feat: 生产环境部署方案 (#91)

- docker-compose.override.yml: 生产覆盖配置（资源限制、日志驱动、安全加固、只读文件系统）
- nginx/nginx.conf: 生产 Nginx 配置（HTTPS、HTTP/2、安全 headers、限流、WebSocket、Gzip）
- nginx/certbot-renew.sh: Let's Encrypt 证书自动续期脚本
- backup/backup-db.sh: 数据库备份脚本（每日/每周/每月保留策略、压缩、可选加密、S3 上传、企业微信通知）
- backup/restore-db.sh: 数据库恢复脚本（支持按文件/日期/最近备份恢复）
- monitoring/prometheus.yml: Prometheus 指标抓取配置（全部微服务 + 基础设施）
- monitoring/alert_rules.yml: 告警规则（CPU>80%、内存>85%、磁盘>90%、服务宕机等）
- monitoring/docker-compose.monitoring.yml: 监控栈编排（Prometheus + Grafana + NodeExporter + cAdvisor + AlertManager）
- monitoring/alertmanager.yml: AlertManager 告警路由与企业微信通知
- monitoring/grafana/provisioning/datasources.yml: Grafana 数据源自动配置
- logging/docker-compose.logging.yml: 日志栈编排（Loki + Promtail 轻量方案）
- logging/loki-config.yml: Loki 日志存储配置（30天保留）
- logging/promtail-config.yml: Promtail 日志收集配置（Docker 容器、Nginx、系统日志）
- server-setup.sh: 服务器初始化脚本（系统更新、Docker、防火墙、SSH加固、Fail2Ban、内核优化）
- README.md: 完整生产部署文档（服务器要求、部署步骤、监控、备份、运维手册、故障排查）
- .env.production.example: 生产环境变量模板

deploy/production/.env.production.example

@@ -0,0 +1,53 @@
+# ============================================================
+# 生产环境配置文件
+# 复制此文件为 .env 并修改所有占位符
+# ============================================================
+
+# ==================== 域名 ====================
+DOMAIN=water.example.com
+CERTBOT_EMAIL=admin@example.com
+
+# ==================== 数据库 ====================
+POSTGRES_DB=water_management
+POSTGRES_USER=water
+POSTGRES_PASSWORD=<请设置强密码，至少16位>
+
+# ==================== Redis ====================
+REDIS_PASSWORD=<请设置强密码，至少16位>
+
+# ==================== EMQX MQTT ====================
+EMQX_ADMIN_USER=admin
+EMQX_ADMIN_PASSWORD=<请设置强密码>
+
+# ==================== MinIO 对象存储 ====================
+MINIO_USER=minioadmin
+MINIO_PASSWORD=<请设置强密码>
+
+# ==================== GeoServer GIS ====================
+GEOSERVER_USER=admin
+GEOSERVER_PASSWORD=<请设置强密码>
+
+# ==================== 镜像配置 ====================
+REGISTRY=
+IMAGE_TAG=latest
+
+# ==================== Spring 配置 ====================
+SPRING_PROFILES=prod
+
+# ==================== 监控 ====================
+GRAFANA_ADMIN_USER=admin
+GRAFANA_ADMIN_PASSWORD=<请设置强密码>
+GRAFANA_ROOT_URL=https://grafana.water.example.com
+
+# ==================== 备份 ====================
+S3_ENABLED=false
+S3_BUCKET=water-backups
+S3_ENDPOINT=http://minio:9000
+S3_ACCESS_KEY=minioadmin
+S3_SECRET_KEY=<请设置强密码>
+ENCRYPT_ENABLED=false
+ENCRYPT_PASSPHRASE=<加密密钥>
+WECOM_WEBHOOK=
+
+# ==================== Kafka ====================
+KAFKA_ADVERTISED=kafka

deploy/production/README.md

@@ -0,0 +1,583 @@
+# 生产环境部署指南
+
+> 智慧水务管理系统 - 生产环境完整部署文档
+
+---
+
+## 目录
+
+1. [服务器配置要求](#服务器配置要求)
+2. [前置准备](#前置准备)
+3. [服务器初始化](#服务器初始化)
+4. [应用部署](#应用部署)
+5. [HTTPS 配置](#https-配置)
+6. [监控告警](#监控告警)
+7. [日志收集](#日志收集)
+8. [数据库备份策略](#数据库备份策略)
+9. [运维手册](#运维手册)
+10. [故障排查](#故障排查)
+
+---
+
+## 服务器配置要求
+
+### 最低配置（小规模部署，≤500 设备）
+
+| 配置项 | 要求 |
+|--------|------|
+| CPU | 4 核 |
+| 内存 | 8 GB |
+| 系统盘 | 100 GB SSD |
+| 数据盘 | 200 GB SSD |
+| 网络 | 10 Mbps |
+| 系统 | Ubuntu 22.04 LTS / CentOS 8+ |
+
+### 推荐配置（中等规模，500-5000 设备）
+
+| 配置项 | 要求 |
+|--------|------|
+| CPU | 8 核 |
+| 内存 | 16 GB |
+| 系统盘 | 100 GB SSD |
+| 数据盘 | 500 GB SSD |
+| 网络 | 100 Mbps |
+| 系统 | Ubuntu 22.04 LTS |
+
+### 高可用配置（大规模，>5000 设备）
+
+| 配置项 | 要求 |
+|--------|------|
+| 应用服务器 | 2+ 台，8C16G，负载均衡 |
+| 数据库 | 主从架构，8C32G |
+| Redis | 哨兵/集群模式 |
+| Kafka | 3 节点集群 |
+| 存储 | MinIO 分布式或云存储 |
+
+---
+
+## 前置准备
+
+### 1. 域名配置
+
+- 准备主域名（如 `water.example.com`）用于 Web 访问
+- 准备 MQTT 域名（如 `mqtt.example.com`）用于设备接入
+- 配置 DNS A 记录指向服务器 IP
+
+### 2. 环境变量
+
+复制并编辑 `.env` 文件：
+
+```bash
+cp .env.example .env
+```
+
+**必须修改的配置：**
+
+```bash
+# 数据库
+POSTGRES_DB=water_management
+POSTGRES_USER=water
+POSTGRES_PASSWORD=<强密码>
+
+# Redis
+REDIS_PASSWORD=<强密码>
+
+# EMQX MQTT
+EMQX_ADMIN_USER=admin
+EMQX_ADMIN_PASSWORD=<强密码>
+
+# MinIO
+MINIO_USER=minioadmin
+MINIO_PASSWORD=<强密码>
+
+# 镜像标签
+IMAGE_TAG=latest
+
+# 域名
+DOMAIN=water.example.com
+```
+
+### 3. SSL 证书
+
+准备 Let's Encrypt 证书（服务器初始化后可自动申请）。
+
+---
+
+## 服务器初始化
+
+### 步骤 1: 执行初始化脚本
+
+```bash
+# 以 root 或 sudo 执行
+sudo chmod +x deploy/production/server-setup.sh
+sudo deploy/production/server-setup.sh
+```
+
+该脚本将自动完成：
+- ✅ 系统包更新
+- ✅ Docker & Docker Compose 安装
+- ✅ 防火墙配置（仅开放 22/80/443/1883）
+- ✅ SSH 安全加固
+- ✅ Fail2Ban 防暴力破解
+- ✅ 创建部署用户 (`deploy`)
+- ✅ 创建目录结构
+- ✅ 内核参数优化
+- ✅ 定时任务配置
+
+### 步骤 2: 配置 SSH 公钥
+
+```bash
+# 在本地机器执行
+ssh-copy-id deploy@your-server-ip
+```
+
+### 步骤 3: 上传代码
+
+```bash
+# 在服务器执行
+sudo -u deploy git clone http://git.xayunmei.com/bot_ym/water-management-system.git /opt/water-management
+cd /opt/water-management
+cp .env.example .env
+vim .env  # 编辑环境变量
+```
+
+---
+
+## 应用部署
+
+### 首次部署
+
+```bash
+cd /opt/water-management
+
+# 构建镜像（如使用远程镜像仓库可跳过）
+docker compose build
+
+# 启动所有服务
+docker compose \
+  -f docker-compose.yml \
+  -f deploy/production/docker-compose.override.yml \
+  up -d
+
+# 查看服务状态
+docker compose -f docker-compose.yml -f deploy/production/docker-compose.override.yml ps
+
+# 查看日志
+docker compose logs -f
+```
+
+### 更新部署
+
+```bash
+cd /opt/water-management
+
+# 拉取最新代码
+git pull origin master
+
+# 拉取最新镜像
+docker compose -f docker-compose.yml -f deploy/production/docker-compose.override.yml pull
+
+# 滚动更新
+docker compose -f docker-compose.yml -f deploy/production/docker-compose.override.yml up -d --remove-orphans
+
+# 清理旧镜像
+docker image prune -f
+```
+
+### 使用 CI/CD 自动部署
+
+```bash
+# 通过 scripts/deploy.sh 脚本
+./scripts/deploy.sh \
+  --env production \
+  --host your-server-ip \
+  --user deploy \
+  --tag latest
+```
+
+---
+
+## HTTPS 配置
+
+### 首次申请证书
+
+```bash
+# 安装 certbot
+sudo apt install certbot
+
+# 确保 Nginx 已启动且 80 端口可访问
+# 申请证书（替换域名和邮箱）
+sudo certbot certonly --webroot \
+  -w /var/www/certbot \
+  -d water.example.com \
+  --email admin@example.com \
+  --agree-tos \
+  --no-eff-email
+```
+
+### 自动续期
+
+证书续期脚本已配置为定时任务（每天凌晨 3 点检查），也可手动执行：
+
+```bash
+sudo deploy/production/nginx/certbot-renew.sh
+```
+
+手动续期：
+
+```bash
+sudo certbot renew --dry-run
+sudo certbot renew
+```
+
+### 验证 HTTPS
+
+```bash
+curl -I https://water.example.com
+# 应返回 HTTP/2 200 及 HSTS header
+```
+
+---
+
+## 监控告警
+
+### 部署监控栈
+
+```bash
+cd /opt/water-management
+
+# 启动监控组件
+docker compose \
+  -f deploy/production/monitoring/docker-compose.monitoring.yml \
+  up -d
+
+# 查看状态
+docker compose -f deploy/production/monitoring/docker-compose.monitoring.yml ps
+```
+
+### 组件说明
+
+| 组件 | 端口 | 用途 |
+|------|------|------|
+| Prometheus | 9090 | 指标收集与存储 |
+| Grafana | 3000 | 可视化仪表盘 |
+| Node Exporter | 9100 | 主机指标 |
+| cAdvisor | 8880 | 容器指标 |
+| AlertManager | 9093 | 告警管理 |
+| Postgres Exporter | 9187 | PostgreSQL 指标 |
+| Redis Exporter | 9121 | Redis 指标 |
+
+### 访问 Grafana
+
+1. 浏览器打开 `http://your-server-ip:3000`（生产环境建议配置 Nginx 反向代理 + HTTPS）
+2. 默认账号：`admin` / `admin`（首次登录后修改）
+3. 数据源已自动配置（Prometheus + PostgreSQL）
+
+### 告警规则
+
+已配置以下告警（详见 `monitoring/alert_rules.yml`）：
+
+| 告警名称 | 触发条件 | 严重级别 |
+|----------|----------|----------|
+| HighCPUUsage | CPU > 80% 持续 5 分钟 | Warning |
+| CriticalCPUUsage | CPU > 95% 持续 2 分钟 | Critical |
+| HighMemoryUsage | 内存 > 85% 持续 5 分钟 | Warning |
+| HighDiskUsage | 磁盘 > 90% 持续 5 分钟 | Critical |
+| ServiceDown | 服务宕机 1 分钟 | Critical |
+| ServiceSlowResponse | 响应时间 > 5s 持续 5 分钟 | Warning |
+| HighErrorRate | 5xx 错误率 > 5% | Critical |
+| PostgresHighConnections | 连接数 > 80% | Warning |
+
+### 企业微信告警配置
+
+编辑 `monitoring/alertmanager.yml`，配置 Webhook：
+
+```yaml
+receivers:
+  - name: 'wecom'
+    webhook_configs:
+      - url: 'https://qyapi.weixin.qq.com/cgi-bin/webhook/send?key=YOUR_KEY'
+```
+
+---
+
+## 日志收集
+
+### 部署日志栈（Loki 轻量方案）
+
+```bash
+cd /opt/water-management
+
+docker compose \
+  -f deploy/production/logging/docker-compose.logging.yml \
+  up -d
+```
+
+### 组件说明
+
+| 组件 | 端口 | 用途 |
+|------|------|------|
+| Loki | 3100 | 日志聚合存储 |
+| Promtail | 9080 | 日志收集代理 |
+
+### 在 Grafana 中查看日志
+
+1. 打开 Grafana → Explore
+2. 选择 Loki 数据源
+3. 使用 LogQL 查询：
+   ```
+   {container="wm-gateway"} |= "error"
+   {service="revenue"} | json | level="ERROR"
+   ```
+
+### 日志保留策略
+
+- 日志保留 30 天
+- 自动清理过期日志
+
+---
+
+## 数据库备份策略
+
+### 备份方式
+
+| 类型 | 频率 | 保留时间 | 说明 |
+|------|------|----------|------|
+| 每日备份 | 每天凌晨 2 点 | 7 天 | 全量 pg_dump |
+| 每周备份 | 每周日凌晨 | 4 周 | 全量 pg_dump |
+| 每月备份 | 每月 1 号 | 12 个月 | 全量 pg_dump |
+
+### 手动备份
+
+```bash
+# 执行备份
+deploy/production/backup/backup-db.sh
+
+# 列出备份
+deploy/production/backup/restore-db.sh --list
+```
+
+### 数据库恢复
+
+```bash
+# 恢复最近备份
+deploy/production/backup/restore-db.sh --latest
+
+# 恢复指定日期
+deploy/production/backup/restore-db.sh --date 2026-06-15
+
+# 恢复指定文件
+deploy/production/backup/restore-db.sh --file /opt/water-management/backups/daily/wm_water_management_20260615_020000.sql.gz
+```
+
+### 远程备份（MinIO/S3）
+
+在 `.env` 中配置：
+
+```bash
+S3_ENABLED=true
+S3_BUCKET=water-backups
+S3_ENDPOINT=http://minio:9000
+S3_ACCESS_KEY=minioadmin
+S3_SECRET_KEY=<密码>
+```
+
+---
+
+## 运维手册
+
+### 常用命令
+
+```bash
+# ===== 服务管理 =====
+# 查看所有服务状态
+docker compose -f docker-compose.yml -f deploy/production/docker-compose.override.yml ps
+
+# 重启单个服务
+docker compose -f docker-compose.yml -f deploy/production/docker-compose.override.yml restart gateway
+
+# 查看服务日志
+docker compose logs -f --tail=100 gateway
+
+# 进入容器
+docker exec -it wm-gateway bash
+
+# ===== 数据库 =====
+# 连接数据库
+docker exec -it wm-postgres psql -U water -d water_management
+
+# 查看活跃连接
+docker exec -it wm-postgres psql -U water -c "SELECT count(*) FROM pg_stat_activity WHERE state='active';"
+
+# ===== Redis =====
+# 查看 Redis 信息
+docker exec -it wm-redis redis-cli -a <密码> info
+
+# ===== 资源监控 =====
+# 查看容器资源使用
+docker stats --no-stream
+
+# 查看磁盘使用
+df -h
+docker system df
+```
+
+### 扩缩容
+
+```bash
+# 水平扩展应用实例（需要负载均衡器）
+docker compose -f docker-compose.yml -f deploy/production/docker-compose.override.yml up -d --scale gateway=2
+
+# 修改资源限制
+# 编辑 deploy/production/docker-compose.override.yml 中的 deploy.resources
+```
+
+### 证书管理
+
+```bash
+# 查看证书过期时间
+sudo openssl x509 -enddate -noout -in /etc/letsencrypt/live/water.example.com/fullchain.pem
+
+# 手动续期
+sudo certbot renew
+
+# 重新申请
+sudo certbot certonly --webroot -w /var/www/certbot -d water.example.com --force-renewal
+```
+
+---
+
+## 故障排查
+
+### 服务无法启动
+
+```bash
+# 查看详细日志
+docker compose logs --tail=200 <service-name>
+
+# 检查端口冲突
+ss -tlnp | grep <port>
+
+# 检查资源
+docker stats --no-stream
+df -h
+free -h
+```
+
+### 数据库连接问题
+
+```bash
+# 检查 PostgreSQL 是否运行
+docker exec -it wm-postgres pg_isready
+
+# 检查连接数
+docker exec -it wm-postgres psql -U water -c "SELECT count(*) FROM pg_stat_activity;"
+
+# 检查慢查询
+docker exec -it wm-postgres psql -U water -c "SELECT pid, now()-query_start AS duration, query FROM pg_stat_activity WHERE state='active' ORDER BY duration DESC LIMIT 5;"
+```
+
+### 内存不足
+
+```bash
+# 查看内存使用
+docker stats --no-stream --format "table {{.Name}}\t{{.MemUsage}}\t{{.MemPerc}}"
+
+# 清理无用镜像和容器
+docker system prune -a --volumes
+
+# 调整 JVM 内存参数
+# 编辑 docker-compose.override.yml 中的 JAVA_OPTS
+```
+
+### 磁盘空间不足
+
+```bash
+# 查看磁盘使用
+df -h
+du -sh /opt/water-management/*
+docker system df -v
+
+# 清理旧备份
+find /opt/water-management/backups -name "*.sql.gz" -mtime +30 -delete
+
+# 清理 Docker
+docker system prune -f
+docker volume prune -f
+```
+
+### MQTT 连接问题
+
+```bash
+# 检查 EMQX 状态
+docker exec -it wm-emqx emqx status
+
+# 查看 EMQX 日志
+docker logs wm-emqx
+
+# 测试 MQTT 连接
+mosquitto_pub -h localhost -p 1883 -t "test" -m "hello"
+```
+
+---
+
+## 附录
+
+### 目录结构
+
+```
+/opt/water-management/
+├── .env                           # 环境变量
+├── docker-compose.yml             # 基础编排
+├── deploy/
+│   └── production/
+│       ├── docker-compose.override.yml  # 生产覆盖配置
+│       ├── nginx/
+│       │   ├── nginx.conf               # Nginx 配置
+│       │   └── certbot-renew.sh         # 证书续期
+│       ├── backup/
+│       │   ├── backup-db.sh             # 数据库备份
+│       │   └── restore-db.sh            # 数据库恢复
+│       ├── monitoring/
+│       │   ├── docker-compose.monitoring.yml
+│       │   ├── prometheus.yml
+│       │   ├── alert_rules.yml
+│       │   └── grafana/
+│       ├── logging/
+│       │   ├── docker-compose.logging.yml
+│       │   ├── loki-config.yml
+│       │   └── promtail-config.yml
+│       ├── server-setup.sh              # 服务器初始化
+│       └── README.md                    # 本文档
+├── backups/                       # 数据库备份
+│   ├── daily/
+│   ├── weekly/
+│   └── monthly/
+└── logs/                          # 应用日志
+```
+
+### 端口清单
+
+| 服务 | 端口 | 用途 |
+|------|------|------|
+| Nginx HTTP | 80 | Web 访问（跳转 HTTPS） |
+| Nginx HTTPS | 443 | Web 安全访问 |
+| MQTT | 1883 | 物联网设备接入 |
+| Gateway | 8080 | API 网关（内部） |
+| PostgreSQL | 5432 | 数据库（仅本地） |
+| Redis | 6379 | 缓存（仅本地） |
+| Grafana | 3000 | 监控面板（仅本地） |
+| Prometheus | 9090 | 指标查询（仅本地） |
+
+### 安全建议
+
+1. **定期更新**：每月执行系统更新和 Docker 镜像更新
+2. **密码管理**：使用强密码，定期轮换
+3. **访问控制**：生产环境仅通过 HTTPS 访问，内部端口不对外开放
+4. **备份验证**：每月至少恢复一次备份进行验证
+5. **日志审计**：定期检查访问日志和错误日志
+6. **证书监控**：确保证书自动续期正常
+
+---
+
+*文档版本: 1.0 | 最后更新: 2026-06-16*

deploy/production/backup/backup-db.sh

@@ -0,0 +1,248 @@
+#!/bin/bash
+# ============================================================
+# 数据库备份脚本
+# 
+# 功能:
+#   - PostgreSQL 全量备份 (pg_dump)
+#   - 备份保留策略: 每日(7天) + 每周(4周) + 每月(12月)
+#   - 压缩 + 可选加密
+#   - 上传到 MinIO/S3 或本地归档
+#   - 企业微信通知备份结果
+#
+# Cron 配置 (每天凌晨 2 点执行):
+#   0 2 * * * /opt/water-management/deploy/production/backup/backup-db.sh >> /var/log/wm-backup.log 2>&1
+# ============================================================
+set -euo pipefail
+
+# ==================== 配置 ====================
+# 数据库配置
+DB_HOST="${DB_HOST:-localhost}"
+DB_PORT="${DB_PORT:-5432}"
+DB_NAME="${POSTGRES_DB:-water_management}"
+DB_USER="${POSTGRES_USER:-water}"
+DB_PASSWORD="${POSTGRES_PASSWORD:-}"
+PGPASSWORD="${DB_PASSWORD}"
+export PGPASSWORD
+
+# 备份目录
+BACKUP_BASE="${BACKUP_DIR:-/opt/water-management/backups}"
+BACKUP_DAILY="${BACKUP_BASE}/daily"
+BACKUP_WEEKLY="${BACKUP_BASE}/weekly"
+BACKUP_MONTHLY="${BACKUP_BASE}/monthly"
+
+# 保留策略
+DAILY_RETENTION=7
+WEEKLY_RETENTION=4
+MONTHLY_RETENTION=12
+
+# MinIO/S3 配置（可选）
+S3_ENABLED="${S3_ENABLED:-false}"
+S3_BUCKET="${S3_BUCKET:-water-backups}"
+S3_ENDPOINT="${S3_ENDPOINT:-http://localhost:9000}"
+S3_ACCESS_KEY="${S3_ACCESS_KEY:-}"
+S3_SECRET_KEY="${S3_SECRET_KEY:-}"
+
+# 加密配置（可选）
+ENCRYPT_ENABLED="${ENCRYPT_ENABLED:-false}"
+ENCRYPT_PASSPHRASE="${ENCRYPT_PASSPHRASE:-}"
+
+# 企业微信 Webhook
+WECOM_WEBHOOK="${WECOM_WEBHOOK:-}"
+
+# ==================== 初始化 ====================
+TIMESTAMP=$(date +%Y%m%d_%H%M%S)
+DATE=$(date +%Y-%m-%d)
+DAY_OF_WEEK=$(date +%u)  # 1=Monday, 7=Sunday
+DAY_OF_MONTH=$(date +%d)
+
+log() {
+    echo "[$(date '+%Y-%m-%d %H:%M:%S')] $1"
+}
+
+# 创建备份目录
+mkdir -p "$BACKUP_DAILY" "$BACKUP_WEEKLY" "$BACKUP_MONTHLY"
+
+# ==================== 备份函数 ====================
+
+# 全量备份
+do_full_backup() {
+    local target_dir="$1"
+    local backup_name="wm_${DB_NAME}_${TIMESTAMP}.sql.gz"
+    local backup_path="${target_dir}/${backup_name}"
+    
+    log "📦 开始全量备份: ${DB_NAME}"
+    
+    # pg_dump 全量备份 + gzip 压缩
+    pg_dump \
+        -h "$DB_HOST" \
+        -p "$DB_PORT" \
+        -U "$DB_USER" \
+        -d "$DB_NAME" \
+        --format=plain \
+        --verbose \
+        --no-owner \
+        --no-privileges \
+        --clean \
+        --if-exists \
+        2>/dev/null | gzip -9 > "$backup_path"
+    
+    local size
+    size=$(du -sh "$backup_path" | cut -f1)
+    log "✅ 备份完成: ${backup_name} (${size})"
+    
+    # 可选加密
+    if [ "$ENCRYPT_ENABLED" = "true" ] && [ -n "$ENCRYPT_PASSPHRASE" ]; then
+        log "🔐 加密备份文件..."
+        openssl enc -aes-256-cbc -salt -pbkdf2 \
+            -in "$backup_path" \
+            -out "${backup_path}.enc" \
+            -pass "pass:${ENCRYPT_PASSPHRASE}"
+        rm "$backup_path"
+        backup_path="${backup_path}.enc"
+        log "✅ 加密完成"
+    fi
+    
+    # 上传到 S3/MinIO
+    if [ "$S3_ENABLED" = "true" ]; then
+        upload_to_s3 "$backup_path"
+    fi
+    
+    echo "$backup_path"
+}
+
+# 上传到 S3/MinIO
+upload_to_s3() {
+    local file="$1"
+    local filename
+    filename=$(basename "$file")
+    local s3_path="s3://${S3_BUCKET}/db/${DATE}/${filename}"
+    
+    log "☁️ 上传到 S3: ${s3_path}"
+    
+    # 使用 mc (MinIO Client) 或 aws cli
+    if command -v mc &>/dev/null; then
+        mc alias set wm-s3 "$S3_ENDPOINT" "$S3_ACCESS_KEY" "$S3_SECRET_KEY" 2>/dev/null
+        mc cp "$file" "wm-s3/${S3_BUCKET}/db/${DATE}/${filename}" 2>/dev/null
+    elif command -v aws &>/dev/null; then
+        aws --endpoint-url "$S3_ENDPOINT" s3 cp "$file" "$s3_path" 2>/dev/null
+    else
+        log "⚠️ 未找到 mc 或 aws 命令，跳过 S3 上传"
+        return 0
+    fi
+    
+    log "✅ S3 上传完成"
+}
+
+# ==================== 保留策略 ====================
+
+# 清理过期备份
+cleanup_old_backups() {
+    log "🧹 执行备份保留策略..."
+    
+    # 每日备份：保留最近 N 天
+    local daily_count
+    daily_count=$(ls -1 "$BACKUP_DAILY"/*.sql.gz 2>/dev/null | wc -l || echo 0)
+    if [ "$daily_count" -gt "$DAILY_RETENTION" ]; then
+        local to_delete=$((daily_count - DAILY_RETENTION))
+        log "  清理每日备份: 删除最旧的 ${to_delete} 个文件"
+        ls -1t "$BACKUP_DAILY"/*.sql.gz 2>/dev/null | tail -n "$to_delete" | xargs rm -f
+    fi
+    
+    # 每周备份：保留最近 N 周
+    local weekly_count
+    weekly_count=$(ls -1 "$BACKUP_WEEKLY"/*.sql.gz 2>/dev/null | wc -l || echo 0)
+    if [ "$weekly_count" -gt "$WEEKLY_RETENTION" ]; then
+        local to_delete=$((weekly_count - WEEKLY_RETENTION))
+        log "  清理每周备份: 删除最旧的 ${to_delete} 个文件"
+        ls -1t "$BACKUP_WEEKLY"/*.sql.gz 2>/dev/null | tail -n "$to_delete" | xargs rm -f
+    fi
+    
+    # 每月备份：保留最近 N 个月
+    local monthly_count
+    monthly_count=$(ls -1 "$BACKUP_MONTHLY"/*.sql.gz 2>/dev/null | wc -l || echo 0)
+    if [ "$monthly_count" -gt "$MONTHLY_RETENTION" ]; then
+        local to_delete=$((monthly_count - MONTHLY_RETENTION))
+        log "  清理每月备份: 删除最旧的 ${to_delete} 个文件"
+        ls -1t "$BACKUP_MONTHLY"/*.sql.gz 2>/dev/null | tail -n "$to_delete" | xargs rm -f
+    fi
+    
+    log "✅ 保留策略执行完毕"
+}
+
+# ==================== 通知 ====================
+
+send_notification() {
+    local status="$1"
+    local message="$2"
+    local backup_path="$3"
+    
+    if [ -z "$WECOM_WEBHOOK" ]; then
+        log "⚠️ 未配置企业微信 Webhook，跳过通知"
+        return 0
+    fi
+    
+    local emoji="✅"
+    local color="info"
+    if [ "$status" = "failure" ]; then
+        emoji="❌"
+        color="warning"
+    fi
+    
+    local backup_size="N/A"
+    if [ -f "$backup_path" ]; then
+        backup_size=$(du -sh "$backup_path" | cut -f1)
+    fi
+    
+    local payload
+    payload=$(cat <<EOF
+{
+    "msgtype": "markdown",
+    "markdown": {
+        "content": "## ${emoji} 数据库备份通知\n\n**数据库:** ${DB_NAME}\n**状态:** <font color=\"${color}\">${status}</font>\n**大小:** ${backup_size}\n**时间:** $(date '+%Y-%m-%d %H:%M:%S')\n\n${message}"
+    }
+}
+EOF
+)
+    
+    curl -s -X POST "$WECOM_WEBHOOK" \
+        -H "Content-Type: application/json" \
+        -d "$payload" > /dev/null 2>&1 || true
+    
+    log "📤 通知已发送"
+}
+
+# ==================== 主逻辑 ====================
+
+log "========================================="
+log "数据库备份开始 - ${DB_NAME}"
+log "========================================="
+
+BACKUP_PATH=""
+STATUS="success"
+MESSAGE=""
+
+# 执行每日备份
+log "📅 执行每日备份..."
+BACKUP_PATH=$(do_full_backup "$BACKUP_DAILY")
+
+# 周日执行每周备份
+if [ "$DAY_OF_WEEK" = "7" ]; then
+    log "📅 今天是周日，执行每周备份..."
+    do_full_backup "$BACKUP_WEEKLY" > /dev/null
+fi
+
+# 每月1号执行每月备份
+if [ "$DAY_OF_MONTH" = "01" ]; then
+    log "📅 今天是月初，执行每月备份..."
+    do_full_backup "$BACKUP_MONTHLY" > /dev/null
+fi
+
+# 清理过期备份
+cleanup_old_backups
+
+# 发送通知
+send_notification "$STATUS" "每日全量备份完成" "$BACKUP_PATH"
+
+log "========================================="
+log "备份全部完成"
+log "========================================="

deploy/production/backup/restore-db.sh

@@ -0,0 +1,244 @@
+#!/bin/bash
+# ============================================================
+# 数据库恢复脚本
+# 
+# 用法:
+#   ./restore-db.sh --file /path/to/backup.sql.gz
+#   ./restore-db.sh --latest                          # 恢复最近一次备份
+#   ./restore-db.sh --date 2026-06-15                 # 恢复指定日期的备份
+#   ./restore-db.sh --list                            # 列出所有可用备份
+# ============================================================
+set -euo pipefail
+
+# ==================== 配置 ====================
+DB_HOST="${DB_HOST:-localhost}"
+DB_PORT="${DB_PORT:-5432}"
+DB_NAME="${POSTGRES_DB:-water_management}"
+DB_USER="${POSTGRES_USER:-water}"
+DB_PASSWORD="${POSTGRES_PASSWORD:-}"
+PGPASSWORD="${DB_PASSWORD}"
+export PGPASSWORD
+
+BACKUP_BASE="${BACKUP_DIR:-/opt/water-management/backups}"
+BACKUP_DAILY="${BACKUP_BASE}/daily"
+BACKUP_WEEKLY="${BACKUP_BASE}/weekly"
+BACKUP_MONTHLY="${BACKUP_BASE}/monthly"
+
+# ==================== 参数 ====================
+BACKUP_FILE=""
+MODE="file"  # file | latest | date | list
+TARGET_DATE=""
+
+while [[ $# -gt 0 ]]; do
+    case $1 in
+        --file)    BACKUP_FILE="$2"; MODE="file"; shift 2 ;;
+        --latest)  MODE="latest"; shift ;;
+        --date)    TARGET_DATE="$2"; MODE="date"; shift 2 ;;
+        --list)    MODE="list"; shift ;;
+        -h|--help)
+            echo "用法: $0 [选项]"
+            echo ""
+            echo "选项:"
+            echo "  --file PATH      指定备份文件路径"
+            echo "  --latest         恢复最近一次备份"
+            echo "  --date YYYY-MM-DD 恢复指定日期的备份"
+            echo "  --list           列出所有可用备份"
+            echo ""
+            echo "示例:"
+            echo "  $0 --file /opt/water-management/backups/daily/wm_water_management_20260615_020000.sql.gz"
+            echo "  $0 --latest"
+            echo "  $0 --date 2026-06-15"
+            exit 0
+            ;;
+        *)
+            echo "❌ 未知参数: $1"
+            exit 1
+            ;;
+    esac
+done
+
+# ==================== 函数 ====================
+
+log() {
+    echo "[$(date '+%Y-%m-%d %H:%M:%S')] $1"
+}
+
+# 列出所有可用备份
+list_backups() {
+    echo "========================================="
+    echo " 可用备份列表"
+    echo "========================================="
+    echo ""
+    
+    echo "📅 每日备份:"
+    if [ -d "$BACKUP_DAILY" ]; then
+        ls -lht "$BACKUP_DAILY"/*.sql.gz 2>/dev/null | head -10 || echo "  (无)"
+    fi
+    echo ""
+    
+    echo "📅 每周备份:"
+    if [ -d "$BACKUP_WEEKLY" ]; then
+        ls -lht "$BACKUP_WEEKLY"/*.sql.gz 2>/dev/null | head -10 || echo "  (无)"
+    fi
+    echo ""
+    
+    echo "📅 每月备份:"
+    if [ -d "$BACKUP_MONTHLY" ]; then
+        ls -lht "$BACKUP_MONTHLY"/*.sql.gz 2>/dev/null | head -10 || echo "  (无)"
+    fi
+    echo ""
+}
+
+# 查找最近的备份
+find_latest_backup() {
+    local latest=""
+    latest=$(ls -1t "$BACKUP_DAILY"/*.sql.gz 2>/dev/null | head -1 || echo "")
+    
+    if [ -z "$latest" ]; then
+        latest=$(ls -1t "$BACKUP_WEEKLY"/*.sql.gz 2>/dev/null | head -1 || echo "")
+    fi
+    
+    if [ -z "$latest" ]; then
+        latest=$(ls -1t "$BACKUP_MONTHLY"/*.sql.gz 2>/dev/null | head -1 || echo "")
+    fi
+    
+    echo "$latest"
+}
+
+# 查找指定日期的备份
+find_backup_by_date() {
+    local date_str="$1"
+    local date_compact
+    date_compact=$(echo "$date_str" | tr -d '-')
+    
+    local found=""
+    found=$(ls -1 "$BACKUP_DAILY"/*${date_compact}*.sql.gz 2>/dev/null | head -1 || echo "")
+    
+    echo "$found"
+}
+
+# 解密备份文件（如果需要）
+decrypt_if_needed() {
+    local file="$1"
+    
+    if [[ "$file" == *.enc ]]; then
+        log "🔐 检测到加密文件，正在解密..."
+        local decrypted="${file%.enc}"
+        openssl enc -d -aes-256-cbc -pbkdf2 \
+            -in "$file" \
+            -out "$decrypted" \
+            -pass "pass:${ENCRYPT_PASSPHRASE:-}"
+        echo "$decrypted"
+    else
+        echo "$file"
+    fi
+}
+
+# 恢复数据库
+restore_database() {
+    local backup_file="$1"
+    
+    if [ ! -f "$backup_file" ]; then
+        log "❌ 备份文件不存在: $backup_file"
+        exit 1
+    fi
+    
+    local file_size
+    file_size=$(du -sh "$backup_file" | cut -f1)
+    
+    log "========================================="
+    log " 数据库恢复"
+    log "========================================="
+    log "备份文件: $backup_file"
+    log "文件大小: $file_size"
+    log "目标数据库: $DB_NAME"
+    log "目标主机: $DB_HOST:$DB_PORT"
+    log ""
+    
+    # 确认操作
+    read -p "⚠️  此操作将覆盖当前数据库，是否继续？(yes/no): " confirm
+    if [ "$confirm" != "yes" ]; then
+        log "❌ 操作已取消"
+        exit 0
+    fi
+    
+    log "🔄 开始恢复..."
+    
+    # 解密（如果需要）
+    local actual_file
+    actual_file=$(decrypt_if_needed "$backup_file")
+    
+    # 恢复数据库
+    if [[ "$actual_file" == *.gz ]]; then
+        gunzip -c "$actual_file" | psql \
+            -h "$DB_HOST" \
+            -p "$DB_PORT" \
+            -U "$DB_USER" \
+            -d "$DB_NAME" \
+            --single-transaction \
+            -v ON_ERROR_STOP=1 \
+            2>&1 | tail -20
+    else
+        psql \
+            -h "$DB_HOST" \
+            -p "$DB_PORT" \
+            -U "$DB_USER" \
+            -d "$DB_NAME" \
+            --single-transaction \
+            -v ON_ERROR_STOP=1 \
+            -f "$actual_file" \
+            2>&1 | tail -20
+    fi
+    
+    if [ ${PIPESTATUS[0]} -eq 0 ]; then
+        log "✅ 数据库恢复成功"
+    else
+        log "❌ 数据库恢复可能存在问题，请检查日志"
+        exit 1
+    fi
+    
+    # 清理解密的临时文件
+    if [ "$actual_file" != "$backup_file" ] && [ -f "$actual_file" ]; then
+        rm -f "$actual_file"
+    fi
+}
+
+# ==================== 主逻辑 ====================
+
+case "$MODE" in
+    list)
+        list_backups
+        ;;
+    latest)
+        BACKUP_FILE=$(find_latest_backup)
+        if [ -z "$BACKUP_FILE" ]; then
+            log "❌ 未找到任何备份文件"
+            exit 1
+        fi
+        restore_database "$BACKUP_FILE"
+        ;;
+    date)
+        if [ -z "$TARGET_DATE" ]; then
+            log "❌ 必须指定日期: --date YYYY-MM-DD"
+            exit 1
+        fi
+        BACKUP_FILE=$(find_backup_by_date "$TARGET_DATE")
+        if [ -z "$BACKUP_FILE" ]; then
+            log "❌ 未找到 ${TARGET_DATE} 的备份文件"
+            list_backups
+            exit 1
+        fi
+        restore_database "$BACKUP_FILE"
+        ;;
+    file)
+        if [ -z "$BACKUP_FILE" ]; then
+            log "❌ 必须指定备份文件: --file /path/to/backup.sql.gz"
+            exit 1
+        fi
+        restore_database "$BACKUP_FILE"
+        ;;
+    *)
+        echo "❌ 未知模式: $MODE"
+        exit 1
+        ;;
+esac

deploy/production/docker-compose.override.yml

@@ -0,0 +1,526 @@
+# ============================================================
+# 生产环境 Docker Compose 覆盖配置
+# 使用方式: docker compose -f docker-compose.yml -f deploy/production/docker-compose.override.yml up -d
+# ============================================================
+
+services:
+  # ==================== 基础设施 ====================
+
+  postgres:
+    restart: always
+    environment:
+      POSTGRES_DB: ${POSTGRES_DB}
+      POSTGRES_USER: ${POSTGRES_USER}
+      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
+    ports:
+      - "127.0.0.1:5432:5432"
+    volumes:
+      - pgdata:/var/lib/postgresql/data
+      - /opt/water-management/config/postgres:/etc/postgresql:ro
+    deploy:
+      resources:
+        limits:
+          cpus: '2.0'
+          memory: 2G
+        reservations:
+          cpus: '0.5'
+          memory: 512M
+    logging:
+      driver: json-file
+      options:
+        max-size: "50m"
+        max-file: "5"
+    security_opt:
+      - no-new-privileges:true
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER}"]
+      interval: 30s
+      timeout: 10s
+      retries: 5
+      start_period: 60s
+
+  redis:
+    restart: always
+    command: >
+      redis-server
+      --requirepass ${REDIS_PASSWORD}
+      --maxmemory 512mb
+      --maxmemory-policy allkeys-lru
+      --appendonly yes
+      --appendfsync everysec
+    ports:
+      - "127.0.0.1:6379:6379"
+    deploy:
+      resources:
+        limits:
+          cpus: '0.5'
+          memory: 768M
+        reservations:
+          cpus: '0.25'
+          memory: 256M
+    logging:
+      driver: json-file
+      options:
+        max-size: "20m"
+        max-file: "3"
+    security_opt:
+      - no-new-privileges:true
+    read_only: true
+    tmpfs:
+      - /tmp
+      - /run
+
+  tdengine:
+    restart: always
+    ports:
+      - "127.0.0.1:6030:6030"
+      - "127.0.0.1:6041:6041"
+    deploy:
+      resources:
+        limits:
+          cpus: '1.0'
+          memory: 2G
+        reservations:
+          cpus: '0.5'
+          memory: 512M
+    logging:
+      driver: json-file
+      options:
+        max-size: "50m"
+        max-file: "5"
+
+  kafka:
+    restart: always
+    ports:
+      - "127.0.0.1:9092:9092"
+    deploy:
+      resources:
+        limits:
+          cpus: '1.0'
+          memory: 2G
+        reservations:
+          cpus: '0.5'
+          memory: 512M
+    logging:
+      driver: json-file
+      options:
+        max-size: "50m"
+        max-file: "5"
+
+  emqx:
+    restart: always
+    ports:
+      - "1883:1883"
+      - "127.0.0.1:8083:8083"
+      - "127.0.0.1:18083:18083"
+    environment:
+      EMQX_DASHBOARD__DEFAULT_USERNAME: ${EMQX_ADMIN_USER}
+      EMQX_DASHBOARD__DEFAULT_PASSWORD: ${EMQX_ADMIN_PASSWORD}
+    deploy:
+      resources:
+        limits:
+          cpus: '1.0'
+          memory: 1G
+        reservations:
+          cpus: '0.25'
+          memory: 256M
+    logging:
+      driver: json-file
+      options:
+        max-size: "30m"
+        max-file: "3"
+
+  nacos:
+    restart: always
+    ports:
+      - "127.0.0.1:8848:8848"
+      - "127.0.0.1:9848:9848"
+    deploy:
+      resources:
+        limits:
+          cpus: '1.0'
+          memory: 1G
+        reservations:
+          cpus: '0.25'
+          memory: 256M
+    logging:
+      driver: json-file
+      options:
+        max-size: "30m"
+        max-file: "3"
+
+  minio:
+    restart: always
+    ports:
+      - "127.0.0.1:9000:9000"
+      - "127.0.0.1:9001:9001"
+    environment:
+      MINIO_ROOT_USER: ${MINIO_USER}
+      MINIO_ROOT_PASSWORD: ${MINIO_PASSWORD}
+    deploy:
+      resources:
+        limits:
+          cpus: '1.0'
+          memory: 1G
+        reservations:
+          cpus: '0.25'
+          memory: 256M
+    logging:
+      driver: json-file
+      options:
+        max-size: "30m"
+        max-file: "3"
+
+  # ==================== 应用服务 ====================
+
+  gateway:
+    restart: always
+    image: ${REGISTRY:-}water/wm-gateway:${IMAGE_TAG:-latest}
+    build: !reset null
+    ports:
+      - "127.0.0.1:8080:8080"
+    environment:
+      SPRING_PROFILES_ACTIVE: prod
+      SPRING_CLOUD_NACOS_DISCOVERY_SERVER_ADDR: nacos:8848
+      SPRING_CLOUD_NACOS_CONFIG_SERVER_ADDR: nacos:8848
+      SPRING_DATA_REDIS_HOST: redis
+      SPRING_DATA_REDIS_PASSWORD: ${REDIS_PASSWORD}
+      JAVA_OPTS: "-Xms256m -Xmx512m -XX:+UseG1GC -XX:MaxGCPauseMillis=200"
+    deploy:
+      resources:
+        limits:
+          cpus: '1.0'
+          memory: 768M
+        reservations:
+          cpus: '0.25'
+          memory: 256M
+    logging:
+      driver: json-file
+      options:
+        max-size: "50m"
+        max-file: "5"
+    security_opt:
+      - no-new-privileges:true
+    read_only: true
+    tmpfs:
+      - /tmp
+
+  base:
+    restart: always
+    image: ${REGISTRY:-}water/wm-base:${IMAGE_TAG:-latest}
+    build: !reset null
+    ports:
+      - "127.0.0.1:8091:8081"
+    environment:
+      SPRING_PROFILES_ACTIVE: prod
+      SPRING_CLOUD_NACOS_DISCOVERY_SERVER_ADDR: nacos:8848
+      SPRING_DATASOURCE_URL: jdbc:postgresql://postgres:5432/${POSTGRES_DB}
+      SPRING_DATASOURCE_USERNAME: ${POSTGRES_USER}
+      SPRING_DATASOURCE_PASSWORD: ${POSTGRES_PASSWORD}
+      SPRING_DATA_REDIS_HOST: redis
+      SPRING_DATA_REDIS_PASSWORD: ${REDIS_PASSWORD}
+      JAVA_OPTS: "-Xms256m -Xmx512m -XX:+UseG1GC -XX:MaxGCPauseMillis=200"
+    deploy:
+      resources:
+        limits:
+          cpus: '1.0'
+          memory: 768M
+        reservations:
+          cpus: '0.25'
+          memory: 256M
+    logging:
+      driver: json-file
+      options:
+        max-size: "50m"
+        max-file: "5"
+    security_opt:
+      - no-new-privileges:true
+    read_only: true
+    tmpfs:
+      - /tmp
+
+  iot:
+    restart: always
+    image: ${REGISTRY:-}water/wm-iot:${IMAGE_TAG:-latest}
+    build: !reset null
+    ports:
+      - "127.0.0.1:8092:8082"
+    environment:
+      SPRING_PROFILES_ACTIVE: prod
+      SPRING_CLOUD_NACOS_DISCOVERY_SERVER_ADDR: nacos:8848
+      SPRING_DATASOURCE_URL: jdbc:postgresql://postgres:5432/${POSTGRES_DB}
+      SPRING_DATASOURCE_USERNAME: ${POSTGRES_USER}
+      SPRING_DATASOURCE_PASSWORD: ${POSTGRES_PASSWORD}
+      MQTT_BROKER_URL: tcp://emqx:1883
+      JAVA_OPTS: "-Xms256m -Xmx512m -XX:+UseG1GC -XX:MaxGCPauseMillis=200"
+    deploy:
+      resources:
+        limits:
+          cpus: '1.0'
+          memory: 768M
+        reservations:
+          cpus: '0.25'
+          memory: 256M
+    logging:
+      driver: json-file
+      options:
+        max-size: "50m"
+        max-file: "5"
+    security_opt:
+      - no-new-privileges:true
+    read_only: true
+    tmpfs:
+      - /tmp
+
+  data-engine:
+    restart: always
+    image: ${REGISTRY:-}water/wm-data-engine:${IMAGE_TAG:-latest}
+    build: !reset null
+    ports:
+      - "127.0.0.1:8093:8083"
+    environment:
+      SPRING_PROFILES_ACTIVE: prod
+      SPRING_CLOUD_NACOS_DISCOVERY_SERVER_ADDR: nacos:8848
+      SPRING_DATASOURCE_URL: jdbc:postgresql://postgres:5432/${POSTGRES_DB}
+      SPRING_DATASOURCE_USERNAME: ${POSTGRES_USER}
+      SPRING_DATASOURCE_PASSWORD: ${POSTGRES_PASSWORD}
+      JAVA_OPTS: "-Xms512m -Xmx1g -XX:+UseG1GC -XX:MaxGCPauseMillis=200"
+    deploy:
+      resources:
+        limits:
+          cpus: '1.5'
+          memory: 1536M
+        reservations:
+          cpus: '0.5'
+          memory: 512M
+    logging:
+      driver: json-file
+      options:
+        max-size: "50m"
+        max-file: "5"
+    security_opt:
+      - no-new-privileges:true
+    read_only: true
+    tmpfs:
+      - /tmp
+
+  bpm:
+    restart: always
+    image: ${REGISTRY:-}water/wm-bpm:${IMAGE_TAG:-latest}
+    build: !reset null
+    ports:
+      - "127.0.0.1:8094:8084"
+    environment:
+      SPRING_PROFILES_ACTIVE: prod
+      SPRING_CLOUD_NACOS_DISCOVERY_SERVER_ADDR: nacos:8848
+      SPRING_DATASOURCE_URL: jdbc:postgresql://postgres:5432/${POSTGRES_DB}
+      SPRING_DATASOURCE_USERNAME: ${POSTGRES_USER}
+      SPRING_DATASOURCE_PASSWORD: ${POSTGRES_PASSWORD}
+      JAVA_OPTS: "-Xms256m -Xmx512m -XX:+UseG1GC -XX:MaxGCPauseMillis=200"
+    deploy:
+      resources:
+        limits:
+          cpus: '1.0'
+          memory: 768M
+        reservations:
+          cpus: '0.25'
+          memory: 256M
+    logging:
+      driver: json-file
+      options:
+        max-size: "50m"
+        max-file: "5"
+    security_opt:
+      - no-new-privileges:true
+    read_only: true
+    tmpfs:
+      - /tmp
+
+  production:
+    restart: always
+    image: ${REGISTRY:-}water/wm-production:${IMAGE_TAG:-latest}
+    build: !reset null
+    ports:
+      - "127.0.0.1:8095:8085"
+    environment:
+      SPRING_PROFILES_ACTIVE: prod
+      SPRING_CLOUD_NACOS_DISCOVERY_SERVER_ADDR: nacos:8848
+      SPRING_DATASOURCE_URL: jdbc:postgresql://postgres:5432/${POSTGRES_DB}
+      SPRING_DATASOURCE_USERNAME: ${POSTGRES_USER}
+      SPRING_DATASOURCE_PASSWORD: ${POSTGRES_PASSWORD}
+      JAVA_OPTS: "-Xms256m -Xmx512m -XX:+UseG1GC -XX:MaxGCPauseMillis=200"
+    deploy:
+      resources:
+        limits:
+          cpus: '1.0'
+          memory: 768M
+        reservations:
+          cpus: '0.25'
+          memory: 256M
+    logging:
+      driver: json-file
+      options:
+        max-size: "50m"
+        max-file: "5"
+    security_opt:
+      - no-new-privileges:true
+    read_only: true
+    tmpfs:
+      - /tmp
+
+  revenue:
+    restart: always
+    image: ${REGISTRY:-}water/wm-revenue:${IMAGE_TAG:-latest}
+    build: !reset null
+    ports:
+      - "127.0.0.1:8096:8086"
+    environment:
+      SPRING_PROFILES_ACTIVE: prod
+      SPRING_CLOUD_NACOS_DISCOVERY_SERVER_ADDR: nacos:8848
+      SPRING_DATASOURCE_URL: jdbc:postgresql://postgres:5432/${POSTGRES_DB}
+      SPRING_DATASOURCE_USERNAME: ${POSTGRES_USER}
+      SPRING_DATASOURCE_PASSWORD: ${POSTGRES_PASSWORD}
+      JAVA_OPTS: "-Xms256m -Xmx512m -XX:+UseG1GC -XX:MaxGCPauseMillis=200"
+    deploy:
+      resources:
+        limits:
+          cpus: '1.0'
+          memory: 768M
+        reservations:
+          cpus: '0.25'
+          memory: 256M
+    logging:
+      driver: json-file
+      options:
+        max-size: "50m"
+        max-file: "5"
+    security_opt:
+      - no-new-privileges:true
+    read_only: true
+    tmpfs:
+      - /tmp
+
+  patrol:
+    restart: always
+    image: ${REGISTRY:-}water/wm-patrol:${IMAGE_TAG:-latest}
+    build: !reset null
+    ports:
+      - "127.0.0.1:8097:8087"
+    environment:
+      SPRING_PROFILES_ACTIVE: prod
+      SPRING_CLOUD_NACOS_DISCOVERY_SERVER_ADDR: nacos:8848
+      SPRING_DATASOURCE_URL: jdbc:postgresql://postgres:5432/${POSTGRES_DB}
+      SPRING_DATASOURCE_USERNAME: ${POSTGRES_USER}
+      SPRING_DATASOURCE_PASSWORD: ${POSTGRES_PASSWORD}
+      JAVA_OPTS: "-Xms256m -Xmx512m -XX:+UseG1GC -XX:MaxGCPauseMillis=200"
+    deploy:
+      resources:
+        limits:
+          cpus: '1.0'
+          memory: 768M
+        reservations:
+          cpus: '0.25'
+          memory: 256M
+    logging:
+      driver: json-file
+      options:
+        max-size: "50m"
+        max-file: "5"
+    security_opt:
+      - no-new-privileges:true
+    read_only: true
+    tmpfs:
+      - /tmp
+
+  notify:
+    restart: always
+    image: ${REGISTRY:-}water/wm-notify:${IMAGE_TAG:-latest}
+    build: !reset null
+    ports:
+      - "127.0.0.1:8099:8089"
+    environment:
+      SPRING_PROFILES_ACTIVE: prod
+      SPRING_CLOUD_NACOS_DISCOVERY_SERVER_ADDR: nacos:8848
+      SPRING_DATASOURCE_URL: jdbc:postgresql://postgres:5432/${POSTGRES_DB}
+      SPRING_DATASOURCE_USERNAME: ${POSTGRES_USER}
+      SPRING_DATASOURCE_PASSWORD: ${POSTGRES_PASSWORD}
+      JAVA_OPTS: "-Xms128m -Xmx256m -XX:+UseG1GC -XX:MaxGCPauseMillis=200"
+    deploy:
+      resources:
+        limits:
+          cpus: '0.5'
+          memory: 384M
+        reservations:
+          cpus: '0.1'
+          memory: 128M
+    logging:
+      driver: json-file
+      options:
+        max-size: "30m"
+        max-file: "3"
+    security_opt:
+      - no-new-privileges:true
+    read_only: true
+    tmpfs:
+      - /tmp
+
+  job:
+    restart: always
+    image: ${REGISTRY:-}water/wm-job:${IMAGE_TAG:-latest}
+    build: !reset null
+    ports:
+      - "127.0.0.1:8100:8090"
+    environment:
+      SPRING_PROFILES_ACTIVE: prod
+      SPRING_CLOUD_NACOS_DISCOVERY_SERVER_ADDR: nacos:8848
+      SPRING_DATASOURCE_URL: jdbc:postgresql://postgres:5432/${POSTGRES_DB}
+      SPRING_DATASOURCE_USERNAME: ${POSTGRES_USER}
+      SPRING_DATASOURCE_PASSWORD: ${POSTGRES_PASSWORD}
+      JAVA_OPTS: "-Xms128m -Xmx256m -XX:+UseG1GC -XX:MaxGCPauseMillis=200"
+    deploy:
+      resources:
+        limits:
+          cpus: '0.5'
+          memory: 384M
+        reservations:
+          cpus: '0.1'
+          memory: 128M
+    logging:
+      driver: json-file
+      options:
+        max-size: "30m"
+        max-file: "3"
+    security_opt:
+      - no-new-privileges:true
+    read_only: true
+    tmpfs:
+      - /tmp
+
+  # ==================== 前端 ====================
+
+  frontend:
+    restart: always
+    image: ${REGISTRY:-}water/frontend:${IMAGE_TAG:-latest}
+    build: !reset null
+    ports:
+      - "80:80"
+      - "443:443"
+    volumes:
+      - ./deploy/production/nginx/nginx.conf:/etc/nginx/nginx.conf:ro
+      - /etc/letsencrypt:/etc/letsencrypt:ro
+      - /var/www/certbot:/var/www/certbot:ro
+    deploy:
+      resources:
+        limits:
+          cpus: '0.5'
+          memory: 256M
+        reservations:
+          cpus: '0.1'
+          memory: 64M
+    logging:
+      driver: json-file
+      options:
+        max-size: "20m"
+        max-file: "3"
+    security_opt:
+      - no-new-privileges:true

deploy/production/logging/docker-compose.logging.yml

@@ -0,0 +1,88 @@
+# ============================================================
+# 日志收集栈 Docker Compose 编排 (轻量级 Loki 方案)
+# 
+# 使用方式:
+#   docker compose -f deploy/production/logging/docker-compose.logging.yml up -d
+#
+# 包含组件:
+#   - Loki (日志聚合存储)
+#   - Promtail (日志收集代理)
+#   - 可选: Filebeat (替代 Promtail)
+# ============================================================
+
+services:
+  # ==================== Loki (日志聚合) ====================
+  loki:
+    image: grafana/loki:2.9.6
+    container_name: wm-loki
+    restart: always
+    command: -config.file=/etc/loki/loki-config.yml
+    ports:
+      - "127.0.0.1:3100:3100"
+    volumes:
+      - ./loki-config.yml:/etc/loki/loki-config.yml:ro
+      - loki_data:/loki
+    networks:
+      - wm-network
+      - logging
+    deploy:
+      resources:
+        limits:
+          cpus: '1.0'
+          memory: 1G
+        reservations:
+          cpus: '0.25'
+          memory: 256M
+    logging:
+      driver: json-file
+      options:
+        max-size: "30m"
+        max-file: "3"
+    healthcheck:
+      test: ["CMD", "wget", "--spider", "-q", "http://localhost:3100/ready"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+
+  # ==================== Promtail (日志收集) ====================
+  promtail:
+    image: grafana/promtail:2.9.6
+    container_name: wm-promtail
+    restart: always
+    command: -config.file=/etc/promtail/promtail-config.yml
+    volumes:
+      - ./promtail-config.yml:/etc/promtail/promtail-config.yml:ro
+      - /var/log:/var/log:ro
+      - /var/lib/docker/containers:/var/lib/docker/containers:ro
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+    networks:
+      - logging
+      - wm-network
+    depends_on:
+      - loki
+    deploy:
+      resources:
+        limits:
+          cpus: '0.3'
+          memory: 256M
+        reservations:
+          cpus: '0.1'
+          memory: 64M
+    logging:
+      driver: json-file
+      options:
+        max-size: "10m"
+        max-file: "3"
+
+# ==================== 数据卷 ====================
+volumes:
+  loki_data:
+
+# ==================== 网络 ====================
+networks:
+  logging:
+    driver: bridge
+    name: wm-logging
+  wm-network:
+    external: true
+    name: wm-network

deploy/production/logging/loki-config.yml

@@ -0,0 +1,64 @@
+# ============================================================
+# Loki 配置 - 日志聚合存储
+# ============================================================
+
+auth_enabled: false
+
+server:
+  http_listen_port: 3100
+  grpc_listen_port: 9096
+  log_level: info
+
+common:
+  path_prefix: /loki
+  storage:
+    filesystem:
+      chunks_directory: /loki/chunks
+      rules_directory: /loki/rules
+  replication_factor: 1
+  ring:
+    kvstore:
+      store: inmemory
+
+schema_config:
+  configs:
+    - from: "2024-01-01"
+      store: tsdb
+      object_store: filesystem
+      schema: v13
+      index:
+        prefix: index_
+        period: 24h
+
+storage_config:
+  tsdb_shipper:
+    active_index_directory: /loki/tsdb-index
+    cache_location: /loki/tsdb-cache
+    cache_ttl: 24h
+
+limits_config:
+  retention_period: 30d
+  max_query_series: 500
+  max_query_parallelism: 4
+  max_entries_limit_per_query: 5000
+  ingestion_rate_mb: 10
+  ingestion_burst_size_mb: 20
+  per_stream_rate_limit: 5MB
+  per_stream_rate_limit_burst: 15MB
+
+chunk_store_config:
+  max_look_back_period: 0s
+
+table_manager:
+  retention_deletes_enabled: true
+  retention_period: 720h  # 30 days
+
+compactor:
+  working_directory: /loki/compactor
+  compaction_interval: 10m
+  retention_enabled: true
+  retention_delete_delay: 2h
+  delete_request_store: filesystem
+
+analytics:
+  reporting_enabled: false

deploy/production/logging/promtail-config.yml

@@ -0,0 +1,108 @@
+# ============================================================
+# Promtail 配置 - 日志收集代理
+# ============================================================
+
+server:
+  http_listen_port: 9080
+  grpc_listen_port: 0
+  log_level: info
+
+positions:
+  filename: /tmp/positions.yaml
+
+clients:
+  - url: http://loki:3100/loki/api/v1/push
+    batchwait: 1s
+    batchsize: 1048576  # 1MB
+    timeout: 10s
+
+scrape_configs:
+  # ==================== Docker 容器日志 ====================
+  - job_name: docker
+    docker_sd_configs:
+      - host: unix:///var/run/docker.sock
+        refresh_interval: 5s
+        filters:
+          - name: name
+            values: ["wm-*"]
+    relabel_configs:
+      - source_labels: ['__meta_docker_container_name']
+        regex: '/(.*)'
+        target_label: 'container'
+      - source_labels: ['__meta_docker_container_label_com_docker_compose_service']
+        target_label: 'service'
+    pipeline_stages:
+      - json:
+          expressions:
+            level: level
+            msg: msg
+            time: time
+      - labels:
+          level:
+          service:
+      - timestamp:
+          source: time
+          format: RFC3339Nano
+          fallback_formats:
+            - "2006-01-02T15:04:05.000Z"
+      - output:
+          source: msg
+
+  # ==================== Nginx 访问日志 ====================
+  - job_name: nginx-access
+    static_configs:
+      - targets:
+          - localhost
+        labels:
+          job: nginx-access
+          __path__: /var/lib/docker/containers/**/wm-frontend*.log
+    pipeline_stages:
+      - json:
+          expressions:
+            log: log
+      - regex:
+          expression: '^(?P<remote_addr>\S+) - (?P<remote_user>\S+) \[(?P<time_local>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d+) (?P<body_bytes_sent>\d+) "(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)"'
+          source: log
+      - labels:
+          status:
+      - timestamp:
+          source: time_local
+          format: "02/Jan/2006:15:04:05 -0700"
+
+  # ==================== 系统日志 ====================
+  - job_name: syslog
+    static_configs:
+      - targets:
+          - localhost
+        labels:
+          job: syslog
+          __path__: /var/log/syslog
+    pipeline_stages:
+      - regex:
+          expression: '^(?P<timestamp>\w+\s+\d+\s+\d+:\d+:\d+)\s+(?P<host>\S+)\s+(?P<process>\S+):\s+(?P<message>.+)$'
+      - labels:
+          host:
+          process:
+      - timestamp:
+          source: timestamp
+          format: "Jan  2 15:04:05"
+
+  # ==================== Docker 系统日志 ====================
+  - job_name: docker-system
+    static_configs:
+      - targets:
+          - localhost
+        labels:
+          job: docker
+          __path__: /var/lib/docker/containers/*/*.log
+    pipeline_stages:
+      - json:
+          expressions:
+            stream: stream
+            log: log
+            time: time
+      - labels:
+          stream:
+      - timestamp:
+          source: time
+          format: RFC3339Nano

deploy/production/monitoring/alert_rules.yml

@@ -0,0 +1,184 @@
+# ============================================================
+# Prometheus 告警规则
+# ============================================================
+
+groups:
+  # ==================== 主机告警 ====================
+  - name: host_alerts
+    rules:
+      # CPU 使用率 > 80% 持续 5 分钟
+      - alert: HighCPUUsage
+        expr: 100 - (avg by(instance) (rate(node_cpu_seconds_total{mode="idle"}[5m])) * 100) > 80
+        for: 5m
+        labels:
+          severity: warning
+        annotations:
+          summary: "主机 CPU 使用率过高 ({{ $labels.instance }})"
+          description: "CPU 使用率超过 80%，当前值: {{ $value | printf \"%.2f\" }}%"
+
+      # CPU 使用率 > 95% 持续 2 分钟
+      - alert: CriticalCPUUsage
+        expr: 100 - (avg by(instance) (rate(node_cpu_seconds_total{mode="idle"}[5m])) * 100) > 95
+        for: 2m
+        labels:
+          severity: critical
+        annotations:
+          summary: "主机 CPU 使用率严重过高 ({{ $labels.instance }})"
+          description: "CPU 使用率超过 95%，当前值: {{ $value | printf \"%.2f\" }}%"
+
+      # 内存使用率 > 85%
+      - alert: HighMemoryUsage
+        expr: (1 - (node_memory_MemAvailable_bytes / node_memory_MemTotal_bytes)) * 100 > 85
+        for: 5m
+        labels:
+          severity: warning
+        annotations:
+          summary: "主机内存使用率过高 ({{ $labels.instance }})"
+          description: "内存使用率超过 85%，当前值: {{ $value | printf \"%.2f\" }}%"
+
+      # 磁盘使用率 > 90%
+      - alert: HighDiskUsage
+        expr: (1 - (node_filesystem_avail_bytes{mountpoint="/"} / node_filesystem_size_bytes{mountpoint="/"})) * 100 > 90
+        for: 5m
+        labels:
+          severity: critical
+        annotations:
+          summary: "主机磁盘空间不足 ({{ $labels.instance }})"
+          description: "磁盘使用率超过 90%，当前值: {{ $value | printf \"%.2f\" }}%"
+
+      # 磁盘 IO 等待 > 10%
+      - alert: HighDiskIOWait
+        expr: rate(node_cpu_seconds_total{mode="iowait"}[5m]) * 100 > 10
+        for: 5m
+        labels:
+          severity: warning
+        annotations:
+          summary: "磁盘 IO 等待过高 ({{ $labels.instance }})"
+          description: "IO 等待超过 10%，当前值: {{ $value | printf \"%.2f\" }}%"
+
+  # ==================== 容器告警 ====================
+  - name: container_alerts
+    rules:
+      # 容器 CPU 使用率 > 80%
+      - alert: ContainerHighCPU
+        expr: (sum by(name) (rate(container_cpu_usage_seconds_total{name!=""}[5m])) * 100) > 80
+        for: 5m
+        labels:
+          severity: warning
+        annotations:
+          summary: "容器 CPU 使用率过高 ({{ $labels.name }})"
+          description: "容器 {{ $labels.name }} CPU 使用率超过 80%"
+
+      # 容器内存使用率 > 85%
+      - alert: ContainerHighMemory
+        expr: (container_memory_usage_bytes{name!=""} / container_spec_memory_limit_bytes{name!=""} * 100) > 85
+        for: 5m
+        labels:
+          severity: warning
+        annotations:
+          summary: "容器内存使用率过高 ({{ $labels.name }})"
+          description: "容器 {{ $labels.name }} 内存使用率超过 85%"
+
+      # 容器重启次数
+      - alert: ContainerFrequentRestart
+        expr: increase(container_last_seen{name!=""}[1h]) > 3
+        for: 0m
+        labels:
+          severity: warning
+        annotations:
+          summary: "容器频繁重启 ({{ $labels.name }})"
+          description: "容器 {{ $labels.name }} 在过去1小时内重启超过3次"
+
+  # ==================== 服务告警 ====================
+  - name: service_alerts
+    rules:
+      # 服务宕机
+      - alert: ServiceDown
+        expr: up{job=~"wm-.*"} == 0
+        for: 1m
+        labels:
+          severity: critical
+        annotations:
+          summary: "服务宕机 ({{ $labels.job }})"
+          description: "服务 {{ $labels.job }} 已停止响应超过1分钟"
+
+      # 服务响应时间 > 5s
+      - alert: ServiceSlowResponse
+        expr: histogram_quantile(0.95, rate(http_server_requests_seconds_bucket{job=~"wm-.*"}[5m])) > 5
+        for: 5m
+        labels:
+          severity: warning
+        annotations:
+          summary: "服务响应缓慢 ({{ $labels.job }})"
+          description: "服务 {{ $labels.job }} 95% 请求响应时间超过5秒"
+
+      # HTTP 5xx 错误率 > 5%
+      - alert: HighErrorRate
+        expr: |
+          (
+            sum by(job) (rate(http_server_requests_seconds_count{status=~"5.."}[5m]))
+            /
+            sum by(job) (rate(http_server_requests_seconds_count[5m]))
+          ) * 100 > 5
+        for: 5m
+        labels:
+          severity: critical
+        annotations:
+          summary: "服务错误率过高 ({{ $labels.job }})"
+          description: "服务 {{ $labels.job }} 5xx 错误率超过 5%"
+
+  # ==================== 数据库告警 ====================
+  - name: database_alerts
+    rules:
+      # PostgreSQL 连接数 > 80%
+      - alert: PostgresHighConnections
+        expr: pg_stat_activity_count / pg_settings_max_connections * 100 > 80
+        for: 5m
+        labels:
+          severity: warning
+        annotations:
+          summary: "PostgreSQL 连接数过高"
+          description: "数据库连接数使用率超过 80%"
+
+      # PostgreSQL 死锁
+      - alert: PostgresDeadlock
+        expr: increase(pg_stat_database_deadlocks[5m]) > 0
+        for: 0m
+        labels:
+          severity: warning
+        annotations:
+          summary: "PostgreSQL 检测到死锁"
+          description: "数据库发生死锁"
+
+      # Redis 内存使用率 > 85%
+      - alert: RedisHighMemory
+        expr: redis_memory_used_bytes / redis_memory_max_bytes * 100 > 85
+        for: 5m
+        labels:
+          severity: warning
+        annotations:
+          summary: "Redis 内存使用率过高"
+          description: "Redis 内存使用率超过 85%"
+
+  # ==================== 消息队列告警 ====================
+  - name: mq_alerts
+    rules:
+      # Kafka 消费延迟
+      - alert: KafkaConsumerLag
+        expr: kafka_consumergroup_lag_sum > 10000
+        for: 10m
+        labels:
+          severity: warning
+        annotations:
+          summary: "Kafka 消费延迟过高"
+          description: "消费者组 {{ $labels.group }} 延迟超过 10000 条消息"
+
+      # EMQX 连接数过多
+      - alert: EmqxHighConnections
+        expr: emqx_connections_count > 10000
+        for: 5m
+        labels:
+          severity: warning
+        annotations:
+          summary: "EMQX 连接数过高"
+          description: "MQTT 连接数超过 10000"

deploy/production/monitoring/alertmanager.yml

@@ -0,0 +1,66 @@
+# ============================================================
+# AlertManager 配置 - 告警路由与通知
+# ============================================================
+
+global:
+  resolve_timeout: 5m
+
+# ==================== 告警模板 ====================
+templates:
+  - '/etc/alertmanager/templates/*.tmpl'
+
+# ==================== 路由规则 ====================
+route:
+  group_by: ['alertname', 'job']
+  group_wait: 30s
+  group_interval: 5m
+  repeat_interval: 4h
+  receiver: 'wecom'
+
+  routes:
+    # 严重告警 - 立即通知
+    - match:
+        severity: critical
+      receiver: 'wecom-critical'
+      group_wait: 10s
+      repeat_interval: 1h
+
+    # 普通告警
+    - match:
+        severity: warning
+      receiver: 'wecom'
+      repeat_interval: 4h
+
+# ==================== 接收器 ====================
+receivers:
+  # 企业微信通知 - 普通告警
+  - name: 'wecom'
+    webhook_configs:
+      - url: 'http://wecom-alert-proxy:8080/alert'
+        send_resolved: true
+        http_config:
+          follow_redirects: true
+
+  # 企业微信通知 - 严重告警
+  - name: 'wecom-critical'
+    webhook_configs:
+      - url: 'http://wecom-alert-proxy:8080/alert-critical'
+        send_resolved: true
+        http_config:
+          follow_redirects: true
+
+# ==================== 告警抑制 ====================
+inhibit_rules:
+  # 同一告警，critical 触发时抑制 warning
+  - source_match:
+      severity: 'critical'
+    target_match:
+      severity: 'warning'
+    equal: ['alertname', 'instance']
+
+  # 服务宕机时抑制该服务的其他告警
+  - source_match:
+      alertname: 'ServiceDown'
+    target_match_re:
+      alertname: 'ServiceSlowResponse|HighErrorRate'
+    equal: ['job']

deploy/production/monitoring/docker-compose.monitoring.yml

@@ -0,0 +1,259 @@
+# ============================================================
+# 监控栈 Docker Compose 编排
+# 
+# 使用方式:
+#   docker compose -f deploy/production/monitoring/docker-compose.monitoring.yml up -d
+#
+# 包含组件:
+#   - Prometheus (指标收集与告警)
+#   - Grafana (可视化仪表盘)
+#   - Node Exporter (主机指标)
+#   - cAdvisor (容器指标)
+#   - AlertManager (告警管理)
+# ============================================================
+
+services:
+  # ==================== Prometheus ====================
+  prometheus:
+    image: prom/prometheus:v2.51.0
+    container_name: wm-prometheus
+    restart: always
+    command:
+      - '--config.file=/etc/prometheus/prometheus.yml'
+      - '--storage.tsdb.path=/prometheus'
+      - '--storage.tsdb.retention.time=30d'
+      - '--storage.tsdb.retention.size=10GB'
+      - '--web.console.libraries=/etc/prometheus/console_libraries'
+      - '--web.console.templates=/etc/prometheus/consoles'
+      - '--web.enable-lifecycle'
+      - '--web.enable-admin-api'
+    ports:
+      - "127.0.0.1:9090:9090"
+    volumes:
+      - ./prometheus.yml:/etc/prometheus/prometheus.yml:ro
+      - ./alert_rules.yml:/etc/prometheus/alert_rules.yml:ro
+      - prometheus_data:/prometheus
+    networks:
+      - wm-network
+      - monitoring
+    deploy:
+      resources:
+        limits:
+          cpus: '1.0'
+          memory: 2G
+        reservations:
+          cpus: '0.25'
+          memory: 512M
+    logging:
+      driver: json-file
+      options:
+        max-size: "50m"
+        max-file: "3"
+    healthcheck:
+      test: ["CMD", "wget", "--spider", "-q", "http://localhost:9090/-/healthy"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+
+  # ==================== Grafana ====================
+  grafana:
+    image: grafana/grafana:10.4.0
+    container_name: wm-grafana
+    restart: always
+    ports:
+      - "127.0.0.1:3000:3000"
+    environment:
+      GF_SECURITY_ADMIN_USER: ${GRAFANA_ADMIN_USER:-admin}
+      GF_SECURITY_ADMIN_PASSWORD: ${GRAFANA_ADMIN_PASSWORD:-admin}
+      GF_SERVER_ROOT_URL: ${GRAFANA_ROOT_URL:-http://localhost:3000}
+      GF_INSTALL_PLUGINS: grafana-clock-panel,grafana-simple-json-datasource
+      GF_USERS_ALLOW_SIGN_UP: "false"
+      GF_AUTH_ANONYMOUS_ENABLED: "false"
+      GF_SECURITY_COOKIE_SECURE: "true"
+      GF_SECURITY_STRICT_TRANSPORT_SECURITY: "true"
+    volumes:
+      - ./grafana/provisioning/datasources.yml:/etc/grafana/provisioning/datasources/datasources.yml:ro
+      - grafana_data:/var/lib/grafana
+    networks:
+      - monitoring
+      - wm-network
+    deploy:
+      resources:
+        limits:
+          cpus: '0.5'
+          memory: 512M
+        reservations:
+          cpus: '0.1'
+          memory: 128M
+    logging:
+      driver: json-file
+      options:
+        max-size: "30m"
+        max-file: "3"
+    healthcheck:
+      test: ["CMD", "wget", "--spider", "-q", "http://localhost:3000/api/health"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+
+  # ==================== Node Exporter ====================
+  node-exporter:
+    image: prom/node-exporter:v1.7.0
+    container_name: wm-node-exporter
+    restart: always
+    command:
+      - '--path.rootfs=/host'
+      - '--collector.filesystem.mount-points-exclude=^/(sys|proc|dev|host|etc)($$|/)'
+    ports:
+      - "127.0.0.1:9100:9100"
+    volumes:
+      - /:/host:ro,rslave
+    pid: host
+    networks:
+      - monitoring
+    deploy:
+      resources:
+        limits:
+          cpus: '0.2'
+          memory: 128M
+        reservations:
+          cpus: '0.05'
+          memory: 32M
+    logging:
+      driver: json-file
+      options:
+        max-size: "10m"
+        max-file: "3"
+
+  # ==================== cAdvisor ====================
+  cadvisor:
+    image: gcr.io/cadvisor/cadvisor:v0.49.1
+    container_name: wm-cadvisor
+    restart: always
+    ports:
+      - "127.0.0.1:8880:8080"
+    volumes:
+      - /:/rootfs:ro
+      - /var/run:/var/run:ro
+      - /sys:/sys:ro
+      - /var/lib/docker/:/var/lib/docker:ro
+      - /dev/disk/:/dev/disk:ro
+    privileged: true
+    devices:
+      - /dev/kmsg:/dev/kmsg
+    networks:
+      - monitoring
+    deploy:
+      resources:
+        limits:
+          cpus: '0.3'
+          memory: 256M
+        reservations:
+          cpus: '0.1'
+          memory: 64M
+    logging:
+      driver: json-file
+      options:
+        max-size: "20m"
+        max-file: "3"
+
+  # ==================== AlertManager ====================
+  alertmanager:
+    image: prom/alertmanager:v0.27.0
+    container_name: wm-alertmanager
+    restart: always
+    command:
+      - '--config.file=/etc/alertmanager/alertmanager.yml'
+      - '--storage.path=/alertmanager'
+    ports:
+      - "127.0.0.1:9093:9093"
+    volumes:
+      - ./alertmanager.yml:/etc/alertmanager/alertmanager.yml:ro
+      - alertmanager_data:/alertmanager
+    networks:
+      - monitoring
+    deploy:
+      resources:
+        limits:
+          cpus: '0.2'
+          memory: 256M
+        reservations:
+          cpus: '0.05'
+          memory: 64M
+    logging:
+      driver: json-file
+      options:
+        max-size: "10m"
+        max-file: "3"
+
+  # ==================== PostgreSQL Exporter ====================
+  postgres-exporter:
+    image: prometheuscommunity/postgres-exporter:v0.15.0
+    container_name: wm-postgres-exporter
+    restart: always
+    environment:
+      DATA_SOURCE_NAME: "postgresql://${POSTGRES_USER:-water}:${POSTGRES_PASSWORD:-water123}@postgres:5432/${POSTGRES_DB:-water_management}?sslmode=disable"
+    ports:
+      - "127.0.0.1:9187:9187"
+    depends_on:
+      - postgres
+    networks:
+      - monitoring
+      - wm-network
+    deploy:
+      resources:
+        limits:
+          cpus: '0.2'
+          memory: 128M
+        reservations:
+          cpus: '0.05'
+          memory: 32M
+    logging:
+      driver: json-file
+      options:
+        max-size: "10m"
+        max-file: "3"
+
+  # ==================== Redis Exporter ====================
+  redis-exporter:
+    image: oliver006/redis_exporter:v1.58.0
+    container_name: wm-redis-exporter
+    restart: always
+    environment:
+      REDIS_ADDR: redis://redis:6379
+      REDIS_PASSWORD: ${REDIS_PASSWORD:-water123}
+    ports:
+      - "127.0.0.1:9121:9121"
+    depends_on:
+      - redis
+    networks:
+      - monitoring
+      - wm-network
+    deploy:
+      resources:
+        limits:
+          cpus: '0.1'
+          memory: 64M
+        reservations:
+          cpus: '0.02'
+          memory: 16M
+    logging:
+      driver: json-file
+      options:
+        max-size: "10m"
+        max-file: "3"
+
+# ==================== 数据卷 ====================
+volumes:
+  prometheus_data:
+  grafana_data:
+  alertmanager_data:
+
+# ==================== 网络 ====================
+networks:
+  monitoring:
+    driver: bridge
+    name: wm-monitoring
+  wm-network:
+    external: true
+    name: wm-network

deploy/production/monitoring/grafana/provisioning/datasources.yml

@@ -0,0 +1,59 @@
+# ============================================================
+# Grafana 数据源自动配置 (Provisioning)
+# 放置于 /etc/grafana/provisioning/datasources/datasources.yml
+# ============================================================
+
+apiVersion: 1
+
+deleteDatasources: []
+
+datasources:
+  # ==================== Prometheus ====================
+  - name: Prometheus
+    type: prometheus
+    access: proxy
+    url: http://prometheus:9090
+    isDefault: true
+    editable: false
+    jsonData:
+      timeInterval: "15s"
+      httpMethod: POST
+      queryTimeout: "60s"
+    version: 1
+
+  # ==================== Loki (日志) ====================
+  - name: Loki
+    type: loki
+    access: proxy
+    url: http://loki:3100
+    editable: false
+    jsonData:
+      maxLines: 1000
+    version: 1
+
+  # ==================== PostgreSQL ====================
+  - name: PostgreSQL
+    type: postgres
+    access: proxy
+    url: postgres:5432
+    database: water_management
+    user: water
+    editable: false
+    secureJsonData:
+      password: "${POSTGRES_PASSWORD}"
+    jsonData:
+      sslmode: "disable"
+      maxOpenConns: 5
+      maxIdleConns: 2
+      connMaxLifetime: 14400
+    version: 1
+
+  # ==================== AlertManager ====================
+  - name: AlertManager
+    type: alertmanager
+    access: proxy
+    url: http://alertmanager:9093
+    editable: false
+    jsonData:
+      implementation: prometheus
+    version: 1

deploy/production/monitoring/prometheus.yml

@@ -0,0 +1,158 @@
+# ============================================================
+# Prometheus 配置 - 生产环境监控
+# ============================================================
+
+global:
+  scrape_interval: 15s
+  evaluation_interval: 15s
+  scrape_timeout: 10s
+  external_labels:
+    cluster: water-management-prod
+    environment: production
+
+# ==================== 告警规则 ====================
+rule_files:
+  - "alert_rules.yml"
+
+# ==================== AlertManager ====================
+alerting:
+  alertmanagers:
+    - static_configs:
+        - targets:
+            - alertmanager:9093
+
+# ==================== 抓取目标 ====================
+scrape_configs:
+  # ==================== Prometheus 自身 ====================
+  - job_name: 'prometheus'
+    static_configs:
+      - targets: ['localhost:9090']
+    metrics_path: /metrics
+
+  # ==================== Node Exporter (主机指标) ====================
+  - job_name: 'node-exporter'
+    static_configs:
+      - targets: ['node-exporter:9100']
+    scrape_interval: 10s
+    relabel_configs:
+      - source_labels: [__address__]
+        regex: '([^:]+):\d+'
+        target_label: instance
+        replacement: '${1}'
+
+  # ==================== cAdvisor (容器指标) ====================
+  - job_name: 'cadvisor'
+    static_configs:
+      - targets: ['cadvisor:8080']
+    scrape_interval: 15s
+    metrics_path: /metrics
+
+  # ==================== 应用服务 (Spring Boot Actuator) ====================
+  - job_name: 'wm-gateway'
+    metrics_path: /actuator/prometheus
+    static_configs:
+      - targets: ['wm-gateway:8080']
+        labels:
+          service: gateway
+          module: base
+
+  - job_name: 'wm-base'
+    metrics_path: /actuator/prometheus
+    static_configs:
+      - targets: ['wm-base:8081']
+        labels:
+          service: base
+          module: system
+
+  - job_name: 'wm-iot'
+    metrics_path: /actuator/prometheus
+    static_configs:
+      - targets: ['wm-iot:8082']
+        labels:
+          service: iot
+          module: data-engine
+
+  - job_name: 'wm-data-engine'
+    metrics_path: /actuator/prometheus
+    static_configs:
+      - targets: ['wm-data-engine:8083']
+        labels:
+          service: data-engine
+          module: data-engine
+
+  - job_name: 'wm-bpm'
+    metrics_path: /actuator/prometheus
+    static_configs:
+      - targets: ['wm-bpm:8084']
+        labels:
+          service: bpm
+          module: bpm
+
+  - job_name: 'wm-production'
+    metrics_path: /actuator/prometheus
+    static_configs:
+      - targets: ['wm-production:8085']
+        labels:
+          service: production
+          module: production
+
+  - job_name: 'wm-revenue'
+    metrics_path: /actuator/prometheus
+    static_configs:
+      - targets: ['wm-revenue:8086']
+        labels:
+          service: revenue
+          module: revenue
+
+  - job_name: 'wm-patrol'
+    metrics_path: /actuator/prometheus
+    static_configs:
+      - targets: ['wm-patrol:8087']
+        labels:
+          service: patrol
+          module: patrol
+
+  - job_name: 'wm-notify'
+    metrics_path: /actuator/prometheus
+    static_configs:
+      - targets: ['wm-notify:8089']
+        labels:
+          service: notify
+          module: notify
+
+  - job_name: 'wm-job'
+    metrics_path: /actuator/prometheus
+    static_configs:
+      - targets: ['wm-job:8090']
+        labels:
+          service: job
+          module: job
+
+  # ==================== PostgreSQL ====================
+  - job_name: 'postgres'
+    static_configs:
+      - targets: ['postgres-exporter:9187']
+    scrape_interval: 30s
+
+  # ==================== Redis ====================
+  - job_name: 'redis'
+    static_configs:
+      - targets: ['redis-exporter:9121']
+    scrape_interval: 30s
+
+  # ==================== Nginx ====================
+  - job_name: 'nginx'
+    static_configs:
+      - targets: ['wm-frontend:9113']
+    scrape_interval: 15s
+    metrics_path: /metrics
+
+  # ==================== EMQX MQTT ====================
+  - job_name: 'emqx'
+    static_configs:
+      - targets: ['wm-emqx:18083']
+    scrape_interval: 30s
+    metrics_path: /api/v5/metrics
+    basic_auth:
+      username: admin
+      password: public

deploy/production/nginx/certbot-renew.sh

@@ -0,0 +1,160 @@
+#!/bin/bash
+# ============================================================
+# Let's Encrypt 证书自动续期脚本
+# 
+# 首次申请证书:
+#   certbot certonly --webroot -w /var/www/certbot \
+#     -d your-domain.com -d www.your-domain.com \
+#     --email admin@your-domain.com --agree-tos --no-eff-email
+#
+# 配置 cron 自动续期 (每天凌晨 3 点检查):
+#   0 3 * * * /opt/water-management/deploy/production/nginx/certbot-renew.sh >> /var/log/certbot-renew.log 2>&1
+# ============================================================
+set -euo pipefail
+
+# ==================== 配置 ====================
+DOMAIN="${DOMAIN:-water.example.com}"
+WEBROOT="/var/www/certbot"
+EMAIL="${CERTBOT_EMAIL:-admin@example.com}"
+NGINX_CONTAINER="${NGINX_CONTAINER:-wm-frontend}"
+RENEW_DAYS_BEFORE_EXPIRY=30
+
+# ==================== 函数 ====================
+
+log() {
+    echo "[$(date '+%Y-%m-%d %H:%M:%S')] $1"
+}
+
+# 检查证书是否需要续期
+check_cert_expiry() {
+    local cert_path="/etc/letsencrypt/live/${DOMAIN}/fullchain.pem"
+    
+    if [ ! -f "$cert_path" ]; then
+        log "⚠️ 证书文件不存在: $cert_path"
+        return 1
+    fi
+    
+    local expiry_date
+    expiry_date=$(openssl x509 -enddate -noout -in "$cert_path" | cut -d= -f2)
+    local expiry_epoch
+    expiry_epoch=$(date -d "$expiry_date" +%s)
+    local now_epoch
+    now_epoch=$(date +%s)
+    local days_left=$(( (expiry_epoch - now_epoch) / 86400 ))
+    
+    log "📅 证书过期时间: $expiry_date (剩余 ${days_left} 天)"
+    
+    if [ $days_left -le $RENEW_DAYS_BEFORE_EXPIRY ]; then
+        log "⚠️ 证书将在 ${days_left} 天内过期，需要续期"
+        return 0
+    else
+        log "✅ 证书有效，无需续期"
+        return 1
+    fi
+}
+
+# 首次申请证书
+init_cert() {
+    log "🔐 首次申请证书..."
+    
+    # 确保 webroot 目录存在
+    mkdir -p "$WEBROOT"
+    
+    # 使用 webroot 方式申请（不需要停止 Nginx）
+    certbot certonly --webroot \
+        -w "$WEBROOT" \
+        -d "$DOMAIN" \
+        --email "$EMAIL" \
+        --agree-tos \
+        --no-eff-email \
+        --non-interactive
+    
+    if [ $? -eq 0 ]; then
+        log "✅ 证书申请成功"
+        reload_nginx
+    else
+        log "❌ 证书申请失败"
+        exit 1
+    fi
+}
+
+# 续期证书
+renew_cert() {
+    log "🔄 开始续期证书..."
+    
+    certbot renew \
+        --webroot \
+        -w "$WEBROOT" \
+        --non-interactive \
+        --quiet
+    
+    if [ $? -eq 0 ]; then
+        log "✅ 证书续期成功"
+        reload_nginx
+    else
+        log "❌ 证书续期失败"
+        send_alert "证书续期失败，请手动检查！"
+        exit 1
+    fi
+}
+
+# 重载 Nginx
+reload_nginx() {
+    log "🔄 重载 Nginx 配置..."
+    
+    if docker exec "$NGINX_CONTAINER" nginx -s reload 2>/dev/null; then
+        log "✅ Nginx 重载成功"
+    else
+        log "⚠️ Docker 方式重载失败，尝试系统方式..."
+        systemctl reload nginx 2>/dev/null || nginx -s reload 2>/dev/null || true
+    fi
+}
+
+# 发送告警（企业微信 Webhook）
+send_alert() {
+    local message="$1"
+    local webhook="${WECOM_WEBHOOK:-}"
+    
+    if [ -z "$webhook" ]; then
+        log "⚠️ 未配置企业微信 Webhook，跳过告警"
+        return 0
+    fi
+    
+    local payload
+    payload=$(cat <<EOF
+{
+    "msgtype": "text",
+    "text": {
+        "content": "🚨 证书告警 [${DOMAIN}]\n${message}\n时间: $(date '+%Y-%m-%d %H:%M:%S')"
+    }
+}
+EOF
+)
+    
+    curl -s -X POST "$webhook" \
+        -H "Content-Type: application/json" \
+        -d "$payload" > /dev/null 2>&1 || true
+    
+    log "📤 告警已发送"
+}
+
+# ==================== 主逻辑 ====================
+
+log "========================================="
+log "Let's Encrypt 证书管理 - ${DOMAIN}"
+log "========================================="
+
+# 检查证书是否存在
+if [ ! -d "/etc/letsencrypt/live/${DOMAIN}" ]; then
+    log "📋 证书不存在，执行首次申请"
+    init_cert
+else
+    # 检查是否需要续期
+    if check_cert_expiry; then
+        renew_cert
+    fi
+fi
+
+log "========================================="
+log "执行完毕"
+log "========================================="

deploy/production/nginx/nginx.conf

@@ -0,0 +1,283 @@
+# ============================================================
+# 生产环境 Nginx 配置
+# 支持 HTTPS, HTTP/2, 安全 headers, 限流, WebSocket
+# ============================================================
+
+user nginx;
+worker_processes auto;
+worker_rlimit_nofile 65535;
+pid /run/nginx.pid;
+error_log /var/log/nginx/error.log warn;
+
+events {
+    worker_connections 4096;
+    multi_accept on;
+    use epoll;
+}
+
+http {
+    include       /etc/nginx/mime.types;
+    default_type  application/octet-stream;
+
+    # ==================== 日志格式 ====================
+    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+                    '$status $body_bytes_sent "$http_referer" '
+                    '"$http_user_agent" "$http_x_forwarded_for" '
+                    'rt=$request_time';
+
+    log_format json escape=json '{'
+        '"time":"$time_iso8601",'
+        '"remote_addr":"$remote_addr",'
+        '"request":"$request",'
+        '"status":$status,'
+        '"body_bytes_sent":$body_bytes_sent,'
+        '"referer":"$http_referer",'
+        '"user_agent":"$http_user_agent",'
+        '"request_time":$request_time,'
+        '"upstream_response_time":"$upstream_response_time"'
+    '}';
+
+    access_log /var/log/nginx/access.log json;
+
+    # ==================== 基础优化 ====================
+    sendfile           on;
+    tcp_nopush         on;
+    tcp_nodelay        on;
+    keepalive_timeout  65;
+    keepalive_requests 1000;
+    types_hash_max_size 2048;
+    server_names_hash_bucket_size 128;
+    client_max_body_size 50m;
+    client_body_buffer_size 128k;
+
+    # ==================== Gzip 压缩 ====================
+    gzip on;
+    gzip_vary on;
+    gzip_proxied any;
+    gzip_comp_level 6;
+    gzip_buffers 16 8k;
+    gzip_http_version 1.1;
+    gzip_min_length 1024;
+    gzip_types
+        text/plain
+        text/css
+        text/xml
+        text/javascript
+        application/json
+        application/javascript
+        application/x-javascript
+        application/xml
+        application/xml+rss
+        application/vnd.ms-fontobject
+        font/opentype
+        image/svg+xml
+        image/x-icon;
+
+    # ==================== 限流配置 ====================
+    # 全局 API 限流: 每秒 30 个请求
+    limit_req_zone $binary_remote_addr zone=api_limit:10m rate=30r/s;
+    # 登录接口限流: 每分钟 10 个请求
+    limit_req_zone $binary_remote_addr zone=login_limit:10m rate=10r/m;
+    # WebSocket 连接数限制
+    limit_conn_zone $binary_remote_addr zone=ws_conn_limit:10m;
+
+    # ==================== 上游服务 ====================
+    upstream gateway {
+        server wm-gateway:8080;
+        keepalive 32;
+    }
+
+    # ==================== HTTP → HTTPS 跳转 ====================
+    server {
+        listen 80;
+        listen [::]:80;
+        server_name _;
+
+        # Let's Encrypt 验证路径
+        location /.well-known/acme-challenge/ {
+            root /var/www/certbot;
+            allow all;
+        }
+
+        # 其余请求全部 301 跳转到 HTTPS
+        location / {
+            return 301 https://$host$request_uri;
+        }
+    }
+
+    # ==================== HTTPS 主服务 ====================
+    server {
+        listen 443 ssl http2;
+        listen [::]:443 ssl http2;
+        server_name _;
+
+        # ==================== SSL 证书 ====================
+        # Let's Encrypt 证书路径（使用 certbot 自动生成）
+        ssl_certificate     /etc/letsencrypt/live/${DOMAIN}/fullchain.pem;
+        ssl_certificate_key /etc/letsencrypt/live/${DOMAIN}/privkey.pem;
+        ssl_trusted_certificate /etc/letsencrypt/live/${DOMAIN}/chain.pem;
+
+        # SSL 优化
+        ssl_session_timeout 1d;
+        ssl_session_cache shared:SSL:50m;
+        ssl_session_tickets off;
+
+        # SSL 协议和加密套件
+        ssl_protocols TLSv1.2 TLSv1.3;
+        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+        ssl_prefer_server_ciphers off;
+
+        # OCSP Stapling
+        ssl_stapling on;
+        ssl_stapling_verify on;
+        resolver 8.8.8.8 8.8.4.4 valid=300s;
+        resolver_timeout 5s;
+
+        # ==================== 安全 Headers ====================
+        add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+        add_header X-Frame-Options "SAMEORIGIN" always;
+        add_header X-Content-Type-Options "nosniff" always;
+        add_header X-XSS-Protection "1; mode=block" always;
+        add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+        add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
+        add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self' wss: ws: https:; frame-ancestors 'self';" always;
+
+        # 隐藏 Nginx 版本
+        server_tokens off;
+
+        # ==================== 前端静态资源 ====================
+        root /usr/share/nginx/html;
+        index index.html;
+
+        location / {
+            try_files $uri $uri/ /index.html;
+
+            # HTML 文件不缓存（确保更新及时生效）
+            location ~* \.html$ {
+                expires -1;
+                add_header Cache-Control "no-cache, no-store, must-revalidate";
+            }
+        }
+
+        # 静态资源长期缓存（带 hash 的文件名）
+        location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot|map)$ {
+            expires 1y;
+            add_header Cache-Control "public, immutable";
+            access_log off;
+        }
+
+        # ==================== API 反向代理 ====================
+        location /api/ {
+            limit_req zone=api_limit burst=50 nodelay;
+            limit_req_status 429;
+
+            proxy_pass http://gateway/;
+            proxy_http_version 1.1;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            proxy_set_header X-Request-ID $request_id;
+            proxy_set_header Connection "";
+
+            proxy_connect_timeout 30s;
+            proxy_send_timeout 60s;
+            proxy_read_timeout 120s;
+
+            proxy_buffering on;
+            proxy_buffer_size 4k;
+            proxy_buffers 8 16k;
+            proxy_busy_buffers_size 32k;
+
+            # 文件上传大小限制
+            client_max_body_size 50m;
+        }
+
+        # 登录接口严格限流
+        location ~* ^/api/(auth|login|oauth) {
+            limit_req zone=login_limit burst=5 nodelay;
+            limit_req_status 429;
+
+            proxy_pass http://gateway;
+            proxy_http_version 1.1;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+        }
+
+        # ==================== WebSocket 代理 ====================
+        location /ws/ {
+            limit_conn ws_conn_limit 10;
+
+            proxy_pass http://gateway/ws/;
+            proxy_http_version 1.1;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection "upgrade";
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+
+            proxy_connect_timeout 7d;
+            proxy_send_timeout 7d;
+            proxy_read_timeout 7d;
+        }
+
+        # ==================== MQTT over WebSocket ====================
+        location /mqtt {
+            proxy_pass http://wm-emqx:8083/mqtt;
+            proxy_http_version 1.1;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection "upgrade";
+            proxy_set_header Host $host;
+            proxy_read_timeout 3600s;
+        }
+
+        # ==================== GeoServer GIS 代理 ====================
+        location /geoserver/ {
+            proxy_pass http://wm-geoserver:8080/geoserver/;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+
+            # GIS 数据可能较大
+            client_max_body_size 100m;
+            proxy_read_timeout 300s;
+        }
+
+        # ==================== MinIO 对象存储代理 ====================
+        location /minio/ {
+            proxy_pass http://wm-minio:9000/;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+
+            client_max_body_size 500m;
+        }
+
+        # ==================== 健康检查 ====================
+        location /health {
+            access_log off;
+            return 200 '{"status":"UP"}';
+            add_header Content-Type application/json;
+        }
+
+        # 禁止访问隐藏文件
+        location ~ /\. {
+            deny all;
+            access_log off;
+            log_not_found off;
+        }
+
+        # 错误页面
+        error_page 404 /index.html;
+        error_page 500 502 503 504 /50x.html;
+        location = /50x.html {
+            root /usr/share/nginx/html;
+            internal;
+        }
+    }
+}

deploy/production/server-setup.sh

@@ -0,0 +1,379 @@
+#!/bin/bash
+# ============================================================
+# 生产服务器初始化脚本
+# 
+# 功能:
+#   - 系统更新
+#   - Docker 安装
+#   - 防火墙配置 (ufw)
+#   - SSH 加固
+#   - 用户创建
+#   - 目录结构创建
+#
+# 用法: sudo ./server-setup.sh
+# ============================================================
+set -euo pipefail
+
+# ==================== 配置 ====================
+DEPLOY_USER="${DEPLOY_USER:-deploy}"
+APP_DIR="${APP_DIR:-/opt/water-management}"
+BACKUP_DIR="${BACKUP_DIR:-/opt/water-management/backups}"
+LOG_DIR="${LOG_DIR:-/opt/water-management/logs}"
+
+# ==================== 函数 ====================
+
+log() {
+    echo "[$(date '+%Y-%m-%d %H:%M:%S')] $1"
+}
+
+check_root() {
+    if [ "$(id -u)" -ne 0 ]; then
+        log "❌ 请以 root 用户或 sudo 执行此脚本"
+        exit 1
+    fi
+}
+
+# ==================== 系统更新 ====================
+update_system() {
+    log "📦 更新系统包..."
+    
+    if command -v apt-get &>/dev/null; then
+        apt-get update -y
+        apt-get upgrade -y
+        apt-get install -y \
+            curl \
+            wget \
+            git \
+            unzip \
+            software-properties-common \
+            apt-transport-https \
+            ca-certificates \
+            gnupg \
+            lsb-release \
+            htop \
+            iotop \
+            jq \
+            openssl \
+            fail2ban \
+            ufw
+    elif command -v yum &>/dev/null; then
+        yum update -y
+        yum install -y \
+            curl \
+            wget \
+            git \
+            unzip \
+            yum-utils \
+            htop \
+            iotop \
+            jq \
+            openssl \
+            fail2ban \
+            firewalld
+    else
+        log "⚠️ 未知的包管理器，请手动安装依赖"
+    fi
+    
+    log "✅ 系统更新完成"
+}
+
+# ==================== Docker 安装 ====================
+install_docker() {
+    if command -v docker &>/dev/null; then
+        log "✅ Docker 已安装: $(docker --version)"
+        return 0
+    fi
+    
+    log "🐳 安装 Docker..."
+    
+    # 使用官方安装脚本
+    curl -fsSL https://get.docker.com | sh
+    
+    # 启动 Docker
+    systemctl enable docker
+    systemctl start docker
+    
+    # 配置 Docker 镜像加速（中国大陆）
+    mkdir -p /etc/docker
+    cat > /etc/docker/daemon.json <<EOF
+{
+    "registry-mirrors": [
+        "https://docker.mirrors.ustc.edu.cn",
+        "https://hub-mirror.c.163.com"
+    ],
+    "log-driver": "json-file",
+    "log-opts": {
+        "max-size": "50m",
+        "max-file": "3"
+    },
+    "storage-driver": "overlay2",
+    "live-restore": true,
+    "default-ulimits": {
+        "nofile": {
+            "Name": "nofile",
+            "Hard": 65535,
+            "Soft": 65535
+        }
+    }
+}
+EOF
+    
+    systemctl restart docker
+    
+    # 安装 Docker Compose
+    COMPOSE_VERSION=$(curl -s https://api.github.com/repos/docker/compose/releases/latest | grep -oP '"tag_name": "\K(.*)(?=")')
+    curl -L "https://github.com/docker/compose/releases/download/${COMPOSE_VERSION}/docker-compose-$(uname -s)-$(uname -m)" \
+        -o /usr/local/bin/docker-compose
+    chmod +x /usr/local/bin/docker-compose
+    ln -sf /usr/local/bin/docker-compose /usr/bin/docker-compose
+    
+    log "✅ Docker 安装完成: $(docker --version)"
+    log "✅ Docker Compose 安装完成: $(docker-compose --version)"
+}
+
+# ==================== 防火墙配置 ====================
+setup_firewall() {
+    log "🔥 配置防火墙..."
+    
+    if command -v ufw &>/dev/null; then
+        # Ubuntu/Debian - UFW
+        ufw default deny incoming
+        ufw default allow outgoing
+        
+        # SSH
+        ufw allow 22/tcp comment "SSH"
+        ufw limit 22/tcp
+        
+        # HTTP/HTTPS
+        ufw allow 80/tcp comment "HTTP"
+        ufw allow 443/tcp comment "HTTPS"
+        
+        # MQTT (物联网设备接入)
+        ufw allow 1883/tcp comment "MQTT"
+        
+        # 内部服务端口（仅允许内网访问，按实际 IP 段调整）
+        # ufw allow from 10.0.0.0/8 to any port 8080
+        # ufw allow from 10.0.0.0/8 to any port 8848
+        
+        ufw --force enable
+        log "✅ UFW 防火墙已启用"
+        
+    elif command -v firewall-cmd &>/dev/null; then
+        # CentOS/RHEL - firewalld
+        systemctl enable firewalld
+        systemctl start firewalld
+        
+        firewall-cmd --permanent --add-service=ssh
+        firewall-cmd --permanent --add-service=http
+        firewall-cmd --permanent --add-service=https
+        firewall-cmd --permanent --add-port=1883/tcp
+        firewall-cmd --reload
+        
+        log "✅ firewalld 防火墙已配置"
+    fi
+}
+
+# ==================== SSH 加固 ====================
+harden_ssh() {
+    log "🔒 SSH 加固..."
+    
+    local sshd_config="/etc/ssh/sshd_config"
+    
+    # 备份原配置
+    cp "$sshd_config" "${sshd_config}.bak.$(date +%Y%m%d)"
+    
+    # 禁用 root 密码登录
+    sed -i 's/^#*PermitRootLogin.*/PermitRootLogin prohibit-password/' "$sshd_config"
+    
+    # 禁用空密码
+    sed -i 's/^#*PermitEmptyPasswords.*/PermitEmptyPasswords no/' "$sshd_config"
+    
+    # 启用公钥认证
+    sed -i 's/^#*PubkeyAuthentication.*/PubkeyAuthentication yes/' "$sshd_config"
+    
+    # 禁用密码登录（确保已配置公钥后启用）
+    # sed -i 's/^#*PasswordAuthentication.*/PasswordAuthentication no/' "$sshd_config"
+    
+    # 限制最大认证尝试
+    sed -i 's/^#*MaxAuthTries.*/MaxAuthTries 3/' "$sshd_config"
+    
+    # 客户端存活检测
+    sed -i 's/^#*ClientAliveInterval.*/ClientAliveInterval 300/' "$sshd_config"
+    sed -i 's/^#*ClientAliveCountMax.*/ClientAliveCountMax 2/' "$sshd_config"
+    
+    systemctl restart sshd
+    
+    log "✅ SSH 加固完成"
+}
+
+# ==================== Fail2Ban 配置 ====================
+setup_fail2ban() {
+    log "🛡️ 配置 Fail2Ban..."
+    
+    cat > /etc/fail2ban/jail.local <<EOF
+[DEFAULT]
+bantime = 3600
+findtime = 600
+maxretry = 5
+backend = systemd
+
+[sshd]
+enabled = true
+port = ssh
+filter = sshd
+logpath = /var/log/auth.log
+maxretry = 3
+bantime = 86400
+EOF
+    
+    systemctl enable fail2ban
+    systemctl restart fail2ban
+    
+    log "✅ Fail2Ban 已配置"
+}
+
+# ==================== 创建部署用户 ====================
+create_deploy_user() {
+    log "👤 创建部署用户: ${DEPLOY_USER}"
+    
+    if id "$DEPLOY_USER" &>/dev/null; then
+        log "✅ 用户已存在: ${DEPLOY_USER}"
+    else
+        useradd -m -s /bin/bash "$DEPLOY_USER"
+        usermod -aG docker "$DEPLOY_USER"
+        log "✅ 用户已创建: ${DEPLOY_USER}"
+    fi
+    
+    # 配置 sudo 权限（免密码执行 docker 命令）
+    cat > "/etc/sudoers.d/${DEPLOY_USER}" <<EOF
+${DEPLOY_USER} ALL=(ALL) NOPASSWD: /usr/bin/docker, /usr/bin/docker-compose, /usr/local/bin/docker-compose
+EOF
+    chmod 440 "/etc/sudoers.d/${DEPLOY_USER}"
+    
+    # 创建 SSH 目录
+    local user_home
+    user_home=$(eval echo "~${DEPLOY_USER}")
+    mkdir -p "${user_home}/.ssh"
+    chmod 700 "${user_home}/.ssh"
+    chown -R "${DEPLOY_USER}:${DEPLOY_USER}" "${user_home}/.ssh"
+    
+    log "✅ 部署用户配置完成"
+    log "⚠️  请将公钥添加到 ${user_home}/.ssh/authorized_keys"
+}
+
+# ==================== 创建目录结构 ====================
+create_directories() {
+    log "📁 创建应用目录结构..."
+    
+    mkdir -p "${APP_DIR}"
+    mkdir -p "${APP_DIR}/config"
+    mkdir -p "${APP_DIR}/config/postgres"
+    mkdir -p "${APP_DIR}/config/nginx"
+    mkdir -p "${APP_DIR}/config/certs"
+    mkdir -p "${BACKUP_DIR}/daily"
+    mkdir -p "${BACKUP_DIR}/weekly"
+    mkdir -p "${BACKUP_DIR}/monthly"
+    mkdir -p "${LOG_DIR}"
+    
+    chown -R "${DEPLOY_USER}:${DEPLOY_USER}" "${APP_DIR}"
+    
+    log "✅ 目录结构创建完成"
+}
+
+# ==================== 内核优化 ====================
+optimize_kernel() {
+    log "⚙️ 内核参数优化..."
+    
+    cat > /etc/sysctl.d/99-water-management.conf <<EOF
+# TCP 优化
+net.core.somaxconn = 65535
+net.ipv4.tcp_max_syn_backlog = 65535
+net.ipv4.tcp_syncookies = 1
+net.ipv4.tcp_tw_reuse = 1
+net.ipv4.ip_local_port_range = 1024 65535
+
+# 文件描述符
+fs.file-max = 655350
+fs.inotify.max_user_watches = 524288
+
+# 内存优化
+vm.swappiness = 10
+vm.dirty_ratio = 15
+vm.dirty_background_ratio = 5
+
+# 网络优化
+net.ipv4.tcp_keepalive_time = 600
+net.ipv4.tcp_keepalive_intvl = 30
+net.ipv4.tcp_keepalive_probes = 3
+EOF
+    
+    sysctl -p /etc/sysctl.d/99-water-management.conf
+    
+    # 文件描述符限制
+    cat > /etc/security/limits.d/99-water-management.conf <<EOF
+* soft nofile 65535
+* hard nofile 65535
+* soft nproc 65535
+* hard nproc 65535
+${DEPLOY_USER} soft nofile 65535
+${DEPLOY_USER} hard nofile 65535
+EOF
+    
+    log "✅ 内核优化完成"
+}
+
+# ==================== 配置定时任务 ====================
+setup_cron() {
+    log "⏰ 配置定时任务..."
+    
+    local cron_file="/etc/cron.d/water-management"
+    
+    cat > "$cron_file" <<EOF
+# 数据库备份 - 每天凌晨 2 点
+0 2 * * * ${DEPLOY_USER} ${APP_DIR}/deploy/production/backup/backup-db.sh >> ${LOG_DIR}/backup.log 2>&1
+
+# 证书续期 - 每天凌晨 3 点
+0 3 * * * root ${APP_DIR}/deploy/production/nginx/certbot-renew.sh >> ${LOG_DIR}/certbot-renew.log 2>&1
+
+# 日志清理 - 每天凌晨 4 点
+0 4 * * * ${DEPLOY_USER} find ${LOG_DIR} -name "*.log" -mtime +30 -delete 2>/dev/null || true
+
+# 磁盘监控 - 每小时
+0 * * * * ${DEPLOY_USER} df -h | awk 'NR>1 && +\$5>90 {print "⚠️ 磁盘告警: "\$0}' | mail -s "磁盘告警" root 2>/dev/null || true
+EOF
+    
+    chmod 644 "$cron_file"
+    
+    log "✅ 定时任务配置完成"
+}
+
+# ==================== 主流程 ====================
+
+log "========================================="
+log " 生产服务器初始化"
+log "========================================="
+
+check_root
+update_system
+install_docker
+setup_firewall
+harden_ssh
+setup_fail2ban
+create_deploy_user
+create_directories
+optimize_kernel
+setup_cron
+
+log "========================================="
+log " ✅ 服务器初始化完成!"
+log "========================================="
+log ""
+log "后续步骤:"
+log "1. 将 SSH 公钥添加到 /home/${DEPLOY_USER}/.ssh/authorized_keys"
+log "2. 配置 .env 环境变量文件: ${APP_DIR}/.env"
+log "3. 配置域名 DNS 解析"
+log "4. 申请 Let's Encrypt 证书"
+log "5. 部署应用: docker compose -f docker-compose.yml -f deploy/production/docker-compose.override.yml up -d"
+log "6. 启动监控栈: docker compose -f deploy/production/monitoring/docker-compose.monitoring.yml up -d"
+log "7. 启动日志栈: docker compose -f deploy/production/logging/docker-compose.logging.yml up -d"
+log ""