feat(docker): add PostGIS-compatible backup and DB role separation

jeremi · jeremi · commit 5a04d3af46f0 · 2026-02-04T14:34:51.000+07:00
- Upgrade PostGIS from 17-3.5 to 18-3.6
- Replace postgres-backup-local with custom backup scripts using
  PostGIS image for full spatial data compatibility
- Add Option A/B pattern for strict DB role separation:
  - Option A: separate admin superuser and limited Odoo user
  - Option B: single user (backward compatible default)
- Add initdb script for strict mode role creation
- Update worker formula comment to (CPU cores * 2) + 1
diff --git a/docker/.env.production.example b/docker/.env.production.example
@@ -16,6 +16,8 @@ DOMAIN=openspp.example.org
 ACME_EMAIL=admin@example.org
 
 # Database password (use a strong, random password)
+# If using strict mode with a separate DB_ADMIN_USER, set the Odoo user password
+# in docker/initdb/01-create-roles.sql to match DB_PASSWORD (or adjust accordingly).
 # Generate with: openssl rand -base64 32
 DB_PASSWORD=CHANGE_ME_STRONG_PASSWORD_HERE
 
@@ -31,6 +33,10 @@ ODOO_ADMIN_PASSWD=CHANGE_ME_ADMIN_PASSWORD_HERE
 # Uses the db service defined in docker-compose.production.yml
 DB_HOST=db
 DB_PORT=5432
+# DB_ADMIN_USER is created as a superuser by the database container on first init.
+# Option A (strict): set DB_ADMIN_USER to an admin role and create DB_USER via init scripts.
+# Option B (flexible): set DB_ADMIN_USER=DB_USER (default).
+DB_ADMIN_USER=odoo
 DB_USER=odoo
 DB_NAME=openspp
 
@@ -51,7 +57,7 @@ DB_SSLMODE=prefer
 #   50k beneficiaries:  4 vCPU / 16GB -> WORKERS=4, ODOO_MEMORY=8G, DB_MEMORY=6G
 #   100k beneficiaries: 8 vCPU / 32GB -> WORKERS=6, ODOO_MEMORY=12G, DB_MEMORY=16G
 
-# Number of Odoo workers (rule: 1 worker per 2 CPU cores)
+# Number of Odoo workers (rule: (CPU cores * 2) + 1; ~1 worker per 6 concurrent users)
 ODOO_WORKERS=2
 
 # Queue job concurrent channels
diff --git a/docker/backup-entrypoint.sh b/docker/backup-entrypoint.sh
@@ -0,0 +1,46 @@
+#!/bin/sh
+# Backup container entrypoint
+#
+# Sets up cron schedule and runs crond in foreground.
+# Also supports running a one-off backup via: docker compose exec backup /backup.sh
+
+set -e
+
+BACKUP_SCHEDULE="${BACKUP_SCHEDULE:-0 2 * * *}"
+
+echo "[$(date -Iseconds)] Setting up backup schedule: ${BACKUP_SCHEDULE}"
+
+# Create crontab with environment variables
+cat > /etc/crontabs/root << EOF
+# OpenSPP Database Backup
+# Schedule: ${BACKUP_SCHEDULE}
+${BACKUP_SCHEDULE} /backup.sh >> /var/log/backup.log 2>&1
+EOF
+
+# Export PostgreSQL environment for cron
+cat > /etc/profile.d/pg_env.sh << EOF
+export PGHOST="${PGHOST:-db}"
+export PGPORT="${PGPORT:-5432}"
+export PGUSER="${PGUSER:-odoo}"
+export PGPASSWORD="${PGPASSWORD}"
+export PGDATABASE="${PGDATABASE:-openspp}"
+export BACKUP_DIR="${BACKUP_DIR:-/backups}"
+export BACKUP_KEEP_DAYS="${BACKUP_KEEP_DAYS:-7}"
+export BACKUP_KEEP_WEEKS="${BACKUP_KEEP_WEEKS:-4}"
+export BACKUP_KEEP_MONTHS="${BACKUP_KEEP_MONTHS:-6}"
+EOF
+
+# Source env for current shell
+. /etc/profile.d/pg_env.sh
+
+# Create log file
+touch /var/log/backup.log
+
+echo "[$(date -Iseconds)] Waiting for database to be ready..."
+until pg_isready -h "${PGHOST}" -p "${PGPORT}" -U "${PGUSER}" -d "${PGDATABASE}" -q; do
+    sleep 2
+done
+echo "[$(date -Iseconds)] Database is ready"
+
+echo "[$(date -Iseconds)] Starting crond..."
+exec crond -f -l 2
diff --git a/docker/backup.sh b/docker/backup.sh
@@ -0,0 +1,83 @@
+#!/bin/sh
+# OpenSPP PostgreSQL/PostGIS Backup Script
+#
+# Performs daily backups with retention policy:
+#   - 7 daily backups
+#   - 4 weekly backups (Sundays)
+#   - 6 monthly backups (1st of month)
+#
+# Usage: Run via cron or manually: /backup.sh
+#
+# Environment variables:
+#   PGHOST, PGPORT, PGUSER, PGPASSWORD, PGDATABASE (standard PostgreSQL vars)
+#   BACKUP_DIR (default: /backups)
+#   BACKUP_KEEP_DAYS (default: 7)
+#   BACKUP_KEEP_WEEKS (default: 4)
+#   BACKUP_KEEP_MONTHS (default: 6)
+
+set -e
+
+# Configuration with defaults
+BACKUP_DIR="${BACKUP_DIR:-/backups}"
+BACKUP_KEEP_DAYS="${BACKUP_KEEP_DAYS:-7}"
+BACKUP_KEEP_WEEKS="${BACKUP_KEEP_WEEKS:-4}"
+BACKUP_KEEP_MONTHS="${BACKUP_KEEP_MONTHS:-6}"
+
+# Directories
+DAILY_DIR="${BACKUP_DIR}/daily"
+WEEKLY_DIR="${BACKUP_DIR}/weekly"
+MONTHLY_DIR="${BACKUP_DIR}/monthly"
+
+# Create directories
+mkdir -p "${DAILY_DIR}" "${WEEKLY_DIR}" "${MONTHLY_DIR}"
+
+# Timestamp
+TIMESTAMP=$(date +%Y%m%d_%H%M%S)
+DATE=$(date +%Y%m%d)
+DAY_OF_WEEK=$(date +%u)  # 1=Monday, 7=Sunday
+DAY_OF_MONTH=$(date +%d)
+
+# Backup filename
+BACKUP_FILE="${PGDATABASE:-openspp}_${TIMESTAMP}.dump"
+
+echo "[$(date -Iseconds)] Starting backup of ${PGDATABASE:-openspp}..."
+
+# Perform backup using pg_dump with custom format (supports PostGIS)
+# -Fc = custom format (compressed, supports parallel restore)
+# -Z6 = compression level 6
+pg_dump -Fc -Z6 -f "${DAILY_DIR}/${BACKUP_FILE}"
+
+# Update latest symlink
+ln -sf "${BACKUP_FILE}" "${DAILY_DIR}/${PGDATABASE:-openspp}_latest.dump"
+
+echo "[$(date -Iseconds)] Daily backup complete: ${BACKUP_FILE}"
+
+# Weekly backup (Sunday)
+if [ "${DAY_OF_WEEK}" = "7" ]; then
+    cp "${DAILY_DIR}/${BACKUP_FILE}" "${WEEKLY_DIR}/"
+    echo "[$(date -Iseconds)] Weekly backup saved"
+fi
+
+# Monthly backup (1st of month)
+if [ "${DAY_OF_MONTH}" = "01" ]; then
+    cp "${DAILY_DIR}/${BACKUP_FILE}" "${MONTHLY_DIR}/"
+    echo "[$(date -Iseconds)] Monthly backup saved"
+fi
+
+# Cleanup old backups
+echo "[$(date -Iseconds)] Cleaning up old backups..."
+
+# Remove daily backups older than BACKUP_KEEP_DAYS
+find "${DAILY_DIR}" -name "*.dump" -type f -mtime +${BACKUP_KEEP_DAYS} -delete 2>/dev/null || true
+
+# Remove weekly backups older than BACKUP_KEEP_WEEKS weeks
+find "${WEEKLY_DIR}" -name "*.dump" -type f -mtime +$((BACKUP_KEEP_WEEKS * 7)) -delete 2>/dev/null || true
+
+# Remove monthly backups older than BACKUP_KEEP_MONTHS months (approximate: 30 days per month)
+find "${MONTHLY_DIR}" -name "*.dump" -type f -mtime +$((BACKUP_KEEP_MONTHS * 30)) -delete 2>/dev/null || true
+
+# Report disk usage
+echo "[$(date -Iseconds)] Backup sizes:"
+du -sh "${DAILY_DIR}" "${WEEKLY_DIR}" "${MONTHLY_DIR}" 2>/dev/null || true
+
+echo "[$(date -Iseconds)] Backup complete"
diff --git a/docker/docker-compose.production.yml b/docker/docker-compose.production.yml
@@ -81,15 +81,21 @@ services:
   # ==========================================================================
   # Comment out this service if using DATABASE_URL with external database
   db:
-    image: postgis/postgis:17-3.5-alpine
+    image: postgis/postgis:18-3.6-alpine
     environment:
-      POSTGRES_USER: ${DB_USER:-odoo}
+      # NOTE: POSTGRES_USER is created as a superuser by the image.
+      # Option A (strict): set DB_ADMIN_USER to an admin role, set DB_USER to a non-superuser,
+      # and create DB_USER via init scripts (/docker-entrypoint-initdb.d).
+      # Option B (flexible): keep DB_ADMIN_USER=odoo and DB_USER=odoo (default).
+      POSTGRES_USER: ${DB_ADMIN_USER:-odoo}
       POSTGRES_PASSWORD: ${DB_PASSWORD:?DB_PASSWORD is required}
       POSTGRES_DB: ${DB_NAME:-openspp}
       # Performance tuning for production
       POSTGRES_INITDB_ARGS: "--encoding=UTF8 --locale=C"
     volumes:
-      - postgres_data:/var/lib/postgresql/data
+      - postgres_data:/var/lib/postgresql
+      # Option A (strict): init scripts to create non-superuser Odoo role
+      # - ./initdb:/docker-entrypoint-initdb.d:ro
     networks:
       - openspp-prod
     restart: unless-stopped
@@ -122,6 +128,7 @@ services:
       DATABASE_URL: ${DATABASE_URL:-}
       DB_HOST: ${DB_HOST:-db}
       DB_PORT: ${DB_PORT:-5432}
+      # Option A (strict): DB_USER must be a non-superuser created via init script.
       DB_USER: ${DB_USER:-odoo}
       DB_PASSWORD: ${DB_PASSWORD:?DB_PASSWORD is required}
       DB_NAME: ${DB_NAME:-openspp}
@@ -132,7 +139,7 @@ services:
       # Admin credentials
       ODOO_ADMIN_PASSWD: ${ODOO_ADMIN_PASSWD:?ODOO_ADMIN_PASSWD is required}
 
-      # Workers - adjust based on CPU cores (rule: 1 worker per 2 cores)
+      # Workers - adjust based on CPU cores (rule: (CPU cores * 2) + 1; ~1 worker per 6 concurrent users)
       ODOO_WORKERS: ${ODOO_WORKERS:-2}
       ODOO_CRON_THREADS: "1"
 
@@ -290,28 +297,33 @@ services:
           memory: ${QUEUE_MEMORY_RESERVATION:-1G}
 
   # ==========================================================================
-  # Backup - Automated PostgreSQL backups (optional but recommended)
+  # Backup - Automated PostgreSQL/PostGIS backups
   # ==========================================================================
+  # Uses official PostGIS image for full compatibility with spatial data.
+  # Backups run daily at 2am by default (configurable via BACKUP_SCHEDULE).
+  # Retention: 7 daily, 4 weekly, 6 monthly backups.
   backup:
-    image: prodrigestivill/postgres-backup-local:17
+    image: postgis/postgis:18-3.6-alpine
+    entrypoint: ["/backup-entrypoint.sh"]
     depends_on:
       db:
         condition: service_healthy
     environment:
-      POSTGRES_HOST: ${DB_HOST:-db}
-      POSTGRES_PORT: ${DB_PORT:-5432}
-      POSTGRES_DB: ${DB_NAME:-openspp}
-      POSTGRES_USER: ${DB_USER:-odoo}
-      POSTGRES_PASSWORD: ${DB_PASSWORD:?DB_PASSWORD is required}
-      # Backup schedule (default: daily at 2am)
-      SCHEDULE: ${BACKUP_SCHEDULE:-0 2 * * *}
-      # Keep 7 daily, 4 weekly, 6 monthly backups
-      BACKUP_KEEP_DAYS: 7
-      BACKUP_KEEP_WEEKS: 4
-      BACKUP_KEEP_MONTHS: 6
-      # Compression
-      POSTGRES_EXTRA_OPTS: "-Z6 --format=custom"
+      # PostgreSQL connection (standard PG* variables)
+      PGHOST: ${DB_HOST:-db}
+      PGPORT: ${DB_PORT:-5432}
+      PGDATABASE: ${DB_NAME:-openspp}
+      PGUSER: ${DB_USER:-odoo}
+      PGPASSWORD: ${DB_PASSWORD:?DB_PASSWORD is required}
+      # Backup schedule (cron format, default: daily at 2am)
+      BACKUP_SCHEDULE: ${BACKUP_SCHEDULE:-0 2 * * *}
+      # Retention policy
+      BACKUP_KEEP_DAYS: ${BACKUP_KEEP_DAYS:-7}
+      BACKUP_KEEP_WEEKS: ${BACKUP_KEEP_WEEKS:-4}
+      BACKUP_KEEP_MONTHS: ${BACKUP_KEEP_MONTHS:-6}
     volumes:
+      - ./backup.sh:/backup.sh:ro
+      - ./backup-entrypoint.sh:/backup-entrypoint.sh:ro
       - backup_data:/backups
     networks:
       - openspp-prod
diff --git a/docker/initdb/01-create-roles.sql b/docker/initdb/01-create-roles.sql
@@ -0,0 +1,23 @@
+-- OpenSPP initdb roles (Option A - strict)
+-- Edit passwords and database name to match your .env.production
+-- This file runs only on first initialization when the data directory is empty.
+
+DO $$
+BEGIN
+  IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'odoo') THEN
+    CREATE ROLE odoo LOGIN PASSWORD 'CHANGE_ME_STRONG_PASSWORD_HERE' NOSUPERUSER NOCREATEDB;
+  END IF;
+
+  IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'openspp_admin') THEN
+    CREATE ROLE openspp_admin LOGIN PASSWORD 'CHANGE_ME_ADMIN_PASSWORD_HERE' SUPERUSER;
+  END IF;
+
+  IF NOT EXISTS (SELECT 1 FROM pg_database WHERE datname = 'openspp') THEN
+    CREATE DATABASE openspp OWNER openspp_admin;
+  ELSE
+    ALTER DATABASE openspp OWNER TO openspp_admin;
+  END IF;
+END $$;
+
+\connect openspp
+CREATE EXTENSION IF NOT EXISTS postgis;
