From 94abb1b02fbb7e10fcfd16b1f11a9e5b1e4b94a2 Mon Sep 17 00:00:00 2001
From: "Rodrigo Rodriguez (Pragmatismo)"
Date: Sun, 1 Jun 2025 17:08:15 -0300
Subject: [PATCH] feat(gb-infra): Update ALM CI and Drive scripts for improved configuration and service management

---
 gb-infra/README.md | 14 ++++++++++
 gb-infra/src/scripts/alm-ci.sh | 37 ++++++++++++++++++--------
 gb-infra/src/scripts/drive.sh | 48 ++++++++++++++++++----------------
 gb-infra/src/scripts/limits.sh | 18 +++++++++++++
 4 files changed, 83 insertions(+), 34 deletions(-)
 create mode 100644 gb-infra/README.md
 create mode 100644 gb-infra/src/scripts/limits.sh

diff --git a/gb-infra/README.md b/gb-infra/README.md
new file mode 100644
index 0000000..c8efeb6
--- /dev/null
+++ b/gb-infra/README.md
@@ -0,0 +1,14 @@
+
+# Backup
+
+## Fastest way to tranfer files between servers over TCP/IP
+
+rsync -avz --progress --bwlimit=0 -e "ssh -p 22 -T -c aes128-gcm@openssh.com -o Compression=no -o IPQoS=throughput" gbbackup@host.com.br:/opt/gbo/backup /home/user/Desktop
+
+
+# Security
+
+apt update && apt install -y fail2ban iptables-persistent
+
+systemctl enable fail2ban
+systemctl enable netfilter-persistent
\ No newline at end of file
diff --git a/gb-infra/src/scripts/alm-ci.sh b/gb-infra/src/scripts/alm-ci.sh
index 248f70e..356ff61 100644
--- a/gb-infra/src/scripts/alm-ci.sh
+++ b/gb-infra/src/scripts/alm-ci.sh
@@ -1,24 +1,33 @@
 #!/bin/bash
-ALM_CI_VERSION="v6.3.1"
 ALM_CI_NAME="CI"
-ALM_CI_LABELS="pragmatismo.com.br"
-ALM_CI_BIN_PATH="/opt/gbo/bin"
+ALM_CI_LABELS="gbo"
+HOST_BASE="/opt/gbo/tenants/$PARAM_TENANT/alm-ci"
+HOST_DATA="$HOST_BASE/data"
+HOST_CONF="$HOST_BASE/conf"
+HOST_LOGS="$HOST_BASE/logs"
+BIN_PATH="/opt/gbo/bin"
 
-mkdir -p "${ALM_CI_BIN_PATH}"
-chmod -R 750 "${ALM_CI_BIN_PATH}"
-chown -R 100999:100999 "${ALM_CI_BIN_PATH}"
+mkdir -p "$HOST_DATA" "$HOST_CONF" "$HOST_LOGS"
+chmod -R 750 "$HOST_BASE"
 
 lxc launch images:debian/12 "${PARAM_TENANT}-alm-ci" -c security.privileged=true
 sleep 15
 
+# Add directory mappings before installation
+lxc config device add "${PARAM_TENANT}-alm-ci" almdata disk source="$HOST_DATA" path=/opt/gbo/data
+lxc config device add "${PARAM_TENANT}-alm-ci" almconf disk source="$HOST_CONF" path=/opt/gbo/conf
+lxc config device add "${PARAM_TENANT}-alm-ci" almlogs disk source="$HOST_LOGS" path=/opt/gbo/logs
+
 lxc exec "${PARAM_TENANT}-alm-ci" -- bash -c "
 apt-get update && apt-get install -y wget
-wget -O ${ALM_CI_BIN_PATH}/forgejo-runner https://code.forgejo.org/forgejo/runner/releases/download/${ALM_CI_VERSION}/forgejo-runner-${ALM_CI_VERSION}-linux-amd64
-chmod +x ${ALM_CI_BIN_PATH}/forgejo-runner
-${ALM_CI_BIN_PATH}/forgejo-runner register --no-interactive \
+mkdir -p ${BIN_PATH} /opt/gbo/data /opt/gbo/conf /opt/gbo/logs
+wget -O ${BIN_PATH}/forgejo-runner https://code.forgejo.org/forgejo/runner/releases/download/v6.3.1/forgejo-runner-6.3.1-linux-amd64
+chmod +x ${BIN_PATH}/forgejo-runner
+
+${BIN_PATH}/forgejo-runner register --no-interactive \
 --name \"${ALM_CI_NAME}\" \
 --instance \"${PARAM_ALM_CI_INSTANCE}\" \
 --token \"${PARAM_ALM_CI_TOKEN}\" \
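Review bot: The new `wget -O ${BIN_PATH}/forgejo-runner https://…/v6.3.1/forgejo-runner-6.3.1-linux-amd64` line installs a binary that will run as root inside a privileged container (the unchanged `lxc launch … -c security.privileged=true` line) with nothing checking what was downloaded, and because the inner script has no `set -e` a failed or truncated download still reaches `chmod +x` and `register`. Fetch the asset under its release name, verify it against the `.sha256` file that Forgejo publishes beside each runner release (as far as I can tell — confirm it is in `sha256sum` format), and only then rename it; keep the version in one host-side variable as the removed `ALM_CI_VERSION` did instead of repeating it in the path and the file name, since host variables are expanded into the `bash -c "…"` string exactly as `${BIN_PATH}` already is. `HOST_BASE` is also built from `$PARAM_TENANT` with no guard, so an unset tenant yields `/opt/gbo/tenants//alm-ci` and a container named `-alm-ci`; `: "${PARAM_TENANT:?PARAM_TENANT is required}"` right after the shebang prevents that. The `bash -c "` string and the `register` argument list continue past the end of this hunk.
```shell
#!/bin/bash
set -euo pipefail
: "${PARAM_TENANT:?PARAM_TENANT is required}"
ALM_CI_VERSION="6.3.1"
ALM_CI_ASSET="forgejo-runner-${ALM_CI_VERSION}-linux-amd64"
ALM_CI_URL="https://code.forgejo.org/forgejo/runner/releases/download/v${ALM_CI_VERSION}"
# … unchanged: ALM_CI_NAME/ALM_CI_LABELS, HOST_* paths, container launch, disk devices …
lxc exec "${PARAM_TENANT}-alm-ci" -- bash -c "
set -e
apt-get update && apt-get install -y wget
mkdir -p ${BIN_PATH} /opt/gbo/data /opt/gbo/conf /opt/gbo/logs
wget -O ${BIN_PATH}/${ALM_CI_ASSET} ${ALM_CI_URL}/${ALM_CI_ASSET}
wget -O ${BIN_PATH}/${ALM_CI_ASSET}.sha256 ${ALM_CI_URL}/${ALM_CI_ASSET}.sha256
# abort the install if the binary does not match the published digest
(cd ${BIN_PATH} && sha256sum -c ${ALM_CI_ASSET}.sha256)
mv ${BIN_PATH}/${ALM_CI_ASSET} ${BIN_PATH}/forgejo-runner
chmod +x ${BIN_PATH}/forgejo-runner
# … unchanged: forgejo-runner register … 
```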
@@ -33,8 +42,11 @@ After=network.target
 Type=simple
 User=root
 Group=root
-ExecStart=${ALM_CI_BIN_PATH}/forgejo-runner daemon
+WorkingDirectory=/opt/gbo/data
+ExecStart=${BIN_PATH}/forgejo-runner daemon
 Restart=always
+StandardOutput=append:/opt/gbo/logs/stdout.log
+StandardError=append:/opt/gbo/logs/stderr.log
 
 [Install]
 WantedBy=multi-user.target
@@ -43,4 +55,7 @@ EOF
 systemctl daemon-reload
 systemctl enable alm-ci
 systemctl start alm-ci
-"
\ No newline at end of file
+"
+
+# Fix permissions on host
+chown -R 100000:100000 "$HOST_BASE" # Using default LXC mapping for root
\ No newline at end of file
diff --git a/gb-infra/src/scripts/drive.sh b/gb-infra/src/scripts/drive.sh
index ca7b476..99720aa 100644
--- a/gb-infra/src/scripts/drive.sh
+++ b/gb-infra/src/scripts/drive.sh
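Review bot: The new `chown -R 100000:100000 "$HOST_BASE" # Using default LXC mapping for root` relies on a uid map this container does not have: it is launched with `-c security.privileged=true` in the first hunk, and a privileged container runs in the host's uid namespace, so container root is host uid 0 and the 100000 offset the comment refers to is only applied to unprivileged containers. As written, the tenant tree is handed to an unrelated host uid after `systemctl start alm-ci` has already begun writing into it, and drive.sh in the same commit uses 100999 for the same purpose, so the two scripts disagree with each other as well. If the runner must stay privileged, make the comment and the number match reality (`chown -R 0:0 "$HOST_BASE"`, or drop the line since root already owns what root created); the safer fix for a service that executes CI jobs is to launch it unprivileged and add `shift=true` to the three disk devices so the host tree keeps root ownership without any manual chown. Either way, move the ownership fix ahead of the service start and check the `lxc exec` exit status — the host script has no `set -e`, so a failed install still reaches this line.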
@@ -1,52 +1,54 @@
 #!/bin/bash
-STORAGE_PATH="/opt/gbo/tenants/$PARAM_TENANT/drive/data"
+
+DATA_PATH="/opt/gbo/tenants/$PARAM_TENANT/drive/data"
 LOGS_PATH="/opt/gbo/tenants/$PARAM_TENANT/drive/logs"
-mkdir -p "${STORAGE_PATH}" "${LOGS_PATH}"
-chmod -R 770 "${STORAGE_PATH}" "${LOGS_PATH}"
-chown -R 100999:100999 "${STORAGE_PATH}" "${LOGS_PATH}"
+mkdir -p "${DATA_PATH}" "${LOGS_PATH}"
+chmod -R 770 "${DATA_PATH}" "${LOGS_PATH}"
+chown -R 100999:100999 "${DATA_PATH}" "${LOGS_PATH}"
 lxc launch images:debian/12 "${PARAM_TENANT}-drive" -c security.privileged=true
 sleep 15
-lxc config device add "${PARAM_TENANT}-drive" storage disk source="${STORAGE_PATH}" path=/data
-lxc config device add "${PARAM_TENANT}-drive" logs disk source="${LOGS_PATH}" path=/var/log/minio
+lxc config device add "${PARAM_TENANT}-drive" storage disk source="${DATA_PATH}" path=/opt/gbo/data
+lxc config device add "${PARAM_TENANT}-drive" logs disk source="${LOGS_PATH}" path=/opt/gbo/logs
 lxc exec "${PARAM_TENANT}-drive" -- bash -c '
+
+mkdir -p /opt/gbo/logs /opt/gbo/data /opt/gbo/bin
+useradd -r -s /bin/false gbuser || true
+chown -R gbuser:gbuser /opt/gbo/logs /opt/gbo/data
+
 apt-get update && apt-get install -y wget
-wget https://dl.min.io/server/minio/release/linux-amd64/minio -O /usr/local/bin/minio
-chmod +x /usr/local/bin/minio
+wget https://dl.min.io/server/minio/release/linux-amd64/minio -O /opt/gbo/bin/minio
+chmod +x /opt/gbo/bin/minio
-useradd -r -s /bin/false minio-user || true
-mkdir -p /var/log/minio /data
-chown -R minio-user:minio-user /var/log/minio /data
-
-cat > /etc/systemd/system/minio.service < /etc/systemd/system/drive.service </dev/null || true
-lxc config device add "${PARAM_TENANT}-drive" minio-proxy proxy \
+lxc config device remove "${PARAM_TENANT}-drive" drive-proxy 2>/dev/null || true
+lxc config device add "${PARAM_TENANT}-drive" drive-proxy proxy \
 listen=tcp:0.0.0.0:"${PARAM_DRIVE_API_PORT}" \
 connect=tcp:127.0.0.1:"${PARAM_DRIVE_API_PORT}"
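Review bot: The in-container `chown -R gbuser:gbuser /opt/gbo/logs /opt/gbo/data` and the host-side `chown -R 100999:100999 "${DATA_PATH}" "${LOGS_PATH}"` fight over the same inodes: both directories are bind-mounted into a container launched with `security.privileged=true`, which has no uid map, so the container's chown writes `gbuser`'s raw uid — whatever `useradd -r` happens to allocate in that image — onto the host files and silently replaces the 100999 set a few lines earlier, and the resulting owner can differ from tenant to tenant. Give the account a fixed id that matches the host-side number (`useradd -r -u 100999 -s /bin/false gbuser || true`) or, better, launch the container unprivileged with `shift=true` on the two disk devices so the host tree keeps its ownership. The new `wget https://dl.min.io/…/minio -O /opt/gbo/bin/minio` line still fetches whatever build is current, with no pin and no integrity check before `chmod +x`; MinIO publishes a `minio.sha256sum` next to the binary as far as I know, so download it and run `sha256sum -c` before making the file executable. The middle of this hunk (the old `minio.service` and the new `drive.service` unit) is mangled in this copy of the patch, so the unit itself was not reviewed, and the `bash -c '…'` string opened here closes inside that mangled region.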
diff --git a/gb-infra/src/scripts/limits.sh b/gb-infra/src/scripts/limits.sh
new file mode 100644
index 0000000..e985b86
--- /dev/null
+++ b/gb-infra/src/scripts/limits.sh
@@ -0,0 +1,18 @@
+for container in $(lxc list -c n --format csv); do
+ lxc config set "$container" limits.memory 2048MB
+ lxc config set "$container" limits.cpu.allowance "20ms/100ms"
+ lxc config set "$container" limits.cpu 1
+ lxc config set "$container" limits.cpu.priority 1
+done
+
+# Restart all containers (gracefully)
+for container in $(lxc list -c n --format csv); do
+ echo "Restarting $container..."
+ lxc restart "$container" # --force ensures a hard restart if needed
+done
+
+# Check limits for all containers
+for container in $(lxc list -c n --format csv); do
+ echo "--- $container ---"
+ lxc config show "$container" | grep -E "memory|cpu"
+done
\ No newline at end of file
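Review bot: The comment on the new `lxc restart "$container" # --force ensures a hard restart if needed` line describes a flag the command does not pass — without `--force` this is a plain restart, so the comment and the `# Restart all containers (gracefully)` heading above it contradict each other; drop the trailing comment or pass the flag deliberately. The file also has no shebang and no `set -euo pipefail`, so a failed `lxc config set` is ignored and the second loop restarts a container whose limits were never applied; `#!/bin/bash` followed by `set -euo pipefail` as the first two lines fixes that. Note that all three loops walk every container `lxc list` returns, not only this tenant's `*-alm-ci` and `*-drive` instances, so running it on a shared host throttles unrelated containers to `20ms/100ms` of one core and 2048MB — state that intent in a header comment, or take a name filter as an argument.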