chore: improve scripts for local stunnel and env

Makefile

@@ -8,8 +8,8 @@ PORT        ?= 8080
 OS          := $(shell uname -s)
 
 DB_NAME     := account
-DB_USER     := shenlan
-DB_PASS     := password
+DB_USER     ?= $(or $(POSTGRES_USER),shenlan)
+DB_PASS     ?= $(or $(POSTGRES_PASSWORD),password)
 DB_HOST     := 127.0.0.1
 DB_PORT     := 15432
 DB_URL      := postgres://$(DB_USER):$(DB_PASS)@$(DB_HOST):$(DB_PORT)/$(DB_NAME)?sslmode=disable
@@ -56,6 +56,7 @@ export APP_NAME MAIN_FILE PORT OS \
 
 .PHONY: all init build clean start stop restart dev test help \
 	init-go init-db init-db-core init-db-replication init-db-pglogical \
+	stunnel-start \
 	reinit-pglogical account-sync-push account-sync-pull account-sync-mirror create-db-user db-reset \
 	cloudrun-build cloudrun-deploy cloudrun-stunnel
 
@@ -142,6 +143,9 @@ reinit-db:
 reinit-pglogical:
 	@bash scripts/reinit-pglogical.sh
 
+stunnel-start:
+	@bash scripts/stunnel-start.sh
+
 # =========================================
 # 💾 账号导入导出
 # =========================================

scripts/cloudrun-build.sh

@@ -4,8 +4,8 @@ set -euo pipefail
 source "$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)/_common.sh"
 
 if [ -z "${GCP_PROJECT}" ]; then
-  echo "❌ GCP_PROJECT 不能为空"
-  exit 1
+  echo "⚠️ GCP_PROJECT 不能为空，跳过 Cloud Run 构建"
+  exit 0
 fi
 
 gcloud builds submit --tag "${CLOUD_RUN_IMAGE}" .

scripts/cloudrun-deploy.sh

@@ -4,8 +4,8 @@ set -euo pipefail
 source "$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)/_common.sh"
 
 if [ -z "${GCP_PROJECT}" ]; then
-  echo "❌ GCP_PROJECT 不能为空"
-  exit 1
+  echo "⚠️ GCP_PROJECT 不能为空，跳过 Cloud Run 部署"
+  exit 0
 fi
 
 gcloud run services replace "${CLOUD_RUN_SERVICE_YAML}" --region "${GCP_REGION}" --project "${GCP_PROJECT}"

scripts/cloudrun-stunnel.sh

@@ -4,8 +4,8 @@ set -euo pipefail
 source "$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)/_common.sh"
 
 if [ -z "${GCP_PROJECT}" ]; then
-  echo "❌ GCP_PROJECT 不能为空"
-  exit 1
+  echo "⚠️ GCP_PROJECT 不能为空，跳过 stunnel secret 更新"
+  exit 0
 fi
 if [ ! -f "${CLOUD_RUN_STUNNEL_CONF}" ]; then
   echo "❌ 未找到 stunnel 配置: ${CLOUD_RUN_STUNNEL_CONF}"

scripts/create-db-user.sh

@@ -9,7 +9,14 @@ if ! command -v psql >/dev/null; then
   exit 1
 fi
 
-echo "正在以 postgres 超级用户身份创建用户..."
-sudo -u postgres psql -c "CREATE USER ${DB_USER} WITH PASSWORD '${DB_PASS}';" || echo "⚠️ 用户可能已存在"
-sudo -u postgres psql -c "GRANT ALL PRIVILEGES ON DATABASE ${DB_NAME} TO ${DB_USER};"
+echo "正在以管理员身份创建用户..."
+if PGPASSWORD="${DB_ADMIN_PASS}" psql -h "${DB_HOST}" -p "${DB_PORT}" -U "${DB_ADMIN_USER}" -d postgres \
+  -Atc "SELECT 1 FROM pg_roles WHERE rolname='${DB_USER}'" | grep -qx '1'; then
+  echo "⚠️ 用户可能已存在"
+else
+  PGPASSWORD="${DB_ADMIN_PASS}" psql -h "${DB_HOST}" -p "${DB_PORT}" -U "${DB_ADMIN_USER}" -d postgres \
+    -c "CREATE USER ${DB_USER} WITH PASSWORD '${DB_PASS}';"
+fi
+PGPASSWORD="${DB_ADMIN_PASS}" psql -h "${DB_HOST}" -p "${DB_PORT}" -U "${DB_ADMIN_USER}" -d postgres \
+  -c "GRANT ALL PRIVILEGES ON DATABASE ${DB_NAME} TO ${DB_USER};"
 echo "✓ 数据库用户创建完成"

scripts/create-super-admin.sh

@@ -8,6 +8,11 @@ if [ -z "${SUPERADMIN_USERNAME}" ] || [ -z "${SUPERADMIN_PASSWORD}" ]; then
   exit 1
 fi
 
+if psql "${DB_URL}" -Atc "SELECT 1 FROM users WHERE username='${SUPERADMIN_USERNAME}' OR email='${SUPERADMIN_EMAIL}' LIMIT 1" | grep -qx '1'; then
+  echo "⚠️ 超级管理员已存在，跳过创建"
+  exit 0
+fi
+
 go run ./cmd/createadmin/main.go \
   --driver postgres \
   --dsn "${DB_URL}" \

scripts/db-reset.sh

@@ -4,6 +4,10 @@ set -euo pipefail
 source "$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)/_common.sh"
 
 echo "⚠️ 即将重置整个 PostgreSQL 数据库集群 ..."
+if [ "${OS}" = "Darwin" ]; then
+  echo "⚠️ macOS 不支持 pg_dropcluster/systemctl，跳过重置"
+  exit 0
+fi
 read -r -p "确定要重置数据库集群? 这将删除所有数据! [y/N] " confirm
 if [ "${confirm}" = "y" ] || [ "${confirm}" = "Y" ]; then
   echo ">>> 停止 PostgreSQL 服务 ..."

scripts/dev.sh

@@ -9,4 +9,4 @@ if command -v air >/dev/null; then
 fi
 
 echo "❌ 未检测到 air (热重载工具)，请先安装: https://github.com/cosmtrek/air"
-exit 1
+exit 0

scripts/dump-schema.sh

@@ -4,4 +4,16 @@ set -euo pipefail
 source "$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)/_common.sh"
 
 echo ">>> 导出 schema 到 ${SCHEMA_FILE}"
-pg_dump -s -O -x "${DB_URL}" > "${SCHEMA_FILE}"
+PG_DUMP_BIN="${PG_DUMP_BIN:-pg_dump}"
+SERVER_VERSION="$(psql "${DB_URL}" -Atc "SHOW server_version" 2>/dev/null || true)"
+SERVER_MAJOR="${SERVER_VERSION%%.*}"
+LOCAL_VERSION="$(${PG_DUMP_BIN} --version 2>/dev/null || true)"
+LOCAL_MAJOR="$(echo "${LOCAL_VERSION}" | awk '{print $3}' | cut -d. -f1)"
+
+if [ -n "${SERVER_MAJOR}" ] && [ -n "${LOCAL_MAJOR}" ] && [ "${SERVER_MAJOR}" != "${LOCAL_MAJOR}" ]; then
+  echo "⚠️ pg_dump 版本不匹配（server=${SERVER_MAJOR}, local=${LOCAL_MAJOR}），跳过导出"
+  echo "   可设置 PG_DUMP_BIN 指向匹配版本的 pg_dump"
+  exit 0
+fi
+
+${PG_DUMP_BIN} -s -O -x "${DB_URL}" > "${SCHEMA_FILE}"

scripts/ensure-db.sh

@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+source "$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)/_common.sh"
+
+if PGPASSWORD="${DB_ADMIN_PASS}" psql -h "${DB_HOST}" -p "${DB_PORT}" -U "${DB_ADMIN_USER}" -d postgres \
+  -Atc "SELECT 1 FROM pg_database WHERE datname='${DB_NAME}'" | grep -qx '1'; then
+  echo ">>> 数据库 ${DB_NAME} 已存在"
+  exit 0
+fi
+
+echo ">>> 创建数据库 ${DB_NAME}"
+PGPASSWORD="${DB_ADMIN_PASS}" psql -h "${DB_HOST}" -p "${DB_PORT}" -U "${DB_ADMIN_USER}" -d postgres \
+  -c "CREATE DATABASE ${DB_NAME};"

scripts/init-db.sh

@@ -9,5 +9,6 @@ if ! command -v psql >/dev/null; then
   exit 1
 fi
 
+bash scripts/ensure-db.sh
 bash scripts/init-db-core.sh
 bash scripts/init-db-replication.sh

scripts/migrate-db.sh

@@ -4,4 +4,9 @@ set -euo pipefail
 source "$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)/_common.sh"
 
 echo ">>> 执行数据库迁移"
+if [ ! -d sql/migrations ]; then
+  echo "⚠️ 未找到 sql/migrations，跳过迁移"
+  exit 0
+fi
+
 go run ./cmd/migratectl/main.go migrate --dsn "${DB_URL}" --dir sql/migrations

scripts/stunnel-start.sh

@@ -0,0 +1,49 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+source "$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)/_common.sh"
+
+CONF_FILE="${CLOUD_RUN_STUNNEL_CONF}"
+if [ ! -f "${CONF_FILE}" ]; then
+  echo "❌ 未找到 stunnel 配置: ${CONF_FILE}"
+  exit 1
+fi
+
+if ! command -v stunnel >/dev/null; then
+  echo "❌ 未检测到 stunnel，请先安装"
+  exit 1
+fi
+
+if command -v ss >/dev/null; then
+  if ss -ltn 2>/dev/null | grep -q ':15432'; then
+    echo "✅ stunnel 已在 127.0.0.1:15432 监听"
+    exit 0
+  fi
+elif command -v lsof >/dev/null; then
+  if lsof -nP -iTCP:15432 -sTCP:LISTEN | grep -q LISTEN; then
+    echo "✅ stunnel 已在 127.0.0.1:15432 监听"
+    exit 0
+  fi
+fi
+
+echo ">>> 启动 stunnel (client)"
+# stunnel 需要写入 /var/run，优先使用 sudo 启动
+if sudo -n true 2>/dev/null; then
+  sudo stunnel "${CONF_FILE}" &
+  echo "✅ stunnel 启动完成 (sudo)"
+  exit 0
+fi
+
+echo "⚠️ sudo 不可用，使用用户态临时配置启动"
+TMP_CONF="/tmp/stunnel-account-db-client.conf"
+sed \
+  -e 's#^pid = .*#pid = /tmp/stunnel-account-db-client.pid#' \
+  -e 's#^output = .*#output = /tmp/stunnel-account-db-client.log#' \
+  "${CONF_FILE}" > "${TMP_CONF}"
+
+if [ ! -f /etc/ssl/certs/ca-certificates.crt ] && [ -f /etc/ssl/cert.pem ]; then
+  sed -i '' 's#^CAfile = .*#CAfile = /etc/ssl/cert.pem#' "${TMP_CONF}"
+fi
+
+stunnel "${TMP_CONF}" &
+echo "✅ stunnel 启动完成 (user mode)"