feat(docker): 生产环境 DevOps 基础设施 — TLS + 备份加密 + Prometheus + Redis 持久化

新增:
- nginx/nginx.conf: TLS 1.2/1.3 终端 + HSTS/CSP 安全头 + SSE 长连接 + 50M 上传限制
- prometheus/prometheus.yml: HMS/PostgreSQL/Redis/Nginx 四指标源
- prometheus/alerts.yml: 4 组告警规则（系统/应用/数据库/Redis），含 5xx 错误率 + 内存 + 连接数
- restore.sh: 备份恢复脚本（支持加密备份解密恢复）

改进:
- backup.sh: 新增 BACKUP_PASSPHRASE 加密（AES-256-CBC）+ 完整性校验 + 恢复指引
- docker-compose.production.yml: 添加 Nginx/Prometheus/Grafana/uploads-backup 容器
- docker-compose.yml: Redis 添加 --appendonly yes 持久化
- .env.production.example: 添加 DevOps 相关环境变量模板

docker/restore.sh

@@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+# PostgreSQL 备份恢复脚本
+# 用法: BACKUP_PASSPHRASE=xxx ./docker/restore.sh /backups/erp_20260521_020000.sql.gz.enc
+set -euo pipefail
+
+BACKUP_FILE="${1:?用法: restore.sh <备份文件路径>}"
+PG_HOST="${PGHOST:-postgres}"
+PG_PORT="${PGPORT:-5432}"
+PG_USER="${PGUSER:-erp}"
+PG_DB="${PGDATABASE:-erp}"
+
+if [ ! -f "${BACKUP_FILE}" ]; then
+    echo "错误: 文件不存在: ${BACKUP_FILE}" >&2
+    exit 1
+fi
+
+echo "[$(date -Iseconds)] 恢复目标: ${PG_HOST}:${PG_PORT}/${PG_DB}"
+echo "[$(date -Iseconds)] 备份文件: ${BACKUP_FILE}"
+
+# 解密（如果是加密文件）
+if [[ "${BACKUP_FILE}" == *.enc ]]; then
+    if [ -z "${BACKUP_PASSPHRASE:-}" ]; then
+        echo "错误: 加密备份需要设置 BACKUP_PASSPHRASE 环境变量" >&2
+        exit 1
+    fi
+    DECRYPTED="${BACKUP_FILE%.enc}"
+    echo "[$(date -Iseconds)] 解密中..."
+    openssl enc -d -aes-256-cbc -pbkdf2 -pass "pass:${BACKUP_PASSPHRASE}" \
+        -in "${BACKUP_FILE}" -out "${DECRYPTED}"
+    BACKUP_FILE="${DECRYPTED}"
+fi
+
+# 解压并恢复
+echo "[$(date -Iseconds)] 恢复中..."
+gunzip -c "${BACKUP_FILE}" | psql -h "${PG_HOST}" -p "${PG_PORT}" -U "${PG_USER}" -d "${PG_DB}"
+
+echo "[$(date -Iseconds)] 恢复完成"
+
+# 清理解密文件
+if [ -n "${DECRYPTED:-}" ] && [ -f "${DECRYPTED}" ]; then
+    rm -f "${DECRYPTED}"
+    echo "[$(date -Iseconds)] 已清理解密临时文件"
+fi