Yaltopia-Homes-TGClient/docs/SECURITY_DEPLOYMENT_CHECKLIST.md
2026-01-08 19:06:12 +03:00

# DevOps Deployment Guide - Yaltipia Telegram Bot
## 📋 **QUICK DEPLOYMENT CHECKLIST**
### **⚡ Pre-Deployment (5 minutes)**
- [ ] **Clone repository** (exclude .env files)
- [ ] **Install Node.js 16+** and npm
- [ ] **Create production environment file**
- [ ] **Set up process manager** (PM2 recommended)
- [ ] **Configure firewall** (ports 3000, 3001)
### **🔒 Security Requirements (Critical)**
- [ ] **Generate new bot token** in BotFather (never use development token)
- [ ] **Use HTTPS URLs only** (no HTTP in production)
- [ ] **Set strong admin chat IDs**
- [ ] **Configure monitoring alerts**
---
## **STEP-BY-STEP DEPLOYMENT**
### **1. 📦 Server Setup**
```bash
# Install Node.js (Ubuntu/Debian)
curl -fsSL https://deb.nodesource.com/setup_18.x | sudo -E bash -
sudo apt-get install -y nodejs
# Install PM2 globally
sudo npm install -g pm2
# Create application user
sudo useradd -m -s /bin/bash yaltipia-bot
sudo mkdir -p /opt/yaltipia-bot
sudo chown yaltipia-bot:yaltipia-bot /opt/yaltipia-bot
```
### **2. 📥 Application Deployment**
```bash
# Switch to app user
sudo su - yaltipia-bot
# Clone repository
cd /opt/yaltipia-bot
git clone <your-repository-url> .
# Install dependencies (production only)
npm ci --only=production
# Set proper permissions
chmod 755 src/
chmod 644 package*.json
```
### **3. 🔧 Environment Configuration**
```bash
# Copy production template
cp .env.production .env
# Edit with production values
nano .env
```
**Required Environment Variables:**
```env
# CRITICAL: Replace with production values
TELEGRAM_BOT_TOKEN=YOUR_PRODUCTION_BOT_TOKEN
API_BASE_URL=https://your-production-api.com/api
WEBSITE_URL=https://yaltipia.com
# Notification System
NOTIFICATION_MODE=optimized
NOTIFICATION_CHECK_INTERVAL_HOURS=6
MAX_NOTIFICATIONS_PER_USER=3
SEND_NO_MATCH_NOTIFICATIONS=false
# Monitoring (Replace with your admin chat)
ADMIN_CHAT_IDS=YOUR_ADMIN_CHAT_ID
MONITORING_TOPIC_ID=YOUR_TOPIC_ID
HEALTH_CHECK_INTERVAL_MINUTES=30
DAILY_REPORT_HOUR=9
ERROR_CLEANUP_INTERVAL_HOURS=1
# Security
NODE_ENV=production
WEBHOOK_PORT=3001
```
### **4. 🔒 Security Hardening**
```bash
# Set secure file permissions
chmod 600 .env
chmod 700 /opt/yaltipia-bot
# Create systemd service (optional)
sudo tee /etc/systemd/system/yaltipia-bot.service > /dev/null <<EOF
[Unit]
Description=Yaltipia Telegram Bot
After=network.target
[Service]
Type=simple
User=yaltipia-bot
WorkingDirectory=/opt/yaltipia-bot
ExecStart=/usr/bin/node src/bot.js
Restart=always
RestartSec=10
Environment=NODE_ENV=production
[Install]
WantedBy=multi-user.target
EOF
```
### **5. 🚀 Start Application**
```bash
# Using PM2 (Recommended)
pm2 start src/bot.js --name "yaltipia-bot" --env production
pm2 save
pm2 startup
# OR using systemd
sudo systemctl enable yaltipia-bot
sudo systemctl start yaltipia-bot
```
### **6. 🔥 Firewall Configuration**
```bash
# Ubuntu/Debian with UFW
sudo ufw allow 22/tcp # SSH
sudo ufw allow 80/tcp # HTTP (if needed)
sudo ufw allow 443/tcp # HTTPS
sudo ufw allow 3001/tcp # Webhook port (if using webhooks)
sudo ufw enable
# CentOS/RHEL with firewalld
sudo firewall-cmd --permanent --add-port=3001/tcp
sudo firewall-cmd --reload
```
---
## 📊 **MONITORING & HEALTH CHECKS**
### **🔍 Verify Deployment**
```bash
# Check application status
pm2 status
pm2 logs yaltipia-bot --lines 50
# Test bot responsiveness (load the token from .env first; do not type it on the command line,
# or it ends up in shell history)
set -a; . ./.env; set +a
curl -s "https://api.telegram.org/bot${TELEGRAM_BOT_TOKEN}/getMe"
# Check webhook endpoint (if enabled)
curl -s http://localhost:3001/status
```
### **📈 Monitoring Setup**
```bash
# Install the log rotation module (pm2 fetches it itself; no global npm install needed)
pm2 install pm2-logrotate
# Configure log rotation
pm2 set pm2-logrotate:max_size 10M
pm2 set pm2-logrotate:retain 7
pm2 set pm2-logrotate:compress true
```
### **🚨 Health Check Endpoints**
| Endpoint | Purpose | Expected Response |
|----------|---------|-------------------|
| `GET /status` | Application health | `{"success": true, "webhook": {...}}` |
| `GET /webhook/health` | Webhook health | `{"success": true, "message": "..."}` |
---
## 🔒 **SECURITY CONFIGURATION**
### **🛡️ Essential Security Measures**
```bash
# 1. Secure SSH (if not already done)
sudo sed -i 's/#PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config
sudo systemctl restart sshd
# 2. Install fail2ban
sudo apt-get install fail2ban
sudo systemctl enable fail2ban
# 3. Set up automatic security updates
sudo apt-get install unattended-upgrades
sudo dpkg-reconfigure -plow unattended-upgrades
```
### **🔐 Bot Security Checklist**
- [ ] **New bot token generated** (not development token)
- [ ] **Bot privacy mode enabled** in BotFather
- [ ] **Admin chat IDs verified** and secured
- [ ] **API endpoints use HTTPS** only
- [ ] **Environment variables secured** (600 permissions)
---
## 🚨 **TROUBLESHOOTING**
### **Common Issues & Solutions**
| Issue | Symptom | Solution |
|-------|---------|----------|
| **Bot not responding** | No response to /start | Check bot token, verify network |
| **API connection failed** | 401/403 errors | Verify API_BASE_URL and credentials |
| **Notifications not working** | No automatic notifications | Check user sessions and API connectivity |
| **High memory usage** | Memory alerts | Restart bot, check for memory leaks |
### **🔧 Debug Commands**
```bash
# Check application logs
pm2 logs yaltipia-bot --lines 100
# Monitor real-time logs
pm2 logs yaltipia-bot --follow
# Check system resources
pm2 monit
# Restart application
pm2 restart yaltipia-bot
# Check environment variables
pm2 env 0
```
---
## 📋 **MAINTENANCE PROCEDURES**
### **🔄 Regular Maintenance**
```bash
#!/bin/bash
# /opt/yaltipia-bot/maintenance.sh - weekly maintenance script
# The shebang must be the first line of the file; abort on the first failed step.
set -euo pipefail
cd /opt/yaltipia-bot
echo "Starting weekly maintenance..."
# Update application (if needed)
git pull origin main
npm ci --only=production
# Restart application
pm2 restart yaltipia-bot
# Clean old logs
pm2 flush yaltipia-bot
# Check health
sleep 10
pm2 status
echo "Maintenance completed"
```
### **📊 Monitoring Alerts**
The bot sends automatic alerts to admin chat for:
- **System health issues** (high memory, error rates)
- **Failed login attempts** (security alerts)
- **Application errors** (with stack traces)
- **Daily reports** (system statistics)
---
## 🚀 **SCALING & PERFORMANCE**
### **📈 Performance Optimization**
```bash
# For high-traffic deployments
# 1. Increase Node.js memory limit
pm2 start src/bot.js --name "yaltipia-bot" --node-args="--max-old-space-size=2048"
# 2. Enable cluster mode (if stateless)
pm2 start src/bot.js --name "yaltipia-bot" -i max
# 3. Configure nginx reverse proxy (if using webhooks)
sudo apt-get install nginx
```
### **🔧 Load Balancing (Advanced)**
```nginx
# /etc/nginx/sites-available/yaltipia-bot
# Note: Telegram delivers webhooks only to HTTPS URLs, so TLS must terminate
# here (listen 443 ssl with a certificate) or at a proxy in front of nginx.
upstream yaltipia_bot {
    server 127.0.0.1:3001;
    # Add more instances if needed
}
server {
    listen 80;
    server_name your-bot-domain.com;
    location /webhook {
        proxy_pass http://yaltipia_bot;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}
```
---
## 📞 **SUPPORT & CONTACTS**
### **🆘 Emergency Procedures**
**If bot stops working:**
1. Check PM2 status: `pm2 status`
2. Check logs: `pm2 logs yaltipia-bot --lines 50`
3. Restart: `pm2 restart yaltipia-bot`
4. If persistent: Check API connectivity and bot token
**If security breach suspected:**
1. Stop bot: `pm2 stop yaltipia-bot`
2. Regenerate bot token in BotFather
3. Update .env file
4. Restart: `pm2 start yaltipia-bot`
### **📋 Deployment Verification**
After deployment, verify these functions work:
- [ ] Bot responds to `/start`
- [ ] User registration works
- [ ] Notification creation works
- [ ] Admin monitoring works
- [ ] Health checks respond
- [ ] Logs are being written
---
## ✅ **DEPLOYMENT COMPLETE**
Your Yaltipia Telegram Bot is now deployed and ready for production use!
**Key Features Active:**
- ✅ Automatic property notifications (6-hour intervals)
- ✅ User authentication and management
- ✅ Admin monitoring and alerts
- ✅ Security hardening and rate limiting
- ✅ Error handling and logging
- ✅ Health monitoring and reporting
**Next Steps:**
1. Monitor logs for first 24 hours
2. Test with real users
3. Set up backup procedures
4. Plan for webhook integration (future)
**🎉 Congratulations! Your bot is live and serving users!** 🚀