing = '';
143
+ if (await pathExists(ENV_PATH)) {
144
+ existing = await readFile(ENV_PATH, 'utf8');
145
+ console.log('\n✓ Found existing .env — reusing previously generated secrets where present.');
146
+ }
147
+ const reuse = (key, gen) => readEnvValue(existing, key) || gen();
148
+
149
+ const postgresPassword = reuse('POSTGRES_PASSWORD', generateSecret);
150
+ let jwtSecret = readEnvValue(existing, 'JWT_SECRET');
151
+ let anonKey = readEnvValue(existing, 'ANON_KEY');
152
+ let serviceRoleKey = readEnvValue(existing, 'SERVICE_ROLE_KEY');
153
+ if (!jwtSecret || !anonKey || !serviceRoleKey) {
154
+ ({ jwtSecret, anonKey, serviceRoleKey } = generateSupabaseKeys());
155
+ }
156
+ const cronSecret = reuse('CRON_SECRET', generateSecret);
157
+ const draftSecret = reuse('DRAFT_MODE_SECRET', generateSecret);
158
+ const revalidateSecret = reuse('REVALIDATE_SECRET_TOKEN', generateSecret);
159
+ const minioUser = readEnvValue(existing, 'MINIO_ROOT_USER') || 'nextblock';
160
+ const minioPassword = reuse('MINIO_ROOT_PASSWORD', generateSecret);
161
+ const bucket = readEnvValue(existing, 'STORAGE_BUCKET') || 'nextblock';
162
+
163
+ const replacements = {
164
+ POSTGRES_PASSWORD: `POSTGRES_PASSWORD=${postgresPassword}`,
165
+ POSTGRES_DB: 'POSTGRES_DB=postgres',
166
+ JWT_SECRET: `JWT_SECRET=${jwtSecret}`,
167
+ JWT_EXP: 'JWT_EXP=3600',
168
+ ANON_KEY: `ANON_KEY=${anonKey}`,
169
+ SERVICE_ROLE_KEY: `SERVICE_ROLE_KEY=${serviceRoleKey}`,
170
+ NEXT_PUBLIC_SUPABASE_URL: 'NEXT_PUBLIC_SUPABASE_URL=http://localhost:8000',
171
+ NEXT_PUBLIC_SUPABASE_ANON_KEY: `NEXT_PUBLIC_SUPABASE_ANON_KEY=${anonKey}`,
172
+ SUPABASE_SERVICE_ROLE_KEY: `SUPABASE_SERVICE_ROLE_KEY=${serviceRoleKey}`,
173
+ API_EXTERNAL_URL: 'API_EXTERNAL_URL=http://localhost:8000',
174
+ SITE_URL: 'SITE_URL=http://localhost:3000',
175
+ NEXT_PUBLIC_URL: 'NEXT_PUBLIC_URL=http://localhost:3000',
176
+ NEXT_PUBLIC_IS_SANDBOX: 'NEXT_PUBLIC_IS_SANDBOX=true',
177
+ CRON_SECRET: `CRON_SECRET=${cronSecret}`,
178
+ DRAFT_MODE_SECRET: `DRAFT_MODE_SECRET=${draftSecret}`,
179
+ REVALIDATE_SECRET_TOKEN: `REVALIDATE_SECRET_TOKEN=${revalidateSecret}`,
180
+ MINIO_ROOT_USER: `MINIO_ROOT_USER=${minioUser}`,
181
+ MINIO_ROOT_PASSWORD: `MINIO_ROOT_PASSWORD=${minioPassword}`,
182
+ STORAGE_BUCKET: `STORAGE_BUCKET=${bucket}`,
183
+ R2_ACCOUNT_ID: 'R2_ACCOUNT_ID=minio',
184
+ R2_REGION: 'R2_REGION=us-east-1',
185
+ R2_S3_ENDPOINT: 'R2_S3_ENDPOINT=http://minio:9000',
186
+ // Storage URLs use 127.0.0.1 (NOT localhost) on purpose: on localhost, cookies aren't
187
+ // port-scoped, so the browser would send the app's Supabase auth cookies to MinIO too — and
188
+ // MinIO rejects oversized header sets (MetadataTooLarge), breaking image display once cookies
189
+ // grow. 127.0.0.1 is a different cookie host, so the browser never sends them there.
190
+ R2_S3_PUBLIC_ENDPOINT: 'R2_S3_PUBLIC_ENDPOINT=http://127.0.0.1:9000',
191
+ R2_FORCE_PATH_STYLE: 'R2_FORCE_PATH_STYLE=true',
192
+ NEXT_PUBLIC_R2_BASE_URL: `NEXT_PUBLIC_R2_BASE_URL=http://127.0.0.1:9000/${bucket}`,
193
+ NEXT_PUBLIC_R2_PUBLIC_URL: `NEXT_PUBLIC_R2_PUBLIC_URL=http://127.0.0.1:9000/${bucket}`,
194
+ NEXT_PUBLIC_TURNSTILE_SITE_KEY: `NEXT_PUBLIC_TURNSTILE_SITE_KEY=${turnstileSiteKey}`,
195
+ TURNSTILE_SECRET_KEY: `TURNSTILE_SECRET_KEY=${turnstileSecretKey}`,
196
+ GOTRUE_MAILER_AUTOCONFIRM: `GOTRUE_MAILER_AUTOCONFIRM=${mailerAutoconfirm}`,
197
+ SMTP_HOST: `SMTP_HOST=${smtp.host}`,
198
+ SMTP_PORT: `SMTP_PORT=${smtp.port}`,
199
+ SMTP_USER: `SMTP_USER=${smtp.user}`,
200
+ SMTP_PASS: `SMTP_PASS=${smtp.pass}`,
201
+ SMTP_FROM_EMAIL: `SMTP_FROM_EMAIL=${smtp.fromEmail}`,
202
+ SMTP_FROM_NAME: `SMTP_FROM_NAME=${smtp.fromName}`,
203
+ };
204
+
205
+ const seed = existing || '# Generated by `npm run docker:setup` — local self-hosted secrets. Do not commit.\n';
206
+ let nextEnv = upsertEnv(seed, replacements);
207
+ if (!nextEnv.endsWith('\n')) nextEnv += '\n';
208
+ await writeFile(ENV_PATH, nextEnv, 'utf8');
209
+ console.log('✓ Wrote .env (Postgres, JWT secret + signed anon/service keys, MinIO, app secrets).\n');
210
+
211
+ // A brand-new .env means brand-new secrets. Postgres only runs its init scripts (which set role
212
+ // passwords) on an EMPTY volume, so a leftover volume from a previous install would keep the old
213
+ // credentials and GoTrue/PostgREST could not log in. Reset volumes when the config is fresh.
214
+ if (!existing) {
215
+ console.log('Fresh configuration — clearing any previous local sandbox volume so the database matches the new credentials...');
216
+ try {
217
+ await run(compose.cmd, [...compose.args, 'down', '-v'], { cwd: PROJECT_ROOT });
218
+ } catch {
219
+ /* nothing to tear down */
220
+ }
221
+ }
222
+
223
+ console.log('Building and starting the stack (first run pulls images + builds the app — a few minutes)...');
224
+ await run(compose.cmd, [...compose.args, 'up', '-d', '--build'], { cwd: PROJECT_ROOT });
225
+
226
+ console.log('\n🎉 Stack is up!');
227
+ console.log(' 1. Open the app: http://localhost:3000');
228
+ console.log(' 2. Create account: http://localhost:3000/sign-up (first sign-up becomes ADMIN)');
229
+ console.log(
230
+ mailerAutoconfirm === 'true'
231
+ ? ' No SMTP → your account is auto-confirmed; just sign in.'
232
+ : ' Click the confirmation link emailed by your SMTP provider.',
233
+ );
234
+ console.log(' 3. Supabase API: http://localhost:8000 MinIO console: http://localhost:9001');
235
+ const composeStr = `${compose.cmd} ${compose.args.join(' ')}`.trim();
236
+ console.log(`\n Logs: ${composeStr} logs -f nextblock-cms | Stop: ${composeStr} down (add -v to wipe data)`);
237
+ }
238
+
239
+ main().catch((err) => {
240
+ console.error(err);
241
+ process.exit(1);
242
+ });
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "create-nextblock",
3
- "version": "0.8.11",
3
+ "version": "0.9.5",
4
4
  "description": "",
5
5
  "main": "index.js",
6
6
  "bin": {
@@ -13,6 +13,9 @@ const TARGET_DIR = resolve(PROJECT_ROOT, 'templates/nextblock-template');
13
13
  const REPO_ROOT = resolve(PROJECT_ROOT, '..', '..');
14
14
  const ROOT_DOCS_DIR = resolve(REPO_ROOT, 'docs');
15
15
  const ROOT_PACKAGE_JSON = resolve(REPO_ROOT, 'package.json');
16
+ // Hand-maintained standalone Docker assets (Dockerfile, docker-compose.yml, docker/**, the
17
+ // zero-dep scripts/docker-setup.mjs) that ship into every generated project for Docker mode.
18
+ const DOCKER_TEMPLATE_DIR = resolve(PROJECT_ROOT, 'docker-template');
16
19
  const UI_GLOBALS_SOURCE = resolve(
17
20
  PROJECT_ROOT,
18
21
  '../../libs/ui/src/styles/globals.css',
@@ -96,6 +99,7 @@ async function ensureTemplateSync() {
96
99
  await ensureUiProxies();
97
100
  await removeBackups();
98
101
  await syncPackageVersions();
102
+ await ensureDockerAssets();
99
103
  await removeTemplateProjectJson();
100
104
 
101
105
  console.log(chalk.green('Template sync complete.'));
@@ -335,6 +339,31 @@ async function removeTemplateProjectJson() {
335
339
  await fs.remove(projectJsonPath).catch(() => undefined);
336
340
  }
337
341
 
342
+ // Copy the standalone Docker assets into the template and register the docker:* npm scripts so a
343
+ // generated project can run `npm run docker:setup` for the one-click local self-hosted sandbox.
344
+ async function ensureDockerAssets() {
345
+ if (!(await fs.pathExists(DOCKER_TEMPLATE_DIR))) {
346
+ return;
347
+ }
348
+
349
+ console.log(chalk.blue('Adding Docker self-hosted assets to the template'));
350
+ await fs.copy(DOCKER_TEMPLATE_DIR, TARGET_DIR, {
351
+ overwrite: true,
352
+ dereference: true,
353
+ });
354
+
355
+ const pkgPath = resolve(TARGET_DIR, 'package.json');
356
+ if (await fs.pathExists(pkgPath)) {
357
+ const pkg = await fs.readJson(pkgPath);
358
+ pkg.scripts = pkg.scripts || {};
359
+ pkg.scripts['docker:setup'] = 'node scripts/docker-setup.mjs';
360
+ pkg.scripts['docker:up'] = 'docker compose up -d --build';
361
+ pkg.scripts['docker:down'] = 'docker compose down';
362
+ pkg.scripts['docker:logs'] = 'docker compose logs -f nextblock-cms';
363
+ await fs.writeJson(pkgPath, pkg, { spaces: 2 });
364
+ }
365
+ }
366
+
338
367
  async function syncPackageVersions() {
339
368
  const targetPackageJsonPath = resolve(TARGET_DIR, 'package.json');
340
369
  const sourcePackageJsonPath = resolve(SOURCE_DIR, 'package.json');
@@ -0,0 +1,23 @@
1
+ # Keep the build context lean; deps are reinstalled in the image and secrets stay out.
2
+ node_modules
3
+ .git
4
+ .github
5
+ .next
6
+ out
7
+ dist
8
+ coverage
9
+ tmp
10
+ backup
11
+ backups
12
+ *.log
13
+ npm-debug.log*
14
+
15
+ # Secrets never enter the image (NEXT_PUBLIC_* arrive as build args).
16
+ .env
17
+ .env.*
18
+ !.env.docker.example
19
+
20
+ # Not needed inside the app image (mounted/used by other compose services instead).
21
+ docker
22
+ supabase/.branches
23
+ supabase/.temp
@@ -0,0 +1,85 @@
1
+ # syntax=docker/dockerfile:1.7
2
+ #
3
+ # Production image for a standalone NextBlock CMS project (single Next.js app, not a monorepo).
4
+ # Built with Next.js standalone output, gated on DOCKER_BUILD so a normal `npm run build` / a
5
+ # Vercel deploy is unaffected. Driven by docker-compose.yml (`npm run docker:setup`).
6
+
7
+ ###############################################################################
8
+ # Stage 1 — deps
9
+ ###############################################################################
10
+ FROM node:22-alpine AS deps
11
+ WORKDIR /app
12
+ RUN apk add --no-cache libc6-compat
13
+ COPY package.json ./
14
+ RUN npm install --no-audit --no-fund
15
+
16
+ ###############################################################################
17
+ # Stage 2 — builder (Next.js standalone output)
18
+ ###############################################################################
19
+ FROM node:22-alpine AS builder
20
+ WORKDIR /app
21
+ RUN apk add --no-cache libc6-compat
22
+ ENV NEXT_TELEMETRY_DISABLED=1 \
23
+ CI=true \
24
+ DOCKER_BUILD=true \
25
+ NODE_ENV=production
26
+ COPY --from=deps /app/node_modules ./node_modules
27
+ COPY . .
28
+
29
+ # NEXT_PUBLIC_* values are inlined into the browser bundle at build time. Server-only secrets are
30
+ # NOT baked in — they arrive at runtime from docker-compose.yml.
31
+ ARG NEXT_PUBLIC_SUPABASE_URL
32
+ ARG NEXT_PUBLIC_SUPABASE_ANON_KEY
33
+ ARG NEXT_PUBLIC_URL
34
+ ARG NEXT_PUBLIC_R2_PUBLIC_URL
35
+ ARG NEXT_PUBLIC_R2_BASE_URL
36
+ ARG NEXT_PUBLIC_TURNSTILE_SITE_KEY
37
+ ARG NEXT_PUBLIC_IS_SANDBOX
38
+ ENV NEXT_PUBLIC_SUPABASE_URL=$NEXT_PUBLIC_SUPABASE_URL \
39
+ NEXT_PUBLIC_SUPABASE_ANON_KEY=$NEXT_PUBLIC_SUPABASE_ANON_KEY \
40
+ NEXT_PUBLIC_URL=$NEXT_PUBLIC_URL \
41
+ NEXT_PUBLIC_R2_PUBLIC_URL=$NEXT_PUBLIC_R2_PUBLIC_URL \
42
+ NEXT_PUBLIC_R2_BASE_URL=$NEXT_PUBLIC_R2_BASE_URL \
43
+ NEXT_PUBLIC_TURNSTILE_SITE_KEY=$NEXT_PUBLIC_TURNSTILE_SITE_KEY \
44
+ NEXT_PUBLIC_IS_SANDBOX=$NEXT_PUBLIC_IS_SANDBOX
45
+
46
+ RUN npm run build
47
+
48
+ ###############################################################################
49
+ # Stage 3 — runner (hardened, non-root)
50
+ ###############################################################################
51
+ FROM node:22-alpine AS runner
52
+ WORKDIR /app
53
+ RUN apk add --no-cache libc6-compat socat \
54
+ && addgroup -g 1001 -S nodejs \
55
+ && adduser -u 1001 -S nextjs -G nodejs
56
+ ENV NODE_ENV=production \
57
+ NEXT_TELEMETRY_DISABLED=1 \
58
+ PORT=3000 \
59
+ HOSTNAME=0.0.0.0 \
60
+ # ipv4first so localhost resolves to the socat IPv4 listener; the larger header limit absorbs
61
+ # Supabase auth cookies (on localhost they aren't port-scoped, so they pile onto every request).
62
+ NODE_OPTIONS="--dns-result-order=ipv4first --max-http-header-size=65536"
63
+
64
+ # A single-app project traces to its own root, so server.js sits at the top of .next/standalone.
65
+ COPY --from=builder --chown=nextjs:nodejs /app/.next/standalone ./
66
+ COPY --from=builder --chown=nextjs:nodejs /app/.next/static ./.next/static
67
+ COPY --from=builder --chown=nextjs:nodejs /app/public ./public
68
+
69
+ # Loopback proxy: the browser-facing localhost URLs (Supabase :8000, MinIO :9000) are inlined into
70
+ # the build, but server-side code + next/image run INSIDE this container. Forward those ports to the
71
+ # compose services so SSR + image optimization work, and so the Supabase auth cookie key (derived
72
+ # from the URL host) matches between browser and server. Override targets with LOOPBACK_PROXIES.
73
+ RUN printf '%s\n' \
74
+ '#!/bin/sh' \
75
+ 'set -e' \
76
+ ': "${LOOPBACK_PROXIES:=8000:kong:8000 9000:minio:9000}"' \
77
+ 'for p in $LOOPBACK_PROXIES; do' \
78
+ ' socat "TCP4-LISTEN:${p%%:*},fork,reuseaddr,bind=127.0.0.1" "TCP:${p#*:}" 2>/dev/null &' \
79
+ 'done' \
80
+ 'exec node "$(cat .server-entry 2>/dev/null || echo server.js)"' \
81
+ > /app/docker-entrypoint.sh && chmod +x /app/docker-entrypoint.sh
82
+
83
+ USER nextjs
84
+ EXPOSE 3000
85
+ ENTRYPOINT ["/app/docker-entrypoint.sh"]
@@ -38,6 +38,11 @@ interface PageTranslation {
38
38
  }
39
39
 
40
40
  export async function generateStaticParams(): Promise<ResolvedPageParams[]> {
41
+ // Unconfigured instance (pre-/setup): no DB to read slugs from.
42
+ if (!process.env.NEXT_PUBLIC_SUPABASE_URL || !process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY) {
43
+ return [];
44
+ }
45
+
41
46
  const supabase = getSsgSupabaseClient();
42
47
  const { data: pages, error } = await supabase
43
48
  .from("pages")