fix: migration atomicity + deploy hardening + Litestream R2

Migration atomicity: - Remove conn.commit() and executescript() from all up() functions (0000, 0011, 0012, 0013, 0014, 0015); executescript() issued implicit COMMITs which broke the batch-rollback guarantee of the migration runner - Rewrite 0000 with individual conn.execute() calls (was a single executescript block) Deploy hardening: - Add pre-migration DB backup step to deploy.sh: saves app.db.pre-deploy-<timestamp> in the volume before every migration - On health-check failure: restore the backup, then stop + exit - On success: clean up old backups (keep last 3) Litestream: - Enable R2 as primary replica in litestream.yml (env-var placeholders) - Add local /app/data/backups as secondary replica - docker-compose: add auto-restore on empty volume (sh entrypoint runs 'litestream restore' before 'litestream replicate' if app.db missing) - Add LITESTREAM_R2_* vars to .gitlab-ci.yml .env block and .env.example Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-20 10:28:59 +01:00
parent 363f93885d
commit c0c8607664
12 changed files with 315 additions and 171 deletions
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -48,6 +48,10 @@ deploy:
      PADDLE_WEBHOOK_SECRET=$PADDLE_WEBHOOK_SECRET
      PADDLE_PRICE_STARTER=$PADDLE_PRICE_STARTER
      PADDLE_PRICE_PRO=$PADDLE_PRICE_PRO
+      LITESTREAM_R2_BUCKET=$LITESTREAM_R2_BUCKET
+      LITESTREAM_R2_ACCESS_KEY_ID=$LITESTREAM_R2_ACCESS_KEY_ID
+      LITESTREAM_R2_SECRET_ACCESS_KEY=$LITESTREAM_R2_SECRET_ACCESS_KEY
+      LITESTREAM_R2_ENDPOINT=$LITESTREAM_R2_ENDPOINT
      ENVEOF
    - ssh "$DEPLOY_USER@$DEPLOY_HOST" "chmod 600 /opt/padelnomics/padelnomics/.env"
    - ssh "$DEPLOY_USER@$DEPLOY_HOST" "cd /opt/padelnomics && git pull origin master && ./deploy.sh"