GeneralBots/gbserver
2
0
Fork 0
Code Issues 2 Pull requests Projects Releases Packages Wiki Activity Actions

feat(gb-infra): Enhance security and resource management by adding fail2ban installation, updating bot and email scripts for improved configuration, and implementing container size limits

Browse source
This commit is contained in:
Rodrigo Rodriguez (Pragmatismo) 2025-06-03 23:51:27 -03:00
parent af16522a50
commit 794db6717c
7 changed files with 162 additions and 51 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
gb-infra/README.md
View file

@ -7,6 +7,9 @@ rsync -avz --progress --bwlimit=0 -e "ssh -p 22 -T -c aes128-gcm@openssh.com -o
# Security # Security
apt update && apt install -y fail2ban
systemctl enable fail2ban
apt update && apt install -y fail2ban iptables-persistent apt update && apt install -y fail2ban iptables-persistent

75
gb-infra/src/templates/opt/gbo/tenants/default/bot/bot.sh
View file

@ -1,6 +1,6 @@
#!/bin/bash #!/bin/bash
HOST_BASE="/opt/gbo/tenants/$PARAM_TENANT/botserver" HOST_BASE="/opt/gbo/tenants/$PARAM_TENANT/bot"
HOST_DATA="$HOST_BASE/data" HOST_DATA="$HOST_BASE/data"
HOST_CONF="$HOST_BASE/conf" HOST_CONF="$HOST_BASE/conf"
HOST_LOGS="$HOST_BASE/logs" HOST_LOGS="$HOST_BASE/logs"
@ -8,59 +8,90 @@ HOST_LOGS="$HOST_BASE/logs"
mkdir -p "$HOST_DATA" "$HOST_CONF" "$HOST_LOGS" mkdir -p "$HOST_DATA" "$HOST_CONF" "$HOST_LOGS"
chmod -R 750 "$HOST_BASE" chmod -R 750 "$HOST_BASE"
lxc launch images:debian/12 "$PARAM_TENANT"-botserver -c security.privileged=true lxc launch images:debian/12 "$PARAM_TENANT"-bot -c security.privileged=true
sleep 15 sleep 15
lxc exec "$PARAM_TENANT"-botserver -- bash -c " lxc exec "$PARAM_TENANT"-bot -- bash -c "
apt-get update && apt-get install -y \ apt-get update && apt-get install -y \
build-essential cmake git pkg-config libjpeg-dev libtiff-dev \ build-essential cmake git pkg-config libjpeg-dev libtiff-dev \
libpng-dev libavcodec-dev libavformat-dev libswscale-dev \ libpng-dev libavcodec-dev libavformat-dev libswscale-dev \
libv4l-dev libatlas-base-dev gfortran python3-dev cpulimit \ libv4l-dev libatlas-base-dev gfortran python3-dev cpulimit \
expect libxtst-dev libpng-dev expect libxtst-dev libpng-dev
sudo apt-get install -y libcairo2-dev libpango1.0-dev libgif-dev librsvg2-dev
sudo apt install xvfb -y
sudo apt install -y \
libnss3 \
libatk1.0-0 \
libatk-bridge2.0-0 \
libcups2 \
libdrm2 \
libxkbcommon0 \
libxcomposite1 \
libxdamage1 \
libxfixes3 \
libxrandr2 \
libgbm1 \
libasound2 \
libpangocairo-1.0-0
export OPENCV4NODEJS_DISABLE_AUTOBUILD=1 export OPENCV4NODEJS_DISABLE_AUTOBUILD=1
export OPENCV_LIB_DIR=/usr/lib/x86_64-linux-gnu export OPENCV_LIB_DIR=/usr/lib/x86_64-linux-gnu
useradd --system --no-create-home --shell /bin/false botserver useradd --system --no-create-home --shell /bin/false bot
" "
BOT_UID=$(lxc exec "$PARAM_TENANT"-botserver -- id -u botserver) BOT_UID=$(lxc exec "$PARAM_TENANT"-bot -- id -u bot)
BOT_GID=$(lxc exec "$PARAM_TENANT"-botserver -- id -g botserver) BOT_GID=$(lxc exec "$PARAM_TENANT"-bot -- id -g bot)
HOST_BOT_UID=$((100000 + BOT_UID)) HOST_BOT_UID=$((100000 + BOT_UID))
HOST_BOT_GID=$((100000 + BOT_GID)) HOST_BOT_GID=$((100000 + BOT_GID))
chown -R "$HOST_BOT_UID:$HOST_BOT_GID" "$HOST_BASE" chown -R "$HOST_BOT_UID:$HOST_BOT_GID" "$HOST_BASE"
lxc config device add "$PARAM_TENANT"-botserver botdata disk source="$HOST_DATA" path=/var/lib/botserver lxc config device add "$PARAM_TENANT"-bot botdata disk source="$HOST_DATA" path=/opt/gbo/data
lxc config device add "$PARAM_TENANT"-botserver botconf disk source="$HOST_CONF" path=/etc/botserver lxc config device add "$PARAM_TENANT"-bot botconf disk source="$HOST_CONF" path=/opt/gbo/conf
lxc config device add "$PARAM_TENANT"-botserver botlogs disk source="$HOST_LOGS" path=/var/log/botserver lxc config device add "$PARAM_TENANT"-bot botlogs disk source="$HOST_LOGS" path=/opt/gbo/logs
lxc exec "$PARAM_TENANT"-botserver -- bash -c " lxc exec "$PARAM_TENANT"-bot -- bash -c "
mkdir -p /var/lib/botserver /etc/botserver /var/log/botserver mkdir -p /opt/gbo/data /opt/gbo/conf /opt/gbo/logs
chown -R botserver:botserver /var/lib/botserver /etc/botserver /var/log/botserver chown -R bot:bot /opt/gbo/data /opt/gbo/conf /opt/gbo/logs
cat > /etc/systemd/system/botserver.service <<EOF sudo apt install -y curl gnupg ca-certificates
curl -fsSL https://deb.nodesource.com/setup_22.x | sudo bash -
sudo apt install -y nodejs
cd /opt/gbo/data
git clone https://alm.pragmatismo.com.br/generalbots/botserver.git
cd botserver
npm i
./node_modules/.bin/tsc
npx puppeteer browsers install
cat > /etc/systemd/system/bot.service <<EOF
[Unit] [Unit]
Description=Bot Server Description=Bot Server
After=network.target After=network.target
[Service] [Service]
User=botserver User=bot
Group=botserver Group=root
WorkingDirectory=/var/lib/botserver Environment="DISPLAY=:99"
ExecStart=/usr/bin/node /var/lib/botserver/main.js ExecStartPre=/bin/bash -c "/usr/bin/Xvfb :99 -screen 0 1024x768x24 -ac +extension GLX +render -noreset &"
WorkingDirectory=/opt/gbo/data/botserver
ExecStart=/usr/bin/node /opt/gbo/data/botserver/boot.mjs
Restart=always Restart=always
Environment=PORT=$PARAM_BOT_PORT StandardOutput=append:/opt/gbo/logs/stdout.log
StandardError=append:/opt/gbo/logs/stderr.log
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target
EOF EOF
systemctl daemon-reload systemctl daemon-reload
systemctl enable botserver systemctl enable bot
systemctl start botserver systemctl start bot
" "
lxc config device remove "$PARAM_TENANT"-botserver bot-proxy 2>/dev/null || true lxc config device remove "$PARAM_TENANT"-bot bot-proxy 2>/dev/null || true
lxc config device add "$PARAM_TENANT"-botserver bot-proxy proxy \ lxc config device add "$PARAM_TENANT"-bot bot-proxy proxy \
listen=tcp:0.0.0.0:"$PARAM_BOT_PORT" \ listen=tcp:0.0.0.0:"$PARAM_BOT_PORT" \
connect=tcp:127.0.0.1:"$PARAM_BOT_PORT" connect=tcp:127.0.0.1:"$PARAM_BOT_PORT"

47
gb-infra/src/templates/opt/gbo/tenants/default/email/email.sh
View file

@ -95,32 +95,35 @@ systemctl start email
# Get container IP # Get container IP
CONTAINER_IP=$(lxc list "$PARAM_TENANT"-email -c 4 --format csv | awk '{print $1}') CONTAINER_IP=$(lxc list "$PARAM_TENANT"-email -c 4 --format csv | awk '{print $1}')
# Setup port forwarding
echo "[HOST] Setting up port forwarding..."
declare -A PORTS=( declare -A PORTS=(
["email"]="$PARAM_EMAIL_SMTP_PORT" ["smtp"]="25"
["http"]="$PARAM_EMAIL_HTTP_PORT" ["submission"]="587"
["imap"]="$PARAM_EMAIL_IMAP_PORT" ["submissions"]="465"
["imaps"]="$PARAM_EMAIL_IMAPS_PORT" ["imap"]="143"
["pop3"]="$PARAM_EMAIL_POP3_PORT" ["imaps"]="993"
["pop3s"]="$PARAM_EMAIL_POP3S_PORT" ["sieve"]="4190"
["submission"]="$PARAM_EMAIL_SUBMISSION_PORT"
["submissions"]="$PARAM_EMAIL_SUBMISSIONS_PORT"
["sieve"]="$PARAM_EMAIL_SIEVE_PORT"
) )
for service in "${!PORTS[@]}"; do for service in "${!PORTS[@]}"; do
# Container proxy device port="${PORTS[$service]}"
lxc config device remove "$PARAM_TENANT"-email "$service-proxy" 2>/dev/null || true
lxc config device add "$PARAM_TENANT"-email "$service-proxy" proxy \
listen=tcp:0.0.0.0:"${PORTS[$service]}" \
connect=tcp:127.0.0.1:"${PORTS[$service]}"
# Host port forwarding # Add LXC proxy device
sudo iptables -t nat -A PREROUTING -i $PUBLIC_INTERFACE -p tcp --dport "${PORTS[$service]}" -j DNAT --to-destination "$CONTAINER_IP":"${PORTS[$service]}" lxc config device remove pragmatismo-email "${service}-proxy" 2>/dev/null || true
lxc config device add pragmatismo-email "${service}-proxy" proxy \
listen=tcp:0.0.0.0:"${port}" \
connect=tcp:"${CONTAINER_IP}":"${port}" \
bind=host \
nat=false
# Add correct iptables rules
sudo iptables -t nat -A PREROUTING -i $PUBLIC_INTERFACE -p tcp --dport ${port} -j DNAT --to-destination ${CONTAINER_IP}:${port}
sudo iptables -A FORWARD -p tcp --dport ${port} -j ACCEPT
done done
# Save iptables rules again # Enable IP forwarding
if command -v iptables-persistent >/dev/null; then echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.conf
sudo iptables-save | sudo tee /etc/iptables/rules.v4 sudo sysctl -p
fi
# Save rules
sudo iptables-save | sudo tee /etc/iptables/rules.v4

5
gb-infra/src/templates/opt/gbo/tenants/default/shared/scripts/check-space.sh Normal file
View file

@ -0,0 +1,5 @@
printf "%-20s %-10s %-10s %-10s %-6s %s\n" "CONTAINER" "USED" "AVAIL" "TOTAL" "USE%" "MOUNT"
for container in $(lxc list -c n --format csv); do
disk_info=$(lxc exec $container -- df -h / --output=used,avail,size,pcent | tail -n 1)
printf "%-20s %s\n" "$container" "$disk_info"
done

49
gb-infra/src/templates/opt/gbo/tenants/default/shared/scripts/limits.sh
View file

@ -1,17 +1,52 @@
#!/usr/bin/env bash
# Define container limits in an associative array
declare -A container_limits=(
# Pattern Memory CPU Allowance
["*alm*"]="5126MB:15ms/100ms"
["*email*"]="1024MB:15ms/100ms"
["*webmail*"]="1024MB:20ms/100ms"
["*bot*"]="2048MB:20ms/100ms"
["*drive*"]="1024MB:20ms/100ms"
)
# Default values (for containers that don't match any pattern)
DEFAULT_MEMORY="1024MB"
DEFAULT_CPU_ALLOWANCE="15ms/100ms"
CPU_COUNT=1
CPU_PRIORITY=10
# Configure all containers
for container in $(lxc list -c n --format csv); do for container in $(lxc list -c n --format csv); do
lxc config set "$container" limits.memory 2048MB echo "Configuring $container..."
lxc config set "$container" limits.cpu.allowance "20ms/100ms"
lxc config set "$container" limits.cpu 1 memory=$DEFAULT_MEMORY
lxc config set "$container" limits.cpu.priority 1 cpu_allowance=$DEFAULT_CPU_ALLOWANCE
# Check if container matches any pattern
for pattern in "${!container_limits[@]}"; do
if [[ $container == $pattern ]]; then
IFS=':' read -r memory cpu_allowance <<< "${container_limits[$pattern]}"
break
fi
done
# Apply configuration
lxc config set "$container" limits.memory "$memory"
lxc config set "$container" limits.cpu.allowance "$cpu_allowance"
lxc config set "$container" limits.cpu "$CPU_COUNT"
lxc config set "$container" limits.cpu.priority "$CPU_PRIORITY"
done done
# Restart all containers (gracefully) # Restart all containers
echo "Restarting containers..."
for container in $(lxc list -c n --format csv); do for container in $(lxc list -c n --format csv); do
echo "Restarting $container..." echo "Restarting $container..."
lxc restart "$container" # --force ensures a hard restart if needed lxc restart "$container"
done done
# Check limits for all containers # Verify configuration
echo "Verifying limits..."
for container in $(lxc list -c n --format csv); do for container in $(lxc list -c n --format csv); do
echo "--- $container ---" echo "--- $container ---"
lxc config show "$container" | grep -E "memory|cpu" lxc config show "$container" | grep -E "memory|cpu"

33
gb-infra/src/templates/opt/gbo/tenants/default/shared/scripts/set-size-5GB.sh Normal file
View file

@ -0,0 +1,33 @@
for container in $(lxc list --format csv -c n); do
echo "Processing $container..."
# Stop container safely
lxc stop "$container"
# Set new 5GB limit (works for most drivers)
if ! lxc config device override "$container" root size=5GB; then
echo "Failed to set config, trying alternative method..."
lxc config device set "$container" root size=5GB
fi
# Start container
lxc start "$container"
# Find root device inside container
ROOT_DEV=$(lxc exec "$container" -- df / --output=source | tail -1)
# Resize filesystem (with proper error handling)
if lxc exec "$container" -- which resize2fs >/dev/null 2>&1; then
echo "Resizing filesystem for $container..."
if [[ "$ROOT_DEV" == /dev/* ]]; then
lxc exec "$container" -- growpart "$(dirname "$ROOT_DEV")" "$(basename "$ROOT_DEV")"
lxc exec "$container" -- resize2fs "$ROOT_DEV"
else
echo "Non-standard root device $ROOT_DEV - manual resize needed"
fi
else
echo "resize2fs not available in $container - install it first"
fi
echo "Completed $container"
done

1
gb-infra/src/templates/opt/gbo/tenants/default/social/.sh Normal file
View file

@ -0,0 +1 @@
https://www.brasil247.com/mundo/meta-quer-automatizar-totalmente-publicidade-com-ia-ate-2026-diz-wsj