feat(gb-infra): Update email, proxy, and webmail scripts for improved configuration and resource management; add prompt guidelines for consistency

2025-06-07 18:31:39 -03:00 · 2025-06-07 18:31:39 -03:00 · 0558329cb4
commit 0558329cb4
parent 5277a50aa0
5 changed files with 70 additions and 128 deletions
--- a/gb-infra/src/templates/opt/gbo/tenants/default/email/email.sh
+++ b/gb-infra/src/templates/opt/gbo/tenants/default/email/email.sh
@ -1,22 +1,5 @@
 #!/bin/bash
 PUBLIC_INTERFACE="eth0"                 # Your host's public network interface
 # Enable IP forwarding
 echo "[HOST] Enabling IP forwarding..."
 echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.conf
 sudo sysctl -p
 # Configure firewall
 echo "[HOST] Configuring firewall..."
 sudo iptables -A FORWARD -i $PUBLIC_INTERFACE -o lxcbr0 -p tcp -m multiport --dports 25,80,110,143,465,587,993,995,4190 -j ACCEPT
 sudo iptables -A FORWARD -i lxcbr0 -o $PUBLIC_INTERFACE -m state --state RELATED,ESTABLISHED -j ACCEPT
 sudo iptables -t nat -A POSTROUTING -o $PUBLIC_INTERFACE -j MASQUERADE
 # Save iptables rules permanently (adjust based on your distro)
 if command -v iptables-persistent >/dev/null; then
    sudo iptables-save | sudo tee /etc/iptables/rules.v4
 fi
 # ------------------------- CONTAINER SETUP -------------------------
@ -38,11 +21,12 @@ sleep 15
 echo "[CONTAINER] Installing Stalwart Mail..."
 lxc exec "$PARAM_TENANT"-email -- bash -c "
 apt-get update && apt-get install -y wget libcap2-bin
-wget -O /tmp/stalwart.tar.gz https://github.com/stalwartlabs/stalwart/releases/download/v0.11.8/stalwart-mail-x86_64-unknown-linux-gnu.tar.gz
+wget -O /tmp/stalwart.tar.gz https://github.com/stalwartlabs/stalwart/releases/download/v0.12.4/stalwart-x86_64-unknown-linux-gnu.tar.gz
 tar -xzf /tmp/stalwart.tar.gz -C /tmp
 mkdir -p /opt/gbo/bin
-mv /tmp/stalwart-mail /opt/gbo/bin/stalwart-mail
+mv /tmp/stalwart /opt/gbo/bin/stalwart
-chmod +x /opt/gbo/bin/stalwart-mail
+chmod +x /opt/gbo/bin/stalwart
 rm /tmp/stalwart.tar.gz
 useradd --system --no-create-home --shell /bin/false email
 mkdir -p /opt/gbo/data /opt/gbo/conf /opt/gbo/logs
@ -90,40 +74,3 @@ systemctl enable email
 systemctl start email
 "
 # ------------------------- PORT FORWARDING -------------------------
 # Get container IP
 CONTAINER_IP=$(lxc list "$PARAM_TENANT"-email -c 4 --format csv | awk '{print $1}')
 declare -A PORTS=(
    ["smtp"]="25"
    ["submission"]="587"
    ["submissions"]="465"
    ["imap"]="143"
    ["imaps"]="993"
    ["sieve"]="4190"
 )
 for service in "${!PORTS[@]}"; do
    port="${PORTS[$service]}"
    # Add LXC proxy device
    lxc config device remove pragmatismo-email "${service}-proxy" 2>/dev/null || true
    lxc config device add pragmatismo-email "${service}-proxy" proxy \
        listen=tcp:0.0.0.0:"${port}" \
        connect=tcp:"${CONTAINER_IP}":"${port}" \
        bind=host \
        nat=false 
    # Add correct iptables rules
    sudo iptables -t nat -A PREROUTING -i $PUBLIC_INTERFACE -p tcp --dport ${port} -j DNAT --to-destination ${CONTAINER_IP}:${port}
    sudo iptables -A FORWARD -p tcp --dport ${port} -j ACCEPT
 done
 # Enable IP forwarding
 echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.conf
 sudo sysctl -p
 # Save rules
 sudo iptables-save | sudo tee /etc/iptables/rules.v4
--- a/gb-infra/src/templates/opt/gbo/tenants/default/prompt.txt
+++ b/gb-infra/src/templates/opt/gbo/tenants/default/prompt.txt
@ -0,0 +1,16 @@
    do not comment or echo anything
    keep lines condensed
    always call it <kind> not own name. Eg.: proxy instead of Caddy. alm instead of forgejo.
    use KISS priciple
    use local /opt/gbo/{logs, data, conf} exposed as 
        HOST_BASE="/opt/gbo/tenants/$PARAM_TENANT/<kind>"
        HOST_DATA="$HOST_BASE/data" 
        HOST_CONF="$HOST_BASE/conf"
        HOST_LOGS="$HOST_BASE/logs"
        instead of using app original paths.
    and use /opt/gbo/bin to put local binaries of installations 
    during sh exection, never touch files in /opt/gbo/{logs, data, conf}
    use wget
    use gbuser as system user
--- a/gb-infra/src/templates/opt/gbo/tenants/default/proxy/proxy.sh
+++ b/gb-infra/src/templates/opt/gbo/tenants/default/proxy/proxy.sh
@ -1,79 +1,56 @@
 #!/bin/bash
 HOST_BASE="/opt/gbo/tenants/$PARAM_TENANT/proxy"
 HOST_DATA="$HOST_BASE/data"
 HOST_CONF="$HOST_BASE/conf"
 HOST_LOGS="$HOST_BASE/logs"
-
+mkdir -p "$HOST_BASE" "$HOST_DATA" "$HOST_CONF" "$HOST_LOGS"
-mkdir -p "$HOST_DATA" "$HOST_CONF" "$HOST_LOGS"
+chmod 750 "$HOST_BASE" "$HOST_DATA" "$HOST_CONF" "$HOST_LOGS"
 chmod -R 750 "$HOST_BASE"
 lxc launch images:debian/12 "$PARAM_TENANT"-proxy -c security.privileged=true
 sleep 15
 lxc exec "$PARAM_TENANT"-proxy -- bash -c "
-apt-get update && apt-get install -y curl libcap2-bin
+mkdir -p /opt/gbo/{bin,data,conf,logs}
-curl -sL \"https://github.com/caddyserver/caddy/releases/download/v2.10.0-beta.3/caddy_2.10.0-beta.3_linux_amd64.tar.gz\" | tar -C /usr/local/bin -xz caddy
+apt-get update && apt-get install -y wget libcap2-bin
-chmod 755 /usr/local/bin/caddy
+wget -q https://github.com/caddyserver/caddy/releases/download/v2.10.0-beta.3/caddy_2.10.0-beta.3_linux_amd64.tar.gz
-setcap 'cap_net_bind_service=+ep' /usr/local/bin/caddy
+tar -xzf caddy_2.10.0-beta.3_linux_amd64.tar.gz -C /opt/gbo/bin
-useradd --system --no-create-home --shell /usr/sbin/nologin caddy
+rm caddy_2.10.0-beta.3_linux_amd64.tar.gz
 chmod 750 /opt/gbo/bin/caddy
 setcap 'cap_net_bind_service=+ep' /opt/gbo/bin/caddy
 useradd --system --shell /usr/sbin/nologin gbuser
 chown -R gbuser:gbuser /opt/gbo/{bin,data,conf,logs}
 "
-CADDY_UID=$(lxc exec "$PARAM_TENANT"-proxy -- id -u caddy)
+lxc config device add "$PARAM_TENANT"-proxy data disk source="$HOST_DATA" path=/opt/gbo/data
-CADDY_GID=$(lxc exec "$PARAM_TENANT"-proxy -- id -g caddy)
+lxc config device add "$PARAM_TENANT"-proxy conf disk source="$HOST_CONF" path=/opt/gbo/conf
-HOST_CADDY_UID=$((100000 + CADDY_UID))
+lxc config device add "$PARAM_TENANT"-proxy logs disk source="$HOST_LOGS" path=/opt/gbo/logs
 HOST_CADDY_GID=$((100000 + CADDY_GID))
 chown -R "$HOST_CADDY_UID:$HOST_CADDY_GID" "$HOST_BASE"
 lxc config device add "$PARAM_TENANT"-proxy proxydata disk source="$HOST_DATA" path=/var/lib/caddy
 lxc config device add "$PARAM_TENANT"-proxy proxyconf disk source="$HOST_CONF" path=/etc/caddy
 lxc config device add "$PARAM_TENANT"-proxy proxylogs disk source="$HOST_LOGS" path=/var/log/caddy
 lxc exec "$PARAM_TENANT"-proxy -- bash -c "
-mkdir -p /var/lib/caddy /etc/caddy /var/log/caddy
+cat > /etc/systemd/system/proxy.service <<EOF
 chown -R caddy:caddy /var/lib/caddy /etc/caddy /var/log/caddy
 cat > /etc/caddy/Caddyfile <<EOF
 :80 {
    respond \"Welcome to $PARAM_TENANT Proxy\"
    log {
        output file /var/log/caddy/access.log
    }
 }
 EOF
 cat > /etc/systemd/system/caddy.service <<EOF
 [Unit]
-Description=Caddy
+Description=Proxy
 After=network.target
 [Service]
-User=root
+User=gbuser
-Group=root
+Group=gbuser
-ExecStart=/usr/local/bin/caddy run --config /etc/caddy/Caddyfile --adapter caddyfile
+Environment=XDG_DATA_HOME=/opt/gbo/data
-ExecReload=/usr/local/bin/caddy reload --config /etc/caddy/Caddyfile --adapter caddyfile
+ExecStart=/opt/gbo/bin/caddy run --config /opt/gbo/conf/config --adapter caddyfile
 TimeoutStopSec=5s
 LimitNOFILE=1048576
 LimitNPROC=512
 PrivateTmp=true
 ProtectSystem=full
 AmbientCapabilities=CAP_NET_BIND_SERVICE
-
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
 [Install]
 WantedBy=multi-user.target
 EOF
 systemctl daemon-reload
-systemctl enable caddy
+
-systemctl start caddy
+chown -R gbuser:gbuser /opt/gbo/{bin,data,conf,logs}
 systemctl enable proxy
 "
-lxc config device remove "$PARAM_TENANT"-proxy http-proxy 2>/dev/null || true
+for port in 80 443 25 110 143 465 587 993 995; do
-lxc config device add "$PARAM_TENANT"-proxy http-proxy proxy \
+lxc config device remove "$PARAM_TENANT"-proxy "port-$port" 2>/dev/null || true
-    listen=tcp:0.0.0.0:"$PARAM_HTTP_PORT" \
+lxc config device add "$PARAM_TENANT"-proxy "port-$port" proxy listen=tcp:0.0.0.0:$port connect=tcp:127.0.0.1:$port
-    connect=tcp:127.0.0.1:"$PARAM_HTTP_PORT"
+done
-lxc config device remove "$PARAM_TENANT"-proxy https-proxy 2>/dev/null || true
+lxc config set "$PARAM_TENANT"-proxy security.syscalls.intercept.mknod true
-lxc config device add "$PARAM_TENANT"-proxy https-proxy proxy \
+lxc config set "$PARAM_TENANT"-proxy security.syscalls.intercept.setxattr true
    listen=tcp:0.0.0.0:"$PARAM_HTTPS_PORT" \
    connect=tcp:127.0.0.1:"$PARAM_HTTPS_PORT"
--- a/gb-infra/src/templates/opt/gbo/tenants/default/shared/scripts/limits.sh
+++ b/gb-infra/src/templates/opt/gbo/tenants/default/shared/scripts/limits.sh
@ -3,8 +3,9 @@
 # Define container limits in an associative array
 declare -A container_limits=(
    # Pattern       Memory    CPU Allowance
    ["*tables*"]="2048MB:33ms/100ms"
    ["*alm*"]="5126MB:15ms/100ms"
-    ["*email*"]="1024MB:15ms/100ms"
+    ["*email*"]="4024MB:100ms/100ms"
    ["*webmail*"]="1024MB:20ms/100ms"
    ["*bot*"]="2048MB:20ms/100ms"
    ["*drive*"]="1024MB:20ms/100ms"
--- a/gb-infra/src/templates/opt/gbo/tenants/default/webmail/webmail.sh
+++ b/gb-infra/src/templates/opt/gbo/tenants/default/webmail/webmail.sh
@ -6,7 +6,6 @@ HOST_CONF="$HOST_BASE/conf"
 HOST_LOGS="$HOST_BASE/logs"
 PARAM_RC_VERSION="1.6.6"
 RC_PATH="$HOST_DATA/wwwroot"
 mkdir -p "$HOST_DATA" "$HOST_CONF" "$HOST_LOGS"
 chmod -R 750 "$HOST_BASE"
@ -14,6 +13,8 @@ chmod -R 750 "$HOST_BASE"
 lxc launch images:debian/12 "$PARAM_TENANT"-webmail -c security.privileged=true
 sleep 15
 RC_PATH="/opt/gbo/data"
 lxc exec "$PARAM_TENANT"-webmail -- bash -c '
 # Install prerequisites
 apt install -y ca-certificates apt-transport-https lsb-release gnupg wget
@ -39,19 +40,19 @@ apt install -y \
 # Restart PHP-FPM
 systemctl restart php8.1-fpm
 if [ ! -d '"$RC_PATH"' ]; then
    mkdir -p '"$RC_PATH"'
    wget -q https://github.com/roundcube/roundcubemail/releases/download/'"$PARAM_RC_VERSION"'/roundcubemail-'"$PARAM_RC_VERSION"'-complete.tar.gz
    tar -xzf roundcubemail-*.tar.gz
    mv roundcubemail-'"$PARAM_RC_VERSION"'/* '"$RC_PATH"'
    rm -rf roundcubemail-*
 fi
-chown -R www-data:www-data '"$RC_PATH"'
+mkdir -p '"$RC_PATH"'
 wget -q https://github.com/roundcube/roundcubemail/releases/download/'"$PARAM_RC_VERSION"'/roundcubemail-'"$PARAM_RC_VERSION"'-complete.tar.gz
 tar -xzf roundcubemail-*.tar.gz
 mv roundcubemail-'"$PARAM_RC_VERSION"'/* '"$RC_PATH"'
 rm -rf roundcubemail-*
 mkdir -p /opt/gbo/logs
 chmod 750 '"$RC_PATH"'
 find '"$RC_PATH"' -type d -exec chmod 750 {} \;
 find '"$RC_PATH"' -type f -exec chmod 640 {} \;
-mkdir -p '"$HOST_LOGS"'
+
 '
 WEBMAIL_UID=$(lxc exec "$PARAM_TENANT"-webmail -- id -u www-data)
@ -60,11 +61,11 @@ HOST_WEBMAIL_UID=$((100000 + WEBMAIL_UID))
 HOST_WEBMAIL_GID=$((100000 + WEBMAIL_GID))
 chown -R "$HOST_WEBMAIL_UID:$HOST_WEBMAIL_GID" "$HOST_BASE"
-lxc config device add "$PARAM_TENANT"-webmail webmaildata disk source="$HOST_DATA" path=/var/lib/roundcube
+lxc config device add "$PARAM_TENANT"-webmail webmaildata disk source="$HOST_DATA" path="$RC_PATH"
-lxc config device add "$PARAM_TENANT"-webmail webmailconf disk source="$HOST_CONF" path=/etc/roundcube
+lxc config device add "$PARAM_TENANT"-webmail webmaillogs disk source="$HOST_LOGS" path=/opt/gbo/logs
 lxc config device add "$PARAM_TENANT"-webmail webmaillogs disk source="$HOST_LOGS" path=/var/log/roundcube
 lxc exec "$PARAM_TENANT"-webmail -- bash -c "
 chown -R www-data:www-data '"$RC_PATH"' /opt/gbo/logs
 cat > /etc/systemd/system/webmail.service <<EOF
 [Unit]
 Description=Roundcube Webmail
@ -74,10 +75,10 @@ After=network.target php8.1-fpm.service
 User=www-data
 Group=www-data
 WorkingDirectory=$RC_PATH
-ExecStart=/usr/bin/php -S 0.0.0.0:$PARAM_WEBMAIL_PORT -t $RC_PATH/public_html
+ExecStart=/usr/bin/php -S 0.0.0.0:$PARAM_WEBMAIL_PORT -t $RC_PATH/wwwroot/public_html
 Restart=always
-StandardOutput=append:/var/log/roundcube/stdout.log
+StandardOutput=append:/opt/gbo/logs/stdout.log
-StandardError=append:/var/log/roundcube/stderr.log
+StandardError=append:/opt/gbo/logs/stderr.log
 [Install]
 WantedBy=multi-user.target