This commit is contained in:
VPN SaaS Dev
@@ -20,7 +20,5 @@ SECRET_KEY=change-this-long-random-secret
|
|||||||
REDIS_URL=redis://redis:6379/0
|
REDIS_URL=redis://redis:6379/0
|
||||||
OCR_PROVIDER=tesseract
|
OCR_PROVIDER=tesseract
|
||||||
OCR_LANGUAGES=eng+rus+kor
|
OCR_LANGUAGES=eng+rus+kor
|
||||||
LLM_BASE_URL=
|
|
||||||
LLM_MODEL=
|
|
||||||
ADMIN_TELEGRAM_IDS=
|
ADMIN_TELEGRAM_IDS=
|
||||||
ADMIN_BOOTSTRAP_TOKEN=
|
ADMIN_BOOTSTRAP_TOKEN=
|
||||||
|
|||||||
17
DEPLOY.md
17
DEPLOY.md
@@ -19,7 +19,7 @@ Edit `.env` and set real secrets:
|
|||||||
- `INTERNAL_API_TOKEN`
|
- `INTERNAL_API_TOKEN`
|
||||||
- `SECRET_KEY`
|
- `SECRET_KEY`
|
||||||
- `REDIS_URL` if Redis is external
|
- `REDIS_URL` if Redis is external
|
||||||
- `VAPID_PUBLIC_KEY` / `VAPID_PRIVATE_KEY` when browser push is enabled
|
- `VAPID_PUBLIC_KEY` / `VAPID_PRIVATE_KEY` only when browser push beta is enabled
|
||||||
- `ADMIN_TELEGRAM_IDS`
|
- `ADMIN_TELEGRAM_IDS`
|
||||||
|
|
||||||
Production must use public HTTPS URLs and `ALLOW_DEV_AUTH=false`.
|
Production must use public HTTPS URLs and `ALLOW_DEV_AUTH=false`.
|
||||||
@@ -34,6 +34,7 @@ curl -fsS http://127.0.0.1:8000/ready
|
|||||||
```
|
```
|
||||||
|
|
||||||
The default compose stack includes Postgres, Redis, API and bot services with health checks, restart policies and log rotation.
|
The default compose stack includes Postgres, Redis, API and bot services with health checks, restart policies and log rotation.
|
||||||
|
Telegram notifications are the primary pilot notification channel. Browser push currently stores subscriptions and is treated as beta until server-side Web Push delivery is enabled.
|
||||||
|
|
||||||
## Git-Based Update
|
## Git-Based Update
|
||||||
|
|
||||||
@@ -51,7 +52,7 @@ The script runs:
|
|||||||
- Docker build/up
|
- Docker build/up
|
||||||
- `alembic upgrade head`
|
- `alembic upgrade head`
|
||||||
- Python smoke compile
|
- Python smoke compile
|
||||||
- `/ready` health check
|
- `/health`, `/ready` and `/metrics` smoke checks
|
||||||
|
|
||||||
Do not use rsync as the primary deploy mechanism.
|
Do not use rsync as the primary deploy mechanism.
|
||||||
|
|
||||||
@@ -75,12 +76,24 @@ Create a compressed custom-format dump before risky deploys:
|
|||||||
BACKUP_DIR=/opt/carpass/backups ./scripts/backup_db.sh
|
BACKUP_DIR=/opt/carpass/backups ./scripts/backup_db.sh
|
||||||
```
|
```
|
||||||
|
|
||||||
|
Compatibility wrapper:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
BACKUP_DIR=/opt/carpass/backups ./scripts/backup.sh
|
||||||
|
```
|
||||||
|
|
||||||
Restore only during a maintenance window:
|
Restore only during a maintenance window:
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
./scripts/restore_db.sh /opt/carpass/backups/carpass-drivers-YYYYMMDDTHHMMSSZ.dump
|
./scripts/restore_db.sh /opt/carpass/backups/carpass-drivers-YYYYMMDDTHHMMSSZ.dump
|
||||||
```
|
```
|
||||||
|
|
||||||
|
Compatibility wrapper:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
./scripts/restore.sh /opt/carpass/backups/carpass-drivers-YYYYMMDDTHHMMSSZ.dump
|
||||||
|
```
|
||||||
|
|
||||||
For volume-level recovery, back up the Docker named volumes `pgdata` and `redisdata` according to the host backup policy.
|
For volume-level recovery, back up the Docker named volumes `pgdata` and `redisdata` according to the host backup policy.
|
||||||
|
|
||||||
## Logs
|
## Logs
|
||||||
|
|||||||
@@ -63,6 +63,8 @@ CarPass создает рекомендации обслуживания из д
|
|||||||
|
|
||||||
Уведомления имеют статусы `pending`, `processing`, `sent`, `failed`, `retrying`, `abandoned`, `read`, счетчик повторов и idempotency key, чтобы не плодить дубли.
|
Уведомления имеют статусы `pending`, `processing`, `sent`, `failed`, `retrying`, `abandoned`, `read`, счетчик повторов и idempotency key, чтобы не плодить дубли.
|
||||||
|
|
||||||
|
Telegram-уведомления являются основным каналом закрытого пилота. Browser push уже умеет сохранять подписки в Mini App и принимать push-события в service worker, но серверная Web Push-доставка помечена как beta и не считается критическим каналом пилота.
|
||||||
|
|
||||||
## Безопасность данных
|
## Безопасность данных
|
||||||
|
|
||||||
CarPass не раскрывает историю автомобиля по одному VIN или госномеру. СТО видит только разрешенный владельцем объем данных: базовую карточку, историю обслуживания или полный доступ. Любые чувствительные изменения, включая VIN, номер, пробег и технические параметры, проходят подтверждение владельца.
|
CarPass не раскрывает историю автомобиля по одному VIN или госномеру. СТО видит только разрешенный владельцем объем данных: базовую карточку, историю обслуживания или полный доступ. Любые чувствительные изменения, включая VIN, номер, пробег и технические параметры, проходят подтверждение владельца.
|
||||||
|
|||||||
@@ -22,8 +22,6 @@ class Settings(BaseSettings):
|
|||||||
allow_dev_auth: bool = False
|
allow_dev_auth: bool = False
|
||||||
ocr_provider: str = "tesseract"
|
ocr_provider: str = "tesseract"
|
||||||
ocr_languages: str = "eng+rus+kor"
|
ocr_languages: str = "eng+rus+kor"
|
||||||
llm_base_url: str = ""
|
|
||||||
llm_model: str = ""
|
|
||||||
admin_telegram_ids: str = ""
|
admin_telegram_ids: str = ""
|
||||||
admin_bootstrap_token: str = ""
|
admin_bootstrap_token: str = ""
|
||||||
|
|
||||||
|
|||||||
@@ -54,8 +54,6 @@ services:
|
|||||||
ALLOW_DEV_AUTH: ${ALLOW_DEV_AUTH:-false}
|
ALLOW_DEV_AUTH: ${ALLOW_DEV_AUTH:-false}
|
||||||
OCR_PROVIDER: ${OCR_PROVIDER:-tesseract}
|
OCR_PROVIDER: ${OCR_PROVIDER:-tesseract}
|
||||||
OCR_LANGUAGES: ${OCR_LANGUAGES:-eng+rus+kor}
|
OCR_LANGUAGES: ${OCR_LANGUAGES:-eng+rus+kor}
|
||||||
LLM_BASE_URL: ${LLM_BASE_URL:-}
|
|
||||||
LLM_MODEL: ${LLM_MODEL:-}
|
|
||||||
REDIS_URL: ${REDIS_URL:-redis://redis:6379/0}
|
REDIS_URL: ${REDIS_URL:-redis://redis:6379/0}
|
||||||
SECRET_KEY: ${SECRET_KEY:-}
|
SECRET_KEY: ${SECRET_KEY:-}
|
||||||
VAPID_PUBLIC_KEY: ${VAPID_PUBLIC_KEY:-}
|
VAPID_PUBLIC_KEY: ${VAPID_PUBLIC_KEY:-}
|
||||||
@@ -91,8 +89,6 @@ services:
|
|||||||
APP_ENV: ${APP_ENV:-development}
|
APP_ENV: ${APP_ENV:-development}
|
||||||
OCR_PROVIDER: ${OCR_PROVIDER:-tesseract}
|
OCR_PROVIDER: ${OCR_PROVIDER:-tesseract}
|
||||||
OCR_LANGUAGES: ${OCR_LANGUAGES:-eng+rus+kor}
|
OCR_LANGUAGES: ${OCR_LANGUAGES:-eng+rus+kor}
|
||||||
LLM_BASE_URL: ${LLM_BASE_URL:-}
|
|
||||||
LLM_MODEL: ${LLM_MODEL:-}
|
|
||||||
REDIS_URL: ${REDIS_URL:-redis://redis:6379/0}
|
REDIS_URL: ${REDIS_URL:-redis://redis:6379/0}
|
||||||
SECRET_KEY: ${SECRET_KEY:-}
|
SECRET_KEY: ${SECRET_KEY:-}
|
||||||
depends_on:
|
depends_on:
|
||||||
|
|||||||
4
scripts/backup.sh
Executable file
4
scripts/backup.sh
Executable file
@@ -0,0 +1,4 @@
|
|||||||
|
#!/usr/bin/env bash
|
||||||
|
set -euo pipefail
|
||||||
|
|
||||||
|
exec "$(dirname "$0")/backup_db.sh" "$@"
|
||||||
@@ -44,6 +44,7 @@ for attempt in {1..30}; do
|
|||||||
if curl -fsS "$HEALTH_URL" >/tmp/carpass-ready.json; then
|
if curl -fsS "$HEALTH_URL" >/tmp/carpass-ready.json; then
|
||||||
cat /tmp/carpass-ready.json
|
cat /tmp/carpass-ready.json
|
||||||
echo
|
echo
|
||||||
|
BASE_URL="${BASE_URL:-${HEALTH_URL%/ready}}" ./scripts/smoke_test.sh
|
||||||
$COMPOSE ps
|
$COMPOSE ps
|
||||||
exit 0
|
exit 0
|
||||||
fi
|
fi
|
||||||
|
|||||||
4
scripts/restore.sh
Executable file
4
scripts/restore.sh
Executable file
@@ -0,0 +1,4 @@
|
|||||||
|
#!/usr/bin/env bash
|
||||||
|
set -euo pipefail
|
||||||
|
|
||||||
|
exec "$(dirname "$0")/restore_db.sh" "$@"
|
||||||
16
scripts/smoke_test.sh
Executable file
16
scripts/smoke_test.sh
Executable file
@@ -0,0 +1,16 @@
|
|||||||
|
#!/usr/bin/env bash
|
||||||
|
set -euo pipefail
|
||||||
|
|
||||||
|
BASE_URL="${BASE_URL:-http://127.0.0.1:8000}"
|
||||||
|
|
||||||
|
echo "Checking health..."
|
||||||
|
curl -fsS "$BASE_URL/health"
|
||||||
|
echo
|
||||||
|
|
||||||
|
echo "Checking readiness..."
|
||||||
|
curl -fsS "$BASE_URL/ready"
|
||||||
|
echo
|
||||||
|
|
||||||
|
echo "Checking metrics..."
|
||||||
|
curl -fsS "$BASE_URL/metrics" | grep -q "carpass_requests_total"
|
||||||
|
echo "Smoke test passed."
|
||||||
Reference in New Issue
Block a user