create-nextblock 0.8.11 → 0.9.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (54) hide show
  1. package/bin/create-nextblock.js +101 -35
  2. package/docker-template/.dockerignore +23 -0
  3. package/docker-template/.env.docker.example +56 -0
  4. package/docker-template/Dockerfile +85 -0
  5. package/docker-template/docker/db/init/99-jwt.sql +6 -0
  6. package/docker-template/docker/db/init/99-roles.sql +25 -0
  7. package/docker-template/docker/kong/kong.yml +112 -0
  8. package/docker-template/docker/migrate/run-migrations.sh +51 -0
  9. package/docker-template/docker-compose.yml +219 -0
  10. package/docker-template/scripts/docker-setup.mjs +242 -0
  11. package/package.json +1 -1
  12. package/scripts/sync-template.js +29 -0
  13. package/templates/nextblock-template/.dockerignore +23 -0
  14. package/templates/nextblock-template/Dockerfile +85 -0
  15. package/templates/nextblock-template/app/[slug]/page.tsx +5 -0
  16. package/templates/nextblock-template/app/actions.ts +58 -8
  17. package/templates/nextblock-template/app/api/cron/reset-sandbox/sandboxResetSql.ts +83 -0
  18. package/templates/nextblock-template/app/api/upload/presigned-url/route.ts +9 -9
  19. package/templates/nextblock-template/app/article/[slug]/page.tsx +5 -0
  20. package/templates/nextblock-template/app/cms/settings/security/actions.ts +30 -0
  21. package/templates/nextblock-template/app/cms/settings/security/components/SecurityPanel.tsx +69 -0
  22. package/templates/nextblock-template/app/layout.tsx +57 -3
  23. package/templates/nextblock-template/app/lib/site-settings.ts +22 -7
  24. package/templates/nextblock-template/app/page.tsx +6 -0
  25. package/templates/nextblock-template/app/product/[slug]/page.tsx +5 -0
  26. package/templates/nextblock-template/app/setup/SetupWizard.tsx +771 -0
  27. package/templates/nextblock-template/app/setup/layout.tsx +13 -0
  28. package/templates/nextblock-template/app/setup/page.tsx +103 -0
  29. package/templates/nextblock-template/components/AppShell.tsx +12 -0
  30. package/templates/nextblock-template/components/header-auth.tsx +24 -62
  31. package/templates/nextblock-template/docker/db/init/99-jwt.sql +6 -0
  32. package/templates/nextblock-template/docker/db/init/99-roles.sql +25 -0
  33. package/templates/nextblock-template/docker/kong/kong.yml +112 -0
  34. package/templates/nextblock-template/docker/migrate/run-migrations.sh +51 -0
  35. package/templates/nextblock-template/docker-compose.yml +219 -0
  36. package/templates/nextblock-template/docs/11-SELF-HOSTED-DOCKER.md +173 -0
  37. package/templates/nextblock-template/docs/12-VERCEL-DEPLOYMENT.md +67 -0
  38. package/templates/nextblock-template/docs/README.md +2 -0
  39. package/templates/nextblock-template/lib/blocks/FeaturedProductBlock.tsx +1 -1
  40. package/templates/nextblock-template/lib/blocks/ProductGridBlock.tsx +1 -1
  41. package/templates/nextblock-template/lib/custom-block-r2-upload.test.ts +5 -5
  42. package/templates/nextblock-template/lib/custom-block-r2-upload.ts +2 -2
  43. package/templates/nextblock-template/lib/setup/actions.ts +370 -0
  44. package/templates/nextblock-template/lib/setup/env-status.ts +86 -0
  45. package/templates/nextblock-template/lib/setup/env-write.ts +111 -0
  46. package/templates/nextblock-template/lib/setup/provisioning.ts +59 -0
  47. package/templates/nextblock-template/lib/setup/schema-apply.ts +379 -0
  48. package/templates/nextblock-template/lib/setup/system-config.ts +105 -0
  49. package/templates/nextblock-template/lib/setup/types.ts +18 -0
  50. package/templates/nextblock-template/next.config.js +9 -0
  51. package/templates/nextblock-template/package.json +6 -2
  52. package/templates/nextblock-template/proxy.ts +143 -49
  53. package/templates/nextblock-template/scripts/docker-setup.mjs +242 -0
  54. package/templates/nextblock-template/tsconfig.tsbuildinfo +1 -1
@@ -0,0 +1,173 @@
1
+ # 11 Self-Hosted Docker Mode
2
+
3
+ ## Purpose
4
+
5
+ NextBlock can run as a complete, fully local stack with one command — **no Supabase
6
+ Cloud, Vercel, Cloudflare R2, or SMTP account required**. It mirrors the production
7
+ topology (Next.js 16 app + Supabase API behind a gateway + S3 object storage) on your
8
+ own machine, so the **same application code runs locally and in the cloud with no
9
+ variations** — only environment values differ.
10
+
11
+ This is the "one-click local sandbox": pick Docker, and the installer drop-ships a
12
+ hardened multi-stage app image alongside the core Supabase engines, an automated
13
+ migration runner, and S3-compatible storage.
14
+
15
+ ## Choosing it
16
+
17
+ Both initializers offer the choice up front:
18
+
19
+ - **Monorepo / `git clone`:** `npm run setup` → select **"Local Self-Hosted Docker Mode"**
20
+ - **Standalone CLI:** `npm create nextblock` → the same selector
21
+ - **Direct:** `npm run docker:setup`
22
+
23
+ In every case the work is driven by a single root hook: **`npm run docker:setup`**.
24
+
25
+ ## Prerequisites
26
+
27
+ - **Docker Desktop** installed and running (<https://www.docker.com/products/docker-desktop>).
28
+ - That's it. No cloud accounts, keys, or manual migrations.
29
+
30
+ ## Quick start
31
+
32
+ ```bash
33
+ # Monorepo
34
+ git clone https://github.com/nextblock-cms/nextblock.git
35
+ cd nextblock
36
+ npm install
37
+ npm run docker:setup # or: npm run setup → pick Docker
38
+
39
+ # Standalone project
40
+ npm create nextblock # → pick "Local Self-Hosted Docker Mode"
41
+ ```
42
+
43
+ `docker:setup` then:
44
+
45
+ 1. Verifies Docker is installed and running.
46
+ 2. Asks **two optional questions** (Cloudflare Turnstile, SMTP) — both skippable with Enter.
47
+ 3. Generates a root `.env` with secure random secrets and **properly-signed Supabase
48
+ anon/service keys** (real HS256 JWTs derived from a generated `JWT_SECRET`).
49
+ 4. Builds the app image and boots the whole stack.
50
+
51
+ When it finishes:
52
+
53
+ | What | Where |
54
+ | :--- | :--- |
55
+ | App | <http://localhost:3000> |
56
+ | Sign up | <http://localhost:3000/sign-up> — the **first account becomes ADMIN** |
57
+ | Supabase API gateway | <http://localhost:8000> |
58
+ | MinIO console | <http://localhost:9001> |
59
+
60
+ With no SMTP configured, accounts are **auto-confirmed** and the first sign-up lands
61
+ straight in `/cms/dashboard` — no confirmation email step.
62
+
63
+ ## The two optional prompts
64
+
65
+ | Prompt | If you skip it |
66
+ | :--- | :--- |
67
+ | **Cloudflare Turnstile** site + secret key | Uses Cloudflare's official "always pass" test keys — forms work, with no real bot protection. |
68
+ | **SMTP** host (+ port / user / pass / from) | GoTrue **auto-confirms** sign-ups; no email is sent, and the first admin can sign in immediately. |
69
+
70
+ Provide real SMTP if you want actual confirmation emails — auto-confirm is then disabled,
71
+ exactly like the cloud flow.
72
+
73
+ ## What you get (the stack)
74
+
75
+ The root `docker-compose.yml` runs a trimmed, production-equivalent Supabase stack plus
76
+ the app. Every image tag is pinned and overridable via an env var (e.g. `SUPABASE_DB_IMAGE`).
77
+
78
+ | Service | Image (default) | Role |
79
+ | :--- | :--- | :--- |
80
+ | `db` | `supabase/postgres` | Postgres with the Supabase roles, schemas, and extensions. Named volume `nextblock_db_store`. |
81
+ | `auth` | `supabase/gotrue` | Auth: sessions, JWTs, the `auth.users` table. |
82
+ | `rest` | `postgrest/postgrest` | Instant REST API over the `public` / `graphql_public` schemas. |
83
+ | `kong` | `kong` | Edge gateway — maps `/auth/v1`, `/rest/v1`, `/graphql/v1` to port **8000**. |
84
+ | `minio` + `minio-init` | `minio/minio`, `minio/mc` | S3-compatible media storage + a public `nextblock` bucket. Named volume `nextblock_media`. |
85
+ | `migrate` | `postgres:alpine` | Applies `libs/db/src/supabase/migrations` in order, **once**, then exits. |
86
+ | `nextblock-cms` | built locally | The Next.js standalone app on **3000**. Boots **only after `migrate` succeeds**. |
87
+
88
+ Both named volumes persist your database and uploaded media across restarts.
89
+
90
+ ### Commands
91
+
92
+ | Command | Does |
93
+ | :--- | :--- |
94
+ | `npm run docker:setup` | Generate `.env` → build → up. The one-click entry point. |
95
+ | `npm run docker:up` | Rebuild and (re)start the stack. |
96
+ | `npm run docker:down` | Stop the stack. Add `-v` to also delete the volumes (wipes local data). |
97
+ | `npm run docker:logs` | Follow the app logs (`docker compose logs -f nextblock-cms`). |
98
+
99
+ ### Ports (override with env vars)
100
+
101
+ `APP_PORT` (3000), `KONG_HTTP_PORT` (8000), `MINIO_S3_PORT` (9000),
102
+ `MINIO_CONSOLE_PORT` (9001), `POSTGRES_PORT_EXTERNAL` (54322).
103
+
104
+ ## How it works
105
+
106
+ The interesting part is making one codebase work unchanged in both modes. A few
107
+ mechanisms make that possible:
108
+
109
+ - **Standalone build.** The app Dockerfile is multi-stage (deps → builder → hardened
110
+ non-root runner) and builds with Next.js `output: 'standalone'`, gated on a
111
+ `DOCKER_BUILD` env var so normal/Vercel builds are untouched. The runner ships only the
112
+ traced server tree, `.next/static`, and `public`.
113
+
114
+ - **One URL + an in-container loopback proxy.** The browser reaches Supabase at
115
+ `http://localhost:8000`, and that value is inlined into the build. Server-side code runs
116
+ *inside* the container, where `localhost` has nothing — so the runner starts a tiny
117
+ `socat` proxy that forwards in-container `127.0.0.1:8000 → kong:8000` and
118
+ `127.0.0.1:9000 → minio:9000`. Browser and server therefore use the **same URL**, which
119
+ also keeps the Supabase auth-cookie key (derived from the URL host) identical on both
120
+ sides so SSR can read the session.
121
+
122
+ - **Storage on `127.0.0.1`.** Media URLs use `http://127.0.0.1:9000` (not `localhost`).
123
+ On `localhost`, cookies are not port-scoped, so the browser would otherwise send the
124
+ app's auth cookies to MinIO and trip its header-size limit. `127.0.0.1` is a different
125
+ cookie host, so MinIO always receives clean image requests.
126
+
127
+ - **Migration runner.** The `migrate` service waits for the database to be healthy and
128
+ for GoTrue to create `auth.users` (the schema FKs to it), then applies each migration in
129
+ order inside a transaction. It records applied versions, so restarts never re-run a
130
+ migration.
131
+
132
+ - **Generated keys.** `docker:setup` generates a `JWT_SECRET` and derives valid HS256
133
+ `anon` and `service_role` JWTs from it (using Node's built-in `crypto`), so GoTrue,
134
+ PostgREST, and Kong all validate against the same secret out of the box.
135
+
136
+ ## Cloud vs Docker — same code, different env
137
+
138
+ There are **no application code paths** specific to Docker. The difference is purely
139
+ configuration:
140
+
141
+ | | Managed Cloud | Self-Hosted Docker |
142
+ | :--- | :--- | :--- |
143
+ | Database / Auth | Supabase Cloud | `supabase/postgres` + `supabase/gotrue` |
144
+ | Object storage | Cloudflare R2 | MinIO (S3-compatible) |
145
+ | Email | Required SMTP | Optional — GoTrue auto-confirms without it |
146
+ | Run command | `npx nx serve nextblock` / Vercel | `npm run docker:setup` |
147
+ | Config | `.env.local` (cloud keys) | `.env` (generated local secrets) |
148
+
149
+ > The R2 client already speaks S3, so MinIO is pointed at it via `R2_S3_ENDPOINT` /
150
+ > `R2_FORCE_PATH_STYLE`; uploads are signed for the browser via `R2_S3_PUBLIC_ENDPOINT`.
151
+ > A reference of every key the stack reads lives in `.env.docker.example`.
152
+
153
+ ## Troubleshooting
154
+
155
+ - **"Docker is not installed or not running."** Start Docker Desktop and re-run
156
+ `npm run docker:setup`.
157
+
158
+ - **`port is already allocated`.** Another process (often a previous stack) holds 8000 /
159
+ 9000 / 3000 / 54322. Stop it, or override the port env vars above.
160
+
161
+ - **GoTrue fails with `password authentication failed for user "supabase_auth_admin"`
162
+ (28P01) after a re-clone.** A leftover named volume from a previous install still holds
163
+ the old password, while your new `.env` has fresh secrets. Postgres only runs its
164
+ credential-setting init scripts on an *empty* volume. Fix:
165
+ `docker compose down -v && npm run docker:up`. (`docker:setup` does this automatically
166
+ when it generates a brand-new `.env`.)
167
+
168
+ - **Re-running `docker:setup`.** If a `.env` already exists it **reuses your secrets and
169
+ keeps your data** — safe to re-run to rebuild after pulling changes.
170
+
171
+ - **Wipe everything and start clean.** `docker compose down -v` removes the containers and
172
+ both named volumes (database + media).
173
+ </content>
@@ -0,0 +1,67 @@
1
+ # 12 · Cloud Deployment (Deploy to Vercel)
2
+
3
+ NextBlock ships a one-click **Deploy to Vercel** button (see the README) that brings
4
+ up a production instance already connected to a managed Supabase project. From there,
5
+ the in-app **First-Boot Setup Wizard** (`/setup`) finishes configuration in the
6
+ browser — there is no terminal step.
7
+
8
+ ## How the button works
9
+
10
+ The badge links to `https://vercel.com/new/clone` with these query parameters:
11
+
12
+ | Parameter | Purpose |
13
+ | :--- | :--- |
14
+ | `repository-url` | The NextBlock repo to clone into the user's Git provider. |
15
+ | `integration-ids=oac_VqOgBHqhEoFTPzGkPd7L0iH6` | Vercel's **Supabase integration**. During import, Vercel provisions (or links) a Supabase project and injects its environment variables automatically. |
16
+ | `env=NEXT_PUBLIC_URL,CRON_SECRET,DRAFT_MODE_SECRET,REVALIDATE_SECRET_TOKEN` | The remaining variables Vercel prompts for. Only variable **names** are listed — never secret values. |
17
+ | `envDescription` / `envLink` | Help text + a link back to this doc. |
18
+
19
+ The Supabase integration injects the keys the app needs to boot:
20
+ `NEXT_PUBLIC_SUPABASE_URL`, `NEXT_PUBLIC_SUPABASE_ANON_KEY`,
21
+ `SUPABASE_SERVICE_ROLE_KEY`, and `POSTGRES_URL`. Because those are present on first
22
+ boot, the instance is **Profile A (pre-configured)**: the wizard skips the connection
23
+ step and goes straight to creating the first administrator.
24
+
25
+ ## What the wizard does on Vercel
26
+
27
+ 1. **Database** — already connected (integration-injected). The wizard verifies a
28
+ first admin doesn't exist yet, otherwise it redirects to `/cms/dashboard`.
29
+ 2. **Schema** — apply the migrations to the managed Supabase project. The Supabase
30
+ integration creates the project but does **not** run NextBlock's migrations, so run
31
+ them once after the first deploy (locally against the project, or via the Supabase
32
+ dashboard SQL editor) — see [docs/04](./04-DATABASE-AND-AUTH.md) and
33
+ [docs/05](./05-DEVELOPER-GUIDE.md).
34
+ 3. **Storage** — pre-filled for **Supabase Storage** (S3-compatible). The wizard's
35
+ storage step shows the endpoint derived from your Supabase URL
36
+ (`<project>/storage/v1/s3`). Create an S3 access key in the Supabase dashboard
37
+ (Storage → S3 connection) and set `R2_ACCESS_KEY_ID` / `R2_SECRET_ACCESS_KEY` in
38
+ your Vercel project environment. (Cloudflare R2 remains the default for non-Vercel
39
+ installs — it has a more generous free storage tier; only the one-click Vercel
40
+ path defaults to Supabase Storage.)
41
+ 4. **Email / Bot protection / Sign-ups** — optional steps; bot-protection and the
42
+ sign-up policy persist to the database and work immediately. SMTP, if used, is set
43
+ as Vercel environment variables.
44
+ 5. **Administrator** — create the first admin. The account is created already
45
+ confirmed (`email_confirm: true`), so no verification email is required.
46
+
47
+ > Filesystem is read-only on Vercel, so the wizard never writes `.env.local` there —
48
+ > all configuration is environment variables (platform-managed) plus the database.
49
+
50
+ ## Cron jobs and the free tier
51
+
52
+ `vercel.json` declares two daily crons (`/api/cron/reset-sandbox` and
53
+ `/api/cron/sync-currencies`). Vercel's **Hobby (free) tier allows one cron per day**.
54
+ For a free-tier production deploy, either:
55
+
56
+ - Upgrade to a paid plan (both crons run as declared), **or**
57
+ - Keep only the cron you need (most production sites don't need `reset-sandbox`, which
58
+ exists for the public demo sandbox), **or**
59
+ - Consolidate both jobs into a single cron handler.
60
+
61
+ This is intentionally left as a deploy-time decision rather than changed in the repo,
62
+ since the sandbox/demo deploy relies on both crons.
63
+
64
+ ## After deploy
65
+
66
+ Visit the deployment URL — it redirects to `/setup` until the first admin exists.
67
+ Complete the wizard, then sign in at `/cms/dashboard`.
@@ -16,6 +16,7 @@ library surfaces rather than historical planning notes.
16
16
  - Cortex AI architecture: [08-NEXTBLOCK-CORTEX-AI-ARCHITECTURE.md](./08-NEXTBLOCK-CORTEX-AI-ARCHITECTURE.md)
17
17
  - Live draft (visual editing) mode: [09-LIVE-DRAFT-MODE.md](./09-LIVE-DRAFT-MODE.md)
18
18
  - Custom blocks (data-driven CRUD): [10-CUSTOM-BLOCKS.md](./10-CUSTOM-BLOCKS.md)
19
+ - Self-hosted local Docker stack: [11-SELF-HOSTED-DOCKER.md](./11-SELF-HOSTED-DOCKER.md)
19
20
 
20
21
  ## Audience Guide
21
22
 
@@ -25,6 +26,7 @@ library surfaces rather than historical planning notes.
25
26
  - Custom block work: read `03`, then `10`.
26
27
  - AI / Cortex work: read `08`.
27
28
  - CLI or template work: read `06`.
29
+ - Running everything locally without cloud accounts: read `11`.
28
30
  - AI agents: start with this index, then move directly to the subsystem file that
29
31
  matches the task. Treat `apps/nextblock`, `libs/*`, and
30
32
  `libs/db/src/supabase/migrations` as the final authority if a doc and code ever
@@ -25,7 +25,7 @@ export const FeaturedProductBlock = async ({ content }: { content: FeaturedProdu
25
25
  } else if (process.env.NEXT_PUBLIC_R2_BASE_URL) {
26
26
  imageUrl = `${process.env.NEXT_PUBLIC_R2_BASE_URL}/${mediaItem.file_path}`;
27
27
  } else {
28
- imageUrl = `${process.env.NEXT_PUBLIC_SUPABASE_URL}/storage/v1/object/public/media/${mediaItem.file_path}`;
28
+ imageUrl = `${process.env.NEXT_PUBLIC_SUPABASE_URL ?? ''}/storage/v1/object/public/media/${mediaItem.file_path}`;
29
29
  }
30
30
  }
31
31
 
@@ -62,7 +62,7 @@ export const ProductGridBlock = async ({
62
62
  } else if (process.env.NEXT_PUBLIC_R2_BASE_URL) {
63
63
  imageUrl = `${process.env.NEXT_PUBLIC_R2_BASE_URL}/${mediaItem.file_path}`;
64
64
  } else {
65
- imageUrl = `${process.env.NEXT_PUBLIC_SUPABASE_URL}/storage/v1/object/public/media/${mediaItem.file_path}`;
65
+ imageUrl = `${process.env.NEXT_PUBLIC_SUPABASE_URL ?? ''}/storage/v1/object/public/media/${mediaItem.file_path}`;
66
66
  }
67
67
  }
68
68
 
@@ -3,7 +3,7 @@ import { beforeEach, describe, expect, it, vi } from 'vitest';
3
3
  vi.mock('server-only', () => ({}));
4
4
 
5
5
  const mocks = vi.hoisted(() => ({
6
- getS3ClientMock: vi.fn(),
6
+ getS3PresignClientMock: vi.fn(),
7
7
  getSignedUrlMock: vi.fn(),
8
8
  getUserMock: vi.fn(),
9
9
  profileSingleMock: vi.fn(),
@@ -28,7 +28,7 @@ vi.mock('@nextblock-cms/db/server', () => ({
28
28
  }));
29
29
 
30
30
  vi.mock('@nextblock-cms/utils/server', () => ({
31
- getS3Client: mocks.getS3ClientMock,
31
+ getS3PresignClient: mocks.getS3PresignClientMock,
32
32
  }));
33
33
 
34
34
  vi.mock('@aws-sdk/client-s3', () => ({
@@ -82,7 +82,7 @@ describe('custom block R2 presigned upload flow', () => {
82
82
  );
83
83
 
84
84
  expect(response.status).toBe(401);
85
- expect(mocks.getS3ClientMock).not.toHaveBeenCalled();
85
+ expect(mocks.getS3PresignClientMock).not.toHaveBeenCalled();
86
86
  });
87
87
 
88
88
  it('rejects oversized files for authorized writers', async () => {
@@ -103,13 +103,13 @@ describe('custom block R2 presigned upload flow', () => {
103
103
 
104
104
  expect(response.status).toBe(400);
105
105
  expect(payload.error).toContain('10 MB');
106
- expect(mocks.getS3ClientMock).not.toHaveBeenCalled();
106
+ expect(mocks.getS3PresignClientMock).not.toHaveBeenCalled();
107
107
  });
108
108
 
109
109
  it('returns a direct PUT upload space for authorized writers', async () => {
110
110
  mocks.getUserMock.mockResolvedValueOnce({ data: { user: { id: 'user-1' } }, error: null });
111
111
  mocks.profileSingleMock.mockResolvedValueOnce({ data: { role: 'ADMIN' }, error: null });
112
- mocks.getS3ClientMock.mockResolvedValueOnce({ send: vi.fn() });
112
+ mocks.getS3PresignClientMock.mockResolvedValueOnce({ send: vi.fn() });
113
113
  mocks.getSignedUrlMock.mockResolvedValueOnce('https://r2.example.test/presigned-put');
114
114
 
115
115
  const response = await POST(
@@ -2,7 +2,7 @@ import 'server-only';
2
2
 
3
3
  import { PutObjectCommand } from '@aws-sdk/client-s3';
4
4
  import { getSignedUrl } from '@aws-sdk/s3-request-presigner';
5
- import { getS3Client } from '@nextblock-cms/utils/server';
5
+ import { getS3PresignClient } from '@nextblock-cms/utils/server';
6
6
 
7
7
  import { resolveMediaUrl } from './media/resolveMediaUrl';
8
8
  import {
@@ -35,7 +35,7 @@ export async function createR2PresignedUpload(
35
35
  throw new R2PresignedUploadError('File uploads are not configured on this server.', 500);
36
36
  }
37
37
 
38
- const s3Client = await getS3Client();
38
+ const s3Client = await getS3PresignClient();
39
39
  if (!s3Client) {
40
40
  throw new R2PresignedUploadError('File uploads are not configured on this server.', 500);
41
41
  }