create-nextblock 0.9.0 → 0.9.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (45) hide show
  1. package/bin/create-nextblock.js +40 -60
  2. package/docker-template/.env.docker.example +5 -4
  3. package/docker-template/Dockerfile +20 -3
  4. package/docker-template/docker-compose.yml +5 -1
  5. package/docker-template/scripts/docker-setup.mjs +19 -4
  6. package/package.json +1 -1
  7. package/templates/nextblock-template/Dockerfile +20 -3
  8. package/templates/nextblock-template/app/[slug]/page.tsx +5 -0
  9. package/templates/nextblock-template/app/actions.ts +58 -8
  10. package/templates/nextblock-template/app/api/cron/reset-sandbox/sandboxResetSql.ts +83 -0
  11. package/templates/nextblock-template/app/api/process-image/route.ts +13 -9
  12. package/templates/nextblock-template/app/article/[slug]/page.tsx +5 -0
  13. package/templates/nextblock-template/app/cms/components/ContentLanguageSwitcher.tsx +19 -13
  14. package/templates/nextblock-template/app/cms/settings/security/actions.ts +30 -0
  15. package/templates/nextblock-template/app/cms/settings/security/components/SecurityPanel.tsx +69 -0
  16. package/templates/nextblock-template/app/layout.tsx +49 -3
  17. package/templates/nextblock-template/app/lib/site-settings.ts +22 -7
  18. package/templates/nextblock-template/app/page.tsx +6 -0
  19. package/templates/nextblock-template/app/product/[slug]/page.tsx +5 -0
  20. package/templates/nextblock-template/app/providers.tsx +1 -1
  21. package/templates/nextblock-template/app/setup/SetupWizard.tsx +773 -0
  22. package/templates/nextblock-template/app/setup/layout.tsx +13 -0
  23. package/templates/nextblock-template/app/setup/page.tsx +103 -0
  24. package/templates/nextblock-template/components/AppShell.tsx +12 -0
  25. package/templates/nextblock-template/components/PublicEnvBootstrap.tsx +30 -0
  26. package/templates/nextblock-template/components/header-auth.tsx +24 -62
  27. package/templates/nextblock-template/docker-compose.yml +5 -1
  28. package/templates/nextblock-template/docs/11-SELF-HOSTED-DOCKER.md +173 -0
  29. package/templates/nextblock-template/docs/12-VERCEL-DEPLOYMENT.md +67 -0
  30. package/templates/nextblock-template/docs/README.md +2 -0
  31. package/templates/nextblock-template/lib/blocks/FeaturedProductBlock.tsx +1 -1
  32. package/templates/nextblock-template/lib/blocks/ProductGridBlock.tsx +1 -1
  33. package/templates/nextblock-template/lib/media/resolveMediaUrl.ts +9 -1
  34. package/templates/nextblock-template/lib/setup/actions.ts +370 -0
  35. package/templates/nextblock-template/lib/setup/env-status.ts +86 -0
  36. package/templates/nextblock-template/lib/setup/env-write.ts +111 -0
  37. package/templates/nextblock-template/lib/setup/provisioning.ts +59 -0
  38. package/templates/nextblock-template/lib/setup/schema-apply.ts +392 -0
  39. package/templates/nextblock-template/lib/setup/system-config.ts +105 -0
  40. package/templates/nextblock-template/lib/setup/types.ts +18 -0
  41. package/templates/nextblock-template/next.config.js +13 -0
  42. package/templates/nextblock-template/package.json +1 -1
  43. package/templates/nextblock-template/proxy.ts +143 -49
  44. package/templates/nextblock-template/scripts/docker-setup.mjs +19 -4
  45. package/templates/nextblock-template/tsconfig.tsbuildinfo +1 -1
@@ -0,0 +1,13 @@
1
+ // Minimal layout for the first-boot wizard. Deliberately does NO Supabase work so it
2
+ // renders even on a completely unconfigured instance. (It is still nested inside the
3
+ // root layout, which short-circuits its own data loading when unconfigured.)
4
+ import type { ReactNode } from 'react';
5
+
6
+ export const metadata = {
7
+ title: 'Set up NextBlock',
8
+ robots: { index: false, follow: false },
9
+ };
10
+
11
+ export default function SetupLayout({ children }: { children: ReactNode }) {
12
+ return <div className="mx-auto w-full max-w-3xl px-4 py-10 sm:py-16">{children}</div>;
13
+ }
@@ -0,0 +1,103 @@
1
+ import { redirect } from 'next/navigation';
2
+ import { createClient } from '@nextblock-cms/db/server';
3
+ import {
4
+ detectChannel,
5
+ isLocalWritableEnv,
6
+ isSupabaseConfigured,
7
+ type DeployChannel,
8
+ } from '../../lib/setup/env-status';
9
+ import { getProvisioningStatus } from '../../lib/setup/provisioning';
10
+ import SetupWizard, { type StoragePrefill } from './SetupWizard';
11
+
12
+ // Always evaluate live: the wizard's whole job is to react to the current env state.
13
+ export const dynamic = 'force-dynamic';
14
+
15
+ function buildStoragePrefill(channel: DeployChannel, supabaseUrl: string): StoragePrefill {
16
+ if (channel === 'docker') {
17
+ // The Docker stack ships MinIO as the S3 backend; docker-setup wrote these already.
18
+ return {
19
+ kind: 'minio',
20
+ readOnly: true,
21
+ accountId: process.env.R2_ACCOUNT_ID ?? 'minio',
22
+ bucket: process.env.STORAGE_BUCKET ?? process.env.R2_BUCKET_NAME ?? 'media',
23
+ endpoint: process.env.R2_S3_ENDPOINT ?? 'http://minio:9000',
24
+ publicUrl: process.env.NEXT_PUBLIC_R2_PUBLIC_URL ?? 'http://localhost:9000',
25
+ baseUrl: process.env.NEXT_PUBLIC_R2_BASE_URL ?? '',
26
+ accessKeyId: '',
27
+ secretAccessKey: '',
28
+ };
29
+ }
30
+
31
+ if (channel === 'vercel') {
32
+ // One-click Vercel deploys connect to Supabase Storage's S3-compatible endpoint.
33
+ const base = supabaseUrl.replace(/\/$/, '');
34
+ return {
35
+ kind: 'supabase',
36
+ readOnly: false,
37
+ accountId: 'supabase',
38
+ bucket: 'media',
39
+ endpoint: base ? `${base}/storage/v1/s3` : '',
40
+ publicUrl: base ? `${base}/storage/v1/object/public` : '',
41
+ baseUrl: '',
42
+ accessKeyId: process.env.R2_ACCESS_KEY_ID ?? '',
43
+ secretAccessKey: '',
44
+ };
45
+ }
46
+
47
+ // Local: the user brings their own Cloudflare R2 (higher free-tier storage).
48
+ return {
49
+ kind: 'r2',
50
+ readOnly: false,
51
+ accountId: process.env.R2_ACCOUNT_ID ?? '',
52
+ bucket: process.env.R2_BUCKET_NAME ?? '',
53
+ endpoint: '',
54
+ publicUrl: process.env.NEXT_PUBLIC_R2_PUBLIC_URL ?? '',
55
+ baseUrl: process.env.NEXT_PUBLIC_R2_BASE_URL ?? '',
56
+ accessKeyId: process.env.R2_ACCESS_KEY_ID ?? '',
57
+ secretAccessKey: '',
58
+ };
59
+ }
60
+
61
+ export default async function SetupPage() {
62
+ const status = await getProvisioningStatus();
63
+
64
+ // Already finished — there's a first admin. Get out of the wizard.
65
+ if (status.hasAdmin) {
66
+ redirect('/cms/dashboard');
67
+ }
68
+
69
+ // A signed-in user never needs the wizard. This also closes the brief window right
70
+ // after completion where is_admin_created may still be read-stale: the just-created
71
+ // admin has a session, so send them straight to the CMS. (Only checked when
72
+ // configured — an unconfigured instance has no real auth.)
73
+ if (status.configured) {
74
+ const supabase = createClient();
75
+ const {
76
+ data: { user },
77
+ } = await supabase.auth.getUser();
78
+ if (user) {
79
+ redirect('/cms/dashboard');
80
+ }
81
+ }
82
+
83
+ const channel = detectChannel();
84
+ const supabaseUrl = process.env.NEXT_PUBLIC_SUPABASE_URL ?? '';
85
+
86
+ return (
87
+ <SetupWizard
88
+ channel={channel}
89
+ configured={isSupabaseConfigured()}
90
+ writable={isLocalWritableEnv()}
91
+ siteUrl={process.env.NEXT_PUBLIC_URL ?? ''}
92
+ storagePrefill={buildStoragePrefill(channel, supabaseUrl)}
93
+ smtpPrefill={{
94
+ host: process.env.SMTP_HOST ?? '',
95
+ port: process.env.SMTP_PORT ?? '465',
96
+ user: process.env.SMTP_USER ?? '',
97
+ fromEmail: process.env.SMTP_FROM_EMAIL ?? '',
98
+ fromName: process.env.SMTP_FROM_NAME ?? '',
99
+ }}
100
+ turnstilePrefill={{ siteKey: process.env.NEXT_PUBLIC_TURNSTILE_SITE_KEY ?? '' }}
101
+ />
102
+ );
103
+ }
@@ -66,8 +66,20 @@ export function AppShell({
66
66
  }: AppShellProps) {
67
67
  const pathname = usePathname() || '';
68
68
  const isCmsRequest = pathname.startsWith('/cms');
69
+ const isSetupRequest = pathname === '/setup' || pathname.startsWith('/setup/');
69
70
  const branding = useMemo(() => ({ logo, siteTitle }), [logo, siteTitle]);
70
71
 
72
+ // The first-boot setup wizard renders on its own clean, chrome-free page: no header
73
+ // or footer, and crucially no EnvVarWarning — the whole point of /setup is to supply
74
+ // the very env vars that warning complains about.
75
+ if (isSetupRequest) {
76
+ return (
77
+ <AppBrandingContext.Provider value={branding}>
78
+ <main className="min-h-screen bg-background">{children}</main>
79
+ </AppBrandingContext.Provider>
80
+ );
81
+ }
82
+
71
83
  return (
72
84
  <AppBrandingContext.Provider value={branding}>
73
85
  {process.env.NEXT_PUBLIC_IS_SANDBOX === 'true' && !isCmsRequest && <SandboxBanner />}
@@ -0,0 +1,30 @@
1
+ 'use client';
2
+
3
+ // Makes the PUBLIC Supabase values available to the browser at runtime via a global,
4
+ // set SYNCHRONOUSLY during render (before any descendant calls the browser createClient).
5
+ //
6
+ // Why: NEXT_PUBLIC_* are inlined into the client bundle at build time. On a fresh local
7
+ // dev setup the dev server starts with no env, so the loaded bundle holds empties; the
8
+ // /setup wizard then writes the env at runtime. Browser-side readers (the Supabase client,
9
+ // env checks, and resolveMediaUrl's R2 base) read `process.env.NEXT_PUBLIC_* ||
10
+ // window.__NEXTBLOCK_PUBLIC_ENV__`, so this fills the gap without a dev-server restart. In
11
+ // production the inlined values win and these props just match them (a harmless no-op). All
12
+ // of these (Supabase url + anon key, R2 public base) are public values (safe to ship).
13
+ //
14
+ // This runs at render time (not in an effect, and not via a nonce'd <script> that could
15
+ // be deferred/blocked in dev), so the global is set before sibling/descendant components
16
+ // render. It's mounted in the root layout, so the value persists across client navigations.
17
+ type PublicEnv = { url: string; anonKey: string; r2Base?: string };
18
+
19
+ declare global {
20
+ interface Window {
21
+ __NEXTBLOCK_PUBLIC_ENV__?: PublicEnv;
22
+ }
23
+ }
24
+
25
+ export function PublicEnvBootstrap({ url, anonKey, r2Base }: PublicEnv) {
26
+ if (typeof window !== 'undefined' && url && anonKey) {
27
+ window.__NEXTBLOCK_PUBLIC_ENV__ = { url, anonKey, r2Base };
28
+ }
29
+ return null;
30
+ }
@@ -1,70 +1,32 @@
1
1
  'use client';
2
2
 
3
- import { hasPublicEnvVars } from "@nextblock-cms/utils";
4
- import Link from "next/link";
5
- import { Avatar, AvatarFallback, AvatarImage } from "@nextblock-cms/ui";
6
- import { Badge } from "@nextblock-cms/ui";
7
- import { Button } from "@nextblock-cms/ui";
8
- import { signOutAction } from "../app/actions";
9
- import { useAuth } from "../context/AuthContext";
10
- import { useTranslations } from "@nextblock-cms/utils";
11
-
12
- import {
13
- DropdownMenu,
14
- DropdownMenuContent,
15
- DropdownMenuItem,
16
- DropdownMenuLabel,
17
- DropdownMenuSeparator,
18
- DropdownMenuTrigger,
19
- } from "@nextblock-cms/ui";
3
+ import Link from "next/link";
4
+ import { Avatar, AvatarFallback, AvatarImage } from "@nextblock-cms/ui";
5
+ import { Button } from "@nextblock-cms/ui";
6
+ import { signOutAction } from "../app/actions";
7
+ import { useAuth } from "../context/AuthContext";
8
+ import { useTranslations } from "@nextblock-cms/utils";
9
+
10
+ import {
11
+ DropdownMenu,
12
+ DropdownMenuContent,
13
+ DropdownMenuItem,
14
+ DropdownMenuLabel,
15
+ DropdownMenuSeparator,
16
+ DropdownMenuTrigger,
17
+ } from "@nextblock-cms/ui";
20
18
  import { User, LogOut, LayoutDashboard } from "lucide-react";
21
19
 
22
- export default function AuthButton() {
23
- const { user, profile, isAdmin, isWriter } = useAuth();
24
- const { t } = useTranslations();
25
- const displayName = profile?.full_name || profile?.github_username || user?.email || null;
26
- const showAdminLink = isAdmin || isWriter;
27
-
28
- const handleSignOut = async () => {
29
- await signOutAction();
30
- };
20
+ export default function AuthButton() {
21
+ const { user, profile, isAdmin, isWriter } = useAuth();
22
+ const { t } = useTranslations();
23
+ const displayName = profile?.full_name || profile?.github_username || user?.email || null;
24
+ const showAdminLink = isAdmin || isWriter;
25
+
26
+ const handleSignOut = async () => {
27
+ await signOutAction();
28
+ };
31
29
 
32
- if (!hasPublicEnvVars) {
33
- return (
34
- <>
35
- <div className="flex gap-4 items-center">
36
- <div>
37
- <Badge
38
- variant={"default"}
39
- className="font-normal pointer-events-none"
40
- >
41
- {t('update_env_file_warning')}
42
- </Badge>
43
- </div>
44
- <div className="flex gap-2">
45
- <Button
46
- asChild
47
- size="sm"
48
- variant={"outline"}
49
- disabled
50
- className="opacity-75 cursor-none pointer-events-none"
51
- >
52
- <Link href="/sign-in">{t('sign_in')}</Link>
53
- </Button>
54
- <Button
55
- asChild
56
- size="sm"
57
- variant={"default"}
58
- disabled
59
- className="opacity-75 cursor-none pointer-events-none"
60
- >
61
- <Link href="/sign-up">{t('sign_up')}</Link>
62
- </Button>
63
- </div>
64
- </div>
65
- </>
66
- );
67
- }
68
30
  return user ? (
69
31
  <div className="flex items-center gap-4">
70
32
  <DropdownMenu>
@@ -98,6 +98,9 @@ services:
98
98
  KONG_PLUGINS: request-transformer,cors,key-auth,acl
99
99
  KONG_NGINX_PROXY_PROXY_BUFFER_SIZE: 160k
100
100
  KONG_NGINX_PROXY_PROXY_BUFFERS: 64 160k
101
+ # localhost cookies aren't port-scoped, so the app's Supabase auth cookies are also sent to
102
+ # Kong on every supabase-js request — give nginx room so they don't 431.
103
+ KONG_NGINX_HTTP_LARGE_CLIENT_HEADER_BUFFERS: 8 32k
101
104
  SUPABASE_ANON_KEY: ${ANON_KEY}
102
105
  SUPABASE_SERVICE_KEY: ${SERVICE_ROLE_KEY}
103
106
  volumes:
@@ -179,8 +182,9 @@ services:
179
182
  NODE_ENV: production
180
183
  PORT: 3000
181
184
  HOSTNAME: 0.0.0.0
185
+ # Browser AND server both use localhost:8000; the in-container loopback proxy (see Dockerfile)
186
+ # forwards it to Kong, keeping the host-derived Supabase auth cookie key consistent for SSR.
182
187
  NEXT_PUBLIC_SUPABASE_URL: ${NEXT_PUBLIC_SUPABASE_URL:-http://localhost:8000}
183
- SUPABASE_INTERNAL_URL: ${SUPABASE_INTERNAL_URL:-http://kong:8000}
184
188
  NEXT_PUBLIC_SUPABASE_ANON_KEY: ${ANON_KEY}
185
189
  SUPABASE_SERVICE_ROLE_KEY: ${SERVICE_ROLE_KEY}
186
190
  NEXT_PUBLIC_URL: ${NEXT_PUBLIC_URL:-http://localhost:3000}
@@ -0,0 +1,173 @@
1
+ # 11 Self-Hosted Docker Mode
2
+
3
+ ## Purpose
4
+
5
+ NextBlock can run as a complete, fully local stack with one command — **no Supabase
6
+ Cloud, Vercel, Cloudflare R2, or SMTP account required**. It mirrors the production
7
+ topology (Next.js 16 app + Supabase API behind a gateway + S3 object storage) on your
8
+ own machine, so the **same application code runs locally and in the cloud with no
9
+ variations** — only environment values differ.
10
+
11
+ This is the "one-click local sandbox": pick Docker, and the installer drop-ships a
12
+ hardened multi-stage app image alongside the core Supabase engines, an automated
13
+ migration runner, and S3-compatible storage.
14
+
15
+ ## Choosing it
16
+
17
+ Both initializers offer the choice up front:
18
+
19
+ - **Monorepo / `git clone`:** `npm run setup` → select **"Local Self-Hosted Docker Mode"**
20
+ - **Standalone CLI:** `npm create nextblock` → the same selector
21
+ - **Direct:** `npm run docker:setup`
22
+
23
+ In every case the work is driven by a single root hook: **`npm run docker:setup`**.
24
+
25
+ ## Prerequisites
26
+
27
+ - **Docker Desktop** installed and running (<https://www.docker.com/products/docker-desktop>).
28
+ - That's it. No cloud accounts, keys, or manual migrations.
29
+
30
+ ## Quick start
31
+
32
+ ```bash
33
+ # Monorepo
34
+ git clone https://github.com/nextblock-cms/nextblock.git
35
+ cd nextblock
36
+ npm install
37
+ npm run docker:setup # or: npm run setup → pick Docker
38
+
39
+ # Standalone project
40
+ npm create nextblock # → pick "Local Self-Hosted Docker Mode"
41
+ ```
42
+
43
+ `docker:setup` then:
44
+
45
+ 1. Verifies Docker is installed and running.
46
+ 2. Asks **two optional questions** (Cloudflare Turnstile, SMTP) — both skippable with Enter.
47
+ 3. Generates a root `.env` with secure random secrets and **properly-signed Supabase
48
+ anon/service keys** (real HS256 JWTs derived from a generated `JWT_SECRET`).
49
+ 4. Builds the app image and boots the whole stack.
50
+
51
+ When it finishes:
52
+
53
+ | What | Where |
54
+ | :--- | :--- |
55
+ | App | <http://localhost:3000> |
56
+ | Sign up | <http://localhost:3000/sign-up> — the **first account becomes ADMIN** |
57
+ | Supabase API gateway | <http://localhost:8000> |
58
+ | MinIO console | <http://localhost:9001> |
59
+
60
+ With no SMTP configured, accounts are **auto-confirmed** and the first sign-up lands
61
+ straight in `/cms/dashboard` — no confirmation email step.
62
+
63
+ ## The two optional prompts
64
+
65
+ | Prompt | If you skip it |
66
+ | :--- | :--- |
67
+ | **Cloudflare Turnstile** site + secret key | Uses Cloudflare's official "always pass" test keys — forms work, with no real bot protection. |
68
+ | **SMTP** host (+ port / user / pass / from) | GoTrue **auto-confirms** sign-ups; no email is sent, and the first admin can sign in immediately. |
69
+
70
+ Provide real SMTP if you want actual confirmation emails — auto-confirm is then disabled,
71
+ exactly like the cloud flow.
72
+
73
+ ## What you get (the stack)
74
+
75
+ The root `docker-compose.yml` runs a trimmed, production-equivalent Supabase stack plus
76
+ the app. Every image tag is pinned and overridable via an env var (e.g. `SUPABASE_DB_IMAGE`).
77
+
78
+ | Service | Image (default) | Role |
79
+ | :--- | :--- | :--- |
80
+ | `db` | `supabase/postgres` | Postgres with the Supabase roles, schemas, and extensions. Named volume `nextblock_db_store`. |
81
+ | `auth` | `supabase/gotrue` | Auth: sessions, JWTs, the `auth.users` table. |
82
+ | `rest` | `postgrest/postgrest` | Instant REST API over the `public` / `graphql_public` schemas. |
83
+ | `kong` | `kong` | Edge gateway — maps `/auth/v1`, `/rest/v1`, `/graphql/v1` to port **8000**. |
84
+ | `minio` + `minio-init` | `minio/minio`, `minio/mc` | S3-compatible media storage + a public `nextblock` bucket. Named volume `nextblock_media`. |
85
+ | `migrate` | `postgres:alpine` | Applies `libs/db/src/supabase/migrations` in order, **once**, then exits. |
86
+ | `nextblock-cms` | built locally | The Next.js standalone app on **3000**. Boots **only after `migrate` succeeds**. |
87
+
88
+ Both named volumes persist your database and uploaded media across restarts.
89
+
90
+ ### Commands
91
+
92
+ | Command | Does |
93
+ | :--- | :--- |
94
+ | `npm run docker:setup` | Generate `.env` → build → up. The one-click entry point. |
95
+ | `npm run docker:up` | Rebuild and (re)start the stack. |
96
+ | `npm run docker:down` | Stop the stack. Add `-v` to also delete the volumes (wipes local data). |
97
+ | `npm run docker:logs` | Follow the app logs (`docker compose logs -f nextblock-cms`). |
98
+
99
+ ### Ports (override with env vars)
100
+
101
+ `APP_PORT` (3000), `KONG_HTTP_PORT` (8000), `MINIO_S3_PORT` (9000),
102
+ `MINIO_CONSOLE_PORT` (9001), `POSTGRES_PORT_EXTERNAL` (54322).
103
+
104
+ ## How it works
105
+
106
+ The interesting part is making one codebase work unchanged in both modes. A few
107
+ mechanisms make that possible:
108
+
109
+ - **Standalone build.** The app Dockerfile is multi-stage (deps → builder → hardened
110
+ non-root runner) and builds with Next.js `output: 'standalone'`, gated on a
111
+ `DOCKER_BUILD` env var so normal/Vercel builds are untouched. The runner ships only the
112
+ traced server tree, `.next/static`, and `public`.
113
+
114
+ - **One URL + an in-container loopback proxy.** The browser reaches Supabase at
115
+ `http://localhost:8000`, and that value is inlined into the build. Server-side code runs
116
+ *inside* the container, where `localhost` has nothing — so the runner starts a tiny
117
+ `socat` proxy that forwards in-container `127.0.0.1:8000 → kong:8000` and
118
+ `127.0.0.1:9000 → minio:9000`. Browser and server therefore use the **same URL**, which
119
+ also keeps the Supabase auth-cookie key (derived from the URL host) identical on both
120
+ sides so SSR can read the session.
121
+
122
+ - **Storage on `127.0.0.1`.** Media URLs use `http://127.0.0.1:9000` (not `localhost`).
123
+ On `localhost`, cookies are not port-scoped, so the browser would otherwise send the
124
+ app's auth cookies to MinIO and trip its header-size limit. `127.0.0.1` is a different
125
+ cookie host, so MinIO always receives clean image requests.
126
+
127
+ - **Migration runner.** The `migrate` service waits for the database to be healthy and
128
+ for GoTrue to create `auth.users` (the schema FKs to it), then applies each migration in
129
+ order inside a transaction. It records applied versions, so restarts never re-run a
130
+ migration.
131
+
132
+ - **Generated keys.** `docker:setup` generates a `JWT_SECRET` and derives valid HS256
133
+ `anon` and `service_role` JWTs from it (using Node's built-in `crypto`), so GoTrue,
134
+ PostgREST, and Kong all validate against the same secret out of the box.
135
+
136
+ ## Cloud vs Docker — same code, different env
137
+
138
+ There are **no application code paths** specific to Docker. The difference is purely
139
+ configuration:
140
+
141
+ | | Managed Cloud | Self-Hosted Docker |
142
+ | :--- | :--- | :--- |
143
+ | Database / Auth | Supabase Cloud | `supabase/postgres` + `supabase/gotrue` |
144
+ | Object storage | Cloudflare R2 | MinIO (S3-compatible) |
145
+ | Email | Required SMTP | Optional — GoTrue auto-confirms without it |
146
+ | Run command | `npx nx serve nextblock` / Vercel | `npm run docker:setup` |
147
+ | Config | `.env.local` (cloud keys) | `.env` (generated local secrets) |
148
+
149
+ > The R2 client already speaks S3, so MinIO is pointed at it via `R2_S3_ENDPOINT` /
150
+ > `R2_FORCE_PATH_STYLE`; uploads are signed for the browser via `R2_S3_PUBLIC_ENDPOINT`.
151
+ > A reference of every key the stack reads lives in `.env.docker.example`.
152
+
153
+ ## Troubleshooting
154
+
155
+ - **"Docker is not installed or not running."** Start Docker Desktop and re-run
156
+ `npm run docker:setup`.
157
+
158
+ - **`port is already allocated`.** Another process (often a previous stack) holds 8000 /
159
+ 9000 / 3000 / 54322. Stop it, or override the port env vars above.
160
+
161
+ - **GoTrue fails with `password authentication failed for user "supabase_auth_admin"`
162
+ (28P01) after a re-clone.** A leftover named volume from a previous install still holds
163
+ the old password, while your new `.env` has fresh secrets. Postgres only runs its
164
+ credential-setting init scripts on an *empty* volume. Fix:
165
+ `docker compose down -v && npm run docker:up`. (`docker:setup` does this automatically
166
+ when it generates a brand-new `.env`.)
167
+
168
+ - **Re-running `docker:setup`.** If a `.env` already exists it **reuses your secrets and
169
+ keeps your data** — safe to re-run to rebuild after pulling changes.
170
+
171
+ - **Wipe everything and start clean.** `docker compose down -v` removes the containers and
172
+ both named volumes (database + media).
173
+ </content>
@@ -0,0 +1,67 @@
1
+ # 12 · Cloud Deployment (Deploy to Vercel)
2
+
3
+ NextBlock ships a one-click **Deploy to Vercel** button (see the README) that brings
4
+ up a production instance already connected to a managed Supabase project. From there,
5
+ the in-app **First-Boot Setup Wizard** (`/setup`) finishes configuration in the
6
+ browser — there is no terminal step.
7
+
8
+ ## How the button works
9
+
10
+ The badge links to `https://vercel.com/new/clone` with these query parameters:
11
+
12
+ | Parameter | Purpose |
13
+ | :--- | :--- |
14
+ | `repository-url` | The NextBlock repo to clone into the user's Git provider. |
15
+ | `integration-ids=oac_VqOgBHqhEoFTPzGkPd7L0iH6` | Vercel's **Supabase integration**. During import, Vercel provisions (or links) a Supabase project and injects its environment variables automatically. |
16
+ | `env=NEXT_PUBLIC_URL,CRON_SECRET,DRAFT_MODE_SECRET,REVALIDATE_SECRET_TOKEN` | The remaining variables Vercel prompts for. Only variable **names** are listed — never secret values. |
17
+ | `envDescription` / `envLink` | Help text + a link back to this doc. |
18
+
19
+ The Supabase integration injects the keys the app needs to boot:
20
+ `NEXT_PUBLIC_SUPABASE_URL`, `NEXT_PUBLIC_SUPABASE_ANON_KEY`,
21
+ `SUPABASE_SERVICE_ROLE_KEY`, and `POSTGRES_URL`. Because those are present on first
22
+ boot, the instance is **Profile A (pre-configured)**: the wizard skips the connection
23
+ step and goes straight to creating the first administrator.
24
+
25
+ ## What the wizard does on Vercel
26
+
27
+ 1. **Database** — already connected (integration-injected). The wizard verifies a
28
+ first admin doesn't exist yet, otherwise it redirects to `/cms/dashboard`.
29
+ 2. **Schema** — apply the migrations to the managed Supabase project. The Supabase
30
+ integration creates the project but does **not** run NextBlock's migrations, so run
31
+ them once after the first deploy (locally against the project, or via the Supabase
32
+ dashboard SQL editor) — see [docs/04](./04-DATABASE-AND-AUTH.md) and
33
+ [docs/05](./05-DEVELOPER-GUIDE.md).
34
+ 3. **Storage** — pre-filled for **Supabase Storage** (S3-compatible). The wizard's
35
+ storage step shows the endpoint derived from your Supabase URL
36
+ (`<project>/storage/v1/s3`). Create an S3 access key in the Supabase dashboard
37
+ (Storage → S3 connection) and set `R2_ACCESS_KEY_ID` / `R2_SECRET_ACCESS_KEY` in
38
+ your Vercel project environment. (Cloudflare R2 remains the default for non-Vercel
39
+ installs — it has a more generous free storage tier; only the one-click Vercel
40
+ path defaults to Supabase Storage.)
41
+ 4. **Email / Bot protection / Sign-ups** — optional steps; bot-protection and the
42
+ sign-up policy persist to the database and work immediately. SMTP, if used, is set
43
+ as Vercel environment variables.
44
+ 5. **Administrator** — create the first admin. The account is created already
45
+ confirmed (`email_confirm: true`), so no verification email is required.
46
+
47
+ > Filesystem is read-only on Vercel, so the wizard never writes `.env.local` there —
48
+ > all configuration is environment variables (platform-managed) plus the database.
49
+
50
+ ## Cron jobs and the free tier
51
+
52
+ `vercel.json` declares two daily crons (`/api/cron/reset-sandbox` and
53
+ `/api/cron/sync-currencies`). Vercel's **Hobby (free) tier allows one cron per day**.
54
+ For a free-tier production deploy, either:
55
+
56
+ - Upgrade to a paid plan (both crons run as declared), **or**
57
+ - Keep only the cron you need (most production sites don't need `reset-sandbox`, which
58
+ exists for the public demo sandbox), **or**
59
+ - Consolidate both jobs into a single cron handler.
60
+
61
+ This is intentionally left as a deploy-time decision rather than changed in the repo,
62
+ since the sandbox/demo deploy relies on both crons.
63
+
64
+ ## After deploy
65
+
66
+ Visit the deployment URL — it redirects to `/setup` until the first admin exists.
67
+ Complete the wizard, then sign in at `/cms/dashboard`.
@@ -16,6 +16,7 @@ library surfaces rather than historical planning notes.
16
16
  - Cortex AI architecture: [08-NEXTBLOCK-CORTEX-AI-ARCHITECTURE.md](./08-NEXTBLOCK-CORTEX-AI-ARCHITECTURE.md)
17
17
  - Live draft (visual editing) mode: [09-LIVE-DRAFT-MODE.md](./09-LIVE-DRAFT-MODE.md)
18
18
  - Custom blocks (data-driven CRUD): [10-CUSTOM-BLOCKS.md](./10-CUSTOM-BLOCKS.md)
19
+ - Self-hosted local Docker stack: [11-SELF-HOSTED-DOCKER.md](./11-SELF-HOSTED-DOCKER.md)
19
20
 
20
21
  ## Audience Guide
21
22
 
@@ -25,6 +26,7 @@ library surfaces rather than historical planning notes.
25
26
  - Custom block work: read `03`, then `10`.
26
27
  - AI / Cortex work: read `08`.
27
28
  - CLI or template work: read `06`.
29
+ - Running everything locally without cloud accounts: read `11`.
28
30
  - AI agents: start with this index, then move directly to the subsystem file that
29
31
  matches the task. Treat `apps/nextblock`, `libs/*`, and
30
32
  `libs/db/src/supabase/migrations` as the final authority if a doc and code ever
@@ -25,7 +25,7 @@ export const FeaturedProductBlock = async ({ content }: { content: FeaturedProdu
25
25
  } else if (process.env.NEXT_PUBLIC_R2_BASE_URL) {
26
26
  imageUrl = `${process.env.NEXT_PUBLIC_R2_BASE_URL}/${mediaItem.file_path}`;
27
27
  } else {
28
- imageUrl = `${process.env.NEXT_PUBLIC_SUPABASE_URL}/storage/v1/object/public/media/${mediaItem.file_path}`;
28
+ imageUrl = `${process.env.NEXT_PUBLIC_SUPABASE_URL ?? ''}/storage/v1/object/public/media/${mediaItem.file_path}`;
29
29
  }
30
30
  }
31
31
 
@@ -62,7 +62,7 @@ export const ProductGridBlock = async ({
62
62
  } else if (process.env.NEXT_PUBLIC_R2_BASE_URL) {
63
63
  imageUrl = `${process.env.NEXT_PUBLIC_R2_BASE_URL}/${mediaItem.file_path}`;
64
64
  } else {
65
- imageUrl = `${process.env.NEXT_PUBLIC_SUPABASE_URL}/storage/v1/object/public/media/${mediaItem.file_path}`;
65
+ imageUrl = `${process.env.NEXT_PUBLIC_SUPABASE_URL ?? ''}/storage/v1/object/public/media/${mediaItem.file_path}`;
66
66
  }
67
67
  }
68
68
 
@@ -20,7 +20,15 @@ const BUNDLED_PUBLIC_MEDIA_KEYS = new Set([
20
20
 
21
21
  export function resolveMediaUrl(
22
22
  objectKey?: string | null,
23
- baseUrl = process.env.NEXT_PUBLIC_R2_BASE_URL || ''
23
+ // On the client, NEXT_PUBLIC_R2_BASE_URL is inlined at build time, so a fresh-clone
24
+ // dev bundle built with no env holds an empty string; fall back to the runtime value
25
+ // injected by <PublicEnvBootstrap> (window.__NEXTBLOCK_PUBLIC_ENV__.r2Base). On the
26
+ // server, process.env is always current and the window branch is skipped.
27
+ baseUrl = process.env.NEXT_PUBLIC_R2_BASE_URL ||
28
+ (typeof window !== 'undefined'
29
+ ? (window as { __NEXTBLOCK_PUBLIC_ENV__?: { r2Base?: string } })
30
+ .__NEXTBLOCK_PUBLIC_ENV__?.r2Base || ''
31
+ : '')
24
32
  ) {
25
33
  if (!objectKey) return null;
26
34