feat(gb-infra): Add 'gbuser' system user for improved service management across scripts; update user permissions and configurations for bot, directory, email, meeting, and proxy services

gb-infra/README.md

@@ -7,6 +7,9 @@ rsync -avz --progress --bwlimit=0 -e "ssh -p 22 -T -c aes128-gcm@openssh.com -o
 
 
 # Security
+apt update && apt install -y fail2ban 
+systemctl enable fail2ban
+
 
 apt update && apt install -y fail2ban iptables-persistent
 

gb-infra/src/templates/opt/gbo/tenants/default/alm-ci/alm-ci.sh

@@ -38,6 +38,8 @@ done
 lxc exec "$CONTAINER_NAME" -- bash -c "
 set -e
 
+useradd --system --no-create-home --shell /bin/false gbuser
+
 # Update and install dependencies
 apt-get update && apt-get install -y wget || { echo 'Package installation failed'; exit 1; }
 

gb-infra/src/templates/opt/gbo/tenants/default/bot/bot.sh

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-HOST_BASE="/opt/gbo/tenants/$PARAM_TENANT/botserver"
+HOST_BASE="/opt/gbo/tenants/$PARAM_TENANT/bot"
 HOST_DATA="$HOST_BASE/data"
 HOST_CONF="$HOST_BASE/conf"
 HOST_LOGS="$HOST_BASE/logs"
@@ -8,59 +8,105 @@ HOST_LOGS="$HOST_BASE/logs"
 mkdir -p "$HOST_DATA" "$HOST_CONF" "$HOST_LOGS"
 chmod -R 750 "$HOST_BASE"
 
-lxc launch images:debian/12 "$PARAM_TENANT"-botserver -c security.privileged=true
+lxc launch images:debian/12 "$PARAM_TENANT"-bot -c security.privileged=true
 sleep 15
 
-lxc exec "$PARAM_TENANT"-botserver -- bash -c "
+lxc exec "$PARAM_TENANT"-bot -- bash -c "
 apt-get update && apt-get install -y \
 build-essential cmake git pkg-config libjpeg-dev libtiff-dev \
 libpng-dev libavcodec-dev libavformat-dev libswscale-dev \
 libv4l-dev libatlas-base-dev gfortran python3-dev cpulimit \
 expect libxtst-dev libpng-dev
 
+sudo apt-get install -y libcairo2-dev libpango1.0-dev libgif-dev librsvg2-dev
+sudo apt install xvfb -y
+
+sudo apt install -y \
+  libnss3 \
+  libatk1.0-0 \
+  libatk-bridge2.0-0 \
+  libcups2 \
+  libdrm2 \
+  libxkbcommon0 \
+  libxcomposite1 \
+  libxdamage1 \
+  libxfixes3 \
+  libxrandr2 \
+  libgbm1 \
+  libasound2 \
+  libpangocairo-1.0-0
+
 export OPENCV4NODEJS_DISABLE_AUTOBUILD=1
 export OPENCV_LIB_DIR=/usr/lib/x86_64-linux-gnu
 
-useradd --system --no-create-home --shell /bin/false botserver
+useradd --system --no-create-home --shell /bin/false gbuser
 "
 
-BOT_UID=$(lxc exec "$PARAM_TENANT"-botserver -- id -u botserver)
-BOT_GID=$(lxc exec "$PARAM_TENANT"-botserver -- id -g botserver)
+BOT_UID=$(lxc exec "$PARAM_TENANT"-bot -- id -u gbuser)
+BOT_GID=$(lxc exec "$PARAM_TENANT"-bot -- id -g gbuser)
 HOST_BOT_UID=$((100000 + BOT_UID))
 HOST_BOT_GID=$((100000 + BOT_GID))
 chown -R "$HOST_BOT_UID:$HOST_BOT_GID" "$HOST_BASE"
 
-lxc config device add "$PARAM_TENANT"-botserver botdata disk source="$HOST_DATA" path=/var/lib/botserver
-lxc config device add "$PARAM_TENANT"-botserver botconf disk source="$HOST_CONF" path=/etc/botserver
-lxc config device add "$PARAM_TENANT"-botserver botlogs disk source="$HOST_LOGS" path=/var/log/botserver
+lxc config device add "$PARAM_TENANT"-bot botdata disk source="$HOST_DATA" path=/opt/gbo/data
+lxc config device add "$PARAM_TENANT"-bot botconf disk source="$HOST_CONF" path=/opt/gbo/conf
+lxc config device add "$PARAM_TENANT"-bot botlogs disk source="$HOST_LOGS" path=/opt/gbo/logs
 
-lxc exec "$PARAM_TENANT"-botserver -- bash -c "
-mkdir -p /var/lib/botserver /etc/botserver /var/log/botserver
-chown -R botserver:botserver /var/lib/botserver /etc/botserver /var/log/botserver
+lxc exec "$PARAM_TENANT"-bot -- bash -c '
+mkdir -p /opt/gbo/data /opt/gbo/conf /opt/gbo/logs
 
-cat > /etc/systemd/system/botserver.service <<EOF
+sudo apt update
+sudo apt install -y curl gnupg ca-certificates git
+
+# Install Node.js 22.x
+curl -fsSL https://deb.nodesource.com/setup_22.x | sudo bash -
+sudo apt install -y nodejs
+
+# Install Xvfb and other dependencies
+sudo apt install -y xvfb libgbm-dev
+
+# Clone and setup bot server
+cd /opt/gbo/data
+git clone https://alm.pragmatismo.com.br/generalbots/botserver.git
+cd botserver
+npm install
+npx puppeteer browsers install chrome
+./node_modules/.bin/tsc
+cd packages/default.gbui
+npm install
+npm run build
+
+chown -R gbuser:gbuser /opt/gbo
+
+# Create systemd service
+sudo tee /etc/systemd/system/bot.service > /dev/null <<EOF
 [Unit]
 Description=Bot Server
 After=network.target
 
 [Service]
-User=botserver
-Group=botserver
-WorkingDirectory=/var/lib/botserver
-ExecStart=/usr/bin/node /var/lib/botserver/main.js
+User=gbuser
+Group=gbuser
+Environment="DISPLAY=:99"
+ExecStartPre=/bin/bash -c "/usr/bin/Xvfb :99 -screen 0 1024x768x24 -ac +extension GLX +render -noreset &"
+WorkingDirectory=/opt/gbo/data/botserver
+ExecStart=/usr/bin/node /opt/gbo/data/botserver/boot.mjs
 Restart=always
-Environment=PORT=$PARAM_BOT_PORT
+RestartSec=5
+StandardOutput=append:/opt/gbo/logs/stdout.log
+StandardError=append:/opt/gbo/logs/stderr.log
 
 [Install]
 WantedBy=multi-user.target
 EOF
 
-systemctl daemon-reload
-systemctl enable botserver
-systemctl start botserver
-"
+# Reload and start service
+sudo systemctl daemon-reload
+sudo systemctl enable bot.service
+sudo systemctl start bot.service
+'
 
-lxc config device remove "$PARAM_TENANT"-botserver bot-proxy 2>/dev/null || true
-lxc config device add "$PARAM_TENANT"-botserver bot-proxy proxy \
+lxc config device remove "$PARAM_TENANT"-bot bot-proxy 2>/dev/null || true
+lxc config device add "$PARAM_TENANT"-bot bot-proxy proxy \
     listen=tcp:0.0.0.0:"$PARAM_BOT_PORT" \
     connect=tcp:127.0.0.1:"$PARAM_BOT_PORT"

gb-infra/src/templates/opt/gbo/tenants/default/directory/directory.sh

@@ -1,28 +1,41 @@
 #!/bin/bash
 
-DIRECTORY_VERSION="v2.71.2"
 HOST_BASE="/opt/gbo/tenants/$PARAM_TENANT/directory"
 HOST_DATA="$HOST_BASE/data"
 HOST_CONF="$HOST_BASE/conf"
 HOST_LOGS="$HOST_BASE/logs"
 
-mkdir -p "$HOST_DATA" "$HOST_CONF" "$HOST_LOGS"
-chmod -R 750 "$HOST_BASE"
+sudo mkdir -p "$HOST_DATA" "$HOST_CONF" "$HOST_LOGS"
+sudo chmod -R 750 "$HOST_BASE"
 
 lxc launch images:debian/12 "$PARAM_TENANT"-directory -c security.privileged=true
 sleep 15
 
-lxc config device add "$PARAM_TENANT"-directory directorydata disk source="$HOST_DATA" path=/var/lib/zitadel
-lxc config device add "$PARAM_TENANT"-directory directoryconf disk source="$HOST_CONF" path=/etc/zitadel
-lxc config device add "$PARAM_TENANT"-directory directorylogs disk source="$HOST_LOGS" path=/var/log/zitadel
+lxc exec "$PARAM_TENANT"-directory -- bash -c "
+apt-get update && apt-get install -y wget libcap2-bin
+wget -c https://github.com/zitadel/zitadel/releases/download/v2.71.2/zitadel-linux-amd64.tar.gz -O - | tar -xz -C /tmp
+mkdir -p /opt/gbo/bin
+mv /tmp/zitadel-linux-amd64/zitadel /opt/gbo/bin/zitadel
+chmod +x /opt/gbo/bin/zitadel
+sudo setcap 'cap_net_bind_service=+ep' /opt/gbo/bin/zitadel
+
+useradd --system --no-create-home --shell /bin/false gbuser
+mkdir -p /opt/gbo/data /opt/gbo/conf /opt/gbo/logs
+chown -R gbuser:gbuser /opt/gbo/data /opt/gbo/conf /opt/gbo/logs /opt/gbo/bin
+"
+
+GBUSER_UID=$(lxc exec "$PARAM_TENANT"-directory -- id -u gbuser)
+GBUSER_GID=$(lxc exec "$PARAM_TENANT"-directory -- id -g gbuser)
+HOST_GBUSER_UID=$((100000 + GBUSER_UID))
+HOST_GBUSER_GID=$((100000 + GBUSER_GID))
+sudo chown -R "$HOST_GBUSER_UID:$HOST_GBUSER_GID" "$HOST_BASE"
+
+lxc config device add "$PARAM_TENANT"-directory directorydata disk source="$HOST_DATA" path=/opt/gbo/data
+lxc config device add "$PARAM_TENANT"-directory directoryconf disk source="$HOST_CONF" path=/opt/gbo/conf
+lxc config device add "$PARAM_TENANT"-directory directorylogs disk source="$HOST_LOGS" path=/opt/gbo/logs
 
 lxc exec "$PARAM_TENANT"-directory -- bash -c "
-apt-get update && apt-get install -y wget
-wget -c https://github.com/zitadel/zitadel/releases/download/$DIRECTORY_VERSION/zitadel-linux-amd64.tar.gz -O - | tar -xz -C /usr/local/bin/
-
-useradd -r -s /bin/false zitadel
-mkdir -p /var/lib/zitadel /etc/zitadel /var/log/zitadel
-chown -R zitadel:zitadel /var/lib/zitadel /etc/zitadel /var/log/zitadel
+chown -R gbuser:gbuser /opt/gbo/data /opt/gbo/conf /opt/gbo/logs /opt/gbo/bin
 
 cat > /etc/systemd/system/directory.service <<EOF
 [Unit]
@@ -31,24 +44,12 @@ After=network.target
 
 [Service]
 Type=simple
-User=zitadel
-Group=zitadel
-Environment=ZITADEL_DEFAULTINSTANCE_INSTANCENAME=$PARAM_TENANT
-Environment=ZITADEL_DEFAULTINSTANCE_ORG_NAME=$PARAM_TENANT
-Environment=ZITADEL_DATABASE_TABLES_HOST=$PARAM_TABLES_HOST
-Environment=ZITADEL_DATABASE_TABLES_PORT=$PARAM_TABLES_PORT
-Environment=ZITADEL_DATABASE_TABLES_DATABASE=$PARAM_DIRECTORY_DATABASE
-Environment=ZITADEL_DATABASE_TABLES_USER_USERNAME=$PARAM_TABLES_USERNAME
-Environment=ZITADEL_DATABASE_TABLES_USER_PASSWORD=$PARAM_TABLES_PASSWORD
-Environment=ZITADEL_DATABASE_TABLES_ADMIN_SSL_MODE=disable
-Environment=ZITADEL_DATABASE_TABLES_USER_SSL_MODE=disable
-Environment=ZITADEL_DATABASE_TABLES_ADMIN_USERNAME=$PARAM_TABLES_USERNAME
-Environment=ZITADEL_DATABASE_TABLES_ADMIN_PASSWORD=$PARAM_TABLES_PASSWORD
-Environment=ZITADEL_EXTERNALSECURE=true
-ExecStart=/usr/local/bin/zitadel start --masterkey $PARAM_DIRECTORY_MASTERKEY --config /etc/zitadel/config.yaml
-WorkingDirectory=/var/lib/zitadel
-StandardOutput=append:/var/log/zitadel/output.log
-StandardError=append:/var/log/zitadel/error.log
+User=gbuser
+Group=gbuser
+ExecStart=/opt/gbo/bin/zitadel start --masterkey $PARAM_DIRECTORY_MASTERKEY --config /opt/gbo/conf/config.yaml --tlsMode external
+WorkingDirectory=/opt/gbo/bin
+StandardOutput=append:/opt/gbo/logs/output.log
+StandardError=append:/opt/gbo/logs/error.log
 Restart=always
 
 [Install]
@@ -63,4 +64,4 @@ systemctl start directory
 lxc config device remove "$PARAM_TENANT"-directory directory-proxy 2>/dev/null || true
 lxc config device add "$PARAM_TENANT"-directory directory-proxy proxy \
     listen=tcp:0.0.0.0:"$PARAM_DIRECTORY_PORT" \
-    connect=tcp:127.0.0.1:"$PARAM_DIRECTORY_PORT"
+    connect=tcp:127.0.0.1:"$PARAM_DIRECTORY_PORT"

gb-infra/src/templates/opt/gbo/tenants/default/email/email.sh

@@ -1,5 +1,4 @@
 #!/bin/bash
-
 PUBLIC_INTERFACE="eth0"                 # Your host's public network interface
 
 # Enable IP forwarding
@@ -18,6 +17,7 @@ if command -v iptables-persistent >/dev/null; then
     sudo iptables-save | sudo tee /etc/iptables/rules.v4
 fi
 
+
 # ------------------------- CONTAINER SETUP -------------------------
 
 # Create directory structure
@@ -38,12 +38,15 @@ sleep 15
 echo "[CONTAINER] Installing Stalwart Mail..."
 lxc exec "$PARAM_TENANT"-email -- bash -c "
 apt-get update && apt-get install -y wget libcap2-bin
-wget -O /tmp/stalwart.tar.gz https://github.com/stalwartlabs/stalwart/releases/download/v0.11.8/stalwart-mail-x86_64-unknown-linux-gnu.tar.gz
+wget -O /tmp/stalwart.tar.gz https://github.com/stalwartlabs/stalwart/releases/download/v0.12.4/stalwart-x86_64-unknown-linux-gnu.tar.gz
+                             
 tar -xzf /tmp/stalwart.tar.gz -C /tmp
 mkdir -p /opt/gbo/bin
-mv /tmp/stalwart-mail /opt/gbo/bin/stalwart-mail
-chmod +x /opt/gbo/bin/stalwart-mail
+mv /tmp/stalwart /opt/gbo/bin/stalwart
+chmod +x /opt/gbo/bin/stalwart
+sudo setcap 'cap_net_bind_service=+ep' /opt/gbo/bin/stalwart
 rm /tmp/stalwart.tar.gz
+
 useradd --system --no-create-home --shell /bin/false email
 mkdir -p /opt/gbo/data /opt/gbo/conf /opt/gbo/logs
 chown -R email:email /opt/gbo/data /opt/gbo/conf /opt/gbo/logs /opt/gbo/bin
@@ -77,7 +80,7 @@ After=network.target
 Type=simple
 User=email
 Group=email
-ExecStart=/opt/gbo/bin/stalwart-mail --config /opt/gbo/conf/config.toml
+ExecStart=/opt/gbo/bin/stalwart --config /opt/gbo/conf/config.toml
 WorkingDirectory=/opt/gbo/bin
 Restart=always
 
@@ -89,38 +92,3 @@ systemctl daemon-reload
 systemctl enable email
 systemctl start email
 "
-
-# ------------------------- PORT FORWARDING -------------------------
-
-# Get container IP
-CONTAINER_IP=$(lxc list "$PARAM_TENANT"-email -c 4 --format csv | awk '{print $1}')
-
-# Setup port forwarding
-echo "[HOST] Setting up port forwarding..."
-declare -A PORTS=(
-  ["email"]="$PARAM_EMAIL_SMTP_PORT"
-  ["http"]="$PARAM_EMAIL_HTTP_PORT" 
-  ["imap"]="$PARAM_EMAIL_IMAP_PORT"
-  ["imaps"]="$PARAM_EMAIL_IMAPS_PORT"
-  ["pop3"]="$PARAM_EMAIL_POP3_PORT"
-  ["pop3s"]="$PARAM_EMAIL_POP3S_PORT"
-  ["submission"]="$PARAM_EMAIL_SUBMISSION_PORT"
-  ["submissions"]="$PARAM_EMAIL_SUBMISSIONS_PORT"
-  ["sieve"]="$PARAM_EMAIL_SIEVE_PORT"
-)
-
-for service in "${!PORTS[@]}"; do
-    # Container proxy device
-    lxc config device remove "$PARAM_TENANT"-email "$service-proxy" 2>/dev/null || true
-    lxc config device add "$PARAM_TENANT"-email "$service-proxy" proxy \
-      listen=tcp:0.0.0.0:"${PORTS[$service]}" \
-      connect=tcp:127.0.0.1:"${PORTS[$service]}"
-    
-    # Host port forwarding
-    sudo iptables -t nat -A PREROUTING -i $PUBLIC_INTERFACE -p tcp --dport "${PORTS[$service]}" -j DNAT --to-destination "$CONTAINER_IP":"${PORTS[$service]}"
-done
-
-# Save iptables rules again
-if command -v iptables-persistent >/dev/null; then
-    sudo iptables-save | sudo tee /etc/iptables/rules.v4
-fi

gb-infra/src/templates/opt/gbo/tenants/default/meeting/meeting.sh

@@ -12,42 +12,50 @@ lxc launch images:debian/12 "$PARAM_TENANT"-meeting -c security.privileged=true
 sleep 15
 
 lxc exec "$PARAM_TENANT"-meeting -- bash -c "
+
 apt-get update && apt-get install -y wget coturn
-mkdir -p /opt/livekit-server
-cd /opt/livekit-server
+mkdir -p /opt/gbo/bin
+cd /opt/gbo/bin
 wget -q https://github.com/livekit/livekit/releases/download/v1.8.4/livekit_1.8.4_linux_amd64.tar.gz
 tar -xzf livekit*.tar.gz
+rm livekit_1.8.4_linux_amd64.tar.gz
 chmod +x livekit-server
 
 while netstat -tuln | grep -q \":$PARAM_MEETING_TURN_PORT \"; do
   ((PARAM_MEETING_TURN_PORT++))
 done
+
+useradd --system --no-create-home --shell /bin/false gbuser
+
 "
 
-MEETING_UID=$(lxc exec "$PARAM_TENANT"-meeting -- id -u turnserver)
-MEETING_GID=$(lxc exec "$PARAM_TENANT"-meeting -- id -g turnserver)
+MEETING_UID=$(lxc exec "$PARAM_TENANT"-meeting -- id -u gbuser)
+MEETING_GID=$(lxc exec "$PARAM_TENANT"-meeting -- id -g gbuser)
 HOST_MEETING_UID=$((100000 + MEETING_UID))
 HOST_MEETING_GID=$((100000 + MEETING_GID))
 chown -R "$HOST_MEETING_UID:$HOST_MEETING_GID" "$HOST_BASE"
 
-lxc config device add "$PARAM_TENANT"-meeting meetingdata disk source="$HOST_DATA" path=/var/lib/livekit
-lxc config device add "$PARAM_TENANT"-meeting meetingconf disk source="$HOST_CONF" path=/etc/livekit
-lxc config device add "$PARAM_TENANT"-meeting meetinglogs disk source="$HOST_LOGS" path=/var/log/livekit
+lxc config device add "$PARAM_TENANT"-meeting meetingdata disk source="$HOST_DATA" path=/opt/gbo/data
+lxc config device add "$PARAM_TENANT"-meeting meetingconf disk source="$HOST_CONF" path=/opt/gbo/conf
+lxc config device add "$PARAM_TENANT"-meeting meetinglogs disk source="$HOST_LOGS" path=/opt/gbo/logs
 
 lxc exec "$PARAM_TENANT"-meeting -- bash -c "
-mkdir -p /var/lib/livekit /etc/livekit /var/log/livekit
-chown -R turnserver:turnserver /var/lib/livekit /etc/livekit /var/log/livekit
 
-cat > /etc/systemd/system/livekit.service <<EOF
+mkdir -p /opt/gbo/data /opt/gbo/conf /opt/gbo/logs
+chown -R gbuser:gbuser /opt/gbo/data /opt/gbo/conf /opt/gbo/logs
+
+sudo chown gbuser:gbuser /var/run/turnserver.pid
+
+
+cat > /etc/systemd/system/meeting.service <<EOF
 [Unit]
 Description=LiveKit Server
 After=network.target
 
 [Service]
-User=turnserver
-Group=turnserver
-WorkingDirectory=/opt/livekit-server
-ExecStart=/opt/livekit-server/livekit-server --config /etc/livekit/config.yaml
+User=gbuser
+Group=gbuser
+ExecStart=/opt/gbo/bin/livekit-server --config /opt/gbo/conf/config.yaml
 Restart=always
 Environment=TURN_PORT=$PARAM_MEETING_TURN_PORT
 
@@ -55,15 +63,15 @@ Environment=TURN_PORT=$PARAM_MEETING_TURN_PORT
 WantedBy=multi-user.target
 EOF
 
-cat > /etc/systemd/system/turnserver.service <<EOF
+cat > /etc/systemd/system/meeting-turn.service <<EOF
 [Unit]
 Description=TURN Server
 After=network.target
 
 [Service]
-User=turnserver
-Group=turnserver
-ExecStart=/usr/bin/turnserver -c /etc/livekit/turnserver.conf
+User=gbuser
+Group=gbuser
+ExecStart=/usr/bin/turnserver -c /opt/gbo/conf/turnserver.conf
 Restart=always
 
 [Install]
@@ -71,8 +79,8 @@ WantedBy=multi-user.target
 EOF
 
 systemctl daemon-reload
-systemctl enable livekit turnserver
-systemctl start livekit turnserver
+systemctl enable meeting meeting-turn
+systemctl start meeting meeting-turn
 "
 
 lxc config device remove "$PARAM_TENANT"-meeting meeting-proxy 2>/dev/null || true

gb-infra/src/templates/opt/gbo/tenants/default/prompt.txt

@@ -0,0 +1,16 @@
+    do not comment or echo anything
+    
+    keep lines condensed
+    always call it <kind> not own name. Eg.: proxy instead of Caddy. alm instead of forgejo.
+    use KISS priciple
+     
+    use local /opt/gbo/{logs, data, conf} exposed as 
+        HOST_BASE="/opt/gbo/tenants/$PARAM_TENANT/<kind>"
+        HOST_DATA="$HOST_BASE/data" 
+        HOST_CONF="$HOST_BASE/conf"
+        HOST_LOGS="$HOST_BASE/logs"
+        instead of using app original paths.
+    and use /opt/gbo/bin to put local binaries of installations 
+    during sh exection, never touch files in /opt/gbo/{logs, data, conf}
+    use wget
+    use gbuser as system user

gb-infra/src/templates/opt/gbo/tenants/default/proxy/proxy.sh

@@ -1,79 +1,56 @@
 #!/bin/bash
-
 HOST_BASE="/opt/gbo/tenants/$PARAM_TENANT/proxy"
 HOST_DATA="$HOST_BASE/data"
 HOST_CONF="$HOST_BASE/conf"
 HOST_LOGS="$HOST_BASE/logs"
-
-mkdir -p "$HOST_DATA" "$HOST_CONF" "$HOST_LOGS"
-chmod -R 750 "$HOST_BASE"
+mkdir -p "$HOST_BASE" "$HOST_DATA" "$HOST_CONF" "$HOST_LOGS"
+chmod 750 "$HOST_BASE" "$HOST_DATA" "$HOST_CONF" "$HOST_LOGS"
 
 lxc launch images:debian/12 "$PARAM_TENANT"-proxy -c security.privileged=true
 sleep 15
 
 lxc exec "$PARAM_TENANT"-proxy -- bash -c "
-apt-get update && apt-get install -y curl libcap2-bin
-curl -sL \"https://github.com/caddyserver/caddy/releases/download/v2.10.0-beta.3/caddy_2.10.0-beta.3_linux_amd64.tar.gz\" | tar -C /usr/local/bin -xz caddy
-chmod 755 /usr/local/bin/caddy
-setcap 'cap_net_bind_service=+ep' /usr/local/bin/caddy
-useradd --system --no-create-home --shell /usr/sbin/nologin caddy
+mkdir -p /opt/gbo/{bin,data,conf,logs}
+apt-get update && apt-get install -y wget libcap2-bin
+wget -q https://github.com/caddyserver/caddy/releases/download/v2.10.0-beta.3/caddy_2.10.0-beta.3_linux_amd64.tar.gz
+tar -xzf caddy_2.10.0-beta.3_linux_amd64.tar.gz -C /opt/gbo/bin
+rm caddy_2.10.0-beta.3_linux_amd64.tar.gz
+chmod 750 /opt/gbo/bin/caddy
+setcap 'cap_net_bind_service=+ep' /opt/gbo/bin/caddy
+useradd --create-home --system --shell /usr/sbin/nologin gbuser
+chown -R gbuser:gbuser /opt/gbo/{bin,data,conf,logs}
 "
 
-CADDY_UID=$(lxc exec "$PARAM_TENANT"-proxy -- id -u caddy)
-CADDY_GID=$(lxc exec "$PARAM_TENANT"-proxy -- id -g caddy)
-HOST_CADDY_UID=$((100000 + CADDY_UID))
-HOST_CADDY_GID=$((100000 + CADDY_GID))
-chown -R "$HOST_CADDY_UID:$HOST_CADDY_GID" "$HOST_BASE"
-
-lxc config device add "$PARAM_TENANT"-proxy proxydata disk source="$HOST_DATA" path=/var/lib/caddy
-lxc config device add "$PARAM_TENANT"-proxy proxyconf disk source="$HOST_CONF" path=/etc/caddy
-lxc config device add "$PARAM_TENANT"-proxy proxylogs disk source="$HOST_LOGS" path=/var/log/caddy
+lxc config device add "$PARAM_TENANT"-proxy data disk source="$HOST_DATA" path=/opt/gbo/data
+lxc config device add "$PARAM_TENANT"-proxy conf disk source="$HOST_CONF" path=/opt/gbo/conf
+lxc config device add "$PARAM_TENANT"-proxy logs disk source="$HOST_LOGS" path=/opt/gbo/logs
 
 lxc exec "$PARAM_TENANT"-proxy -- bash -c "
-mkdir -p /var/lib/caddy /etc/caddy /var/log/caddy
-chown -R caddy:caddy /var/lib/caddy /etc/caddy /var/log/caddy
-
-cat > /etc/caddy/Caddyfile <<EOF
-:80 {
-    respond \"Welcome to $PARAM_TENANT Proxy\"
-    log {
-        output file /var/log/caddy/access.log
-    }
-}
-EOF
-
-cat > /etc/systemd/system/caddy.service <<EOF
+cat > /etc/systemd/system/proxy.service <<EOF
 [Unit]
-Description=Caddy
+Description=Proxy
 After=network.target
-
 [Service]
-User=caddy
-Group=caddy
-ExecStart=/usr/local/bin/caddy run --config /etc/caddy/Caddyfile --adapter caddyfile
-ExecReload=/usr/local/bin/caddy reload --config /etc/caddy/Caddyfile --adapter caddyfile
-TimeoutStopSec=5s
-LimitNOFILE=1048576
-LimitNPROC=512
-PrivateTmp=true
-ProtectSystem=full
+User=gbuser
+Group=gbuser
+Environment=XDG_DATA_HOME=/opt/gbo/data
+ExecStart=/opt/gbo/bin/caddy run --config /opt/gbo/conf/config --adapter caddyfile
 AmbientCapabilities=CAP_NET_BIND_SERVICE
-
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
 [Install]
 WantedBy=multi-user.target
 EOF
-
 systemctl daemon-reload
-systemctl enable caddy
-systemctl start caddy
+
+chown -R gbuser:gbuser /opt/gbo/{bin,data,conf,logs}
+
+systemctl enable proxy
 "
 
-lxc config device remove "$PARAM_TENANT"-proxy http-proxy 2>/dev/null || true
-lxc config device add "$PARAM_TENANT"-proxy http-proxy proxy \
-    listen=tcp:0.0.0.0:"$PARAM_HTTP_PORT" \
-    connect=tcp:127.0.0.1:"$PARAM_HTTP_PORT"
+for port in 80 443; do
+lxc config device remove "$PARAM_TENANT"-proxy "port-$port" 2>/dev/null || true
+lxc config device add "$PARAM_TENANT"-proxy "port-$port" proxy listen=tcp:0.0.0.0:$port connect=tcp:127.0.0.1:$port
+done
 
-lxc config device remove "$PARAM_TENANT"-proxy https-proxy 2>/dev/null || true
-lxc config device add "$PARAM_TENANT"-proxy https-proxy proxy \
-    listen=tcp:0.0.0.0:"$PARAM_HTTPS_PORT" \
-    connect=tcp:127.0.0.1:"$PARAM_HTTPS_PORT"
+lxc config set "$PARAM_TENANT"-proxy security.syscalls.intercept.mknod true
+lxc config set "$PARAM_TENANT"-proxy security.syscalls.intercept.setxattr true

gb-infra/src/templates/opt/gbo/tenants/default/shared/scripts/check-space.sh

@@ -0,0 +1,5 @@
+printf "%-20s %-10s %-10s %-10s %-6s %s\n" "CONTAINER" "USED" "AVAIL" "TOTAL" "USE%" "MOUNT"
+for container in $(lxc list -c n --format csv); do
+    disk_info=$(lxc exec $container -- df -h / --output=used,avail,size,pcent | tail -n 1)
+    printf "%-20s %s\n" "$container" "$disk_info"
+done

gb-infra/src/templates/opt/gbo/tenants/default/shared/scripts/limits.sh

@@ -1,17 +1,53 @@
+#!/usr/bin/env bash
+
+# Define container limits in an associative array
+declare -A container_limits=(
+    # Pattern       Memory    CPU Allowance
+    ["*tables*"]="2048MB:33ms/100ms"
+    ["*alm*"]="5126MB:15ms/100ms"
+    ["*email*"]="4024MB:100ms/100ms"
+    ["*webmail*"]="1024MB:20ms/100ms"
+    ["*bot*"]="2048MB:20ms/100ms"
+    ["*drive*"]="1024MB:20ms/100ms"
+)
+
+# Default values (for containers that don't match any pattern)
+DEFAULT_MEMORY="1024MB"
+DEFAULT_CPU_ALLOWANCE="15ms/100ms"
+CPU_COUNT=1
+CPU_PRIORITY=10
+
+# Configure all containers
 for container in $(lxc list -c n --format csv); do
-    lxc config set "$container" limits.memory 2048MB
-    lxc config set "$container" limits.cpu.allowance "20ms/100ms"
-    lxc config set "$container" limits.cpu 1
-    lxc config set "$container" limits.cpu.priority 1
+    echo "Configuring $container..."
+    
+    memory=$DEFAULT_MEMORY
+    cpu_allowance=$DEFAULT_CPU_ALLOWANCE
+    
+    # Check if container matches any pattern
+    for pattern in "${!container_limits[@]}"; do
+        if [[ $container == $pattern ]]; then
+            IFS=':' read -r memory cpu_allowance <<< "${container_limits[$pattern]}"
+            break
+        fi
+    done
+    
+    # Apply configuration
+    lxc config set "$container" limits.memory "$memory"
+    lxc config set "$container" limits.cpu.allowance "$cpu_allowance"
+    lxc config set "$container" limits.cpu "$CPU_COUNT"
+    lxc config set "$container" limits.cpu.priority "$CPU_PRIORITY"
 done
 
-# Restart all containers (gracefully)
+# Restart all containers
+echo "Restarting containers..."
 for container in $(lxc list -c n --format csv); do
     echo "Restarting $container..."
-    lxc restart "$container"   # --force ensures a hard restart if needed
+    lxc restart "$container"
 done
 
-# Check limits for all containers
+# Verify configuration
+echo "Verifying limits..."
 for container in $(lxc list -c n --format csv); do
     echo "--- $container ---"
     lxc config show "$container" | grep -E "memory|cpu"

gb-infra/src/templates/opt/gbo/tenants/default/shared/scripts/set-size-5GB.sh

@@ -0,0 +1,33 @@
+for container in $(lxc list --format csv -c n); do
+    echo "Processing $container..."
+    
+    # Stop container safely
+    lxc stop "$container" 
+
+    # Set new 5GB limit (works for most drivers)
+    if ! lxc config device override "$container" root size=5GB; then
+        echo "Failed to set config, trying alternative method..."
+        lxc config device set "$container" root size=5GB
+    fi
+    
+    # Start container
+    lxc start "$container"
+    
+    # Find root device inside container
+    ROOT_DEV=$(lxc exec "$container" -- df / --output=source | tail -1)
+    
+    # Resize filesystem (with proper error handling)
+    if lxc exec "$container" -- which resize2fs >/dev/null 2>&1; then
+        echo "Resizing filesystem for $container..."
+        if [[ "$ROOT_DEV" == /dev/* ]]; then
+            lxc exec "$container" -- growpart "$(dirname "$ROOT_DEV")" "$(basename "$ROOT_DEV")"
+            lxc exec "$container" -- resize2fs "$ROOT_DEV"
+        else
+            echo "Non-standard root device $ROOT_DEV - manual resize needed"
+        fi
+    else
+        echo "resize2fs not available in $container - install it first"
+    fi
+    
+    echo "Completed $container"
+done

gb-infra/src/templates/opt/gbo/tenants/default/social/.sh

@@ -0,0 +1 @@
+https://www.brasil247.com/mundo/meta-quer-automatizar-totalmente-publicidade-com-ia-ate-2026-diz-wsj

gb-infra/src/templates/opt/gbo/tenants/default/webmail/webmail.sh

@@ -6,7 +6,6 @@ HOST_CONF="$HOST_BASE/conf"
 HOST_LOGS="$HOST_BASE/logs"
 
 PARAM_RC_VERSION="1.6.6"
-RC_PATH="$HOST_DATA/wwwroot"
 
 mkdir -p "$HOST_DATA" "$HOST_CONF" "$HOST_LOGS"
 chmod -R 750 "$HOST_BASE"
@@ -14,6 +13,8 @@ chmod -R 750 "$HOST_BASE"
 lxc launch images:debian/12 "$PARAM_TENANT"-webmail -c security.privileged=true
 sleep 15
 
+RC_PATH="/opt/gbo/data"
+
 lxc exec "$PARAM_TENANT"-webmail -- bash -c '
 # Install prerequisites
 apt install -y ca-certificates apt-transport-https lsb-release gnupg wget
@@ -39,19 +40,19 @@ apt install -y \
 
 # Restart PHP-FPM
 systemctl restart php8.1-fpm
-if [ ! -d '"$RC_PATH"' ]; then
-    mkdir -p '"$RC_PATH"'
-    wget -q https://github.com/roundcube/roundcubemail/releases/download/'"$PARAM_RC_VERSION"'/roundcubemail-'"$PARAM_RC_VERSION"'-complete.tar.gz
-    tar -xzf roundcubemail-*.tar.gz
-    mv roundcubemail-'"$PARAM_RC_VERSION"'/* '"$RC_PATH"'
-    rm -rf roundcubemail-*
-fi
 
-chown -R www-data:www-data '"$RC_PATH"'
+mkdir -p '"$RC_PATH"'
+wget -q https://github.com/roundcube/roundcubemail/releases/download/'"$PARAM_RC_VERSION"'/roundcubemail-'"$PARAM_RC_VERSION"'-complete.tar.gz
+tar -xzf roundcubemail-*.tar.gz
+mv roundcubemail-'"$PARAM_RC_VERSION"'/* '"$RC_PATH"'
+rm -rf roundcubemail-*
+
+mkdir -p /opt/gbo/logs
+
 chmod 750 '"$RC_PATH"'
 find '"$RC_PATH"' -type d -exec chmod 750 {} \;
 find '"$RC_PATH"' -type f -exec chmod 640 {} \;
-mkdir -p '"$HOST_LOGS"'
+
 '
 
 WEBMAIL_UID=$(lxc exec "$PARAM_TENANT"-webmail -- id -u www-data)
@@ -60,11 +61,11 @@ HOST_WEBMAIL_UID=$((100000 + WEBMAIL_UID))
 HOST_WEBMAIL_GID=$((100000 + WEBMAIL_GID))
 chown -R "$HOST_WEBMAIL_UID:$HOST_WEBMAIL_GID" "$HOST_BASE"
 
-lxc config device add "$PARAM_TENANT"-webmail webmaildata disk source="$HOST_DATA" path=/var/lib/roundcube
-lxc config device add "$PARAM_TENANT"-webmail webmailconf disk source="$HOST_CONF" path=/etc/roundcube
-lxc config device add "$PARAM_TENANT"-webmail webmaillogs disk source="$HOST_LOGS" path=/var/log/roundcube
+lxc config device add "$PARAM_TENANT"-webmail webmaildata disk source="$HOST_DATA" path="$RC_PATH"
+lxc config device add "$PARAM_TENANT"-webmail webmaillogs disk source="$HOST_LOGS" path=/opt/gbo/logs
 
 lxc exec "$PARAM_TENANT"-webmail -- bash -c "
+chown -R www-data:www-data '"$RC_PATH"' /opt/gbo/logs
 cat > /etc/systemd/system/webmail.service <<EOF
 [Unit]
 Description=Roundcube Webmail
@@ -74,10 +75,10 @@ After=network.target php8.1-fpm.service
 User=www-data
 Group=www-data
 WorkingDirectory=$RC_PATH
-ExecStart=/usr/bin/php -S 0.0.0.0:$PARAM_WEBMAIL_PORT -t $RC_PATH/public_html
+ExecStart=/usr/bin/php -S 0.0.0.0:$PARAM_WEBMAIL_PORT -t $RC_PATH/wwwroot/public_html
 Restart=always
-StandardOutput=append:/var/log/roundcube/stdout.log
-StandardError=append:/var/log/roundcube/stderr.log
+StandardOutput=append:/opt/gbo/logs/stdout.log
+StandardError=append:/opt/gbo/logs/stderr.log
 
 [Install]
 WantedBy=multi-user.target