Finish building Postgres support (#133)

This includes: - Building a Docker image for Postgres as well as SQLite - Fuller instructions for usage of the package, including the Postgres builds. A few related things changed here: - `.env` is not used anymore -- the defaults in the Dockerfiles are sufficient - The Rust version in the Dockerfiles is increased to match the MSRV, and with it the Alpine version bumped to one built with that Rust version. - Cargo dependencies on native-tls and openssl updated to include only the `vendored` feature, so as not to require a system openssl installation. - Two GitHub jobs are set up, to build the two different Docker images - The documentation incorrectly suggested using `DELETE .. CASCADE` to delete clients. This syntax does not exist, as the cascading delete is configured in the schema.
2026-04-05 17:20:35 +00:00 · 2025-07-29 21:52:33 -04:00
parent 820aaf363c
commit ab6df362bf
22 changed files with 401 additions and 201 deletions
--- a/.dockerignore
+++ b/.dockerignore
@ -4,4 +4,5 @@
 !core/
 !server/
 !sqlite/
-!docker-entrypoint.sh
+!postgres/
 !entrypoint-*
--- a/.env
+++ b/.env
@ -1,3 +0,0 @@
 # Versions must be major.minor
 ALPINE_VERSION=3.19
 RUST_VERSION=1.78
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@ -6,17 +6,13 @@ on:
      - '*'
 jobs:
-  docker:
+  sqlite:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Load .env file
        uses: xom9ikk/dotenv@v2
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
      - name: Login to ghcr.io
        uses: docker/login-action@v3
        with:
@ -24,11 +20,11 @@ jobs:
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Docker meta
-        id: meta
+        id: meta-sqlite
        uses: docker/metadata-action@v5
        with:
          images: |
-            ghcr.io/${{ github.repository }}
+            ghcr.io/gothenburgbitfactory/taskchampion-sync-server
          tags: |
            type=ref,event=branch
            type=semver,pattern={{version}}
@ -38,10 +34,39 @@ jobs:
        uses: docker/build-push-action@v6
        with:
          context: .
          path: "{context}/Dockerfile-sqlite"
          platforms: linux/amd64,linux/arm64
          push: true
-          tags: ${{ steps.meta.outputs.tags }}
+          tags: ${{ steps.meta-sqlite.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
+          labels: ${{ steps.meta-sqlite.outputs.labels }}
-          build-args: |
+  postgres:
-            ALPINE_VERSION=${{ env.ALPINE_VERSION }}
+    runs-on: ubuntu-latest
-            RUST_VERSION=${{ env.RUST_VERSION }}
+    steps:
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Login to ghcr.io
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Docker meta
        id: meta-postgres
        uses: docker/metadata-action@v5
        with:
          images: |
            ghcr.io/gothenburgbitfactory/taskchampion-sync-server-postgres
          tags: |
            type=ref,event=branch
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
            type=match,pattern=\d.\d.\d,value=latest
      - name: Build and push
        uses: docker/build-push-action@v6
        with:
          context: .
          path: "{context}/Dockerfile-postgres"
          platforms: linux/amd64,linux/arm64
          push: true
          tags: ${{ steps.meta-postgres.outputs.tags }}
          labels: ${{ steps.meta-postgres.outputs.labels }}
--- a/Cargo.lock
+++ b/Cargo.lock
@ -337,7 +337,7 @@ dependencies = [
 "miniz_oxide",
 "object",
 "rustc-demangle",
- "windows-targets 0.52.6",
+ "windows-targets",
 ]
 [[package]]
@ -654,7 +654,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "778e2ac28f6c47af28e4907f13ffd1e1ddbd400980a9abd7c8df189bf578a5ad"
 dependencies = [
 "libc",
- "windows-sys 0.60.2",
+ "windows-sys 0.52.0",
 ]
 [[package]]
@ -1371,7 +1371,7 @@ dependencies = [
 "libc",
 "redox_syscall",
 "smallvec",
- "windows-targets 0.52.6",
+ "windows-targets",
 ]
 [[package]]
@ -1634,7 +1634,7 @@ dependencies = [
 "errno",
 "libc",
 "linux-raw-sys",
- "windows-sys 0.59.0",
+ "windows-sys 0.52.0",
 ]
 [[package]]
@ -1908,6 +1908,7 @@ dependencies = [
 "env_logger",
 "log",
 "native-tls",
 "openssl",
 "postgres-native-tls",
 "pretty_assertions",
 "taskchampion-sync-server-core",
@ -1953,7 +1954,7 @@ dependencies = [
 "getrandom",
 "once_cell",
 "rustix",
- "windows-sys 0.59.0",
+ "windows-sys 0.52.0",
 ]
 [[package]]
@ -2395,7 +2396,7 @@ version = "0.52.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "282be5f36a8ce781fad8c8ae18fa3f9beff57ec1b52cb3de0789201425d9a33d"
 dependencies = [
- "windows-targets 0.52.6",
+ "windows-targets",
 ]
 [[package]]
@ -2404,16 +2405,7 @@ version = "0.59.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1e38bc4d79ed67fd075bcc251a1c39b32a1776bbe92e5bef1f0bf1f8c531853b"
 dependencies = [
- "windows-targets 0.52.6",
+ "windows-targets",
 ]
 [[package]]
 name = "windows-sys"
 version = "0.60.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "f2f500e4d28234f72040990ec9d39e3a6b950f9f22d3dba18416c35882612bcb"
 dependencies = [
 "windows-targets 0.53.2",
 ]
 [[package]]
@ -2422,30 +2414,14 @@ version = "0.52.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9b724f72796e036ab90c1021d4780d4d3d648aca59e491e6b98e725b84e99973"
 dependencies = [
- "windows_aarch64_gnullvm 0.52.6",
+ "windows_aarch64_gnullvm",
- "windows_aarch64_msvc 0.52.6",
+ "windows_aarch64_msvc",
- "windows_i686_gnu 0.52.6",
+ "windows_i686_gnu",
- "windows_i686_gnullvm 0.52.6",
+ "windows_i686_gnullvm",
- "windows_i686_msvc 0.52.6",
+ "windows_i686_msvc",
- "windows_x86_64_gnu 0.52.6",
+ "windows_x86_64_gnu",
- "windows_x86_64_gnullvm 0.52.6",
+ "windows_x86_64_gnullvm",
- "windows_x86_64_msvc 0.52.6",
+ "windows_x86_64_msvc",
 ]
 [[package]]
 name = "windows-targets"
 version = "0.53.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c66f69fcc9ce11da9966ddb31a40968cad001c5bedeb5c2b82ede4253ab48aef"
 dependencies = [
 "windows_aarch64_gnullvm 0.53.0",
 "windows_aarch64_msvc 0.53.0",
 "windows_i686_gnu 0.53.0",
 "windows_i686_gnullvm 0.53.0",
 "windows_i686_msvc 0.53.0",
 "windows_x86_64_gnu 0.53.0",
 "windows_x86_64_gnullvm 0.53.0",
 "windows_x86_64_msvc 0.53.0",
 ]
 [[package]]
@ -2454,96 +2430,48 @@ version = "0.52.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "32a4622180e7a0ec044bb555404c800bc9fd9ec262ec147edd5989ccd0c02cd3"
 [[package]]
 name = "windows_aarch64_gnullvm"
 version = "0.53.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "86b8d5f90ddd19cb4a147a5fa63ca848db3df085e25fee3cc10b39b6eebae764"
 [[package]]
 name = "windows_aarch64_msvc"
 version = "0.52.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "09ec2a7bb152e2252b53fa7803150007879548bc709c039df7627cabbd05d469"
 [[package]]
 name = "windows_aarch64_msvc"
 version = "0.53.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c7651a1f62a11b8cbd5e0d42526e55f2c99886c77e007179efff86c2b137e66c"
 [[package]]
 name = "windows_i686_gnu"
 version = "0.52.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "8e9b5ad5ab802e97eb8e295ac6720e509ee4c243f69d781394014ebfe8bbfa0b"
 [[package]]
 name = "windows_i686_gnu"
 version = "0.53.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c1dc67659d35f387f5f6c479dc4e28f1d4bb90ddd1a5d3da2e5d97b42d6272c3"
 [[package]]
 name = "windows_i686_gnullvm"
 version = "0.52.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "0eee52d38c090b3caa76c563b86c3a4bd71ef1a819287c19d586d7334ae8ed66"
 [[package]]
 name = "windows_i686_gnullvm"
 version = "0.53.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9ce6ccbdedbf6d6354471319e781c0dfef054c81fbc7cf83f338a4296c0cae11"
 [[package]]
 name = "windows_i686_msvc"
 version = "0.52.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "240948bc05c5e7c6dabba28bf89d89ffce3e303022809e73deaefe4f6ec56c66"
 [[package]]
 name = "windows_i686_msvc"
 version = "0.53.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "581fee95406bb13382d2f65cd4a908ca7b1e4c2f1917f143ba16efe98a589b5d"
 [[package]]
 name = "windows_x86_64_gnu"
 version = "0.52.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "147a5c80aabfbf0c7d901cb5895d1de30ef2907eb21fbbab29ca94c5b08b1a78"
 [[package]]
 name = "windows_x86_64_gnu"
 version = "0.53.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "2e55b5ac9ea33f2fc1716d1742db15574fd6fc8dadc51caab1c16a3d3b4190ba"
 [[package]]
 name = "windows_x86_64_gnullvm"
 version = "0.52.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "24d5b23dc417412679681396f2b49f3de8c1473deb516bd34410872eff51ed0d"
 [[package]]
 name = "windows_x86_64_gnullvm"
 version = "0.53.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "0a6e035dd0599267ce1ee132e51c27dd29437f63325753051e71dd9e42406c57"
 [[package]]
 name = "windows_x86_64_msvc"
 version = "0.52.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "589f6da84c646204747d1270a2a5661ea66ed1cced2631d546fdfb155959f9ec"
 [[package]]
 name = "windows_x86_64_msvc"
 version = "0.53.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "271414315aff87387382ec3d271b52d7ae78726f5d44ac98b4f4030c91880486"
 [[package]]
 name = "wit-bindgen-rt"
 version = "0.39.0"
--- a/Cargo.toml
+++ b/Cargo.toml
@ -30,3 +30,6 @@ tokio = { version = "*", features = ["rt", "macros"] }
 tokio-postgres = { version = "0.7.13", features = ["with-uuid-1"] }
 bb8 = "0.9.0"
 bb8-postgres = { version = "0.9.0", features = ["with-uuid-1"] }
 openssl = { version = "0.10.73", default-features = false, features = ["vendored"] }
 native-tls = { version = "0.2.14", default-features = false, features = ["vendored"] }
 postgres-native-tls = "0.5.1"
--- a/26
+++ b/26
@ -0,0 +1,26 @@
 # Versions must be major.minor
 # Default versions are as below
 ARG RUST_VERSION=1.85
 ARG ALPINE_VERSION=3.20
 FROM docker.io/rust:${RUST_VERSION}-alpine${ALPINE_VERSION} AS builder
 # perl and make are required to build openssl.
 RUN apk -U add libc-dev perl make
 COPY Cargo.lock Cargo.toml /data/
 COPY core /data/core/
 COPY server /data/server/
 COPY postgres /data/postgres/
 COPY sqlite /data/sqlite/
 RUN cd /data && \
  cargo build -p taskchampion-sync-server --release --no-default-features --features postgres --bin taskchampion-sync-server-postgres
 FROM docker.io/alpine:${ALPINE_VERSION}
 COPY --from=builder /data/target/release/taskchampion-sync-server-postgres /bin
 RUN apk add --no-cache su-exec && \
  adduser -u 1092 -S -D -H -h /var/lib/taskchampion-sync-server -s /sbin/nologin -G users \
  -g taskchampion taskchampion && \
  install -d -m1755 -o1092 -g1092 "/var/lib/taskchampion-sync-server"
 EXPOSE 8080
 COPY entrypoint-postgres.sh /bin/entrypoint.sh
 ENTRYPOINT [ "/bin/entrypoint.sh" ]
 CMD [ "/bin/taskchampion-sync-server-postgres" ]
--- a/15
+++ b/15
@ -1,16 +1,17 @@
 # Versions must be major.minor
 # Default versions are as below
-ARG RUST_VERSION=1.78
+ARG RUST_VERSION=1.85
-ARG ALPINE_VERSION=3.19
+ARG ALPINE_VERSION=3.20
 FROM docker.io/rust:${RUST_VERSION}-alpine${ALPINE_VERSION} AS builder
 RUN apk -U add libc-dev
 COPY Cargo.lock Cargo.toml /data/
 COPY core /data/core/
 COPY server /data/server/
 COPY postgres /data/postgres/
 COPY sqlite /data/sqlite/
-RUN apk -U add libc-dev && \
+RUN cd /data && \
-  cd /data && \
+  cargo build --release --bin taskchampion-sync-server
  cargo build --release
 FROM docker.io/alpine:${ALPINE_VERSION}
 COPY --from=builder /data/target/release/taskchampion-sync-server /bin
@ -20,6 +21,6 @@ RUN apk add --no-cache su-exec && \
  install -d -m1755 -o1092 -g1092 "/var/lib/taskchampion-sync-server"
 EXPOSE 8080
 VOLUME /var/lib/taskchampion-sync-server/data
-COPY docker-entrypoint.sh /bin
+COPY entrypoint-sqlite.sh /bin/entrypoint.sh
-ENTRYPOINT [ "/bin/docker-entrypoint.sh" ]
+ENTRYPOINT [ "/bin/entrypoint.sh" ]
 CMD [ "/bin/taskchampion-sync-server" ]
--- a/README.md
+++ b/README.md
@ -60,7 +60,7 @@ cargo build --release
 After build the binary is located in
 `target/release/taskchampion-sync-server`.
-#### Building the Postgres backend
+#### Building the Postgres Backend
 The storage backend is controlled by Cargo features `postres` and `sqlite`.
 By default, only the `sqlite` feature is enabled.
--- a/docs/src/SUMMARY.md
+++ b/docs/src/SUMMARY.md
@ -2,4 +2,10 @@
 - [Introduction](./introduction.md)
 - [Usage](./usage.md)
  - [Docker Compose](./usage/docker-compose.md)
  - [Docker Images](./usage/docker-images.md)
  - [Binaries](./usage/binaries.md)
 - [Integration](./integration.md)
  - [Pre-built Images](./integration/pre-built.md)
  - [Rust Crates](./integration/crates.md)
  - [Sync Protocol Implementation](./integration/protocol-impl.md)
--- a/docs/src/integration.md
+++ b/docs/src/integration.md
@ -1,3 +1,16 @@
 # Integration
-TBD (pending Postgres support)
+Taskchampion-sync-server can be integrated into larger applications, such as
 web-based hosting services.
 - Most deployments can simply use the pre-built Docker images to implement the
 sync protocol, handling other aspects of the application in separate
 containers. See [Pre-built Images](./integration/pre-built.md).
 - More complex deployments may wish to modify or extend the operation of the
 server. These can use the Rust crates to build precisely the desired
 functionality. See [Rust Crates](./integration/crates.md).
 - If desired, an integration may completely re-implement the [sync
 protocol](https://gothenburgbitfactory.org/taskchampion/sync.html). See [Sync
 Protocol Implementation](./integration/protocol-impl.md).
--- a/docs/src/integration/crates.md
+++ b/docs/src/integration/crates.md
@ -0,0 +1,17 @@
 # Rust Crates
 This project publishes several Rust crates on `crates.io`:
 - [`taskchampion-sync-server-core`](https://docs.rs/taskchampion-sync-server-core)
 implements the core of the protocol
 - [`taskchampion-sync-server-storage-sqlite`](https://docs.rs/taskchampion-sync-server-storage-sqlite)
 implements an SQLite backend for the core
 - [`taskchampion-sync-server-storage-postgres`](https://docs.rs/taskchampion-sync-server-storage-postgres)
 implements a Postgres backend for the core
 If you are building an integration with, for example, a custom storage system,
 it may be helpful to use the `core` crate and provide a custom implementation
 of its `Storage` trait.
 We suggest that any generally useful extensions, such as additional storage
 backends, be published as open-source packages.
--- a/docs/src/integration/pre-built.md
+++ b/docs/src/integration/pre-built.md
@ -0,0 +1,40 @@
 # Pre-built Images
 The pre-built Postgres Docker image described in [Docker
 Images](../usage/docker-images.md) may be adequate for a production deployment.
 The image is stateless and can be easily scaled horizontally to increase
 capacity.
 ## Database Schema
 The schema defined in
 [`postgres/schema.sql`](https://github.com/GothenburgBitFactory/taskchampion-sync-server/blob/main/postgres/schema.sql)
 must be applied to the database before the container will function.
 The schema is stable, and any changes to the schema will be made in a major
 version with migration instructions provided.
 An integration may:
 - Add additional tables to the database
 - Add additional columns to the `clients` table. If those columns do not have
 default values, ensure the server is configured with `CREATE_CLIENTS=false` as
 described below.
 - Insert rows into the `clients` table, using default values for all columns
 except `client_id` and any application-specific columns.
 - Delete rows from the `clients` table. Note that this table is configured to
 automatically delete all data associated with a client when the client's row is
 deleted.
 ## Managing Clients
 By default, taskchampion-sync-server creates a new, empty client when it
 receives a connection from an unrecognized client ID. Setting
 `CREATE_CLIENTS=false` disables this functionality, and is recommended in
 production deployments to avoid abuse.
 In this configuration, it is the responsibility of the integration to create
 new client rows when desired, using a statement like `INSERT into clients
 (client_id) values ($1)` with the new client ID as a parameter. Similarly,
 clients may be deleted, along with all stored task data, using a statement like
 `DELETE from clients where client_id = $1`.
--- a/docs/src/integration/protocol-impl.md
+++ b/docs/src/integration/protocol-impl.md
@ -0,0 +1,10 @@
 # Sync Protocol Implementation
 The [sync protocol](https://gothenburgbitfactory.org/taskchampion/sync.html) is
 an open specification, and can be re-implemented from that specification as
 desired. This specification is not battle-tested, so refer to
 taskchampion-sync-server's implementation to resolve any ambiguities, and
 please create pull requests to resolve the ambiguity in the specification.
 We suggest that new implementations be published as open-source packages where
 possible.
--- a/docs/src/introduction.md
+++ b/docs/src/introduction.md
@ -1,11 +1,30 @@
 # Introduction
-Taskchampion Sync-Server is an implementation of the TaskChampion [sync
+Taskchampion-sync-server is an implementation of the TaskChampion [sync
 protocol][sync-protocol] server. It supports synchronizing Taskwarrior tasks
 between multiple systems.
 [sync-protocol]: https://gothenburgbitfactory.org/taskchampion/sync.html
 The project provides both pre-built images for common use-cases (see
 [usage](./usage.md)) and Rust libraries that can be used to build more
 sophisticated applications ([integration](./integration.md)).
 It also serves as a reference implementation: where the
 [specification][sync-protocol] is ambiguous, this implementation's
 interpretation is favored in resolving the ambiguity. Other implementations of
 the protocol should interoperate with this implementation.
 ## Sync Overview
 The server identifies each user with a client ID. For example, when
 syncing Taskwarrior tasks between a desktop computer and a laptop, both systems
 would use the same client ID to indicate that they share the same user's task data.
 Task data is encrypted, and the server does not have access to the encryption
 secret. The server sees only encrypted data and cannot read or modify tasks in
 any way.
 To perform a sync, a replica first downloads and decrypts any changes that have
 been sent to the server since its last sync. It then gathers any local changes,
 encrypts them, and uploads them to the server.
 [sync-protocol]: https://gothenburgbitfactory.org/taskchampion/sync.html
--- a/docs/src/usage.md
+++ b/docs/src/usage.md
@ -1,87 +1,22 @@
 # Usage
-## Running the Server
+This repository is flexible and can be used in a number of ways, to suit your
 needs.
-The server is a simple binary that serves HTTP requests on a TCP port. The
+- If you only need a place to sync your tasks, using cloud storage may be
-server does not implement TLS; for public deployments, the recommendation is to
+cheaper and easier than running taskchampion-sync-server. See
-use a reverse proxy such as Nginx, haproxy, or Apache httpd.
+[task-sync(5)](http://taskwarrior.org/docs/man/task-sync.5/) for details on
 cloud storage.
-### Using Docker-Compose
+- If you have a publicly accessible server, such as a VPS, you can use `docker
 compose` to run taskchampion-sync-server as pre-built docker images. See
 [Docker Compose](./usage/docker-compose.md).
-Every release of the server generates a Docker image in
+- If you would like more control, such as to deploy taskchampion-sync-server
-`ghcr.io/gothenburgbitfactory/taskchampion-sync-server`. The tags include
+within an orchestration environment such as Kubernetes, you can deploy the
-`latest` for the latest release, and both minor and patch versions, e.g., `0.5`
+docker images directly. See [Docker Images](./usage/docker-images.md).
 and `0.5.1`.
-The
+- For even more control, or to avoid the overhead of container images, you can
-[`docker-compose.yml`](https://raw.githubusercontent.com/GothenburgBitFactory/taskchampion-sync-server/refs/tags/v0.6.1/docker-compose.yml)
+build and run the taskchampion-sync-server binary directly. See
-file in this repository is sufficient to run taskchampion-sync-server,
+[Binaries](./usage/binaries.md).
 including setting up TLS certificates using Lets Encrypt, thanks to
 [Caddy](https://caddyserver.com/).
 You will need a server with ports 80 and 443 open to the Internet and with a
 fixed, publicly-resolvable hostname. These ports must be available both to your
 Taskwarrior clients and to the Lets Encrypt servers.
 On that server, download `docker-compose.yml` from the link above (it is pinned
 to the latest release) into the current directory. Then run
 ```sh
 TASKCHAMPION_SYNC_SERVER_HOSTNAME=taskwarrior.example.com \
 TASKCHAMPION_SYNC_SERVER_CLIENT_ID=your-client-id \
 docker compose up
 ```
 The `TASKCHAMPION_SYNC_SERVER_CLIENT_ID` limits the server to the given client
 ID; omit it to allow all client IDs.
 It can take a few minutes to obtain the certificate; the caddy container will
 log a message "certificate obtained successfully" when this is complete, or
 error messages if the process fails. Once this process is complete, configure
 your `.taskrc`'s to point to the server:
 ```none
 sync.server.url=https://taskwarrior.example.com
 sync.server.client_id=your-client-id
 sync.encryption_secret=your-encryption-secret
 ```
 The docker-compose images store data in a docker volume named
 `taskchampion-sync-server_data`. This volume contains all of the task data, as
 well as the TLS certificate information. It will persist over restarts, in a
 typical Docker installation. The docker containers will start automatically on
 system startup. See the docker-compose documentation for more information.
 ### Running the Binary
 The server is configured with command-line options. See
 `taskchampion-sync-server --help` for full details.
 The `--listen` option specifies the interface and port the server listens on.
 It must contain an IP-Address or a DNS name and a port number. This option is
 mandatory, but can be repeated to specify multiple interfaces or ports. This
 value can be specified in environment variable `LISTEN`, as a comma-separated
 list of values.
 The `--data-dir` option specifies where the server should store its data. This
 value can be specified in the environment variable `DATA_DIR`.
 By default, the server will allow all clients and create them in the database
 on first contact. There are two ways to limit the clients the server will
 interact with:
 - To limit the accepted client IDs, specify them in the environment variable
 `CLIENT_ID`, as a comma-separated list of UUIDs. Client IDs can be specified
 with `--allow-client-id`, but this should not be used on shared systems, as
 command line arguments are visible to all users on the system. This convenient
 option is suitable for personal and small-scale deployments.
 - To disable the automatic creation of clients, use the `--no-create-clients`
 flag or the `CREATE_CLIENTS=false` environment variable. You are now
 responsible for creating clients in the database manually, so this option is
 more suitable for large scale deployments.
 The server only logs errors by default. To add additional logging output, set
 environment variable `RUST_LOG` to `info` to get a log message for every
 request, or to `debug` to get more verbose debugging output.
--- a/docs/src/usage/binaries.md
+++ b/docs/src/usage/binaries.md
@ -0,0 +1,49 @@
 # Binaries
 Taskchampion-sync-server is a single binary that serves HTTP requests on a TCP
 port. The server does not implement TLS; for public deployments, the
 recommendation is to use a reverse proxy such as Nginx, haproxy, or Apache
 httpd.
 One binary is provided for each storage backend:
 - `taskchampion-sync-server` (SQLite)
 - `taskchampion-sync-server-postgres` (Postgres)
 ### Running the Binary
 The server is configured with command-line options or environment variables.
 See the `--help` output for full details.
 For the SQLite binary, the `--data-dir` option or `DATA_DIR` environment
 variable specifies where the server should store its data. For the Postgres
 binary, the `--connection` option or `CONNECTION` environment variable
 specifies the connection information, in the form of a [LibPQ-style connection
 URI](https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNSTRING-URIS).
 The remaining options are common to all binaries.
 The `--listen` option specifies the interface and port the server listens on.
 It must contain an IP-Address or a DNS name and a port number. This option is
 mandatory, but can be repeated to specify multiple interfaces or ports. This
 value can be specified in environment variable `LISTEN`, as a comma-separated
 list of values.
 By default, the server will allow all clients and create them in the database
 on first contact. There are two ways to limit the clients the server will
 interact with:
 - To limit the accepted client IDs, specify them in the environment variable
 `CLIENT_ID`, as a comma-separated list of UUIDs. Client IDs can be specified
 with `--allow-client-id`, but this should not be used on shared systems, as
 command line arguments are visible to all users on the system. This convenient
 option is suitable for personal and small-scale deployments.
 - To disable the automatic creation of clients, use the `--no-create-clients`
 flag or the `CREATE_CLIENTS=false` environment variable. You are now
 responsible for creating clients in the database manually, so this option is
 more suitable for large scale deployments. See [Integration](../integration.md)
 for more information on such deployments.
 The server only logs errors by default. To add additional logging output, set
 environment variable `RUST_LOG` to `info` to get a log message for every
 request, or to `debug` to get more verbose debugging output.
--- a/docs/src/usage/docker-compose.md
+++ b/docs/src/usage/docker-compose.md
@ -0,0 +1,43 @@
 # Docker Compose
 The
 [`docker-compose.yml`](https://raw.githubusercontent.com/GothenburgBitFactory/taskchampion-sync-server/refs/tags/v0.6.1/docker-compose.yml)
 file in this repository is sufficient to run taskchampion-sync-server,
 including setting up TLS certificates using Lets Encrypt, thanks to
 [Caddy](https://caddyserver.com/). This setup uses the SQLite backend, which is
 adequate for one or a few clients.
 You will need a server with ports 80 and 443 open to the Internet and with a
 fixed, publicly-resolvable hostname. These ports must be available both to your
 Taskwarrior clients and to the Lets Encrypt servers.
 On that server, download `docker-compose.yml` from the link above (it is pinned
 to the latest release) into the current directory. Then run
 ```sh
 TASKCHAMPION_SYNC_SERVER_HOSTNAME=taskwarrior.example.com \
 TASKCHAMPION_SYNC_SERVER_CLIENT_ID=your-client-id \
 docker compose up
 ```
 The `TASKCHAMPION_SYNC_SERVER_CLIENT_ID` limits the server to the given client
 ID; omit it to allow all client IDs. You may specify multiple client IDs
 separated by commas.
 It can take a few minutes to obtain the certificate; the caddy container will
 log a message "certificate obtained successfully" when this is complete, or
 error messages if the process fails. Once this process is complete, configure
 your `.taskrc`'s to point to the server:
 ```none
 sync.server.url=https://taskwarrior.example.com
 sync.server.client_id=your-client-id
 sync.encryption_secret=your-encryption-secret
 ```
 The docker-compose images store data in a docker volume named
 `taskchampion-sync-server_data`. This volume contains all of the task data, as
 well as the TLS certificate information. It will persist over restarts, in a
 typical Docker installation. The docker containers will start automatically
 when the Docker dameon starts. See the docker-compose documentation for more
 information.
--- a/docs/src/usage/docker-images.md
+++ b/docs/src/usage/docker-images.md
@ -0,0 +1,57 @@
 # Docker Images
 Every release of the server generates Docker images. One image is produced for
 each storage backend:
 - `ghcr.io/gothenburgbitfactory/taskchampion-sync-server` (SQLite)
 - `ghcr.io/gothenburgbitfactory/taskchampion-sync-server-postgres` (Postgres)
 The image tags include `latest` for the latest release, and both minor and
 patch versions, e.g., `0.5` and `0.5.1`.
 ## Running the Image
 At startup, each image applies some default values and runs the relevant binary
 directly. Configuration is typically by environment variables, all of which are
 documented in the `--help` output of the binaries. These include
 - `RUST_LOG` - log level, one of `trace`, `debug`, `info`, `warn` and `error`.
 - `DATA_DIR` (SQLite only; default `/var/lib/taskchampion-sync-server/data`) -
 directory for the synced data.
 - `CONNECTION` (Postgres only) - Postgres connection information, in the form
 of a [LibPQ-style connection
 URI](https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNSTRING-URIS).
 - `LISTEN` (default `0.0.0.0:8080`) - address and port on which to listen for
 HTTP requests.
 - `CLIENT_ID` - comma-separated list of client IDs that will be allowed, or
 empty to allow all clients.
 - `CREATE_CLIENTS` (default `true`) - if true, automatically create clients on
 first sync. If this is set to false, it is up to you to initialize clients in
 the DB.
 ### Example
 ```shell
 docker run -d \
  --name=taskchampion-sync-server \
  -p 8080:8080 \
  -e RUST_LOG=debug \
  -v /data/taskchampion-sync-server:/var/lib/taskchampion-sync-server/data \
  taskchampion-sync-server
 ```
 ### Image-Specific Setup
 The SQLite image is configured with `VOLUME
 /var/lib/taskchampion-sync-server/data`, persisting the task data in an
 anonymous Docker volume. It is recommended to put this on a named volume, or
 persistent storage in an environment like Kubernetes, so that it is not
 accidentally deleted.
 The Postgres image does not automatically create its database schema. See the
 [integration section](../integration/pre-built.md) for more detail. This
 implementation is tested with Postgres version 17 but should work with any
 recent version.
 Note that the Docker images do not implement TLS. The expectation is that
 another component, such as a Kubernetes ingress, will terminate the TLS
 connection and proxy HTTP traffic to the taskchampion-sync-server container.
--- a/entrypoint-postgres.sh
+++ b/entrypoint-postgres.sh
@ -0,0 +1,29 @@
 #!/bin/sh
 set -e
 echo "starting entrypoint script..."
 if [ "$1" = "/bin/taskchampion-sync-server-postgres" ]; then
    : ${DATA_DIR:=/var/lib/taskchampion-sync-server/data}
    export DATA_DIR
    echo "setting up data directory ${DATA_DIR}"
    mkdir -p "${DATA_DIR}"
    chown -R taskchampion:users "${DATA_DIR}"
    chmod -R 700 "${DATA_DIR}"
    : ${LISTEN:=0.0.0.0:8080}
    export LISTEN
    echo "Listen set to ${LISTEN}"
    if [ -n "${CLIENT_ID}" ]; then
        export CLIENT_ID
        echo "Limiting to client ID ${CLIENT_ID}"
    else
        unset CLIENT_ID
    fi
    if [ "$(id -u)" = "0" ]; then
        echo "Running server as user 'taskchampion'"
        exec su-exec taskchampion "$@"
    fi
 else
    eval "${@}"
 fi
--- a/entrypoint-sqlite.sh
+++ b/entrypoint-sqlite.sh
--- a/postgres/Cargo.toml
+++ b/postgres/Cargo.toml
@ -21,8 +21,9 @@ thiserror.workspace = true
 tokio-postgres.workspace = true
 tokio.workspace = true
 uuid.workspace = true
-native-tls = { version = "0.2.14", features = ["vendored"] }
+openssl.workspace = true
-postgres-native-tls = "0.5.1"
+native-tls.workspace = true
 postgres-native-tls.workspace = true
 [dev-dependencies]
 tempfile.workspace = true
--- a/postgres/src/lib.rs
+++ b/postgres/src/lib.rs
@ -25,7 +25,7 @@
 //!    `taskchampion-sync-server` to never call this method.
 //!  - Insert rows into the `clients` table, using default values for all columns except
 //!    `client_id` and application-specific columns.
-//!  - Delete rows from the `clients` table, using `CASCADE` to ensure any associated data
+//!  - Delete rows from the `clients` table, noting that any associated task data
 //!    is also deleted.
 use anyhow::Context;