From 76fc19c1832f62bf1a8bfaee2a36291d73034141 Mon Sep 17 00:00:00 2001
From: Deeman <hendriknote@gmail.com>
Date: Fri, 20 Feb 2026 13:00:29 +0100
Subject: [PATCH] fix: litestream healthcheck gate + 1yr retention
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Re-enable deploy gate on litestream: pgrep-based healthcheck with 6
retries (30s window) after a 15s start period — broken backups now
fail the deploy loudly instead of silently succeeding.

Extend retention from 7d to 1yr (8760h): WAL frames are tiny for a
low-traffic app, R2 free tier covers years of storage.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 CHANGELOG.md               | 3 ++-
 docker-compose.prod.yml    | 6 +++++-
 padelnomics/litestream.yml | 2 +-
 3 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 692f209..d293234 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -11,7 +11,8 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 
 ### Fixed
 - Litestream: remove local-path replica — v0.5.8 dropped multi-replica support (`"multiple replicas on a single database are no longer supported"`), keeping only the R2 replica
-- Deploy: disable litestream health check so it no longer blocks `up --wait`
+- Litestream: extend retention from 7 days to 1 year (`8760h`) — WAL frames are tiny, R2 storage cost is negligible
+- Deploy: gate deployment on litestream health (`pgrep -x litestream`, retries 6×5s after 15s start period) so broken backups fail the deploy loudly
 - Deploy: write nginx router config *before* starting containers so the router health check (`nginx -t`) passes on first deploy or after volume wipe
 - Deploy: pre-migration DB backup added to `deploy.sh`; on health-check failure the DB is restored to pre-migration state (prevents old slot from running against new schema)
 - Migrations: removed all `conn.commit()` and `executescript()` calls from `up()` functions in 0000, 0011, 0012, 0013, 0014, 0015 — restores batch-atomicity guarantee (`executescript` issued implicit COMMITs, breaking rollback on failure)
diff --git a/docker-compose.prod.yml b/docker-compose.prod.yml
index 93dc722..30a8d69 100644
--- a/docker-compose.prod.yml
+++ b/docker-compose.prod.yml
@@ -35,7 +35,11 @@ services:
       - app-data:/app/data
       - ./padelnomics/litestream.yml:/etc/litestream.yml:ro
     healthcheck:
-      disable: true
+      test: ["CMD-SHELL", "pgrep -x litestream > /dev/null"]
+      interval: 5s
+      timeout: 5s
+      retries: 6
+      start_period: 15s
 
   # ── Blue slot ─────────────────────────────────────────────
 
diff --git a/padelnomics/litestream.yml b/padelnomics/litestream.yml
index 060a618..3b948e5 100644
--- a/padelnomics/litestream.yml
+++ b/padelnomics/litestream.yml
@@ -17,5 +17,5 @@ dbs:
         access-key-id: ${LITESTREAM_R2_ACCESS_KEY_ID}
         secret-access-key: ${LITESTREAM_R2_SECRET_ACCESS_KEY}
         endpoint: https://${LITESTREAM_R2_ENDPOINT}
-        retention: 168h
+        retention: 8760h
         snapshot-interval: 6h