Replaces the previous best-effort (|| true) approach: a deploy without
clickhouse-backup would have silently broken backup/restore, so the
entrypoint now hard-fails (visibly, in service logs) if the tool truly
cannot be installed — but makes that case effectively unreachable:
- cache the VERIFIED binary on the persistent clickhouse volume, keyed
by version: downloaded at most once per app; container restarts never
re-fetch (kills the re-download amplification that turned a GitHub
throttle into a permanent crash-loop)
- canonical Altinity release URL (project moved; old path is a redirect)
- bounded retries with backoff + wget read timeout (a stalled connection
can no longer hang the deploy)
- verify the binary executes before trusting or caching it (catches
truncated downloads and a corrupt cache)
- compose: fix app depends_on to the real service name
(plausible_events_db) — docker compose config was failing on it, which
disabled CI image prepull and pushed pulls into the deploy window
- bump CLICKHOUSE_ENTRYPOINT_VERSION v4 -> v5 (swarm configs immutable)
Verified on a dev deploy: fresh download path, cached-restart path,
clickhouse-backup create/list/delete, and /api/health all green.
The previous entrypoint treated clickhouse-backup as required: a download failure
(rate-limit or transient network) caused install_clickhouse_backup to return 1 which
with set -e exited the entrypoint before /entrypoint.sh ran. ClickHouse never started,
the swarm restarted it, the download was retried, amplifying the throttle -> crash-loop
-> deploy timeout (cc-ci Q4.7b).
Fix: install_clickhouse_backup || true — the server starts even if the backup tool
cannot be fetched. Backup/restore degrades until a later restart fetches it.
Also: fix stray trailing quote in backupbot.restore.post-hook; bump
CLICKHOUSE_ENTRYPOINT_VERSION v3->v4 (config content changed).
Minor bump — no operator action required (Postgres/ClickHouse changes are automatic).
- Postgres: use pgautoupgrade/pgautoupgrade:18-alpine in place of the custom
pg_upgrade entrypoint. The existing cluster is upgraded in place automatically
on deploy; PGDATA pinned to the legacy path; adds a pg_isready healthcheck.
Removes entrypoint.postgres.sh.tmpl and DB_ENTRYPOINT_VERSION.
- ClickHouse backup fetch: cache the clickhouse-backup binary on the persistent
volume and retry with backoff to avoid the download crash-loop. The tool is
required — if it can't be installed after retries the entrypoint aborts and
the server does not start, rather than coming up without backup/restore.
- Add CLICKHOUSE_DATABASE_URL; bump the clickhouse entrypoint config version.
- Remove a stray broken link reference in the README.
