feat(gb-infra): Update ALM CI, Drive, and Email scripts for improved directory management and service setup

gb-infra/README.md

@@ -0,0 +1,14 @@
+
+# Backup
+
+## Fastest way to tranfer files between servers over TCP/IP
+
+rsync -avz --progress --bwlimit=0 -e "ssh -p 22 -T -c aes128-gcm@openssh.com -o Compression=no -o IPQoS=throughput" gbbackup@host.com.br:/opt/gbo/backup /home/user/Desktop
+
+
+# Security
+
+apt update && apt install -y fail2ban iptables-persistent
+
+systemctl enable fail2ban
+systemctl enable netfilter-persistent

gb-infra/src/scripts/alm-ci.sh

@@ -1,29 +1,81 @@
 #!/bin/bash
 
-ALM_CI_VERSION="v6.3.1"
+# Configuration
 ALM_CI_NAME="CI"
-ALM_CI_LABELS="pragmatismo.com.br"
+ALM_CI_LABELS="gbo"
-ALM_CI_BIN_PATH="/opt/gbo/bin"
+FORGEJO_RUNNER_VERSION="v6.3.1"
+FORGEJO_RUNNER_BINARY="forgejo-runner-6.3.1-linux-amd64"
+CONTAINER_IMAGE="images:debian/12"
+ 
+# Paths
+HOST_BASE="/opt/gbo/tenants/$PARAM_TENANT/alm-ci"
+HOST_DATA="$HOST_BASE/data"
+HOST_CONF="$HOST_BASE/conf"
+HOST_LOGS="$HOST_BASE/logs"
+BIN_PATH="/opt/gbo/bin"
+CONTAINER_NAME="${PARAM_TENANT}-alm-ci"
+
+# Create host directories
+mkdir -p "$HOST_DATA" "$HOST_CONF" "$HOST_LOGS" || exit 1
+chmod -R 750 "$HOST_BASE" || exit 1
+
+# Launch container
+if ! lxc launch "$CONTAINER_IMAGE" "$CONTAINER_NAME"; then
+    echo "Failed to launch container"
+    exit 1
+fi
+
+# Wait for container to be ready
+for i in {1..10}; do
+    if lxc exec "$CONTAINER_NAME" -- bash -c "true"; then
+        break
+    fi
+    sleep 3
+done
 
 
-mkdir -p "${ALM_CI_BIN_PATH}"
+# Container setup
-chmod -R 750 "${ALM_CI_BIN_PATH}"
+lxc exec "$CONTAINER_NAME" -- bash -c "
-chown -R 100999:100999 "${ALM_CI_BIN_PATH}"
+set -e
 
-lxc launch images:debian/12 "${PARAM_TENANT}-alm-ci" -c security.privileged=true
+# Update and install dependencies
-sleep 15
+apt-get update && apt-get install -y wget || { echo 'Package installation failed'; exit 1; }
 
-lxc exec "${PARAM_TENANT}-alm-ci" -- bash -c "
+# Create directories
-apt-get update && apt-get install -y wget
+mkdir -p \"$BIN_PATH\" /opt/gbo/data /opt/gbo/conf /opt/gbo/logs || { echo 'Directory creation failed'; exit 1; }
-wget -O ${ALM_CI_BIN_PATH}/forgejo-runner https://code.forgejo.org/forgejo/runner/releases/download/${ALM_CI_VERSION}/forgejo-runner-${ALM_CI_VERSION}-linux-amd64
-chmod +x ${ALM_CI_BIN_PATH}/forgejo-runner
 
-${ALM_CI_BIN_PATH}/forgejo-runner register --no-interactive \
+# Download and install forgejo-runner
-    --name \"${ALM_CI_NAME}\" \
+wget -O \"$BIN_PATH/forgejo-runner\" \"https://code.forgejo.org/forgejo/runner/releases/download/$FORGEJO_RUNNER_VERSION/$FORGEJO_RUNNER_BINARY\" || { echo 'Download failed'; exit 1; }
-    --instance \"${PARAM_ALM_CI_INSTANCE}\" \
+chmod +x \"$BIN_PATH/forgejo-runner\" || { echo 'chmod failed'; exit 1; }
-    --token \"${PARAM_ALM_CI_TOKEN}\" \
-    --labels \"${ALM_CI_LABELS}\"
 
+cd \"$BIN_PATH\"
+
+# Register runner
+\"$BIN_PATH/forgejo-runner\" register --no-interactive \\
+    --name \"$ALM_CI_NAME\" \\
+    --instance \"$PARAM_ALM_CI_INSTANCE\" \\
+    --token \"$PARAM_ALM_CI_TOKEN\" \\
+    --labels \"$ALM_CI_LABELS\" || { echo 'Runner registration failed'; exit 1; }
+
+chown -R gbuser:gbuser /opt/gbo/data /opt/gbo/conf /opt/gbo/logs /opt/gbo/bin
+"
+
+# Set permissions
+echo "[CONTAINER] Setting permissions..."
+EMAIL_UID=$(lxc exec "$PARAM_TENANT"-alm-ci -- id -u gbuser)
+EMAIL_GID=$(lxc exec "$PARAM_TENANT"-alm-ci -- id -g gbuser)
+HOST_EMAIL_UID=$((100000 + EMAIL_UID))
+HOST_EMAIL_GID=$((100000 + EMAIL_GID))
+sudo chown -R "$HOST_EMAIL_UID:$HOST_EMAIL_GID" "$HOST_BASE"
+
+
+# Add directory mappings
+lxc config device add "$CONTAINER_NAME" almdata disk source="$HOST_DATA" path=/opt/gbo/data || exit 1
+lxc config device add "$CONTAINER_NAME" almconf disk source="$HOST_CONF" path=/opt/gbo/conf || exit 1
+lxc config device add "$CONTAINER_NAME" almlogs disk source="$HOST_LOGS" path=/opt/gbo/logs || exit 1
+
+lxc exec "$CONTAINER_NAME" -- bash -c "
+# Create systemd service
 cat > /etc/systemd/system/alm-ci.service <<EOF
 [Unit]
 Description=ALM CI Runner
@@ -33,14 +85,16 @@ After=network.target
 Type=simple
 User=root
 Group=root
-ExecStart=${ALM_CI_BIN_PATH}/forgejo-runner daemon
+WorkingDirectory=$BIN_PATH
+ExecStart=$BIN_PATH/forgejo-runner daemon
 Restart=always
 
 [Install]
 WantedBy=multi-user.target
 EOF
 
-systemctl daemon-reload
+# Enable and start service
-systemctl enable alm-ci
+systemctl daemon-reload || { echo 'daemon-reload failed'; exit 1; }
-systemctl start alm-ci
+systemctl enable alm-ci || { echo 'enable service failed'; exit 1; }
-"
+systemctl start alm-ci || { echo 'start service failed'; exit 1; }
+"

gb-infra/src/scripts/alm.sh

@@ -32,7 +32,8 @@ lxc config device add "$PARAM_TENANT"-alm almlogs disk source="$HOST_LOGS" path=
 
 lxc exec "$PARAM_TENANT"-alm -- bash -c "
 mkdir -p /opt/gbo/data /opt/gbo/conf /opt/gbo/logs
-chown -R alm:alm /opt/gbo/data /opt/gbo/conf /opt/gbo/logs
+chown -R alm:alm /opt/gbo
+
 
 cat > /etc/systemd/system/alm.service <<EOF
 [Unit]

gb-infra/src/scripts/email.sh

@@ -35,17 +35,15 @@ echo "[CONTAINER] Launching LXC container..."
 lxc launch images:debian/12 "$PARAM_TENANT"-email -c security.privileged=true
 sleep 15
 
-# Install Stalwart Mail
 echo "[CONTAINER] Installing Stalwart Mail..."
 lxc exec "$PARAM_TENANT"-email -- bash -c "
-apt-get update && apt-get install -y wget
+apt-get update && apt-get install -y wget libcap2-bin
-wget -O /tmp/stalwart.tar.gz https://github.com/stalwartlabs/stalwart/releases/download/v0.12.3/stalwart-x86_64-unknown-linux-gnu.tar.gz
+wget -O /tmp/stalwart.tar.gz https://github.com/stalwartlabs/stalwart/releases/download/v0.11.8/stalwart-mail-x86_64-unknown-linux-gnu.tar.gz
 tar -xzf /tmp/stalwart.tar.gz -C /tmp
 mkdir -p /opt/gbo/bin
-mv /tmp/stalwart /opt/gbo/bin/stalwart-mail
+mv /tmp/stalwart-mail /opt/gbo/bin/stalwart-mail
 chmod +x /opt/gbo/bin/stalwart-mail
 rm /tmp/stalwart.tar.gz
-
 useradd --system --no-create-home --shell /bin/false email
 mkdir -p /opt/gbo/data /opt/gbo/conf /opt/gbo/logs
 chown -R email:email /opt/gbo/data /opt/gbo/conf /opt/gbo/logs /opt/gbo/bin
@@ -68,6 +66,8 @@ lxc config device add "$PARAM_TENANT"-email emaillogs disk source="$HOST_LOGS" p
 # Create systemd service
 echo "[CONTAINER] Creating email service..."
 lxc exec "$PARAM_TENANT"-email -- bash -c "
+chown -R email:email /opt/gbo/data /opt/gbo/conf /opt/gbo/logs /opt/gbo/bin
+
 cat > /etc/systemd/system/email.service <<EOF
 [Unit]
 Description=Email Service
@@ -78,9 +78,7 @@ Type=simple
 User=email
 Group=email
 ExecStart=/opt/gbo/bin/stalwart-mail --config /opt/gbo/conf/config.toml
-WorkingDirectory=/opt/gbo/data
+WorkingDirectory=/opt/gbo/bin
-StandardOutput=append:/opt/gbo/logs/output.log
-StandardError=append:/opt/gbo/logs/error.log
 Restart=always
 
 [Install]
@@ -122,8 +120,6 @@ for service in "${!PORTS[@]}"; do
     sudo iptables -t nat -A PREROUTING -i $PUBLIC_INTERFACE -p tcp --dport "${PORTS[$service]}" -j DNAT --to-destination "$CONTAINER_IP":"${PORTS[$service]}"
 done
 
-lxc exec $PARAM_TENANT-email -- sudo setcap 'cap_net_bind_service=+ep' /opt/gbo/bin/stalwart-mail
-
 # Save iptables rules again
 if command -v iptables-persistent >/dev/null; then
     sudo iptables-save | sudo tee /etc/iptables/rules.v4

gb-infra/src/scripts/limits.sh

@@ -0,0 +1,18 @@
+for container in $(lxc list -c n --format csv); do
+    lxc config set "$container" limits.memory 2048MB
+    lxc config set "$container" limits.cpu.allowance "20ms/100ms"
+    lxc config set "$container" limits.cpu 1
+    lxc config set "$container" limits.cpu.priority 1
+done
+
+# Restart all containers (gracefully)
+for container in $(lxc list -c n --format csv); do
+    echo "Restarting $container..."
+    lxc restart "$container"   # --force ensures a hard restart if needed
+done
+
+# Check limits for all containers
+for container in $(lxc list -c n --format csv); do
+    echo "--- $container ---"
+    lxc config show "$container" | grep -E "memory|cpu"
+done