SILVER
/
NODEDC_PLATFORM
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

OPS - PLATFORM: add Synology runtime backup workflow

This commit is contained in:
Codex 2026-05-14 14:35:51 +03:00
parent 932b9bc7ec
commit d3af184096
3 changed files with 135 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
infra/synology/README.md
View File

@ -44,6 +44,7 @@ http://task.nas.nodedc:18090
- `docker-compose.platform-http.yml` поднимает новый Authentik, Launcher и Caddy edge. - `docker-compose.platform-http.yml` поднимает новый Authentik, Launcher и Caddy edge.
- `Caddyfile.http` маршрутизирует локальные `auth/launcher/task.nas.nodedc` и внешние `id/hub/ops.nodedc.ru`. - `Caddyfile.http` маршрутизирует локальные `auth/launcher/task.nas.nodedc` и внешние `id/hub/ops.nodedc.ru`.
- `deploy-current.sh` синхронизирует compose, Caddyfile, Authentik templates и опционально Launcher source в NAS mount. - `deploy-current.sh` синхронизирует compose, Caddyfile, Authentik templates и опционально Launcher source в NAS mount.
- `backup-current.sh` делает snapshot Launcher runtime/uploads/Auth templates/config и готовит команду `pg_dump` для Authentik Postgres.
- Tasker поднимается отдельным compose из `NODEDC_TASKMANAGER/plane-app/docker-compose.yaml` на порту `18090`. - Tasker поднимается отдельным compose из `NODEDC_TASKMANAGER/plane-app/docker-compose.yaml` на порту `18090`.
## Синхронизация текущего состояния ## Синхронизация текущего состояния
@ -59,6 +60,23 @@ LAUNCHER_REPO=/Users/dcconstructions/Downloads/mnt/data/nodedc_launcher \
Скрипт не запускает Docker сам: на NAS `sudo` интерактивный, поэтому команды применения печатаются в конце. Скрипт не запускает Docker сам: на NAS `sudo` интерактивный, поэтому команды применения печатаются в конце.
## Backup текущего состояния
С Mac, при смонтированном `/Volumes/docker`:
```bash
cd /Users/dcconstructions/Downloads/mnt/NODEDC/platform
NAS_ROOT=/Volumes/docker/nodedc-platform ./infra/synology/backup-current.sh
```
Файловый backup создаётся в `/Volumes/docker/nodedc-platform/backups/platform-current-*`.
Для Authentik Postgres dump нужно выполнить напечатанную команду на Synology, потому что Docker доступен через интерактивный `sudo`:
```bash
bash /volume1/docker/nodedc-platform/backups/platform-current-YYYYMMDD-HHMMSS/run-authentik-db-dump-on-synology.sh
```
## Что нужно перед запуском ## Что нужно перед запуском
- Собрать или загрузить `linux/amd64` images: - Собрать или загрузить `linux/amd64` images:

112
infra/synology/backup-current.sh Executable file
View File

@ -0,0 +1,112 @@
#!/usr/bin/env bash
set -euo pipefail
NAS_ROOT="${NAS_ROOT:-/Volumes/docker/nodedc-platform}"
NAS_PLATFORM_DIR="${NAS_PLATFORM_DIR:-/volume1/docker/nodedc-platform/platform}"
BACKUP_ROOT="${BACKUP_ROOT:-${NAS_ROOT}/backups}"
TIMESTAMP="${TIMESTAMP:-$(date +%Y%m%d-%H%M%S)}"
BACKUP_DIR="${BACKUP_DIR:-${BACKUP_ROOT}/platform-current-${TIMESTAMP}}"
DOCKER_BIN="${DOCKER_BIN:-/usr/local/bin/docker}"
COMPOSE_FILE="${COMPOSE_FILE:-${NAS_PLATFORM_DIR}/docker-compose.platform-http.yml}"
ENV_FILE="${ENV_FILE:-${NAS_PLATFORM_DIR}/.env.synology}"
mkdir -p "${BACKUP_DIR}/files/platform" \
"${BACKUP_DIR}/files/launcher" \
"${BACKUP_DIR}/files/authentik"
rsync_dir() {
local source="$1"
local destination="$2"
if [[ -e "${source}" ]]; then
rsync -a --delete "${source}" "${destination}"
else
echo "skip missing: ${source}" | tee -a "${BACKUP_DIR}/warnings.log" >&2
fi
}
rsync_file() {
local source="$1"
local destination="$2"
if [[ -f "${source}" ]]; then
rsync -a "${source}" "${destination}"
else
echo "skip missing: ${source}" | tee -a "${BACKUP_DIR}/warnings.log" >&2
fi
}
rsync_dir "${NAS_ROOT}/launcher/server-storage/" "${BACKUP_DIR}/files/launcher/server-storage/"
rsync_dir "${NAS_ROOT}/launcher/uploads/" "${BACKUP_DIR}/files/launcher/uploads/"
rsync_dir "${NAS_ROOT}/authentik/custom-templates/" "${BACKUP_DIR}/files/authentik/custom-templates/"
rsync_dir "${NAS_ROOT}/platform/authentik/" "${BACKUP_DIR}/files/platform/authentik/"
rsync_file "${NAS_ROOT}/platform/.env.synology" "${BACKUP_DIR}/files/platform/"
rsync_file "${NAS_ROOT}/platform/.env.synology.example" "${BACKUP_DIR}/files/platform/"
rsync_file "${NAS_ROOT}/platform/docker-compose.platform-http.yml" "${BACKUP_DIR}/files/platform/"
rsync_file "${NAS_ROOT}/platform/Caddyfile.http" "${BACKUP_DIR}/files/platform/"
cat > "${BACKUP_DIR}/manifest.txt" <<EOF
NODE.DC platform current backup
timestamp=${TIMESTAMP}
nas_root=${NAS_ROOT}
backup_dir=${BACKUP_DIR}
Contains:
- Launcher runtime snapshot: launcher/server-storage
- Launcher uploads: launcher/uploads
- Authentik custom templates: authentik/custom-templates
- Platform runtime config: platform/.env.synology, compose, Caddyfile
Secrets:
- files/platform/.env.synology contains live secrets.
- Keep this backup private.
EOF
cat > "${BACKUP_DIR}/run-authentik-db-dump-on-synology.sh" <<EOF
#!/usr/bin/env bash
set -euo pipefail
BACKUP_DIR="/volume1/docker/nodedc-platform/backups/$(basename "${BACKUP_DIR}")"
cd "${NAS_PLATFORM_DIR}"
sudo "${DOCKER_BIN}" compose \\
--env-file "${ENV_FILE}" \\
-f "${COMPOSE_FILE}" \\
exec -T postgresql-authentik \\
sh -lc 'pg_dump -U "\${POSTGRES_USER:-authentik}" -d "\${POSTGRES_DB:-authentik}" --format=custom --no-owner --no-acl' \\
> "\${BACKUP_DIR}/authentik-postgres.dump"
sudo "${DOCKER_BIN}" compose \\
--env-file "${ENV_FILE}" \\
-f "${COMPOSE_FILE}" \\
exec -T postgresql-authentik \\
sh -lc 'pg_restore --list /dev/stdin >/dev/null' \\
< "\${BACKUP_DIR}/authentik-postgres.dump"
if command -v sha256sum >/dev/null 2>&1; then
(cd "\${BACKUP_DIR}" && sha256sum authentik-postgres.dump > SHA256SUMS)
else
(cd "\${BACKUP_DIR}" && shasum -a 256 authentik-postgres.dump > SHA256SUMS)
fi
echo "authentik-db-dump-ok: \${BACKUP_DIR}/authentik-postgres.dump"
EOF
chmod +x "${BACKUP_DIR}/run-authentik-db-dump-on-synology.sh"
find "${BACKUP_DIR}" -name @eaDir -prune -o -type d -exec chmod 700 {} \;
find "${BACKUP_DIR}" -name @eaDir -prune -o -type f -exec chmod 600 {} \;
chmod 700 "${BACKUP_DIR}/run-authentik-db-dump-on-synology.sh"
if [[ -x "${DOCKER_BIN}" && "${NAS_ROOT}" == /volume1/* ]]; then
"${BACKUP_DIR}/run-authentik-db-dump-on-synology.sh"
else
cat <<EOF
file-backup-ok: ${BACKUP_DIR}
DB dump was not run from this host.
Run on Synology:
bash /volume1/docker/nodedc-platform/backups/$(basename "${BACKUP_DIR}")/run-authentik-db-dump-on-synology.sh
EOF
fi

5
infra/synology/deploy-current.sh
View File

@ -22,6 +22,11 @@ rsync -av \
"${PLATFORM_REPO}/infra/synology/Caddyfile.http" \ "${PLATFORM_REPO}/infra/synology/Caddyfile.http" \
"${NAS_ROOT}/platform/Caddyfile.http" "${NAS_ROOT}/platform/Caddyfile.http"
rsync -av \
"${PLATFORM_REPO}/infra/synology/deploy-current.sh" \
"${PLATFORM_REPO}/infra/synology/backup-current.sh" \
"${NAS_ROOT}/platform/"
rsync -av --delete \ rsync -av --delete \
"${PLATFORM_REPO}/infra/authentik/custom-templates/" \ "${PLATFORM_REPO}/infra/authentik/custom-templates/" \
"${NAS_ROOT}/authentik/custom-templates/" "${NAS_ROOT}/authentik/custom-templates/"