feat(gb-infra): Add 'gbuser' system user for improved service management across scripts; update user permissions and configurations for bot, directory, email, meeting, and proxy services

gb-infra/src/templates/opt/gbo/tenants/default/alm-ci/alm-ci.sh

@@ -38,6 +38,8 @@ done
 lxc exec "$CONTAINER_NAME" -- bash -c "
 set -e
 
+useradd --system --no-create-home --shell /bin/false gbuser
+
 # Update and install dependencies
 apt-get update && apt-get install -y wget || { echo 'Package installation failed'; exit 1; }
 

gb-infra/src/templates/opt/gbo/tenants/default/bot/bot.sh

@@ -39,11 +39,11 @@ sudo apt install -y \
 export OPENCV4NODEJS_DISABLE_AUTOBUILD=1
 export OPENCV_LIB_DIR=/usr/lib/x86_64-linux-gnu
 
-useradd --system --no-create-home --shell /bin/false bot
+useradd --system --no-create-home --shell /bin/false gbuser
 "
 
-BOT_UID=$(lxc exec "$PARAM_TENANT"-bot -- id -u bot)
-BOT_GID=$(lxc exec "$PARAM_TENANT"-bot -- id -g bot)
+BOT_UID=$(lxc exec "$PARAM_TENANT"-bot -- id -u gbuser)
+BOT_GID=$(lxc exec "$PARAM_TENANT"-bot -- id -g gbuser)
 HOST_BOT_UID=$((100000 + BOT_UID))
 HOST_BOT_GID=$((100000 + BOT_GID))
 chown -R "$HOST_BOT_UID:$HOST_BOT_GID" "$HOST_BASE"
@@ -54,7 +54,6 @@ lxc config device add "$PARAM_TENANT"-bot botlogs disk source="$HOST_LOGS" path=
 
 lxc exec "$PARAM_TENANT"-bot -- bash -c '
 mkdir -p /opt/gbo/data /opt/gbo/conf /opt/gbo/logs
-chown -R bot:bot /opt/gbo
 
 sudo apt update
 sudo apt install -y curl gnupg ca-certificates git
@@ -73,6 +72,11 @@ cd botserver
 npm install
 npx puppeteer browsers install chrome
 ./node_modules/.bin/tsc
+cd packages/default.gbui
+npm install
+npm run build
+
+chown -R gbuser:gbuser /opt/gbo
 
 # Create systemd service
 sudo tee /etc/systemd/system/bot.service > /dev/null <<EOF
@@ -81,8 +85,8 @@ Description=Bot Server
 After=network.target
 
 [Service]
-User=bot
-Group=bot
+User=gbuser
+Group=gbuser
 Environment="DISPLAY=:99"
 ExecStartPre=/bin/bash -c "/usr/bin/Xvfb :99 -screen 0 1024x768x24 -ac +extension GLX +render -noreset &"
 WorkingDirectory=/opt/gbo/data/botserver

gb-infra/src/templates/opt/gbo/tenants/default/directory/directory.sh

@@ -1,28 +1,41 @@
 #!/bin/bash
 
-DIRECTORY_VERSION="v2.71.2"
 HOST_BASE="/opt/gbo/tenants/$PARAM_TENANT/directory"
 HOST_DATA="$HOST_BASE/data"
 HOST_CONF="$HOST_BASE/conf"
 HOST_LOGS="$HOST_BASE/logs"
 
-mkdir -p "$HOST_DATA" "$HOST_CONF" "$HOST_LOGS"
-chmod -R 750 "$HOST_BASE"
+sudo mkdir -p "$HOST_DATA" "$HOST_CONF" "$HOST_LOGS"
+sudo chmod -R 750 "$HOST_BASE"
 
 lxc launch images:debian/12 "$PARAM_TENANT"-directory -c security.privileged=true
 sleep 15
 
-lxc config device add "$PARAM_TENANT"-directory directorydata disk source="$HOST_DATA" path=/var/lib/zitadel
-lxc config device add "$PARAM_TENANT"-directory directoryconf disk source="$HOST_CONF" path=/etc/zitadel
-lxc config device add "$PARAM_TENANT"-directory directorylogs disk source="$HOST_LOGS" path=/var/log/zitadel
+lxc exec "$PARAM_TENANT"-directory -- bash -c "
+apt-get update && apt-get install -y wget libcap2-bin
+wget -c https://github.com/zitadel/zitadel/releases/download/v2.71.2/zitadel-linux-amd64.tar.gz -O - | tar -xz -C /tmp
+mkdir -p /opt/gbo/bin
+mv /tmp/zitadel-linux-amd64/zitadel /opt/gbo/bin/zitadel
+chmod +x /opt/gbo/bin/zitadel
+sudo setcap 'cap_net_bind_service=+ep' /opt/gbo/bin/zitadel
+
+useradd --system --no-create-home --shell /bin/false gbuser
+mkdir -p /opt/gbo/data /opt/gbo/conf /opt/gbo/logs
+chown -R gbuser:gbuser /opt/gbo/data /opt/gbo/conf /opt/gbo/logs /opt/gbo/bin
+"
+
+GBUSER_UID=$(lxc exec "$PARAM_TENANT"-directory -- id -u gbuser)
+GBUSER_GID=$(lxc exec "$PARAM_TENANT"-directory -- id -g gbuser)
+HOST_GBUSER_UID=$((100000 + GBUSER_UID))
+HOST_GBUSER_GID=$((100000 + GBUSER_GID))
+sudo chown -R "$HOST_GBUSER_UID:$HOST_GBUSER_GID" "$HOST_BASE"
+
+lxc config device add "$PARAM_TENANT"-directory directorydata disk source="$HOST_DATA" path=/opt/gbo/data
+lxc config device add "$PARAM_TENANT"-directory directoryconf disk source="$HOST_CONF" path=/opt/gbo/conf
+lxc config device add "$PARAM_TENANT"-directory directorylogs disk source="$HOST_LOGS" path=/opt/gbo/logs
 
 lxc exec "$PARAM_TENANT"-directory -- bash -c "
-apt-get update && apt-get install -y wget
-wget -c https://github.com/zitadel/zitadel/releases/download/$DIRECTORY_VERSION/zitadel-linux-amd64.tar.gz -O - | tar -xz -C /usr/local/bin/
-
-useradd -r -s /bin/false zitadel
-mkdir -p /var/lib/zitadel /etc/zitadel /var/log/zitadel
-chown -R zitadel:zitadel /var/lib/zitadel /etc/zitadel /var/log/zitadel
+chown -R gbuser:gbuser /opt/gbo/data /opt/gbo/conf /opt/gbo/logs /opt/gbo/bin
 
 cat > /etc/systemd/system/directory.service <<EOF
 [Unit]
@@ -31,24 +44,12 @@ After=network.target
 
 [Service]
 Type=simple
-User=zitadel
-Group=zitadel
-Environment=ZITADEL_DEFAULTINSTANCE_INSTANCENAME=$PARAM_TENANT
-Environment=ZITADEL_DEFAULTINSTANCE_ORG_NAME=$PARAM_TENANT
-Environment=ZITADEL_DATABASE_TABLES_HOST=$PARAM_TABLES_HOST
-Environment=ZITADEL_DATABASE_TABLES_PORT=$PARAM_TABLES_PORT
-Environment=ZITADEL_DATABASE_TABLES_DATABASE=$PARAM_DIRECTORY_DATABASE
-Environment=ZITADEL_DATABASE_TABLES_USER_USERNAME=$PARAM_TABLES_USERNAME
-Environment=ZITADEL_DATABASE_TABLES_USER_PASSWORD=$PARAM_TABLES_PASSWORD
-Environment=ZITADEL_DATABASE_TABLES_ADMIN_SSL_MODE=disable
-Environment=ZITADEL_DATABASE_TABLES_USER_SSL_MODE=disable
-Environment=ZITADEL_DATABASE_TABLES_ADMIN_USERNAME=$PARAM_TABLES_USERNAME
-Environment=ZITADEL_DATABASE_TABLES_ADMIN_PASSWORD=$PARAM_TABLES_PASSWORD
-Environment=ZITADEL_EXTERNALSECURE=true
-ExecStart=/usr/local/bin/zitadel start --masterkey $PARAM_DIRECTORY_MASTERKEY --config /etc/zitadel/config.yaml
-WorkingDirectory=/var/lib/zitadel
-StandardOutput=append:/var/log/zitadel/output.log
-StandardError=append:/var/log/zitadel/error.log
+User=gbuser
+Group=gbuser
+ExecStart=/opt/gbo/bin/zitadel start --masterkey $PARAM_DIRECTORY_MASTERKEY --config /opt/gbo/conf/config.yaml --tlsMode external
+WorkingDirectory=/opt/gbo/bin
+StandardOutput=append:/opt/gbo/logs/output.log
+StandardError=append:/opt/gbo/logs/error.log
 Restart=always
 
 [Install]

gb-infra/src/templates/opt/gbo/tenants/default/email/email.sh

@@ -1,4 +1,21 @@
 #!/bin/bash
+PUBLIC_INTERFACE="eth0"                 # Your host's public network interface
+
+# Enable IP forwarding
+echo "[HOST] Enabling IP forwarding..."
+echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.conf
+sudo sysctl -p
+
+# Configure firewall
+echo "[HOST] Configuring firewall..."
+sudo iptables -A FORWARD -i $PUBLIC_INTERFACE -o lxcbr0 -p tcp -m multiport --dports 25,80,110,143,465,587,993,995,4190 -j ACCEPT
+sudo iptables -A FORWARD -i lxcbr0 -o $PUBLIC_INTERFACE -m state --state RELATED,ESTABLISHED -j ACCEPT
+sudo iptables -t nat -A POSTROUTING -o $PUBLIC_INTERFACE -j MASQUERADE
+
+# Save iptables rules permanently (adjust based on your distro)
+if command -v iptables-persistent >/dev/null; then
+    sudo iptables-save | sudo tee /etc/iptables/rules.v4
+fi
 
 
 # ------------------------- CONTAINER SETUP -------------------------
@@ -27,7 +44,9 @@ tar -xzf /tmp/stalwart.tar.gz -C /tmp
 mkdir -p /opt/gbo/bin
 mv /tmp/stalwart /opt/gbo/bin/stalwart
 chmod +x /opt/gbo/bin/stalwart
+sudo setcap 'cap_net_bind_service=+ep' /opt/gbo/bin/stalwart
 rm /tmp/stalwart.tar.gz
+
 useradd --system --no-create-home --shell /bin/false email
 mkdir -p /opt/gbo/data /opt/gbo/conf /opt/gbo/logs
 chown -R email:email /opt/gbo/data /opt/gbo/conf /opt/gbo/logs /opt/gbo/bin
@@ -61,7 +80,7 @@ After=network.target
 Type=simple
 User=email
 Group=email
-ExecStart=/opt/gbo/bin/stalwart-mail --config /opt/gbo/conf/config.toml
+ExecStart=/opt/gbo/bin/stalwart --config /opt/gbo/conf/config.toml
 WorkingDirectory=/opt/gbo/bin
 Restart=always
 
@@ -73,4 +92,3 @@ systemctl daemon-reload
 systemctl enable email
 systemctl start email
 "
-

gb-infra/src/templates/opt/gbo/tenants/default/meeting/meeting.sh

@@ -12,42 +12,50 @@ lxc launch images:debian/12 "$PARAM_TENANT"-meeting -c security.privileged=true
 sleep 15
 
 lxc exec "$PARAM_TENANT"-meeting -- bash -c "
+
 apt-get update && apt-get install -y wget coturn
-mkdir -p /opt/livekit-server
-cd /opt/livekit-server
+mkdir -p /opt/gbo/bin
+cd /opt/gbo/bin
 wget -q https://github.com/livekit/livekit/releases/download/v1.8.4/livekit_1.8.4_linux_amd64.tar.gz
 tar -xzf livekit*.tar.gz
+rm livekit_1.8.4_linux_amd64.tar.gz
 chmod +x livekit-server
 
 while netstat -tuln | grep -q \":$PARAM_MEETING_TURN_PORT \"; do
   ((PARAM_MEETING_TURN_PORT++))
 done
+
+useradd --system --no-create-home --shell /bin/false gbuser
+
 "
 
-MEETING_UID=$(lxc exec "$PARAM_TENANT"-meeting -- id -u turnserver)
-MEETING_GID=$(lxc exec "$PARAM_TENANT"-meeting -- id -g turnserver)
+MEETING_UID=$(lxc exec "$PARAM_TENANT"-meeting -- id -u gbuser)
+MEETING_GID=$(lxc exec "$PARAM_TENANT"-meeting -- id -g gbuser)
 HOST_MEETING_UID=$((100000 + MEETING_UID))
 HOST_MEETING_GID=$((100000 + MEETING_GID))
 chown -R "$HOST_MEETING_UID:$HOST_MEETING_GID" "$HOST_BASE"
 
-lxc config device add "$PARAM_TENANT"-meeting meetingdata disk source="$HOST_DATA" path=/var/lib/livekit
-lxc config device add "$PARAM_TENANT"-meeting meetingconf disk source="$HOST_CONF" path=/etc/livekit
-lxc config device add "$PARAM_TENANT"-meeting meetinglogs disk source="$HOST_LOGS" path=/var/log/livekit
+lxc config device add "$PARAM_TENANT"-meeting meetingdata disk source="$HOST_DATA" path=/opt/gbo/data
+lxc config device add "$PARAM_TENANT"-meeting meetingconf disk source="$HOST_CONF" path=/opt/gbo/conf
+lxc config device add "$PARAM_TENANT"-meeting meetinglogs disk source="$HOST_LOGS" path=/opt/gbo/logs
 
 lxc exec "$PARAM_TENANT"-meeting -- bash -c "
-mkdir -p /var/lib/livekit /etc/livekit /var/log/livekit
-chown -R turnserver:turnserver /var/lib/livekit /etc/livekit /var/log/livekit
 
-cat > /etc/systemd/system/livekit.service <<EOF
+mkdir -p /opt/gbo/data /opt/gbo/conf /opt/gbo/logs
+chown -R gbuser:gbuser /opt/gbo/data /opt/gbo/conf /opt/gbo/logs
+
+sudo chown gbuser:gbuser /var/run/turnserver.pid
+
+
+cat > /etc/systemd/system/meeting.service <<EOF
 [Unit]
 Description=LiveKit Server
 After=network.target
 
 [Service]
-User=turnserver
-Group=turnserver
-WorkingDirectory=/opt/livekit-server
-ExecStart=/opt/livekit-server/livekit-server --config /etc/livekit/config.yaml
+User=gbuser
+Group=gbuser
+ExecStart=/opt/gbo/bin/livekit-server --config /opt/gbo/conf/config.yaml
 Restart=always
 Environment=TURN_PORT=$PARAM_MEETING_TURN_PORT
 
@@ -55,15 +63,15 @@ Environment=TURN_PORT=$PARAM_MEETING_TURN_PORT
 WantedBy=multi-user.target
 EOF
 
-cat > /etc/systemd/system/turnserver.service <<EOF
+cat > /etc/systemd/system/meeting-turn.service <<EOF
 [Unit]
 Description=TURN Server
 After=network.target
 
 [Service]
-User=turnserver
-Group=turnserver
-ExecStart=/usr/bin/turnserver -c /etc/livekit/turnserver.conf
+User=gbuser
+Group=gbuser
+ExecStart=/usr/bin/turnserver -c /opt/gbo/conf/turnserver.conf
 Restart=always
 
 [Install]
@@ -71,8 +79,8 @@ WantedBy=multi-user.target
 EOF
 
 systemctl daemon-reload
-systemctl enable livekit turnserver
-systemctl start livekit turnserver
+systemctl enable meeting meeting-turn
+systemctl start meeting meeting-turn
 "
 
 lxc config device remove "$PARAM_TENANT"-meeting meeting-proxy 2>/dev/null || true

gb-infra/src/templates/opt/gbo/tenants/default/proxy/proxy.sh

@@ -17,7 +17,7 @@ tar -xzf caddy_2.10.0-beta.3_linux_amd64.tar.gz -C /opt/gbo/bin
 rm caddy_2.10.0-beta.3_linux_amd64.tar.gz
 chmod 750 /opt/gbo/bin/caddy
 setcap 'cap_net_bind_service=+ep' /opt/gbo/bin/caddy
-useradd --system --shell /usr/sbin/nologin gbuser
+useradd --create-home --system --shell /usr/sbin/nologin gbuser
 chown -R gbuser:gbuser /opt/gbo/{bin,data,conf,logs}
 "
 
@@ -47,7 +47,7 @@ chown -R gbuser:gbuser /opt/gbo/{bin,data,conf,logs}
 systemctl enable proxy
 "
 
-for port in 80 443 25 110 143 465 587 993 995; do
+for port in 80 443; do
 lxc config device remove "$PARAM_TENANT"-proxy "port-$port" 2>/dev/null || true
 lxc config device add "$PARAM_TENANT"-proxy "port-$port" proxy listen=tcp:0.0.0.0:$port connect=tcp:127.0.0.1:$port
 done