DevOps Deployment Guide - Yaltipia Telegram Bot
📋 QUICK DEPLOYMENT CHECKLIST
⚡ Pre-Deployment (5 minutes)
- Clone repository (exclude .env files)
- Install Node.js 16+ and npm
- Create production environment file
- Set up process manager (PM2 recommended)
- Configure firewall (ports 3000, 3001)
🔒 Security Requirements (Critical)
- Generate new bot token in BotFather (never use development token)
- Use HTTPS URLs only (no HTTP in production)
- Set strong admin chat IDs
- Configure monitoring alerts
STEP-BY-STEP DEPLOYMENT
1. 📦 Server Setup
# Install Node.js (Ubuntu/Debian)
curl -fsSL https://deb.nodesource.com/setup_18.x | sudo -E bash -
sudo apt-get install -y nodejs
# Install PM2 globally
sudo npm install -g pm2
# Create application user
sudo useradd -m -s /bin/bash yaltipia-bot
sudo mkdir -p /opt/yaltipia-bot
sudo chown yaltipia-bot:yaltipia-bot /opt/yaltipia-bot
2. 📥 Application Deployment
# Switch to app user
sudo su - yaltipia-bot
# Clone repository
cd /opt/yaltipia-bot
git clone <your-repository-url> .
# Install dependencies (production only)
npm ci --only=production
# Set proper permissions
chmod 755 src/
chmod 644 package*.json
3. 🔧 Environment Configuration
# Copy production template
cp .env.production .env
# Edit with production values
nano .env
Required Environment Variables:
# CRITICAL: Replace with production values
TELEGRAM_BOT_TOKEN=YOUR_PRODUCTION_BOT_TOKEN
API_BASE_URL=https://your-production-api.com/api
WEBSITE_URL=https://yaltipia.com
# Notification System
NOTIFICATION_MODE=optimized
NOTIFICATION_CHECK_INTERVAL_HOURS=6
MAX_NOTIFICATIONS_PER_USER=3
SEND_NO_MATCH_NOTIFICATIONS=false
# Monitoring (Replace with your admin chat)
ADMIN_CHAT_IDS=YOUR_ADMIN_CHAT_ID
MONITORING_TOPIC_ID=YOUR_TOPIC_ID
HEALTH_CHECK_INTERVAL_MINUTES=30
DAILY_REPORT_HOUR=9
ERROR_CLEANUP_INTERVAL_HOURS=1
# Security
NODE_ENV=production
WEBHOOK_PORT=3001
4. 🔒 Security Hardening
# Set secure file permissions
chmod 600 .env
chmod 700 /opt/yaltipia-bot
# Create systemd service (optional)
sudo tee /etc/systemd/system/yaltipia-bot.service > /dev/null <<EOF
[Unit]
Description=Yaltipia Telegram Bot
After=network.target
[Service]
Type=simple
User=yaltipia-bot
WorkingDirectory=/opt/yaltipia-bot
ExecStart=/usr/bin/node src/bot.js
Restart=always
RestartSec=10
Environment=NODE_ENV=production
[Install]
WantedBy=multi-user.target
EOF
5. 🚀 Start Application
# Using PM2 (Recommended)
pm2 start src/bot.js --name "yaltipia-bot" --env production
pm2 save
pm2 startup
# OR using systemd
sudo systemctl enable yaltipia-bot
sudo systemctl start yaltipia-bot
6. 🔥 Firewall Configuration
# Ubuntu/Debian with UFW
sudo ufw allow 22/tcp # SSH
sudo ufw allow 80/tcp # HTTP (if needed)
sudo ufw allow 443/tcp # HTTPS
sudo ufw allow 3001/tcp # Webhook port (if using webhooks)
sudo ufw enable
# CentOS/RHEL with firewalld
sudo firewall-cmd --permanent --add-port=3001/tcp
sudo firewall-cmd --reload
📊 MONITORING & HEALTH CHECKS
🔍 Verify Deployment
# Check application status
pm2 status
pm2 logs yaltipia-bot --lines 50
# Test bot responsiveness (TELEGRAM_BOT_TOKEN must be set in this shell, e.g. loaded from .env)
curl -s "https://api.telegram.org/bot${TELEGRAM_BOT_TOKEN}/getMe"
# Check webhook endpoint (if enabled)
curl -s http://localhost:3001/status
📈 Monitoring Setup
# Install the log rotation module (PM2 modules are installed with pm2 install, not npm install)
pm2 install pm2-logrotate
# Configure log rotation
pm2 set pm2-logrotate:max_size 10M
pm2 set pm2-logrotate:retain 7
pm2 set pm2-logrotate:compress true
🚨 Health Check Endpoints
| Endpoint | Purpose | Expected Response |
|---|---|---|
| GET /status | Application health | {"success": true, "webhook": {...}} |
| GET /webhook/health | Webhook health | {"success": true, "message": "..."} |
🔒 SECURITY CONFIGURATION
🛡️ Essential Security Measures
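# 1. Secure SSH (if not already done; confirm key-based login works first)
# Matches the directive whether it is commented out or already set
sudo sed -i -E 's/^#?PasswordAuthentication (yes|no)/PasswordAuthentication no/' /etc/ssh/sshd_config
sudo sshd -t   # validate the config before restarting
sudo systemctl restart sshd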
# 2. Install fail2ban
sudo apt-get install fail2ban
sudo systemctl enable fail2ban
# 3. Set up automatic security updates
sudo apt-get install unattended-upgrades
sudo dpkg-reconfigure -plow unattended-upgrades
🔐 Bot Security Checklist
- New bot token generated (not development token)
- Bot privacy mode enabled in BotFather
- Admin chat IDs verified and secured
- API endpoints use HTTPS only
- Environment variables secured (600 permissions)
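One way to check a finished .env against this checklist before starting the bot. This is an added example, not part of the Yaltipia repository; the `digits:secret` token shape and the comma-separated `ADMIN_CHAT_IDS` format are assumptions, and the sample file is constructed.

```shell
#!/bin/sh
# Added example, not from the Yaltipia repository. Variable names come from
# the guide's .env; the token shape and comma-separated IDs are assumptions.

# Read KEY's value without sourcing the file, so nothing in it is executed.
env_get() {  # usage: env_get FILE KEY
  sed -n "s/^$2=//p" "$1" | tail -n 1
}

# Print one FAIL line per finding; return the number of findings (0 = pass).
audit_env() {  # usage: audit_env FILE
  f=$1; findings=0
  fail() { echo "FAIL: $*"; findings=$((findings + 1)); }

  # Checklist: environment file secured with 600 permissions.
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
  [ "$mode" = 600 ] || fail "$f has mode $mode, expected 600"

  # Checklist: a real token, not the template placeholder (assumed shape).
  env_get "$f" TELEGRAM_BOT_TOKEN | grep -Eq '^[0-9]+:[A-Za-z0-9_-]{30,}$' ||
    fail "TELEGRAM_BOT_TOKEN is a placeholder or malformed"

  # Checklist: API endpoints use HTTPS only.
  for key in API_BASE_URL WEBSITE_URL; do
    case $(env_get "$f" "$key") in
      https://?*) ;;
      *) fail "$key is not an https:// URL" ;;
    esac
  done

  # Checklist: admin chat IDs verified; Telegram chat IDs are integers.
  ids=$(env_get "$f" ADMIN_CHAT_IDS | tr ',' ' ')
  [ -n "$ids" ] || fail "ADMIN_CHAT_IDS is empty"
  for id in $ids; do
    printf '%s\n' "$id" | grep -Eq '^-?[0-9]+$' || fail "ADMIN_CHAT_IDS entry '$id' is not numeric"
  done

  [ "$(env_get "$f" NODE_ENV)" = production ] || fail "NODE_ENV is not production"
  return "$findings"
}

# Constructed sample: the guide's template with placeholders left in place.
demo=$(mktemp)
printf '%s\n' 'TELEGRAM_BOT_TOKEN=YOUR_PRODUCTION_BOT_TOKEN' \
  'API_BASE_URL=http://your-production-api.com/api' 'WEBSITE_URL=https://yaltipia.com' \
  'ADMIN_CHAT_IDS=YOUR_ADMIN_CHAT_ID' 'NODE_ENV=production' > "$demo"
chmod 644 "$demo"
audit_env "$demo" || echo "$? finding(s)"
rm -f "$demo"
```

Run as `audit_env /opt/yaltipia-bot/.env` before `pm2 start`; a non-zero return is the number of checklist items still open.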
🚨 TROUBLESHOOTING
Common Issues & Solutions
| Issue | Symptom | Solution |
|---|---|---|
| Bot not responding | No response to /start | Check bot token, verify network |
| API connection failed | 401/403 errors | Verify API_BASE_URL and credentials |
| Notifications not working | No automatic notifications | Check user sessions and API connectivity |
| High memory usage | Memory alerts | Restart bot, check for memory leaks |
🔧 Debug Commands
# Check application logs
pm2 logs yaltipia-bot --lines 100
# Monitor real-time logs (pm2 logs streams by default)
pm2 logs yaltipia-bot
# Check system resources
pm2 monit
# Restart application
pm2 restart yaltipia-bot
# Check environment variables
pm2 env 0
📋 MAINTENANCE PROCEDURES
🔄 Regular Maintenance
#!/bin/bash
# Weekly maintenance script
# /opt/yaltipia-bot/maintenance.sh
# Stop at the first failing step so a broken update is not restarted into production
set -euo pipefail
cd /opt/yaltipia-bot
echo "Starting weekly maintenance..."
# Update application (if needed)
git pull origin main
npm ci --only=production
# Restart application
pm2 restart yaltipia-bot
# Clean old logs
pm2 flush yaltipia-bot
# Check health
sleep 10
pm2 status
echo "Maintenance completed"
📊 Monitoring Alerts
The bot sends automatic alerts to admin chat for:
- ✅ System health issues (high memory, error rates)
- ✅ Failed login attempts (security alerts)
- ✅ Application errors (with stack traces)
- ✅ Daily reports (system statistics)
🚀 SCALING & PERFORMANCE
📈 Performance Optimization
# For high-traffic deployments
# 1. Increase Node.js memory limit
pm2 start src/bot.js --name "yaltipia-bot" --node-args="--max-old-space-size=2048"
# 2. Enable cluster mode (if stateless)
pm2 start src/bot.js --name "yaltipia-bot" -i max
# 3. Configure nginx reverse proxy (if using webhooks)
sudo apt-get install nginx
🔧 Load Balancing (Advanced)
# /etc/nginx/sites-available/yaltipia-bot
upstream yaltipia_bot {
    server 127.0.0.1:3001;
    # Add more instances if needed
}
server {
    # Telegram delivers webhooks over HTTPS only, so TLS must be terminated
    # here or in front of this server; this block shows the proxying only.
    listen 80;
    server_name your-bot-domain.com;
    location /webhook {
        proxy_pass http://yaltipia_bot;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}
📞 SUPPORT & CONTACTS
🆘 Emergency Procedures
If bot stops working:
- Check PM2 status: pm2 status
- Check logs: pm2 logs yaltipia-bot --lines 50
- Restart: pm2 restart yaltipia-bot
- If persistent: Check API connectivity and bot token
If security breach suspected:
- Stop bot: pm2 stop yaltipia-bot
- Regenerate bot token in BotFather
- Update .env file
- Restart: pm2 start yaltipia-bot
📋 Deployment Verification
After deployment, verify these functions work:
- Bot responds to /start
- User registration works
- Notification creation works
- Admin monitoring works
- Health checks respond
- Logs are being written
✅ DEPLOYMENT COMPLETE
Your Yaltipia Telegram Bot is now deployed and ready for production use!
Key Features Active:
- ✅ Automatic property notifications (6-hour intervals)
- ✅ User authentication and management
- ✅ Admin monitoring and alerts
- ✅ Security hardening and rate limiting
- ✅ Error handling and logging
- ✅ Health monitoring and reporting
Next Steps:
- Monitor logs for first 24 hours
- Test with real users
- Set up backup procedures
- Plan for webhook integration (future)
🎉 Congratulations! Your bot is live and serving users! 🚀