feat(gb-infra): Add 'gbuser' system user for improved service management across scripts; update user permissions and configurations for bot, directory, email, meeting, and proxy services

2025-06-08 21:12:27 -03:00 · 2025-06-08 21:12:27 -03:00 · d722849a7b
commit d722849a7b
parent a9d9ddac4c
6 changed files with 94 additions and 61 deletions
--- a/gb-infra/src/templates/opt/gbo/tenants/default/alm-ci/alm-ci.sh
+++ b/gb-infra/src/templates/opt/gbo/tenants/default/alm-ci/alm-ci.sh
@ -38,6 +38,8 @@ done
 lxc exec "$CONTAINER_NAME" -- bash -c "
 set -e
 useradd --system --no-create-home --shell /bin/false gbuser
 # Update and install dependencies
 apt-get update && apt-get install -y wget || { echo 'Package installation failed'; exit 1; }
--- a/gb-infra/src/templates/opt/gbo/tenants/default/bot/bot.sh
+++ b/gb-infra/src/templates/opt/gbo/tenants/default/bot/bot.sh
@ -39,11 +39,11 @@ sudo apt install -y \
 export OPENCV4NODEJS_DISABLE_AUTOBUILD=1
 export OPENCV_LIB_DIR=/usr/lib/x86_64-linux-gnu
-useradd --system --no-create-home --shell /bin/false bot
+useradd --system --no-create-home --shell /bin/false gbuser
 "
-BOT_UID=$(lxc exec "$PARAM_TENANT"-bot -- id -u bot)
+BOT_UID=$(lxc exec "$PARAM_TENANT"-bot -- id -u gbuser)
-BOT_GID=$(lxc exec "$PARAM_TENANT"-bot -- id -g bot)
+BOT_GID=$(lxc exec "$PARAM_TENANT"-bot -- id -g gbuser)
 HOST_BOT_UID=$((100000 + BOT_UID))
 HOST_BOT_GID=$((100000 + BOT_GID))
 chown -R "$HOST_BOT_UID:$HOST_BOT_GID" "$HOST_BASE"
@ -54,7 +54,6 @@ lxc config device add "$PARAM_TENANT"-bot botlogs disk source="$HOST_LOGS" path=
 lxc exec "$PARAM_TENANT"-bot -- bash -c '
 mkdir -p /opt/gbo/data /opt/gbo/conf /opt/gbo/logs
 chown -R bot:bot /opt/gbo
 sudo apt update
 sudo apt install -y curl gnupg ca-certificates git
@ -73,6 +72,11 @@ cd botserver
 npm install
 npx puppeteer browsers install chrome
 ./node_modules/.bin/tsc
 cd packages/default.gbui
 npm install
 npm run build
 chown -R gbuser:gbuser /opt/gbo
 # Create systemd service
 sudo tee /etc/systemd/system/bot.service > /dev/null <<EOF
@ -81,8 +85,8 @@ Description=Bot Server
 After=network.target
 [Service]
-User=bot
+User=gbuser
-Group=bot
+Group=gbuser
 Environment="DISPLAY=:99"
 ExecStartPre=/bin/bash -c "/usr/bin/Xvfb :99 -screen 0 1024x768x24 -ac +extension GLX +render -noreset &"
 WorkingDirectory=/opt/gbo/data/botserver
--- a/gb-infra/src/templates/opt/gbo/tenants/default/directory/directory.sh
+++ b/gb-infra/src/templates/opt/gbo/tenants/default/directory/directory.sh
@ -1,28 +1,41 @@
 #!/bin/bash
 DIRECTORY_VERSION="v2.71.2"
 HOST_BASE="/opt/gbo/tenants/$PARAM_TENANT/directory"
 HOST_DATA="$HOST_BASE/data"
 HOST_CONF="$HOST_BASE/conf"
 HOST_LOGS="$HOST_BASE/logs"
-mkdir -p "$HOST_DATA" "$HOST_CONF" "$HOST_LOGS"
+sudo mkdir -p "$HOST_DATA" "$HOST_CONF" "$HOST_LOGS"
-chmod -R 750 "$HOST_BASE"
+sudo chmod -R 750 "$HOST_BASE"
 lxc launch images:debian/12 "$PARAM_TENANT"-directory -c security.privileged=true
 sleep 15
-lxc config device add "$PARAM_TENANT"-directory directorydata disk source="$HOST_DATA" path=/var/lib/zitadel
+lxc exec "$PARAM_TENANT"-directory -- bash -c "
-lxc config device add "$PARAM_TENANT"-directory directoryconf disk source="$HOST_CONF" path=/etc/zitadel
+apt-get update && apt-get install -y wget libcap2-bin
-lxc config device add "$PARAM_TENANT"-directory directorylogs disk source="$HOST_LOGS" path=/var/log/zitadel
+wget -c https://github.com/zitadel/zitadel/releases/download/v2.71.2/zitadel-linux-amd64.tar.gz -O - | tar -xz -C /tmp
 mkdir -p /opt/gbo/bin
 mv /tmp/zitadel-linux-amd64/zitadel /opt/gbo/bin/zitadel
 chmod +x /opt/gbo/bin/zitadel
 sudo setcap 'cap_net_bind_service=+ep' /opt/gbo/bin/zitadel
 useradd --system --no-create-home --shell /bin/false gbuser
 mkdir -p /opt/gbo/data /opt/gbo/conf /opt/gbo/logs
 chown -R gbuser:gbuser /opt/gbo/data /opt/gbo/conf /opt/gbo/logs /opt/gbo/bin
 "
 GBUSER_UID=$(lxc exec "$PARAM_TENANT"-directory -- id -u gbuser)
 GBUSER_GID=$(lxc exec "$PARAM_TENANT"-directory -- id -g gbuser)
 HOST_GBUSER_UID=$((100000 + GBUSER_UID))
 HOST_GBUSER_GID=$((100000 + GBUSER_GID))
 sudo chown -R "$HOST_GBUSER_UID:$HOST_GBUSER_GID" "$HOST_BASE"
 lxc config device add "$PARAM_TENANT"-directory directorydata disk source="$HOST_DATA" path=/opt/gbo/data
 lxc config device add "$PARAM_TENANT"-directory directoryconf disk source="$HOST_CONF" path=/opt/gbo/conf
 lxc config device add "$PARAM_TENANT"-directory directorylogs disk source="$HOST_LOGS" path=/opt/gbo/logs
 lxc exec "$PARAM_TENANT"-directory -- bash -c "
-apt-get update && apt-get install -y wget
+chown -R gbuser:gbuser /opt/gbo/data /opt/gbo/conf /opt/gbo/logs /opt/gbo/bin
 wget -c https://github.com/zitadel/zitadel/releases/download/$DIRECTORY_VERSION/zitadel-linux-amd64.tar.gz -O - | tar -xz -C /usr/local/bin/
 useradd -r -s /bin/false zitadel
 mkdir -p /var/lib/zitadel /etc/zitadel /var/log/zitadel
 chown -R zitadel:zitadel /var/lib/zitadel /etc/zitadel /var/log/zitadel
 cat > /etc/systemd/system/directory.service <<EOF
 [Unit]
@ -31,24 +44,12 @@ After=network.target
 [Service]
 Type=simple
-User=zitadel
+User=gbuser
-Group=zitadel
+Group=gbuser
-Environment=ZITADEL_DEFAULTINSTANCE_INSTANCENAME=$PARAM_TENANT
+ExecStart=/opt/gbo/bin/zitadel start --masterkey $PARAM_DIRECTORY_MASTERKEY --config /opt/gbo/conf/config.yaml --tlsMode external
-Environment=ZITADEL_DEFAULTINSTANCE_ORG_NAME=$PARAM_TENANT
+WorkingDirectory=/opt/gbo/bin
-Environment=ZITADEL_DATABASE_TABLES_HOST=$PARAM_TABLES_HOST
+StandardOutput=append:/opt/gbo/logs/output.log
-Environment=ZITADEL_DATABASE_TABLES_PORT=$PARAM_TABLES_PORT
+StandardError=append:/opt/gbo/logs/error.log
 Environment=ZITADEL_DATABASE_TABLES_DATABASE=$PARAM_DIRECTORY_DATABASE
 Environment=ZITADEL_DATABASE_TABLES_USER_USERNAME=$PARAM_TABLES_USERNAME
 Environment=ZITADEL_DATABASE_TABLES_USER_PASSWORD=$PARAM_TABLES_PASSWORD
 Environment=ZITADEL_DATABASE_TABLES_ADMIN_SSL_MODE=disable
 Environment=ZITADEL_DATABASE_TABLES_USER_SSL_MODE=disable
 Environment=ZITADEL_DATABASE_TABLES_ADMIN_USERNAME=$PARAM_TABLES_USERNAME
 Environment=ZITADEL_DATABASE_TABLES_ADMIN_PASSWORD=$PARAM_TABLES_PASSWORD
 Environment=ZITADEL_EXTERNALSECURE=true
 ExecStart=/usr/local/bin/zitadel start --masterkey $PARAM_DIRECTORY_MASTERKEY --config /etc/zitadel/config.yaml
 WorkingDirectory=/var/lib/zitadel
 StandardOutput=append:/var/log/zitadel/output.log
 StandardError=append:/var/log/zitadel/error.log
 Restart=always
 [Install]
@ -63,4 +64,4 @@ systemctl start directory
 lxc config device remove "$PARAM_TENANT"-directory directory-proxy 2>/dev/null || true
 lxc config device add "$PARAM_TENANT"-directory directory-proxy proxy \
    listen=tcp:0.0.0.0:"$PARAM_DIRECTORY_PORT" \
-    connect=tcp:127.0.0.1:"$PARAM_DIRECTORY_PORT"
+    connect=tcp:127.0.0.1:"$PARAM_DIRECTORY_PORT"
--- a/gb-infra/src/templates/opt/gbo/tenants/default/email/email.sh
+++ b/gb-infra/src/templates/opt/gbo/tenants/default/email/email.sh
@ -1,4 +1,21 @@
 #!/bin/bash
 PUBLIC_INTERFACE="eth0"                 # Your host's public network interface
 # Enable IP forwarding
 echo "[HOST] Enabling IP forwarding..."
 echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.conf
 sudo sysctl -p
 # Configure firewall
 echo "[HOST] Configuring firewall..."
 sudo iptables -A FORWARD -i $PUBLIC_INTERFACE -o lxcbr0 -p tcp -m multiport --dports 25,80,110,143,465,587,993,995,4190 -j ACCEPT
 sudo iptables -A FORWARD -i lxcbr0 -o $PUBLIC_INTERFACE -m state --state RELATED,ESTABLISHED -j ACCEPT
 sudo iptables -t nat -A POSTROUTING -o $PUBLIC_INTERFACE -j MASQUERADE
 # Save iptables rules permanently (adjust based on your distro)
 if command -v iptables-persistent >/dev/null; then
    sudo iptables-save | sudo tee /etc/iptables/rules.v4
 fi
 # ------------------------- CONTAINER SETUP -------------------------
@ -27,7 +44,9 @@ tar -xzf /tmp/stalwart.tar.gz -C /tmp
 mkdir -p /opt/gbo/bin
 mv /tmp/stalwart /opt/gbo/bin/stalwart
 chmod +x /opt/gbo/bin/stalwart
 sudo setcap 'cap_net_bind_service=+ep' /opt/gbo/bin/stalwart
 rm /tmp/stalwart.tar.gz
 useradd --system --no-create-home --shell /bin/false email
 mkdir -p /opt/gbo/data /opt/gbo/conf /opt/gbo/logs
 chown -R email:email /opt/gbo/data /opt/gbo/conf /opt/gbo/logs /opt/gbo/bin
@ -61,7 +80,7 @@ After=network.target
 Type=simple
 User=email
 Group=email
-ExecStart=/opt/gbo/bin/stalwart-mail --config /opt/gbo/conf/config.toml
+ExecStart=/opt/gbo/bin/stalwart --config /opt/gbo/conf/config.toml
 WorkingDirectory=/opt/gbo/bin
 Restart=always
@ -73,4 +92,3 @@ systemctl daemon-reload
 systemctl enable email
 systemctl start email
 "
--- a/gb-infra/src/templates/opt/gbo/tenants/default/meeting/meeting.sh
+++ b/gb-infra/src/templates/opt/gbo/tenants/default/meeting/meeting.sh
@ -12,42 +12,50 @@ lxc launch images:debian/12 "$PARAM_TENANT"-meeting -c security.privileged=true
 sleep 15
 lxc exec "$PARAM_TENANT"-meeting -- bash -c "
 apt-get update && apt-get install -y wget coturn
-mkdir -p /opt/livekit-server
+mkdir -p /opt/gbo/bin
-cd /opt/livekit-server
+cd /opt/gbo/bin
 wget -q https://github.com/livekit/livekit/releases/download/v1.8.4/livekit_1.8.4_linux_amd64.tar.gz
 tar -xzf livekit*.tar.gz
 rm livekit_1.8.4_linux_amd64.tar.gz
 chmod +x livekit-server
 while netstat -tuln | grep -q \":$PARAM_MEETING_TURN_PORT \"; do
  ((PARAM_MEETING_TURN_PORT++))
 done
 useradd --system --no-create-home --shell /bin/false gbuser
 "
-MEETING_UID=$(lxc exec "$PARAM_TENANT"-meeting -- id -u turnserver)
+MEETING_UID=$(lxc exec "$PARAM_TENANT"-meeting -- id -u gbuser)
-MEETING_GID=$(lxc exec "$PARAM_TENANT"-meeting -- id -g turnserver)
+MEETING_GID=$(lxc exec "$PARAM_TENANT"-meeting -- id -g gbuser)
 HOST_MEETING_UID=$((100000 + MEETING_UID))
 HOST_MEETING_GID=$((100000 + MEETING_GID))
 chown -R "$HOST_MEETING_UID:$HOST_MEETING_GID" "$HOST_BASE"
-lxc config device add "$PARAM_TENANT"-meeting meetingdata disk source="$HOST_DATA" path=/var/lib/livekit
+lxc config device add "$PARAM_TENANT"-meeting meetingdata disk source="$HOST_DATA" path=/opt/gbo/data
-lxc config device add "$PARAM_TENANT"-meeting meetingconf disk source="$HOST_CONF" path=/etc/livekit
+lxc config device add "$PARAM_TENANT"-meeting meetingconf disk source="$HOST_CONF" path=/opt/gbo/conf
-lxc config device add "$PARAM_TENANT"-meeting meetinglogs disk source="$HOST_LOGS" path=/var/log/livekit
+lxc config device add "$PARAM_TENANT"-meeting meetinglogs disk source="$HOST_LOGS" path=/opt/gbo/logs
 lxc exec "$PARAM_TENANT"-meeting -- bash -c "
 mkdir -p /var/lib/livekit /etc/livekit /var/log/livekit
 chown -R turnserver:turnserver /var/lib/livekit /etc/livekit /var/log/livekit
-cat > /etc/systemd/system/livekit.service <<EOF
+mkdir -p /opt/gbo/data /opt/gbo/conf /opt/gbo/logs
 chown -R gbuser:gbuser /opt/gbo/data /opt/gbo/conf /opt/gbo/logs
 sudo chown gbuser:gbuser /var/run/turnserver.pid
 cat > /etc/systemd/system/meeting.service <<EOF
 [Unit]
 Description=LiveKit Server
 After=network.target
 [Service]
-User=turnserver
+User=gbuser
-Group=turnserver
+Group=gbuser
-WorkingDirectory=/opt/livekit-server
+ExecStart=/opt/gbo/bin/livekit-server --config /opt/gbo/conf/config.yaml
 ExecStart=/opt/livekit-server/livekit-server --config /etc/livekit/config.yaml
 Restart=always
 Environment=TURN_PORT=$PARAM_MEETING_TURN_PORT
@ -55,15 +63,15 @@ Environment=TURN_PORT=$PARAM_MEETING_TURN_PORT
 WantedBy=multi-user.target
 EOF
-cat > /etc/systemd/system/turnserver.service <<EOF
+cat > /etc/systemd/system/meeting-turn.service <<EOF
 [Unit]
 Description=TURN Server
 After=network.target
 [Service]
-User=turnserver
+User=gbuser
-Group=turnserver
+Group=gbuser
-ExecStart=/usr/bin/turnserver -c /etc/livekit/turnserver.conf
+ExecStart=/usr/bin/turnserver -c /opt/gbo/conf/turnserver.conf
 Restart=always
 [Install]
@ -71,8 +79,8 @@ WantedBy=multi-user.target
 EOF
 systemctl daemon-reload
-systemctl enable livekit turnserver
+systemctl enable meeting meeting-turn
-systemctl start livekit turnserver
+systemctl start meeting meeting-turn
 "
 lxc config device remove "$PARAM_TENANT"-meeting meeting-proxy 2>/dev/null || true
--- a/gb-infra/src/templates/opt/gbo/tenants/default/proxy/proxy.sh
+++ b/gb-infra/src/templates/opt/gbo/tenants/default/proxy/proxy.sh
@ -17,7 +17,7 @@ tar -xzf caddy_2.10.0-beta.3_linux_amd64.tar.gz -C /opt/gbo/bin
 rm caddy_2.10.0-beta.3_linux_amd64.tar.gz
 chmod 750 /opt/gbo/bin/caddy
 setcap 'cap_net_bind_service=+ep' /opt/gbo/bin/caddy
-useradd --system --shell /usr/sbin/nologin gbuser
+useradd --create-home --system --shell /usr/sbin/nologin gbuser
 chown -R gbuser:gbuser /opt/gbo/{bin,data,conf,logs}
 "
@ -47,7 +47,7 @@ chown -R gbuser:gbuser /opt/gbo/{bin,data,conf,logs}
 systemctl enable proxy
 "
-for port in 80 443 25 110 143 465 587 993 995; do
+for port in 80 443; do
 lxc config device remove "$PARAM_TENANT"-proxy "port-$port" 2>/dev/null || true
 lxc config device add "$PARAM_TENANT"-proxy "port-$port" proxy listen=tcp:0.0.0.0:$port connect=tcp:127.0.0.1:$port
 done