c539e6fd83
- Base platform from base.git (ERP base: auth, core, config, message, workflow, plugin) - Created erp-diary module skeleton (lib.rs, dto.rs, error.rs, event.rs, state.rs) - Integrated erp-diary into workspace and erp-server - Added DiaryModule registration in main.rs - Added DiaryState FromRef in state.rs - Diary routes mounted (empty routes, ready for implementation) - Product design spec v1.2 preserved in docs/ - Implementation plan preserved in plans/ Cargo check: OK Cargo test: OK (78+ base tests passing)
96 lines
3.5 KiB
Bash
96 lines
3.5 KiB
Bash
#!/usr/bin/env bash
|
||
# PostgreSQL 自动备份脚本(含加密)
|
||
# 用法:
|
||
# 手动: ./docker/backup.sh
|
||
# 自动: 由 docker compose backup 服务每日 02:00 执行
|
||
#
|
||
# 加密方式(二选一):
|
||
# BACKUP_PASSPHRASE — 使用 openssl AES-256-CBC 对称加密(无额外依赖)
|
||
# GPG_RECIPIENT — 使用 GPG 非对称加密(需预置公钥)
|
||
set -euo pipefail
|
||
|
||
BACKUP_DIR="${BACKUP_DIR:-/backups}"
|
||
PG_HOST="${PGHOST:-postgres}"
|
||
PG_PORT="${PGPORT:-5432}"
|
||
PG_USER="${PGUSER:-erp}"
|
||
PG_DB="${PGDATABASE:-erp}"
|
||
KEEP_DAYS="${KEEP_DAYS:-7}"
|
||
TIMESTAMP=$(date +%Y%m%d_%H%M%S)
|
||
FILENAME="${PG_DB}_${TIMESTAMP}.sql.gz"
|
||
ENCRYPTED_FILENAME="${FILENAME}.enc"
|
||
FILEPATH="${BACKUP_DIR}/${FILENAME}"
|
||
ENCRYPTED_FILEPATH="${BACKUP_DIR}/${ENCRYPTED_FILENAME}"
|
||
|
||
mkdir -p "${BACKUP_DIR}"
|
||
|
||
echo "[$(date -Iseconds)] 开始备份 ${PG_DB} → ${FILEPATH}"
|
||
|
||
if pg_dump \
|
||
-h "${PG_HOST}" \
|
||
-p "${PG_PORT}" \
|
||
-U "${PG_USER}" \
|
||
-d "${PG_DB}" \
|
||
--format=plain \
|
||
--no-owner \
|
||
--no-privileges \
|
||
| gzip > "${FILEPATH}"; then
|
||
SIZE=$(du -h "${FILEPATH}" | cut -f1)
|
||
echo "[$(date -Iseconds)] 备份完成: ${FILENAME} (${SIZE})"
|
||
else
|
||
echo "[$(date -Iseconds)] 备份失败!" >&2
|
||
rm -f "${FILEPATH}"
|
||
exit 1
|
||
fi
|
||
|
||
# ── 加密备份 ──
|
||
if [ -n "${BACKUP_PASSPHRASE:-}" ]; then
|
||
echo "[$(date -Iseconds)] 使用 AES-256-CBC 加密备份..."
|
||
if openssl enc -aes-256-cbc -salt -pbkdf2 -pass "pass:${BACKUP_PASSPHRASE}" \
|
||
-in "${FILEPATH}" -out "${ENCRYPTED_FILEPATH}"; then
|
||
rm -f "${FILEPATH}"
|
||
ENC_SIZE=$(du -h "${ENCRYPTED_FILEPATH}" | cut -f1)
|
||
echo "[$(date -Iseconds)] 加密完成: ${ENCRYPTED_FILENAME} (${ENC_SIZE})"
|
||
else
|
||
echo "[$(date -Iseconds)] 加密失败!保留未加密备份" >&2
|
||
rm -f "${ENCRYPTED_FILEPATH}"
|
||
fi
|
||
elif [ -n "${GPG_RECIPIENT:-}" ]; then
|
||
echo "[$(date -Iseconds)] 使用 GPG 加密备份..."
|
||
if gpg --batch --yes --encrypt --recipient "${GPG_RECIPIENT}" "${FILEPATH}"; then
|
||
rm -f "${FILEPATH}"
|
||
ENC_SIZE=$(du -h "${ENCRYPTED_FILEPATH}" | cut -f1)
|
||
echo "[$(date -Iseconds)] 加密完成: ${ENCRYPTED_FILENAME} (${ENC_SIZE})"
|
||
else
|
||
echo "[$(date -Iseconds)] GPG 加密失败!保留未加密备份" >&2
|
||
rm -f "${FILEPATH}.gpg"
|
||
fi
|
||
else
|
||
echo "[$(date -Iseconds)] 警告: 未设置 BACKUP_PASSPHRASE 或 GPG_RECIPIENT,备份未加密!" >&2
|
||
fi
|
||
|
||
# ── 备份完整性校验 ──
|
||
LATEST_FILE=$(ls -t "${BACKUP_DIR}/${PG_DB}"_*.sql.gz* 2>/dev/null | head -1)
|
||
if [ -n "${LATEST_FILE}" ] && [ -f "${LATEST_FILE}" ]; then
|
||
if [[ "${LATEST_FILE}" == *.enc ]]; then
|
||
echo "[$(date -Iseconds)] 加密备份文件存在: $(basename "${LATEST_FILE}")"
|
||
elif gzip -t "${LATEST_FILE}" 2>/dev/null; then
|
||
echo "[$(date -Iseconds)] 备份完整性校验通过"
|
||
else
|
||
echo "[$(date -Iseconds)] 警告: 备份文件可能损坏: ${LATEST_FILE}" >&2
|
||
fi
|
||
fi
|
||
|
||
# ── 清理过期备份 ──
|
||
DELETED=$(find "${BACKUP_DIR}" -name "${PG_DB}_*.sql.gz*" -mtime +${KEEP_DAYS} -delete -print | wc -l)
|
||
if [ "${DELETED}" -gt 0 ]; then
|
||
echo "[$(date -Iseconds)] 已清理 ${DELETED} 个过期备份(>${KEEP_DAYS}天)"
|
||
fi
|
||
|
||
# ── 恢复指引 ──
|
||
echo ""
|
||
echo "恢复方法:"
|
||
echo " # 解密(如加密):"
|
||
echo " openssl enc -d -aes-256-cbc -pbkdf2 -pass pass:\$BACKUP_PASSPHRASE -in ${ENCRYPTED_FILEPATH} -out ${FILEPATH}"
|
||
echo " # 恢复:"
|
||
echo " gunzip -c ${FILEPATH} | psql -h \$PGHOST -U \$PGUSER -d \$PGDB"
|