create-nextblock 0.9.0 → 0.9.6
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/bin/create-nextblock.js +40 -60
- package/docker-template/.env.docker.example +5 -4
- package/docker-template/Dockerfile +20 -3
- package/docker-template/docker-compose.yml +5 -1
- package/docker-template/scripts/docker-setup.mjs +19 -4
- package/package.json +1 -1
- package/templates/nextblock-template/Dockerfile +20 -3
- package/templates/nextblock-template/app/[slug]/page.tsx +5 -0
- package/templates/nextblock-template/app/actions.ts +58 -8
- package/templates/nextblock-template/app/api/cron/reset-sandbox/sandboxResetSql.ts +83 -0
- package/templates/nextblock-template/app/api/process-image/route.ts +13 -9
- package/templates/nextblock-template/app/article/[slug]/page.tsx +5 -0
- package/templates/nextblock-template/app/cms/components/ContentLanguageSwitcher.tsx +19 -13
- package/templates/nextblock-template/app/cms/settings/security/actions.ts +30 -0
- package/templates/nextblock-template/app/cms/settings/security/components/SecurityPanel.tsx +69 -0
- package/templates/nextblock-template/app/layout.tsx +49 -3
- package/templates/nextblock-template/app/lib/site-settings.ts +22 -7
- package/templates/nextblock-template/app/page.tsx +6 -0
- package/templates/nextblock-template/app/product/[slug]/page.tsx +5 -0
- package/templates/nextblock-template/app/providers.tsx +1 -1
- package/templates/nextblock-template/app/setup/SetupWizard.tsx +773 -0
- package/templates/nextblock-template/app/setup/layout.tsx +13 -0
- package/templates/nextblock-template/app/setup/page.tsx +103 -0
- package/templates/nextblock-template/components/AppShell.tsx +12 -0
- package/templates/nextblock-template/components/PublicEnvBootstrap.tsx +30 -0
- package/templates/nextblock-template/components/header-auth.tsx +24 -62
- package/templates/nextblock-template/docker-compose.yml +5 -1
- package/templates/nextblock-template/docs/11-SELF-HOSTED-DOCKER.md +173 -0
- package/templates/nextblock-template/docs/12-VERCEL-DEPLOYMENT.md +67 -0
- package/templates/nextblock-template/docs/README.md +2 -0
- package/templates/nextblock-template/lib/blocks/FeaturedProductBlock.tsx +1 -1
- package/templates/nextblock-template/lib/blocks/ProductGridBlock.tsx +1 -1
- package/templates/nextblock-template/lib/media/resolveMediaUrl.ts +9 -1
- package/templates/nextblock-template/lib/setup/actions.ts +370 -0
- package/templates/nextblock-template/lib/setup/env-status.ts +86 -0
- package/templates/nextblock-template/lib/setup/env-write.ts +111 -0
- package/templates/nextblock-template/lib/setup/provisioning.ts +59 -0
- package/templates/nextblock-template/lib/setup/schema-apply.ts +392 -0
- package/templates/nextblock-template/lib/setup/system-config.ts +105 -0
- package/templates/nextblock-template/lib/setup/types.ts +18 -0
- package/templates/nextblock-template/next.config.js +13 -0
- package/templates/nextblock-template/package.json +1 -1
- package/templates/nextblock-template/proxy.ts +143 -49
- package/templates/nextblock-template/scripts/docker-setup.mjs +19 -4
- package/templates/nextblock-template/tsconfig.tsbuildinfo +1 -1
|
@@ -0,0 +1,13 @@
|
|
|
1
|
+
// Minimal layout for the first-boot wizard. Deliberately does NO Supabase work so it
|
|
2
|
+
// renders even on a completely unconfigured instance. (It is still nested inside the
|
|
3
|
+
// root layout, which short-circuits its own data loading when unconfigured.)
|
|
4
|
+
import type { ReactNode } from 'react';
|
|
5
|
+
|
|
6
|
+
export const metadata = {
|
|
7
|
+
title: 'Set up NextBlock',
|
|
8
|
+
robots: { index: false, follow: false },
|
|
9
|
+
};
|
|
10
|
+
|
|
11
|
+
export default function SetupLayout({ children }: { children: ReactNode }) {
|
|
12
|
+
return <div className="mx-auto w-full max-w-3xl px-4 py-10 sm:py-16">{children}</div>;
|
|
13
|
+
}
|
|
@@ -0,0 +1,103 @@
|
|
|
1
|
+
import { redirect } from 'next/navigation';
|
|
2
|
+
import { createClient } from '@nextblock-cms/db/server';
|
|
3
|
+
import {
|
|
4
|
+
detectChannel,
|
|
5
|
+
isLocalWritableEnv,
|
|
6
|
+
isSupabaseConfigured,
|
|
7
|
+
type DeployChannel,
|
|
8
|
+
} from '../../lib/setup/env-status';
|
|
9
|
+
import { getProvisioningStatus } from '../../lib/setup/provisioning';
|
|
10
|
+
import SetupWizard, { type StoragePrefill } from './SetupWizard';
|
|
11
|
+
|
|
12
|
+
// Always evaluate live: the wizard's whole job is to react to the current env state.
|
|
13
|
+
export const dynamic = 'force-dynamic';
|
|
14
|
+
|
|
15
|
+
function buildStoragePrefill(channel: DeployChannel, supabaseUrl: string): StoragePrefill {
|
|
16
|
+
if (channel === 'docker') {
|
|
17
|
+
// The Docker stack ships MinIO as the S3 backend; docker-setup wrote these already.
|
|
18
|
+
return {
|
|
19
|
+
kind: 'minio',
|
|
20
|
+
readOnly: true,
|
|
21
|
+
accountId: process.env.R2_ACCOUNT_ID ?? 'minio',
|
|
22
|
+
bucket: process.env.STORAGE_BUCKET ?? process.env.R2_BUCKET_NAME ?? 'media',
|
|
23
|
+
endpoint: process.env.R2_S3_ENDPOINT ?? 'http://minio:9000',
|
|
24
|
+
publicUrl: process.env.NEXT_PUBLIC_R2_PUBLIC_URL ?? 'http://localhost:9000',
|
|
25
|
+
baseUrl: process.env.NEXT_PUBLIC_R2_BASE_URL ?? '',
|
|
26
|
+
accessKeyId: '',
|
|
27
|
+
secretAccessKey: '',
|
|
28
|
+
};
|
|
29
|
+
}
|
|
30
|
+
|
|
31
|
+
if (channel === 'vercel') {
|
|
32
|
+
// One-click Vercel deploys connect to Supabase Storage's S3-compatible endpoint.
|
|
33
|
+
const base = supabaseUrl.replace(/\/$/, '');
|
|
34
|
+
return {
|
|
35
|
+
kind: 'supabase',
|
|
36
|
+
readOnly: false,
|
|
37
|
+
accountId: 'supabase',
|
|
38
|
+
bucket: 'media',
|
|
39
|
+
endpoint: base ? `${base}/storage/v1/s3` : '',
|
|
40
|
+
publicUrl: base ? `${base}/storage/v1/object/public` : '',
|
|
41
|
+
baseUrl: '',
|
|
42
|
+
accessKeyId: process.env.R2_ACCESS_KEY_ID ?? '',
|
|
43
|
+
secretAccessKey: '',
|
|
44
|
+
};
|
|
45
|
+
}
|
|
46
|
+
|
|
47
|
+
// Local: the user brings their own Cloudflare R2 (higher free-tier storage).
|
|
48
|
+
return {
|
|
49
|
+
kind: 'r2',
|
|
50
|
+
readOnly: false,
|
|
51
|
+
accountId: process.env.R2_ACCOUNT_ID ?? '',
|
|
52
|
+
bucket: process.env.R2_BUCKET_NAME ?? '',
|
|
53
|
+
endpoint: '',
|
|
54
|
+
publicUrl: process.env.NEXT_PUBLIC_R2_PUBLIC_URL ?? '',
|
|
55
|
+
baseUrl: process.env.NEXT_PUBLIC_R2_BASE_URL ?? '',
|
|
56
|
+
accessKeyId: process.env.R2_ACCESS_KEY_ID ?? '',
|
|
57
|
+
secretAccessKey: '',
|
|
58
|
+
};
|
|
59
|
+
}
|
|
60
|
+
|
|
61
|
+
export default async function SetupPage() {
|
|
62
|
+
const status = await getProvisioningStatus();
|
|
63
|
+
|
|
64
|
+
// Already finished — there's a first admin. Get out of the wizard.
|
|
65
|
+
if (status.hasAdmin) {
|
|
66
|
+
redirect('/cms/dashboard');
|
|
67
|
+
}
|
|
68
|
+
|
|
69
|
+
// A signed-in user never needs the wizard. This also closes the brief window right
|
|
70
|
+
// after completion where is_admin_created may still be read-stale: the just-created
|
|
71
|
+
// admin has a session, so send them straight to the CMS. (Only checked when
|
|
72
|
+
// configured — an unconfigured instance has no real auth.)
|
|
73
|
+
if (status.configured) {
|
|
74
|
+
const supabase = createClient();
|
|
75
|
+
const {
|
|
76
|
+
data: { user },
|
|
77
|
+
} = await supabase.auth.getUser();
|
|
78
|
+
if (user) {
|
|
79
|
+
redirect('/cms/dashboard');
|
|
80
|
+
}
|
|
81
|
+
}
|
|
82
|
+
|
|
83
|
+
const channel = detectChannel();
|
|
84
|
+
const supabaseUrl = process.env.NEXT_PUBLIC_SUPABASE_URL ?? '';
|
|
85
|
+
|
|
86
|
+
return (
|
|
87
|
+
<SetupWizard
|
|
88
|
+
channel={channel}
|
|
89
|
+
configured={isSupabaseConfigured()}
|
|
90
|
+
writable={isLocalWritableEnv()}
|
|
91
|
+
siteUrl={process.env.NEXT_PUBLIC_URL ?? ''}
|
|
92
|
+
storagePrefill={buildStoragePrefill(channel, supabaseUrl)}
|
|
93
|
+
smtpPrefill={{
|
|
94
|
+
host: process.env.SMTP_HOST ?? '',
|
|
95
|
+
port: process.env.SMTP_PORT ?? '465',
|
|
96
|
+
user: process.env.SMTP_USER ?? '',
|
|
97
|
+
fromEmail: process.env.SMTP_FROM_EMAIL ?? '',
|
|
98
|
+
fromName: process.env.SMTP_FROM_NAME ?? '',
|
|
99
|
+
}}
|
|
100
|
+
turnstilePrefill={{ siteKey: process.env.NEXT_PUBLIC_TURNSTILE_SITE_KEY ?? '' }}
|
|
101
|
+
/>
|
|
102
|
+
);
|
|
103
|
+
}
|
|
@@ -66,8 +66,20 @@ export function AppShell({
|
|
|
66
66
|
}: AppShellProps) {
|
|
67
67
|
const pathname = usePathname() || '';
|
|
68
68
|
const isCmsRequest = pathname.startsWith('/cms');
|
|
69
|
+
const isSetupRequest = pathname === '/setup' || pathname.startsWith('/setup/');
|
|
69
70
|
const branding = useMemo(() => ({ logo, siteTitle }), [logo, siteTitle]);
|
|
70
71
|
|
|
72
|
+
// The first-boot setup wizard renders on its own clean, chrome-free page: no header
|
|
73
|
+
// or footer, and crucially no EnvVarWarning — the whole point of /setup is to supply
|
|
74
|
+
// the very env vars that warning complains about.
|
|
75
|
+
if (isSetupRequest) {
|
|
76
|
+
return (
|
|
77
|
+
<AppBrandingContext.Provider value={branding}>
|
|
78
|
+
<main className="min-h-screen bg-background">{children}</main>
|
|
79
|
+
</AppBrandingContext.Provider>
|
|
80
|
+
);
|
|
81
|
+
}
|
|
82
|
+
|
|
71
83
|
return (
|
|
72
84
|
<AppBrandingContext.Provider value={branding}>
|
|
73
85
|
{process.env.NEXT_PUBLIC_IS_SANDBOX === 'true' && !isCmsRequest && <SandboxBanner />}
|
|
@@ -0,0 +1,30 @@
|
|
|
1
|
+
'use client';
|
|
2
|
+
|
|
3
|
+
// Makes the PUBLIC Supabase values available to the browser at runtime via a global,
|
|
4
|
+
// set SYNCHRONOUSLY during render (before any descendant calls the browser createClient).
|
|
5
|
+
//
|
|
6
|
+
// Why: NEXT_PUBLIC_* are inlined into the client bundle at build time. On a fresh local
|
|
7
|
+
// dev setup the dev server starts with no env, so the loaded bundle holds empties; the
|
|
8
|
+
// /setup wizard then writes the env at runtime. Browser-side readers (the Supabase client,
|
|
9
|
+
// env checks, and resolveMediaUrl's R2 base) read `process.env.NEXT_PUBLIC_* ||
|
|
10
|
+
// window.__NEXTBLOCK_PUBLIC_ENV__`, so this fills the gap without a dev-server restart. In
|
|
11
|
+
// production the inlined values win and these props just match them (a harmless no-op). All
|
|
12
|
+
// of these (Supabase url + anon key, R2 public base) are public values (safe to ship).
|
|
13
|
+
//
|
|
14
|
+
// This runs at render time (not in an effect, and not via a nonce'd <script> that could
|
|
15
|
+
// be deferred/blocked in dev), so the global is set before sibling/descendant components
|
|
16
|
+
// render. It's mounted in the root layout, so the value persists across client navigations.
|
|
17
|
+
type PublicEnv = { url: string; anonKey: string; r2Base?: string };
|
|
18
|
+
|
|
19
|
+
declare global {
|
|
20
|
+
interface Window {
|
|
21
|
+
__NEXTBLOCK_PUBLIC_ENV__?: PublicEnv;
|
|
22
|
+
}
|
|
23
|
+
}
|
|
24
|
+
|
|
25
|
+
export function PublicEnvBootstrap({ url, anonKey, r2Base }: PublicEnv) {
|
|
26
|
+
if (typeof window !== 'undefined' && url && anonKey) {
|
|
27
|
+
window.__NEXTBLOCK_PUBLIC_ENV__ = { url, anonKey, r2Base };
|
|
28
|
+
}
|
|
29
|
+
return null;
|
|
30
|
+
}
|
|
@@ -1,70 +1,32 @@
|
|
|
1
1
|
'use client';
|
|
2
2
|
|
|
3
|
-
import
|
|
4
|
-
import
|
|
5
|
-
import {
|
|
6
|
-
import {
|
|
7
|
-
import {
|
|
8
|
-
import {
|
|
9
|
-
|
|
10
|
-
import {
|
|
11
|
-
|
|
12
|
-
|
|
13
|
-
|
|
14
|
-
|
|
15
|
-
|
|
16
|
-
|
|
17
|
-
|
|
18
|
-
DropdownMenuTrigger,
|
|
19
|
-
} from "@nextblock-cms/ui";
|
|
3
|
+
import Link from "next/link";
|
|
4
|
+
import { Avatar, AvatarFallback, AvatarImage } from "@nextblock-cms/ui";
|
|
5
|
+
import { Button } from "@nextblock-cms/ui";
|
|
6
|
+
import { signOutAction } from "../app/actions";
|
|
7
|
+
import { useAuth } from "../context/AuthContext";
|
|
8
|
+
import { useTranslations } from "@nextblock-cms/utils";
|
|
9
|
+
|
|
10
|
+
import {
|
|
11
|
+
DropdownMenu,
|
|
12
|
+
DropdownMenuContent,
|
|
13
|
+
DropdownMenuItem,
|
|
14
|
+
DropdownMenuLabel,
|
|
15
|
+
DropdownMenuSeparator,
|
|
16
|
+
DropdownMenuTrigger,
|
|
17
|
+
} from "@nextblock-cms/ui";
|
|
20
18
|
import { User, LogOut, LayoutDashboard } from "lucide-react";
|
|
21
19
|
|
|
22
|
-
export default function AuthButton() {
|
|
23
|
-
const { user, profile, isAdmin, isWriter } = useAuth();
|
|
24
|
-
const { t } = useTranslations();
|
|
25
|
-
const displayName = profile?.full_name || profile?.github_username || user?.email || null;
|
|
26
|
-
const showAdminLink = isAdmin || isWriter;
|
|
27
|
-
|
|
28
|
-
const handleSignOut = async () => {
|
|
29
|
-
await signOutAction();
|
|
30
|
-
};
|
|
20
|
+
export default function AuthButton() {
|
|
21
|
+
const { user, profile, isAdmin, isWriter } = useAuth();
|
|
22
|
+
const { t } = useTranslations();
|
|
23
|
+
const displayName = profile?.full_name || profile?.github_username || user?.email || null;
|
|
24
|
+
const showAdminLink = isAdmin || isWriter;
|
|
25
|
+
|
|
26
|
+
const handleSignOut = async () => {
|
|
27
|
+
await signOutAction();
|
|
28
|
+
};
|
|
31
29
|
|
|
32
|
-
if (!hasPublicEnvVars) {
|
|
33
|
-
return (
|
|
34
|
-
<>
|
|
35
|
-
<div className="flex gap-4 items-center">
|
|
36
|
-
<div>
|
|
37
|
-
<Badge
|
|
38
|
-
variant={"default"}
|
|
39
|
-
className="font-normal pointer-events-none"
|
|
40
|
-
>
|
|
41
|
-
{t('update_env_file_warning')}
|
|
42
|
-
</Badge>
|
|
43
|
-
</div>
|
|
44
|
-
<div className="flex gap-2">
|
|
45
|
-
<Button
|
|
46
|
-
asChild
|
|
47
|
-
size="sm"
|
|
48
|
-
variant={"outline"}
|
|
49
|
-
disabled
|
|
50
|
-
className="opacity-75 cursor-none pointer-events-none"
|
|
51
|
-
>
|
|
52
|
-
<Link href="/sign-in">{t('sign_in')}</Link>
|
|
53
|
-
</Button>
|
|
54
|
-
<Button
|
|
55
|
-
asChild
|
|
56
|
-
size="sm"
|
|
57
|
-
variant={"default"}
|
|
58
|
-
disabled
|
|
59
|
-
className="opacity-75 cursor-none pointer-events-none"
|
|
60
|
-
>
|
|
61
|
-
<Link href="/sign-up">{t('sign_up')}</Link>
|
|
62
|
-
</Button>
|
|
63
|
-
</div>
|
|
64
|
-
</div>
|
|
65
|
-
</>
|
|
66
|
-
);
|
|
67
|
-
}
|
|
68
30
|
return user ? (
|
|
69
31
|
<div className="flex items-center gap-4">
|
|
70
32
|
<DropdownMenu>
|
|
@@ -98,6 +98,9 @@ services:
|
|
|
98
98
|
KONG_PLUGINS: request-transformer,cors,key-auth,acl
|
|
99
99
|
KONG_NGINX_PROXY_PROXY_BUFFER_SIZE: 160k
|
|
100
100
|
KONG_NGINX_PROXY_PROXY_BUFFERS: 64 160k
|
|
101
|
+
# localhost cookies aren't port-scoped, so the app's Supabase auth cookies are also sent to
|
|
102
|
+
# Kong on every supabase-js request — give nginx room so they don't 431.
|
|
103
|
+
KONG_NGINX_HTTP_LARGE_CLIENT_HEADER_BUFFERS: 8 32k
|
|
101
104
|
SUPABASE_ANON_KEY: ${ANON_KEY}
|
|
102
105
|
SUPABASE_SERVICE_KEY: ${SERVICE_ROLE_KEY}
|
|
103
106
|
volumes:
|
|
@@ -179,8 +182,9 @@ services:
|
|
|
179
182
|
NODE_ENV: production
|
|
180
183
|
PORT: 3000
|
|
181
184
|
HOSTNAME: 0.0.0.0
|
|
185
|
+
# Browser AND server both use localhost:8000; the in-container loopback proxy (see Dockerfile)
|
|
186
|
+
# forwards it to Kong, keeping the host-derived Supabase auth cookie key consistent for SSR.
|
|
182
187
|
NEXT_PUBLIC_SUPABASE_URL: ${NEXT_PUBLIC_SUPABASE_URL:-http://localhost:8000}
|
|
183
|
-
SUPABASE_INTERNAL_URL: ${SUPABASE_INTERNAL_URL:-http://kong:8000}
|
|
184
188
|
NEXT_PUBLIC_SUPABASE_ANON_KEY: ${ANON_KEY}
|
|
185
189
|
SUPABASE_SERVICE_ROLE_KEY: ${SERVICE_ROLE_KEY}
|
|
186
190
|
NEXT_PUBLIC_URL: ${NEXT_PUBLIC_URL:-http://localhost:3000}
|
|
@@ -0,0 +1,173 @@
|
|
|
1
|
+
# 11 Self-Hosted Docker Mode
|
|
2
|
+
|
|
3
|
+
## Purpose
|
|
4
|
+
|
|
5
|
+
NextBlock can run as a complete, fully local stack with one command — **no Supabase
|
|
6
|
+
Cloud, Vercel, Cloudflare R2, or SMTP account required**. It mirrors the production
|
|
7
|
+
topology (Next.js 16 app + Supabase API behind a gateway + S3 object storage) on your
|
|
8
|
+
own machine, so the **same application code runs locally and in the cloud with no
|
|
9
|
+
variations** — only environment values differ.
|
|
10
|
+
|
|
11
|
+
This is the "one-click local sandbox": pick Docker, and the installer drop-ships a
|
|
12
|
+
hardened multi-stage app image alongside the core Supabase engines, an automated
|
|
13
|
+
migration runner, and S3-compatible storage.
|
|
14
|
+
|
|
15
|
+
## Choosing it
|
|
16
|
+
|
|
17
|
+
Both initializers offer the choice up front:
|
|
18
|
+
|
|
19
|
+
- **Monorepo / `git clone`:** `npm run setup` → select **"Local Self-Hosted Docker Mode"**
|
|
20
|
+
- **Standalone CLI:** `npm create nextblock` → the same selector
|
|
21
|
+
- **Direct:** `npm run docker:setup`
|
|
22
|
+
|
|
23
|
+
In every case the work is driven by a single root hook: **`npm run docker:setup`**.
|
|
24
|
+
|
|
25
|
+
## Prerequisites
|
|
26
|
+
|
|
27
|
+
- **Docker Desktop** installed and running (<https://www.docker.com/products/docker-desktop>).
|
|
28
|
+
- That's it. No cloud accounts, keys, or manual migrations.
|
|
29
|
+
|
|
30
|
+
## Quick start
|
|
31
|
+
|
|
32
|
+
```bash
|
|
33
|
+
# Monorepo
|
|
34
|
+
git clone https://github.com/nextblock-cms/nextblock.git
|
|
35
|
+
cd nextblock
|
|
36
|
+
npm install
|
|
37
|
+
npm run docker:setup # or: npm run setup → pick Docker
|
|
38
|
+
|
|
39
|
+
# Standalone project
|
|
40
|
+
npm create nextblock # → pick "Local Self-Hosted Docker Mode"
|
|
41
|
+
```
|
|
42
|
+
|
|
43
|
+
`docker:setup` then:
|
|
44
|
+
|
|
45
|
+
1. Verifies Docker is installed and running.
|
|
46
|
+
2. Asks **two optional questions** (Cloudflare Turnstile, SMTP) — both skippable with Enter.
|
|
47
|
+
3. Generates a root `.env` with secure random secrets and **properly-signed Supabase
|
|
48
|
+
anon/service keys** (real HS256 JWTs derived from a generated `JWT_SECRET`).
|
|
49
|
+
4. Builds the app image and boots the whole stack.
|
|
50
|
+
|
|
51
|
+
When it finishes:
|
|
52
|
+
|
|
53
|
+
| What | Where |
|
|
54
|
+
| :--- | :--- |
|
|
55
|
+
| App | <http://localhost:3000> |
|
|
56
|
+
| Sign up | <http://localhost:3000/sign-up> — the **first account becomes ADMIN** |
|
|
57
|
+
| Supabase API gateway | <http://localhost:8000> |
|
|
58
|
+
| MinIO console | <http://localhost:9001> |
|
|
59
|
+
|
|
60
|
+
With no SMTP configured, accounts are **auto-confirmed** and the first sign-up lands
|
|
61
|
+
straight in `/cms/dashboard` — no confirmation email step.
|
|
62
|
+
|
|
63
|
+
## The two optional prompts
|
|
64
|
+
|
|
65
|
+
| Prompt | If you skip it |
|
|
66
|
+
| :--- | :--- |
|
|
67
|
+
| **Cloudflare Turnstile** site + secret key | Uses Cloudflare's official "always pass" test keys — forms work, with no real bot protection. |
|
|
68
|
+
| **SMTP** host (+ port / user / pass / from) | GoTrue **auto-confirms** sign-ups; no email is sent, and the first admin can sign in immediately. |
|
|
69
|
+
|
|
70
|
+
Provide real SMTP if you want actual confirmation emails — auto-confirm is then disabled,
|
|
71
|
+
exactly like the cloud flow.
|
|
72
|
+
|
|
73
|
+
## What you get (the stack)
|
|
74
|
+
|
|
75
|
+
The root `docker-compose.yml` runs a trimmed, production-equivalent Supabase stack plus
|
|
76
|
+
the app. Every image tag is pinned and overridable via an env var (e.g. `SUPABASE_DB_IMAGE`).
|
|
77
|
+
|
|
78
|
+
| Service | Image (default) | Role |
|
|
79
|
+
| :--- | :--- | :--- |
|
|
80
|
+
| `db` | `supabase/postgres` | Postgres with the Supabase roles, schemas, and extensions. Named volume `nextblock_db_store`. |
|
|
81
|
+
| `auth` | `supabase/gotrue` | Auth: sessions, JWTs, the `auth.users` table. |
|
|
82
|
+
| `rest` | `postgrest/postgrest` | Instant REST API over the `public` / `graphql_public` schemas. |
|
|
83
|
+
| `kong` | `kong` | Edge gateway — maps `/auth/v1`, `/rest/v1`, `/graphql/v1` to port **8000**. |
|
|
84
|
+
| `minio` + `minio-init` | `minio/minio`, `minio/mc` | S3-compatible media storage + a public `nextblock` bucket. Named volume `nextblock_media`. |
|
|
85
|
+
| `migrate` | `postgres:alpine` | Applies `libs/db/src/supabase/migrations` in order, **once**, then exits. |
|
|
86
|
+
| `nextblock-cms` | built locally | The Next.js standalone app on **3000**. Boots **only after `migrate` succeeds**. |
|
|
87
|
+
|
|
88
|
+
Both named volumes persist your database and uploaded media across restarts.
|
|
89
|
+
|
|
90
|
+
### Commands
|
|
91
|
+
|
|
92
|
+
| Command | Does |
|
|
93
|
+
| :--- | :--- |
|
|
94
|
+
| `npm run docker:setup` | Generate `.env` → build → up. The one-click entry point. |
|
|
95
|
+
| `npm run docker:up` | Rebuild and (re)start the stack. |
|
|
96
|
+
| `npm run docker:down` | Stop the stack. Add `-v` to also delete the volumes (wipes local data). |
|
|
97
|
+
| `npm run docker:logs` | Follow the app logs (`docker compose logs -f nextblock-cms`). |
|
|
98
|
+
|
|
99
|
+
### Ports (override with env vars)
|
|
100
|
+
|
|
101
|
+
`APP_PORT` (3000), `KONG_HTTP_PORT` (8000), `MINIO_S3_PORT` (9000),
|
|
102
|
+
`MINIO_CONSOLE_PORT` (9001), `POSTGRES_PORT_EXTERNAL` (54322).
|
|
103
|
+
|
|
104
|
+
## How it works
|
|
105
|
+
|
|
106
|
+
The interesting part is making one codebase work unchanged in both modes. A few
|
|
107
|
+
mechanisms make that possible:
|
|
108
|
+
|
|
109
|
+
- **Standalone build.** The app Dockerfile is multi-stage (deps → builder → hardened
|
|
110
|
+
non-root runner) and builds with Next.js `output: 'standalone'`, gated on a
|
|
111
|
+
`DOCKER_BUILD` env var so normal/Vercel builds are untouched. The runner ships only the
|
|
112
|
+
traced server tree, `.next/static`, and `public`.
|
|
113
|
+
|
|
114
|
+
- **One URL + an in-container loopback proxy.** The browser reaches Supabase at
|
|
115
|
+
`http://localhost:8000`, and that value is inlined into the build. Server-side code runs
|
|
116
|
+
*inside* the container, where `localhost` has nothing — so the runner starts a tiny
|
|
117
|
+
`socat` proxy that forwards in-container `127.0.0.1:8000 → kong:8000` and
|
|
118
|
+
`127.0.0.1:9000 → minio:9000`. Browser and server therefore use the **same URL**, which
|
|
119
|
+
also keeps the Supabase auth-cookie key (derived from the URL host) identical on both
|
|
120
|
+
sides so SSR can read the session.
|
|
121
|
+
|
|
122
|
+
- **Storage on `127.0.0.1`.** Media URLs use `http://127.0.0.1:9000` (not `localhost`).
|
|
123
|
+
On `localhost`, cookies are not port-scoped, so the browser would otherwise send the
|
|
124
|
+
app's auth cookies to MinIO and trip its header-size limit. `127.0.0.1` is a different
|
|
125
|
+
cookie host, so MinIO always receives clean image requests.
|
|
126
|
+
|
|
127
|
+
- **Migration runner.** The `migrate` service waits for the database to be healthy and
|
|
128
|
+
for GoTrue to create `auth.users` (the schema FKs to it), then applies each migration in
|
|
129
|
+
order inside a transaction. It records applied versions, so restarts never re-run a
|
|
130
|
+
migration.
|
|
131
|
+
|
|
132
|
+
- **Generated keys.** `docker:setup` generates a `JWT_SECRET` and derives valid HS256
|
|
133
|
+
`anon` and `service_role` JWTs from it (using Node's built-in `crypto`), so GoTrue,
|
|
134
|
+
PostgREST, and Kong all validate against the same secret out of the box.
|
|
135
|
+
|
|
136
|
+
## Cloud vs Docker — same code, different env
|
|
137
|
+
|
|
138
|
+
There are **no application code paths** specific to Docker. The difference is purely
|
|
139
|
+
configuration:
|
|
140
|
+
|
|
141
|
+
| | Managed Cloud | Self-Hosted Docker |
|
|
142
|
+
| :--- | :--- | :--- |
|
|
143
|
+
| Database / Auth | Supabase Cloud | `supabase/postgres` + `supabase/gotrue` |
|
|
144
|
+
| Object storage | Cloudflare R2 | MinIO (S3-compatible) |
|
|
145
|
+
| Email | Required SMTP | Optional — GoTrue auto-confirms without it |
|
|
146
|
+
| Run command | `npx nx serve nextblock` / Vercel | `npm run docker:setup` |
|
|
147
|
+
| Config | `.env.local` (cloud keys) | `.env` (generated local secrets) |
|
|
148
|
+
|
|
149
|
+
> The R2 client already speaks S3, so MinIO is pointed at it via `R2_S3_ENDPOINT` /
|
|
150
|
+
> `R2_FORCE_PATH_STYLE`; uploads are signed for the browser via `R2_S3_PUBLIC_ENDPOINT`.
|
|
151
|
+
> A reference of every key the stack reads lives in `.env.docker.example`.
|
|
152
|
+
|
|
153
|
+
## Troubleshooting
|
|
154
|
+
|
|
155
|
+
- **"Docker is not installed or not running."** Start Docker Desktop and re-run
|
|
156
|
+
`npm run docker:setup`.
|
|
157
|
+
|
|
158
|
+
- **`port is already allocated`.** Another process (often a previous stack) holds 8000 /
|
|
159
|
+
9000 / 3000 / 54322. Stop it, or override the port env vars above.
|
|
160
|
+
|
|
161
|
+
- **GoTrue fails with `password authentication failed for user "supabase_auth_admin"`
|
|
162
|
+
(28P01) after a re-clone.** A leftover named volume from a previous install still holds
|
|
163
|
+
the old password, while your new `.env` has fresh secrets. Postgres only runs its
|
|
164
|
+
credential-setting init scripts on an *empty* volume. Fix:
|
|
165
|
+
`docker compose down -v && npm run docker:up`. (`docker:setup` does this automatically
|
|
166
|
+
when it generates a brand-new `.env`.)
|
|
167
|
+
|
|
168
|
+
- **Re-running `docker:setup`.** If a `.env` already exists it **reuses your secrets and
|
|
169
|
+
keeps your data** — safe to re-run to rebuild after pulling changes.
|
|
170
|
+
|
|
171
|
+
- **Wipe everything and start clean.** `docker compose down -v` removes the containers and
|
|
172
|
+
both named volumes (database + media).
|
|
173
|
+
</content>
|
|
@@ -0,0 +1,67 @@
|
|
|
1
|
+
# 12 · Cloud Deployment (Deploy to Vercel)
|
|
2
|
+
|
|
3
|
+
NextBlock ships a one-click **Deploy to Vercel** button (see the README) that brings
|
|
4
|
+
up a production instance already connected to a managed Supabase project. From there,
|
|
5
|
+
the in-app **First-Boot Setup Wizard** (`/setup`) finishes configuration in the
|
|
6
|
+
browser — there is no terminal step.
|
|
7
|
+
|
|
8
|
+
## How the button works
|
|
9
|
+
|
|
10
|
+
The badge links to `https://vercel.com/new/clone` with these query parameters:
|
|
11
|
+
|
|
12
|
+
| Parameter | Purpose |
|
|
13
|
+
| :--- | :--- |
|
|
14
|
+
| `repository-url` | The NextBlock repo to clone into the user's Git provider. |
|
|
15
|
+
| `integration-ids=oac_VqOgBHqhEoFTPzGkPd7L0iH6` | Vercel's **Supabase integration**. During import, Vercel provisions (or links) a Supabase project and injects its environment variables automatically. |
|
|
16
|
+
| `env=NEXT_PUBLIC_URL,CRON_SECRET,DRAFT_MODE_SECRET,REVALIDATE_SECRET_TOKEN` | The remaining variables Vercel prompts for. Only variable **names** are listed — never secret values. |
|
|
17
|
+
| `envDescription` / `envLink` | Help text + a link back to this doc. |
|
|
18
|
+
|
|
19
|
+
The Supabase integration injects the keys the app needs to boot:
|
|
20
|
+
`NEXT_PUBLIC_SUPABASE_URL`, `NEXT_PUBLIC_SUPABASE_ANON_KEY`,
|
|
21
|
+
`SUPABASE_SERVICE_ROLE_KEY`, and `POSTGRES_URL`. Because those are present on first
|
|
22
|
+
boot, the instance is **Profile A (pre-configured)**: the wizard skips the connection
|
|
23
|
+
step and goes straight to creating the first administrator.
|
|
24
|
+
|
|
25
|
+
## What the wizard does on Vercel
|
|
26
|
+
|
|
27
|
+
1. **Database** — already connected (integration-injected). The wizard verifies a
|
|
28
|
+
first admin doesn't exist yet, otherwise it redirects to `/cms/dashboard`.
|
|
29
|
+
2. **Schema** — apply the migrations to the managed Supabase project. The Supabase
|
|
30
|
+
integration creates the project but does **not** run NextBlock's migrations, so run
|
|
31
|
+
them once after the first deploy (locally against the project, or via the Supabase
|
|
32
|
+
dashboard SQL editor) — see [docs/04](./04-DATABASE-AND-AUTH.md) and
|
|
33
|
+
[docs/05](./05-DEVELOPER-GUIDE.md).
|
|
34
|
+
3. **Storage** — pre-filled for **Supabase Storage** (S3-compatible). The wizard's
|
|
35
|
+
storage step shows the endpoint derived from your Supabase URL
|
|
36
|
+
(`<project>/storage/v1/s3`). Create an S3 access key in the Supabase dashboard
|
|
37
|
+
(Storage → S3 connection) and set `R2_ACCESS_KEY_ID` / `R2_SECRET_ACCESS_KEY` in
|
|
38
|
+
your Vercel project environment. (Cloudflare R2 remains the default for non-Vercel
|
|
39
|
+
installs — it has a more generous free storage tier; only the one-click Vercel
|
|
40
|
+
path defaults to Supabase Storage.)
|
|
41
|
+
4. **Email / Bot protection / Sign-ups** — optional steps; bot-protection and the
|
|
42
|
+
sign-up policy persist to the database and work immediately. SMTP, if used, is set
|
|
43
|
+
as Vercel environment variables.
|
|
44
|
+
5. **Administrator** — create the first admin. The account is created already
|
|
45
|
+
confirmed (`email_confirm: true`), so no verification email is required.
|
|
46
|
+
|
|
47
|
+
> Filesystem is read-only on Vercel, so the wizard never writes `.env.local` there —
|
|
48
|
+
> all configuration is environment variables (platform-managed) plus the database.
|
|
49
|
+
|
|
50
|
+
## Cron jobs and the free tier
|
|
51
|
+
|
|
52
|
+
`vercel.json` declares two daily crons (`/api/cron/reset-sandbox` and
|
|
53
|
+
`/api/cron/sync-currencies`). Vercel's **Hobby (free) tier allows one cron per day**.
|
|
54
|
+
For a free-tier production deploy, either:
|
|
55
|
+
|
|
56
|
+
- Upgrade to a paid plan (both crons run as declared), **or**
|
|
57
|
+
- Keep only the cron you need (most production sites don't need `reset-sandbox`, which
|
|
58
|
+
exists for the public demo sandbox), **or**
|
|
59
|
+
- Consolidate both jobs into a single cron handler.
|
|
60
|
+
|
|
61
|
+
This is intentionally left as a deploy-time decision rather than changed in the repo,
|
|
62
|
+
since the sandbox/demo deploy relies on both crons.
|
|
63
|
+
|
|
64
|
+
## After deploy
|
|
65
|
+
|
|
66
|
+
Visit the deployment URL — it redirects to `/setup` until the first admin exists.
|
|
67
|
+
Complete the wizard, then sign in at `/cms/dashboard`.
|
|
@@ -16,6 +16,7 @@ library surfaces rather than historical planning notes.
|
|
|
16
16
|
- Cortex AI architecture: [08-NEXTBLOCK-CORTEX-AI-ARCHITECTURE.md](./08-NEXTBLOCK-CORTEX-AI-ARCHITECTURE.md)
|
|
17
17
|
- Live draft (visual editing) mode: [09-LIVE-DRAFT-MODE.md](./09-LIVE-DRAFT-MODE.md)
|
|
18
18
|
- Custom blocks (data-driven CRUD): [10-CUSTOM-BLOCKS.md](./10-CUSTOM-BLOCKS.md)
|
|
19
|
+
- Self-hosted local Docker stack: [11-SELF-HOSTED-DOCKER.md](./11-SELF-HOSTED-DOCKER.md)
|
|
19
20
|
|
|
20
21
|
## Audience Guide
|
|
21
22
|
|
|
@@ -25,6 +26,7 @@ library surfaces rather than historical planning notes.
|
|
|
25
26
|
- Custom block work: read `03`, then `10`.
|
|
26
27
|
- AI / Cortex work: read `08`.
|
|
27
28
|
- CLI or template work: read `06`.
|
|
29
|
+
- Running everything locally without cloud accounts: read `11`.
|
|
28
30
|
- AI agents: start with this index, then move directly to the subsystem file that
|
|
29
31
|
matches the task. Treat `apps/nextblock`, `libs/*`, and
|
|
30
32
|
`libs/db/src/supabase/migrations` as the final authority if a doc and code ever
|
|
@@ -25,7 +25,7 @@ export const FeaturedProductBlock = async ({ content }: { content: FeaturedProdu
|
|
|
25
25
|
} else if (process.env.NEXT_PUBLIC_R2_BASE_URL) {
|
|
26
26
|
imageUrl = `${process.env.NEXT_PUBLIC_R2_BASE_URL}/${mediaItem.file_path}`;
|
|
27
27
|
} else {
|
|
28
|
-
imageUrl = `${process.env.NEXT_PUBLIC_SUPABASE_URL}/storage/v1/object/public/media/${mediaItem.file_path}`;
|
|
28
|
+
imageUrl = `${process.env.NEXT_PUBLIC_SUPABASE_URL ?? ''}/storage/v1/object/public/media/${mediaItem.file_path}`;
|
|
29
29
|
}
|
|
30
30
|
}
|
|
31
31
|
|
|
@@ -62,7 +62,7 @@ export const ProductGridBlock = async ({
|
|
|
62
62
|
} else if (process.env.NEXT_PUBLIC_R2_BASE_URL) {
|
|
63
63
|
imageUrl = `${process.env.NEXT_PUBLIC_R2_BASE_URL}/${mediaItem.file_path}`;
|
|
64
64
|
} else {
|
|
65
|
-
imageUrl = `${process.env.NEXT_PUBLIC_SUPABASE_URL}/storage/v1/object/public/media/${mediaItem.file_path}`;
|
|
65
|
+
imageUrl = `${process.env.NEXT_PUBLIC_SUPABASE_URL ?? ''}/storage/v1/object/public/media/${mediaItem.file_path}`;
|
|
66
66
|
}
|
|
67
67
|
}
|
|
68
68
|
|
|
@@ -20,7 +20,15 @@ const BUNDLED_PUBLIC_MEDIA_KEYS = new Set([
|
|
|
20
20
|
|
|
21
21
|
export function resolveMediaUrl(
|
|
22
22
|
objectKey?: string | null,
|
|
23
|
-
|
|
23
|
+
// On the client, NEXT_PUBLIC_R2_BASE_URL is inlined at build time, so a fresh-clone
|
|
24
|
+
// dev bundle built with no env holds an empty string; fall back to the runtime value
|
|
25
|
+
// injected by <PublicEnvBootstrap> (window.__NEXTBLOCK_PUBLIC_ENV__.r2Base). On the
|
|
26
|
+
// server, process.env is always current and the window branch is skipped.
|
|
27
|
+
baseUrl = process.env.NEXT_PUBLIC_R2_BASE_URL ||
|
|
28
|
+
(typeof window !== 'undefined'
|
|
29
|
+
? (window as { __NEXTBLOCK_PUBLIC_ENV__?: { r2Base?: string } })
|
|
30
|
+
.__NEXTBLOCK_PUBLIC_ENV__?.r2Base || ''
|
|
31
|
+
: '')
|
|
24
32
|
) {
|
|
25
33
|
if (!objectKey) return null;
|
|
26
34
|
|