create-nextblock 0.8.11 ā 0.9.5
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/bin/create-nextblock.js +101 -35
- package/docker-template/.dockerignore +23 -0
- package/docker-template/.env.docker.example +56 -0
- package/docker-template/Dockerfile +85 -0
- package/docker-template/docker/db/init/99-jwt.sql +6 -0
- package/docker-template/docker/db/init/99-roles.sql +25 -0
- package/docker-template/docker/kong/kong.yml +112 -0
- package/docker-template/docker/migrate/run-migrations.sh +51 -0
- package/docker-template/docker-compose.yml +219 -0
- package/docker-template/scripts/docker-setup.mjs +242 -0
- package/package.json +1 -1
- package/scripts/sync-template.js +29 -0
- package/templates/nextblock-template/.dockerignore +23 -0
- package/templates/nextblock-template/Dockerfile +85 -0
- package/templates/nextblock-template/app/[slug]/page.tsx +5 -0
- package/templates/nextblock-template/app/actions.ts +58 -8
- package/templates/nextblock-template/app/api/cron/reset-sandbox/sandboxResetSql.ts +83 -0
- package/templates/nextblock-template/app/api/upload/presigned-url/route.ts +9 -9
- package/templates/nextblock-template/app/article/[slug]/page.tsx +5 -0
- package/templates/nextblock-template/app/cms/settings/security/actions.ts +30 -0
- package/templates/nextblock-template/app/cms/settings/security/components/SecurityPanel.tsx +69 -0
- package/templates/nextblock-template/app/layout.tsx +57 -3
- package/templates/nextblock-template/app/lib/site-settings.ts +22 -7
- package/templates/nextblock-template/app/page.tsx +6 -0
- package/templates/nextblock-template/app/product/[slug]/page.tsx +5 -0
- package/templates/nextblock-template/app/setup/SetupWizard.tsx +771 -0
- package/templates/nextblock-template/app/setup/layout.tsx +13 -0
- package/templates/nextblock-template/app/setup/page.tsx +103 -0
- package/templates/nextblock-template/components/AppShell.tsx +12 -0
- package/templates/nextblock-template/components/header-auth.tsx +24 -62
- package/templates/nextblock-template/docker/db/init/99-jwt.sql +6 -0
- package/templates/nextblock-template/docker/db/init/99-roles.sql +25 -0
- package/templates/nextblock-template/docker/kong/kong.yml +112 -0
- package/templates/nextblock-template/docker/migrate/run-migrations.sh +51 -0
- package/templates/nextblock-template/docker-compose.yml +219 -0
- package/templates/nextblock-template/docs/11-SELF-HOSTED-DOCKER.md +173 -0
- package/templates/nextblock-template/docs/12-VERCEL-DEPLOYMENT.md +67 -0
- package/templates/nextblock-template/docs/README.md +2 -0
- package/templates/nextblock-template/lib/blocks/FeaturedProductBlock.tsx +1 -1
- package/templates/nextblock-template/lib/blocks/ProductGridBlock.tsx +1 -1
- package/templates/nextblock-template/lib/custom-block-r2-upload.test.ts +5 -5
- package/templates/nextblock-template/lib/custom-block-r2-upload.ts +2 -2
- package/templates/nextblock-template/lib/setup/actions.ts +370 -0
- package/templates/nextblock-template/lib/setup/env-status.ts +86 -0
- package/templates/nextblock-template/lib/setup/env-write.ts +111 -0
- package/templates/nextblock-template/lib/setup/provisioning.ts +59 -0
- package/templates/nextblock-template/lib/setup/schema-apply.ts +379 -0
- package/templates/nextblock-template/lib/setup/system-config.ts +105 -0
- package/templates/nextblock-template/lib/setup/types.ts +18 -0
- package/templates/nextblock-template/next.config.js +9 -0
- package/templates/nextblock-template/package.json +6 -2
- package/templates/nextblock-template/proxy.ts +143 -49
- package/templates/nextblock-template/scripts/docker-setup.mjs +242 -0
- package/templates/nextblock-template/tsconfig.tsbuildinfo +1 -1
|
@@ -1,5 +1,6 @@
|
|
|
1
1
|
import { createServerClient, type CookieOptions } from '@supabase/ssr';
|
|
2
2
|
import { NextResponse, type NextRequest } from 'next/server';
|
|
3
|
+
import type { SupabaseClient } from '@supabase/supabase-js';
|
|
3
4
|
import type { Database } from '@nextblock-cms/db';
|
|
4
5
|
|
|
5
6
|
type Profile = Database['public']['Tables']['profiles']['Row'];
|
|
@@ -42,6 +43,63 @@ function getRequiredRolesForPath(pathname: string): UserRole[] | null {
|
|
|
42
43
|
return null;
|
|
43
44
|
}
|
|
44
45
|
|
|
46
|
+
/**
|
|
47
|
+
* Paths that must stay reachable while the instance is unprovisioned: the wizard,
|
|
48
|
+
* its server actions/APIs, the auth callback, and framework internals. Everything
|
|
49
|
+
* else is redirected to /setup until a first admin exists.
|
|
50
|
+
*/
|
|
51
|
+
function isSetupAllowlisted(pathname: string): boolean {
|
|
52
|
+
return (
|
|
53
|
+
pathname === '/setup' ||
|
|
54
|
+
pathname.startsWith('/setup/') ||
|
|
55
|
+
pathname.startsWith('/api/setup') ||
|
|
56
|
+
pathname.startsWith('/auth/') ||
|
|
57
|
+
pathname.startsWith('/_next/') ||
|
|
58
|
+
pathname.startsWith('/favicon')
|
|
59
|
+
);
|
|
60
|
+
}
|
|
61
|
+
|
|
62
|
+
// Module-level cache for the "has the first admin been created?" flag. Middleware
|
|
63
|
+
// modules persist across requests in a worker, so this avoids a per-request DB hit.
|
|
64
|
+
let provisionedAdminCache: { value: boolean; expires: number } | null = null;
|
|
65
|
+
|
|
66
|
+
/**
|
|
67
|
+
* Returns true once the system has a first admin (site_settings.is_admin_created).
|
|
68
|
+
* `is_admin_created` is a non-sensitive, anon-readable key, so the request-scoped
|
|
69
|
+
* anon client can read it. Cached aggressively once true (it never reverts) and
|
|
70
|
+
* briefly while false (so the gate releases promptly after the wizard runs).
|
|
71
|
+
* Fail-open: any read error returns true so a hiccup never traps the whole site.
|
|
72
|
+
*/
|
|
73
|
+
async function hasProvisionedAdmin(supabase: SupabaseClient): Promise<boolean> {
|
|
74
|
+
const now = Date.now();
|
|
75
|
+
if (provisionedAdminCache && provisionedAdminCache.expires > now) {
|
|
76
|
+
return provisionedAdminCache.value;
|
|
77
|
+
}
|
|
78
|
+
|
|
79
|
+
try {
|
|
80
|
+
const { data, error } = await supabase
|
|
81
|
+
.from('site_settings')
|
|
82
|
+
.select('value')
|
|
83
|
+
.eq('key', 'is_admin_created')
|
|
84
|
+
.maybeSingle();
|
|
85
|
+
|
|
86
|
+
if (error) {
|
|
87
|
+
return true;
|
|
88
|
+
}
|
|
89
|
+
|
|
90
|
+
const hasAdmin = data?.value === true || data?.value === 'true';
|
|
91
|
+
// Cache "provisioned" for a long time (it never reverts); keep the unprovisioned
|
|
92
|
+
// window short so the gate releases promptly once the wizard creates the admin.
|
|
93
|
+
provisionedAdminCache = {
|
|
94
|
+
value: hasAdmin,
|
|
95
|
+
expires: now + (hasAdmin ? 10 * 60_000 : 3_000),
|
|
96
|
+
};
|
|
97
|
+
return hasAdmin;
|
|
98
|
+
} catch {
|
|
99
|
+
return true;
|
|
100
|
+
}
|
|
101
|
+
}
|
|
102
|
+
|
|
45
103
|
function getHttpOrigin(value: string | undefined): string | null {
|
|
46
104
|
if (!value) {
|
|
47
105
|
return null;
|
|
@@ -110,11 +168,21 @@ function createRedirectResponse(
|
|
|
110
168
|
return applySecurityHeaders(NextResponse.redirect(url), contentSecurityPolicy);
|
|
111
169
|
}
|
|
112
170
|
|
|
113
|
-
function createContentSecurityPolicy(nonceValue: string, supabaseUrl: string): string {
|
|
171
|
+
function createContentSecurityPolicy(nonceValue: string, supabaseUrl: string | undefined): string {
|
|
114
172
|
const isDev = process.env.NODE_ENV !== 'production';
|
|
115
|
-
|
|
116
|
-
|
|
117
|
-
|
|
173
|
+
// supabaseUrl is absent on an unconfigured instance (pre-/setup). Build the policy
|
|
174
|
+
// without Supabase origins in that case ā uniqueSources() drops the null entries.
|
|
175
|
+
let supabaseOrigin: string | null = null;
|
|
176
|
+
let supabaseRealtimeOrigin: string | null = null;
|
|
177
|
+
if (supabaseUrl) {
|
|
178
|
+
try {
|
|
179
|
+
const parsedSupabaseUrl = new URL(supabaseUrl);
|
|
180
|
+
supabaseOrigin = parsedSupabaseUrl.origin;
|
|
181
|
+
supabaseRealtimeOrigin = `${parsedSupabaseUrl.protocol === 'https:' ? 'wss:' : 'ws:'}//${parsedSupabaseUrl.host}`;
|
|
182
|
+
} catch {
|
|
183
|
+
// malformed URL ā treat as unconfigured for CSP purposes
|
|
184
|
+
}
|
|
185
|
+
}
|
|
118
186
|
const assetSources = getAssetSources();
|
|
119
187
|
|
|
120
188
|
const googleSources = [
|
|
@@ -126,15 +194,15 @@ function createContentSecurityPolicy(nonceValue: string, supabaseUrl: string): s
|
|
|
126
194
|
'https://stats.g.doubleclick.net',
|
|
127
195
|
];
|
|
128
196
|
|
|
129
|
-
const vercelSources = [
|
|
130
|
-
'https://vercel.live',
|
|
131
|
-
'https://vercel.com',
|
|
132
|
-
'https://assets.vercel.com',
|
|
133
|
-
'https://vitals.vercel-insights.com',
|
|
134
|
-
'https://*.vercel-insights.com',
|
|
135
|
-
];
|
|
136
|
-
const vercelToolbarConnectSources = ['wss://ws-us3.pusher.com'];
|
|
137
|
-
const turnstileSources = ['https://challenges.cloudflare.com'];
|
|
197
|
+
const vercelSources = [
|
|
198
|
+
'https://vercel.live',
|
|
199
|
+
'https://vercel.com',
|
|
200
|
+
'https://assets.vercel.com',
|
|
201
|
+
'https://vitals.vercel-insights.com',
|
|
202
|
+
'https://*.vercel-insights.com',
|
|
203
|
+
];
|
|
204
|
+
const vercelToolbarConnectSources = ['wss://ws-us3.pusher.com'];
|
|
205
|
+
const turnstileSources = ['https://challenges.cloudflare.com'];
|
|
138
206
|
|
|
139
207
|
const developmentHttpSources = isDev
|
|
140
208
|
? [
|
|
@@ -161,21 +229,21 @@ function createContentSecurityPolicy(nonceValue: string, supabaseUrl: string): s
|
|
|
161
229
|
"'self'",
|
|
162
230
|
`'nonce-${nonceValue}'`,
|
|
163
231
|
"'unsafe-inline'",
|
|
164
|
-
"'unsafe-eval'",
|
|
165
|
-
'blob:',
|
|
166
|
-
'data:',
|
|
167
|
-
...vercelSources,
|
|
168
|
-
...turnstileSources,
|
|
169
|
-
...developmentHttpSources,
|
|
170
|
-
]
|
|
171
|
-
: [
|
|
172
|
-
"'self'",
|
|
173
|
-
`'nonce-${nonceValue}'`,
|
|
174
|
-
'blob:',
|
|
175
|
-
...googleSources,
|
|
176
|
-
...vercelSources,
|
|
177
|
-
...turnstileSources,
|
|
178
|
-
],
|
|
232
|
+
"'unsafe-eval'",
|
|
233
|
+
'blob:',
|
|
234
|
+
'data:',
|
|
235
|
+
...vercelSources,
|
|
236
|
+
...turnstileSources,
|
|
237
|
+
...developmentHttpSources,
|
|
238
|
+
]
|
|
239
|
+
: [
|
|
240
|
+
"'self'",
|
|
241
|
+
`'nonce-${nonceValue}'`,
|
|
242
|
+
'blob:',
|
|
243
|
+
...googleSources,
|
|
244
|
+
...vercelSources,
|
|
245
|
+
...turnstileSources,
|
|
246
|
+
],
|
|
179
247
|
),
|
|
180
248
|
createDirective('script-src-attr', ["'none'"]),
|
|
181
249
|
createDirective('style-src', [
|
|
@@ -205,25 +273,25 @@ function createContentSecurityPolicy(nonceValue: string, supabaseUrl: string): s
|
|
|
205
273
|
"'self'",
|
|
206
274
|
supabaseOrigin,
|
|
207
275
|
supabaseRealtimeOrigin,
|
|
208
|
-
...assetSources,
|
|
209
|
-
...googleSources,
|
|
210
|
-
...vercelSources,
|
|
211
|
-
...vercelToolbarConnectSources,
|
|
212
|
-
...turnstileSources,
|
|
213
|
-
...developmentConnectSources,
|
|
214
|
-
]),
|
|
215
|
-
createDirective('frame-src', [
|
|
216
|
-
"'self'",
|
|
217
|
-
'blob:',
|
|
276
|
+
...assetSources,
|
|
277
|
+
...googleSources,
|
|
278
|
+
...vercelSources,
|
|
279
|
+
...vercelToolbarConnectSources,
|
|
280
|
+
...turnstileSources,
|
|
281
|
+
...developmentConnectSources,
|
|
282
|
+
]),
|
|
283
|
+
createDirective('frame-src', [
|
|
284
|
+
"'self'",
|
|
285
|
+
'blob:',
|
|
218
286
|
'data:',
|
|
219
287
|
'https://checkout.freemius.com',
|
|
220
288
|
'https://www.youtube.com',
|
|
221
289
|
'https://www.youtube-nocookie.com',
|
|
222
|
-
'https://player.vimeo.com',
|
|
223
|
-
'https://vercel.live',
|
|
224
|
-
'https://vercel.com',
|
|
225
|
-
...turnstileSources,
|
|
226
|
-
]),
|
|
290
|
+
'https://player.vimeo.com',
|
|
291
|
+
'https://vercel.live',
|
|
292
|
+
'https://vercel.com',
|
|
293
|
+
...turnstileSources,
|
|
294
|
+
]),
|
|
227
295
|
createDirective('media-src', ["'self'", 'data:', 'blob:', supabaseOrigin, ...assetSources]),
|
|
228
296
|
createDirective('worker-src', ["'self'", 'blob:']),
|
|
229
297
|
createDirective('manifest-src', ["'self'"]),
|
|
@@ -238,29 +306,44 @@ function createContentSecurityPolicy(nonceValue: string, supabaseUrl: string): s
|
|
|
238
306
|
}
|
|
239
307
|
|
|
240
308
|
export async function proxy(request: NextRequest) {
|
|
309
|
+
const { pathname } = request.nextUrl;
|
|
241
310
|
const supabaseUrl = process.env.NEXT_PUBLIC_SUPABASE_URL;
|
|
242
311
|
const supabaseAnonKey = process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY;
|
|
243
|
-
|
|
244
|
-
|
|
245
|
-
throw new Error('Missing required Supabase environment variables');
|
|
246
|
-
}
|
|
312
|
+
const configured = Boolean(supabaseUrl && supabaseAnonKey);
|
|
313
|
+
process.env.NEXTBLOCK_UNCONFIGURED = configured ? 'false' : 'true';
|
|
247
314
|
|
|
248
315
|
const requestHeaders = new Headers(request.headers);
|
|
249
316
|
const nonce = Buffer.from(crypto.randomUUID()).toString('base64');
|
|
250
317
|
const contentSecurityPolicy = createContentSecurityPolicy(nonce, supabaseUrl);
|
|
251
318
|
|
|
252
319
|
requestHeaders.set('x-nonce', nonce);
|
|
320
|
+
requestHeaders.set('x-nextblock-path', pathname);
|
|
253
321
|
if (contentSecurityPolicy) {
|
|
254
322
|
requestHeaders.set('Content-Security-Policy', contentSecurityPolicy);
|
|
255
323
|
}
|
|
256
324
|
|
|
325
|
+
const allowlisted = isSetupAllowlisted(pathname);
|
|
326
|
+
|
|
327
|
+
// First-boot setup gate (unconfigured): no Supabase env yet, so the browser /setup
|
|
328
|
+
// wizard is the only thing that can run. Let allowlisted paths render with the
|
|
329
|
+
// nonce/CSP applied; redirect everything else to /setup. No Supabase work happens.
|
|
330
|
+
if (!configured) {
|
|
331
|
+
if (allowlisted) {
|
|
332
|
+
return applySecurityHeaders(
|
|
333
|
+
NextResponse.next({ request: { headers: requestHeaders } }),
|
|
334
|
+
contentSecurityPolicy,
|
|
335
|
+
);
|
|
336
|
+
}
|
|
337
|
+
return createRedirectResponse(new URL('/setup', request.url), contentSecurityPolicy);
|
|
338
|
+
}
|
|
339
|
+
|
|
257
340
|
let response = NextResponse.next({
|
|
258
341
|
request: {
|
|
259
342
|
headers: requestHeaders,
|
|
260
343
|
},
|
|
261
344
|
});
|
|
262
345
|
|
|
263
|
-
const supabase = createServerClient(supabaseUrl, supabaseAnonKey, {
|
|
346
|
+
const supabase = createServerClient(supabaseUrl as string, supabaseAnonKey as string, {
|
|
264
347
|
cookies: {
|
|
265
348
|
get(name: string) {
|
|
266
349
|
return request.cookies.get(name)?.value;
|
|
@@ -293,7 +376,18 @@ export async function proxy(request: NextRequest) {
|
|
|
293
376
|
data: { user },
|
|
294
377
|
error: userError,
|
|
295
378
|
} = await supabase.auth.getUser();
|
|
296
|
-
|
|
379
|
+
|
|
380
|
+
// First-boot setup gate (configured but no admin yet, and nobody signed in): funnel
|
|
381
|
+
// anonymous traffic to /setup so the wizard can create the first admin. A logged-in
|
|
382
|
+
// user is proof the system is provisioned, so never gate them ā this also prevents a
|
|
383
|
+
// redirect loop in the moment right after the wizard signs the new admin in. Cached
|
|
384
|
+
// + fail-open so a transient status error can't trap the whole site.
|
|
385
|
+
if (!user && !allowlisted && !(await hasProvisionedAdmin(supabase))) {
|
|
386
|
+
return createRedirectResponse(
|
|
387
|
+
new URL('/setup', request.url),
|
|
388
|
+
contentSecurityPolicy,
|
|
389
|
+
);
|
|
390
|
+
}
|
|
297
391
|
|
|
298
392
|
if (pathname.startsWith('/cms')) {
|
|
299
393
|
if (userError || !user) {
|
|
@@ -0,0 +1,242 @@
|
|
|
1
|
+
#!/usr/bin/env node
|
|
2
|
+
// Zero-dependency Docker setup for a standalone NextBlock project. Runs via `npm run docker:setup`
|
|
3
|
+
// (and is invoked automatically when you pick Docker mode in `npm create nextblock`). Uses only
|
|
4
|
+
// Node built-ins so it works before any host `npm install`.
|
|
5
|
+
//
|
|
6
|
+
// Self-hosted Supabase (GoTrue + PostgREST) validates REAL HS256 JWTs, so we generate a JWT
|
|
7
|
+
// secret and derive properly-signed anon/service_role keys from it ā a random string is not a
|
|
8
|
+
// usable key. Then it writes .env and boots the stack via docker compose.
|
|
9
|
+
|
|
10
|
+
import { randomBytes, createHmac } from 'node:crypto';
|
|
11
|
+
import { readFile, writeFile, access } from 'node:fs/promises';
|
|
12
|
+
import { resolve, dirname } from 'node:path';
|
|
13
|
+
import { fileURLToPath } from 'node:url';
|
|
14
|
+
import { spawn, spawnSync } from 'node:child_process';
|
|
15
|
+
import { createInterface } from 'node:readline/promises';
|
|
16
|
+
import { stdin as input, stdout as output } from 'node:process';
|
|
17
|
+
|
|
18
|
+
const __dirname = dirname(fileURLToPath(import.meta.url));
|
|
19
|
+
const PROJECT_ROOT = resolve(__dirname, '..');
|
|
20
|
+
const ENV_PATH = resolve(PROJECT_ROOT, '.env');
|
|
21
|
+
|
|
22
|
+
const TURNSTILE_TEST_SITE_KEY = '1x00000000000000000000AA';
|
|
23
|
+
const TURNSTILE_TEST_SECRET_KEY = '1x0000000000000000000000000000000AA';
|
|
24
|
+
|
|
25
|
+
const generateSecret = () => randomBytes(32).toString('hex');
|
|
26
|
+
const base64url = (value) =>
|
|
27
|
+
Buffer.from(value).toString('base64').replace(/=/g, '').replace(/\+/g, '-').replace(/\//g, '_');
|
|
28
|
+
|
|
29
|
+
function signJwtHS256(payload, secret) {
|
|
30
|
+
const header = base64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
|
|
31
|
+
const body = base64url(JSON.stringify(payload));
|
|
32
|
+
const data = `${header}.${body}`;
|
|
33
|
+
return `${data}.${base64url(createHmac('sha256', secret).update(data).digest())}`;
|
|
34
|
+
}
|
|
35
|
+
|
|
36
|
+
function generateSupabaseKeys() {
|
|
37
|
+
const jwtSecret = generateSecret();
|
|
38
|
+
const iat = Math.floor(Date.now() / 1000);
|
|
39
|
+
const exp = iat + 60 * 60 * 24 * 365 * 10;
|
|
40
|
+
return {
|
|
41
|
+
jwtSecret,
|
|
42
|
+
anonKey: signJwtHS256({ role: 'anon', iss: 'supabase', iat, exp }, jwtSecret),
|
|
43
|
+
serviceRoleKey: signJwtHS256({ role: 'service_role', iss: 'supabase', iat, exp }, jwtSecret),
|
|
44
|
+
};
|
|
45
|
+
}
|
|
46
|
+
|
|
47
|
+
function readEnvValue(content, key) {
|
|
48
|
+
for (const line of content.split(/\r?\n/)) {
|
|
49
|
+
if (line.startsWith(`${key}=`)) {
|
|
50
|
+
return line.slice(key.length + 1).trim().replace(/^"(.*)"$/, '$1');
|
|
51
|
+
}
|
|
52
|
+
}
|
|
53
|
+
return '';
|
|
54
|
+
}
|
|
55
|
+
|
|
56
|
+
function upsertEnv(content, replacements) {
|
|
57
|
+
const applied = new Set();
|
|
58
|
+
const lines = content.split(/\r?\n/).map((line) => {
|
|
59
|
+
for (const [key, value] of Object.entries(replacements)) {
|
|
60
|
+
if (line.startsWith(`${key}=`)) {
|
|
61
|
+
applied.add(key);
|
|
62
|
+
return value;
|
|
63
|
+
}
|
|
64
|
+
}
|
|
65
|
+
return line;
|
|
66
|
+
});
|
|
67
|
+
for (const [key, value] of Object.entries(replacements)) {
|
|
68
|
+
if (!applied.has(key)) lines.push(value);
|
|
69
|
+
}
|
|
70
|
+
return lines.join('\n');
|
|
71
|
+
}
|
|
72
|
+
|
|
73
|
+
const pathExists = async (p) => {
|
|
74
|
+
try {
|
|
75
|
+
await access(p);
|
|
76
|
+
return true;
|
|
77
|
+
} catch {
|
|
78
|
+
return false;
|
|
79
|
+
}
|
|
80
|
+
};
|
|
81
|
+
|
|
82
|
+
const commandWorks = (cmd, args) => spawnSync(cmd, args, { stdio: 'ignore' }).status === 0;
|
|
83
|
+
|
|
84
|
+
function detectCompose() {
|
|
85
|
+
if (commandWorks('docker', ['compose', 'version'])) return { cmd: 'docker', args: ['compose'] };
|
|
86
|
+
if (commandWorks('docker-compose', ['version'])) return { cmd: 'docker-compose', args: [] };
|
|
87
|
+
return null;
|
|
88
|
+
}
|
|
89
|
+
|
|
90
|
+
const run = (cmd, args, opts = {}) =>
|
|
91
|
+
new Promise((res, rej) => {
|
|
92
|
+
const child = spawn(cmd, args, {
|
|
93
|
+
stdio: 'inherit',
|
|
94
|
+
shell: process.platform === 'win32',
|
|
95
|
+
...opts,
|
|
96
|
+
});
|
|
97
|
+
child.on('error', rej);
|
|
98
|
+
child.on('close', (code) => (code === 0 ? res() : rej(new Error(`${cmd} exited with ${code}`))));
|
|
99
|
+
});
|
|
100
|
+
|
|
101
|
+
async function main() {
|
|
102
|
+
console.log('š³ NextBlock ā Local Self-Hosted Docker Setup\n');
|
|
103
|
+
|
|
104
|
+
if (!commandWorks('docker', ['info'])) {
|
|
105
|
+
console.error('ā Docker is not installed or not running. Start Docker Desktop, then re-run `npm run docker:setup`.');
|
|
106
|
+
process.exit(1);
|
|
107
|
+
}
|
|
108
|
+
const compose = detectCompose();
|
|
109
|
+
if (!compose) {
|
|
110
|
+
console.error('ā Docker Compose not found. Update Docker Desktop or install the Compose plugin.');
|
|
111
|
+
process.exit(1);
|
|
112
|
+
}
|
|
113
|
+
|
|
114
|
+
const rl = createInterface({ input, output });
|
|
115
|
+
const ask = async (q, def = '') => (await rl.question(q)).trim() || def;
|
|
116
|
+
|
|
117
|
+
console.log('Optional integrations (press Enter to skip):');
|
|
118
|
+
let turnstileSiteKey = await ask(' Cloudflare Turnstile Site Key (Enter = sandbox test keys): ');
|
|
119
|
+
let turnstileSecretKey = '';
|
|
120
|
+
if (turnstileSiteKey) {
|
|
121
|
+
turnstileSecretKey = await ask(' Cloudflare Turnstile Secret Key: ');
|
|
122
|
+
} else {
|
|
123
|
+
turnstileSiteKey = TURNSTILE_TEST_SITE_KEY;
|
|
124
|
+
turnstileSecretKey = TURNSTILE_TEST_SECRET_KEY;
|
|
125
|
+
console.log(' ā Using Cloudflare Turnstile test keys (always pass).');
|
|
126
|
+
}
|
|
127
|
+
|
|
128
|
+
const smtp = { host: await ask(' SMTP Host (Enter = no email, auto-confirm sign-ups): '), port: '', user: '', pass: '', fromEmail: '', fromName: '' };
|
|
129
|
+
let mailerAutoconfirm = 'true';
|
|
130
|
+
if (smtp.host) {
|
|
131
|
+
smtp.port = await ask(' SMTP Port (465 = SSL, 587 = STARTTLS): ', '587');
|
|
132
|
+
smtp.user = await ask(' SMTP User: ');
|
|
133
|
+
smtp.pass = await ask(' SMTP Password: ');
|
|
134
|
+
smtp.fromEmail = await ask(' From Email: ');
|
|
135
|
+
smtp.fromName = await ask(' From Name: ', 'NextBlock');
|
|
136
|
+
mailerAutoconfirm = 'false';
|
|
137
|
+
} else {
|
|
138
|
+
console.log(' ā No SMTP: new accounts auto-confirm so your first admin can sign in immediately.');
|
|
139
|
+
}
|
|
140
|
+
rl.close();
|
|
141
|
+
|
|
142
|
+
let existing = '';
|
|
143
|
+
if (await pathExists(ENV_PATH)) {
|
|
144
|
+
existing = await readFile(ENV_PATH, 'utf8');
|
|
145
|
+
console.log('\nā Found existing .env ā reusing previously generated secrets where present.');
|
|
146
|
+
}
|
|
147
|
+
const reuse = (key, gen) => readEnvValue(existing, key) || gen();
|
|
148
|
+
|
|
149
|
+
const postgresPassword = reuse('POSTGRES_PASSWORD', generateSecret);
|
|
150
|
+
let jwtSecret = readEnvValue(existing, 'JWT_SECRET');
|
|
151
|
+
let anonKey = readEnvValue(existing, 'ANON_KEY');
|
|
152
|
+
let serviceRoleKey = readEnvValue(existing, 'SERVICE_ROLE_KEY');
|
|
153
|
+
if (!jwtSecret || !anonKey || !serviceRoleKey) {
|
|
154
|
+
({ jwtSecret, anonKey, serviceRoleKey } = generateSupabaseKeys());
|
|
155
|
+
}
|
|
156
|
+
const cronSecret = reuse('CRON_SECRET', generateSecret);
|
|
157
|
+
const draftSecret = reuse('DRAFT_MODE_SECRET', generateSecret);
|
|
158
|
+
const revalidateSecret = reuse('REVALIDATE_SECRET_TOKEN', generateSecret);
|
|
159
|
+
const minioUser = readEnvValue(existing, 'MINIO_ROOT_USER') || 'nextblock';
|
|
160
|
+
const minioPassword = reuse('MINIO_ROOT_PASSWORD', generateSecret);
|
|
161
|
+
const bucket = readEnvValue(existing, 'STORAGE_BUCKET') || 'nextblock';
|
|
162
|
+
|
|
163
|
+
const replacements = {
|
|
164
|
+
POSTGRES_PASSWORD: `POSTGRES_PASSWORD=${postgresPassword}`,
|
|
165
|
+
POSTGRES_DB: 'POSTGRES_DB=postgres',
|
|
166
|
+
JWT_SECRET: `JWT_SECRET=${jwtSecret}`,
|
|
167
|
+
JWT_EXP: 'JWT_EXP=3600',
|
|
168
|
+
ANON_KEY: `ANON_KEY=${anonKey}`,
|
|
169
|
+
SERVICE_ROLE_KEY: `SERVICE_ROLE_KEY=${serviceRoleKey}`,
|
|
170
|
+
NEXT_PUBLIC_SUPABASE_URL: 'NEXT_PUBLIC_SUPABASE_URL=http://localhost:8000',
|
|
171
|
+
NEXT_PUBLIC_SUPABASE_ANON_KEY: `NEXT_PUBLIC_SUPABASE_ANON_KEY=${anonKey}`,
|
|
172
|
+
SUPABASE_SERVICE_ROLE_KEY: `SUPABASE_SERVICE_ROLE_KEY=${serviceRoleKey}`,
|
|
173
|
+
API_EXTERNAL_URL: 'API_EXTERNAL_URL=http://localhost:8000',
|
|
174
|
+
SITE_URL: 'SITE_URL=http://localhost:3000',
|
|
175
|
+
NEXT_PUBLIC_URL: 'NEXT_PUBLIC_URL=http://localhost:3000',
|
|
176
|
+
NEXT_PUBLIC_IS_SANDBOX: 'NEXT_PUBLIC_IS_SANDBOX=true',
|
|
177
|
+
CRON_SECRET: `CRON_SECRET=${cronSecret}`,
|
|
178
|
+
DRAFT_MODE_SECRET: `DRAFT_MODE_SECRET=${draftSecret}`,
|
|
179
|
+
REVALIDATE_SECRET_TOKEN: `REVALIDATE_SECRET_TOKEN=${revalidateSecret}`,
|
|
180
|
+
MINIO_ROOT_USER: `MINIO_ROOT_USER=${minioUser}`,
|
|
181
|
+
MINIO_ROOT_PASSWORD: `MINIO_ROOT_PASSWORD=${minioPassword}`,
|
|
182
|
+
STORAGE_BUCKET: `STORAGE_BUCKET=${bucket}`,
|
|
183
|
+
R2_ACCOUNT_ID: 'R2_ACCOUNT_ID=minio',
|
|
184
|
+
R2_REGION: 'R2_REGION=us-east-1',
|
|
185
|
+
R2_S3_ENDPOINT: 'R2_S3_ENDPOINT=http://minio:9000',
|
|
186
|
+
// Storage URLs use 127.0.0.1 (NOT localhost) on purpose: on localhost, cookies aren't
|
|
187
|
+
// port-scoped, so the browser would send the app's Supabase auth cookies to MinIO too ā and
|
|
188
|
+
// MinIO rejects oversized header sets (MetadataTooLarge), breaking image display once cookies
|
|
189
|
+
// grow. 127.0.0.1 is a different cookie host, so the browser never sends them there.
|
|
190
|
+
R2_S3_PUBLIC_ENDPOINT: 'R2_S3_PUBLIC_ENDPOINT=http://127.0.0.1:9000',
|
|
191
|
+
R2_FORCE_PATH_STYLE: 'R2_FORCE_PATH_STYLE=true',
|
|
192
|
+
NEXT_PUBLIC_R2_BASE_URL: `NEXT_PUBLIC_R2_BASE_URL=http://127.0.0.1:9000/${bucket}`,
|
|
193
|
+
NEXT_PUBLIC_R2_PUBLIC_URL: `NEXT_PUBLIC_R2_PUBLIC_URL=http://127.0.0.1:9000/${bucket}`,
|
|
194
|
+
NEXT_PUBLIC_TURNSTILE_SITE_KEY: `NEXT_PUBLIC_TURNSTILE_SITE_KEY=${turnstileSiteKey}`,
|
|
195
|
+
TURNSTILE_SECRET_KEY: `TURNSTILE_SECRET_KEY=${turnstileSecretKey}`,
|
|
196
|
+
GOTRUE_MAILER_AUTOCONFIRM: `GOTRUE_MAILER_AUTOCONFIRM=${mailerAutoconfirm}`,
|
|
197
|
+
SMTP_HOST: `SMTP_HOST=${smtp.host}`,
|
|
198
|
+
SMTP_PORT: `SMTP_PORT=${smtp.port}`,
|
|
199
|
+
SMTP_USER: `SMTP_USER=${smtp.user}`,
|
|
200
|
+
SMTP_PASS: `SMTP_PASS=${smtp.pass}`,
|
|
201
|
+
SMTP_FROM_EMAIL: `SMTP_FROM_EMAIL=${smtp.fromEmail}`,
|
|
202
|
+
SMTP_FROM_NAME: `SMTP_FROM_NAME=${smtp.fromName}`,
|
|
203
|
+
};
|
|
204
|
+
|
|
205
|
+
const seed = existing || '# Generated by `npm run docker:setup` ā local self-hosted secrets. Do not commit.\n';
|
|
206
|
+
let nextEnv = upsertEnv(seed, replacements);
|
|
207
|
+
if (!nextEnv.endsWith('\n')) nextEnv += '\n';
|
|
208
|
+
await writeFile(ENV_PATH, nextEnv, 'utf8');
|
|
209
|
+
console.log('ā Wrote .env (Postgres, JWT secret + signed anon/service keys, MinIO, app secrets).\n');
|
|
210
|
+
|
|
211
|
+
// A brand-new .env means brand-new secrets. Postgres only runs its init scripts (which set role
|
|
212
|
+
// passwords) on an EMPTY volume, so a leftover volume from a previous install would keep the old
|
|
213
|
+
// credentials and GoTrue/PostgREST could not log in. Reset volumes when the config is fresh.
|
|
214
|
+
if (!existing) {
|
|
215
|
+
console.log('Fresh configuration ā clearing any previous local sandbox volume so the database matches the new credentials...');
|
|
216
|
+
try {
|
|
217
|
+
await run(compose.cmd, [...compose.args, 'down', '-v'], { cwd: PROJECT_ROOT });
|
|
218
|
+
} catch {
|
|
219
|
+
/* nothing to tear down */
|
|
220
|
+
}
|
|
221
|
+
}
|
|
222
|
+
|
|
223
|
+
console.log('Building and starting the stack (first run pulls images + builds the app ā a few minutes)...');
|
|
224
|
+
await run(compose.cmd, [...compose.args, 'up', '-d', '--build'], { cwd: PROJECT_ROOT });
|
|
225
|
+
|
|
226
|
+
console.log('\nš Stack is up!');
|
|
227
|
+
console.log(' 1. Open the app: http://localhost:3000');
|
|
228
|
+
console.log(' 2. Create account: http://localhost:3000/sign-up (first sign-up becomes ADMIN)');
|
|
229
|
+
console.log(
|
|
230
|
+
mailerAutoconfirm === 'true'
|
|
231
|
+
? ' No SMTP ā your account is auto-confirmed; just sign in.'
|
|
232
|
+
: ' Click the confirmation link emailed by your SMTP provider.',
|
|
233
|
+
);
|
|
234
|
+
console.log(' 3. Supabase API: http://localhost:8000 MinIO console: http://localhost:9001');
|
|
235
|
+
const composeStr = `${compose.cmd} ${compose.args.join(' ')}`.trim();
|
|
236
|
+
console.log(`\n Logs: ${composeStr} logs -f nextblock-cms | Stop: ${composeStr} down (add -v to wipe data)`);
|
|
237
|
+
}
|
|
238
|
+
|
|
239
|
+
main().catch((err) => {
|
|
240
|
+
console.error(err);
|
|
241
|
+
process.exit(1);
|
|
242
|
+
});
|