Add Plausible Analytics CE v3.2.0

[BookJJun-IJ]

Summary

Add Plausible Analytics CE (v3.2.0), a privacy-friendly web analytics alternative to Google Analytics with PostgreSQL + ClickHouse backend.

Architecture

Service	Image	cpu_shares
plausible	ghcr.io/plausible/community-edition:v3.2.0	70
plausible-db	postgres:16.6-alpine	50
plausible-events-db	clickhouse/clickhouse-server:24.12-alpine	50

• Internal network: plausible-network (bridge, DB isolation)
• External network: pcs (Caddy reverse proxy)

Secret generation

Cryptographic secrets (SECRET_KEY_BASE, TOTP_VAULT_KEY) are auto-generated on first start via the command block. Secrets are persisted in /DATA/AppData/$AppID/secrets/ so they survive container restarts. The $$() escaping prevents Docker Compose from interpreting shell command substitution as variable interpolation.

Database healthchecks

Both PostgreSQL and ClickHouse have healthchecks, and the Plausible service uses depends_on with condition: service_healthy. Without this, Plausible's db createdb && db migrate commands race the database startup and fail with connection errors.

Network isolation

Both database services are only on plausible-network — not on pcs. Only the Plausible web UI service is on both networks.

Registration

DISABLE_REGISTRATION: invite_only is set so only the admin can invite new users. The first user to register becomes the admin via the app's onboarding flow.

Submission Checklist

Tech Checklist

• Proper file permissions — user: 0:0 on all services, volumes mapped to /DATA/AppData/$AppID/
• Migration path — Plausible runs db migrate on every start
• Pre-install/post-install commands — N/A

Security Checklist

• Default authentication — first user becomes admin via app onboarding, invite-only registration
• No hardcoded credentials — uses $APP_DEFAULT_PASSWORD for PostgreSQL
• Specific version tags — plausible:v3.2.0, postgres:16.6-alpine, clickhouse-server:24.12-alpine

Functionality Checklist

• Works immediately after installation
• Data mapped to /DATA/AppData/$AppID/ — db/, event-data/, event-logs/, secrets/
• No manual configuration required — secrets auto-generated, DB auto-created
• Data persistence — databases and secrets persist across reinstall
• cpu_shares set on all services — plausible: 70, plausible-db: 50, plausible-events-db: 50
• Fresh installation tested
• Uninstall/reinstall tested

Documentation Checklist

• Clear description — en_us, ko_kr, zh_cn, fr_fr, es_es
• Tagline in 5 languages
• Icon and screenshots provided, CDN URLs point to Yundera/AppStore@main

[Maelisse2002]

🤖 AI Pre-Check

Decision: ⚠️ ai-reviewed:needs-review
Tech review (incl. security): needed — new app submission (human flow owns the decision; AI pre-check is advisory)
Commit: 856f9bc | Checklist source: CONTRIBUTING.md@main

Apps in this PR

• plausible — new app (Plausible Analytics CE v3.2.0)

AI static checks

• ✅ Specific version tags (no :latest) — postgres:16.6-alpine, clickhouse/clickhouse-server:24.12-alpine, community-edition:v3.2.0
• ✅ No hardcoded credentials — uses $APP_DEFAULT_PASSWORD; secret_key_base/totp_vault_key generated at runtime from /dev/urandom
• ✅ Volumes under /DATA/AppData/$AppID/ (db, event-data, event-logs, secrets)
• ✅ cpu_shares set on all services (50 / 50 / 70)
• ✅ x-casaos metadata complete — description, icon, 3 screenshots, thumbnail (5 locales)
• ✅ Asset URLs point to Yundera/AppStore@main
• ✅ pre-install-cmd writes only to AppData (no user dirs; Style-A shell, no images to pin)
• ➖ user: field set on all services (running as 0:0) — see note

→ Tier 2 must verify (human)

• Works immediately after installation (no manual config; sensible defaults)
• Fresh installation tested
• Uninstall / reinstall preserves data (Postgres + ClickHouse volumes)
• Authentication gate works — Plausible's built-in onboarding with DISABLE_REGISTRATION: invite_only (first user becomes admin)

Notes for reviewers

New app → stays on the human flow (advisory AI pass only). All three services run as user: "0:0" but the PR ships no rationale.md; CONTRIBUTING states a rationale is required when "The app runs as user: 0:0". Volumes map exclusively to /DATA/AppData/$AppID/, so root is acceptable per the Permission Strategy — but the missing rationale.md should be confirmed/requested. Auth relies on Plausible's own invite-only onboarding (an acceptable alternative per the Security checklist); verify it's actually gated at runtime.

Next step

→ Tier 2 functional review, then tech + security review (reason: new app submission).

---

_{Generated by AI pre-check. Checklist read live from CONTRIBUTING.md on main. Labels are the machine-readable verdict; this comment is the human-readable explanation. Humans own the merge.}

[BookJJun-IJ]

Only the minimum memory value was set in the resource section.
I used limits to set the maximum memory value.

postgresql : 512M
clickhouse : 1G
Plausible : 1G