bc571c7749
新增: - nginx/nginx.conf: TLS 1.2/1.3 终端 + HSTS/CSP 安全头 + SSE 长连接 + 50M 上传限制 - prometheus/prometheus.yml: HMS/PostgreSQL/Redis/Nginx 四指标源 - prometheus/alerts.yml: 4 组告警规则(系统/应用/数据库/Redis),含 5xx 错误率 + 内存 + 连接数 - restore.sh: 备份恢复脚本(支持加密备份解密恢复) 改进: - backup.sh: 新增 BACKUP_PASSPHRASE 加密(AES-256-CBC)+ 完整性校验 + 恢复指引 - docker-compose.production.yml: 添加 Nginx/Prometheus/Grafana/uploads-backup 容器 - docker-compose.yml: Redis 添加 --appendonly yes 持久化 - .env.production.example: 添加 DevOps 相关环境变量模板
44 lines
1.4 KiB
Bash
44 lines
1.4 KiB
Bash
#!/usr/bin/env bash
|
|
# PostgreSQL 备份恢复脚本
|
|
# 用法: BACKUP_PASSPHRASE=xxx ./docker/restore.sh /backups/erp_20260521_020000.sql.gz.enc
|
|
set -euo pipefail
|
|
|
|
BACKUP_FILE="${1:?用法: restore.sh <备份文件路径>}"
|
|
PG_HOST="${PGHOST:-postgres}"
|
|
PG_PORT="${PGPORT:-5432}"
|
|
PG_USER="${PGUSER:-erp}"
|
|
PG_DB="${PGDATABASE:-erp}"
|
|
|
|
if [ ! -f "${BACKUP_FILE}" ]; then
|
|
echo "错误: 文件不存在: ${BACKUP_FILE}" >&2
|
|
exit 1
|
|
fi
|
|
|
|
echo "[$(date -Iseconds)] 恢复目标: ${PG_HOST}:${PG_PORT}/${PG_DB}"
|
|
echo "[$(date -Iseconds)] 备份文件: ${BACKUP_FILE}"
|
|
|
|
# 解密(如果是加密文件)
|
|
if [[ "${BACKUP_FILE}" == *.enc ]]; then
|
|
if [ -z "${BACKUP_PASSPHRASE:-}" ]; then
|
|
echo "错误: 加密备份需要设置 BACKUP_PASSPHRASE 环境变量" >&2
|
|
exit 1
|
|
fi
|
|
DECRYPTED="${BACKUP_FILE%.enc}"
|
|
echo "[$(date -Iseconds)] 解密中..."
|
|
openssl enc -d -aes-256-cbc -pbkdf2 -pass "pass:${BACKUP_PASSPHRASE}" \
|
|
-in "${BACKUP_FILE}" -out "${DECRYPTED}"
|
|
BACKUP_FILE="${DECRYPTED}"
|
|
fi
|
|
|
|
# 解压并恢复
|
|
echo "[$(date -Iseconds)] 恢复中..."
|
|
gunzip -c "${BACKUP_FILE}" | psql -h "${PG_HOST}" -p "${PG_PORT}" -U "${PG_USER}" -d "${PG_DB}"
|
|
|
|
echo "[$(date -Iseconds)] 恢复完成"
|
|
|
|
# 清理解密文件
|
|
if [ -n "${DECRYPTED:-}" ] && [ -f "${DECRYPTED}" ]; then
|
|
rm -f "${DECRYPTED}"
|
|
echo "[$(date -Iseconds)] 已清理解密临时文件"
|
|
fi
|