refactor: extract backup/restore into config scripts, trim comments

Move the postgres and clickhouse backup/restore hook logic out of inline
compose labels into dedicated pg_backup.sh / clickhouse_backup.sh config
scripts (the pattern other recipes use), and trim the verbose explanatory
comments down to the essential rationale, now living in the scripts.

.drone.yml

@@ -45,7 +45,7 @@ steps:
         from_secret: drone_abra-bot_token
       fork: true
       repositories:
-        - coop-cloud/auto-recipes-catalogue-json
+        - toolshed/auto-recipes-catalogue-json
 
 trigger:
   event: tag

.env.sample

@@ -6,9 +6,6 @@ DOMAIN=plausible.example.com
 #EXTRA_DOMAINS=', `www.plausible.example.com`'
 LETS_ENCRYPT_ENV=production
 
-ADMIN_USER_EMAIL=replace-me
-ADMIN_USER_NAME=replace-me
-ADMIN_USER_PWD=replace-me
 SECRET_KEY_BASE=replace-me
 DISABLE_AUTH=replace-me # true or false
 DISABLE_REGISTRATION=replace-me # true or false

README.md

@@ -7,7 +7,7 @@
 * **Status**: 1, alpha
 * **Image**: [`plausible/analytics`](https://hub.docker.com/plausible/analytics), 4, upstream
 * **Healthcheck**:
-* **Backups**: No
+* **Backups**: Yes
 * **Email**: No
 * **Tests**:
 * **SSO**: No
@@ -26,4 +26,3 @@
 
 [`abra`]: https://git.coopcloud.tech/coop-cloud/abra
 [`coop-cloud/traefik`]: https://git.coopcloud.tech/coop-cloud/traefik
-p-cloud/traefik

abra.sh

@@ -1,2 +1,5 @@
-export CLICKHOUSE_CONF_VERSION=v1
+export CLICKHOUSE_CONF_VERSION=v2
 export CLICKHOUSE_USER_CONF_VERSION=v2
+export CLICKHOUSE_ENTRYPOINT_VERSION=v6
+export PG_BACKUP_VERSION=v1
+export CLICKHOUSE_BACKUP_SCRIPT_VERSION=v1

clickhouse_backup.sh

@@ -0,0 +1,30 @@
+#!/bin/bash
+
+set -e
+
+# clickhouse-backup output lives inside the event-data volume (snapshotted via
+# backupbot.backup.volumes.event-data.path). Restoring the raw data files under a
+# running server is unsafe, so restore performs a logical restore instead.
+BACKUP_DIR=/var/lib/clickhouse/backup/events
+MIGRATIONS_TSV="$BACKUP_DIR/schema_migrations.tsv"
+
+backup() {
+  clickhouse-backup create events
+  # schema_migrations is a TinyLog table — clickhouse-backup only FREEZEs MergeTree
+  # data, so its rows aren't captured. Export them alongside the backup, else a restore
+  # leaves the ledger empty and the next boot re-runs every migration (DUPLICATE_COLUMN).
+  clickhouse-client --query "SELECT * FROM plausible_events_db.schema_migrations FORMAT TSV" > "$MIGRATIONS_TSV"
+}
+
+backup_cleanup() {
+  rm -rf "$BACKUP_DIR"
+}
+
+restore() {
+  clickhouse-backup restore --rm events
+  clickhouse-client --query "TRUNCATE TABLE plausible_events_db.schema_migrations"
+  clickhouse-client --query "INSERT INTO plausible_events_db.schema_migrations FORMAT TSV" < "$MIGRATIONS_TSV"
+  rm -rf "$BACKUP_DIR"
+}
+
+"$@"

compose.yml

@@ -3,20 +3,22 @@ version: "3.8"
 
 services:
   app:
-    image: plausible/analytics:v1.5.1
-    command: sh -c "sleep 10 && /entrypoint.sh db createdb && /entrypoint.sh db migrate && /entrypoint.sh db init-admin && /entrypoint.sh run"
+    image: plausible/analytics:v2.0.0
+    command: sh -c "sleep 10 && /entrypoint.sh db createdb && /entrypoint.sh db migrate && /entrypoint.sh run"
     depends_on:
       - db
-      - events_db
+      - plausible_events_db
     environment:
       - BASE_URL=https://$DOMAIN
-      - ADMIN_USER_EMAIL
-      - ADMIN_USER_NAME
-      - ADMIN_USER_PWD
       - SECRET_KEY_BASE
       - DATABASE_URL=postgres://plausible:plausible@${STACK_NAME}_db:5432/plausible
+      - CLICKHOUSE_DATABASE_URL=http://${STACK_NAME}_plausible_events_db:8123/plausible_events_db
       - SMTP_HOST_ADDR
       - MAILER_EMAIL
+      - SMTP_HOST_PORT
+      - SMTP_USER_NAME
+      - SMTP_USER_PWD
+      - SMTP_HOST_SSL_ENABLED
       - DISABLE_REGISTRATION
       - DISABLE_AUTH
     networks:
@@ -24,36 +26,72 @@ services:
       - internal
     deploy:
       restart_policy:
-        condition: on-failure
+        # `any`, not `on-failure`: a restore disrupts postgres under the app and Erlang then
+        # shuts down gracefully (exit 0), which on-failure treats as done and never restarts.
+        condition: any
       labels:
         - "traefik.enable=true"
         - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=8000"
         - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})"
         - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
         - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
-        - coop-cloud.${STACK_NAME}.version=1.1.0+1.5.1
+        - coop-cloud.${STACK_NAME}.version=3.1.0+v2.0.0
   db:
-    image: postgres:13.11-alpine
+    image: pgautoupgrade/pgautoupgrade:18-alpine
     volumes:
       - db-data:/var/lib/postgresql/data
     environment:
+      # pin legacy PGDATA so the existing cluster on the volume is upgraded in place, not re-init'd
+      - PGDATA=/var/lib/postgresql/data
       - POSTGRES_USER=plausible
       - POSTGRES_PASSWORD=plausible
       - POSTGRES_DB=plausible
     networks:
       - internal
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U plausible -d plausible"]
+      interval: 5s
+      timeout: 5s
+      retries: 60
+    configs:
+      - source: pg_backup
+        target: /pg_backup.sh
+        mode: 0555
+    deploy:
+      labels:
+        backupbot.backup: "true"
+        backupbot.backup.volumes.db-data.path: "postgres.dump.gz"
+        backupbot.backup.pre-hook: "/pg_backup.sh backup"
+        backupbot.backup.post-hook: "/pg_backup.sh backup_cleanup"
+        backupbot.restore: "true"
+        backupbot.restore.post-hook: "/pg_backup.sh restore"
 
   plausible_events_db:
     image: clickhouse/clickhouse-server:23.4.2.11-alpine
     volumes:
       - event-data:/var/lib/clickhouse
+    entrypoint: /custom-entrypoint.sh
     configs:
       - source: clickhouse-config
         target: /etc/clickhouse-server/config.d/logging.xml
       - source: clickhouse-user-config
         target: /etc/clickhouse-server/users.d/clickhouse-user-config.xml
+      - source: clickhouse_entrypoint
+        target: /custom-entrypoint.sh
+        mode: 0555
+      - source: clickhouse_backup
+        target: /clickhouse_backup.sh
+        mode: 0555
     networks:
       - internal
+    deploy:
+      labels:
+        backupbot.backup: "true"
+        backupbot.backup.volumes.event-data.path: "backup/events"
+        backupbot.backup.pre-hook: "/clickhouse_backup.sh backup"
+        backupbot.backup.post-hook: "/clickhouse_backup.sh backup_cleanup"
+        backupbot.restore: "true"
+        backupbot.restore.post-hook: "/clickhouse_backup.sh restore"
 
 volumes:
   db-data:
@@ -71,3 +109,12 @@ configs:
   clickhouse-user-config:
     name: ${STACK_NAME}_clickhouse_user_config_${CLICKHOUSE_USER_CONF_VERSION}
     file: clickhouse-user-config.xml
+  clickhouse_entrypoint:
+    name: ${STACK_NAME}_clickhouse_entrypoint_${CLICKHOUSE_ENTRYPOINT_VERSION}
+    file: entrypoint.clickhouse.sh
+  pg_backup:
+    name: ${STACK_NAME}_pg_backup_${PG_BACKUP_VERSION}
+    file: pg_backup.sh
+  clickhouse_backup:
+    name: ${STACK_NAME}_clickhouse_backup_${CLICKHOUSE_BACKUP_SCRIPT_VERSION}
+    file: clickhouse_backup.sh

entrypoint.clickhouse.sh

@@ -0,0 +1,59 @@
+#!/bin/bash
+# Install clickhouse-backup (powers this recipe's backup/restore hooks) before starting the
+# server. The binary is cached on the persistent volume keyed by version (downloaded at most
+# once per app) and fetched with bounded retries + a read timeout; the binary is verified before
+# being trusted or cached. If it truly cannot be installed the deploy fails loudly rather than
+# silently shipping broken backups.
+
+set -e
+
+CLICKHOUSE_BACKUP_VERSION=2.4.2
+
+ARCH=$(uname -m)
+if [[ $ARCH =~ "aarch64" ]]; then
+  ARCH="arm64"
+elif [[ $ARCH =~ "armv5l" ]]; then
+  ARCH="armv5"
+elif [[ $ARCH =~ "armv6l" ]]; then
+  ARCH="armv6"
+elif [[ $ARCH =~ "armv7l" ]]; then
+  ARCH="armv7"
+elif [[ $ARCH =~ "x86_64" ]]; then
+  ARCH="amd64"
+fi
+
+CACHE_DIR=/var/lib/clickhouse/.ccci-bin
+CACHED="${CACHE_DIR}/clickhouse-backup-v${CLICKHOUSE_BACKUP_VERSION}"
+BIN=/usr/local/bin/clickhouse-backup
+URL="https://github.com/Altinity/clickhouse-backup/releases/download/v${CLICKHOUSE_BACKUP_VERSION}/clickhouse-backup-linux-${ARCH}.tar.gz"
+
+binary_ok() {
+  "$1" --version >/dev/null 2>&1
+}
+
+install_clickhouse_backup() {
+  mkdir -p "$CACHE_DIR"
+  if [ -x "$CACHED" ] && binary_ok "$CACHED"; then
+    cp -f "$CACHED" "$BIN"
+    echo "clickhouse-backup: using verified cached binary ($CACHED)"
+    return 0
+  fi
+  rm -f "$CACHED" # absent or fails to execute — re-fetch
+  for attempt in 1 2 3 4 5; do
+    if wget -T 30 --continue --output-document=/tmp/clickhouse-backup.tar.gz "$URL" \
+       && tar -xf /tmp/clickhouse-backup.tar.gz --directory=/usr/local/bin --strip-components=3 \
+       && binary_ok "$BIN"; then
+      cp -f "$BIN" "$CACHED" 2>/dev/null || true
+      echo "clickhouse-backup: downloaded, verified + cached (attempt ${attempt})"
+      return 0
+    fi
+    echo "clickhouse-backup: fetch attempt ${attempt}/5 failed" >&2
+    [ "$attempt" -lt 5 ] && sleep $((attempt * 10))
+  done
+  echo "clickhouse-backup: could not install after 5 attempts — failing the deploy (without it backup/restore would be silently broken)" >&2
+  return 1
+}
+
+install_clickhouse_backup
+
+exec /entrypoint.sh

pg_backup.sh

@@ -0,0 +1,29 @@
+#!/bin/sh
+
+set -e
+
+# The dump lives at the db-data volume root: backup-bot-two v2 snapshots paths inside
+# named volumes (backupbot.backup.volumes.db-data.path), not the container root fs.
+DUMP=/var/lib/postgresql/data/postgres.dump
+
+backup() {
+  pg_dump -U "$POSTGRES_USER" -Fc "$POSTGRES_DB" | gzip > "$DUMP.gz"
+}
+
+backup_cleanup() {
+  rm -f "$DUMP.gz"
+}
+
+restore() {
+  gzip -d "$DUMP.gz"
+  # --if-exists: otherwise DROPs on objects absent from the live db error out and
+  # pg_restore exits 1, killing the chain and leaving the dump behind.
+  pg_restore --clean --if-exists -U "$POSTGRES_USER" --dbname="$POSTGRES_DB" < "$DUMP"
+  rm -f "$DUMP"
+  # pg_restore --clean recreates objects under the live app, so its pooled connections
+  # keep stale type-OID caches ('cache lookup failed for type ...' crash loops, e.g.
+  # Oban). Terminate them so Ecto reconnects fresh.
+  psql -U "$POSTGRES_USER" -d "$POSTGRES_DB" -c "SELECT pg_terminate_backend(pid) FROM pg_stat_activity WHERE datname = current_database() AND pid <> pg_backend_pid();"
+}
+
+"$@"

release/2.0.0+v1.5.1

@@ -0,0 +1,7 @@
+If you're upgrading from a pre-release version, there will be a major Postgresql
+version upgrade -- this should happen automatically, but **please take a
+backup**, at least of the `<stack_name>_db` volume, if not all the data volumes,
+before the upgrade. 
+
+If you haven't taken a backup already, it's probably safest to bail using
+Ctrl+C, take the backup, and re-run your `upgrade` / `deploy` command.

release/3.0.0+v2.0.0

@@ -0,0 +1,8 @@
+⚠ WARNING! ⚠
+
+This major version upgrade of Plausible requires running a manual data migration
+-- otherwise you'll see all historical data disappear (don't worry, it's
+"probably" still there). 
+
+Take a manual docker volume backup, then see here, and strap in: 
+https://github.com/plausible/analytics/discussions/3132