================================================================================
CURRENT BTCPAY CONFIGURATION BACKUP
================================================================================
Backup Date: September 10, 2025
Source: Ubuntu 24.04 BTCPay Setup (to be replaced with Debian 13)
Status: WORKING - Bitcoin pruning active, Tor fully operational

================================================================================
TOR ONION ADDRESSES
================================================================================
🧅 CURRENT ONION ADDRESSES (will change with new installation):

BTCPay Server: njoc2ubkk7ymgqfg6plt3wcltvcvuv3j4eemixnovicegrlwhq2zwfad.onion
Bitcoin P2P:   s7n55wptvooma4gqsbdo5vn6v6nphjffqsmlufoa3fzqhwkqgeasslad.onion

⚠️ NOTE: The new Debian 13 installation will generate NEW onion addresses.
These addresses will be lost and cannot be recovered.

================================================================================
BTCPAY ENVIRONMENT BACKUP
================================================================================
Working BTCPay Environment Variables (/opt/.env):

BTCPAY_PROTOCOL=https
BTCPAY_HOST=srv1002428.hstgr.cloud
BTCPAY_LIGHTNING_HOST=
BTCPAY_ADDITIONAL_HOSTS=
BTCPAY_ANNOUNCEABLE_HOST=srv1002428.hstgr.cloud
REVERSEPROXY_HTTP_PORT=80
REVERSEPROXY_HTTPS_PORT=443
REVERSEPROXY_DEFAULT_HOST=none
NOREVERSEPROXY_HTTP_PORT=
BTCPAY_IMAGE=
ACME_CA_URI=production
NBITCOIN_NETWORK=mainnet
LETSENCRYPT_EMAIL=
LIGHTNING_ALIAS=
BTCPAY_SSHTRUSTEDFINGERPRINTS=
BTCPAY_SSHKEYFILE=/datadir/host_id_ed25519
BTCPAY_SSHAUTHORIZEDKEYS=/datadir/host_authorized_keys
BTCPAY_HOST_SSHAUTHORIZEDKEYS=/home/ubuntu/.ssh/authorized_keys
LIBREPATRON_HOST=
TALLYCOIN_APIKEY=
TALLYCOIN_PASSWD=
TALLYCOIN_PASSWD_CLEARTEXT=
CLOUDFLARE_TUNNEL_TOKEN=

================================================================================
WORKING BITCOIN CONFIGURATION
================================================================================
CRITICAL: Working Bitcoin Configuration in Docker Compose:

BITCOIN_EXTRA_ARGS: |-
  rpcport=43782
  rpcbind=0.0.0.0:43782
  rpcallowip=0.0.0.0/0
  port=39388
  whitelist=0.0.0.0/0
  maxmempool=500
  prune=10000                 ⭐ CRITICAL: Pruning enabled (10GB max)
  onion=tor:9050              ⭐ CRITICAL: Tor-only networking
  rpcauth=btcrpc:a6a5d29a3f44f02e4cd8cabb5b10a234$ab6152915515f6a9cca806d2ab5f0e2794c346ba74f812c61e48241d523778b8
  mempoolfullrbf=1

HIDDEN SERVICES:
  HIDDENSERVICE_NAME: BTC-P2P,BTC-RPC
  BTC-P2P_HIDDENSERVICE_VIRTUAL_PORT: 8333
  BTC-P2P_HIDDENSERVICE_PORT: 39388
  BTC-RPC_HIDDENSERVICE_VIRTUAL_PORT: 8332

================================================================================
SSH SECURITY BACKUP
================================================================================
Working SSH Configuration:

Port 2255                           ⭐ CRITICAL: Custom port
PermitRootLogin no                  ⭐ CRITICAL: Root disabled
PubkeyAuthentication yes            ⭐ CRITICAL: Key auth
PasswordAuthentication yes          ⚠️ Enabled for safety (disable after key test)
AuthorizedKeysFile .ssh/authorized_keys
MaxAuthTries 3
LoginGraceTime 30
MaxStartups 3
ChallengeResponseAuthentication no
UsePAM yes
Protocol 2
Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com
X11Forwarding no
AllowTcpForwarding no
AllowAgentForwarding no
PermitTunnel no
AllowUsers ubuntu                   ⭐ CRITICAL: Only ubuntu user
Banner /etc/ssh/ssh-banner

SSH Public Key (for ubuntu user):
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDoUnUn5wsJyelx5NAzP1lrcTBKAV93m8R1hlR0ZU07Z vps-hardening-20250910

================================================================================
FIREWALL CONFIGURATION
================================================================================
Working UFW Rules:

Status: active

To                         Action      From
--                         ------      ----
2255/tcp                   ALLOW       Anywhere                  # SSH-Hardened
80/tcp                     ALLOW       Anywhere                  # HTTP-BTCPay
443/tcp                    ALLOW       Anywhere                  # HTTPS-BTCPay
3000/tcp                   DENY        Anywhere                  # Block-Dokploy-External
9050/tcp                   ALLOW       127.0.0.0/8               # Tor-Local

================================================================================
FAIL2BAN CONFIGURATION
================================================================================
Working Jail Configuration (/etc/fail2ban/jail.local):

[DEFAULT]
bantime = 3600
findtime = 600
maxretry = 3
loglevel = INFO

[sshd]
enabled = true
port = 2255                         ⭐ CRITICAL: Custom SSH port
filter = sshd
backend = systemd
bantime = 7200
maxretry = 3

[nginx-http-auth]
enabled = true
port = 80,443
filter = nginx-http-auth
logpath = /var/log/nginx/error.log

[nginx-noscript]
enabled = true
port = 80,443
filter = nginx-noscript
logpath = /var/log/nginx/access.log

[nginx-badbots]
enabled = true
port = 80,443
filter = nginx-badbots
logpath = /var/log/nginx/access.log
maxretry = 2

================================================================================
DOCKER SERVICES STATUS
================================================================================
Working Docker Containers (8 total):

✅ btcpayserver_bitcoind               - Bitcoin Core (pruned + Tor)
✅ generated_btcpayserver_1            - BTCPay Server application
✅ generated_nbxplorer_1               - Blockchain explorer
✅ generated_postgres_1                - PostgreSQL database
✅ nginx                               - Reverse proxy + SSL
✅ tor                                 - Tor daemon
✅ tor-gen                             - Tor config generator
✅ letsencrypt-nginx-proxy-companion   - SSL certificate manager

All containers: UP and running
Bitcoin status:  PRUNED mode confirmed in logs
Tor status:      Hidden services active

================================================================================
DISK USAGE STATUS
================================================================================
Working Storage Allocation:

Filesystem      Size  Used Avail Use% Mounted on
/dev/sda1       387G   11G  377G   3% /

Breakdown:
- System + Docker:  ~5GB
- BTCPay Services:  ~3GB
- Bitcoin (pruned): ~3GB (will grow to max 10GB)
- Available:        377GB

⭐ CRITICAL SUCCESS: Bitcoin pruning working - logs show:
  "Config file arg: [main] prune="10000""
  "Prune configured to target 10000 MiB on disk for block and undo files."

================================================================================
MONITORING COMMANDS
================================================================================
Working Commands for New Installation:

# Status monitoring
~/monitor-btcpay.sh                 # Overall status
docker ps | grep btcpay             # Container status
df -h /                             # Disk usage
sudo fail2ban-client status         # Security status

# Bitcoin specific
docker exec btcpayserver_bitcoind bitcoin-cli getblockchaininfo
docker logs btcpayserver_bitcoind | grep prune

# Tor addresses
sudo cat /var/lib/docker/volumes/generated_tor_servicesdir/_data/BTCPayServer/hostname
sudo cat /var/lib/docker/volumes/generated_tor_servicesdir/_data/BTC-P2P/hostname

# Maintenance
sudo btcpay-restart.sh              # Restart services
sudo btcpay-update.sh               # Update BTCPay
sudo btcpay-clean.sh                # Clean Docker images

================================================================================
CRITICAL LESSONS
================================================================================
⭐ CRITICAL ISSUES RESOLVED:

1. BITCOIN PRUNING CONFIGURATION:
   - Must add "prune=10000" to the Docker Compose BITCOIN_EXTRA_ARGS
   - The BTCPay generator overwrites manual bitcoin.conf changes
   - Required clearing the blockchain data so that pruning started from scratch
   - Logs must show: "Prune configured to target 10000 MiB"

2. TOR CONFIGURATION:
   - The opt-add-tor fragment works correctly
   - Hidden services are generated automatically within 5 minutes
   - onion=tor:9050 in BITCOIN_EXTRA_ARGS enables Tor-only networking

3. SSH SECURITY:
   - Port 2255 avoids the bulk of automated attacks aimed at port 22
   - Must disable the systemd ssh.socket unit to use the custom port
   - Keep password auth enabled until the SSH keys have been tested
   - AllowUsers ubuntu prevents root access

4. FIREWALL SETUP:
   - UFW must allow the new SSH port before SSH is restarted
   - Tor port 9050 needs local access for Bitcoin
   - Block unnecessary services (like Dokploy port 3000)

5. STORAGE MANAGEMENT:
   - A 387GB VPS is perfect with pruning (10GB Bitcoin max)
   - Monitor disk usage during the initial sync
   - Clear the blockchain data if pruning is not working

================================================================================
BACKUP VERIFICATION
================================================================================
✅ Configuration backed up and verified working
✅ Automation scripts created and tested
✅ SSH keys preserved for new installation
✅ All critical settings documented
✅ Troubleshooting knowledge captured
✅ Ready for Debian 13 OS reinstallation

ESTIMATED RESTORATION TIME: 30 minutes + 24 hours Bitcoin sync

================================================================================
END OF BACKUP
================================================================================
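The Bitcoin checklist above (prune= inside BITCOIN_EXTRA_ARGS, onion=tor:9050, a well-formed rpcauth line, and the "Prune configured to target" log line) can be verified mechanically after the Debian 13 reinstall. This is an added example, not a script from this backup or from BTCPay; the rpcauth check reproduces the salt + HMAC-SHA256 scheme of Bitcoin Core's share/rpcauth/rpcauth.py, and the sample args, the password "example-pass" and the salt are constructed placeholders.

```python
import hmac
import re

def make_rpcauth(user: str, password: str, salt_hex: str) -> str:
    """rpcauth value as Bitcoin Core's rpcauth.py builds it:
    user:salt$HMAC_SHA256(key=salt_hex, msg=password). rpcauth.py takes the
    salt from os.urandom(16); a fixed salt here only keeps the demo reproducible."""
    digest = hmac.new(salt_hex.encode(), password.encode(), "sha256").hexdigest()
    return f"{user}:{salt_hex}${digest}"

def rpcauth_matches(entry: str, user: str, password: str) -> bool:
    """Check a stored rpcauth entry against a candidate password (constant-time compare)."""
    name, _, rest = entry.partition(":")
    salt_hex, _, digest = rest.partition("$")
    expected = hmac.new(salt_hex.encode(), password.encode(), "sha256").hexdigest()
    return name == user and hmac.compare_digest(expected, digest)

def parse_extra_args(block: str) -> dict:
    """key=value lines -> dict; anything after the value token (the ⭐ notes) is dropped."""
    args = {}
    for raw in block.splitlines():
        if "=" in raw:
            key, value = raw.strip().split("=", 1)
            args[key.strip()] = (value.split() or [""])[0]
    return args

def audit_bitcoin_args(args: dict) -> list:
    """Items from the backup's checklist that are missing or malformed."""
    problems = []
    prune = args.get("prune", "")
    if not prune.isdigit() or int(prune) < 550:  # prune=1 (manual mode) is flagged too
        problems.append("prune missing or below Bitcoin Core's 550 MiB minimum")
    if args.get("onion") != "tor:9050":
        problems.append("onion=tor:9050 missing: bitcoind would not use the tor container")
    if not re.fullmatch(r"[^:$]+:[0-9a-f]{32}\$[0-9a-f]{64}", args.get("rpcauth", "")):
        problems.append("rpcauth is not user:<32-hex salt>$<64-hex HMAC-SHA256>")
    return problems

PRUNE_LOG = re.compile(r"Prune configured to target (\d+) MiB")

def prune_confirmed(args: dict, log_lines) -> bool:
    """True when bitcoind's log reports the same prune target as prune= in the args."""
    hits = [PRUNE_LOG.search(line) for line in log_lines]
    return any(m and m.group(1) == args.get("prune") for m in hits)

# Constructed sample: the backup's BITCOIN_EXTRA_ARGS lines with a made-up credential.
SAMPLE_ARGS = "prune=10000 ⭐ CRITICAL: Pruning enabled (10GB max)\nonion=tor:9050 ⭐ CRITICAL\n" \
    "rpcauth=" + make_rpcauth("btcrpc", "example-pass", "0123456789abcdef0123456789abcdef")
SAMPLE_LOG = ['Config file arg: [main] prune="10000"',   # constructed copies of the log lines
              "Prune configured to target 10000 MiB on disk for block and undo files."]
```

On the live host, feed parse_extra_args the BITCOIN_EXTRA_ARGS block from the generated docker-compose file and prune_confirmed the output of the "docker logs btcpayserver_bitcoind | grep prune" command listed above.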
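Lessons 3 and 4 above (allow the new SSH port in UFW before restarting sshd, point the fail2ban [sshd] jail at that same port, keep root and extra users out, and turn password auth off once keys work) amount to a consistency check across sshd_config, jail.local and the UFW rule table that can be scripted. This is an added example, not a script from this backup; its sample inputs are constructed, trimmed copies of the settings listed in the SSH, FIREWALL and FAIL2BAN sections, and it assumes "ufw status" output in the column layout shown there.

```python
import configparser
import re

def sshd_settings(text: str) -> dict:
    """Parse 'Keyword value' lines of sshd_config; like sshd, the first occurrence wins."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        settings.setdefault(parts[0].lower(), parts[1].strip() if len(parts) > 1 else "")
    return settings

def jail_port(jail_text: str, jail: str) -> str:
    """Port the named fail2ban jail watches ([DEFAULT] applies if the jail sets none)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(jail_text)
    return cp.get(jail, "port", fallback="")

def ufw_allows(status_text: str, port: int, proto: str = "tcp") -> bool:
    """True when `ufw status` output contains an ALLOW rule for port/proto."""
    rule = re.compile(rf"^{port}/{proto}\s+ALLOW\b")
    return any(rule.match(line.strip()) for line in status_text.splitlines())

def ssh_hardening_report(sshd_text: str, jail_text: str, ufw_text: str) -> list:
    """Findings that would lock the operator out or leave the SSH port unguarded."""
    cfg = sshd_settings(sshd_text)
    port = int(cfg.get("port", "22"))  # sshd's default when Port is unset
    problems = []
    if not ufw_allows(ufw_text, port):
        problems.append(f"no UFW ALLOW for {port}/tcp: restarting sshd would lock you out")
    if jail_port(jail_text, "sshd") != str(port):
        problems.append(f"fail2ban [sshd] jail is not watching port {port}")
    if cfg.get("permitrootlogin") != "no" or cfg.get("allowusers", "") != "ubuntu":
        problems.append("root login or users other than ubuntu still allowed")
    if cfg.get("passwordauthentication") == "yes":
        problems.append("PasswordAuthentication still yes: disable once key login is verified")
    return problems

# Constructed samples, trimmed from the settings listed in this backup.
SSHD_CONF = "Port 2255\nPermitRootLogin no\nPubkeyAuthentication yes\n" \
            "PasswordAuthentication no\nAllowUsers ubuntu\n"
JAIL_LOCAL = "[DEFAULT]\nbantime = 3600\n\n[sshd]\nenabled = true\nport = 2255\nfilter = sshd\n"
UFW_STATUS = "Status: active\n\nTo        Action  From\n--        ------  ----\n" \
             "2255/tcp  ALLOW   Anywhere  # SSH-Hardened\n80/tcp    ALLOW   Anywhere\n"
```

Run it with the real files (/etc/ssh/sshd_config, /etc/fail2ban/jail.local, and the output of "sudo ufw status") before the sshd restart that switches ports, since an empty report is the go-ahead for the restart.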