Update rendered example

example/images/clickhouse/Dockerfile

@@ -1,2 +1,2 @@
-FROM clickhouse/clickhouse-server:24.3.3.102-alpine
+FROM clickhouse/clickhouse-server:24.12-alpine
 LABEL maintainer="Daniel Berteaud <dbd@ehtrace.com>"

example/images/plausible-proxmox-backup/Dockerfile

@@ -1,4 +1,4 @@
-FROM danielberteaud/proxmox-backup-client:25.3-1
+FROM danielberteaud/proxmox-backup-client:25.5-1
 
 LABEL maintainer="Daniel Berteaud <dbd@ehtrace.com>"
 

example/images/plausible/Dockerfile

@@ -1,4 +1,4 @@
-FROM ghcr.io/plausible/community-edition:v2.1.5
+FROM ghcr.io/plausible/community-edition:v3.0.1
 LABEL maintainer="Daniel Berteaud <dbd@ehtrace.com>"
 
 USER root

example/init/plausible-vault-database

@@ -2,7 +2,7 @@
 
 set -euo pipefail
 
-vault write database/roles/plausible \
+vault write database/roles/postgres-plausible \
     db_name="postgres" \
     creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; \
         GRANT \"plausible\" TO \"{{name}}\"; \

example/plausible.nomad.hcl

@@ -131,7 +131,7 @@ job "plausible" {
       user   = "1053:1053"
 
       config {
-        image           = "danielberteaud/wait-for:25.3-1"
+        image           = "danielberteaud/wait-for:25.5-1"
         readonly_rootfs = true
         pids_limit      = 20
       }
@@ -164,7 +164,7 @@ job "plausible" {
       }
 
       config {
-        image       = "danielberteaud/alpine:25.3-1"
+        image       = "danielberteaud/alpine:25.5-1"
         command     = "/local/chown.sh"
         userns_mode = "host"
       }
@@ -219,7 +219,7 @@ _EOT
       }
 
       config {
-        image      = "danielberteaud/clickhouse:24.3.3.102-1"
+        image      = "danielberteaud/clickhouse:24.12-1"
         pids_limit = 1000
         ulimit {
           nofile = "262144:262144"
@@ -230,7 +230,8 @@ _EOT
       }
 
       env {
-        CLICKHOUSE_DB = "plausible_events_db"
+        CLICKHOUSE_DB              = "plausible_events_db"
+        CLICKHOUSE_SKIP_USER_SETUP = "1"
       }
 
       template {
@@ -307,9 +308,8 @@ _EOT
 
 
       resources {
-        cpu        = 500
-        memory     = 512
-        memory_max = 768
+        cpu    = 500
+        memory = 1024
       }
 
     }
@@ -319,7 +319,7 @@ _EOT
       leader = true
 
       config {
-        image           = "danielberteaud/plausible:2.1.5-1"
+        image           = "danielberteaud/plausible:3.0.1-1"
         readonly_rootfs = true
 
         pids_limit = 500
@@ -366,7 +366,7 @@ _EOT
       template {
         data        = <<_EOT
 CLICKHOUSE_DATABASE_URL=http://127.0.0.1:8123/plausible_events_db
-DATABASE_URL=postgresql://{{ with secret "database/creds/plausible" }}{{ .Data.username }}{{ end }}:{{ with secret "database/creds/plausible" }}{{ urlquery .Data.password }}{{ end }}@127.0.0.1:5432/plausible
+DATABASE_URL=postgresql://{{ with secret "database/creds/postgres-plausible" }}{{ .Data.username }}{{ end }}:{{ with secret "database/creds/postgres-plausible" }}{{ urlquery .Data.password }}{{ end }}@127.0.0.1:5432/plausible
 _EOT
         destination = "secrets/.env.db"
         uid         = 0

example/prep.d/10-plausible-rand-secrets

@@ -8,27 +8,39 @@ export LC_ALL=C
 VAULT_KV_PATH=kv/service/plausible
 RAND_CMD="openssl rand -base64 48"
 if ! vault kv list $(dirname ${VAULT_KV_PATH}) 2>/dev/null | grep -q -E "^$(basename ${VAULT_KV_PATH})\$"; then
-  vault kv put ${VAULT_KV_PATH} \
-    secret_key_base="$(sh -c "${RAND_CMD}")" \
+  # Another check to be sure it wasn't a transient error as it would overwrite existings KV
+  if ! vault kv list $(dirname ${VAULT_KV_PATH}) 2>/dev/null | grep -q -E "^$(basename ${VAULT_KV_PATH})\$"; then
+    vault kv put ${VAULT_KV_PATH} \
+      secret_key_base="$(sh -c "${RAND_CMD}")" \
 
+  fi
 fi
 for SECRET in secret_key_base; do
   if ! vault kv get -field ${SECRET} ${VAULT_KV_PATH} >/dev/null 2>&1; then
-    vault kv patch ${VAULT_KV_PATH} \
-      ${SECRET}="$(sh -c "${RAND_CMD}")"
+    # Same here, check twice to be sure secrets aren't already here
+    if ! vault kv get -field ${SECRET} ${VAULT_KV_PATH} >/dev/null 2>&1; then
+      vault kv patch ${VAULT_KV_PATH} \
+        ${SECRET}="$(sh -c "${RAND_CMD}")"
+    fi
   fi
 done
 VAULT_KV_PATH=kv/service/plausible
 RAND_CMD="openssl rand -base64 32"
 if ! vault kv list $(dirname ${VAULT_KV_PATH}) 2>/dev/null | grep -q -E "^$(basename ${VAULT_KV_PATH})\$"; then
-  vault kv put ${VAULT_KV_PATH} \
-    totp_vault_key="$(sh -c "${RAND_CMD}")" \
+  # Another check to be sure it wasn't a transient error as it would overwrite existings KV
+  if ! vault kv list $(dirname ${VAULT_KV_PATH}) 2>/dev/null | grep -q -E "^$(basename ${VAULT_KV_PATH})\$"; then
+    vault kv put ${VAULT_KV_PATH} \
+      totp_vault_key="$(sh -c "${RAND_CMD}")" \
 
+  fi
 fi
 for SECRET in totp_vault_key; do
   if ! vault kv get -field ${SECRET} ${VAULT_KV_PATH} >/dev/null 2>&1; then
-    vault kv patch ${VAULT_KV_PATH} \
-      ${SECRET}="$(sh -c "${RAND_CMD}")"
+    # Same here, check twice to be sure secrets aren't already here
+    if ! vault kv get -field ${SECRET} ${VAULT_KV_PATH} >/dev/null 2>&1; then
+      vault kv patch ${VAULT_KV_PATH} \
+        ${SECRET}="$(sh -c "${RAND_CMD}")"
+    fi
   fi
 done
 

example/vault/policies/plausible.hcl

@@ -1,6 +1,6 @@
 path "kv/data/service/plausible" {
   capabilities = ["read"]
 }
-path "database/creds/plausible" {
+path "database/creds/postgres-plausible" {
   capabilities = ["read"]
 }