Best Practices

Use a Strong Session Key

The session key (-s flag) is used to sign session cookies. Use a long, random string:

vps-deployer config -w /opt/vps-deployer -p 3000 -s $(openssl rand -hex 32)

Run as a Non-Root User

VPS Deployer is designed to run as a user-level systemd service. Never run it as root:

# Create a dedicated user
sudo useradd -m -s /bin/bash vpsdeployer
sudo su - vpsdeployer
npm install -g vps-deployer

Use HTTPS in Production

Always expose VPS Deployer behind HTTPS. See HTTPS Setup for configuration.

Without HTTPS:

Session cookies can be intercepted
Webhook secrets travel in plain text
Build command output is exposed

Configure Firewall Rules

Only expose the ports you need:

# Allow SSH
sudo ufw allow 22

# Allow HTTP/HTTPS (if using reverse proxy)
sudo ufw allow 80
sudo ufw allow 443

# Block direct access to VPS Deployer port
sudo ufw deny 3000

Use Sudoers for Privileged Commands

If your build commands need sudo (e.g., systemctl restart nginx), configure sudoers with specific rules:

vpsdeployer ALL=(ALL) NOPASSWD: /usr/bin/pm2, /usr/bin/systemctl restart nginx, /usr/bin/docker compose *

Never use NOPASSWD: ALL. Only whitelist the exact commands you need.

Keep Your Working Directory Restricted

Set permissions so only the VPS Deployer user can access the working directory:

chmod 700 /opt/vps-deployer

Rotate Webhook Secrets

If you suspect a webhook secret has been compromised:

Delete the project in VPS Deployer
Recreate it (generates a new secret)
Update the webhook in GitHub

Monitor Logs

Regularly check both application and system logs:

# Application logs
tail -f /opt/vps-deployer/vps-deployer.log

# Systemd logs
journalctl --user -u vps-deployer -f

Back Up Regularly

Back up your database and working directory:

tar -czf vps-deployer-backup-$(date +%Y%m%d).tar.gz /opt/vps-deployer/

Store backups off-site.