test: add rollback error condition tests

Add tests for Rollback method error paths:
- No previous image available
- Empty previous image string
- App deployment lock held
- App lock already acquired

Relates to #71

internal/database/migrations/006_add_previous_image_id.sql

@@ -0,0 +1,2 @@
+-- Add previous_image_id to apps for deployment rollback support
+ALTER TABLE apps ADD COLUMN previous_image_id TEXT;

internal/handlers/app.go

@@ -335,7 +335,7 @@ func (h *Handlers) HandleAppDeploy() http.HandlerFunc {
 		deployCtx := context.WithoutCancel(request.Context())
 
 		go func(ctx context.Context, appToDeploy *models.App) {
-			deployErr := h.deploy.Deploy(ctx, appToDeploy, nil)
+			deployErr := h.deploy.Deploy(ctx, appToDeploy, nil, false)
 			if deployErr != nil {
 				h.log.Error(
 					"deployment failed",
@@ -354,6 +354,56 @@ func (h *Handlers) HandleAppDeploy() http.HandlerFunc {
 	}
 }
 
+// HandleCancelDeploy cancels an in-progress deployment for an app.
+func (h *Handlers) HandleCancelDeploy() http.HandlerFunc {
+	return func(writer http.ResponseWriter, request *http.Request) {
+		appID := chi.URLParam(request, "id")
+
+		application, findErr := models.FindApp(request.Context(), h.db, appID)
+		if findErr != nil || application == nil {
+			http.NotFound(writer, request)
+
+			return
+		}
+
+		cancelled := h.deploy.CancelDeploy(application.ID)
+		if cancelled {
+			h.log.Info("deployment cancelled by user", "app", application.Name)
+		}
+
+		http.Redirect(
+			writer,
+			request,
+			"/apps/"+application.ID,
+			http.StatusSeeOther,
+		)
+	}
+}
+
+// HandleAppRollback handles rolling back to the previous deployment image.
+func (h *Handlers) HandleAppRollback() http.HandlerFunc {
+	return func(writer http.ResponseWriter, request *http.Request) {
+		appID := chi.URLParam(request, "id")
+
+		application, findErr := models.FindApp(request.Context(), h.db, appID)
+		if findErr != nil || application == nil {
+			http.NotFound(writer, request)
+
+			return
+		}
+
+		rollbackErr := h.deploy.Rollback(request.Context(), application)
+		if rollbackErr != nil {
+			h.log.Error("rollback failed", "error", rollbackErr, "app", application.Name)
+			http.Redirect(writer, request, "/apps/"+application.ID, http.StatusSeeOther)
+
+			return
+		}
+
+		http.Redirect(writer, request, "/apps/"+application.ID+"?success=rolledback", http.StatusSeeOther)
+	}
+}
+
 // HandleAppDeployments returns the deployments history handler.
 func (h *Handlers) HandleAppDeployments() http.HandlerFunc {
 	tmpl := templates.GetParsed()

internal/handlers/handlers_test.go

@@ -684,6 +684,47 @@ func TestDeletePortOwnershipVerification(t *testing.T) {
 	assert.NotNil(t, found, "port should still exist after IDOR attempt")
 }
 
+func TestHandleCancelDeployRedirects(t *testing.T) {
+	t.Parallel()
+
+	testCtx := setupTestHandlers(t)
+
+	createdApp := createTestApp(t, testCtx, "cancel-deploy-app")
+
+	request := httptest.NewRequest(
+		http.MethodPost,
+		"/apps/"+createdApp.ID+"/deployments/cancel",
+		nil,
+	)
+	request = addChiURLParams(request, map[string]string{"id": createdApp.ID})
+	recorder := httptest.NewRecorder()
+
+	handler := testCtx.handlers.HandleCancelDeploy()
+	handler.ServeHTTP(recorder, request)
+
+	assert.Equal(t, http.StatusSeeOther, recorder.Code)
+	assert.Equal(t, "/apps/"+createdApp.ID, recorder.Header().Get("Location"))
+}
+
+func TestHandleCancelDeployReturns404ForUnknownApp(t *testing.T) {
+	t.Parallel()
+
+	testCtx := setupTestHandlers(t)
+
+	request := httptest.NewRequest(
+		http.MethodPost,
+		"/apps/nonexistent/deployments/cancel",
+		nil,
+	)
+	request = addChiURLParams(request, map[string]string{"id": "nonexistent"})
+	recorder := httptest.NewRecorder()
+
+	handler := testCtx.handlers.HandleCancelDeploy()
+	handler.ServeHTTP(recorder, request)
+
+	assert.Equal(t, http.StatusNotFound, recorder.Code)
+}
+
 func TestHandleWebhookReturns404ForUnknownSecret(t *testing.T) {
 	t.Parallel()
 

internal/middleware/middleware.go

@@ -235,9 +235,9 @@ func (m *Middleware) CSRF() func(http.Handler) http.Handler {
 // loginRateLimit configures the login rate limiter.
 const (
 	loginRateLimit      = rate.Limit(5.0 / 60.0) // 5 requests per 60 seconds
-	loginBurst          = 5                       // allow burst of 5
+	loginBurst          = 5                      // allow burst of 5
-	limiterExpiry       = 10 * time.Minute        // evict entries not seen in 10 minutes
+	limiterExpiry       = 10 * time.Minute       // evict entries not seen in 10 minutes
-	limiterCleanupEvery = 1 * time.Minute         // sweep interval
+	limiterCleanupEvery = 1 * time.Minute        // sweep interval
 )
 
 // ipLimiterEntry stores a rate limiter with its last-seen timestamp.
@@ -249,8 +249,8 @@ type ipLimiterEntry struct {
 // ipLimiter tracks per-IP rate limiters for login attempts with automatic
 // eviction of stale entries to prevent unbounded memory growth.
 type ipLimiter struct {
-	mu       sync.Mutex
+	mu        sync.Mutex
-	limiters map[string]*ipLimiterEntry
+	limiters  map[string]*ipLimiterEntry
 	lastSweep time.Time
 }
 

internal/models/app.go

@@ -14,7 +14,7 @@ import (
 const appColumns = `id, name, repo_url, branch, dockerfile_path, webhook_secret,
 			ssh_private_key, ssh_public_key, image_id, status,
 			docker_network, ntfy_topic, slack_webhook, webhook_secret_hash,
-			created_at, updated_at`
+			previous_image_id, created_at, updated_at`
 
 // AppStatus represents the status of an app.
 type AppStatus string
@@ -32,22 +32,23 @@ const (
 type App struct {
 	db *database.Database
 
-	ID             string
+	ID                string
-	Name           string
+	Name              string
-	RepoURL        string
+	RepoURL           string
-	Branch         string
+	Branch            string
-	DockerfilePath string
+	DockerfilePath    string
 	WebhookSecret     string
 	WebhookSecretHash string
 	SSHPrivateKey     string
-	SSHPublicKey   string
+	SSHPublicKey      string
-	ImageID        sql.NullString
+	ImageID           sql.NullString
-	Status         AppStatus
+	PreviousImageID   sql.NullString
-	DockerNetwork  sql.NullString
+	Status            AppStatus
-	NtfyTopic      sql.NullString
+	DockerNetwork     sql.NullString
-	SlackWebhook   sql.NullString
+	NtfyTopic         sql.NullString
-	CreatedAt      time.Time
+	SlackWebhook      sql.NullString
-	UpdatedAt      time.Time
+	CreatedAt         time.Time
+	UpdatedAt         time.Time
 }
 
 // NewApp creates a new App with a database reference.
@@ -140,13 +141,15 @@ func (a *App) insert(ctx context.Context) error {
 		INSERT INTO apps (
 			id, name, repo_url, branch, dockerfile_path, webhook_secret,
 			ssh_private_key, ssh_public_key, image_id, status,
-			docker_network, ntfy_topic, slack_webhook, webhook_secret_hash
+			docker_network, ntfy_topic, slack_webhook, webhook_secret_hash,
-		) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`
+			previous_image_id
+		) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`
 
 	_, err := a.db.Exec(ctx, query,
 		a.ID, a.Name, a.RepoURL, a.Branch, a.DockerfilePath, a.WebhookSecret,
 		a.SSHPrivateKey, a.SSHPublicKey, a.ImageID, a.Status,
 		a.DockerNetwork, a.NtfyTopic, a.SlackWebhook, a.WebhookSecretHash,
+		a.PreviousImageID,
 	)
 	if err != nil {
 		return err
@@ -161,6 +164,7 @@ func (a *App) update(ctx context.Context) error {
 			name = ?, repo_url = ?, branch = ?, dockerfile_path = ?,
 			image_id = ?, status = ?,
 			docker_network = ?, ntfy_topic = ?, slack_webhook = ?,
+			previous_image_id = ?,
 			updated_at = CURRENT_TIMESTAMP
 		WHERE id = ?`
 
@@ -168,6 +172,7 @@ func (a *App) update(ctx context.Context) error {
 		a.Name, a.RepoURL, a.Branch, a.DockerfilePath,
 		a.ImageID, a.Status,
 		a.DockerNetwork, a.NtfyTopic, a.SlackWebhook,
+		a.PreviousImageID,
 		a.ID,
 	)
 
@@ -182,6 +187,7 @@ func (a *App) scan(row *sql.Row) error {
 		&a.ImageID, &a.Status,
 		&a.DockerNetwork, &a.NtfyTopic, &a.SlackWebhook,
 		&a.WebhookSecretHash,
+		&a.PreviousImageID,
 		&a.CreatedAt, &a.UpdatedAt,
 	)
 }
@@ -199,6 +205,7 @@ func scanApps(appDB *database.Database, rows *sql.Rows) ([]*App, error) {
 			&app.ImageID, &app.Status,
 			&app.DockerNetwork, &app.NtfyTopic, &app.SlackWebhook,
 			&app.WebhookSecretHash,
+			&app.PreviousImageID,
 			&app.CreatedAt, &app.UpdatedAt,
 		)
 		if scanErr != nil {

internal/models/deployment.go

@@ -19,6 +19,7 @@ const (
 	DeploymentStatusDeploying DeploymentStatus = "deploying"
 	DeploymentStatusSuccess   DeploymentStatus = "success"
 	DeploymentStatusFailed    DeploymentStatus = "failed"
+	DeploymentStatusCancelled DeploymentStatus = "cancelled"
 )
 
 // Display constants.

internal/server/routes.go

@@ -54,46 +54,48 @@ func (s *Server) SetupRoutes() {
 		r.Group(func(r chi.Router) {
 			r.Use(s.mw.SessionAuth())
 
-		// Dashboard
+			// Dashboard
-		r.Get("/", s.handlers.HandleDashboard())
+			r.Get("/", s.handlers.HandleDashboard())
 
-		// Logout
+			// Logout
-		r.Post("/logout", s.handlers.HandleLogout())
+			r.Post("/logout", s.handlers.HandleLogout())
 
-		// App routes
+			// App routes
-		r.Get("/apps/new", s.handlers.HandleAppNew())
+			r.Get("/apps/new", s.handlers.HandleAppNew())
-		r.Post("/apps", s.handlers.HandleAppCreate())
+			r.Post("/apps", s.handlers.HandleAppCreate())
-		r.Get("/apps/{id}", s.handlers.HandleAppDetail())
+			r.Get("/apps/{id}", s.handlers.HandleAppDetail())
-		r.Get("/apps/{id}/edit", s.handlers.HandleAppEdit())
+			r.Get("/apps/{id}/edit", s.handlers.HandleAppEdit())
-		r.Post("/apps/{id}", s.handlers.HandleAppUpdate())
+			r.Post("/apps/{id}", s.handlers.HandleAppUpdate())
-		r.Post("/apps/{id}/delete", s.handlers.HandleAppDelete())
+			r.Post("/apps/{id}/delete", s.handlers.HandleAppDelete())
-		r.Post("/apps/{id}/deploy", s.handlers.HandleAppDeploy())
+			r.Post("/apps/{id}/deploy", s.handlers.HandleAppDeploy())
-		r.Get("/apps/{id}/deployments", s.handlers.HandleAppDeployments())
+			r.Post("/apps/{id}/deployments/cancel", s.handlers.HandleCancelDeploy())
-		r.Get("/apps/{id}/deployments/{deploymentID}/logs", s.handlers.HandleDeploymentLogsAPI())
+			r.Get("/apps/{id}/deployments", s.handlers.HandleAppDeployments())
-		r.Get("/apps/{id}/deployments/{deploymentID}/download", s.handlers.HandleDeploymentLogDownload())
+			r.Get("/apps/{id}/deployments/{deploymentID}/logs", s.handlers.HandleDeploymentLogsAPI())
-		r.Get("/apps/{id}/logs", s.handlers.HandleAppLogs())
+			r.Get("/apps/{id}/deployments/{deploymentID}/download", s.handlers.HandleDeploymentLogDownload())
-		r.Get("/apps/{id}/container-logs", s.handlers.HandleContainerLogsAPI())
+			r.Get("/apps/{id}/logs", s.handlers.HandleAppLogs())
-		r.Get("/apps/{id}/status", s.handlers.HandleAppStatusAPI())
+			r.Get("/apps/{id}/container-logs", s.handlers.HandleContainerLogsAPI())
-		r.Get("/apps/{id}/recent-deployments", s.handlers.HandleRecentDeploymentsAPI())
+			r.Get("/apps/{id}/status", s.handlers.HandleAppStatusAPI())
-		r.Post("/apps/{id}/restart", s.handlers.HandleAppRestart())
+			r.Get("/apps/{id}/recent-deployments", s.handlers.HandleRecentDeploymentsAPI())
-		r.Post("/apps/{id}/stop", s.handlers.HandleAppStop())
+			r.Post("/apps/{id}/rollback", s.handlers.HandleAppRollback())
-		r.Post("/apps/{id}/start", s.handlers.HandleAppStart())
+			r.Post("/apps/{id}/restart", s.handlers.HandleAppRestart())
+			r.Post("/apps/{id}/stop", s.handlers.HandleAppStop())
+			r.Post("/apps/{id}/start", s.handlers.HandleAppStart())
 
-		// Environment variables
+			// Environment variables
-		r.Post("/apps/{id}/env-vars", s.handlers.HandleEnvVarAdd())
+			r.Post("/apps/{id}/env-vars", s.handlers.HandleEnvVarAdd())
-		r.Post("/apps/{id}/env-vars/{varID}/delete", s.handlers.HandleEnvVarDelete())
+			r.Post("/apps/{id}/env-vars/{varID}/delete", s.handlers.HandleEnvVarDelete())
 
-		// Labels
+			// Labels
-		r.Post("/apps/{id}/labels", s.handlers.HandleLabelAdd())
+			r.Post("/apps/{id}/labels", s.handlers.HandleLabelAdd())
-		r.Post("/apps/{id}/labels/{labelID}/delete", s.handlers.HandleLabelDelete())
+			r.Post("/apps/{id}/labels/{labelID}/delete", s.handlers.HandleLabelDelete())
 
-		// Volumes
+			// Volumes
-		r.Post("/apps/{id}/volumes", s.handlers.HandleVolumeAdd())
+			r.Post("/apps/{id}/volumes", s.handlers.HandleVolumeAdd())
-		r.Post("/apps/{id}/volumes/{volumeID}/delete", s.handlers.HandleVolumeDelete())
+			r.Post("/apps/{id}/volumes/{volumeID}/delete", s.handlers.HandleVolumeDelete())
 
-		// Ports
+			// Ports
-		r.Post("/apps/{id}/ports", s.handlers.HandlePortAdd())
+			r.Post("/apps/{id}/ports", s.handlers.HandlePortAdd())
-		r.Post("/apps/{id}/ports/{portID}/delete", s.handlers.HandlePortDelete())
+			r.Post("/apps/{id}/ports/{portID}/delete", s.handlers.HandlePortDelete())
 		})
 	})
 

internal/service/deploy/deploy.go

@@ -43,10 +43,14 @@ var (
 	ErrContainerUnhealthy = errors.New("container unhealthy after 60 seconds")
 	// ErrDeploymentInProgress indicates another deployment is already running.
 	ErrDeploymentInProgress = errors.New("deployment already in progress for this app")
+	// ErrDeployCancelled indicates the deployment was cancelled by a newer deploy.
+	ErrDeployCancelled = errors.New("deployment cancelled by newer deploy")
 	// ErrBuildTimeout indicates the build phase exceeded the timeout.
 	ErrBuildTimeout = errors.New("build timeout exceeded")
 	// ErrDeployTimeout indicates the deploy phase exceeded the timeout.
 	ErrDeployTimeout = errors.New("deploy timeout exceeded")
+	// ErrNoPreviousImage indicates there is no previous image to rollback to.
+	ErrNoPreviousImage = errors.New("no previous image available for rollback")
 )
 
 // logFlushInterval is how often to flush buffered logs to the database.
@@ -78,7 +82,7 @@ type deploymentLogWriter struct {
 	lineBuffer bytes.Buffer // buffer for incomplete lines
 	mu         sync.Mutex
 	done       chan struct{}
-	flushed    sync.WaitGroup // waits for flush goroutine to finish
+	flushed    sync.WaitGroup  // waits for flush goroutine to finish
 	flushCtx   context.Context //nolint:containedctx // needed for async flush goroutine
 }
 
@@ -205,15 +209,22 @@ type ServiceParams struct {
 	Notify   *notify.Service
 }
 
+// activeDeploy tracks a running deployment so it can be cancelled.
+type activeDeploy struct {
+	cancel context.CancelFunc
+	done   chan struct{}
+}
+
 // Service provides deployment functionality.
 type Service struct {
-	log      *slog.Logger
+	log           *slog.Logger
-	db       *database.Database
+	db            *database.Database
-	docker   *docker.Client
+	docker        *docker.Client
-	notify   *notify.Service
+	notify        *notify.Service
-	config   *config.Config
+	config        *config.Config
-	params   *ServiceParams
+	params        *ServiceParams
-	appLocks sync.Map // map[string]*sync.Mutex - per-app deployment locks
+	activeDeploys sync.Map // map[string]*activeDeploy - per-app active deployment tracking
+	appLocks      sync.Map // map[string]*sync.Mutex - per-app deployment locks
 }
 
 // New creates a new deploy Service.
@@ -274,12 +285,39 @@ func (svc *Service) GetLogFilePath(app *models.App, deployment *models.Deploymen
 	return filepath.Join(svc.config.DataDir, "logs", hostname, app.Name, filename)
 }
 
-// Deploy deploys an app.
+// HasActiveDeploy returns true if there is an active deployment for the given app.
+func (svc *Service) HasActiveDeploy(appID string) bool {
+	_, ok := svc.activeDeploys.Load(appID)
+
+	return ok
+}
+
+// CancelDeploy cancels any in-progress deployment for the given app
+// and waits for it to finish before returning. Returns true if a deployment
+// was cancelled, false if there was nothing to cancel.
+func (svc *Service) CancelDeploy(appID string) bool {
+	if !svc.HasActiveDeploy(appID) {
+		return false
+	}
+
+	svc.cancelActiveDeploy(appID)
+
+	return true
+}
+
+// Deploy deploys an app. If cancelExisting is true (e.g. webhook-triggered),
+// any in-progress deploy for the same app will be cancelled before starting.
+// If cancelExisting is false and a deploy is in progress, ErrDeploymentInProgress is returned.
 func (svc *Service) Deploy(
 	ctx context.Context,
 	app *models.App,
 	webhookEventID *int64,
+	cancelExisting bool,
 ) error {
+	if cancelExisting {
+		svc.cancelActiveDeploy(app.ID)
+	}
+
 	// Try to acquire per-app deployment lock
 	if !svc.tryLockApp(app.ID) {
 		svc.log.Warn("deployment already in progress", "app", app.Name)
@@ -288,45 +326,186 @@ func (svc *Service) Deploy(
 	}
 	defer svc.unlockApp(app.ID)
 
+	// Set up cancellable context and register as active deploy
+	deployCtx, cancel := context.WithCancel(ctx)
+	done := make(chan struct{})
+	ad := &activeDeploy{cancel: cancel, done: done}
+	svc.activeDeploys.Store(app.ID, ad)
+
+	defer func() {
+		cancel()
+		close(done)
+		svc.activeDeploys.Delete(app.ID)
+	}()
+
 	// Fetch webhook event and create deployment record
-	webhookEvent := svc.fetchWebhookEvent(ctx, webhookEventID)
+	webhookEvent := svc.fetchWebhookEvent(deployCtx, webhookEventID)
 
-	deployment, err := svc.createDeploymentRecord(ctx, app, webhookEventID, webhookEvent)
+	// Use a background context for DB operations that must complete regardless of cancellation
+	bgCtx := context.WithoutCancel(deployCtx)
+
+	deployment, err := svc.createDeploymentRecord(bgCtx, app, webhookEventID, webhookEvent)
 	if err != nil {
 		return err
 	}
 
-	svc.logWebhookPayload(ctx, deployment, webhookEvent)
+	svc.logWebhookPayload(bgCtx, deployment, webhookEvent)
 
-	err = svc.updateAppStatusBuilding(ctx, app)
+	err = svc.updateAppStatusBuilding(bgCtx, app)
 	if err != nil {
 		return err
 	}
 
-	svc.notify.NotifyBuildStart(ctx, app, deployment)
+	svc.notify.NotifyBuildStart(bgCtx, app, deployment)
 
+	return svc.runBuildAndDeploy(deployCtx, bgCtx, app, deployment)
+}
+
+// Rollback rolls back an app to its previous image.
+// It stops the current container, starts a new one with the previous image,
+// and creates a deployment record for the rollback.
+func (svc *Service) Rollback(ctx context.Context, app *models.App) error {
+	if !app.PreviousImageID.Valid || app.PreviousImageID.String == "" {
+		return ErrNoPreviousImage
+	}
+
+	// Acquire per-app deployment lock
+	if !svc.tryLockApp(app.ID) {
+		return ErrDeploymentInProgress
+	}
+	defer svc.unlockApp(app.ID)
+
+	bgCtx := context.WithoutCancel(ctx)
+
+	deployment, err := svc.createRollbackDeployment(bgCtx, app)
+	if err != nil {
+		return err
+	}
+
+	return svc.executeRollback(ctx, bgCtx, app, deployment)
+}
+
+// createRollbackDeployment creates a deployment record for a rollback operation.
+func (svc *Service) createRollbackDeployment(
+	ctx context.Context,
+	app *models.App,
+) (*models.Deployment, error) {
+	deployment := models.NewDeployment(svc.db)
+	deployment.AppID = app.ID
+	deployment.Status = models.DeploymentStatusDeploying
+	deployment.ImageID = sql.NullString{String: app.PreviousImageID.String, Valid: true}
+
+	saveErr := deployment.Save(ctx)
+	if saveErr != nil {
+		return nil, fmt.Errorf("failed to create rollback deployment: %w", saveErr)
+	}
+
+	_ = deployment.AppendLog(ctx, "Rolling back to previous image: "+app.PreviousImageID.String)
+
+	return deployment, nil
+}
+
+// executeRollback performs the container swap for a rollback.
+func (svc *Service) executeRollback(
+	ctx context.Context,
+	bgCtx context.Context,
+	app *models.App,
+	deployment *models.Deployment,
+) error {
+	previousImageID := app.PreviousImageID.String
+
+	svc.removeOldContainer(ctx, app, deployment)
+
+	rollbackOpts, err := svc.buildContainerOptions(ctx, app, deployment.ID)
+	if err != nil {
+		svc.failDeployment(bgCtx, app, deployment, err)
+
+		return fmt.Errorf("failed to build container options: %w", err)
+	}
+
+	rollbackOpts.Image = previousImageID
+
+	containerID, err := svc.docker.CreateContainer(ctx, rollbackOpts)
+	if err != nil {
+		svc.failDeployment(bgCtx, app, deployment, fmt.Errorf("failed to create rollback container: %w", err))
+
+		return fmt.Errorf("failed to create rollback container: %w", err)
+	}
+
+	deployment.ContainerID = sql.NullString{String: containerID, Valid: true}
+	_ = deployment.AppendLog(bgCtx, "Rollback container created: "+containerID)
+
+	startErr := svc.docker.StartContainer(ctx, containerID)
+	if startErr != nil {
+		svc.failDeployment(bgCtx, app, deployment, fmt.Errorf("failed to start rollback container: %w", startErr))
+
+		return fmt.Errorf("failed to start rollback container: %w", startErr)
+	}
+
+	_ = deployment.AppendLog(bgCtx, "Rollback container started")
+
+	currentImageID := app.ImageID
+	app.ImageID = sql.NullString{String: previousImageID, Valid: true}
+	app.PreviousImageID = currentImageID
+	app.Status = models.AppStatusRunning
+
+	saveErr := app.Save(bgCtx)
+	if saveErr != nil {
+		return fmt.Errorf("failed to update app after rollback: %w", saveErr)
+	}
+
+	_ = deployment.MarkFinished(bgCtx, models.DeploymentStatusSuccess)
+	_ = deployment.AppendLog(bgCtx, "Rollback complete")
+
+	svc.log.Info("rollback completed", "app", app.Name, "image", previousImageID)
+
+	return nil
+}
+
+// runBuildAndDeploy executes the build and deploy phases, handling cancellation.
+func (svc *Service) runBuildAndDeploy(
+	deployCtx context.Context,
+	bgCtx context.Context,
+	app *models.App,
+	deployment *models.Deployment,
+) error {
 	// Build phase with timeout
-	imageID, err := svc.buildImageWithTimeout(ctx, app, deployment)
+	imageID, err := svc.buildImageWithTimeout(deployCtx, app, deployment)
 	if err != nil {
+		cancelErr := svc.checkCancelled(deployCtx, bgCtx, app, deployment)
+		if cancelErr != nil {
+			return cancelErr
+		}
+
 		return err
 	}
 
-	svc.notify.NotifyBuildSuccess(ctx, app, deployment)
+	svc.notify.NotifyBuildSuccess(bgCtx, app, deployment)
 
 	// Deploy phase with timeout
-	err = svc.deployContainerWithTimeout(ctx, app, deployment, imageID)
+	err = svc.deployContainerWithTimeout(deployCtx, app, deployment, imageID)
 	if err != nil {
+		cancelErr := svc.checkCancelled(deployCtx, bgCtx, app, deployment)
+		if cancelErr != nil {
+			return cancelErr
+		}
+
 		return err
 	}
 
-	err = svc.updateAppRunning(ctx, app, imageID)
+	// Save current image as previous before updating to new one
+	if app.ImageID.Valid && app.ImageID.String != "" {
+		app.PreviousImageID = app.ImageID
+	}
+
+	err = svc.updateAppRunning(bgCtx, app, imageID)
 	if err != nil {
 		return err
 	}
 
 	// Use context.WithoutCancel to ensure health check completes even if
 	// the parent context is cancelled (e.g., HTTP request ends).
-	go svc.checkHealthAfterDelay(context.WithoutCancel(ctx), app, deployment)
+	go svc.checkHealthAfterDelay(bgCtx, app, deployment)
 
 	return nil
 }
@@ -463,6 +642,43 @@ func (svc *Service) unlockApp(appID string) {
 	svc.getAppLock(appID).Unlock()
 }
 
+// cancelActiveDeploy cancels any in-progress deployment for the given app
+// and waits for it to finish before returning.
+func (svc *Service) cancelActiveDeploy(appID string) {
+	val, ok := svc.activeDeploys.Load(appID)
+	if !ok {
+		return
+	}
+
+	ad, ok := val.(*activeDeploy)
+	if !ok {
+		return
+	}
+
+	svc.log.Info("cancelling in-progress deployment", "app_id", appID)
+	ad.cancel()
+	<-ad.done
+}
+
+// checkCancelled checks if the deploy context was cancelled (by a newer deploy)
+// and if so, marks the deployment as cancelled. Returns ErrDeployCancelled or nil.
+func (svc *Service) checkCancelled(
+	deployCtx context.Context,
+	bgCtx context.Context,
+	app *models.App,
+	deployment *models.Deployment,
+) error {
+	if !errors.Is(deployCtx.Err(), context.Canceled) {
+		return nil
+	}
+
+	svc.log.Info("deployment cancelled by newer deploy", "app", app.Name)
+
+	_ = deployment.MarkFinished(bgCtx, models.DeploymentStatusCancelled)
+
+	return ErrDeployCancelled
+}
+
 func (svc *Service) fetchWebhookEvent(
 	ctx context.Context,
 	webhookEventID *int64,

internal/service/deploy/deploy_cancel_test.go

@@ -0,0 +1,133 @@
+package deploy_test
+
+import (
+	"context"
+	"log/slog"
+	"sync"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+
+	"git.eeqj.de/sneak/upaas/internal/service/deploy"
+)
+
+func TestCancelActiveDeploy_NoExisting(t *testing.T) {
+	t.Parallel()
+
+	svc := deploy.NewTestService(slog.Default())
+
+	// Should not panic or block when no active deploy exists
+	svc.CancelActiveDeploy("nonexistent-app")
+}
+
+func TestCancelActiveDeploy_CancelsAndWaits(t *testing.T) {
+	t.Parallel()
+
+	svc := deploy.NewTestService(slog.Default())
+
+	ctx, cancel := context.WithCancel(context.Background())
+	done := make(chan struct{})
+
+	svc.RegisterActiveDeploy("app-1", cancel, done)
+
+	// Simulate a running deploy that respects cancellation
+	var deployFinished bool
+
+	go func() {
+		<-ctx.Done()
+
+		deployFinished = true
+
+		close(done)
+	}()
+
+	svc.CancelActiveDeploy("app-1")
+	assert.True(t, deployFinished, "deploy should have finished after cancellation")
+}
+
+func TestCancelActiveDeploy_BlocksUntilDone(t *testing.T) {
+	t.Parallel()
+
+	svc := deploy.NewTestService(slog.Default())
+
+	ctx, cancel := context.WithCancel(context.Background())
+	done := make(chan struct{})
+
+	svc.RegisterActiveDeploy("app-2", cancel, done)
+
+	// Simulate slow cleanup after cancellation
+	go func() {
+		<-ctx.Done()
+		time.Sleep(50 * time.Millisecond)
+		close(done)
+	}()
+
+	start := time.Now()
+
+	svc.CancelActiveDeploy("app-2")
+
+	elapsed := time.Since(start)
+
+	assert.GreaterOrEqual(t, elapsed, 50*time.Millisecond,
+		"cancelActiveDeploy should block until the deploy finishes")
+}
+
+func TestTryLockApp_PreventsConcurrent(t *testing.T) {
+	t.Parallel()
+
+	svc := deploy.NewTestService(slog.Default())
+
+	assert.True(t, svc.TryLockApp("app-1"), "first lock should succeed")
+	assert.False(t, svc.TryLockApp("app-1"), "second lock should fail")
+
+	svc.UnlockApp("app-1")
+
+	assert.True(t, svc.TryLockApp("app-1"), "lock after unlock should succeed")
+
+	svc.UnlockApp("app-1")
+}
+
+func TestCancelActiveDeploy_AllowsNewDeploy(t *testing.T) {
+	t.Parallel()
+
+	svc := deploy.NewTestService(slog.Default())
+
+	// Simulate an active deploy holding the lock
+	ctx, cancel := context.WithCancel(context.Background())
+	done := make(chan struct{})
+
+	svc.RegisterActiveDeploy("app-3", cancel, done)
+
+	// Lock the app as if a deploy is in progress
+	assert.True(t, svc.TryLockApp("app-3"))
+
+	// Simulate deploy goroutine: release lock on cancellation
+	var mu sync.Mutex
+
+	released := false
+
+	go func() {
+		<-ctx.Done()
+
+		svc.UnlockApp("app-3")
+
+		mu.Lock()
+		released = true
+		mu.Unlock()
+
+		close(done)
+	}()
+
+	// Cancel should cause the old deploy to release its lock
+	svc.CancelActiveDeploy("app-3")
+
+	mu.Lock()
+	assert.True(t, released)
+	mu.Unlock()
+
+	// Now a new deploy should be able to acquire the lock
+	assert.True(t, svc.TryLockApp("app-3"), "should be able to lock after cancellation")
+
+	svc.UnlockApp("app-3")
+}

internal/service/deploy/deploy_rollback_test.go

@@ -0,0 +1,74 @@
+package deploy_test
+
+import (
+	"context"
+	"database/sql"
+	"log/slog"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+
+	"git.eeqj.de/sneak/upaas/internal/models"
+	"git.eeqj.de/sneak/upaas/internal/service/deploy"
+)
+
+func TestRollback_NoPreviousImage(t *testing.T) {
+	t.Parallel()
+
+	svc := deploy.NewTestService(slog.Default())
+	app := &models.App{
+		ID:              "app-rollback-1",
+		PreviousImageID: sql.NullString{},
+	}
+
+	err := svc.Rollback(context.Background(), app)
+	assert.ErrorIs(t, err, deploy.ErrNoPreviousImage)
+}
+
+func TestRollback_EmptyPreviousImage(t *testing.T) {
+	t.Parallel()
+
+	svc := deploy.NewTestService(slog.Default())
+	app := &models.App{
+		ID:              "app-rollback-2",
+		PreviousImageID: sql.NullString{String: "", Valid: true},
+	}
+
+	err := svc.Rollback(context.Background(), app)
+	assert.ErrorIs(t, err, deploy.ErrNoPreviousImage)
+}
+
+func TestRollback_DeploymentLocked(t *testing.T) {
+	t.Parallel()
+
+	svc := deploy.NewTestService(slog.Default())
+
+	// Simulate a deploy holding the lock
+	assert.True(t, svc.TryLockApp("app-rollback-3"))
+	defer svc.UnlockApp("app-rollback-3")
+
+	app := &models.App{
+		ID:              "app-rollback-3",
+		PreviousImageID: sql.NullString{String: "sha256:abc123", Valid: true},
+	}
+
+	err := svc.Rollback(context.Background(), app)
+	assert.ErrorIs(t, err, deploy.ErrDeploymentInProgress)
+}
+
+func TestRollback_LockedApp(t *testing.T) {
+	t.Parallel()
+
+	svc := deploy.NewTestService(slog.Default())
+
+	assert.True(t, svc.TryLockApp("app-rollback-4"))
+	defer svc.UnlockApp("app-rollback-4")
+
+	app := &models.App{
+		ID:              "app-rollback-4",
+		PreviousImageID: sql.NullString{String: "sha256:abc123", Valid: true},
+	}
+
+	err := svc.Rollback(context.Background(), app)
+	assert.ErrorIs(t, err, deploy.ErrDeploymentInProgress)
+}

internal/service/deploy/export_test.go

@@ -0,0 +1,33 @@
+package deploy
+
+import (
+	"context"
+	"log/slog"
+)
+
+// NewTestService creates a Service with minimal dependencies for testing.
+func NewTestService(log *slog.Logger) *Service {
+	return &Service{
+		log: log,
+	}
+}
+
+// CancelActiveDeploy exposes cancelActiveDeploy for testing.
+func (svc *Service) CancelActiveDeploy(appID string) {
+	svc.cancelActiveDeploy(appID)
+}
+
+// RegisterActiveDeploy registers an active deploy for testing.
+func (svc *Service) RegisterActiveDeploy(appID string, cancel context.CancelFunc, done chan struct{}) {
+	svc.activeDeploys.Store(appID, &activeDeploy{cancel: cancel, done: done})
+}
+
+// TryLockApp exposes tryLockApp for testing.
+func (svc *Service) TryLockApp(appID string) bool {
+	return svc.tryLockApp(appID)
+}
+
+// UnlockApp exposes unlockApp for testing.
+func (svc *Service) UnlockApp(appID string) {
+	svc.unlockApp(appID)
+}

internal/service/webhook/webhook.go

@@ -143,7 +143,7 @@ func (svc *Service) triggerDeployment(
 		// even if the HTTP request context is cancelled.
 		deployCtx := context.WithoutCancel(ctx)
 
-		deployErr := svc.deploy.Deploy(deployCtx, app, &eventID)
+		deployErr := svc.deploy.Deploy(deployCtx, app, &eventID, true)
 		if deployErr != nil {
 			svc.log.Error("deployment failed", "error", deployErr, "app", appName)
 		}

static/css/input.css

@@ -57,6 +57,10 @@
     @apply inline-flex items-center justify-center px-4 py-2 rounded-md font-medium text-sm transition-all duration-200 focus:outline-none focus:ring-2 focus:ring-offset-2 disabled:opacity-50 disabled:cursor-not-allowed bg-success-500 text-white hover:bg-success-700 active:bg-green-800 focus:ring-green-500 shadow-elevation-1 hover:shadow-elevation-2;
   }
 
+  .btn-warning {
+    @apply inline-flex items-center justify-center px-4 py-2 rounded-md font-medium text-sm transition-all duration-200 focus:outline-none focus:ring-2 focus:ring-offset-2 disabled:opacity-50 disabled:cursor-not-allowed bg-warning-500 text-white hover:bg-warning-700 active:bg-orange-800 focus:ring-orange-500 shadow-elevation-1 hover:shadow-elevation-2;
+  }
+
   .btn-text {
     @apply inline-flex items-center justify-center px-4 py-2 rounded-md font-medium text-sm transition-all duration-200 focus:outline-none focus:ring-2 focus:ring-offset-2 disabled:opacity-50 disabled:cursor-not-allowed text-primary-600 hover:bg-primary-50 active:bg-primary-100;
   }

templates/app_detail.html

@@ -40,6 +40,16 @@
                     <span x-text="deploying ? 'Deploying...' : 'Deploy Now'"></span>
                 </button>
             </form>
+            <form method="POST" action="/apps/{{.App.ID}}/deployments/cancel" class="inline" x-show="deploying" x-cloak x-data="confirmAction('Cancel the current deployment?')" @submit="confirm($event)">
+                {{ .CSRFField }}
+                <button type="submit" class="btn-danger">Cancel Deploy</button>
+            </form>
+            {{if .App.PreviousImageID.Valid}}
+            <form method="POST" action="/apps/{{.App.ID}}/rollback" class="inline" x-data="confirmAction('Roll back to the previous deployment?')" @submit="confirm($event)">
+                {{ .CSRFField }}
+                <button type="submit" class="btn-warning">Rollback</button>
+            </form>
+            {{end}}
         </div>
     </div>