4 Commits

Author SHA1 Message Date
NW
d8bfb29205 feat: add tor-proxy service for SSH and admin panel access via Tor
- Add tor-proxy/Dockerfile: Alpine + Tor with entrypoint
- Add tor-proxy/entrypoint.sh: dynamic torrc generation with env var validation
- Update docker-compose.yml: add tor-proxy service with shared tor_proxy_net network
- Two Tor hidden services: SSH (port 22) and admin panel (port 80 -> 3001)
- Update .env.example: add SSH_HOST_IP, SHOP_CONTAINER, ADMIN_PORT vars
2026-06-24 11:30:38 +01:00
NW
49945d9d81 security(csv-export): harden mnemonic export with super admin, audit, watermark (#48)
- Add SUPER_ADMIN_IDS config (fallback to ADMIN_IDS if not set)
- Add isSuperAdmin() to middleware/auth.js
- Create auditService.js for structured audit logging (DB + pino)
- Create migration 005_audit_log.js
- Add confirmation dialog before CSV export (confirm_export_ callback)
- Check isSuperAdmin before export — block non-super admins
- Audit log every export: admin ID, wallet type, wallet count
- Add exported_by watermark column to CSV with admin telegram ID
- Notify all other super admins when export occurs
- Add SUPER_ADMIN_IDS to .env.example

8 files changed, 154 insertions, 39 deletions
2026-06-22 10:07:58 +01:00
NW
ba80784ae7 security(docker): remove privileged mode, SYS_MODULE; harden WireGuard (#49 #50)
- Removed privileged: true from docker-compose.yml
- Removed SYS_MODULE cap_add (kept NET_ADMIN for WireGuard)
- Removed source code bind mounts (./src, package.json)
- Removed wg0.conf and resolv.conf bind mounts (now generated from env)
- Added resource limits: mem_limit 512m, cpus 1.0
- Added healthcheck with curl
- Added non-root user appuser:appgroup in Dockerfile
- wg0.conf now generated from env vars at container startup (WG_PRIVATE_KEY, etc.)
- resolv.conf generated from WG_DNS env var
- Rotated wg0.conf — private key removed from file
- Added WG_ALLOWED_IPS to .env.example

SECURITY: Rotate WireGuard keys on server if previously used in production
2026-06-22 01:26:35 +01:00
NW
7e0839d8cd chore: add .env.example template and expand .gitignore for secrets
- Add .env.example with all config vars (no real secrets)
- Exclude .env, .env.*, docker-compose.override.yml
- Exclude wg/ (WireGuard configs with private keys)
- Exclude dump/, dump.zip, *.csv (sensitive exports)
- Keep .env.example tracked (!.env.example exception)
2026-06-17 20:32:26 +01:00