diff --git a/deploy/baton-keepalive.service b/deploy/baton-keepalive.service
index 8ed86fe..49d146d 100644
--- a/deploy/baton-keepalive.service
+++ b/deploy/baton-keepalive.service
@@ -5,6 +5,6 @@ Description=Baton keep-alive ping
 [Service]
 Type=oneshot
 # Замените URL на реальный адрес вашего приложения
-ExecStart=curl -sf https://your-app.example.com/health
+ExecStart=curl -sf https://baton.itafrika.com/health
 StandardOutput=null
 StandardError=journal
diff --git a/deploy/baton.service b/deploy/baton.service
new file mode 100644
index 0000000..141d6b6
--- /dev/null
+++ b/deploy/baton.service
@@ -0,0 +1,18 @@
+[Unit]
+Description=Baton — Telegram bot FastAPI backend
+After=network.target
+Wants=network-online.target
+
+[Service]
+Type=simple
+User=www-data
+WorkingDirectory=/opt/baton
+EnvironmentFile=/opt/baton/.env
+ExecStart=/opt/baton/venv/bin/uvicorn backend.main:app --host 127.0.0.1 --port 8000
+Restart=on-failure
+RestartSec=5s
+StandardOutput=journal
+StandardError=journal
+
+[Install]
+WantedBy=multi-user.target
diff --git a/deploy/env.template b/deploy/env.template
new file mode 100644
index 0000000..072472e
--- /dev/null
+++ b/deploy/env.template
@@ -0,0 +1,19 @@
+# /opt/baton/.env — заполнить перед деплоем
+# ВНИМАНИЕ: этот файл НЕ для git, только шаблон для ручного создания на сервере
+
+# Telegram Bot — токен ТРЕБУЕТ замены через @BotFather (текущий скомпрометирован)
+BOT_TOKEN=***BOT_TOKEN_REMOVED***
+
+# Chat ID для уведомлений — получить у @userinfobot или из Telegram API
+CHAT_ID=
+
+# Webhook secret — случайная строка 32+ символа (сгенерировать: openssl rand -hex 32)
+WEBHOOK_SECRET=
+
+# Webhook URL
+WEBHOOK_URL=https://baton.itafrika.com/api/webhook/telegram
+
+WEBHOOK_ENABLED=true
+FRONTEND_ORIGIN=https://baton.itafrika.com
+APP_URL=https://baton.itafrika.com
+DB_PATH=/opt/baton/baton.db
diff --git a/nginx/baton.conf b/nginx/baton.conf
index 07b7857..e1e1854 100644
--- a/nginx/baton.conf
+++ b/nginx/baton.conf
@@ -31,7 +31,7 @@ log_format baton_secure '$remote_addr - $remote_user [$time_local] '
 # ---------------------------------------------------------------------------
 server {
     listen 80;
-    server_name <YOUR_DOMAIN>;
+    server_name baton.itafrika.com;
 
     return 301 https://$server_name$request_uri;
 }
@@ -41,10 +41,10 @@ server {
 # ---------------------------------------------------------------------------
 server {
     listen 443 ssl;
-    server_name <YOUR_DOMAIN>;
+    server_name baton.itafrika.com;
 
-    ssl_certificate     /etc/letsencrypt/live/<YOUR_DOMAIN>/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/<YOUR_DOMAIN>/privkey.pem;
+    ssl_certificate     /etc/letsencrypt/live/baton.itafrika.com/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/baton.itafrika.com/privkey.pem;
 
     ssl_protocols       TLSv1.2 TLSv1.3;
     ssl_prefer_server_ciphers on;