feat(gb-infra): Add 'gbuser' system user for improved service management across scripts; update user permissions and configurations for bot, directory, email, meeting, and proxy services

.forgejo/workflows/node.yaml

@@ -1,48 +1,28 @@
-name: gbserver Rust CI/CD
+name: GBCI
 
 on:
   push:
-    branches: ["main"]
+    branches: [ "main" ]
   pull_request:
-    branches: ["main"]
+    branches: [ "main" ]
 
 jobs:
-  build-and-deploy:
+  build:
     runs-on: gbo
     
     steps:
+    - name: Disable SSL verification (temporary)
+      run: git config --global http.sslVerify false
+
     - uses: actions/checkout@v4
 
     - name: Install Rust
-      uses: actions-rs/toolchain@v1
+      uses: msrd0/rust-toolchain@v1
       with:
         toolchain: stable
-        profile: minimal
-        override: true
-        components: rustfmt, clippy
         
-    - name: Cache cargo registry
-      uses: actions/cache@v3
-      with:
-        path: |
-          ~/.cargo/registry
-          ~/.cargo/git
-          target
-        key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
-        restore-keys: |
-          ${{ runner.os }}-cargo-
-
-    - name: Build release binary
-      uses: actions-rs/cargo@v1
-      with:
-        command: build
-        args: --release --locked
-
-    - name: Run tests
-      uses: actions-rs/cargo@v1
-      with:
-        command: test
-        args: --release
+    - name: Run build
+      run: cargo build --workspace --release --locked
 
     - name: Deploy binary
       run: |

.gitignore

@@ -1,2 +1,3 @@
 target
 .env
+*.env

gb-infra/README.md

@@ -0,0 +1,17 @@
+
+# Backup
+
+## Fastest way to tranfer files between servers over TCP/IP
+
+rsync -avz --progress --bwlimit=0 -e "ssh -p 22 -T -c aes128-gcm@openssh.com -o Compression=no -o IPQoS=throughput" gbbackup@host.com.br:/opt/gbo/backup /home/user/Desktop
+
+
+# Security
+apt update && apt install -y fail2ban 
+systemctl enable fail2ban
+
+
+apt update && apt install -y fail2ban iptables-persistent
+
+systemctl enable fail2ban
+systemctl enable netfilter-persistent

gb-infra/src/templates/opt/gbo/tenants/default/alm-ci/alm-ci.sh

@@ -0,0 +1,102 @@
+#!/bin/bash
+
+# Configuration
+ALM_CI_NAME="CI"
+ALM_CI_LABELS="gbo"
+FORGEJO_RUNNER_VERSION="v6.3.1"
+FORGEJO_RUNNER_BINARY="forgejo-runner-6.3.1-linux-amd64"
+CONTAINER_IMAGE="images:debian/12"
+ 
+# Paths
+HOST_BASE="/opt/gbo/tenants/$PARAM_TENANT/alm-ci"
+HOST_DATA="$HOST_BASE/data"
+HOST_CONF="$HOST_BASE/conf"
+HOST_LOGS="$HOST_BASE/logs"
+BIN_PATH="/opt/gbo/bin"
+CONTAINER_NAME="${PARAM_TENANT}-alm-ci"
+
+# Create host directories
+mkdir -p "$HOST_DATA" "$HOST_CONF" "$HOST_LOGS" || exit 1
+chmod -R 750 "$HOST_BASE" || exit 1
+
+# Launch container
+if ! lxc launch "$CONTAINER_IMAGE" "$CONTAINER_NAME"; then
+    echo "Failed to launch container"
+    exit 1
+fi
+
+# Wait for container to be ready
+for i in {1..10}; do
+    if lxc exec "$CONTAINER_NAME" -- bash -c "true"; then
+        break
+    fi
+    sleep 3
+done
+
+
+# Container setup
+lxc exec "$CONTAINER_NAME" -- bash -c "
+set -e
+
+useradd --system --no-create-home --shell /bin/false gbuser
+
+# Update and install dependencies
+apt-get update && apt-get install -y wget || { echo 'Package installation failed'; exit 1; }
+
+# Create directories
+mkdir -p \"$BIN_PATH\" /opt/gbo/data /opt/gbo/conf /opt/gbo/logs || { echo 'Directory creation failed'; exit 1; }
+
+# Download and install forgejo-runner
+wget -O \"$BIN_PATH/forgejo-runner\" \"https://code.forgejo.org/forgejo/runner/releases/download/$FORGEJO_RUNNER_VERSION/$FORGEJO_RUNNER_BINARY\" || { echo 'Download failed'; exit 1; }
+chmod +x \"$BIN_PATH/forgejo-runner\" || { echo 'chmod failed'; exit 1; }
+
+cd \"$BIN_PATH\"
+
+# Register runner
+\"$BIN_PATH/forgejo-runner\" register --no-interactive \\
+    --name \"$ALM_CI_NAME\" \\
+    --instance \"$PARAM_ALM_CI_INSTANCE\" \\
+    --token \"$PARAM_ALM_CI_TOKEN\" \\
+    --labels \"$ALM_CI_LABELS\" || { echo 'Runner registration failed'; exit 1; }
+
+chown -R gbuser:gbuser /opt/gbo/data /opt/gbo/conf /opt/gbo/logs /opt/gbo/bin
+"
+
+# Set permissions
+echo "[CONTAINER] Setting permissions..."
+EMAIL_UID=$(lxc exec "$PARAM_TENANT"-alm-ci -- id -u gbuser)
+EMAIL_GID=$(lxc exec "$PARAM_TENANT"-alm-ci -- id -g gbuser)
+HOST_EMAIL_UID=$((100000 + EMAIL_UID))
+HOST_EMAIL_GID=$((100000 + EMAIL_GID))
+sudo chown -R "$HOST_EMAIL_UID:$HOST_EMAIL_GID" "$HOST_BASE"
+
+
+# Add directory mappings
+lxc config device add "$CONTAINER_NAME" almdata disk source="$HOST_DATA" path=/opt/gbo/data || exit 1
+lxc config device add "$CONTAINER_NAME" almconf disk source="$HOST_CONF" path=/opt/gbo/conf || exit 1
+lxc config device add "$CONTAINER_NAME" almlogs disk source="$HOST_LOGS" path=/opt/gbo/logs || exit 1
+
+lxc exec "$CONTAINER_NAME" -- bash -c "
+# Create systemd service
+cat > /etc/systemd/system/alm-ci.service <<EOF
+[Unit]
+Description=ALM CI Runner
+After=network.target
+
+[Service]
+Type=simple
+User=root
+Group=root
+WorkingDirectory=$BIN_PATH
+ExecStart=$BIN_PATH/forgejo-runner daemon
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+# Enable and start service
+systemctl daemon-reload || { echo 'daemon-reload failed'; exit 1; }
+systemctl enable alm-ci || { echo 'enable service failed'; exit 1; }
+systemctl start alm-ci || { echo 'start service failed'; exit 1; }
+"

gb-infra/src/templates/opt/gbo/tenants/default/alm/alm.sh

@@ -0,0 +1,65 @@
+#!/bin/bash
+
+HOST_BASE="/opt/gbo/tenants/$PARAM_TENANT/alm"
+HOST_DATA="$HOST_BASE/data"
+HOST_CONF="$HOST_BASE/conf"
+HOST_LOGS="$HOST_BASE/logs"
+ALM_PATH=/opt/gbo/bin
+
+mkdir -p "$HOST_DATA" "$HOST_CONF" "$HOST_LOGS"
+chmod -R 750 "$HOST_BASE"
+
+lxc launch images:debian/12 "$PARAM_TENANT"-alm -c security.privileged=true
+sleep 15
+
+lxc exec "$PARAM_TENANT"-alm -- bash -c "
+apt-get update && apt-get install -y git git-lfs wget
+mkdir -p /opt/gbo/bin
+wget https://codeberg.org/forgejo/forgejo/releases/download/v10.0.2/forgejo-10.0.2-linux-amd64 -O $ALM_PATH/forgejo
+chmod +x $ALM_PATH/forgejo
+useradd --system --no-create-home --shell /bin/false alm
+"
+
+FORGEJO_UID=$(lxc exec "$PARAM_TENANT"-alm -- id -u alm)
+FORGEJO_GID=$(lxc exec "$PARAM_TENANT"-alm -- id -g alm)
+HOST_FORGEJO_UID=$((100000 + FORGEJO_UID))
+HOST_FORGEJO_GID=$((100000 + FORGEJO_GID))
+chown -R "$HOST_FORGEJO_UID:$HOST_FORGEJO_GID" "$HOST_BASE"
+
+lxc config device add "$PARAM_TENANT"-alm almdata disk source="$HOST_DATA" path=/opt/gbo/data
+lxc config device add "$PARAM_TENANT"-alm almconf disk source="$HOST_CONF" path=/opt/gbo/conf
+lxc config device add "$PARAM_TENANT"-alm almlogs disk source="$HOST_LOGS" path=/opt/gbo/logs
+
+lxc exec "$PARAM_TENANT"-alm -- bash -c "
+mkdir -p /opt/gbo/data /opt/gbo/conf /opt/gbo/logs
+chown -R alm:alm /opt/gbo
+
+
+cat > /etc/systemd/system/alm.service <<EOF
+[Unit]
+Description=alm
+After=network.target
+
+[Service]
+User=alm
+Group=alm
+WorkingDirectory=/opt/gbo/data
+ExecStart=/opt/gbo/bin/forgejo web --config /opt/gbo/conf/app.ini
+Restart=always
+Environment=USER=alm HOME=/opt/gbo/data
+StandardOutput=append:/opt/gbo/logs/stdout.log
+StandardError=append:/opt/gbo/logs/stderr.log
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+systemctl daemon-reload
+systemctl enable alm
+systemctl start alm
+"
+
+lxc config device remove "$PARAM_TENANT"-alm alm-proxy 2>/dev/null || true
+lxc config device add "$PARAM_TENANT"-alm alm-proxy proxy \
+    listen=tcp:0.0.0.0:"$PARAM_ALM_PORT" \
+    connect=tcp:127.0.0.1:"$PARAM_ALM_PORT"

gb-infra/src/templates/opt/gbo/tenants/default/bot/bot.sh

@@ -0,0 +1,112 @@
+#!/bin/bash
+
+HOST_BASE="/opt/gbo/tenants/$PARAM_TENANT/bot"
+HOST_DATA="$HOST_BASE/data"
+HOST_CONF="$HOST_BASE/conf"
+HOST_LOGS="$HOST_BASE/logs"
+
+mkdir -p "$HOST_DATA" "$HOST_CONF" "$HOST_LOGS"
+chmod -R 750 "$HOST_BASE"
+
+lxc launch images:debian/12 "$PARAM_TENANT"-bot -c security.privileged=true
+sleep 15
+
+lxc exec "$PARAM_TENANT"-bot -- bash -c "
+apt-get update && apt-get install -y \
+build-essential cmake git pkg-config libjpeg-dev libtiff-dev \
+libpng-dev libavcodec-dev libavformat-dev libswscale-dev \
+libv4l-dev libatlas-base-dev gfortran python3-dev cpulimit \
+expect libxtst-dev libpng-dev
+
+sudo apt-get install -y libcairo2-dev libpango1.0-dev libgif-dev librsvg2-dev
+sudo apt install xvfb -y
+
+sudo apt install -y \
+  libnss3 \
+  libatk1.0-0 \
+  libatk-bridge2.0-0 \
+  libcups2 \
+  libdrm2 \
+  libxkbcommon0 \
+  libxcomposite1 \
+  libxdamage1 \
+  libxfixes3 \
+  libxrandr2 \
+  libgbm1 \
+  libasound2 \
+  libpangocairo-1.0-0
+
+export OPENCV4NODEJS_DISABLE_AUTOBUILD=1
+export OPENCV_LIB_DIR=/usr/lib/x86_64-linux-gnu
+
+useradd --system --no-create-home --shell /bin/false gbuser
+"
+
+BOT_UID=$(lxc exec "$PARAM_TENANT"-bot -- id -u gbuser)
+BOT_GID=$(lxc exec "$PARAM_TENANT"-bot -- id -g gbuser)
+HOST_BOT_UID=$((100000 + BOT_UID))
+HOST_BOT_GID=$((100000 + BOT_GID))
+chown -R "$HOST_BOT_UID:$HOST_BOT_GID" "$HOST_BASE"
+
+lxc config device add "$PARAM_TENANT"-bot botdata disk source="$HOST_DATA" path=/opt/gbo/data
+lxc config device add "$PARAM_TENANT"-bot botconf disk source="$HOST_CONF" path=/opt/gbo/conf
+lxc config device add "$PARAM_TENANT"-bot botlogs disk source="$HOST_LOGS" path=/opt/gbo/logs
+
+lxc exec "$PARAM_TENANT"-bot -- bash -c '
+mkdir -p /opt/gbo/data /opt/gbo/conf /opt/gbo/logs
+
+sudo apt update
+sudo apt install -y curl gnupg ca-certificates git
+
+# Install Node.js 22.x
+curl -fsSL https://deb.nodesource.com/setup_22.x | sudo bash -
+sudo apt install -y nodejs
+
+# Install Xvfb and other dependencies
+sudo apt install -y xvfb libgbm-dev
+
+# Clone and setup bot server
+cd /opt/gbo/data
+git clone https://alm.pragmatismo.com.br/generalbots/botserver.git
+cd botserver
+npm install
+npx puppeteer browsers install chrome
+./node_modules/.bin/tsc
+cd packages/default.gbui
+npm install
+npm run build
+
+chown -R gbuser:gbuser /opt/gbo
+
+# Create systemd service
+sudo tee /etc/systemd/system/bot.service > /dev/null <<EOF
+[Unit]
+Description=Bot Server
+After=network.target
+
+[Service]
+User=gbuser
+Group=gbuser
+Environment="DISPLAY=:99"
+ExecStartPre=/bin/bash -c "/usr/bin/Xvfb :99 -screen 0 1024x768x24 -ac +extension GLX +render -noreset &"
+WorkingDirectory=/opt/gbo/data/botserver
+ExecStart=/usr/bin/node /opt/gbo/data/botserver/boot.mjs
+Restart=always
+RestartSec=5
+StandardOutput=append:/opt/gbo/logs/stdout.log
+StandardError=append:/opt/gbo/logs/stderr.log
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+# Reload and start service
+sudo systemctl daemon-reload
+sudo systemctl enable bot.service
+sudo systemctl start bot.service
+'
+
+lxc config device remove "$PARAM_TENANT"-bot bot-proxy 2>/dev/null || true
+lxc config device add "$PARAM_TENANT"-bot bot-proxy proxy \
+    listen=tcp:0.0.0.0:"$PARAM_BOT_PORT" \
+    connect=tcp:127.0.0.1:"$PARAM_BOT_PORT"

gb-infra/src/templates/opt/gbo/tenants/default/directory/directory.sh

@@ -0,0 +1,67 @@
+#!/bin/bash
+
+HOST_BASE="/opt/gbo/tenants/$PARAM_TENANT/directory"
+HOST_DATA="$HOST_BASE/data"
+HOST_CONF="$HOST_BASE/conf"
+HOST_LOGS="$HOST_BASE/logs"
+
+sudo mkdir -p "$HOST_DATA" "$HOST_CONF" "$HOST_LOGS"
+sudo chmod -R 750 "$HOST_BASE"
+
+lxc launch images:debian/12 "$PARAM_TENANT"-directory -c security.privileged=true
+sleep 15
+
+lxc exec "$PARAM_TENANT"-directory -- bash -c "
+apt-get update && apt-get install -y wget libcap2-bin
+wget -c https://github.com/zitadel/zitadel/releases/download/v2.71.2/zitadel-linux-amd64.tar.gz -O - | tar -xz -C /tmp
+mkdir -p /opt/gbo/bin
+mv /tmp/zitadel-linux-amd64/zitadel /opt/gbo/bin/zitadel
+chmod +x /opt/gbo/bin/zitadel
+sudo setcap 'cap_net_bind_service=+ep' /opt/gbo/bin/zitadel
+
+useradd --system --no-create-home --shell /bin/false gbuser
+mkdir -p /opt/gbo/data /opt/gbo/conf /opt/gbo/logs
+chown -R gbuser:gbuser /opt/gbo/data /opt/gbo/conf /opt/gbo/logs /opt/gbo/bin
+"
+
+GBUSER_UID=$(lxc exec "$PARAM_TENANT"-directory -- id -u gbuser)
+GBUSER_GID=$(lxc exec "$PARAM_TENANT"-directory -- id -g gbuser)
+HOST_GBUSER_UID=$((100000 + GBUSER_UID))
+HOST_GBUSER_GID=$((100000 + GBUSER_GID))
+sudo chown -R "$HOST_GBUSER_UID:$HOST_GBUSER_GID" "$HOST_BASE"
+
+lxc config device add "$PARAM_TENANT"-directory directorydata disk source="$HOST_DATA" path=/opt/gbo/data
+lxc config device add "$PARAM_TENANT"-directory directoryconf disk source="$HOST_CONF" path=/opt/gbo/conf
+lxc config device add "$PARAM_TENANT"-directory directorylogs disk source="$HOST_LOGS" path=/opt/gbo/logs
+
+lxc exec "$PARAM_TENANT"-directory -- bash -c "
+chown -R gbuser:gbuser /opt/gbo/data /opt/gbo/conf /opt/gbo/logs /opt/gbo/bin
+
+cat > /etc/systemd/system/directory.service <<EOF
+[Unit]
+Description=Directory Service
+After=network.target
+
+[Service]
+Type=simple
+User=gbuser
+Group=gbuser
+ExecStart=/opt/gbo/bin/zitadel start --masterkey $PARAM_DIRECTORY_MASTERKEY --config /opt/gbo/conf/config.yaml --tlsMode external
+WorkingDirectory=/opt/gbo/bin
+StandardOutput=append:/opt/gbo/logs/output.log
+StandardError=append:/opt/gbo/logs/error.log
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+systemctl daemon-reload
+systemctl enable directory
+systemctl start directory
+"
+
+lxc config device remove "$PARAM_TENANT"-directory directory-proxy 2>/dev/null || true
+lxc config device add "$PARAM_TENANT"-directory directory-proxy proxy \
+    listen=tcp:0.0.0.0:"$PARAM_DIRECTORY_PORT" \
+    connect=tcp:127.0.0.1:"$PARAM_DIRECTORY_PORT"

gb-infra/src/templates/opt/gbo/tenants/default/drive/drive.sh

@@ -0,0 +1,56 @@
+#!/bin/bash
+STORAGE_PATH="/opt/gbo/tenants/$PARAM_TENANT/drive/data"
+LOGS_PATH="/opt/gbo/tenants/$PARAM_TENANT/drive/logs"
+
+mkdir -p "${STORAGE_PATH}" "${LOGS_PATH}"
+chmod -R 770 "${STORAGE_PATH}" "${LOGS_PATH}"
+chown -R 100999:100999 "${STORAGE_PATH}" "${LOGS_PATH}"
+
+lxc launch images:debian/12 "${PARAM_TENANT}-drive" -c security.privileged=true
+sleep 15
+
+lxc config device add "${PARAM_TENANT}-drive" storage disk source="${STORAGE_PATH}" path=/data
+lxc config device add "${PARAM_TENANT}-drive" logs disk source="${LOGS_PATH}" path=/var/log/minio
+
+lxc exec "${PARAM_TENANT}-drive" -- bash -c '
+apt-get update && apt-get install -y wget
+wget https://dl.min.io/server/minio/release/linux-amd64/minio -O /usr/local/bin/minio
+chmod +x /usr/local/bin/minio
+
+useradd -r -s /bin/false minio-user || true
+mkdir -p /var/log/minio /data
+chown -R minio-user:minio-user /var/log/minio /data
+
+cat > /etc/systemd/system/minio.service <<EOF
+[Unit]
+Description=MinIO
+After=network.target
+
+[Service]
+Type=simple
+User=minio-user
+Group=minio-user
+Environment="MINIO_ROOT_USER='"${PARAM_DRIVE_USER}"'"
+Environment="MINIO_ROOT_PASSWORD='"${PARAM_DRIVE_PASSWORD}"'"
+ExecStart=/usr/local/bin/minio server --console-address ":'"${PARAM_DRIVE_PORT}"'" /data
+StandardOutput=append:/var/log/minio/output.log
+StandardError=append:/var/log/minio/error.log
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+systemctl daemon-reload
+systemctl enable minio
+systemctl start minio
+'
+
+lxc config device remove "${PARAM_TENANT}-drive" minio-proxy 2>/dev/null || true
+lxc config device add "${PARAM_TENANT}-drive" minio-proxy proxy \
+    listen=tcp:0.0.0.0:"${PARAM_DRIVE_API_PORT}" \
+    connect=tcp:127.0.0.1:"${PARAM_DRIVE_API_PORT}"
+
+lxc config device remove "${PARAM_TENANT}-drive" console-proxy 2>/dev/null || true
+lxc config device add "${PARAM_TENANT}-drive" console-proxy proxy \
+    listen=tcp:0.0.0.0:"${PARAM_DRIVE_PORT}" \
+    connect=tcp:127.0.0.1:"${PARAM_DRIVE_PORT}"

gb-infra/src/templates/opt/gbo/tenants/default/email/email.sh

@@ -0,0 +1,94 @@
+#!/bin/bash
+PUBLIC_INTERFACE="eth0"                 # Your host's public network interface
+
+# Enable IP forwarding
+echo "[HOST] Enabling IP forwarding..."
+echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.conf
+sudo sysctl -p
+
+# Configure firewall
+echo "[HOST] Configuring firewall..."
+sudo iptables -A FORWARD -i $PUBLIC_INTERFACE -o lxcbr0 -p tcp -m multiport --dports 25,80,110,143,465,587,993,995,4190 -j ACCEPT
+sudo iptables -A FORWARD -i lxcbr0 -o $PUBLIC_INTERFACE -m state --state RELATED,ESTABLISHED -j ACCEPT
+sudo iptables -t nat -A POSTROUTING -o $PUBLIC_INTERFACE -j MASQUERADE
+
+# Save iptables rules permanently (adjust based on your distro)
+if command -v iptables-persistent >/dev/null; then
+    sudo iptables-save | sudo tee /etc/iptables/rules.v4
+fi
+
+
+# ------------------------- CONTAINER SETUP -------------------------
+
+# Create directory structure
+echo "[CONTAINER] Creating directories..."
+HOST_BASE="/opt/gbo/tenants/$PARAM_TENANT/email"
+HOST_DATA="$HOST_BASE/data"
+HOST_CONF="$HOST_BASE/conf"
+HOST_LOGS="$HOST_BASE/logs"
+
+sudo mkdir -p "$HOST_DATA" "$HOST_CONF" "$HOST_LOGS"
+sudo chmod -R 750 "$HOST_BASE"
+
+# Launch container
+echo "[CONTAINER] Launching LXC container..."
+lxc launch images:debian/12 "$PARAM_TENANT"-email -c security.privileged=true
+sleep 15
+
+echo "[CONTAINER] Installing Stalwart Mail..."
+lxc exec "$PARAM_TENANT"-email -- bash -c "
+apt-get update && apt-get install -y wget libcap2-bin
+wget -O /tmp/stalwart.tar.gz https://github.com/stalwartlabs/stalwart/releases/download/v0.12.4/stalwart-x86_64-unknown-linux-gnu.tar.gz
+                             
+tar -xzf /tmp/stalwart.tar.gz -C /tmp
+mkdir -p /opt/gbo/bin
+mv /tmp/stalwart /opt/gbo/bin/stalwart
+chmod +x /opt/gbo/bin/stalwart
+sudo setcap 'cap_net_bind_service=+ep' /opt/gbo/bin/stalwart
+rm /tmp/stalwart.tar.gz
+
+useradd --system --no-create-home --shell /bin/false email
+mkdir -p /opt/gbo/data /opt/gbo/conf /opt/gbo/logs
+chown -R email:email /opt/gbo/data /opt/gbo/conf /opt/gbo/logs /opt/gbo/bin
+"
+
+# Set permissions
+echo "[CONTAINER] Setting permissions..."
+EMAIL_UID=$(lxc exec "$PARAM_TENANT"-email -- id -u email)
+EMAIL_GID=$(lxc exec "$PARAM_TENANT"-email -- id -g email)
+HOST_EMAIL_UID=$((100000 + EMAIL_UID))
+HOST_EMAIL_GID=$((100000 + EMAIL_GID))
+sudo chown -R "$HOST_EMAIL_UID:$HOST_EMAIL_GID" "$HOST_BASE"
+
+# Mount directories
+echo "[CONTAINER] Mounting directories..."
+lxc config device add "$PARAM_TENANT"-email emaildata disk source="$HOST_DATA" path=/opt/gbo/data
+lxc config device add "$PARAM_TENANT"-email emailconf disk source="$HOST_CONF" path=/opt/gbo/conf
+lxc config device add "$PARAM_TENANT"-email emaillogs disk source="$HOST_LOGS" path=/opt/gbo/logs
+
+# Create systemd service
+echo "[CONTAINER] Creating email service..."
+lxc exec "$PARAM_TENANT"-email -- bash -c "
+chown -R email:email /opt/gbo/data /opt/gbo/conf /opt/gbo/logs /opt/gbo/bin
+
+cat > /etc/systemd/system/email.service <<EOF
+[Unit]
+Description=Email Service
+After=network.target
+
+[Service]
+Type=simple
+User=email
+Group=email
+ExecStart=/opt/gbo/bin/stalwart --config /opt/gbo/conf/config.toml
+WorkingDirectory=/opt/gbo/bin
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+systemctl daemon-reload
+systemctl enable email
+systemctl start email
+"

gb-infra/src/templates/opt/gbo/tenants/default/meeting/meeting.sh

@@ -0,0 +1,89 @@
+#!/bin/bash
+
+HOST_BASE="/opt/gbo/tenants/$PARAM_TENANT/meeting"
+HOST_DATA="$HOST_BASE/data"
+HOST_CONF="$HOST_BASE/conf"
+HOST_LOGS="$HOST_BASE/logs"
+
+mkdir -p "$HOST_DATA" "$HOST_CONF" "$HOST_LOGS"
+chmod -R 750 "$HOST_BASE"
+
+lxc launch images:debian/12 "$PARAM_TENANT"-meeting -c security.privileged=true
+sleep 15
+
+lxc exec "$PARAM_TENANT"-meeting -- bash -c "
+
+apt-get update && apt-get install -y wget coturn
+mkdir -p /opt/gbo/bin
+cd /opt/gbo/bin
+wget -q https://github.com/livekit/livekit/releases/download/v1.8.4/livekit_1.8.4_linux_amd64.tar.gz
+tar -xzf livekit*.tar.gz
+rm livekit_1.8.4_linux_amd64.tar.gz
+chmod +x livekit-server
+
+while netstat -tuln | grep -q \":$PARAM_MEETING_TURN_PORT \"; do
+  ((PARAM_MEETING_TURN_PORT++))
+done
+
+useradd --system --no-create-home --shell /bin/false gbuser
+
+"
+
+MEETING_UID=$(lxc exec "$PARAM_TENANT"-meeting -- id -u gbuser)
+MEETING_GID=$(lxc exec "$PARAM_TENANT"-meeting -- id -g gbuser)
+HOST_MEETING_UID=$((100000 + MEETING_UID))
+HOST_MEETING_GID=$((100000 + MEETING_GID))
+chown -R "$HOST_MEETING_UID:$HOST_MEETING_GID" "$HOST_BASE"
+
+lxc config device add "$PARAM_TENANT"-meeting meetingdata disk source="$HOST_DATA" path=/opt/gbo/data
+lxc config device add "$PARAM_TENANT"-meeting meetingconf disk source="$HOST_CONF" path=/opt/gbo/conf
+lxc config device add "$PARAM_TENANT"-meeting meetinglogs disk source="$HOST_LOGS" path=/opt/gbo/logs
+
+lxc exec "$PARAM_TENANT"-meeting -- bash -c "
+
+mkdir -p /opt/gbo/data /opt/gbo/conf /opt/gbo/logs
+chown -R gbuser:gbuser /opt/gbo/data /opt/gbo/conf /opt/gbo/logs
+
+sudo chown gbuser:gbuser /var/run/turnserver.pid
+
+
+cat > /etc/systemd/system/meeting.service <<EOF
+[Unit]
+Description=LiveKit Server
+After=network.target
+
+[Service]
+User=gbuser
+Group=gbuser
+ExecStart=/opt/gbo/bin/livekit-server --config /opt/gbo/conf/config.yaml
+Restart=always
+Environment=TURN_PORT=$PARAM_MEETING_TURN_PORT
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+cat > /etc/systemd/system/meeting-turn.service <<EOF
+[Unit]
+Description=TURN Server
+After=network.target
+
+[Service]
+User=gbuser
+Group=gbuser
+ExecStart=/usr/bin/turnserver -c /opt/gbo/conf/turnserver.conf
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+systemctl daemon-reload
+systemctl enable meeting meeting-turn
+systemctl start meeting meeting-turn
+"
+
+lxc config device remove "$PARAM_TENANT"-meeting meeting-proxy 2>/dev/null || true
+lxc config device add "$PARAM_TENANT"-meeting meeting-proxy proxy \
+    listen=tcp:0.0.0.0:"$PARAM_MEETING_PORT" \
+    connect=tcp:127.0.0.1:"$PARAM_MEETING_PORT"

gb-infra/src/templates/opt/gbo/tenants/default/prompt.txt

@@ -0,0 +1,16 @@
+    do not comment or echo anything
+    
+    keep lines condensed
+    always call it <kind> not own name. Eg.: proxy instead of Caddy. alm instead of forgejo.
+    use KISS priciple
+     
+    use local /opt/gbo/{logs, data, conf} exposed as 
+        HOST_BASE="/opt/gbo/tenants/$PARAM_TENANT/<kind>"
+        HOST_DATA="$HOST_BASE/data" 
+        HOST_CONF="$HOST_BASE/conf"
+        HOST_LOGS="$HOST_BASE/logs"
+        instead of using app original paths.
+    and use /opt/gbo/bin to put local binaries of installations 
+    during sh exection, never touch files in /opt/gbo/{logs, data, conf}
+    use wget
+    use gbuser as system user

gb-infra/src/templates/opt/gbo/tenants/default/proxy/proxy.sh

@@ -0,0 +1,56 @@
+#!/bin/bash
+HOST_BASE="/opt/gbo/tenants/$PARAM_TENANT/proxy"
+HOST_DATA="$HOST_BASE/data"
+HOST_CONF="$HOST_BASE/conf"
+HOST_LOGS="$HOST_BASE/logs"
+mkdir -p "$HOST_BASE" "$HOST_DATA" "$HOST_CONF" "$HOST_LOGS"
+chmod 750 "$HOST_BASE" "$HOST_DATA" "$HOST_CONF" "$HOST_LOGS"
+
+lxc launch images:debian/12 "$PARAM_TENANT"-proxy -c security.privileged=true
+sleep 15
+
+lxc exec "$PARAM_TENANT"-proxy -- bash -c "
+mkdir -p /opt/gbo/{bin,data,conf,logs}
+apt-get update && apt-get install -y wget libcap2-bin
+wget -q https://github.com/caddyserver/caddy/releases/download/v2.10.0-beta.3/caddy_2.10.0-beta.3_linux_amd64.tar.gz
+tar -xzf caddy_2.10.0-beta.3_linux_amd64.tar.gz -C /opt/gbo/bin
+rm caddy_2.10.0-beta.3_linux_amd64.tar.gz
+chmod 750 /opt/gbo/bin/caddy
+setcap 'cap_net_bind_service=+ep' /opt/gbo/bin/caddy
+useradd --create-home --system --shell /usr/sbin/nologin gbuser
+chown -R gbuser:gbuser /opt/gbo/{bin,data,conf,logs}
+"
+
+lxc config device add "$PARAM_TENANT"-proxy data disk source="$HOST_DATA" path=/opt/gbo/data
+lxc config device add "$PARAM_TENANT"-proxy conf disk source="$HOST_CONF" path=/opt/gbo/conf
+lxc config device add "$PARAM_TENANT"-proxy logs disk source="$HOST_LOGS" path=/opt/gbo/logs
+
+lxc exec "$PARAM_TENANT"-proxy -- bash -c "
+cat > /etc/systemd/system/proxy.service <<EOF
+[Unit]
+Description=Proxy
+After=network.target
+[Service]
+User=gbuser
+Group=gbuser
+Environment=XDG_DATA_HOME=/opt/gbo/data
+ExecStart=/opt/gbo/bin/caddy run --config /opt/gbo/conf/config --adapter caddyfile
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+[Install]
+WantedBy=multi-user.target
+EOF
+systemctl daemon-reload
+
+chown -R gbuser:gbuser /opt/gbo/{bin,data,conf,logs}
+
+systemctl enable proxy
+"
+
+for port in 80 443; do
+lxc config device remove "$PARAM_TENANT"-proxy "port-$port" 2>/dev/null || true
+lxc config device add "$PARAM_TENANT"-proxy "port-$port" proxy listen=tcp:0.0.0.0:$port connect=tcp:127.0.0.1:$port
+done
+
+lxc config set "$PARAM_TENANT"-proxy security.syscalls.intercept.mknod true
+lxc config set "$PARAM_TENANT"-proxy security.syscalls.intercept.setxattr true

gb-infra/src/templates/opt/gbo/tenants/default/shared/scripts/check-space.sh

@@ -0,0 +1,5 @@
+printf "%-20s %-10s %-10s %-10s %-6s %s\n" "CONTAINER" "USED" "AVAIL" "TOTAL" "USE%" "MOUNT"
+for container in $(lxc list -c n --format csv); do
+    disk_info=$(lxc exec $container -- df -h / --output=used,avail,size,pcent | tail -n 1)
+    printf "%-20s %s\n" "$container" "$disk_info"
+done

gb-infra/src/templates/opt/gbo/tenants/default/shared/scripts/limits.sh

@@ -0,0 +1,54 @@
+#!/usr/bin/env bash
+
+# Define container limits in an associative array
+declare -A container_limits=(
+    # Pattern       Memory    CPU Allowance
+    ["*tables*"]="2048MB:33ms/100ms"
+    ["*alm*"]="5126MB:15ms/100ms"
+    ["*email*"]="4024MB:100ms/100ms"
+    ["*webmail*"]="1024MB:20ms/100ms"
+    ["*bot*"]="2048MB:20ms/100ms"
+    ["*drive*"]="1024MB:20ms/100ms"
+)
+
+# Default values (for containers that don't match any pattern)
+DEFAULT_MEMORY="1024MB"
+DEFAULT_CPU_ALLOWANCE="15ms/100ms"
+CPU_COUNT=1
+CPU_PRIORITY=10
+
+# Configure all containers
+for container in $(lxc list -c n --format csv); do
+    echo "Configuring $container..."
+    
+    memory=$DEFAULT_MEMORY
+    cpu_allowance=$DEFAULT_CPU_ALLOWANCE
+    
+    # Check if container matches any pattern
+    for pattern in "${!container_limits[@]}"; do
+        if [[ $container == $pattern ]]; then
+            IFS=':' read -r memory cpu_allowance <<< "${container_limits[$pattern]}"
+            break
+        fi
+    done
+    
+    # Apply configuration
+    lxc config set "$container" limits.memory "$memory"
+    lxc config set "$container" limits.cpu.allowance "$cpu_allowance"
+    lxc config set "$container" limits.cpu "$CPU_COUNT"
+    lxc config set "$container" limits.cpu.priority "$CPU_PRIORITY"
+done
+
+# Restart all containers
+echo "Restarting containers..."
+for container in $(lxc list -c n --format csv); do
+    echo "Restarting $container..."
+    lxc restart "$container"
+done
+
+# Verify configuration
+echo "Verifying limits..."
+for container in $(lxc list -c n --format csv); do
+    echo "--- $container ---"
+    lxc config show "$container" | grep -E "memory|cpu"
+done

gb-infra/src/templates/opt/gbo/tenants/default/shared/scripts/set-size-5GB.sh

@@ -0,0 +1,33 @@
+for container in $(lxc list --format csv -c n); do
+    echo "Processing $container..."
+    
+    # Stop container safely
+    lxc stop "$container" 
+
+    # Set new 5GB limit (works for most drivers)
+    if ! lxc config device override "$container" root size=5GB; then
+        echo "Failed to set config, trying alternative method..."
+        lxc config device set "$container" root size=5GB
+    fi
+    
+    # Start container
+    lxc start "$container"
+    
+    # Find root device inside container
+    ROOT_DEV=$(lxc exec "$container" -- df / --output=source | tail -1)
+    
+    # Resize filesystem (with proper error handling)
+    if lxc exec "$container" -- which resize2fs >/dev/null 2>&1; then
+        echo "Resizing filesystem for $container..."
+        if [[ "$ROOT_DEV" == /dev/* ]]; then
+            lxc exec "$container" -- growpart "$(dirname "$ROOT_DEV")" "$(basename "$ROOT_DEV")"
+            lxc exec "$container" -- resize2fs "$ROOT_DEV"
+        else
+            echo "Non-standard root device $ROOT_DEV - manual resize needed"
+        fi
+    else
+        echo "resize2fs not available in $container - install it first"
+    fi
+    
+    echo "Completed $container"
+done

gb-infra/src/templates/opt/gbo/tenants/default/social/.sh

@@ -0,0 +1 @@
+https://www.brasil247.com/mundo/meta-quer-automatizar-totalmente-publicidade-com-ia-ate-2026-diz-wsj

gb-infra/src/templates/opt/gbo/tenants/default/tables/tables.sh

@@ -0,0 +1,91 @@
+
+HOST_BASE="/opt/gbo/tenants/$PARAM_TENANT/tables"
+HOST_DATA="$HOST_BASE/data"
+HOST_CONF="$HOST_BASE/conf"
+HOST_LOGS="$HOST_BASE/logs"
+
+mkdir -p "$HOST_DATA" "$HOST_CONF" "$HOST_LOGS"
+
+lxc launch images:debian/12 "$PARAM_TENANT"-tables -c security.privileged=true
+
+until lxc exec "$PARAM_TENANT"-tables -- test -f /bin/bash; do
+
+    sleep 5
+done
+sleep 10
+
+lxc exec "$PARAM_TENANT"-tables -- bash -c "
+set -e
+export DEBIAN_FRONTEND=noninteractive
+apt-get update
+apt-get install -y wget gnupg2 sudo lsb-release
+CODENAME=\$(lsb_release -cs)
+
+wget --quiet -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | gpg --dearmor > /etc/apt/trusted.gpg.d/postgresql.gpg
+apt-get install -y postgresql-14 postgresql-client-14
+if ! id postgres &>/dev/null; then
+
+    exit 1
+fi
+systemctl stop postgresql@14-main 2>/dev/null || systemctl stop postgresql 2>/dev/null || true
+"
+
+POSTGRES_UID=$(lxc exec "$PARAM_TENANT"-tables -- id -u postgres)
+POSTGRES_GID=$(lxc exec "$PARAM_TENANT"-tables -- id -g postgres)
+
+HOST_POSTGRES_UID=$((100000 + POSTGRES_UID))
+HOST_POSTGRES_GID=$((100000 + POSTGRES_GID))
+
+chown -R "$HOST_POSTGRES_UID:$HOST_POSTGRES_GID" "$HOST_BASE"
+chmod -R 750 "$HOST_BASE"
+
+lxc config device add "$PARAM_TENANT"-tables pgdata disk source="$HOST_DATA" path=/var/lib/postgresql/14/main
+lxc config device add "$PARAM_TENANT"-tables pgconf disk source="$HOST_CONF" path=/etc/postgresql/14/main
+lxc config device add "$PARAM_TENANT"-tables pglogs disk source="$HOST_LOGS" path=/var/log/postgresql
+
+mkdir -p /var/lib/postgresql/14/main
+mkdir -p /etc/postgresql/14/main
+mkdir -p /var/log/postgresql
+chown -R postgres:postgres /var/lib/postgresql/14/main
+chown -R postgres:postgres /etc/postgresql/14/main
+chown -R postgres:postgres /var/log/postgresql
+chmod 700 /var/lib/postgresql/14/main
+
+sudo -u postgres /usr/lib/postgresql/14/bin/initdb -D /var/lib/postgresql/14/main
+
+cat > /etc/postgresql/14/main/postgresql.conf <<EOF
+data_directory = '/var/lib/postgresql/14/main'
+hba_file = '/etc/postgresql/14/main/pg_hba.conf'
+ident_file = '/etc/postgresql/14/main/pg_ident.conf'
+listen_addresses = '*'
+port = $PARAM_TABLES_PORT
+max_connections = 100
+shared_buffers = 128MB
+log_destination = 'stderr'
+logging_collector = on
+log_directory = '/var/log/postgresql'
+log_filename = 'postgresql-%Y-%m-%d_%H%M%S.log'
+EOF
+
+cat > /etc/postgresql/14/main/pg_hba.conf <<EOF
+local   all             postgres                                peer
+local   all             all                                     peer
+host    all             all             127.0.0.1/32            md5
+host    all             all             ::1/128                 md5
+host    all             all             0.0.0.0/0               md5
+systemctl start postgresql@14-main
+systemctl enable postgresql@14-main
+EOF
+
+lxc config device remove "$PARAM_TENANT"-tables postgres-proxy 2>/dev/null || true
+lxc config device add "$PARAM_TENANT"-tables postgres-proxy proxy \
+    listen=tcp:0.0.0.0:"$PARAM_TABLES_PORT" \
+    connect=tcp:127.0.0.1:"$PARAM_TABLES_PORT"
+
+cd /var/lib/postgresql
+until sudo -u postgres psql -p $PARAM_TABLES_PORT -c '\q' 2>/dev/null; do 
+
+sleep 3
+sudo -u "$PARAM_TABLES_USER" psql -p $PARAM_TABLES_PORT -c \"CREATE USER $PARAM_TENANT WITH PASSWORD '$PARAM_TABLES_PASSWORD';\" 2>/dev/null
+sudo -u "$PARAM_TABLES_USER" psql -p $PARAM_TABLES_PORT -c \"CREATE DATABASE ${PARAM_TENANT}_db OWNER $PARAM_TENANT;\" 2>/dev/null
+sudo -u "$PARAM_TABLES_USER" psql -p $PARAM_TABLES_PORT -c \"GRANT ALL PRIVILEGES ON DATABASE ${PARAM_TENANT}_db TO $PARAM_TENANT;\" 2>/dev/null

gb-infra/src/templates/opt/gbo/tenants/default/webmail/webmail.sh

@@ -0,0 +1,103 @@
+#!/bin/bash
+
+HOST_BASE="/opt/gbo/tenants/$PARAM_TENANT/webmail"
+HOST_DATA="$HOST_BASE/data"
+HOST_CONF="$HOST_BASE/conf"
+HOST_LOGS="$HOST_BASE/logs"
+
+PARAM_RC_VERSION="1.6.6"
+
+mkdir -p "$HOST_DATA" "$HOST_CONF" "$HOST_LOGS"
+chmod -R 750 "$HOST_BASE"
+
+lxc launch images:debian/12 "$PARAM_TENANT"-webmail -c security.privileged=true
+sleep 15
+
+RC_PATH="/opt/gbo/data"
+
+lxc exec "$PARAM_TENANT"-webmail -- bash -c '
+# Install prerequisites
+apt install -y ca-certificates apt-transport-https lsb-release gnupg wget
+
+# Add the Sury PHP repository (official for Debian)
+wget -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg
+sh -c '\''echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/php.list'\''
+
+# Update and install PHP 8.1
+apt update
+apt install -y \
+    php8.1 \
+    php8.1-fpm \
+    php8.1-imap \
+    php8.1-pgsql \
+    php8.1-mbstring \
+    php8.1-xml \
+    php8.1-curl \
+    php8.1-zip \
+    php8.1-cli \
+    php8.1-intl \
+    php8.1-dom
+
+# Restart PHP-FPM
+systemctl restart php8.1-fpm
+
+mkdir -p '"$RC_PATH"'
+wget -q https://github.com/roundcube/roundcubemail/releases/download/'"$PARAM_RC_VERSION"'/roundcubemail-'"$PARAM_RC_VERSION"'-complete.tar.gz
+tar -xzf roundcubemail-*.tar.gz
+mv roundcubemail-'"$PARAM_RC_VERSION"'/* '"$RC_PATH"'
+rm -rf roundcubemail-*
+
+mkdir -p /opt/gbo/logs
+
+chmod 750 '"$RC_PATH"'
+find '"$RC_PATH"' -type d -exec chmod 750 {} \;
+find '"$RC_PATH"' -type f -exec chmod 640 {} \;
+
+'
+
+WEBMAIL_UID=$(lxc exec "$PARAM_TENANT"-webmail -- id -u www-data)
+WEBMAIL_GID=$(lxc exec "$PARAM_TENANT"-webmail -- id -g www-data)
+HOST_WEBMAIL_UID=$((100000 + WEBMAIL_UID))
+HOST_WEBMAIL_GID=$((100000 + WEBMAIL_GID))
+chown -R "$HOST_WEBMAIL_UID:$HOST_WEBMAIL_GID" "$HOST_BASE"
+
+lxc config device add "$PARAM_TENANT"-webmail webmaildata disk source="$HOST_DATA" path="$RC_PATH"
+lxc config device add "$PARAM_TENANT"-webmail webmaillogs disk source="$HOST_LOGS" path=/opt/gbo/logs
+
+lxc exec "$PARAM_TENANT"-webmail -- bash -c "
+chown -R www-data:www-data '"$RC_PATH"' /opt/gbo/logs
+cat > /etc/systemd/system/webmail.service <<EOF
+[Unit]
+Description=Roundcube Webmail
+After=network.target php8.1-fpm.service
+
+[Service]
+User=www-data
+Group=www-data
+WorkingDirectory=$RC_PATH
+ExecStart=/usr/bin/php -S 0.0.0.0:$PARAM_WEBMAIL_PORT -t $RC_PATH/wwwroot/public_html
+Restart=always
+StandardOutput=append:/opt/gbo/logs/stdout.log
+StandardError=append:/opt/gbo/logs/stderr.log
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+systemctl daemon-reload
+systemctl enable webmail
+systemctl restart php8.1-fpm
+systemctl start webmail
+"
+
+# Check if port is available before adding proxy
+if lsof -i :$PARAM_WEBMAIL_PORT >/dev/null; then
+    echo "Port $PARAM_WEBMAIL_PORT is already in use. Please choose a different port."
+    exit 1
+fi
+
+
+lxc config device remove "$PARAM_TENANT"-webmail webmail-proxy 2>/dev/null || true
+lxc config device add "$PARAM_TENANT"-webmail webmail-proxy proxy \
+    listen=tcp:0.0.0.0:"$PARAM_WEBMAIL_PORT" \
+    connect=tcp:127.0.0.1:"$PARAM_WEBMAIL_PORT"