feat: Add automated HTTPS gateway setup for agent webhooks

- Add setup-nginx-gateway.sh for Let's Encrypt + nginx - Add register-agent-webhook.sh for easy webhook registration - Update HELION-QUICKSTART.md with production deployment guide - Supports unlimited agents without nginx reconfiguration
2025-11-16 11:13:40 -08:00
parent 66f19cf499
commit 730b46a2b4
2 changed files with 169 additions and 0 deletions
--- a/scripts/register-agent-webhook.sh
+++ b/scripts/register-agent-webhook.sh
@@ -0,0 +1,36 @@
+#!/bin/bash
+# Register Telegram webhook for any agent
+# Usage: ./register-agent-webhook.sh <agent_id> <bot_token> [domain]
+
+set -e
+
+AGENT_ID=$1
+BOT_TOKEN=$2
+DOMAIN=${3:-"gateway.daarion.city"}
+
+if [ -z "$AGENT_ID" ] || [ -z "$BOT_TOKEN" ]; then
+    echo "Usage: $0 <agent_id> <bot_token> [domain]"
+    echo "Example: $0 helion 8112062582:AAG... gateway.daarion.city"
+    exit 1
+fi
+
+WEBHOOK_URL="https://${DOMAIN}/${AGENT_ID}/telegram/webhook"
+
+echo "🔗 Registering webhook for agent: $AGENT_ID"
+echo "📍 Webhook URL: $WEBHOOK_URL"
+
+# Set webhook
+RESPONSE=$(curl -s -X POST "https://api.telegram.org/bot${BOT_TOKEN}/setWebhook" \
+    -d "url=${WEBHOOK_URL}" \
+    -d "drop_pending_updates=true" \
+    -d "allowed_updates=[\"message\",\"callback_query\"]")
+
+echo "$RESPONSE" | jq '.' 2>/dev/null || echo "$RESPONSE"
+
+# Verify webhook
+echo ""
+echo "✅ Verifying webhook..."
+curl -s "https://api.telegram.org/bot${BOT_TOKEN}/getWebhookInfo" | jq '.' 2>/dev/null || echo "Install jq for pretty output"
+
+echo ""
+echo "🧪 Test your bot by sending a message in Telegram!"
--- a/scripts/setup-nginx-gateway.sh
+++ b/scripts/setup-nginx-gateway.sh
@@ -0,0 +1,133 @@
+#!/bin/bash
+# Setup nginx reverse proxy with Let's Encrypt for DAGI Gateway
+# This enables HTTPS for all Telegram bot webhooks
+
+set -e
+
+DOMAIN=${1:-"gateway.daarion.city"}
+EMAIL=${2:-"admin@daarion.city"}
+GATEWAY_PORT=${3:-"9300"}
+
+echo "🔧 Setting up HTTPS gateway for domain: $DOMAIN"
+
+# Check if running as root
+if [ "$EUID" -ne 0 ]; then 
+   echo "⚠️  Please run as root (sudo)"
+   exit 1
+fi
+
+# 1. Install certbot
+echo "📦 Installing certbot..."
+apt-get update -qq
+apt-get install -y certbot
+
+# 2. Stop conflicting services on port 80/443
+echo "🛑 Stopping services on ports 80/443..."
+docker ps --filter "publish=80" --filter "publish=443" --format "{{.Names}}" | xargs -r docker stop
+
+# 3. Get Let's Encrypt certificate
+echo "🔐 Obtaining SSL certificate for $DOMAIN..."
+certbot certonly --standalone \
+  -d "$DOMAIN" \
+  --email "$EMAIL" \
+  --agree-tos \
+  --non-interactive \
+  --preferred-challenges http
+
+# 4. Create nginx config
+echo "⚙️  Creating nginx configuration..."
+mkdir -p /etc/nginx-gateway
+
+cat > /etc/nginx-gateway/default.conf << EOF
+# DAGI Gateway HTTPS Proxy
+# Supports multiple Telegram bot agents on subpaths
+
+upstream gateway {
+    server localhost:${GATEWAY_PORT};
+}
+
+server {
+    listen 443 ssl http2;
+    server_name ${DOMAIN};
+    
+    ssl_certificate /etc/letsencrypt/live/${DOMAIN}/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/${DOMAIN}/privkey.pem;
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers HIGH:!aNULL:!MD5;
+    
+    # Security headers
+    add_header Strict-Transport-Security "max-age=31536000" always;
+    add_header X-Content-Type-Options nosniff;
+    add_header X-Frame-Options DENY;
+    
+    # Telegram webhook endpoints for all agents
+    location ~ ^/([a-z0-9_-]+)/telegram/webhook$ {
+        proxy_pass http://gateway;
+        proxy_set_header Host \$host;
+        proxy_set_header X-Real-IP \$remote_addr;
+        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto \$scheme;
+        
+        # Telegram-specific
+        proxy_read_timeout 60s;
+        proxy_connect_timeout 10s;
+    }
+    
+    # Health check
+    location /health {
+        proxy_pass http://gateway;
+        proxy_set_header Host \$host;
+    }
+    
+    # All other endpoints
+    location / {
+        proxy_pass http://gateway;
+        proxy_set_header Host \$host;
+        proxy_set_header X-Real-IP \$remote_addr;
+        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto \$scheme;
+    }
+}
+
+# HTTP to HTTPS redirect
+server {
+    listen 80;
+    server_name ${DOMAIN};
+    
+    location /.well-known/acme-challenge/ {
+        root /var/www/certbot;
+    }
+    
+    location / {
+        return 301 https://\$host\$request_uri;
+    }
+}
+EOF
+
+# 5. Start nginx container
+echo "🚀 Starting nginx gateway..."
+docker stop nginx-gateway 2>/dev/null || true
+docker rm nginx-gateway 2>/dev/null || true
+
+docker run -d --name nginx-gateway \
+  --restart unless-stopped \
+  --network host \
+  -v /etc/nginx-gateway/default.conf:/etc/nginx/conf.d/default.conf:ro \
+  -v /etc/letsencrypt:/etc/letsencrypt:ro \
+  -v /var/www/certbot:/var/www/certbot:ro \
+  nginx:alpine
+
+# 6. Setup auto-renewal
+echo "🔄 Setting up certificate auto-renewal..."
+(crontab -l 2>/dev/null; echo "0 0 * * 0 certbot renew --quiet && docker restart nginx-gateway") | crontab -
+
+echo "✅ HTTPS Gateway setup complete!"
+echo ""
+echo "🔗 Your gateway URL: https://${DOMAIN}"
+echo "📝 Webhook URLs for agents:"
+echo "   - DAARWIZZ:  https://${DOMAIN}/daarwizz/telegram/webhook"
+echo "   - Helion:    https://${DOMAIN}/helion/telegram/webhook"
+echo ""
+echo "🧪 Test with: curl https://${DOMAIN}/health"
+echo ""
+echo "⚠️  Make sure DNS record ${DOMAIN} points to this server!"